GB/T 17901.1-2020 English PDFUS$489.00 · In stock
Delivery: <= 5 days. True-PDF full-copy in English will be manually translated and delivered via email. GB/T 17901.1-2020: Information technology - Security techniques - Key management - Part 1: Framework Status: Valid GB/T 17901.1: Historical versions
Basic dataStandard ID: GB/T 17901.1-2020 (GB/T17901.1-2020)Description (Translated English): Information technology - Security techniques - Key management - Part 1: Framework Sector / Industry: National Standard (Recommended) Classification of Chinese Standard: L80 Classification of International Standard: 35.040 Word Count Estimation: 26,266 Date of Issue: 2020-03-06 Date of Implementation: 2020-10-01 Older Standard (superseded by this standard): GB/T 17901.1-1999 Quoted Standard: GB/T 15843.1; GB/T 15843.2; GB/T 15843.3; GB/T 15843.4; GB/T 15843.5; GB/T 15843.6; GB/T 17903.2; GB/T 18794.1; GB/T 32907; GB/T 32918.1; GB/T 32918.2; GB/T 32918.3; GB/T 32918.4; GB/T 32918.5; GB/T 37092-2018; ISO/IEC 18014-1; ISO/IEC 18014-2; ISO/IEC 18 Adopted Standard: ISO/IEC 11770-1-2010, MOD Issuing agency(ies): State Administration for Market Regulation, China National Standardization Administration Summary: This standard specifies the following: a) establish a general model for key management mechanisms; b) define the basic concepts of key management common to GB/T 17901; c) define the characteristics of key management services; General principles for managing keys during their lifetime; e) establishing a conceptual model of key distribution for communications. This standard applies to establishing key management models and designing key management methods. GB/T 17901.1-2020: Information technology - Security techniques - Key management - Part 1: Framework---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order. Information technology - Security techniques - Key management - Part 1.Framework ICS 35.040 L80 National Standards of People's Republic of China Replace GB/T 17901.1-1999 Information technology security technology key management Part 1.Frame 2020-03-06 released 2020-10-01 implementation State Administration for Market Regulation Issued by the National Standardization Management Committee Table of contentsPreface Ⅲ Introduction Ⅴ 1 Scope 1 2 Normative references 1 3 Terms and definitions 1 4 Symbols and abbreviations 3 4.1 Symbol 3 4.2 Abbreviations 3 5 General model of key management 4 5.1 Overview 4 5.2 Key protection 4 5.3 General model of key life cycle 5 6 Basic content of key management 6 6.1 Key Management Service 6 6.2 Support Services 9 7 Conceptual model of key distribution between two entities 10 7.1 Overview of key distribution 10 7.2 Key distribution between communicating entities 10 7.3 Single domain key distribution 10 7.4 Key distribution between domains 12 8 Providers of specific services 13 Appendix A (informative appendix) Security threats to key management 14 Appendix B (informative appendix) Password application classification 15 Appendix C (Informative Appendix) Key Management Information Object 17 Reference 18ForewordGB/T 17901 "Information Technology Security Technology Key Management" is planned to be divided into 6 parts. ---Part 1.Framework; ---Part 2.Mechanisms using symmetric technology; ---Part 3.The mechanism of adopting asymmetric technology; ---Part 4.Mechanism based on weak secrets; ---Part 5.Group key management; ---Part 6.Key Derivation. This part is Part 1 of GB/T 17901. This section was drafted in accordance with the rules given in GB/T 1.1-2009. This part replaces GB/T 17901.1-1999 "Information Technology Security Technology Key Management Part 1.Framework", and Compared with GB/T 17901.1-1999, the main technical changes are as follows. ---New reference documents have been added to the normative reference documents (see Chapter 2); --- Deleted "decryption, encryption, key confirmation, key control, key distribution center (KDC), key material, key management, key transfer The terms and definitions of KTC, public key information, random numbers, sequence numbers, and “hash function, key derivation letter” have been added The terms and definitions of "number, key establishment, key token, message authentication code, signature system" (see Chapter 3, Chapter 3 of the.1999 edition); --- Added Chapter 4 "Symbols and Abbreviations" (see Chapter 4); ---Chapter 4 "Summary of Key Management" of the.1999 edition was revised to Chapter 5 "General Model of Key Management", and.1999 was deleted Version 4.1.2, adding 5.1, 5.3.1, and modifying part of the content (see Chapter 5, Chapter 4 of the.1999 edition); ---Chapter 6 "Conceptual Model of Key Distribution" of the.1999 edition was revised to Chapter 7 "Conceptual Model of Key Distribution between Two Entities", adding 7.1 has been added and part of the content has been modified (see Chapter 7, Chapter 6 of the.1999 edition); --- Deleted Appendix D of the.1999 edition, and the relevant content is consistent with the existing national standards and cryptographic industry standards. This section uses the redrafting law to modify and adopt ISO /IEC 11770-1.2010 "Information Technology Security Technology Key Management Part 1.Framework". Compared with ISO /IEC 11770-1.2010, the structure of this part has been adjusted. Chapter 2 has been added. Subsequent clause numbers have been sequentially changed and adjusted. 