Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
This standard is developed in accordance with the rules given in GB/T 1.1-2009.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. The issuing body of this document shall not be held responsible for identifying any or all such patent rights.
This standard was proposed by and is under the jurisdiction of the Cryptography Standardization Technical Committee.
All the contents of this standard in connection with cryptographic algorithm shall be implemented in accordance with the relevant regulations of China.
Drafting organizations of this standard: Beijing Certificate Authority, Commercial Cryptography Testing Center of State Cryptography Administration, Westone Information Industry INC., Jilin University Information Technologies Co., Ltd., China Financial Computerization Corp., Shanghai Jiao Tong University, and Changsha Yinhe Network Co., Ltd.
Drafters of this standard: Zhan Banghua, Deng Kaiyong, Fu Dapeng, Zhong Bo, Yan Shijie, Fu Yong, Yan Xiaqiang, Gao Zhenpeng, Hu Jianxun, Huang Yifei, Zhang Zhong, Yin Ying, Zhou Zhihong, Li Jihong, and Dong Guizhai.
Introduction
As the fundamental core technology of network security, cryptography is the foundation of information protection and network trust system construction, and the key technology to ensure cyberspace security.
This standard mainly puts forward the requirements for cryptography application for different grades of classified protection in terms of physical and environmental security, network and communication security, equipment and computational security, application and data security of the information system, and specifies the requirements for key management and security management of different grades of classified protection.
In this standard, " cryptography " refers to "commercial cryptography".
In the text of this standard, "may", which means it is allowed and permitted, is a declarative description indicating the clauses permitted within the scope of the standard; "should", which means it is recommended and suggested, is a recommendatory description indicating that this clause is preferred but not required; “shall”, which means it is obligatory and required, is a mandatory description indicating the requirements to be met for compliance with the standard.
General requirements for information system cryptography application
1 Scope
This standard specifies the basic requirements for the cryptography application in information system.
This standard is applicable to guiding, regulating and evaluating the cryptography application in information system.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated reference, the latest edition (including any amendments) applies.
GM/T 0005 Randomness test specification
GM/T 0028 Specification for security technology for cryptographic modules
GM/T 0036 Technical guidance of cryptographic application for access control system based on contactless smart card
GM/Z 4001-2013 Cryptology terminology
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GM/Z 4001-2013 and the following apply. For the convenience of application, some terms and definitions specified in GM/Z 4001-2013 are listed below.
3.1
one-time-password; OTP; dynamic password
one-time password generated dynamically based on time, events, etc.
3.2
access control
a mechanism that allows or denies the user to access to resources according to specific policies
3.3
confidentiality
the property to ensure that information is not disclosed to unauthorized individuals, processes and other entities
3.4
encipherment; encryption
the process of cryptographic transformation of the data to produce ciphertext
3.5
decipherment; decryption
the inverse of the encryption process
3.6
cryptographic algorithm
the operational rules describing the cipher processing process
3.7
key
critical information or parameters that control the cryptographic algorithm operation
3.8
key management
the management of the key according to the security policy throughout its full life cycle, including generation, distribution, storage, update, archiving, revocation, backup, recovery and destruction, etc.
3.9
authentication
the process of confirming the identity an entity has claimed
3.10
digital signature
the result that the signer obtains through cryptographic operation on the hash value of the data to be signed with the private key, and such result can only be verified by the public key of the signer to confirm the integrity of the data to be signed, the authenticity of the identity of the signer, and the non-repudiation of the signing behavior
3.11
data integrity
the property that data has not been tampered with or destroyed by unauthorized means
3.12
message authentication code; MAC
the output of the message authentication algorithm
3.13
authenticity
the property ensuring that the identity of the subject or resource is exactly what it claims to be; it is applicable to entities such as users, processes, systems, and information
3.14
non-repudiation
the property proving that an operation that has taken place is undeniable
4 Abbreviations
For the purposes of this document, the following abbreviation applies.
MAC: Message Authentication Code
5 General requirements
5.1 Cryptographic algorithm
The cryptographic algorithm applied in the information system shall conform to the provisions of laws and regulations and the relevant requirements of national and professional cryptography standards of China.
5.2 Cryptography
The cryptography applied in the information system shall conform to the relevant requirements of national and professional cryptography standards of China.
5.3 Cryptographic products
The cryptographic products and cryptographic modules applied in the information system shall be approved by the national cryptography administration department of China.
5.4 Cryptographic service
The cryptographic service applied in the information system shall be licensed by the national cryptography administration department of China.
6 Functional requirements for cryptography
6.1 Confidentiality
Confidentiality is realized by cipher encryption function. The objects protected in the information system include:
a) important data, sensitive information data or the whole message transmitted;
b) important data and sensitive information data stored;
c) authentication information;
d) key data.
6.2 Data integrity
Data integrity is realized by using the message authentication code (MAC) or digital signature. The objects protected in the information system include:
a) important data, sensitive information data or the whole message transmitted;
b) important data, files and sensitive information data stored;
c) authentication information;
d) key data;
e) log record;
f) access control information;
g) sensitivity label of important information resources;
h) important programs;
i) using trusted computing technology to establish a trust chain connecting the system to the application;
j) audio and video records of the video surveillance;
k) entry and exit records of the electronic access control system.
