GM/T 0095-2020 PDF in English
GM/T 0095-2020 (GM/T0095-2020, GMT 0095-2020, GMT0095-2020)
Standard ID | Contents [version] | USD | STEP2 | [PDF] delivered in | Name of Chinese Standard | Status |
GM/T 0095-2020 | English | 255 |
Add to Cart
|
0-9 seconds. Auto-delivery.
|
Technical requirements for applications of cryptography in electronic bidding
| Valid |
Standards related to (historical): GM/T 0095-2020
Preview PDF (Powered by Google. Reload if blank, scroll for next page)
GM/T 0095-2020: PDF in English (GMT 0095-2020) GM/T 0095-2020
GM
CRYPTOGRAPHIC INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
CCS L 80
Technical requirements for applications of
cryptography in electronic bidding
ISSUED ON: DECEMBER 28, 2020
IMPLEMENTED ON: JULY 01, 2021
Issued by: National Cryptography Administration
Table of Contents
Foreword ... 4
1 Scope ... 5
2 Normative references ... 5
3 Terms and definitions ... 6
4 Abbreviations ... 8
5 Reference model ... 8
6 Cryptographic application requirements for electronic bidding business
process ... 10
6.1 User registration ... 10
6.2 Bidding plan ... 10
6.3 Tender invitation ... 10
6.4 Bid issuing ... 11
6.5 Tendering ... 11
6.6 Bid opening ... 12
6.8 Bid awarding ... 13
6.9 Objection ... 13
6.10 Supervision ... 13
6.11 Bidding exception ... 14
6.12 Filing ... 14
7 Technical requirements for applications of cryptography in electronic bidding
... 14
7.1 Algorithm requirements ... 14
7.2 Cryptographic device requirements ... 14
7.3 Identity authentication technical requirements ... 15
7.4 Data encryption technology requirements ... 16
7.5 Technical requirements for electronic signature ... 16
7.6 Electronic seal ... 17
7.7 Key management requirements ... 17
7.8 Certificate management requirements ... 18
7.9 Emergency remediation requirements ... 20
Annex A (informative) Examples of typical electronic bidding business process
... 21
Annex B (informative) Examples of emergency remedies ... 23
Bibliography ... 25
Technical requirements for applications of
cryptography in electronic bidding
1 Scope
This document specifies the technical requirements for the application of
cryptographic technology in electronic bidding, including in the electronic
bidding process, the technical requirements for the use of cryptographic
algorithms and cryptographic products.
This document is applicable to guiding the design, implementation and use of
the cryptographic subsystem in the electronic bidding system. The test and
management of the cryptographic subsystem in the electronic bidding system
can use it as reference.
2 Normative references
The following referenced documents are indispensable for the application of
this document. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any
amendments) applies.
GB/T 20518, Information security technology - Public key infrastructure -
Digital certificate format
GB/T 32905, Information security technology SM3 cryptographic hash
algorithm
GB/T 32907, Information security techno1ogy - SM4 block cipher algorithm
GB/T 32918 (all parts), Information security technology - Public key
cryptographic algorithm SM2 based on elliptic curves
GB/T 35275, Information security technology - SM2 cryptographic algorithm
encrypted signature message syntax specification
GB/T 35276, Information security technology - SM2 cryptography algorithm
usage specification
GM/T 0031, Secure electronic seal cryptography technical specification
GM/T 0054, General requirements for information system cryptography
A: User registration B: Bidding plan C: Tender invitation D: Bid Issuing E: Tendering F: Bid
opening G: Bid evaluation H: Bid awarding I: Objection J: Supervision K: Bidding exception
L: Filing
1: Business participant identity authentication service
2: Electronic signature and verification service of bidding document
3: Encryption and decryption service of bidding document
4: Electronic seal and verification service of bidding document
5: Digital certificate service of electronic bidding system
6: Key management service of electronic bidding system
a: Digital signature system
b: Electronic seal system
c: Time stamp system
d: Encryption and decryption system
Figure 1 -- Reference model of cryptographic application of electronic
bidding system
The reference model of the cryptographic application of the electronic bidding
system is a security service system based on cryptographic technology. It
provides cryptographic services such as authenticity, confidentiality, integrity
and non-repudiation, to form a complete security support system, so as to
protect the security of electronic bidding business.
