|
US$759.00 ยท In stock
Delivery: <= 6 days. True-PDF full-copy in English will be manually translated and delivered via email.
GB/T 25056-2018: Information security technology -- Specifications of cryptograph and related security technology for certificate authentication system
Status: Valid GB/T 25056: Evolution and historical versions
| Standard ID | Contents [version] | USD | STEP2 | [PDF] delivered in | Standard Title (Description) | Status | PDF |
| GB/T 25056-2018 | English | 759 |
Add to Cart
|
6 days [Need to translate]
|
Information security technology -- Specifications of cryptograph and related security technology for certificate authentication system
| Valid |
GB/T 25056-2018
|
| GB/T 25056-2010 | English | RFQ |
ASK
|
3 days [Need to translate]
|
Information security techniques -- Specifications of cryptograph and related security technology for certificate authentication system
| Obsolete |
GB/T 25056-2010
|
PDF similar to GB/T 25056-2018
Basic data | Standard ID | GB/T 25056-2018 (GB/T25056-2018) | | Description (Translated English) | Information security technology -- Specifications of cryptograph and related security technology for certificate authentication system | | Sector / Industry | National Standard (Recommended) | | Classification of Chinese Standard | L80 | | Classification of International Standard | 35.040 | | Word Count Estimation | 38,396 | | Date of Issue | 2018-06-07 | | Date of Implementation | 2019-01-01 | | Issuing agency(ies) | State Administration for Market Regulation, China National Standardization Administration | GB/T 25056-2018: Information security technology -- Specifications of cryptograph and related security technology for certificate authentication system
---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.
Information security technology--Specifications of cryptograph and related security technology for certificate authentication system
ICS 35.040
L80
National Standards of People's Republic of China
Replace GB/T 25056-2010
Information Security Technology Certificate Authentication System Password
And related safety technical specifications
Published on.2018-06-07
2019-01-01 implementation
State market supervision and administration
China National Standardization Administration issued
Content
Foreword III
1 Scope 1
2 Normative references 1
3 Terms and Definitions 1
4 Abbreviations 3
5 Certificate Certification System 3
5.1 Overview 3
5.2 Functional Description 4
5.3 System Design 6
5.4 Digital Certificate 11
5.5 Certificate Revocation List 11
6 Key Management System 11
6.1 Structure Description 11
6.2 Functional Description 11
6.3 System Design 12
6.4 KMC and CA Secure Communication Protocol 15
7 cryptographic algorithms, cryptographic devices and interfaces 15
7.1 Cryptographic Algorithm 15
7.2 Password device 15
7.3 Password Service Interface 16
8 Certificate Authority 16
8.1 System 16
8.2 Security 17
8.3 Data Backup 20
8.4 Reliability 20
8.5 Physical Security 20
8.6 Personnel Management System 22
9 Key Management Center 22
9.1 Construction Principles 22
9.2 System 22
9.3 Security 23
9.4 Data Backup 23
9.5 Reliability 23
9.6 Physical Security 23
9.7 Personnel Management System 23
10 Certificate Authority Operation and Management Requirements 23
10.1 Personnel Management Requirements 23
10.2 CA Business Operation Management Requirements 24
10.3 Key Distribution Requirements 25
10.4 Security Management Requirements 25
10.5 Security Audit Requirements 26
10.6 Document Requirements 26
11 Key Management Center Operation Management Requirements 27
11.1 Personnel Management Requirements 27
11.2 Operation Management Requirements 28
11.3 Key Accounting Requirements 28
11.4 Security Management Requirements 28
11.5 Security Audit Requirements 28
11.6 Document Requirements 28
12 Certificate Operation Process 28
12.1 Certificate Application Process 28
12.2 Certificate Update Process 28
12.3 Certificate Revocation Process 29
12.4 User Key Recovery Process 29
12.5 Judicial Key Recovery 29
12.6 Certificate Suspending Process 30
12.7 Releasing the Certificate Suspending Process 30
Appendix A (informative) Network structure of certificate authentication system 31
Foreword
This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
This standard replaces GB/T 25056-2010 "Information Security Technology Certificate Authentication System Password and Related Security Technical Specifications", and
The main technical changes compared with GB/T 25056-2010 are as follows.
