What are the cryptography requirements of Classified Protection 2.0 (MLPS 2.0)? What are the legal bases?
2022-06-28 04:08:00 【Xingyun housekeeper】
Classified Protection 2.0 (等保 2.0, also known as MLPS 2.0) sets explicit requirements for cryptography. Cryptographic technology appears mainly in the Level 3 and Level 4 security requirements, and mainly concerns the secure communication network, the secure computing environment, security operation and maintenance management, and so on. So what does Classified Protection 2.0 specifically require of cryptography, and what is the legal basis?
What are the cryptography requirements of Classified Protection 2.0?
1. Authenticity
Before communicating, both parties to the communication shall be verified or authenticated using cryptographic technology;
Users shall be identified with a combination of two or more authentication techniques, such as passwords, cryptographic technology and biometrics, and at least one of these techniques shall be implemented using cryptographic technology.
2. Confidentiality
Cryptographic technology shall be used to ensure the confidentiality of data during communication;
Cryptographic technology shall be used to ensure the confidentiality of important data during transmission, including but not limited to identification data, important business data and important personal information;
Cryptographic technology shall be used to ensure the confidentiality of important data in storage, including but not limited to identification data, important business data and important personal information.
3. Integrity
Verification technology or cryptographic technology shall be used to ensure the integrity of data during communication;
Cryptographic technology shall be used to ensure the integrity of important data during transmission, including but not limited to identification data, important business data, important audit data, important configuration data, important video data and important personal information;
Cryptographic technology shall be used to ensure the integrity of important data in storage, including but not limited to identification data, important business data, important audit data, important configuration data, important video data and important personal information.
4. Non-repudiation
In applications that may involve the determination of legal liability, cryptographic technology shall be used to provide evidence of data origin and evidence of data receipt, achieving non-repudiation of both the act of originating data and the act of receiving it.
5. Cryptography management requirements
Ensure that the procurement and use of cryptographic products and services meet the requirements of the national cryptography administration authority;
Security testing shall be carried out before going online and a security test report issued; the report shall cover testing of the security of cryptography applications;
Cryptography management shall comply with the relevant national and industry standards for cryptography;
Cryptography management shall use cryptographic technology and products certified and approved by the competent national cryptography administration department.
6. Problems that cryptographic technology can effectively solve
① Trusted verification:
Based on a root of trust, trusted verification can be performed on the system boot program, system programs, important configuration parameters and boundary protection applications; dynamic trusted verification is performed at every execution stage of the application; an alarm is raised when damage to trustworthiness is detected; audit records of the verification results are sent to the security management center; and dynamic correlation awareness is carried out;
A trusted verification mechanism shall be used to perform trusted verification on devices connecting to the network, ensuring that the devices connected to the network are authentic;
② Remote management: for remote management, the necessary measures shall be taken to prevent identification information from being eavesdropped on during network transmission;
③ Centralized management: it should be possible to establish a secure information transmission path for managing the security devices or security components in the network.
What is the legal basis for the cryptography requirements of Classified Protection 2.0?
1. Cybersecurity Law
Article 10 of the General Provisions of the "Cybersecurity Law" specifies: "maintain the integrity, confidentiality and availability of network data".
Article 21 states: "The State implements the cybersecurity classified protection system, protects the network from interference, sabotage or unauthorized access, and prevents network data from being leaked, stolen or tampered with; data classification, backup of important data, encryption and other measures are required". These needs can be met by using cryptographic technology correctly and effectively: encrypting data with cryptographic technology can prevent data leakage, and using the integrity functions of cryptographic technology can prevent attackers from tampering with data.
2. Cryptography Law
Article 8 of the "Cryptography Law" states: "Citizens, legal persons and other organizations may use commercial cryptography in accordance with the law to protect network and information security".
Article 27: "Where laws, administrative regulations and relevant national provisions require that critical information infrastructure be protected with commercial cryptography, its operators shall use commercial cryptography for protection and carry out security assessments of commercial cryptography applications, either themselves or by entrusting a commercial cryptography testing agency. The security assessment of commercial cryptography applications shall be coordinated with the security testing and assessment of critical information infrastructure and with the cybersecurity classified protection evaluation system, avoiding duplicate assessments and evaluations". The law also establishes a cryptography system with domestic cryptography at its core: 1) the State establishes and improves the standards system for commercial cryptography; 2) the construction of a commercial cryptography testing and certification system is promoted; 3) commercial cryptographic products are tested and certified; 4) critical information infrastructure is subject to security assessment of its commercial cryptography applications by commercial cryptography testing agencies; 5) commercial cryptography technology is used to provide e-government electronic authentication services.
3. Administrative Measures for Classified Protection of Information Security
Article 34: The national cryptography administration department shall apply classified and graded management to cryptography used in the classified protection of information security. The classified protection criteria for cryptography are determined according to the role and importance of the protected object in national security, social stability and economic construction, the security protection requirements and degree of confidentiality of the protected object, the degree of harm caused if the protected object is damaged, and the nature of the department using the cryptography.
Operators and users of information systems that adopt cryptography for classified protection shall comply with the "Administrative Measures for Cryptography in Classified Protection of Information Security", the "Technical Requirements for Commercial Cryptography in Classified Protection of Information Security", and other cryptography management regulations and relevant standards.
Article 35: The allocation, use and management of cryptography in the classified protection of information systems shall strictly follow the relevant national provisions on cryptography management.