Banking—Secure cryptographic devices (retail)—Part 1: Concepts, requirements and evaluation methods
Introduction to standards:
GB/T 21079.1-2011 Banking security cryptographic devices (retail) Part 1: Concepts, requirements and evaluation methods
GB/T21079.1-2011
This part of GB/T21079 specifies the requirements for security cryptographic devices based on the cryptographic methods defined in ISO9564, ISO16609 and ISO11568.
This part has the following two main purposes:
a) To specify the operational requirements of SCD and the management requirements throughout its life cycle;
b) To standardize the methods for checking compliance with the above requirements.
GB/T21079 "Banking Security Encryption Equipment (Retail)" consists of the following two parts:
- Part 1: Concepts, requirements and evaluation methods;
- Part 2: Equipment security compliance test list for financial transactions.
This part is Part 1 of GB/T21079.
This part was drafted in accordance with the rules given in GB/T1.1-2009.
This part replaces GB/T 21079.1-2007 "Banking Security Encryption Equipment (Retail) Part 1: Concepts, Requirements and Evaluation Methods". The main changes of this part compared with GB/T 21079.1-2007 are as follows:
- Added the description of physical security equipment and equipment using the "one key per transaction" management method in the physical security requirements of SCD (6.2.5 and 6.2.6 of this version);
- Added the requirements of dual control and unique key per device in the logical security requirements of SCD (6.3.1 and 6.3.2 of this version);
- In order to ensure the consistency with Part 2 of this standard: Equipment security compliance test list for financial transactions (which has been published as GB/T 20547.2-2006), the "semi-formal evaluation" in the evaluation method of this part is unified as "quasi-formal evaluation";
- The structure of the standard has been readjusted, and the suspended sections of some chapters in the original standard have been removed (4, 4.1, 4.2, 5.3, 6, 6.2, 6.3, 7, 7.1, 7.3, 7.4 of the 2007 version; 5.1, 5.2.1, 5.3.1, 7.1, 7.3.1, 7.4.1, 8.1.1, 8.3.1, 8.4.1 of this version).
This part uses the translation method equivalent to ISO13491-1:2007 "Secure encryption equipment for banking (retail) Part 1: Concepts, requirements and evaluation methods".
For ease of use, this part has made the following editorial changes:
- Delete the ISO foreword.
The Chinese standards that have a consistent correspondence with the international standards normatively referenced in this part are as follows:
GB/T20547.2 Banking security encryption equipment (retail) Part 2: Equipment security compliance test list in financial transactions (GB/T20547.2-2006, ISO13491-2:2005, MOD)
This part is proposed by the People's Bank of China.
This part is under the jurisdiction of the National Financial Standardization Technical Committee (SAC/TC180).
The responsible drafting unit of this part: China Financial Electronicization Company.
Participating drafting units of this part: People's Bank of China, Industrial and Commercial Bank of China, Bank of China, China Construction Bank, Bank of Communications, China CITIC Bank, Beijing UnionPay Gold Card Technology Co., Ltd.
The main drafters of this part are: Wang Pingwa, Lu Shuchun, Li Shuguang, Yang Qian, Zhao Zhilan, Tian Jie, Zhong Zhihui, Liu Zhigang, Shao Guanjun, Li Yan, Yang Baohui, Jia Jing, Li Mengyan, Jia Shuhui, Liu Yun, Jing Yun.
This part was first published in 2007 and this is the first revision.
The following documents are indispensable for the application of this document. For any dated referenced document, only the dated version applies to this document. For any undated referenced document, the latest version (including all amendments) applies to this document.
ISO11568-1 Banking—Key management (retail)—Part 1: Principles
ISO11568-2:2005 Banking—Key management (retail)—Part 2: Symmetric ciphers, their key management and life cycle
ISO11568-4 Banking—Key management (retail)—Part 4: Asymmetric cryptosystems—Key management and life cycle
ISO13491-2 Banking—Secure Cryptographic Equipment (Retail) Part 2: Security compliance checklists for devices used in financial transactions
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Secure cryptographic device (SCD)
5.1 Overview
5.2 Attack scenarios
5.3 Defense measures
6 Requirements for device security features
6.1 Overview
6.2 Physical security requirements for SCD
6.3 Logical security requirements for SCD
7 Equipment management requirements
7.1 Overview
7.2 Life cycle stages
7.3 Protection requirements for life cycle stages
7.4 Protection methods for life cycle stages
7.5 Responsibility
7.6 Audit and control principles for equipment management
8 Assessment methods
8.1 Overview
8.2 Risk assessment
8.3 Informal assessment methods
8.4 Quasi-formal assessment methods
8.5 Formal assessment methods
Appendix A (Informative) Concepts related to system security levels
References
Some standard content:
ICS 35.240.40
National Standard of the People's Republic of China
GB/T 21079.1—2011/ISO 13491-1:2007 Replaces GB/T 21079.1—2007
Banking--Secure cryptographic devices (retail)--Part 1: Concepts, requirements and evaluation methods (ISO 13491-1:2007, IDT)
Published on December 30, 2011
General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China Standardization Administration of the People's Republic of China
Implementation on February 1, 2012
GB/T 21079 "Banking Security Encryption Equipment (Retail)" consists of the following two parts:
- Part 1: Concepts, requirements and evaluation methods;
- Part 2: Equipment security compliance test list for financial transactions.
This part is Part 1 of GB/T 21079.
This part was drafted in accordance with the rules given in GB/T 1.1-2009.
This part replaces GB/T 21079.1-2007 "Banking Security Cryptographic Equipment (Retail) Part 1: Concepts, Requirements and Evaluation Methods". Compared with GB/T 21079.1-2007, the main changes in this part are as follows:
- Added, in the physical security requirements of SCD, physical security equipment and equipment managed by "one key per transaction" (6.2.5 and 6.2.6 of this version);
- Added, in the logical security requirements of SCD, the requirements of dual control and a unique key per device (6.3.1 and 6.3.2 of this version);
- To ensure consistency with Part 2 of this standard, Equipment security compliance test list for financial transactions (which has been published as GB/T 20547.2-2006), the "semi-formal evaluation" in the evaluation method of this part is unified as "quasi-formal evaluation";
- The structure of the standard has been readjusted, and the suspended sections of some chapters in the original standard have been removed (4, 4.1, 4.2, 5.3, 6, 6.2, 6.3, 7, 7.1, 7.3, 7.4 of the 2007 version; 5.1, 5.2.1, 5.3.1, 7.1, 7.3.1, 7.4.1, 8.1.1, 8.3.1, 8.4.1 of this version).
This part uses the translation method equivalent to ISO13491-1:2007 "Banking security encryption equipment (retail) Part 1: Concepts, requirements and evaluation methods".
For ease of use, this part has made the following editorial changes:
- Delete the ISO foreword.
The Chinese standards that have a consistent correspondence with the international standards referenced in this part are as follows:
GB/T 20547.2 Banking security encryption equipment (retail) Part 2: Equipment security compliance test list for financial transactions (GB/T 20547.2-2006, ISO 13491-2:2005, MOD)
This part was proposed by the People's Bank of China.
This part is under the jurisdiction of the National Financial Standardization Technical Committee (SAC/TC180).
The responsible drafting unit of this part is China Financial Electronicization Company.
The participating drafting units of this part are: People's Bank of China, Industrial and Commercial Bank of China, Bank of China, China Construction Bank, Bank of Communications, China CITIC Bank, Beijing UnionPay Gold Card Technology Co., Ltd.
The main drafters of this part are Wang Pingwa, Lu Shuchun, Li Shuguang, Yang Qian, Zhao Zhilan, Tian Jie, Zhong Zhihui, Liu Zhigang, Shao Guanjun, Li Yan, Yang Baohui, Jia Jing, Li Mengyan, Jia Shuhui, Liu Yun, Jing Yun.
This part was first issued in 2007, and this is the first revision.
Introduction
This part specifies the physical, logical and management requirements of secure cryptographic devices (SCDs) used to protect messages, passwords and other sensitive data in retail financial services.
The security of retail electronic payment systems depends largely on the security of these cryptographic devices, which are based on the following assumptions:
- Computer files may be illegally accessed and processed;
- Communication lines may be "eavesdropped";
- Legitimate data and control instructions input into the system may be replaced without authorization.
When processing PINs (personal identification numbers), MACs (message authentication codes), keys and other confidential data on these cryptographic devices, there is a risk of data leakage or tampering.
Through reasonable use and proper management of secure cryptographic devices with specific physical and logical security characteristics, financial risks can be reduced.
1 Scope
This part of GB/T 21079 specifies the requirements for security cryptographic devices (hereinafter referred to as SCD) based on the cryptographic methods defined in ISO9564, ISO16609 and ISO11568. This part has two main purposes:
a) To specify the operational requirements of SCD and its management requirements throughout its life cycle;
b) To standardize the compliance test methods for the above requirements.
SCD should have appropriate device characteristics and perform appropriate device management. The former ensures the operational performance of SCD and provides adequate protection for its internal data. The latter ensures the legitimacy of SCD, that is, SCD will not be changed in an unauthorized manner (such as installing a "listening device", etc.) and any sensitive data (such as encryption keys) in it will not be leaked or modified.
Absolute security is not achievable. The security of SCDs depends on the combination of proper management and secure cryptographic features at every stage of the life cycle. Management procedures can reduce the chance of SCD security being compromised through preventive measures, with the goal of increasing the likelihood of detecting unauthorized access to sensitive or confidential data when the device's own features cannot prevent or detect security attacks.
Appendix A, which is informative, describes the concepts of security levels applicable to SCDs mentioned in this part.
This part does not address issues arising from SCD denial of service, nor does it address specific requirements for device features and management of different SCDs in retail financial services. For those requirements, see ISO13491-2.
This part applies to the secure management of secure cryptographic devices in retail financial services.
2 Normative references
The following documents are essential for the application of this document. For any referenced document with a date, only the dated version applies to this document. For any undated referenced document, the latest version (including all amendments) applies to this document.
ISO11568-1 Banking—Key management (retail)—Part 1: Principles
ISO11568-2:2005 Banking—Key management (retail)—Part 2: Symmetric ciphers, their key management and life cycle
ISO11568-4 Banking—Key management (retail)—Part 4: Asymmetric cryptosystems—Key management and life cycle
ISO13491-2 Banking—Secure Cryptographic Equipment (Retail) Part 2: Security compliance checklists for devices used in financial transactions
3 Terms and definitions
The following terms and definitions apply to this document.
3.1 Accreditation body (accreditation authority)
An institution responsible for accrediting an assessment body and supervising its work to ensure that the assessment results are reproducible.
3.2 Accredited evaluation body (accredited evaluation authority)
An organization that is engaged in evaluation work after being accredited by an accreditation body in accordance with relevant regulations.
Note: For examples of accreditation rules, see ISO/IEC 17025.
3.3 Assessment check-list
Declaration list compiled by equipment type; see ISO 13491-2 for a detailed introduction.
3.4 Informal evaluation report (assessment report)
A detailed report issued by the organization that conducts the informal evaluation review, based on the evaluation results of the evaluator.
3.5 Informal assessment review body (assessment review body)
An organization responsible for verifying and approving the assessment results of the assessor.
3.6 Assessor
A person who inspects, evaluates, reviews and assesses the SCD in an informal manner on behalf of the initiator or the informal assessment review body.
3.7 Attack
An attempt by an attacker to obtain or modify sensitive data in the device, or to obtain or modify services without authorization.
3.8 Certification report
A report issued by the assessment review body based on the results of the evaluation of the accredited assessment body.
3.9 Controller
An entity responsible for the security management of the SCD.
3.10 Submittals
Documents, equipment and any other items and information required by the assessor in assessing the SCD.
3.11 Device compromise
The potential for the disclosure of confidential information or unauthorized use of an SCD as a result of the physical or logical protection provided by the SCD being defeated.
3.12 Device security
The security of an SCD that is independent of the specific operating environment and relies solely on its own characteristics.
3.13 Environment-dependent security
The security of an SCD as part of its operating environment.
3.14 Evaluation agency
An organization commissioned by the designer, manufacturer or sponsor of an SCD to evaluate the performance of an SCD in accordance with this part of the standard (using professional techniques and tools).
3.15 Evaluation report
Report issued by the evaluation review agency based on the evaluation results of the evaluation organization or the auditor.
3.16 Evaluation review agency (evaluation review body)
An organization responsible for verifying and approving the evaluation results of the evaluation agency.
3.17 Formal statement
Statement of the characteristics and functions of the SCD.
3.18 Logical security
The ability of the device to resist attacks in terms of function.
3.19 Operational environment
The environment in which the SCD is used, including the application system, the place of use, the operators and the equipment that communicates with it.
3.20 Physical security
The ability of a device to resist attacks based on its physical structure. This includes physical characteristics such as electromagnetic radiation and electrical current, as well as analysis of the potential for side-channel attacks.
3.21 Secure cryptographic device (SCD)
Hardware devices that provide a range of secure cryptographic services and storage and that have physical and logical protection features (such as PIN input devices or hardware security modules).
These devices may be integrated into a larger system such as an automated teller machine (ATM) or point-of-sale terminal (POS).
3.22 Sensitive data (sensitive information)
Data, information, and keys that are to be protected from unauthorized disclosure, modification, or destruction.
3.23 Sensitive state
Device state that provides access to a secure operator interface. In this state, access can only be accepted when the device is under effective dual or multiple control.
3.24 Sponsor (sponsoring authority)
The individual, company or organization that evaluates the SCD.
3.25 Tamper-evident characteristic
The characteristic that can provide evidence of an attack.
3.26 Tamper-resistant characteristic
The characteristic that provides physical protection against attacks.
3.27 Tamper-responsive characteristic
The characteristic that actively reacts to a detected attack to prevent the attack.
4 Abbreviations
ATM  automated teller machine
MAC  message authentication code
PIN  personal identification number
POS  point of sale terminal
SCD  secure cryptographic device
5 Secure cryptographic device (SCD)
5.1 Overview
Financial retail services use cryptographic techniques to ensure:
- the integrity and authenticity of sensitive data, such as transaction details through MAC;
- confidentiality of secret information, such as encrypted user PIN;
- confidentiality, integrity and authenticity of passwords;
- security of other sensitive operations, such as PIN verification.
To ensure the above goals, the following security threats should be prevented in the cryptographic process:
- leakage or modification of cryptographic keys and other sensitive data;
- unauthorized use of cryptographic keys and services.
SCD is a hardware device that can provide cryptographic services, access control, key storage and physical and logical protection functions to prevent the above mentioned threats. The requirements of this standard apply only to the SCD itself and do not cover assemblies or systems that incorporate SCDs. Analyzing the interface between the SCD and other parts of the system plays an important role in ensuring that the SCD is not attacked.
Since absolute security is actually unattainable, it is unrealistic to describe an SCD as absolutely "attack-resistant" or "physically secure". In fact, any security solution may be breached if sufficient expenditure, effort and technology are invested. Moreover, as technology continues to develop, a system that was originally considered to be difficult to breach may be attacked by new technologies. Therefore, a more realistic approach is to determine a security level for security equipment to resist attacks. An acceptable security level is one that, after analyzing the equipment, technology and other costs required for the attacker to carry out a successful attack and the possible benefits obtained from it, is considered sufficient to prevent foreseeable attacks during the operation cycle of the equipment.
The security of the retail payment system should take into account the physical and logical security of the equipment, the security of the operating environment and the management of the equipment. These factors combine to form the security of the equipment and its applications. The source of security requirements is the assessment of the risks that may arise from system applications. The requirements for security features depend on the specific application of the SCD, the operating environment, and the types of attacks considered. The most appropriate way to evaluate the security performance of the equipment is to conduct a risk assessment and decide whether the equipment can be used in a specific application and environment based on the assessment results. Chapter 8 gives a standard assessment method.
5.2 Attack scenarios
5.2.1 Overview
SCD is mainly vulnerable to the following five types of attacks, which may be used in combination:
- Penetration;
- Monitoring;
- Manipulation;
- Modification;
- Replacement.
The following describes these forms of attack.
Note: The attack scenarios described here are not comprehensive, and only the key scenarios that deserve attention are pointed out.
5.2.2 Penetration
Penetration is an attack that involves the use of physical perforation techniques or unauthorized opening of a device to obtain sensitive data such as keys.
5.2.3 Monitoring
Monitoring is an attack that involves detecting sensitive data in a device by monitoring electromagnetic radiation, differential power analysis, timing characteristics, etc., or by monitoring sensitive data input to a device by visual, auditory or electronic means.
5.2.4 Manipulation
Manipulation refers to the unauthorized sending of a series of input messages to a device, changing the device's external input (such as power or clock signals) or subjecting the device to other external influences, thereby leaking sensitive data in the device or obtaining services in an unauthorized manner. For example, putting the device into "adaptation mode" to leak sensitive data or damage the integrity of the device.
5.2.5 Modification
Modification refers to unauthorized modification or change of the physical or logical properties of a device, such as inserting a device that leaks the PIN between the PIN input point and the PIN encryption point in the PIN pad. Note that the purpose of this modification is to tamper with the device rather than immediately leak the information contained in the device. For the attack to be successful, the device should enter (or remain) in an operational state after the modification. Unauthorized replacement of the PIN in a device is a form of modification attack.
5.2.6 Replacement
Replacement is the unauthorized replacement of a device. The replacement device may be a look-alike or a fake device that contains all or part of the original device's logical features or adds some unauthorized functions (such as a PIN leak device). The replacement device may also be a legitimate device that, after unauthorized modification, is substituted for another legitimate device.
Removal is also a type of replacement, and its purpose is to conduct a penetration or modification attack in a more suitable environment. Replacement can be seen as a special case of modification, where the attacker does not actually modify the target device, but replaces it with another modified substitute.
5.3 Defense Measures
5.3.1 Overview
To defend against the attack scenarios discussed above, the following three elements can be used in combination to provide the required security:
- Device characteristics;
- Device management;
- Environment.
Although in some cases a single element, such as device characteristics, may dominate, in general, all of the above elements are necessary to achieve the desired result.
5.3.2 Device characteristics
SCD should consider logical and physical security in its design and implementation to resist the attack scenarios described in 5.2. Physical security characteristics can be divided into the following categories:
- Tamper-evident;
- Tamper-resistant;
- Tamper-responsive.
Implementing physical security of equipment is a combination of the above three types of characteristics. Other physical security features can be used to resist some passive attacks, such as monitoring. Physical security features can also be used to assist in resisting modification and substitution attacks.
The purpose of tamper-evident characteristics is to provide evidence of the attempted attack and of whether the attack resulted in the unauthorized disclosure, use or modification of sensitive data. The attempted attack can be shown by physical evidence (such as damage to the packaging). Evidence also includes the device being absent from its location.
The purpose of tamper-resistant characteristics is to prevent attacks through passive defense measures or logical features. Defense measures are usually single-purpose and used to prevent a specific attack, such as a penetration attack. Logical protection methods are usually used to prevent the leakage of sensitive data or to prevent illegal modification of application systems or application software.
The purpose of tamper-responsive characteristics is to prevent attacks with active mechanisms. When the device senses an abnormal working state, it will trigger active protection mechanisms. These mechanisms can make the protected information unusable.
The implementation of various protection features depends largely on the designer's knowledge and experience of known attacks. Therefore, attack tests usually focus on discovering whether there are known attacks that the defender has not addressed, and will also try to find new attack methods that the defender is not aware of. The assessment of SCD security is difficult and uncertain, because the assessment can usually only prove that the design has successfully defended against currently known attacks, but does not or cannot evaluate the defense capabilities against unknown attacks.
5.3.3 Device Management
Device management refers to the external control of devices during the device life cycle and the environment in which they are located (see Chapter 7). These controls include:
- External confidentiality management methods;
- Safety measures;
- Operational procedures.
The level of security may vary during the life cycle of a device. A major goal of device management is to ensure that device characteristics are not subject to unauthorized changes during the life cycle.
5.3.4 Environment
The goal of environmental security is to control access to the SCD and its services, thereby preventing, or at least detecting, attacks on the SCD. During the life cycle of the SCD, it may be used in different environments (see Chapter 7). These environments can be classified by the degree of control. A highly controlled environment includes continuous monitoring by trusted individuals, while a minimally controlled environment may not include any special environmental security facilities. If the security of an SCD relies on some functions of the controlled environment, it should be fully demonstrated that the controlled environment does provide these functions.
6 Requirements for device security features
6.1 Overview
The device characteristics of an SCD can be classified as physical or logical. Physical security describes the characteristics of the components that make up the SCD and the way the components construct the device; logical characteristics describe the way the device processes inputs and produces outputs or changes logical states. The security of the SCD should ensure that any sensitive data input or output in the device or its interface and the data stored or processed in the device are not leaked.
When the SCD operates in a controlled environment, the requirements for device characteristics depend on the degree of protection provided by the controlled environment and device management.
6.2 Physical security requirements for SCD
6.2.1 General requirements
SCD should be designed as follows: Any failure of components within the device or use outside the specified scope of the device.The SCD should be designed and constructed as follows: Authorized access to or modification of sensitive data entered, stored or processed in the device (including device software) should not be possible without physical penetration of the device. NOTE 1: It is recommended that the SCD should be designed and constructed so that any externally attached device that is used to intercept or replace the input and output data of the SCD for spoofing purposes should have a high probability of detection, or be identified as not a legitimate device. When the design of the SCD allows access to internal areas (such as for maintenance), if such access would cause a security threat and cannot be prevented by other means, there should be a mechanism so that these accesses will immediately cause the erasure of keys and other sensitive data. NOTE 2: Equipment maintenance in this part should include the following three situations: Service: maintenance and maintenance to ensure the normal operating status of the equipment; physical inspection of the equipment and assessment of the actual operating status; repair: restoring the equipment to a normal working state. Through design, construction and configuration, the SCD and its data input functions should be able to prevent direct or indirect monitoring, so as to ensure that there is no feasible attack that can lead to the leakage of confidential or sensitive data. The integrity of the anti-attack mechanism should be ensured. This integrity can be achieved by using other anti-attack mechanisms, such as layered defense. 6.2.2 Anti-attack requirements
6.2.2.1 If the device relies on an anti-attack mechanism to resist substitution, penetration, or modification attacks, the device shall be protected against modification in the manner described in 6.2.2.2 to 6.2.2.1. 6.2.2.2 Replacement
To prevent substitution with counterfeit or modified devices, the device shall be designed so that an attacker cannot use commercially available components to construct a replica that could be mistaken for the real device. 6.2.2.3 Penetration
To ensure that penetration of the SCD can be detected, the device shall be designed and constructed so that any successful penetration will inevitably cause physical damage to the device or cause it to be temporarily removed from its original location. Such an investment will detect the base being attacked when it is returned to the original service.
6.2.2.4 Modifications
To ensure that modifications can be controlled, design and construct equipment in such a way that any modification will not physically damage the equipment or cause it to be removed from its legitimate location for a long time, so that the equipment can detect that it has been modified when it is returned to its original service.
6.2.3 Anti-attack requirements
6.2.3.1 If the equipment relies on anti-attack mechanisms to resist penetration, modification, monitoring, or replacement/removal attacks, then the methods used to resist these attacks can be described in 6.2.3.26.2.3.5. 6.2.3.2 Penetration
To prevent the equipment from being attacked by penetration, the SC shall achieve the following anti-attack level: whether in the equipment's intended operating environment or placed in a special facility, if an attempt is made to use special equipment to conduct penetration attacks, the passive defense of the equipment is sufficient to prevent penetration attacks.
GB,/T 21079.1—2011/IS0 13491-1:2007
6.2.3. 3 Modification
Unless a special device is used to destroy the equipment and make it inoperable, it is impossible to modify the keys or sensitive data stored in the SCD without authorization, or to place a tap device (such as active, passive, wireless, etc.) in the equipment to record the sensing data. 6.2.3.4 Anti-attack characteristics of the equipment should be able to resist monitoring attacks. Passive physical shielding should include the following aspects: Shielding electromagnetic radiation that may cause confidential information in the equipment to be leaked due to monitoring: Privacy shielding, in normal operation, the input of private information is not easily observed by others (e.g., the design and installation of the equipment should facilitate the shielding of the user's body to prevent others from observing). If some components of the equipment cannot be properly protected to prevent monitoring, then the part of the equipment should not store, transmit or process sensitive data.
The equipment should be designed and constructed in such a way that there is a high probability of detection of unauthorized attachments to monitor sensitive data before monitoring occurs.
6.2.3.5 Replacement/Removal
If it is necessary to prevent replacement/removal attacks, the equipment should be protected in such a way that it is not economically feasible to remove the equipment from its intended operating location.
6.2.4 Anti-attack requirements
6.2.4.1 When an SCD uses anti-attack mechanisms, the integrity of the mechanism should be ensured by adopting anti-attack and/or anti-attack features. If the device relies on anti-attack mechanisms to protect against penetration, tampering, or substitution/removal, the device may be protected against such attacks in the manner described in 6.2.4.2 to 6.2.4.4.
6.2.4.2 Penetration
Anti-attack devices shall be designed and constructed in such a way that penetration attacks on the device result in the immediate and automatic deletion of all keys, other sensitive data, and any useful remnants of sensitive data on the device.
6.2.4.3 Modification
Anti-attack devices shall be designed in such a way that any unauthorized modification can be detected and result in the immediate and automatic deletion of all keys, other sensitive data, and any useful remnants of sensitive data on the device.
6.2.4.4 Substitution/removal
When a device is moved from its operating environment, the removal of the device may be the first step in the implementation of an attack. If the security of the device depends on its operating environment, unauthorized removal results in the immediate and automatic deletion of all keys, other sensitive data, and any useful remnants of sensitive data on the device.
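The response behaviour required by 6.2.4.2 to 6.2.4.4, modelled in C as an added example that is not part of the standard. All type, field and function names are hypothetical, the stored bytes are constructed sample data, and the tamper latch is held in RAM here, whereas a real SCD would implement the trigger and latch in protected hardware.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical names throughout; the standard defines no API. */
enum tamper_event { EV_PENETRATION, EV_MODIFICATION, EV_REMOVAL };

struct secrets {
    uint8_t keys[4][16];   /* key slots */
    uint8_t pin_block[8];  /* other sensitive data */
    uint8_t scratch[32];   /* working buffer that may hold useful remnants */
};

struct scd {
    struct secrets s;
    int env_dependent;     /* security depends on the operating environment (6.2.4.4) */
    int tampered;          /* latched once set; never cleared in the field */
};

/* Fill the device with constructed stand-in data. */
void scd_load_sample(struct scd *d, int env_dependent)
{
    memset(&d->s, 0xA5, sizeof d->s);
    d->env_dependent = env_dependent;
    d->tampered = 0;
}

/* Tamper response: returns 1 if the event erased the device, 0 if ignored. */
int scd_on_tamper(struct scd *d, enum tamper_event ev)
{
    volatile uint8_t *p = (volatile uint8_t *)&d->s;
    size_t n = sizeof d->s;

    if (ev == EV_REMOVAL && !d->env_dependent)
        return 0;          /* removal counts only when the environment is part of the defence */
    while (n--)
        *p++ = 0;          /* volatile stores: the compiler may not drop the wipe */
    d->tampered = 1;
    return 1;
}

/* Number of non-zero sensitive bytes still present (keys, PIN data, remnants). */
size_t scd_residue(const struct scd *d)
{
    const uint8_t *p = (const uint8_t *)&d->s;
    size_t i, n = 0;
    for (i = 0; i < sizeof d->s; i++)
        n += (p[i] != 0);
    return n;
}
```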
6.2.5 Physical security equipment
A physical security device should be a hardware device that cannot cause any related keys, PINs or other confidential data in the device to be fully or partially leaked through penetration or certain operations. When the device is attacked by penetration, all PINs, keys, other confidential data and useful data in the device should be automatically erased immediately, that is, the device should have anti-attack capabilities.
A device should only be used as a physical security device when it is ensured that the internal operation of the device has not been modified to allow penetration attacks (such as adding active or passive "tapping" devices inside the device).
6.2.6 The key management technology implemented by devices using the "one key per transaction" management method should ensure that even if a penetration attack is carried out on the SCD, it is not possible, by obtaining the data stored in the device and any related data outside the device (except for those in another SCD), to obtain secret or sensitive data, such as keys carried in the device