
GM/T 0073-2019 English PDF

GM/T 0073-2019 (English): PDF (GM/T0073-2019)

Standard ID: GM/T 0073-2019
Contents: English
Price: USD 360 (Add to Cart)
Delivery: PDF, auto-delivered in 0--9 seconds
Standard Title (Description): Cryptography technical requirements for mobile banking information systems
Status: Valid


BASIC DATA
Standard ID GM/T 0073-2019 (GM/T0073-2019)
Description (Translated English) Cryptography technical requirements for mobile banking information systems
Sector / Industry Chinese Industry Standard (Recommended)
Classification of Chinese Standard L80
Classification of International Standard 35.040
Word Count Estimation 27,217
Date of Issue 2019
Date of Implementation 2019-07-12


GM/T 0073-2019

GM CRYPTOGRAPHY INDUSTRY STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80

Cryptography technical requirements for mobile banking information systems

ISSUED ON: JULY 12, 2019
IMPLEMENTED ON: JULY 12, 2019
Issued by: State Cryptography Administration

Table of Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Model of mobile banking information system
6 Basic requirements and functional requirements for cryptography application
7 Level 2 requirements for the cryptography security protection of mobile banking information systems
7.1 Basic technical requirements
7.2 Cryptography security requirements
7.2.1 Physical and environmental security
7.2.2 Network and communication security
7.2.3 Device and computing security
7.2.4 Application and data security
7.2.5 Cryptography allocation policy requirements
7.3 Key security and management requirements
7.3.1 General
7.3.2 Key security
7.3.3 Key management
7.4 Security management requirements
7.4.1 Overview
7.4.2 Security management system
7.4.3 Personnel management requirements
7.4.4 Cryptographic device management
7.4.5 Password-using service terminal requirements
8 Level 3 requirements for the cryptography security protection of mobile banking information systems
8.1 Basic requirements
8.2 Cryptography security requirements
8.2.1 Physical and environmental security
8.2.2 Network and communication security
8.2.3 Device and computing security
8.2.4 Application and data security
8.2.5 Cryptography allocation policy requirements
8.3 Key security and management requirements
8.3.1 General
8.3.2 Key security
8.3.3 Key management
8.4 Security management requirements
8.4.1 Overview
8.4.2 Security management system
8.4.3 Personnel management requirements
8.4.4 Cryptographic device management
8.4.5 Password-using service terminal requirements
Appendix A (Normative) Table of comparison of security requirements
Bibliography

Cryptography technical requirements for mobile banking information systems

1 Scope

On the basis of standards such as GM/T 0054-2018 and JR/T 007-2012, combined with the characteristics of mobile banking information systems and the application needs of cryptography in the security construction of classified protection for this type of information system, this Standard puts forward specific requirements for cryptography in mobile banking information systems of different security protection classes, in terms of cryptographic security technical requirements, key security and management requirements, and security management requirements.

This Standard applies to the guidance, standardization and evaluation of commercial cryptographic applications in mobile banking information systems.

2 Normative references

The following documents are indispensable for the application of this document. For dated references, only the edition with the date indicated applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GB/T 20547.2-2006 Banking - Secure cryptographic devices (retail) - Part 2: Security compliance checklists for devices used in financial transactions
GB/T 21078.1-2007 Banking - Personal Identification Number management and security - Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems
GB/T 21079.1 Banking - Secure cryptographic devices (retail) - Part 1: Concepts, requirements and evaluation methods
GM/T 0028-2014 Security requirements for cryptographic modules
GM/T 0036-2014 Technical guidance of cryptographic application for access control systems based on contactless smart card
GM/T 0054-2018 General requirements for information system cryptography application

Mobile banking mobile client: the mobile application client program of mobile banking, which provides users with local electronic banking services.

Mobile banking server: the server that provides the corresponding services to the mobile banking mobile client. The server specified in this Standard includes the software programs as well as the hardware devices that carry and run them.

Boundary: the boundary of interconnection between subjects, including interaction boundaries, network boundaries, physical boundaries, etc.

6 Basic requirements and functional requirements for cryptography application

The basic requirements and functional requirements for cryptography application of mobile banking information systems shall comply with the requirements of Clause 5 and Clause 6 of GM/T 0054-2018.

7 Level 2 requirements for the cryptography security protection of mobile banking information systems 1)

7.1 Basic technical requirements

It shall be in accordance with the requirements of the level 2 indicators in GM/T 0054-2018.

7.2 Cryptography security requirements

7.2.1 Physical and environmental security

7.2.1.1 General

Refer to the general rules for cryptography application of physical and environmental security in GM/T 0054-2018.
7.2.1.2 Cryptographic hardware security

"Cryptographic hardware security", "physical environment security" and "electronic access control system" are part of the "physical and environmental

1) For a comparison of all security requirements of this level with the other levels, refer to Appendix A, Table of comparison of security requirements; the same below.

c) Corresponding rules and regulations should be developed, to ensure the compliance, correctness and effectiveness of the use of the access control system.

7.2.2 Network and communication security

7.2.2.1 General

Refer to the general rules for cryptography application of network and communication security in GM/T 0054-2018.

7.2.2.2 Communication security

"Communication security" and "identity authentication" are part of the "network and communication security" of the mobile banking information system. In the level 2 requirements for cryptography security protection of the mobile banking information system, the following requirements are made for the "network and communication security - communication security" indicator:

a) In order to prevent access communication data from being tampered with, intercepted, counterfeited and reused, it is advisable to use the integrity, confidentiality and authenticity services of cryptography to protect the network boundary and system resource access control information;

b) During data transmission, cryptography such as digital certificates and encryption/decryption should be used to establish a secure transport layer session channel.

7.2.2.3 Identity authentication

"Communication security" and "identity authentication" are part of the "network and communication security" of the mobile banking information system.
In the level 2 requirements for cryptography security protection of the mobile banking information system, the following requirements are made for the "network and communication security - identity authentication" indicator:

a) When authenticating users who log in to network devices, in order to prevent the authentication information from being reused and counterfeited, it is advisable to use the authenticity service of cryptography to protect the authentication information against reuse and counterfeiting. Its cryptographic function shall be correct and effective;

b) The network device system management user ID shall have characteristics that make it not easy to be fraudulently used. The static

c) When conducting key business processes, such as transfers, transactions and data modification, it is advisable to use a variety of cryptographic technologies to ensure the authenticity and validity of user identities;

d) Operating system and database system management user IDs shall have characteristics that make them not easy to be fraudulently used. The static password of a key system shall be more than 6 characters long, composed of a mixture of letters, numbers and symbols, and replaced regularly.

7.2.3.4 Verification code and dynamic password

"Audit record", "identity authentication", "verification code and dynamic password" and "cryptographic module" are part of the "device and computing security" of the mobile banking information system.
In the level 2 requirements for cryptography security protection of the mobile banking information system, the following requirements are made for the "device and computing security - verification code and dynamic password" indicator:

a) When using SMS or other channels to send the verification code, correct cryptography shall be used to ensure that the dynamic password sent is completely random and unpredictable;

b) When using SMS or other channels to send the verification code, it shall be ensured that the content of the verification code is not disclosed;

c) If OTP tokens are used for identity verification, correct cryptography shall be used to ensure that the OTP is completely random and unpredictable.

7.2.3.5 Cryptographic module

"Audit record", "identity authentication", "verification code and dynamic password" and "cryptographic module" are part of the "device and computing security" of the mobile banking information system. In the level 2 requirements for cryptography security protection of the mobile banking information system, the following requirements are made for the "device and computing security - cryptographic module" indicator: it shall use level 2 or above cryptographic modules meeting GM/T 0028-2014, or hardware cryptographic products approved by the national cryptography administration, to realize cryptographic calculations and key management:

a) The system's dedicated hardware or firmware and cryptographic device shall implement security functions, such as authorization control, detection of unauthorized access and operation status indication, to ensure that the cryptographic module can operate correctly in the approved working mode;

In the level 2 requirements for cryptography security protection of the mobile banking information system, the following requirements are made for the "application and data security - data storage" indicator: in terms of data storage security, the integrity service of cryptography can be used to detect the integrity of system management data, authentication information, key configuration information and important business data in the storage process. Its cryptographic function shall be correct and effective.

7.2.4.4 Device application

"Data transmission", "data storage" and "device application" are part of the "application and data security" of the mobile banking information system. In the level 2 requirements for cryptography security protection of the mobile banking information system, the following requirements are made for the "application and data security - device application" indicator:

a) Mobile device applications shall not store the user's password, payment password, PAC, CVV or other sensitive information in plaintext or in a merely encoded form;

b) Mobile device applications shall desensitize sensitive data such as passwords, PACs and CVVs;

c) When mobile device applications process sensitive data entered by users, such as passwords and payment passwords, security measures should be taken to ensure the confidentiality of the sensitive data and to ensure that it is not obtained without authorization;

d) Mobile device applications shall not leak sensitive data such as user passwords, personal information, PAC and CVV to other entities, such as other local processes, Internet data servers, etc.

7.2.5 Cryptography allocation policy requirements

7.2.5.1 Cryptographic algorithm allocation

"Cryptographic algorithm allocation", "cryptographic protocol use" and "cryptographic device use" are part of the "cryptography allocation policy requirements" of the mobile banking information system. In the level 2 requirements for cryptography security protection of the mobile banking information system, the following requirements are made for the "cryptography allocation policy requirements - cryptographic algorithm allocation" indicator: it is advisable to use algorithms approved by the national cryptography administration.
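As an added illustration of 7.2.3.4 a) to c) (this is example code written for this page, not code from the standard or its publisher), the following Python shows the properties a server-side verification-code service needs: the code is drawn from the operating system's CSPRNG through the `secrets` module, is never logged, expires, is single-use, is attempt-limited and is compared in constant time. A deterministic, timestamp-seeded generator is shown alongside only to make the "not completely random and unpredictable" failure concrete. The `VerificationCodeService` class, its name and the policy constants (length, lifetime, attempt limit) are assumptions for this example; the standard prescribes none of them.

```python
import hmac
import random
import secrets
import time
from dataclasses import dataclass

# Constructed policy values for this example. The standard only requires that
# the code be random, unpredictable and undisclosed, not a length or lifetime.
CODE_LENGTH = 6
CODE_TTL_SECONDS = 120
MAX_ATTEMPTS = 3


def generate_code(length: int = CODE_LENGTH) -> str:
    """Digits drawn from the OS CSPRNG via the `secrets` module.

    Each digit is independent and uniform, so the code is unpredictable as
    7.2.3.4 a) and c) require: neither the previous code nor the send time
    gives any information about the next one."""
    return "".join(str(secrets.randbelow(10)) for _ in range(length))


def predictable_code(seed_time: int, length: int = CODE_LENGTH) -> str:
    """ANTI-PATTERN, shown only for contrast: random.Random is a deterministic
    Mersenne Twister. Seeding it with a timestamp makes every code reproducible
    from the send time, which is exactly the failure the standard forbids."""
    rng = random.Random(seed_time)
    return "".join(str(rng.randrange(10)) for _ in range(length))


@dataclass
class IssuedCode:
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


class VerificationCodeService:
    """Hypothetical server-side store for SMS / OTP verification codes.

    Never logs the code (7.2.3.4 b)), enforces expiry, single use and an
    attempt limit, and compares candidates in constant time."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so the flow can be exercised offline
        self._issued: dict[str, IssuedCode] = {}

    def issue(self, user_id: str) -> str:
        code = generate_code()
        self._issued[user_id] = IssuedCode(code=code, issued_at=self._now())
        # Returned to the caller for delivery over SMS or another channel only;
        # it is deliberately not written to any log.
        return code

    def verify(self, user_id: str, candidate: str) -> bool:
        rec = self._issued.get(user_id)
        if rec is None or rec.used:
            return False
        if self._now() - rec.issued_at > CODE_TTL_SECONDS:
            del self._issued[user_id]  # expired: discard and force a re-issue
            return False
        rec.attempts += 1
        if rec.attempts > MAX_ATTEMPTS:
            del self._issued[user_id]  # too many guesses: invalidate the code
            return False
        # Constant-time comparison: a plain == could leak, through timing,
        # how many leading digits of the guess were right.
        if hmac.compare_digest(rec.code.encode(), candidate.encode()):
            rec.used = True  # single use
            return True
        return False


if __name__ == "__main__":
    svc = VerificationCodeService()
    code = svc.issue("user-42")
    print("issued (would be sent via SMS):", code)
    wrong = "000000" if code != "000000" else "111111"
    print("verify wrong guess:", svc.verify("user-42", wrong))
    print("verify correct code:", svc.verify("user-42", code))
    print("replay of used code:", svc.verify("user-42", code))
    print("timestamp-seeded codes repeat:",
          predictable_code(1700000000) == predictable_code(1700000000))
```

The injectable clock is what lets the expiry path be tested without sleeping; in production the default `time.time` is used. The attempt limit matters because a 6-digit code gives only one million possibilities, so an unlimited number of guesses would defeat the randomness that a) and c) demand.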
7.3.2 Key security

7.3.2.1 Key generation

"Key generation", "key storage", "key distribution" and "key use" are part of the "key security" of the mobile banking information system. In the level 2 requirements for cryptography security protection of the mobile banking information system, the following requirements are made for the "key security - key generation" indicator:

a) A random number generator which meets national standards shall be used to generate the key;

b) The key shall be generated inside the cryptographic device and must not appear outside the cryptographic device in plaintext;

c) It shall have the ability to check for and remove weak keys;

d) Key pair generation shall be completed by the owner of the key pair or its agent;

e) The method of generating asymmetric key pairs shall ensure the confidentiality of the private key and the integrity of the public key. For asymmetric key pairs used for non-repudiation services, it shall be possible to prove the integrity of the public key to a third party.

7.3.2.2 Key storage

"Key generation", "key storage", "key distribution" and "key use" are part of the "key security" of the mobile banking information system. In the level 2 requirements for cryptography security protection of the mobile banking information system, the following requirements are made for the "key security - key storage" indicator:

a) The key shall be encrypted for storage. Strict security protection measures shall be taken to prevent the key from being illegally obtained;

b) The key, or the key modules stored in the system, shall be protected by a password.

7.3.2.3 Key distribution

"Key generation", "key storage", "key distribution" and "key use" are part of the "key security" of the mobile banking information system.
In the level 2 requirements for cryptography security protection of the mobile banking information system, the following requirements are made for the "key security - key distribution" indicator:

should also be present; and record the operation memo; submit security audit logs, security audit documents, etc.

b) The key transmission, import and export process shall be carried out in accordance with the principle of dual control and key splitting. If key modules are used, each required key module shall be imported by its respective holder.

c) When transferring and importing keys, it shall be confirmed that:

- The key can be transmitted only when the cryptographic device has authenticated at least two authorized persons, for example by password. For keys distributed manually, management procedures such as paper authorization shall be used to authenticate the identity of the authorized person.

- The private key can be imported into the cryptographic device only when it has been ensured that the device has not been tampered with before use in a way that could lead to the disclosure of keys or sensitive data.

- The private key can be transmitted between cryptographic devices only when it has been ensured that no eavesdropping device is installed at the interface of the cryptographic device that could disclose any element of the transmitted key.

- A cryptographic device shall be used to transfer the private key between the device generating the key and the device using the key.

- After importing the key into the target device, the key transportation device shall not retain any information which may reveal the key.

- When a key transportation device is used, the key (including the key identifier, if an explicit key identifier is used) shall be transferred from the cryptographic device that generated the key to the key transportation device.
This device shall be physically transported to the location of the cryptographic device that actually uses the key.

d) When using key modules, it shall be confirmed that:

- The key modules which together constitute the key shall be imported into or exported from the device manually or by key devices. The transmission of a key module shall not disclose any part of it to any unauthorized individual.

the key envelope to the authorized person. The structure of the key envelope shall make accidental or deceptive opening easy for the receiver to discover. If this happens, the key module shall not be used any more.

7.3.3.3 Key use and replacement

"Key import and export", "key storage and custody", "key use and replacement" and "key backup and recovery" are part of the "key management" of the mobile banking information system. In the level 2 requirements for cryptography security protection of the mobile banking information system, the following requirements are made for the "key management - key use and replacement" indicator:

a) The key shall have a clearly defined purpose and be used correctly according to that purpose;

b) A tracking and verification system shall be established for each link in the key use process;

c) In the process of using the key, there shall be security measures preventing the leakage and substitution of the key;

d) During key use, the key shall be replaced according to the key replacement cycle requirements. Key replacement allows interruption of system operation;

e) When a key is leaked, stop using it immediately and initiate the corresponding emergency handling and response measures;

f) Manage the system administrator passwords, user passwords and user permissions of cryptographic machines and cryptographic management equipment. In case of leakage or loss of control over authority, the verification and tracking program shall be initiated, the event level shall be assessed according to the authority that was lost, and the relevant keys shall be updated in due course.

7.3.3.4 Key backup and recovery

"Key import and export", "key storage and custody", "key use and replacement" and "key backup and recovery" are part of the "key management" of the mobile banking information system. In the level 2 requirements for cryptography security protection of the mobile banking information system, the following requirements are made for the "key management - key backup and recovery" indicator:

7.4.2 Security management system

"Security management system", "personnel management requirements", "cryptographic device management" and "password-using service terminal requirements" are part of the "security management requirements" of the mobile banking information system. In the level 2 requirements for cryptography security protection of the mobile banking information system, the following requirements are made for the "security management requirements - security management system" indicator:

a) A management system shall be established for the generation, storage, injection, use, distribution, backup, recovery, archiving and destruction of all keys;

b) Standard operating procedures shall be established for cryptographic devices and cryptographic systems, clarifying the standard operating process of each step. Operating forms shall be generated for each stage of operation and archived;

c) The security management status of cryptographic devices and key systems shall be checked regularly and, in accordance with the requirements of the key security management system, the relevant forms and reports filled in.

7.4.3 Personnel management requirements

"Security management system", "personnel management requirements", "cryptographic device management" and "password-using service terminal requirements" are part of the "security management requirements" of the mobile banking information system.
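The dual control and key splitting principle of 7.3.2.3 b) to d), together with 7.3.2.1 b) (the key is generated inside the device and never appears outside it in plaintext), can be illustrated as follows. This is an added Python example written for this page, not code from the standard or its publisher; the page's "key modules" are treated as XOR key components, and the `KeyImportDevice` class, the officer names and passwords, and the SHA-256-based check value are constructed assumptions (the standard prescribes no check-value method).

```python
import hashlib
import hmac
import secrets
from functools import reduce
from typing import Dict, List, Optional, Set


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def generate_key_in_device(length: int = 16) -> bytes:
    """7.3.2.1 a)/b): the key comes from the OS CSPRNG inside the (simulated)
    device; outside it, only components are ever handled."""
    return secrets.token_bytes(length)


def split_key(key: bytes, n_components: int) -> List[bytes]:
    """Split a key into n XOR components (the page's "key modules").

    The first n-1 components are fresh random bytes; the last is chosen so
    that the XOR of all n equals the key. Any n-1 of them are statistically
    independent of the key, so a single holder, or a key envelope opened in
    transit, learns nothing about it."""
    if n_components < 2:
        raise ValueError("dual control needs at least two components")
    parts = [secrets.token_bytes(len(key)) for _ in range(n_components - 1)]
    last = reduce(xor_bytes, parts, key)  # key ^ p0 ^ ... ^ p(n-2)
    return parts + [last]


def combine_components(parts: List[bytes]) -> bytes:
    return reduce(xor_bytes, parts)


def key_check_value(key: bytes) -> str:
    """Non-secret fingerprint so operators can confirm the right key was
    assembled without exporting it. Assumption for this example: truncated
    SHA-256; the standard does not prescribe a check-value method."""
    return hashlib.sha256(key).hexdigest()[:6]


class KeyImportDevice:
    """Hypothetical cryptographic device enforcing 7.3.2.3 b) and c): at least
    two distinct authorized officers must authenticate before any component is
    accepted, each holder imports only their own component, components are not
    retained after assembly, and the assembled key never leaves the device."""

    def __init__(self, authorized: Dict[str, str], n_components: int):
        self._authorized = authorized  # officer id -> password (constructed)
        self._n = n_components
        self._authenticated: Set[str] = set()
        self._components: Dict[str, bytes] = {}
        self._key: Optional[bytes] = None
        self.audit_log: List[str] = []  # 7.3.3 b): every key-handling step is tracked

    def authenticate(self, officer: str, password: str) -> bool:
        expected = self._authorized.get(officer)
        ok = expected is not None and hmac.compare_digest(expected, password)
        self.audit_log.append(f"auth {officer}: {'ok' if ok else 'fail'}")
        if ok:
            self._authenticated.add(officer)
        return ok

    def import_component(self, officer: str, component: bytes) -> bool:
        if len(self._authenticated) < 2 or officer not in self._authenticated:
            self.audit_log.append(f"import by {officer} refused: dual control not met")
            return False
        if officer in self._components or self._key is not None:
            self.audit_log.append(f"import by {officer} refused: one component per holder")
            return False
        self._components[officer] = component
        self.audit_log.append(f"component {len(self._components)}/{self._n} imported by {officer}")
        if len(self._components) == self._n:
            self._key = combine_components(list(self._components.values()))
            self._components.clear()  # components are not retained after assembly
            self.audit_log.append(f"key assembled, KCV {key_check_value(self._key)}")
        return True

    def assembled_kcv(self) -> Optional[str]:
        """Only the check value is exposed; the key itself stays inside."""
        return None if self._key is None else key_check_value(self._key)


if __name__ == "__main__":
    key = generate_key_in_device()          # never printed: it stays "inside" the device
    parts = split_key(key, 3)               # one sealed envelope per holder
    dev = KeyImportDevice({"alice": "pw-a", "bob": "pw-b", "carol": "pw-c"}, 3)
    print("import before dual control:", dev.import_component("alice", parts[0]))
    dev.authenticate("alice", "pw-a")
    dev.authenticate("bob", "pw-b")
    dev.authenticate("carol", "pw-c")
    for officer, part in zip(("alice", "bob", "carol"), parts):
        dev.import_component(officer, part)
    print("KCV matches generated key:", dev.assembled_kcv() == key_check_value(key))
    print("\n".join(dev.audit_log))
```

The check value is what lets the receiving side confirm that all envelopes were intact and the right components were entered, without ever transmitting or displaying the key, which is the point of 7.3.2.3's "shall not disclose any part of the key module" and "shall not retain any information which may reveal the key".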
In the level 2 requirements for cryptography security protection of the mobile banking information system, the following requirements are made for the "security management requirements - personnel management requirements" indicator:

a) According to the requirements of the competent department and the actual situation of the organization, a certain number of post holders, such as key managers, security auditors and cryptographic device operators, shall be provided. These posts shall not be held concurrently by the same person;

b) Full-time key managers shall be appointed. This post shall not be held concurrently by personnel in other posts;

c) A post responsibility system shall be established to clarify the responsibilities and authorities of the relevant personnel in the management of cryptographic devices and key systems. The management and user accounts of the related devices and systems must not be shared by several people;

d) When the access control system detects an unrecognized card attempting illegal entry, it shall raise a warning and be able to locate the card that made the attempt;

e) The qualification, architecture and deployment of the adopted access control system shall comply with the technical specifications of GM/T 0036-2014;

f) Corresponding rules and regulations should be developed to ensure the compliance, correctness and effectiveness of the use of the access control system.

8.2.2 Network and communication security

8.2.2.1 General

Refer to the general rules for cryptography application of network and communication security in GM/T 0054-2018.

8.2.2.2 Communication security

"Communication security" and "identity authentication" are part of the "network and communication security" of the mobile banking information system.
In the level 3 requirements for cryptography security protection of the mobile banking information system, the following requirements are made for the "network and communication security - communication security" indicator:

a) In order to prevent access communication data from being tampered with, intercepted, counterfeited and reused, it shall use the integrity, confidentiality and authenticity services of cryptography to protect the network boundary and system resource access control information. Key sensitive data, such as PAC and CVV, are individually encrypted. The cryptographic function shall be correct and effective.

b) During data transmission, cryptography such as digital certificates and encryption/decryption shall be used to establish a secure transport layer session channel. The subject of data transmission shall authenticate the identity information of the object, to ensure the confidentiality of the data.

c) When transport layer security is used for data transmission, the subject shall authenticate the identity information of the object, to ensure the confidentiality of the data.
d) In order to prevent the transmitted content from being obtained by controlling one end of the communication, during communication the

a) The system's dedicated hardware or firmware and cryptographic device shall implement security functions, such as authorization control, detection of unauthorized access and operation status indication, to ensure that the cryptographic module can operate correctly in the approved working mode;

b) The system's dedicated hardware or firmware and cryptographic device shall be able to prevent unauthorized disclosure of the module's contents or key security parameters;

c) The system's dedicated hardware or firmware and cryptographic device shall be able to prevent unauthorized or undetectable modifications to cryptographic modules and cryptographic algorithms;

d) The system's dedicated hardware or firmware and cryptographic device shall be able to detect errors in the operation of the cryptographic module, and prevent these errors from leading to unauthorized disclosure, modification or use of key security parameters.

8.2.4 Application and data security

8.2.4.1 General

Refer to the general rules for cryptography application of application and data security in GM/T 0054-2018.

8.2.4.2 Data transmission

"Data transmission", "data storage" and "device application" are part of the "application and data security" of the mobile banking information system. In the level 3 requirements for cryptography security protection of the mobile banking information system, the following requirements are made for the "application and data security - data transmission" indicator:

a) In terms of data transmission security, the integrity service of cryptography should be used to verify the integrity of important user data during transmission. Its cryptographic function shall be correct and effective;

b) For systems which provide services to the outside world through the Internet, a dedicated communication protocol or encryption method shall be used for the entire message or session during the communication process, to ensure the confidentiality of the communication;

c) Key messages sent through the client shall be digitally signed using cryptography, to ensure the authenticity and non-repudiation of the message;

d) Mobile device applications shall not leak sensitive data such as user passwords, personal information, PAC and CVV to other entities, such as other local processes, Internet data servers, etc.;

e) The integrity service of cryptography should be used to verify the integrity of important programs. Its cryptographic function shall be correct and effective.

8.2.5 Cryptography allocation policy requirements

8.2.5.1 Cryptographic algorithm allocation

"Cryptographic algorithm allocation", "cryptographic protocol use" and "cryptographic device use" are part of the "cryptography allocation policy requirements" of the mobile banking information system. In the level 3 requirements for cryptography security protection of the mobile banking information system, the following requirements are made for the "cryptography allocation policy requirements - cryptographic algorithm allocation" indicator: it shall use algorithms approved by the national cryptography administration.

8.2.5.2 Cryptographic protocol use

"Cryptographic algorithm allocation", "cryptographic protocol use" and "cryptographic device use" are part of the "cryptography allocation policy requirements" of the mobile banking information system. In the level 3 requirements for cryptography security protection of the mobile banking i......
