
GM/T 0070-2019 PDF in English




GM/T 0070-2019
CRYPTOGRAPHIC INDUSTRY STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80

Technical requirement for applications of cryptography in electronic insurance policy

ISSUED ON: JULY 12, 2019
IMPLEMENTED ON: JULY 12, 2019
Issued by: State Cryptography Administration

Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Acronyms
5 Security requirements for electronic insurance policy
5.1 Business process of electronic insurance policy
5.2 Security requirements
6 Technical framework of cryptographic application of electronic insurance policy
7 Cryptographic application requirements in the management process of electronic insurance policy
7.1 Application of electronic insurance policy
7.2 Issuance of electronic insurance policy
7.3 Storage of electronic insurance policies
7.4 Delivery of electronic insurance policy
7.5 Verification of electronic insurance policy
7.6 Lapse of electronic insurance policy
8 Cryptographic technical requirements for electronic insurance policy
8.1 Requirements for cryptographic algorithms
8.2 Requirement for cryptographic equipment
8.3 Requirements for key management
8.4 Requirements for certificate management
8.5 Requirements for digital certificate of electronic insurance policy
8.6 Data format requirements for electronic insurance policies

Technical requirement for applications of cryptography in electronic insurance policy

1 Scope
This standard describes the cryptographic application requirements of the electronic policy business in the insurance industry. It specifies the technical requirements for the application of cryptography in the main aspects of electronic policy management, such as the insurance application, issuance, storage, verification and delivery of electronic insurance policies.
This standard can provide guidance for the cryptographic application for electronic insurance policies. This standard applies to the development and use of electronic insurance policy systems.

2 Normative references
The following documents are essential to the application of this document. For dated documents, only the versions with the dates indicated are applicable to this document; for undated documents, only the latest version (including all amendments) is applicable to this standard.
GB/T 20518 Information security technology - Public key infrastructure - Digital certificate format
GB/T 20520 Information security technology - Public key infrastructure - Timestamp specification
GB/T 32905 Information security techniques - SM3 cryptographic hash algorithm
GB/T 32907 Information security technology - SM4 block cipher algorithm
GB/T 32918 (all parts) Information security technology - Public key cryptographic algorithm SM2 based on elliptic curves
GB/T 35275 Information security technology - SM2 cryptographic algorithm encrypted signature message syntax specification
GB/T 35276 Information security technology - SM2 cryptography algorithm usage specification

Electronic policy
The electronic insurance contract certificate issued by the insurance company, bearing the digital signature of the insurance company, for the insurance applicant; it is legally equivalent to a paper insurance document.
3.7 Electronic application form
An electronic offer application made by an insurance applicant to an insurance company for the purpose of entering into an insurance contract.
3.8 SM2 algorithm
An algorithm as defined by GB/T 32918.
3.9 SM3 algorithm
An algorithm as defined by GB/T 32905.
3.10 SM4 algorithm
An algorithm as defined by GB/T 32907.
3.11 Lapse of electronic policy
An electronic policy that, after becoming effective, loses its legal effect for some reason.

4 Acronyms
The following abbreviations apply to this document.
CA: Certificate Authority
CRL: Certificate Revocation List
HTTPS: Hyper Text Transfer Protocol over Secure Socket Layer

premium rate;
c) Insurance acceptance: Refers to the insurance company's acceptance of an insurance application that has been successfully underwritten and paid; it carries out the process of issuing, storing and delivering the electronic insurance policy;
d) Claims: After the insured accident occurs, the insurance applicant and the insured submit an application for premium to the insurance company based on the electronic insurance policy. The insurance company verifies the electronic insurance policy and makes compensation or payment according to the insurance contract;
e) Routine insurance process: querying policy information, renewing payment and other routine insurance processes.

5.2 Security requirements
Insurance contract information is the key data in the insurance business. Electronic insurance policies exist as data messages in the form of insurance contracts. In order to ensure that electronic insurance policies have the same legal effect as paper insurance policies, the following security requirements exist in the generation and use of electronic insurance policies:
a) Identity authentication requirements for traders of electronic insurance policy:
-- Confirm that the parties such as the insurance applicant and the insured have signed and approved the insurance contract;
-- Ensure that the electronic insurance policy obtained by the customer is signed by the insurance company entrusted by the user to bear the insurance liability.
b) Confidentiality requirements of electronic insurance policies: Ensure the security of the relevant information of the insurance company's electronic policies during storage, delivery, etc.; prevent the user's privacy information related to electronic policies from being stolen illegally during storage or transmission.
c) Integrity requirements of electronic policies: It is necessary to ensure that the information seen by the insurance applicant and the insurance company is completely consistent. Therefore, the integrity of the electronic policy information shall be ensured during the generation, storage and delivery of the electronic policy, so that it cannot be illegally tampered with.

