www.ChineseStandard.us -- Field Test Asia Pte. Ltd.
GM/T 0075-2019 English PDF (GM/T0075-2019)
GM/T 0075-2019: Cryptography technical requirements for credit banking information systems
GM/T 0075-2019
GM
CRYPTOLOGIC INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Cryptography technical requirements for credit
banking information systems
ISSUED ON: JULY 12, 2019
IMPLEMENTED ON: JULY 12, 2019
Issued by: State Cryptography Administration
Table of Contents
Foreword ... 3
Introduction ... 4
1 Scope ... 6
2 Normative references ... 6
3 Terms and definitions ... 7
4 Abbreviations ... 8
5 Model of credit banking information system ... 9
6 Basic requirements for cipher application and functional requirements for cipher application ... 10
7 Secondary requirements for security protection of cryptography of credit banking information system ... 10
8 Level three requirements of the cryptography security protection of the credit banking information system ... 26
Annex A (normative) Security requirements comparison table ... 48
Bibliography ... 50
Cryptography technical requirements for credit
banking information systems
1 Scope
On the basis of GM/T 0054-2018, JR/T 007-2012 and other standards, and combining
the characteristics of credit banking systems with the application needs of
cryptography under the classified protection of such information systems, this
Standard puts forward specific requirements for the application of cryptography in
credit banking information systems at different security protection levels, from
three aspects: cryptographic security technical requirements, key security and
management requirements, and security management requirements.
This Standard is applicable to guiding, standardizing and evaluating commercial
cipher application in credit information systems.
2 Normative references
The following referenced documents are indispensable for the application of
this document. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any
amendments) applies.
GB/T 20547.2-2006, Banking - Secure cryptographic devices (retail) - Part 2:
Security compliance checklists for devices used in financial transactions
GB/T 21078.1-2007, Banking - Personal Authentication Number
management and security - Part 1: Basic principles and requirements for
online PIN handling in ATM and POS systems
GB/T 21079.1, Banking - Secure cryptographic devices (retail) - Part 1:
Concepts, requirements and evaluation methods
GM/T 0024, SSL VPN specification
GM/T 0028-2014, Security Requirements for Cryptographic Modules
GM/T 0036-2014, Technical guidance of cryptographic application for access
control systems based on contactless smart card
6 Basic requirements for cipher application and
functional requirements for cipher application
The basic requirements for cipher application and functional requirements for
cipher application of the credit banking information system shall comply with
the requirements in Clause 5, Clause 6 of GM/T 0054-2018.
7 Secondary requirements [1] for security protection of
cryptography of credit banking information system
7.1 Basic requirements
Meet the requirements for level two indicators in GM/T 0054-2018.
7.2 Security requirements for cryptography
7.2.1 Physical and environmental security
7.2.1.1 General
Refer to general principles for the application of physical and environmental
security cipher in GM/T 0054-2018.
7.2.1.2 Cipher hardware security
"Cipher hardware security", "physical environment security" and "electronic
access control system" are parts of the "physical and environmental security"
of the credit banking information system. In the level two requirements of the
cryptography security protection of the credit banking information system, the
following requirements are made for the indicators of "physical and
environmental security - cipher hardware security":
a) The dedicated hardware or firmware of the system and cryptographic
equipment shall have effective physical security protection measures;
NOTE: "Effective measures" in this Standard refer to means that can meet the
requirements of "guarantee items" or methods that can achieve the security goals set
by the system. The following notes are the same.
b) The dedicated hardware or firmware of the system and cryptographic
equipment shall meet the reliability requirements of the operating
[1] For a comparison of all security requirements of this level with other levels, please refer to Annex A
Security Requirements Comparison Table, the same below.
“network and communication security - communication security”:
a) In order to prevent access communication data from being tampered with,
intercepted, counterfeited or replayed, it is advisable to use the integrity
service, confidentiality service and authenticity service of cryptography to
protect network boundary and system resource access control information;
b) During data transmission, cryptographic techniques such as digital
certificates and encryption/decryption shall be used to establish a secure
transport layer session channel.
7.2.2.3 Identity authentication
"Communication security" and "authentication" are parts of the "network and
communication security" of the credit banking information system. In the level
two requirements of the cryptography security protection of the credit banking
information system, the following requirements are made for the indicators of
“network and communication security - identity authentication”:
a) When authenticating a user who logs in to a network device, in order to
prevent the authentication information from being reused or counterfeited,
it is advisable to use the authenticity service of cryptography to protect
the authentication information against reuse and counterfeiting. Its
cryptographic function shall be correct and effective;
b) User authentication for network equipment system management shall not
be easily fraudulently used. The static password of key network equipment
shall be at least 6 digits, composed of a mixture of letters, numbers,
symbols and so on, and shall be replaced regularly;
c) When performing remote network management, in order to prevent the
authentication information from being leaked during transmission, it is
advisable to use the confidentiality service of cryptography to protect the
confidentiality of the authentication information. Its cryptographic function
shall be correct and effective;
d) The information system shall use cryptography to generate unique random
identifiers for entities that have passed identity authentication and shall
ensure that this function is correct and effective.
7.2.3 Equipment and computing security
7.2.3.1 General
Refer to general rules for the application of security cipher for devices and
computing in GM/T 0054-2018.
password. Then enter the identity authentication module. The hash
function shall be correct and valid;
c) When conducting key business processes such as transfers, transactions
and modification of information, it is advisable to use a variety of
cryptographic techniques to ensure the authenticity and validity of the user
identity;
d) User identification for operating system and database system management
shall not be easily fraudulently used. The static password of the key
system shall be more than 6 digits, composed of a mixture of letters,
numbers, symbols and so on, and shall be replaced regularly.
7.2.3.5 Verification code and dynamic password
"Audit records", "access control", "identity authentication", "verification code
and dynamic password" and "cryptographic module" are parts of the "equipment
and computing security" of credit banking information system. In the level two
requirements of the cryptography security protection of the credit banking
information system, the following requirements are made for the indicators of
“equipment and computing security - verification code and dynamic password”:
a) When using SMS or other channels to send the verification code, the
correct cryptography shall be used to ensure that the dynamic password
sent is completely random and unpredictable;
b) When using SMS or other channels to send the verification code, ensure
that the content of the verification code is not disclosed;
c) If OTP tokens are used for identity verification, use correct cryptography
to ensure that OTP is completely random and unpredictable.
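As an added illustration of items a) to c) above (example code, not part of the standard or any vendor's product), a Python model of a verification-code service: codes are drawn from the OS CSPRNG, only a keyed hash of each code is stored, and verification is single-use, time-limited and constant-time. The code length, validity window, attempt limit and the OtpStore name are assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6          # length of the verification code (assumed policy value)
OTP_TTL_SECONDS = 300   # validity window in seconds (assumed policy value)
MAX_ATTEMPTS = 3        # failed verifications allowed per code (assumed)


class OtpStore:
    """Issues and verifies SMS-style verification codes.

    The plaintext code is never stored: only a keyed hash of it, so a
    leaked store does not disclose pending codes (item b above).
    """

    def __init__(self, server_key: bytes, clock=time.time):
        self._server_key = server_key
        self._clock = clock
        self._pending = {}  # user_id -> (digest, expires_at, attempts_left)

    def _digest(self, user_id: str, code: str) -> bytes:
        # Bind the code to the user so a code issued for one account
        # cannot be replayed against another.
        msg = f"{user_id}:{code}".encode()
        return hmac.new(self._server_key, msg, hashlib.sha256).digest()

    def issue(self, user_id: str) -> str:
        # secrets.randbelow draws from the OS CSPRNG; a seeded PRNG such as
        # random.randint would be predictable (item a above).
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[user_id] = (
            self._digest(user_id, code),
            self._clock() + OTP_TTL_SECONDS,
            MAX_ATTEMPTS,
        )
        return code  # hand to the SMS channel; never write it to a log

    def verify(self, user_id: str, code: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            self._pending.pop(user_id, None)  # expired or locked out
            return False
        # Constant-time comparison avoids leaking the code through timing.
        if hmac.compare_digest(digest, self._digest(user_id, code)):
            self._pending.pop(user_id, None)  # single use
            return True
        self._pending[user_id] = (digest, expires_at, attempts_left - 1)
        return False
```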
7.2.3.6 Cryptographic module
"Audit records", "access control", "identity authentication", "verification code
and dynamic password" and "cryptographic module" are parts of the "equipment
and computing security" of credit banking information system. In the level two
requirements of the cryptography security protection of the credit banking
information system, the following requirements are made for the indicators of
“equipment and computing security - cryptographic module”:
A cryptographic module that complies with level two or above in GM/T 0028-2014,
or hardware cryptographic products approved by the national cipher management
department, shall be used to implement cryptographic operations and key
management:
a) The dedicated hardware or firmware of the system and the cryptographic
equipment shall implement security functions such as authorization
"application and data security" of the credit banking information system. In the
level two requirements of the cryptography security protection of the credit
banking information system, the following requirements are made for the
indicators of “application and data security - data storage”:
In terms of data storage security, the integrity service of cryptography can be
used to verify the integrity of system management data, authentication
information, key configuration information and important business data during
storage. Its cryptographic function shall be correct and effective.
7.2.4.4 Terminal application
"Data transmission", "data storage" and "terminal application" are parts of the
"application and data security" of the credit banking information system. In the
level two requirements of the cryptography security protection of the credit
banking information system, the following requirements are made for the
indicators of “application and data security - terminal application”:
a) The integrity service of cryptography shall be used to perform integrity
checks of important programs. Its cryptographic function shall be correct and
effective;
b) Terminal applications shall not store sensitive information such as user
passwords and payment passwords in plaintext or in merely encoded form;
c) When a terminal application processes sensitive data entered by the user,
such as passwords and payment passwords, security measures shall be taken to
ensure the confidentiality of the sensitive data and that it cannot be
obtained without authorization.
7.2.5 Cipher allocation policy requirements
7.2.5.1 Cryptographic algorithm allocation
"Cryptographic algorithm allocation", "cryptographic protocol use" and
"cryptographic device use" are parts of the "cipher allocation policy
requirements" of the credit banking information system. In the level two
requirements of the cryptography security protection of the credit banking
information system, the following requirements are made for the indicators of
“cipher allocation policy requirements - cryptographic algorithm allocation”:
It is advisable to use the algorithm approved by the national cryptographic
management authority.
7.2.5.2 Cryptographic protocol use
"Cryptographic algorithm allocation", "cryptographic protocol use" and
b) The key transmission, import and export process shall be carried out in
accordance with the principles of dual control and key division. If key
components are used, each required key component shall be imported
separately by its holder;
c) When transferring and importing keys, make sure that:
- The key may be transmitted only after the cryptographic device has
authenticated at least two authorized persons (for example, by password).
For keys distributed manually, management processes such as paper
authorization shall be used to authenticate the identity of the authorized
persons;
- A private key may be imported into a cryptographic device only after it has
been confirmed that the device has not been tampered with in a way that
could disclose keys or sensitive data;
- A private key may be transmitted between cryptographic devices only after
it has been confirmed that no eavesdropping device that could leak any
element of the transmitted key is installed at the interface of the
cryptographic device;
- A cryptographic device shall be used to transfer the private key between
the key generating device and the key using device;
- After importing the key into the target device, the key delivery device
shall not retain any information that might reveal the key;
- When a key transfer device is used, the key (including the key identifier,
if an explicit key identifier is used) shall be transferred from the
cryptographic device that generates the key to the key transfer device,
which shall then be physically transported to the location of the
cryptographic device that actually uses the key.
d) When using key components, it shall be confirmed that:
- The key components constituting the key shall be imported into or exported
from the device manually or by a key transmission device. The transmission
process shall not disclose any part of a key component to any unauthorized
individual;
- When key components are distributed in readable form, each key component
shall be distributed in a key mailer that does not reveal the value of the
component before it is opened;
- Before entering a key component, check the key mailer or cryptographic
device for signs of tampering. If one of the components is
"key backup and recovery" are parts of the "key management" of credit banking
information system. In the level two requirements of the cryptography security
protection of the credit banking...
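As an added illustration of the key transmission, import and key-component items above (example code, not from the standard or any device vendor), a Python model of a manual key-loading ceremony: the key is divided into XOR components held by separate persons, the device accepts a component only after two authorized persons have authenticated and the device has been checked for tampering, and the components are combined inside the device, which returns only a key check value. The class and function names, the officer count and the hash-based check value are assumptions.

```python
import hashlib
import secrets
from typing import Dict, List, Optional, Set

REQUIRED_OFFICERS = 2  # authorized persons that must authenticate first (assumed)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, holders: int) -> List[bytes]:
    """Divide a key into XOR components, one per holder (key division).

    All components but the last are drawn from the OS CSPRNG, so any
    subset short of the full set is independent of the key.
    """
    if holders < 2:
        raise ValueError("key division needs at least two holders")
    parts = [secrets.token_bytes(len(key)) for _ in range(holders - 1)]
    last = key
    for p in parts:
        last = _xor(last, p)
    return parts + [last]


def key_check_value(key: bytes) -> str:
    # Stand-in check value (assumption): production devices derive it with
    # the approved block cipher; a truncated hash serves the same purpose
    # here, letting holders confirm the loaded key without revealing it.
    return hashlib.sha256(key).hexdigest()[:6]


class CryptoDevice:
    """Model of a cryptographic device's manual key-loading ceremony."""

    def __init__(self, authorized: Set[str], tamper_evidence_intact: bool = True):
        self._authorized = authorized
        self._intact = tamper_evidence_intact
        self._logged_in: Set[str] = set()
        self._components: Dict[str, bytes] = {}  # holder -> component
        self._key: Optional[bytes] = None

    def authenticate(self, officer: str, password_ok: bool) -> bool:
        if officer in self._authorized and password_ok:
            self._logged_in.add(officer)
            return True
        return False

    def import_component(self, holder: str, component: bytes) -> None:
        # Tampering is checked before any key material enters the device.
        if not self._intact:
            raise RuntimeError("signs of tampering: abort the key load")
        # Dual control: at least two authorized persons authenticated.
        if len(self._logged_in) < REQUIRED_OFFICERS:
            raise PermissionError("dual control not satisfied")
        # Each holder enters their own component, separately and once.
        if holder in self._components:
            raise ValueError(f"component for {holder} already entered")
        self._components[holder] = component

    def assemble(self, expected_holders: int) -> str:
        """Combine the components inside the device; return only the KCV."""
        if len(self._components) != expected_holders:
            raise ValueError("not all key components have been entered")
        key = bytes(len(next(iter(self._components.values()))))
        for c in self._components.values():
            key = _xor(key, c)
        self._key = key
        self._components.clear()  # raw components are not retained
        return key_check_value(key)

    def has_key(self) -> bool:
        return self._key is not None
```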