GM/T 0096-2020 PDF in English
GM/T 0096-2020 (GM/T0096-2020, GMT 0096-2020, GMT0096-2020)
Standard ID | Contents [version] | USD | STEP2 | [PDF] delivered in | Name of Chinese Standard | Status |
GM/T 0096-2020 | English | 440 |
Add to Cart
|
0-9 seconds. Auto-delivery.
|
Guide for RFID anti-counterfeiting cipher application
| Valid |
Standards related to (historical): GM/T 0096-2020
PDF Preview
GM/T 0096-2020: PDF in English (GMT 0096-2020) GM/T 0096-2020
GM
CRYPTOGRAPHY INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
CCS L 80
Guide for RFID Anti-counterfeiting Cipher Application
ISSUED ON: DECEMBER 28, 2020
IMPLEMENTED ON: JULY 1, 2021
Issued by: State Cryptography Administration
Table of Contents
Foreword ... 4
1 Scope ... 5
2 Normative References ... 5
3 Terms and Definitions ... 6
4 Abbreviations ... 7
5 Overview ... 8
6 Security Category ... 9
6.1 Security Level ... 9
6.2 Category-A System ... 9
6.3 Category-B System ... 10
7 Category-A System Planning and Implementation ... 10
7.1 System Planning ... 10
7.1.1 System architecture ... 10
7.1.2 Tag issuance system ... 11
7.1.3 Anti-counterfeiting authentication system ... 11
7.1.4 Information processing system ... 12
7.1.5 Key management system ... 12
7.2 Product Selection ... 12
7.2.1 RFID electronic tag ... 12
7.2.2 RF reader ... 14
7.2.3 Security gateway ... 15
7.2.4 Cryptographic machine ... 15
7.3 Implementation Suggestions ... 15
7.3.1 Information processing system ... 15
7.3.2 Middleware ... 15
7.3.3 Key management system ... 16
7.3.4 Requirements for transparent transmission channel - reader ... 16
7.4 Application Scheme ... 17
8 Category-B System Planning and Implementation ... 17
8.1 System Planning ... 17
8.1.1 System architecture ... 17
8.1.2 Tag issuance system ... 18
8.1.3 Anti-counterfeiting authentication system ... 18
8.1.4 Information processing system ... 19
8.1.5 Key management system ... 19
8.1.6 Certificate issuance and identity authentication system ... 19
8.2 Product Selection ... 20
8.2.1 RFID electronic tag ... 20
8.2.2 RF reader ... 21
8.2.3 Security gateway ... 23
8.2.4 Cryptographic machine ... 23
8.3 Implementation Suggestions ... 23
8.3.1 Information processing system ... 23
8.3.2 Middleware ... 23
8.3.3 CA and key management system ... 23
8.3.4 Requirements for transparent transmission channel - reader ... 25
8.4 Application Scheme ... 25
Appendix A (informative) Bidirectional Authentication Realization Mode ... 26
Appendix B (informative) Category-A RFID Anti-counterfeiting Cryptographic
Application Scheme ... 27
Appendix C (informative) Category-B RFID Anti-counterfeiting Cryptographic
Application Scheme ... 39
Guide for RFID Anti-counterfeiting Cipher Application
1 Scope
This Standard specifies the security category, system planning and implementation of
RFID anti-counterfeiting application.
This Standard is applicable to cryptographic security scheme design, cryptographic
product selection and system implementation in RFID anti-counterfeiting application.
2 Normative References
The content of the following documents constitutes indispensable clauses of this
document through normative references in the text. In terms of references with a
specified date, only versions with a specified date are applicable to this document. In
terms of references without a specified date, the latest version (including all the
modifications) is applicable to this document.