--- Modified the requirements for cryptographic algorithms (see 7.1);
--- Modified the requirements for the cryptographic service interface (see 7.3);
---Modified the password protocol of the certificate authentication system, deleted the original standard Chapter 8, and referred to GM/T 0014;
---Modified the message format and secure communication protocol between KMC and CA, deleted Appendix A and Appendix B of the original standard, and changed
Quote GM/T 0014;
--- Modified the cryptographic interface function definition, deleted the original standard Appendix C, and instead referred to GM/T 0019;
--- Added provisions for the certificate operation process (see Chapter 12).
Please note that some of the contents of this document may involve patents. The issuing organization of this document is not responsible for identifying these patents.
This standard is proposed and managed by the National Information Security Standardization Technical Committee (SAC/TC260).
This standard was drafted. Shanghai Digital Certificate Certification Center Co., Ltd., Shanghai Geer Software Co., Ltd., Beijing Digital Certification
Co., Ltd., Changchun Jida Zhengyuan Information Technology Co., Ltd., Beijing Haitai Fangyuan Technology Co., Ltd., Wuxi Jiangnan Information
Safety Engineering Technology Center, Chengdu Weishitong Information Industry Co., Ltd., Xingtang Communication Technology Co., Ltd., Shanghai Jidong Network Information
Company, Wanda Information Co., Ltd., Feitian Integrity Technology Co., Ltd., Beijing Huada Zhibao Electronic System Co., Ltd., Beijing Grip
Qi Intelligent Technology Co., Ltd., Shandong Dean Information Technology Co., Ltd., Shanghai Information Security Engineering Technology Research Center, National Cryptography Administration
Commercial password detection center.
Drafters of this standard. Liu Ping, Cui Jiuqiang, Liu Cheng, Zheng Qiang, Tan Wuzheng, Li Shusheng, Zhao Lili, Liu Zengshou, Xu Mingyi, Li Yuanzheng, Wang Nina,
Xia Dongshan, Li Haijie, Yu Huazhang, Chen Yue, Hu Junyi, Kong Fanyu, Yuan Feng, Li Zhiwei.
The previous versions of the standards replaced by this standard are.
---GB/T 25056-2010.
Information Security Technology Certificate Authentication System Password
And related safety technical specifications
1 Scope
This standard specifies the password of the digital certificate authentication system and its related security technical requirements, including. certificate authentication system, key management system
System, password algorithm, cryptographic equipment and interface, certificate authentication center, key management center, certificate authentication center operation management requirements, key management
Heart operation management requirements, certificate operation procedures, etc.
This standard is applicable to the construction, testing and evaluation of the digital certificate authentication system that guides third-party certification bodies, and regulates the digital certificate certification system.
The application of passwords and related security technologies. The construction, operation and management of the digital certificate authentication system of non-third-party certification bodies can be referred to
This standard.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only dated versions apply to this article.
For the undated references, the latest edition (including all amendments) applies to this document.
GB/T 2887 General Specification for Computer Sites
GB/T 9361 computer site safety requirements
GB/T 32905 information security technology SM3 password hash algorithm
GB/T 32918 (all parts) information security technology SM2 elliptic curve public key cryptography algorithm
GB/T 35291-2017 Information Security Technology Smart Password Key Application Interface Specification
GB/T 20518-2018 Information Security Technology Public Key Infrastructure Digital Certificate Format
GB/T 36322-2018 Information Security Technology Password Device Application Interface Specification
GB 50174 Data Center Design Specification
BMB3-1999 Technical requirements and test methods for electromagnetic shielding rooms for handling confidential information
GM/T 0014-2012 Digital Certificate Authentication System Cryptographic Protocol Specification
GM/T 0019-2012 Common Cryptographic Service Interface Specification
GM/T 0020-2012 Certificate Application Integrated Service Interface Specification
RFC6960 X.509 Internet Public Key Infrastructure Online Certificate Status Protocol (X.509InternetPublicKey
InfrastructureOnlineCertificateStatusProtocol)
3 Terms and definitions
The following terms and definitions apply to this document.
3.1
CA certificate CAcertificate
A certificate issued by one CA to another CA, a CA can also issue a certificate for itself, which is a self-signed certificate.
3.2
Certificate authentication system certificateauthenticationsystem
A system for managing the life cycle of digital certificates such as the issuance, issuance, update, and revocation of digital certificates.
