DB43/T 1842-2020 Blockchain application security technology evaluation standards

Hunan provincial local standard | Simplified Chinese | Current | Pages: 25 | Format: PDF

Basic information

Standard number: DB43/T 1842-2020
Standard type: Hunan provincial local standard
Standard status: Current
Chinese Standard Classification (CCS):
International Standard Classification (ICS):
Publication date: 2020-09-30
Implementation date: 2020-12-30
Issuing body/organization: Hunan Provincial Administration for Market Regulation (湖南省市场监督管理局)
Responsible (centralized management) unit: -
Scope of application: -

Publication history

Development information

Drafting organizations:
Drafters:
Publication information:
Pages: 25 | Word count: - | Format: -

Content description

ICS 35.240

L 70

DB43

Hunan provincial local standard

DB43/T1842—2020

Information security technology

Evaluation requirements for blockchain application security technology

Information security technology - Evaluation requirements for blockchain application security technology

Issued 2020-09-30, implemented 2020-12-30

Issued by the Hunan Provincial Administration for Market Regulation


Contents

Foreword ... III

1 Scope ... 1

2 Normative references ... 1

3 Terms and definitions ... 1

4 Overview of graded evaluation ... 2

4.1 Graded evaluation method ... 2

4.2 Single-item evaluation ... 2

5 Level 1 evaluation requirements ... 2

5.1 Application system evaluation requirements ... 2

5.2 Vulnerability protection evaluation requirements ... 3

5.3 Security audit evaluation requirements ... 3

6 Level 2 evaluation requirements ... 5

6.1 Application system evaluation requirements ... 5

6.2 Vulnerability protection evaluation requirements ... 6

6.3 Security audit evaluation requirements ... 7

7 Level 3 evaluation requirements ... 9

7.1 Application system evaluation requirements ... 9

7.2 Vulnerability protection evaluation requirements ... 10

7.3 Security audit evaluation requirements ... 12

8 Level 4 evaluation requirements ... 13

8.1 Application system evaluation requirements ... 13

8.2 Vulnerability protection evaluation requirements ... 15

8.3 Security audit evaluation requirements ... 16

9 Evaluation conclusions ... 18

9.1 Risk analysis and assessment ... 18

9.2 Graded evaluation conclusion ... 18

References ... 19


Foreword

This document was drafted in accordance with the rules given in GB/T 1.1—2020.

This document was proposed by the Office of the Cybersecurity and Informatization Committee of the CPC Hunan Provincial Committee (中共湖南省委网络安全和信息化委员会办公室).

This document is under the centralized management of the Hunan Provincial Technical Committee for Standardization of Blockchain and Distributed Ledger Technology (in preparation) (湖南省区块链和分布式记账技术标准化技术委员会(筹)).

Drafting organizations of this document: 湖南链信安科技有限公司 (Hunan Lianxin'an Technology Co., Ltd.), 湖南天河国云科技有限公司 (Hunan Tianhe Guoyun Technology Co., Ltd.), 湖南省东方区块链安全技术检测中心 (Hunan Dongfang Blockchain Security Technology Testing Center), 湖南省人民政府发展研究中心 (Development Research Center of the People's Government of Hunan Province), and 湖南天河云链科技有限公司 (Hunan Tianhe Yunlian Technology Co., Ltd.).

Principal drafters of this document: 谭林, 聂朗, 梁琪, 杨征, 陈昕, 李财, 聂璐璐, 梁亮, 尹海波, 黄帅, 汪武, 柳兴, 郭慧, 殷新文, 丁雅琪, 沈浪, 张祥, 宋姝, 姜载乐, 刘齐平, 郑婷婷, 胡钦, 邹曼瑜 and others.


Information security technology - Evaluation requirements for blockchain application security technology

1 Scope

This document specifies the indicator requirements for blockchain application security technology evaluation, comprising the Level 1, Level 2, Level 3 and Level 4 blockchain application security technology evaluation requirements.

This document applies to evaluation work carried out by evaluation bodies on the security of blockchain applications, and may also be used for reference by blockchain technology developers.

2 Normative references

The contents of the following documents constitute indispensable provisions of this document through normative references in the text. For dated references, only the version corresponding to that date applies to this document; for undated references, the latest version (including all amendments) applies to this document.

GB/T 25069—2010 Information security technology - Terminology

GB/T 28458—2012 Information security technology - Specification for the identification and description of security vulnerabilities

3 Terms and definitions

The following terms and definitions defined in GB/T 25069—2010 and GB/T 28458—2012 apply to this document.

3.1

security audit

Monitoring, collecting information on and analysing the various events and behaviours of an information system, and taking corresponding action in response to specific events and behaviours.

[GB/T 25069—2010]

3.2

access control (the English term is given in the source as "access level")

A means of ensuring that the resources of a data processing system can be accessed only by authorized subjects, and only in the authorized manner.

[GB/T 25069—2010]

3.3

security vulnerability (vulnerability)

A defect produced, intentionally or unintentionally, during the requirements, design, implementation, configuration, operation or other processes of a computer information system. Such defects exist in different forms at every layer and link of a computer information system; once exploited by a malicious subject, they damage the security of the computer information system and thereby affect its normal operation.

[GB/T 28458—2012]

3.4

consortium blockchain

A consortium blockchain is a type of blockchain whose consensus process is controlled by pre-designated nodes. Participation is restricted to pre-selected consortium members, each member acts as one node, and the permissions of each node on the chain are set according to rules jointly formulated by the consortium.

3.5

private blockchain

A private blockchain is a centralized type of blockchain in which all permissions are controlled by the centralized organization or institution.


4 Overview of graded evaluation

4.1 Graded evaluation method

The basic method of graded evaluation is, for a given evaluation object, to apply the relevant evaluation means, follow a defined evaluation procedure, obtain the required evidence data, and render a judgement on whether the security protection capability of a specific level has been achieved.

In this standard, the evaluation of each individual requirement item constitutes a single-item evaluation, and all of the specific evaluation content for a given requirement item constitutes the evaluation implementation. Based on the results of the survey, the business processes and data flows of the graded-protection object are analysed to determine the scope of the evaluation work. A comprehensive analysis is then carried out in combination with the security level of the graded-protection object; evaluation objects may be described by category, namely business platform security, vulnerability protection and security audit.

In this standard, the evaluation requirements for each level comprise three parts: business platform security evaluation requirements, vulnerability protection evaluation requirements and security audit evaluation requirements.

4.2 Single-item evaluation

A single-item evaluation is the evaluation of one security requirement item; it supports the repeatability and reproducibility of evaluation results. In this standard, each single-item evaluation consists of an evaluation indicator, an evaluation object, an evaluation implementation and an evaluation judgement result.

5 Level 1 evaluation requirements

5.1 Application system evaluation requirements

5.1.1 User identity authentication

This evaluation unit includes the following requirements:

a) Evaluation indicator: user identities shall be securely authenticated and shall have a unique identifier.

b) Evaluation object: the user identity authentication mechanism.

c) Evaluation implementation includes the following:

1) whether user identity identifiers are unique, and whether identity authentication information is changed periodically;

2) whether two or more identity authentication technologies are used in combination for the same user to achieve multi-factor user identity authentication, including but not limited to keys, login codes and mobile one-time codes.

d) Evaluation judgement: if all of the above evaluation implementation items are affirmative, the indicator requirements of this evaluation unit are met; otherwise they are not met or are partially met.
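The following is an added illustration of the two checks in 5.1.1 c), written for this page and not taken from the standard or from any product it covers: a user store that enforces uniqueness of the identifier at registration, refuses a first-factor secret that has not been rotated within a period, and combines that secret with a counter-based one-time code (RFC 4226 HOTP, standing in for the "mobile one-time code"). The 90-day rotation period, the PBKDF2 parameters and the in-memory `Directory` class are this example's assumptions, not values from the standard.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

# Assumed rotation period for the first-factor secret; the standard only says
# "changed periodically", the 90-day figure is this example's choice.
MAX_SECRET_AGE_DAYS = 90


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced modulo 10**digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


@dataclass
class User:
    user_id: str        # the unique identifier 5.1.1 a) asks for
    salt: bytes
    pw_hash: bytes
    pw_set_day: int     # day number on which the login code was last set
    otp_key: bytes      # second-factor secret (e.g. provisioned to a phone app)
    otp_counter: int = 0


class Directory:
    """In-memory user store with a two-factor authenticate() check (assumed design)."""

    def __init__(self) -> None:
        self._users: dict[str, User] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user_id: str, password: str, otp_key: bytes, today: int) -> None:
        # Uniqueness of the identifier is enforced at registration time.
        if user_id in self._users:
            raise ValueError("user identifier must be unique")
        salt = os.urandom(16)
        self._users[user_id] = User(user_id, salt, self._hash(password, salt), today, otp_key)

    def authenticate(self, user_id: str, password: str, otp_code: str, today: int) -> tuple[bool, str]:
        """Returns (success, reason). The reason is for the audit log, not for the client."""
        u = self._users.get(user_id)
        if u is None:
            return False, "unknown user"
        # Factor 1: the login code, compared in constant time.
        if not hmac.compare_digest(self._hash(password, u.salt), u.pw_hash):
            return False, "first factor failed"
        if today - u.pw_set_day > MAX_SECRET_AGE_DAYS:
            return False, "login code older than rotation period"
        # Factor 2: HOTP. Accept the next few counter values so a code the
        # client generated but never submitted does not lock the user out;
        # the counter advances past any accepted code, so a code cannot be replayed.
        for c in range(u.otp_counter, u.otp_counter + 3):
            if hmac.compare_digest(hotp(u.otp_key, c), otp_code):
                u.otp_counter = c + 1
                return True, "ok"
        return False, "second factor failed"


if __name__ == "__main__":
    # Constructed demo using the RFC 4226 test key.
    d = Directory()
    d.register("alice", "correct horse", b"12345678901234567890", today=100)
    print(d.authenticate("alice", "correct horse", hotp(b"12345678901234567890", 0), today=110))
```

An evaluator walking through 5.1.1 c) can map each item to a line: uniqueness to the `ValueError` in `register`, periodic change to the `MAX_SECRET_AGE_DAYS` check, and the multi-factor requirement to the fact that `authenticate` only returns `True` after both the PBKDF2 comparison and an HOTP match.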

5.1.2 Access control

This evaluation unit includes the following requirements:

a) Evaluation indicator: the blockchain system shall have an effective access control policy.

b) Evaluation object: the access control policy.

c) Evaluation implementation includes the following:

1) whether access permissions are assigned to users according to the principles of least privilege and mutual constraint;

2) whether the access control status of each user is checked at every interaction.

d) Evaluation judgement: if all of the above evaluation implementation items are affirmative, the indicator requirements of this evaluation unit are met; otherwise they are not met or are partially met.


5.1.3 Configuration management

This evaluation unit includes the following requirements:

a) Evaluation indicator: a secure configuration policy shall be provided.

b) Evaluation object: configuration information.

c) Evaluation implementation includes the following:

1) whether a configuration management function is provided that maintains all configuration items and uniquely identifies each configuration item.

d) Evaluation judgement: if the above evaluation implementation item is affirmative, the indicator requirements of this evaluation unit are met; otherwise they are not met.

5.2 Vulnerability protection evaluation requirements

5.2.1 Protection against system configuration vulnerabilities

This evaluation unit includes the following requirements:

a) Evaluation indicator: security protection measures shall be in place against system configuration vulnerabilities such as insecure security configuration.

b) Evaluation object: the vulnerability protection method.

c) Evaluation implementation includes the following:

1) whether the development, pre-release and production environments are configured identically while using different passwords;

2) whether an application framework is provided between the components that delivers effective component separation and security assurance.

d) Evaluation judgement: if all of the above evaluation implementation items are affirmative, the indicator requirements of this evaluation unit are met; otherwise they are not met or are partially met.
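Item 5.2.1 c) 1) is something an evaluator can script rather than eyeball. The check below is an added example written for this page (not part of the standard): given a flat key/value configuration for each of the three environments, it reports keys that are missing in some environment, non-secret keys whose values differ, and secret keys whose values are reused between environments. The three sample configurations are constructed, and the rules for which keys count as secrets (`SECRET_KEY_MARKERS`) and which are expected to differ anyway (`ALLOWED_TO_DIFFER`, e.g. node endpoints) are this example's assumptions.

```python
# Keys containing one of these substrings are treated as secrets (assumption).
SECRET_KEY_MARKERS = ("password", "secret", "private_key", "token")
# Keys containing one of these substrings legitimately differ per environment (assumption).
ALLOWED_TO_DIFFER = ("endpoint", "hostname")


def is_secret(key: str) -> bool:
    return any(m in key.lower() for m in SECRET_KEY_MARKERS)


def may_differ(key: str) -> bool:
    return any(m in key.lower() for m in ALLOWED_TO_DIFFER)


def compare_environments(envs: dict[str, dict[str, object]]) -> list[str]:
    """Return a list of findings; an empty list means the check passes.

    envs maps an environment name ("dev", "staging", "prod") to a flat dict of
    configuration key -> value."""
    findings: list[str] = []
    names = list(envs)
    all_keys = set().union(*(set(cfg) for cfg in envs.values()))
    for key in sorted(all_keys):
        present = {n: envs[n][key] for n in names if key in envs[n]}
        if len(present) != len(names):
            missing = sorted(set(names) - set(present))
            findings.append(f"{key}: missing in {', '.join(missing)}")
            continue
        values = list(present.values())
        if is_secret(key):
            # Same config layout, but every environment must hold its own secret.
            if len(set(values)) != len(values):
                findings.append(f"{key}: secret value reused across environments")
        elif not may_differ(key) and len(set(values)) != 1:
            findings.append(f"{key}: value differs across environments {present}")
    return findings


# Constructed sample configurations for a three-environment consortium node.
SAMPLE_ENVS = {
    "dev": {
        "consensus.type": "raft",
        "tls.enabled": False,                 # drifted from staging/prod
        "db.password": "dev-pass",
        "node.endpoint": "dev-node-1:7050",
        "log.level": "debug",
    },
    "staging": {
        "consensus.type": "raft",
        "tls.enabled": True,
        "db.password": "dev-pass",            # reused secret
        "node.endpoint": "stg-node-1:7050",
        "log.level": "info",
    },
    "prod": {
        "consensus.type": "raft",
        "tls.enabled": True,
        "db.password": "prod-only-value",
        "node.endpoint": "prod-node-1:7050",
        # log.level missing here
    },
}


if __name__ == "__main__":
    for finding in compare_environments(SAMPLE_ENVS):
        print(finding)
```

The value comparison is deliberately strict (exact equality, including booleans) because the point of the requirement is to catch environment drift, and an evaluator would treat any difference outside the allow-list as something the operator has to explain.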

5.2.2 Protection against access control vulnerabilities

This evaluation unit includes the following requirements:

a) Evaluation indicator: security protection measures shall be in place against access control vulnerabilities such as missing function-level access control.

b) Evaluation object: the vulnerability protection method.

c) Evaluation implementation includes the following:

1) whether an attack-detection mechanism is in place, for example detecting that legitimate users are unable to provide input normally, abnormal use, repeated requests and the like.

d) Evaluation judgement: if the above evaluation implementation item is affirmative, the indicator requirements of this evaluation unit are met; otherwise they are not met.

5.2.3 Protection against data leakage vulnerabilities

This evaluation unit includes the following requirements:

a) Evaluation indicator: security protection measures shall be in place against data leakage vulnerabilities such as sensitive data exposure.

b) Evaluation object: the vulnerability protection method.

c) Evaluation implementation includes the following:

1) whether a purge mechanism is in place for important sensitive data that does not need to be stored.

d) Evaluation judgement: if the above evaluation implementation item is affirmative, the indicator requirements of this evaluation unit are met; otherwise
