| GB/T 25056-2018: Information security technology -- Specifications of cryptograph and related security technology for certificate authentication system
Status: Valid
Basic data

Standard ID: GB/T 25056-2018 (GB/T25056-2018)
Description (Translated English): Information security technology -- Specifications of cryptograph and related security technology for certificate authentication system
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.040
Word Count Estimation: 38,396
Date of Issue: 2018-06-07
Date of Implementation: 2019-01-01
Issuing agency(ies): State Administration for Market Regulation, China National Standardization Administration

This is a DRAFT version for illustration, not a final translation.

ICS 35.040
L80
National Standard of the People's Republic of China
GB/T 25056-2018
Replaces GB/T 25056-2010
Issued on 2018-06-07; implemented on 2019-01-01
Issued by the State Administration for Market Regulation and the China National Standardization Administration

Contents

Foreword
1 Scope
2 Normative references
3 Terms and Definitions
4 Abbreviations
5 Certificate Authentication System
5.1 Overview
5.2 Functional Description
5.3 System Design
5.4 Digital Certificate
5.5 Certificate Revocation List
6 Key Management System
6.1 Structure Description
6.2 Functional Description
6.3 System Design
6.4 KMC and CA Secure Communication Protocol
7 Cryptographic algorithms, cryptographic devices and interfaces
7.1 Cryptographic Algorithm
7.2 Cryptographic Device
7.3 Cryptographic Service Interface
8 Certificate Authority
8.1 System
8.2 Security
8.3 Data Backup
8.4 Reliability
8.5 Physical Security
8.6 Personnel Management System
9 Key Management Center
9.1 Construction Principles
9.2 System
9.3 Security
9.4 Data Backup
9.5 Reliability
9.6 Physical Security
9.7 Personnel Management System
10 Certificate Authority Operation and Management Requirements
10.1 Personnel Management Requirements
10.2 CA Business Operation Management Requirements
10.3 Key Distribution Requirements
10.4 Security Management Requirements
10.5 Security Audit Requirements
10.6 Document Requirements
11 Key Management Center Operation Management Requirements
11.1 Personnel Management Requirements
11.2 Operation Management Requirements
11.3 Key Accounting Requirements
11.4 Security Management Requirements
11.5 Security Audit Requirements
11.6 Document Requirements
12 Certificate Operation Process
12.1 Certificate Application Process
12.2 Certificate Update Process
12.3 Certificate Revocation Process
12.4 User Key Recovery Process
12.5 Judicial Key Recovery
12.6 Certificate Suspension Process
12.7 Certificate Suspension Release Process
Appendix A (informative) Network structure of certificate authentication system

Foreword

This standard was drafted in accordance with the rules given in GB/T 1.1-2009.

This standard replaces GB/T 25056-2010 "Information security technology -- Specifications of cryptograph and related security technology for certificate authentication system". The main technical changes compared with GB/T 25056-2010 are as follows:
--- Modified the requirements for cryptographic algorithms (see 7.1);
--- Modified the requirements for the cryptographic service interface (see 7.3);
--- Modified the cryptographic protocol of the certificate authentication system: deleted Chapter 8 of the original standard and instead referred to GM/T 0014;
--- Modified the message format and secure communication protocol between KMC and CA: deleted Appendix A and Appendix B of the original standard and instead referred to GM/T 0014;
--- Modified the cryptographic interface function definition: deleted Appendix C of the original standard and instead referred to GM/T 0019;
--- Added provisions for the certificate operation process (see Chapter 12).

Please note that some of the contents of this document may involve patents. The issuing organization of this document is not responsible for identifying these patents.

This standard is proposed and managed by the National Information Security Standardization Technical Committee (SAC/TC260).

Drafting organizations of this standard: Shanghai Digital Certificate Certification Center Co., Ltd., Shanghai Geer Software Co., Ltd., Beijing Digital Certification Co., Ltd., Changchun Jida Zhengyuan Information Technology Co., Ltd., Beijing Haitai Fangyuan Technology Co., Ltd., Wuxi Jiangnan Information Safety Engineering Technology Center, Chengdu Weishitong Information Industry Co., Ltd., Xingtang Communication Technology Co., Ltd., Shanghai Jidong Network Information Company, Wanda Information Co., Ltd., Feitian Integrity Technology Co., Ltd., Beijing Huada Zhibao Electronic System Co., Ltd., Beijing Grip Qi Intelligent Technology Co., Ltd., Shandong Dean Information Technology Co., Ltd., Shanghai Information Security Engineering Technology Research Center, National Cryptography Administration Commercial Password Detection Center.

Drafters of this standard:
Liu Ping, Cui Jiuqiang, Liu Cheng, Zheng Qiang, Tan Wuzheng, Li Shusheng, Zhao Lili, Liu Zengshou, Xu Mingyi, Li Yuanzheng, Wang Nina, Xia Dongshan, Li Haijie, Yu Huazhang, Chen Yue, Hu Junyi, Kong Fanyu, Yuan Feng, Li Zhiwei.

