GM/T 0117-2022 PDF English
GM/T 0117-2022, English PDF, USD 395, delivered in 0-9 seconds (auto-delivery). Name of Chinese standard: Technical requirements for cryptographic applications of identity service in network. Status: Valid.
PDF Preview: GM/T 0117-2022
GM
CRYPTOGRAPHY INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.030
CCS L 80
Technical Requirements for Cryptographic Applications of
Identity Service in Network
ISSUED ON: NOVEMBER 20, 2022
IMPLEMENTED ON: JUNE 1, 2023
Issued by: State Cryptography Administration
Table of Contents
Foreword
1 Scope
2 Normative References
3 Terms and Definitions
4 Abbreviations
5 Overview
5.1 Network Identity Service Model
5.2 Security Levels of Network Identity Service
5.3 Cryptographic Application Demands Framework
6 Cryptographic Application Security Objective for Identity Service in Network
6.1 Overview
6.2 Confidentiality
6.3 Integrity
6.4 Authenticity
6.5 Non-repudiation
7 Technical Requirements for Cryptographic Applications of Identity Service in Network
7.1 General Requirements
7.2 Requirements for Identity Proofing Service
7.3 Requirements for Identity Authentication Service
7.4 Requirements for Identity Federation Service
Appendix A (informative) Risk Mitigation of Identity Services in Network
Appendix B (informative) Authenticator Types and Authentication Modes
Bibliography
Technical Requirements for Cryptographic Applications of
Identity Service in Network
1 Scope
This document stipulates the technical requirements for cryptographic applications of identity service in network for natural persons, provides the network identity service model, network identity service security levels, cryptographic application demands framework and cryptographic application security objectives, and provides specific technical requirements for cryptographic applications of identity proofing service, identity authentication service and identity federation service.
This document is applicable to the planning, design, development, deployment and application
of cryptographic applications of identity service in network for natural persons.
2 Normative References
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 15843 (all parts) Information Technology - Security Techniques - Entity Authentication
GB/T 22239 Information Security Technology - Baseline for Classified Protection of Cybersecurity
GB/T 25069 Information Security Techniques - Terminology
GB/T 35273 Information Security Technology - Personal Information Security Specification
GB/T 37036 (all parts) Information Technology - Biometrics Used with Mobile Devices
GB/T 37092 Information Security Technology - Security Requirements for Cryptographic Modules
GB/T 38556 Information Security Technology - Technical Specifications for One-time-password Cryptographic Application
GB/T 39786 Information Security Technology - Baseline for Information System Cryptography Application
GB/T 40660 Information Security Technology - General Requirements of Biometric Information Protection
6.2 Confidentiality
Important data in network identity services (such as identity authentication information, sensitive personal information and authenticator keys) will not be obtained by unauthorized entities during collection, storage, use and transmission, and thus exploited or leaked. Confidentiality is achieved using encryption and decryption techniques.
6.3 Integrity
Important data in network identity services (such as identity authentication information, sensitive personal information and authenticator keys) will not be modified or destroyed without authorization during collection, storage, use and transmission. Integrity is achieved using cryptographic technology, such as message authentication code mechanisms based on symmetric cryptographic algorithms or cryptographic hash algorithms, and digital signature mechanisms based on public key cryptographic algorithms.
6.4 Authenticity
Identity services in network confirm the authenticity of the identities of participating entities, to prevent identities from being appropriated or counterfeited. Authenticity is achieved using cryptographic technology, such as message authentication code mechanisms based on symmetric cryptographic algorithms or cryptographic hash algorithms, digital signature mechanisms based on public key cryptographic algorithms, and dynamic password mechanisms.
6.5 Non-repudiation
Participating entities in identity services in network cannot deny their data-originating and data-receiving behavior in the network identity services. Non-repudiation is achieved using cryptographic technology, for example digital signature mechanisms based on public key cryptographic algorithms.
7 Technical Requirements for Cryptographic Applications of
Identity Service in Network
7.1 General Requirements
In identity proofing service, identity authentication service and identity federation service,
Level 1 to Level 4 shall comply with the following general requirements:
a) The cryptographic algorithms, cryptographic technology, cryptographic products and cryptographic services used in network identity services shall comply with the provisions of laws and regulations, and the relevant requirements of cryptography-related national standards and industry standards;
b) The collection, storage, use, entrusted processing, sharing, transfer and public
disclosure of personal information, and the handling of personal information security
incidents shall comply with the provisions of GB/T 35273, and the protection
requirements for biometric features recognition shall comply with the provisions of
GB/T 40660.
7.2 Requirements for Identity Proofing Service
7.2.1 Level 1
The requirements for Level 1 are as follows.
a) Requirements for identity proofing: real names are not required, and anonymous,
pseudonymous or real names may be used.
b) Requirements for communication protection: cryptographic technology may be
adopted to ensure the integrity of data in the communication process; cryptographic
technology may be adopted to ensure the confidentiality of important data in the
communication process; cryptographic technology may be adopted to authenticate
communication entities.
c) Requirements for recording and storage:
1) The identity service provider shall record and store the necessary information for
the identity proofing service, including but not limited to collected user identity
information and identification documents, process information generated by
identity proofing, and proofing results, etc.;
2) Cryptographic technology may be adopted to ensure the confidentiality and
integrity of important data storage.
d) Requirements for risk mitigation: see A.1 in Appendix A for possible risks.
Cryptographic technology may be adopted to mitigate possible risks.
e) Requirements for system security protection: the network identity service system
shall at least comply with Level 1 security requirements specified in GB/T 22239 and
shall at least comply with Level 1 cryptographic application technical requirements
specified in GB/T 39786.
7.2.2 Level 2
The requirements for Level 2 are as follows.
a) Requirements for identity proofing: user identity shall be verified using any mode of remote identity proofing, in-person over remote channel identity proofing and in-person identity proofing, and real-name verification shall be performed.
b) Requirements for communication protection: cryptographic technology may be used
data storage, and cryptographic technology shall be adopted to ensure the
confidentiality of important data storage.
d) Requirements for risk mitigation: see A.1 for possible risks. When there are means of
cryptographic technology that can mitigate risks, cryptographic technology shall be
adopted to deal with the risks.
e) Requirements for system security protection: the network identity service system
shall at least comply with Level 2 security requirements specified in GB/T 22239 and
shall at least comply with Level 2 cryptographic application technical requirements
specified in GB/T 39786.
7.2.4 Level 4
The requirements for Level 4 are as follows.
a) Requirements for identity proofing: user identity shall be verified using the mode of
in-person identity proofing, and real-name verification shall be performed.
b) Requirements for communication protection: cryptographic technology should be
used to ensure the integrity of data in the communication process. Cryptographic
technology should be adopted to ensure the confidentiality of important data in the
communication process (such as: citizen identity numbers, addresses, and scanned
copies of important documents, etc.), and cryptographic technology shall be adopted
to perform two-way authentication on communication entities.
c) Requirements for recording and storage:
1) The identity service provider shall record and store the necessary information for
the identity proofing service, including but not limited to the collected user
identity information and identification documents, process information
generated by identity proofing, and proofing results, etc.;
2) Cryptographic technology shall be adopted to ensure the integrity and
confidentiality of important data storage.
d) Requirements for risk mitigation: see A.1 for possible risks. When there are means of
cryptographic technology that can mitigate risks, cryptographic technology shall be
adopted to deal with the risks.
e) Requirements for system security protection: the network identity service system
shall at least comply with Level 3 security requirements specified in GB/T 22239 and
shall at least comply with Level 3 cryptographic application technical requirements
specified in GB/T 39786.
7.3 Requirements for Identity Authentication Service
7.3.1 Level 1
The requirements for Level 1 are as follows.
a) Requirements for authentication mode: it shall support at least single-factor
authentication mode, and any type of authenticator may be used for identity
authentication (see Appendix B for authenticator types and authentication modes).
b) Requirements for authentication protocol:
1) Dynamic information (such as: random numbers and challenge codes) and
timestamps, etc. shall be adopted to prevent replay attacks;
2) When using cryptographic technology for identity authentication, it shall comply
with the provisions of GB/T 15843 (all parts);
3) The number of identity authentication attempts within a certain period of time
shall be limited, for example, the number of attempts within one minute shall not
be higher than 5 times;
4) The requirements for biometric features recognition of mobile equipment shall
comply with the provisions of GB/T 37036 (all parts);
5) If dynamic passwords are involved in the authentication, the technical
requirements for cryptographic applications of dynamic passwords shall comply
with the provisions of GB/T 38556.
c) Requirements for authenticator life cycle management:
1) Authenticator binding: two or more types of authenticators may be bound to user
identities (see Appendix B for authenticator types and authentication modes);
2) Requirements for authenticator update: users shall be required to update the authenticator at an appropriate time before the existing authenticator expires; the update procedure shall be consistent with the initial authenticator issuance procedure; after the update is successful, the replaced authenticator shall be revoked;
3) Requirements for authenticator theft, damage and duplication: security measures
shall be taken to prevent the secret information in the authenticator from being
extracted; the suspension and re-activation of the authenticator shall be supported;
re-proofing of user identity and binding of a new authenticator shall be supported;
4) Requirements for authenticator expiration: expired authenticators shall no longer
be used for identity authentication; when users use an expired authenticator, they
shall be informed that the authenticator has expired; expired authenticators shall
be properly disposed of;
5) Requirements for authenticator revocation: regularly check whether the identity
exists, whether the identity satisfies the qualification requirements, and the risk
status of the authenticator, etc. When the identity does not exist, or when the user
b) Requirements for authentication protocol:
1) Dynamic information (such as: random numbers and challenge codes) and
timestamps, etc. shall be adopted to prevent replay attacks;
2) Cryptographic technology should be used for identity authentication. When
using cryptographic technology for identity authentication, it shall comply with
the provisions of GB/T 15843 (all parts);
3) The number of identity authentication attempts within a certain period of time
shall be limited, for example, the number of attempts within one minute shall not
be higher than 5 times;
4) If biometric features are used for authentication, the requirements for biometric
features recognition of mobile equipment shall comply with the provisions of
GB/T 37036 (all parts);
5) If dynamic passwords are involved in the authentication, the technical
requirements for cryptographic applications of dynamic passwords shall comply
with the provisions of GB/T 38556.
c) Requirements for authenticator life cycle management:
1) Authenticator binding: two or more types of authenticators should be bound to
user identities (see Appendix B for authenticator types and authentication modes);
2) Requirements for authenticator update: users shall be required to update the authenticator at an appropriate time before the existing authenticator expires; the update procedure shall be consistent with the initial authenticator issuance procedure; after the update is successful, the replaced authenticator shall be revoked;
3) Requirements for authenticator theft, damage and duplication: security measures
shall be taken to prevent the secret information in the authenticator from being
extracted; the suspension and re-activation of the authenticator shall be supported;
re-proofing of user identity and binding of a new authenticator shall be supported;
4) Requirements for authenticator expiration: expired authenticators shall no longer
be used for identity authentication; when users use an expired authenticator, they
shall be informed that the authenticator has expired; expired authenticators shall
be properly disposed of;
5) Requirements for authenticator revocation: regularly check whether the identity
exists, whether the identity satisfies the qualification requirements, and the risk
status of the authenticator, etc. When the identity does not exist, or when the user
makes a revocation request, or when it is determined that the identity no longer
satisfies the qualification requirements, or after the authenticator is updated, the
authenticator bound to the identity shall be revoked in time; the revoked
authenticator shall no longer be used for identity authentication; when the
authenticator is revoked, the authenticator shall be properly disposed of, such as:
by destroying it after recycling, and completely eliminating relevant data of the
authenticator, etc.
d) Requirements for session management: after identity authentication is successful,
cryptographic technology may be used to establish a secure session between the
identity service provider and the user. Effective technical means shall be adopted to
ensure the randomness of information related to the session identifier and to ensure
the secure storage and use of generated session-related secret information.
e) Requirements for communication protection: cryptographic technology may be
adopted to ensure the integrity of data in the communication process, cryptographic
technology should be adopted to ensure the confidentiality of important data in the
communication process, and cryptographic technology should be adopted to
authenticate communication entities.
f) Requirements for recording and storage:
1) The identity service provider shall record and store the necessary information for
identity authentication, including but not limited to the identity authentication
protocols used, identity authentication methods, authenticator-related data,
process information generated by identity authentication, and authentication
results, etc.;
2) Cryptographic technology should be adopted to ensure the confidentiality and
integrity of important data storage.
g) Requirements for risk mitigation: see A.2 for possible risks. Cryptographic
technology should be adopted to mitigate the possible risks.
h) Requirements for system security protection: the network identity service system
shall at least comply with Level 1 security requirements specified in GB/T 22239 and
shall at least comply with Level 1 cryptographic application technical requirements
specified in GB/T 39786.
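The b) and c) lists above for the identity authentication service (repeated with stricter modal verbs at Levels 3 and 4) combine checks that are easy to get wrong when built separately: a fresh challenge and a timestamp against replay (b) 1)), a cap on attempts per minute (b) 3)), and refusal of expired or revoked authenticators (c) 4) and c) 5)). The following Python sketch, added here as an illustration and not code from the standard or from any identity service provider, puts them in one verifier. HMAC-SHA256 stands in for the approved MAC mechanism the standard would require; the challenge lifetime, the clock-skew tolerance, the injectable clock and the sample secrets are assumptions of the example.

```python
"""Challenge-response verifier illustrating the clause 7.3 b) and c) requirements."""
import hashlib
import hmac
import secrets
import time
from collections import deque

MAX_ATTEMPTS_PER_WINDOW = 5   # the clause's example: at most 5 attempts per minute
WINDOW_SECONDS = 60
CHALLENGE_TTL_SECONDS = 30    # assumed: how long an issued challenge stays valid
MAX_CLOCK_SKEW_SECONDS = 30   # assumed: tolerated client/server clock difference


def client_response(secret: bytes, challenge: str, timestamp: int) -> str:
    """What the user's authenticator computes: a MAC over the challenge and the
    client's timestamp. HMAC-SHA256 stands in for an approved MAC mechanism."""
    return hmac.new(secret, f"{challenge}|{timestamp}".encode(), hashlib.sha256).hexdigest()


class AuthService:
    """Identity service provider side. `clock` is injectable so tests can move time."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.authenticators = {}  # user_id -> {"secret", "expires_at", "revoked"}
        self.attempts = {}        # user_id -> deque of attempt times (rate limiting)
        self.challenges = {}      # user_id -> (challenge, issued_at); single use

    def bind_authenticator(self, user_id: str, secret: bytes, lifetime_seconds: int) -> None:
        self.authenticators[user_id] = {
            "secret": secret,
            "expires_at": self.clock() + lifetime_seconds,
            "revoked": False,
        }

    def revoke_authenticator(self, user_id: str) -> None:
        # c) 5): once revoked, the authenticator is never accepted again.
        self.authenticators[user_id]["revoked"] = True

    def issue_challenge(self, user_id: str) -> str:
        # b) 1): a fresh random value, so a captured response is useless later.
        challenge = secrets.token_hex(16)
        self.challenges[user_id] = (challenge, self.clock())
        return challenge

    def _rate_limited(self, user_id: str) -> bool:
        # b) 3): sliding window over the last WINDOW_SECONDS; every attempt counts.
        now = self.clock()
        window = self.attempts.setdefault(user_id, deque())
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_ATTEMPTS_PER_WINDOW:
            return True
        window.append(now)
        return False

    def verify(self, user_id: str, challenge: str, timestamp: int, response: str):
        """Returns (accepted, reason); the reason names the first failed check."""
        if self._rate_limited(user_id):
            return False, "rate_limited"
        auth = self.authenticators.get(user_id)
        if auth is None:
            return False, "unknown_user"
        now = self.clock()
        if auth["revoked"]:
            return False, "authenticator_revoked"
        if now >= auth["expires_at"]:
            return False, "authenticator_expired"  # c) 4): report expiry, do not authenticate
        issued = self.challenges.pop(user_id, None)  # consumed on first use, valid or not
        if issued is None or not hmac.compare_digest(issued[0], challenge):
            return False, "unknown_or_replayed_challenge"
        if now - issued[1] > CHALLENGE_TTL_SECONDS:
            return False, "challenge_expired"
        if abs(now - timestamp) > MAX_CLOCK_SKEW_SECONDS:
            return False, "timestamp_out_of_window"  # b) 1): timestamps also bound replay
        expected = client_response(auth["secret"], challenge, timestamp)
        if not hmac.compare_digest(expected, response):
            return False, "bad_response"
        return True, "ok"


def demo():
    """Constructed walk-through: one good login, a replay, then the attempt cap."""
    now = [1_700_000_000]
    svc = AuthService(clock=lambda: now[0])
    secret = b"constructed-authenticator-secret"
    svc.bind_authenticator("alice", secret, lifetime_seconds=3600)
    ch = svc.issue_challenge("alice")
    resp = client_response(secret, ch, now[0])
    results = [svc.verify("alice", ch, now[0], resp)[1]]        # ok
    results.append(svc.verify("alice", ch, now[0], resp)[1])    # replayed challenge
    for _ in range(4):                                          # attempts 3..6 in the minute
        results.append(svc.verify("alice", svc.issue_challenge("alice"), now[0], "bogus")[1])
    return results


if __name__ == "__main__":
    print(demo())
```

The challenge is popped on the first verify call whether or not that call succeeds, so a captured (challenge, response) pair cannot be presented twice, and the attempt counter is charged before any other check so that a failed lookup still consumes one of the five attempts in the minute.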
7.3.3 Level 3
The requirements for Level 3 are as follows.
a) Requirements for authentication mode: multi-factor authentication mode shall be used; at least one of the authentication factors shall be implemented using a cryptographic software authenticator or a cryptographic device authenticator, and the cryptographic module used shall meet the Level 2 or higher security requirements in GB/T 37092.
b) Requirements for authentication protocol:
authenticator, etc.
d) Requirements for session management: after identity authentication is successful,
cryptographic technology may be used to establish a secure session between the
identity service provider and the user. Effective technical means shall be adopted to
ensure the randomness of information related to the session identifier and to ensure
the secure storage and use of generated session-related secret information.
e) Requirements for communication protection: cryptographic technology should be
adopted to ensure the integrity of data in the communication process, cryptographic
technology shall be adopted to ensure the confidentiality of important data in the
communication process, and cryptographic technology shall be adopted to
authenticate communication entities.
f) Requirements for recording and storage:
1) The identity service provider shall record and store the necessary information for
identity authentication, including but not limited to the identity authentication
protocols used, identity authentication methods, authenticator-related data,
process information generated by identity authentication, and authentication
results, etc.;
2) Cryptographic technology should be adopted to ensure the integrity of important
data storage, and cryptographic technology shall be adopted to ensure the
confidentiality of important data storage.
g) Requirements for risk mitigation: see A.2 for possible risks. When there are means of
cryptographic technology that can mitigate risks, cryptographic technology shall be
adopted to deal with the risks.
h) Requirements for system security protection: the network identity service system
shall at least comply with Level 2 security requirements specified in GB/T 22239 and
shall at least comply with Level 2 cryptographic application technical requirements
specified in GB/T 39786.
7.3.4 Level 4
The requirements for Level 4 are as follows.
a) Requirements for authentication mode: multi-factor authentication mode shall be used; at least one of the authentication factors shall be implemented using a cryptographic device authenticator, and the cryptographic module used shall meet the Level 3 or higher security requirements in GB/T 37092. The multi-factor authentication mode should include biometric authentication factors, including but not limited to face, voiceprint, fingerprint and iris.
b) Requirements for authentication protocol:
1) Dynamic information (such as: random numbers and challenge codes) and
timestamps, etc. shall be adopted to prevent replay attacks;
2) Cryptographic technology shall be used for identity authentication and shall
comply with the provisions of GB/T 15843 (all parts);
3) The number of identity authentication attempts within a certain period of time
shall be limited, for example, the number of attempts within one minute shall not
be higher than 5 times;
4) If biometric features are used for authentication, the requirements for biometric
features recognition of mobile equipment shall comply with the provisions of
GB/T 37036 (all parts);
5) If dynamic passwords are involved in the authentication, the technical
requirements for cryptographic applications of dynamic passwords shall comply
with the provisions of GB/T 38556.
c) Requirements for authenticator life cycle management:
1) Authenticator binding: two or more types of authenticators should be bound to
user identities (see Appendix B for authenticator types and authentication modes);
2) Requirements for authenticator update: users shall be required to update the authenticator at an appropriate time before the existing authenticator expires; the update procedure shall be consistent with the initial authenticator issuance procedure; after the update is successful, the replaced authenticator shall be revoked;
3) Requirements for authenticator theft, damage and duplication: security measures
shall be taken to prevent the secret information in the authenticator from being
extracted; the suspension and re-activation of the authenticator shall be supported;
re-proofing of user identity and binding of a new authenticator shall be supported;
4) Requirements for authenticator expiration: expired authenticators shall no longer
be used for identity authentication; when users use an expired authenticator, they
shall be informed that the authenticator has expired; expired authenticators shall
be properly disposed of;
5) Requirements for authenticator revocation: regularly check whether the identity
exists, whether the identity satisfies the qualification requirements, and the risk
status of the authenticator, etc. When the identity does not exist, or when the user
makes a revocation request, or when it is determined that the identity no longer
satisfies the qualification requirements, or after the authenticator is updated, the
authenticator bound to the identity shall be revoked in time; the revoked
authenticator shall no longer be used for identity authentication; when the
authenticator is revoked, the authenticator shall be properly disposed of, such as:
by destroying it after recycling, and completely eliminating relevant data of the
1) Subject [required]: user’s identifier;
2) Issuer [required]: identifier of the identity service provider that issues the
assertion;
3) Receiver [required]: identifier of the relying party that receives the assertion;
4) Issuance time [required]: timestamp when the identity service provider issues the
assertion;
5) Deadline [required]: timestamp of when the assertion expires;
6) Identifier [required]: a value that uniquely identifies this assertion;
7) Signature [required]: the identity service provider’s digital signature or message
authentication code for the assertion;
8) Authentication time [required]: timestamp of the last time that the identity
service provider performs identity authentication on the user;
9) Key binding [optional]: key identifier or public key owned by the user;
10) Attributes and attribute references [optional]: user attribute information;
11) Attribute metadata [optional]: additional information describing user attributes.
c) The assertions can be divided into bearer assertion and holder-of-key assertion. When
using bearer assertion, there is no need to verify that the holder of the assertion is the
assertion subject. When using holder-of-key assertion, it is necessary to adopt
cryptographic technology to verify that the holder of the assertion is the assertion
subject. The assertion type may use bearer assertion or holder-of-key assertion.
d) The assertion shall be signed. See the requirements below:
1) The signature content shall cover all important fields, including but not limited
to identifier, issuer, receiver, subject and deadline;
2) The assertion shall be signed by the identity service provider, and the signature
of the identity service provider shall be verified by the relying party to ensure the
integrity of the assertion;
3) Assertion signature can be implemented in the following modes:
---Use the signature private key of the identity service provider to generate the
digital signature of the assertion;
---Use the secret information shared by the identity service provider and the
relying party to generate the message authentication code of the assertion;
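Worked example of the assertion fields listed in b), the bearer/holder-of-key distinction in c) and the signing rules in d), added here as an illustration; it is not code from the standard or from any identity service provider. It uses the second signing mode in d) 3), a message authentication code under a secret shared by the identity service provider and the relying party, with HMAC-SHA256 standing in for an approved MAC; the first mode would replace `_mac` with a digital signature over the same canonical bytes. The JSON canonicalisation, the clock-skew tolerance, the receiver-matching check and the form of the holder-of-key proof (a MAC over the assertion identifier under the subject's bound key) are assumptions of the example, as are all sample identifiers and secrets.

```python
"""Signed identity assertion: required fields, MAC-mode signature, relying-party checks."""
import hashlib
import hmac
import json
import secrets

# Fields clause b) marks [required]; key_binding, attributes and attribute metadata are optional.
REQUIRED_FIELDS = ("subject", "issuer", "receiver", "issued_at", "expires_at",
                   "identifier", "signature", "authenticated_at")
MAX_CLOCK_SKEW = 30  # assumed tolerance, in seconds


def _canonical(assertion: dict) -> bytes:
    # d) 1): everything except the signature itself is covered, so identifier, issuer,
    # receiver, subject, deadline and any attributes are all bound by one value.
    body = {k: v for k, v in assertion.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _mac(secret: bytes, data: bytes) -> str:
    # d) 3), second mode: a MAC under the secret shared by provider and relying party.
    # HMAC-SHA256 stands in for an approved MAC mechanism.
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def issue_assertion(shared_secret: bytes, subject: str, issuer: str, receiver: str,
                    authenticated_at: int, lifetime_seconds: int, now: int,
                    key_binding=None, attributes=None) -> dict:
    """Identity service provider side: build the b) fields and sign them (d) 2))."""
    assertion = {
        "subject": subject,
        "issuer": issuer,
        "receiver": receiver,
        "issued_at": now,
        "expires_at": now + lifetime_seconds,       # the "deadline" field
        "identifier": secrets.token_hex(16),        # unique per assertion
        "authenticated_at": authenticated_at,
    }
    if key_binding is not None:
        assertion["key_binding"] = key_binding      # c): makes this a holder-of-key assertion
    if attributes is not None:
        assertion["attributes"] = attributes
    assertion["signature"] = _mac(shared_secret, _canonical(assertion))
    return assertion


def holder_proof(holder_secret: bytes, assertion: dict) -> str:
    """Proof of possession the subject presents with a holder-of-key assertion
    (assumed form: a MAC over the assertion identifier under the bound key)."""
    return _mac(holder_secret, assertion["identifier"].encode())


def verify_assertion(shared_secret: bytes, assertion: dict, my_identifier: str, now: int,
                     seen_identifiers: set, holder_keys=None, presented_proof=None):
    """Relying-party checks; returns (accepted, reason) naming the first failed check."""
    missing = [f for f in REQUIRED_FIELDS if f not in assertion]
    if missing:
        return False, "missing_fields:" + ",".join(missing)
    # d) 2): verify the provider's signature before trusting any other field.
    if not hmac.compare_digest(_mac(shared_secret, _canonical(assertion)), assertion["signature"]):
        return False, "bad_signature"
    if assertion["receiver"] != my_identifier:
        return False, "wrong_receiver"             # issued for a different relying party
    if assertion["issued_at"] > now + MAX_CLOCK_SKEW:
        return False, "issued_in_future"
    if now >= assertion["expires_at"]:
        return False, "expired"
    if assertion["identifier"] in seen_identifiers:
        return False, "replayed"                   # the unique identifier bounds reuse
    if "key_binding" in assertion:
        # c): holder-of-key assertion, so the presenter must prove it is the subject.
        key = (holder_keys or {}).get(assertion["key_binding"])
        if key is None or presented_proof is None or not hmac.compare_digest(
                holder_proof(key, assertion), presented_proof):
            return False, "holder_of_key_proof_failed"
    seen_identifiers.add(assertion["identifier"])
    return True, "ok"


def demo():
    """Constructed exchange: accept once, reject the replay, reject a tampered subject."""
    secret = b"constructed-shared-secret"
    a = issue_assertion(secret, "alice", "idp.example", "rp.example",
                        authenticated_at=1000, lifetime_seconds=300, now=1005)
    seen = set()
    out = [verify_assertion(secret, a, "rp.example", 1010, seen)[1],
           verify_assertion(secret, a, "rp.example", 1010, seen)[1]]
    tampered = dict(a, subject="mallory")
    out.append(verify_assertion(secret, tampered, "rp.example", 1010, set())[1])
    return out


if __name__ == "__main__":
    print(demo())
```

For a bearer assertion the relying party stops after the replay check; for a holder-of-key assertion the presence of `key_binding` forces the extra proof-of-possession step, which is what c) means by using cryptographic technology to verify that the holder is the subject.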
...... Source: the above contents are excerpted from the PDF, translated/reviewed by www.chinesestandard.net / Wayne Zheng et al.