Understanding Cybersecurity Level Protection and the Password Law

01

“Passwords” and “Passcodes”

The term “password” mentioned in real life, such as the boot “password”, WeChat “password”, and bank card payment “password”, actually refers to passcodes. A passcode is merely a “ticket” to access personal computers, mobile phones, email accounts, or personal bank accounts; it is a simple, basic means of identity authentication. These passcodes differ from the “passwords” in the draft of the Password Law. The real “passwords” are hidden within secure payment devices and network systems, silently protecting national secret information and the personal information security of each individual.

In the Password Law, passwords refer to products, technologies, and services that use specific transformation methods to encrypt and protect information and provide security authentication. The Password Law consists of five chapters and forty-four articles, categorizing passwords into core passwords, ordinary passwords, and commercial passwords for management. Among them, core passwords and ordinary passwords are used to protect national secret information, with core passwords protecting information classified as top secret and ordinary passwords protecting information classified as confidential. Core passwords and ordinary passwords are considered state secrets. The password management department implements strict and unified management of core passwords and ordinary passwords according to this law and relevant laws, administrative regulations, and national provisions. Commercial passwords are used to protect information that does not belong to state secrets. Citizens, legal persons, and other organizations may legally use commercial passwords to protect network and information security.

02

Commercial Passwords

The commercially available password algorithms independently developed in our country mainly include: ZUC, SM2, SM3, SM4, and SM9, among others. These password algorithms cover sequence passwords and block ciphers in symmetric encryption, as well as elliptic curve cryptography and hash algorithms in asymmetric encryption. Combining these can provide a solid and reliable foundation for various industry applications that require password technology support.

1. Symmetric Encryption Algorithms

The sequence password ZUC (Zu Chongzhi) algorithm and the block cipher (SM4) algorithm fall under symmetric encryption algorithms, which means that both the encryption and decryption parties use the same key for encryption and decryption, thereby ensuring confidentiality.

The ZUC algorithm is currently primarily used in the communications field. In September 2011, the encryption algorithm 128-EEA3 and the integrity protection algorithm 128-EIA3, based on the ZUC algorithm, became international standards for 4G mobile communication encryption algorithms, alongside the US AES and European SNOW 3G.

The SM4 algorithm was initially released as a dedicated encryption algorithm for our country’s autonomous wireless LAN security standard WAPI, later becoming the national industry standard for block cipher algorithms. Since the SM4 algorithm was initially used in wireless LAN chips for the WAPI protocol, over 350 models of WAPI wireless LAN chips supporting the SM4 algorithm have been produced, with a cumulative global shipment exceeding 7 billion units. In the financial sector, the shipment of smart password keys supporting the SM4 algorithm alone has exceeded 150 million units.

2. Asymmetric Encryption Algorithms

Asymmetric encryption algorithms, also known as public key cryptography, include two main uses: public key encryption and private key signing (i.e., digital signatures, which can provide authenticity and non-repudiation guarantees). This breaks the limitation of symmetric encryption algorithms, which require the same key for both encryption and decryption. In public key encryption algorithms, different keys are used for encryption and decryption. The encryption key is made public and is called the public key; the decryption key is kept secret and is called the private key. The public and private keys are closely related; the public key can be derived from the private key, but deriving the private key from the public key is computationally infeasible. The SM2 algorithm (elliptic curve public key cryptography) and the SM9 algorithm (identity-based cryptography) are public key cryptography standards issued in our country, while common foreign public key algorithms include RSA and ECDSA.

The digital signature technology based on the SM2 algorithm has been widely applied in our country’s electronic certification field. The SM2 algorithm was adopted by the International Organization for Standardization (ISO) in 2017, becoming part of the international standard ISO/IEC 14888-3. The SM9 algorithm uses the user’s identifier (such as email address, mobile number, QQ number, etc.) as the public key, eliminating the need for digital certificates, certificate repositories, or key stores, simplifying the process of exchanging digital certificates and public keys, making the security system easy to deploy and manage, and is very suitable for end-to-end offline secure communication, cloud data encryption, attribute-based encryption, and policy-based encryption in various scenarios. Like the SM2 algorithm, the SM9 digital signature algorithm was also adopted by ISO in 2017, becoming part of the international standard ISO/IEC 14888-3.

