Powered by Google www.ChineseStandard.net Database: 189760 (18 May 2024)

GM/T 0034-2014 PDF in English

GM/T 0034-2014
ICS 35.040
L 80
File No.: 44635-2014
Specifications of cryptograph and related
security technology for certification system
based on SM2 cryptographic algorithm
Issued by: State Cryptography Administration
Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Certificate authentication system
5.1 Overview
5.2 Functional requirements
5.3 System design
5.4 Digital certificate
5.5 Certificate revocation list
6 Key management system
6.1 Structure description
6.2 Functional description
6.3 System design
6.4 Secure communication protocols between KMC and CA
7 Cryptography algorithm, cryptography device and interface
7.1 Cryptography algorithm
7.2 Cryptography device
7.3 Cryptography service interface
8 Certificate authentication center
8.1 System
8.2 Security
8.3 Data backup
8.4 Reliability
8.5 Physical security
9 Key management center
9.1 Construction principles
9.2 System
9.3 Security
9.4 Data backup
9.5 Reliability
9.6 Physical security
9.7 Personnel management system
10 Certificate authentication center operation and management requirements
10.1 Personnel management requirements
10.2 CA business operation management requirements
10.3 Key management requirements
10.4 Safety management requirements
10.5 Security audit requirements
10.6 File provision requirements
11 Key management center operations management requirements
11.1 Personnel management requirements
11.2 Operation management requirements
11.3 Key management requirements
11.4 Security management requirements
11.5 Security audit requirements
11.6 File provision requirements
12 Certificate operation process
12.1 Certificate application process
12.2 Certificate update process
12.3 Certificate revocation process
12.4 User key recovery process
12.5 Judicial key recovery
12.6 Certificate suspension process
12.7 Release certificate suspension process
Appendix A (Informative) Certificate authentication system network structure
References
Specifications of cryptograph and related
security technology for certification system
based on SM2 cryptographic algorithm
1 Scope
This standard specifies the cryptographic and related security technology
requirements for a digital certificate authentication system based on the SM2
cryptographic algorithm, including the certificate authentication center, key
management center, cryptographic algorithm, cryptographic device and
This standard applies to guiding the construction and testing and assessment of
the digital certificate authentication systems of third-party authorities, and to
standardizing the application of cryptographic and related security technology in
digital certificate authentication systems. The construction, operation and
management of digital certificate authentication systems of non-third-party
authorities may refer to this standard.
2 Normative references
The following documents are essential to the application of this document. For
dated references, only the edition with the indicated date applies to this
document; for undated references, the latest edition (including all amendments)
applies.
GB/T 2887 General specification for computer field
GB/T 6650 Technical conditions for movable floor of computer room
GB/T 9361 Safety requirements for computer field
GB 50174 Code for design of electronic information system room
GM/T 0014 Digital certificate authentication system cryptography protocol
GM/T 0015 Digital certificate format based on SM2 algorithm
GM/T 0016 Smart token cryptography application interface specification
- Online certificate status inquiry. The user or application system queries the
status of a certificate online in real time in accordance with the OCSP
protocol defined in RFC 6960.
In practice, either or both of the above two inquiry methods may be used,
depending on the circumstances.
5.2.6 Certificate management system
The certificate management system is a management control system which
realizes the functions of application, audit, generation, issuance, storage,
distribution, revocation and archiving of certificate/certificate revocation list in
certificate authentication system.
5.2.7 Security management system
Security management system includes security audit system and security
The security audit system provides event-level audit functions for tracking,
counting and analyzing records related to system security, personnel and time.
Security system provides access control, intrusion detection (intrusion
prevention), vulnerability scanning, virus prevention and other network security
5.3 System design
5.3.1 Overview
The design of certificate authentication system includes the overall design of
the system and the design of each subsystem. This standard provides the
design principles of certificate authentication system and the realization
methods of each subsystem. In the specific realization process, it shall perform
detailed design based on the selected development platform and development
5.3.2 Overall design principles
The overall design principles of the certificate authentication system are as follows.
a) The certificate authentication system follows standardized and modular
design principles;
b) The certificate authentication system sets up relatively independent
function modules, realizing various functions through the secure
connection between each module;
5.3.4 Certificate/certificate revocation list generation and issuance system design
Certificate/certificate revocation list generation and issuance system functions
The certificate/certificate revocation list generation and issuance system is
the core of the certificate authentication system. It not only provides the
certificate and certificate revocation list issuance service for the entire
certificate authentication system, but also undertakes the main security
management of the entire certificate authentication system.
Its main functions are as follows.
- Certificate generation and issuance. The user information is read from the
database and verified, and, according to the type of certificate to be issued,
an encryption key pair is requested from the key management center; the
user's signature certificate and encryption certificate are then generated,
and the issued certificates are published to the directory server and the
database. Depending on the system's configuration and management policies,
different signature keys can be used for different types or usages of
certificates.
- Certificate update. The system shall provide CA certificate and user
certificate update function.
- Certificate revocation list generation and issuance. Receive the revocation
information, verify the signature on the revocation information, then issue a
certificate revocation list and publish the issued list to the database or the
directory server. The signature key that issues the certificate revocation list
may be the same as, or different from, the signature key that issues
certificates.
- Security audit. Responsible for querying, counting and printing reports of the
operation logs of the administrators and operators of the certificate/certificate
revocation list generation and issuance system.
- Security management. Perform secure access control for the login to the
certificate/certificate revocation list generation and issuance system, and
manage and back up the certificate/certificate revocation list database. Set
up administrators and operators and apply and download digital certificates
for these personnel. Configure different cryptography devices; configure
different certificate templates.
The certificate/certificate revocation list generation and issuance system shall
have the ability to process in parallel.
- CRL inquiry. The user or application system uses the CRL address identified
in the certificate to download the CRL locally and verify the status of the
certificate.
- Online certificate status inquiry. The OCSP protocol is used by the user or
application system t...
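As an added example (not part of the standard or of this page's text), the dual-certificate issuance described under certificate generation and the CRL issuance and CRL inquiry steps, written against Go's standard library: one user receives a signature certificate and a separate encryption certificate (different key pairs, different key usages), the CA issues a CRL revoking only the encryption certificate, and the inquiry step accepts the CRL only after the CA's signature on it verifies. ECDSA P-256 stands in for SM2, which Go's standard library does not implement, and the CA name, user name and serial numbers are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // fail fast: this is a constructed demo, not production code
	if err != nil {
		panic(err)
	}
	return v
}
// issue signs one certificate with the CA key; a nil parent produces the self-signed root.
func issue(parent *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, cn string, usage x509.KeyUsage, pub *ecdsa.PublicKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, KeyUsage: usage,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent = t
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, caKey))))
}
// revoked is the CRL inquiry step: the CRL is consulted only if the CA's signature on it verifies.
func revoked(crlDER []byte, ca, leaf *x509.Certificate) bool {
	crl := must(x509.ParseRevocationList(crlDER))
	must(crl, crl.CheckSignatureFrom(ca))
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true
		}
	}
	return false
}
// demo: one user gets a signature and an encryption certificate (separate key pairs and KeyUsage); the CA then revokes only the encryption certificate.
func demo() (sigRevoked, encRevoked bool) {
	key := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) } // P-256 stands in for SM2
	caKey, sigKey, encKey := key(), key(), key() // in the standard, encKey is supplied by the KMC
	ca := issue(nil, caKey, 1, "Example SM2 CA", x509.KeyUsageCertSign|x509.KeyUsageCRLSign, &caKey.PublicKey)
	sig := issue(ca, caKey, 2, "alice", x509.KeyUsageDigitalSignature|x509.KeyUsageContentCommitment, &sigKey.PublicKey)
	enc := issue(ca, caKey, 3, "alice", x509.KeyUsageKeyEncipherment|x509.KeyUsageDataEncipherment, &encKey.PublicKey)
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: enc.SerialNumber, RevocationTime: time.Now()}}}
	crlDER := must(x509.CreateRevocationList(rand.Reader, crl, ca, caKey))
	return revoked(crlDER, ca, sig), revoked(crlDER, ca, enc)
}
```

demo() returns (false, true): the signature certificate is still valid while the encryption certificate is listed in the CRL, and a CRL whose signature does not verify against the CA stops the check instead of being trusted.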
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.