1. “Password” and “Passphrase”
In real life, the term “password” refers to things like the startup “password” for devices, WeChat “passwords”, and bank card payment “passwords”. These “passwords” are actually passphrases. A passphrase is merely a “pass” to access personal computers, mobile phones, email accounts, or personal bank accounts; it is a simple, basic method of identity authentication. These passphrases differ from the “passwords” defined in the draft of the Password Law. The real “passwords” are hidden within secure payment devices and network systems, quietly guarding the security of national secret information and our personal information.
In the Password Law, the term “password” refers to products, technologies, and services that encrypt and protect information using specific transformation methods for secure authentication. The Password Law consists of five chapters and forty-four articles, categorizing passwords into core passwords, ordinary passwords, and commercial passwords for management. Core passwords and ordinary passwords are used to protect national secret information, with core passwords safeguarding the highest level of confidentiality, and ordinary passwords protecting information at the secret level. Both core and ordinary passwords are classified as national secrets. The password management department implements strict and unified management of core and ordinary passwords according to this law and relevant laws, regulations, and national provisions. Commercial passwords are used to protect information that is not classified as national secrets. Citizens, legal persons, and other organizations may use commercial passwords to protect network and information security according to the law.
1
2. Commercial Passwords
China’s independently developed and controllable commercial password algorithms mainly include: ZUC, SM2, SM3, SM4, and SM9, covering symmetric passwords such as stream ciphers and block ciphers, asymmetric passwords like elliptic curve cryptography, and cryptographic hash algorithms. These algorithms can provide a solid and reliable foundation for various industry applications that require password technology.
1. Symmetric Password Algorithms
The stream cipher ZUC (Zu Chongzhi) algorithm and the block cipher (SM4) algorithm are both symmetric password algorithms, meaning that both the encryption and decryption parties use the same key for encryption and decryption, thus providing confidentiality guarantees.
The ZUC algorithm is primarily used in the communication field. In September 2011, China’s ZUC-based encryption algorithm 128-EEA3 and integrity protection algorithm 128-EIA3 became part of the international standard for 4G mobile communication algorithms, alongside the US AES and Europe’s SNOW 3G.
The SM4 algorithm was initially released as a dedicated password algorithm for China’s self-developed wireless LAN security standard WAPI, later becoming a national industry standard for block cipher algorithms. Since SM4 was initially used in wireless LAN chips under the WAPI protocol, over 350 models of WAPI wireless LAN chips supporting the SM4 algorithm have been released, with a total global shipment exceeding 7 billion units. In the financial sector, the shipment of smart password keys supporting the SM4 algorithm has exceeded 150 million units.
2. Asymmetric Password Algorithms
Asymmetric password algorithms, also known as public key cryptography, include two main purposes: public key encryption and private key signing (i.e., digital signatures, which provide authenticity and non-repudiation guarantees). This breaks the limitation of symmetric password algorithms requiring the same key for encryption and decryption. In asymmetric algorithms, different keys are used for encryption and decryption. The encryption key is made public and is called the public key, while the decryption key is kept secret and is called the private key. The public and private keys are closely related; the public key can be derived from the private key, but deriving the private key from the public key is computationally infeasible. The SM2 algorithm (elliptic curve public key cryptography) and the SM9 algorithm (identity-based cryptography) are public key algorithms among the commercial password standards issued in China, while common foreign public key algorithms include RSA and ECDSA.
The digital signature technology based on the SM2 algorithm has been widely applied in China’s electronic certification field. The SM2 algorithm was adopted by the International Organization for Standardization (ISO) in 2017, becoming part of the international standard ISO/IEC 14888-3. The SM9 algorithm uses user identifiers (like email addresses, mobile numbers, QQ numbers, etc.) as public keys, eliminating the need for digital certificates, certificate repositories, or key stores, simplifying the process of exchanging digital certificates and public keys, making security systems easier to deploy and manage, and is very suitable for end-to-end offline secure communication, cloud data encryption, attribute-based encryption, and policy-based encryption scenarios. Together with the SM2 algorithm, the SM9 digital signature algorithm was also adopted by ISO in 2017, becoming part of the international standard ISO/IEC 14888-3.
