GM/T 0073-2019 English PDF (GMT0073-2019)

GM/T 0073-2019: Cryptography technical requirements for mobile banking information systems

GM/T 0073-2019
GM
CRYPTOGRAPHY INDUSTRY STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Cryptography technical requirements for mobile banking information systems
ISSUED ON: JULY 12, 2019
IMPLEMENTED ON: JULY 12, 2019
Issued by: State Cryptography Administration
Table of Contents
Foreword ... 4
Introduction ... 5
1 Scope ... 7
2 Normative references ... 7
3 Terms and definitions ... 8
4 Abbreviations ... 9
5 Model of mobile banking information system ... 10
6 Basic requirements and functional requirements for cryptography application ... 11
7 Level 2 requirements for the cryptography security protection of mobile banking information systems ... 11
7.1 Basic technical requirements ... 11
7.2 Cryptography security requirements ... 11
7.2.1 Physical and environmental security ... 11
7.2.2 Network and communication security ... 13
7.2.3 Device and computing security ... 14
7.2.4 Application and data security ... 16
7.2.5 Cryptography allocation policy requirements ... 17
7.3 Key security and management requirements ... 18
7.3.1 General ... 18
7.3.2 Key security ... 19
7.3.3 Key management ... 20
7.4 Security management requirements ... 24
7.4.1 Overview ... 24
7.4.2 Security management system ... 25
7.4.3 Personnel management requirements ... 25
7.4.4 Cryptographic device management ... 26
7.4.5 Password-using service terminal requirements ... 26
8 Level 3 requirements for the cryptography security protection of mobile banking information systems ... 27
8.1 Basic requirements ... 27
8.2 Cryptography security requirements ... 27
8.2.1 Physical and environmental security ... 27
8.2.2 Network and communication security ... 29
8.2.3 Device and computing security ... 31
8.2.4 Application and data security ... 33
8.2.5 Cryptography allocation policy requirements ... 35
8.3 Key security and management requirements ... 36
8.3.1 General ... 36
8.3.2 Key security ... 36
8.3.3 Key management ... 38
8.4 Security management requirements ... 44
8.4.1 Overview ... 44
8.4.2 Security management system ... 44
8.4.3 Personnel management requirements ... 45
8.4.4 Cryptographic device management ... 46
8.4.5 Password-using service terminal requirements ... 46
Appendix A (Normative) Table of comparison of security requirements ... 48
Bibliography ... 50
Cryptography technical requirements for mobile banking information systems
1 Scope
On the basis of standards such as GM/T 0054-2018 and JR/T 007-2012; combined with the characteristics of mobile banking information systems, and the application needs of cryptography in the security construction of classified protection of this type of information system; in terms of cryptographic security technical requirements, key security and management requirements, and security management requirements; this Standard puts forward specific requirements for the cryptography in mobile banking information systems with different security protection classes.
This Standard applies to the guidance, standardization and evaluation of commercial cryptographic applications in mobile banking information systems.
2 Normative references
The following documents are indispensable for the application of this document. For the dated references, only the editions with the dates indicated are applicable to this document. For the undated references, the latest edition (including all the amendments) is applicable to this document.
GB/T 20547.2-2006 Banking - Secure cryptographic devices (retail) - Part 2: Security compliance checklists for devices used in financial transactions
GB/T 21078.1-2007 Banking - Personal Identification Number management and security - Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems
GB/T 21079.1 Banking - Secure cryptographic devices (retail) - Part 1: Concepts, requirements and evaluation methods
GM/T 0028-2014 Security requirements for cryptographic modules
GM/T 0036-2014 Technical guidance of cryptographic application for access control systems based on contactless smart card
GM/T 0054-2018 General requirements for information system cryptography application
Mobile banking mobile client: It refers to the mobile application client program of mobile banking, which can provide users with local electronic banking services.
Mobile banking server: It refers to the server that can provide targeted services, corresponding to the mobile client of mobile banking. The server specified in this Standard includes software programs, as well as hardware devices that carry and run programs.
Boundary: It refers to the boundary of interconnection between subjects, including interaction boundary, network boundary, physical boundary, etc.
6 Basic requirements and functional requirements for cryptography application
The basic requirements and functional requirements for cryptography application of mobile banking information systems shall comply with the requirements of Clause 5 and Clause 6 of GM/T 0054-2018.
7 Level 2 requirements for the cryptography security protection of mobile banking information systems 1)
7.1 Basic technical requirements
It shall be in accordance with the requirements of the level 2 indicators in GM/T 0054-2018.
7.2 Cryptography security requirements
7.2.1 Physical and environmental security
7.2.1.1 General
Refer to the general rules for cryptography application of physical and environmental security in GM/T 0054-2018.
7.2.1.2 Cryptographic hardware security
"Cryptographic hardware security", "physical environment security" and "electronic access control system" are part of the "physical and environmental security" of the mobile banking information system.
1) For comparison of all security requirements of this level with other levels, please refer to Appendix A Table of comparison of security requirements; the same below.
c) Corresponding rules and regulations should be developed, to ensure the compliance, correctness and effectiveness of the use of the access control system.
7.2.2 Network and communication security
7.2.2.1 General
Refer to the general rules for cryptography application of network and communication security in GM/T 0054-2018.
7.2.2.2 Communication security
"Communication security" and "identity authentication" are part of the "network and communication security" of the mobile banking information system. In the level 2 requirements for cryptography security protection of the mobile banking information system, the following requirements are made for the "network and communication security-communication security" indicator:
a) In order to prevent access communication data from being tampered with, intercepted, counterfeited and reused, it is advisable to use the integrity service, confidentiality service and authenticity service of cryptography, to protect the network boundary and system resource access control information;
b) During data transmission, cryptography such as digital certificates and encryption-decryption should be used, to establish a secure transport layer session channel.
7.2.2.3 Identity authentication
"Communication security" and "identity authentication" are part of the "network and communication security" of the mobile banking information system. In the level 2 requirements for cryptography security protection of the mobile banking information system, the following requirements are made for the "network and communication security-identity authentication" indicator:
a) When authenticating users who log in to network devices, in order to prevent the authentication information from being reused and counterfeited, it is advisable to use the authenticity service of cryptography, to protect the authentication information from reuse and counterfeiting. Its cryptographic function shall be correct and effective;
b) The network device system management user ID shall have the characteristics that it is not easy to be fraudulently used. The static
c) When conducting key business processes, such as transfers, transactions, and data modification, it is advisable to use a variety of cryptographic technologies to ensure the authenticity and validity of user identities;
d) Operating system and database system management user ID shall have the characteristics that it is not easy to be fraudulently used. The static password of key system shall be more than 6 digits; composed of a mixture of letters, numbers, and symbols; and be replaced regularly.
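The composition and replacement rule in d) can be checked mechanically. The following is an added example, not text from the standard: it assumes a 90-day replacement cycle (the text only says "regularly") and reads "more than 6 digits" as a length of more than six characters; the sample passwords are constructed.

```python
import string
from datetime import date, timedelta
from typing import List

# The text only says "replaced regularly"; a 90-day cycle is an assumed value.
MAX_PASSWORD_AGE = timedelta(days=90)


def check_static_password(password: str, last_changed: str, today: str,
                          max_age: timedelta = MAX_PASSWORD_AGE) -> List[str]:
    """Return the rules of 7.2.2.3 d) that the password violates (empty list = compliant).

    Dates are ISO strings (YYYY-MM-DD) so the check can be driven from an audit export.
    """
    violations = []
    # "more than 6 digits" is read here as a length strictly greater than six characters
    if len(password) <= 6:
        violations.append("length must be more than 6")
    if not any(c in string.ascii_letters for c in password):
        violations.append("must contain letters")
    if not any(c in string.digits for c in password):
        violations.append("must contain numbers")
    if not any(c in string.punctuation for c in password):
        violations.append("must contain symbols")
    if date.fromisoformat(today) - date.fromisoformat(last_changed) > max_age:
        violations.append("must be replaced regularly (replacement cycle exceeded)")
    return violations


if __name__ == "__main__":
    # Constructed sample credentials for a key-system administrator account
    print(check_static_password("Ab1!xyz", "2024-01-01", "2024-03-01"))   # []
    print(check_static_password("abc123", "2024-01-01", "2024-03-01"))
```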
7.2.3.4 Verification code and dynamic password
"Audit record", "identity authentication", "verification code and dynamic password" and "cryptographic module" are part of the "device and computing security" of the mobile banking information system. In the level 2 requirements for cryptography security protection of the mobile banking information system, the following requirements are made for the "device and computing security- verification code and dynamic password" indicator:
a) When using SMS or other channels to send the verification code, the correct cryptography shall be used, to ensure that the dynamic password sent is completely random and unpredictable;
b) When using SMS or other channels to send the verification code, it shall be ensured that the content of the verification code is not disclosed;
c) If OTP tokens are used for identity verification, it shall use correct cryptography, to ensure that OTP is completely random and unpredictable.
7.2.3.5 Cryptographic module
"Audit record", "identity authentication", "verification code and dynamic password" and "cryptographic module" are part of the "device and computing security" of the mobile banking information system. In the level 2 requirements for cryptography security protection of the mobile banking information system, the following requirements are made for the "device and computing security- cryptographic module" indicator:
It shall use level 2 and above cryptographic modules meeting GM/T 0028-2014 or hardware cryptographic products approved by the national cryptography administration, to realize cryptographic calculations and key management:
a) The system's dedicated hardware or firmware and cryptographic device shall implement security functions, such as authorization control, detection of unauthorized access, and operation status indication; to ensure that the cryptographic module can operate correctly in the approved working mode;
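Requirements a) and b) of 7.2.3.4 amount to two things on the server side: draw the verification code from a cryptographically secure generator, and never keep the code itself where it could be disclosed. The block below is an added example, not code from the standard; the six-digit length, five-minute validity and five-attempt limit are assumed values that the text does not fix.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed policy values: the standard text fixes neither code length nor validity period.
CODE_LENGTH = 6
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


@dataclass
class CodeRecord:
    """Server-side state: a salted hash of the code, never the code itself (requirement b))."""
    salt: bytes
    digest: bytes
    expires_at: float
    attempts: int = 0
    used: bool = False


def code_digest(salt: bytes, code: str) -> bytes:
    return hashlib.sha256(salt + code.encode("utf-8")).digest()


def issue_verification_code(now: Optional[float] = None) -> Tuple[str, CodeRecord]:
    """Draw the code from the OS CSPRNG (requirement a)); return (code to send, record to keep)."""
    now = time.time() if now is None else now
    # secrets.randbelow is backed by os.urandom, so every value in [0, 10**CODE_LENGTH) is
    # equally likely. random.randint or a time-seeded generator would be predictable.
    code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
    salt = secrets.token_bytes(16)
    return code, CodeRecord(salt, code_digest(salt, code), now + CODE_TTL_SECONDS)


def verify_code(record: CodeRecord, submitted: str, now: Optional[float] = None) -> bool:
    """Single-use, time-limited, attempt-limited check with a constant-time comparison."""
    now = time.time() if now is None else now
    if record.used or now > record.expires_at or record.attempts >= MAX_ATTEMPTS:
        return False
    record.attempts += 1
    if hmac.compare_digest(record.digest, code_digest(record.salt, submitted)):
        record.used = True
        return True
    return False


if __name__ == "__main__":
    sent, stored = issue_verification_code()
    print("code sent to user:", sent)              # goes out over SMS; not stored anywhere
    print("accepted:", verify_code(stored, sent))  # True once, then False (single use)
```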
level 2 requirements for cryptography security protection of the mobile banking information system, the following requirements are made for the "application and data security-data storage" indicator:
In terms of data storage security, the integrity service of cryptography can be used, to detect the integrity of system management data, authentication information, key configuration information and important business data in the storage process. Its cryptographic function shall be correct and effective.
7.2.4.4 Device application
"Data transmission", "data storage" and "device application" are part of the "application and data security" of the mobile banking information system. In the level 2 requirements for cryptography security protection of the mobile banking information system, the following requirements are made for the "application and data security-device application" indicator:
a) Mobile device applications shall not store the user's password, payment password, PAC, CVV and other sensitive information in plaintext or in merely encoded form;
b) Mobile device applications shall desensitize sensitive data such as passwords, PACs, and CVVs;
c) When mobile device applications process sensitive data entered by users, such as passwords, payment passwords, etc., security measures should be taken; to ensure the confidentiality of sensitive data and ensure that they are not obtained without authorization;
d) Mobile device applications shall not leak sensitive data such as user passwords, personal information, PAC, CVV to other entities, such as other local processes, Internet data servers, etc.
7.2.5 Cryptography allocation policy requirements
7.2.5.1 Cryptographic algorithm allocation
"Cryptographic algorithm allocation", "cryptographic protocol use" and "cryptographic device use" are part of the "cryptography allocation policy requirements" of the mobile banking information system. In the level 2 requirements for cryptography security protection of the mobile banking information system, the following requirements are made for the "cryptography allocation policy requirements-cryptographic algorithm allocation" indicator:
It is advisable to use algorithms approved by the national cryptography administration.
7.3.2 Key security
7.3.2.1 Key generation
"Key generation", "key storage", "key distribution" and "key use" are part of the "key security" of the mobile banking information system. In the level 2 requirements for cryptography security protection of the mobile banking information system, the following requirements are made for the "key security- key generation" indicator:
a) A random number generator, which meets national standards, shall be used to generate the key;
b) The key shall be produced inside the cryptographic device; it must not appear outside the cryptographic device in plaintext;
c) It shall have the ability to check and remove weak keys;
d) Key pair generation shall be completed by the owner of the key pair or its agent;
e) The method of generating asymmetric key pairs shall ensure the confidentiality of the private key and the integrity of the public key. For the generation of asymmetric key pairs used for non-repudiation services, it shall be able to prove the integrity of the public key to a third party.
7.3.2.2 Key storage
"Key generation", "key storage", "key distribution" and "key use" are part of the "key security" of the mobile banking information system. In the level 2 requirements for cryptography security protection of the mobile banking information system, the following requirements are made for the "key security- key storage" indicator:
a) The key shall be encrypted and stored. Strict security protection measures shall be taken, to prevent the key from being illegally obtained;
b) The key or its modules stored in the system shall be protected by a password.
7.3.2.3 Key distribution
"Key generation", "key storage", "key distribution" and "key use" are part of the "key security" of the mobile banking information system. In the level 2 requirements for cryptography security protection of the mobile banking information system, the following requirements are made for the "key security- key distribution" indicator:
should also be present; and record the operation memo; submit security audit logs, security audit documents, etc.
b) The key transmission, import and export process shall be carried out in accordance with the principle of dual control and key splitting. If it is necessary to use key modules, the required key modules shall be imported by the key module holders, respectively.
c) When transferring and importing keys, it shall be confirmed that:
- Only when the cryptographic device authenticates at least two or more authorized persons, such as through a password, can the key be transmitted. For keys distributed manually, management procedures, such as paper authorization, shall be used to authenticate the identity of the authorized person.
- Only when it is ensured that the cryptographic device has not been tampered with before use in a way that may lead to the disclosure of keys or sensitive data, can the private key be imported into the cryptographic device.
- Only when it is ensured that there is no eavesdropping device installed at the interface of the cryptographic device, which may cause the disclosure of any element of the transmission key, can the private key be transmitted between the cryptographic devices.
- A cryptographic device shall be used to transfer the private key between the device generating the key and the device using the key.
- After importing the key to the target device, the key transportation device shall not retain any information which may reveal the key.
- When using a key transportation device, the key (if an explicit key identifier is used, the key identifier is also included) shall be transferred from the cryptographic device that generated the key to the key transportation device. This device shall be physically transported to the location of the cryptographic device that actually uses the key.
d) When using the key module, it shall be confirmed that:
- The key modules, which constitute the key, shall be imported into or exported from the device manually or by key devices. The transmission process of the key module shall not disclose any part of the key module to any unauthorized individual.
the key envelope to the authorized person. The structure of the key envelope shall make accidental or deceptive openings easy to be discovered by the receiver. If this happens, the key module shall not be used anymore.
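Key splitting under dual control, as required in b), c) and d) above, can be illustrated with XOR key components (the "key modules" of this translation): each holder enters one component into the device, which assembles the key internally and exposes only a check value. This is an added example, not part of the standard; the custodian credentials, the XOR split and the truncated-hash check value are all assumptions of the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Hypothetical custodian credentials (constructed); a real device authenticates each
# holder with its own mechanism, as in the first bullet of c) above.
CUSTODIAN_CREDENTIALS = {"holder-a": "pw-a", "holder-b": "pw-b", "holder-c": "pw-c"}


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n: int) -> List[bytes]:
    """Split key into n XOR components: n-1 drawn from the CSPRNG, the last one fixed so
    that the XOR of all n gives the key. Any n-1 components reveal nothing about the key."""
    if n < 2:
        raise ValueError("key splitting needs at least two components")
    parts = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for p in parts:
        last = xor_bytes(last, p)
    return parts + [last]


def check_value(key: bytes) -> str:
    """Assumed check value: a truncated hash confirming correct assembly without revealing the key."""
    return hashlib.sha256(key).hexdigest()[:6]


class CryptoDevice:
    """Stand-in for the cryptographic device: every component is entered by a different
    authenticated holder, and the assembled key never leaves the device in plaintext."""

    def __init__(self, expected_components: int):
        self.expected = expected_components
        self._entered: Dict[str, bytes] = {}
        self._key: Optional[bytes] = None
        self.audit: List[str] = []   # operation record, as the a) fragment above requires

    def import_component(self, holder: str, password: str, component: bytes) -> None:
        expected_pw = CUSTODIAN_CREDENTIALS.get(holder, "")
        if not hmac.compare_digest(expected_pw.encode(), password.encode()):
            self.audit.append(f"rejected: {holder} failed authentication")
            raise PermissionError("holder not authenticated")
        if holder in self._entered:
            raise PermissionError("dual control: one holder may not enter two components")
        self._entered[holder] = component
        self.audit.append(f"component {len(self._entered)}/{self.expected} entered by {holder}")
        if len(self._entered) == self.expected:
            key = b"\x00" * len(component)
            for c in self._entered.values():
                key = xor_bytes(key, c)
            self._key = key   # stays inside; only the check value is ever exposed
            self.audit.append("key assembled inside device, kcv=" + check_value(key))

    def key_check_value(self) -> Optional[str]:
        return None if self._key is None else check_value(self._key)
```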
7.3.3.3 Key use and replacement
"Key import and export", "key storage and custody", "key use and replacement", and "key backup and recovery" are part of the "key management" of the mobile banking information system. In the level 2 requirements for cryptography security protection of the mobile banking information system, the following requirements are made for the "key management-key use and replacement"
indicator:
a) The purpose of each key shall be clearly defined, and the key shall be used correctly according to that purpose;
b) A tracking and verification system shall be established for each link of key use;
c) In the process of using the key, there shall be security measures preventing the leakage and replacement of the key;
d) During the key use process, the key shall be replaced according to the key replacement cycle requirements. The key replacement allows interruption of the system operation;
e) When the key is leaked, stop using it immediately; initiate corresponding emergency handling and response measures;
f) Manage system administrator passwords, user passwords, and user permissions of cryptographic machines and cryptographic management equipment. In case of leakage or out-of-control authority, the verification and tracking program shall be initiated. The event level shall be assessed according to the out-of-control authority. Relevant keys shall be updated in due course.
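Items a), b), d) and e) above describe a key life cycle that a key-management service can enforce at the point of use: declared purpose, a record of every use, a replacement cycle, and an immediate stop once a leak is reported. The registry below is an added example, not from the standard; the 365-day cycle and the key identifiers are assumed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List

# Assumed replacement cycle: the text requires a cycle to exist but does not fix its length.
DEFAULT_CYCLE = timedelta(days=365)


@dataclass
class KeyEntry:
    key_id: str
    purpose: str                  # a) one declared purpose per key
    created: date
    cycle: timedelta = DEFAULT_CYCLE
    status: str = "active"        # active | due_for_replacement | compromised | retired
    uses: List[str] = field(default_factory=list)   # b) record of each use


class KeyRegistry:
    """Registry a key-management system might keep to enforce a), b), d) and e) of 7.3.3.3."""

    def __init__(self) -> None:
        self._keys: Dict[str, KeyEntry] = {}
        self.events: List[str] = []

    def register(self, key_id: str, purpose: str, created: str,
                 cycle: timedelta = DEFAULT_CYCLE) -> None:
        self._keys[key_id] = KeyEntry(key_id, purpose, date.fromisoformat(created), cycle)
        self.events.append(f"{created} registered {key_id} for {purpose}")

    def use(self, key_id: str, purpose: str, today: str, operator: str) -> bool:
        """Return True only if the key may be used now; every decision is logged."""
        e = self._keys[key_id]
        day = date.fromisoformat(today)
        if e.status in ("compromised", "retired"):       # e) a leaked key is not used again
            self.events.append(f"{today} DENY {key_id}: status {e.status}")
            return False
        if purpose != e.purpose:                          # a) only for the declared purpose
            self.events.append(f"{today} DENY {key_id}: purpose {purpose} != {e.purpose}")
            return False
        if day - e.created > e.cycle:                     # d) replacement cycle exceeded
            e.status = "due_for_replacement"
            self.events.append(f"{today} DENY {key_id}: replacement cycle exceeded")
            return False
        e.uses.append(f"{today} {operator} {purpose}")    # b) tracking of each use
        return True

    def report_leak(self, key_id: str, today: str) -> None:
        self._keys[key_id].status = "compromised"        # e) emergency handling starts here
        self.events.append(f"{today} LEAK {key_id}: emergency response initiated")

    def replace(self, old_id: str, new_id: str, today: str) -> None:
        old = self._keys[old_id]                          # d) rotate, keeping the same purpose
        old.status = "retired"
        self.register(new_id, old.purpose, today, old.cycle)
        self.events.append(f"{today} replaced {old_id} with {new_id}")

    def status(self, key_id: str) -> str:
        return self._keys[key_id].status
```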
7.3.3.4 Key backup and recovery
"Key import and export", "key storage and custody", "key use and replacement", and "key backup and recovery" are part of the "key management" of the mobile banking information system. In the level 2 requirements for cryptography security protection of the mobile banking information system, the following requirements are made for the "key management-key backup and recovery"
indicator:
7.4.2 Security management system
"Security management system", "personnel management requirements",
"cryptographic device management" and "password-using service terminal
requirements" are part of the "security management requirements" of the mobile banking information system. In the level 2 requirements for cryptography security protection of the mobile banking information system, the following r...
