GM/T 0075-2019 English PDF (GMT0075-2019)
GM/T 0075-2019: Cryptography technical requirements for credit banking information systems
GM
CRYPTOLOGIC INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Cryptography technical requirements for credit banking information systems
ISSUED ON: JULY 12, 2019
IMPLEMENTED ON: JULY 12, 2019
Issued by: State Cryptography Administration
Table of Contents
Foreword ... 3
Introduction ... 4
1 Scope ... 6
2 Normative references ... 6
3 Terms and definitions ... 7
4 Abbreviations ... 8
5 Model of credit banking information system ... 9
6 Basic requirements for cipher application and functional requirements for cipher application ... 10
7 Secondary requirements for security protection of cryptography of credit banking information system ... 10
8 Level three requirements of the cryptography security protection of the credit banking information system ... 26
Annex A (normative) Security requirements comparison table ... 48
Bibliography ... 50
Cryptography technical requirements for credit banking information systems
1 Scope
This Standard, on the basis of GM/T 0054-2018, JR/T 007-2012 and other standards, and taking into account the characteristics of credit banking systems and the needs of cryptographic application in the graded protection of such information systems, puts forward specific requirements for the application of cryptography in credit banking information systems at different security protection levels, from three aspects: cryptographic security technical requirements, key security and management requirements, and security management requirements.
This Standard is applicable to guiding, standardizing and evaluating commercial cipher application in credit banking information systems.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 20547.2-2006, Banking - Secure cryptographic devices (retail) - Part 2: Security compliance checklists for devices used in financial transactions
GB/T 21078.1-2007, Banking - Personal Authentication Number management and security - Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems
GB/T 21079.1, Banking - Secure cryptographic devices (retail) - Part 1: Concepts, requirements and evaluation methods
GM/T 0024, SSL VPN specification
GM/T 0028-2014, Security Requirements for Cryptographic Modules
GM/T 0036-2014, Technical guidance of cryptographic application for access control systems based on contactless smart card
6 Basic requirements for cipher application and functional requirements for cipher application
The basic requirements for cipher application and functional requirements for cipher application of the credit banking information system shall comply with the requirements in Clause 5, Clause 6 of GM/T 0054-2018.
7 Secondary requirements [1] for security protection of cryptography of credit banking information system
7.1 Basic requirements
Meet the requirements for level two indicators in GM/T 0054-2018.
7.2 Security requirements for cryptography
7.2.1 Physical and environmental security
7.2.1.1 General
Refer to general principles for the application of physical and environmental security cipher in GM/T 0054-2018.
7.2.1.2 Cipher hardware security
"Cipher hardware security", "physical environment security" and "electronic access control system" are parts of the "physical and environmental security" of the credit banking information system. In the level two requirements of the cryptography security protection of the credit banking information system, the following requirements are made for the indicators of "physical and environmental security - cipher hardware security":
a) The dedicated hardware or firmware of the system and cryptographic equipment shall have effective physical security protection measures;
NOTE: "Effective measures" in this Standard refer to means that can meet the requirements of "guarantee items" or methods that can achieve the security goals set by the system. The following notes are the same.
b) The dedicated hardware or firmware of the system and cryptographic equipment shall meet the reliability requirements of the operating
[1] For comparison of all security requirements of this level with other levels, please refer to Annex A Security Requirements Comparison Table, the same below.
“network and communication security - communication security”:
a) In order to prevent access communication data from being tampered with, intercepted, counterfeited or reused, it is advisable to use the integrity, confidentiality and authenticity services of cryptography to protect network boundary and system resource access control information;
b) During data transmission, cryptographic techniques such as digital certificates and encryption/decryption shall be used to establish a secure transport-layer session channel.
7.2.2.3 Identity authentication
"Communication security" and "authentication" are parts of the "network and communication security" of the credit banking information system. In the level two requirements of the cryptography security protection of the credit banking information system, the following requirements are made for the indicators of “network and communication security - identity authentication”:
a) When authenticating a user who logs in to network devices, in order to prevent the authentication information from being reused or counterfeited, it is advisable to use the authenticity service of cryptography to protect the authentication information against reuse and counterfeiting. Its cipher function shall be correct and effective;
b) Authentication of network equipment system management users shall not be easily impersonated. The static password of key network equipment shall be at least 6 characters long, composed of a mixture of letters, numbers, symbols and so on, and shall be replaced regularly;
c) When performing remote network management, in order to prevent the authentication information from being leaked during transmission, it is advisable to use the confidentiality service of cryptography to protect the confidentiality of the authentication information. Its cipher function shall be correct and effective;
d) The information system shall use cryptography to generate unique random identifiers for entities that have passed identity authentication, and shall ensure that this function is correct and effective.
7.2.3 Equipment and computing security
7.2.3.1 General
Refer to general rules for the application of security cipher for devices and computing in GM/T 0054-2018.
password. Then enter the identity authentication module. The hash function shall be correct and valid;
c) When conducting key business processes, such as transfers, transactions and modification of information, it is advisable to use a combination of cryptographic techniques to ensure the authenticity and validity of the user's identity;
d) Identification of operating system and database system management users shall not be easily impersonated. The static password of the key system shall be more than 6 characters long, composed of a mixture of letters, numbers, symbols and so on, and shall be replaced regularly.
7.2.3.5 Verification code and dynamic password
"Audit records", "access control", "identity authentication", "verification code and dynamic cipher" and "cryptographic module" are parts of the "equipment and computing security" of the credit banking information system. In the level two requirements of the cryptography security protection of the credit banking information system, the following requirements are made for the indicators of "equipment and computing security - verification code and dynamic password":
a) When using SMS or other channels to send the verification code, the correct cryptography shall be used to ensure that the dynamic password sent is completely random and unpredictable;
b) When using SMS or other channels to send the verification code, ensure that the content of the verification code is not disclosed;
c) If OTP tokens are used for identity verification, use correct cryptography to ensure that OTP is completely random and unpredictable.
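The three items above come down to one property: a verification code or OTP must be drawn from a cryptographically secure random source, handled so it cannot be replayed, and, for token-based OTP, derived from a secret that was itself generated that way. The following Python is an added example written for this page, not text or code from the standard; the 6-digit length, the 300-second validity window, the in-memory store and the use of HOTP (RFC 4226) as the token construction are all assumptions, since the clause names no algorithm or parameters.

```python
import hashlib
import hmac
import random
import secrets

CODE_DIGITS = 6          # 6-digit verification code (constructed policy for this example)
CODE_TTL_SECONDS = 300   # validity window; an assumed value, the clause fixes none


def weak_code(seed: int) -> str:
    """What the clause rules out: a code from a deterministic PRNG seeded with
    something guessable (here the caller's clock value). Whoever narrows down
    the seed reproduces the code; it is neither random nor unpredictable."""
    rng = random.Random(seed)
    return f"{rng.randrange(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


def generate_code() -> str:
    """CSPRNG-based code: secrets.randbelow draws from the OS entropy source,
    so each code is uniform over 000000..999999 and independent of earlier ones."""
    return f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


def issue_code(store: dict, user: str, now: float) -> str:
    """Generate a code and record it server-side with its issue time (one live code per user)."""
    code = generate_code()
    store[user] = (code, now)
    return code


def verify_code(store: dict, user: str, submitted: str, now: float) -> bool:
    """Single-use, time-limited check in constant time, so a wrong guess neither
    leaks the code through timing nor leaves the issued code reusable."""
    entry = store.pop(user, None)      # pop: each issued code may be tried once
    if entry is None:
        return False
    code, issued_at = entry
    if now - issued_at > CODE_TTL_SECONDS:
        return False
    return hmac.compare_digest(code, submitted)


def new_token_secret() -> bytes:
    """Seed for an OTP token: 160 bits from the CSPRNG, never a fixed or derived value."""
    return secrets.token_bytes(20)


def hotp(secret: bytes, counter: int, digits: int = CODE_DIGITS) -> str:
    """Event-based OTP as specified in RFC 4226 (HMAC-SHA1 with dynamic truncation),
    used here only to illustrate an OTP token; the standard does not prescribe it.
    The value is deterministic in (secret, counter) yet unpredictable without the secret."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


if __name__ == "__main__":
    store = {}
    code = issue_code(store, "user-1", now=1000.0)
    print("code:", code, "verified:", verify_code(store, "user-1", code, now=1010.0))
    print("RFC 4226 test vector, counter 0:", hotp(b"12345678901234567890", 0))
```

The `weak_code` function is included only as the counter-example: two calls with the same seed return the same code, which is exactly the predictability item a) forbids. The HOTP values for the RFC 4226 test secret (`755224`, `287082`, `359152` for counters 0, 1, 2) can be used to confirm the implementation.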
7.2.3.6 Cryptographic module
"Audit records", "access control", "identity authentication", "verification code and dynamic cipher" and "cryptographic module" are parts of the "equipment and computing security" of the credit banking information system. In the level two requirements of the cryptography security protection of the credit banking information system, the following requirements are made for the indicators of "equipment and computing security - cryptographic module":
It shall use a cryptographic module that complies with level two or higher of GM/T 0028-2014, or hardware cryptographic products approved by the national cipher management department, to realize cryptographic operations and key management:
a) The dedicated hardware or firmware of the system and the cryptographic equipment shall implement security functions such as authorization
"application and data security" of the credit banking information system. In the level two requirements of the cryptography security protection of the credit banking information system, the following requirements are made for the indicators of “application and data security - data storage”:
In terms of data storage security, the integrity service of cryptography can be used to check the integrity of system management data, authentication information, key configuration information and important business data during storage. Its cipher function shall be correct and effective.
7.2.4.4 Terminal application
"Data transmission", "data storage" and "terminal application" are parts of the "application and data security" of the credit banking information system. In the level two requirements of the cryptography security protection of the credit banking information system, the following requirements are made for the indicators of “application and data security - terminal application”:
a) The integrity service of cryptography shall be used to achieve the integrity check of important programs. Its cipher function shall ensure correct and effective;
b) Terminal application shall not store sensitive information such as user passwords and payment passwords in plaintext or in merely encoded form;
c) When terminal application processes sensitive data entered by the user, such as passwords and payment passwords, security measures shall be taken to ensure the confidentiality of the sensitive data and ensure that it is not obtained without authorization.
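Items a) and b) are the two terminal-side checks that are easiest to get subtly wrong: an integrity check whose reference values an attacker can rewrite along with the program, and password "protection" that is only an encoding. The Python below is an added example for this page, not code from the standard; the sample programs are constructed byte strings, the integrity key is assumed to live in the terminal's protected storage, and PBKDF2 with an assumed iteration count stands in for whatever approved one-way construction a deployment uses for a credential the terminal itself verifies.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample data: the terminal's "important programs" are held as bytes
# here so the example runs without touching the file system.
PROGRAMS = {
    "teller.bin": b"\x7fELF constructed teller logic v1",
    "pinpad.so": b"\x7fELF constructed PIN entry handler",
}

PBKDF2_ITERATIONS = 600_000   # assumed work factor; tune to the terminal's CPU budget


def build_manifest(programs: dict, integrity_key: bytes) -> dict:
    """HMAC-SHA256 of each program. A keyed MAC rather than a bare hash, so that an
    attacker who can rewrite a program cannot also rewrite its expected value
    without the integrity key (assumed to sit in the terminal's protected storage)."""
    return {name: hmac.new(integrity_key, data, hashlib.sha256).hexdigest()
            for name, data in programs.items()}


def verify_programs(programs: dict, manifest: dict, integrity_key: bytes) -> list:
    """Return the names of programs that are missing, modified, or not in the manifest.
    An empty list means the integrity check passed and the terminal may proceed."""
    findings = []
    for name, expected in manifest.items():
        data = programs.get(name)
        if data is None:
            findings.append(name)
            continue
        actual = hmac.new(integrity_key, data, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(actual, expected):
            findings.append(name)
    findings.extend(name for name in programs if name not in manifest)
    return sorted(findings)


def decode_stored_password(stored_b64: bytes) -> str:
    """Why 'encoding' is not storage protection: Base64 reverses in one call."""
    return base64.b64decode(stored_b64).decode()


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256 record for a credential the terminal verifies itself.
    Only the salt and the derived value are stored; the password cannot be read back."""
    salt = salt or secrets.token_bytes(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, derived_hex = record.split("$")
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                  bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(derived.hex(), derived_hex)


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # provisioned once, kept in protected storage
    manifest = build_manifest(PROGRAMS, key)
    patched = dict(PROGRAMS, **{"teller.bin": b"\x7fELF patched"})
    print("tampered programs:", verify_programs(patched, manifest, key))
    print("base64 'protection' gives back:",
          decode_stored_password(base64.b64encode(b"Tr0ub4dor&3")))
    record = hash_password("Tr0ub4dor&3")
    print("password verifies:", verify_password("Tr0ub4dor&3", record))
```

`verify_programs` reports three distinct conditions (modified, missing, unexpected) because a terminal that only compares the programs it expects will not notice an extra module that was dropped alongside them. Payment passwords entered at the terminal are covered by item c) rather than by `hash_password`: they are forwarded to the host under the PIN handling rules of the referenced GB/T 21078.1, not stored on the terminal at all.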
7.2.5 Cipher allocation policy requirements
7.2.5.1 Cryptographic algorithm allocation
"Cryptographic algorithm allocation", "cryptographic protocol use" and "cryptographic device use" are parts of the "cipher allocation policy requirements" of the credit banking information system. In the level two requirements of the cryptography security protection of the credit banking information system, the following requirements are made for the indicators of "cipher allocation policy requirements - cryptographic algorithm allocation":
It is advisable to use the algorithm approved by the national cryptographic management authority.
7.2.5.2 Cryptographic protocol use
"Cryptographic algorithm allocation", "cryptographic protocol use" and
b) The key transmission, import and export process shall be carried out in accordance with the principle of dual control and key splitting. If key components need to be used, each required key component shall be imported separately by its holder;
c) When transferring and importing keys, make sure:
- The key can be transmitted only after the cryptographic device has authenticated at least two authorized persons (for example, by password). For keys distributed manually, management processes such as paper authorization shall be used to authenticate the identity of the authorized person;
- The private key may be imported into the cryptographic device only after confirming that the device has not been tampered with in a way that could lead to the disclosure of keys or sensitive data;
- The private key may be transmitted between cryptographic devices only after confirming that no eavesdropping device that could leak any element of the transmitted key is installed at the interface of the cryptographic device;
- A cryptographic device shall be used to transfer the private key between the key generating device and the key using device;
- After importing the key into the target device, the key delivery device shall not retain any information that might reveal the key;
- When a key transfer device is used, the key (including the key identifier, if an explicit key identifier is used) shall be transferred from the cryptographic device that generates the key to the key transfer device, which shall then be physically transported to the location of the cryptographic device that actually uses the key.
d) When using key components, it shall be confirmed that:
- The key components constituting the key are imported into or exported from the device manually or by a key transmission device. The transmission process of a key component shall not disclose any part of the key component to any unauthorized individual;
- When key components are distributed in readable form, each key component is distributed in a key mailer that does not reveal the value of the key component before opening;
- Before a key component is entered, the key mailer or cryptographic device is checked for signs of tampering. If one of the components is
"key backup and recovery" are parts of the "key management" of the credit banking information system. In the level two requirements of the cryptography security protection of the credit banking information system, the following requirements are made for the indicators of "key management - key use and replacement":
a) The key shall have a clearly defined purpose and be used correctly according to that purpose;
b) Establish a tracking and verification system for each link in the use of the key;
c) In the process of using the key, there shall be security measures to prevent the leakage and replacement of the key;
d) During the key use process, the key shall be replaced according to the key replacement cycle requirements. Key replacement allows interruption of system operation;
e) When the key is leaked, stop using it immediately and start the corresponding emergency treatment and response measures;
f) Manage the system administrator password, user password, and user authority of cryptographic equipment and cryptographic management equipment. In case of leakage or loss of control of authority, the verification and tracking program shall be initiated. Evaluate the incident level according to the loss of control of the authority and update the relevant keys in time.
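The key import and export items above (dual control, key splitting, separate import of each component by its holder, and no retention of key material outside the device) can be made concrete with a small simulation. The Python below is an added example written for this page, not code from the standard: the XOR splitting scheme, the 128-bit key length, the simulated device class and the SHA-256-based key check value are all assumptions chosen for illustration, since the page names none of them.

```python
import hashlib
import secrets

KEY_LEN = 16   # 128-bit key, constructed for this example


def xor_bytes(parts) -> bytes:
    """XOR an iterable of equal-length byte strings together."""
    parts = list(parts)
    acc = bytes(len(parts[0]))
    for p in parts:
        acc = bytes(a ^ b for a, b in zip(acc, p))
    return acc


def split_key(key: bytes, holders: int) -> list:
    """Split a key into `holders` XOR components. All but the last are drawn from the
    CSPRNG; the last is chosen so the XOR of all components equals the key. Each
    component is uniformly random on its own, so a single holder learns nothing."""
    if holders < 2:
        raise ValueError("dual control needs at least two holders")
    parts = [secrets.token_bytes(len(key)) for _ in range(holders - 1)]
    parts.append(xor_bytes(parts + [key]))
    return parts


def key_check_value(key: bytes) -> str:
    """Short public fingerprint used to confirm a reconstructed key without revealing it.
    Assumed convention for this example: first 3 bytes of SHA-256 (banking devices
    usually derive a KCV by encrypting a zero block; the page does not specify one)."""
    return hashlib.sha256(key).hexdigest()[:6]


class CryptoDevice:
    """Simulated key import under dual control: components are entered one at a time by
    different holders and only combined inside the device once all are present.
    Nothing outside the device ever sees the whole key."""

    def __init__(self, expected_components: int, expected_kcv: str):
        self._expected = expected_components
        self._kcv = expected_kcv
        self._components = {}
        self._key = None

    def import_component(self, holder_id: str, component: bytes) -> bool:
        """Returns True once the last component completes the key, False while waiting."""
        if holder_id in self._components:
            raise PermissionError("each component must be entered by a different holder")
        if len(component) != KEY_LEN:
            raise ValueError("component has wrong length")
        self._components[holder_id] = component
        if len(self._components) < self._expected:
            return False                      # still waiting for the other holders
        key = xor_bytes(self._components.values())
        self._components.clear()              # components are not retained after use
        if key_check_value(key) != self._kcv:
            raise ValueError("KCV mismatch: a component was wrong or altered")
        self._key = key
        return True

    def key_loaded(self) -> bool:
        return self._key is not None

    def key_check(self) -> str:
        """Operators confirm the load by comparing KCVs, never by reading the key."""
        return key_check_value(self._key) if self._key else ""


if __name__ == "__main__":
    key = secrets.token_bytes(KEY_LEN)        # generated inside a key-generation device
    components = split_key(key, 3)
    device = CryptoDevice(3, key_check_value(key))
    for holder, part in zip(("custodian-A", "custodian-B", "custodian-C"), components):
        print(holder, "entered; key loaded:", device.import_component(holder, part))
    print("KCV matches:", device.key_check() == key_check_value(key))
```

Two properties of the scheme are worth checking directly: combining any proper subset of the components yields a value unrelated to the key (so a holder who obtains a second component still learns nothing until all are present), and the device rejects a load whose KCV does not match, which is how the "signs of tampering" check on a mailer or component carries over to the value actually entered.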
7.3.3.4 Key backup and recovery
"Key import and export", "key storage and custody", "key use and replacement" and "key backup and recovery" are parts of the "key management" of the credit banking information system. In the level two requirements of the cryptography security protection of the credit banking information system, the following requirements are made for the indicators of "key management - key backup and recovery":
a) A key recovery and correction workflow shall be established. Clarify the triggers for key replacement and modification. Specify the standard operating procedures for key replacement and modification. Keep records of key replacement and revision operations;
b) If it is suspected that the key is leaked or the security of the device is threatened, the key shall be withdrawn or replaced (for example, destroyed or revoked);
c) A clear key backup strategy shall be developed. Use a safe and reliable key backup and recovery mechanism to back up or restore keys;
cryptographic systems shall be established. Clarify the operation standard process of each step. Work forms shall be generated for each stage of operation and archived;
c) Regularly check the security management status of cryptographic equipment and key systems. Fill in relevant forms and reports in accordance with the requirements of the key security management system;
d) It is advisable to formulate a cryptographic security management system and operation specifications, and safety operation specifications. The cryptographic security management system shall include cryptographic management related content such as cryptographic construction, operation and maintenance, personnel, equipment, keys and so on;
e) The rationality and applicability of the cryptographic security management system shall be demonstrated and reviewed regularly. Revise security management systems that are inadequate or need improvement;
f) The release process of relevant management systems shall be clarified.
7.4.3 Personnel management requirements
"Security management system", "personnel management requirements", "cryptographic equipment management" and "business terminal requirements using ciphers" are parts of the "security management requirements" of the credit banking information system. In the level two requirements of the cryptography security protection of the credit banking information system, the following requirements are made for the indicators of "security management requirements - personnel management requirements":
a) Shall understand and abide by laws and regulations related to cryptography;
b) Shall be able to use cryptographic products correctly;
b) Shall be able to use cryptographic products correctly;
c) A personnel training system shall be established to provide special training for personnel involved in the operation and management of cipher and key management;
d) According to the requirements of the competent department and the actual situation of the organization, a certain number of key management personnel, security auditors, cryptographic equipment operators and other positions shall be staffed. Personnel in the above positions shall not hold each other's positions concurrently;
e) Shall be equipped with full-time key management personnel. Personnel in the
illegally attempted card;
d) The qualification, architecture and deployment of the adopted access control system shall comply with the technical specifications required by GM/T 0036-2014;
e) Corresponding rules and regulations shall be formulated to ensure the compliance, correctness and effectiveness of the access control system.
8.2.2 Network and communication security
8.2.2.1 General
Refer to general rules for network and communication security cipher application in GM/T 0054-2018.
8.2.2.2 Communication security
"Communication security", "identity authentication", "secure access path" and "audit records" are parts of "network and communication security" of the bank’s core system. In the level three requirements of the cryptography security protection of the credit banking information system, the following requirements are made for the indicators of "network and communication security - communication security":
a) In order to prevent access to communication data from being tampered with, intercepted, counterfeited an...