PDF GM/T 0076-2019 English
GM
CRYPTOGRAPHIC INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Cryptography technical requirements for banking card
information system
ISSUED ON: JULY 12, 2019
IMPLEMENTED ON: JULY 12, 2019
Issued by: State Cryptography Administration
Table of Contents
Foreword ... 4
Introduction ... 5
1 Scope ... 7
2 Normative references ... 7
3 Terms and definitions ... 8
4 Abbreviations ... 10
5 Bank card information system model ... 10
6 Basic requirements for cryptographic applications and functional requirements for cryptographic applications ... 11
7 Level 2 requirements for the security protection of cryptographic technology of bank card information system ... 11
7.1 Basic requirements... 11
7.2 Security requirements for cryptographic technology ... 12
7.2.1 Physical and environmental security ... 12
7.2.2 Network and communication security ... 13
7.2.3 Device and computing security ... 14
7.2.4 Application and data security ... 16
7.2.5 Requirements for cryptographic allocation policy ... 18
7.3 Key security and management requirements ... 21
7.3.1 General ... 21
7.3.2 Key Security ... 21
7.3.3 Key management ... 23
7.4 Security management requirements ... 27
7.4.1 Overview ... 27
7.4.2 Security management system ... 27
7.4.3 Personnel management requirements ... 28
7.4.4 Cryptographic device management ... 29
7.4.5 Requirements for business terminal using passwords ... 29
8 Level 3 requirements for the security protection of cryptographic technology of bank card information system ... 30
8.1 Basic requirements... 30
8.2 Security requirements for cryptographic technology ... 30
8.2.1 Physical and environmental security ... 30
8.2.2 Network and communication security ... 31
8.2.3 Device and computing security ... 34
8.2.4 Application and data security ... 37
8.2.5 Requirements for cryptographic allocation policy ... 39
8.3 Key security and management requirements ... 42
8.3.1 General ... 42
8.3.2 Key security ... 42
8.3.3 Key management ... 44
8.4 Security management requirements ... 50
8.4.1 Overview ... 50
8.4.2 Security management system ... 50
8.4.3 Personnel management requirements ... 51
8.4.4 Cryptographic device management ... 52
8.4.5 Requirements for business terminal using passwords ... 52
9 Level 4 requirements for the security protection of cryptographic technology of bank card information system ... 53
9.1 Basic requirements... 53
9.2 Cryptographic technology security requirements ... 53
9.2.1 Physical and environmental security ... 53
9.2.2 Network and communication security ... 55
9.2.3 Device and computing security ... 58
9.2.4 Application and data security ... 62
9.2.5 Requirements for cryptographic allocation policy ... 64
9.3 Key security and management requirements ... 67
9.3.1 General ... 67
9.3.2 Key security ... 67
9.3.3 Key management ... 70
9.4 Security management requirements ... 77
9.4.1 Overview ... 77
9.4.2 Security management system ... 77
9.4.3 Personnel management requirements ... 78
9.4.4 Cryptographic device management ... 79
9.4.5 Requirements for business terminal using passwords ... 80
Appendix A (Normative) Comparison of security requirements ... 81
References ... 83
Cryptography technical requirements for banking card information system
1 Scope
This standard is based on GM/T 0054-2018, JR/T 007-2012 and other standards. Taking into account the characteristics of the banking card systems of banking financial institutions and the needs of cryptographic technology in the classified protection of this type of information system, it sets out specific requirements for the application of cryptographic technology in banking card systems at each security protection level, from three aspects: cryptographic security technical requirements, key security and management requirements, and security management requirements.
This standard is applicable to the guidance, standardization and evaluation of commercial cryptographic applications in banking card information systems.
2 Normative references
The following documents are essential to the application of this document. For dated references, only the edition cited applies to this document; for undated references, the latest edition (including all amendments) applies to this standard.
