GB/T 38542-2020: Information security technology - Technical framework for authentication of mobile smart terminals based on biometric
Status: Valid
Basic data
Standard ID: GB/T 38542-2020 (GB/T38542-2020)
Description (Translated English): Information security technology - Technical framework for authentication of mobile smart terminals based on biometric
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.040
Word Count Estimation: 18,170
Date of Issue: 2020-03-06
Date of Implementation: 2020-10-01
Issuing agency(ies): State Administration for Market Regulation, China National Standardization Administration

This is a DRAFT version for illustration, not a final translation.

ICS 35.040
L80
National Standards of People's Republic of China
Information security technology - Technical framework for authentication of mobile smart terminals based on biometric
2020-03-06 released; 2020-10-01 implementation
Issued by: State Administration for Market Regulation; National Standardization Management Committee

Table of contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions, abbreviations
3.1 Terms and definitions
3.2 Abbreviations
4 Overview
5 Technical architecture
5.1 Overall Architecture
5.2 Mobile smart terminal side functional unit
5.3 Server side functional unit
6 Business Process
7 Communication protocol
7.1 Identity Authentication Protocol
7.2 Trusted Management Protocol
8 Functional requirements
8.1 Mobile smart terminal side functional unit
8.2 Server side functional unit
9 Security requirements
9.1 Security requirements for mobile smart terminals
9.2 Server-side security requirements
9.3 Communication security requirements
9.4 Security requirements for identity authentication protocols
Appendix A (informative appendix) Identification application based on fingerprint recognition
Appendix B (informative appendix) Trusted Environment Security Instructions
Reference

1 Scope

This standard specifies the technical framework of mobile smart terminal identity authentication based on biometrics, including technical architecture, business processes, functional requirements and security requirements.
This standard applies to the design, development and integration of mobile smart terminal identification systems based on biometrics.

2 Normative references

The following documents are indispensable for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest version (including all amendments) applies to this document.
GB/T 26238-2010 Information technology - Biometric terms
GB/T 34975-2017 Information security technology - Mobile smart terminal application software security technical requirements and test evaluation methods
GB/T 34978-2017 Information security technology - Mobile smart terminal personal information protection technical requirements
GB/T 35273-2017 Information security technology - Personal information security specification
GB/T 35281-2017 Information security technology - Mobile Internet application server security technical requirements
GB/T 36651-2018 Information security technology - Biometric identification protocol framework based on trusted environment

3 Terms and definitions, abbreviations

3.1 Terms and definitions

The terms and definitions defined in GB/T 26238-2010 and the following apply to this document. For ease of use, some terms and definitions from GB/T 26238-2010 are repeated below.

3.1.1 Biometrics
Automatic identification of an individual based on the individual's behavioral and biological characteristics.
Note: "Individual" is limited to people.
[GB/T 26238-2010, definition 2.1.2]

3.1.2 Biometric item
A numerical value or marker extracted from a biometric sample for comparison.
[GB/T 26238-2010, definition 2.2.2.2.2.4]

3.1.3 Biometric identifier
Component used when performing user authentication based on individual behavioral and biological characteristics.

3.1.4 Biometric sample
The representation of analog or digital biometric features obtained from the biometric acquisition subsystem prior to the extraction of biometric items.
[GB/T 26238-2010, definition 2.2.2.2.2.10]

3.1.5 Biometric template
A set of reference biometric items: a stored set of biometric items that can be compared directly with the biometric items of a probe biometric sample.
[GB/T 26238-2010, definition 2.2.2.2.2.9.2]

3.1.6 Comparison
Estimation, calculation or measurement of the similarity and dissimilarity between the biometric probe and the biometric reference.
[GB/T 26238-2010, definition 2.2.4.1.2]

3.1.7 Execution environment
A collection of software and hardware that exists in a mobile device and provides the capabilities needed to support the running of applications on that device.
Note: It generally includes a hardware processing unit, volatile storage unit, non-volatile storage unit, operating system, calling interfaces and other components.

3.1.8 Identification
The act of verifying the claimed identity of an entity.

3.1.9 Presentation attack
An attack against the biometric data collection module intended to interfere with the operation of the biometric identification system.
[ISO/IEC 30107-1:2016, definition 3.5]

3.1.10 Relying party
An entity that relies on the user authentication results provided by other entities (such as the identity authentication server) and authorizes the user's use of resources or systems.
[GB/T 36651-2018, definition 3.6]

3.1.11 Mobile smart terminal
A mobile terminal that can access the mobile communication network, has an open operating system that provides application development interfaces, and can install and run application software.

3.1.12 Trusted application
Software that runs in a trusted environment and provides security-related services for client software or other applications.

3.1.13 Trusted application management
A system that provides application release management and security module management functions.

3.1.14 Trusted environment
A security area on the user's device that ensures the security of the data loaded into it, including confidentiality, integrity and availability, such as a trusted execution environment (TEE), secure element (SE), trusted cryptographic module (TCM) or other protected area with a security boundary.
[GB/T 36651-2018, definition 3.1]

3.2 Abbreviations

The following abbreviations apply to this document.
Note: REE (Rich Execution Environment) generally refers to the open execution environment running in mobile devices, which provides open and rich operating capability support for the applications running in it, but has relatively weak security protection capabilities.

5.2.2 Identity authentication middleware

Identity authentication middleware is independent identity authentication system software or a service program located between the underlying system resources and applications. It can be used across different operating systems and hardware platforms, provides mobile applications with operating interfaces for identity authentication services, and is responsible for the identity-authentication-related communication between mobile applications in the REE and trusted applications in the trusted environment.
The identity authentication middleware can be an identity authentication system service integrated in the mobile smart terminal operating system, a proprietary SDK integrated in the mobile application, or independent application software running on the mobile smart terminal.

5.2.3 Identity authentication trusted application

The identity authentication trusted application is responsible for parsing and processing the identity authentication protocol and for managing the biometric identifiers it supports, and uses the biometric identifier selected in the identity authentication protocol to complete biometric verification of the user.
The identity authentication trusted application is responsible for the management of the user authentication keys related to identity authentication, including generation, storage, use and deletion.
The identity authentication trusted application can be pre-installed in the mobile smart terminal before it leaves the factory, or installed in the mobile smart terminal through remote dynamic download.

5.2.4 Biometric recognizer

The biometric recognizer is a biometric identification system located on the mobile smart terminal that verifies the user's biometric characteristics using biometric identification technology. It generally consists of a feature collection module, a feature storage module and a feature comparison module, where:
a) The feature collection module collects the user's biometric samples through the biometric collection component and extracts biometric items from the samples for use by the feature storage module or the feature comparison module;
b) The feature storage module is used to store the biometric templates entered by the user;
c) The feature comparison module compares the input user biometric probe with one or more biometric templates held in the feature storage module, makes a recognition decision based on the comparison result, and judges whether the user has passed verification.

5.2.5 Acquisition components

The collection component is connected to the biometric recognizer and can be called by the biometric recognizer to collect the user's biometric samples.

5.3 Server side functional unit

5.3.1 Relying party

The relying party is mainly responsible for providing the back-end services of the mobile application, and interacts with the mobile application and the identity authentication server based on the identity authentication protocol to complete the business processes of identity authentication.
In the identity authentication process, the relying party obtains the user's identity authentication result from the identity authentication server and provides the corresponding authorized service or resource.

5.3.2 Identity authentication server

5.3.2.1 Overview

The identity authentication server includes an identity authentication service module and a trusted management module. The identity authentication service module is a required module, mainly responsible for managing the identity authentication registration relationships on the server side, parsing and verifying the identity authentication protocol, and providing identity authentication results to the relying party. The trusted management module is mainly responsible for trusted management of mobile smart terminals and identity authentication trusted applications.

5.3.2.2 Identity authentication service module

The identity authentication service module is mainly responsible for:
a) In the identity authentication registration business process, verifying the authenticity and integrity of the biometric identifier used in registration, creating and storing the identity authentication registration relationship newly requested by the user, and storing the user authentication key generated during registration and binding it to the registration relationship;
b) In the identity authentication business process, verifying the authenticity and integrity of the biometric identifier used in authentication, identifying the identity authentication registration relationship used in the business, and using the bound user authentication key to verify the information in the identity authentication protocol;
c) In the identity authentication cancellation business process, deleting the corresponding identity authentication registration relationship and the bound user authentication key;
d) Transmitting the identity authentication result to the relying party in a trusted way.

5.3.2.3 Trusted management

Trusted management is an optional functional module, which mainly includes:
a) The trusted application management module, responsible for the life cycle management of identity authentication trusted applications, including downloading, installing, updating and deleting. If a secure element is used on the mobile smart terminal side, it is also responsible for the life cycle management of trusted applications in the secure element;
b) The trusted device management module, responsible for managing the trusted device list of mobile smart terminals.

6 Business Process

The identity authentication of mobile smart terminals based on biometrics generally includes three business processes: registration, authentication, and cancellation.
GB/T 36651-2018 regulations on business processes.

7 Communication protocol

7.1 Identity authentication protocol

The identity authentication protocol should comply with the provisions and descriptions of the protocol interface in Chapter 7 and Appendix C of GB/T 36651-2018.

7.2 Trusted Management Protocol

The server side can manage the life cycle of trusted applications and trusted devices on the smart terminal side through the trusted management protocol, including management operations such as application installation, uninstallation, and update. This standard does not specify a trusted management protocol. Before a management operation, the communicating parties should be authenticated and a secure channel should be established.

8 Functional requirements

8.1 Mobile smart terminal side functional unit

8.1.1 Mobile Application

The mobile application requirements are as follows:
a) It should be able to interact with the relying party based on the identity authentication protocol to realize business processes such as identity authentication registration, identity authentication and identity authentication cancellation;
b) It should be able to interact with the identity authentication trusted application by invoking the identity authentication middleware to realize business processes such as identity authentication registration, identity authentication and identity authentication cancellation;
c) It should be able to uniquely identify the user; one user can correspond to multiple identity authentication registration relationships, and one identity authentication registration relationship should correspond to only one user;
d) A limit on the number of failed biometric authentication attempts should be set. After the number of failed attempts exceeds the limit, users should be restricted from continuing to try, or guided to use other methods for identification.
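
The server-side duties in 5.3.2.2 (register, verify with the bound key, cancel) and the attempt limit in 8.1.1 d) can be modelled as below. This is an added example, not text or code from GB/T 38542-2020: the class names, the limit of 5, the 0.80 score threshold, the challenge-response exchange and the HMAC shared key standing in for the user authentication key are all assumptions. The `Terminal` class folds the mobile application's attempt counter and the trusted application's control over key use (8.1.3 f) into one object.

```python
import hashlib
import hmac
import secrets

MAX_FAILED = 5     # assumed value: 8.1.1 d) requires a limit but does not set one
THRESHOLD = 0.80   # assumed comparison-score threshold for the recognition decision


class Locked(Exception):
    """Failed-attempt limit exceeded; the user must use another method."""


class Terminal:
    """Terminal side: attempt counter plus key control of the trusted application."""

    def __init__(self):
        self._keys = {}    # registration id -> user authentication key
        self._failed = 0

    def register(self, reg_id):
        self._keys[reg_id] = secrets.token_bytes(32)
        return self._keys[reg_id]   # sent to the server once, at registration

    def respond(self, reg_id, challenge, score):
        if self._failed >= MAX_FAILED:
            raise Locked(reg_id)
        if score < THRESHOLD:       # verification failed: the key is never touched
            self._failed += 1
            return None
        self._failed = 0
        return hmac.new(self._keys[reg_id], challenge, hashlib.sha256).digest()

    def cancel(self, reg_id):
        self._keys.pop(reg_id, None)


class AuthServer:
    """Server side: identity authentication service module (5.3.2.2)."""

    def __init__(self):
        self._registrations = {}   # registration id -> (user id, bound key)
        self._pending = {}         # registration id -> outstanding challenge

    def register(self, user_id, reg_id, key):
        self._registrations[reg_id] = (user_id, key)

    def challenge(self, reg_id):
        self._pending[reg_id] = secrets.token_bytes(16)
        return self._pending[reg_id]

    def verify(self, reg_id, response):
        challenge = self._pending.pop(reg_id, None)   # single use, so no replay
        entry = self._registrations.get(reg_id)
        if challenge is None or entry is None or response is None:
            return None
        user_id, key = entry
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return user_id if hmac.compare_digest(expected, response) else None

    def cancel(self, reg_id):
        self._registrations.pop(reg_id, None)   # drops relationship and bound key
        self._pending.pop(reg_id, None)
```

The counter in this sketch never unlocks by itself; a deployment would pair the lockout with the alternative authentication method that 8.1.1 d) mentions.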

8.1.2 Identity authentication middleware

The functional interface requirements for the identity authentication middleware are as follows:
a) It is advisable to support obtaining the version number of the identity authentication trusted application;
b) It should support obtaining information about the biometric identifiers supported by the identity authentication trusted application, such as the implementation type of the biometric identifier (fingerprint, iris, face, etc.), version number, etc.;
c) It should support operation interfaces for identity authentication registration, identity authentication and identity authentication cancellation, etc.;
d) It should support obtaining the unique identification of the mobile smart terminal;
e) It can verify the calling authority of mobile applications, for example by interacting directly with the identity authentication server.

8.1.3 Identity authentication trusted application

The requirements for the identity authentication trusted application are as follows:
a) It should be able to provide the identity authentication trusted application version number to the identity authentication middleware;
b) It should be able to parse the identity authentication protocol and verify its authenticity and integrity, and realize business processes such as identity authentication registration, identity authentication and identity authentication cancellation;
c) It should be able to support the management of the identity authentication registration relationship on the mobile smart terminal side, including the management of the user authentication key bound to the registration relationship, such as generation, storage, use, and deletion;
d) It is advisable to establish a correspondence between the verification process of the biometric identifier and the user's identity authentication registration relationship, for example through association with a digest value of the biometric template;
e) It should be able to manage the supported biometric identifiers located in the mobile smart terminal, including obtaining biometric identifier information, calling the biometric identifier to verify the user's identity and obtaining the verification result, etc.;
f) The use of user authentication keys should be controlled: the user authentication key can be used only after the verification result obtained from the biometric identifier indicates that the user's identity has been verified;
g) The mobile smart terminal should be uniquely identified, for use by trusted device management on the server side.

8.1.4 Biometric recognizer

The functional requirements of the biometric identifier are as follows:
a) Model and version information should be provided, together with a unique identification.
b) It should have the ability to detect and prevent presentation attacks.
c) Feature acquisition module:
1) It should support the use of collection components to collect user biometric samples and convert them into a data format suitable for biometric identification processing;
2) There should be clear user prompts to inform users that their biometric samples have been collected. If the collection process is divided into multiple entries, the progress of each collection should be made clear to the user;
3) It should support quality judgment of the collected user biometric samples, and extract user biometric items from the samples that pass the quality judgment for subsequent biometric storage or biometric comparison;
4) It is advisable to use irreversible methods to extract biometric items from user biometric samples.
d) Feature storage module:
1) The same user should correspond to only one identity in the same biometric storage module; the same user identity cannot be used to identify two or more different users; it should be possible to associate the registered user's biometric template with the user's identity;
2) Only entities with legal authority should be allowed to enter, access, read or delete user biometric data in the biometric storage module;
3) It should support the same user registering two or more biometric templates in the biometric storage module;
4) It should have the ability to determine and handle abnormal situations, such as a handling mechanism for when the registration, reading or deletion of a biometric template fails.
e) Feature comparison module:
1) It should be able to compare the input user biometric probe with the biometric templates registered in the biometric storage module, calculate the comparison score, judge the recognition result based on the comparison score, and output the recognition result;
2) It shall have the function of judging and handling abnormal situations, including but not limited to the corresponding handling mechanisms for when the comparison fails and when the recognition decision fails.

8.2 Server side functional unit

8.2.1 Relying party

The relying party requirements are as follows:
a) It should be able to interact with mobile applications b......