GB/T 28925 Information Technology - Radio Frequency Identification - Air Interface
Protocol at 2.45 GHz
GB/T 29768 Information Technology - Radio Frequency Identification - Air Interface
Protocol at 800/900 MHz
GB/T 32915 Information Security Technology - Binary Sequence Randomness
Detection Method
GB/T 37033.1-2018 Information Security Technology - Technical Requirements for
Cryptographic Application for Radio Frequency Identification Systems - Part 1:
Cryptographic Protection Framework and Security Levels
GB/T 37033.2-2018 Information Security Technology - Technical Requirements for
Cryptographic Application for Radio Frequency Identification Systems - Part 2:
Technical Requirements for Cryptographic Application for RF Tag, Reader and
Communication
GB/T 37033.3-2018 Information Security Technology - Technical Requirements for
Cryptographic Application for Radio Frequency Identification Systems - Part 3:
Technical Requirements for Key Management
GB/T 37092 Information Security Technology - Security Requirements for
Cryptographic Modules
GM/T 0008 Cryptography Test Criteria for Security IC
7.1.4 Information processing system
Information processing system is a processing system that includes multiple types of
information, such as: commodity production, storage, transportation and sales, etc.
7.1.5 Key management system
Key management system is responsible for the key management functions (such as:
generation, dispersion and storage of keys) in the entire system. It is the core of
security of the entire system. In order to ensure the security of the system, the key
management system is deployed in an independent key management center, which is
physically separated from other parts (including information processing system, anti-
counterfeiting authentication system and tag issuance system) of the commodity
traceability and anti-counterfeiting application system. The keys generated by the key
management system are distributed to other parts of the commodity traceability and
anti-counterfeiting application system through security measures, for example, key
card.
7.2 Product Selection
7.2.1 RFID electronic tag
7.2.1.1 Cryptographic security requirements
The RFID electronic tag used in Category-A system shall satisfy the following
cryptographic security requirements.
a) Comply with Type-I or Type-II test requirements specified in GM/T 0040-2015.
b) Identity authentication: it shall support the reader to conduct identity
authentication of the electronic tag. The mode, in which, the reader realizes
identity authentication of the electronic tag is shown in 8.3.2.2 in GB/T
37033.2-2018.
c) Access control: it shall support access control function and ensure that the
stored information is accessed under controlled permissions. The mode, in
which, the access control of the electronic tag is realized, is shown in 6.1.5 of
GB/T 37033.2-2018. The test of access control of electronic tags is shown in
6.5 of GM/T 0040-2015.
d) Cryptographic algorithm: the cryptographic algorithm approved by the national
cryptographic management department shall be adopted.
e) Cryptographic products approved by the national cryptographic management
department should be selected.
7.2.1.2 Optional cryptographic security requirements
7.2.2 RF reader
7.2.2.1 Cryptographic security requirements
The RF reader of cryptographic security functions used in Category-A system may
satisfy the following cryptographic security requirements.
a) The SAM chip used by the reader shall comply with the test requirements of
not lower than the second level specified in GM/T 0008.
b) Identity authentication: it shall support the identity authentication of the
electronic tag by the reader. The mode, in which, the identity authentication of
the electronic tag by the reader is realized, is shown in 8.3.2.2 of GB/T
37033.2-2018.
c) It shall support access control function. The mode, in which, reader access
control is realized, is shown in 6.2.5 of GB/T 37033.2-2018.
d) Cryptographic algorithm: the cryptographic algorithm approved by the national
cryptographic management department that is compatible with the
cryptographic algorithm in the electronic tag shall be adopted.
e) Cryptographic products approved by the national cryptographic management
department should be selected
7.2.2.2 Optional cryptographic security requirements
In accordance with the demands of application, the RF reader of cryptographic security
functions used in Category-A system may optionally support the following
cryptographic security requirements.
a) Confidentiality of stored information: it may optionally support the
confidentiality protection of the information stored in the reader. The mode, in
which, the confidentiality of the information stored in the reader is realized, is
shown in 6.2.1.1 of GB/T 37033.2-2018.
b) Confidentiality of transmitted information: it may optionally support the
protection function of the information transmitted by the reader. The mode, in
which, the confidentiality of the information transmitted by the reader is
realized, is shown in 6.2.1.2 of GB/T 37033.2-2018.
c) Integrity of stored information: Category-A security level reader may optionally
support the integrity protection function of the information stored in the reader.
The mode, in which, the integrity of the information stored in the reader is
realized, is shown in 6.2.2.1 of GB/T 37033.2-2018.
d) Integrity of transmitted information: it may optionally support the integrity
protection function of the information transmitted by the reader. The mode, in
8.1.4 Information processing system
Information processing system is a processing system that includes multiple types of
information, such as: commodity production, storage, transportation and sales, etc.
