Interpretation of Basic Hardware and Identity Management

Introduction

The China Banknote Blockchain Technology Research Institute participated in the preparation of the “Security Specification for Financial Distributed Ledger Technology” (hereinafter referred to as the “Security Specification”). This article interprets Section 6 “Basic Hardware” and Section 13 “Identity Management” and provides compliance recommendations.


Lian Na

China Bank Credit Card Industry Development Co., Ltd.

Hangzhou Blockchain Technology Research Institute

Basic Hardware
01 Background and Basis for Writing
Basic hardware is the lowest layer of the security system framework and is the foundation for ensuring overall system security. Due to its similarity to the security requirements of traditional IT systems, the “Security Specification” adheres to the national standard “Basic Requirements for Cybersecurity Level Protection” GB/T 22239-2019, while considering the relevant requirements of current financial industry standards that can be directly applied or modified, forming security requirements for basic hardware.
02 Core Elements
The core elements of physical security are site, hardware devices, node deployment, and hardware encryption devices. The core elements of network security are network architecture and communication transmission.
03 Key Interpretation

In the financial sector, industry standards related to basic hardware security are relatively mature. In the “Security Specification”, in addition to meeting the requirements of existing standards, special attention needs to be paid to the security of hardware encryption devices. This is because, on the server side, these devices verify incoming communications, hash data on the distributed ledger, encrypt and decrypt data on communication channels and on the distributed ledger itself, and protect communication channels, while on the client side they must protect private keys (or other credentials) to prevent impersonation. Article 6.2.4 stipulates that the “encryption machine used on the server side must comply with the requirements of GM/T 0045-2016 issued by the National Cryptography Administration”, and on the client side, “the personal encryption devices used (such as Ukey, encryption cards, mobile terminals with SE or TEE, etc.) must comply with the requirements of the industry authorities and the National Cryptography Administration”.

It should be noted that Article 6.2.3 on node deployment security (site security) and Sections 9, 16, and 17 constitute the complete security requirements for nodes.

04 Compliance Recommendations

The main implementation difficulty in the basic hardware part of the financial distributed ledger lies in the requirements for hardware encryption devices. Because the “Security Specification” is a recommended industry standard, institutions engaged in the construction of financial distributed ledger systems should deploy basic hardware in conjunction with the national standards for information security and the requirements of the National Cryptography Administration. The People’s Bank of China has completed the draft of the “Evaluation Index for the Application of Financial Distributed Ledger Technology”, which includes more specific indicator requirements for future comparison with compliance standards. In addition, attention should also be paid to the physical location and heterogeneity of the machine room and cloud deployment.

Identity Management
01 Background and Basis for Writing

Currently, illegal collection, leakage, and abuse of personal information are becoming increasingly serious security issues. In the financial industry especially, the protection of personal financial information by relevant institutions faces severe challenges. Personal information protection starts with the construction of identity management systems. The emergence of distributed ledger technology presents new ideas for identity management, but how to map a distributed ledger identity to the user’s real identity is a significant challenge. The “Identity Management” section of the “Security Specification” fully considers the three elements of information security, CIA (Confidentiality, Integrity, and Availability), and adheres to the national standard “Information Security Technology – Personal Information Security Specification” GB/T 35273-2017 (upgraded to the 2020 version in March 2020), as well as relevant documents from the CBIRC and the People’s Bank of China.

02 Core Elements

The core elements include identity definition, account management, credential lifecycle management, identity verification, node identification management, identity information security, and identity regulatory audit requirements.

03 Key Interpretation

The identity management section focuses on concepts related to the identity lifecycle, avoiding specifics related to particular identity management solutions.

First, it defines financial distributed ledger identity, accounts, credentials, and their corresponding relationships. By linking distributed ledger accounts with real identities, it ensures regulation and auditing. Through the circulation of compliant credentials, it reduces the disclosure of personal information.

In Article 13.2 “Identity Definition”, definitions of identity, accounts, and credentials and their relationships are described. The method of expressing identity credentials replaces the conventional CA certificate, breaking the limitations on implementation solutions and laying the foundation for the emergence and use of new identity management solutions in the future. “Identity refers to the collection of attributes related to natural persons and legal persons, which can be digitally identified (referred to as digital identification).” “An account is a collection of identity attributes,” “One identity can correspond to multiple accounts,” “Each account should be associated with an identity identifier, namely the identity credential,” “An identity credential is a trusted electronic credential issued to the user by the verifier after identity verification, including but not limited to digital certificates and public-private key pairs.”

Second, it strengthens access control requirements. During the registration process, the lack of appropriate identity verification procedures can create greater vulnerabilities for the system. The “Security Specification” regulates the access security system for financial distributed ledger through Article 13.3 “Identity Registration” and Article 13.4 “Identity Verification”. Article 13.4 particularly notes: “Financial distributed ledger systems with privacy protection needs may use anonymous identity authentication, but must adhere to the principle of ‘voluntary front-end, real-name back-end’, where the front end uses anonymous identifiers, and the back end must be able to restore the real-name identity of the registered entity.”

Article 13.5 “Account Management” allows for differentiated management of access permissions by pre-defining user levels (ordinary user accounts, administrator accounts, and other specific permissions). By pre-defining access control settings for common user levels, it reduces management complexity and enhances the robustness and security of the financial distributed ledger.

Third, credential lifecycle management. Article 13.6.1 states that “the credential management of financial distributed ledgers should include the management of the entire process of credential generation, storage, use, revocation, and termination”, “Documentation should be prepared to explain the information, data format, and encryption and decryption rules contained in the credentials required for different financial services.” Combined with the definition of credentials in Article 13.2, it provides possibilities for digital credential solutions beyond CA certificates (public-private key pairs), such as verifiable credentials in distributed identity.

Article 13.6.4 clarifies that “credentials should be securely stored by both the user and the credential provider”, and requires clarification of “the purpose, method, and location of persistent storage”. This ensures the security of personal information from a management perspective, combining technical means such as data formats for digital credentials and encryption rules to ensure that credential information is not disclosed.

Article 13.6.5 proposes that “the circulation of credentials should be initiated by the user, and access to credential information should be authorized by the user”, emphasizing that the user is the subject of identity information from both a technical and management perspective.

Fourth, support for identity regulatory audits. Article 13.11.1 stipulates that “in special circumstances, regulatory agencies do not need to obtain the authorization and consent of the information subject, including the following 11 items”.

Article 13.11.2 stipulates that “security audit functions should be provided for access and changes to identities, accounts, and credentials, with audit records including the date, time, user identification, data, and other audit-related information”.
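A minimal sketch of the Article 13.4 principle (anonymous identifiers at the front end, real-name recovery at the back end) combined with the Article 13.11.2 audit record, added here as an illustration and not taken from the “Security Specification” or any implementation of it. The HMAC-based derivation, the `IdentityRegistry` class, its field names and the sample identities are all assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed demo key. Under Article 6.2.4 the server-side key would be held
# in a compliant hardware encryption device, not in source code.
BACKEND_KEY = b"constructed-demo-key"


class IdentityRegistry:
    """Back end linking anonymous ledger accounts to verified real identities."""

    def __init__(self, key: bytes):
        self._key = key
        self._accounts = {}   # anonymous_id -> real identity identifier
        self.audit_log = []   # one record per access or change

    def _audit(self, user: str, action: str, data: dict) -> None:
        # Fields follow Article 13.11.2: date, time, user identification, data.
        now = datetime.now(timezone.utc)
        self.audit_log.append({
            "date": now.date().isoformat(),
            "time": now.time().isoformat(timespec="seconds"),
            "user": user, "action": action, "data": data,
        })

    def register(self, real_id: str, account_label: str, registrar: str) -> str:
        # One identity may hold several accounts. A keyed hash gives each one
        # an identifier that cannot be linked to the others without the key.
        msg = b"\x00".join([real_id.encode(), account_label.encode()])
        anon_id = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]
        self._accounts[anon_id] = real_id
        self._audit(registrar, "register", {"anonymous_id": anon_id})
        return anon_id

    def restore(self, anon_id: str, requester: str, reason: str):
        # Real-name recovery is a back-end operation and is always audited,
        # including lookups of unknown identifiers.
        real_id = self._accounts.get(anon_id)
        self._audit(requester, "restore", {"anonymous_id": anon_id,
                    "reason": reason, "found": real_id is not None})
        return real_id


if __name__ == "__main__":
    reg = IdentityRegistry(BACKEND_KEY)
    acct = reg.register("ID-0001", "savings", "registrar-01")  # constructed
    print(acct, reg.restore(acct, "auditor-07", "regulatory audit"))
    print(reg.audit_log)
```

The audit records deliberately hold only the anonymous identifier, so the log itself does not disclose the real-name mapping.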

04 Compliance Recommendations

The implementation difficulty of the identity management part of the financial distributed ledger is clarifying the concepts of identity, accounts, and credentials, as well as ensuring that identity management meets regulatory audit requirements. Institutions engaged in the construction of financial distributed ledger systems should design and implement the correspondence between real user identities and ledger accounts, as well as the data content, structure, and encryption/decryption methods of credentials based on application scenarios, and ensure proper identity registration and review, and pre-defined user levels. At the same time, the design should fully consider compliance with the “Technical Specification for Personal Financial Information Protection” JR/T 0171-2020 issued in February 2020, as well as documents from the People’s Bank of China and the CBIRC regarding personal financial information protection. In addition, the “Security Specification” leaves room for innovation in identity management solutions. Distributed identity, as one of the most discussed solutions, aims to enable users to own, control, and manage their identities, achieve security, privacy protection, and non-repudiation of digital identities, and ensure the secure flow of trusted data. How to leverage its advantages while meeting stringent financial regulatory requirements will be a key focus of future research.

Conclusion

In promoting the application of distributed ledgers, financial institutions face stricter requirements than other industries. The implementation of the “Security Specification” helps standardize the application of financial distributed ledgers and assists financial institutions in designing, deploying, and operating systems according to the security requirements specified in the standards, making it the most instructive “compliance manual” at this stage. It is recommended that enterprises and institutions engaged in distributed ledger construction and service operations compare their existing or in-development products to confirm compliance and regulatory capability. Other parts of the People’s Bank of China’s series of specifications for financial distributed ledger technology will be released in succession, and a complete standard system will promote the sustainable development of financial distributed ledgers.


Source | Financial Electrification