The reference model of the cryptographic application of the electronic bidding
system is guided by laws, regulations and standards. It is divided into electronic
bidding business layer, cryptographic service layer, cryptographic support layer,
and infrastructure layer. Its functions are divided as follows:
a) Business layer
The business layer refers that the electronic bidding business system, in
all processes of its bidding business, uses the services provided by the
business support layer to complete the business of electronic bidding.
b) Cryptographic service layer
The cryptographic service layer comprehensively uses the cryptographic
functions provided by the cryptographic infrastructure to provide a series
of comprehensive cryptographic services for the business layer, including
identity authentication service for business participants, electronic
signature and verification services for bidding documents, encryption and
decryption services for bidding documents, electronic signature and
verification services for bidding documents, electronic bidding system
digital certificate service, key management service of electronic bidding
system.
c) Cryptographic support layer
certificate of the tenderee or agency to conduct electronic signature to
documents such as procurement bidding announcements, prequalification
announcements and tender invitations. It shall be time stamped at the same
time. It is advisable to use electronic signature at the same time. When the
relevant parties receive the documents, they shall check the validity of
electronic signature, electronic signature and time stamp.
If the bidder is required to issue a receipt, the bidder shall, according to the
business process requirements, provide the requested receipt to the tenderee.
It shall be electronically signed before submitting the receipt.
After the tenderee receives the receipt submitted by the bidder, it shall verify its
electronic signature. Confirm that the bidder has received the sent documents
or responded as required.
Electronic signature and verification shall follow the requirements of 7.5.
Electronic sesal and verification shall follow the requirements of 7.6.
6.4 Bid issuing
During the bid issuing, the tenderee shall conduct electronic signature and time
stamp to the published documents. It is advisable to use electronic seal at the
same time. The bidding documents can include bidding announcements,
bidding change announcements, bidding documents, bidding
changes/supplementary documents, prequalification changes/supplementary
announcements, site survey notices, document clarification and Q&A,
document clarification instructions, and download receipts.
After the bidder receives the corresponding documents, it shall verify the
electronic signature and time stamp of the documents. According to business
process requirements, provide the required documents to the tenderee,
including announcement of document receipt and document clarification. The
documents shall be electronically signed before submission.
After the tenderer receives the receipt and documents submitted by the bidder,
it shall verify the electronic signature of the documents. Confirm that the bidder
has received the sent documents or responded as required.
Electronic signature and verification shall meet the requirements of 7.5.
6.5 Tendering
During the tendering process, the bidder shall electronically sign the original
tendering documents including pre-qualification documents, application
documents and tendering files. It is advisable to affix the electronic seal at the
same time.
During the bid evaluation, bid evaluation experts shall be able to electronically
sign electronic data such as clarification of questions, response receipts, bid
evaluation reports, and bid evaluation forms.
The bidder shall be able to verify the electronic signature on documents such
as clarification questions given by the bid evaluation expert. Electronically sign
the responses, clarifications and supplementary documents required during the
bid evaluation process. Submit to the electronic bidding business system.
During the bid evaluation process, the system shall verify the bidder’s
responses, clarifications and electronic signatures in supplementary
documents, so as to ensure the integrity and non-repudiation of information and
documents.
Electronic signature and verification shall meet the requirements of 7.5.
6.8 Bid awarding
During the bid awarding process, the tenderee shall be able to electronically
sign the announced announcement of successful bid candidates, the
announcement of the winning bid result, the bid winning notice/prequalification
result/tender result notice. Electronic signature shall be used. Time stamp can
be sealed.