3. Hash Algorithms

Hash algorithms, also known as hash functions, are functions that convert an input string of arbitrary length into a fixed-length output string. The hash algorithm in our commercial password standards is the SM3 algorithm, which became an international standard in October 2018. The SM3 algorithm has a fixed output length of 256 bits, and the input length is theoretically unlimited. In practice, due to padding specifications, the input length cannot exceed 264 bits. Using only the SM3 algorithm cannot provide integrity protection; it must be used with a key, i.e., a keyed hash algorithm (HMAC): using the hash algorithm, a key and a message are input to generate a message digest as output. HMAC can be used for data integrity verification, checking whether data has been altered without authorization; it can also be used for message authentication, ensuring the legitimacy of the message source.

The SM3 algorithm has a wide range of applications. For example, in the smart grid sector, nearly 1 billion users are using smart meters based on the SM3 algorithm, which are operating securely and stably. In the financial system, approximately 700 million magnetic stripe bank cards have been updated to password chip cards, and a total of 77.26 million dynamic tokens have been issued, all of which use the SM3 algorithm.

03

Passwords in Level Protection

We see that there are many password-related requirements in level protection. The GB/T 22239-2019 “Basic Requirements for Cybersecurity Level Protection” includes the following password-related requirements:

1. Authenticity

Before communication, both parties should be verified or authenticated based on password technology; two or more combined identification technologies, including passcodes, password technology, and biometric technology, should be used for user identity verification, with at least one of the identification technologies implemented using password technology.

2. Confidentiality

Password technology should be used to ensure data confidentiality during communication. Password technology should ensure the confidentiality of important data during transmission, including but not limited to identification data, important business data, and important personal information; password technology should ensure the confidentiality of important data during storage, including but not limited to identification data, important business data, and important personal information.

3. Integrity

Password technology or verification technology should be used to ensure data integrity during communication; password technology should ensure the integrity of important data during transmission, including but not limited to identification data, important business data, important audit data, important configuration data, important video data, and important personal information; password technology should ensure the integrity of important data during storage, including but not limited to identification data, important business data, important audit data, important configuration data, important video data, and important personal information.

4. Non-repudiation

In applications that may involve legal responsibility, password technology should be used to provide original evidence of data and data receipt evidence, achieving non-repudiation of data origination and data receipt actions.

5. Password Management Requirements

Password products and services should be procured and used in accordance with the requirements of the national password management authority. Security testing should be conducted before going live, and a security testing report should be issued, which should include content related to the security testing of password applications. Password management should comply with national standards and industry standards related to passwords; password management should use password technologies and products certified and approved by the national password management authority.

6. Problems that Can Be Effectively Solved Using Password Technology

Trusted verification: Trusted verification can be performed based on a trusted root for system boot programs, system programs, important configuration parameters, and boundary protection applications, and dynamic trusted verification can be performed at all execution stages of the application. If its trustworthiness is compromised, it should issue an alarm and generate audit records to send to the security management center, enabling dynamic correlation awareness; trusted verification mechanisms should be used to verify devices connected to the network, ensuring that the devices accessing the network are genuine and trustworthy.

Remote management: When performing remote management, necessary measures should be taken to prevent authentication information from being intercepted during network transmission.

Centralized management: A secure information transmission path should be established to manage security devices or components in the network.

04

Conclusion

Today, the application of password technology in protecting information security is becoming increasingly widespread, promoting the vigorous development of new technology industries such as cloud computing, big data, artificial intelligence, blockchain, mobile internet, and the Internet of Things.With the promulgation and implementation of the “Cryptography Law of the People’s Republic of China” and the implementation of the level protection system, it is believed that our country’s digital economy will continue to develop in a high-quality manner.

Understanding Cybersecurity Level Protection and the Password Law

Leave a Comment