
GB/T 36322-2018 English PDF

US$839.00 · In stock
Delivery: <= 6 days. True-PDF full-copy in English will be manually translated and delivered via email.
GB/T 36322-2018: Information security technology -- Cryptographic device application interface specifications
Status: Valid


Basic data

Standard ID GB/T 36322-2018 (GB/T36322-2018)
Description (Translated English) Information security technology -- Cryptographic device application interface specifications
Sector / Industry National Standard (Recommended)
Classification of Chinese Standard L80
Classification of International Standard 35.040
Word Count Estimation 42,482
Date of Issue 2018-06-07
Date of Implementation 2019-01-01
Regulation (derived from) National Standards Announcement No. 9 of 2018
Issuing agency(ies) State Administration for Market Regulation, China National Standardization Administration

GB/T 36322-2018: Information security technology -- Cryptographic device application interface specifications


This is a DRAFT version for illustration, not a final translation. The full copy of the true PDF in English (including equations, symbols, images, flow charts, tables and figures) will be manually translated upon your order.

ICS 35.040
L80
National Standard of the People's Republic of China
Information security technology -- Cryptographic device application interface specification
Published 2018-06-07, implemented 2019-01-01
Issued by the State Administration for Market Regulation and the China National Standardization Administration

Content

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviations
5 Algorithm identification and data structures
  5.1 Algorithm identification definition
  5.2 Basic data type definitions
  5.3 Device information definition
  5.4 Key classification and storage definitions
  5.5 RSA key data structure definition
  5.6 ECC key data structure definition
  5.7 ECC encrypted data structure definition
  5.8 ECC signature data structure definition
6 Device interface description
  6.1 Location of the cryptographic device application interface in the framework of the public key cryptographic infrastructure application technology architecture
  6.2 Device management class functions
  6.3 Key management class functions
  6.4 Asymmetric algorithm operation class functions
  6.5 Symmetric algorithm operation class functions
  6.6 Hash operation class functions
  6.7 User file operation class functions
Appendix A (normative) Function return code definitions
References

Foreword

This standard was drafted in accordance with the rules given in GB/T 1.1-2009. Please note that some of the contents of this document may involve patents. The issuing organization of this document is not responsible for identifying these patents. This standard was proposed by, and is under the jurisdiction of, the National Information Security Standardization Technical Committee (SAC/TC260). Drafting organizations: Weishitong Information Industry Co., Ltd., Wuxi Jiangnan Information Security Engineering Technology Center, Sichuan University, Shanghai Geer Software Co., Ltd., Beijing Digital Certification Co., Ltd., Xingtang Communication Technology Co., Ltd., Shandong Dean Information Technology Co., Ltd., Beijing Sanweixin Technology Development Co., Ltd., Haitai Fangyuan Technology Co., Ltd., Shandong University. Main drafters: Liu Ping, Luo Jun, Gong Xun, Li Yuanzheng, Xu Qiang, Zheng Qiang, Li Shusheng, Li Yufeng, Kong Fanyu, Ma Hongfu, Gao Zhiquan, Xu Mingyi, Liu Zengshou, Jiang Hongyu.

Introduction

The goal of this standard is to define a uniform application interface for service-type cryptographic devices within the public key cryptographic infrastructure application framework. The cryptographic device is invoked through this interface to provide basic cryptographic services to the upper layer. The standard provides a basis and guidance for the development, use and testing of such cryptographic devices, and will help raise the level of productization, standardization and serialization of this type of cryptographic equipment. The cryptographic algorithms involved in this standard are implemented in accordance with the relevant national laws and regulations.

1 Scope

This standard specifies the application interface for service-type cryptographic devices within the public key cryptographic infrastructure application technology framework. It applies to the development and use of service-type cryptographic devices and to application development based on such devices, and can also be used to guide the testing of cryptographic devices.

2 Normative references

The following documents are indispensable for the application of this document. For dated references, only the dated edition applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GB/T 33560 Information security technology -- Cryptographic application identifier criterion specification

3 Terms and definitions

The following terms and definitions apply to this document.
3.1 algorithm identifier: A symbol used to uniquely identify a cryptographic algorithm.
3.2 asymmetric cryptographic algorithm; public key cryptographic algorithm: A cryptographic algorithm in which encryption and decryption use different keys.
3.3 decryption: The inverse process corresponding to the encryption process.
3.4 device key pair: An asymmetric key pair stored inside the device for device management, comprising a signature key pair and an encryption key pair.
3.5 encipherment; encryption: The process of cryptographically transforming data to produce ciphertext.
3.6 key encryption key: A key used to encrypt keys.
3.7 public key infrastructure: A universally applicable infrastructure built with public key cryptography that provides users with security services such as certificate management and key management.
3.8 private key access password: A password used to verify the right to use a private key.
3.9 symmetric cryptographic technique; symmetric cryptosystem: A cryptographic technique (system) in which both the originator and the recipient use the same secret key for the transformation. Note: a cryptosystem in which the encryption key is the same as the decryption key, or in which one key can be derived from the other.
3.10 session key: The lowest layer of the hierarchical key structure; a key used only within one session.
3.11 user key: An asymmetric key stored in the device for application cryptographic operations, comprising a signature key pair and an encryption key pair.

