GM/T 0077-2019 PDF in English


GM/T 0077-2019
GM
CRYPTOGRAPHIC INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Cryptography Technical Requirements for Core
Banking Systems
ISSUED ON: JULY 12, 2019
IMPLEMENTED ON: JULY 12, 2019
Issued by: State Cryptography Administration
Table of Contents
Foreword
Introduction
1 Scope
2 Normative References
3 Terms and Definitions
4 Abbreviations
5 Core Banking System Model
6 Basic Requirements and Functional Requirements for Cryptographic Application
7 Level-3 Requirements for Cryptographic Technical Security Protection of Core Banking Information System
8 Level-4 Requirements for Cryptographic Technical Security Protection of Core Banking Information System
Appendix A (normative) Security Requirements Comparison Table
Bibliography
Cryptography Technical Requirements for Core
Banking Systems
1 Scope
On the basis of GM/T 0054-2018 and JR/T 007-2012 (TRANSLATOR NOTE: it should
be JR/T 0071-2012), this Standard combines the characteristics of the core systems
of banking financial institutions with the cryptographic application needs that arise
in the classified-protection security construction of such information systems. From
three perspectives, namely cryptographic security technical requirements, key security
and management requirements, and security management requirements, it sets out
specific requirements for the application of cryptographic techniques in core systems
at different security protection levels.
This Standard applies to the guidance, standardization and evaluation of the core
information systems of banks and financial institutions.
2 Normative References
The following documents are indispensable to the application of this document. For
dated references, only the edition cited applies. For undated references, the latest
edition (including all amendments) applies.
GB/T 20547.2-2006 Banking - Secure Cryptographic Devices (retail) - Part 2: Security
Compliance Checklists for Devices Used in Financial Transactions
GB/T 21078.1 Banking - Personal Identification Number Management and Security -
Part 1: Basic Principles and Requirements for Online PIN Handling in ATM and POS
Systems
GB/T 21079.1 Banking - Secure Cryptographic Devices (retail) - Part 1: Concepts,
Requirements and Evaluation Methods
GM/T 0024 SSL VPN Specification
GM/T 0028 Security Requirements for Cryptographic Modules
GM/T 0036-2014 Technical Guidance of Cryptographic Application for Access Control
Systems Based on Contactless Smart Card
GM/T 0054-2018 General Requirements for Information System Cryptography
Application
7.2 Cryptographic Technical Security Requirements
7.2.1 Physical and environmental security
7.2.1.1 General rules
Take the general rules of cryptographic application in physical and environmental
security in GM/T 0054-2018 as a reference.
7.2.1.2 Cryptographic hardware security
“Cryptographic hardware security”, “physical environmental security” and “electronic
access control system” are the constituent parts of “physical and environmental
security” of the core banking system. In Level-3 requirements of cryptographic
technical security protection of the core banking information system, the following
requirements are made for the “physical and environmental security - cryptographic
hardware security” indicator:
a) The system’s dedicated hardware or firmware and cryptographic device shall
have effective physical security protection measures;
NOTE: in this Standard, “effective measures” refer to the means that can meet the
requirements of the “ensured items” or the method that can achieve the
security goals set by the system, the same below.
b) The system’s dedicated hardware or firmware and cryptographic device shall
satisfy operating environment reliability requirements.
7.2.1.3 Physical environmental security
“Cryptographic hardware security”, “physical environmental security” and “electronic
access control system” are the constituent parts of “physical and environmental
security” of the core banking system. In Level-3 requirements of cryptographic
technical security protection of the core banking information system, the following
requirements are made for the “physical and environmental security - physical
environmental security” indicator:
The authenticity function of cryptographic technique shall be used to protect the identity
authentication information of physical access control and ensure the authenticity of the
identity of personnel entering important areas.
7.2.1.4 Electronic access control system
“Cryptographic hardware security”, “physical environmental security” and “electronic
access control system” are the constituent parts of “physical and environmental
security” of the core banking system. In Level-3 requirements of cryptographic
technical security protection of the core banking information system, the following
e) Cryptographic technique shall be adopted to establish a secure information
transmission channel, so as to perform centralized management of the
security device or security components in the network.
7.2.2.5 Audit record
“Communication security”, “identity authentication”, “secure access path” and “audit
record” are the constituent parts of “network and communication security” of the core
banking system. In Level-3 requirements of cryptographic technical security protection
of the core banking information system, the following requirements are made for the
“network and communication security - audit record” indicator:
The integrity service of cryptographic technique shall be adopted to protect the integrity
of audit record. It shall be ensured that its cryptographic function is correct and effective.
7.2.3 Device and computational security
7.2.3.1 General rules
Take the general rules of cryptographic application in device and computational
security in GM/T 0054-2018 as a reference.
7.2.3.2 Audit record
“Audit record”, “identity authentication”, “access control” and “cryptographic module”
are the constituent parts of “device and computational security” of the core banking
system. In Level-3 requirements of cryptographic technical security protection of the
core banking information system, the following requirements are made for the “device
and computational security - audit record” indicator:
a) The scope of audit shall cover every operating system user and database user
on the servers and on important clients;
b) The integrity service of cryptographic technique shall be adopted to implement
the integrity verification of audit records; it shall be ensured that its
cryptographic function is correct and effective;
c) The integrity function of cryptographic technique shall be adopted to protect
the integrity of log records;
d) Audit content shall include important security-related events in the system,
such as: important user behavior, abnormal use of system resources, and the
use of important system commands, etc.;
e) Audit record shall include date and time, type, subject identification, object
identification and event result, etc.
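Added example (not text of the standard): one way to implement the integrity protection of audit records required in 7.2.2.5 and in 7.2.3.2 b), c) and e), written in Go. Each record carries the required fields, is MACed, and is chained to the MAC of the record before it, so altering, reordering or deleting a record breaks verification. HMAC-SHA256, the field names and the three constructed log entries are assumptions for the example; an approved deployment would use an approved MAC (for example HMAC-SM3) with the key held inside the cryptographic module.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// AuditRecord carries the fields 7.2.3.2 e) requires (date and time, type,
// subject, object, result) plus two chain fields: Prev links the record to the
// MAC of the one before it and MAC authenticates the record itself.
type AuditRecord struct {
	Seq                                 uint64
	Time, Type, Subject, Object, Result string
	Prev                                string // hex MAC of previous record, "" for the first
	MAC                                 string // hex HMAC over all fields above, Prev included
}

// recordBytes serialises the authenticated fields with a delimiter (0x1f) that
// does not occur in normal field values.
func recordBytes(r AuditRecord) []byte {
	return []byte(fmt.Sprintf("%d\x1f%s\x1f%s\x1f%s\x1f%s\x1f%s\x1f%s",
		r.Seq, r.Time, r.Type, r.Subject, r.Object, r.Result, r.Prev))
}

// computeMAC is the integrity service. HMAC-SHA256 stands in for the
// HMAC-SM3 an approved deployment would use (assumption for the example).
func computeMAC(key []byte, r AuditRecord) string {
	m := hmac.New(sha256.New, key)
	m.Write(recordBytes(r))
	return hex.EncodeToString(m.Sum(nil))
}

// AuditLog is an append-only chain. In a real system the MAC key stays inside
// the cryptographic module; it is held in memory here only for the demo.
type AuditLog struct {
	key     []byte
	Records []AuditRecord
}

// Append creates the next record, links it to the previous MAC and MACs it.
func (l *AuditLog) Append(time, typ, subject, object, result string) {
	r := AuditRecord{Seq: uint64(len(l.Records)) + 1, Time: time, Type: typ,
		Subject: subject, Object: object, Result: result}
	if n := len(l.Records); n > 0 {
		r.Prev = l.Records[n-1].MAC
	}
	r.MAC = computeMAC(l.key, r)
	l.Records = append(l.Records, r)
}

// Verify re-walks the chain and names the first record whose sequence, link
// or MAC is wrong; alteration, reordering, insertion and deletion inside the
// log all surface here.
func Verify(key []byte, recs []AuditRecord) error {
	prev := ""
	for i, r := range recs {
		if r.Seq != uint64(i)+1 {
			return fmt.Errorf("record %d: expected seq %d, got %d (missing or reordered)", i+1, i+1, r.Seq)
		}
		if r.Prev != prev {
			return fmt.Errorf("record %d: link does not match previous MAC", r.Seq)
		}
		if !hmac.Equal([]byte(r.MAC), []byte(computeMAC(key, r))) {
			return fmt.Errorf("record %d: MAC mismatch, content altered", r.Seq)
		}
		prev = r.MAC
	}
	return nil
}

// DemoAuditChain builds a constructed three-record log and verifies the
// untouched log, a copy with one field altered and a copy with the middle
// record deleted, returning the three results.
func DemoAuditChain() (clean, altered, deleted error) {
	key := []byte("constructed-demo-mac-key")
	al := &AuditLog{key: key}
	al.Append("2019-07-12T09:00:00Z", "LOGIN", "dba01", "core-db", "SUCCESS")
	al.Append("2019-07-12T09:01:30Z", "COMMAND", "dba01", "ALTER TABLE ledger", "SUCCESS")
	al.Append("2019-07-12T09:02:00Z", "LOGOUT", "dba01", "core-db", "SUCCESS")
	clean = Verify(key, al.Records)

	tampered := append([]AuditRecord(nil), al.Records...)
	tampered[1].Result = "DENIED" // attacker rewrites the outcome of the command
	altered = Verify(key, tampered)

	truncated := []AuditRecord{al.Records[0], al.Records[2]} // middle record removed
	deleted = Verify(key, truncated)
	return clean, altered, deleted
}

func main() {
	clean, altered, deleted := DemoAuditChain()
	fmt.Println("clean:", clean, "\naltered:", altered, "\ndeleted:", deleted)
}
```

Deleting records at the tail of the chain is not detected by Verify on its own, because the shortened chain is still internally consistent; the latest MAC must also be anchored outside the log, for example by having the cryptographic device sign it periodically or by copying it to a separate append-only store.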
7.2.3.4 Access control
“Audit record”, “identity authentication”, “access control” and “cryptographic module”
are the constituent parts of “device and computational security” of the core banking
system. In Level-3 requirements of cryptographic technical security protection of the
core banking information system, the following requirements are made for the “device
and computational security - access control” indicator:
a) From the perspective of access control mechanism, in order to prevent
system resource access control information from being tampered with, the
integrity service of cryptographic technique shall be adopted to implement the
integrity protection of system resource access control information and
sensitive marks; it shall be ensured that its cryptographic function is correct
and effective;
b) Permissions of managed users shall be separated according to their assigned
roles, and each user shall be granted only the minimum permissions required;
c) Trusted computing technology shall be adopted to establish a chain of trust
from the system to the application, so as to implement protection of the
integrity of important programs or files during system operation.
7.2.3.5 Cryptographic module
“Audit record”, “identity authentication”, “access control” and “cryptographic module”
are the constituent parts of “device and computational security” of the core banking
system. In Level-3 requirements of cryptographic technical security protection of the
core banking information system, the following requirements are made for the “device
and computational security - cryptographic module” indicator:
Level-3 and above cryptographic modules that comply with GM/T 0028, or hardware
cryptographic products approved by the national cryptographic management
department should be adopted to implement cryptographic operation and key
management:
a) Dedicated hardware or firmware of the system, and cryptographic device shall
implement security functions, such as: authorized control, detection of
unauthorized access and indication of operation status, so as to ensure that
the cryptographic module can correctly operate in the approved working mode;
b) Dedicated hardware or firmware of the system, and cryptographic device shall
be able to prevent unauthorized disclosure of the module’s content or key
security parameters;
c) Dedicated hardware or firmware of the system, and cryptographic device shall
requirements are made for the “application and data security - data storage” indicator:
a) The integrity service of cryptographic technique should be adopted to
implement the detection of integrity of system management data,
authentication information and important business data during the storage
process; it shall be ensured that its cryptographic function is correct and
effective;
b) The confidentiality service of cryptographic technique should be adopted to
implement the confidentiality protection of the storage of system management
data, authentication information and important business data; it shall be
ensured that its cryptographic function is correct and effective.
7.2.5 Requirements for cryptographic allocation policy
7.2.5.1 Cryptographic algorithm allocation
“Cryptographic algorithm allocation”, “cryptographic protocol application” and
“cryptographic device application” are the constituent parts of “requirements for
cryptographic allocation policy” of the core banking system. In Level-3 requirements of
cryptographic technical security protection of the core banking information system, the
following requirements are made for the “requirements for cryptographic allocation
policy - cryptographic algorithm allocation” indicator:
Algorithms approved by the national cryptographic management department shall be
used.
7.2.5.2 Cryptographic protocol application
“Cryptographic algorithm allocation”, “cryptographic protocol application” and
“cryptographic device application” are the constituent parts of “requirements for
cryptographic allocation policy” of the core banking system. In Level-3 requirements of
cryptographic technical security protection of the core banking information system, the
following requirements are made for the “requirements for cryptographic allocation
policy - cryptographic protocol application” indicator:
Cryptographic protocol that has passed the security review of the national
cryptographic management department shall be adopted to implement the
cryptographic function.
7.2.5.3 Cryptographic device application
“Cryptographic algorithm allocation”, “cryptographic protocol application” and
“cryptographic device application” are the constituent parts of “requirements for
cryptographic allocation policy” of the core banking system. In Level-3 requirements of
cryptographic technical security protection of the core banking information system, the
following requirements are made for the “requirements for cryptographic allocation
--- Continued use of keys suspected of having been compromised shall be prevented.
7.3.3 Key management
7.3.3.1 Key import and export
“Key import and export”, “key storage and custody”, “key usage and replacement”, “key
backup and recovery” and “key archive and destruction” are the constituent parts of
“key management” of the core banking system. In Level-3 requirements of
cryptographic technical security protection of the core banking information system, the
following requirements are made for the “key management - key import and export”
indicator:
a) Key injection shall be performed in the presence of the key administrator, the
security auditor and the cryptographic device operator. The security auditor
should also record the operation memorandum and submit the security audit
logs and security audit documents;
b) The key transmission, import and export process shall be carried out in
accordance with the principle of dual control and key division. If key
component is required, then, the required key component shall be
respectively imported by the holder of the key component;
c) When transmitting and importing keys, the following shall be confirmed:
---A private key may be transmitted only after the cryptographic device has
authenticated the identity of at least two authorized persons, for example
by password; for manually distributed keys, the management process shall
authenticate the identity of the authorized persons, for example by written
authorization;
---Only when it can be ensured that the cryptographic device has not been
tampered in a way that might lead to the disclosure of keys or sensitive
data before using it, can the private key be imported into the cryptographic
device;
---Only when it can be ensured that there is no eavesdropping device installed
at the interface of the cryptographic device that might cause the leakage
of any element of the transmission key, can the private key be transmitted
between cryptographic devices;
---The device used to transmit private key between the device that generates
the key and the device that uses the key shall be cryptographic device;
---After importing the key to the target device, the key transmission device
shall not retain any information that might reveal the key;
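Added example (not part of the standard): the key division and dual-control import described in b) and c) above, written in Go. The key is split into XOR components so that no single holder ever sees it, a key check value (KCV) travels with the components instead of the key, and the device refuses to combine shares unless they come from at least two distinct authenticated persons. AES-128 for the KCV, the KCV convention (leading three bytes of an encrypted all-zero block), the holder names and the constructed key are assumptions; an approved deployment would use the national algorithms and would authenticate each holder by password or smart card as the text requires.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"errors"
	"fmt"
)

// SplitKey divides key into n components whose XOR equals key; any n-1 of
// them are uniformly random and reveal nothing about the key.
func SplitKey(key []byte, n int) ([][]byte, error) {
	if n < 2 {
		return nil, errors.New("key division needs at least two components")
	}
	comps := make([][]byte, n)
	last := append([]byte(nil), key...)
	for i := 0; i < n-1; i++ {
		c := make([]byte, len(key))
		if _, err := rand.Read(c); err != nil {
			return nil, err
		}
		comps[i] = c
		for j := range last {
			last[j] ^= c[j]
		}
	}
	comps[n-1] = last
	return comps, nil
}

// KCV is a key check value: the first three bytes of the AES encryption of an
// all-zero block under the key. It lets the device confirm the combined key
// without exposing it. AES and this convention are assumptions here.
func KCV(key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, block.BlockSize())
	block.Encrypt(out, make([]byte, block.BlockSize()))
	return out[:3], nil
}

// CombineComponents is the device-side import. holders[i] is the person who
// entered shares[i]; a real device authenticates each of them by password or
// smart card first, and the name stands in for that step here. It insists on
// one share each from at least two distinct persons (dual control), XORs the
// shares, checks the KCV and zeroises the partial key on every exit path.
func CombineComponents(holders []string, shares [][]byte, expectedKCV []byte) ([]byte, error) {
	distinct := map[string]bool{}
	for _, h := range holders {
		distinct[h] = true
	}
	if len(holders) != len(shares) || len(distinct) < 2 || len(distinct) != len(holders) {
		return nil, errors.New("dual control: one share each from at least two distinct persons")
	}
	acc := make([]byte, len(shares[0]))
	defer func() { // nothing of the partial key survives any return
		for i := range acc {
			acc[i] = 0
		}
	}()
	for _, s := range shares {
		if len(s) != len(acc) {
			return nil, errors.New("component length mismatch")
		}
		for i := range acc {
			acc[i] ^= s[i]
		}
	}
	kcv, err := KCV(acc)
	if err != nil {
		return nil, err
	}
	if !bytes.Equal(kcv, expectedKCV) {
		return nil, errors.New("KCV mismatch: a component was mistyped or substituted")
	}
	return append([]byte(nil), acc...), nil
}

// DemoImport splits a constructed 128-bit key into three components, has three
// holders present them and reports whether the device recovered the key.
func DemoImport() (bool, error) {
	key := []byte("0123456789abcdef")
	shares, err := SplitKey(key, 3)
	if err != nil {
		return false, err
	}
	kcv, _ := KCV(key) // the KCV travels with the components; the key never does
	got, err := CombineComponents([]string{"alice", "bob", "carol"}, shares, kcv)
	if err != nil {
		return false, err
	}
	return bytes.Equal(got, key), nil
}

func main() { fmt.Println(DemoImport()) }
```

A KCV of three bytes only detects a mistyped or substituted component; it is not a MAC and gives an attacker who sees it a 24-bit check on key guesses, which is why it accompanies components that are themselves delivered under dual control rather than being published.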
indicator:
a) Documented regulations for key storage and custody shall be formulated;
b) Key information must be kept in a safety box. The key to the safety box shall
be the responsibility of the key administrator, so as to ensure that only the
designated key administrator can open the device in custody; in addition, this
regulation shall be implemented in the post responsibility system; the
implementation of this regulation shall be regularly examined;
c) Passwords can only be stored in cryptographic device that complies with the
stipulations of GB/T 20547.2;
d) If key components are used, it shall be ensured that they are delivered to the
authorized person by a dedicated key mailer or key transmission device. The
key mailer shall be printed so that the key components can only be seen once
the mailer is opened, and it shall show only the minimum information needed
to deliver it to the authorized person. The construction of the key mailer shall
make accidental or fraudulent opening readily evident to the recipient; if this
occurs, the key components shall not be used;
e) There shall be emergency treatment and response measures in case of
possible leakage of the key;
f) Documented regulations for key storage and custody shall be formulated.
Requirements shall be proposed for the key storage location, transmission
mode, transmission medium, and import and export process, as well as the
personnel and responsibilities in the post of custody; in addition, the
implementation of this regulation shall be regularly examined;
g) Plaintext keys can only be stored in cryptographic device that complies with
the stipulations of GB/T 21079.1 and GB/T 20547.2.
7.3.3.3 Key usage and replacement
“Key import and export”, “key storage and custody”, “key usage and replacement”, “key
backup and recovery” and “key archive and destruction” are the constituent parts of
“key management” of the core banking system. In Level-3 requirements of
cryptographic technical security protection of the core banking information system, the
following requirements are made for the “key management - key usage and
replacement” indicator:
a) The purpose of the key shall be clarified; in addition, the key shall be correctly
used in accordance with the purpose;
b) A tracking and verification system shall be established for each link of key
d) Key backup or recovery shall be recorded; audit information shall also be
generated; audit information includes the subject of backup or recovery, and
the time of backup or recovery, etc.;
e) There shall be security measures to prevent the leakage and replacement of
keys;
f) The security of the location and form of key storage shall be ensured; the
access permissions of the key shall be restricted;
g) If, from the information the attacker is known to have obtained, it is
confirmed that an unauthorized key replacement has already occurred, keys
shall be replaced in the following steps:
---Erase every encrypted copy of the stored key that has been confirmed
replaced; check whether all remaining encrypted keys are legitimate, and
delete any that are not;
---Re-encrypt the legitimately stored encrypted keys under a new key
encryption key;
---Delete the old key encryption key from all operating positions;
h) Key backup or recovery shall be recorded; audit information shall be
generated; audit information includes the subject of backup or recovery, and
the time of backup or recovery, etc.
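Added example (not part of the standard): the key replacement sequence in g) above, carried out over a store of working keys wrapped under a key encryption key (KEK), written in Go. AES-GCM key wrapping with the key ID and KEK ID as associated data, the identifiers kek-1, kek-2, pin-key, zpk-old and tmk-2017, and the constructed plaintext keys are assumptions for the example; an approved deployment would do this with the national algorithms inside a cryptographic device.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// WrappedKey is a working key encrypted under a key encryption key (KEK) with
// AES-GCM, KeyID|KEKID as associated data, so a blob cannot be moved between
// slots or passed off as wrapped under another KEK. (AES-GCM is an assumption
// here; an approved deployment would use the national algorithms.)
type WrappedKey struct {
	KeyID, KEKID string
	Nonce, Blob  []byte // Blob = ciphertext || GCM tag
}

func gcmFor(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap encrypts plain under kek with a fresh random nonce.
func Wrap(kek []byte, kekID, keyID string, plain []byte) (WrappedKey, error) {
	g, err := gcmFor(kek)
	if err != nil {
		return WrappedKey{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return WrappedKey{}, err
	}
	blob := g.Seal(nil, nonce, plain, []byte(keyID+"|"+kekID))
	return WrappedKey{KeyID: keyID, KEKID: kekID, Nonce: nonce, Blob: blob}, nil
}

// Unwrap fails if the blob, nonce, slot binding or KEK binding was altered.
func Unwrap(kek []byte, w WrappedKey) ([]byte, error) {
	g, err := gcmFor(kek)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, w.Nonce, w.Blob, []byte(w.KeyID+"|"+w.KEKID))
}

// RotateKEK carries out the steps under g) over wrapped, the store of working
// keys: delete every encrypted copy of the keys confirmed compromised, delete
// any other key under oldID whose tag no longer verifies (it is not legitimate),
// re-encrypt the legitimate ones under newKEK, then erase oldKEK in place so
// that no operating position retains it.
func RotateKEK(wrapped map[string]WrappedKey, oldID string, oldKEK []byte, newID string, newKEK []byte, compromised map[string]bool) (rewrapped, deleted []string, err error) {
	for id, w := range wrapped {
		if w.KEKID != oldID {
			continue
		}
		plain, uerr := Unwrap(oldKEK, w)
		if compromised[id] || uerr != nil {
			delete(wrapped, id)
			deleted = append(deleted, id)
			continue
		}
		nw, werr := Wrap(newKEK, newID, id, plain)
		for i := range plain {
			plain[i] = 0 // the plaintext key existed only for the re-wrap
		}
		if werr != nil {
			return rewrapped, deleted, werr
		}
		wrapped[id] = nw
		rewrapped = append(rewrapped, id)
	}
	for i := range oldKEK {
		oldKEK[i] = 0
	}
	return rewrapped, deleted, nil
}

// DemoRotation builds a constructed store with one legitimate key, one blob an
// attacker altered and one key confirmed compromised, rotates the KEK and
// returns the store, the new KEK, the old (now erased) KEK and the outcome.
func DemoRotation() (store map[string]WrappedKey, newKEK, oldKEK []byte, rewrapped, deleted []string, err error) {
	oldKEK, newKEK = []byte("old-kek-00000000"), []byte("new-kek-11111111") // constructed 16-byte KEKs
	store = map[string]WrappedKey{}
	for id, p := range map[string]string{"pin-key": "pinkey-aaaaaaaaa",
		"zpk-old": "zpkkey-ccccccccc", "tmk-2017": "tmkkey-ddddddddd"} {
		if store[id], err = Wrap(oldKEK, "kek-1", id, []byte(p)); err != nil {
			return
		}
	}
	store["zpk-old"].Blob[0] ^= 0xff // attacker-altered ciphertext: its tag no longer verifies
	rewrapped, deleted, err = RotateKEK(store, "kek-1", oldKEK, "kek-2", newKEK, map[string]bool{"tmk-2017": true})
	return
}

func main() { fmt.Println(DemoRotation()) }
```

RotateKEK is not transactional: if the store is persistent, the re-wrapped blobs and the deletion of the old KEK should be committed together, otherwise a crash midway leaves some keys unreachable. Deleting keys whose tag fails is what the text means by removing illegal keys; the audit record d) and h) call for would be written from the two lists the function returns.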
7.3.3.5 Key archive and destruction
“Key import and export”, “key storage and custody”, “key usage and replacement”, “key
backup and recovery” and “key archive and destruction” are the constituent parts of
“key management” of the core banking system. In Level-3 requirements of
cryptographic technical security protection of the core banking information system, the
following requirements are made for the “key management - key archive and
destruction” indicator:
a) Effective security measures shall be adopted to ensure the security and
correctness of the archived keys;
b) The archived keys can only be used to decrypt the historical information
encrypted by the key, or verify the historical information signed by the key;
c) Key archive shall be recorded; audit information shall be generated; audit
information includes the archived keys and the time of archive, etc.;
d) Implement data backup on the archived keys;
requirements” are the constituent parts of “requirements for security management” of
the core banking system. In Level-3 requirements of cryptographic technical security
protection of the core banking information system, the following requirements are
made for the “requirements for security management - cryptographic device
management” indicator:
a) The system shall establish an effective security management system for
cryptographic device;
b) The system shall adopt cryptographic products approved by the national
cryptographic management department;
c) Cryptographic device operators shall go through specialized trainings and
assessments;
d) The system shall be equipped with dedicated cryptographic device
maintenance personnel and management personnel.
7.4.5 Requirements for cryptography-using business terminal
“Security management system”, “personnel management requirements”,
“cryptographic device management” and “cryptography-using business terminal
requirements” are the constituent parts of “requirements for security management” of
the core banking system. In Level-3 requirements of cryptographic technical security
protection of the core banking information system, the following requirements are
made for the “requirements for security management - cryptography-using business
terminal requirements” indicator:
a) The terminal device cryptographic module shall comply with the relevant
regulations and standards of the national cryptographic management
department and the industrial authorities;
b) The terminal device shall pass the test, and meet the basic functions and
performance requirements of cryptographic operation;
c) The operation of keys and passwords of the terminal device shall comply with
the operating manual and operating procedures;
d) When terminal device is scrapped, in accordance with the cryptographic
terminal device scrapping procedures, keys stored in the device shall be
deleted and destructed; the cryptographic application-related software on the
terminal shall be destructed and the destruction record shall be kept.
The authenticity function of cryptographic technique shall be used to protect the identity
authentication information of physical access control and ensure the authenticity of the
identity of personnel entering important areas.
8.2.1.4 Electronic access control system
“Cryptographic hardware security”, “physical environmental security” and “electronic
access control system” are the constituent parts of “physical and environmental
security” of the core banking system. In Level-4 requirements of cryptographic
technical security protection of the core banking information system, the following
requirements are made for the “physical and environmental security - electronic access
control system” indicator:
a) In the electronic access control system, the integrity service of cryptographic
technique shall be used to ensure the integrity of the electronic access control
system’s entry and exit records; it shall be ensured that its cryptographic
function is correct and effective;
b) The access control system requires that the card-reading mode should be
non-contact, and the use of magnetic stripe cards should be avoided;
c) When the access control system detects an unrecognized card attempting
illegal entry, it shall issue a warning and shall be able to locate the card
making the attempt;
d) The qualification, architecture and deployment of the adopted access control
system shall comply with the technical specifications required by GM/T 0036-
2014;
e) Corresponding rules and regulations shall be formulated to ensure the
compliance, correctness and effectiveness of the application of the access
control system;
f) It shall be ensured that the identity authentication information of personnel
entering important areas cannot be tampered with; the integrity service of
cryptographic technique shall be used to ensure the integrity of entry and exit
records; it shall be ensured that the cryptographic function is correct and
effective;
g) To enter the computer room area, in addition to the proximity card, a thermal
fingerprint verification system shall also be used to strictly control the
access of unrelated personnel; the access control system shall be equipped
with alarms for illegal intrusion, doors held open too long and broken glass,
and with an anti-passback function. To support anti-passback, every computer
room shall be equipped with microwave and passive-infrared motion
detectors. When all the legally authorized persons
provide evidences of original data issuance and data reception, so as to
implement the non-repudiation of original data issuance and data reception
behavior; it shall be ensured that its cryptographic function is correct and
effective;
e) For systems that provide services to the outside world through the Internet, in
terms of the entire message or conversation process during the
communication, the mode of dedicated communication protocol or encryption
shall be adopted to ensure the confidentiality of the communication process;
f) Transaction information shall be transmitted encrypted over a secure channel
protocol (SSL/TLS, which shall comply with the requirements of GM/T 0024);
g) When establishing a secure communication transmission path, the
authenticity service of cryptographic technique shall be used to implement
identity authentication of the communication subject; it shall be ensured that
its cryptographic function is correct and effective.
8.2.2.3 Identity authentication
“Communication security”, “identity authentication”, “secure access path” and “audit
record” are the constituent parts of “network and communication security” of the core
banking system. In Level-4 requirements of cryptographic technical security protection
of the core banking information system, the following requirements are made for the
“network and communication security - identity authentication” indicator:
a) When authenticating the identity of users logging in network devices, in order
to prevent the authentication information from being reused or counterfeited,
the authenticity service of cryptographic technique shall be adopted to protect
the authentication information from reuse and counterfeiting; it shall be
ensured that its cryptographic function is correct and effective;
b) In the execution of remote network management, in order to prevent the
authentication information from being leaked during the transmission process,
the confidentiality service of cryptographic technique shall be adopted to
protect the confidentiality of the authentication information; it shall be ensured
that its cryptographic function is correct and effective;
c) The user identifiers used for system management of network devices shall
not be easy to misuse. Static passwords of key network devices shall be
longer than 10 characters, combine letters, digits and symbols, and be
changed regularly;
d) For entities that have passed the identity authentication, the information
system shall adopt cryptographic technique to generate a unique random
prevent the authentication information from being eavesdropped during
network transmission;
j) Two or more authentication techniques should be combined to authenticate
managed users, and at least one kind of the authentication information
shall be hard to forge; for example, key certificates, dynamic password cards
and biometric characteristics may be used as authentication information;
k) Every quarter, unnecessary user accounts in the host device shall be checked,
locked or cancelled;
l) The system shall force users to change the initial password at first login;
m) When changing the password, the newly set password is not allowed to be
the same as the old password.
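Added example (not part of the standard): a challenge-response login of the kind a) above asks for, and one use of the unique random value d) calls for, written in Go. The device issues a single-use random challenge and verifies a MAC over it under the user's secret, so a captured response is useless for replay and cannot be counterfeited without the secret; a challenge is consumed whether or not the response verifies, so one challenge never permits a second guess. HMAC-SHA256, the in-memory secret map, the user name netadmin and the 30-second challenge lifetime are assumptions; an approved deployment would use an approved MAC with credentials held in the cryptographic module and, per b), carry the exchange over a confidential channel.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Authenticator is the network-device side of a challenge-response login.
// HMAC-SHA256 stands in for the approved MAC and the secrets map for the
// device's credential store (both assumptions for the example).
type Authenticator struct {
	secrets map[string][]byte    // user -> shared secret (constructed)
	issued  map[string]time.Time // outstanding challenges, keyed user:nonce
	ttl     time.Duration
	now     func() time.Time // injectable clock so expiry can be exercised
}

func NewAuthenticator(ttl time.Duration) *Authenticator {
	return &Authenticator{secrets: map[string][]byte{}, issued: map[string]time.Time{},
		ttl: ttl, now: time.Now}
}

// Challenge returns a fresh 128-bit random nonce for user and remembers it.
func (a *Authenticator) Challenge(user string) (string, error) {
	if _, ok := a.secrets[user]; !ok {
		return "", errors.New("unknown user")
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(b)
	a.issued[user+":"+nonce] = a.now()
	return nonce, nil
}

// Respond is the client-side computation: HMAC(secret, user | nonce).
func Respond(secret []byte, user, nonce string) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(user + "|" + nonce))
	return hex.EncodeToString(m.Sum(nil))
}

// Verify accepts a response only if the nonce was issued to this user, is
// within its lifetime and has not been consumed. The nonce is consumed even
// when the MAC fails, so one challenge never allows a second guess.
func (a *Authenticator) Verify(user, nonce, response string) error {
	k := user + ":" + nonce
	issuedAt, ok := a.issued[k]
	if !ok {
		return errors.New("challenge unknown or already used (replay)")
	}
	delete(a.issued, k)
	if a.now().Sub(issuedAt) > a.ttl {
		return errors.New("challenge expired")
	}
	want := Respond(a.secrets[user], user, nonce)
	if !hmac.Equal([]byte(want), []byte(response)) {
		return errors.New("bad response (wrong secret or counterfeit)")
	}
	return nil
}

// DemoChallengeResponse plays one honest login, a replay of the captured
// nonce/response pair, and a counterfeit response under a guessed secret.
func DemoChallengeResponse() (honest, replay, forged error) {
	a := NewAuthenticator(30 * time.Second)
	a.secrets["netadmin"] = []byte("constructed-shared-secret")
	nonce, err := a.Challenge("netadmin")
	if err != nil {
		return err, err, err
	}
	resp := Respond(a.secrets["netadmin"], "netadmin", nonce)
	honest = a.Verify("netadmin", nonce, resp)
	replay = a.Verify("netadmin", nonce, resp) // eavesdropper resends the same pair
	n2, _ := a.Challenge("netadmin")
	forged = a.Verify("netadmin", n2, Respond([]byte("guess"), "netadmin", n2))
	return honest, replay, forged
}

func main() {
	h, r, f := DemoChallengeResponse()
	fmt.Println("honest:", h, "\nreplay:", r, "\nforged:", f)
}
```

Expired challenges are only removed when a verification attempt arrives for them; a production device would also sweep the issued map periodically so that an attacker requesting many challenges cannot grow it without bound.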
8.2.3.4 Access control
“Audit record”, “identity authentication”, “access control” and “cryptographic module”
are the constituent parts of “device and computational security” of the core banking
system. In Level-4 requirements of cryptographic technical security protection of the
core banking information system, the following requirements are made for the “device
and computational security - access control” indicator:
a) From the perspective of access control mechanism, in order to prevent
system resource access control information from being tampered with, the
integrity service of cryptographic technique should be adopted to implement
the integrity protection of system resource access control information; it shall
be ensured that its cryptographic function is correct and effective;
b) The integrity function of cryptographic technique should be adopted to ensure
the integrity of sensitive marks of important information resources.
8.2.3.5 Cryptographic module
“Audit record”, “identity authentication”, “access control” and “cryptographic module”
are the constituent parts of “device and computational security” of the core banking
system. In Level-4 requirements of cryptographic technical security protection of the
core banking information system, the following requirements ......
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.