Let's open this article with a martial arts question:
If an ordinary person obtained the Heavenly Sword and the Dragon Slaying Sabre, could he “command the world, with none daring to disobey”?
I believe most Jin Yong fans would scoff: if you cannot practice the “Nine Yin Manual” and the “Wu Mu Legacy” hidden inside the Dragon Slaying Sabre and the Heavenly Sword, the blades themselves are merely “sharp tools”.
Next, a security question for users across the industry:
On what basis do you believe your cryptographic protection measures are adequate?
The vast majority of users will answer: because we have deployed an identity authentication system, a server cryptographic machine, an electronic signature system, a certificate management server, a security gateway…
Such an answer brings us back to the crux of the opening question: does owning a “sharp tool” make you strong (secure)? Obviously not. Without a scientific and effective cryptographic assurance system, relying on cryptographic devices fighting as “lone soldiers” makes it hard to get the most out of them.
However, this is easier said than done. Users who can list the cryptographic devices their organization has deployed as fluently as above are already a minority, and many more have no cryptographic protection measures at all. This is no exaggeration: a 2018 national survey by the administrative authority found that 75% of information systems at classified protection level 3 and above had no cryptographic protection. Among the few users with a cryptographic protection system, the actual level of protection was also worrying: in the first batch of 126 commercial cryptography application security assessment pilots in 2018-2019, 85% of the information systems using cryptographic protection had non-conformities, greatly diminishing the protective effect.
Beijing Digital Authentication Co., Ltd. (hereafter “Digital Authentication”) believes that in the current domestic market, cryptography is frequently “used too little”, “not used where it should be”, and “used indiscriminately without understanding”. These chaotic phenomena hold back cryptographic technology and keep it from delivering its intended effectiveness. Only by “using it fully and applying it scientifically”, and building a scientific and effective cryptographic protection system, can we help users go further on a steadier footing.
Using cryptography well
starts with taking cryptography seriously
In fact, the chaos in cryptographic applications stems from users not truly recognizing the value of cryptography. Many users question this: is building a cryptographic protection system really a “must” for industry and enterprise users? The answer is an unequivocal yes.
Cryptography is a national strategic asset, the “lifeline” and “lifeblood” of the security of the Party and the state. It is the fundamental core technology for securing cyberspace: it protects information in transit and at rest, prevents unauthorized disclosure and tampering, and provides essential support for identity authentication, authorization management and accountability in cyberspace.
For this reason, establishing a cryptographic protection system around the user's security needs, ensuring that cryptographic applications are compliant, correct and effective, is very important. Cryptography must not only be used, it must be used scientifically. Take the common case of medical record signatures in hospitals. When doctors need to sign a medical record, they often sign only the cover page rather than the complete contents of the record. On the surface this applies cryptographic signature technology, but in reality it cannot protect the non-repudiation or integrity of the entire medical record. A scientific and effective cryptographic protection system can solve exactly these problems.
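The medical-record example above, as an added demonstration that is not part of the original article: a signature over the cover page alone leaves every later page unprotected, while a signature over a canonical serialization of the whole record detects any change. HMAC-SHA256 with a constructed shared key stands in for the doctor's certificate-based digital signature so that the example runs with only the Python standard library; the record contents and the tampering are constructed sample data.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample medical record: several pages keyed by page name.
SAMPLE_RECORD = {
    "page1_cover": {"patient_id": "P-0001", "admitted": "2021-03-01", "ward": "cardiology"},
    "page2_diagnosis": {"diagnosis": "stable angina", "doctor": "Dr. Li"},
    "page3_orders": {"medication": "nitroglycerin 0.4mg", "dose_per_day": 1},
}

# Assumed signing key. HMAC-SHA256 with a shared key stands in for the doctor's
# asymmetric signature; a real system would use a certificate-bound private key.
SIGNING_KEY = b"constructed-example-key"


def canonical_bytes(obj) -> bytes:
    """Deterministic serialization: sorted keys, fixed separators, so the same
    content always hashes the same way regardless of dict ordering."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def sign(data: bytes, key: bytes = SIGNING_KEY) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(data: bytes, signature: str, key: bytes = SIGNING_KEY) -> bool:
    # Constant-time comparison avoids leaking how many signature bytes matched.
    return hmac.compare_digest(sign(data, key), signature)


def sign_cover_page_only(record: dict) -> str:
    """The flawed practice from the article: the signature covers only the cover page."""
    return sign(canonical_bytes(record["page1_cover"]))


def verify_cover_page_only(record: dict, signature: str) -> bool:
    return verify(canonical_bytes(record["page1_cover"]), signature)


def sign_whole_record(record: dict) -> str:
    """The sound practice: the signature covers every page as one canonical document."""
    return sign(canonical_bytes(record))


def verify_whole_record(record: dict, signature: str) -> bool:
    return verify(canonical_bytes(record), signature)


def tamper(record: dict) -> dict:
    """Constructed tampering: a medication dose on a later page is changed."""
    altered = copy.deepcopy(record)
    altered["page3_orders"]["dose_per_day"] = 10
    return altered


def demo() -> dict:
    """Sign the sample record both ways, tamper with page 3, and report what each scheme detects."""
    cover_sig = sign_cover_page_only(SAMPLE_RECORD)
    full_sig = sign_whole_record(SAMPLE_RECORD)
    altered = tamper(SAMPLE_RECORD)
    return {
        "cover_only_detects_tampering": not verify_cover_page_only(altered, cover_sig),
        "whole_record_detects_tampering": not verify_whole_record(altered, full_sig),
        "whole_record_accepts_original": verify_whole_record(SAMPLE_RECORD, full_sig),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The cover-page signature still verifies after page 3 has been altered, which is precisely why it offers neither integrity nor non-repudiation for the record as a whole. Note also that the whole-record scheme depends on the canonical serialization: if signer and verifier serialize differently, valid records fail to verify.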
The state has sent the same signal through policy. The “Commercial Cryptography Administration Regulations”, the “Regulations on Classified Protection of Cybersecurity (Draft for Comment)” and other relevant regulations clearly state that for non-classified critical information infrastructure, systems at classified protection level 3 and above, national government information systems and the like, protection using commercial cryptography has become a legal requirement.
“Three Synchronizations and One Evaluation”
gives the construction of a cryptographic protection system rules to follow
There are rules to follow in establishing a scientific and effective cryptographic protection system. The “Measures for the Administration of the Construction of National Government Informatization Projects” state: “The project construction unit shall implement the requirements of the relevant national laws, regulations and standards on cryptography management, synchronously plan, build and operate the cryptographic security system, and conduct regular evaluations.” In Digital Authentication's view, “three synchronizations and one evaluation” is the overall approach to building a cryptographic security system.
1. Synchronous planning: formulate a scientific and effective cryptographic scheme
Four things must be completed in the planning stage: clarify the protection objects, analyze the cryptographic application requirements, design the cryptographic application construction plan, and review that plan. The core output is a “cryptographic application construction plan” that fits the business needs and business characteristics.
For many users, meeting these requirements in the planning stage is not difficult for a new system; the difficulty lies in existing systems. Digital Authentication's suggestion here is to add a “gap analysis” step: analyze the system's existing protective measures and identify the residual risks and the cryptographic application requirements that need remediation.
Digital Authentication's pitfall guide: the biggest difficulty at this stage is integrating the cryptographic assurance system with the business system. Never discuss the construction of cryptographic applications in isolation from the business characteristics. Simply and crudely listing cryptographic products item by item against the assessment indicators may leave the plan unimplementable or result in duplicate construction.
2. Synchronous construction: put cryptographic protection measures fully in place
Once the plan is complete, the focus of the construction that follows falls on “realization”. At this stage it is necessary to compile a cryptographic application implementation plan, implement cryptographic technical measures and cryptographic management measures, and assess the security of the cryptographic application. The procurement of cryptographic products or services, the development of cryptographic functions and the integration of cryptographic applications that people often discuss are in fact the “realization of technical measures” of this stage, while the construction and revision of cryptographic management regimes, the establishment of cryptographic management organizations and staffing, and construction process management belong to the “realization of management measures” of this stage.
Digital Authentication's pitfall guide: the core of this stage is the realization of cryptographic technical and management measures. Remember that whether the cryptographic protection system has been built correctly is ultimately determined by the “cryptographic application security assessment”. The assessment must therefore be comprehensive, attentive to detail, and referenced to measurable standards.
3. Synchronous operation and regular evaluation: keep cryptographic protection effective
In the synchronous operation stage, users must implement operational management and control, focus on supervision and inspection, ensure that emergency response and safeguards are in place, and conduct cryptographic application security assessments regularly. The system's supervising authority carries out supervision and inspection of cryptographic application activities in accordance with the relevant national and industry requirements and standards; the assessment body regularly conducts commercial cryptography application security assessments to ensure that the information system's cryptographic measures meet the corresponding security requirements; and system operators must correctly implement operational management and control according to the division of responsibilities and the rules and regulations.
Digital Authentication's pitfall guide: correct operation of the cryptographic protection system directly determines the protective effect, and it requires full cooperation among the system operator, the regulator and the assessment body. Some users have a “pass the exam with full marks” mentality, feeling that once the regulator's inspection is passed, the cryptographic protection system can be shelved. This idea is not advisable: for the implementation of the cryptographic protection system, this stage is only the starting point.
Although the core idea of “Three Synchronizations and One Evaluation” is clear, it is still very difficult for users to build a high-quality cryptographic protection system. First, building a cryptographic system is highly specialized, and users have few cryptography professionals. Second, the cryptographic system must be deeply integrated with the business system, and the security requirements must be fully and accurately understood. Finally, in terms of compliance and stability, companies need more professional services to ensure that the cryptographic system meets regulatory requirements.
In view of this, Digital Authentication draws on the technical capabilities and experience in planning, building and operating cryptographic security systems that it has accumulated over the years to form a scientific methodology, providing users with full-lifecycle cryptographic security services. These services have already been adopted and recognized by many users.
How to set up a scientific and reasonable cryptographic protection system?
Digital Authentication's “methodology” is open!
Although the cryptographic applications of industry users and enterprise users differ, everyone shares the goal of building a scientific and reasonable cryptographic protection system, and some “methodology” content covers the common requirements and helps everyone reach that goal faster. “Clarifying the scope and protection objects, analyzing cryptographic application requirements and designing, and formulating the cryptographic application plan” are the core elements of Digital Authentication's methodology.
1. The first step is needs analysis, that is, identifying the information that needs to be protected. Clarify the scope of information protection by sorting out the flow of important data and information and the entities that carry them (physical security boundaries, computing environments).
This step may seem simple, but in fact it is very difficult. Take a hospital information system as an example. First, we must distinguish which information is public, which involves personal privacy and needs protection, which is medical data that must be transmitted, and so on; it can be divided into public information, general information and important information. Once the information has been sorted out, its flow direction and scope are also determined, and the corresponding protective measures can be formulated accordingly: information that only needs to be kept locally needs only terminal encryption; information transmitted across the network additionally needs transmission encryption; and information that must be transmitted over the WAN needs, in addition to transmission encryption, protection against interception and tampering.
Digital Authentication's practice at this stage is to conduct risk analysis from the four aspects of confidentiality, integrity, authenticity and non-repudiation, following the flow of important data to each node, thereby forming a comprehensive and detailed list of cryptographic requirements. For example, for a given piece of important information, analyze the threat source, the vulnerability and the degree of impact, confirm which type of risk exists, and finally determine in a targeted way whether confidentiality protection, integrity protection or authenticity protection is needed.
2. The second step is to design the cryptographic application scheme of the cryptographic protection system. Based on the requirements analysis from the previous step, design a cryptographic application construction plan that includes technical measures such as trusted identity, transmission security, storage security, computing environment protection and non-repudiation, together with security management measures, so as to meet GB/T 39786-2021 “Information security technology - Basic requirements for cryptography application in information systems”.
At this stage, users can refer to and draw on three main principles:
01 General principle
From the perspective of completeness of protection, carry out the top-level design of the platform's cryptographic application, clarify the requirements and expected goals of the cryptographic application, and align it with the platform's classified cybersecurity protection level.
02 Maturity principle
The commercial cryptographic products used in the plan are all mature products that have been sold and applied in the market for a long time, and all hold commercial cryptographic product certification approved by the cryptography administration authority.
03 Economy principle
In terms of function and performance, the design can be expanded quickly to meet the GB/T 39786 cryptographic application transformation plan, ensuring that the platform's investment in cryptographic transformation is reasonable and appropriately scaled, and that wasted funds and over-protection are avoided.
In the design process of the second step, digital certificate and key management, and self-evaluation of the cryptographic application scheme, are also very important. For self-evaluation in particular, users may wish to evaluate the designed cryptographic application scheme against the relevant requirements of GB/T 39786-2021 using the assessment mechanism of quantitative scoring plus high-risk determination: only when the score exceeds the threshold and there are no high-risk items can the cryptographic protection system be judged “basically compliant”. The benefit is that when users later undergo an actual assessment, having fully understood their strengths and weaknesses in advance, the assessment body's work goes more smoothly.
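A model of the “quantitative scoring plus high-risk determination” self-evaluation, as an added example that is not part of the original article and not the scoring rules of GB/T 39786-2021 itself. The indicator IDs, layers, weights, credit values, the 60-point threshold and the rule that a high-risk indicator counts as a high-risk item unless fully compliant are all assumptions constructed for illustration. What it shows is the veto the article describes: a score above the threshold still yields “non-compliant” while any high-risk item remains, and remediating that one item flips the verdict.

```python
from dataclasses import dataclass

# Assumed credit per evaluation result; "na" indicators are excluded from the denominator.
RESULT_CREDIT = {"compliant": 1.0, "partial": 0.5, "noncompliant": 0.0}


@dataclass(frozen=True)
class Indicator:
    """One assessment indicator (constructed model, not the standard's own indicator set)."""
    id: str
    layer: str              # physical / network / device / application / management
    weight: float           # assumed relative weight
    result: str             # compliant / partial / noncompliant / na
    high_risk: bool = False  # assumption: failing this indicator is a high-risk item


def evaluate(indicators, threshold=60.0):
    """Compute the weighted score, a per-layer breakdown, the high-risk items and the verdict."""
    applicable = []
    for ind in indicators:
        if ind.result == "na":
            continue
        if ind.result not in RESULT_CREDIT:
            raise ValueError(f"unknown result {ind.result!r} for indicator {ind.id}")
        applicable.append(ind)

    def pct(items):
        total = sum(i.weight for i in items)
        if not total:
            return 0.0
        earned = sum(i.weight * RESULT_CREDIT[i.result] for i in items)
        return round(100.0 * earned / total, 1)

    score = pct(applicable)
    per_layer = {layer: pct([i for i in applicable if i.layer == layer])
                 for layer in sorted({i.layer for i in applicable})}
    # Assumed rule: a high-risk indicator is a high-risk item unless it is fully compliant.
    high_risk_items = [i.id for i in applicable if i.high_risk and i.result != "compliant"]
    # Threshold comparison assumed inclusive; the veto applies regardless of score.
    verdict = "basically compliant" if score >= threshold and not high_risk_items else "non-compliant"
    return {"score": score, "per_layer": per_layer,
            "high_risk_items": high_risk_items, "verdict": verdict}


# Constructed sample self-evaluation of a hospital platform.
SAMPLE = [
    Indicator("PHY-1", "physical", 5, "compliant"),
    Indicator("NET-1", "network", 10, "compliant", high_risk=True),
    Indicator("NET-2", "network", 5, "partial"),
    Indicator("DEV-1", "device", 5, "na"),
    Indicator("APP-1", "application", 10, "compliant", high_risk=True),
    Indicator("APP-2", "application", 10, "noncompliant", high_risk=True),
    Indicator("APP-3", "application", 5, "partial"),
    Indicator("MGT-1", "management", 10, "compliant"),
    Indicator("MGT-2", "management", 5, "partial"),
]


def remediate(indicators, indicator_id):
    """Return a copy of the list with one indicator marked compliant (simulates fixing a finding)."""
    return [Indicator(i.id, i.layer, i.weight, "compliant", i.high_risk) if i.id == indicator_id else i
            for i in indicators]


if __name__ == "__main__":
    before = evaluate(SAMPLE)
    after = evaluate(remediate(SAMPLE, "APP-2"))
    print("before:", before["score"], before["high_risk_items"], before["verdict"])
    print("after: ", after["score"], after["high_risk_items"], after["verdict"])
```

The per-layer breakdown is what makes a self-evaluation useful before the formal assessment: in the sample the application layer scores only 50 even though the overall score clears the threshold, which points at where the remediation effort belongs.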
At the present critical stage in which cryptographic applications are moving toward standardization, Digital Authentication, as a cryptographic technology service provider with core capabilities, took the lead in drafting the top-level assessment standard GB/T 39786-2021 “Information security technology - Basic requirements for cryptography application in information systems” and has an in-depth understanding of cryptographic standards and compliant cryptographic applications. Going forward, Digital Authentication will continue to cultivate the industry through continuous innovation in concepts, technology and models, helping customers build correct, compliant and effective cryptographic protection systems and working with the industry to build a more secure and trustworthy cyberspace.