Protection measures
Information for the protection of the IP-based handover point for intercepts and information requests
Information service of the certification body TKÜV-CA (Registration and Certification Authority)
General
For the protection of the IP-based handover point in accordance with the ETSI standard, dedicated cryptosystems based on the IPsec protocol family are used to interconnect the subnetworks of the authorised bodies and obligated parties into a Virtual Private Network (VPN). To administer it, a Public Key Infrastructure (PKI) is established, run by the Federal Network Agency as the central registration and certification authority. The Federal Network Agency also maintains the security relations permitted within the VPN in an Access Control List (ACL), which is made available via an LDAP directory service.
IP cryptosystems
In order to meet the stringent security requirements for secure transmission in IP networks, only IP cryptosystems that satisfy certain requirements specified by the Federal Network Agency in cooperation with the Federal Office for Information Security (BSI) may be used. One IP cryptosystem was defined within the framework of a survey amongst manufacturers. For a further IP cryptosystem defined in a second survey, the requisite full-scale interoperability could not be demonstrated.
Only the IP cryptosystem specified in the table may be used on the basis of the TKÜV:
| Manufacturer | Product name | Contact |
|---|---|---|
| secunet GERMANY | SINA Box | Mr. Neef |
The cryptosystems form part of the technical equipment of the authorised bodies and obligated parties; their operation, maintenance and repair (including the operation of a SYSLOG server of their own) are therefore the responsibility of the operators of the individual subnetworks.
Part A in Annex A.2 of the TR TKÜV (Technical Guideline for the implementation of legal measures for surveillance of telecommunications and information requests for traffic data), version 6.1, sets out the relevant technical regulations.
The regulations of the registration and certification authority TKÜV-CA (the policy), to which that section of the TR TKÜV refers, are also published here.
Policy
A detailed description of the overall process and a list of the data required for participation in the VPN are set out in the policy of the TKÜV-CA, available here.
Key elements of the policy:
- identity and services of the TKÜV-CA
- rules for the registration of subscribers / procedure
- information on the issue of the certificate (incl. IP configuration)
- revocation of certificates / barring
- options regarding the management system
- testing of the cryptosystems
- miscellaneous
