HOME   Cart(0)   Quotation   About-Us Tax PDFs Standard-List Powered by Google www.ChineseStandard.net Database: 189759 (12 Jan 2025)

GM/T 0067-2019 PDF English


Search result: GM/T 0067-2019_English: PDF (GM/T0067-2019)
Standard IDContents [version]USDSTEP2[PDF] delivered inName of Chinese StandardStatus
GM/T 0067-2019English270 Add to Cart 0-9 seconds. Auto-delivery. Interface specifications of authentication based on digital certificate Valid
BUY with any currencies (Euro, JPY, GBP, KRW etc.): GM/T 0067-2019     Related standards: GM/T 0067-2019

PDF Preview: GM/T 0067-2019


GM/T 0067-2019: PDF in English (GMT 0067-2019)

GM/T 0067-2019 GM CRYPTOGRAPHIC INDUSTRY STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA ICS 35.040 L 80 Interface specifications of authentication based on digital certificate ISSUED ON: JULY 12, 2019 IMPLEMENTED ON: JULY 12, 2019 Issued by: State Cryptography Administration Table of Contents Foreword ... 3  1 Scope ... 4  2 Normative references ... 4  3 Terms and definitions ... 4  4 Abbreviations ... 6  5 Implementation method ... 6  5.1 Overview ... 6  5.2 Proxy authentication mode ... 6  5.3 Call mode ... 8  6 Algorithm identification and data structure ... 9  6.1 Algorithm identification definition ... 9  6.2 Data structure definition and description ... 11  7 Interface definitions and functions ... 11  7.1 The position of the identity authentication interface in the framework of the public key infrastructure application technology system ... 11  7.2 Logical structure of identity authentication interface ... 12  7.3 Message definition ... 13  7.4 Function interface definition ... 19  Appendix A (Normative) Definition and description of error code ... 25  Appendix B (Informative) Example of identity authentication’s application process ... 26  References ... 28  Interface specifications of authentication based on digital certificate 1 Scope This standard specifies the digital certificate-based identity authentication interface in the upper application of the public key cryptographic infrastructure system. This standard applies to the development of identity authentication services in the upper application of the public key cryptographic infrastructure system, the R&D and testing of the identity authentication system of the certificate application support platform; it can also be used to guide the application system to standardize the use of certificates for identity authentication. 2 Normative references The following documents are essential to the application of this document. For the dated documents, only the versions with the dates indicated are applicable to this document; for the undated documents, only the latest version (including all the amendments) are applicable to this standard. GB/T 15843.1-2017 Information technology - Security techniques - Entity authentication - Part 1: General GB/T 15843.3-2016 Information technology - Security techniques - Entity authentication - Part 3: Mechanisms using digital signature techniques 3 Terms and definitions The following terms and definitions apply to this document. 3.1 Certificate authentication system A system that manages the entire life cycle of digital certificates such as the sign-off, issuance, renewal, revocation of digital certificates. 3.2 An elliptic curve public key cryptographic algorithm, the key length of which is 256 bits. 3.9 SM3 algorithm A cryptographic hash algorithm, the output of which is 256 bits. 4 Abbreviations The following abbreviations apply to this document. CA: Certificate authority CN: Common name CRL: Certificate revocation list DN: Distinguished name LDAP: Lightweight directory access protocol OID: Object identifier PKI: Public key infrastructure 5 Implementation method 5.1 Overview The realization of identity authentication includes proxy identity authentication mode and call mode. Identity authentication T and application B are a mutually trusted whole. The identity authentication mechanism used in these two modes follows GB/T 15843.3-2016. 5.2 Proxy authentication mode In this mode, the identity of user A is authenticated by the proxy identity authentication service T; then the result of the authentication is passed to application B. This identity authentication mode is called proxy identity mode, which is generally implemented by message. The authentication protocol is carried out between the user A and the proxy b) When the proxy identity authentication service T receives a message containing TokenAT, it performs the following steps: 1) Verify the validity of A's certificate, including the validity period, whether it is issued by a trusted organization, the status of the certificate, verification of the certificate key usage; 2) Verify TokenAT. c) The proxy identity authentication service T sends T's certificate and TokenTA to A (see the form of TokenTA in 5.3.2 of GB 15843.3-2016); d) When receiving a message containing TokenTA, user A performs the following steps: 1) Verify the validity of T's certificate, including the validity period, whether it is issued by a trusted organization, whether it is in the blacklist, verification of the certificate key usage; 2) Verify TokenTA. e) The proxy identity authentication service T passes the verified identity of A to application B. 5.3 Call mode After the application