Skip to product information
1 of 9

PayPal, credit cards. Download editable-PDF and invoice in 1 second!

GM/T 0072-2019 English PDF (GMT0072-2019)

GM/T 0072-2019 English PDF (GMT0072-2019)

Regular price $175.00 USD
Regular price Sale price $175.00 USD
Sale Sold out
Shipping calculated at checkout.
Quotation: In 1-minute, 24-hr self-service. Click here GM/T 0072-2019 to get it for Purchase Approval, Bank TT...

GM/T 0072-2019: Technical requirements for the applying of cryptography in remote mobile payment

This Standard describes the architecture for the applying of cryptography in remote mobile payment based on the cryptographic module and specifies the cryptographic security elements of remote mobile payment and the technical requirements for the applying of cryptography.
GM/T 0072-2019
CRYPTOGRAPHY INDUSTRY STANDARD
OF THE PEOPLE REPUBLIC OF CHINA
ICS 35.040
L 80
Technical requirements for the applying of
cryptography in remote mobile payment
ISSUED ON: JULY 12, 2019
IMPLEMENTED ON: JULY 12, 2019
Issued by: State Cryptography Administration
Table of Contents
Foreword ... 3
Introduction ... 4
1 Scope ... 5
2 Normative references ... 5
3 Terms and definitions ... 6
4 Abbreviations ... 8
5 Mode for the applying of cryptography in remote mobile payment ... 8 6 Security requirements for applying of cryptography ... 10
6.1 Overview ... 10
6.2 Data confidentiality ... 10
6.3 Data integrity ... 10
6.4 Identity authentication ... 10
6.5 Non-repudiation ... 10
7 Technical requirements for cryptographic security ... 11
7.1 Overview ... 11
7.2 Requirements for using cryptographic algorithms ... 11
7.3 Device-side security requirements ... 11
7.3.1 Security requirements for cryptographic modules ... 11
7.3.2 Security requirements for key management ... 11
7.3.3 Security requirements for applying of cryptography ... 12
7.4 Platform-side security requirements ... 14
7.4.1 Cryptographic equipment security requirements ... 14
7.4.2 Key management security requirements ... 15
7.4.3 Security requirements for applying of cryptography ... 17
7.4.4 Management security requirements ... 19
7.5 Communication security requirements ... 19
Technical requirements for the applying of
cryptography in remote mobile payment
1 Scope
This Standard describes the architecture for the applying of cryptography in remote mobile payment based on the cryptographic module and specifies the cryptographic security elements of remote mobile payment and the technical requirements for the applying of cryptography.
This Standard is applicable to providing guidance on cryptographic security elements to be considered and technical requirements to be followed for the applying of cryptography in cryptographic module-based remote mobile
payment.
2 Normative references
The following documents are indispensable for the application of this document. For the dated references, only the editions with the dates indicated are applicable to this document. For the undated references, the latest edition (including all the amendments) are applicable to this document.
GB/T 32905 Information security techniques - SM3 cryptographic hash
algorithm
GB/T 32907 Information security technology - SM4 block cipher algorithm GB/T 32915 Information security technology - Randomness test methods for binary sequence
GB/T 32918 (all parts) Information security technology - Public key
cryptographic algorithm SM2 based on elliptic curves
GB/T 35275 Information security technology - SM2 cryptographic algorithm encrypted signature message syntax specification
GB/T 35276 Information security technology - SM2 cryptography algorithm usage specification
GB/T 37092 Information security technology - Security requirements for
cryptographic modules
The system used to manage all aspects of the life cycle of key such as
generation, loading, storage, backup, distribution, update, archiving, and destruction.
3.8 Certificate authority; CA
The issuing authority of certificate, i.e. the authority responsible for issuing certificates, certifying certificates, and managing issued certificates. It is responsible for formulating policies and specific steps to verify and identify users and signing user certificates, to ensure the identity of certificate holders and the ownership of public key. It is also known as the certification center. 3.9 Client software
The application that implements financial payment functions on mobile device. 3.10 One time password; OTP
It means that it is used only once in the authentication process; another password is used for the next authentication; each password is used only once. One time password authentication currently has three technical modes: based on time synchronization mechanism, based on event synchronization
mechanism, and based on challenge/response (asynchronous) mechanism.
3.11 SMS dynamic code
Also known as SMS password, which is a random number sent by the