6.3 Authenticity
Authenticity is realized by using symmetric encryption, dynamic password, and digital signature. The application scenarios in the information system include:
a) authentication of personnel entering important physical domain;
b) authentication of both the communication parties;
c) authentication upon network equipment access;
d) authentication of the platform using trusted computing technology;
e) authentication of the users logging in the operation system and database system;
f) authentication of the application system users.
6.4 Non-repudiation
The non-repudiation of entity behaviors is realized by using digital signature and other cryptography. For the purpose of all the behaviors for which non-repudiation is essential in the information system, they include sending, receiving, approving, creating, modifying, deleting, adding, configuring, and other operations.
7 Requirements for cryptography application
7.1 Physical and environmental security
7.1.1 General principles
The general principles for the application of physical and environmental security cryptography are as follows:
a) using cryptography to implement physical access control to important places, monitoring equipment, etc.;
b) using cryptography to implement integrity protection for physical and environmental sensitive information data such as physical access control records and monitoring information;
c) the electronic access control system implemented by cryptography shall comply with GM/T 0036.
7.1.2 Information system of classified protection Grade I
The requirements for Grade I information system are as follows:
a) the authenticity function of cryptography may be used to protect physical access control authentication information so as to ensure the authenticity of personnel entering important areas;
b) the integrity function of cryptography may be used to ensure the integrity of the entry and exit records of the electronic access control system.
7.1.3 Information system of classified protection Grade II
The requirements for Grade II information system are as follows:
a) the authenticity function of cryptography should be used to protect physical access control authentication information so as to ensure the authenticity of personnel entering important areas;
b) the integrity function of cryptography should be used to ensure the integrity of the entry and exit records of the electronic access control system;
c) Grade II or better cryptographic modules conforming to GM/T 0028 or hardware cryptographic products approved by the national cryptography administration department of China should be used to realize cryptographic operation and key management.
7.1.4 Information system of classified protection Grade III
The requirements for Grade III information system are as follows:
a) the authenticity function of cryptography shall be used to protect physical access control authentication information so as to ensure the authenticity of personnel entering important areas;
b) the integrity function of cryptography shall be used to ensure the integrity of the entry and exit records of the electronic access control system;
c) the integrity function of cryptography shall be used to ensure the integrity of audio and visual records of video surveillance;
d) Grade III or better cryptographic modules conforming to GM/T 0028 or hardware cryptographic products approved by the national cryptography administration department of China should be used to realize cryptographic operation and key management.
7.1.5 Information system of classified protection Grade IV
The requirements for Grade IV information system are as follows:
a) the authenticity function of cryptography shall be used to protect physical access control authentication information so as to ensure the authenticity of personnel entering important areas;
b) the integrity function of cryptography shall be used to ensure the integrity of the entry and exit records of the electronic access control system;
c) the integrity function of cryptography shall be used to ensure the integrity of audio and visual records of video surveillance;
d) Grade III or better cryptographic modules conforming to GM/T 0028 or hardware cryptographic products approved by the national cryptography administration department of China shall be used to realize cryptographic operation and key management.
Foreword III
Introduction IV
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 General requirements
5.1 Cryptographic algorithm
5.2 Cryptography
5.3 Cryptographic products
5.4 Cryptographic service
6 Functional requirements for cryptography
6.1 Confidentiality
6.2 Data integrity
6.3 Authenticity
6.4 Non-repudiation
7 Requirements for cryptography application
7.1 Physical and environmental security
7.1.1 General principles
7.1.2 Information system of classified protection Grade I
7.1.3 Information system of classified protection Grade II
7.1.4 Information system of classified protection Grade III
7.1.5 Information system of classified protection Grade IV
7.2 Network and communication security
7.2.1 General principles
7.2.2 Information system of classified protection Grade I
7.2.3 Information system of classified protection Grade II
7.2.4 Information system of classified protection Grade III
7.2.5 Information system of classified protection Grade IV
7.3 Equipment and computational security
7.3.1 General principles
7.3.2 Information system of classified protection Grade I
7.3.3 Information system of classified protection Grade II
7.3.4 Information system of classified protection Grade III
7.3.5 Information system of classified protection Grade IV
7.4 Application and data security
7.4.1 General principles
7.4.2 Information system of classified protection Grade I
7.4.3 Information system of classified protection Grade II
7.4.4 Information system of classified protection Grade III
7.4.5 Information system of classified protection Grade IV
8 Key management
8.1 General principles
8.2 Information system of classified protection Grade I
8.3 Information system of classified protection Grade II
8.4 Information system of classified protection Grade III
8.5 Information system of classified protection Grade IV
9 Security management
9.1 System
9.1.1 Information system of classified protection Grade I
9.1.2 Information system of classified protection Grade II
9.1.3 Information system of classified protection Grade III
9.1.4 Information system of classified protection Grade IV
9.2 Personnel
9.2.1 Information system of classified protection Grade I
9.2.2 Information system of classified protection Grade II
9.2.3 Information system of classified protection Grade III
9.2.4 Information system of classified protection Grade IV
9.3 Implementation
9.3.1 Planning
9.3.2 Construction
9.3.3 Operation
9.4 Emergency
9.4.1 Information system of classified protection Grade I
9.4.2 Information system of classified protection Grade II
9.4.3 Information system of classified protection Grade III
9.4.4 Information system of classified protection Grade IV
Annex A (Informative) Comparison of security requirements
Annex B (Informative) List of cryptography standards
Bibliography