|
US$339.00 · In stock
Delivery: <= 4 days. True-PDF full-copy in English will be manually translated and delivered via email.
GB/T 38541-2020: Information security technology - Guidance of cryptographic application for electronic records
Status: Valid
| Standard ID | Contents [version] | USD | STEP2 | [PDF] delivered in | Standard Title (Description) | Status | PDF |
| GB/T 38541-2020 | English | 339 |
Add to Cart
|
4 days [Need to translate]
|
Information security technology - Guidance of cryptographic application for electronic records
| Valid |
GB/T 38541-2020
|
PDF similar to GB/T 38541-2020
Basic data | Standard ID | GB/T 38541-2020 (GB/T38541-2020) | | Description (Translated English) | Information security technology - Guidance of cryptographic application for electronic records | | Sector / Industry | National Standard (Recommended) | | Classification of Chinese Standard | L80 | | Classification of International Standard | 35.040 | | Word Count Estimation | 18,184 | | Date of Issue | 2020-03-06 | | Date of Implementation | 2020-10-01 | | Issuing agency(ies) | State Administration for Market Regulation, China National Standardization Administration | GB/T 38541-2020: Information security technology - Guidance of cryptographic application for electronic records
---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.
Information security technology - Guidance of cryptographic application for electronic records
ICS 35.040
L80
National Standards of People's Republic of China
Information Security Technology Electronic File Password Application Guide
2020-03-06 released
2020-10-01 implementation
State Administration for Market Regulation
Issued by the National Standardization Management Committee
Table of contents
Preface Ⅲ
1 Scope 1
2 Normative references 1
3 Terms and definitions 1
4 Abbreviations 2
5 Overview 2
5.1 Cryptographic Application Technology Framework 2
5.2 Safety goal 2
5.3 Application System 3
5.4 User 3
5.5 Electronic file 3
5.6 Cryptographic Algorithms and Cryptographic Services 3
6 Password operation method of electronic files 4
6.1 Basic Principle 4
6.2 Confidentiality 4
6.3 Completeness 5
6.4 Authenticity 6
6.5 Non-repudiation 6
7 Password application method of application system 7
7.1 Basic principles 7
7.2 Identification 7
7.3 Access control 7
7.4 Storage Security 7
7.5 Exchange Security 7
7.6 Audit Trail 9
8 Electronic file password application reference 9
Appendix A (informative appendix) Example of the application of passwords for the electronic document formation and processing system 10
Foreword
This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
Please note that certain contents of this document may involve patents. The issuing agency of this document is not responsible for identifying these patents.
This standard was proposed and managed by the National Information Security Standardization Technical Committee (SAC/TC260).
Drafting organizations of this standard. Zhongan Wangmai (Beijing) Technology Co., Ltd., Beijing Electronic Technology Institute, Beijing Guomai Xinan Technology Co., Ltd.
Company, Commercial Cryptographic Testing Center of National Cryptography Administration, Beijing Haitai Fangyuan Technology Co., Ltd., Beijing Shusheng Electronic Technology Co., Ltd.,
China Software and Technology Services Co., Ltd.
The main drafters of this standard. Tong Xinhai, Wu Keke, Feng Yan, Liu Xin, Xie Sijiang, Wang Jianing, Wang Tianshun, Yuan Feng, Lu Chunmei, Jiang Hongyu,
Hao Lichen, Zheng Zhimei, Li Qiang.
Information Security Technology Electronic File Password Application Guide
1 Scope
This standard proposes the technical framework and security goals for the cryptographic application of electronic files, and describes the methods for cryptographic operations on electronic files
And electronic file application systems using cryptographic technology.
This standard applies to the development and use of electronic document application systems.
2 Normative references
The following documents are indispensable for the application of this document. For dated reference documents, only the dated version applies to this article
Pieces. For undated references, the latest version (including all amendments) applies to this document.