obtains the user's identity, it actively calls the external service interface of the identity authentication service to perform identity authentication to obtain the identity authentication result, which is called the call mode. It is generally implemented by interface functions. In this mode, application B starts the verification process and authenticates user A. It controls the uniqueness and timeliness of the authentication protocol by generating and verifying random numbers RB (see Appendix B of GB/T 15843.1-2017). The verification mechanism is as shown in Figure 3: Figure 5 -- Structure of identity authentication interface system The identity authentication service module on which the identity authentication interface specification is based on is located between the application system and the cryptographic service interface. It provides identity authentication service for the application system through this interface. The cryptographic operations required by the identity authentication module are implemented by invoking cryptographic services through the cryptographic service interface specification. The identity authentication interface is logically divided into two parts, namely: environment function and identity authentication function. 7.2.2 Environmental functions The environment function is responsible for creating and managing the secure program space, responsible for creating and managing the various resources and signals required in the secure program space, ensuring that the secure program space will not be illegally accessed during the running of the application program, thereby causing information leakage. The environment function is responsible for completing the secure connection with the identity authentication service, ensuring that the subsequent security operations are carried out in a secured and trusted program space. When an application uses the identity authentication interface, it must first call the initialization environment function (SIF_Initialize) to create and initialize a secure application space; complete the connection and initialization with the identity authentication service. Before the application program is terminated, it shall call the clear environment function (SIF_Finalize) to terminate the connection with the identity authentication service, destroy the created security program space, prevent the security risks caused by memory residue. 7.2.3 Identity authentication function The identity authentication function realizes the acquisition of user information and the verification of user identity (the main means are through certificate verification and analysis of the certificate revocation list). The application program realizes the identity authentication based on the digital certificate by calling the identity authentication function. 7.3 Message definition 7.3.1 Message format definition The message includes two parts: the message header and the message body, < msg> < msg_head> < msg_type>0< /msg_type> < msg_id>0100< /msg_id> < version>1< /version> < /msg_head> < msg_body> < connectid> Connect ID < /connectid> < /msg_body> < /msg> b) User identity gets response < ? xmlversion = "1.0" encoding = "UTF-8"?> < msg> < msg_head> < msg_type>1 or 2< /msg_type> < msg_id>0100< /msg_id> < version>1< /version> < /msg_head> < msg_body> < connectid> Connect ID < /connectid> < userinfo> Identity information < /userinfo> < error_no> Error code < /error_no> < /msg_body> < /msg> 7.3.4 User credential generation message < msg> < msg_head> < msg_type>0< /msg_type> < msg_id>1000< /msg_id> < version>1< /version> < /msg_head> < msg_body> < userseed> Random information (Base64 encoding) < /userseed> < cert> Certificate (Base64 encoded) for generating user credentials < /cert> < /msg_body> < /msg> d) User credential generation response < ? xmlversion = "1.0" encoding = "UTF-8"?> < msg> < msg_head> < msg_type>1 or 2< /msg_type> < msg_id>1000< /msg_id> < version>1< /version> < /msg_head> < msg_body> < usertoken> Generated user credentials (Base64 encoding) < /usertoken> < error_no> Error code < /error_no> < /msg_body> < /msg> 7.3.5 User credential verification message identity authentication service (Base64 encoding) < /resultsign> < error_no> Error code < /error_no> < /msg_body> < /msg> 7.4 Function interface definition 7.4.1 Overview Interface functions include the following specific functions. For the return value of each function, please refer to Appendix A for the definition of error codes: a) Initialization: SIF_Initialize b) Termination: SIF_Finalize c) Get interface version: SIF_GetVersion d) Random information needed to generate user credentials: SIF_GenRandom e) Generate user credentials: SIF_GenUserToken f) Verify user credentials: SIF_VerifyUserToken g) Confirm the authenticity of the verification result: SIF_VerifyResult h) Get user identity: SIF_GetUserInfo 7.4.2 Initialization function Prototype: SGD_INT32SIF_Initialize(SGD _CHAR* pucIpAddr, SGD_INTiPort,SGD_VOID* phHandle); Description: Initialize the identity authentication service and create an identity authentication service handle Parameter: pucIpAddr [in]: The address of the identity authentication server; it may be NULL, which means that the remote service is not connected ......
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.