GM/T 0077-2019 English PDF (GMT0077-2019)


Regular price $425.00 USD

GM/T 0077-2019: Cryptography technical requirements for core banking systems

Building on GM/T 0054-2018 and JR/T 0071-2012, this Standard combines the characteristics of the core systems of banking financial institutions with the demands for applying cryptographic technique in the security construction of this type of classified-protection information system. From three perspectives, namely cryptographic security technical requirements, key security and management requirements, and security management requirements, it sets out specific requirements for the application of cryptographic technique in core systems at different security protection levels.
GM/T 0077-2019
GM
CRYPTOGRAPHIC INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Cryptography Technical Requirements for Core Banking Systems
ISSUED ON: JULY 12, 2019
IMPLEMENTED ON: JULY 12, 2019
Issued by: State Cryptography Administration
Table of Contents
Foreword ... 3
Introduction ... 4
1 Scope ... 6
2 Normative References ... 6
3 Terms and Definitions ... 7
4 Abbreviations ... 10
5 Core Banking System Model... 10
6 Basic Requirements and Functional Requirements for Cryptographic Application ... 11
7 Level-3 Requirements for Cryptographic Technical Security Protection of Core Banking Information System ... 11
8 Level-4 Requirements for Cryptographic Technical Security Protection of Core Banking Information System ... 33
Appendix A (normative) Security Requirements Comparison Table ... 58
Bibliography ... 60
Cryptography Technical Requirements for Core Banking Systems
1 Scope
Building on GM/T 0054-2018 and JR/T 007-2012 (TRANSLATOR NOTE: it should be JR/T 0071-2012), this Standard combines the characteristics of the core systems of banking financial institutions with the demands for applying cryptographic technique in the security construction of this type of classified-protection information system. From three perspectives, namely cryptographic security technical requirements, key security and management requirements, and security management requirements, it sets out specific requirements for the application of cryptographic technique in core systems at different security protection levels. This Standard is applicable to the guidance, standardization and evaluation of the core information systems of banks and financial institutions.
2 Normative References
The following documents are indispensable to the application of this document. In terms of references with a specified date, only versions with a specified date are applicable to this document. In terms of references without a specified date, the latest version (including all the modifications) is applicable to this document.
GB/T 20547.2-2006 Banking - Secure Cryptographic Devices (retail) - Part 2: Security Compliance Checklists for Devices Used in Financial Transactions
GB/T 21078.1 Banking - Personal Identification Number Management and Security - Part 1: Basic Principles and Requirements for Online PIN Handling in ATM and POS Systems
GB/T 21079.1 Banking - Secure Cryptographic Devices (retail) - Part 1: Concepts, Requirements and Evaluation Methods
GM/T 0024 SSL VPN Specification
GM/T 0028 Security Requirements for Cryptographic Modules
GM/T 0036-2014 Technical Guidance of Cryptographic Application for Access Control Systems Based on Contactless Smart Card
GM/T 0054-2018 General Requirements for Information System Cryptography Application
7.2 Cryptographic Technical Security Requirements
7.2.1 Physical and environmental security
7.2.1.1 General rules
Take the general rules of cryptographic application in physical and environmental security in GM/T 0054-2018 as a reference.
7.2.1.2 Cryptographic hardware security
“Cryptographic hardware security”, “physical environmental security” and “electronic access control system” are the constituent parts of “physical and environmental security” of the core banking system. In Level-3 requirements of cryptographic technical security protection of the core banking information system, the following requirements are made for the “physical and environmental security - cryptographic hardware security” indicator:
a) The system’s dedicated hardware or firmware and cryptographic device shall have effective physical security protection measures;
NOTE: in this Standard, “effective measures” refer to the means that can meet the requirements of the “ensured items” or the method that can achieve the security goals set by the system, the same below.
b) The system’s dedicated hardware or firmware and cryptographic device shall satisfy operating environment reliability requirements.
7.2.1.3 Physical environmental security
“Cryptographic hardware security”, “physical environmental security” and “electronic access control system” are the constituent parts of “physical and environmental security” of the core banking system. In Level-3 requirements of cryptographic technical security protection of the core banking information system, the following requirements are made for the “physical and environmental security - physical environmental security” indicator:
The authenticity function of cryptographic technique shall be used to protect the identity authentication information of physical access control and ensure the authenticity of the identity of personnel entering important areas.
7.2.1.4 Electronic access control system
“Cryptographic hardware security”, “physical environmental security” and “electronic access control system” are the constituent parts of “physical and environmental security” of the core banking system. In Level-3 requirements of cryptographic technical security protection of the core banking information system, the following e) Cryptographic technique shall be adopted to establish a secure information transmission channel, so as to perform centralized management of the security device or security components in the network.
7.2.2.5 Audit record
“Communication security”, “identity authentication”, “secure access path” and “audit record” are the constituent parts of “network and communication security” of the core banking system. In Level-3 requirements of cryptographic technical security protection of the core banking information system, the following requirements are made for the “network and communication security - audit record” indicator:
The integrity service of cryptographic technique shall be adopted to protect the integrity of audit record. It shall be ensured that its cryptographic function is correct and effective.
7.2.3 Device and computational security
7.2.3.1 General rules
Take the general rules of cryptographic application in device and computational security in GM/T 0054-2018 as a reference.
7.2.3.2 Audit record
“Audit record”, “identity authentication”, “access control” and “cryptographic module” are the constituent parts of “device and computational security” of the core banking system. In Level-3 requirements of cryptographic technical security protection of the core banking information system, the following requirements are made for the “device and computational security - audit record” indicator:
a) The scope of audit shall cover every operating system user and database user on the server and important client-sides;
b) The integrity service of cryptographic technique shall be adopted to implement the integrity verification of audit records; it shall be ensured that its cryptographic function is correct and effective;
c) The integrity function of cryptographic technique shall be adopted to protect the integrity of log records;
d) Audit content shall include important security-related events in the system, such as: important user behavior, abnormal use of system resources, and the use of important system commands, etc.;
e) Audit record shall include date and time, type, subject identification, object identification and event result, etc.
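As an added illustration of 7.2.3.2 b) and e) (example code written for this page, not text or code from the standard): an audit log whose records carry the listed fields, each record chained to the previous one by a MAC, with a verifier that reports the first record at which integrity fails. HMAC-SHA256 and the sample key are assumptions for the example only; a deployed system would use an algorithm approved under 7.2.5.1 and keep the MAC key inside a cryptographic module per 7.2.3.5.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed sample MAC key for the example only. In a real system the key
# would be generated and held inside an approved cryptographic module.
SAMPLE_MAC_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
GENESIS_TAG = "0" * 64  # chain link used by the very first record


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so writer and verifier MAC identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, body: dict) -> str:
    # HMAC-SHA256 stands in for the approved integrity algorithm (7.2.5.1).
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


def append_record(log: list, key: bytes, *, time: str, event_type: str,
                  subject: str, obj: str, result: str) -> dict:
    """Append one audit record with the fields of 7.2.3.2 e) (date and time,
    type, subject, object, result) plus the previous record's tag."""
    body = {"time": time, "type": event_type, "subject": subject,
            "object": obj, "result": result,
            "prev": log[-1]["tag"] if log else GENESIS_TAG}
    record = dict(body, tag=_tag(key, body))
    log.append(record)
    return record


def verify_log(log: list, key: bytes,
               expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, index). ok is False at the first record whose MAC or
    chain link fails. expected_head is the latest tag as stored out of band
    (for example in the cryptographic module); without it, deletion of the
    newest records cannot be detected, so the head tag must be kept apart."""
    prev = GENESIS_TAG
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "tag"}
        if body.get("prev") != prev:           # record removed or reordered
            return False, i
        if not hmac.compare_digest(_tag(key, body), rec.get("tag", "")):
            return False, i                    # field modified or wrong key
        prev = rec["tag"]
    if expected_head is not None and prev != expected_head:
        return False, len(log)                 # tail of the log truncated
    return True, None
```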
7.2.3.4 Access control
“Audit record”, “identity authentication”, “access control” and “cryptographic module” are the constituent parts of “device and computational security” of the core banking system. In Level-3 requirements of cryptographic technical security protection of the core banking information system, the following requirements are made for the “device and computational security - access control” indicator:
a) From the perspective of access control mechanism, in order to prevent system resource access control information from being tampered with, the integrity service of cryptographic technique shall be adopted to implement the integrity protection of system resource access control information and sensitive marks; it shall be ensured that its cryptographic function is correct and effective;
b) In accordance with the role assignment permissions of the user being managed, implement the separation of permissions of the user being managed, and merely grant the minimum permission required by the user;
c) Trusted computing technology shall be adopted to establish a chain of trust from the system to the application, so as to implement protection of the integrity of important programs or files during system operation.
7.2.3.5 Cryptographic module
“Audit record”, “identity authentication”, “access control” and “cryptographic module” are the constituent parts of “device and computational security” of the core banking system. In Level-3 requirements of cryptographic technical security protection of the core banking information system, the following requirements are made for the “device and computational security - cryptographic module” indicator:
Level-3 and above cryptographic modules that comply with GM/T 0028, or hardware cryptographic products approved by the national cryptographic management department should be adopted to implement cryptographic operation and key management:
a) Dedicated hardware or firmware of the system, and cryptographic device shall implement security functions, such as: authorized control, detection of unauthorized access and indication of operation status, so as to ensure that the cryptographic module can correctly operate in the approved working mode;
b) Dedicated hardware or firmware of the system, and cryptographic device shall be able to prevent unauthorized disclosure of the module’s content or key security parameters;
c) Dedicated hardware or firmware of the system, and cryptographic device shall requirements are made for the “application and data security - data storage” indicator:
a) The integrity service of cryptographic technique should be adopted to implement the detection of integrity of system management data, authentication information and important business data during the storage process; it shall be ensured that its cryptographic function is correct and effective;
b) The confidentiality service of cryptographic technique should be adopted to implement the confidentiality protection of the storage of system management data, authentication information and important business data; it shall be ensured that its cryptographic function is correct and effective.
7.2.5 Requirements for cryptographic allocation policy
7.2.5.1 Cryptographic algorithm allocation
“Cryptographic algorithm allocation”, “cryptographic protocol application” and “cryptographic device application” are the constituent parts of “requirements for cryptographic allocation policy” of the core banking system. In Level-3 requirements of cryptographic technical security protection of the core banking information system, the following requirements are made for the “requirements for cryptographic allocation policy - cryptographic algorithm allocation” indicator:
Algorithms approved by the national cryptographic management department shall be used.
7.2.5.2 Cryptographic protocol application
“Cryptographic algorithm allocation”, “cryptographic protocol application” and “cryptographic device application” are the constituent parts of “requirements for cryptographic allocation policy” of the core banking system. In Level-3 requirements of cryptographic technical security protection of the core banking information system, the following requirements are made for the “requirements for cryptographic allocation policy - cryptographic protocol application” indicator:
Cryptographic protocol that has passed the security review of the national cryptographic management department shall be adopted to implement the cryptographic function.
7.2.5.3 Cryptographic device application
“Cryptographic algorithm allocation”, “cryptographic protocol application” and “cryptographic device application” are the constituent parts of “requirements for cryptographic allocation policy” of the core banking system. In Level-3 requirements of cryptographic technical security protection of the core banking information system, the following requirements are made for the “requirements for cryptographic allocation
---The continued use of keys suspected of having been leaked shall be prevented.
7.3.3 Key management
7.3.3.1 Key import and export
“Key import and export”, “key storage and custody”, “key usage and replacement”, “key backup and recovery” and “key archive and destruction” are the constituent parts of “key management” of the core banking system. In Level-3 requirements of cryptographic technical security protection of the core banking information system, the following requirements are made for the “key management - key import and export” indicator:
a) Key injection shall be performed in the presence of key administrators, security auditors and cryptographic device operators. Security auditors should also be present and record the operation memorandum, submit security audit logs and security audit documents, etc.;
b) The key transmission, import and export process shall be carried out in accordance with the principle of dual control and key division. If key components are required, then each required key component shall be imported by the holder of that key component;
c) When transmitting and importing keys, the following shall be confirmed:
---Only when the cryptographic device has authenticated the identity of at least two authorized persons, for example, through the mode of password, can the private key be transmitted; in terms of manually distributed key, the management process shall be used, for example, through the mode of paper authorization, to authenticate the identity of the authorized persons;
---Only when it can be ensured that the cryptographic device has not been tampered with in a way that might lead to the disclosure of keys or sensitive data before using it, can the private key be imported into the cryptographic device;
---Only when it can be ensured that there is no eavesdropping device installed at the interface of the cryptographic device that might cause the leakage of any element of the transmission key, can the private key be transmitted between cryptographic devices;
---The device used to transmit private key between the device that generates the key and the device that uses the key shall be a cryptographic device;
---After importing the key to the target device, the key transmission device shall not retain any information that might reveal the key;
indicator:
a) Documented regulations for key storage and custody shall be formulated;
b) Key information must be kept in a safety box. The key to the safety box shall be the responsibility of the key administrator, so as to ensure that only the designated key administrator can open the device in custody; in addition, this regulation shall be implemented in the post responsibility system; the implementation of this regulation shall be regularly examined;
c) Passwords can only be stored in cryptographic device that complies with the stipulations of GB/T 20547.2;
d) If key components are used, it shall be ensured that the key components are transmitted to the authorized person through a specific key mailer or key transmission device. The printing of the key mailer shall ensure that the key components can only be seen after the mailer is opened. The mailer shall merely show the minimum information necessary to deliver the key mailer to the authorized person. The structure of the key mailer shall make accidental or deceptive opening easy for the recipient to detect. If this circumstance occurs, the key components shall not be used anymore;
e) There shall be emergency treatment and response measures in case of possible leakage of the key;
f) Documented regulations for key storage and custody shall be formulated. Requirements shall be proposed for the key storage location, transmission mode, transmission medium, and import and export process, as well as the personnel and responsibilities in the post of custody; in addition, the implementation of this regulation shall be regularly examined;
g) Plaintext keys can only be stored in cryptographic device that complies with the stipulations of GB/T 21079.1 and GB/T 20547.2.
7.3.3.3 Key usage and replacement
“Key import and export”, “key storage and custody”, “key usage and replacement”, “key backup and recovery” and “key archive and destruction” are the constituent parts of “key management” of the core banking system. In Level-3 requirements of cryptographic technical security protection of the core banking information system, the following requirements are made for the “key management - key usage and replacement” indicator:
a) The purpose of the key shall be clarified; in addition, the key shall be correctly used in accordance with the purpose;
b) A tracking and verification system shall be established for each link of key
d) Key backup or recovery shall be recorded; audit information shall also be generated; audit information includes the subject of backup or recovery, and the time of backup or recovery, etc.;
e) There shall be security measures to prevent the leakage and replacement of keys;
f) The security of the location and form of key storage shall be ensured; the access permissions of the key shall be restricted;
g) In accordance with the information that the attacker has obtained, if it can be confirmed that unauthorized key replacement has already occurred, then, the following steps shall be followed for key replacement:
---Erase any encrypted version of the storage key that has been confirmed to be replaced; confirm whether all existing encrypted keys are legal. If there is an illegal key, then, it shall be deleted;
---Use a certain new key encryption key to re-encrypt legally stored encrypted key;
---Delete the old key encryption key from all operating positions;
h) Key backup or recovery shall be recorded; audit information shall be generated; audit information includes the subject of backup or recovery, and the time of backup or recovery, etc.
7.3.3.5 Key archive and destruction
“Key import and export”, “key storage and custody”, “key usage and replacement”, “key backup and recovery” and “key archive and destruction” are the constituent parts of “key management” of the core banking system. In Level-3 requirements of cryptographic technical security protection of the core banking information system, the following requirements are made for the “key management - key archive and destruction” indicator:
a) Effective security measures shall be adopted to ensure the security and correctness of the archived keys;
b) The archived keys can only be used to decrypt the historical information encrypted by the key, or verify the historical information signed by the key;
c) Key archive shall be recorded; audit information shall be generated; audit information includes the archived keys and the time of archive, etc.;
d) Implement data backup on the archived keys;
requirements” are the constituent parts of “requirements for security management” of the core banking system. In Level-3 requirements of cryptographic technical security protection of the core banking information system, the following requirements are made for the “requirements for security management - cryptographic device management” indicator:
a) The system shall establish an effective securit...
