Discussion on the cost and risk of IC card application security

Understanding of the m1 problem

After the m1 issue came out, the government and the industry paid close attention to it. Are the existing systems safe? How should new systems be built? I have taken part in the security assessment of several IC card application systems. m1 (the Mifare Classic logic-encryption card) has made a great contribution to the promotion and application of IC cards: an estimated 2 billion are in use worldwide and hundreds of millions in China. So today I would like to discuss with you the cost and risk of IC card application security.

I think the definition of security levels is very important both for upgrading old systems and for building new ones. IC card application security is a concrete instance of information security, and we must have a correct understanding of it:

(1) Security is a system-level concept
(2) Security technology is relative
(3) Security has a cost
(4) Security technology develops and is dynamic
(5) Different applications have different security requirements

Therefore, only with a correct understanding of IC card application security can we judge which measures to take and make correct decisions about the security of an IC card application system.

IC card application classification

(1) Identification (about 45%)

Access control
Documents (ID card, e-passport, etc.)
parking lot

(2) Payment (about 35%)

Bus card, campus card, ETC fee

(3) Others (about 20%)

Anti-counterfeiting (object is an item)

IC card application security classification

At present there is no uniform classification of IC card application security, and different applications should have different security levels. A related question is whether a CPU card is necessary at all. Many factors should be considered here:

(1) Identification (consistency between the person and the document, time limit on verification)

Access control (different areas have different security levels)
Documents (different document holders have different security levels)
Parking lot (the importance of the vehicle and of the area determines the security level)

(2) Payment (single function or one-card multi-use, large or small payments, regional or national use, etc.; the security level should differ accordingly)

Bus card, campus card, ETC fee

(3) Other

Anti-counterfeiting (the value of the protected object, regional or national circulation, online or offline query)

Safety costs and risks

At the end of 2008, the State Council jointly issued a document requesting all industries to investigate the application security of IC cards and to identify and resolve problems promptly. The Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of Security, the State Secrets Bureau, the Ministry of Construction and the Ministry of Communications carried out comprehensive, systematic security inspections of IC card applications, with access control and card systems built on m1 technology in China as the focus. In fact this is not just a question of how much it costs. Many other issues have to be considered: the balance between cost and risk, the "wooden house versus bunker" trade-off, political cost and risk, economic cost and risk, and the cost of cloning or tampering with a card. And how is security controlled, to what extent, and who has the final say?

Security of existing systems

For China's major IC card application systems such as city cards, ETC and subway stored-value cards, and especially for systems using the m1 logic-encryption card, some experts recommend the following measures to limit the impact of these unsafe factors:

(1) Upload transaction data in real time, analyse and handle abnormal recharge data in real time, and push the blacklist to the terminal devices immediately;
(2) Expand the blacklist capacity of read/write terminals to more than 200,000 entries and update it incrementally in real time;
(3) Establish a GPRS-based wireless communication channel to ensure that data is delivered in real time;
(4) Strengthen chip manufacturers' control of the UID so that it cannot be changed after the chip leaves the factory (a card whose UID can be rewritten defeats a blacklist keyed on the UID alone);
(5) Strictly manage and control recharge machines, prohibiting any possible illegal data collection, and add signature verification of transaction data;
(6) Optimise the transaction flow and disable the write-back function.
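Measures (1), (2) and (5) fit together as one back-office loop: verify the signature on each uploaded record, reconcile the card-reported balance against the recharges the operator actually sold, and push the resulting blacklist increment, signed, to the terminals. The script below is an added example of that loop and is not code from the original article or from any operator's system. The record format, the keys, the ledger and the upload batch are all constructed for illustration; HMAC-SHA256 stands in for whatever SAM/HSM signature a real deployment uses.

```python
import hmac
import hashlib

# Hypothetical keys: the terminal upload key would normally live in the
# terminal's SAM, the server key in the back-office HSM.
TERMINAL_KEY = b"terminal-0001-upload-key"
SERVER_KEY = b"back-office-blacklist-key"

# Constructed back-office ledger: the total value the operator has actually
# sold (recharged) to each card UID. This, not the card, is the authority.
LEDGER_RECHARGES = {"04A1B2C3": 5000, "04D4E5F6": 2000, "04AABBCC": 1000}


def sign(key, payload):
    """HMAC-SHA256 tag over a text payload (stand-in for the SAM/HSM signature)."""
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def make_upload(ts, uid, amount, balance_after, counter, key=TERMINAL_KEY):
    """One signed debit record as a terminal would upload it.
    Fields: timestamp, card UID, debit amount, card-reported balance after
    the debit, card transaction counter."""
    payload = f"{ts},{uid},{amount},{balance_after},{counter}"
    return payload + "|" + sign(key, payload)


# Constructed upload batch from one terminal (amounts in cents).
UPLOAD = [
    make_upload(1, "04A1B2C3", 200, 4800, 1),
    make_upload(2, "04A1B2C3", 200, 4600, 2),
    make_upload(3, "04D4E5F6", 300, 1700, 1),
    make_upload(4, "04D4E5F6", 300, 9700, 2),   # 10000 on the card was never sold: tampered balance
    make_upload(5, "04AABBCC", 100, 900, 1),
    make_upload(6, "04AABBCC", 100, 900, 1),    # same counter and balance again: card state written back
    make_upload(7, "04AABBCC", 100, 800, 2, key=b"not-the-terminal-key"),  # forged record
]


def analyze(lines, ledger, terminal_key=TERMINAL_KEY):
    """Reconcile uploaded records against the ledger.

    A card is flagged when its reported balance exceeds what the ledger can
    explain (recharges sold minus debits seen) or when its transaction
    counter fails to advance (rollback / write-back). Records whose
    signature does not verify are rejected before any state is touched.
    """
    expected = dict(ledger)           # uid -> balance the back office expects
    last_counter = {}
    flagged = {}                      # uid -> list of reasons
    rejected = 0
    for line in lines:
        payload, _, tag = line.rpartition("|")
        if not hmac.compare_digest(sign(terminal_key, payload), tag):
            rejected += 1
            continue
        ts, uid, amount, balance, counter = payload.split(",")
        amount, balance, counter = int(amount), int(balance), int(counter)
        if uid not in expected:
            flagged.setdefault(uid, []).append(f"ts={ts}: UID never issued")
            continue
        if counter <= last_counter.get(uid, 0):
            flagged.setdefault(uid, []).append(f"ts={ts}: counter did not advance")
        last_counter[uid] = max(counter, last_counter.get(uid, 0))
        expected[uid] -= amount
        if balance > expected[uid]:
            flagged.setdefault(uid, []).append(
                f"ts={ts}: card reports {balance}, ledger explains at most {expected[uid]}")
    return {"flagged": flagged, "rejected": rejected}


def blacklist_increment(already_pushed, new_uids, server_key=SERVER_KEY):
    """Incremental blacklist update: only UIDs the terminals do not yet hold,
    signed so a terminal can reject a forged push."""
    delta = sorted(set(new_uids) - set(already_pushed))
    body = ";".join(delta)
    return body, sign(server_key, body)


def terminal_apply(local_blacklist, body, tag, server_key=SERVER_KEY):
    """Terminal side: verify the push, then merge it into the local blacklist."""
    if not hmac.compare_digest(sign(server_key, body), tag):
        return set(local_blacklist)          # drop an unsigned or forged update
    return set(local_blacklist) | {u for u in body.split(";") if u}


if __name__ == "__main__":
    result = analyze(UPLOAD, LEDGER_RECHARGES)
    for uid, reasons in sorted(result["flagged"].items()):
        print(uid, reasons)
    body, tag = blacklist_increment({"04D4E5F6"}, result["flagged"])
    print("push:", body, "terminal now holds:", terminal_apply({"04D4E5F6"}, body, tag))
```

Two of the constructed cards end up on the blacklist (one for a balance the ledger cannot explain, one for a counter that did not advance), and the forged record is dropped before it can influence either decision. Keying the reconciliation on the ledger rather than on the card is the point: a logic-encryption card whose keys are known cannot be trusted to report its own balance, so the back office has to recompute it.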

For IC card systems already in operation, CPU cards can be introduced gradually and the m1 logic-encryption cards replaced step by step, moving from unregistered to registered cards and from a fixed key system to a dynamic key system, so that the key-compromise risk of the logic-encryption card no longer affects the system.
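The "fixed key system to dynamic key system" step above is usually implemented by key diversification: the issuer keeps one master key in an HSM (and in the terminals' SAMs) and derives a different key for every card from that master key and the card's UID, so a key read out of one card opens only that card. The script below is an added example of that scheme and of why it matters, not code from the original article or from any real card issuer. The master key, application identifier, UIDs and the HMAC-SHA256 construction are assumptions for illustration; field deployments typically use AES-CMAC for the derivation and a mutual challenge/response, but the structure is the same.

```python
import hashlib
import hmac
import os

# Hypothetical issuer master key. In a deployed system it lives in the
# issuer HSM and in the terminal SAMs and never leaves them.
MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
APP_ID = b"CITYCARD-PAY"   # hypothetical application identifier


def diversify(master_key, uid, app_id=APP_ID, key_version=1):
    """Per-card key = MAC(master_key, uid | app_id | key_version), 16 bytes.
    HMAC-SHA256 truncated to 16 bytes stands in for the AES-CMAC derivation
    used in the field. key_version lets the issuer rotate keys later."""
    msg = uid + b"|" + app_id + b"|" + bytes([key_version])
    return hmac.new(master_key, msg, hashlib.sha256).digest()[:16]


def response(key, challenge):
    """Answer to a terminal challenge under a shared key (card-side computation)."""
    return hmac.new(key, b"card-auth" + challenge, hashlib.sha256).digest()[:8]


class Card:
    """A personalised card: holds only its own UID and its own key."""
    def __init__(self, uid, key):
        self.uid = uid
        self._key = key

    def answer(self, challenge):
        return response(self._key, challenge)


def issue(uid, master_key=MASTER_KEY):
    """Personalisation: the issuer writes the diversified key into the card."""
    return Card(uid, diversify(master_key, uid))


def authenticate(card, master_key=MASTER_KEY, rng=os.urandom, fixed_key=None):
    """Terminal-side challenge/response.

    With fixed_key=None the terminal re-derives the card's key from the UID it
    reads (dynamic key system). With fixed_key set, every card is expected to
    hold that one key (the fixed key system the text recommends moving away from).
    """
    key = fixed_key if fixed_key is not None else diversify(master_key, card.uid)
    challenge = rng(8)
    return hmac.compare_digest(card.answer(challenge), response(key, challenge))


def clone_demo(master_key=MASTER_KEY):
    """Attacker reads the key out of one card and loads it into a card with a
    different UID. Under a fixed key the clone passes; under diversified keys
    the terminal derives a different key for the clone's UID and rejects it."""
    victim_uid, clone_uid = b"\x04\xa1\xb2\xc3", b"\x04\xd4\xe5\xf6"
    fixed_victim = Card(victim_uid, master_key)          # fixed-key card holds the shared key
    fixed_clone = Card(clone_uid, fixed_victim._key)
    div_victim = issue(victim_uid, master_key)
    div_clone = Card(clone_uid, div_victim._key)
    return {
        "genuine_fixed": authenticate(fixed_victim, fixed_key=master_key),
        "clone_fixed": authenticate(fixed_clone, fixed_key=master_key),
        "genuine_diversified": authenticate(div_victim, master_key),
        "clone_diversified": authenticate(div_clone, master_key),
    }


if __name__ == "__main__":
    for name, ok in clone_demo().items():
        print(f"{name:20s} {'accepted' if ok else 'rejected'}")
```

The clone is accepted under the fixed-key scheme and rejected under diversification; the only thing that changed is that the terminal derives the expected key from the UID instead of using one shared secret. Note what diversification does not do: it offers no protection if the attacker can also rewrite the UID, which is why measure (4) above matters, and it does not replace the back-office reconciliation of balances.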

New system security

Here are three suggestions:

(1) Use m1 logic-encryption cards with caution, weigh card cost and system performance together, and encourage the use of smart CPU cards as the payment medium.
(2) The most thorough approach is to build a completely autonomous system (autonomous standard, autonomous algorithm, autonomous development).
(3) Follow the model of the "Information Security Level Protection Management Measures": consider all the factors that affect security, assess the security level of the IC card application, and use different technology at different security levels, so that cost and risk are truly balanced.

Looking forward to the government's introduction of regulations

I believe that, for IC card application security, after the investigation and analysis of the previous stage the competent national authorities should sum up the experience and issue a set of guiding documents similar to the "Information Security Level Protection Management Measures", covering management specifications, technical standards and so on. These documents are necessary to guide IC card application security. The five levels of the "Information Security Level Protection Management Measures" can serve as a reference:

"Information Security Level Protection Management Measures"

Article 7 The security protection level of information systems is divided into the following five levels:

At the first level, damage to the information system would harm the legitimate rights and interests of citizens, legal persons and other organisations, but would not harm national security, social order or the public interest.

At the second level, damage to the information system would seriously harm the legitimate rights and interests of citizens, legal persons and other organisations, or would harm social order and the public interest, but would not harm national security.

At the third level, damage to the information system would seriously harm social order and the public interest, or would harm national security.

At the fourth level, damage to the information system would particularly seriously harm social order and the public interest, or would seriously harm national security.

At the fifth level, damage to the information system would particularly seriously harm national security.