GB/T 20547.2-2006 Banking - Secure cryptographic devices (retail) - Part 2 :
Security compliance checklists for devices used in financial transactions
GB/T 21078.1 Banking - Personal identification number management and
security - Part 1: Basic principles and requirements for online PIN handling
in ATM and POS systems
GB/T 21079.1 Banking - Secure cryptographic devices (retail) - Part 1:
Concepts, requirements and evaluation methods
GM/T 0024 SSL VPN specification
GM/T 0028 Security requirements for cryptographic modules
GM/T 0036-2014 Technical guidance of cryptographic application for access
control systems based on contactless smart card
GM/T 0054-2018 General requirements for information system cryptography
a) When authenticating users who log in to network devices, the authenticity service of cryptographic technology should be used to protect the authentication information against reuse and counterfeiting; its cryptographic function shall be correct and effective;
b) When performing remote network management, the confidentiality service of cryptographic technology should be used to protect the authentication information from being leaked in transit; the cryptographic function shall be correct and effective;
c) The management user IDs of network devices shall be difficult to misuse; the static password of a key network device shall be more than 6 characters long, consist of a mixture of letters, numbers, symbols, etc., and be replaced regularly;
d) The information system shall use cryptographic technology to generate unique random identifiers for entities that have passed identity authentication, and shall ensure that this function is correct and effective.
7.2.3 Device and computing security
7.2.3.1 General
Refer to GM/T 0054-2018 General requirements for information system
cryptography application.
7.2.3.2 Audit records
"Audit records", "access control", "identity authentication", "verification code
and dynamic password", "cryptographic module" are part of the "device and
computing security" of the bank card information system. In the level 2
requirements for the security protection of the cryptographic technology of the
bank card information system, the following requirements are made for the
indicators of "device and computing security-audit records":
In order to prevent the audit record from being illegally modified, it should use
the integrity service of cryptographic technology to protect the integrity of the
audit record; its cryptographic function shall be correct and effective.
7.2.3.3 Access control
"Audit records", "access control", "identity authentication", "verification code
and dynamic password", "cryptographic module" are part of the "device and
computing security" of the bank card information system. In the level 2
password":
a) When sending the verification code by SMS or other channels, it shall use
the correct cryptographic technology, to ensure that the dynamic
password sent is completely random and unpredictable;
b) When using SMS or other channels to send the verification code, it shall
ensure that the content of the verification code is not disclosed;
c) If it uses OTP tokens for identity verification, it shall use correct
cryptographic techniques, to ensure that OTP is completely random and
unpredictable.
7.2.3.6 Cryptographic module
"Audit records", "access control", "identity authentication", "verification code
and dynamic password", "cryptographic module" are part of the "device and
computing security" of the bank card information system. In the level 2
requirements for the security protection of the cryptographic technology of the
bank card information system, the following requirements are made for the
indicators of "device and computing security-cryptographic module":
It shall use cryptographic modules of level 2 or above that comply with GM/T 0028, or hardware cryptographic products approved by the national cryptographic management department, to perform cryptographic calculations and key management:
a) The system's dedicated hardware or firmware and cryptographic device
shall implement security functions such as authorization control,
unauthorized access detection, operating status indication, etc., to ensure
that the cryptographic module can operate correctly in the approved
working mode;
b) The system's dedicated hardware or firmware and cryptographic device
shall be able to prevent unauthorized disclosure of the module's content
or key security parameters;
c) The system's dedicated hardware or firmware and cryptographic device
shall be able to prevent unauthorized or undetectable modifications to
cryptographic modules and cryptographic algorithms.
7.2.4 Application and data security
7.2.4.1 General
Refer to GM/T 0054-2018 General requirements for information system cryptography
"application and data security-terminal application":
a) It should use the integrity service of cryptographic technology to verify the
integrity of important programs; its cryptographic function shall be correct
and effective;
b) Terminal applications shall not store sensitive information such as user passwords, payment passwords, PAC, CVV, etc. in plaintext or in merely encoded form;
c) When the terminal application processes sensitive data entered by the
user, such as passwords, payment passwords, etc., it should use the
security measures to ensure the confidentiality of sensitive data and
ensure that it is not obtained by unauthorized access.