The bidder shall be able to verify the electronic signature and time stamp of the
documents published by the tenderee.
The tenderee and bidder shall be able to electronically sign the winning contract
through the electronic bidding business system. It is advisable to use electronic
signatures at the same time. Time stamp can also be used at the same time. At
the same time verify the other party's electronic signature, electronic seal and
time stamp.
Electronic signature and verification shall meet the requirements of 7.5.
6.9 Objection
When the bidder raises objections to the prequalification documents, bidding
documents, bid opening process, prequalification results, and bid evaluation
results, the content of the objection submitted shall be electronically signed.
The tenderee shall electronically sign the content of the objection and stamp it
with a time stamp. Electronic signature and verification shall meet the
requirements of 7.5.
6.10 Supervision
When exchanging supervisory data with supervisory authorities, the electronic
bidding system shall electronically sign the supervision data. These data
into client cryptographic devices and server cryptographic devices. The
cryptographic devices shall obtain the qualification certificate issued by the
national cryptographic management authority.
7.2.2 Client device
The client of the electronic bidding system shall use smart cryptographic keys,
IC cards and other equipment to provide the client's cryptographic calculation
and key management. The device shall obtain the qualification certificate
issued by the national cryptographic management authority. Complete the
initialization in a safe environment.
7.2.3 Server cryptographic device
The electronic bidding system shall use server cryptographic devices, such as
cryptographic server, signature verification server, time stamp server,
cryptographic card and other cryptographic devices to provide server
cryptographic operations, certificate management and key management. All
these cryptographic devices shall obtain the qualification certificate issued by
the national cryptographic management authority. They are deployed in a safe
and reliable environment. The functions and performance shall meet the index
requirements of the electronic bidding system.
7.3 Identity authentication technical requirements
The electronic bidding system shall identify the true identity of each visiting
entity. Clarify the access control authority of the access entity. Ensure that each
entity can only use the functions provided by the system in accordance with the
scope set by the system. Before the visiting entity is successfully authenticated,
the electronic bidding system shall prohibit any operation on behalf of the
visiting entity.
The electronic bidding system shall establish a unified identity authentication
system. Based on PKI/CA technology, realize a secure identity authentication
mechanism centered on digital certificates. Tenderees, bidding agencies,
bidders, authorized bid evaluation experts and other users shall use digital
certificates to complete identity authentication.
User login shall use digital certificate. Certificate login shall conduct digital
signature verification and certificate validity verification. The process includes:
a) Each login authentication is based on random number signature and
verification to prevent replay attacks;
b) Verify the trust chain of the user certificate;
c) Verify the validity period of the user certificate;
the chain of trust, the validity period and whether it has been revoked.
When the parties in bidding and tendering are performing important operations,
the confirmation information of the bidding documents shall be digitally signed.
The electronic signature shall adopt the digital signature data format specified
in GB/T 35275.
7.6 Electronic seal
The electronic bidding system shall adopt electronic seal and other forms to
conduct electronic signature on various documents required in Clause 6 that
need to be signed and other documents that need to be signed in the business.
For details, refer to Clause 6 Cryptographic application requirements for
electronic bidding business process. When the electronic bidding system uses
electronic seal to sign, the generation and use of electronic seal shall follow
GM/T 0031. To verify the electronic seal, the validity of the certificate shall also
be verified at the same time, including the trust chain, validity period and
revocation list.
7.7 Key management requirements
7.7.1 Goal of key management security
The security of the key is the basis of data security in the bidding industry. Use
multiple keys in the electronic bidding system, including the identity keys of
various entities participating in electronic bidding activities, the keys used to
sign entities and systems electronically, and the encryption keys used to encrypt
data messages and communication data. The specific requirements for key
management are:
a) The generation and use of the key shall be completed in the hardware
cryptographic device;
b) There shall be a safe and reliable management mechanism for the
generation and use of keys;
c) The key shall have a safe and reliable backup and recovery mechanism.
