Technical Release: Planned Transition to DSTU 7564:2014 ("Kupina")
1. The essence and reason for the change
Ukraine is strengthening its cybersecurity standards by transitioning to DSTU 7564:2014, a modern and stable hash function standard. This is a planned step that replaces the outdated GOST 34.311-95 with a more crypto-resistant algorithm for long-term protection of digital data.
2. Who this is important to
● QTSPs: to update technological processes and transition to new certificate chains.
● DevOps and system engineers: to update Trust Stores in server environments.
● Developers: to check software compatibility with new algorithms.
● Cybersecurity units: to monitor compliance with regulatory requirements.
3. Key dates
● February 10, 2026: The new CCA keys have been put into operation.
● Gradual transition: Old algorithms are not switched off instantly. They are no longer used for new CCA operations, which ensures a smooth migration of the infrastructure.
4. Value and stability
● Security: The use of the "Kupina" algorithm guarantees protection against modern cryptanalysis methods.
● User support: All qualified certificates issued before 10.02.2026 remain valid and will be supported until their termination date. Reissuance of keys for existing users is not required.
5. Recommendations and technical flow
For QTSPs:
● From February 10, 2026, start issuing root certificates based on the DSTU 7564:2014 standard and in accordance with the requirements of the CCA Practice Statement.
● From February 10, 2026, start generating user certificates based on the new standard for full integration with the updated hierarchy of the CCA.
For system administrators and developers (the update procedure):
● Obtaining Packages: Download the current certificate chains (.p7b containers):
○ Primary Source (CACertificates.p7b)
○ Alternate Source (CACertificates.p7b)
● Testing (Sandboxing):
○ Using the CCA Information and Communication System Program Interface, generate test certificates.
○ Using the CCA test chain, create an environment for checking compatibility.
○ Conduct testing and make sure that your cryptographic libraries correctly process the trust path (Path Validation) and OCSP responses using the new hash.
● Additionally:
○ Test examples of qualified electronic signature using the hash function according to DSTU 7564:2014.
○ In ICSs that use IIT crypto libraries, library versions no older than 02/27/2024 shall be installed.