GM/T 0036-2014 PDF in English
GM/T 0036-2014 (GM/T0036-2014, GMT 0036-2014, GMT0036-2014)
Standard ID | Contents [version] | USD | STEP2 | [PDF] delivered in | Name of Chinese Standard | Status |
GM/T 0036-2014 | English | 150 |
Add to Cart
|
0-9 seconds. Auto-delivery.
|
Technical guidance of cryptographic application for access control systems based on contactless smart card
| Valid |
Standards related to (historical): GM/T 0036-2014
PDF Preview
GM/T 0036-2014: PDF in English (GMT 0036-2014) GM/T 0036-2014
GM
CRYPTOGRAPHY INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
File No.. 44641-2014
Technical guidance of cryptographic application for
access control system based on contactless smart card
ISSUED ON. FEBRUARY 13, 2014
IMPLEMENTED ON. FEBRUARY 13, 2014
Issued by. State Cryptography Administration
Table of Contents
Foreword ... 3
1 Scope .. 4
2 Normative references ... 4
3 Terms and definitions ... 4
4 Symbols and abbreviations ... 7
5 General description on cryptographic system .. 7
6 Cryptography-related security requirements... 9
7 Cryptographic application solution reference ... 10
8 Other security factors to be considered ... 10
Appendix A ... 12
Appendix B ... 15
Foreword
This Standard was drafted in accordance with the rules given in GB/T 1.1-2009.
This Standard was proposed by and shall be under the jurisdiction of
Cryptography Industry Standardization Technical Committee.
Main drafting organizations of this Standard. Shanghai Fudan Microelectronics
Group Co., Ltd, Shanghai Huahong Integrated Circuit Co., Ltd, Xing Tang
Communication Technology Co., Ltd, Beijing CEC Huada Electronics Design
Co., Ltd, Shanghai Huashen Smart Card Application System Co., Ltd, Tongfang
Microelectronics Co., Ltd, Aerospace Information Co., Ltd, Beijing Huada Chi
Po Electronic Systems Co., Ltd, Fudan University.
Main drafters of this Standard. Yu Jun, Dong Haoran, Liang Shaofeng, Wu
Xingjun, Zhou Jiansuo, Wang Junfeng, Xie Wenlu, Liu Xun, Chen Yue, Gu Zhen,
Wang Yunsong, Xu Shumin, Wang Junyu.
Technical guidance of cryptographic application for
access control system based on contactless smart card
1 Scope
This Standard specifies the related requirements of encryption device, cryptographic
algorithm, cryptographic protocol and key management which are applied for access
control system using cryptographic security technology based on contactless smart
card.
This Standard is applicable to guide the research, usage and management of products
related to access control system based on contactless smart card.
2 Normative references
The following referenced documents are indispensable for the application of this
document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
GM/T 0002-2012 SM4 block cipher algorithm
GM/T 0035.4-2014 Specifications of cryptographic application for RFID systems -
Part 4. Specification of cryptographic application for communication between RFID
tag and reader
3 Terms and definitions
The following terms and definitions apply to this document.
3.1 Secure access module
Cryptography module built in the reader to provide security services.
3.2 RFID tag
A carrier for radio frequency identification containing electronic identification
information relevant to the intended application. Each tag has a unique electronic code
which usually consists of coupled components and chips, including contactless CPU
card and contactless memory card.
Management of key generation, distribution, storage, update, archiving, revocation,
backup, recovery and destruction of keys throughout the life cycle according to security
policy.
3.15 Radio frequency identification
The radio frequency signal that is used to achieve the contactless transmission of
information through space coupling (alternating magnetic field or electromagnetic field),
and the purpose of identification by the transmitted information.
3.16 Audit
Independent observation and assessment of the records and activities of the
information system.
3.17 Data integrity
The nature of data not being tampered with or compromised in an unauthorized
manner.
3.18 SM1 algorithm
A block cipher algorithm, with a block length of 128 bits and a key length of 128 bits.
3.19 SM4 algorithm
A block cipher algorithm, with a block length of 128 bits and a key length of 128 bits.
3.20 SM7 algorithm
A block cipher algorithm, with a block length of 64 bits and a key length of 128 bits.
3.21 Random number
A data sequence that is unpredictable and has no periodicity.
3.22 Message authentication code
Also known as message verification code. It is the output of message authentication
algorithm.
3.23 Unique identifier
A unique identifier that is solidified in the tag chip by the tag chip manufacturer,
containing unique information such as the chip production serial number, the registered
manufacturer code, and so on.
3.24 Subject
6.5.1 Key generation
The key should be generated by random numbers that meet the requirements of
national cryptography management, and the confidentiality and randomness of the
generated keys shall be guaranteed. Ensure the process of key generation is non-
predictable, and any two keys generated in the key space have the same probability.
6.5.2 Key injection
The following two points of key injection should be noted when issuing the access card
and the cryptographic module.
a) No part of the plaintext key shall be disclosed during key injection;
b) The key can only be injected into the cryptographic device when the
cryptographic device, interface, and transmission channel are not subjected to
any situation that may cause the key or sensitive data to be compromised or
tampered with.
6.5.3 Other requirements
Throughout the whole process of key generation, injection, update and storage, make
sure that the key is not disclosed.
7 Cryptographic application solution reference
This standard provides the following cryptographic application solutions as reference.
a) The contactless logic encryption card solution based on the national
cryptographic algorithm SM7, see Appendix A;
b) The contactless CPU card solution (including scheme 1 and scheme 2) based on
the national cryptographic algorithm SM1/SM4, see Appendix B.
8 Other security factors to be considered
This standard only stressed on the security requirements for cryptographic applications.
The following factors should be taken into account in the implementation of the system
for the overall security of the system.
a) Management requirements of background management system;
b) Security of access card reader and background management system;
c) Other management and technical measures not related to cryptographic security,
such as code recognition, biometric identification, personnel guard and so on.
Figure B.3 -- Schematic block diagram of contactless CPU card solution based
on SM1/SM4 algorithm scheme 2
In the scheme, the radio frequency interface module is responsible for radio frequency
communication between the card reader and the access card; the MCU controls the
communication between the radio frequency interface module and the access card
AND is responsible for realizing the data transfer inside the card reader and the
communication with the background management system.
B.3 Cryptographic security application process
B.3.1 Key management and card issuing system
a) Security module distribution
The background management system of access control uses the key
management subsystem cryptographic device to generate the access system
derivation key, which must be securely transferred to the security module.
b) Access card issuing
The background management system uses the SM1/SM4 algorithm to distribute
the system derivation key and achieve one cipher for one key. Through a card
issuing reader, the background management system carries out card
identification, directory application and initialization of data structure such as
document system using the SM1/SM4 algorithm and process key AND
completes downloading of the card key (Keyc). It also writes in the card the user
information and information of the issuing agency. The process uses the CPU
card issuing process to ensure the security of the information writing and
confidentiality of data.
B.3.2 Access control system
The two schemes described in B.2 are explained as follows.
a) Scheme 1
In scheme 1, the access card reader directly authenticates the access card and
controls the implementation of the access control function according to the result.
This process is similar to that of the logic encryption card using the SM7
algorithm, so it will not be discussed here. The difference is using the internal
authentication command of CPU card to authenticate the identity of CPU access
card rather than the special command of logic encryption card.
b) Scheme 2
In mode 2, the access card reader does not directly authenticate the access card
BUT uses the background management system (through a secure access
module supporting the SM1/SM4 algorithm) to authenticate the card AND
controls the implementation of access control functio...
...... Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.
|