Interpretation and Compliance Suggestions for Basic Hardware and Identity Management

1. Background and Basis

Basic hardware, as the lowest layer of the security system framework, is fundamental to ensuring the overall system security. Due to the similarity with traditional IT system security requirements, the “Security Norms” follow the national standard “Basic Requirements for Cybersecurity Level Protection” GB/T 22239-2019, considering the relevant requirements of existing financial industry standards that can be directly applied or modified, forming security requirements for basic hardware.

2. Core Elements

The core elements of physical security include site, hardware devices, node deployment, and hardware encryption devices. The core elements of network security include network architecture and communication transmission.

3. Key Interpretation

In the financial sector, industry standards related to basic hardware security are relatively mature. In the “Security Norms”, in addition to meeting the requirements of existing standards, special attention needs to be paid to the security of hardware encryption devices. This is because on the server side, it undertakes functions such as verifying incoming communications, hashing data on the distributed ledger, encrypting/decrypting data in communication channels, encrypting and decrypting the data on the distributed ledger itself, and protecting communication channels; on the client side, it is necessary to protect private keys (or other credentials) to prevent impersonation. Clause 6.2.4 states that “the encryption devices used on the server side must comply with the requirements of GM/T 0045-2016 issued by the national cryptography management department,” and on the client side, “the personal cryptographic devices used (such as Ukey, encryption cards, mobile terminals with SE or TEE, etc.) must comply with the requirements of the industry regulatory authorities and the national cryptography management department.”

It should be noted that Clause 6.2.3 on node deployment security (site security) forms a complete security requirement for nodes together with Clauses 9, 16, and 17.

4. Compliance Suggestions

The implementation difficulty of the basic hardware part of financial distributed ledger identity management lies in the requirements for hardware encryption devices. As a recommended industry standard, institutions engaged in the construction of financial distributed ledger systems should cooperate with the national information security standards and the requirements of the national cryptography management department to implement the deployment of basic hardware. The draft of the “Evaluation Indicators for the Application of Financial Distributed Ledger Technology” by the People’s Bank of China has been completed, which includes more specific indicator requirements that can be compared with compliance standards later. Additionally, attention should also be paid to the physical location and heterogeneity of the machine room and cloud deployment.

1. Background and Basis

Currently, issues such as illegal collection, leakage, and misuse of personal information are becoming increasingly serious. Especially in the financial industry, relevant institutions face severe challenges in protecting personal financial information. The source of personal information protection is the construction of identity management systems, and the emergence of distributed ledger technology poses new ideas for identity management, but how to correspond distributed ledger identities with users’ real identities is a significant challenge. The “Identity Management” section of the “Security Norms” fully considers the three elements of information security CIA (Confidentiality, Integrity, and Availability), follows the national standard “Personal Information Security Specification” GB/T 35273-2017 (which was upgraded to the 2020 version in March 2020), as well as relevant documents from the China Banking and Insurance Regulatory Commission and the People’s Bank of China.

2. Core Elements

These include identity definition, account management, credential lifecycle management, identity verification, node identification management, identity information security, and identity regulatory audit requirements.

3. Key Interpretation

The identity management section focuses on concepts related to the identity lifecycle, avoiding specifics tied to particular identity management solutions.

Firstly, it innovatively defines financial distributed ledger identity, accounts, credentials, and their corresponding relationships. By linking distributed ledger accounts with real identities, it ensures regulatory and auditing. Through the circulation of compliant credentials, it reduces the disclosure of personal information.

Clause 13.2 describes the definitions of identity, accounts, and credentials, using the expression method of identity credentials instead of the conventional CA certificate, breaking the limitations on implementation solutions and laying the foundation for the emergence and use of new identity management solutions in the future. “Identity refers to the collection of attributes related to natural persons and legal entities, and identity can be digitally identified (referred to as digital identity).” “An account is a collection of identity attributes,” “one identity can correspond to multiple accounts,” “each account should be associated with an identity identifier, i.e., an identity credential,” “an identity credential is a trusted electronic credential issued to the user by the verifier after identity verification, including but not limited to digital certificates and public-private key pairs.”

