1 Scope
This Specification covers the overall framework, the trusted execution environment, communication security, data security and the client payment application for the mobile terminal payment trusted environment.
This Specification sets out the technical requirements for the mobile terminal trusted environment used to carry out mobile payment services, and also applies to the design, development, testing and related product assessment and guidance of the mobile terminal payment trusted environment.
2 Normative References
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 32905-2016 Information Security Techniques - SM3 Cryptographic Hash Algorithm
GB/T 32907-2016 Information Security Technology - SM4 Block Cipher Algorithm
GB/T 32918-2016 Information Security Technology - Public Key Cryptographic Algorithm SM2 Based on Elliptic Curves
GB/T 32915-2016 Information Security Technology - Randomness Test Methods for Binary Sequence
JR/T 0088.1-2012 China Financial Mobile Payment - Application Basis - Part 1: Terminology
JR/T 0092-2012 China Financial Mobile Payment - Technical Specification for Client Software
JR/T 0093.6-2012 China Financial Mobile Payment - Remote Payment Applications - Part 6: Technical Specification for Security Service Based on Secure Element (SE)
JR/T 0025.5-2013 China Financial Integrated Circuit (IC) Card Specification - Part 5: Debit/Credit Application Card Specification
GM/T 0009-2012 SM2 Cryptography Algorithm Application Specification
GM/T 0015-2012 Digital Certificate Format Based on SM2 Algorithm
GM/T 0034-2014 Specifications of Cryptograph and Related Security Technology for Certification System Based on SM2 Cryptographic Algorithm
3 Terms and Definitions
3.1
trusted environment
operating environment provided for mobile payment services by an individual mobile terminal, based on security technology that combines hardware and software
3.2
mobile terminal
mobile computing device belonging to an individual, generally referring to a smartphone, tablet PC, etc.
3.3
RPMB, replay protected memory block
secure memory block that prevents rollback and replay attacks, with security properties superior to common secure storage, and which cannot be accessed by any means other than the designated RPMB service interface
Foreword
Introduction
1 Scope
2 Normative References
3 Terms and Definitions
4 Abbreviations
5 General for Mobile Terminal Payment Trusted Environment
5.1 Overall Frame Diagram
5.2 REE
5.3 TEE
5.4 SE
5.5 Peripheral Device
6 Trusted Execution Environment
6.1 Overall Architecture
6.2 Trusted OS
6.3 Secure Start
6.4 Secure Storage
6.5 Encryption and Decryption Services
6.6 Key System
6.7 Access Control
6.8 Trusted User Interface (TUI)
6.9 TA Management
6.10 TA Cross-platform Application Middleware (Optional)
6.11 Trusted Virtualization (Optional)
7 Communication Requirements
7.1 Communication Requirements between REE and TEE
7.2 Communication Security between TEE and Data Acquisition Device
7.3 Communication Security between TEE and SE
8 Data Security
8.1 Data Security Protection Function
8.2 Internal Data Security Requirements
9 Security Element
9.1 TA Access Control over SE
10 Client Payment Application
10.1 General
10.2 Security Requirements for TEE External Interface
10.3 Client Requirements
11 Peripheral Device
11.1 Security Objectives
11.2 Security Requirements
12 Production Requirements for Mobile Terminal Payment Trusted Environment
12.1 General
12.2 Management Requirements
12.3 Network Requirements
12.4 Machine Room and System Requirements
12.5 Key Management
12.6 Hardware Encryption Device
13 Security Classification of Mobile Terminal Payment Trusted Environment
13.1 General for Security Capability Category
13.2 Collection of Requirements for REE Basic Security Capabilities
13.3 Collection of TEE Security Capability Requirements
13.4 SE Security Capability Requirement Set
Annex A (Normative) Detection Specification
Annex B (Normative) Extension Part of Detection Specification
Annex C (Informative) Application Scenarios of Mobile Banking Service
Annex D (Informative) Application Scenarios of Internet Identity Certification