The technical framework of cryptographic application of electronic insurance policy is composed of the business support layer, the cryptographic function layer and the infrastructure layer:
a) Business support layer: the electronic insurance policy's business support layer involves the core data of network insurance, electronic insurance policy data and the main management processes, including such links as the insurance application, issuance, verification, storage, delivery, lapse, etc. of the electronic insurance policy; it achieves the secure management of electronic insurance policies by calling the cryptographic function layer.
b) Cryptographic function layer: The cryptographic function layer is an intermediate layer between the infrastructure layer and the insurance business application layer. It provides the relevant cryptographic service functions for the electronic insurance policy's business support layer to ensure the security of electronic insurance policies. The cryptographic function layer is a collection of hardware cryptographic modules and cryptographic middleware, which implements the following basic functions:
- Encryption / decryption function
It is used for the encrypted protection of personal sensitive information such as ID number, bank card number, health status, biometrics and so on, which relate to the user's privacy in the electronic insurance policy. Data encryption and decryption shall use block cipher algorithms as approved by the national cryptographic management department, such as SM4.
- Signature / verification function
Implements digital signatures and verification of key data such as electronic application forms and electronic insurance policies. Digital signature and verification are the key cryptographic techniques applied in electronic insurance policies; they shall use public key cryptographic algorithms (such as SM2) and hash algorithms (such as SM3) as approved by the national cryptographic management authority.
- Key management function
The insurance company uses the enterprise digital certificate issued by the CA to digitally sign the electronic insurance policy. Therefore, the insurance company needs to perform strict key management on the generation, storage, use and archiving of its private signature key.
- Identity authentication function

confirm the insurance intention. The application process shall meet the following requirements:
a) The insurance applicant, insured or beneficiary, or agent completes the reading of the electronic application form on the client side of the insurance business system; confirms the insurance application; signs a handwritten signature at the designated position on the electronic application form.
b) The client side of the insurance business system shall collect data such as the handwritten signature's handwriting information, voice and image to form an insurance behavior evidence chain, and submit the digital certificate request to the CA together with the above evidence chain, the signer's user information and the electronic application certificate hash value. The CA finishes the identity verification of the signer and issues a digital certificate. At the same time, the client side of the insurance business system uses the digital certificate's private key to complete the digital signature of the electronic insurance application, so as to effectively bind the identity verification of the insurance applicant to the behavior of this insurance signature.
c) Timestamp the above signed electronic application form.
d) The business system shall adopt encryption measures for the sensitive information in the insurance application process according to the business security needs, to ensure its security during transmission, storage and use.
e) The insurance business system shall, after receiving the electronic application form, verify the validity of the digital signature of the electronic application form.

7.2 Issuance of electronic insurance policy
After the insurance applicant's electronic application is completed and the payment underwriting is approved, the business system can start issuing electronic insurance policies. The issuance of an electronic insurance policy shall meet the following requirements:
a) The electronic policy system shall, based on the insurance application information filled in by the insurance applicant and the insurance policy content template corresponding to the type of insurance, automatically generate formatted insurance policy data; meanwhile it shall perform the electronic signature operation at the insurance company's signature position of the electronic insurance policy;
b) The electronic insurance policy shall be timestamped.

The client side of the insurance business system uses the digital certificate's private key to complete the digital signature of the electronic receipt.
c) Timestamp the above signed electronic receipts.
Cryptographic requirements for direct delivery without a signature:
a) The electronic policy shall be delivered to the insurance applicant through online or offline delivery, which shall include at least one of the following delivery methods: e-mail delivery, or login to the web application and download;
b) When the insurance applicant logs in to the web application and downloads the policy, a secure transmission channel such as HTTPS should be used.

7.5 Verification of electronic insurance policy
After receiving the electronic insurance policy, the insurance applicant can verify the authenticity of the insurance policy through the electronic policy verification function provided by the insurance company or the CA. In the claims business, insurance companies also need to verify electronic insurance policies in the course of processing their business. Verification of an electronic policy shall verify the digital signature and timestamp in the electronic insurance policy in order to confirm the identity authenticity of the signer (the insurance company), the integrity of the electronic insurance policy document, the non-repudiation of the insurance transaction contract, and the validity of the signature time of the electronic insurance policy. The verification process requirements for electronic insurance policies are as follows:
a) Verify the digital certificate of the digital signer of the electronic insurance policy (i.e. the insurance company), including verification of the certificate trust chain, verification of the certificate validity period, whether the certificate status is revoked, and whether the key usage policy is correct;
b) The verification of the digital signature of the electronic insurance policy shall be able to correctly identify whether the electronic insurance policy has been tampered with and promptly warn that the signature is invalid;
c) It shall verify the validity of the timestamp;
d) According to the insurance business situation, check the electronic policy lapse list to verify the validity of the insurance policy.

standards for cryptography, and meanwhile obtain certification and approval from the national cryptographic management authority.

8.3 Requirements for key management
The main key in the electronic policy signature device is the electronic policy signature key pair. It must use cryptographic equipment as approved by the national cryptographic management authority to realize security management of such links as the generation, storage, distribution, import and export, use, backup and recovery, archiving and destruction of the signature key pair.

8.4 Requirements for certificate management
Certificate management in the application of electronic insurance policies shall be provided by the CA, which is specifically responsible for issuing and managing digital certificates. As a trusted third-party electronic authentication service provider in electronic policy business transactions, it shall have a legal e-certification service license qualification and bear the responsibility of checking the legality of public keys in the public key system, so as to provide legally valid authentication services for the application of electronic insurance policies. A CA that provides electronic authentication services shall provide certificate services based on the SM2 cryptographic algorithm, following GM/T 0034.

8.5 Requirements for digital certificate of electronic insurance policy
The electronic insurance policy shall adopt digital certificates issued by a third-party CA that has obtained permission from the competent authority for electronic certification services. The digital certificate and CRL formats shall comply with GB/T 20518.

8.6 Data format requirements for electronic insurance policies
8.6.1 Basic requirements for electronic insurance policy data
The content of an electronic insurance policy that requires signature protection includes insurance information such as the insurance policy number, the insurance applicant's information, insured information, beneficiary information and insured amount, as well as the layout attribute information of the corresponding insurance policy.
......
Source: The above contents are excerpted from the PDF, translated/reviewed by www.chinesestandard.net / Wayne Zheng et al.