7.2.5 Requirements for cryptographic allocation policy
7.2.5.1 Cryptographic algorithm configuration
"Cryptographic algorithm allocation", "cryptographic protocol use", "application
ciphertext generation", "bank card terminal", "password keyboard",
"cryptographic device use" are components of the bank card information
system’s "cryptographic allocation policy requirements". In the level 2
requirements for the cryptographic technology security protection of bank card
information systems, the following requirements are set for the indicators of
"cryptographic allocation strategy requirements-cryptographic algorithm
allocation":
It shall use the algorithm approved by the national cryptographic management
authority.
7.2.5.2 Use of cryptographic protocol
"Cryptographic algorithm allocation", "cryptographic protocol use", "application
ciphertext generation", "bank card terminal", "password keyboard",
"cryptographic device use" are components of the bank card information
system’s "cryptographic allocation policy requirements". In the level 2
requirements for the security protection of the cryptographic technology of the
bank card information system, the following requirements are made for the
indicators of "cryptographic allocation strategy requirement-cryptographic
protocol use":
It shall use the cryptographic protocol that has passed the security review of
the national cryptographic administration department to realize the
cryptographic function.
7.2.5.3 Generation of application ciphertext
between the cryptographic devices;
- It shall use cryptographic device to transmit the private key between the
device that generates the key and the device that uses the key;
- After importing the key to the target device, the key transfer device shall
not retain any information that may reveal the key;
- When using a key transfer device, the key (if an explicit key identifier is
used, also includes the key identifier) shall be transferred from the
cryptographic device that generated the key to the key transfer device;
this device shall be physically transported to the location of the
cryptographic device that actually uses the key.
d) When using the key component, it shall confirm:
- The key components constituting the key shall be imported or exported
to the device manually or by the key transmission device; the
transmission process of the key component shall not disclose any part
of the key component to any unauthorized individual;
- When the key components are distributed in a readable form, each key
component shall be distributed through a key envelope that will not
reveal the value of the key component before opening;
- Before entering the key component, it shall check the key envelope or
cryptographic device for signs of tampering. If one of the components is
tampered with, this set of key components shall not be used and shall
be destroyed according to the procedures described in GB/T 21078.1;
- Each key component shall be entered individually by its own holder, and the correctness of each entered component shall be verified.
e) The key administrator shall be responsible for checking the consistency of
the verification value generated when the key is imported and exported.
f) After the key component is entered into the cryptographic device, the key
envelope shall be destroyed or sealed in another tamper-proof key
envelope for possible future use.
g) After the key is injected, save the medium storing the backup key in a
password envelope; after being supervised and confirmed by a special
person, lock it in the safe.
7.3.3.2 Key storage and custody
"Key import and export", "key storage and custody", "key use and replacement",
corresponding emergency treatment and response measures;
f) Manage the system administrator password, user password, user authority
of the cryptographic machine and cryptographic management device.
Once a leak occurs or the authority is out of control, it shall initiate an
inspection and tracking program. Evaluate the incident level according to
the situation of out of control of authority; meanwhile update the relevant
key in due course.
7.3.3.4 Key backup and recovery
"Key import and export", "key storage and custody", "key use and replacement",
"key backup and recovery" are part of the bank card information system’s "key
management". In the level 2 requirements for the security protection of the
cryptographic technology of the bank card information system, the following
requirements are set for the indicator of "key management-key backup and
recovery":
a) It shall establish the key recovery and correction workflow; clarify the
situations to trigger the key replacement and correction; specify the
standard operating process for key replacement and correction; retain the
operation records of key replacement and correction;
b) If it suspects that the key is leaked or the security of the device is
threatened, the key shall be withdrawn or replaced (for example,
destroyed or revoked);
c) It shall formulate a clear key backup strategy; adopt a secure and reliable
key backup and recovery mechanism, to backup and restore the key;
d) It shall record the key backup or restoration and generate the audit
information. The audit information includes the subject of backup or
restoration, the time of backup or restoration, etc.;
e) There shall be security measures to prevent the leakage and replacement
of keys;
f) It shall ensure the security of the storage location and form of the key;
restrict the access rights of the key;
g) If, based on the information that the attacker has obtained, it can be
confirmed that an unauthorized key replacement has occurred, then the
following steps shall be followed for key replacement:
- Erase any encrypted version of the storage key that has been confirmed
to be replaced; confirm whether all the existing encrypted keys are legal;
if there is an illegal key, it shall be deleted;
management system that has deficiencies or needs improvement shall be
revised.
