
GM/T 0096-2020 PDF in English


GM/T 0096-2020 (GM/T0096-2020, GMT 0096-2020, GMT0096-2020)
Standard ID: GM/T 0096-2020
Contents [version]: English
USD: 440
Name of Chinese Standard: Guide for RFID anti-counterfeiting cipher application
Status: Valid

GM/T 0096-2020

GM
CRYPTOGRAPHY INDUSTRY STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA

ICS 35.040
CCS L 80

Guide for RFID Anti-counterfeiting Cipher Application

ISSUED ON: DECEMBER 28, 2020
IMPLEMENTED ON: JULY 1, 2021
Issued by: State Cryptography Administration

Table of Contents

Foreword
1 Scope
2 Normative References
3 Terms and Definitions
4 Abbreviations
5 Overview
6 Security Category
  6.1 Security Level
  6.2 Category-A System
  6.3 Category-B System
7 Category-A System Planning and Implementation
  7.1 System Planning
    7.1.1 System architecture
    7.1.2 Tag issuance system
    7.1.3 Anti-counterfeiting authentication system
    7.1.4 Information processing system
    7.1.5 Key management system
  7.2 Product Selection
    7.2.1 RFID electronic tag
    7.2.2 RF reader
    7.2.3 Security gateway
    7.2.4 Cryptographic machine
  7.3 Implementation Suggestions
    7.3.1 Information processing system
    7.3.2 Middleware
    7.3.3 Key management system
    7.3.4 Requirements for transparent transmission channel - reader
  7.4 Application Scheme
8 Category-B System Planning and Implementation
  8.1 System Planning
    8.1.1 System architecture
    8.1.2 Tag issuance system
    8.1.3 Anti-counterfeiting authentication system
    8.1.4 Information processing system
    8.1.5 Key management system
    8.1.6 Certificate issuance and identity authentication system
  8.2 Product Selection
    8.2.1 RFID electronic tag
    8.2.2 RF reader
    8.2.3 Security gateway
    8.2.4 Cryptographic machine
  8.3 Implementation Suggestions
    8.3.1 Information processing system
    8.3.2 Middleware
    8.3.3 CA and key management system
    8.3.4 Requirements for transparent transmission channel - reader
  8.4 Application Scheme
Appendix A (informative) Bidirectional Authentication Realization Mode
Appendix B (informative) Category-A RFID Anti-counterfeiting Cryptographic Application Scheme
Appendix C (informative) Category-B RFID Anti-counterfeiting Cryptographic Application Scheme

Guide for RFID Anti-counterfeiting Cipher Application

1 Scope

This Standard specifies the security category, system planning and implementation of RFID anti-counterfeiting application.

This Standard is applicable to cryptographic security scheme design, cryptographic product selection and system implementation in RFID anti-counterfeiting application.

2 Normative References

The content of the following documents constitutes indispensable clauses of this document through normative references in the text. In terms of references with a specified date, only versions with a specified date are applicable to this document. In terms of references without a specified date, the latest version (including all the modifications) is applicable to this document.
GB/T 28925 Information Technology - Radio Frequency Identification - Air Interface Protocol at 2.45 GHz
GB/T 29768 Information Technology - Radio Frequency Identification - Air Interface Protocol at 800/900 MHz
GB/T 32915 Information Security Technology - Binary Sequence Randomness Detection Method
GB/T 37033.1-2018 Information Security Technology - Technical Requirements for Cryptographic Application for Radio Frequency Identification Systems - Part 1: Cryptographic Protection Framework and Security Levels
GB/T 37033.2-2018 Information Security Technology - Technical Requirements for Cryptographic Application for Radio Frequency Identification Systems - Part 2: Technical Requirements for Cryptographic Application for RF Tag, Reader and Communication
GB/T 37033.3-2018 Information Security Technology - Technical Requirements for Cryptographic Application for Radio Frequency Identification Systems - Part 3: Technical Requirements for Key Management
GB/T 37092 Information Security Technology - Security Requirements for Cryptographic Modules
GM/T 0008 Cryptography Test Criteria for Security IC

7.1.4 Information processing system

The information processing system is a processing system that includes multiple types of information, such as commodity production, storage, transportation and sales.

7.1.5 Key management system

The key management system is responsible for the key management functions (such as generation, dispersion and storage of keys) in the entire system. It is the core of security of the entire system. In order to ensure the security of the system, the key management system is deployed in an independent key management center, which is physically separated from other parts (including the information processing system, anti-counterfeiting authentication system and tag issuance system) of the commodity traceability and anti-counterfeiting application system. The keys generated by the key management system are distributed to other parts of the commodity traceability and anti-counterfeiting application system through security measures, for example, a key card.

7.2 Product Selection

7.2.1 RFID electronic tag

7.2.1.1 Cryptographic security requirements

The RFID electronic tag used in Category-A system shall satisfy the following cryptographic security requirements.

a) Comply with Type-I or Type-II test requirements specified in GM/T 0040-2015.
b) Identity authentication: it shall support the reader to conduct identity authentication of the electronic tag. The mode in which the reader realizes identity authentication of the electronic tag is shown in 8.3.2.2 of GB/T 37033.2-2018.
c) Access control: it shall support access control function and ensure that the stored information is accessed under controlled permissions. The mode in which the access control of the electronic tag is realized is shown in 6.1.5 of GB/T 37033.2-2018. The test of access control of electronic tags is shown in 6.5 of GM/T 0040-2015.
d) Cryptographic algorithm: the cryptographic algorithm approved by the national cryptographic management department shall be adopted.
e) Cryptographic products approved by the national cryptographic management department should be selected.

7.2.1.2 Optional cryptographic security requirements

7.2.2 RF reader

7.2.2.1 Cryptographic security requirements

The RF reader with cryptographic security functions used in Category-A system may satisfy the following cryptographic security requirements.

a) The SAM chip used by the reader shall comply with the test requirements of not lower than the second level specified in GM/T 0008.
b) Identity authentication: it shall support the identity authentication of the electronic tag by the reader. The mode in which the identity authentication of the electronic tag by the reader is realized is shown in 8.3.2.2 of GB/T 37033.2-2018.
c) It shall support access control function. The mode in which reader access control is realized is shown in 6.2.5 of GB/T 37033.2-2018.
d) Cryptographic algorithm: the cryptographic algorithm approved by the national cryptographic management department that is compatible with the cryptographic algorithm in the electronic tag shall be adopted.
e) Cryptographic products approved by the national cryptographic management department should be selected.

7.2.2.2 Optional cryptographic security requirements

In accordance with the demands of application, the RF reader with cryptographic security functions used in Category-A system may optionally support the following cryptographic security requirements.

a) Confidentiality of stored information: it may optionally support the confidentiality protection of the information stored in the reader. The mode in which the confidentiality of the information stored in the reader is realized is shown in 6.2.1.1 of GB/T 37033.2-2018.
b) Confidentiality of transmitted information: it may optionally support the protection function of the information transmitted by the reader. The mode in which the confidentiality of the information transmitted by the reader is realized is shown in 6.2.1.2 of GB/T 37033.2-2018.
c) Integrity of stored information: Category-A security level reader may optionally support the integrity protection function of the information stored in the reader. The mode in which the integrity of the information stored in the reader is realized is shown in 6.2.2.1 of GB/T 37033.2-2018.
d) Integrity of transmitted information: it may optionally support the integrity protection function of the information transmitted by the reader. The mode, in

8.1.4 Information processing system

The information processing system is a processing system that includes multiple types of information, such as commodity production, storage, transportation and sales.

8.1.5 Key management system

The key management system is responsible for the key management functions (such as generation, dispersion and storage of keys) in the entire system. It is the core of security of the entire system. In order to ensure the security of the system, the key management system is deployed in an independent key management center, which is physically separated from other parts (including the information processing system, anti-counterfeiting authentication system and tag issuance system) of the commodity traceability and anti-counterfeiting application system. The keys generated by the key management system are distributed to other parts of the commodity traceability and anti-counterfeiting application system through security measures, for example, a key card.

8.1.6 Certificate issuance and identity authentication system

The cryptographic module is integrated in the devices of each link of the electronic tag and the anti-counterfeiting system. The enterprise applies for the enterprise root certificate from the CA and uses the root certificate to issue the second-level certificate. The second-level certificate is used to issue the third-level certificate and establish a certificate chain, which serves as the basis for the identity authentication between the electronic tag and the operation system, and between two operation systems.

Identity authentication shall be carried out in accordance with the following requirements.

a) During the communication between two operation systems, adopt the asymmetric algorithm to realize identity authentication.
b) During the communication between the operation system and the electronic tag, adopt the asymmetric algorithm for identity authentication.
c) When the reader of the operation system writes information into the electronic tag, the operation system and the reader shall perform bidirectional authentication. After passing the bidirectional authentication, the information may be written. See Appendix A for the bidirectional authentication.
d) When the reader of the operation system reads information from the electronic tag, perform unidirectional authentication on the reader. After passing the authentication, the information is read.
e) The information written in the reader and the electronic tag is signed with the private key of the writer, so as to ensure the integrity and non-repudiation of the information.

8.2 Product Selection

8.2.1 RFID electronic tag

8.2.1.1 Cryptographic security requirements

The RFID electronic tag used in Category-B system shall satisfy the following cryptographic security requirements.

a) The RFID electronic tag shall comply with the Type-II test requirements specified in GM/T 0040-2015. The chip used in RFID electronic tag shall comply with the test requirements of not lower than the second level specified in GM/T 0008.
b) Confidentiality of stored information: it shall support the confidentiality protection of the information stored in the electronic tag. The mode in which the confidentiality of the information stored in the electronic tag is realized is shown in 6.1.1.1 of GB/T 37033.2-2018. The test of the confidentiality of the information stored in the electronic tag is shown in 6.3.3 of GM/T 0040-2015.
c) Confidentiality of transmitted information: it shall support the protection function of the information transmitted by the electronic tag. The mode in which the confidentiality of the information transmitted by the electronic tag is realized is shown in 6.1.1.2 of GB/T 37033.2-2018. The test of the confidentiality of the information transmitted by the electronic tag is shown in 6.3.2 of GM/T 0040-2015.
d) Integrity of stored information: it shall support the integrity protection function of the information stored in the electronic tag. The mode in which the integrity of the information stored in the electronic tag is realized is shown in 6.1.2.1 of GB/T 37033.2-2018. The integrity test of the information stored in the electronic tag is shown in 6.3.5 of GM/T 0040-2015.
e) Integrity of transmitted information: it shall support the integrity protection function of the information transmitted by the electronic tag. The mode in which the integrity of the information transmitted by the electronic tag is realized is shown in 6.1.2.2 of GB/T 37033.2-2018. The integrity test of the information transmitted by the electronic tag is shown in 6.3.4 of GM/T 0040-2015.
f) Identity authentication: when writing in the electronic tag information, it shall support the bidirectional authentication between the reader and the electronic tag; when reading the electronic tag information, it shall support the identity authentication of the electronic tag by the reader. The mode in which the identity authentication of the electronic tag by the reader is realized is shown in 8.3.2.2 of GB/T 37033.2-2018. The mode, in which, the bidirectional authentication between the reader and the electronic tag is realized, is shown

b) Confidentiality of transmitted information: it shall support the protection function of the information transmitted by the reader. The mode in which the confidentiality of the information transmitted by the reader is realized is shown in 6.2.1.2 of GB/T 37033.2-2018.
c) Integrity of stored information: it shall support the integrity protection function of the information stored in the reader. The mode in which the integrity of the information stored in the reader is realized is shown in 6.2.2.1 of GB/T 37033.2-2018.
d) Integrity of transmitted information: it shall support the integrity protection function of the information transmitted by the reader. The mode in which the integrity of the information transmitted by the reader is realized is shown in 6.2.2.2 of GB/T 37033.2-2018.
e) Identity authentication: when Category-B security level reader writes in information, it shall support the identity authentication of the reader by the electronic tag. When reading the information, it may optionally support the identity authentication of the reader by the electronic tag. The mode in which the identity authentication of the reader by the electronic tag is realized is shown in 8.3.2.1 of GB/T 37033.2-2018. The identity authentication of the reader by the electronic tag shall be tested in accordance with 6.2 and 6.3 of GM/T 0040-2015.
f) Non-repudiation of origin of electronic tag: it shall support the function of non-repudiation of origin of the electronic tag. The mode in which the non-repudiation of origin of the electronic tag is realized is shown in 6.2.3.1 of GB/T 37033.2-2018. The test of the non-repudiation of origin of electronic tag is shown in 6.6.1 of GM/T 0040-2015.
g) Non-repudiation of reader: it shall support the function of non-repudiation of the reader by the electronic tag. The mode in which the non-repudiation of the reader by the electronic tag is realized is shown in 6.2.3.3 of GB/T 37033.2-2018.
h) Access control: it shall support the function of access control. The mode in which the access control of the reader is realized is shown in 6.2.5 of GB/T 37033.2-2018.
i) Audit: it shall support the audit function. The mode in which the audit record of the reader is realized is shown in 6.2.6 of GB/T 37033.2-2018.
j) Cryptographic algorithm: the cryptographic algorithm approved by the national cryptographic management department that is compatible with the cryptographic algorithm in the electronic tag shall be adopted.
k) Cryptographic products approved by the national cryptographic management

an asymmetric key as a signed key pair. The enterprise submits the enterprise information and public key signed to the CA center. The CA center verifies the identity of the enterprise, then issues a digital certificate signed by the CA private key to the enterprise. The digital certificate includes the enterprise’s basic information, the enterprise’s public key, the issuance institution and the expiration date, etc.

8.3.3.3 Enterprise certificate system’s issuance of application certificate

The certificates issued by this system are all used for the internal production and management of the enterprise. The cryptographic modules of the production management system, the issuance system, the production system and the commodity management system generate a public-private key pair; the public key is signed by the enterprise’s root private key, and the certificates are respectively issued. The production management certificate, issuance certificate, production certificate and sales management certificate are used for identification in the process of interacting with other systems. The cryptographic module can be packaged in the form of a smart cryptographic key or TF card, issued and integrated into the corresponding system.

8.3.3.4 Sales management certificate system’s issuance of sales management certificate

The certificates issued by this system are all used for the external channels, sales and after-sales of the enterprise. They correspondingly manage non-core anti-counterfeiting information (such as channel management information, personalized information, sales date and after-sales and maintenance records) in the anti-counterfeiting tag. The cryptographic modules of the sales system and the after-sales system generate a public-private key pair. The public key is signed by the private key of the sales management system, and the certificates are respectively issued. The sales certificate and the after-sales certificate are used for identification in the process of interacting with other systems.

In consideration of the high mobility of the points of sales and after-sales of the commodities, outlets will be added at any time. In order to control the frequency of use of the root shield of the enterprise’s certificate issuance system and protect the security of the root shield, the sales management system will issue third-level certificates for the points of sales and after-sales. The cryptographic module can be packaged in the form of a smart cryptographic key or TF card, issued and integrated into the corresponding system.

......
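
The three-level certificate chain of 8.1.6 and 8.3.3.4 (enterprise root, sales management system, sales outlet), together with the writer's signature from 8.1.6 e), as an added example that is not part of the standard. Ed25519 from the Go standard library stands in for the nationally approved asymmetric algorithm the standard requires; the certificate names, the record format and all function names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}
// issue creates a key pair and a certificate for cn signed by parent (nil parent: self-signed).
func issue(cn string, usage x509.KeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader) // assumption: stand-in for the approved algorithm
	check(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: usage, IsCA: usage == x509.KeyUsageCertSign, BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// verifyRecord accepts a record only if the writer chains to the root and the signature covers it.
func verifyRecord(root, second, writer *x509.Certificate, record, sig []byte) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inter.AddCert(second)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := writer.Verify(opts); err != nil {
		return false
	}
	pub, ok := writer.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, record, sig)
}

// demo returns verdicts for a genuine record, a record from an unchained writer, and a tampered record.
func demo() (genuine, unchained, tampered bool) {
	root, rootKey := issue("Enterprise Root", x509.KeyUsageCertSign, nil, nil)
	sales, salesKey := issue("Sales Management System", x509.KeyUsageCertSign, root, rootKey)
	outlet, outletKey := issue("Sales Outlet 001", x509.KeyUsageDigitalSignature, sales, salesKey)
	rogue, rogueKey := issue("Sales Outlet 001", x509.KeyUsageDigitalSignature, nil, nil) // self-signed look-alike
	rec := []byte("tag=CONSTRUCTED-0001;sales_date=2024-01-01") // constructed non-core record
	sig := ed25519.Sign(outletKey, rec)
	return verifyRecord(root, sales, outlet, rec, sig),
		verifyRecord(root, sales, rogue, rec, ed25519.Sign(rogueKey, rec)),
		verifyRecord(root, sales, outlet, []byte("tag=CONSTRUCTED-0001;sales_date=2025-06-30"), sig)
}
func main() { fmt.Println(demo()) }
```

Only the enterprise root has to be trusted by the verifier; new outlets are enrolled by the second-level key, which is how 8.3.3.4 keeps the root key out of routine use.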
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.