Shulou(Shulou.com)06/01 Report--

The emergence of "password method"

On June 25th, 2019, the 11th meeting of the standing Committee of the 13th National people's Congress deliberated the draft password Law for the first time.

On October 26, 2019, the 14th meeting of the standing Committee of the 13th National people's Congress voted to adopt the password Law.

On January 1, 2020, ● formally implemented the password Law. Among them, it is clearly stipulated that "passwords are divided into core passwords, ordinary passwords and commercial passwords, with classified management of passwords, and import licensing and export control for commercial passwords of a specific range."

The formal promulgation and implementation of the password Law indicates that the password will become the core technology to ensure the cyberspace security of our country and the core position of the network security, so that there is a law to follow for information and network security.

Manage and protect which "passwords"

When the word "password" is mentioned in real life, people usually think that it is "account login password", "mailbox login password", "bank card payment password" and so on. In fact, these "passwords" in life are actually "passwords", which is a simple, primary means of identity authentication and a "pass" for accounts.

The password Law aims to standardize the application and management of passwords. The password refers to the products, technologies and services that use specific transformations to encrypt and protect information or secure authentication. Password has two main functions, encryption protection + security authentication. The most common one is online banking USB Key.

Encryption protection refers to the use of mathematical transformation, the original readable information into unrecognizable symbol sequence, to put it simply, the plaintext into ciphertext. Security authentication refers to the use of mathematical transformation to confirm whether the information has been tampered with, whether it comes from a reliable information source and whether the behavior is true, that is, to confirm the true reliability of the subject and the information.

When we browse the website of national government affairs, we sometimes see the word "unsafe" at the far left of the address bar.

What does "unsafe" mean here? What will be the impact? In fact, this is that the HTTP website does not deploy the SSL certificate, and the transmission of data from the user side (browser) to the server side is in unencrypted plaintext form and without secure identity authentication. The possible effects are: all kinds of data browsed through the website are very easy to be illegally stolen and illegally tampered with, and the true identity of the website is likely to be a phishing website, thus suffering image damage or economic losses.

So is it safe just to use a SSL certificate? Not exactly. According to statistics, the proportion of our government website system and important information infrastructure websites using HTTPS encryption deployment is less than 1%. And less than 1% of the websites that have deployed SSL certificates still have security risks, because they basically deploy RSA encryption algorithm SSL certificates issued by foreign CA, which is very likely to revoke and cut off these SSL certificates due to political, economic and trade disputes and other reasons, resulting in various important information infrastructure systems in our country unable to provide services normally.

This time, the "password Law" clearly requires that China's key information infrastructure operators should use commercial passwords for protection. In other words, our government websites and various government service systems must adopt the HTTPS encryption of domestic cryptographic algorithms to realize the ciphertext transmission of Internet data from the user side to the server side, and effectively prevent all kinds of data leakage and data abuse crimes. At this point, choosing the correct SSL certificate is the key. Let's take a look at the correct opening posture of the HTTPS website that has deployed the national secret algorithm SSL certificate.

Impact on enterprises and institutions

Password is a national treasure, an important strategic resource of the country, and the basis, core and support for the protection of network and information security.

The person in charge of the password Administration explained that passwords are the core technology and basic support for ensuring network and information security, and are the most effective, reliable and economical means to solve the problems of network and information security.

According to the type of protection information, passwords can be divided into core passwords, ordinary passwords and commercial passwords. Core passwords and ordinary passwords are passwords used to protect national secret information. Commercial passwords can be used by citizens, legal persons and other organizations in accordance with the law. In particular, commercial passwords are widely used in all aspects of national economic development and social production and life, including finance and communications, public security, taxation, social security, transportation, health, energy, e-government and other important fields. it plays an important role in safeguarding national security, promoting economic and social development, and protecting the legitimate rights and interests of citizens, legal persons and social organizations.

By studying the password method, we explain in detail the contents of the commercial password:

Interpretation 01 Commercial password products should be certified by relevant institutions

Article 26 of Chapter III clearly points out that commercial password products related to national security, national economy and people's livelihood and social and public interests can be sold or provided only after they have been tested and certified by qualified institutions. That is to say, in order to ensure the safety and reliability of products, purchasing commercial password products from formal channels can maximize product security and quality services. Asia Integrity is a professional provider of Internet security products and services, supporting national commercial password algorithms and providing customized services for different scenarios. Its TrustAsia brand SSL certificate has always maintained a leading position in the Chinese market, fully meets the requirements of localization, and is the best choice for your national secret algorithm certificate.

Interpretation 02 facilities protected by commercial passwords should be evaluated for security

Chapter 3, Article 27 requires operators to use commercial passwords for protection and to conduct commercial password application security assessment by themselves or by entrusting commercial password testing institutions. This means that the procurement of network products and services involving commercial passwords must pass commercial secret assessment and national security review. The Asian HTTPS Security Gateway (referred to as "HSG"), independently developed by Asia Credit, is a gateway facility protected by commercial passwords, which contains password modules that meet the security level requirements of GM/T0028-2014 "Security Technical requirements for password Modules" and support SM2 national secret algorithms. Therefore, the combination of sub-HSG equipment can help your enterprise pass the national commercial secret evaluation, and can be used in e-commerce, finance, integration, government affairs, education, energy, industrial control, cloud, big data center and other fields.

Security use in other areas

In the network and information age, a large amount of information is produced every day, and it is not uncommon for the whole network to run naked and big data to abuse it, which seriously threatens the state secret information, enterprise business password and citizens' personal privacy protection.

Yasu Information Technology (Shanghai) Co., Ltd. has been ploughing cryptographic technology for many years, paying attention to the research and application of national commercial cryptographic algorithms, and has provided all-round products and security solutions for various fields. to provide support and guarantee for promoting the construction of a healthy Internet environment in China, and to provide assistance for the implementation and popularization of "password law".

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.