Update points in the 2023 edition of the Quantitative Evaluation Rules for the Security Evaluation of Commercial Cryptography Applications

        The Quantitative Evaluation Rules for the Security Evaluation of Commercial Cryptography Applications (2023 edition) were released in July 2023 and take effect on 1 August 2023. Compared with the 2021 edition, the new edition changes the content in ten places: five minor adjustments (fine-tuning) and five substantive updates.

        Fine-tuning part (5 places)

1. Scope statement
   2021 edition: This document is applicable to guiding and standardizing the planning, construction, operation and evaluation of cryptographic applications in information systems.
   2023 edition: This document is applicable to standardizing the security evaluation of cryptographic applications in information systems, and to guiding the planning and construction of the related information systems.

2. Statement of principle
   2021 edition: Encourage the use of cryptographic technology; in particular, encourage the use of compliant cryptographic algorithms, technologies, products and services.
   2023 edition: Encourage the use of compliant cryptographic algorithms, technologies, products and services.

3. Definition of cryptographic algorithm/technology compliance
   2021 edition: Cryptographic algorithm/technology compliance refers to whether the cryptographic algorithms used in the information system comply with the provisions of laws and regulations and the relevant requirements of national and industry standards related to cryptography, and whether the cryptographic technology follows the national and industry standards related to cryptography or has been approved by the national cryptography administration.
   2023 edition: Cryptographic algorithm/technology compliance refers to whether the cryptographic algorithms used in the information system comply with the relevant requirements of laws, administrative regulations, relevant national provisions, and national and industry standards related to cryptography, and whether the cryptographic technology follows the national and industry standards related to cryptography or has passed the review and appraisal of the national cryptography administration.

4. Title of clause 5
   2021 edition: 5 Quantification rules
   2023 edition: 5 Quantitative evaluation rules

5. Title of clause 6
   2021 edition: 6 Overall conclusion judgment
   2023 edition: 6 Quantitative evaluation thresholds

        Update part (5 places)

1. Evaluation-object scores
   2021 edition: The score of an evaluation object takes one of the discrete values {0, 0.25, 0.5, 1}.
   2023 edition: The score of an evaluation object takes any value in the closed interval [0, 1]. A compensation rule is added: if evaluation object A makes up for a deficiency in evaluation object B, and A's score is PA while B's score before compensation is PB, then B's score after compensation is MAX(0.5 × PA, PB), i.e. the larger of 0.5 × PA and PB, rounded to 4 decimal places.

2. Cryptographic algorithm/technology compliance correction parameter Ra
   2021 edition: No Ra correction (equivalent to Ra = 1).
   2023 edition: The correction parameter Ra is added, with values in {0.2, 0.5, 1}:
   - security strength of the algorithm below 80 bits: Ra = 0.2;
   - security strength of at least 80 bits but below 112 bits: Ra = 0.5;
   - security strength of 112 bits or more: Ra = 1.

3. Key management security correction parameter Rk
   2021 edition: No Rk correction (equivalent to Rk = 1).
   2023 edition: The correction parameter Rk is added, with values in {1, 1.2, 1.5}:
   - level 1 and level 2 information systems: Rk = 1;
   - level 3 information systems: Rk = 1.2 when a level 1 cryptographic module is used and the requirements of GM/T 0115 clause 5.5 are met, otherwise Rk = 1;
   - level 4 information systems: Rk = 1.5 when a level 2 cryptographic module is used and the requirements of GM/T 0115 clause 5.5 are met, otherwise Rk = 1.

4. Aggregation of the overall result
   2021 edition: The quantitative evaluation result S is the weighted average of the evaluation results Si of all n security aspects (层面).
   2023 edition: The two parts, cryptographic application technical requirements and cryptographic application management requirements, are fixed (the technical score and the management score are affected independently).

5. Conclusion thresholds
   2021 edition: If the overall quantitative evaluation result S is 100 points, the information system under test is judged to conform to the requirements of the corresponding level of GB/T 39786-2021; under the intermediate condition (not reproduced on this page) it is judged to basically conform to the requirements of the corresponding level of GB/T 39786-2021; otherwise it is judged not to conform to the requirements of the corresponding level of GB/T 39786-2021.
   2023 edition: When this document is used for quantitative evaluation, the score threshold in GM/T 0115-2021 clause 9 "Evaluation conclusion" is 60 points.
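As an added worked example (not part of the original post and not code from the rules document), the following Python encodes the scoring rules exactly as the table above states them: the 2023 compensation formula with its 4-decimal rounding, the Ra lookup by security strength with its boundaries, the Rk lookup by system level and module level, and the 2021-style weighted average over per-aspect results. How Ra and Rk enter the unit and aspect scores is not given on this page, so the code derives the parameters but does not apply them. Two assumptions are made: "rounded to 4 decimal places" is read as round-half-up (四舍五入), and "uses a level N cryptographic module" is read as level N or higher. All inputs in the usage section are constructed, not taken from any real evaluation.

```python
from decimal import Decimal, ROUND_HALF_UP

# Added example; assumption: "rounded to 4 decimal places" means round-half-up.
FOUR_PLACES = Decimal("0.0001")


def _score(x):
    """Convert an evaluation-object score to Decimal and enforce the 2023 range [0, 1]."""
    d = Decimal(str(x))
    if not (Decimal(0) <= d <= Decimal(1)):
        raise ValueError(f"evaluation-object score {x} is outside [0, 1]")
    return d


def compensated_score(pa, pb):
    """2023 rule: when object A makes up for a deficiency in object B, B's score
    becomes MAX(0.5 x PA, PB) rounded to 4 decimal places.
    Consequence worth noticing: compensation alone can never lift B above 0.5."""
    pa, pb = _score(pa), _score(pb)
    result = max(Decimal("0.5") * pa, pb).quantize(FOUR_PLACES, rounding=ROUND_HALF_UP)
    return float(result)


def ra_for_strength(security_bits):
    """Algorithm/technology compliance correction parameter Ra (2023 edition).
    Boundaries as stated: below 80 bits -> 0.2; 80 up to but excluding 112 -> 0.5;
    112 or more -> 1."""
    if security_bits < 80:
        return 0.2
    if security_bits < 112:
        return 0.5
    return 1.0


def rk_for_system(system_level, module_level, meets_gmt0115_5_5):
    """Key management security correction parameter Rk (2023 edition).
    Assumption: 'uses a level N cryptographic module' is read as level N or
    higher; the page does not say whether a higher module level also qualifies."""
    if system_level in (1, 2):
        return 1.0
    if system_level == 3:
        return 1.2 if (module_level >= 1 and meets_gmt0115_5_5) else 1.0
    if system_level == 4:
        return 1.5 if (module_level >= 2 and meets_gmt0115_5_5) else 1.0
    raise ValueError(f"unknown information system level {system_level}")


def weighted_average(results):
    """2021 aggregation as stated: S is the weighted average of the per-aspect
    results. `results` is a list of (Si, weight_i) pairs."""
    total_weight = sum(w for _, w in results)
    if total_weight <= 0:
        raise ValueError("weights must sum to a positive value")
    return sum(s * w for s, w in results) / total_weight


if __name__ == "__main__":
    # Constructed inputs, not from any real evaluation.
    print(compensated_score("1", "0.25"))     # 0.5: a fully scored A lifts B only to 0.5
    print(compensated_score("1", "0.75"))     # 0.75: B keeps its own higher score
    print(compensated_score("0.3333", "0"))   # 0.1667: 0.16665 rounded half-up
    print(ra_for_strength(80), ra_for_strength(112))              # 0.5 1.0
    print(rk_for_system(3, 2, True), rk_for_system(4, 2, False))  # 1.2 1.0
    print(weighted_average([(100, 1), (60, 1)]))                  # 80.0
```

Scores are passed as strings or Decimals rather than floats where the 4-decimal rounding matters (0.16665 has no exact binary float representation, and Decimal keeps the half-up rounding deterministic); the range check rejects any object score outside the 2023 interval [0, 1] before it can propagate into a compensation or average.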

Source: blog.csdn.net/ryanzzzzz/article/details/131943242