The previous versions of the standards replaced by this standard are:
--- GB/T 25056-2010.

Information security technology -- Specifications of cryptograph and related security technology for certificate authentication system

1 Scope

This standard specifies the cryptographic and related security technical requirements for digital certificate authentication systems, including: certificate authentication system, key management system, cryptographic algorithms, cryptographic devices and interfaces, certificate authentication center, key management center, certificate authentication center operation management requirements, key management center operation management requirements, certificate operation procedures, etc.

This standard is applicable to guiding the construction, testing and evaluation of the digital certificate authentication systems of third-party certification bodies, and to regulating the application of cryptography and related security technologies in digital certificate authentication systems. The construction, operation and management of the digital certificate authentication systems of non-third-party certification bodies may refer to this standard.

2 Normative references

The following documents are indispensable for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GB/T 2887 General Specification for Computer Sites
GB/T 9361 Computer Site Safety Requirements
GB/T 32905 Information Security Technology SM3 Cryptographic Hash Algorithm
GB/T 32918 (all parts) Information Security Technology SM2 Elliptic Curve Public Key Cryptography Algorithm
GB/T 35291-2017 Information Security Technology Smart Password Key Application Interface Specification
GB/T 20518-2018 Information Security Technology Public Key Infrastructure Digital Certificate Format
GB/T 36322-2018 Information Security Technology Cryptographic Device Application Interface Specification
GB 50174 Data Center Design Specification
BMB3-1999 Technical requirements and test methods for electromagnetic shielding rooms for handling confidential information
GM/T 0014-2012 Digital Certificate Authentication System Cryptographic Protocol Specification
GM/T 0019-2012 Common Cryptographic Service Interface Specification
GM/T 0020-2012 Certificate Application Integrated Service Interface Specification
RFC 6960 X.509 Internet Public Key Infrastructure Online Certificate Status Protocol

3 Terms and definitions

The following terms and definitions apply to this document.

3.1 CA certificate
A certificate issued by one CA to another CA. A CA can also issue a certificate for itself, which is a self-signed certificate.

3.2 Certificate authentication system
A system for managing the life cycle of digital certificates, such as the issuance, update, and revocation of digital certificates.

3.3 Certificate policy
A specified set of rules that indicates the applicability of the certificate to a particular group and/or specific application class with general security requirements.
Note: A specific certificate policy can indicate the applicability of a type of certificate to the authentication of electronic data processing of commodity transactions within a certain price range.

3.4 Certificate revocation list
A list of revoked certificates issued by a certificate authority (CA).

3.5 Certificate authority
An entity that performs full lifecycle management of digital certificates, also known as an electronic certification service.

3.6 CA revocation list (certificate authority revocation list)
A list marking the CA public key certificates that have been revoked, indicating that they have been invalidated.

3.7 Certificate revocation list distribution point (CDP)
A directory entry or other distribution source for certificate revocation lists. A certificate revocation list issued through a certificate revocation list distribution point can include revocation entries for a subset of all certificates issued by one CA, or revocation entries for all certificates.

3.8 Certificate serial number
An integer that uniquely identifies a digital certificate among the certificates issued by a certificate authority.

3.9 Digital certificate; public key certificate
A data structure, signed by a certificate authority (CA), containing public key owner information, public key, issuer information, expiration date, and extension information. By category, it can be divided into personal certificate, agency certificate and equipment certificate; by purpose, it can be divided into signature certificate and encryption certificate.

3.10 Private key
A non-public key that can only be used by the owner in an asymmetric cryptographic algorithm.

3.11 Public key
A key that can be exposed in an asymmetric cryptographic algorithm.

3.12 Registration authority
An entity that accepts requests for the application, renewal, recovery, and cancellation of digital certificates.

3.13 Security policy
A set of rules issued by a certificate authority to constrain the use of security services and the way they are used and provided.

3.14 SM2 algorithm
Algorithm defined by GB/T 32918 (all parts).

3.15 SM3 cryptographic hash algorithm
Algorithm defined by GB/T 32905.

3.16 Trust
In general, saying that one entity trusts another entity indicates that the latter entity will perform related activities in full compliance with the provisions of the first entity. In this standard, trust is used to describe the relationship between an authenticating entity and a certificate authority.

4 Abbreviations

The following abbreviations apply to this document.

ARL: Certificate Authority Revocation List
CA: Certificate Authority
CRL: Certificate Revocation List
HTTP: Hypertext Transfer Protocol
HTTPS: Secure Hypertext Transfer Protocol
KMC: Key Management Centre
LDAP: Lightweight Directory Access Protocol
OCSP: Online Certificate Status Protocol
OID: Object Identifier (Object ID)
RA: Registration Authority

5 Certificate Authentication System

5.1 Overview

The certificate authentication system is a security system that manages digital certificates throughout their life cycle. The certificate authentication system should use the dual-certificate mechanism (a certificate for digital signatures and a certificate for data encryption) and be built with dual centers (Certificate Authority and Key Management Center).
The certificate authentication system can be logically divided into a core layer, a management layer, and a service layer. The core layer is composed of the key management center, the certificate/CRL generation and issuance system, and the certificate/CRL storage and distribution system; the management layer is composed of the certificate management system and the security management system; the service layer is composed of the certificate registration management system (including the remote user registration management system) and the certificate status inquiry system. The logical structure of the certificate authentication system should be as shown in Figure 1.

