GM/T 0045-2016 PDF English
Standard ID: GM/T 0045-2016 | Name: Specifications of financial cryptographic server | Status: Valid
GM
CRYPTOGRAPHY INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
File No.: 55613-2016
Specifications of financial cryptographic server
ISSUED ON: MARCH 28, 2016
IMPLEMENTED ON: MARCH 28, 2016
Issued by: State Cryptography Administration
Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviation
5 Functional requirements
5.1 Cryptographic algorithm
5.2 Key management
5.3 Random number
5.4 Access control
5.5 Device management
5.6 Device initialization
5.7 Self-test
6 Hardware requirements
6.1 Physical interface
6.2 Status indicator
6.3 Random number generator
6.4 Environmental adaptability
6.5 Reliability
7 Security business requirements
7.1 Basic requirements
7.2 Data message interface
7.3 Business function requirements
8 Security requirements
9 Test requirements
9.1 Function test
9.2 Performance test
9.3 Environmental compatibility test
9.4 Security test
10 Determination of qualification
Foreword
This Standard was drafted in accordance with the rules given in GB/T 1.1-2009.
Attention is drawn to the possibility that some of the elements of this Standard
may be the subject of patent rights. The issuing authority shall not be held
responsible for identifying any or all such patent rights.
This Standard was proposed by and shall be under the jurisdiction of Code
Industry Standardization Technical Committee.
Main drafting organizations of this Standard: Chengdu Westone Information
Industry Joint Stock Company, Wuxi Jiangnan Institute of Computer Technology,
Xing Tang Communication Technology Co., Ltd., Shandong De'an Information
Technology Co., Ltd., Beijing Sansec Technology Development Company, Ltd.,
Beijing Jiangnan Tian-An Technology Co., Ltd.
Main drafters of this Standard: Li Yuanzheng, Zhang Shixiong, Huang Jin,
Zhang Suocheng, Xu Mingyi, Wang Nina, Zheng Haisen, Gao Zhiquan, Li Guo,
Ma Xiaoyan.
Specifications of financial cryptographic server
1 Scope
This Standard defines relevant terms of financial cryptographic server, specifies
functional requirements, interface requirements, hardware requirements,
business requirements, security requirements and test requirements for
financial cryptographic server.
This Standard is applicable to the development and use of financial cryptographic
servers. It is also applicable as guidance for testing financial cryptographic servers.
2 Normative references
The following referenced documents are indispensable for the application of
this document. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any
amendments) applies.
GB/T 4943, Safety of information technology equipment
GB/T 9813-2000, Specification for microcomputer
GB/T 17964, Information technology - Security techniques - Modes of
operation for a block cipher
GM/T 0002, SM4 Block Cipher Algorithm
GM/T 0003, Public Key Cryptographic Algorithm SM2 Based on Elliptic
Curves
GM/T 0004, SM3 Password Hashing Algorithm
GM/T 0005, Randomness Test Specification
GM/T 0006, Cryptographic application identifier criterion specification
GM/T 0009, SM2 Cryptography Algorithm Application Specification
GM/T 0028, Security Requirements for Cryptographic Modules
JR/T 0025, China Financial Integrated Circuit Card Specifications
use physical means to protect hardware cryptographic device and its keys or
sensitive information
3.9 master key; MK
it is at the highest layer in hierarchical key structure, used to protect its lower
keys
3.10 secondary master key; SMK
it is at the second layer in hierarchical key structure, used to generate or protect
its lower keys
3.11 key separation; KS
ensure that each cryptographic operation uses only the specified key type, for
example, the MAC key can only be used to generate a message authentication
code
3.12 data key; DK
a key used to protect the PIN and calculate the MAC, including the MAC key (MAK)
and the PIN key (PINK); also known as the working key
3.13 key check value; KCV
a result value calculated by an irreversible algorithm and used for
integrity inspection; the check value is usually the result of applying an
irreversible algorithm to an arbitrary string under the key
3.14 personal identification number; PIN
in financial business, a digital ID that authorizes a cardholder in a request for
authorization message; a PIN contains only decimal digits; when logging in, it
can support numbers, uppercase and lowercase letters, and punctuation
3.15 key loading; KL
a process of transferring keys to cryptographic server manually or electronically
3.16 manual key distribution; MKD
a method of using non-electronic means such as cryptography envelope for key
distribution
3.17 manual key entry; MKE
injecting keys into the financial cryptographic server with a keyboard
5 Functional requirements
5.1 Cryptographic algorithm
5.1.1 Symmetric cryptographic algorithm
The financial cryptographic server shall be equipped with SM4 symmetric
cryptographic algorithm. The realization of SM4 cryptographic algorithm shall
follow GM/T 0002.
In order to meet the requirement of compatibility with the original system or the
interconnection with other systems (for example, the external card system), the
international standard DES/3DES/AES cryptographic algorithm and other
algorithms approved by the national cryptography management department
may also be supported.
The operation modes of the symmetric cryptographic algorithm shall follow GB/T
17964 and shall include at least the ECB and CBC modes.
The symmetric cryptographic algorithm is mainly used for PIN encryption, PIN
trans-encryption, MAC calculation, data encryption and decryption, and key
protection.
5.1.2 Public key algorithm
The financial cryptographic server shall be equipped with SM2 asymmetric
cryptographic algorithm. The realization of SM2 cryptographic algorithm shall
follow GM/T 0003. The use of algorithm shall follow GM/T 0009.
In order to meet the requirement of compatibility with the original system or the
interconnection with other systems (for example, the external card system), the
international standard RSA cryptographic algorithm and other algorithms
approved by the national cryptography management department may also be
supported. The RSA modulus length shall meet the length that is proposed and
recommended by the international bank card organization, and it can be
extended.
The asymmetric cryptographic algorithm is mainly used for digital signature and
signature verification, cryptography envelope, and key distribution.
5.1.3 Hash algorithm
The financial cryptographic server shall be equipped with SM3 hash algorithm.
The realization of SM3 hash algorithm shall follow GM/T 0004. In addition, when
the SM2 cryptographic algorithm is used for digital signature verification and
calculation of message authentication code, it is required to be used together
with the SM3 hash algorithm. The realization of SM3 hash algorithm used in SM2
information is not leaked.
A key in plaintext form that requires manual entry shall be transmitted, stored
and entered in segments. Different key components shall be saved
separately by different authorized administrators. Key entry shall be
completed jointly by at least more than 2 authorized administrators at the
entry site.
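The split-knowledge entry described above, sketched as an added example (not part of the standard): each administrator enters one component, and the combined key is accepted only if it matches a key check value as defined in 3.13. Combining components by XOR, using HMAC-SHA256 as a stand-in for an SM3/SM4-based check value, the 3-byte check value length, the `MIN_ADMINS` value and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
from functools import reduce

MIN_ADMINS = 2   # assumed policy value; raise it to match local requirements
KCV_BYTES = 3    # assumed length of the check value shown to operators


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def kcv(key: bytes) -> str:
    """Check value: one-way function of a fixed string under the key.
    HMAC-SHA256 is a stand-in here for an SM3/SM4-based calculation."""
    mac = hmac.new(key, b"\x00" * 16, hashlib.sha256).digest()
    return mac[:KCV_BYTES].hex().upper()


def split_key(key: bytes, n: int) -> list:
    """Split key into n XOR components; fewer than n reveal nothing."""
    parts = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    return parts + [reduce(xor, parts, key)]


def enter_key(entries, expected_kcv: str, key_len: int = 16) -> bytes:
    """entries: (admin_id, component, component_kcv) tuples, one per custodian."""
    admins = [admin for admin, _, _ in entries]
    if len(set(admins)) != len(admins):
        raise PermissionError("one administrator entered more than one component")
    if len(admins) < MIN_ADMINS:
        raise PermissionError("not enough administrators present")
    for admin, comp, comp_kcv in entries:
        if len(comp) != key_len:
            raise ValueError(f"{admin}: wrong component length")
        if not hmac.compare_digest(kcv(comp), comp_kcv):
            raise ValueError(f"{admin}: component mistyped (KCV mismatch)")
    key = reduce(xor, (comp for _, comp, _ in entries))
    if not hmac.compare_digest(kcv(key), expected_kcv):
        raise ValueError("combined key does not match expected KCV")
    return key


if __name__ == "__main__":
    master = secrets.token_bytes(16)              # constructed sample key
    comps = split_key(master, 3)
    forms = [(f"admin{i}", c, kcv(c)) for i, c in enumerate(comps)]
    assert enter_key(forms, kcv(master)) == master
```

The per-component check value catches a typing error before the components are combined, so a failed entry does not reveal which combined key was intended.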
5.2.5 Key backup / restore
The financial cryptographic server shall have backup / restore function for
master key, secondary master key. The backup data generated by the backup
operation shall be stored in ciphertext on the storage medium. The key to
encrypt the backup data shall have a security mechanism to ensure its security.
The backup key can be restored to the financial cryptographic server. Different
models of financial cryptographic server from the same manufacturer shall be able
to back up and restore each other. Key restore can only be performed in the
financial cryptographic server.
5.3 Random number
The financial cryptographic server shall use random numbers generated by no
less than two hardware physical noise sources. The generated random
numbers shall meet the requirements of GM/T 0005.
The random number generator equipped for the financial cryptographic server shall
pass four phases of random number tests: sample sending test, exit-factory
test, power-on test and use test.
a) Sample sending test
Carry out sample sending test of random number according to GM/T 0005
requirements.
b) Exit-factory test
• test quantity: collect 50×10^6 bit random numbe...
...... Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.