Commercial bank application programming interface secure management specification
ICS 35.240.40
Financial Industry Standard of the People's Republic of China
JR/T 0185—2020
Commercial bank application programming interface secure management specification
2020-02-13 Release
People's Bank of China
2020-02-13 Implementation
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Overview
6 Interface types and security levels
7 Security design
8 Security deployment
9 Security integration
10 Security operation and maintenance
11 Service termination and system offline
12 Security management
Appendix A (Normative Appendix) Commercial bank application interface relationship diagram
Appendix B (Normative Appendix) Commercial bank application interface unified identification code encoding rules
References
This standard was drafted in accordance with the rules given in GB/T1.1-2009. This standard was proposed by the People's Bank of China.
This standard is under the jurisdiction of the National Financial Standardization Technical Committee (SAC/TC180). Drafting units of this standard: Technology Department of the People's Bank of China, China Financial Electronicization Corporation, China UnionPay Co., Ltd., Industrial and Commercial Bank of China Co., Ltd., Agricultural Bank of China Co., Ltd., Bank of China Co., Ltd., China Construction Bank Co., Ltd., Postal Savings Bank of China Co., Ltd., China Merchants Bank Co., Ltd., Shanghai Pudong Development Bank Co., Ltd., China CITIC Bank Corporation Limited, Industrial Bank Co., Ltd., China Minsheng Banking Corporation Limited, China Everbright Bank Co., Ltd., Ping An Bank Co., Ltd., China Guangfa Bank Co., Ltd., Bank of Beijing Co., Ltd., Huishang Bank Co., Ltd., Shandong City Commercial Bank Cooperation Alliance Co., Ltd., Qilu Bank Co., Ltd., Zhejiang MyBank Co., Ltd., CITIC Bank A-Bank Co., Ltd., Shandong Rural Credit Cooperatives Union, Beijing CICC Guosheng Certification Co., Ltd., Beijing UnionPay Gold Card Technology Co., Ltd., CICC Financial Certification Center Co., Ltd., and China Foreign Exchange Trade System. The main drafters of this standard are: Li Wei, Li Xingfeng, Qu Weimin, Cheng Sheng, Guo Dong, Duan Liyan, Guo Jingying, Liu Yun, Gao Qiangyi, Chen Cong, Jiang Huike, Jiang Cheng, Meng Xianzhe, Zhuoyue, Wen Tao, Sun Gui, Kong Pengzhi, Zhao Siqi, Bai Fan, Li Peizhao, Li Yiqin, He Weiming, Zhao Peng, Geng Li, Liu Huiming, Li Yanping, Jiang Xiangchao, Wang Jianhua, Zhang Peicheng, Liu Weiwei, Hu Linlong, Jia Haiming, Yun Jing, Liu Shuhong, Chen Miao, Ye Liming, Fang Shaoquan, Xie Zhenzhe, Qiu Jiacheng, Jiang Hong, Shen Tianle, Quan Cheng, Liu Jiawen, Wang Xiaofei, Fu Kaizuo, Du Shouwei, Zuo Min, Deng Xiang, Ding Peng, Liu Weiwei, and Tu Ding.
1 Scope
This standard specifies the types and security levels, security design, security deployment, security integration, security operation and maintenance, service termination and system offline, security management and other security technology and security assurance requirements of commercial bank application programming interfaces. This standard applies to the design and application of commercial bank external interconnection application programming interfaces, to guide banking financial institutions engaged in or participating in commercial bank application programming interface services, and application parties of integrated interface services to carry out related work, and to provide reference for third-party security assessment agencies and other units to carry out security inspections and assessments (for details on the relationship between interface types, see Appendix A). The design and application of other types of application programming interfaces can refer to this standard.
2 Normative References
The following documents are essential for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest version (including all amendments) applies to this document.
GB/T25069 Information Security Technical Terminology
JR/T0071 Implementation Guidelines for Information Security Level Protection of Information Systems in the Financial Industry
JR/T0124—2014 Coding Standards for Financial Institutions
3 Terms and Definitions
The terms and definitions defined in GB/T25069 and the following apply to this document.
3.1
application programming interface
A group of predefined functions through which developers can conveniently access related services without having to pay attention to the design and implementation of the services.
3.2
application agency
The agency that calls the commercial bank's application program interface.
3.3
application programming interface unique ID
A unique ID defined by the commercial bank itself and used to distinguish the functions of the commercial bank's application program interface.
3.4
uniform application programming interface ID
The uniform ID of a commercial bank application program interface, generated by the commercial bank according to the coding rules issued by the industry regulatory department.
Note: It is used to identify the commercial bank's institution code, interface type, service category, interface sequence number, etc.
3.5
software development kit
A collection of software development tools used to build applications based on specific software packages, software frameworks, hardware platforms, operating systems, etc.
3.6
application unique ID
A unique identifier granted by the commercial bank to an application party, after the party's identity has been verified, according to the type of financial products and services it calls.
Note: It includes server-side application identifiers and mobile terminal application software identifiers.
3.7
application secret
An application legitimacy authentication credential, used in conjunction with the application unique identifier to verify the legitimacy of an application accessing through the API. After the access verification is passed, system docking can be completed and the application interface can be called, or the functions and data it provides can be used.
3.8
financial mobile application software
Application software that provides financial transaction services to users on mobile terminals.
Note: Including but not limited to executable files, components, etc.
3.9
personal financial information
Personal information obtained, processed and stored by financial institutions through the provision of financial products and services or other channels.
Note 1: Including account information, identification information, financial transaction information, personal identity information, property information, loan information and other information reflecting certain circumstances of specific individuals.
Note 2: Adapted from GB/T35273—2017, definition 3.1.
3.10
payment sensitive information
Important information in payment information involving the privacy and identity identification of the payment subject.
Note: Including but not limited to bank card track or chip information, card verification code, card validity period, bank card password, online payment transaction password, etc.
3.11
payment account
The code of a bank account with financial transaction function, the payment account of a non-bank payment institution, and the bank card number.
[JR/T0149—2016, definition 3.1]
3.12
explicit consent
The subject of personal financial information makes a written statement or takes an affirmative action to explicitly authorize the specific processing of his/her personal financial information.
Note: Affirmative actions include the subject of personal information taking the initiative to make a statement (in electronic or paper form), to check a box, or to click "agree", "register", "send", "call", etc.
[GB/T35273—2017, definition 3.6]
4 Abbreviations
The following abbreviations apply to this document.
API: Application Programming Interface
API ID: Application Programming Interface unique ID
App_ID: Application unique ID
App_Secret: Application Secret
DDoS: Distributed Denial of Service
U_API_ID: Uniform Application Programming Interface ID
SDK: Software Development Kit
SSL: Secure Sockets Layer
TLS: Transport Layer Security
MAC: Message Authentication Code
5 Overview
The commercial bank application program interface service is a financial service model that relies on API technology to achieve internal and external interconnection. Commercial banks provide partners with application program interfaces for interconnection, export their own financial service capabilities and information technology capabilities, and in doing so supplement and strengthen the financial ecosystem. External institutions call the commercial bank application program interface (external API, see Appendix A) through the Internet channel to obtain the various services the commercial bank provides. Its logical structure is shown in Figure 1.
The participants in the commercial bank application program interface service mainly include users, application parties and commercial banks. Commercial banks provide application program interface services to application parties and users through API direct connection or SDK indirect connection, realizing the external output of commercial bank services. Users initiate commercial bank application program interface requests and receive the processing results returned by the application party or the commercial bank. The application party receives and processes user requests, submits the relevant requests to the commercial bank through the application program interface, receives the returned results, and processes the service request or feeds the result back to the user according to the process.
Commercial banks build commercial bank application program interfaces, an application program interface service layer and banking business systems to provide the commercial bank application program interface service. The application program interface service layer forwards the application party's request to the banking business system for processing and feeds the processing result back to the application party or user. The service layer includes functions such as authentication, flow control, monitoring and analysis, message exchange, and service combination; it does not process specific business logic, and it manages the commercial bank application program interfaces and the application parties.
Figure 1 Logical structure diagram of commercial bank application interface (application side; commercial bank application interface service layer with authentication, flow control, monitoring and analysis, message exchange, service combination, and encryption and decryption; banking business system)
6 Interface types and security levels
6.1 Interface type
According to the application integration method, commercial bank application interfaces are divided into the server-to-server integration method and the mobile terminal-to-server integration method.
For the server-to-server integration method, there are mainly two implementation forms:
- The application side server directly calls the commercial bank application interface (for example, over REST or SOAP protocols).
- The application side server uses the server SDK provided by the commercial bank to indirectly access the commercial bank application interface. The server SDK mainly encapsulates the commercial bank's general access algorithm; to reduce the difficulty of access development for the application side, such an SDK generally does not contain business logic.
For the mobile terminal-to-server integration method, there are mainly two implementation forms:
- The application side's mobile terminal application software directly calls the commercial bank application program interface.
- The application side's mobile terminal application software uses the mobile terminal application SDK provided by the commercial bank to indirectly access the commercial bank application program interface.
Among them, direct calls from the application side's mobile terminal application software to the commercial bank application program interface are mainly used for financial services that are not directly related to individual users, such as public information queries and public service queries of commercial banks. In addition to encapsulating the commercial bank's general access algorithm, the mobile terminal application SDK can also encapsulate business logic, personal financial information security protection (such as security reinforcement of password data) and other functions. In the mobile terminal-to-server mode, where only H5 (Hypertext Markup Language version 5.0) technology is used to provide access links to banking financial products and services, the H5 page itself does not directly call (or encapsulate) the commercial bank application programming interface, so it is not separately listed as a type of commercial bank application programming interface.
6.2 Security Level
According to the service type, the security level of commercial bank application program interfaces is divided into two levels, with security protection requirements decreasing from A2 to A1:
- A2: fund transaction and account information query application category. Such financial products and services are directly related to individual users and implement a high level of security protection strength. Such commercial bank application program interfaces include but are not limited to:
  - commercial banks providing fund transaction services such as payment, transfer, and purchase of financial products and services through an SDK;
  - commercial banks providing user account information query services such as account balance, transaction history, account limit, payment time, financial product and service holdings, etc. through an SDK.
  For the above services, if it is necessary to call the service by API direct connection, commercial banks should assess the access risks, formulate special interfaces to connect with the application party, and implement high-level security protection strength requirements.
- A1: financial product and service information query application category. Such financial products and services are not directly related to individual users and implement general security protection strength. Such commercial bank application interfaces include but are not limited to: commercial banks providing "read-only" query services for detailed information on bank financial products and services.
7 Security Design
7.1 Basic Design Requirements
The basic requirements for the security design of commercial bank application interfaces are as follows:
- The cryptographic algorithms, technologies and products used should comply with the requirements of the national cryptographic management department and the competent industry department.
- A secure coding specification should be formulated. Developers should be trained in secure coding, and development should be carried out in accordance with the secure coding specification.
- If third-party application components are required during development, the components should be verified for security, the information disclosures and updates of the relevant platforms should be continuously monitored, and the components should be updated in a timely manner.
- A special code security audit should be conducted on commercial bank application interfaces. The audit can be carried out manually or with automated tools.
- Source code and commercial bank application interface version management and control procedures should be formulated to standardize source code and interface version management, and information on the abolition and change of interfaces should be kept synchronized with the application party.
- The exception and debugging information that commercial banks provide to the application party should not leak software and hardware information such as servers, middleware, databases, or internal network information.
7.2 Interface Security Design
7.2.1 Authentication security
a) Interface authentication security requirements are as follows:
1) The verification elements used for application authentication include:
- App_ID and App_Secret;
- App_ID and digital certificate;
- App_ID and public-private key pair;
- a combination of the above three solutions.
2) For A2-level interfaces and application authentication, two-way authentication should be performed using a method that includes digital certificates or public-private key pairs.
b) User identity authentication security requirements are as follows:
1) Commercial banks should design user identity authentication mechanisms of different levels for commercial bank application interfaces of different security levels, in combination with the financial service scenario; user identity authentication should be performed at the commercial bank.
2) For fund transaction services on A2-level interfaces, user login identity authentication should use at least two-factor authentication to protect account and property security.
7.2.2 Interface interaction security
The commercial bank application interface interaction security requirements are as follows:
- The commercial bank application interface should verify the validity of the connection, such as whether the interface version, parameter format and other elements are consistent with the platform design.
- The data interacted through the commercial bank application interface should be protected for integrity. For A2-level interfaces, commercial banks and application parties should use digital signatures to ensure the integrity and non-repudiation of data.
- For personal financial information such as payment sensitive information, the following measures should be taken for secure interaction:
  - During data interaction, payment sensitive information such as login passwords and payment passwords should be protected by measures including but not limited to replacing the plain text of the input box, a custom soft keyboard, keyboard eavesdropping prevention, and screenshot prevention, so that the plain text of payment sensitive information cannot be obtained.
  - Personal financial information such as account number, card number, card expiration date, name, ID number, mobile phone number, etc. should be encrypted in transmission using the encryption component integrated in the SDK, or the relevant messages should be encrypted as a whole. If it is necessary to return the account number, card number or name to the application party through the commercial bank application program interface, they should be desensitized or de-identified. If it is necessary to transmit a payment account number such as the card number to the application party for clearing and settlement, error reconciliation, etc., it should be transmitted through an encrypted channel, and measures should be taken to ensure the integrity of the information.
  - For A2-type read-only information inquiries such as financial product holdings and user points, the API direct connection method can be used for the query request. Encryption and other measures should be taken to ensure the integrity and confidentiality of the query information, and the query results shall not be saved locally on the application party.
- After the transaction authentication is completed, the user's payment sensitive information should be cleared in time to prevent attackers from obtaining all or part of the user information by reading temporary files, memory data, etc.
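The A2 signing exchange of 7.2.2 carried through in Go, as an added example that is not part of the standard and not any bank's SDK: the application party signs a canonical form of the message with its registered private key and the bank verifies the signature (integrity and non-repudiation) before processing. The message fields, the identifiers, the acceptance window and the local key generation are assumptions of the example; encryption of personal financial information fields is not shown, and the signing key is kept distinct from any encryption key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Request is an A2 interface message. The field set is assumed for this
// example, built from elements the standard names: App_ID, interface id,
// call timestamp, business parameters and a digital signature over all of them.
type Request struct {
	AppID, APIID string
	Timestamp    int64
	Params       map[string]string
	Signature    string // base64 ASN.1 ECDSA signature, empty until signed
}

// NewSigningKey generates a demo P-256 key pair. In practice the key pair and
// its certificate come from the bank's enrolment process, not from the application.
func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// canonical renders the signed part in a fixed order so both parties hash the
// same bytes regardless of how the wire encoding orders fields.
func canonical(r *Request) string {
	keys := make([]string, 0, len(r.Params))
	for k := range r.Params {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	fmt.Fprintf(&b, "app_id=%s&api_id=%s&timestamp=%d", r.AppID, r.APIID, r.Timestamp)
	for _, k := range keys {
		fmt.Fprintf(&b, "&%s=%s", k, r.Params[k])
	}
	return b.String()
}

// Sign is the application party's step: hash the canonical form and sign it
// with the private key registered with the bank (the signing key only; the
// key used for encrypting personal financial information is a separate one).
func Sign(priv *ecdsa.PrivateKey, r *Request) error {
	digest := sha256.Sum256([]byte(canonical(r)))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return err
	}
	r.Signature = base64.StdEncoding.EncodeToString(sig)
	return nil
}

// Verify is the bank's step. It checks the timestamp against an acceptance
// window (the window is this example's assumption; the standard fixes none)
// and then the signature against the application's registered public key.
func Verify(pub *ecdsa.PublicKey, r *Request, now time.Time, window time.Duration) error {
	if r.Signature == "" {
		return errors.New("unsigned message on an A2 interface")
	}
	if d := now.Sub(time.Unix(r.Timestamp, 0)); d > window || d < -window {
		return errors.New("timestamp outside acceptance window")
	}
	sig, err := base64.StdEncoding.DecodeString(r.Signature)
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(canonical(r)))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature verification failed")
	}
	return nil
}

func main() {
	priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	r := &Request{
		AppID: "APP-DEMO-0001", APIID: "API-DEMO-0001", Timestamp: now.Unix(),
		Params: map[string]string{"amount": "100.00", "currency": "CNY"}, // constructed sample
	}
	if err := Sign(priv, r); err != nil {
		panic(err)
	}
	fmt.Println("genuine:", Verify(&priv.PublicKey, r, now, time.Minute))
	r.Params["amount"] = "999.00" // modified after signing
	fmt.Println("tampered:", Verify(&priv.PublicKey, r, now, time.Minute))
}
```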
7.3 Service Security Design
7.3.1 Authorization Management
Commercial banks should manage the authorization of the corresponding interface permissions according to the service requirements of different application parties and the principle of minimum authorization. When the service requirements change, the interface permissions should be evaluated and adjusted in time.
7.3.2 Attack Protection
Service security design should have the following attack protection capabilities:
- API and SDK should have security protection capabilities against common network attacks.
- Mobile terminal application SDK should have static reverse analysis protection capabilities to prevent attackers from obtaining technical details of the SDK implementation through static disassembly, string analysis, import and export function identification, configuration file analysis, etc.
- Mobile terminal application SDK should have dynamic debugging protection capabilities, including but not limited to: the ability to prevent attackers from controlling program behavior by attaching dynamic debuggers and dynamically tracing the program; and the ability to prevent attackers from controlling program behavior by tampering with files and dynamically modifying memory code.
7.3.3 Security Monitoring
Security monitoring requirements are as follows:
- Commercial banks should monitor the use of interfaces and fully record interface access logs. The logs should meet the following requirements:
  - The relevant logs of commercial banks should at least include the transaction serial number, application unique identifier, interface unique identifier, call time, timestamp, return result (success or failure), etc.
  - Where business needs such as clearing and settlement or error reconciliation require it, the payment account (or its equivalent information) should be recorded in a partially shielded manner in the application side interface log. Other personal financial information should not be recorded in the application side interface log.
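An added example in Go, not from the standard, of the logging requirement just stated: an access record limited to the fields 7.3.3 lists, the payment account partially shielded before it is written, and a log-review check that rejects lines still carrying other personal financial information. The JSON field names, the 6+4 masking rule, the forbidden-key list and the detection patterns are the example's own assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// AccessLog carries the minimum content 7.3.3 lists for an interface access
// log. Field names are this example's own choice, not the standard's.
type AccessLog struct {
	TxnSerial string `json:"txn_serial"`
	AppID     string `json:"app_id"`    // application unique identifier
	APIID     string `json:"api_id"`    // interface unique identifier
	CallTime  string `json:"call_time"` // wall-clock time the call was received
	Timestamp int64  `json:"timestamp"` // timestamp carried in the request message
	Result    string `json:"result"`    // "success" or "failure"
	PayAcct   string `json:"pay_acct,omitempty"` // partially shielded, only when business needs it
}

// MaskAccount keeps the first 6 and last 4 digits. The standard only says
// "partially shielded"; 6+4 is this example's assumed rule.
func MaskAccount(acct string) string {
	if len(acct) <= 10 {
		return strings.Repeat("*", len(acct))
	}
	return acct[:6] + strings.Repeat("*", len(acct)-10) + acct[len(acct)-4:]
}

// NewAccessLog builds the record from a request's parameters. The payment
// account is copied, masked, only when a clearing/reconciliation need
// (keepAccount) justifies it; every other request parameter is left out, so
// name, ID number, mobile number and the like never enter the log.
func NewAccessLog(serial, appID, apiID string, ts int64, callTime time.Time, ok bool,
	params map[string]string, keepAccount bool) AccessLog {
	l := AccessLog{TxnSerial: serial, AppID: appID, APIID: apiID,
		CallTime: callTime.UTC().Format(time.RFC3339), Timestamp: ts, Result: "failure"}
	if ok {
		l.Result = "success"
	}
	if keepAccount {
		l.PayAcct = MaskAccount(params["card_no"])
	}
	return l
}

// Line serializes the record as one JSON log line.
func (l AccessLog) Line() (string, error) {
	b, err := json.Marshal(l)
	return string(b), err
}

// forbiddenKeys are personal financial information fields that 7.3.3 says must
// not appear in the application side interface log (constructed list).
var forbiddenKeys = []string{"name", "id_no", "mobile", "card_expiry", "cvv", "password"}

// leakPatterns catch unmasked values even when the key name was changed: a
// 16-19 digit card/account number, an 18-digit PRC ID number, an 11-digit
// mainland mobile number (heuristics for a log review, not proof of absence).
var leakPatterns = []*regexp.Regexp{
	regexp.MustCompile(`\b\d{16,19}\b`),
	regexp.MustCompile(`\b\d{17}[\dXx]\b`),
	regexp.MustCompile(`\b1[3-9]\d{9}\b`),
}

// CheckLogLine is the review-side control: it returns an error if a serialized
// line still carries a forbidden key or an unmasked personal financial value.
func CheckLogLine(line string) error {
	for _, k := range forbiddenKeys {
		if strings.Contains(line, `"`+k+`"`) {
			return errors.New("forbidden field in log: " + k)
		}
	}
	for _, p := range leakPatterns {
		if m := p.FindString(line); m != "" {
			return errors.New("unmasked personal financial information: " + m)
		}
	}
	return nil
}

func main() {
	// Constructed sample request parameters; the account number is not a real card.
	params := map[string]string{"card_no": "6222020000000001234", "name": "Zhang San",
		"mobile": "13800138000", "amount": "100.00"}
	l := NewAccessLog("TXN-20200213-000001", "APP-DEMO-0001", "API-DEMO-0001",
		1581552000, time.Unix(1581552000, 0), true, params, true)
	line, _ := l.Line()
	fmt.Println(line, CheckLogLine(line))
	bad := `{"txn_serial":"TXN-20200213-000002","card_no":"6222020000000001234"}` // must never be written
	fmt.Println(CheckLogLine(bad))
}
```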
7.3.4 Key Management
Key management requirements are as follows:
- Encryption and signature should be assigned different keys, kept separate from each other.
- The private key plaintext (or ciphertext) should not be written into commercial bank application code in encoded form. App_Secret or private keys should not be stored in the local configuration files of the commercial bank or the application party, to prevent key leakage through code leakage.
- Different key validity periods should be set according to the commercial bank application interface level, and keys should be updated regularly.
8 Security deployment
Commercial banks and application parties should carry out the secure deployment of commercial bank application interfaces following the logical structure diagram of commercial bank application interface network deployment (see Figure 2). Commercial banks and application parties should deploy network security protection measures with access control and intrusion prevention capabilities, such as firewalls, IDS/IPS and DDoS protection, at the Internet border.
Figure 2 Schematic diagram of commercial bank application program interface network deployment (application end: mobile terminal and server, connecting by direct or indirect connection over the Internet/mobile Internet through network security protection measures; commercial bank application program interface service layer: authentication, traffic control, monitoring and analysis, message exchange, service combination, API business processing transfer service; bank business layer: application bus, business systems 1 to 3 and core internal system, separated by network security protection measures)
8.1 Server side integration
The commercial bank application program interface service layer should deploy services such as flow control, monitoring and analysis, authentication and authorization, message exchange, and service combination; authentication and authorization, message exchange, and service combination can also be deployed in the bank business layer. Network security protection measures such as firewalls with the relevant access control and intrusion prevention capabilities should be deployed between the commercial bank application program interface service layer and the bank business layer. The application server should be deployed in a logically isolated area behind the application party's Internet access security protection equipment, and the application services related to the commercial bank application program interface should be accessed through the Internet and mobile Internet. Commercial banks should deploy security control measures of the corresponding level based on JR/T0071. The application party's deployment of security control measures related to the commercial bank application program interface should comply with the national network security level protection standards or higher security requirements.
The commercial bank application program interface interaction security requirements are as follows: 一一The commercial bank application program interface should verify the validity of the connection, such as whether the interface version, parameter format and other elements are consistent with the platform design.
一一The data interacted through the commercial bank application program interface should be protected for integrity. For A2-level interfaces, commercial banks and application parties should use digital signatures to ensure the integrity and non-repudiation of data. 1. For personal financial information such as payment sensitive information, the following measures should be taken for secure interaction: During the data interaction process, payment sensitive information such as login passwords and payment passwords should use security protection measures including but not limited to replacing the original text of the input box, customizing the soft keyboard, preventing keyboard eavesdropping, and preventing screenshots to ensure that the plain text of payment sensitive information cannot be obtained:
Personal financial information such as account number, card number, card expiration date, name, ID number, mobile phone number, etc. should be encrypted using the encryption component integrated in the SDK during transmission, or the relevant messages should be encrypted as a whole; if it is necessary to use the commercial bank application program interface to feedback the account number, card number, and name to the application party, they should be desensitized or de-identified. If it is necessary to transmit the payment account number such as the card number to the application party due to the needs of clearing and settlement, error reconciliation, etc., they should be transmitted through an encrypted channel, and measures should be taken to ensure the integrity of the information: For A2 type read-only information inquiries such as financial product holdings and user points, the API direct connection method can be used to connect the query request. Encryption and other measures should be taken to ensure the integrity and confidentiality of the query information, and the query results shall not be saved locally on the application party.
一一After the transaction authentication is completed, the user's sensitive payment information should be cleared in time to prevent attackers from obtaining all or part of the user information by reading temporary files, memory data, etc. 7.3 Service Security Design
7.3.1 Authorization Management
Commercial banks should manage the authorization of corresponding interface permissions according to the service requirements of different application parties and the principle of minimum authorization. When the service requirements change, the interface permissions should be evaluated and adjusted in time. 7.3.2 Attack Protection
Service security design should have the following attack protection capabilities: 一一API and SDK should have security protection capabilities against common network attacks. 一一Mobile terminal application SDK should have static reverse analysis protection capabilities to prevent attackers from obtaining technical details about SDK implementation methods through static disassembly, string analysis, import and export function identification, configuration file analysis, etc. 一一Mobile terminal application SDK should have dynamic debugging protection capabilities, including but not limited to: the ability to prevent attackers from controlling program behavior by attaching dynamic debuggers and dynamically tracking programs: the ability to prevent attackers from controlling program behavior by tampering with files and dynamically modifying memory codes. 7.3.3 Security Monitoring
Security Monitoring Security requirements are as follows:
iiiKAacJouaKAa
一Commercial banks should monitor the use of interfaces and fully record interface access logs. The logs should meet the following requirements:
JR/T0185—2020
7.2.2 Interface interaction security

The commercial bank application program interface interaction security requirements are as follows:

——The commercial bank application program interface should verify the validity of the connection, for example whether the interface version, parameter format and other elements are consistent with the platform design.
——The data exchanged through the commercial bank application program interface should be protected for integrity. For A2-level interfaces, commercial banks and application parties should use digital signatures to ensure the integrity and non-repudiation of the data.
——For personal financial information such as payment sensitive information, the following measures should be taken for secure interaction:
  a) During data interaction, payment sensitive information such as login passwords and payment passwords should be protected by measures including but not limited to replacing the plain text of the input box, a custom soft keyboard, prevention of keyboard eavesdropping and prevention of screenshots, so that the plain text of payment sensitive information cannot be obtained;
  b) Personal financial information such as account number, card number, card expiration date, name, ID number and mobile phone number should be encrypted in transmission using the encryption component integrated in the SDK, or the relevant messages should be encrypted as a whole. If the commercial bank application program interface has to return the account number, card number or name to the application party, these should be desensitised or de-identified. If a payment account number such as the card number has to be transmitted to the application party for clearing and settlement, error reconciliation or similar needs, it should be transmitted over an encrypted channel and measures should be taken to ensure the integrity of the information;
  c) For A2-type read-only information inquiries, such as financial product holdings and user points, the API direct connection method may be used for the query request. Encryption and other measures should be taken to ensure the integrity and confidentiality of the query information, and the query results shall not be saved locally by the application party.
——After transaction authentication is completed, the user's sensitive payment information should be cleared promptly, to prevent attackers from obtaining all or part of the user's information by reading temporary files, memory data, etc.
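The integrity and non-repudiation requirement for A2-level interfaces, shown as a worked example that is added here and is not code from the standard or from any bank's SDK. It assumes Ed25519 signatures over a canonical form of the request, together with a timestamp and a nonce (the type SignedRequest, the functions Sign and Verify, the field names and the five-minute skew window are all this example's own) so that the bank side rejects not only tampered requests but also stale and replayed ones:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
	"time"
)

// SignedRequest is the envelope an application party sends to an A2-level
// interface. Field names, and the timestamp/nonce used for replay protection,
// are assumptions of this example, not the standard's message layout.
type SignedRequest struct {
	AppID     string            // application unique identifier
	APIID     string            // interface unique identifier
	Timestamp int64             // unix seconds when the request was built
	Nonce     string            // random per-request value
	Params    map[string]string // business parameters
	Signature string            // base64 Ed25519 signature over the canonical form
}

// maxSkew bounds how old (or how far ahead) a request timestamp may be.
const maxSkew = 5 * time.Minute

// canonical serialises the header fields and the parameters in sorted key
// order and hashes the result, so sender and verifier sign identical bytes
// regardless of map iteration order or message formatting.
func canonical(r *SignedRequest) []byte {
	keys := make([]string, 0, len(r.Params))
	for k := range r.Params {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	fmt.Fprintf(&b, "%s\n%s\n%d\n%s\n", r.AppID, r.APIID, r.Timestamp, r.Nonce)
	for _, k := range keys {
		fmt.Fprintf(&b, "%s=%s\n", k, r.Params[k])
	}
	sum := sha256.Sum256([]byte(b.String()))
	return sum[:]
}

// GenerateKeyPair creates the application party's signing key pair. The
// private key belongs in a key store on the application side, never in code.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// NewNonce returns 128 bits of CSPRNG output, hex encoded.
func NewNonce() string {
	var buf [16]byte
	if _, err := rand.Read(buf[:]); err != nil {
		panic(err) // an unreadable CSPRNG is not a recoverable condition
	}
	return hex.EncodeToString(buf[:])
}

// Sign is run by the application party before the request is sent.
func Sign(r *SignedRequest, priv ed25519.PrivateKey) {
	r.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, canonical(r)))
}

// Verify is run on the bank side. It rejects stale timestamps, replayed
// nonces and any request whose signature does not match the canonical form,
// and records the nonce only after a successful check. seen stands in for a
// shared, expiring nonce store keyed by application.
func Verify(r *SignedRequest, pub ed25519.PublicKey, now time.Time, seen map[string]bool) error {
	ts := time.Unix(r.Timestamp, 0)
	if now.Sub(ts) > maxSkew || ts.Sub(now) > maxSkew {
		return errors.New("timestamp outside accepted window")
	}
	key := r.AppID + ":" + r.Nonce
	if seen[key] {
		return errors.New("nonce already used: possible replay")
	}
	sig, err := base64.StdEncoding.DecodeString(r.Signature)
	if err != nil || !ed25519.Verify(pub, canonical(r), sig) {
		return errors.New("signature verification failed")
	}
	seen[key] = true
	return nil
}

func main() {
	pub, priv, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	req := &SignedRequest{ // constructed identifiers and parameters
		AppID: "APP-EXAMPLE-0001", APIID: "API-BALANCE-QUERY",
		Timestamp: now.Unix(), Nonce: NewNonce(),
		Params: map[string]string{"acct": "622202******1234"},
	}
	Sign(req, priv)
	seen := map[string]bool{}
	fmt.Println("first delivery:", Verify(req, pub, now, seen)) // <nil>
	fmt.Println("replayed copy: ", Verify(req, pub, now, seen)) // nonce already used
}
```

Signing a hash of a canonical string rather than the raw message is what makes the signature independent of how the transport layer formats the request; the nonce store must be shared across all bank-side verifier instances for the replay check to hold.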
7.3 Service Security Design

7.3.1 Authorization Management

Commercial banks should manage the authorization of interface permissions according to the service requirements of each application party and the principle of minimum authorization. When service requirements change, the interface permissions should be re-evaluated and adjusted in time.

7.3.2 Attack Protection

Service security design should have the following attack protection capabilities:

——API and SDK should have security protection capabilities against common network attacks.
——Mobile terminal application SDK should have static reverse analysis protection capabilities, to prevent attackers from obtaining technical details of the SDK implementation through static disassembly, string analysis, import and export function identification, configuration file analysis, etc.
——Mobile terminal application SDK should have dynamic debugging protection capabilities, including but not limited to: the ability to prevent attackers from controlling program behaviour by attaching dynamic debuggers and dynamically tracing the program; and the ability to prevent attackers from controlling program behaviour by tampering with files and dynamically modifying code in memory.

7.3.3 Security Monitoring
Security monitoring security requirements are as follows:

——Commercial banks should monitor the use of interfaces and fully record interface access logs. The logs should meet the following requirements:
  a) Related logs of commercial banks should at least include the transaction serial number, application unique identifier, interface unique identifier, call time, time stamp, return result (success or failure), etc.;
  b) Due to business needs such as clearing and settlement and error reconciliation, the payment account (or its equivalent information) should be recorded in partially masked form in the application side interface log. Other personal financial information should not be recorded in the application side interface log.
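The log requirements above as an added worked example (not code from the standard or any bank's system): an access-log record carrying the listed mandatory fields, with the payment account stored partially masked and a scrub pass over free-text fields so that a card number copied into an error message never reaches the log file. The first-six/last-four masking rule, the Luhn filter used to tell card numbers from other digit runs, the JSON field names and the optional detail field are assumptions of this example. The same MaskPAN helper also serves the desensitisation of returned card numbers required in 7.2.2.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// AccessLog holds the minimum fields the standard lists for interface access
// logs. JSON field names and the optional detail field are assumptions.
type AccessLog struct {
	TxnSerial   string `json:"txn_serial"`              // transaction serial number
	AppID       string `json:"app_id"`                  // application unique identifier
	APIID       string `json:"api_id"`                  // interface unique identifier
	CallTime    string `json:"call_time"`               // wall-clock call time, RFC 3339
	Timestamp   int64  `json:"timestamp"`               // unix seconds, for ordering and correlation
	Result      string `json:"result"`                  // "success" or "failure"
	PaymentAcct string `json:"payment_acct,omitempty"`  // partially masked, only when reconciliation needs it
	Detail      string `json:"detail,omitempty"`        // free text, scrubbed before storage
}

// MaskPAN keeps the first six and last four digits, which is enough for
// reconciliation, and masks everything in between (assumed masking rule).
func MaskPAN(pan string) string {
	if len(pan) <= 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// luhnValid tells a card number apart from other digit runs such as serials.
func luhnValid(s string) bool {
	sum := 0
	double := false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

var panPattern = regexp.MustCompile(`\b[0-9]{13,19}\b`)

// ScrubPANs masks every Luhn-valid card-number-like run in free text.
func ScrubPANs(text string) string {
	return panPattern.ReplaceAllStringFunc(text, func(m string) string {
		if luhnValid(m) {
			return MaskPAN(m)
		}
		return m
	})
}

// NewAccessLog builds a record, refusing one that lacks the identifiers needed
// for correlation and masking the payment account before it is stored.
func NewAccessLog(serial, appID, apiID string, at time.Time, ok bool, paymentAcct, detail string) (AccessLog, error) {
	if serial == "" || appID == "" || apiID == "" {
		return AccessLog{}, errors.New("transaction serial, application id and interface id are mandatory")
	}
	result := "failure"
	if ok {
		result = "success"
	}
	entry := AccessLog{
		TxnSerial: serial, AppID: appID, APIID: apiID,
		CallTime: at.Format(time.RFC3339), Timestamp: at.Unix(),
		Result: result, Detail: ScrubPANs(detail),
	}
	if paymentAcct != "" {
		entry.PaymentAcct = MaskPAN(paymentAcct)
	}
	return entry, nil
}

// JSON renders the record as one log line.
func (e AccessLog) JSON() (string, error) {
	b, err := json.Marshal(e)
	return string(b), err
}

func main() {
	// constructed sample: the Visa test number 4111111111111111 is Luhn valid
	entry, err := NewAccessLog("TXN20200213000001", "APP-EXAMPLE-0001", "API-PAY",
		time.Now(), false, "4111111111111111", "card 4111111111111111 declined")
	if err != nil {
		panic(err)
	}
	line, _ := entry.JSON()
	fmt.Println(line) // the raw card number appears nowhere in the output
}
```

The Luhn filter keeps transaction serials and timestamps intact while catching card numbers; where serials are themselves Luhn-valid digit strings, the scrub should be applied per field rather than to the whole line.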
7.3.4 Key Management

Key management security requirements are as follows:

——Encryption and signature should be assigned different keys, kept separate from each other.
——The private key, in plaintext or in ciphertext, should not be hard-coded (even in encoded form) in the commercial bank application code. App_Secret or private keys should not be stored in the local configuration files of the commercial bank or of the application party, to prevent key leakage through code leakage.
——Different key validity periods should be set according to the commercial bank application interface level, and keys should be updated regularly.
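A small key registry as an added example (not from the standard or from any bank's implementation) of the three rules above: key material is referenced only by a handle and read from the environment or a KMS at the moment of use, never from code or configuration files; the same material cannot be registered for both signing and encryption; and each key's validity is capped by its interface level, with a check for keys due for rotation. The level name A2 appears in the standard; A1 as a lower level, the validity limits, and all type and function names (Registry, KeyRecord, Material, DueForRotation) are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"time"
)

// Purpose keeps signing keys and encryption keys apart.
type Purpose string

const (
	PurposeSign    Purpose = "sign"
	PurposeEncrypt Purpose = "encrypt"
)

// Level is the interface security level. A2 is the standard's; A1 and the
// validity limits are assumptions of this example.
type Level string

var maxValidity = map[Level]time.Duration{
	"A1": 365 * 24 * time.Hour,
	"A2": 90 * 24 * time.Hour,
}

// KeyRecord describes a key without holding its material. Handle names the
// environment variable (or KMS/HSM reference) from which the material is read.
type KeyRecord struct {
	ID        string
	Purpose   Purpose
	Level     Level
	NotBefore time.Time
	NotAfter  time.Time
	Handle    string
}

type Registry struct{ keys map[string]KeyRecord }

func NewRegistry() *Registry { return &Registry{keys: map[string]KeyRecord{}} }

// Register rejects key material shared between purposes and validity periods
// longer than the interface level allows.
func (r *Registry) Register(k KeyRecord) error {
	if k.Purpose != PurposeSign && k.Purpose != PurposeEncrypt {
		return fmt.Errorf("key %s: unknown purpose %q", k.ID, k.Purpose)
	}
	limit, ok := maxValidity[k.Level]
	if !ok {
		return fmt.Errorf("key %s: unknown interface level %q", k.ID, k.Level)
	}
	if k.NotAfter.Sub(k.NotBefore) > limit {
		return fmt.Errorf("key %s: validity exceeds the %s allowed for level %s", k.ID, limit, k.Level)
	}
	for _, other := range r.keys {
		if other.Handle == k.Handle && other.Purpose != k.Purpose {
			return fmt.Errorf("key %s: material %q is already used for %s", k.ID, k.Handle, other.Purpose)
		}
	}
	r.keys[k.ID] = k
	return nil
}

// Active returns the key valid for a purpose at time now, preferring the one
// that expires last so that an overlapping successor is picked up automatically.
func (r *Registry) Active(p Purpose, now time.Time) (KeyRecord, error) {
	var best KeyRecord
	found := false
	for _, k := range r.keys {
		if k.Purpose != p || now.Before(k.NotBefore) || !now.Before(k.NotAfter) {
			continue
		}
		if !found || k.NotAfter.After(best.NotAfter) {
			best, found = k, true
		}
	}
	if !found {
		return KeyRecord{}, fmt.Errorf("no valid %s key at %s: rotation overdue", p, now.Format(time.RFC3339))
	}
	return best, nil
}

// DueForRotation lists keys that expire within the given window (or already have).
func (r *Registry) DueForRotation(now time.Time, within time.Duration) []string {
	var ids []string
	for id, k := range r.keys {
		if k.NotAfter.Sub(now) <= within {
			ids = append(ids, id)
		}
	}
	return ids
}

// Material fetches key bytes through lookup (os.LookupEnv below, a KMS client
// in production). Nothing is ever read from a configuration file.
func (r *Registry) Material(id string, lookup func(string) (string, bool)) ([]byte, error) {
	k, ok := r.keys[id]
	if !ok {
		return nil, errors.New("unknown key id")
	}
	v, ok := lookup(k.Handle)
	if !ok || v == "" {
		return nil, fmt.Errorf("key %s: material not available from handle %q", id, k.Handle)
	}
	return []byte(v), nil
}

func main() {
	reg := NewRegistry()
	now := time.Now()
	_ = reg.Register(KeyRecord{ID: "sign-2020q1", Purpose: PurposeSign, Level: "A2",
		NotBefore: now, NotAfter: now.Add(90 * 24 * time.Hour), Handle: "BANK_API_SIGN_KEY"})
	if _, err := reg.Material("sign-2020q1", os.LookupEnv); err != nil {
		fmt.Println(err) // printed unless BANK_API_SIGN_KEY is exported in the environment
	}
}
```

Because the registry stores only handles, a leaked copy of the code or of its configuration discloses which keys exist but not their material, which is the failure mode the second rule above is written against.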
8 Secure deployment

Commercial banks and application parties should carry out the secure deployment of the commercial bank application interface following the network deployment logical structure diagram in Figure 2. Commercial banks and application parties should deploy network security protection measures with access control and intrusion prevention capabilities, such as firewalls, IDS/IPS and DDoS protection, at the Internet border.

Figure 2 Schematic diagram of commercial bank application program interface network deployment
(Figure not reproduced. Its labelled components, from the application end to the bank, are: the application end (mobile terminal and application server); the communication network (Internet/mobile Internet, with direct connection and indirect connection paths); the commercial bank application program interface service layer (network security protection measures, authentication, traffic control, monitoring and analysis, message exchange, service combination, API business processing transfer service); and, behind a further set of network security protection measures, the bank business layer (application bus, business systems 1 to 3, core internal system).)
Server side integration

The commercial bank application program interface service layer should deploy services such as flow control, monitoring and analysis, authentication and authorization, message exchange, and service combination; authentication and authorization, message exchange, and service combination may also be deployed in the bank business layer. Network security protection measures such as firewalls with the relevant access control and intrusion prevention capabilities should be deployed between the commercial bank application program interface service layer and the bank business layer. The application server should be deployed in a logically isolated area behind the application party's Internet access security protection equipment, and should access the application services related to the commercial bank application program interface through the Internet and mobile Internet. Commercial banks should deploy security control measures of the corresponding level in accordance with JR/T 0071. The application party's deployment of security control measures related to the commercial bank application program interface should comply with the security requirements of the national network security level protection standards or higher.