Figure 1: The logical structure of the certificate authentication system

5.2 Functional Description

5.2.1 Overview

The certificate authentication system provides full-process management of digital certificates over their life cycle, including user registration management, certificate/certificate revocation list generation and issuance, certificate/certificate revocation list storage and distribution, certificate status query, certificate management, and security management.

5.2.2 User Registration Management System

5.2.2.1 Overview

The user registration management system is responsible for the user's certificate application, identity review and certificate download. It can be divided into the local registration management system and the remote registration management system.

5.2.2.2 Certificate application

Certificate applications can be either online or offline.
a) Online mode: the user logs in to the user registration management system through the Internet to apply for a certificate;
b) Offline mode: the user applies for a certificate at the designated registration authority.

5.2.2.3 Identity review

The auditor conducts an identity review of the certificate applicant through the user registration management system.

5.2.2.4 Certificate download

Certificate downloads can be either online or offline.
a) Online mode: the user logs in to the user registration management system through the Internet to download the certificate;
b) Offline mode: the user downloads the certificate at the designated registration authority.

5.2.3 Certificate/Certificate Revocation List Generation and Issuance System

5.2.3.1 Features

The certificate/certificate revocation list generation and issuance system is responsible for generating and issuing digital certificates and certificate revocation lists.

5.2.3.2 Type of certificate

According to the subject, certificates are divided into three types: personnel certificate, device certificate and agency certificate.
According to the function, certificates are divided into two types: encryption certificate and signature certificate.

5.2.3.3 Certificate mechanism

The certificate authentication system uses a dual-certificate mechanism. Each user has two digital certificates, one for digital signatures and one for data encryption.
The key pair for digital signatures can be generated by the user using a certificate carrier that has a cryptographic operation function; the key pair for data encryption is generated by the Key Management Center, which is responsible for its security management.
The signature certificate and the encryption certificate are stored in the user's certificate carrier.

5.2.3.4 Certificate Generation/Issuance

The user's digital certificate is issued by the CA of the system, the digital certificate of the root CA is issued by the root CA itself, and the digital certificate of a lower-level CA is issued by its superior CA.

5.2.3.5 Certificate Revocation List

The certificate revocation list is information about certificates whose use the CA has terminated within their validity period. It is divided into the user certificate revocation list (CRL) and the CA certificate revocation list (ARL). During the use of a certificate, the application system obtains the status of the certificate by checking the CRL/ARL.

5.2.4 Certificate/Certificate Revocation List Storage and Distribution System

The certificate/certificate revocation list storage and distribution system is responsible for the storage and distribution of digital certificates and certificate revocation lists.
According to the application environment, the certificate/certificate revocation list storage and distribution system should adopt the database or directory service mode to implement the storage, backup and restoration of digital certificates/certificate revocation lists and to provide a query service.
When the directory service mode is used, a master/slave directory server structure should be adopted to ensure the security of the master directory server, while the slave directory servers can be set up in a distributed manner to increase the efficiency of the system. Users can only access the slave directory servers.

5.2.5 Certificate Status Query System

The certificate status query system shall provide certificate status query services for users and application systems, including:
a) CRL query: the user or application system uses the CRL address identified in the digital certificate to download the CRL and verify the validity of the certificate;
b) Online certificate status query: the user or application system can query the status of the certificate online in real time according to the method specified in RFC 6960.
In practical applications, one or both of the above two query methods may be adopted according to the specific situation.

5.2.6 Certificate Management System

The certificate management system is the management and control system in the certificate authentication system that implements functions such as the application, review, generation, issuance, storage, release, revocation and archiving of certificates/certificate revocation lists.

5.2.7 Security Management System

The security management system mainly includes a security audit system and a security protection system.
The security audit system provides event-level auditing to track, count, and analyze records, behaviors, personnel, and time related to system security.
The security protection system provides network security features such as access control, intrusion detection (intrusion prevention), vulnerability scanning, and virus prevention.

5.3 System Design

5.3.1 Overview

The design of the certificate authentication system includes the overall design of the system and the design of each subsystem. This standard provides the design principles of the certificate authentication system and the implementation of each subsystem; in a specific implementation, the detailed design should be based on the selected development platform and development environment.

5.3.2 General design principles

The overall design principles of the certificate authentication system are as follows:
a) The certificate authentication system follows the principles of standardized and modular design;
b) The certificate authentication system sets up relatively independent functional modules, and realizes its functions through secure connections between the modules;
c) Communication between the modules uses a secure communication protocol based on an identity authentication mechanism;
d) The cryptographic operations used by each module must be completed in the cryptographic device;
e) The audit log files generated by each module are ...... |