f) The release process of relevant management systems should be clarified.
7.4.3 Personnel management requirements
"Security management system", "personnel management requirements",
"cryptographic device management", "password-using business terminal
requirements" are part of the "security management requirements" of the bank
card information system. In the level 2 requirements for the security protection
of the cryptographic technology of the bank card information system, the
following requirements are set for the indicator of "security management
requirements-personnel management requirements":
a) It shall understand and abide by laws and regulations related to passwords;
b) It shall be able to use cryptographic products correctly;
c) A personnel training system shall be established to provide special training
for personnel involved in the operation and management of passwords
and key management;
d) According to the requirements of the competent department and the actual situation of the organization, a sufficient number of key management personnel, security auditors, cryptographic device operators and other positions shall be assigned; these positions shall not be held concurrently by the same person;
e) Full-time key management personnel shall be assigned; this position shall not be held concurrently by personnel in other positions;
f) A post responsibility system shall be established that clarifies the responsibilities and authorities of the personnel involved in managing cryptographic devices and the key management system; accounts used to manage devices and systems related to cryptographic management shall not be shared among multiple people;
g) The key management personnel shall be regular employees of the
organization; they shall be filed level by level, to standardize key
management;
h) It shall establish a personnel selection system and review system for
cryptographic management and cryptographic device operation;
determine full-time personnel to undertake related tasks; implement
necessary review of relevant personnel;
b) In the process of establishing a secure access path, the integrity service
of cryptographic technology shall be used to ensure the integrity of the
routing control information in the secure access path; its cryptographic
function shall be correct and effective.
8.2.2.5 Audit records
"Communication security", "identity authentication", "secure access path",
"audit records" are the components of the "network and communication security" of the bank
card information system. In the level-3 requirements for cryptographic
technology security protection of bank card information systems, the following
requirements are set for the indicator of "network and communication security-
audit records":
The integrity service of cryptographic technology shall be used to protect the
integrity of audit records; its cryptographic function shall be correct and effective.
8.2.3 Device and computing security
8.2.3.1 General
Refer to GM/T 0054-2018 General requirements for information system
cryptography application.
8.2.3.2 Audit records
"Audit records", "identity authentication", "access control", "verification code
and dynamic password", "cryptographic module" are part of the "device and
computing security" of the bank card information system. In the level-3
requirements for cryptographic technology security protection of bank card
information systems, the following requirements are set for the indicator of
"device and computing security-audit records":
In order to prevent the audit record from being illegally modified, it should use
the integrity service of cryptographic technology to protect the integrity of the
audit record; its cryptographic function shall be correct and effective.
8.2.3.3 Identity authentication
"Audit records", "identity authentication", "access control", "verification code
and dynamic password", "cryptographic module" are part of the "device and
computing security" of the bank card information system. In the level-3
requirements for the cryptographic technology security protection of bank card
information systems, the following requirements are made for the indicator of
"device and computing security-identity authentication":
c) For sensitive account information such as the bank card's primary account number, magnetic stripe track data (including the chip's equivalent track data), card verification codes (CVN, CVN2), personal identification number (PIN) and card validity period, as well as key fields such as the user's ID number and mobile phone number, cryptographic technology shall be used for confidentiality protection;
d) For systems that provide services to the outside world through the Internet,
in the entire message or conversation process in the communication
process, it shall use a dedicated communication protocol or encryption
method to ensure the confidentiality of the communication process;
e) The confidentiality service of cryptographic technology shall be used to
realize the confidentiality protection of the transmission of system
management data, authentication information and important business
data; its cryptographic function shall be correct and effective.
