JR/T 0025.7-2013 English PDF (JRT0025.7-2013)
JR/T 0025.7-2013: China financial integrated circuit card specifications. Part 7: Debit/credit application security specification
This Part of JR/T 0025 describes the requirements for debit/credit application security functions and the security mechanisms involved in implementing these security functions and the encryption algorithms allowed for use, including IC card offline data authentication method, communication security between IC card and issuer, and related symmetric and asymmetric key managements.
JR/T 0025.7-2013
JR
FINANCIAL INDUSTRY STANDARD OF
THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.240.40
A 11
File No.:
Replacing JR/T 0025.7-2010
China financial integrated circuit card specifications -
Part 7. Debit/credit application security specification
ISSUED ON: FEBRUARY 5, 2013
IMPLEMENTED ON: FEBRUARY 5, 2013
Issued by: People's Bank of China
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviations
5 Offline data authentication
6 Application cryptogram and issuer authentication
7 Security message
8 Card security
9 Terminal security
10 Key management system
11 Security mechanism
12 Approved algorithms
Bibliography
Foreword
JR/T 0025 China Financial Integrated Circuit Card Specifications consists of the following parts.
- Part 1. Electronic Purse/Electronic Deposit Application Card Specification;
- Part 2. Electronic Purse/Electronic Deposit Application Specification;
- Part 3. Specification on Application Independent ICC to Terminal Interface Requirements;
- Part 4. Debit/Credit Application Overview;
- Part 5. Debit/Credit Application Card Specification;
- Part 6. Debit/Credit Application Terminal Specification;
- Part 7. Debit/Credit Application Security Specification;
- Part 8. Contactless Specification Independent of Application;
- Part 9. Electronic Purse Extended Application Guide;
- Part 10. Debit/Credit Card Personalization Guide;
- Part 11. Contactless Integrated Circuit Card Communication Specification;
- Part 12. Contactless Integrated Circuit Card Payment Specification;
- Part 13. Low-value Payment Specifications Based on Debit/Credit Application;
- Part 14. Comprehensive Application Specification Based on Contactless Low-value Payment Application;
- Part 15. Electronic Cash Dual-currency Payment Specification;
- Part 16. IC Card Internet Terminal Specification;
- Part 17. Enhanced Debit/Credit Application Security Specification.
This is the 7th Part of JR/T 0025.
This Part was drafted in accordance with the rules given in GB/T 1.1-2009. This Part replaces JR/T 0025.7-2010 “China Financial Integrated Circuit Card Specifications - Part 7. Debit/Credit Application Security Specification”.

China financial integrated circuit card specifications -
Part 7. Debit/credit application security specification
1 Scope
This Part of JR/T 0025 describes the requirements for debit/credit application security functions, the security mechanisms involved in implementing these functions, and the encryption algorithms allowed for use, including the IC card offline data authentication method, communication security between IC card and issuer, and the related symmetric and asymmetric key management, as follows:
- offline data authentication;
- application cryptogram and issuer authentication;
- security message;
- card security;
- terminal security;
- symmetric and asymmetric key management system.
In addition, it also includes the security mechanisms involved in implementing these security features and the specifications for the encryption algorithms approved for use.
This Part applies to the security-related equipment, cards, terminal equipment and management of financial debit/credit IC card applications issued or accepted by banks. Its users are mainly the research, development, integration, maintenance and other relevant departments (organizations) involved in the design, manufacture, management, distribution and application systems of the cards, terminals and encryption devices related to the financial debit/credit IC card application.
2 Normative references
The following standards contain provisions which, through reference in this Part, constitute provisions of this Part. For dated references, subsequent amendments (excluding corrections) or revisions do not apply to this Part. However, parties who enter into agreements based on this Part are encouraged to investigate whether the latest versions of these documents are applicable. For undated references, the latest versions apply to this Part.
GB/T 16649.4, Identification cards - Integrated circuit cards - Part 4: Organization, security and commands for interchange (GB/T 16649.4-2010, ISO/IEC 7816-4:2005, IDT)
GB/T 16649.5, Identification cards - Integrated circuit cards - Part 15: Cryptographic information application (GB/T 16649.5-2002, ISO/IEC 7816-5:1994)
GB/T 20547.2, Banking - Secure cryptographic devices (retail) - Part 2: Security compliance checklists for devices used in financial transactions (GB/T 20547.2-2006, ISO 13491-2:2005, IDT)
ISO 873-1, Intelligent transport systems - Cooperative ITS - Test architecture
ISO 8732, Banking - Key management (wholesale)
ISO/IEC 9796-2, Information technology - Security techniques - Digital signature schemes giving message recovery - Part 2: Integer factorization based mechanisms
ISO/IEC 9797-1, Information technology - Security techniques - Message Authentication Codes (MACs) - Part 1: Mechanisms using a block cipher
ISO/IEC 10116, Information technology - Security techniques - Modes of operation for an n-bit block cipher
ISO 13491-1, Financial services - Secure cryptographic devices (retail) - Part 1: Concepts, requirements and evaluation methods
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1 accelerated revocation
recover keys before the expiry date of the issued key
3.2 application
application protocols and related data sets between cards and terminals
3.3 asymmetric cryptographic technique
are not used for offline data authentication processing, and all other data in the READ RECORD command response data field (except SW1, SW2) participates in offline data authentication;
- for files with SFI from 11 to 30, the record tag ('70') and record length are used for offline data authentication processing, so that all data in the READ RECORD command response data field (except SW1, SW2) participates in offline data authentication;
- if the tag of a record in a file used for offline data authentication is not '70', offline data authentication is considered to have been performed and failed; the terminal must set the TSI's “Offline Data Authentication Execution” bit and the corresponding TVR “Offline Static Data Authentication Failure” bit, “Offline Dynamic Data Authentication Failure” bit, or “CDA Failure” bit.
5.1 Key and certificate
The terminal verifies the signatures and certificates on the IC card using a public key algorithm to achieve offline data authentication. Public key technology uses private keys to generate encrypted data (certificates or signatures) that can be decrypted with the public key for authentication and data recovery. The bit length of the RSA public key modulus shall be a multiple of 8, and the leftmost (high) bit of the leftmost (high) byte shall be 1. All lengths are in bytes. If the static application data on the card is not unique (e.g. the card uses a different CVM for international and domestic transactions), the card must support multiple IC card public key certificates (or static data signatures). If the signed static application data may be modified after the card is issued, the card must support updating of the IC card public key certificate (or static data signature).
5.1.1 Certification authority
Offline data authentication requires a certification authority (CA). The certification authority operates a high-security cryptographic device that is used to issue the public key certificates of card issuers. Each terminal complying with JR/T 0025 shall store the corresponding certification authority public key for each application it can recognize.
5.1.2 Public-private key pair
The certification authority and the issuer must use the asymmetric algorithm specified in 12.2 to generate the certification authority public-private key pair, the issuer public-private key pair and the IC card public-private key pair. In this Clause, the offline data authentication process and the related data elements are described using the RSA algorithm as an example.
which generates the IC card public key certificate and is stored in the card. The length of IC card public key modulus must be less than or equal to the issuer public key modulus length. The le...
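As an added illustration (not text or code from JR/T 0025.7, and not a reference implementation of the standard), the following Python sketch applies the rules quoted in 5.1, 5.1.2 and the READ RECORD handling above to constructed sample data: it checks the RSA modulus format rule (bit length a multiple of 8, leftmost bit set), checks that the IC card public key modulus is no longer than the issuer's, and decides which bytes of a READ RECORD response enter the offline data authentication input according to the SFI, flagging a non-'70' record as "performed and failed". The TVR/TSI bit positions follow EMV Book 3 conventions and are assumptions of this example, since the page names the bits but not their positions; the record responses and moduli are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Bit positions in TVR byte 1 and TSI byte 1 (EMV Book 3 conventions;
# assumed here, the page names the bits but does not give positions).
TSI_ODA_PERFORMED = 0x80
TVR_FAIL_BIT = {"SDA": 0x40, "DDA": 0x08, "CDA": 0x04}
RECORD_TAG = 0x70  # record template tag required for ODA records


def modulus_length_bytes(n: int) -> int:
    """Return the byte length of an RSA modulus, enforcing the 5.1 rule:
    bit length a multiple of 8, i.e. leftmost bit of leftmost byte is 1."""
    bits = n.bit_length()
    if n <= 0 or bits % 8 != 0:
        raise ValueError("modulus bit length must be a non-zero multiple of 8")
    length = bits // 8
    # Same rule stated the second way the text gives it: top bit of top byte.
    if not n.to_bytes(length, "big")[0] & 0x80:
        raise ValueError("leftmost bit of leftmost byte must be 1")
    return length


def icc_modulus_fits_issuer(issuer_n: int, icc_n: int) -> bool:
    """5.1.2: IC card public key modulus length <= issuer modulus length."""
    return modulus_length_bytes(icc_n) <= modulus_length_bytes(issuer_n)


def parse_tlv_header(data: bytes) -> tuple:
    """Parse a BER-TLV tag and length; return (tag, length, value_offset)."""
    i = 0
    tag = data[i]
    i += 1
    if tag & 0x1F == 0x1F:  # multi-byte tag: continue while bit 8 is set
        while True:
            tag = (tag << 8) | data[i]
            i += 1
            if not data[i - 1] & 0x80:
                break
    length = data[i]
    i += 1
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[i:i + n], "big")
        i += n
    return tag, length, i


@dataclass
class OdaState:
    oda_type: str = "SDA"  # which of SDA/DDA/CDA the terminal is running
    tvr_byte1: int = 0
    tsi_byte1: int = 0
    failed: bool = False


def record_oda_input(sfi: int, response: bytes, state: OdaState) -> Optional[bytes]:
    """Return the bytes a READ RECORD response (including SW1 SW2) contributes
    to the ODA input, or None after marking ODA performed-and-failed when the
    record tag is not '70'."""
    if not 1 <= sfi <= 30:
        raise ValueError("SFI out of range")
    body = response[:-2]  # SW1 SW2 never participate
    tag, length, off = parse_tlv_header(body)
    if off + length != len(body):
        raise ValueError("malformed record: length does not match body")
    if tag != RECORD_TAG:
        state.failed = True
        state.tsi_byte1 |= TSI_ODA_PERFORMED
        state.tvr_byte1 |= TVR_FAIL_BIT[state.oda_type]
        return None
    if sfi <= 10:
        return body[off:off + length]  # tag and length excluded
    return body  # SFI 11..30: tag and length included


if __name__ == "__main__":
    # Constructed sample values: a 1024-bit issuer modulus and an 896-bit ICC modulus.
    issuer_n, icc_n = (1 << 1023) | 1, (1 << 895) | 3
    print("ICC fits issuer:", icc_modulus_fits_issuer(issuer_n, icc_n))
    st = OdaState("SDA")
    good = bytes.fromhex("70055a030102039000")  # constructed '70' record + 9000
    bad = bytes.fromhex("77055a030102039000")   # constructed wrong-tag record
    print("SFI 2 input:", record_oda_input(2, good, st).hex())
    print("SFI 12 input:", record_oda_input(12, good, st).hex())
    record_oda_input(3, bad, st)
    print("failed:", st.failed, "TVR1: %02x TSI1: %02x" % (st.tvr_byte1, st.tsi_byte1))
```

The two modulus checks are deliberately written both ways the text phrases the rule, so that a reader can see they are the same condition; a terminal that rejects a malformed modulus early avoids feeding it into signature recovery at all.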