GM/T 0070-2019 PDF in English
CRYPTOGRAPHIC INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Technical requirement for applications of
cryptography in electronic insurance policy
ISSUED ON: JULY 12, 2019
IMPLEMENTED ON: JULY 12, 2019
Issued by: State Cryptography Administration
Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Acronyms
5 Security requirements for electronic insurance policy
5.1 Business process of electronic insurance policy
5.2 Security requirements
6 Technical framework of cryptographic application of electronic insurance policy
7 Cryptographic application requirements in the management process of electronic insurance policy
7.1 Application of electronic insurance policy
7.2 Issuance of electronic insurance policy
7.3 Storage of electronic insurance policies
7.4 Delivery of electronic insurance policy
7.5 Verification of electronic insurance policy
7.6 Lapse of electronic insurance policy
8 Cryptographic technical requirements for electronic insurance policy
8.1 Requirements for cryptographic algorithms
8.2 Requirement for cryptographic equipment
8.3 Requirements for key management
8.4 Requirements for certificate management
8.5 Requirements for digital certificate of electronic insurance policy
8.6 Data format requirements for electronic insurance policies
Technical requirement for applications of
cryptography in electronic insurance policy
1 Scope
This standard describes the cryptographic application requirements of the
electronic policy business in the insurance industry. It specifies the technical
requirements for the application of cryptography in the main aspects of
electronic policy management, such as the insurance application, issuance,
storage, verification and delivery of electronic insurance policies. This standard
can provide guidance for the cryptographic application for electronic insurance policy.
This standard applies to the development and use of electronic insurance policy
systems.
2 Normative references
The following documents are essential to the application of this document. For
the dated documents, only the versions with the dates indicated are applicable
to this document; for the undated documents, only the latest version (including
all the amendments) is applicable to this standard.
GB/T 20518 Information security technology - Public key infrastructure -
Digital certificate format
GB/T 20520 Information security technology - Public key infrastructure -
Timestamp specification
GB/T 32905 Information security techniques - SM3 cryptographic hash
algorithm
GB/T 32907 Information security technology - SM4 block cipher algorithm
GB/T 32918 (all parts) Information security technology - Public key
cryptographic algorithm SM2 based on elliptic curves
GB/T 35275 Information security technology - SM2 cryptographic algorithm
encrypted signature message syntax specification
GB/T 35276 Information security technology - SM2 cryptography algorithm
usage specification
Electronic policy
The electronic insurance contract certificate issued by the insurance
company with the digital signature of the insurance company for the
insurance applicant, which is legally equivalent to a paper insurance
document.
3.7
Electronic application form
An electronic offer application made by an insurance applicant to an
insurance company for the purpose of entering into an insurance contract.
3.8
SM2 algorithm
An algorithm as defined by GB/T 32918.
3.9
SM3 algorithm
An algorithm as defined by GB/T 32905.
3.10
SM4 algorithm
An algorithm defined by GB/T 32907.
3.11
Lapse of electronic policy
The loss, for some reason, of the legal effect of an electronic policy after it
has become effective.
4 Acronyms
The following abbreviations apply to this document.
CA: Certificate Authority
CRL: Certificate Revocation List
HTTPS: Hyper Text Transfer Protocol over Secure Socket Layer
premium rate;
c) Insurance acceptance: Refers to the insurance company's acceptance of
the insurance application that has been successfully underwritten and
paid; carries out the process of issuing, storing and delivering the electronic
insurance policy;
d) Claims: After the insured accident occurs, the insurance applicant and the
insured submit an application for premium to the insurance company
based on the electronic insurance policy. The insurance company verifies
the electronic insurance policy and makes compensation or payment
according to the insurance contract;
e) Routine insurance process: querying policy information, renewing
payment and other routine insurance processes.
5.2 Security requirements
Insurance contract information is the key data in the insurance business.
Electronic insurance policies exist as data messages in the form of insurance
contracts. In order to ensure that electronic insurance policies have the same
legal effect as paper insurance policies, the following security requirements
exist in the generation and use of electronic insurance policies:
a) Identity authentication requirements for traders of electronic insurance
policy:
-- Confirm that the parties such as the insurance applicant and insured
have signed and approved the insurance contract;
-- Ensure that the electronic insurance policy obtained by the customer is
signed by the insurance company entrusted by the user to bear the
insurance liability.
b) Confidentiality requirements of electronic insurance policies: Ensure the
security of relevant information of electronic policies of insurance
companies during the storage, delivery, etc.; prevent user’s privacy
information related to electronic policies from being stolen illegally during
storage or transmission.
c) Integrity requirements of electronic policies: It is necessary to ensure that
the information seen by the insurance applicant and the insurance
company is completely consistent. Therefore, it is required to ensure the
integrity of the electronic policy information during the generation, storage,
and delivery of the electronic policy and not to be illegally tampered with.
The technical framework of cryptographic application of electronic insurance
policy is composed of business support layer, cryptographic function layer,
infrastructure layer:
a) Business support layer: the electronic insurance policy’s business support
layer involves the core data of network insurance, electronic insurance
policy data and main management processes, including such links as the
insurance application, issuance, verification, storage, delivery, lapse, etc.
of the electronic insurance policy; it achieves the secure management of
electronic insurance policy by calling the cryptographic function layer.
b) Cryptographic function layer: The cryptographic function layer is an
intermediate layer between the infrastructure layer and the insurance
business application layer. It provides relevant cryptographic service
functions for the electronic insurance policy’s business support layer to
ensure the security of electronic insurance policies.
The cryptographic function layer is a collection of hardware cryptographic
modules and cryptographic middleware, which implements the following
basic functions:
- Encryption / decryption function
It is used for the encrypted protection of personal sensitive information
such as ID number, bank card number, health status, biometrics and so
on which relate to the user privacy in the electronic insurance policy.
Data encryption and decryption shall use block cipher algorithms as
approved by the national cryptographic management department, such
as SM4.
- Signature / verification function
Implement digital signatures and verification of key data such as
electronic application forms and electronic insurance policies. Digital
signature and verification are the key cryptographic techniques applied
in electronic insurance policies, which shall use the public key
cryptographic algorithms (such as SM2) and hash algorithms (such as
SM3) as approved by the national cryptographic management authority.
- Key management function
The insurance company uses the enterprise digital certificate issued by
the CA to digitally sign the electronic insurance policy. Therefore, the
insurance company needs to perform strict key management on the
generation, storage, use, archiving of its private signature key.
- Identity authentication function
confirm the insurance intention. The application process shall meet the
following requirements:
a) The insurance applicant, insured or beneficiary, or agent completes the
reading of the electronic application form on the client side of the
insurance business system; confirms the insurance application; signs a
handwritten signature at the designated position on the electronic
application form.
b) The client side of the insurance business system shall collect data such
as handwritten signature’s handwriting information, voice, image, to form
an insurance behavior evidence chain; submit the digital certificate
request to the CA with the above evidence chain, signer user information,
electronic application certificate hash value. CA finishes the identity
verification of the signer and issues a digital certificate. At the same time,
the client side of the insurance business system uses the digital certificate
private key to complete the digital signature of the electronic insurance
application, so as to effectively bind the identity verification of the
insurance applicant to the behavior of this insurance signature.
c) Timestamp the above signed electronic application form.
d) The business system shall adopt encryption measures for the sensitive
information in the insurance application process according to the business
security needs, to ensure its process security such as transmission,
storage, and use.
e) The insurance business system shall, after receiving the electronic
insurance form, verify the validity of the digital signature of the electronic
application form.
7.2 Issuance of electronic insurance policy
After the insurance applicant's electronic application is completed and the
payment underwriting is approved, the business system can start issuing
electronic insurance policies. The issuance of an electronic insurance policy
shall meet the following requirements:
a) The electronic policy system shall, based on the insurance application
information filled by the insurance applicant and the corresponding
insurance policy content template according to the type of insurance,
automatically generate formatted insurance policy data; meanwhile
perform the electronic signature operation at the insurance company
signature position of the electronic insurance policy;
b) The electronic insurance policy shall be timestamped.
client side of insurance business system uses the digital certificate private
key to complete the digital signature of the electronic receipt.
c) Timestamp the above signed electronic receipts.
Cryptographic requirements for direct delivery without a signature:
a) The electronic policy shall be delivered to the insurance applicant through
online or offline delivery, which shall include at least one delivery method:
Email delivery, login Web download;
b) When the insurance applicant logs in to the web application and
downloads it, it should use a secure transmission channel such as HTTPS.
7.5 Verification of electronic insurance policy
After receiving the electronic insurance policy, the insurance applicant can
verify the authenticity of the insurance policy through the electronic policy
verification function as provided by the insurance company or CA. In the claims
business, insurance companies also need to verify electronic insurance policies
in the course of processing their business.
The verification of an electronic policy shall verify the digital signature and
the timestamp in the electronic insurance policy, in order to confirm the
identity authenticity of the signer (the insurance company), the integrity of
the electronic insurance policy document, the non-repudiation of the
insurance transaction contract, and the validity of the signing time of the
electronic insurance policy. The verification process requirements for
electronic insurance policies are as follows:
a) Verify the digital certificate of the digital signer of the electronic insurance
policy (i.e. the insurance company), including verification of the certificate
trust chain, verification of the certificate validity period, whether the
certificate status is revoked, and whether the key usage policy is correct;
b) The verification of the digital signature of the electronic insurance policy
shall be able to correctly identify whether the electronic insurance policy
has been tampered with and promptly remind that the signature is invalid;
c) It shall verify the validity of the timestamp;
d) According to the insurance business situation, check the electronic policy
lapse list, to verify the validity of the insurance policy.
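The checks of 7.5 a) to d) written as one verification routine, added here as an illustration and not part of the standard or of any insurer's system. The SM2/SM3 signature and the timestamp token are stood in for by HMAC-SHA256 tags so the block runs offline, and the certificate, CRL, lapse list and keys are constructed sample values; a real deployment swaps in an SM2 verifier and proper chain building.

```python
import hashlib, hmac
from datetime import datetime, timezone
from typing import NamedTuple

class Certificate(NamedTuple):
    serial: str
    issuer: str           # issuing CA; stands in for full chain building
    not_before: datetime
    not_after: datetime
    key_usage: frozenset  # e.g. {"digitalSignature"}
    key: bytes            # stand-in for the insurer's SM2 public key
class SignedPolicy(NamedTuple):
    policy_no: str
    body: bytes           # policy data placed under the signature (8.6.1)
    cert: Certificate
    signature: bytes
    ts_time: datetime     # signing time asserted by the timestamp token
    ts_token: bytes       # token binding the signature to ts_time
def tag(key, *parts):  # HMAC-SHA256 stand-in for SM2/SM3 signing and TSA tokens
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def verify_policy(p, trusted_issuers, crl, lapse_list, tsa_key):
    """Run the 7.5 a)-d) checks; return the failed ones (empty list = valid)."""
    fails, c, when = [], p.cert, p.ts_time.isoformat().encode()
    # 7.5 c) first: the timestamp fixes the signing time the checks below use
    if not hmac.compare_digest(tag(tsa_key, p.signature, when), p.ts_token):
        fails.append("timestamp invalid")
    # 7.5 a): trust chain, validity at signing time, revocation, key usage
    if c.issuer not in trusted_issuers:
        fails.append("untrusted issuer")
    if not c.not_before <= p.ts_time <= c.not_after:
        fails.append("certificate not valid at signing time")
    if c.serial in crl:
        fails.append("certificate revoked")
    if "digitalSignature" not in c.key_usage:
        fails.append("key usage does not permit signing")
    if not hmac.compare_digest(tag(c.key, p.body), p.signature):  # 7.5 b)
        fails.append("signature invalid: policy tampered")
    if p.policy_no in lapse_list:  # 7.5 d)
        fails.append("policy lapsed")
    return fails
# Constructed sample: the certificate expired in 2020, the policy was signed in 2019
UTC, INSURER_KEY, TSA_KEY = timezone.utc, b"insurer-key-stand-in", b"tsa-key-stand-in"
CERT = Certificate("0A1B", "Demo CA", datetime(2019, 1, 1, tzinfo=UTC),
                   datetime(2020, 1, 1, tzinfo=UTC), frozenset({"digitalSignature"}), INSURER_KEY)
def make_policy(policy_no, body, signed_at, cert=CERT):
    sig = tag(cert.key, body)
    return SignedPolicy(policy_no, body, cert, sig, signed_at,
                        tag(TSA_KEY, sig, signed_at.isoformat().encode()))
```

Certificate validity is judged at the timestamped signing time, so a policy stays verifiable after the insurer's certificate expires; that is why the timestamp check runs first and a failed timestamp is reported alongside the other findings.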
standards for cryptography, meanwhile obtain certification and approval from
national cryptographic management authority.
8.3 Requirements for key management
The main key in the electronic policy signature device is the electronic policy
signature key pair. It must use the cryptographic equipment as approved by the
national cryptographic management authority to realize security management
of such links as the generation, storage, distribution, import and export, use,
backup and recovery, archiving, destruction of the signature key pair.
8.4 Requirements for certificate management
Certificate management in the application of electronic insurance policies shall
be provided by the CA, which is specifically responsible for issuing and
managing digital certificates. As a trusted third-party electronic authentication
service provider in electronic policy business transactions, it shall have legal e-
certification service license qualifications and bear the responsibility of the
legality check of the public key in the public key system, to provide legally valid
authentication services for application of electronic insurance policy.
CA that provides electronic authentication services shall provide certificate
services based on the SM2 cryptographic algorithm, following the GM/T 0034.
8.5 Requirements for digital certificate of electronic insurance
policy
The electronic insurance policy shall adopt digital certificates issued by a
third-party CA that has obtained permission from the competent authority of
electronic certification services. The digital certificate and CRL formats shall
comply with GB/T 20518.
8.6 Data format requirements for electronic insurance policies
8.6.1 Basic requirements for electronic insurance policy data
The content of an electronic insurance policy that requires signature protection
includes insurance information such as insurance policy number, insurance
applicant’s information, insured information, beneficiary information, insured
amount, as well as layout attribute information of the corresponding insurance
policy.
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.