background system to the user's bound mobile phone in the form of a mobile phone text message. The user is authenticated by replying to the random number.
3.12 Digital certificate
Also known as public key certificate, a data structure signed by a certificate authority (CA) and containing public key owner information, public key, issuer information, validity period, and extended information. According to category, it can be divided into personal certificate, authority certificate, and equipment certificate. According to purpose, it can be divided into signature certificate and encryption certificate.
3.13 Digital signature
The result obtained by the cryptographic operation of the signer using the private key to the hash value of the data to be signed. The result can only be verified with the public key of the signer, which is used to confirm the integrity authority (CA). If other authentication modes are used (such as OTP, etc.), the cryptography platform includes a key management system and other
cryptography platforms. The key management system provides key
management services for the cryptographic module on the platform side. A certificate authority is an authority that provides certificate authentication services. In the process of applying of cryptography in remote mobile payment, if a certificate authentication mode is not used, only a key management system is required; if a certificate authentication mode is used, a certificate authority is also required to provide certificate authentication services.
6 Security requirements for applying of cryptography
6.1 Overview
The security requirements for applying of cryptography are mainly the data confidentiality, integrity, identity authentication, and non-repudiation in remote mobile payment processes.
6.2 Data confidentiality
Transaction sensitive data, during the process of client application input, storage on the mobile device side, transmission between the mobile device side and the platform side, storage on the platform side, and transmission between different system platforms on the platform side, cannot be obtained in plain text by unauthorized entities and thus used or leaked.
6.3 Data integrity
The data transmitted between the client application and the cryptographic module, the data transmitted between the mobile device and the remote
payment system, and the data transmitted between the remote payment system and other system platforms cannot be modified or destroyed without
authorization.
6.4 Identity authentication
In remote mobile payment, the identity of each entity shall be confirmed, to prevent identity from being occupied or impersonated.
6.5 Non-repudiation
In remote mobile payment, it shall be ensured that the sending entity of transaction information cannot falsely deny the message it sent afterwards. 7.3.2.2 Key storage
If the symmetric key or SM2 private key needs to be stored, it must be securely stored in the cryptographic module of the mobile device, to ensure the security of key storage and prevent key leakage and illegal replacement.
When the cryptographic module of mobile device is invalidated, the stored key must be invalidated with it.
7.3.2.3 Key use
Keys need to specify attributes, to prevent unauthorized use or misuse of keys. Key use requirements:
a) The key can only be used for the specified application;
b) The key can only be used for the specified purpose or function;
c) When a known key is compromised, it shall be discontinued;
d) When it is suspected that a key is compromised, it is possible to actively stop using it.
7.3.2.4 Key update
It shall be possible to update the key according to the key update policy. 7.3.2.5 Key destruction
According to the key management policy, the key can be destroyed. The key to be destroyed is required to be destroyed from various used media. The
destruction result is required to be irreversible. The original key cannot be recovered from the destruction result.
7.3.3 Security requirements for applying of cryptography
7.3.3.1 Device data confidentiality guarantee requirements
Device data confidentiality guarantee requirements apply to the input of client?€?s sensitive information, the transmission of critical operational messages, and the device APP processing of its own stored data. It shall enhance the
confidentiality of sensitive information data with the risk of leakage. Security requirements:
a) USE a secure password keyboard to ensure the input security of device client passwords (static passwords, dynamic passwords);
c) When using the bound terminal equipment method, a secure hash
algorithm or encryption algorithm shall be used to securely process the original equipment information collected, to avoid the risk of forgery and replay attacks caused by the leakage of the original equipment information. d) When the device uses the digital signature method, the cryptographic module must be able to protect the security of the private key and avoid the leakage of the private key.
