JR/T 0055.4-2009 PDF in English
JR/T 0055.4-2009 (JR/T0055.4-2009, JRT 0055.4-2009, JRT0055.4-2009)
Standard ID | Contents [version] | USD | Name of Chinese Standard | Status
JR/T 0055.4-2009 | English | 150 | Technical specifications on bankcard interoperability. Part 4: Data secure transmission control | Valid
JR
FINANCIAL INDUSTRY STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS
File No.:
Technical specifications on bankcard interoperability - Part 4: Data secure transmission control
ISSUED ON: JUNE 1, 2009
IMPLEMENTED ON: JULY 1, 2009
Issued by: People's Bank of China
Table of Contents
Foreword ... 3
1 Scope ... 4
2 Normative references ... 4
3 Terms and definitions ... 4
4 Key management and control ... 5
5 Online message PIN encryption and decryption ... 9
6 Calculation of online message MAC ... 11
7 IC card security requirements based on the PBOC debit/credit standard ... 13
8 Switch between new and old keys ... 14
Bibliography ... 15
Foreword
JR/T 0055 Technical specifications on bankcard interoperability consists of the following five parts:
- Part 1: Transaction processing;
- Part 2: Message interface;
- Part 3: File data format;
- Part 4: Data secure transmission control;
- Part 5: Communication interface.
This Part is Part 4 of JR/T 0055.
This Part was proposed by the People's Bank of China.
This Part shall be under the jurisdiction of the National Technical Committee on Finance of the Standardization Administration of China.
Main drafting organizations of this Part: People's Bank of China Science and Technology Division, China UnionPay Co., Ltd.
Drafting organizations of this Part: Industrial and Commercial Bank of China, Agricultural Bank of China, Bank of China, China Construction Bank, HSBC Bank, China Financial Computerization Corporation, Bank Card Testing Center.
Main drafters of this Part: Jiang Yunbing, Du Ning, Huang Faguo, Li Jie, Wan Gaofeng, Lu Erdong, Shi Dapeng, Lin Song, Zeng Zheng, Deng Lifeng, Cao Ying, Ma Xiaoqiong, Liu Zhigang.
Technical specifications on bankcard interoperability - Part 4: Data secure transmission control
1 Scope
This Part of this Standard specifies the basic requirements for the key management mechanism and for the secure transmission of transaction data during bank card inter-bank transaction transmission, so as to ensure the security and integrity of transaction information.
This Part of this Standard applies to switching centers, acquirers and issuers that conduct inter-bank bank card transactions.
2 Normative references
The provisions in following documents become the provisions of this Standard
through reference in this Standard. For dated references, the subsequent
amendments (excluding corrigendum) or revisions do not apply to this Standard,
however, parties who reach an agreement based on this Standard are
encouraged to study if the latest versions of these documents are applicable.
For undated references, the latest edition of the referenced document applies.
ANSI X9.8, Banking - Personal Identification Number Management and Security
JR/T 0025 (all parts), China Financial Integrated Circuit Card Specifications
3 Terms and definitions
For the purpose of this document, the following terms and definitions apply.
3.1 personal identification number (PIN)
the personal password, i.e. the data that verifies the legitimacy of the cardholder in an online transaction
3.2 message authentication code (MAC)
the data used to validate the source and content of information exchanged between sender and receiver
b) key generation, storage and destruction, and the encryption/decryption of transaction information, shall be performed in hardware cryptographic equipment;
c) national and international standards related to data security shall be complied with;
d) management requirements for operators shall be strengthened;
e) keys shall be changed regularly.
4.1.1 Basic requirements of data secure transmission control
The data secure transmission control requirements shall include, but are not limited to, the following four aspects:
a) key management mechanism: a strict and reliable key distribution process shall be implemented technically;
b) encryption/decryption and translation mechanism for the personal identification number (PIN): the PIN in plain text is not allowed to appear on a communication line or on manually operable storage media;
c) all agencies shall use hardware encryption;
d) a peer-to-peer data encryption and decryption network mechanism.
4.1.2 Basic requirements of the hardware encryption machine
The main functions of the hardware encryption machine are to encrypt and decrypt the PIN, to verify the correctness of the message source and to store keys. All of these operations shall be completed inside the hardware encryption machine, so that keys and the PIN in plain text only ever appear inside the encryption machine and disclosure of keys and PINs is prevented. The hardware encryption machine shall pass the safety certification of the national commercial cryptography authority. In addition, it shall also meet the following requirements:
a) support single-length keys (B64, used in the single-length key algorithm) and double-length keys (B128, used in the double-length key algorithm);
b) support the provisions of this Part on the PIN: verification and translation of PIN ciphertext;
c) support the provisions of this Part on the MAC: verification and generation of MAC;
d) verify keys;
e) in the event of an unlawful attack, automatically destroy the cryptographic keys.
Then the PIN data block shall be: 0x06 0x12 0x34 0x56 0xFF 0xFF 0xFF 0xFF
Exclusive OR with: 0x00 0x00 0x67 0x89 0x01 0x23 0x45 0x67
Result: 0x06 0x12 0x53 0xDF 0xFE 0xDC 0xBA 0x98
5.4 Encryption and decryption of PIN
Input the PIN data block generated in 5.3 into the hardware encryption machine, where it is processed with the double-length key algorithm under the PIK stored in the hardware encryption machine; the output is the PIN ciphertext.
When a message arrives at the inter-bank transaction network, the PIN has already been encrypted under the recipient's PIK. The switching center decrypts the PIN ciphertext with the recipient's PIK, re-encrypts it under the issuer's PIK, and sends it to the issuer.
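The PIN block exclusive-OR worked above and the PIN encryption and switching-center translation of 5.4, as an added Go example that is not part of the standard: it assumes the ANSI X9.8 format 0 layouts for the PIN and account blocks (the 5.3 text is not reproduced on this page) and two-key triple DES as the double-length key algorithm; the PAN and the PIK values used with it are constructed test values.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
)

func hexBlock(s string) [8]byte {
	var b [8]byte
	if _, err := hex.Decode(b[:], []byte(s)); err != nil {
		panic(err)
	}
	return b
}

// clearPINBlock forms the PIN data block (length nibbles, PIN digits, 0xF padding)
// and XORs it with the account block (0000 plus the 12 rightmost PAN digits excluding
// the check digit). ANSI X9.8 format 0 is assumed; the page's 5.3 text is not included.
func clearPINBlock(pin, pan string) [8]byte {
	s := fmt.Sprintf("%02d%s", len(pin), pin)
	pinBlk := hexBlock((s + "FFFFFFFFFFFFFFFF")[:16])
	panBlk := hexBlock("0000" + pan[len(pan)-13:len(pan)-1])
	for i := range pinBlk {
		pinBlk[i] ^= panBlk[i] // PIN block and account block are combined by exclusive OR
	}
	return pinBlk
}

// tdes runs one block through the double-length key algorithm (two-key triple DES assumed; K1|K2|K1).
func tdes(pik []byte, in [8]byte, decrypt bool) [8]byte {
	c, err := des.NewTripleDESCipher(append(append([]byte{}, pik...), pik[:8]...))
	if err != nil {
		panic(err)
	}
	var out [8]byte
	if decrypt {
		c.Decrypt(out[:], in[:])
	} else {
		c.Encrypt(out[:], in[:])
	}
	return out
}

// translatePIN is the switching-center step of 5.4: decrypt under the PIK shared with
// the sender, re-encrypt under the issuer's PIK; the clear block exists only inside
// this function (inside the hardware encryption machine in practice).
func translatePIN(ct [8]byte, senderPIK, issuerPIK []byte) [8]byte {
	return tdes(issuerPIK, tdes(senderPIK, ct, true), false)
}
```

With PIN 123456 and the constructed PAN 6226789012345671, clearPINBlock reproduces the page's result 0x06 0x12 0x53 0xDF 0xFE 0xDC 0xBA 0x98.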
6 Calculation of online message MAC
6.1 Conditions for MAC use
The MAC is usually used for request messages of types 01XX, 02XX and 04XX, as well as for successful reply messages of types 01XX, 02XX and 04XX (reply code category meaning "approved"). The parties involved in the transaction may agree whether to use the MAC during online transactions.
6.2 MAC composition rules
6.2.1 Selection of message fields
The information used to form the MAC data block generally includes the following message fields:
- fields that are unique per transaction (such as the system trace number, transaction transmission date and time, etc.);
- fields representing message characteristics (message type, transaction processing code, point of service condition code, etc.);
- transaction-related fields (primary account number, transaction amount, reply code, acquirer identification code, receiver identification code, etc.).
The message fields involved in the MAC calculation for each transaction type are agreed upon by the parties involved in the transaction, based on the above principles.
6.2.2 Selection of MAC character
The selected message field used for the composition of MAC data block shall
MAC value agreed by each party, and compare this MAC value with the MAC value carried in the message. If the two are identical, the message is correct and acceptable; otherwise the message shall be treated as unreliable and rejected.
6.3.2 Reset key transaction
For reset key transaction request and reply messages, the switching center and the agency shall use the newly issued key to calculate the MAC. When the PIN key is being reset, the MAC calculation shall also use the newly issued PIN key.
The MAC field (field 128) in the request message is an 8-byte binary value formed by concatenating the first half (4 bytes) of the 8-byte value obtained by MAC calculation with the single-length key algorithm and the first half (4 bytes) of the 8-byte value obtained by check value calculation with the single-length key algorithm.
The MAC calculation for the reply message is the same as for the ordinary transaction described in 6.3.1: no check value needs to be calculated, but the key used shall still be the newly issued key.
The check value is calculated by encrypting 8 bytes of binary "0" with the new key used as a single-length key.
It shall be noted, however, that the MAC of the reset key message sent by the switching center is encrypted with the new key value carried in the message. Therefore, when a double-length PIK is reset, the MAC of this message shall be encrypted with the double-length key algorithm; this is a special case of MAC encryption. Likewise, the check value contained in the request message shall be calculated with the double-length key algorithm. The MAC and check value calculation processes are identical to the process described in 6.3.1: first perform the double-length key operation, then exclusive-OR the result with the next 8-byte MAB group and use that result in place of the next group, and so on, until the last group has completed the double-length key operation.
7 IC card security requirements based on the PBOC debit/credit standard
Carry out in accordance with the relevant requirements of JR/T 0025-2005, China Financial Integrated Circuit (IC) Card Specifications.
...... Source: Above contents are excerpted from the PDF, translated/reviewed by www.chinesestandard.net / Wayne Zheng et al.