
GM/T 0095-2020 PDF in English


GM/T 0095-2020 (GM/T0095-2020, GMT 0095-2020, GMT0095-2020)
Standard ID: GM/T 0095-2020
Contents [version]: English
USD: 255
STEP2: Add to Cart
[PDF] delivered in: 0-9 seconds. Auto-delivery.
Name of Chinese Standard: Technical requirements for applications of cryptography in electronic bidding
Status: Valid
Standards related to (historical): GM/T 0095-2020


GM/T 0095-2020: PDF in English (GMT 0095-2020)

GM/T 0095-2020
GM CRYPTOGRAPHIC INDUSTRY STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
CCS L 80
Technical requirements for applications of cryptography in electronic bidding
ISSUED ON: DECEMBER 28, 2020
IMPLEMENTED ON: JULY 01, 2021
Issued by: National Cryptography Administration

Table of Contents
Foreword ... 4
1 Scope ... 5
2 Normative references ... 5
3 Terms and definitions ... 6
4 Abbreviations ... 8
5 Reference model ... 8
6 Cryptographic application requirements for electronic bidding business process ... 10
6.1 User registration ... 10
6.2 Bidding plan ... 10
6.3 Tender invitation ... 10
6.4 Bid issuing ... 11
6.5 Tendering ... 11
6.6 Bid opening ... 12
6.8 Bid awarding ... 13
6.9 Objection ... 13
6.10 Supervision ... 13
6.11 Bidding exception ... 14
6.12 Filing ... 14
7 Technical requirements for applications of cryptography in electronic bidding ... 14
7.1 Algorithm requirements ... 14
7.2 Cryptographic device requirements ... 14
7.3 Identity authentication technical requirements ... 15
7.4 Data encryption technology requirements ... 16
7.5 Technical requirements for electronic signature ... 16
7.6 Electronic seal ... 17
7.7 Key management requirements ... 17
7.8 Certificate management requirements ... 18
7.9 Emergency remediation requirements ... 20
Annex A (informative) Examples of typical electronic bidding business process ... 21
Annex B (informative) Examples of emergency remedies ... 23
Bibliography ... 25

Technical requirements for applications of cryptography in electronic bidding

1 Scope
This document specifies the technical requirements for the application of cryptographic technology in electronic bidding, including the technical requirements for the use of cryptographic algorithms and cryptographic products in the electronic bidding process. This document applies to guiding the design, implementation and use of the cryptographic subsystem in an electronic bidding system.
The testing and management of the cryptographic subsystem in the electronic bidding system may also use it as a reference.

2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 20518, Information security technology - Public key infrastructure - Digital certificate format
GB/T 32905, Information security technology - SM3 cryptographic hash algorithm
GB/T 32907, Information security technology - SM4 block cipher algorithm
GB/T 32918 (all parts), Information security technology - Public key cryptographic algorithm SM2 based on elliptic curves
GB/T 35275, Information security technology - SM2 cryptographic algorithm encrypted signature message syntax specification
GB/T 35276, Information security technology - SM2 cryptography algorithm usage specification
GM/T 0031, Secure electronic seal cryptography technical specification
GM/T 0054, General requirements for information system cryptography

......

5 Reference model
Figure 1 -- Reference model of cryptographic application of electronic bidding system (the figure itself is not reproduced here; its legend is as follows)
Business processes: A: User registration; B: Bidding plan; C: Tender invitation; D: Bid issuing; E: Tendering; F: Bid opening; G: Bid evaluation; H: Bid awarding; I: Objection; J: Supervision; K: Bidding exception; L: Filing
Cryptographic services: 1: Business participant identity authentication service; 2: Electronic signature and verification service for bidding documents; 3: Encryption and decryption service for bidding documents; 4: Electronic seal and verification service for bidding documents; 5: Digital certificate service of the electronic bidding system; 6: Key management service of the electronic bidding system
Cryptographic support systems: a: Digital signature system; b: Electronic seal system; c: Time stamp system; d: Encryption and decryption system

The reference model of the cryptographic application of the electronic bidding system is a security service system based on cryptographic technology. It provides cryptographic services for authenticity, confidentiality, integrity and non-repudiation, forming a complete security support system that protects the security of the electronic bidding business. The reference model is guided by laws, regulations and standards. It is divided into the electronic bidding business layer, the cryptographic service layer, the cryptographic support layer and the infrastructure layer. The functions of the layers are as follows:
a) Business layer. The business layer is the electronic bidding business system, which in every process of its bidding business uses the services provided by the cryptographic service layer to complete the business of electronic bidding.
b) Cryptographic service layer. The cryptographic service layer combines the cryptographic functions provided by the cryptographic infrastructure into a set of cryptographic services for the business layer: the identity authentication service for business participants, the electronic signature and verification service for bidding documents, the encryption and decryption service for bidding documents, the electronic seal and verification service for bidding documents, the digital certificate service of the electronic bidding system, and the key management service of the electronic bidding system.
c) Cryptographic support layer ......

6.3 Tender invitation
... certificate of the tenderee or its agency to electronically sign documents such as procurement bidding announcements, prequalification announcements and tender invitations, and shall time stamp them at the same time. It is advisable to apply an electronic seal at the same time. When the relevant parties receive the documents, they shall check the validity of the electronic signature, the electronic seal and the time stamp.
If the bidder is required to issue a receipt, the bidder shall, in accordance with the business process requirements, provide the requested receipt to the tenderee, and shall electronically sign the receipt before submitting it. After the tenderee receives the receipt submitted by the bidder, it shall verify the electronic signature and confirm that the bidder has received the sent documents or has responded as required. Electronic signature and verification shall follow the requirements of 7.5. Electronic seal and verification shall follow the requirements of 7.6.

6.4 Bid issuing
During bid issuing, the tenderee shall electronically sign and time stamp the published documents. It is advisable to apply an electronic seal at the same time. The published documents may include bidding announcements, bidding change announcements, bidding documents, bidding change/supplementary documents, prequalification change/supplementary announcements, site survey notices, document clarifications and Q&A, document clarification instructions, and download receipts. After the bidder receives the corresponding documents, it shall verify the electronic signature and time stamp of the documents and shall, according to the business process requirements, provide the required documents to the tenderee, including the document receipt announcement and document clarifications; these documents shall be electronically signed before submission. After the tenderee receives the receipts and documents submitted by the bidder, it shall verify their electronic signatures and confirm that the bidder has received the sent documents or has responded as required. Electronic signature and verification shall meet the requirements of 7.5.

6.5 Tendering
During the tendering process, the bidder shall electronically sign the original tendering documents, including prequalification documents, application documents and tender files. It is advisable to affix an electronic seal at the same time.
......

6.7 Bid evaluation
During bid evaluation, the bid evaluation experts shall be able to electronically sign electronic data such as clarification questions, response receipts, bid evaluation reports and bid evaluation forms. The bidder shall be able to verify the electronic signature on documents such as the clarification questions issued by the bid evaluation experts, and shall electronically sign the responses, clarifications and supplementary documents required during bid evaluation before submitting them to the electronic bidding business system. During bid evaluation, the system shall verify the electronic signatures on the bidder's responses, clarifications and supplementary documents, so as to ensure the integrity and non-repudiation of the information and documents. Electronic signature and verification shall meet the requirements of 7.5.

6.8 Bid awarding
During bid awarding, the tenderee shall be able to electronically sign the published announcement of successful bid candidates, the announcement of the winning bid result, and the bid winning notice / prequalification result / tender result notice. It is advisable to apply an electronic seal at the same time; a time stamp may also be affixed. The bidder shall be able to verify the electronic signature and time stamp of the documents published by the tenderee. The tenderee and the bidder shall be able to electronically sign the winning contract through the electronic bidding business system. It is advisable to apply an electronic seal at the same time; a time stamp may also be used. Each party shall verify the other party's electronic signature, electronic seal and time stamp. Electronic signature and verification shall meet the requirements of 7.5.

6.9 Objection
When the bidder raises objections to the prequalification documents, bidding documents, bid opening process, prequalification results or bid evaluation results, the content of the objection submitted shall be electronically signed.
The tenderee shall electronically sign the content of the objection and affix a time stamp to it. Electronic signature and verification shall meet the requirements of 7.5.

6.10 Supervision
When exchanging supervision data with the supervisory authorities, the electronic bidding system shall electronically sign the supervision data.

......

7.2 Cryptographic device requirements
... into client cryptographic devices and server cryptographic devices. The cryptographic devices shall hold the qualification certificate issued by the national cryptographic management authority.

7.2.2 Client device
The client side of the electronic bidding system shall use smart cryptographic keys, IC cards and similar devices to provide client-side cryptographic computation and key management. The device shall hold the qualification certificate issued by the national cryptographic management authority and shall be initialized in a secure environment.

7.2.3 Server cryptographic device
The electronic bidding system shall use server cryptographic devices, such as cryptographic servers, signature verification servers, time stamp servers and cryptographic cards, to provide server-side cryptographic operations, certificate management and key management. All of these cryptographic devices shall hold the qualification certificate issued by the national cryptographic management authority and shall be deployed in a secure and reliable environment. Their functions and performance shall meet the indicator requirements of the electronic bidding system.

7.3 Identity authentication technical requirements
The electronic bidding system shall identify the true identity of each accessing entity, define the access control authority of the accessing entity, and ensure that each entity can only use the functions provided by the system within the scope set by the system. Before an accessing entity has been successfully authenticated, the electronic bidding system shall prohibit any operation on behalf of that entity.
The electronic bidding system shall establish a unified identity authentication system which, based on PKI/CA technology, realizes a secure identity authentication mechanism centred on digital certificates. Tenderees, bidding agencies, bidders, authorized bid evaluation experts and other users shall use digital certificates to complete identity authentication. User login shall use a digital certificate. Certificate login shall perform digital signature verification and certificate validity verification. The process includes:
a) each login authentication is based on signing and verifying a random number, so as to prevent replay attacks;
b) verifying the trust chain of the user certificate;
c) verifying the validity period of the user certificate;

......

7.5 Technical requirements for electronic signature
... the chain of trust, the validity period and whether it has been revoked. When the parties in bidding and tendering perform important operations, the confirmation information of the bidding documents shall be digitally signed. The electronic signature shall adopt the digital signature data format specified in GB/T 35275.

7.6 Electronic seal
The electronic bidding system shall use electronic seals and other forms of electronic signature on the documents required to be signed in Clause 6 and on other documents in the business that need to be signed; for details, refer to Clause 6, Cryptographic application requirements for electronic bidding business process. When the electronic bidding system signs with an electronic seal, the generation and use of the electronic seal shall follow GM/T 0031. When verifying an electronic seal, the validity of the certificate shall also be verified, including the trust chain, the validity period and the revocation list.

7.7 Key management requirements
7.7.1 Goal of key management security
The security of keys is the basis of data security in the bidding industry.
The electronic bidding system uses multiple keys, including the identity keys of the various entities participating in electronic bidding activities, the keys used by entities and systems for electronic signature, and the encryption keys used to encrypt data messages and communication data. The specific requirements for key management are:
a) keys shall be generated and used within hardware cryptographic devices;
b) there shall be a secure and reliable management mechanism for the generation and use of keys;
c) keys shall have a secure and reliable backup and recovery mechanism.

7.7.2 Key life cycle management
According to how keys are generated and stored, the keys used by the electronic bidding system can be divided into keys stored in smart cryptographic keys and keys stored in server hardware cryptographic devices. The keys stored in a smart cryptographic key are divided into a signature key and an encryption key. The key life cycle management requirements include:

......

d) ensure a smooth transition when the CA's signing certificate is updated;
e) ensure that the CA can revoke the certificates of users whose credit rating has seriously deteriorated;
f) prevent invalid certificates from being used illegally.

7.8.2 Certificate classification
The digital certificates used in the electronic bidding system are distinguished by owner into personal certificates and institutional certificates, and by usage into signing certificates and encryption certificates. Signing certificates are used only for digital signatures, to ensure the integrity and non-repudiation of data. Encryption certificates are used for data encryption, to ensure the confidentiality of data.
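The certificate login of 7.3 (random-number challenge, trust chain, validity period, revocation) together with the rule of 7.8.2 that only the signing certificate authenticates, as an added example in Go. This is not code from the standard or from this page: it builds a constructed CA and bidder certificates in memory, uses ECDSA P-256 with SHA-256 in place of SM2/SM3 (the Go standard library has no SM2), and keeps the revoked serial numbers in an in-memory set in place of a fetched CRL. The names loginServer, issueChallenge, verifyLogin,loginScenario and the bidder identities are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// loginServer is the verifying side of 7.3: the trusted root, the serials the CA has revoked (a constructed
// stand-in for a fetched CRL) and the outstanding challenges, each usable once and only briefly.
// Single-threaded for brevity; a real server would lock the challenge map.
type loginServer struct {
	roots      *x509.CertPool
	revoked    map[string]bool      // decimal serial numbers listed on the CA's CRL
	challenges map[string]time.Time // nonce -> expiry; deleted on first use
}

// issueChallenge hands the client a fresh random number to sign (7.3 a).
func (s *loginServer) issueChallenge(now time.Time) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	s.challenges[string(nonce)] = now.Add(2 * time.Minute)
	return nonce
}

// verifyLogin: the challenge must be known, unexpired and unused; the certificate must chain to a trusted
// root (7.3 b), be inside its validity period (7.3 c) and not be revoked; it must be the signing
// certificate rather than the encryption certificate (7.8.2); and the signature over the nonce must verify.
func (s *loginServer) verifyLogin(certDER, nonce, sig []byte, now time.Time) error {
	exp, known := s.challenges[string(nonce)]
	delete(s.challenges, string(nonce)) // consumed even if the rest of the login fails
	if !known || now.After(exp) {
		return errors.New("unknown, expired or already used challenge")
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil { return err }
	opts := x509.VerifyOptions{Roots: s.roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil { return err } // chain and validity period; not revocation
	if s.revoked[cert.SerialNumber.String()] {
		return errors.New("certificate revoked")
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("not a signing certificate")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(nonce)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature over challenge does not verify")
	}
	return nil
}

// loginScenario builds a constructed CA and bidder certificates, then runs four logins: a correct one, a
// replay of the same signed challenge, one with the encryption certificate, and one with a revoked
// signing certificate. It returns the four outcomes.
func loginScenario() (okErr, replayErr, encErr, revokedErr error) {
	now := time.Date(2021, 7, 1, 9, 0, 0, 0, time.UTC)
	newKey := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	tmpl := func(serial int64, cn string, usage x509.KeyUsage, isCA bool) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
			KeyUsage: usage, IsCA: isCA, BasicConstraintsValid: true}
	}
	issue := func(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) []byte {
		der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
		if err != nil { panic(err) }
		return der
	}
	caKey := newKey()
	caTmpl := tmpl(1, "Example Bidding CA", x509.KeyUsageCertSign|x509.KeyUsageCRLSign, true)
	ca, _ := x509.ParseCertificate(issue(caTmpl, caTmpl, &caKey.PublicKey, caKey))
	user := func(serial int64, cn string, usage x509.KeyUsage) (*ecdsa.PrivateKey, []byte) {
		k := newKey()
		return k, issue(tmpl(serial, cn, usage, false), ca, &k.PublicKey, caKey)
	}
	signKey, signDER := user(2, "bidder-001 signing", x509.KeyUsageDigitalSignature)
	encKey, encDER := user(3, "bidder-001 encryption", x509.KeyUsageKeyEncipherment)
	revKey, revDER := user(4, "bidder-002 signing", x509.KeyUsageDigitalSignature)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv := &loginServer{roots: pool, revoked: map[string]bool{"4": true}, challenges: map[string]time.Time{}}
	sign := func(k *ecdsa.PrivateKey, nonce []byte) []byte {
		digest := sha256.Sum256(nonce)
		sig, _ := ecdsa.SignASN1(rand.Reader, k, digest[:])
		return sig
	}
	n1 := srv.issueChallenge(now)
	sig1 := sign(signKey, n1)
	okErr = srv.verifyLogin(signDER, n1, sig1, now.Add(time.Second))
	replayErr = srv.verifyLogin(signDER, n1, sig1, now.Add(2*time.Second)) // same nonce and signature again
	n2 := srv.issueChallenge(now)
	encErr = srv.verifyLogin(encDER, n2, sign(encKey, n2), now)
	n3 := srv.issueChallenge(now)
	revokedErr = srv.verifyLogin(revDER, n3, sign(revKey, n3), now)
	return
}
```

Two details matter in practice. The nonce is deleted from the table before any other check runs, so a captured signature is worthless even if the verifier later fails for an unrelated reason. And x509 chain verification covers 7.3 b) and c) but says nothing about revocation or key usage, which is why the CRL lookup and the KeyUsage test are separate steps; without the latter, the bidder's encryption certificate (whose private key is also the one a project may need to recover under Annex B) could be used to log in.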
7.8.3 Certificate certification authority
The electronic bidding system shall adopt legally valid digital certificates, including digital certificates issued by third-party electronic certification authorities and by certification authorities recognized by the competent authority of the electronic bidding system. The electronic bidding system shall support digital certificates from multiple institutions.

7.8.4 Digital certificate format
The digital certificate format shall follow GB/T 20518.

7.8.5 Certificate life cycle management
7.8.5.1 Certificate application
The certificate user shall go to the designated certificate business acceptance point for identity confirmation. The operator conducts a credible and effective review and confirmation of the applicant's true identity and application materials.

7.8.5.2 Certificate update
When an end user certificate is about to expire, it shall be updated. The update can be confirmed at the designated acceptance point; if the electronic certification authority supports remote certificate update, it can also be updated remotely.

7.8.5.3 Certificate invalidation
When an end user certificate is lost or its medium is damaged, the user shall go to the business acceptance point that issued the certificate to have the certificate invalidated. After the review is passed, the staff at the acceptance point notify the CA certification system of the invalidation information. Then the CA ......

Annex B (informative) Examples of emergency remedies
In electronic bidding activities, in order to meet the data encryption requirements for the bid content, the bidder generally uses its own encryption certificate to encrypt the bid content in the encrypted data format specified in GB/T 35275. In this way, at bid opening, the bidder can use the decryption key of its own encryption certificate in the electronic bidding system to decrypt the ciphertext.
In this case, if at bid opening the user's decryption medium (such as the smart cryptographic key) is damaged or lost, the electronic bidding business cannot proceed normally. For this reason, 6.6 "Bid opening" requires that "a plan shall be designed for emergency remediation", so that when such a situation occurs, emergency handling can be carried out to ensure business continuity.

A typical reference emergency remedy is that, when tendering, in addition to encrypting the bid content with the bidder's own encryption certificate, the bidder also encrypts it with the public key of an "emergency certificate" provided by the electronic bidding system. The encrypted data format again conforms to the encrypted data format specified in GB/T 35275. The emergency certificate is generated by the electronic bidding system when an electronic bidding project is started, and its public key is used to encrypt the bid content when tendering. Only when the bid opening process fails because of a medium failure or a similar reason and the bid cannot be opened normally may the private key of the "emergency certificate" be used to complete the decryption. After the bidding project ends, the emergency certificate is disabled and archived.

The system shall strictly control the use of this emergency certificate, including:
a) use time limit: the key shall only be used during the bid opening period;
b) use authorization: the use of the key shall be controlled by authority, and the key can be enabled only with the corresponding authorization;
c) use audit: each use of the emergency key shall be recorded in the log, including the time, the reason and the authorization information for using the emergency key, as well as the authorizing person's signature information. The log information shall be strictly audited, including verifying the digital signature of the authorizing person.
Strictly control the use of the key through these ......
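The two-recipient encryption and the three controls of Annex B, as an added example in Go that is not part of the standard or of this page. The GB/T 35275 enveloped-data syntax is not reproduced: the envelope type here is the example's own simplification of the same idea (one content key, wrapped once per recipient). RSA-OAEP stands in for SM2 public-key encryption, AES-GCM for SM4, and Ed25519 for the approver's SM2 signature, because the Go standard library has none of the SM algorithms. The project, bidder and approver identifiers, the bid text and the time window are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil { panic(err) }
	return v
}
func randBytes(n int) []byte { b := make([]byte, n); must(rand.Read(b)); return b }

// envelope: the bid is encrypted once under a random content key (AES-GCM standing in for SM4) and that
// key is wrapped separately to each recipient (RSA-OAEP standing in for SM2 public-key encryption).
type envelope struct {
	Nonce, Ciphertext []byte
	WrappedKeys       map[string][]byte // recipient id -> wrapped content key
}
func gcmFor(cek []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(cek)))) }

// seal encrypts bid to every recipient at once; in Annex B these are the bidder's own encryption
// certificate and the project's emergency certificate.
func seal(bid []byte, recipients map[string]*rsa.PublicKey) *envelope {
	cek, nonce := randBytes(32), randBytes(12)
	env := &envelope{Nonce: nonce, Ciphertext: gcmFor(cek).Seal(nil, nonce, bid, nil), WrappedKeys: map[string][]byte{}}
	for id, pub := range recipients {
		env.WrappedKeys[id] = must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, []byte(id)))
	}
	return env
}

func unseal(env *envelope, id string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := env.WrappedKeys[id]
	if !ok { return nil, errors.New("no wrapped key for recipient " + id) }
	cek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, []byte(id))
	if err != nil { return nil, err }
	return gcmFor(cek).Open(nil, env.Nonce, env.Ciphertext, nil)
}

// authorization is what an approver signs before the emergency key may be used (Annex B b); auditEntry
// records time, reason, authorization and the approver's signature so the log can be re-verified (Annex B c).
type authorization struct{ Project, Reason, Approver string; ApprovedAt time.Time }
type auditEntry struct{ UsedAt time.Time; Auth authorization; Signature []byte }

// emergencyKey holds the project's emergency private key behind the controls of Annex B.
type emergencyKey struct {
	project            string
	priv               *rsa.PrivateKey
	openStart, openEnd time.Time                    // a) usable only during the bid-opening period
	approvers          map[string]ed25519.PublicKey // b) who may authorize a use
	retired            bool                         // set after the project ends: key disabled and archived
	audit              []auditEntry                 // c) one record per use
}

func (e *emergencyKey) decrypt(env *envelope, a authorization, sig []byte, now time.Time) ([]byte, error) {
	pub, known := e.approvers[a.Approver]
	switch {
	case e.retired:
		return nil, errors.New("emergency key retired after project end")
	case now.Before(e.openStart) || now.After(e.openEnd):
		return nil, errors.New("outside the bid-opening window")
	case a.Project != e.project || !known || !ed25519.Verify(pub, must(json.Marshal(a)), sig):
		return nil, errors.New("authorization not validly signed by an approver for this project")
	}
	e.audit = append(e.audit, auditEntry{UsedAt: now, Auth: a, Signature: sig})
	return unseal(env, "emergency:"+e.project, e.priv)
}

type emergencyResult struct {
	NormalOK, RescuedOK             bool
	TooEarly, BadSignature, Retired error
	AuditEntries                    int
}

// emergencyScenario runs a constructed bid through the normal path, the emergency path and three attempts
// the controls must refuse.
func emergencyScenario() emergencyResult {
	const project = "PRJ-2021-001"
	bid := "constructed bid: total price 1,250,000 CNY, delivery in 90 days"
	bidderKey, emergKey := must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	approverPub, approverPriv, _ := ed25519.GenerateKey(rand.Reader)
	env := seal([]byte(bid), map[string]*rsa.PublicKey{"bidder-001": &bidderKey.PublicKey, "emergency:" + project: &emergKey.PublicKey})
	var r emergencyResult
	normal, err := unseal(env, "bidder-001", bidderKey) // ordinary bid opening with the bidder's own medium
	r.NormalOK = err == nil && string(normal) == bid
	opening := time.Date(2021, 7, 20, 9, 0, 0, 0, time.UTC)
	ek := &emergencyKey{project: project, priv: emergKey, openStart: opening, openEnd: opening.Add(2 * time.Hour),
		approvers: map[string]ed25519.PublicKey{"supervisor-01": approverPub}}
	auth := authorization{Project: project, Reason: "bidder's smart cryptographic key damaged", Approver: "supervisor-01", ApprovedAt: opening.Add(10 * time.Minute)}
	sig := ed25519.Sign(approverPriv, must(json.Marshal(auth))) // the approver signs the same encoding decrypt verifies
	_, r.TooEarly = ek.decrypt(env, auth, sig, opening.Add(-time.Hour))
	tampered := auth
	tampered.Reason = "routine access" // the approver's signature no longer covers the record
	_, r.BadSignature = ek.decrypt(env, tampered, sig, opening.Add(10*time.Minute))
	rescued, err := ek.decrypt(env, auth, sig, opening.Add(10*time.Minute))
	r.RescuedOK = err == nil && string(rescued) == bid
	ek.retired = true // project closed: the key is disabled and archived
	_, r.Retired = ek.decrypt(env, auth, sig, opening.Add(15*time.Minute))
	r.AuditEntries = len(ek.audit)
	return r
}
```

The point of the shape is that the bid is encrypted exactly once and the same content key is wrapped to both recipients, so the emergency path yields byte-for-byte the bid the bidder sealed, not a second copy that could diverge. The recipient identifier doubles as the OAEP label, so a wrapped key cannot be silently re-used under another recipient's name. Of the three refusals, only the tampered-authorization one is subtle: the audit entry stores the signature next to the record it signs, which is what lets a later auditor re-run the verification that Annex B c) calls for.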
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.