8.1.5 Key management system
Key management system is responsible for the key management functions (such as:
generation, dispersion and storage of keys) in the entire system. It is the core of
security of the entire system. In order to ensure the security of the system, the key
management system is deployed in an independent key management center, which is
physically separated from other parts (including information processing system, anti-
counterfeiting authentication system and tag issuance system) of the commodity
traceability and anti-counterfeiting application system. The keys generated by the key
management system are distributed to other parts of the commodity traceability and
anti-counterfeiting application system through security measures, for example, key
card.
8.1.6 Certificate issuance and identity authentication system
The cryptographic module is integrated in the devices of each link of the electronic tag
and the anti-counterfeiting system. The enterprise applies for the enterprise root
certificate from the CA and uses the root certificate to issue the second-level certificate.
The second-level certificate is used to issue the third-level certificate and establish a
certificate chain, which serves as the basis for the identity authentication between the
electronic tag and the operation system, and between two operation systems. Identity
authentication shall be carried out in accordance with the following requirements.
a) During the communication between two operation systems, adopt the
asymmetric algorithm to realize identity authentication.
b) During the communication between the operation system and the electronic
tag, adopt the asymmetric algorithm for identity authentication.
c) When the reader of the operation system writes information into the electronic
tag, the operation system and the reader shall perform bidirectional
authentication. After passing the bidirectional authentication, the information
may be written. See Appendix A for the bidirectional authentication.
d) When the reader of the operation system reads information from the electronic
tag, perform unidirectional authentication on the reader. After passing the
authentication, the information is read.
e) The information written in the reader and the electronic tag is signed with the
private key of the writer, so as to ensure the integrity and non-repudiation of
the information.
8.2 Product Selection
8.2.1 RFID electronic tag
8.2.1.1 Cryptographic security requirements
The RFID electronic tag used in Category-B system shall satisfy the following
cryptographic security requirements.
a) The RFID electronic tag shall comply with the Type-II test requirements
specified in GM/T 0040-2015. The chip used in RFID electronic tag shall
comply with the test requirements of not lower than the second level specified
in GM/T 0008.
b) Confidentiality of stored information: it shall support the confidentiality
protection of the information stored in the electronic tag. The mode, in which,
the confidentiality of the information stored in the electronic tag is realized, is
shown in 6.1.1.1 of GB/T 37033.2-2018. The test of the confidentiality of the
information stored in the electronic tag is shown in 6.3.3 of GM/T 0040-2015.
c) Confidentiality of transmitted information: it shall support the protection
information of information transmitted by the electronic tag. The mode, in
which, the confidentiality of the information transmitted by the electronic tag
is realized, is shown in 6.1.1.2 of GB/T 37033.2-2018. The test of the
confidentiality of the information transmitted by the electronic tag is shown in
6.3.2 of GM/T 0040-2015.
d) Integrity of stored information: it shall support the integrity protection function
of the information stored in the electronic tag. The mode, in which, the integrity
of the information stored in the electronic tag is realized, is shown in 6.1.2.1
of GB/T 37033.2-2018. The integrity test of the information stored in the
electronic tag is shown in 6.3.5 of GM/T 0040-2015.
e) Integrity of transmitted information: it shall support the integrity protection
function of the information transmitted by the electronic tag. The mode, in
which, the integrity of the information transmitted by the electronic tag is
realized, is shown in 6.1.2.2 of GB/T 37033.2-2018. The integrity test of the
information transmitted by the electronic tag is shown in 6.3.4 of GM/T 0040-
2015.
f) Identity authentication: when writing-in the electronic tag information, it shall
support the bidirectional authentication between the reader and the electronic
tag; when reading the electronic tag information, it shall support the identity
authentication of the electronic tag by the reader. The mode, in which, the
identity authentication of the electronic tag by the reader is realized, is shown
in 8.3.2.2 of GB/T 37033.2-2018. The mode, in which, the bidirectional
authentication between the reader and the electronic tag is realized, is shown
b) Confidentiality of transmitted information: it shall support the protection
function of the information transmitted by the reader. The mode, in which, the
confidentiality of the information transmitted by the reader is realized, is
shown in 6.2.1.2 of GB/T 37033.2-2018.