4.2.3~4.2.5 are 5.2.2, 5.2.3.1 and 5.2.3.2, adjust Appendix B to Appendix C, and Appendix C to Appendix B. The technical differences between this part and ISO /IEC 11770-1.2010 and the reasons are as follows. ---Chapter 2 normative references have been added (see Chapter 2); --- Deleted some terms and definitions (see Chapter 2 of ISO /IEC 11770-1.2010); --- The symbols of "CA" and "RA" are deleted (see 3.1 of ISO /IEC 11770-1.2010); ---Chapter 5 clarifies that "cryptographic algorithms recognized by the national cryptographic management department should be used", and ISO /IEC 11770-1.2010 The referenced cryptographic algorithm standards are modified to quote the corresponding cryptographic algorithm standards of our country for ease of use (see Chapter 5). This section also made the following editorial changes. ---Delete the informative appendix D of ISO /IEC 11770-1.2010, and the relevant content is consistent with the existing national standards and cryptographic industry standards. Please note that certain contents of this document may involve patents. The issuing agency of this document is not responsible for identifying these patents. This part is proposed and managed by the National Information Security Standardization Technical Committee (SAC/TC260). Drafting organizations of this section. Xi'an Xidian Jietong Wireless Network Communication Co., Ltd., National Engineering Laboratory of Wireless Network Security Technology, Zhongguancun Wireless Network Security Industry Alliance, Commercial Password Testing Center of National Cryptography Administration, Peking University Shenzhen Graduate School, China Electronics The 30th Research Institute of Science and Technology Group Corporation, National Radio Monitoring Center Testing Center, China Electronic Technology Standardization Institute, China General Technology Technology Research Institute, China Network Security Review Technology and Certification Center, Tianjin Radio Monitoring Station, Beijing Institute of Computer Technology and Application, Tianjin Electronic and Mechanical Products Testing Center, Chongqing University of Posts and Telecommunications. The main drafters of this section. Du Zhiqiang, Li Qin, Lang Yuan, Zhu Yuesheng, Liu Kewei, Zhou Guoliang, Tao Hongbo, Wang Yuehui, Tie Manxia, Zhang Bianling, Peng Xiao, Li Bing, Xu Yuna, Huang Zhenhai, Buning, Zhang Lulu, Yu Guangming, Yan Xiang, Zhang Guoqiang, Liu Jingli, Li Dong, Shang Jun, Zhao Hui, Wang Ying, Zhu Zhengmei, Gao Delong, Zheng Li, Xiong Keqi, Huang Kuigang, Long Zhaohua, Wu Dongyu. The previous releases of the standards replaced by this part are. ---GB/T 17901.1-1999.IntroductionIn information technology, the need to use password mechanisms to protect data from illegal theft or tampering, to achieve entity identification and non-repudiation is increasing. increase. The security and reliability of these mechanisms directly depend on the management and protection of keys. If there are weak links in key management, then It invalidates all the cryptographic functions it claims, so safe management of keys is essential for integrating cryptographic functions into the system. Key management The purpose is to provide key processing procedures used in symmetric or asymmetric cryptographic mechanisms. This part of the revision adopts ISO /IEC 11770-1.2010 "Information Technology Security Technology Key Management Part 1.Framework", suitable Used for the management of communication keys. ISO /IEC 11770 defines a general model of key management, which does not depend on the specific cryptographic algorithm used. But some key distribution mechanisms depend on the characteristics of specific algorithms, such as asymmetric algorithm characteristics. If the non-repudiation function is needed in key management, see GB/T 17903. This section describes both automatic and manual key management methods, including the data element framework and the operations used to obtain key management services. Work process, but does not elaborate on the details required for protocol exchange. Like other security services, key management only provides key management services in the defined security policy, but the definition of security policy exceeds Out of the scope of this section. The fundamental problem of key management is to confirm the key material by all parties involved, and ensure its source, integrity, and immediacy to direct and indirect users And (in the case of secret keys) confidentiality. Key management includes generating, storing, distributing, deleting and archiving keys according to a certain security policy (GB/T 9387.2-1995) and other functions. Information technology security technology key management Part 1.Frame1 ScopeThis part of GB/T 17901 contains the following. a) Establish a general model of key management mechanism; b) Define the basic concept of key management common to GB/T 17901; c) Define the characteristics of the key management service; d) Provide general principles for the management of keys during their life cycle; e) Establish a conceptual model of communication key distribution. This section applies to the establishment of key management models and design key management methods.2 Normative referencesThe following documents are indispensable for the application of this document. For dated reference documents, only the dated version applies to this document. For undated references, the latest version (including all amendments) applies to this document. GB/T 15843 (all parts) Information technology security technology entity authentication [ISO /IEC 9798 (all parts)] GB/T 17903.2 Information technology security technology anti-repudiation Part 2.Mechanisms using symmetric technology (GB/T 17903.2-2008, ISO /IEC 13888-2.1998, IDT) GB/T 18794.1 Information Technology Open System Interconnection Open System Security Framework Part 1.Overview (GB/T 18794.1-2002, idtISO /IEC 10181-1.1996) GB/T 32907 Information Security Technology SM4 Block Cipher Algorithm GB/T 32918 (all parts) Information security technology SM2 elliptic curve public key cryptographic algorithm GB/T 37092-2018 Information Security Technology Cryptographic Module Security Requirements ISO /IEC 18014 (all parts) Information technology security technology time stamp service ISO /IEC 18031 Information Technology Security Technology Random Number Generation3 Terms and definitionsThe following terms and definitions apply to this document. 