GB/T 20518 Information Security Technology Public Key Infrastructure Digital Certificate Format
GB/T 25069-2010 Information Security Technical Terms
GB/T 31913-2015 General functional requirements for the formation and processing system of electronic documents
GB/T 32905 Information Security Technology SM3 Cipher Hash Algorithm
GB/T 32907 Information Security Technology SM4 Block Cipher Algorithm
GB/T 32918 (all parts) Information security technology SM2 elliptic curve public key cryptographic algorithm
GB/T 35275 Information Security Technology SM2 Cryptographic Algorithm Encrypted Signature Message Syntax Specification
GM/T 0019 General Cryptographic Service Interface Specification
GM/T 0031 Technical Specification for the Application of Secure Electronic Signature and Password
GM/T 0033 Time Stamp Interface Specification
GM/T 0054 Information system password application basic requirements
GM/T 0055-2018 Technical Specification for Electronic File Encryption Application
3 Terms and definitions
GB/T 31913-2015, GB/T 25069-2010, GM/T 0055-2018 defined and the following terms and definitions apply to
This document. For ease of use, some terms and definitions in GM/T 0055-2018 are listed repeatedly below.
3.1
Electronic document
Formed in digital equipment and the environment, stored in digital form on tapes, disks, CDs, smart cryptographic keys and other carriers, relying on computers
Text, graphics, audio, video and other different forms of documents that can be read and processed by digital devices and can be transmitted on the communication network are determined by the content of the documents.
And file attributes.
Note. Rewrite GB/T 31913-2015, definition 3.1.
3.2
Electronic Documents
Electronic documents reflecting various management activities such as party affairs, government affairs, production and operation management.
3.3
label
A segment of digital entity bound to an electronic file, used to identify the attributes and status of the file, and define the operation object, operation behavior and
Access authority, record the operator's operation behavior in the file processing link, ensure that the file is created, modified, authorized, read, signed, stamped, and typed.
The operation of printing, adding watermark, circulation, archiving, and destruction is always in a safe and controllable state, providing traceability and auditing for application systems.
in accordance with.
[GM/T 0055-2018, definition 3.3]
3.4
operating system
Taking electronic files as the processing object, creating, modifying, authorizing, reading, signing, stamping, printing, adding watermarks, circulation,
System for archiving and destruction operations.
3.5
Digital envelope
A data structure that contains a ciphertext encrypted with a symmetric key and the symmetric key encrypted with a public key.
4 Abbreviations
The following abbreviations apply to this document.
5 overview
5.1 Cryptographic Application Technology Framework
The technical framework of the cryptographic application of electronic files is shown in Figure 1.
All cryptographic algorithms and cryptographic protocols involved in this standard should follow cryptographic-related national standards and industry standards.
Figure 1 Technical framework of electronic file password application
5.2 Safety goals
The security goals of electronic file management include confidentiality, integrity, authenticity and non-repudiation.
In order to achieve the security goals of electronic file management, cryptographic technology should be used to ensure the security of the entire life cycle of electronic files. Guaranteed electricity
The formation process of the sub-file is true and reliable, to ensure that the electronic file has not been tampered with during the process of transmission (exchange), reception and storage, and to ensure that the electronic file
Documents are not leaked to unauthorized visitors, ensuring that the operator of the electronic document cannot deny its operation and processing results.
The security of electronic files is guaranteed by the security of file content and the security of file attributes.
5.3 Application system
Following GB/T 31913-2015, in the full life cycle of electronic documents, three types of systems are generally experienced, namely business systems, electronic documents
Document management system and long-term storage system for electronic files.
The business system is also called the electronic document formation and processing system, which mainly provides the information involved in the process from formation to handling of electronic documents.
Business functions, and provide data interfaces to connect with other systems. The electronic document management system is responsible for capturing electronic documents from the business system, maintaining
It protects the various associations between documents, documents and businesses, supports inquiry and utilization, and handles them in an orderly, systematic and auditable manner.
The electronic file long-term preservation system maintains and provides use of electronic files in a correct and long-term effective way.
5.4 Users
The user is the operator of the application system, including the business operator of the electronic file and the system manager of the application system.
Business operators refer to the creation of electronic files in the business system, electronic file management system, and electronic file long-term storage system.
Personnel who create, modify, authorize, read, sign for approval, stamp, print, transfer, archive, and destroy.