c) Integrity of stored information: it shall support the integrity protection function
of the information stored in the reader. The mode, in which, the integrity of the
information stored in the reader is realized, is shown in 6.2.2.1 of GB/T
37033.2-2018.
d) Integrity of transmitted information: it shall support the integrity protection
function of the information transmitted by the reader. The mode, in which, the
integrity of the information transmitted by the reader is realized, is shown in
6.2.2.2 of GB/T 37033.2-2018.
e) Identity authentication: when Category-B security level reader writes-in
information, it shall support the identity authentication of the reader by the
electronic tag. When reading the information, it may optionally support the
identity authentication of the reader by the electronic tag. The mode, in which,
the identity authentication of the reader by the electronic tag is realized, is
shown in 8.3.2.1 of GB/T 37033.2-2018. The identity authentication of the
reader by the electronic tag shall be tested in accordance with 6.2 and 6.3 of
GM/T 0040-2015.
f) Non-repudiation of origin of electronic tag: it shall support the function of non-
repudiation of origin of the electronic tag. The mode, in which, the non-
repudiation of origin of the electronic tag is realized, it shown in 6.2.3.1 of
GB/T 37033.2-2018. The test of the non-repudiation of origin of electronic tag
is shown in 6.6.1 of GM/T 0040-2015.
g) Non-repudiation of reader: it shall support the function of non-repudiation of
the reader by the electronic tag. The mode, in which, the non-repudiation of
the reader by the electronic tag is realized, is shown in 6.2.3.3 of GB/T
37033.2-2018.
h) Access control: it shall support the function of access control. The mode, in
which, the access control of the reader is realized, is shown in 6.2.5 of GB/T
37033.2-2018.
i) Audit: it shall support the audit function. The mode, in which, the audit record
of the reader is realized, is shown in 6.2.6 of GB/T 37033.2-2018.
j) Cryptographic algorithm: the cryptographic algorithm approved by the national
cryptographic management department that is compatible with the
cryptographic algorithm in the electronic tag shall be adopted.
k) Cryptographic products approved by the national cryptographic management
an asymmetric key as a signed key pair.
The enterprise submits the enterprise information and public key signed to the CA
center. The CA center verifies the identity of the enterprise, then, issues a digital
certificate signed by the CA private key to the enterprise.
The digital certificate includes the enterprise’s basic information, the enterprise’s public
key, the issuance institution and the expiration date, etc.
8.3.3.3 Enterprise certificate system’s issuance of application certificate
The certificates issued by this system are all used for the internal production and
management of the enterprise. The cryptographic modules of the production
management system, the issuance system, the production system and the commodity
management system generate a public-private key pair; the public key is signed by the
enterprise’s root private key, and the certificates are respectively issued. The
production management certificate, issuance certificate, production certificate and
sales management certificate are used for identification in the process of interacting
with other systems.
The cryptographic module can be packaged in the form of a smart cryptographic key
or TF card, issued and integrated into the corresponding system.
8.3.3.4 Sales management certificate system’s issuance of sales management
certificate
The certificates issued by this system are all used for the external channels, sales and
after-sales of the enterprise. They correspondingly manage non-core anti-
counterfeiting information (such as: channel management information, personalized
information, sales date and after-sales and maintenance records, etc.) in the anti-
counterfeiting tag.
The cryptographic modules of the sales system and the after-sales system generate a
public-private key pair. The public key is signed by the private key of the sales
management system, and the certificates are respectively issued. The sales certificate
and the after-sales certificate are used for identification in the process of interacting
with other systems.
In consideration of the high mobility of the points of sales and after-sales of the
commodities, outlets will be added at any time. In order to control the frequency of use
of the root shield of the enterprise’s certificate issuance system and protect the security
of the root shield, the sales management system will issue third-level certificates for
the points of sales and after-sales.
The cryptographic module can be packaged in the form of a smart cryptographic key
or TF card, issued and integrated into the corresponding system.
...... Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.
|