GM/T 0076-2019: Cryptography technical requirements for banking card information system
GM/T 0076-2019
GM
CRYPTOGRAPHIC INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Cryptography technical requirements for banking card
information system
ISSUED ON: JULY 12, 2019
IMPLEMENTED ON: JULY 12, 2019
Issued by: State Cryptography Administration
Table of Contents
Foreword ... 4
Introduction ... 5
1 Scope ... 7
2 Normative references ... 7
3 Terms and definitions ... 8
4 Abbreviations ... 10
5 Bank card information system model ... 10
6 Basic requirements for cryptographic applications and functional requirements for cryptographic applications ... 11
7 Level 2 requirements for the security protection of cryptographic technology of bank card information system ... 11
7.1 Basic requirements ... 11
7.2 Security requirements for cryptographic technology ... 12
7.2.1 Physical and environmental security ... 12
7.2.2 Network and communication security ... 13
7.2.3 Device and computing security ... 14
7.2.4 Application and data security ... 16
7.2.5 Requirements for cryptographic allocation policy ... 18
7.3 Key security and management requirements ... 21
7.3.1 General ... 21
7.3.2 Key Security ... 21
7.3.3 Key management ... 23
7.4 Security management requirements ... 27
7.4.1 Overview ... 27
7.4.2 Security management system ... 27
7.4.3 Personnel management requirements ... 28
7.4.4 Cryptographic device management ... 29
7.4.5 Requirements for business terminal using passwords ... 29
8 Level 3 requirements for the security protection of cryptographic technology of bank card information system ... 30
8.1 Basic requirements ... 30
8.2 Security requirements for cryptographic technology ... 30
8.2.1 Physical and environmental security ... 30
8.2.2 Network and communication security ... 31
8.2.3 Device and computing security ... 34
8.2.4 Application and data security ... 37
8.2.5 Requirements for cryptographic allocation policy ... 39
8.3 Key security and management requirements ... 42
8.3.1 General ... 42
8.3.2 Key security ... 42
8.3.3 Key management ... 44
8.4 Security management requirements ... 50
8.4.1 Overview ... 50
8.4.2 Security management system ... 50
8.4.3 Personnel management requirements ... 51
8.4.4 Cryptographic device management ... 52
8.4.5 Requirements for business terminal using passwords ... 52
9 Level 4 requirements for the security protection of cryptographic technology of bank card information system ... 53
9.1 Basic requirements ... 53
9.2 Cryptographic technology security requirements ... 53
9.2.1 Physical and environmental security ... 53
9.2.2 Network and communication security ... 55
9.2.3 Device and computing security ... 58
9.2.4 Application and data security ... 62
9.2.5 Requirements for cryptographic allocation policy ... 64
9.3 Key security and management requirements ... 67
9.3.1 General ... 67
9.3.2 Key security ... 67
9.3.3 Key management ... 70
9.4 Security management requirements ... 77
9.4.1 Overview ... 77
9.4.2 Security management system ... 77
9.4.3 Personnel management requirements ... 78
9.4.4 Cryptographic device management ... 79
9.4.5 Requirements for business terminal using passwords ... 80
Appendix A (Normative) Comparison of security requirements ... 81
References ... 83
Cryptography technical requirements for banking card information system
1 Scope
This standard is based on GM/T 0054-2018, JR/T 007-2012 and other standards. Taking into account the characteristics of the bank card systems of banking financial institutions and the needs of applying cryptographic technology in the classified protection of this type of information system, it proposes specific requirements for the application of cryptographic technology in bank card systems at the different security protection levels, from three aspects: cryptographic security technical requirements, key security and management requirements, and security management requirements.
This standard is applicable to the guidance, standardization and evaluation of commercial cryptographic applications in banking card information systems.
2 Normative references
The following documents are essential to the application of this document. For dated references, only the version with the indicated date applies to this document; for undated references, the latest version (including all amendments) applies to this standard.
GB/T 20547.2-2006 Banking - Secure cryptographic devices (retail) - Part 2: Security compliance checklists for devices used in financial transactions
GB/T 21078.1 Banking - Personal identification number management and security - Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems
GB/T 21079.1 Banking - Secure cryptographic devices (retail) - Part 1: Concepts, requirements and evaluation methods
GM/T 0024 SSL VPN specification
GM/T 0028 Security requirements for cryptographic modules
GM/T 0036-2014 Technical guidance of cryptographic application for access control systems based on contactless smart card
GM/T 0054-2018 General requirements for information system cryptography
a) When authenticating users who log in to network devices, in order to prevent the authentication information from being reused or counterfeited, it should use the authenticity service of cryptographic technology to protect the authentication information against reuse and counterfeiting; the cryptographic function shall be correct and effective;
b) When performing remote network management, in order to prevent the authentication information from being leaked during transmission, it should use the confidentiality service of cryptographic technology to protect the confidentiality of the authentication information; the cryptographic function shall be correct and effective;
c) The management user ID of the network device system shall not be easy to use fraudulently; the static password of key network devices shall be more than 6 characters long, consist of a mixture of letters, numbers, symbols, etc., and be replaced regularly;
d) The information system shall use cryptographic technology to generate unique random identifiers for entities that have passed identity authentication, and shall ensure that this function is correct and effective.
7.2.3 Device and computing security
7.2.3.1 General
Refer to GM/T 0054-2018 General requirements for information system cryptography application.
7.2.3.2 Audit records
"Audit records", "access control", "identity authentication", "verification code and dynamic password" and "cryptographic module" are part of the "device and computing security" of the bank card information system. In the level 2 requirements for the security protection of the cryptographic technology of the bank card information system, the following requirements are made for the indicator "device and computing security - audit records":
In order to prevent the audit record from being illegally modified, it should use the integrity service of cryptographic technology to protect the integrity of the audit record; the cryptographic function shall be correct and effective.
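One way to provide the integrity service that 7.2.3.2 asks for is to seal every audit record with a keyed MAC and chain each record to the tag of the one before it, so that an edit, a deletion or a reordering is detected at verification time. The block below is an added example, not text or code from the standard; it assumes HMAC-SHA-256 from the Python standard library (hashlib has no SM3) and a constructed audit key that, in a real bank card system, would be held inside the cryptographic module rather than in source.

```python
import hashlib
import hmac
import json

# Constructed sample key for this example only; in practice the MAC key lives in
# the cryptographic module and the audit process calls into it.
AUDIT_KEY = b"example-audit-integrity-key-do-not-reuse"

GENESIS = "0" * 64  # chain anchor used as the 'prev' link of the first record


def _canonical(record: dict) -> bytes:
    """Stable serialisation so the same record always MACs to the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_record(prev_tag: str, record: dict, key: bytes = AUDIT_KEY) -> dict:
    """Return a copy of `record` carrying a 'prev' link and an HMAC tag over both."""
    body = dict(record, prev=prev_tag)
    body["tag"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


def build_log(events, key: bytes = AUDIT_KEY) -> list:
    """Seal events in order; each record's tag becomes the next record's 'prev'."""
    log, prev = [], GENESIS
    for event in events:
        sealed = seal_record(prev, event, key)
        log.append(sealed)
        prev = sealed["tag"]
    return log


def verify_log(log, key: bytes = AUDIT_KEY):
    """Return (True, None) if the chain is intact, else (False, index of first bad record).

    A modified record fails its own tag; a removed or reordered record breaks
    the 'prev' link of the record that follows it.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "tag"}
        if body.get("prev") != prev:
            return False, i
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("tag", "")):
            return False, i
        prev = rec["tag"]
    return True, None


# Constructed sample audit events (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2019-07-12T09:00:00Z", "user": "hsm-admin", "action": "login", "result": "ok"},
    {"ts": "2019-07-12T09:01:10Z", "user": "hsm-admin", "action": "key-import", "result": "ok"},
    {"ts": "2019-07-12T09:05:42Z", "user": "operator1", "action": "login", "result": "fail"},
]

if __name__ == "__main__":
    log = build_log(SAMPLE_EVENTS)
    print("intact:", verify_log(log))
    log[2]["result"] = "ok"  # simulate an after-the-fact edit of a failed login
    print("after edit:", verify_log(log))
```

The verifier reports the index of the first record that fails, which is what an incident responder wants: everything before it is still trustworthy, everything from that point on is suspect. The MAC key must not be readable by the processes that write the log, otherwise a privileged attacker can simply re-seal the chain.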
7.2.3.3 Access control
"Audit records", "access control", "identity authentication", "verification code
and dynamic password", "cryptographic module" are part of the "device and
computing security" of the bank card information system. In the level 2
password":
a) When sending the verification code by SMS or other channels, it shall use correct cryptographic technology to ensure that the dynamic password sent is completely random and unpredictable;
b) When using SMS or other channels to send the verification code, it shall ensure that the content of the verification code is not disclosed;
c) If OTP tokens are used for identity verification, it shall use correct cryptographic techniques to ensure that the OTP is completely random and unpredictable.
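The two properties asked for above, an unpredictable code (a, c) whose content is not disclosed (b), and the unique random identifiers of 7.2.2 d), all come down to drawing from a cryptographically secure random source and never storing or comparing the secret carelessly. The block below is an added example, not code from the standard: it uses Python's `secrets` module as the CSPRNG, stores only a keyed hash of the issued code so that a read of the server-side record does not disclose it, enforces expiry, single use and an attempt limit, and includes the clock-seeded anti-pattern purely to show why it fails the "unpredictable" requirement (the same second always yields the same code). The server key, TTL and attempt limit are constructed values, not figures from the standard.

```python
import hashlib
import hmac
import random
import secrets
import string
import time

OTP_LENGTH = 6          # constructed choice for the example
OTP_TTL_SECONDS = 300   # constructed choice for the example
MAX_ATTEMPTS = 5        # constructed choice for the example

# Constructed example key; in a bank card system the MAC key would be held in
# the cryptographic module, not in application source.
SERVER_KEY = b"example-otp-hmac-key-not-for-production"


def generate_otp(length: int = OTP_LENGTH) -> str:
    """Fixed-length numeric OTP from the OS CSPRNG; secrets.choice has no modulo bias."""
    return "".join(secrets.choice(string.digits) for _ in range(length))


def generate_session_id(nbytes: int = 32) -> str:
    """Unique, unpredictable identifier for an authenticated entity (7.2.2 d))."""
    return secrets.token_urlsafe(nbytes)


def weak_otp_time_seeded(timestamp: int, length: int = OTP_LENGTH) -> str:
    """Anti-pattern for comparison only: a PRNG seeded from the clock is predictable."""
    rng = random.Random(timestamp)
    return "".join(rng.choice(string.digits) for _ in range(length))


def _otp_tag(salt: bytes, code: str) -> str:
    return hmac.new(SERVER_KEY, salt + code.encode(), hashlib.sha256).hexdigest()


def issue_otp(now=None):
    """Return (code to deliver to the user, record to keep server-side).

    The record holds a salted HMAC of the code rather than the code itself, so
    a database read or log dump does not disclose the verification code.
    """
    now = time.time() if now is None else now
    code = generate_otp()
    salt = secrets.token_bytes(16)
    record = {
        "salt": salt,
        "tag": _otp_tag(salt, code),
        "expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    return code, record


def verify_otp(record: dict, submitted: str, now=None) -> bool:
    """Constant-time check with expiry, attempt limit and single use."""
    now = time.time() if now is None else now
    if record["attempts"] >= MAX_ATTEMPTS or now > record["expires"]:
        return False
    record["attempts"] += 1
    ok = hmac.compare_digest(_otp_tag(record["salt"], submitted), record["tag"])
    if ok:
        record["attempts"] = MAX_ATTEMPTS  # burn the code: it is single use
    return ok


if __name__ == "__main__":
    code, rec = issue_otp()
    print("send to user:", code)
    print("first use:", verify_otp(rec, code), "second use:", verify_otp(rec, code))
    print("session id:", generate_session_id())
    print("clock-seeded codes repeat:",
          weak_otp_time_seeded(1562918400) == weak_otp_time_seeded(1562918400))
```

Delivery over SMS is outside what this code can protect; the example covers the generation and server-side handling of the code, which is where a developer decides whether requirements a) to c) are met.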
7.2.3.6 Cryptographic module
"Audit records", "access control", "identity authentication", "verification code and dynamic password" and "cryptographic module" are part of the "device and computing security" of the bank card information system. In the level 2 requirements for the security protection of the cryptographic technology of the bank card information system, the following requirements are made for the indicator "device and computing security - cryptographic module":
It shall use cryptographic modules of level 2 or above that comply with GM/T 0028, or hardware cryptographic products approved by the national cryptographic management department, to realize cryptographic calculations and key management:
a) The system's dedicated hardware or firmware and cryptographic device shall implement security functions such as authorization control, unauthorized access detection and operating status indication, to ensure that the cryptographic module operates correctly in the approved working mode;
b) The system's dedicated hardware or firmware and cryptographic device shall be able to prevent unauthorized disclosure of the module's content or key security parameters;
c) The system's dedicated hardware or firmware and cryptographic device shall be able to prevent unauthorized or undetectable modifications to cryptographic modules and cryptographic algorithms.
7.2.4 Application and data security
7.2.4.1 General
Refer to GM/T 0054-2018 General requirements for information system cryptography
"application and data security - terminal application":
a) It should use the integrity service of cryptographic technology to verify the integrity of important programs; the cryptographic function shall be correct and effective;
b) Terminal applications shall not store sensitive information such as user passwords, payment passwords, PAC, CVV, etc. in plaintext or in merely encoded form;
c) When the terminal application processes sensitive data entered by the user, such as passwords and payment passwords, it should use security measures to ensure the confidentiality of the sensitive data and to ensure that it cannot be obtained through unauthorized access.
7.2.5 Requirements for cryptographic allocation policy
7.2.5.1 Cryptographic algorithm configuration
"Cryptographic algorithm allocation", "cryptographic protocol use", "application ciphertext generation", "bank card terminal", "password keyboard" and "cryptographic device use" are components of the bank card information system's "cryptographic allocation policy requirements". In the level 2 requirements for the security protection of the cryptographic technology of the bank card information system, the following requirements are made for the indicator "cryptographic allocation policy requirements - cryptographic algorithm allocation":
It shall use algorithms approved by the national cryptographic management authority.
7.2.5.2 Use of cryptographic protocol
"Cryptographic algorithm allocation", "cryptographic protocol use", "application ciphertext generation", "bank card terminal", "password keyboard" and "cryptographic device use" are components of the bank card information system's "cryptographic allocation policy requirements". In the level 2 requirements for the security protection of the cryptographic technology of the bank card information system, the following requirements are made for the indicator "cryptographic allocation policy requirements - cryptographic protocol use":
It shall use cryptographic protocols that have passed the security review of the national cryptographic administration department to realize the cryptographic functions.
7.2.5.3 Generation of application ciphertext
between the cryptographic devices;
- It shall use a cryptographic device to transmit the private key between the device that generates the key and the device that uses the key;
- After importing the key into the target device, the key transfer device shall not retain any information that could reveal the key;
- When a key transfer device is used, the key (and, if an explicit key identifier is used, the key identifier) shall be transferred from the cryptographic device that generated the key to the key transfer device; this device shall then be physically transported to the location of the cryptographic device that actually uses the key.
d) When key components are used, it shall be confirmed that:
- The key components that constitute the key are imported into or exported from the device manually or by the key transfer device, and the transmission of a key component discloses no part of it to any unauthorized individual;
- When key components are distributed in readable form, each key component is distributed in a key envelope that does not reveal the value of the component before it is opened;
- Before a key component is entered, the key envelope or cryptographic device is checked for signs of tampering; if any one of the components has been tampered with, the whole set of key components shall not be used and shall be destroyed according to the procedures described in GB/T 21078.1;
- Each key component is entered individually by its own holder, and the correctness of the entered component is verified.
e) The key administrator shall be responsible for checking that the verification values generated when the key is exported and when it is imported are consistent.
f) After a key component has been entered into the cryptographic device, the key envelope shall be destroyed or sealed in another tamper-evident key envelope for possible future use.
g) After the key is injected, the medium holding the backup key shall be placed in a password envelope and, once supervised and confirmed by a designated person, locked in the safe.
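Items d) and e) describe a split-knowledge key ceremony: the key exists only as components held by different custodians, each component is entered by its holder alone and checked, and the recombined key is accepted only if its verification value matches the one recorded at export. The block below is an added model of that procedure, not code from the standard or from any cryptographic device vendor. It assumes XOR-combined components (so fewer than all components reveal nothing about the key) and uses a truncated SHA-256 of the key material as the check value; that check-value method is an assumption for illustration, as the standard does not fix one here, and a real device would compute the value its own procedure defines. The `KeyEnvelope` class and the tamper flag are constructed stand-ins for the physical envelope inspection.

```python
import hashlib
import secrets


def check_value(key: bytes) -> str:
    """Illustrative check value: first 3 bytes (6 hex chars) of SHA-256 over the key.

    Assumption for this example only; the actual verification-value method is
    whatever the cryptographic device and the key administrator's procedure define.
    """
    return hashlib.sha256(key).hexdigest()[:6]


def _xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("component length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n: int) -> list:
    """Split `key` into n XOR components drawn from the OS CSPRNG.

    Any n-1 components are uniformly random and independent of the key, so a
    custodian who sees only their own envelope learns nothing about the key.
    """
    if n < 2:
        raise ValueError("split knowledge needs at least two holders")
    components = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for c in components:
        last = _xor(last, c)
    components.append(last)
    return components


class KeyEnvelope:
    """Constructed model of a sealed key envelope: the component, its check value
    and a tamper flag that stands in for the custodian's physical inspection."""

    def __init__(self, component: bytes):
        self.component = component
        self.kcv = check_value(component)
        self.tampered = False


def key_ceremony(envelopes, expected_kcv: str):
    """Model of 7.3.3.1 d) and e). Returns (key, "ok") or (None, reason).

    Every envelope is inspected before anything is entered; each component is
    checked against its own value as the holder enters it; the combined key is
    accepted only if its check value equals the one recorded at export.
    """
    # d) inspect all envelopes first: one tampered envelope voids the whole set
    for env in envelopes:
        if env.tampered:
            return None, "tampered envelope: destroy the whole component set"
    combined = None
    for env in envelopes:
        entered = env.component  # in practice typed in by that holder alone
        if check_value(entered) != env.kcv:
            return None, "component check value mismatch: component rejected"
        combined = entered if combined is None else _xor(combined, entered)
    # e) the key administrator compares the import-time value with the export-time value
    if combined is None or check_value(combined) != expected_kcv:
        return None, "combined key check value mismatch: key not loaded"
    return combined, "ok"


if __name__ == "__main__":
    master = secrets.token_bytes(16)          # constructed 128-bit sample key
    exported_kcv = check_value(master)        # value recorded at export time
    envs = [KeyEnvelope(c) for c in split_key(master, 3)]
    key, status = key_ceremony(envs, exported_kcv)
    print(status, key == master)
    envs[1].tampered = True
    print(key_ceremony(envs, exported_kcv)[1])
```

The order matters: all envelopes are inspected before any component is entered, matching the requirement that a single tampered component invalidates the entire set. Once the device has accepted the combined key, the components in memory should be zeroized and the envelopes handled as item f) requires.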
7.3.3.2 Key storage and custody
"Key import and export", "key storage and custody", "key use and replacement",
corresponding emerg...