Wang Xiaoyun: Thoroughly implement the Cryptography Law to promote the formulation of commercial cryptography standards and the development of the industry

Date of issue: 2019-12-30 Source: Economic Information Daily

The promulgation and implementation of the Cryptography Law is intended to further raise the level of lawful management and security of cryptography in China, promote the development of China's cryptography industry, safeguard network and information security, safeguard national security, and protect the legitimate rights and interests of citizens, legal persons and other organizations.

The Cryptography Law has five chapters and forty-four articles. It defines the leadership and management system for cryptography work: the central leading body for cryptography work exercises unified leadership over national cryptography work, the national cryptography management department is responsible for managing cryptography work nationwide, and cryptography management departments at each level are responsible for managing cryptography work within their own administrative regions. It also makes clear that cryptography is managed in three categories: core cryptography, ordinary cryptography and commercial cryptography. Core cryptography and ordinary cryptography are used to protect state secret information, while commercial cryptography is used to protect information that is not a state secret.

The Cryptography Law is a highly professional and technical national law. As a scientific and technological worker who has long been engaged in research on cryptographic theory and technology, the author expresses heartfelt delight at, and firm support for, the introduction of the Cryptography Law. Here, the author would like to share some reflections from studying the law, together with some ideas on how to thoroughly implement it and promote the formulation of commercial cryptography standards and the development of the industry.

First, the Cryptography Law precisely defines cryptography and its connotation.

Cryptography is the core technology and fundamental support for ensuring network and information security. The Cryptography Law gives it a definition and connotation, stipulating clearly that "cryptography refers to technologies, products and services that apply specific transformation methods to provide encryption protection and security authentication for information and the like". Encryption protection means using encryption technology (that is, encryption algorithms) and related technologies to ensure the confidentiality of sensitive information; it provides the confidentiality function that keeps information from being stolen or obtained. Security authentication covers not only the authenticity and non-repudiation of the information itself, but also the authenticity and non-repudiation of the information's source, in particular the identity of the sender or generator of the information. It should also be emphasized that security authentication includes the integrity checking and authentication of information, guaranteeing that the information is the original and has not been tampered with. Security authentication mainly involves two cryptographic techniques (algorithms): the digital signature and the cryptographic hash function.
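To make the distinction drawn above concrete, the following added example (written for this article, not code from the author or from any standard body) separates the three functions: encryption gives confidentiality only, the hash function gives integrity checking, and the digital signature binds a message to its sender. Go's standard library has no SM2, SM3 or SM4, so the example assumes AES-256 in CTR mode, SHA-256 and ECDSA over P-256 as stand-ins; the message, key and the bit-flip that simulates tampering in transit are all constructed here. The key point it shows is that a plain cipher does not detect tampering: a modified ciphertext still decrypts without error, and only the digest or the signature exposes the change.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// EncryptCTR provides confidentiality only. AES-256 in CTR mode stands in for
// a commercial block cipher such as SM4 (assumption: Go's standard library has
// no SM4). The returned slice is iv || ciphertext.
func EncryptCTR(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	iv := out[:aes.BlockSize]
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, iv).XORKeyStream(out[aes.BlockSize:], plaintext)
	return out, nil
}

// DecryptCTR reverses EncryptCTR. CTR mode never "fails": a tampered
// ciphertext simply decrypts to different bytes, which is why encryption
// alone gives no integrity guarantee.
func DecryptCTR(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < aes.BlockSize {
		return nil, fmt.Errorf("ciphertext too short")
	}
	iv, ct := data[:aes.BlockSize], data[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	return pt, nil
}

// Digest is the integrity primitive. SHA-256 stands in for SM3 (assumption).
func Digest(msg []byte) [32]byte { return sha256.Sum256(msg) }

// GenerateKey creates a signing key pair. ECDSA over P-256 stands in for SM2
// (assumption).
func GenerateKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign binds a message to its sender: only the holder of priv can produce a
// valid signature, which is what gives authenticity and non-repudiation of
// the source.
func Sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	h := Digest(msg)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// Verify checks signature and integrity together: any change to msg changes
// the digest, so the signature no longer verifies.
func Verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	h := Digest(msg)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// FlipBit returns a copy of data with the low bit of byte i inverted, used
// here to simulate tampering in transit.
func FlipBit(data []byte, i int) []byte {
	out := append([]byte(nil), data...)
	out[i] ^= 0x01
	return out
}

func main() {
	key := make([]byte, 32)
	rand.Read(key)
	priv, _ := GenerateKey()
	msg := []byte("transfer 100 to account A") // constructed sample message

	ct, _ := EncryptCTR(key, msg)
	sig, _ := Sign(priv, msg)

	// Confidentiality: decryption with the key restores the message.
	pt, _ := DecryptCTR(key, ct)
	fmt.Println("decrypted matches:", bytes.Equal(pt, msg))

	// A flipped ciphertext bit goes unnoticed by decryption alone ...
	badPt, _ := DecryptCTR(key, FlipBit(ct, len(ct)-1))
	fmt.Printf("tampered ciphertext still decrypts: %q\n", badPt)
	// ... but the digest and the signature both expose it.
	fmt.Println("digest unchanged:", Digest(badPt) == Digest(msg))
	fmt.Println("signature still valid:", Verify(&priv.PublicKey, badPt, sig))
}
```

In a deployed system the stand-ins would be replaced by the commercial algorithms the article discusses (SM4 for encryption, SM3 for the digest, SM2 for the signature); the division of labour between the three primitives is the same.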

It is worth noting that the difficulty of attacking high-security cryptography rests on the difficulty of solving mathematical problems; with existing computing resources, an attack usually requires billions of years or more of computation and is therefore practically infeasible. By contrast, network identity authentication methods based on simple passwords, fingerprints, facial recognition and other biometric credentials lack the support of such mathematical problems, and so cannot fully meet the identity authentication requirements of commercial cryptography applications.

Second, accelerate the development of the commercial cryptography industry, carry out top-level design, and improve the commercial cryptography testing and certification system.

The Cryptography Law fully takes into account the requirements of transforming government functions and the reform of "decentralization, regulation and service". It stipulates that the State encourages research and development, academic exchange, transformation of achievements, and promotion and application of commercial cryptography technology; improves a unified, open, competitive and orderly market system for commercial cryptography; and encourages and promotes the development of the commercial cryptography industry. It provides for equal treatment in accordance with the law for all units engaged in commercial cryptography research, production, sales, service, import and export, including foreign-funded enterprises.

At present, China is making greater efforts to develop the cryptography industry in fields such as digital finance, public communications and information services, transportation, energy, water conservancy, electric power, information services for the public, industrial manufacturing, e-government, smart cities, and the security of basic software and hardware. There is an urgent need to sort out, at the top level, the business systems and security needs of different industries; to strengthen the design and innovation of cryptographic systems; to build research, evaluation and certification systems for cryptographic application technology in the different cryptography industries; and to develop the cryptographic evaluation industry.

It is suggested to improve independent innovation capability in cryptanalysis and to strengthen the building of security evaluation capability for cryptographic systems based on deep learning in artificial intelligence, automated search technology and high-performance computing; to develop security evaluation technology for cryptographic software and hardware infrastructure, improve the capability to analyze and evaluate cryptographic systems, and provide a technical support platform for the cryptography industry; to adopt a model combining academic education with in-service education and increase the training of professionals for the commercial cryptography evaluation industry; to focus on developing capabilities for cryptographic software protection and cryptographic chip evaluation, concentrating high-level cryptography talent on research into the security protection of cryptographic software in order to overcome its weaknesses and technical difficulties; and to design chip architectures resistant to side-channel attacks, so as to break through the bottleneck ("chokepoint") technologies of cryptographic chips.

Third, strengthen independent innovation capability and standard formulation for the core key technologies of cryptography, and contribute Chinese wisdom and Chinese solutions in cryptography.

In recent years, with the strong promotion of the National Information Security Standardization Technical Committee and the Cryptographic Industry Standards Technical Committee, China has successfully advanced its cryptographic algorithm standards SM2/3/9 to become international ISO/IEC cryptographic standards. This is a breakthrough for China in the development of international standards in the field of cryptography, and a contribution of Chinese wisdom.

With the vigorous development of the new generation of information technology industries, the new generation of general-purpose cryptographic standards and resources applicable to new industries and new business forms remains limited. Research on and standardization of new cryptographic algorithms for cloud environments and artificial intelligence environments still need to be strengthened. The formulation of cryptographic standards will raise the overall level of cryptographic theory research in China.

It is suggested to draw on the design of the 3G/4G/5G mobile cryptographic communication standards, and on the successful experience in cryptographic protocol design of computer network secure communication systems such as SSL/TLS and IPsec, to deploy early the design of cryptographic secure communication systems for environments such as the Internet of Things, the Internet of Vehicles, industrial control systems and artificial intelligence, to promote the formulation and revision of standards, to vigorously develop the cryptography industry, and to safeguard the high-quality development of China's digital economy.

Fourth, accelerate the synchronized planning and construction of the cryptographic protection system in Xiong'an New Area.

The National Development and Reform Commission, the Ministry of Industry and Information Technology, the People's Bank of China, the Ministry of Transport, the National Health Commission, the Ministry of Public Security, the Ministry of Science and Technology, the State Cryptography Administration and other relevant departments have analyzed the architecture and top-level design of Xiong'an New Area's information industry clusters, critical information infrastructure and smart city construction. From the very start of the New Area's construction, they planned systematically to ensure that a network and information security protection system supported by cryptographic security technology is built. In view of the characteristics of artificial intelligence, the Internet of Things, intelligent manufacturing, big data, cloud computing and other fields, efforts should be increased to develop a cryptographic protection system that matches and integrates fully with them, to develop cryptography standards and specifications for the relevant industries, and to promote cryptographic technology more widely across different industries. With the goal of building a "globally leading digital intelligent city", Xiong'an New Area will become a new benchmark for the construction of safe, intelligent cities worldwide. It is suggested that an industry cluster of cryptographic applications that can be replicated and popularized nationwide be formed as soon as possible, and that international standards for cryptographic algorithms and cryptographic information systems in key information fields be formulated first, so as to produce a batch of world-leading commercial cryptography industry standards, advance the internationalization of China's cryptographic technology, and provide cryptographic service guarantees for China's opening-up, for major-country diplomacy with Chinese characteristics, and for the construction of the "Belt and Road" initiative.

Fifth, accelerate the development and piloting of blockchain technology supported by cryptography, and accelerate the formulation of blockchain industry standards, national standards and international standards.

The cryptographic hash function is the founding technology of blockchain. The development of blockchain began with Bitcoin, that is, blockchain 1.0. As a simple application of the cryptographic hash function, Bitcoin attracted great attention and favour from industry and investors for a certain period. At present, the development of blockchain technology has gone far beyond Bitcoin, into a multi-technology, multi-platform blockchain business form. The various technologies each have their own characteristics; they are built on the cryptographic hash function and combined with other cryptographic techniques such as digital signatures and encryption algorithms, forming the current diversified development trend of blockchain. Blockchain technology makes full use of the cryptographic hash function to prevent transaction information from being tampered with, which can solve the pain point of data tampering in many fields, and allows rapid authentication against the information on the chain, greatly improving the efficiency of traditional industries. In 2005, the author presented collision attacks on two international hash function standards in common use, MD5 and SHA-1. This research leads the world and provides the foundation for continuing to strengthen independent innovation capability in blockchain by building on that research advantage.
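The tamper-evidence described above follows from chaining: each block's hash covers its own transactions and the previous block's hash, so altering a recorded transaction invalidates that block, and even recomputing that block's hash breaks the link the next block holds. The following added example (written for this article, not code from the author or from any blockchain project) builds such a chain and walks it to find the first inconsistent block. It assumes SHA-256 as a stand-in for SM3, since Go's standard library has no SM3, and the ledger entries are constructed sample strings.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Block is a minimal ledger entry: the transactions it records, the hash of
// the previous block, and its own hash computed over all of that.
type Block struct {
	Index    int
	Txs      []string
	PrevHash string
	Hash     string
}

// genesisPrev is the placeholder "previous hash" of the first block.
var genesisPrev = strings.Repeat("0", 64)

// hashBlock derives the block hash from everything that must be
// tamper-evident. Fields are length-prefixed so that no two different
// inputs can produce the same byte stream. SHA-256 stands in for SM3
// (assumption: Go's standard library has no SM3).
func hashBlock(index int, txs []string, prevHash string) string {
	h := sha256.New()
	fmt.Fprintf(h, "%d|%s|%d|", index, prevHash, len(txs))
	for _, tx := range txs {
		fmt.Fprintf(h, "%d:%s", len(tx), tx)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// RecomputeHash returns the hash a block should carry for its current
// contents (what an editor would have to do after changing a block).
func RecomputeHash(b Block) string {
	return hashBlock(b.Index, b.Txs, b.PrevHash)
}

// NewChain builds a chain from groups of transactions, one block per group,
// linking each block to the hash of the one before it.
func NewChain(groups [][]string) []Block {
	chain := make([]Block, 0, len(groups))
	prev := genesisPrev
	for i, txs := range groups {
		b := Block{Index: i, Txs: txs, PrevHash: prev}
		b.Hash = RecomputeHash(b)
		chain = append(chain, b)
		prev = b.Hash
	}
	return chain
}

// VerifyChain walks the chain and returns the index of the first block whose
// stored hash no longer matches its contents, or whose PrevHash does not
// match its predecessor. It returns -1 when the chain is intact.
func VerifyChain(chain []Block) int {
	prev := genesisPrev
	for i, b := range chain {
		if b.Index != i || b.PrevHash != prev || b.Hash != RecomputeHash(b) {
			return i
		}
		prev = b.Hash
	}
	return -1
}

func main() {
	// Constructed sample ledger, not real transaction data.
	chain := NewChain([][]string{{"genesis"}, {"A pays B 10", "C pays D 3"}, {"B pays C 5"}})
	fmt.Println("intact chain, first bad block:", VerifyChain(chain))

	// Retroactively edit a recorded transaction: block 1 no longer matches its hash.
	chain[1].Txs[0] = "A pays B 1000"
	fmt.Println("after edit, first bad block:", VerifyChain(chain))

	// Rehashing the edited block moves the break to block 2, whose PrevHash
	// still records the original hash of block 1.
	chain[1].Hash = RecomputeHash(chain[1])
	fmt.Println("after rehash, first bad block:", VerifyChain(chain))
}
```

An editor who wanted the change to go unnoticed would have to recompute every later block as well, which is exactly the cost a blockchain's consensus rules are designed to make prohibitive; the verification walk above is the cheap check that makes the chain's history authenticable.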

At present, standards for blockchain technology have not yet taken shape, which restricts the development of the industry to some extent. Owing to the shortage of high-level cryptographic designers, various blockchain applications also carry many security risks, and some blockchain applications with currency and payment functions are more likely to give rise to financial risks. Strengthening financial risk control and ensuring the security and controllability of digital currency is also an important part of blockchain research. To standardize the development of the blockchain industry, it is suggested to improve independent innovation capability in the blockchain field, deploy standard formulation, and support the healthy, rapid and orderly development of the industry as soon as possible.

Sixth, promote the construction and disciplinary development of the cryptography major, and strengthen the large-scale cultivation of cryptography talent.

The promulgation and implementation of the Cryptography Law will promote the development of China's cryptography industry in the areas of cryptographic management, cryptographic security, scientific and technological innovation, standard promotion and formulation, and industrial development. In the final analysis, the development of cryptography depends on talent. In 2015, the Ministry of Education approved the establishment of cyberspace security as a first-level discipline and expanded the cultivation of master's and doctoral students in five second-level disciplines: cryptography, network security, system security, the basic theory of cyberspace security, and application security. In 2016, the Central Cyberspace Office, the National Development and Reform Commission, the Ministry of Education, the Ministry of Science and Technology, and the Ministry of Industry and Information Technology jointly promoted the construction of cyberspace security colleges at universities, forming an integrated training model spanning undergraduate, master's and doctoral students, which has played an important role in promoting the cultivation of cryptography talent in China. The promulgation and implementation of the Cryptography Law will further expand demand for cryptography professionals, so that demand exceeds supply. It is suggested that cryptography be promoted to a first-level discipline, or that a cryptography direction be established under the first-level discipline of cyberspace security, as soon as possible; that every effort be made to build a first-class cryptography major; that the scale and level of cultivation of cryptography professionals be strengthened; and, at the same time, that social training be increased to meet the needs for cryptography professionals at different levels and in different industries.

(The author is an academician of the Chinese Academy of Sciences)