3.1 Asymmetric cryptography Two related transformations are used, the public transformation defined by the public key and the private transformation defined by the private key. Note. These two transformations have the following characteristics, that is, it is computationally infeasible to derive the private key for a given public key. 3.2 Asymmetric key pair A pair of related keys, where the private key specifies the private transformation, and the public key specifies the public transformation. [ISO /IEC 11770-3.2008, definition 3.3] 3.3 Private key In an asymmetric key pair of an entity, the key used only by the entity. 3.4 Public key In an entity's asymmetric key pair, the key that can be disclosed. 3.5 Certification authority An authority trusted by users that is responsible for generating, issuing, and managing certificates. Note. The user can select the institution to create a specific key for it. 3.6 digital signature The data attached to the data unit, or the cryptographic transformation done on the data unit. Note. This data or transformation allows the recipient of the data unit to confirm the source and integrity of the data unit and protect the data from being 者) Forgery or denial. 3.7 Hash function A function that maps a bit string to a fixed-length bit string. Note. This function meets the following two characteristics. a) For a given output, it is computationally infeasible to find the input mapped to that output. b) For a given input, it is computationally infeasible to find the second input that maps to the same output. 3.8 Key A symbol sequence used to control cryptographic transformation operations (such as encryption, decryption, cryptographic verification function calculation, signature generation, or signature verification). 3.9 Key agreement The process of establishing a shared secret key between entities, in which no entity can determine the value of the key in advance. 3.10 Key derivation function A function to generate one or more shared secret keys by acting on the shared secret and other parameters known to both parties. 3.11 Key establishment The process of generating a usable and shared secret key for one or more entities, including key agreement and key transmission. [ISO /IEC 11770-3.2008, definition 3.22] 3.12 Key token During the execution of the key establishment mechanism, one entity sends a key establishment message to another entity. 3.13 Message authentication code The bit string output by the message authentication code algorithm. 3.14 Primary identification Confirmation that the received data source is consistent with the claim. 3.15 Public key certificate The non-forgeable data structure of the public key information issued by the certification authority to an entity. 3.16 Secret key A key used in symmetric cryptography, and used only by a set of specified entities. 3.17 Signature system Based on asymmetric cryptography, its private key is used to sign the transformation, and its public key is used to verify the transformed system. 3.18 Timestamp According to a common time base to represent the time-varying parameters at a certain point in time. 3.19 Time-varying parameters A data item used to verify that the data is not reused, such as a random number, a serial number, or a timestamp. Note. Timestamp can be used while keeping the clock synchronization between entities. The sequence can be used while maintaining and verifying the synchronization of the sequence number counter between the entities Column number. 3.20 Trusted third party In terms of security-related activities, security agencies or their agents trusted by other entities.4 Symbols and abbreviations4.1 Symbols The following symbols apply to this document. A, B. distinguishable identifier of the entity. DIR. Directory maintenance certification body. KDC. Key Distribution Center. KG. Key generator. KTC. Key Exchange Center. SA. Entity A's signing key. VA. Entity A's verification key. X. The distinguishable identifier of the certification body. 4.2 Abbreviations The following abbreviations apply to this document.5 General model of key management5.1 Overview The goal of key management is to manage and use key services safely, and key protection is extremely important. The key management process depends on the basic cryptographic mechanism, the intended use of the key, and the security policy used. Key management is also included in Functions performed in cryptographic devices. Anyone involving the use of cryptographic technology to solve the requirements of confidentiality, integrity, authenticity, and non-repudiation shall follow the national and industry standards related to cryptography. 