
JR/T 0055.4-2009 PDF in English


Standard ID: JR/T 0055.4-2009 (also written JR/T0055.4-2009, JRT 0055.4-2009, JRT0055.4-2009)
Name: Technical specifications on bankcard interoperability - Part 4: Data secure transmission control
Language of this edition: English
Status: Valid


JR/T 0055.4-2009
JR FINANCIAL INDUSTRY STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA

Technical specifications on bankcard interoperability - Part 4: Data secure transmission control

Issued on: June 1, 2009
Implemented on: July 1, 2009
Issued by: People's Bank of China

Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Key management and control
5 Online message PIN encryption and decryption
6 Calculation of online message MAC
7 IC card security requirements based on the PBOC debit/credit standard
8 Switch between new and old keys
Bibliography

Foreword
JR/T 0055 Technical specifications on bankcard interoperability consists of the following five parts:
- Part 1: Transaction processing;
- Part 2: Message interface;
- Part 3: File data format;
- Part 4: Data secure transmission control;
- Part 5: Communication interface.
This Part is Part 4 of JR/T 0055.
This Part was proposed by the People's Bank of China.
This Part is under the jurisdiction of the National Technical Committee on Finance of the Standardization Administration of China.
Main drafting organizations of this Part: People's Bank of China Science and Technology Division; China UnionPay Co., Ltd.
Drafting organizations of this Part: Industrial and Commercial Bank of China, Agricultural Bank of China, Bank of China, China Construction Bank, HSBC Bank, China Financial Computerization Corporation, Bank Card Testing Center.
Main drafters of this Part: Jiang Yunbing, Du Ning, Huang Faguo, Li Jie, Wan Gaofeng, Lu Erdong, Shi Dapeng, Lin Song, Zeng Zheng, Deng Lifeng, Cao Ying, Ma Xiaoqiong, Liu Zhigang.

Technical specifications on bankcard interoperability - Part 4:
Data secure transmission control

1 Scope
This Part of JR/T 0055 specifies the basic requirements for the key management mechanism and for the secure transfer of transaction data during the transmission of inter-bank bankcard transactions, so as to ensure the security and integrity of transaction information.
This Part applies to the switching center, the acquirers and the issuers that conduct inter-bank bankcard transactions.

2 Normative references
The provisions of the following documents become provisions of this Part through reference in this Part. For dated references, subsequent amendments (excluding corrigenda) or revisions do not apply to this Part; however, parties reaching agreements based on this Part are encouraged to investigate whether the latest editions of these documents are applicable. For undated references, the latest edition of the referenced document applies.
ANSI X9.8, Banking - Personal Identification Number Management and Security
JR/T 0025 (all parts), China Financial Integrated Circuit Card Specifications

3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1 personal identification number (PIN)
the personal password; the data that verifies the legitimacy of the cardholder in an online transaction
3.2 message authentication code (MAC)
the data used to validate the source and content of a message between sender and receiver

4 Key management and control
......
b) key generation, storage and destruction, and the encryption and decryption of transaction information, shall be performed in hardware cryptographic equipment;
c) national and international standards related to data security shall be complied with;
d) the management requirements for operators shall be strengthened;
e) keys shall be changed regularly.
4.1.1 Basic requirements of data secure transmission control
The data secure transmission control requirements shall include, but are not limited to, the following four aspects:
a) key management mechanism: a strict and reliable key distribution process shall be implemented technically;
b) encryption, decryption and translation mechanism for the personal identification number (PIN): the plaintext PIN shall not appear on a communication line or on any manually operable storage medium;
c) all institutions shall use hardware encryption;
d) a peer-to-peer data encryption and decryption network mechanism.
4.1.2 Basic requirements of the hardware encryption machine
The main functions of the hardware encryption machine are to encrypt and decrypt the PIN, to verify the correctness of the message source, and to store keys. All of these operations shall be completed inside the hardware encryption machine, so that keys and plaintext PINs exist only inside the machine and cannot be disclosed. The hardware encryption machine shall pass the security certification of the national commercial cryptography authority. In addition, it shall meet the following requirements:
a) support single-length (B64, used in the single-length key algorithm) and double-length (B128, used in the double-length key algorithm) keys;
b) support PIN encryption, PIN ciphertext verification and PIN translation (conversion) as specified in this Part;
c) support MAC verification and generation as specified in this Part;
d) verify keys;
e) automatically destroy the cryptographic keys in the event of an unlawful attack.

5 Online message PIN encryption and decryption
......
The PIN data block is then:
  0x06 0x12 0x34 0x56 0xFF 0xFF 0xFF 0xFF
XOR
  0x00 0x00 0x67 0x89 0x01 0x23 0x45 0x67
Result:
  0x06 0x12 0x53 0xDF 0xFE 0xDC 0xBA 0x98
5.4 Encryption and decryption of PIN
The PIN data block generated in 5.3 is input to the hardware encryption machine and encrypted with the double-length key algorithm under the PIK stored in the machine; the output is the PIN ciphertext. When a message arrives at the inter-bank transaction network, the PIN in it is already encrypted under the acquirer's PIK (the key shared between the acquirer and the switching center).
The switching center decrypts the PIN ciphertext with the acquirer's PIK, re-encrypts the PIN block under the issuer's PIK, and sends the result to the issuer.

6 Calculation of online message MAC
6.1 Conditions for MAC use
The MAC is normally used on request messages of types 01XX, 02XX and 04XX, and on the successful reply messages of types 01XX, 02XX and 04XX (reply codes in the "approved" category). The parties to a transaction may agree whether a MAC is used in online transactions.
6.2 MAC composition rules
6.2.1 Selection of message fields
The data used to form the MAC data block generally includes the following message fields:
- fields that make the message unique (system trace number, transmission date and time, etc.);
- fields that characterize the message (message type, transaction processing code, point-of-service condition code, etc.);
- transaction-related fields (primary account number, transaction amount, reply code, acquirer identification code, receiving institution identification code, etc.).
The message fields included in the MAC calculation for each transaction type are agreed by the parties to the transaction on the basis of the above principles.
6.2.2 Selection of MAC characters
The selected message fields used to form the MAC data block shall ......
...... the MAC value agreed by each party, and compare it with the MAC value carried in the message. If the two are consistent, the message is correct and acceptable; otherwise the message is unreliable and shall be rejected.
6.3.2 Reset key transaction
For the request and reply messages of a reset key transaction, the switching center and the institution shall calculate the MAC with the newly issued key. When the PIN key is reset, the MAC calculation shall likewise use the newly issued PIN key.
The MAC field (field 128) of the request message is an 8-byte binary value formed by concatenating the first 4 bytes of the 8-byte MAC computed with the single-length key algorithm and the first 4 bytes of the 8-byte check value computed with the single-length key algorithm. The MAC of the reply message is calculated as for an ordinary transaction (6.3.1); no check value is needed, but the key used shall still be the newly issued key. The check value is obtained by encrypting 8 bytes of binary zero with the new key, used as a single-length key. Note, however, that the MAC of the reset-key message sent by the switching center is computed under the new key value carried in the message. Therefore, when a double-length PIK is reset, the MAC of that message shall be computed with the double-length key algorithm; this is a special case of MAC computation. Likewise, the check value contained in the request message shall be calculated with the double-length key algorithm. The MAC and check value computations otherwise follow the procedure of 6.3.1: perform the double-length key operation on the first group, XOR the result with the next 8-byte MAB group, use that result in place of the next group, and so on until the last group has gone through the double-length key operation.

7 IC card security requirements based on the PBOC debit/credit standard
Carry out in accordance with the relevant requirements of JR/T 0025-2005, China Financial Integrated Circuit (IC) Card Specifications.
......
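The following Go program is an added example; it is not code from JR/T 0055.4-2009 or from ChineseStandard.net. It reproduces the clause 5.3 PIN block shown above and performs the clause 5.4 translation step that the switching center's hardware encryption machine carries out (decrypt under the acquirer's PIK, re-encrypt under the issuer's PIK, plaintext never leaving the function). Because the excerpt does not say so, it assumes ANSI X9.8 format 0 (the standard's normative reference) with the account field 0000 followed by the rightmost 12 PAN digits excluding the check digit, and that the "double-length key algorithm" is two-key TDES (K1, K2, K1) applied to the single 8-byte block. The PAN and the two PIKs are constructed test values.

```go
package main

// Added example, not code from JR/T 0055.4-2009 or the page: builds the 5.3 PIN
// block shown above and performs the 5.4 PIN translation inside one function, as
// the switching center's hardware encryption machine does. Assumptions the
// excerpt does not state: ANSI X9.8 format 0 with account field 0000 + rightmost
// 12 PAN digits excluding the check digit; "double-length key algorithm" = two-key
// TDES (K1,K2,K1) on the single 8-byte block; the PAN and PIKs are constructed.

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// pinField: control nibble 0, PIN-length nibble, the PIN digits, 0xF padding.
func pinField(pin string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return nil, errors.New("PIN must be 4 to 12 decimal digits")
	}
	return hex.DecodeString(fmt.Sprintf("0%X%s%s", len(pin), pin, strings.Repeat("F", 14-len(pin))))
}

// panField: 0000 followed by the 12 rightmost PAN digits, check digit excluded.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 || strings.Trim(pan, "0123456789") != "" {
		return nil, errors.New("PAN must be at least 13 decimal digits")
	}
	body := pan[:len(pan)-1]
	return hex.DecodeString("0000" + body[len(body)-12:])
}

// PINBlock is the 5.3 step on the page: PIN field XOR account field.
func PINBlock(pin, pan string) ([]byte, error) {
	p, err := pinField(pin)
	if err != nil {
		return nil, err
	}
	a, err := panField(pan)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	for i := range out {
		out[i] = p[i] ^ a[i]
	}
	return out, nil
}

// tdes2 turns a 16-byte double-length PIK into a two-key TDES cipher (K1,K2,K1).
func tdes2(pik []byte) (cipher.Block, error) {
	if len(pik) != 16 {
		return nil, errors.New("double-length PIK must be 16 bytes")
	}
	return des.NewTripleDESCipher(append(append([]byte{}, pik...), pik[:8]...))
}

// EncryptPIN produces the PIN ciphertext of 5.4: one TDES block under the PIK.
func EncryptPIN(block, pik []byte) ([]byte, error) {
	c, err := tdes2(pik)
	if err != nil {
		return nil, err
	}
	if len(block) != 8 {
		return nil, errors.New("PIN block must be 8 bytes")
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out, nil
}

// DecryptPIN is the inverse; outside an HSM boundary its output must never be logged.
func DecryptPIN(ct, pik []byte) ([]byte, error) {
	c, err := tdes2(pik)
	if err != nil {
		return nil, err
	}
	if len(ct) != 8 {
		return nil, errors.New("PIN ciphertext must be 8 bytes")
	}
	out := make([]byte, 8)
	c.Decrypt(out, ct)
	return out, nil
}

// TranslatePIN is the switching-center operation: decrypt under the acquirer's
// PIK, sanity-check the block, re-encrypt under the issuer's PIK.
func TranslatePIN(ct, fromPIK, toPIK []byte) ([]byte, error) {
	block, err := DecryptPIN(ct, fromPIK)
	if err != nil {
		return nil, err
	}
	// The account field starts 0000, so byte 0 of a format-0 block is 0x0L with
	// 4 <= L <= 12; anything else means a wrong key or corrupted ciphertext.
	if l := block[0]; l>>4 != 0 || l&0x0F < 4 || l&0x0F > 12 {
		return nil, errors.New("decrypted PIN block malformed: wrong PIK or corrupt ciphertext")
	}
	return EncryptPIN(block, toPIK)
}

func main() {
	block, err := PINBlock("123456", "6226789012345679") // constructed PAN
	if err != nil {
		panic(err)
	}
	fmt.Printf("PIN block:          %X\n", block) // 061253DFFEDCBA98, as on the page
	acqPIK := []byte("0123456789ABCDEF") // constructed acquirer-switch PIK
	issPIK := []byte("FEDCBA9876543210") // constructed switch-issuer PIK
	ct, _ := EncryptPIN(block, acqPIK)
	fwd, err := TranslatePIN(ct, acqPIK, issPIK)
	if err != nil {
		panic(err)
	}
	fmt.Printf("under acquirer PIK: %X\nunder issuer PIK:   %X\n", ct, fwd)
}
```

The control-nibble check in TranslatePIN is the kind of sanity check a real HSM performs before re-encrypting: because the account field starts with 0000, a block decrypted under the wrong PIK will almost always fail it, and the switch rejects the message instead of forwarding garbage to the issuer.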
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.