GM/T 0054-2018 English PDF (GMT0054-2018)

GM/T 0054-2018: General requirements for information system cryptography application

This Standard specifies the general requirements for the application of commercial cryptography in information systems. It is applicable to guiding, regulating and assessing the application of commercial cryptography in information systems.
GM/T 0054-2018
CRYPTOGRAPHY INDUSTRY STANDARD
OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Record No.: 61709-2018
General Requirements for
Information System Cryptography Application
ISSUED ON: FEBRUARY 08, 2018
IMPLEMENTED ON: FEBRUARY 08, 2018
Issued by: State Cryptography Administration
Table of Contents
Foreword
Introduction
1 Scope
2 Normative References
3 Terms and Definitions
4 Abbreviation
5 General Requirements
5.1 Cryptographic algorithm
5.2 Cryptographic technology
5.3 Cryptographic products
5.4 Cryptographic service
6 Requirements of Cryptographic Function
6.1 Confidentiality
6.2 Data integrity
6.3 Authenticity
6.4 Non-repudiation
7 Cryptographic Technology Application Requirements
7.1 Physical and environmental security
7.1.1 General
7.1.2 Class-I information system with classified protection
7.1.3 Class-II information system with classified protection
7.1.4 Class-III information system with classified protection
7.1.5 Class-IV information system with classified protection
7.2 Network and communication security
7.2.1 General
7.2.2 Class-I information system with classified protection
7.2.3 Class-II information system with classified protection
7.2.4 Class-III information system with classified protection
7.2.5 Class-IV information system with classified protection
7.3 Equipment and computing security
7.3.1 General
7.3.2 Class-I information system with classified protection
7.3.3 Class-II information system with classified protection
7.3.4 Class-III information system with classified protection
7.3.5 Class-IV information system with classified protection
7.4 Application and data security
7.4.1 General
7.4.2 Class-I information system with classified protection
7.4.3 Class-II information system with classified protection
7.4.4 Class-III information system with classified protection
7.4.5 Class-IV information system with classified protection
8 Key Management
8.1 General
8.2 Class-I information system with classified protection
8.3 Class-II information system with classified protection
8.4 Class-III information system with classified protection
8.5 Class-IV information system with classified protection
9 Security Management
9.1 System
9.1.1 Class-I information system with classified protection
9.1.2 Class-II information system with classified protection
9.1.3 Class-III information system with classified protection
9.1.4 Class-IV information system with classified protection
9.2 Personnel
9.2.1 Class-I information system with classified protection
9.2.2 Class-II information system with classified protection
9.2.3 Class-III information system with classified protection
9.2.4 Class-IV information system with classified protection
9.3 Implementation
9.3.1 Planning
9.3.2 Construction
9.3.3 Operation
9.4 Emergency
9.4.1 Class-I information system with classified protection
9.4.2 Class-II information system with classified protection
9.4.3 Class-III information system with classified protection
9.4.4 Class-IV information system with classified protection
Appendix A (Informative) Security Requirements Comparison List
Appendix B (Informative) List of Cryptography Industry Standards
Bibliography
General Requirements for
Information System Cryptography Application
1 Scope
This Standard specifies the general requirements for the application of commercial cryptography in information systems.
This Standard is applicable to guiding, regulating and assessing the application of commercial cryptography in information systems.
2 Normative References
The following documents are essential to the application of this document. For dated references, only the version with the date indicated applies to this document; for undated references, only the latest version (including all amendments) applies to this document.
GM/T 0005 Randomness Test Specification
GM/T 0028 Security Requirements for Cryptographic Modules
GM/T 0036 Technical Guidance of Cryptographic Application for Access Control Systems Based on Contactless Smart Card
GM/Z 4001-2013 Cryptography Terminology
3 Terms and Definitions
For the purposes of this document, the terms and definitions given in GM/Z 4001-2013 and the following apply. For convenience, some terms and definitions given in GM/Z 4001-2013 are repeated below.
3.1 One-time-password; OTP; dynamic password
A one-time password that is dynamically generated based on time, an event, etc.
3.2 Access control
3.12 Message authentication code; MAC
The output of the message authentication algorithm; also known as the message authentication code.
3.13 Authenticity
The property ensuring that the identity of a subject or resource is the claimed one. Authenticity applies to entities such as users, processes, systems and information.
3.14 Non-repudiation
The property that proves an action which has occurred cannot be denied.
4 Abbreviation
The following abbreviation is applicable to this document.
MAC (Message Authentication Code)
5 General Requirements
5.1 Cryptographic algorithm
The cryptographic algorithm used in the information system shall conform to the provisions of laws and regulations, as well as the relevant requirements of national and industry standards related to cryptography.
5.2 Cryptographic technology
The cryptographic technology used in the information system shall follow the national and industry standards related to cryptography.
5.3 Cryptographic products
The cryptographic products and cryptographic modules used in the information system shall be approved by the state cryptography administration department.
5.4 Cryptographic service
The cryptographic service used in the information system shall be licensed by the state cryptography administration department.
a) Authentication of personnel entering the important physical areas;
b) Authentication of the two parties of communication;
c) Authentication when network device is accessed;
d) Authentication for platform using the trusted computing technology;
e) Authentication of users who log in to the operating system and database system;
f) Authentication of users of the application system.
6.4 Non-repudiation
The non-repudiation of entity behavior is achieved by using digital signatures and similar cryptographic technology; it applies to all behaviors in the information system that must not be deniable, such as sending, receiving, approving, creating, modifying, deleting, adding, configuring, etc.
7 Cryptographic Technology Application Requirements
7.1 Physical and environmental security
7.1.1 General
The general rules for cryptography application of the physical and environmental security are as follows:
a) Use the cryptographic technology to implement the physical access control against the important sites, monitoring equipment, etc.;
b) Use the cryptographic technology to implement the integrity protection against the physical and environmental sensitive information data such as physical access control records, monitoring information, etc.;
c) Electronic access control systems achieved by using the cryptographic technology shall follow GM/T 0036.
7.1.2 Class-I information system with classified protection
The requirements for the Class-I information system are as follows:
a) The authenticity function of the cryptographic technology may be used to protect the authentication information of the physical access control, ensuring the identity authenticity of the personnel entering the important area;
integrity of the entry and exit records of the electronic access control system;
c) The integrity function of the cryptographic technology shall be used to ensure the integrity of the video surveillance audio record;
d) Level-III and above cryptographic modules satisfying GM/T 0028 and hardware cryptographic products approved by the state cryptography administration department shall be used to achieve the cryptographic operation and key management.
7.2 Network and communication security
7.2.1 General
The general rules for network and communication security cryptography application are as follows:
a) Use cryptographic technology to conduct the security authentication against the device connected to the internal network;
b) Use cryptographic technology to conduct authentication against the identities of the two parties of the communication;
c) Use cryptographic technology to ensure the data integrity during the communication process.
d) Use cryptographic technology to ensure the confidentiality of the sensitive information data fields and the entire message during the communication process;
e) Use cryptographic technology to ensure the integrity of the network boundary access control information and the system resource access control information;
f) Use cryptographic technology to establish a secure information transmission channel, then conduct centralized management of the security devices or security components in the network.
7.2.2 Class-I information system with classified protection
The requirements of Class-I information system are as follows:
a) Authentication may be conducted based on cryptographic technology before communication; the confidentiality and authenticity functions of the cryptographic technology are used to achieve anti-interception, anti-counterfeiting and anti-reuse, so as to ensure the confidentiality of the authentication information and the identity authenticity of the network device entity during transmission;
c) Cryptographic technology shall be used to ensure the data integrity during the communication process;
d) Cryptographic technology shall be used to ensure the confidentiality of the sensitive information data fields or the entire message during the communication process;
e) Cryptographic technology shall be used to establish a secure information transmission channel, then conduct centralized management of the security devices or security components in the network;
f) Level-III and above cryptographic modules satisfying GM/T 0028 and hardware cryptographic products approved by the state cryptography administration department should be used to achieve the cryptographic operation and key management.
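The anti-counterfeiting and anti-reuse properties that 7.2.2 a) asks of pre-communication authentication, worked through as an added example that is not part of the standard: a challenge-response exchange in which the verifier checks a MAC over a fresh nonce and rejects replayed, forged or stale responses. It assumes a key per device provisioned out of band, and uses HMAC-SHA256 as a stand-in for whatever approved MAC algorithm a deployment mandates.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time

# Constructed example: a network device proves its identity before communication.
# Assumptions: each device holds a key provisioned out of band (never transmitted),
# and HMAC-SHA256 stands in for the approved MAC algorithm of the deployment.
NONCE_TTL_SECONDS = 30


def respond(key: bytes, device_id: str, nonce: bytes) -> bytes:
    """Device side: MAC over the device identity and the verifier's nonce."""
    return hmac.new(key, device_id.encode() + b"|" + nonce, hashlib.sha256).digest()


class Verifier:
    """Server side: issues one-shot nonces and checks the responses to them."""
    def __init__(self, keys: dict[str, bytes]):
        self._keys = keys          # device_id -> shared key
        self._outstanding = {}     # nonce -> (device_id, issued_at)

    def challenge(self, device_id: str, now: float | None = None) -> bytes:
        nonce = os.urandom(16)     # 128-bit random nonce: unpredictable and fresh
        self._outstanding[nonce] = (device_id, time.time() if now is None else now)
        return nonce

    def verify(self, device_id: str, nonce: bytes, tag: bytes, now: float | None = None) -> str:
        """Return 'ok' or a rejection reason; the nonce is consumed either way."""
        now = time.time() if now is None else now
        entry = self._outstanding.pop(nonce, None)   # pop: a nonce is accepted at most once
        if entry is None:
            return "rejected: unknown or already used nonce"   # anti-reuse (replay)
        issued_to, issued_at = entry
        if issued_to != device_id:
            return "rejected: nonce issued to a different device"
        if now - issued_at > NONCE_TTL_SECONDS:
            return "rejected: challenge expired"
        key = self._keys.get(device_id)
        if key is None:
            return "rejected: unknown device"
        if not hmac.compare_digest(respond(key, device_id, nonce), tag):  # constant time
            return "rejected: bad tag"                          # anti-counterfeiting
        return "ok"


def demo() -> list[str]:
    """Honest exchange, then a replay, a forged tag and a stale response."""
    key = os.urandom(32)
    v = Verifier({"switch-01": key})
    n1 = v.challenge("switch-01", now=1000.0)
    t1 = respond(key, "switch-01", n1)
    verdicts = [v.verify("switch-01", n1, t1, now=1001.0)]      # genuine device
    verdicts.append(v.verify("switch-01", n1, t1, now=1002.0))  # same response replayed
    n2 = v.challenge("switch-01", now=1010.0)
    forged = respond(os.urandom(32), "switch-01", n2)           # responder lacks the key
    verdicts.append(v.verify("switch-01", n2, forged, now=1011.0))
    n3 = v.challenge("switch-01", now=1020.0)
    verdicts.append(v.verify("switch-01", n3, respond(key, "switch-01", n3), now=1060.0))
    return verdicts
```

Confidentiality of the authentication information (anti-interception) follows from the key itself never crossing the network; only the tag does, and it is useless without the key.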
7.2.5 Class-IV information system with classified protection
The requirements for Class-IV information system are as follows:
a) Authentication shall be conducted based on cryptographic technology before communication; the confidentiality and authenticity functions of the cryptographic technology are used to achieve anti-interception, anti-counterfeiting and anti-reuse, so as to ensure the confidentiality of the authentication information and the identity authenticity of the network device entity during transmission;
b) Cryptographic technology shall be used to authenticate the device connected to the internal network, so as to ensure the authenticity of the device connected to the network;
c) The integrity function of cryptographic technology shall be used to ensure the integrity of the network boundary and system resource access control information;
d) Cryptographic technology shall be used to ensure the data integrity during the communication process;
e) Cryptographic technology shall be used to ensure the confidentiality of the sensitive information data fields or the entire message during the communication process;
f) Cryptographic technology shall be used to establish a secure information transmission channel, then conduct centralized management of the security devices or security components in the network;
g) The Level-III and above cryptographic modules satisfying GM/T 0028 and the hardware cryptographic products approved by the state cryptography
a) Cryptographic technology should be used to identify and authenticate the logged-in user; the identification is unique; the authentication information has complexity requirements and is periodically replaced; the authenticity function of the cryptographic technology is used to achieve anti-counterfeiting of the authentication information;
b) In remote management, the confidentiality function of the cryptographic technology should be used to achieve anti-eavesdropping of the authentication information;
c) The integrity function of cryptographic technology should be used to ensure the integrity of the system resource access control information;
d) The integrity function of cryptographic technology should be used to ensure the integrity of the sensitive tags of the important information resource;
e) The integrity function of cryptographic technology should be used to protect the integrity of the log records;
f) Level-II and above cryptographic modules satisfying GM/T 0028 and hardware cryptographic products approved by the state cryptography administration department should be used to achieve the cryptographic operation and key management.
7.3.4 Class-III information system with classified protection
The requirements for Class-III information system are as follows:
a) Cryptographic technology shall be used to identify and authenticate the logged-in user; the identification is unique; the authentication information has complexity requirements and is periodically replaced;
b) In remote management, the confidentiality function of the cryptographic technology shall be used to achieve anti-eavesdropping of the authentication information;
c) The integrity function of cryptographic technology shall be used to ensure the integrity of the system resource access control information;
d) The integrity function of cryptographic technology shall be used to ensure the integrity of the sensitive tags of the important information resource;
e) Trusted computing technology shall be used to establish a chain of trust from the system to the application, so as to achieve integrity protection of the important programs and files during system operation;
f) The integrity function of cryptographic technology shall be used to protect the integrity of resource access control information;
c) Use the integrity function of cryptographic technology to ensure the integrity of sensitive tags of important information resources;
d) Use cryptographic technology to ensure the confidentiality and integrity of important data during the transmission process;
e) Use cryptographic technology to ensure the confidentiality and integrity of important data during the storage process;
f) Use cryptographic technology to conduct security control over the loading and unloading of important programs;
g) Use cryptographic technology to achieve non-repudiation of entity behavior;
h) Use the integrity function of cryptographic technology to protect the integrity of the log records.
7.4.2 Class-I information system with classified protection
The requirements for Class-I information system are as follows:
a) Cryptographic technology may be used to identify and authenticate the logged-in user, achieving anti-interception, anti-counterfeiting and anti-reuse of the authentication information and ensuring the identity authenticity of the user of the application system;
b) The integrity function of cryptographic technology may be used to ensure the integrity of the business application system access control policy, database table access control information, sensitive tags of important information resources, etc.;
c) Cryptographic technology may be used to ensure the confidentiality of important data during the transmission process, including but not limited to authentication information, important business data and important user information;
d) Cryptographic technology may be used to ensure the confidentiality of important data during the storage process, including but not limited to authentication information, important business data and important user information;
e) Cryptographic technology may be used to ensure the integrity of important data during the transmission process, including but not limited to authentication data, important business data, important audit data, important configuration data, important video data and important user information;
f) Cryptographic technology may be used to ensure the integrity of important data during the storage process, including but not limited to authentication data,
administration department should be used to achieve the cryptographic operation and key management.
7.4.4 Class-III information system with classified protection
The requirements for Class-III information system are as follows:
a) Cryptographic technology shall be used to identify and authenticate the logged-in user, achieving anti-interception, anti-counterfeiting and anti-reuse of the authentication information and ensuring the identity authenticity of the user of the application system;
b) The integrity function of cryptographic technology shall be used to ensure the integrity of the business application system access control policy, database table access control information, sensitive tags of important information resources, etc.;
c) Cryptographic technology shall be used to ensure the confidentiality of important data during the transmission process, including but not limited to authentication information, important business data and important user information;
d) Cryptographic technology shall be used to ensure the confidentiality of important data during the storage process, including but not limited to authentication information, important business data and important user information;
e) Cryptographic technology shall be used to ensure the integrity of important data during the transmission process, including but not limited to authentication data, important business data, important audit data, important configuration data, important video data and important user information;
f) Cryptographic technology shall be used to ensure the integrity of important data during the storage process, including but not limited to authentication data, important business data, important audit data, important configuration data, important video data, important user information, important executable programs, etc.;
g) The integrity function of cryptographic technology shall be used to protect the integrity of log records;
h) Cryptographic technology shall be used to conduct security control over the loading and unloading of important application programs;
i) Level-III and above cryptographic modules satisfying GM/T 0028 and hardware cryptographic products approved by the state cryptography administration department should be used to achieve the cryptographic operation and key managemen...