3.3
Certificate policy certificatepolicy
A specified set of rules that indicates the appropriateness of the certificate for a particular group and/or specific application class with general security requirements
Use sex.
Note. A specific certificate policy can indicate the suitability of a type of certificate for the authentication of electronic data processing of commodity transactions at a certain price range.
Use sex.
3.4
Certificate revocation list certificaterevocationlist
A list of revoked certificates issued and issued by a Certificate Authority (CA).
3.5
Certificate authority
An entity that performs full lifecycle management of digital certificates, also known as an electronic certification service.
3.6
CA logout list certificateauthorityrevocationlist
Marks a list of CA's public key certificates that have been logged out, indicating that they have been invalidated.
3.7
Certificate revocation list distribution point certificaterevocationlistdistributionpoint
CDP
A directory entry or other certificate revocation list distribution source, a certificate revocation list issued through a certificate revocation list distribution point,
It can include a logout entry for a subset of all certificates issued by one CA, or a logout entry for all certificates.
3.8
Certificate serial number certificateateerialnumber
An integer used to uniquely identify a digital certificate in a certificate issued by a certificate authority.
3.9
Digital certificate digitalcertificate
Public key certificate
Signed by a certificate authority (CA) containing public key owner information, public key, issuer information, expiration date, and extension letter
A data structure of interest. According to the category, it can be divided into personal certificate, agency certificate and equipment certificate, which can be divided into signature certificate and encryption according to the purpose.
certificate.
3.10
Private key privatekey
A non-public key that can only be used by the owner in an asymmetric cryptographic algorithm.
3.11
Public key publickey
A key that can be exposed in an asymmetric cryptographic algorithm.
3.12
Certificate authority
An entity that accepts applications for the application, renewal, recovery, and cancellation of digital certificates.
3.13
Security policy securitypolicy
A set of rules issued by a certificate authority to constrain the use of security services and the way they are used and provided.
3.14
SM2 algorithm SM2algorithm
Algorithm defined by GB/T 32918 (all parts).
3.15
SM3 cryptographic hash algorithm SM3cryptographichashalgorithm
Algorithm defined by GB/T 32905.
3.16
Trust trust
It is generally said that one entity trusts another entity to indicate that the latter entity will perform related activities in full compliance with the provisions of the first entity.
In this standard, trust is used to describe the relationship between an authenticating entity and a certificate authority.
4 Abbreviations
The following abbreviations apply to this document.
ARL. CA Logout List (CertificateAuthorityRevocationList)
CA. Certificate Authority (CertificateAuthority)
CRL. Certificate Revocation List (CertificateRevocationList)
HTTP. Hypertext Transfer Protocol (HypertextTransferProtocol)
HTTPS. Secure Hypertext Transfer Protocol (SecureHypertextTransferProtocol)
KMC. Key Management Center (KeyManagementCentre)
LDAP. Lightweight Directory Access Protocol (LightweightDirectoryAccessProtocol)
OCSP. Online Certificate Status Query Protocol (OnlineCertificateStatusProtocol)
OID. Object Identifier (ObjectID)
RA. Certificate Authority (RegistrationAuthority)
5 Certificate Certification System
5.1 Overview
The certificate authentication system is a security system that manages the entire process of digital certificates in the life cycle. Certificate certification system should use double certificate
Books (certificates for digital signatures and certificates for data encryption) mechanisms and the construction of dual-center (Certificate Authority and Key Management Center).
The certificate authentication system can be logically divided into a core layer, a management layer, and a service layer. The core layer is generated by a key management center and a certificate/CRL.
It is composed of the issuance system and the certificate/CRL storage and distribution system; the management layer is composed of the certificate management system and the security management system;
The book registration management system (including the remote user registration management system) and the certificate status inquiry system are composed. The logical structure of the certificate authentication system should be
As shown in Figure 1.
Figure 1 The logical structure of the certificate authentication system
5.2 Functional Description
5.2.1 Overview
The certificate authentication system provides full-process management of digital certificates in the lifecycle, including user registration management, certificates/
Certificate revocation list generation and issuance, certificate/certificate revocation list storage and distribution, certificate status query, certificate management, and security management
And so on.
5.2.2 User Registration Management System
5.2.2.1 Overview
The user registration management system is responsible for the user's certificate application, identity review and certificate download, which can be divided into local registration management system and remote injection.
Book management system.