7.7.2 Key life cycle management
According to the way the key is generated and stored, the key used by the
electronic bidding system can be divided into the key stored in the smart
cryptographic key and the key stored in the server hardware cryptographic
device. The key stored in the smart cryptographic key is divided into a signature
key and an encryption key. The key management lifecycle management
requirements include:
d) Ensure a smooth transition when the CA signed certificate is updated;
e) Ensure that CA institutions can cancel their certificates for users with
severely degraded credit ratings;
f) Prevent invalid certificates from being used illegally.
7.8.2 Certificate classification
The digital certificates used in the electronic bidding system are distinguished
from the owners, including personal certificates and institutional certificates.
From the perspective of usage, it can be divided into signature certificates and
encryption certificates. Signing certificates re only used for digital signatures to
ensure the integrity and non-repudiation of the data. Encryption certificates are
used for data encryption to ensure data confidentiality protection.
7.8.3 Certificate certification authority
The electronic bidding system shall adopt a legal digital certificate, including
digital certificate issued by third-party electronic certification authority and
certification authority recognized by the competent authority of the electronic
bidding system. The electronic bidding system shall support the digital
certificates of multiple institutions.
7.8.4 Digital certificate format
The digital certificate format shall follow GB/T 20518.
7.8.5 Certificate life cycle management
7.8.5.1 Certificate application
Certificate user shall go to the designated certificate business acceptance point
for identity confirmation. The operator conducts a credible and effective review
and confirmation of the applicant's true identity and application materials.
7.8.5.2 Certificate update
When the end user certificate is about to expire, it shall be updated. It can be
confirmed at the designated reception point. If the electronic certification body
supports remote certificate update, it can also be updated remotely.
7.8.5.3 Certificate invalidation
When the end user certificate is lost or the media is damaged, the user shall go
to the business acceptance point where the certificate is issued to invalidate
the certificate. After passing the review, the staff at the acceptance point will
notify the CA certification system of the invalidation information. Then the CA
Annex B
(informative)
Examples of emergency remedies
In the bidding activities of electronic bidding, in order to ensure the data
encryption requirements of the bid content, generally, the bidder uses his own
encryption certificate, according to the encrypted data format specified in GB/T
35275, to encrypt the bid content. In this way, at the time of bid opening, the
bidder can, in the electronic bidding system, use his own decryption certificate
mechanism to decrypt the cipher text.
In this case, if at the time of bid opening, in the event that the user's decryption
medium (such as the cryptographic password key) is damaged or lost, the
electronic bidding business will not be able to proceed smoothly. Therefore, in
the 6.6 "Bid opening" process, put forward "a plan that shall be designed for
emergency remediation". When sending this kind of situation, carry out
emergency treatment to ensure business continuity.
A typical reference emergency remedy plan is when user tenders, in addition to
using the bidder's own encryption certificate to encrypt the content of the bid,
he also uses the public key of an "emergency certificate" provided by the
electronic bidding system for encryption. The encrypted data format also
conforms to the encrypted data format specified in GB/T 35275.
The encryption certificate is generated by the electronic bidding system when
an electronic bidding project is started. Use its public key to encrypt the content
of the bid when tendering. Only when the bid opening process fails due to
medium failure and other reasons and the bid cannot be opened normally, the
private key of the “emergency certificate” can be used to complete the
decryption operation. Disable archiving after the bidding project ends.
The system shall strictly control the use of this emergency certificate, including:
a) Use time limit: the key shall only be used during the bid opening time;
b) Use authorization: the use of the key shall be controlled by the authority,
and the key can be enabled only with the corresponding authority;
c) Use audit: the use of emergency key shall be recorded in the log, including
the time, reason and authorization information of using the emergency key,
as well as the authorized person's signature information. The log
information shall be strictly audited, including to verify the digital signature
of the authorized person. Strictly control the use of the key through these
...... Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.
|