Secondly, it strengthens access control requirements. In the registration process, a lack of appropriate identity verification procedures can create greater vulnerabilities for the system. The “Security Norms” regulate the access security system of financial distributed ledger through Clause 13.3 “Identity Registration” and Clause 13.4 “Identity Verification.” Clause 13.4 particularly states: “For financial distributed ledger systems with privacy protection needs, anonymous identity authentication may be used, but it should follow the principle of ‘voluntary in front, real name behind’; using anonymous identifiers in front, while the back-end should be able to restore the real-name identity of the registered entity.”

Clause 13.5 “Account Management” allows for differentiated management of access permissions by pre-defining user levels (ordinary user accounts, administrator accounts, and other specific permissions). By pre-defining access control settings for common user levels, it reduces management complexity and enhances the robustness and security of financial distributed ledgers.

Thirdly, credential lifecycle management. Clause 13.6.1 states that “the management of credentials for financial distributed ledgers should include the entire process management of credential generation, storage, usage, revocation, and termination,” and “for the information, data format, and encryption/decryption rules contained in credentials required for different financial businesses, dedicated documentation should be prepared to explain them.” Combined with the definition of credentials in Clause 13.2, it provides possibilities for digital credential solutions beyond CA certificates (public-private key pairs), such as verifiable credentials in distributed identity.

Clause 13.6.4 clarifies that “credentials should be securely stored by both the user and the credential provider,” and requires an explanation of “the purpose, method, and location of persistent storage.” This ensures the security of personal information from a management perspective, and combined with technical means such as the data format and encryption rules of digital credentials, it ensures that credential information does not leak.

Clause 13.6.5 states that “the circulation of credentials should be initiated by the user, and access to credential information should be authorized by the user,” emphasizing that the user is the main body of identity information from both technical and management perspectives.

Fourthly, support for identity regulatory audits. Clause 13.11.1 stipulates that “in special circumstances, regulatory agencies do not need to obtain the authorization and consent of the information subject, including the following 11 items.”

Clause 13.11.2 stipulates that “secure audit functions should be provided for access and changes to identity, accounts, and credentials, with audit records including the date, time, user identification, data, and other audit-related information of access.”

4. Compliance Suggestions

The implementation difficulty of the identity management part of financial distributed ledgers lies in clarifying the concepts of identity, accounts, and credentials, as well as ensuring that identity management meets regulatory audit requirements. Institutions engaged in the construction of financial distributed ledger systems should design the correspondence between users’ real identities and ledger accounts, as well as the data content, structure, and encryption/decryption methods of credentials based on application scenarios, and carry out foundational work such as identity registration and review, predefined user levels, etc. At the same time, the design should fully consider compliance with the “Technical Specifications for Personal Financial Information Protection” JR/T 0171-2020 issued in February 2020, as well as documents from the People’s Bank of China and the China Banking and Insurance Regulatory Commission regarding personal financial information protection. Furthermore, the “Security Norms” leave room for innovation in identity management solutions, with distributed identity being one of the most discussed solutions currently, aiming to achieve user ownership, control, and management of their identity, ensuring the security, privacy protection, and non-repudiation of digital identities, and facilitating the secure circulation of trusted data. The focus of future research will be how to leverage the advantages of cryptographic technical solutions while meeting the stringent regulatory requirements of the financial sector.

In promoting the application of distributed ledgers, financial institutions face stricter requirements than other industries. The implementation of the “Security Norms” helps standardize the application of financial distributed ledgers and assists financial institutions in designing, deploying, and operating systems according to the security requirements specified by the standards, making it the most guiding “compliance manual” at this stage. It is recommended that enterprises and institutions engaged in the construction and service operation of distributed ledgers compare their existing or in-development products to confirm compliance and regulatory capability. Other parts of the series of standards for financial distributed ledger technology by the People’s Bank of China will be released successively, and a complete standard system will promote the sustainable development of financial distributed ledgers.