System administrators refer to the personnel who manage and maintain the application system, including system administrators, audit administrators and confidentiality administrators.
5.5 Electronic documents
Electronic files are the operating objects of the application system.
The file content can contain one or more files.
File attributes include identification attributes, metadata attributes, security attributes, batch attributes, seal attributes, watermark attributes, permission attributes, and log attributes.
Sex and extended attributes. The identification attribute is the unique identification of the file. The identification is determined when the electronic file is created and is used throughout the life of the electronic file.
It remains unchanged during the period; metadata attributes describe the background, content, structure and data of the entire management process of electronic files; security attributes describe and
Data related to the attributes and status of electronic file password operations, including encryption and signature of file content and related file attributes.
The algorithm identification of the algorithm used, the digital certificate information, the signature result, etc.; the signature attribute defines the signature and verification of the file
The batch behavior performs the operation of signing, including the information of the person who signed the batch, the time of the batch, the content of the batch, etc.; the seal attribute defines the file
Chapter and verification operations, including the information of the person who signed the seal, signing time, electronic signature, etc.; the watermark attribute defines the operation of embedding/extracting the watermark on the file
It includes watermark setting person, watermark setting time, watermark content, watermark location, etc.; permission attributes define the reading, writing, printing, and encryption of files
Operation permissions such as code operations; log attributes define the log information during file operations; extended attributes are attributes customized by the application system
The application system defines its structure and the meaning of each element according to actual application needs.
File attributes can be organized as tags in accordance with GM/T 0055-2018.There is a unique binding relationship between electronic files and tags.
Linked storage can also be externally linked.
File attributes can also be organized by the application system in a self-maintaining manner. The application system can customize the fields contained in the attributes according to the meaning of the attributes.
And directly perform password operations on file attributes to ensure the security of file attributes and maintain its association with electronic files.
5.6 Cryptographic Algorithms and Cryptographic Services
5.6.1 Cryptographic Algorithm
The cryptographic operations of electronic files should use symmetric algorithms, asymmetric algorithms, and hash algorithms, and GB/T 32918,
GB/T 32905, GB/T 32907 or other cryptographic algorithms approved by the national cryptographic management department.
Symmetric algorithms are used to encrypt and decrypt file content and file attributes. Asymmetric algorithms are used to encrypt and decrypt symmetric keys, and perform digital
Signature and signature verification. The hash algorithm is used for integrity calculation and verification. The symmetric algorithm can use multiple modes such as CBC, OFB, CFB, CTR, etc.
formula. When using OFB and CFB modes, the application system should set the number of feedback bits.
The call to the cryptographic algorithm is completed through the identification of the cryptographic algorithm.
5.6.2 General Password Service
General cryptographic services include digital certificate services, encryption/decryption services, signature/verification services, hash computing services, etc. Universal password service
Services are provided by cryptographic infrastructure such as certificate authentication systems, cryptographic equipment/components, etc., and are implemented by calling related service interfaces. Provide password service
The certification system and cryptographic equipment/components of the company should follow relevant national standards and industry standards, and be certified by the national cryptographic management department.
The password service interface should follow GM/T 0019.The digital certificate format should follow GB/T 20518.The signature syntax should follow GB/T 35275.
5.6.3 Typical Password Service
Typical cryptographic services include identity authentication services, electronic seal services, and time stamp services.
The identity authentication service is used to realize user identity authentication based on digital certificates.
The electronic seal service is used to stamp, verify and read the seal of electronic documents. The electronic seal service interface should follow GM/T 0031.
The time stamp service is used to provide time information for digital signatures and electronic seals. The time stamp service interface should follow GM/T 0033.
5.6.4 Key
The keys involved in electronic files are divided into symmetric keys and asymmetric keys according to their types, and are divided into user keys and system keys according to their use.
The symmetric key is generated by the general cryptographic service and used to encrypt electronic files; the asymmetric key includes a signature key pair and an encryption key pair, which can be
Derived from the certificate authentication system, the signature key pair is used for the signature and verification of electronic files in the transmission, exchange and storage process, and the encryption key pair
Used for symmetric key encryption and decryption.