7.3.3.4 Device non-repudiation guarantee requirements
Device information non-repudiation guarantee requirements apply to high-risk business links, such as transfer transactions. Security measures such as certificate authentication shall be adopted to ensure that the operations and data performed by clients in these business links have legal non-repudiation effects.
Security requirements:
a) The device shall digitally sign critical sensitive information of the business, and send the original text of the sensitive information along with related signature data to the platform side for verification and storage;
b) The cryptographic module shall protect the security of the private key and avoid the leakage of the private key.
7.3.3.5 Device cryptographic algorithm requirements
It shall choose domestic cryptographic algorithms to ensure the security of information data. See 7.2 for the requirements of cryptographic algorithms. 7.4 Platform-side security requirements
7.4.1 Cryptographic equipment security requirements
The cryptographic equipment shall comply with relevant security regulations, including at least the following requirements:
a) Any operation on the cryptographic equipment must be performed strictly in accordance with the procedures after approval. RECORD the operation
log;
b) Prohibit illegal connection of cryptographic equipment or use of
cryptographic equipment for other purposes;
c) It shall use cryptographic equipment approved by the national
cryptography authority.
7.4.2.4 Key use
Keys need to specify attributes, to prevent unauthorized use or misuse of keys. Key use requirements:
a) The key can only be used for the specified application;
b) The key can only be used for the specified purpose or function;
c) When a known key is compromised, it shall be discontinued;
d) When it is suspected that a key is compromised, it is possible to actively stop using it.
7.4.2.5 Key update
The key management system, for the managed system and the managed
equipment, needs to set a key update policy.
It shall be possible to update the key according to the key update policy. If the updated key is a key encryption key or root key, all keys or subkeys encrypted by that key shall be replaced.
The application data to encryption caused by the key replacement is not the responsibility of the key management center.
Key update requirements:
a) UPDATE strictly in accordance with the key update policy;
b) The new key cannot irreversibly derive the old key;
c) The risk of leaking other keys cannot be increased.
7.4.2.6 Key archiving
When keys expire or are no longer used, according to key management policies, they can be archived.
Keys can be archived in the following forms:
a) Archived keys can only be used to prove the legitimacy of transactions made before archiving;
b) Archived keys shall not be returned to operational use;
c) Archived keys must not affect the security of the key in use.
device client business operations, to avoid critical information messages from being tampered with illegally.
Security requirements:
Methods for ensuring platform-side information integrity include, but are not limited to, supporting verification methods such as message authentication code (MAC) and digital signature.
7.4.3.3 Platform-side identity authentication guarantee requirements
Platform-side identity authentication guarantee requirements apply to the platform-side acceptance and verification of client identities in businesses such as remote mobile payment login and payment, ensuring the credibility of clients?€? online identities, as well as login and payment security.
Security requirements:
a) The platform side shall support multiple identity authentication methods. Conventional methods include, but are not limited to static passwords,
SMS dynamic codes, digital signatures, etc.;
b) USE SSL or other secure communication protocols to create a connection between the device and the platform side and maintain a secure
connection state until exit.
7.4.3.4 Platform-side non-repudiation guarantee requirements
Platform-side information non-repudiation guarantee requirements apply to high-risk business links, such as transfer transactions. It shall take security measures, to ensure legal non-repudiation effect for the operations and data of the device client in these business links.
Security requirements:
If certificate authentication is adopted, the platform side, after verifying the validity of the digital signature, shall continue to verify the validity of the signer's certificate, to ensure that the signer's certificate is legal and valid when the original information of the message and its digital signature are accepted. 7.4.3.5 Platform-side cryptographic algorithm requirements
It shall choose domestic cryptographic algorithms to ensure the security of information data. For key algorithm requirements, see 7.2.

View full details