8.2.4.3 Data storage
"Data transmission", "data storage", "terminal application" are part of the
"application and data security" of the bank card information system. In the level-
3 requirements for cryptographic technology security protection of bank card
information systems, the following requirements are made for the indicator of
"application and data security-data storage":
a) The integrity service of cryptographic technology should be used to detect
the integrity of system management data, authentication information and
important business data in the storage process; its cryptographic function
shall be correct and effective;
b) The confidentiality service of cryptographic technology should be used to
realize the confidentiality protection of the storage of system management
data, authentication information and important business data; its
cryptographic function shall be correct and effective.
8.2.4.4 Terminal application
"Data transmission", "data storage", "terminal application" are part of the
"application and data security" of the bank card information system. In the level-
3 requirements for the cryptographic technology security protection of bank
card information systems, the following requirements are made for the indicator
of "application and data security-terminal application":
a) The integrity service of cryptographic technology shall be used to verify
the integrity of important programs; its cryptographic function shall be
correct and effective;
requirements:
For manned terminals (such as POS), the amount input process must be
separated from the PIN input process, to avoid accidentally displaying the PIN
on the terminal's display screen. If the amount and PIN are entered on the same
keyboard, the amount input and PIN input shall be two distinct operations. If
there is no other confirmation operation, the PIN entered by the cardholder shall
be used for the amount confirmation.
8.2.5.5 Password keyboard
"Cryptographic algorithm allocation", "cryptographic protocol use", "application
ciphertext generation", "bank card terminal", "password keyboard",
"cryptographic device use" are components of the bank card information
system’s "cryptographic allocation policy requirements". For the password
keyboard, the following requirements shall be met:
a) The technical requirements of the password keyboard shall comply with
the relevant regulations and standards of the national cryptographic
management authority and the industry authority;
b) The password keyboard contains dedicated devices with cryptographic processing capability that can perform message encryption and decryption and message authentication code calculation and verification. The password keyboard shall store keys securely and prevent them from being read out. It shall be possible to store and select among multiple sets of keys;
c) The transaction amount must be displayed on the screen of the password keyboard;
d) While the cardholder enters the password, the display of the password keyboard shall not show it in plaintext, only as asterisks;
e) Information transmitted between the password keyboard and the POS terminal shall be in ciphertext form.
8.2.5.6 Cryptographic device use
"Cryptographic algorithm allocation", "cryptographic protocol use", "application
ciphertext generation", "bank card terminal", "password keyboard",
"cryptographic device use" are components of the bank card information
system’s "cryptographic allocation policy requirements". In the level-3
requirements for cryptographic technology security protection of bank card
information systems, the following requirements are set for the indicator of
"cryptographic allocation strategy requirements-cryptographic device use":
a) Key injection shall be performed in the presence of the key administrators, security auditors and cryptographic device operators. The security auditors shall record the operation in a memorandum and submit the security audit logs, security audit documents, etc.;
b) The key transmission, import and export process shall be carried out in
accordance with the principle of dual control and key division. If it needs
to use key components, the required key components shall be imported
separately by the key component holder;
c) When transferring and importing keys, it shall confirm:
- A private key may be transmitted only after the cryptographic device has authenticated at least two authorized persons, for example by password; for manually distributed keys, a management process such as paper-based authorization shall be used to authenticate the identity of the authorized persons;
- A private key may be imported into a cryptographic device only after it has been confirmed that the device has not been tampered with in any way that could lead to the disclosure of keys or sensitive data;
- A private key may be transmitted between cryptographic devices only after it has been confirmed that no eavesdropping device is installed at the interface of the cryptographic device that could leak any element of the transmitted key;
- The device used to transmit the private key between the device
generating the key and the device using the key shall be a cryptographic
device;
- After importing the key to the target device, the key ......
...... Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.