GB/T 37373-2019 PDF English
GB/T 37373-2019 | Intelligent transport -- Data security service | Status: Valid
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 03.220.20
R 85
Intelligent transport - Data security service
ISSUED ON: MAY 10, 2019
IMPLEMENTED ON: DECEMBER 01, 2019
Issued by: State Administration for Market Regulation;
Standardization Administration of the People's Republic of
China.
Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Security support platform
6 Data security service
Annex A (informative) Security support platform of internet of vehicles based on PKI
Annex B (informative) Certificate authentication system
Annex C (informative) Authorization management system
Annex D (informative) Key management system
Annex E (informative) Security management system
Bibliography
Intelligent transport - Data security service
1 Scope
This Standard specifies the security support platform and data security
services of intelligent transport systems.
This Standard is applicable to intelligent transport systems that realize data
security services based on cryptography.
2 Normative references
The following referenced documents are indispensable for the application of
this document. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any
amendments) applies.
GB/T 20839-2007, Intelligent transport systems - General terminology
GB/T 22239-2008, Information security technology - Baseline for classified
protection of information system security
GB/T 25069-2010, Information security technology - Glossary
3 Terms and definitions
For the purposes of this document, the terms and definitions defined in GB/T
20839-2007 and GB/T 25069-2010 as well as the following apply. For ease of
use, some terms and definitions from GB/T 20839-2007 and GB/T 25069-2010
are repeated below.
3.1 intelligent transport systems; ITS
An integrated transport system that is based on better transportation
infrastructure, that effectively and comprehensively applies advanced science
and technology (information technology, computer technology, data
communication technology, sensor technology, electronic control technology,
automatic control theory, operations research, artificial intelligence, etc.) to
transportation, service control, and vehicle manufacturing, so as to strengthen
the connection between vehicles, roads and users, thus to form a guarantee for
safety, efficiency, environment and energy conservation.
A mode that provides and manages scalable and elastic shared physical and
virtual resource pools through network, in a manner of self-service on demand.
NOTE: Resources include servers, operating systems, networks, software, applications,
and storage devices.
[GB/T 32400-2015, definition 3.2.5]
3.8 data integrity
The property that the data has not been altered or destroyed in an unauthorized
manner.
[GB/T 25069-2010, definition 2.1.36]
3.9 confidentiality
A feature that prevents data from being leaked to or used by unauthorized
individuals, entities, processes.
[GB/T 25069-2010, definition 2.1.1]
3.10 availability
A feature of data and resources that an authorized entity can access and use
as needed.
[GB/T 25069-2010, definition 2.1.20]
3.11 digital certificate
A credible digital file that is digitally signed by a nationally-recognized,
authoritative, credible and fair third-party certificate authority (CA).
[GB/T 20518-2006, definition 3.7]
3.12 digital signature
Data that is attached to the data unit, or cryptographic transformation of data
unit. Such data or transformation allows the receiver of the data unit to verify
the source and integrity of the data unit and protect data from forgery or
repudiation by someone (e.g., recipient).
[GB/T 25069-2010, definition 2.2.2.176]
4 Abbreviations
The following abbreviations apply to this document.
and defense function to provide security management services for the
intelligent transport system, including security policy formulation, security
policy distribution, security audit, security resource management, security
protection, backup and recovery, emergency handling and disaster
recovery. See Annex E for general functional description of the security
management system.
6 Data security service
6.1 Identity authentication
6.1.1 Basic requirements
Identity authentication mainly includes identification, registration and
authentication of the identity of the device/user.
Participating entities for identity authentication generally include: manufacturer,
registration agency, CA agency. The manufacturer provides globally unique
identification for device. The registration agency issues registration certificate
for user/device based on user/device identity. The CA agency certifies validity
of certificate and authenticates user/device identity.
6.1.2 Identification
The device and the user shall be identified before accessing the intelligent
transport system, and the identification shall be unique throughout its life
cycle. The system shall manage and maintain the identification information to
ensure that it is not accessed, modified or deleted without authorization, and
that it is associated with security audit.
The identification in the intelligent transport system mainly includes device
identification and user identification:
a) See Figure 1 for device identification method;
Identity certificate - Temporary identity that is required to apply for communication in the
system;
Identity characteristics - Information or biometrics that identify the user.
NOTE: The above three parts are bound by the registration entity when the device entity
applies for identity.
Figure 2 -- User identification
6.1.3 Registration
6.1.3.1 Application for registration
The registration authority is responsible for receiving the registration request
from the device/user and determining whether the information provided by the
device/user meets the requirements. Its main functions include:
a) Information input. Input the device/user application information for
registration request, including information required to issue a certificate
and information used to verify identity. Convert such information into the
information that meets system-specific format requirements and store it in
the registry database;
b) Information review. Extract the device/user application information for
registration request. Review its true identity according to certain rules;
c) Qualification issue. When the audit is passed, submit the information
required for certificate issuance to the CA. Issue the certificate to the
device/user;
d) Association binding. Bind the temporary identity information applied for by
the device/user to its identity;
e) Security management. Apply secure access control to the registration
agency. Manage and back up the information database.
6.1.3.2 Certificate management
6.1.3.2.1 Overview
After the registration agency reviews the registration application, CA agency
shall issue the certificate to the device/user and manage the certificate.
6.1.3.2.2 Certificate issue
After the device/user submits a request to the registration agency and is
reviewed, the CA agency shall determine if a certificate request from the
device/user is accepted. Verify if the application information of the device/user
authenticate before connecting it to the system, so as to prevent illegal
access to the device;
d) It shall provide a function for handling authentication failure. It may end
the session, limit the number of illegal logins, log out automatically or take
other measures.
6.1.5 Concealing
The intelligent transport system shall realize privacy protection function for the
device/user. Under the premise of confirming its identity, use back-end support
technology to ensure that the temporary identity of the device/user is
untraceable.
6.2 Authorization management
6.2.1 Basic requirements
The intelligent transport system shall realize the authorization management
service on the basis of meeting the security requirements of identity
authentication and authorization certificate.
When the device/user applies for an authorization certificate, it shall present its
registration certificate to the authorization agency. When requesting access to
a specific resource, a valid authorization certificate shall be provided to the
management system that owns the resource.
Basic requirements for authorization management include:
a) Access control policy shall be configured by the authorization agency. It
shall control the device/user’s access to resources according to the
security policy;
b) The coverage of authorization management shall include the subject, the
object and the operation between them related to the resource access;
c) It shall have the ability to set sensitive tags for important information
resources. It shall strictly control the operation of the device/user to the
important information resources that have sensitive tags.
6.2.2 Acquisition of authorization certificate
The device/user applies for and downloads an authorization certificate from one
or more authorized authorities. The basic process to obtain an authorization
certificate includes: requesting authorization, verifying the certificate, and
obtaining authorization.
6.2.3 Update of authorization certificate
processing and interaction, mainly including data integrity, confidentiality,
availability protection.
It may use the verification value to realize data integrity protection. It can use
cryptography to realize data privacy protection.
6.4.2 Integrity protection
It can use additional message authentication code or digital signature to realize
the integrity protection of data transmission.
6.4.3 Privacy protection
It shall use cryptography to realize the confidentiality of system management
data, authentication information and important business data transmission.
6.4.4 Availability protection
It shall use cryptography to guarantee that authorized users or entities can use
and access data or resources when needed.
6.5 Liability determination
The intelligent transport system shall conduct liability determination and
evidence management on the operation behavior of device/user in the system.
Usually, it uses the digital signature technology that is based on digital
certificate to ensure that the subject of sending data can obtain the evidence
that the data is received during the data exchange. This evidence can be
verified by the subject or a third party.
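
The receipt evidence described in 6.5, as an added example that is not part of GB/T 37373-2019: the receiver signs a digest of the data it accepted, and the sender or any third party checks that receipt with the receiver's public key. Ed25519 and SHA-256 are stand-ins for the nationally approved algorithms the standard calls for, and all identifiers, field names and the payload are constructed.

```javascript
// Added illustration of section 6.5; not part of GB/T 37373-2019.
const crypto = require('node:crypto');

// Constructed receiver key pair. In the standard's model the public key would
// be bound to the receiver's identity by a CA-issued digital certificate.
// Ed25519 and SHA-256 are stand-ins for nationally approved algorithms.
const receiver = crypto.generateKeyPairSync('ed25519');

const digestOf = (data) =>
  crypto.createHash('sha256').update(data).digest('hex');

// Fixed field order so signer and verifier process identical bytes.
const encode = (b) =>
  Buffer.from(JSON.stringify([b.dataDigest, b.senderId, b.receiverId, b.receivedAt]));

// Receiver side: acknowledge exactly this data, from this sender, at this time.
function issueReceipt(data, senderId, receiverId, receivedAt, privateKey) {
  const body = { dataDigest: digestOf(data), senderId, receiverId, receivedAt };
  const signature = crypto.sign(null, encode(body), privateKey).toString('base64');
  return { body, signature };
}

// Sender or third party: check the receipt against the data and the
// receiver's public key. No secret is needed, so anyone can verify.
function verifyReceipt(receipt, data, receiverPublicKey) {
  if (receipt.body.dataDigest !== digestOf(data)) return false;
  const sig = Buffer.from(receipt.signature, 'base64');
  return crypto.verify(null, encode(receipt.body), receiverPublicKey, sig);
}

// Constructed sample exchange (identifiers are hypothetical).
const data = Buffer.from('constructed payload: road-side unit status report');
const receipt = issueReceipt(data, 'device-A', 'platform-B',
  '2019-12-01T00:00:00Z', receiver.privateKey);
console.log(verifyReceipt(receipt, data, receiver.publicKey)); // true
```

Because the signature covers the data digest together with both identities and the time of receipt, changing any of them invalidates the evidence.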
6.6 Security management
The intelligent transport system shall provide security management functions
such as security policy management, log management and core system
security defense, backup recovery, emergency response and disaster recovery
for identity management, resource management, audit management,
authorization management, key management and security services supported
by them, which can be configured according to 7.2 in GB/T 22239-2008.
Annex D
(informative)
Key management system
The key management system shall have key management functions such as
key generation, key storage, access control, key invocation, key backup
migration, and key destruction.
According to the use scope of the key, the key in the intelligent transport system
can be classified into four categories:
a) System identity key: the key related to identity. The identity key is used to
digitally sign the information inside the cryptographic module, so as to
realize identity identification in communication between identity subjects;
b) System data key: is paired with authentication key to form a double key
(that is, double certificate). Encrypt data between communicating entities
to ensure confidentiality;
c) System storage key: encrypt and store keys;
d) User key: is used to realize the cryptographic functions required by the
user, for example, confidentiality, integrity protection and authentication
during downloading entertainment services, shopping.
The key system of the intelligent transport system uses three types of
algorithms - symmetric cryptographic algorithm, asymmetric cryptographic
algorithm, and data digest algorithm - to implement various functions related to
cryptographic services. The symmetric cryptographic algorithm is for data
encryption / decryption and message authentication. The asymmetric
cryptographic algorithm is for signing / verifying and key exchange. The data
digest algorithm is for digest operation of the message to be signed.
The cryptographic algorithm requirements used by the system are as follows:
a) Symmetric key cryptography algorithm: adopt symmetric cryptographic
algorithm approved for use by national cryptographic authorities;
b) Asymmetric key cryptography algorithm: adopt asymmetric key
cryptographic algorithm approved for use by national cryptographic
authorities;
c) Data digest algorithm: adopt data digest algorithm approved for use by
national cryptographic authorities. During the process of the data digest
...... Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.