User keys include user signature public and private key pairs and user encryption public and private key pairs. All users in the system should be equipped with corresponding signature certificates and
Encryption certificate; the system key includes a system signature key pair and a system encryption key pair. All electronic file application systems should be equipped with corresponding signature certificates and encryption certificates.
6 Password operation method of electronic file
6.1 Basic principles
In the application system, encryption technology can be used to protect the confidentiality, integrity, authenticity and non-repudiation of electronic files. In reality
In the process of international use, the security goals of electronic files can be determined according to the importance and application scenarios of electronic files. Guarantee documents when needed
Confidentiality and integrity of the electronic file should be protected first, and then the confidentiality of the electronic file should be protected.
6.2 Confidentiality
6.2.1 Confidentiality of document content
The digital envelope method can be used to encrypt the content of the file to ensure the confidentiality of the file content.
When the file attributes are organized by label, the application system should follow GM/T 0055-2018 and call the electronic file password service center
The file performs encryption and decryption operations on the specified file content.
When the file attributes are maintained by the application system, the application system can directly encrypt and decrypt the specified file content.
The symmetric key of the encryption operation should be randomly generated, and one document should be encrypted, and the application system cannot obtain the clear symmetric key.
The file content encryption operation method is as follows.
a) Obtain the symmetric algorithm and asymmetric algorithm identification;
b) Call the general cryptographic service to generate a symmetric key;
c) Call the symmetric encryption service to use the symmetric key to encrypt the file content;
d) Invoke the asymmetric encryption service to encrypt the symmetric key with the public key of the electronic file recipient or the application system;
e) Encapsulate the encrypted symmetric key and the file content encrypted by the symmetric key in a digital envelope format to form the encrypted file content;
If there are multiple recipients of the electronic file, each recipient's encryption public key is used to encrypt the symmetric key, and all recipients'
Encrypted symmetric key, the content of the file encrypted by the symmetric key is encapsulated in the head of the digital envelope;
f) Store the algorithm identification, algorithm mode, and number of feedback bits in the security attribute.
The operation method of file content decryption is as follows.
a) Obtain the symmetric algorithm and asymmetric algorithm identification of encrypted electronic files from the security attributes;
b) Call the asymmetric decryption service according to the asymmetric algorithm identification, and use the encrypted private key to decrypt the encrypted symmetric key to obtain the symmetric key;
c) Call the symmetric decryption service according to the symmetric algorithm identification, and use the symmetric key to decrypt the file content.
6.2.2 Confidentiality of document attributes
According to the needs, the digital envelope can be used to determine the metadata attributes, seal attributes, watermark attributes, and permissions attributes in the file attributes.
The sex information is encrypted to ensure the confidentiality of the corresponding attribute information.
When file attributes are organized by label, the confidentiality protection of the corresponding attributes should be followed in GM/T 0055-2018.
When the file attributes are maintained by the application system, the application system can use the encapsulated digital envelope method to control metadata attributes, seal attributes, etc.
The attribute information that needs to be protected is encrypted and decrypted. The specific encryption and decryption method is the same as 6.2.1.
6.3 Completeness
6.3.1 Integrity of file content
The file content can be signed to ensure the integrity of the file content.
When the file attributes are organized by label, the application system should follow GM/T 0055-2018 and call the electronic file password service center
The file performs signature operations and verification operations on the specified file content.
When the file attributes are maintained by the application system, the file content can be signed to ensure the integrity of the file content. The process of adding a signature is as follows.
a) Obtain the signature algorithm and hash algorithm identification;
b) Call the hash algorithm service to calculate the summary of the content of the file in plain text;
c) Use the signature private key of the business operator or application system to digitally sign the digest value;
d) Fill the signature value, algorithm ID and signature certificate into the security attributes in order.
The integrity of the file content can be verified by verifying and signing the file content. The process is as follows.
a) Obtain the hash algorithm identifier, signature algorithm identifier, signature certificate information and signature value of the electronic file signature from the security attributes;
b) According to the hash algorithm identification, call the hash algorithm service to calculate the summary of the file content;
c) Call the signature verification service according to the signature algorithm identification, and use the signature public key and digest value to verify the signature value of the file content.
