Commercial Cryptography Application Security Evaluation: Physical and Environmental Level

According to GB/T 39786-2021, "Information Security Technology: Basic Requirements for Cryptography Application in Information Systems", the requirements for a level-3 system are as follows:

Physical and environmental level:

a) Cryptographic technology should be used for physical access identity authentication to ensure the authenticity of the identity of personnel entering important areas;

b) Cryptographic technology should be used to ensure the storage integrity of the entry and exit record data of the electronic access control system;

c) Cryptographic technology should be used to ensure the storage integrity of video surveillance audio-visual recording data.


Identity authentication: (High Risk)

Evaluation index: Use cryptographic technology for physical access identity authentication to ensure the authenticity of the identity of personnel entering important areas (level 1 to level 4).

Evaluation objects: important areas such as the computer room where the information system is located and its electronic access control system.

Possible mitigating measures:

1) Identify people entering important areas based on biometric technology (such as fingerprints);

2) The entrances and exits of important areas are staffed by dedicated personnel on duty who register entries, and the video surveillance system is used for real-time monitoring.

Evaluation implementation steps:

① Interview the person in charge of the system under test to identify the location of the physical computer rooms where the system is located, including but not limited to IDC computer rooms, disaster recovery backup computer rooms, cloud service provider computer rooms, operator computer rooms, and computer rooms under the jurisdiction of other units or departments.

② Identify the product name and model of the security equipment in the physical computer room where the system is located, mainly electronic access control equipment, electronic access control systems, etc.

③ Note that packet capture analysis may be involved: capture the data traffic generated when personnel enter and leave the computer room with the electronic access control card, and analyze its APDU instructions, etc.
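To illustrate what analyzing the captured APDU instructions in step ③ can look like, the following added example (not part of the original post or of any access control product) parses command APDUs and reports whether a challenge-response exchange appears in the trace. It assumes the card uses the standard ISO/IEC 7816-4 instruction codes and short-form lengths; the traces, AID, challenge and cryptogram bytes are constructed.

```python
# Added example: constructed traces, ISO/IEC 7816-4 short-form command APDUs only.
INS_NAMES = {0xA4: "SELECT", 0xB0: "READ BINARY", 0x84: "GET CHALLENGE",
             0x82: "EXTERNAL AUTHENTICATE", 0x88: "INTERNAL AUTHENTICATE"}

def parse_apdu(hexstr):
    """Split one command APDU into header fields, data and Le."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    cla, ins, p1, p2 = raw[:4]
    body, data, le = raw[4:], b"", None
    if len(body) == 1:                    # case 2: Le only
        le = body[0]
    elif len(body) > 1:                   # case 3/4: Lc, data, optional Le
        lc = body[0]
        data, rest = body[1:1 + lc], body[1 + lc:]
        if len(data) != lc or len(rest) > 1:
            raise ValueError("Lc does not match the APDU length")
        le = rest[0] if rest else None
    return {"cla": cla, "ins": ins, "name": INS_NAMES.get(ins, "UNKNOWN"),
            "p1": p1, "p2": p2, "data": data, "le": le}

def observed_auth(trace):
    """Return which challenge-response directions appear in a command trace."""
    found, challenge_requested = set(), False
    for cmd in map(parse_apdu, trace):
        if cmd["name"] == "GET CHALLENGE":
            challenge_requested = True
        elif cmd["name"] == "EXTERNAL AUTHENTICATE" and cmd["data"]:
            if challenge_requested:       # cryptogram over the card's challenge
                found.add("external")
            challenge_requested = False
        elif cmd["name"] == "INTERNAL AUTHENTICATE" and cmd["data"]:
            found.add("internal")         # reader's challenge sent to the card
    return found

# Constructed sample traces (hypothetical AID, challenge and cryptogram bytes).
AUTH_TRACE = ["00A4040006A00000000101", "0084000008",
              "00820001081122334455667788", "0088000108A1A2A3A4A5A6A7A800"]
PLAIN_TRACE = ["00A4040006A00000000101", "00B0000010"]

if __name__ == "__main__":
    print(sorted(observed_auth(AUTH_TRACE)))   # both directions seen
    print(sorted(observed_auth(PLAIN_TRACE)))  # no cryptographic authentication
```

A trace in which the reader only selects an application and reads data, with no authenticate command, gives the evaluator no evidence that cryptographic identity authentication takes place on the card interface.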

Evidence collection materials:

① Photos of the electronic access control equipment, photos of the electronic access control card (smart IC card), photos of the commercial cryptographic product certification certificate of the smart IC card, the commercial cryptographic product certification certificate of the access control card reader (access control equipment) (marked with the cryptographic module level), photos of the key injector and the access control card issuer, screenshots of the smart IC card issuing interface, screenshots of the smart IC card key injection code implementation, screenshots of the PSAM card issuing interface, screenshots of the PSAM card key injection implementation code, screenshots of smart IC card test verification, screenshots verifying that a wrong or unauthorized access control card cannot open the door, photos of the computer room entry and exit registration forms, photos of the physical monitoring screens of the system in the computer room, etc. (the latter two items of evidence are mainly used as mitigation measures).

Example:

Photo of electronic access control equipment (access control card reader)
Commercial cryptographic product certification certificate of the access control card reader (access control equipment) (marked with the cryptographic module level)
Photo of electronic access control card (smart IC card)
Photo of the commercial cryptographic product certification certificate of the smart IC card
Photos of the key injector and the access control card issuer
Screenshot of the smart IC card issuing interface
Screenshot of the smart IC card key injection code implementation
Screenshot of the PSAM card issuing interface
Screenshot of the PSAM card key injection implementation code
Screenshot of the smart IC card passing test verification
Screenshot verifying that a wrong or unauthorized access control card cannot open the door
Photo of the computer room entry and exit registration form
Physical monitoring picture of the system in the computer room


② Related description: A compliant electronic access control system generally implements identity authentication through a contactless smart IC card based on the national commercial cryptography SM4 symmetric algorithm and an access control card reader that supports the national algorithms. The deployed key management system uses the key injector and the access control card issuer to distribute keys to the CPU card and to the PSAM card in the card reader, achieving one key per card.

(Note: For cryptographic products with newly issued certification certificates, the "Commercial Cryptographic Product Certification Catalog" issued by the State Administration for Market Regulation and the State Cryptography Administration clearly stipulates the types of cryptographic products to which the cryptographic module standard applies. Other products (such as security chips, cryptographic systems, etc.) are not tested and certified according to cryptographic module standards. Note that although cryptographic system products (such as electronic access control systems, CA/KM systems, electronic signature systems, etc.) are not subject to cryptographic module standards, cryptographic products used as system components (such as cryptographic machines, cryptographic cards, etc.) are subject to them, and the evaluation must also take into account the security level of the cryptographic modules of these products.)


Electronic access control record data storage integrity:

Evaluation index: Use cryptographic technology to ensure the storage integrity of the electronic access control system's entry and exit record data (level 1 to level 4).

Evaluation objects: important areas such as the computer room where the information system is located and its electronic access control system.

Evaluation implementation steps: Check whether cryptographic technologies, such as a message authentication code (MAC) mechanism based on a symmetric cryptographic algorithm or a cryptographic hash algorithm, or a digital signature mechanism based on a public key cryptographic algorithm, are used to protect the storage integrity of the entry and exit record data of the electronic access control system, and verify whether the integrity protection mechanism is correct and effective.

① Check the entry and exit records of the electronic access control system in the computer room where the system is located.

② Try to modify the relevant data of the electronic access control entry and exit records, and check whether the storage integrity is protected by cryptographic technology.

③ Analyze the cryptographic technology used by the electronic access control system in the computer room where the tested system is located, and verify whether the DAK meets the requirements.

Evidence collection materials:

① In addition to the relevant evidence of identity authentication, the integrity protection of electronic access control record data may involve PCI-E cryptographic cards, or it may be implemented by deploying server cipher machines or other cryptographic products and calling their cryptographic functions and services.

② Taking the PCI-E cryptographic card as an example, the following are required: the PCI-E cryptographic card commercial cryptographic product certification certificate, screenshots of the PCI-E cryptographic card key injection implementation code, screenshots of the cryptographic algorithm code implementation, screenshots of the electronic access control record data (before integrity protection), screenshots of the electronic access control record data (after integrity protection), screenshots of integrity verification before and after data modification, etc.

Example:

PCI-E cryptographic card commercial cryptographic product certification certificate
PCI-E cryptographic card key injection implementation code
Integrity code implementation screenshot (to be determined)
Digest value generated for the electronic access control records


Video surveillance record data storage integrity:

Evaluation index: Use cryptographic technology to ensure the storage integrity of video surveillance audio-visual recording data (level 3 to level 4).

Evaluation object: important areas such as the computer room where the information system is located and its video surveillance system.

Evaluation implementation steps: Check whether cryptographic technologies, such as a message authentication code (MAC) mechanism based on a symmetric cryptographic algorithm or a cryptographic hash algorithm, or a digital signature mechanism based on a public key cryptographic algorithm, are used to protect the storage integrity of video surveillance audio and video recording data, and verify whether the integrity protection mechanism is correct and effective.

① Check the screenshot of the video surveillance screen of the computer room where the system is located.

② Check the video surveillance data, try to modify the relevant data recorded by the video surveillance, and check whether the storage integrity is protected by cryptographic technology.

③ Analyze the cryptographic technology used by the video surveillance system in the computer room where the system under test is located, and verify whether the DAK meets the requirements.
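One way to implement and test the MAC-based storage integrity described in both the electronic access control section and the video surveillance section, as an added example (not code from the original post or from any evaluated product). It goes slightly beyond the text by chaining each record's MAC to the previous one, so that deleted rows are detected as well as modified ones; the key, field names and records are constructed, and for video recordings each record would hold a recording file's name and digest instead.

```python
import hmac, json

def pick_digest():
    """Prefer SM3; fall back to SHA-256 (stand-in) if this OpenSSL build lacks it."""
    try:
        hmac.new(b"probe", b"", "sm3")
        return "sm3"
    except ValueError:
        return "sha256"

DIGEST = pick_digest()
GENESIS = b"\x00" * 32            # assumed fixed starting value for the chain

def record_mac(key, record, prev_mac):
    """MAC over the previous row's MAC plus a canonical encoding of this record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_mac + body, DIGEST).digest()

def protect(key, records):
    """Attach a chained MAC to every record before it is stored."""
    rows, prev = [], GENESIS
    for rec in records:
        prev = record_mac(key, rec, prev)
        rows.append({"record": rec, "mac": prev.hex()})
    return rows

def verify(key, rows):
    """Return the indexes of rows whose stored MAC does not verify."""
    bad, prev = [], GENESIS
    for i, row in enumerate(rows):
        stored = bytes.fromhex(row["mac"])
        if not hmac.compare_digest(record_mac(key, row["record"], prev), stored):
            bad.append(i)
        prev = stored             # chain from the stored value to localise the fault
    return bad

# Constructed sample data: the key would live inside the cryptographic card or
# server cipher machine in a real deployment, never in application code.
KEY = bytes(range(16))
RECORDS = [{"time": "2023-05-04T09:00:00", "card": "C001", "door": "room-1", "dir": "in"},
           {"time": "2023-05-04T09:40:00", "card": "C002", "door": "room-1", "dir": "in"},
           {"time": "2023-05-04T10:15:00", "card": "C001", "door": "room-1", "dir": "out"}]

if __name__ == "__main__":
    rows = protect(KEY, RECORDS)
    print("before modification:", verify(KEY, rows))
    rows[1]["record"]["card"] = "C009"
    print("after modification:", verify(KEY, rows))
```

Removing rows from the end of the log is not caught by the chain alone; the most recent MAC or a record count has to be kept under separate protection for that.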

Evidence collection materials: Taking the PCI-E cryptographic card as an example: the PCI-E cryptographic card commercial cryptographic product certification certificate, the PCI-E cryptographic card key injection implementation code, photos of the video surveillance equipment, video surveillance screenshots, photos of the video surveillance network video recorder (NVR) equipment, the video surveillance system client login and loading interface, the video surveillance system client commercial cryptographic product certification certificate, the video surveillance system server commercial cryptographic product certification certificate, screenshots of the video surveillance system calling the integrity algorithm, screenshots of the video surveillance record data files and their generated digest values, screenshots of video surveillance record data storage integrity verification, etc.

Example:

PCI-E cryptographic card commercial cryptographic product certification certificate
PCI-E cryptographic card key injection implementation code
Photo of video surveillance equipment
Video surveillance screenshot
Photos of the video surveillance network video recorder (NVR) equipment
Video surveillance system client login and loading interface
Video surveillance system client commercial cryptographic product certification certificate
Video surveillance system server commercial cryptographic product certification certificate
Screenshot of the video surveillance system calling the integrity algorithm
Screenshots of video surveillance record data files and their generated digest values
Video surveillance record data storage integrity verification screenshot


Origin blog.csdn.net/weixin_46849758/article/details/130486684