5.2.2.2 Certificate application
Certificate applications can be either online or offline.
a) Online mode. Users log in to the user registration management system to apply for a certificate through the Internet;
b) Offline mode. The user applies for a certificate to the designated registration authority.
5.2.2.3 Identity review
The auditor conducts an identity review of the certificate applicant through the user registration management system.
5.2.2.4 Certificate download
Certificate downloads can be either online or offline.
a) Online mode. Users log in to the user registration management system to download certificates through the Internet;
b) Offline mode. The user downloads the certificate to the designated registration authority.
5.2.3 Certificate/Certificate Revocation List Generation and Issuance System
5.2.3.1 Features
The certificate/certificate revocation list generation and issuance system is responsible for generating, issuing digital certificates and certificate revocation lists.
5.2.3.2 Type of certificate
According to the subject object, the certificate is divided into three types. personnel certificate, device certificate and agency certificate.
According to the function, the certificate is divided into two types. encryption certificate and signature certificate.
5.2.3.3 Certificate mechanism
The certificate authentication system uses a dual certificate mechanism. Each user has two digital certificates, one for digital signatures and one for data
encryption. A key pair for digital signature can be generated by a user using a certificate carrier having a cryptographic operation function; a secret for data encryption
The key pair is generated by the Key Management Center and is responsible for security management. The signed certificate and the encrypted certificate are stored in the user's certificate carrier.
5.2.3.4 Certificate Generation/Issuance
The user's digital certificate is issued by the CA of the system, and the digital certificate of the root CA is issued by the root CA itself, and the digital certificate of the lower level CA is issued.
Issued by a superior CA.
5.2.3.5 Certificate Revocation List
The certificate revocation list is the information of the termination certificate used by the CA within the validity period of the certificate, and is divided into the user certificate revocation list.
(CRL) and CA Certificate Revocation List (ARL). During the use of the certificate, the application system obtains the CRL/ARL by checking
The status of the certificate.
5.2.4 Certificate/Certificate Revocation List Storage and Distribution System
The certificate/certificate revocation list storage and distribution system is responsible for the storage and distribution of digital certificates, certificate revocation lists.
According to the application environment, the certificate/certificate revocation list storage and publishing system should adopt the database or directory service mode to implement the number.
The function of storing, backing up and restoring the word certificate/certificate revocation list and providing query service.
Using the directory service method, the master and slave directory server structure should be adopted to ensure the security of the home directory server, while the slave directory server
It can be set up in a distributed manner to increase the efficiency of the system. Users can only access the slave directory server.
5.2.5 Certificate Status Query System
The certificate status query system shall provide certificate status query services for users and application systems, including.
a) CRL query. the user or application system uses the CRL address identified in the digital certificate to download the CRL and verify the validity of the certificate;
b) Online certificate status inquiry. the user or application system can query the certificate online in real time according to the method specified in RFC6960.
status.
In practical applications, one or both of the above two query methods may be adopted according to specific situations.
5.2.6 Certificate Management System
The certificate management system implements the application, review, generation, issuance, storage, and release of the certificate/certificate revocation list in the certificate authentication system.
Management and control system for functions such as logout and archiving.
5.2.7 Security Management System
The security management system mainly includes a security audit system and a security protection system.
The security audit system provides event-level auditing to track, count, and record records, behaviors, personnel, and time related to system security.
analysis.
The security system provides network security features such as access control, intrusion detection (intrusion prevention), vulnerability scanning, and virus prevention.
5.3 System Design
5.3.1 Overview
The design of the certificate certification system includes the overall design of the system and the design of each subsystem. This standard provides the design principles of the certificate certification system.
And the implementation of each subsystem, in the specific implementation process, should be based on the selected development platform and development environment for detailed design.
5.3.2 General design principles
The overall design principles of the certificate certification system are as follows.
a) The certificate certification system follows the principles of standardized and modular design;
b) The certificate authentication system sets relatively independent functional modules, and realizes various functions through secure connections between the modules;
c) that the communication between the modules uses a secure communication protocol based on an identity authentication mechanism;
d The cryptographic operations used by each module must be completed in the cryptographic device;
e) The audit log files generated by each module are transmitted and stored in a unified format;
f) User registration management system, certificate/certificate revocation list generation and issuance system and key management center can set independent numbers
Database
g) Each module of the certificate authentication system shall be provided with effective system management functions;
h) The system should have access control functions;
i) The system should fully consider the security of the system while implementing the certificate management function.