3. Cryptographic Hash Algorithms
Cryptographic hash algorithms, also known as hash functions, convert an input string of arbitrary length into a fixed-length output string. The cryptographic hash algorithm in China’s commercial password standards is the SM3 algorithm, which became an international standard in October 2018. The output length of the SM3 algorithm is fixed at 256 bits, while the input length is theoretically unlimited. In practice, based on padding specifications, the input length cannot exceed 264 bits. Using only the SM3 algorithm cannot provide integrity protection, but it needs to be used with a key, i.e., a keyed hash algorithm (HMAC): using a hash algorithm, a key and a message are input to generate a message digest as output. HMAC can be used for data integrity verification, checking whether data has been altered without authorization; it can also be used for message authentication, ensuring the legitimacy of the message source.
The SM3 algorithm is widely applied. For example, in the smart grid sector, nearly 1 billion users are using smart meters that employ the SM3 algorithm, all operating safely and stably. In the financial system, approximately 700 million bank magnetic stripe cards have been upgraded to password chip cards, with a total of 77.26 million dynamic tokens issued, all of which use the SM3 algorithm.
2
3. Passwords in Level Protection
We see that there are many password-related requirements in level protection. The GB/T 22239-2019 “Information Security Technology Basic Requirements for Network Security Level Protection” outlines the following password-related requirements:
1. Authenticity
Before communication, parties should be verified or authenticated based on password technology; user identity verification should use two or more combination authentication technologies, including passwords, passphrases, and biometrics, with at least one authentication technology using password technology.
2. Confidentiality
Password technology should be used to ensure the confidentiality of data during communication. Password technology should ensure the confidentiality of important data during transmission, including but not limited to authentication data, important business data, and important personal information; it should also ensure the confidentiality of important data during storage.
3. Integrity
Password technology or verification technology should be employed to ensure data integrity during communication; it should also ensure the integrity of important data during transmission and storage, including but not limited to authentication data, important business data, important audit data, important configuration data, important video data, and important personal information.
4. Non-repudiation
In applications that may involve legal liability, password technology should provide original evidence and data receipt evidence to achieve non-repudiation for data origination and data receipt.
5. Password Management Requirements
Ensure that the procurement and use of password products and services comply with the requirements of the national password management authority. Conduct security testing before going live and provide a security testing report, which should include content related to the security testing of password applications. Password management should adhere to national standards and industry standards related to passwords; it should use password technologies and products certified and approved by the national password management authority.
6. Problems That Can Be Effectively Solved Using Password Technology
Trusted verification: Trusted verification can be performed on system boot programs, system programs, important configuration parameters, and boundary protection applications based on trusted roots, with dynamic trusted verification at all execution stages of applications. If the integrity is found to be compromised, alarms should be triggered, and the verification results should be recorded and sent to the security management center for dynamic correlation awareness; a trusted verification mechanism should be used to verify devices accessing the network, ensuring the authenticity of devices connecting to the network.
Remote management: When conducting remote management, necessary measures should be taken to prevent authentication information from being intercepted during network transmission.
Centralized management: A secure information transmission path should be established to manage security devices or components in the network.
3
4. Conclusion
Today, the application of password technology in protecting information security is becoming increasingly widespread, promoting the vigorous development of new technology industries such as cloud computing, big data, artificial intelligence, blockchain, mobile internet, and the Internet of Things. With the promulgation and implementation of the “Cryptography Law of the People’s Republic of China” and the implementation of the level protection system, it is believed that China’s digital economy will continue to develop at a high quality.
4
-END-
Source: National Engineering Research Center for Information Security