6.3.2 Integrity of file attributes
When the file attributes are organized by label, it should follow GM/T 0055-2018, and use the method of signing the label to ensure
The integrity of file attributes.
When the file attributes are maintained by the application system, the method of signing the file attributes can be used to ensure the file attributes (excluding date and time).
Log attributes). The application system can ensure the integrity of the log attributes of a single file by protecting the integrity of the application system log.
When file attributes (excluding log attributes) are formed or updated, the signature operation process is as follows.
a) Obtain the signature algorithm and hash algorithm identification;
b) Call the hash algorithm service to calculate the summary for other attributes except security attributes;
c) Call the hash algorithm service to calculate the digest for the content in the security attribute except the self-signed information;
d) Assemble all calculated summaries according to established rules;
e) Call the hash algorithm service to recalculate the summary of the assembled data;
f) Invoke the signature algorithm service to digitally sign the digest value using the signature private key of the business operator or application system;
g) Fill the signature value, algorithm ID and signature certificate in order into the self-signed information of the security attribute.
The integrity of the file attributes (excluding log attributes) can be verified by verifying the signature. The signature verification operation method is as follows.
a) Obtain the hash algorithm ID, signature algorithm ID, signature certificate information and signature value of the file attribute signature from the security attributes;
b) According to the hash algorithm identification, call the hash algorithm service to calculate the digest for other attributes except security attributes;
c) Call the hash algorithm service to calculate the digest for the content in the security attribute except the self-signed information;
d) Assemble all calculated summaries according to established rules;
e) Call the hash algorithm service to recalculate the summary of the assembled data;
f) Call the signature verification service according to the signature algorithm identification, and use the signature public key and the digest value to verify the file attribute signature value.
6.4 Authenticity
6.4.1 The authenticity of the file content
The authenticity of the file content is guaranteed by the file’s signature, seal, and watermark attributes. The digital signature generation process is as follows.
a) Signing attributes. Use the signer’s signature private key to digitally sign the signed data, the signature content includes the signer’s information and the time of signing
Time, signed batch content, document content, etc.;
b) Seal attributes. use the signature private key of the signature person to digitally sign the signature data to form an electronic seal, and the signature data includes the signature person
Information, signature time, document content, etc.;
c) Watermark attributes. Use the private key of the watermark setter to digitally sign the watermark data. The watermark data includes the watermark setter, watermark
Setting time, watermark content, watermark location, etc.
The operation method to verify the authenticity of the file content is as follows.
a) Verification of the signature and batch attributes. the digital signature of the signature and batch attributes is verified by the signer's signature public key;
b) Verify seal attributes. use the signature public key of the signer to verify the digital signature of the seal attributes;
c) Verify watermark attributes. Use the public key of the watermark setter to verify the digital signature of the watermark attributes.
6.4.2 The authenticity of file attributes
The authenticity of the file attributes is guaranteed by the digital signature of the file attributes. The signature and verification operations are the same as 6.3.2.
6.5 Non-repudiation
The non-repudiation of the operation behavior and operation result of the electronic file by the business operator can be determined by the signature attribute, seal attribute and watermark attribute
It can be guaranteed by the digital signature in, and it can also be guaranteed by the business operator log.
The digital signature and verification process in the batch attribute, seal attribute and watermark attribute are the same as 6.4.1.
When a business operator operates on a file, a business operator log...
Tips & Frequently Asked Questions:Question 1: How long will the true-PDF of GB/T 38541-2020_English be delivered?Answer: Upon your order, we will start to translate GB/T 38541-2020_English as soon as possible, and keep you informed of the progress. The lead time is typically 2 ~ 4 working days. The lengthier the document the longer the lead time. Question 2: Can I share the purchased PDF of GB/T 38541-2020_English with my colleagues?Answer: Yes. The purchased PDF of GB/T 38541-2020_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet. Question 3: Does the price include tax/VAT?Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countriesQuestion 4: Do you accept my currency other than USD?Answer: Yes. If you need your currency to be printed on the invoice, please write an email to [email protected]. In 2 working-hours, we will create a special link for you to pay in any currencies. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay.
|