5.3.3 User Registration Management System Design
5.3.3.1 User Registration Management System Functions
The user registration management system is responsible for the application, audit and certificate creation of the user certificate/certificate revocation list. Its main functions are as follows.
a) User information entry. Enter the user's application information, the user application information includes the information required to issue the certificate, and also includes
Information for verifying the identity of the user, which is stored in the database of the user registration management system. User registration management system
It should be possible to batch receive user information generated from an external system and stored in an electronic document.
b) Review of user information. extract the user's application information, review the user's true identity, and, when the approval is passed, issue the certificate.
The required information is submitted to the issuance system.
c) User certificate download. The user registration management system provides the certificate download function. When the issuing system issues a certificate for the user, the user notes.
The book management system can download the user certificate and write the user certificate into the specified user certificate carrier and distribute it to the user.
d) Security audit. responsible for querying, counting and reporting the operation logs of the administrators and operators of the user registration management system
Table printing, etc.
e) Security management. secure access control to the login of the user registration management system, and manage the user information database and
Backup.
f) Multi-level audit. The user registration management system can adopt the hierarchical deployment mode as needed, and the certificates of different types and levels can be
Audited by different levels of user registration management systems. User registration management system should be able to support multi-level registration as needed
Management system establishment and multi-level audit mode.
The user registration management system should have the ability to process in parallel.
5.3.3.2 User Registration Management System Structure
The user registration management system has two methods. local registration management and remote registration management, which are respectively registered management, database, information entry,
Part of the composition review, certificate production, security management and security audit. Its structure is shown in Figure 2.
Figure 2 User registration management system logical structure
5.3.4 Certificate/Certificate Revocation List Generation and Issuance System Design
5.3.4.1 Certificate/Certificate Revocation List Generation and Issuance System Functions
The certificate/certificate revocation list generation and issuance system is the core of the certificate authentication system, and not only provides the issuance certificate for the entire certificate authentication system.
The book/certificate revocation list service also undertakes the main security management work in the entire certificate authentication system. Its main functions are as follows.
a) Certificate generation and issuance. reading and checking user information from the database, applying to the key management center according to the type of certificate to be issued
Encrypt the key pair, generate the user's signature certificate and encryption certificate, and publish the signed certificate to the directory server and data.
In the library. Depending on the configuration and management policy of the system, different types or uses of certificates can use different signature keys.
b) Certificate update. The system should provide the update function of CA certificate and user certificate.
c) Certificate revocation list generation and issuance. receiving the cancellation information, verifying the signature in the cancellation information, and then issuing a certificate revocation list,
The signed-out logout list is published to the database or directory server. Signing the certificate revocation list can be signed and signed
The certificate's signature key is the same or different.
d) Security audit. responsible for the operation log of the manager/operator of the certificate/certificate revocation list generation and issuance system
Query, statistics, and report printing.
e) Security management. secure access control for certificate/certificate revocation list generation and login system login, and withdrawal of certificate/certificate
Sales list database for management and backup; set up administrators, operators, and apply for and download digital certificates for these people; configuration
Different password devices; configure different certificate templates.
The certificate/certificate re...
Tips & Frequently Asked Questions:Question 1: How long will the true-PDF of GB/T 25056-2018_English be delivered?Answer: Upon your order, we will start to translate GB/T 25056-2018_English as soon as possible, and keep you informed of the progress. The lead time is typically 4 ~ 6 working days. The lengthier the document the longer the lead time. Question 2: Can I share the purchased PDF of GB/T 25056-2018_English with my colleagues?Answer: Yes. The purchased PDF of GB/T 25056-2018_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet. Question 3: Does the price include tax/VAT?Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countriesQuestion 4: Do you accept my currency other than USD?Answer: Yes. If you need your currency to be printed on the invoice, please write an email to [email protected]. In 2 working-hours, we will create a special link for you to pay in any currencies. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay. Question 5: Should I purchase the latest version GB/T 25056-2018?Answer: Yes. Unless special scenarios such as technical constraints or academic study, you should always prioritize to purchase the latest version GB/T 25056-2018 even if the enforcement date is in future. Complying with the latest version means that, by default, it also complies with all the earlier versions, technically.
|