Banking - Secure cryptographic devices(retail) - Part 2: Security compliance checklists for devices used in financial transactions

Basic information

Standard ID: GB/T 20547.2-2006

Standard name: Banking - Secure cryptographic devices (retail) - Part 2: Security compliance checklists for devices used in financial transactions

Chinese name: 银行业务安全加密设备(零售)第2部分:金融交易中设备安全符合性检测清单

Standard category: National standard (GB)

Status: Abolished (superseded)

Date of release: 2006-09-18

Date of implementation: 2007-03-01

Date of expiration: 2022-12-30

Standard classification

ICS number: 35.240.40 (Information technology, office machinery and equipment > Information technology applications > Application of information technology in banking)

Chinese classification number: A11 Finance, insurance (General > Economy, culture)

Associated standards

Replaced by: GB/T 21079.2-2022

Adoption status: ISO 13491-2:2005 (MOD)

Publication information

Publisher: China Standards Press

Plan number: 20032217-T-320

Publication date: 2007-03-01

Other information

Drafters: Liu Zhong, Huang Faguo, Xu Zhizhong, Wen Yongsheng, etc.

Drafting organizations: China UnionPay, People's Bank of China, Industrial and Commercial Bank of China, Bank of China Limited, etc.

Technical committee: National Financial Standardization Technical Committee

Proposing organization: People's Bank of China

Publishing department: General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China; Standardization Administration of China

Competent authority: People's Bank of China

Introduction to the standard:

This part specifies security compliance checklists for evaluating the secure cryptographic devices used in financial services systems.


Excerpt from the standard:

ICS 35.240.40
National Standard of the People's Republic of China
GB/T20547.2—2006
Banking - Secure cryptographic devices (retail) - Part 2: Security compliance checklists for devices used in financial transactions (ISO 13491-2:2005, MOD)
2006-09-18 Issued
General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China Standardization Administration of China
2007-03-01 Implementation
Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Use of security compliance checklists
Annex A (normative) Basic physical, logical and device-management characteristics of secure cryptographic devices
Annex B (normative) Devices with PIN entry function
Annex C (normative) Devices with PIN management function
Annex D (normative) Devices with message authentication function
Annex E (normative) Devices with key generation function
Annex F (normative) Devices with key transport and loading function
Annex G (normative) Devices with digital signature function
Annex H (normative) Environmental classification
Foreword

GB/T 20547 "Banking - Secure cryptographic devices (retail)" consists of the following parts:
- Part 1: Concepts, requirements and evaluation methods;
- Part 2: Security compliance checklists for devices used in financial transactions.
This part is Part 2 of GB/T 20547.

This part is a modified adoption of the international standard ISO 13491-2:2005 "Banking - Secure cryptographic devices (retail) - Part 2: Security compliance checklists for devices used in financial transactions" (English edition). The main modifications to ISO 13491-2:2005 are:
1. the international standards cited are adjusted to the corresponding standards and relevant domestic regulations;
2. some normative references that are not currently applicable in China are deleted.

Annexes A to H of this part are normative.

This part was proposed by the People's Bank of China and is under the jurisdiction of the National Financial Standardization Technical Committee.

Drafting organizations of this part: China UnionPay Co., Ltd., the People's Bank of China, Industrial and Commercial Bank of China, Bank of China Co., Ltd., China Construction Bank Corporation, Bank of Communications, Beijing UnionPay Gold Card Technology Co., Ltd.

Main drafters of this part: Liu Zhong, Sun Ping, Huang Faguo, Xu Zhizhong, Wen Yongsheng, Lu Shuchun, Liu Yun, Zhao Hongxin, Xue Wei, Zhang Xiaodong, Chen Liqun, Qian Fei, Li Shuguang, Liu Zhigang, Ren Guanhua, Jiang Hong, Li Jie.

This standard was first issued in 2006.
Introduction

This part of GB/T 20547 specifies the physical characteristics, logical characteristics and management requirements of the secure cryptographic devices used to protect messages, keys and other sensitive information in retail financial services. The security of retail electronic banking services depends to a large extent on the security of these cryptographic devices. Their security requirements are based on the assumption that computer files may be accessed and processed without authorization, that communication lines may be eavesdropped, and that legitimate data and control instructions may be replaced by illegitimate ones. Although some cryptographic devices (such as host security modules) are located in processing centres with relatively strong security, most cryptographic devices used in retail banking (such as PIN pads) operate in insecure environments. When PINs (personal identification numbers), MACs (message authentication codes), keys and other secret data are processed by such devices, there is therefore a risk of device penetration and of data disclosure or tampering.

Financial risk can be reduced by the appropriate use and proper management of secure cryptographic devices having specific physical and logical security characteristics. To ensure that a secure cryptographic device has the appropriate physical and logical characteristics, it should be evaluated. This part provides security compliance checklists for evaluating secure cryptographic devices against the requirements for such devices in financial services systems given in ISO 13491-1. Other assessment frameworks exist and are also suitable for formal security assessment, such as ISO/IEC 15408 parts 1 to 3 and ISO/IEC 19790, but these are beyond the scope of this part. A cryptographic device should have characteristics that ensure it operates correctly and adequately protects the data inside it. Proper device management is essential to ensure the legitimacy of the device, that is, that the device cannot be modified by unauthorized means (for example by installing a "listening device") and that sensitive data in the device cannot be disclosed or tampered with. Absolute security is not achievable: cryptographic security relies on the effective combination, at each stage of the device life cycle, of appropriate device-management procedures and secure cryptographic characteristics. Management procedures reduce the likelihood of a security breach through preventive measures, and they are intended to increase the likelihood that unauthorized access to sensitive or secret data is detected when the device's own characteristics cannot prevent or detect the attack.
Banking - Secure cryptographic devices (retail) - Part 2: Security compliance checklists for devices used in financial transactions

1 Scope

Using the cryptographic algorithms for cryptographic devices specified in international or domestic regulations, this part of GB/T 20547 specifies the security compliance checklist procedures for evaluating the secure cryptographic devices used in financial services systems. IC payment cards should comply with the requirements of this part before issuance; after issuance they are personal devices and fall outside the scope of this part. This part does not deal with problems caused by the failure of secure cryptographic devices. In Annexes A to H, an attack is described as infeasible when it is technically possible but not economically viable; this judgement assumes an attacker seeking purely economic gain and does not cover attacks motivated by other benefits, such as malicious damage to reputation.

2 Normative references

The following documents contain provisions which, through reference in this text, constitute provisions of this part. For dated references, subsequent amendments to or revisions of these documents do not apply; however, parties to agreements based on this part are encouraged to investigate whether the latest editions of these documents may be applied. For undated references, the latest edition of the referenced document applies.

ISO 9564-1:2002 Banking - Personal Identification Number (PIN) management and security - Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems
ISO 115
ISO 13491-1 Banking - Secure cryptographic devices (retail) - Part 1: Concepts, requirements and evaluation methods
ISO 16609
ISO 18031

3 Terms and definitions

For the purposes of this part, the terms and definitions given in ISO 13491-1 and the following apply.

3.1 auditor
A person with auditing and evaluation skills who performs an informal assessment on behalf of the sponsor or the audit organization.

3.2 data integrity
The property that data has not been altered or destroyed in an unauthorized manner.

3.3 dual control
The use of two or more entities (usually persons) operating together to protect sensitive functions or information, so that no single entity can access or use those functions or information alone.

3.4 exclusive or
Modulo-2 addition of binary numbers of equal length.

3.5 security compliance checklist
A list of audit requirements, drawn up according to this specification, for a given device type.

3.6 sensitive state
A state of a device that provides a secure operator interface and that can only be entered under dual or multiple control.
4 Use of security compliance checklists

4.1 Overview

The checklists in this part are intended for sponsors who wish to evaluate the security of cryptographic devices. Sponsors should use some or all of the content of the annexes to:
a) approve the evaluation organization selected by the system supplier and participants;
b) establish an audit organization to audit the completed checklists.

Annexes A to H give the minimum checklists for evaluating the security of cryptographic devices. Additional tests may be performed to reflect the state of the art at the time of evaluation.

As stated in this part, an evaluation may be "informal", "semi-formal" or "formal", depending on the nature of the evaluation organization recognized by the sponsor. Unless the sponsor decides to conduct a "formal" evaluation, the evaluation conclusions cannot be used directly and serve only as a reference for preparing a "formal statement".

Note: Such formal statements are beyond the scope of this part.

Each cryptographic device achieves security through its inherent characteristics and the environment in which it is installed. That environment must be considered when completing these checklists; for example, a device used in a public environment may require higher intrinsic security than the same device used in a controlled environment. Annex H suggests an environmental classification so that the assessment agency need not investigate the specific environment in which a device may be placed. A device may be deployed in a designated facility, and the assessment agency may assess the device's operation in that environment provided the facility itself has been assessed as providing the stated environment. The checklists can also be used for environment categories other than those given in Annex H. Clauses 4.2, 4.3 and 4.4 describe the three assessment methods specified in this part.

4.2 Informal assessment

In an informal assessment, an independent auditor completes the checklists appropriate to the device being assessed.

4.3 Semi-formal assessment

In a semi-formal assessment, the manufacturer or sponsor provides the assessment agency with a device for testing against the appropriate checklists.

4.4 Formal assessment

In a formal assessment, the manufacturer or sponsor provides a device to a qualified assessment organization, which selects the checklists corresponding to the content of the formal statement and conducts the assessment.
Annex A
(normative)
Basic physical, logical and device-management characteristics of secure cryptographic devices

A.1 Overview

The content of this annex applies to the assessment of any secure cryptographic device and shall be completed before the device-specific security compliance checklists are assessed. The following checklists require the auditor to mark each statement "Compliant (T)", "Non-compliant (F)" or "Not applicable (N/A)" and to provide a detailed explanation. A "Non-compliant" mark does not by itself mean that the item is unacceptable in practice, but a written explanation shall be given. A written explanation shall also be given for items marked "N/A".
A.2 Device characteristics

A.2.1 Physical security

A.2.1.1 Overview

All secure cryptographic devices shall meet the requirements of A.2.1.2 (general security) and A.2.1.3 (tamper-evident characteristics). Although many devices shall also meet A.2.1.4 (tamper-resistant characteristics) or A.2.1.5 (tamper-responsive characteristics), some devices need only meet the general security and tamper-evident requirements. Such devices shall satisfy the following:
a) the device shall not retain keys that have been used to encrypt data, nor any information from which those keys could be derived, including data that has existed in plaintext;
b) device management shall ensure that, when the device loses connection or is visibly damaged, this is reported promptly;
c) when a report is received that a device has lost connection or is damaged, all facilities that communicate with the device in encrypted form shall cease processing ciphertext from it.
A.2.1.2 General security

When conducting a security assessment, the assessment agency shall have a clear understanding of the technical methods of physical and logical attack on the device. These include, but are not limited to:
- chemical attack (various solvents);
- scanning attack (electron microscope scanning);
- mechanical attack (drilling, cutting, probing, etc.);
- temperature attack (testing at high and low temperature limits);
- radiation attack (X-ray);
- information leakage through side channels (such as power consumption or timing);
- fault attack.
The assessment agency shall give its conclusion for each statement in Table A.1 (Compliant / Non-compliant / Not applicable).

Table A.1 Security compliance statements

- When the device is working in its intended environment, it cannot be monitored (for example through its electromagnetic emanations, whether or not an operator is present) to obtain PINs, keys or other secret information.
- Device vents and other access points shall be located and protected so that an attacker cannot use them to probe the contents of the device (such as plaintext PINs, passwords and keys) or to defeat the device's protection mechanisms.
- All sensitive data and cryptographic keys, including residual data, are stored in the security module.
- All transfer mechanisms within the device shall ensure that no unauthorized disclosure of information can be obtained by monitoring the device.
- While the device is operational, any access point to its internal circuitry shall be secured by one or more tamper-evident covers or similar security devices.
- The device shall be designed so that it cannot be duplicated from commercially available components; for example, the casing that covers the electronics should not be generally available.

A.2.1.3 Tamper-evident characteristics

The assessment agency shall give its conclusion for each statement in Table A.2.

Table A.2 Security compliance statements

- The device shall be designed so that it is infeasible, by penetrating the device, to add, substitute, obtain or modify any sensitive information (keys) or the device's software or hardware.
- Without special skills and tools, it shall not be possible to do the following undetected: a) damage the device; b) remove or relocate the device from its designated location.

A.2.1.4 Tamper-resistant characteristics

The assessment agency shall give its conclusion for each statement in Table A.3.

Table A.3 Security compliance statements

- The physical protection of the device shall make it infeasible to obtain PINs or keys by physical attack on the device. Even if an attacker has unrestricted access to the device, no secret information in the device can be obtained.
A.2.1.5 Tamper-responsive characteristics

The assessment agency shall give its conclusion for each statement in Table A.4.

Table A.4 Security compliance statements

- Each device shall be protected so that, as soon as any penetration attempt is detected, all keys and sensitive data are immediately erased. When the device casing is removed, whether authorized or not, or any access to the internal parts of the device is opened, the device shall automatically erase the keys and sensitive data stored inside.
- There shall be a method to ensure that, when a cryptographic unit is permanently removed from service, its secret data and keys are erased and any cryptographic keys held in the unit are invalidated in all devices with which it communicated in encrypted form.
- All intrusion-detection and key-erasure mechanisms shall remain effective even when the power is off.
- If the device has no mechanism to detect its removal from its operating location, it shall be ensured that, even after the device has been removed from that environment, the intrusion-detection mechanism cannot be defeated to obtain the device's secret information without the tools and skills required to attack the device.
  Note: For example, obtaining such information requires considerable time: after unrestricted access to the target device has been gained, at least one week of effort (which may include time spent analysing other devices) is needed to obtain its data.
- If the device has a mechanism to detect its removal from its operating location, it shall be ensured that defeating the device or obtaining information from it is infeasible, and that the equipment or techniques needed to attack the device are neither readily available at the device's location nor easily brought to it.
  Note: For example, obtaining the information requires considerable time, such as time spent analysing other devices that have been removed, even with unrestricted access to the device.

A.2.2 Logical security

The assessment agency shall give its conclusion for each statement in Table A.5.

Table A.5 Security compliance statements

- The device shall have self-tests, started manually or automatically, to ensure that it is operating normally. The self-tests may also cover the operational services and the cryptographic algorithms used by the device.
- The device performs only its designed functions.
- The device shall be designed so that, before the self-test process has completed, it cannot be loaded with all the necessary keys and other related data.
- It is infeasible to obtain the device's secret information through diagnostic or special test modes.
- The cryptographic algorithms used by the device and the cryptographic key lengths shall comply with relevant regulations.
- Key management in the device is based on relevant domestic and international regulations. Each key is used for only one cryptographic purpose (key variants may be used for different purposes; a variant is derived from one form of a key into another form by an algorithm).
- The device's functions shall ensure that, other than by authorized methods, there is no way to obtain plaintext secret information (such as a PIN or a key) from the device, or such information encrypted under an unauthorized key.
- If the device consists of several components, it shall be ensured that a key held in a higher-security component cannot be transferred to a lower-security component.
- Keys shall be loaded only when:
  - the device is in the sensitive state; or
  - key loading places the device in a mode in which all tamper-protection mechanisms are active.
Table A.5 (continued)

- The following operator functions that may affect device security are permitted only when the device is in the sensitive state, that is, under dual or multiple control:
  - shutting down or starting up the device;
  - changing the passwords or data that place the device in the sensitive state.
- The secure operator interface shall be designed so that at least two sets of passwords (or an equivalent dual- or multiple-control mechanism) are required to place the device in the sensitive state, and so that the device cannot inadvertently be left in the sensitive state.
- If several limits apply to the sensitive state (for example a function-call limit and a time limit), the device shall return to the normal state as soon as any one limit is reached. The passwords or other plaintext data that place the device in the sensitive state shall be protected to the same degree as other secret and sensitive data.
- If those passwords are lost for any reason, such as a prolonged loss of power, the device enters an inoperable state.
- Function requests and sensitive-state operator functions in the device shall be approved by the sponsor or supported by the system in which the device is used.
- It shall not be possible to convert ciphertext encrypted under one variant of a key into ciphertext encrypted under another variant of that key.
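Several of the Table A.5 items are not just audit statements but rules a device's firmware has to enforce. The Python below is an added example written for this page; it is not code from GB/T 20547.2, ISO 13491-2 or any real device. It models a secure cryptographic device that refuses key loading until a self-test has passed, enters a dual-control sensitive state bounded by both a time limit and a call limit (either limit returns it to normal state), derives one working key per purpose as a key variant, loads keys as the exclusive-or of components held by two custodians, and refuses to translate ciphertext between variants of the same key. The XOR-with-constant variant scheme, the HMAC-based stream cipher, the operator names and passwords, the variant constants and the sample PIN block are all assumptions of this example and not prescribed by the standard; the only external datum is the public RFC 4231 HMAC-SHA256 test vector, used here as the known-answer self-test.

```python
"""Added example (not from GB/T 20547.2 or ISO 13491-2): a simulated SCD enforcing Table A.5 items."""
import hashlib
import hmac
import time

# RFC 4231 test case 1: public HMAC-SHA256 vector used as the known-answer self-test.
_KAT_KEY, _KAT_MSG = b"\x0b" * 20, b"Hi There"
_KAT_MAC = bytes.fromhex("b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7")
# Assumption: a key variant is the master key XORed with one constant per purpose.
VARIANTS = {"pin": 0x45, "mac": 0x4D}

class DeviceError(Exception):
    """Raised when a request violates one of the enforced checklist items."""

class Device:
    def __init__(self, operator_passwords, sensitive_seconds, sensitive_calls, clock=time.monotonic):
        if len(operator_passwords) < 2:
            raise DeviceError("dual control needs at least two operators")
        self._pw, self._clock = dict(operator_passwords), clock
        self._secs, self._max_calls = sensitive_seconds, sensitive_calls
        self._post_ok, self._sensitive_until, self._calls_left = False, None, 0  # untested, normal state
        self._keys = {}  # handle -> master key; there is deliberately no export function

    def self_test(self):
        """Started manually or automatically; key loading is refused until it passes."""
        mac = hmac.new(_KAT_KEY, _KAT_MSG, hashlib.sha256).digest()
        self._post_ok = hmac.compare_digest(mac, _KAT_MAC)
        return self._post_ok

    def enter_sensitive_state(self, op1, pw1, op2, pw2):
        """Two different operators must both authenticate (dual control)."""
        if op1 == op2 or self._pw.get(op1) != pw1 or self._pw.get(op2) != pw2:
            raise DeviceError("dual-control authentication failed")
        self._sensitive_until, self._calls_left = self._clock() + self._secs, self._max_calls

    def in_sensitive_state(self):
        """Reaching either limit (time or call count) returns the device to normal state."""
        if self._sensitive_until is not None and (
                self._clock() >= self._sensitive_until or self._calls_left <= 0):
            self._sensitive_until = None
        return self._sensitive_until is not None

    def load_key_components(self, handle, *components):
        """Load a key as the XOR of equal-length components, so no single custodian knows it."""
        if not self._post_ok:
            raise DeviceError("self-test not passed; key loading refused")
        if not self.in_sensitive_state():
            raise DeviceError("key loading permitted only in sensitive state")
        if len(components) < 2 or len({len(c) for c in components}) != 1:
            raise DeviceError("need at least two components of equal length")
        self._calls_left -= 1
        key = bytes(components[0])
        for comp in components[1:]:
            key = bytes(a ^ b for a, b in zip(key, comp))
        self._keys[handle] = key

    def encrypt(self, handle, purpose, data):
        """Toy stream cipher: XOR with HMAC(variant, counter) blocks; decryption is the same call."""
        if handle not in self._keys or purpose not in VARIANTS:
            raise DeviceError("unknown key handle or purpose")
        variant = bytes(b ^ VARIANTS[purpose] for b in self._keys[handle])
        stream = b"".join(hmac.new(variant, i.to_bytes(4, "big"), hashlib.sha256).digest()
                          for i in range(-(-len(data) // 32)))
        return bytes(a ^ b for a, b in zip(data, stream))

    def translate(self, src, src_purpose, dst, dst_purpose, ciphertext):
        """Re-encrypt under another key of the same purpose; translation across variants is refused."""
        if src_purpose != dst_purpose:
            raise DeviceError("translation between key variants refused")
        return self.encrypt(dst, dst_purpose, self.encrypt(src, src_purpose, ciphertext))

def _refused(fn, *args):
    try:
        fn(*args)
    except DeviceError:
        return True
    return False

def demo():
    """Drive one device through each rule; returns which requests were refused or honoured."""
    now = [0.0]  # controllable clock so the time limit is exercised deterministically
    dev = Device({"alice": "pw-a", "bob": "pw-b"}, 60, 2, clock=lambda: now[0])
    c1, c2 = b"\x01" * 16, b"\x02" * 16  # constructed key components held by two custodians
    r = {"load_before_post": _refused(dev.load_key_components, "k1", c1, c2)}
    r["post_passed"] = dev.self_test()
    r["load_outside_sensitive"] = _refused(dev.load_key_components, "k1", c1, c2)
    dev.enter_sensitive_state("alice", "pw-a", "bob", "pw-b")
    dev.load_key_components("k1", c1, c2)                      # call 1 of 2
    dev.load_key_components("k2", b"\x10" * 16, b"\x20" * 16)  # call 2 of 2: limit reached
    r["exit_on_call_limit"] = not dev.in_sensitive_state()
    dev.enter_sensitive_state("alice", "pw-a", "bob", "pw-b")
    now[0] += 61.0                                             # past the 60 s time limit
    r["exit_on_time_limit"] = not dev.in_sensitive_state()
    pin_block = bytes.fromhex("041234ffffffffff")               # constructed sample data
    ct = dev.encrypt("k1", "pin", pin_block)
    r["variants_differ"] = dev.encrypt("k1", "mac", pin_block) != ct
    moved = dev.translate("k1", "pin", "k2", "pin", ct)
    r["same_purpose_translate_ok"] = dev.encrypt("k2", "pin", moved) == pin_block
    r["cross_variant_refused"] = _refused(dev.translate, "k1", "pin", "k2", "mac", ct)
    return r
```

Running `demo()` returns a dictionary in which every entry is True when the device behaves as the checklist requires: the two refusals before self-test and outside the sensitive state, the automatic exit from the sensitive state on the second permitted call and again after the time limit, distinct ciphertexts under the PIN and MAC variants of the same master key, a successful translation between two keys of the same purpose, and a refused translation across variants. A real device would back these checks with the tamper-responsive erasure of A.2.1.5; this model only shows the logical gating.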
A.3 Device management

A.3.1 Basic requirements

At each life-cycle stage, the organization responsible for completing the checklist for that stage shall provide the audit organization with evidence for the statements in Table A.6.

Table A.6 Security compliance statements

- For audit and control purposes, the device's identity (for example its serial number) can be determined either from an external tamper-evident label or tag, or by a command that displays the identity on an interface or display. When the device is at a life-cycle stage in which cryptographic keys are loaded, the device's identity readily identifies the keys it contains (so that, if the device is lost or stolen, those keys can be invalidated).
- Any physical key used to open or operate the device shall be strictly controlled and usable only by authorized personnel.
- If a device containing cryptographic keys is attacked or stolen, the department responsible for device security shall be notified immediately upon discovery.
- If a device that has no secret keys loaded is attacked or stolen, appropriate mechanisms shall be in place to prevent the attacked or stolen device from being substituted for another legitimate device that has no secret keys loaded.
- If the device has no sensitive state, plaintext keys shall be loaded under dual control.
A.3.2 Security during device manufacture

The device manufacturer or an independent auditor shall provide the audit organization with credible evidence for the statements in Table A.7.

Table A.7 Security compliance statements

- The software and hardware design of the device has been carefully evaluated to ensure that the functions the device provides are legitimate and documented, and that the device software contains no unauthorized functions (such as Trojan horses).
- The device, including its software, shall be manufactured in a controlled environment under the control of qualified personnel, so that the device cannot be physically or functionally modified without authorization.

A.3.3 Security between manufacture and initial use

Device manufacturers, the personnel responsible for shipping, repairing and storing devices (before initial keys are loaded or reloaded), and independent auditors shall provide the audit organization with assurances for the statements in Table A.8.

Table A.8 Security compliance statements

- The mechanisms used to enter plaintext keys, key components or passwords shall be protected and/or inspected to prevent any form of monitoring that could disclose the keys, key components or passwords.
- After manufacture and before shipment, devices shall be stored in a secure area or in tamper-evident packaging so that unauthorized access cannot go undetected.
- Devices shall be shipped in tamper-evident packaging and inspected for unauthorized access. Before keys are loaded into a device, qualified personnel shall inspect it rigorously to ensure that it has not been physically or functionally modified. If a device shipped with secret information inside is found to have been attacked, that secret information shall be erased, so that the user can confirm whether the device is authentic and uncompromised.
  Note: An example of such secret information is the private key of an asymmetric algorithm, where the device's public key is signed by a private key known only to the supplier.
- Initial keys shall be loaded only when there is reasonable assurance that the device has not been physically or functionally modified without authorization.
A.3.4 Security before installation and use

The personnel responsible for device storage and transport, the personnel loading the initial keys, and an independent auditor approved by the verification agency shall provide the audit organization with assurances for the statements in Table A.9.

Table A.9 Security compliance statements

- Any uninstalled device shall be controlled so that unauthorized access is prevented or detected, and records shall be kept for audit so that device theft and loss can be detected and reported.

A.3.5 Security after device installation

The consignee and an independent auditor shall provide the audit organization with credible evidence that the measures in Table A.10 have been adopted.
requirements are given in the narrow range. The equipment should have self-test
manual or automatic start. The equipment only runs the designed kinetic energy
to ensure that the basic
equipment should be designed
before the completion of the test process, including not being able to load all necessary
and other related
porcelain. It is not feasible to obtain equipment
information through diagnosis or special test
methods.
operation is normal. Self-test can
operational services, also
the encryption algorithm used by the equipment, you simulation test, encryption key length should comply with relevant regulations.
Equipment key management is based on relevant domestic and US regulations. A key can only be used for one encryption
purpose (a variant of a key can be used for different purposes, and a variant of a key is converted from one form to another form through an algorithm).
The function of the device should ensure that: except for authorized methods, no other method can obtain the plaintext secret information (such as PIN or encryption key) from the device or the secret information encrypted by illegal secrets.
If the device is composed of multiple components, it should be ensured that the key in the high-security component cannot be transferred to the low-security component.
Keys must be loaded in the following situations:
The device is in a sensitive state;
The key loading behavior puts the device in a mode where all attack protection mechanisms are activated. Compliant
GB/T 20547.2--2006
Not Compliant
Not Compliant
Not Applicable
GB/T 20547.2-2006
Safety Compliance Statement
Table A.5 (Continued)
The following operator functions that may affect the safety of the equipment are only allowed to be operated when the equipment is in a sensitive A24
state, that is, in a dual or multiple control state: - Turning off or starting the equipment:
Changing the password or data that puts the equipment into a sensitive state. The safety operator interface should be designed so that at least two sets of passwords (or equivalent dual or multiple control mechanisms) are required to put the equipment into a sensitive state. The design of the safety operator interface should ensure that the equipment cannot be left in a sensitive state inadvertently.
If multiple limits are set for sensitive states (e.g., function call limit and time limit), the device should return to normal state when a certain limit is reached. The password or other plaintext data that puts the device into sensitive state should be protected equally with other confidential and sensitive data.
If the password is lost due to any other reason such as long-term power failure of the device, the device will enter an inoperable state.
Function requests and sensitive state operator functions in the device should be approved by the initiator or supported by the system used by the device.
It is not allowed to convert the ciphertext encrypted by one key variant into the ciphertext encrypted by another key variant.
A.3 Equipment Management
Basic Requirements
Non-Compliance
Not Applicable
At each life cycle stage: The organization responsible for filling in the inspection list for this stage should provide the audit organization with the correspondence materials shown in Table A.8.
Security Compliance Statement
For audit and control purposes, the identity of the device (e.g., its serial number) can be determined either from an external anti-counterfeit label or tag, or by a command that displays the identity on an interface or display. When the device is at a life cycle stage where encryption keys are loaded, the identity of the keys it contains can be readily determined from the device identity (so that, if the device is lost or stolen, those keys can be invalidated).
Any physical key used to open or operate the device must be strictly controlled and may be used only by authorized personnel.
If a device containing encryption keys is attacked or stolen, the department responsible for device security must be notified immediately on discovery.
If a device without secure encryption keys loaded is attacked or stolen, appropriate mechanisms should be in place to prevent the attacked or stolen device from being substituted for another legitimate device that has not yet had its secure encryption keys loaded.
If the device does not have a sensitive state, the loading of plaintext keys must be carried out under dual control.
A.3.2 Security protection in equipment production
The equipment manufacturer or an independent auditor shall provide the auditing agency with credible materials as shown in Table A.7.
Table A.7
Security compliance statement | Complies | Not compliant | Not applicable
The software and hardware design of the equipment has been carefully evaluated to ensure that the functions it provides are legitimate and documented, and that the equipment software contains no unauthorized functions (such as Trojan horses).
The equipment itself, including its software, shall be produced in a controlled environment under the control of qualified personnel, so that the equipment cannot be physically or functionally modified without authorization.
A.3.3 Equipment security protection after leaving the factory and before use
GB/T 20547.2—2006
Equipment manufacturers, the personnel responsible for shipping, repairing and storing equipment (before the initial key is loaded or reloaded), and independent auditors should provide the auditing agency with the assurances shown in Table A.8.
Table A.8
Security compliance statement | Complies | Not compliant | Not applicable
The transmission mechanism used to input plaintext keys, key components or passwords should be protected and/or checked to prevent any kind of surveillance that could disclose the contents of the keys, key components or passwords. After manufacture and before shipment, the equipment should be stored in a secure protected area or packed in anti-attack (tamper-evident) packaging so that any unauthorized access does not go undetected. The equipment should be shipped in tamper-evident packaging and checked for unauthorized access: before encryption keys are loaded into the equipment, qualified personnel should inspect it rigorously to ensure that it has not been physically or functionally modified; if equipment carrying secret information is found to have been attacked during shipment, the secret information should be erased, so that the user can confirm that the equipment is genuine and has not been compromised. Note: an example of such secret information is the private key of an asymmetric algorithm, where the equipment's public key is signed with a private key known only to the supplier.
The initial key may be loaded only once it has been reasonably confirmed that the equipment has not been physically or functionally tampered with.
A.3.4 Security protection before installation and use of the equipment
The personnel responsible for equipment storage and transportation, the personnel who load the initial key, and the independent auditor approved by the verification agency should provide the auditing agency with the assurances shown in Table A.9.
Table A.9
Security compliance statement | Complies | Not compliant | Not applicable
Any uninstalled equipment must be controlled so that unauthorized access is prevented or detected, and records must be kept for audit so that theft or loss of equipment can be detected and reported.
Security protection after equipment installation
The consignee and the independent auditor should provide the auditing agency with credible materials showing that the measures listed in Table A.10 have been adopted.
Table A.10
Security compliance statement | Complies | Not compliant | Not applicable
Table A.5 (Continued)
The equipment should have a self-test, started manually or automatically, to ensure that its basic operation is normal. The equipment performs only its designed functions, and it should be designed so that no operational services are provided before the self-test process is complete, including being unable to load any keys or other related secret data. It must not be feasible to obtain secret information from the equipment through diagnostic or special test modes. The encryption algorithms used by the equipment should be subjected to simulation testing, and the encryption key lengths should comply with the relevant regulations.
Key management in the equipment is based on the relevant domestic and US regulations. A key may be used for only one cryptographic purpose (variants of a key may be used for different purposes; a key variant is converted from one form to another by an algorithm).
The functions of the device should ensure that plaintext secret information (such as PINs or encryption keys) cannot be obtained from the device by any method other than the authorized ones, and that secret information cannot be obtained encrypted under an unauthorized key.
If the device consists of multiple components, it should be ensured that a key held in a higher-security component cannot be transferred to a lower-security component.
Keys must be loaded only in the following situations:
- the device is in the sensitive state;
- the key-loading operation puts the device into a mode in which all attack-protection mechanisms are active.
Table A.5 (Continued)
Security compliance statement | Complies | Not compliant | Not applicable
A24 The following operator functions, which may affect the security of the equipment, are permitted only when the equipment is in the sensitive state, that is, under dual or multiple control:
- Shutting down or starting up the equipment;
- Changing the password or data that puts the equipment into the sensitive state. The security operator interface should be designed so that at least two sets of passwords (or an equivalent dual or multiple control mechanism) are required to put the equipment into the sensitive state, and so that the equipment cannot be left in the sensitive state inadvertently.
If multiple limits are set for the sensitive state (for example, a function-call limit and a time limit), the device should return to the normal state when any one of these limits is reached. The password or other plaintext data that puts the device into the sensitive state should be protected to the same degree as other confidential and sensitive data.
If the password is lost for any other reason, such as a long-term power failure of the device, the device enters an inoperable state.
Function requests and sensitive-state operator functions in the device should be approved by the initiator or supported by the system in which the device is used.
It is not permitted to convert ciphertext encrypted under one key variant into ciphertext encrypted under another key variant.
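The sensitive-state rules of item A24 and the self-test requirement above (dual control to enter the state, a function-call limit and a time limit that each return the device to the normal state, no operational services before the self-test completes, an inoperable device once the passwords are lost), modelled in an added Python example that is not code from the standard. The SecureDevice class, its method names, the injectable clock and the SHA-256 known-answer self-test are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time


class DeviceError(Exception):
    pass


# Published known-answer test vector for the hash primitive: SHA-256("abc").
SHA256_ABC = bytes.fromhex(
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")


def salted_digest(password, salt=None):
    """Salted, stretched digest; the device never stores an operator password in plaintext."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class SecureDevice:
    """Hypothetical model of the Table A.5 state rules; not code from the standard."""

    PRIVILEGED = {"change_operator_password"}  # operator functions allowed only in the sensitive state

    def __init__(self, operators, call_limit=3, time_limit=60.0, clock=time.monotonic):
        # operators: {name: password}; dual control needs at least two distinct operators
        if len(operators) < 2:
            raise ValueError("at least two operator passwords are required")
        self.operators = {n: salted_digest(p) for n, p in operators.items()}
        self.call_limit, self.time_limit, self.clock = call_limit, time_limit, clock
        self.self_test_passed = False  # no operational services until the self-test passes
        self.inoperable = False        # set once the sensitive-state passwords are lost
        self._deadline = None          # expiry time of the current sensitive state
        self._calls_left = 0           # privileged calls left in the current sensitive state

    def _verify(self, name, password):
        if name not in self.operators:
            return False
        salt, digest = self.operators[name]
        return hmac.compare_digest(digest, salted_digest(password, salt)[1])  # constant-time

    def run_self_test(self):
        """Start-up self-test (manual or automatic); a failed known-answer test leaves the device non-operational."""
        self.self_test_passed = hmac.compare_digest(hashlib.sha256(b"abc").digest(), SHA256_ABC)
        return self.self_test_passed

    def _require_operational(self):
        if self.inoperable or not self.self_test_passed:
            raise DeviceError("no operational services: device inoperable or self-test not completed")

    def enter_sensitive_state(self, credentials):
        """credentials: [(name, password), ...]; two distinct operators must both authenticate."""
        self._require_operational()
        if len({name for name, _ in credentials}) < 2:
            raise DeviceError("dual control: two distinct operator passwords are required")
        if not all(self._verify(name, pw) for name, pw in credentials):
            raise DeviceError("authentication failed")  # same error for unknown name or wrong password
        self._deadline = self.clock() + self.time_limit
        self._calls_left = self.call_limit

    def in_sensitive_state(self):
        """Reaching either limit (time or privileged-call count) returns the device to the normal state."""
        if self._deadline is not None and self.clock() < self._deadline and self._calls_left > 0:
            return True
        self._deadline, self._calls_left = None, 0
        return False

    def execute(self, function, *args):
        self._require_operational()
        if function in self.PRIVILEGED:
            if not self.in_sensitive_state():
                raise DeviceError(f"{function} is only permitted in the sensitive state")
            self._calls_left -= 1
        result = getattr(self, "_op_" + function)(*args)
        self.in_sensitive_state()  # drop back to the normal state as soon as the call limit is used up
        return result

    # Simplified stand-in for the device's real operator command.
    def _op_change_operator_password(self, name, new_password):
        self.operators[name] = salted_digest(new_password)
        return "password changed"

    def long_term_power_failure(self):
        """Losing the sensitive-state passwords (e.g. a long power outage) leaves the device inoperable."""
        self.operators.clear()
        self.inoperable = True
```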