The “new regulations” for commercial passwords were reviewed and approved to build a “firewall” for the Internet of Things. On May 24, 2023, the official draft of the 2023 revised version of the “Regulations on the Management of Commercial Cryptography” (hereinafter referred to as the “Regulations”) was released on the website of the Central People’s Government of the People’s Republic of China. The full text of the Regulations was revised and adopted at the 4th executive meeting of the State Council on April 14, 2023. It is hereby announced and will come into effect on July 1, 2023.
The “Regulations” aim to standardize the application and management of commercial encryption, encourage and promote the development of the commercial encryption industry, ensure network and information security, safeguard national security and social public interests, and protect the legitimate rights and interests of citizens, legal persons and other organizations.
Industry insiders believe that with the increasing importance of data security, the scale of my country’s encryption industry market has gradually expanded, and the average growth rate in recent years has been higher than the global growth rate. According to statistics from relevant research institutions, the overall size of my country’s commercial encryption market is expected to reach 98.585 billion yuan in 2023, a year-on-year increase of 39.32%.
Three major changes
As early as 1999, our country promulgated and took effect the “Regulations on the Management of Commercial Passwords”; in 2019, because the “Regulations on the Management of Commercial Passwords” can no longer adapt to the development requirements of the times, our country has structurally reshaped the commercial password management system, thus promulgating the “Regulations on the Management of Commercial Passwords”. Cryptozoology Law of the People’s Republic of China (“Cryptozoology Law”).
As of August 10, 2020, with the “Cryptography Law of the People’s Republic of China” as the superior law, the State Cryptozoology Administration issued the “Regulations on the Management of Commercial Cryptography (Revised Draft for Comments)”, which revised the 1999 “Regulations on the Management of Commercial Cryptography” Completely revised.
Some experts in the industry believe that the official announcement of the Regulations will further standardize the password application market and bring about the following important changes:
1. Urge platform companies to fulfill their password protection responsibilities in accordance with the law
The “Regulations” further implement the management requirements of the “Cryptozoology Law”. In addition to the requirements for cryptography applications themselves, it also puts forward relevant requirements for testing and certification, electronic certification, import and export management, etc., so that platforms and enterprises have laws to follow.
2. Commercial passwords gradually change from “recommended” to “mandatory”
The “Regulations” clearly stipulate that non-confidential critical information infrastructure, networks with network security protection level 3 or above, and national government information systems and other networks and information systems are required to “carry out commercial cryptography application security on their own or entrust commercial cryptography testing institutions.” Sexual Assessment”.
For non-confidential critical information infrastructure, the Regulations stipulate that operators should use commercial passwords for protection, conduct commercial password application security assessments, use commercial encryption technologies listed in the encryption technology guidance catalog, and purchase network products and services. National security review and other obligations.
3. “Secret reviews” become an indicator to measure the degree of password construction
The “Regulations” also point out that the network and information systems listed in the previous paragraph must pass the commercial encryption application security assessment (i.e., “secret assessment”) before they can be put into operation. After operation, the assessment shall be conducted at least once a year, and the assessment results shall be reported to the local district. Register with the municipal password management department.
Build a “firewall” for the Internet of Things
After more than ten years of development, the scale of my country’s Internet of Things industry has reached nearly 3 trillion yuan, and it has been widely used in various fields such as industrial manufacturing and social and people’s livelihood. As hundreds of billions of IoT devices are connected to the network, the security threats faced by the IoT are becoming increasingly prominent, and IoT passwords are receiving more and more attention.
Industry experts believe that the main security risks of IoT networks focus on six aspects:
1. IoT devices
An attacker can exploit the weakness in the identification mechanism to maliciously deploy the same model or clone a similar device and access the system to carry out attacks.
2. Security gateway
Since IoT terminals may collect and process a large amount of sensitive data, if the security gateway does not encrypt the data forwarding, problems such as data theft may easily occur.
3. Wireless security
There are a large number of nodes in the Internet of Things and data transmission uses wireless radio frequency signals. There are risks such as attackers can cause communication interruption by transmitting interference signals, or hijack, eavesdrop, and tamper with data during signal transmission.
4.Data transmission
The transport layer faces security issues such as cross-network authentication in heterogeneous networks. In addition, data packets transmitted on the Internet of Things are not encrypted and signed, and are prone to problems such as eavesdropping, tampering, forgery, and sender denial.
5. Business platform
Due to the wide variety of access device types and varying capabilities, there are security risks such as identity forgery and unauthorized access.
6. IoT terminal
Attackers can use information collection equipment to detect and collect all leaked information related to confidential data. There are also malfunction attacks in which attackers use destructive or non-destructive techniques to disrupt the chip encryption system to obtain the key. In addition, software forms are more likely to cause sensitive data leakage.
Commercial passwords are required in the Internet of Things to protect the following four points:
1. Identity authentication
Establish a PKI/CA infrastructure based on industry algorithms to issue certificates to each device and cloud in the Internet of Things scenario. By identifying the device and binding it to the certificate, each device can be registered, so that in progress In the identity authentication stage, through two-way identity, the device cannot be impersonated, and the cloud service also intercepts it.
2.Data transmission
Through the combined use of SM2 and SM4, the transmitted data packets are signed and encrypted in the transmission link where the SSL secure channel is not established, which also ensures the security and trustworthiness of the data.
3.Data exchange
Point-to-point encryption mechanisms and end-to-end encryption mechanisms can be adopted to ensure transport layer security, and protocols such as SSL/TLS and IPSec can also be used to provide communication encryption and authentication functions to ensure the security of transmission and exchange between communicating parties.
4. Terminal security
Using the more lightweight SM2 threshold cryptographic algorithm implemented in pure software, the signature and signature verification processes are calculated separately on the terminal and server and then merged.
Overall, cryptography technology plays a fundamental supporting role in emerging fields such as cloud computing, big data, the Internet of Things, and artificial intelligence. Commercial secrets are an important means of protecting data security. The emergence of emerging fields has also brought new market space.