GB/T 38556-2020 English PDF

GB/T 38556-2020: Information security technology - Technical specifications for one-time-password cryptographic application
Status: Valid


Basic data

Standard ID: GB/T 38556-2020 (GB/T38556-2020)
Description (Translated English): Information security technology - Technical specifications for one-time-password cryptographic application
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.040
Word Count Estimation: 46,437
Date of Issue: 2020-03-06
Date of Implementation: 2020-10-01
Quoted Standard: GB/T 2423.1-2008; GB/T 2423.2-2008; GB/T 2423.3-2016; GB/T 2423.7-2018; GB/T 2423.10-2019; GB/T 2423.21-2008; GB/T 2423.22-2012; GB/T 2423.53-2005; GB/T 4208-2017; GB/T 17626.2-2018; GB/T 18336.1; GB/T 18336.2; GB/T 18336.3; GB/T 32905; GB/T 32907
Issuing agency(ies): State Administration for Market Regulation, China National Standardization Administration
Summary: This standard specifies the dynamic password technical framework, dynamic password generation algorithm, authentication and key management. This standard is applicable to the development, production and application of dynamic password related products, and can also be used to guide the testing of related products.

GB/T 38556-2020: Information security technology - Technical specifications for one-time-password cryptographic application


---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.
ICS 35.040
L80
National Standard of the People's Republic of China
Information security technology - Technical specifications for one-time-password cryptographic application
Issued 2020-03-06; implemented 2020-10-01
Issued by the State Administration for Market Regulation and the National Standardization Management Committee

Table of contents

Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols
5 Technical framework
5.1 Overall framework
5.2 System composition
6 Dynamic password generation
6.1 Password generation method
6.2 Algorithm usage instructions
7 Authentication
7.1 Authentication module description
7.2 Authentication module services
7.3 Authentication module management functions
7.4 Security requirements
8 Key management
8.1 Overview
8.2 Module architecture
8.3 Functional requirements
8.4 System security design
8.5 Hardware cryptographic device interface description
Appendix A (normative) Hardware dynamic token requirements
Appendix B (informative) Principles of dynamic password authentication
Appendix C (informative) Authentication module interface
Appendix D (normative) Operation parameters and data description use cases
Appendix E (informative) Dynamic password generation algorithm C language implementation use case
Appendix F (normative) Dynamic password generation algorithm calculation input and output use case

Foreword

This standard was drafted in accordance with the rules given in GB/T 1.1-2009. Please note that certain contents of this document may involve patents. The issuing agency of this document is not responsible for identifying these patents. This standard was proposed by and is under the jurisdiction of the National Information Security Standardization Technical Committee (SAC/TC260). Drafting organizations of this standard: Shanghai Zhongren Network Security Technology Co., Ltd., Shanghai Fudan Microelectronics Co., Ltd., Feitian Chengxin Technology Co., Ltd., Commercial Cryptography Testing Center of the State Cryptography Administration, Beijing Jilian Network Technology Co., Ltd., Shanghai Huahong Integrated Circuit Limited Liability Company, Ziguang Tongxin Microelectronics Co., Ltd., Shanghai Forest Fruit Industry Co., Ltd. Beijing Technology Branch, and Geer Software Co., Ltd. The main drafters of this standard: Tan Jianfeng, You Lei, Li Kun, Liu Xun, Zheng Qiang, Zhu Pengfei, Tian Minqiu, Lu Chunmei, Guo Sijian, Chen Yan, Li Tian, Zhou Xueqing and Wang Fengzhen.

1 Scope

This standard specifies the dynamic password technical framework, the dynamic password generation algorithm, authentication, key management and related content. This standard applies to the development, production and application of dynamic password related products, and can also be used to guide the testing of such products.

2 Normative references

The following documents are indispensable for the application of this document. For dated references, only the dated edition applies to this document. For undated references, the latest edition (including all amendments) applies to this document.

GB/T 2423.1-2008 Environmental testing for electric and electronic products - Part 2: Test methods - Test A: Low temperature
GB/T 2423.2-2008 Environmental testing for electric and electronic products - Part 2: Test methods - Test B: High temperature
GB/T 2423.3-2016 Environmental testing - Part 2: Test methods - Test Cab: Constant humidity test
GB/T 2423.7-2018 Environmental testing - Part 2: Test methods - Test Ec: Impact caused by rough handling (mainly for equipment-type samples)
GB/T 2423.10-2019 Environmental testing - Part 2: Test methods - Test Fc: Vibration (sinusoidal)
GB/T 2423.21-2008 Environmental testing for electric and electronic products - Part 2: Test methods - Test M: Low air pressure
GB/T 2423.22-2012 Environmental testing - Part 2: Test methods - Test N: Change of temperature
GB/T 2423.53-2005 Environmental testing for electric and electronic products - Part 2: Test methods - Test Xb: Abrasion of markings and lettering caused by rubbing of fingers and hands
GB/T 4208-2017 Degrees of protection provided by enclosures (IP code)
GB/T 17626.2-2018 Electromagnetic compatibility - Testing and measurement techniques - Electrostatic discharge immunity test
GB/T 18336.1 Information technology - Security techniques - Evaluation criteria for IT security - Part 1: Introduction and general model
GB/T 18336.2 Information technology - Security techniques - Evaluation criteria for IT security - Part 2: Security functional components
GB/T 18336.3 Information technology - Security techniques - Evaluation criteria for IT security - Part 3: Security assurance components
GB/T 32905 Information security technology - SM3 cryptographic hash algorithm
GB/T 32907 Information security technology - SM4 block cipher algorithm
GB/T 32915 Information security technology - Randomness test methods for binary sequences

3 Terms and definitions

The following terms and definitions apply to this document.

3.1 Dynamic password: a one-time password generated by computing the seed key and other data with a specific algorithm.
3.2 Dynamic token: the carrier that generates and displays dynamic passwords.
3.3 Seed key: the key used to compute the dynamic password. Note: the seed key is the token seed key.
3.4 Static password: a password set by the user that does not change unless the user actively changes it.
3.5 Challenge code: data that can participate in the dynamic password generation process. Note: the challenge code is the challenge factor.
3.6 Big endian: a representation format of data in memory in which the left side is the most significant bit and the right side is the least significant bit. Note: the high-order byte of a number is placed at the low memory address and the low-order byte at the high memory address.
3.7 Authentication module: a system capable of providing dynamic password authentication services to application systems.
3.8 Service report: a statistical report produced by the system on the status and results of tokens and of the system over different time periods.
3.9 Master key: the system root key used to generate the seed key, the seed key encryption key and the manufacturer's production master key.
3.10 Seed key encryption key: the key used to encrypt the seed key.

5 Technical framework

5.1 Overall framework

The dynamic password system provides dynamic password authentication services to application systems. It is composed of the dynamic token, the authentication module and the key management module. The dynamic token generates the dynamic password, the authentication module verifies the correctness of the dynamic password, and the key management module is responsible for key management of the dynamic password system. The application system sends the dynamic password to the authentication module for authentication according to the specified protocol (message). The dynamic password system architecture is shown in Figure 1.

Figure 1 Dynamic password system architecture

5.2 System composition

5.2.1 Dynamic token
The dynamic token generates the dynamic password that serves as the basis for user authentication. See Appendix A for the requirements on hardware dynamic token products.

5.2.2 Authentication module
The authentication module performs dynamic password authentication and token synchronization, as well as the management and configuration of token-related states. It communicates with the application system through the authentication communication protocol, or lets the application system call the authentication interface, to complete dynamic password authentication, synchronization and other functions. See Appendix B for the principle of dynamic password authentication.

5.2.3 Key management module
The key management module is used for the secure generation, transmission and storage of dynamic token seed keys. It includes a system login authentication sub-module, user management sub-module, protection key generation sub-module, seed key generation sub-module, token serial number generation sub-module, time synchronization sub-module (optional), token production configuration sub-module, cryptographic machine interface module and dynamic token read-write interface, among others.

5.2.4 Application system
The application system is any application that integrates the dynamic password with the authentication module, according to the authentication communication protocol (or the authentication interface), to complete dynamic password authentication. The application system can be a software system, a hardware device, or a combination of software and hardware.

5.2.5 Authentication interface
The authentication interface is the collection of interfaces that the authentication module provides to connect the application system and the authentication module. By calling the interface, the application system can complete functions such as dynamic password authentication and synchronization. Refer to Appendix C for the interface of the authentication module.

5.2.6 Authentication communication protocol
The authentication communication protocol is the basis on which the authentication service communicates with the application system through a standard communication protocol. The application system sends messages in the specified form to complete functions such as dynamic password authentication and synchronization.

6 Dynamic password generation

6.1 Password generation method

6.1.1 Calculating the time factor

6.2 Algorithm usage instructions

6.2.1 Requirements for use
Algorithm usage should meet the following requirements:
---The block cipher algorithm should be the SM4 algorithm and should meet the requirements of GB/T 32907. The block length is 128 bits, the key length is 128 bits, the operation mode is ECB encryption, and the length of the encryption result is 128 bits.
---The cryptographic hash algorithm should be the SM3 algorithm and should meet the requirements of GB/T 32905.
---Algorithms involving random number generation should meet the requirements of GB/T 32915.

6.2.2 Instructions for use of the hash algorithm
In the S=F(K,ID) step, when the SM3 algorithm is used, K||ID is the input parameter.

6.2.3 Instructions for use of the block cipher algorithm
In the S=F(K,ID) step, when the SM4 algorithm is used, K is the operation key and ID is the input parameter. When K or ID is longer than 128 bits, the calculation proceeds as follows. When K is longer than 128 bits, let the length of K be L1 bits and let n be the smallest integer not less than L1/128; append 128*n-L1 zero bits to the end of K, then split K into groups of 128 bits, high order first, namely K1, K2, K3, ..., Kn. When ID is longer than 128 bits, let the length of ID be L2 bits and let m be the smallest integer not less than L2/128; append 128*m-L2 zero bits to the end of ID, then split ID into groups of 128 bits, high order first, namely ID1, ID2, ID3, ..., IDm. The calculation process is shown in Figure 2.
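The padding and grouping rule of 6.2.3, written out as an added C example; this is not the standard's Appendix E code. The function names and the constructed 200-bit and 130-bit inputs are assumptions, and because Figure 2 (how the groups are then fed to SM4) is not in this excerpt, only the zero padding and the high-order-first split into K1..Kn / ID1..IDm is shown.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GROUP_BITS  128
#define GROUP_BYTES 16

/* Apply the 6.2.3 rule to a bit string of bit_len bits: n is the smallest integer not less
 * than bit_len/128, 128*n - bit_len zero bits are appended, and the result is split into
 * 128-bit groups, high order first (group 1 holds the leading 128 bits).
 * `in` is MSB-first and byte-packed; when bit_len is not a multiple of 8 the unused low
 * bits of its last byte are cleared so the padding really is all zeros.
 * Returns n, or 0 when bit_len is 0 or `out` cannot hold n groups. */
size_t group_128(const uint8_t *in, size_t bit_len, uint8_t *out, size_t out_cap)
{
    if (bit_len == 0) return 0;
    size_t n = (bit_len + GROUP_BITS - 1) / GROUP_BITS;
    if (out_cap < n * GROUP_BYTES) return 0;
    size_t data_bytes = (bit_len + 7) / 8;
    memset(out, 0, n * GROUP_BYTES);          /* 128*n - bit_len zero bits of padding */
    memcpy(out, in, data_bytes);
    size_t spare = data_bytes * 8 - bit_len;  /* non-data bits in the last input byte */
    if (spare) out[data_bytes - 1] &= (uint8_t)(0xFFu << spare);
    return n;
}

/* Group i (1-based, K1/ID1 first) of a buffer filled by group_128. */
const uint8_t *group_at(const uint8_t *groups, size_t i)
{
    return groups + (i - 1) * GROUP_BYTES;
}

/* Constructed demonstration input: bit_len bits of the repeated byte `fill`,
 * grouped into a static buffer so the result can be inspected byte by byte. */
static uint8_t demo_groups[4 * GROUP_BYTES];

size_t demo_group(size_t bit_len, uint8_t fill)
{
    uint8_t in[4 * GROUP_BYTES];
    memset(in, fill, sizeof in);
    return group_128(in, bit_len, demo_groups, sizeof demo_groups);
}

unsigned demo_byte(size_t i) { return demo_groups[i]; }

int main(void)
{
    size_t n = demo_group(200, 0xAB);       /* L1 = 200 -> n = 2, 56 zero bits appended */
    for (size_t i = 1; i <= n; i++) {
        printf("K%zu =", i);
        for (size_t b = 0; b < GROUP_BYTES; b++) printf(" %02X", group_at(demo_groups, i)[b]);
        printf("\n");
    }
    return 0;
}
```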

7 Authentication

7.1 Description of the authentication module

7.1.1 Composition of the authentication module
The authentication module is a service system that provides dynamic token authentication and management to the application system. It consists of two parts:
a) the authentication service sub-module, which provides authentication and management services to applications;
b) the management sub-module, which manages the operation of the authentication module.

7.1.2 Token status
The token status is the working status of the token stored in the authentication module; see Table 1.

7.1.3 Token data
The token data should include: token serial number, key data, token status, last use time, number of consecutive errors, token offset and other configuration parameters. Among them:
a) the key data should be stored encrypted;
b) the other data should use a verification mechanism to ensure integrity.

7.1.4 Token synchronization
The authentication module should provide synchronization between the internal counter of the token and the token counter of the system. A two-way time window is used for time tokens and a one-way event window for event tokens. The window is the range used to synchronize the token time with the system time. According to the different synchronization requirements of time tokens, large, middle and small windows are provided. The requirements for each window are as follows:
a) Large window: the window size should not exceed ±10 min. When the large window is used for synchronization, the next consecutive dynamic password is also required to match, and the token offset of the system is adjusted at the same time. The large window is a restricted synchronization service, that is, further authentication or higher authority is needed before the large-window synchronization service can be executed. The large window can be used by authorized operation and maintenance personnel of the authentication module, and the verification code mechanism of the system should be used at the same time.
b) Middle window: the window size should not exceed ±5 min. When the middle window is used for synchronization, the next consecutive dynamic password is also required to match, and the token offset of the system is adjusted at the same time. The middle window can be used by the token user or by the operation and maintenance personnel of the authentication module, and the verification code mechanism of the application system should be used at the same time.
c) Small window: the window size should not exceed ±2 min. When the small window is used for synchronization, the authentication module adjusts the token offset of the system. The small window can be called automatically by the authentication module, and is used when the token user authenticates with a dynamic password.
d) The sizes of the large, middle and small windows of event tokens can be negotiated between the user and the manufacturer, but the security and effectiveness of authentication should be guaranteed.

7.1.5 Automatic lock and automatic unlock
While the token is in use, if the number of consecutive verification errors exceeds the maximum, the authentication module automatically sets the token status to "locked". After the set automatic unlock time has elapsed, the authentication module automatically unlocks the token. Automatic unlock can only unlock tokens that were locked automatically.

7.2 Authentication module services

7.2.1 Security services

7.2.1.1 Dynamic password authentication
A service that authenticates submitted dynamic passwords. The authentication methods include static password, dynamic password, and static password plus dynamic password, where the static password is the static password bound to the dynamic token.
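A C model of the synchronization windows of 7.1.4 and the automatic lock and unlock of 7.1.5, added here as an example and not taken from the standard or its Appendix E. The one-minute time step, the field and function names, and demo_otp are assumptions; demo_otp is a stand-in so the scenario can run and is not the clause 6 generation algorithm, and the operator authorization and verification code checks that 7.1.4 a) and b) require are assumed to be done by the caller before synchronize() is invoked.

```c
#include <stdbool.h>
#include <stdint.h>

#define STEP_SEC 60   /* assumed one-minute time step; the excerpt does not state the step length */

/* Window sizes of 7.1.4 in time steps: large +-10 min, middle +-5 min, small +-2 min. */
enum window { SMALL_WINDOW = 2, MIDDLE_WINDOW = 5, LARGE_WINDOW = 10 };

/* Dynamic password of the token for a given time step. demo_otp is a stand-in used only so
 * the scenario can run; it is NOT the SM3/SM4 generation algorithm of clause 6. */
typedef uint32_t (*otp_fn)(int64_t step);

uint32_t demo_otp(int64_t step)
{
    /* 7919 * d stays below 1 000 000 for |d| < 126, so no two steps in a window collide */
    return (uint32_t)(((uint64_t)step * 7919u + 104729u) % 1000000u);
}

/* Per-token data of 7.1.3 that the synchronization and lock logic needs. */
struct token_state {
    int64_t offset;              /* token offset: token step minus system step */
    unsigned consecutive_errors; /* number of consecutive verification errors */
    unsigned max_errors;         /* automatic lock once the errors exceed this */
    int64_t auto_unlock_sec;     /* automatic unlock time after an automatic lock */
    int64_t locked_at;           /* system time at which the automatic lock happened */
    bool locked;
};

/* Look for pw at every step within +-win of the offset-corrected system step.
 * On success *found receives the offset that explains the match. */
static bool search_window(otp_fn otp, int64_t sys_step, int64_t offset, int win,
                          uint32_t pw, int64_t *found)
{
    for (int d = -win; d <= win; d++)
        if (otp(sys_step + offset + d) == pw) { *found = offset + d; return true; }
    return false;
}

/* Ordinary authentication (7.1.4 c and 7.1.5): the small window is applied automatically,
 * a match adjusts the stored offset, errors beyond max_errors lock the token, and an
 * automatically locked token is released once auto_unlock_sec has elapsed. */
bool authenticate(struct token_state *t, otp_fn otp, int64_t now_sec, uint32_t pw)
{
    if (t->locked) {
        if (now_sec - t->locked_at < t->auto_unlock_sec) return false; /* still locked */
        t->locked = false;                                             /* automatic unlock */
        t->consecutive_errors = 0;
    }
    int64_t found;
    if (search_window(otp, now_sec / STEP_SEC, t->offset, SMALL_WINDOW, pw, &found)) {
        t->offset = found;
        t->consecutive_errors = 0;
        return true;
    }
    if (++t->consecutive_errors > t->max_errors) {
        t->locked = true;
        t->locked_at = now_sec;
    }
    return false;
}

/* Restricted synchronization (7.1.4 a and b): a large or middle window changes the offset
 * only when pw1 matches a step in the window AND pw2 is the next consecutive password. */
bool synchronize(struct token_state *t, otp_fn otp, int64_t now_sec, enum window win,
                 uint32_t pw1, uint32_t pw2)
{
    int64_t sys_step = now_sec / STEP_SEC, found;
    if (!search_window(otp, sys_step, t->offset, win, pw1, &found)) return false;
    if (otp(sys_step + found + 1) != pw2) return false;
    t->offset = found;
    return true;
}
```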
7.2.1.2 Challenge response authentication
A service that authenticates the submitted challenge response code. The authentication methods include challenge authentication and internal challenge authentication. In challenge authentication, the user enters the challenge code provided by the application service into the token, obtains the corresponding dynamic password and completes authentication. In internal challenge authentication, the user enters private data such as the PIN or static password into the token, obtains the corresponding dynamic password and completes authentication.

7.2.1.3 Generate challenge code
The challenge code is generated according to the request of the application. The generated challenge code formats include numeric, character, and alphanumeric. The numbers are the Arabic numerals 0-9; the characters are English letters or symbol characters and are case sensitive. The minimum and maximum length of the challenge code can be set by the authentication module.

7.2.2 Management services

7.2.2.1 Activation
Makes an inactive token available. The method for activating a dynamic password token is as follows:
a) the window used to verify the dynamic password during activation is the large window;
b) after the token is activated successfully, its status is set to ready;
c) if activation fails, the number of activation errors is recorded, but the token is not locked.

7.2.2.2 Lock
Sets a token in the ready state to the locked state on events such as consecutive errors and replay attacks. The handling after a token is locked is as follows:
a) after the token is locked, it should be returned to the ready state through the unlock service;
b) after the token is locked, it should be set to the revoked state through the revocation service.

7.2.2.3 Unlock
A locked token is unlocked with the static password, or with the static password and the dynamic password, and set to the ready state. The token unlock method is as follows:
a) the current dynamic password is required for unlocking;
b) if a static password is set, verification of the static password is required;
c) if the verification method of the static password is the internal challenge method, internal challenge authentication is used;
d) if the verification method of the static password is the static and dynamic hybrid method, static password plus dynamic password authentication is used.

7.2.2.4 Suspend
The method for setting a dynamic token to the suspended state is as follows:
a) only tokens in the ready or locked state should be set to the suspended state;
b) after the token is suspended, it should be set to the revoked state through the revocation service.

7.2.2.5 Unsuspend
The steps for unsuspending a token are as follows:
a) after successful unsuspension, the token status is set to the ready state;
b) verification of the current dynamic password is required;
c) if a static password is set, verification of the static password is required;
d) if the verification method of the static password is the internal challenge method, internal challenge authentication is used;
e) if the verification method of the static password is the ordinary method, static password plus dynamic password authentication is used.

7.2.2.6 Set static password
The steps for setting the static password bound to a dynamic token are as follows:
a) verification of the original static password is required;
b) if the verification method of the static password is the internal challenge method, internal challenge authentication is used;
c) if the verification method of the static password is the static and dynamic hybrid method, static password plus dynamic password authentication is used.

7.2.2.7 Remote PIN unlock
The authentication module can provide remote PIN unlock (for tokens with PIN protection). According to the application's request, the authentication module generates the current remote unlock PIN, which should be set according to the following:
a) the PIN unlock password is a string of digits 0-9 with a length of at least 6 digits;
b) the maximum number of attempts to unlock the PIN must not exceed 5. If th......
