GM/T 0073-2019 (GMT0073-2019)


BASIC DATA
Standard ID GM/T 0073-2019 (GM/T0073-2019)
Description (Translated English) Cryptography technical requirements for mobile banking information systems
Sector / Industry Chinese Industry Standard (Recommended)
Classification of Chinese Standard L80
Classification of International Standard 35.040
Word Count Estimation 27,217
Date of Issue 2019
Date of Implementation 2019-07-12

GM/T 0073-2019
GM
CRYPTOGRAPHY INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Cryptography technical requirements for mobile
banking information systems
ISSUED ON: JULY 12, 2019
IMPLEMENTED ON: JULY 12, 2019
Issued by: State Cryptography Administration
Table of Contents
Foreword ... 4 
Introduction ... 5 
1 Scope ... 7 
2 Normative references ... 7 
3 Terms and definitions ... 8 
4 Abbreviations ... 9 
5 Model of mobile banking information system ... 10 
6 Basic requirements and functional requirements for cryptography application ... 11
7 Level 2 requirements for the cryptography security protection of mobile banking information systems ... 11
7.1 Basic technical requirements ... 11 
7.2 Cryptography security requirements ... 11 
7.2.1 Physical and environmental security ... 11 
7.2.2 Network and communication security ... 13 
7.2.3 Device and computing security ... 14 
7.2.4 Application and data security ... 16 
7.2.5 Cryptography allocation policy requirements ... 17 
7.3 Key security and management requirements ... 18 
7.3.1 General ... 18 
7.3.2 Key security ... 19 
7.3.3 Key management ... 20 
7.4 Security management requirements ... 24 
7.4.1 Overview ... 24 
7.4.2 Security management system ... 25 
7.4.3 Personnel management requirements ... 25 
7.4.4 Cryptographic device management ... 26 
7.4.5 Password-using service terminal requirements ... 26 
8 Level 3 requirements for the cryptography security protection of mobile banking information systems ... 27
8.1 Basic requirements ... 27 
8.2 Cryptography security requirements ... 27 
8.2.1 Physical and environmental security ... 27 
8.2.2 Network and communication security ... 29 
8.2.3 Device and computing security ... 31 
8.2.4 Application and data security ... 33 
8.2.5 Cryptography allocation policy requirements ... 35 
8.3 Key security and management requirements ... 36 
8.3.1 General ... 36 
8.3.2 Key security ... 36 
8.3.3 Key management ... 38 
8.4 Security management requirements ... 44 
8.4.1 Overview ... 44 
8.4.2 Security management system ... 44 
8.4.3 Personnel management requirements ... 45 
8.4.4 Cryptographic device management ... 46 
8.4.5 Password-using service terminal requirements ... 46 
Appendix A (Normative) Table of comparison of security requirements ... 48 
Bibliography ... 50 
Cryptography technical requirements for mobile
banking information systems
1 Scope
On the basis of standards such as GM/T 0054-2018 and JR/T 007-2012, combined
with the characteristics of mobile banking information systems and the
application needs of cryptography in the security construction of classified
protection for this type of information system, this Standard puts forward
specific requirements for the cryptography in mobile banking information
systems of different security protection classes, in terms of cryptographic
security technical requirements, key security and management requirements,
and security management requirements.
This Standard applies to the guidance, standardization and evaluation of
commercial cryptographic applications in mobile banking information systems.
2 Normative references
The following documents are indispensable for the application of this document.
For dated references, only the edition with the indicated date applies to this
document. For undated references, the latest edition (including all amendments)
applies to this document.
GB/T 20547.2-2006 Banking - Secure cryptographic devices (retail) - Part 2:
Security compliance checklists for devices used in financial transactions
GB/T 21078.1-2007 Banking - Personal Identification Number management
and security - Part 1: Basic principles and requirements for online PIN
handling in ATM and POS systems
GB/T 21079.1 Banking - Secure cryptographic devices (retail) - Part 1:
Concepts, requirements and evaluation methods
GM/T 0028-2014 Security requirements for cryptographic modules
GM/T 0036-2014 Technical guidance of cryptographic application for access
control systems based on contactless smart card
GM/T 0054-2018 General requirements for information system cryptography
application
Mobile banking mobile client: It refers to the mobile application client program
of mobile banking, which can provide users with local electronic banking
services.
Mobile banking server: It refers to the server that can provide targeted services,
corresponding to the mobile client of mobile banking. The server specified in
this Standard includes software programs, as well as hardware devices that
carry and run programs.
Boundary: It refers to the boundary of interconnection between subjects,
including interaction boundary, network boundary, physical boundary, etc.
6 Basic requirements and functional requirements for
cryptography application
The basic requirements and functional requirements for cryptography
application of mobile banking information systems shall comply with the
requirements of Clause 5 and Clause 6 of GM/T 0054-2018.
7 Level 2 requirements for the cryptography security
protection of mobile banking information systems 1)
7.1 Basic technical requirements
It shall be in accordance with the requirements of the level 2 indicators in GM/T
0054-2018.
7.2 Cryptography security requirements
7.2.1 Physical and environmental security
7.2.1.1 General
Refer to the general rules for cryptography application of physical and
environmental security in GM/T 0054-2018.
7.2.1.2 Cryptographic hardware security
"Cryptographic hardware security", "physical environment security" and
"electronic access control system" are part of the "physical and environmental
1) For comparison of all security requirements of this level with other levels, please refer
to Appendix A Table of comparison of security requirements; the same below.
c) Corresponding rules and regulations should be developed, to ensure the
compliance, correctness and effectiveness of the use of access control
system.
7.2.2 Network and communication security
7.2.2.1 General
Refer to the general rules for cryptography application of network and
communication security in GM/T 0054-2018.
7.2.2.2 Communication security
"Communication security" and "identity authentication" are part of the "network
and communication security" of the mobile banking information system. In the
level 2 requirements for cryptography security protection of the mobile banking
information system, the following requirements are made for the "network and
communication security-communication security" indicator:
a) In order to prevent access communication data from being tampered with,
intercepted, counterfeited and reused, it is advisable to use the integrity
service, confidentiality service and authenticity service of cryptography, to
protect the network boundary and system resource access control
information;
b) During data transmission, cryptography such as digital certificates and
encryption-decryption should be used, to establish a secure transport
layer session channel.
7.2.2.3 Identity authentication
"Communication security" and "identity authentication" are part of the "network
and communication security" of the mobile banking information system. In the
level 2 requirements for cryptography security protection of the mobile banking
information system, the following requirements are made for the "network and
communication security-identity authentication" indicator:
a) When authenticating users who log in to network devices, in order to
prevent the authentication information from being reused and
counterfeited, it is advisable to use the authenticity service of cryptography,
to protect the authentication information from reuse and counterfeiting. Its
cryptographic function shall be correct and effective;
b) The network device system management user ID shall have the
characteristics that it is not easy to be fraudulently used. The static
c) When conducting key business processes, such as transfers, transactions,
and data modification, it is advisable to use a variety of cryptographic
technologies to ensure the authenticity and validity of user identities;
d) Operating system and database system management user ID shall have
the characteristics that it is not easy to be fraudulently used. The static
password of key system shall be more than 6 digits; composed of a
mixture of letters, numbers, and symbols; and be replaced regularly.
7.2.3.4 Verification code and dynamic password
"Audit record", "identity authentication", "verification code and dynamic
password" and "cryptographic module" are part of the "device and computing
security" of the mobile banking information system. In the level 2 requirements
for cryptography security protection of the mobile banking information system,
the following requirements are made for the "device and computing security-
verification code and dynamic password" indicator:
a) When using SMS or other channels to send the verification code, the
correct cryptography shall be used, to ensure that the dynamic password
sent is completely random and unpredictable;
b) When using SMS or other channels to send the verification code, it shall
be ensured that the content of the verification code is not disclosed;
c) If OTP tokens are used for identity verification, it shall use correct
cryptography, to ensure that OTP is completely random and unpredictable.
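The three requirements of 7.2.3.4 (a random, unpredictable code; a code whose content is not disclosed on the server side; and an OTP that cannot be guessed) can be met together in one small server component. The following is an added illustration written for this page, not code from GM/T 0073-2019 or from any bank's system. It assumes a stdlib-only Python server: the code is drawn digit by digit from the operating-system CSPRNG, only a keyed hash of it is stored (so a leaked database or log does not reveal live codes), and verification is single-use, time-limited and attempt-limited, so the small 6-digit space cannot be swept by guessing. The code length, lifetime and attempt limit are constructed values, not figures from the standard.

```python
import hashlib
import hmac
import secrets
import time

# Constructed policy values for the example; the standard does not fix them.
CODE_LENGTH = 6
CODE_TTL_SECONDS = 120
MAX_ATTEMPTS = 3


def generate_code(length: int = CODE_LENGTH) -> str:
    """Draw every digit from the OS CSPRNG (secrets.randbelow), so the code is
    uniformly distributed, has no modulo bias, and cannot be derived from the
    clock or a seeded PRNG (requirement a / c: random and unpredictable)."""
    return "".join(str(secrets.randbelow(10)) for _ in range(length))


class VerificationCodeStore:
    """Server-side record of issued codes. Only an HMAC of the code is kept,
    keyed with a server secret, so the stored value does not disclose the
    code (requirement b). `now` is injectable so the expiry logic is testable."""

    def __init__(self, server_secret: bytes, now=time.time):
        self._secret = server_secret
        self._now = now
        # session id -> (digest, expires_at, attempts_left)
        self._records = {}

    def _digest(self, session_id: str, code: str) -> bytes:
        msg = f"{session_id}:{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, session_id: str) -> str:
        """Create a code for a session and return it for delivery over SMS.
        The plaintext code must not be written to any server log."""
        code = generate_code()
        self._records[session_id] = (
            self._digest(session_id, code),
            self._now() + CODE_TTL_SECONDS,
            MAX_ATTEMPTS,
        )
        return code

    def verify(self, session_id: str, candidate: str) -> bool:
        """Constant-time comparison against the stored digest. A code is
        single-use, expires after CODE_TTL_SECONDS, and is invalidated after
        MAX_ATTEMPTS wrong guesses so the 10^6 space cannot be enumerated."""
        record = self._records.get(session_id)
        if record is None:
            return False
        digest, expires_at, attempts_left = record
        if self._now() > expires_at or attempts_left <= 0:
            del self._records[session_id]
            return False
        ok = hmac.compare_digest(digest, self._digest(session_id, candidate))
        if ok:
            del self._records[session_id]  # single use
        else:
            self._records[session_id] = (digest, expires_at, attempts_left - 1)
        return ok


if __name__ == "__main__":
    store = VerificationCodeStore(b"constructed-server-secret")
    issued = store.issue("session-1")
    print("delivered over SMS:", issued)
    print("wrong guess accepted?", store.verify("session-1", "xxxxxx"))
    print("correct code accepted?", store.verify("session-1", issued))
    print("replay accepted?", store.verify("session-1", issued))
```

Two design points worth noting: the server secret is what turns the stored digest into something that cannot be brute-forced offline against a dumped table (a bare hash of a 6-digit code is reversible in milliseconds), and the attempt counter is kept per session on the server, not on the client, because the client is the party being authenticated.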
7.2.3.5 Cryptographic module
"Audit record", "identity authentication", "verification code and dynamic
password" and "cryptographic module" are part of the "device and computing
security" of the mobile banking information system. In the level 2 requirements
for cryptography security protection of the mobile banking information system,
the following requirements are made for the "device and computing security-
cryptographic module" indicator:
It shall use level 2 and above cryptographic modules meeting GM/T 0028-2014
or hardware cryptographic products approved by the national cryptography
administration, to realize cryptographic calculations and key management:
a) The system's dedicated hardware or firmware and cryptographic device
shall implement security functions, such as authorization control,
detection of unauthorized access, and operation status indication; to
ensure that the cryptographic module can operate correctly in the
approved working mode;
level 2 requirements for cryptography security protection of the mobile banking
information system, the following requirements are made for the "application
and data security-data storage" indicator:
In terms of data storage security, the integrity service of cryptography can be
used, to detect the integrity of system management data, authentication
information, key configuration information and important business data in the
storage process. Its cryptographic function shall be correct and effective.
7.2.4.4 Device application
"Data transmission", "data storage" and "device application" are part of the
"application and data security" of the mobile banking information system. In the
level 2 requirements for cryptography security protection of the mobile banking
information system, the following requirements are made for the "application
and data security-device application" indicator:
a) Mobile device applications shall not store the user's password, payment
password, PAC, CVV and other sensitive information in plaintext or
encoding;
b) Mobile device applications shall desensitize sensitive data such as
passwords, PACs, and CVVs;
c) When mobile device applications process sensitive data entered by users,
such as passwords, payment passwords, etc., security measures should
be taken; to ensure the confidentiality of sensitive data and ensure that
they are not obtained without authorization;
d) Mobile device applications shall not leak sensitive data such as user
passwords, personal information, PAC, CVV to other entities, such as
other local processes, Internet data servers, etc.
7.2.5 Cryptography allocation policy requirements
7.2.5.1 Cryptographic algorithm allocation
"Cryptographic algorithm allocation", "cryptographic protocol use" and
"cryptographic device use" are part of the "cryptography allocation policy
requirements" of the mobile banking information system. In the level 2
requirements for cryptography security protection of the mobile banking
information system, the following requirements are made for the "cryptography
allocation policy requirements-cryptographic algorithm allocation" indicator:
It is advisable to use algorithms approved by the national cryptography
administration.
7.3.2 Key security
7.3.2.1 Key generation
"Key generation", "key storage", "key distribution" and "key use" are part of the
"key security" of the mobile banking information system. In the level 2
requirements for cryptography security protection of the mobile banking
information system, the following requirements are made for the "key security-
key generation" indicator:
a) A random number generator, which meets national standards, shall be
used to generate the key;
b) The key shall be produced inside the cryptographic device; must not
appear outside the cryptographic device in plaintext;
c) It shall have the ability to check and remove weak keys;
d) Key pair generation shall be completed by the owner of the key pair or its
agent;
e) The method of generating asymmetric key pairs shall ensure the
confidentiality of the private key and the integrity of the public key. For the
generation of asymmetric key pairs used for non-repudiation services, it
shall be able to prove the integrity of the public key to a third party.
7.3.2.2 Key storage
"Key generation", "key storage", "key distribution" and "key use" are part of the
"key security" of the mobile banking information system. In the level 2
requirements for cryptography security protection of the mobile banking
information system, the following requirements are made for the "key security-
key storage" indicator:
a) The key shall be encrypted and stored. Strict security protection measures
shall be taken, to prevent the key from being illegally obtained;
b) The key or its modules stored in the system shall be protected by a
password.
7.3.2.3 Key distribution
"Key generation", "key storage", "key distribution" and "key use" are part of the
"key security" of the mobile banking information system. In the level 2
requirements for cryptography security protection of the mobile banking
information system, the following requirements are made for the "key security-
key distribution" indicator:
should also be present; and record the operation memo; submit
security audit logs, security audit documents, etc.
b) The key transmission, import and export process shall be carried out in
accordance with the principle of dual control and key splitting. If it is
necessary to use key modules, the required key modules shall be
imported by the key module holders, respectively.
c) When transferring and importing keys, it shall be confirmed that:
- Only when the cryptographic device authenticates at least two or more
authorized persons, such as through a password, can the key be
transmitted. For keys distributed manually, management procedures,
such as paper authorization, shall be used to authenticate the identity of
the authorized person.
- Only when it is ensured that the cryptographic device has not been
tampered with before use that may lead to the disclosure of keys or
sensitive data, can the private key be imported into the cryptographic
device.
- Only when it is ensured that there is no eavesdropping device installed
at the interface of the cryptographic device, which may cause the
disclosure of any element of the transmission key, can the private key be
transmitted between the cryptographic devices.
- A cryptographic device shall be used to transfer the private key between
the device generating the key and the device using the key.
- After importing the key to the target device, the key transportation device
shall not retain any information which may reveal the key.
- When using a key transportation device, the key (if an explicit key
identifier is used, the key identifier is also included) shall be transferred
from the cryptographic device that generated the key to the key
transportation device. This device shall be physically transported to the
location of the cryptographic device that actually uses the key.
d) When using the key module, it shall be confirmed that:
- The key modules, which constitute the key, shall be imported or exported
to the device manually or by the devices of key. The transmission
process of the key module shall not disclose any part of the key module
to any unauthorized individual.
the key envelope to the authorized person. The structure of the key
envelope shall make accidental or deceptive openings easy to be
discovered by the receiver. If this happens, the key module shall not be
used anymore.
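The dual-control and key-splitting rules of 7.3.2.3 b) to d) (and the identical text under 8.2.5.3) describe a concrete mechanism: the key is split into components, each component is held and entered by a different person, the key exists only once every holder has entered their part, and a component whose envelope has been tampered with is discarded. The following is an added example for this page, not code from the standard or from any vendor's cryptographic device; it models the device-side import in plain Python. It assumes XOR splitting (any subset short of the full set is uniformly random, so fewer than all holders learn nothing) and, because the Python standard library has no block cipher, a truncated SHA-256 over the key stands in for the usual block-cipher key check value (KCV); that substitution is an assumption, not the standard's method. Key length and holder count are constructed values.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 16  # constructed: a 128-bit key (the size used by SM4 and AES-128)


def split_key(key: bytes, holders: int) -> list:
    """Split `key` into `holders` XOR components. All but the last component
    are fresh random values; the last is key XOR (all the others). Every
    component is required to recover the key."""
    if holders < 2:
        raise ValueError("dual control needs at least two holders")
    components = [secrets.token_bytes(len(key)) for _ in range(holders - 1)]
    last = bytes(key)
    for c in components:
        last = bytes(a ^ b for a, b in zip(last, c))
    return components + [last]


def combine_components(components) -> bytes:
    """XOR all components together to reconstruct the key."""
    key = bytes(len(components[0]))
    for c in components:
        if len(c) != len(key):
            raise ValueError("component length mismatch")
        key = bytes(a ^ b for a, b in zip(key, c))
    return key


def key_check_value(key: bytes) -> str:
    """Short value recorded at generation and compared after import, so the
    importing side can confirm it holds the right key without revealing it.
    Assumption: truncated SHA-256 stands in for a block-cipher-based KCV."""
    return hashlib.sha256(b"KCV:" + key).hexdigest()[:6]


class ImportSession:
    """Device-side import under dual control: each holder enters their own
    component; the key is only assembled once all expected holders are
    present, and a KCV mismatch discards everything (a tampered or wrong
    component is not used)."""

    def __init__(self, expected_holders: int, expected_kcv: str):
        self.expected_holders = expected_holders
        self.expected_kcv = expected_kcv
        self._received = {}

    def enter_component(self, holder_id: str, component: bytes) -> None:
        if holder_id in self._received:
            raise ValueError("this holder has already entered a component")
        self._received[holder_id] = component

    def complete(self) -> bytes:
        if len(self._received) < self.expected_holders:
            raise PermissionError(
                f"dual control: {len(self._received)}/{self.expected_holders} holders present"
            )
        key = combine_components(list(self._received.values()))
        self._received.clear()  # components are not retained after import
        if not hmac.compare_digest(key_check_value(key), self.expected_kcv):
            raise ValueError("key check value mismatch: key discarded")
        return key


if __name__ == "__main__":
    # Generation side: produce the key, record its KCV, hand out components.
    key = secrets.token_bytes(KEY_LEN)
    kcv = key_check_value(key)
    parts = split_key(key, 3)
    # Import side: three holders enter their parts separately.
    session = ImportSession(expected_holders=3, expected_kcv=kcv)
    for holder, part in zip(("A", "B", "C"), parts):
        session.enter_component(holder, part)
    print("imported key matches:", session.complete() == key)
```

Note what the KCV does and does not do: it lets the importer detect a mangled or substituted component (the envelope rule in d)), but it is not a secrecy control, which is why the components themselves still have to travel in tamper-evident envelopes to separately identified holders.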
7.3.3.3 Key use and replacement
"Key import and export", "key storage and custody", "key use and replacement",
and "key backup and recovery" are part of the "key management" of the mobile
banking information system. In the level 2 requirements for cryptography
security protection of the mobile banking information system, the following
requirements are made for the "key management-key use and replacement"
indicator:
a) The purpose of each key shall be clearly defined, and the key shall be
used correctly and only according to that purpose;
b) A tracking and verification system shall be established for each link of key
use;
c) In the process of using the key, there shall be security measures
preventing the leakage and replacement of the key;
d) During the key use process, the key shall be replaced according to the
key replacement cycle requirements. The key replacement allows
interruption of the system operation;
e) When the key is leaked, stop using it immediately; initiate corresponding
emergency handling and response measures;
f) Manage system administrator passwords, user passwords, and user
permissions of cryptographic machines and cryptographic management
equipment. In case of leakage or out-of-control authority, the verification
and tracking program shall be initiated. The event level shall be assessed
according to the out-of-control authority. Relevant keys shall be updated
in due course.
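Items a) to f) of 7.3.3.3 describe a key lifecycle that can be enforced in software: every use is checked against the key's declared purpose and recorded, a key past its replacement cycle is refused until rotated, and a leaked key is blocked immediately and replaced. The registry below is an added example for this page, not code from the standard, and it tracks key metadata only (the key material itself would stay inside the cryptographic device). The purposes, rotation periods and key identifiers are constructed; the clock is injectable so the rotation logic can be exercised without waiting.

```python
import time
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class KeyState(Enum):
    ACTIVE = "active"
    EXPIRED = "expired"          # replacement cycle elapsed or key rotated out
    COMPROMISED = "compromised"  # leaked: use stopped immediately (item e)


@dataclass
class KeyRecord:
    key_id: str
    purpose: str              # the single declared use of this key (item a)
    created_at: float
    rotation_seconds: float   # replacement cycle (item d)
    state: KeyState = KeyState.ACTIVE
    replaced_by: Optional[str] = None


class KeyRegistry:
    """Metadata registry that gates and records every key use."""

    def __init__(self, now=time.time):
        self._now = now
        self._keys = {}
        # Audit trail for item b): (time, key_id, actor, purpose, outcome)
        self.audit = []

    def register(self, key_id: str, purpose: str, rotation_seconds: float) -> KeyRecord:
        rec = KeyRecord(key_id, purpose, self._now(), rotation_seconds)
        self._keys[key_id] = rec
        self.audit.append((self._now(), key_id, "system", "register", "ok"))
        return rec

    def authorize_use(self, key_id: str, actor: str, purpose: str) -> bool:
        """Call before every use. Denies an unknown key, a compromised key,
        a purpose mismatch, or a key whose replacement cycle has elapsed;
        every decision is appended to the audit trail."""
        rec = self._keys.get(key_id)
        if rec is None:
            outcome = "unknown-key"
        elif rec.state is KeyState.COMPROMISED:
            outcome = "denied-compromised"
        elif rec.state is KeyState.EXPIRED:
            outcome = "denied-expired"
        elif rec.purpose != purpose:
            outcome = "denied-purpose"
        elif self._now() - rec.created_at > rec.rotation_seconds:
            rec.state = KeyState.EXPIRED
            outcome = "denied-rotation-overdue"
        else:
            outcome = "ok"
        self.audit.append((self._now(), key_id, actor, purpose, outcome))
        return outcome == "ok"

    def _replace(self, key_id: str, new_key_id: str, final_state: KeyState) -> KeyRecord:
        old = self._keys[key_id]
        new = self.register(new_key_id, old.purpose, old.rotation_seconds)
        old.state = final_state
        old.replaced_by = new_key_id
        return new

    def rotate(self, key_id: str, new_key_id: str) -> KeyRecord:
        """Scheduled replacement (item d): old key retires, successor inherits
        the purpose and cycle."""
        return self._replace(key_id, new_key_id, KeyState.EXPIRED)

    def mark_compromised(self, key_id: str, new_key_id: str) -> KeyRecord:
        """Emergency replacement (items e, f): the leaked key is blocked at
        once, the event is recorded, and a successor is issued."""
        self.audit.append((self._now(), key_id, "system", "compromise", "revoked"))
        return self._replace(key_id, new_key_id, KeyState.COMPROMISED)


if __name__ == "__main__":
    reg = KeyRegistry()
    reg.register("mac-key-1", "mac", rotation_seconds=30 * 86400)
    print(reg.authorize_use("mac-key-1", "gateway", "mac"))            # True
    print(reg.authorize_use("mac-key-1", "gateway", "pin-encryption"))  # False
    reg.mark_compromised("mac-key-1", "mac-key-2")
    print(reg.authorize_use("mac-key-1", "gateway", "mac"))            # False
    for entry in reg.audit:
        print(entry)
```

The separation between `rotate` and `mark_compromised` matters for item f): a compromised key keeps its COMPROMISED state after replacement so that the verification and tracking programme can later distinguish "retired on schedule" from "retired because leaked" when assessing the event level.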
7.3.3.4 Key backup and recovery
"Key import and export", "key storage and custody", "key use and replacement",
and "key backup and recovery" are part of the "key management" of the mobile
banking information system. In the level 2 requirements for cryptography
security protection of the mobile banking information system, the following
requirements are made for the "key management-key backup and recovery"
indicator:
7.4.2 Security management system
"Security management system", "personnel management requirements",
"cryptographic device management" and "password-using service terminal
requirements" are part of the "security management requirements" of the
mobile banking information system. In the level 2 requirements for cryptography
security protection of the mobile banking information system, the following
requirements are made for the "security management requirements-security
management system" indicator:
a) It shall establish a management system for the generation, storage,
injection, use, distribution, backup, recovery, archive, and destruction, etc.
of all keys;
b) It shall establish standard operating procedures for cryptographic device
and cryptographic systems; clarify the standard operating process of each
step. Operating forms shall be generated for each stage of operation and
archived;
c) It shall regularly check the security management status of cryptographic
device and key systems; in accordance with the requirements of the key
security management system, fill in relevant forms and reports.
7.4.3 Personnel management requirements
"Security management system", "personnel management requirements",
"cryptographic device management" and "password-using service terminal
requirements" are part of the "security management requirements" of the
mobile banking information system. In the level 2 requirements for cryptography
security protection of the mobile banking information system, the following
requirements are made for the "security management requirements-personnel
management requirements" indicator:
a) According to the requirements of the competent department and the actual
situation of the organization, a certain number of post holders such as key
managers, security auditors, cryptographic device operators shall be
provided. The above-mentioned posts cannot be concurrently held by
each other;
b) It shall be equipped with full-time key managers. Personnel in this post
cannot be concurrently held by personnel in other posts;
c) It shall establish a post responsibility system, to clarify the responsibilities
and authorities of relevant personnel in the management of cryptographic
device and key system management. The management and use account
of the related device and system must not be shared by many people;
d) When the access control system detects an unrecognized card trying to
enter illegally, it shall provide a warning message and be able to locate
the illegally attempted card;
e) The qualification, architecture, and deployment of the adopted access
control system shall comply with the technical specifications of GM/T
0036-2014;
f) Corresponding rules and regulations should be developed, to ensure the
compliance, correctness and effectiveness of the use of access control
system.
8.2.2 Network and communication security
8.2.2.1 General
Refer to the general rules for cryptography application of network and
communication security in GM/T 0054-2018.
8.2.2.2 Communication security
"Communication security" and "identity authentication" are part of the "network
and communication security" of the mobile banking information system. In the
level 3 requirements for cryptography security protection of the mobile banking
information system, the following requirements are made for the "network and
communication security-communication security" indicator:
a) In order to prevent access communication data from being tampered with,
intercepted, counterfeited and reused, it shall use the integrity service,
confidentiality service and authenticity service of cryptography, to protect
the network boundary and system resource access control information.
Key sensitive data, such as PAC, CVV, etc. are individually encrypted. The
cryptographic function shall be correct and effective.
b) During data transmission, cryptography such as digital certificates and
encryption-decryption shall be used, to establish a secure transport layer
session channel. The subject of data transmission shall authenticate the
identity information of the object, to ensure the confidentiality of the data.
c) When using the transport layer security for data transmission, the subject
shall authenticate the identity information of the object, to ensure the
confidentiality of the data.
d) In order to prevent the data transmission content from being obtained
through one end of the control communication, during communication, the
a) The system's dedicated hardware or firmware and cryptographic device
shall implement security functions, such as authorization control,
detection of unauthorized access, and operation status indication; to
ensure that the cryptographic module can operate correctly in the
approved working mode;
b) The system's dedicated hardware or firmware and cryptographic device
shall be able to prevent unauthorized disclosure of the module's content
or key security parameters;
c) The system's dedicated hardware or firmware and cryptographic device
shall be able to prevent unauthorized or undetectable modifications to
cryptographic modules and cryptographic algorithms;
d) The system's dedicated hardware or firmware and cryptographic device
shall be able to detect errors in the operation of the cryptographic module;
and, to prevent these errors from unauthorized disclosure, modification or
use of key security parameters.
8.2.4 Application and data security
8.2.4.1 General
Refer to the general rules for cryptography application of application and data
security in GM/T 0054-2018.
8.2.4.2 Data transmission
"Data transmission", "data storage" and "device application" are part of the
"application and data security" of the mobile banking information system. In the
level 3 requirements for cryptography security protection of the mobile banking
information system, the following requirements are made for the "application
and data security-data transmission" indicator:
a) In terms of data transmission security, the integrity service of cryptography
should be used to verify the integrity of important user data during
transmission. Its cryptographic function shall be correct and effective;
b) For systems which provide services to the outside world through the
Internet, for the entire message or session during the communication
process, a dedicated communication protocol or encryption method shall
be used to ensure the confidentiality of the communication process;
c) The key message sent through the client shall be digitally signed using
cryptography, to ensure the authenticity and non-repudiation of the
message;
d) Mobile device applications shall not leak sensitive data such as user
passwords, personal information, PAC, CVV to other entities, such as
other local processes, Internet data servers, etc.;
e) The integrity service of cryptography should be used to verify the integrity
of important programs. Its cryptographic function shall be correct and
effective.
8.2.5 Cryptography allocation policy requirements
8.2.5.1 Cryptographic algorithm allocation
"Cryptographic algorithm allocation", "cryptographic protocol use" and
"cryptographic device use" are part of the "cryptography allocation policy
requirements" of the mobile banking information system. In the level 3
requirements for cryptography security protection of the mobile banking
information system, the following requirements are made for the "cryptography
allocation policy requirements-cryptographic algorithm allocation" indicator:
It shall use algorithms approved by the national cryptography administration.
8.2.5.2 Cryptographic protocol use
"Cryptographic algorithm allocation", "cryptographic protocol use" and
"cryptographic device use" are part of the "cryptography allocation policy
requirements" of the mobile banking information system. In the level 3
requirements for cryptography security protection of the mobile banking
information system, the following requirements are made for the "cryptography
allocation policy requirements-cryptographic protocol use" indicator:
It shall adopt a cryptographic protocol which has passed the security review of
the national cryptography administration.
8.2.5.3 Cryptographic device use
"Cryptographic algorithm allocation", "cryptographic protocol use" and
"cryptographic device use" are part of the "cryptography allocation policy
requirements" of the mobile banking information system. In the level 3
requirements for cryptography security protection of the mobile banking
information system, the following requirements are made for the "cryptography
allocation policy requirements-cryptographic device use" indicator:
a) It shall use cryptographic devices certified and approved by the national
cryptography administration;
b) The key transmission, import and export process shall be carried out in
accordance with the principle of dual control and key splitting. If it is
necessary to use key modules, the required key modules shall be
imported by the key module holders, respectively.
c) When transferring and importing keys, it shall be confirmed that:
- Only when the cryptographic device authenticates at least two or more
authorized persons, such as through a password, can the private key be
transmitted. For keys distributed manually, management procedures,
such as paper authorization, shall be used to authenticate the identity of
the authorized person.
- Only when it is ensured that the cryptographic device has not been
tampered with before use that may lead to the disclosure of keys or
sensitive data, can the private key be imported into the cryptographic
device.
- Only when it is ensured that there is no eavesdropping device installed
at the interface of the cryptographic device, which may cause the
disclosure of any element of the transmission key, can the private key be
transmitted between the cryptographic devices.
- The device, used to transmit the private key between the device
generating the key and the device using the key, shall be a cryptographic
device.
- After importing the key to the target device, the key transportation device
shall not retain any information which may reveal the key.
- When using a key transportation device, the key (if an explicit key
identifier is used, the key identifier is also included) shall be transferred
from the cryptographic device that generated the key to the key
transportation device. This device shall be physically transported to the
location of the cryptographic device that actually uses the key.
d) When using the key module, it shall be confirmed that:
- The key modules, which constitute the key, shall be imported to the
device manually or by the devices of key. The transmission process of
the key module shall not disclose any part of the key module to any
unauthorized individual.
- When the key modules are distributed in a reada...
...