5.2 Key protection 5.2.1 Basic concepts of key management The key is a key part in all security systems that rely on cryptographic technology. The proper protection of keys depends on many factors, Such as the application type of the key, the threats faced, the different states that the key may appear, etc., the key should be protected from being leaked, modified, destroyed and reused. It depends on the cryptographic technique used. See Appendix A for examples of possible threats to keys, and multiple protections may be required in actual use Technology resists these threats. The validity of the key should be limited in time and the number of uses, these restrictions depend on the key recovery attack The amount of time and data required, and the value of the information acquired over time. The original key used to derive the key is The key needs more protection. Another important aspect of key protection is to avoid abuse, such as using key encryption keys to encrypt data. 5.2.2 Protection using password technology The use of cryptographic techniques can resist some threats to the key. For example, use encryption to resist key leakage and unauthorized use; use data integrity Sex mechanism to resist tampering; use data original authentication mechanism, digital signature and entity authentication mechanism to resist forgery. This part shall adopt the password algorithm approved by the national password management department. For example, the encryption algorithm adopts GB/T 32907; the data integrity machine The system adopts GB/T 32918; the digital signature adopts GB/T 32918; the entity authentication mechanism adopts GB/T 15843. The password separation mechanism can resist the abuse of the key, and the use according to the function can be completed by combining the information and the key. For example. control The combination of information and key ensures that a specific key is used for specific tasks (such as key encryption, data integrity), and uses symmetric cryptographic technology to resist The denial mechanism requires key control. Regarding the use of symmetric cryptography to achieve non-repudiation, see GB/T 17903.2.See Appendix B for the classification of password applications. The timestamp can be used to limit the use of the key within a certain validity period, and it can be used with the serial number to resist the recorded key Replay attack of negotiation information. See ISO /IEC 18014 for time stamp technology. 5.2.3 Protection by other means 5.2.3.1 Protection by physical means The keys used by cryptographic devices in the security system should be protected to prevent threats such as tampering, deletion, and disclosure (except public keys). This These devices generally provide a secure area for key storage, key use, and implementation of cryptographic algorithms. The methods provided include. a) Load the key from an independent secure key storage device; b) Interact with cryptographic algorithms in independent security devices (such as smart cards); c) Offline storage key (such as memory card). Security zones are generally protected by physical security mechanisms. Physical security mechanisms can include. passive mechanisms to prevent direct access to the security zone And an active tampering detection mechanism that destroys key data when the security zone may be invaded. The physical security mechanism used depends on the key importance. See GB/T 37092-2018 for the security protection of cryptographic equipment. 5.2.3.2 Protection by organizational means One method of key protection is to manage it into a key hierarchy. Except for the lowest level of the structure, the secrets on each level The key is only used to protect subordinate keys. Only the lowest level key is directly used to provide data security services. This classification method limits the use of keys Therefore, it reduces the possibility of leaking the key and increases the difficulty of the attack. For example, revealing a single session key will only reveal the information protected by that key. Allowing access to keys can lead to some serious problems, including key disclosure and key abuse (especially non-repudiation). Only in safety equipment The plaintext of the key can only be obtained internally. If you need to export them, you should take some special measures, for example, to decompose the key into several parts, and not allow someone to obtain all parts. The use of the key should also be controlled to prevent the disclosure of the key or the information it protects. 5.3 General model of key lif......Tips & Frequently Asked Questions:Question 1: How long will the true-PDF of GB/T 17901.1-2020_English be delivered?Answer: Upon your order, we will start to translate GB/T 17901.1-2020_English as soon as possible, and keep you informed of the progress. The lead time is typically 3 ~ 5 working days. The lengthier the document the longer the lead time.Question 2: Can I share the purchased PDF of GB/T 17901.1-2020_English with my colleagues?Answer: Yes. The purchased PDF of GB/T 17901.1-2020_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet.Question 3: Does the price include tax/VAT?Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countriesQuestion 4: Do you accept my currency other than USD?Answer: Yes. If you need your currency to be printed on the invoice, please write an email to Sales@ChineseStandard.net. In 2 working-hours, we will create a special link for you to pay in any currencies. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay.Question 5: Should I purchase the latest version GB/T 17901.1-2020?Answer: Yes. Unless special scenarios such as technical constraints or academic study, you should always prioritize to purchase the latest version GB/T 17901.1-2020 even if the enforcement date is in future. Complying with the latest version means that, by default, it also complies with all the earlier versions, technically. |