4 symbols and abbreviations

The following symbols and abbreviations apply to this document.
ECC  Elliptic Curve Cryptography
EPK  external encryption public key (External Public Key)
IPK  internal encryption public key (Internal Public Key)
ISK  internal encryption private key (Internal Private Key)
KEK  key encryption key (Key Encrypt Key)

5 algorithm identification and data structure

5.1 Algorithm identification definition

The algorithm identifiers of the algorithms used in this standard are given in GB/T 33560. The algorithm identifier of a symmetric encryption algorithm includes its mode of operation.

5.2 Basic data type definitions

All byte arrays in this standard are stored and exchanged in big-endian (high-order byte first) order. The basic data types are defined in Table 1.

Table 1 Basic data types
Type name | Description                                              | Definition
BYTE      | byte type, unsigned 8-bit character                      | typedef unsigned char BYTE
CHAR      | character type, unsigned 8-bit character                 | typedef unsigned char CHAR
LONG      | long integer, signed 32-bit integer                      | typedef int LONG
ULONG     | long integer, unsigned 32-bit integer                    | typedef unsigned int ULONG
FLAGS     | flag type, unsigned 32-bit integer                       | typedef unsigned int FLAGS
LPSTR     | 8-bit string pointer, stored and exchanged in UTF-8      | typedef CHAR *LPSTR
HANDLE    | handle, pointing to the start address of any data object | typedef void *HANDLE

5.3 Device information definition

The device information is described in Table 2.

Table 2 Description of device information
Field name      | Length (bytes) | Meaning
IssuerName      | 40 | device manufacturer name
DeviceName      | 16 | device model
DeviceSerial    | 16 | device number: date (8 characters), batch number (3 characters), serial number (5 characters)
DeviceVersion   | 4  | version number of the cryptographic device's internal software
StandardVersion | 4  | version number of the interface standard supported by the cryptographic device
AsymAlgAbility  | 8  | the first 4 bytes give the supported asymmetric algorithms as the bitwise OR of their algorithm identifiers; the last 4 bytes give the maximum modulus length as the bitwise OR of the supported modulus lengths
SymAlgAbility   | 4  | all supported symmetric algorithms, as the bitwise OR of their algorithm identifiers
HashAlgAbility  | 4  | all supported hash algorithms, as the bitwise OR of their algorithm identifiers
BufferSize      | 4  | maximum file storage space supported (bytes)

Actual data structure definition:

    typedef struct DeviceInfo_st {
        CHAR  IssuerName[40];
        CHAR  DeviceName[16];
        CHAR  DeviceSerial[16];
        ULONG DeviceVersion;
        ULONG StandardVersion;
        ULONG AsymAlgAbility[2];
        ULONG SymAlgAbility;
        ULONG HashAlgAbility;
        ULONG BufferSize;
    } DEVICEINFO;

5.4 Key classification and storage definitions

5.4.1 Device key and user key

The device key can only be generated or installed when the device is initialized; user keys are generated or installed by the cryptographic device management tool. Device keys and user keys are stored in the key storage area and are addressed by index number starting from 0; each index number corresponds to one signature key pair and one encryption key pair. Index number 0 denotes the device key; index numbers from 1 onwards denote user keys. The storage of device and user keys is described in Table 3.

Table 3 Device key and user key storage description
Key pair index | Public key                   | Private key
0x00           | device signature public key  | device signature private key
               | device encryption public key | device encryption private key
0x01           | user signature public key    | user signature private key
               | user encryption public key   | user encryption private key

5.4.2 Key encryption key

The key encryption key is generated or installed by the cryptographic device management tool. Its length is 128 bits and it is stored in the key storage area, with index numbers starting at 1. The storage of key encryption keys is described in Table 4.

Table 4 Key encryption key storage description
Key index | Key encryption key
0x01      | key encryption key 001

5.4.3 Session key

Session keys are generated or imported through the device interface functions and are referenced by handle.

5.5 RSA key data structure definition

The RSA key structures are stored in high-to-low order: the key is stored starting from the highest position of the key structure array, the highest byte is placed at the highest position, and the unused positions are filled with 0. The RSA key data structures are shown in Table 5.

Table 5 RSA key data structure
Category    | Field name | Length (bytes) | Meaning
Public key  | Bits       | 4     | key length
            | m          | 256   | modulus N
            | e          | 256   | public exponent
Private key | Bits       | 4     | key length
            | m          | 256   | modulus N
            | e          | 256   | public exponent
            | d          | 256   | private exponent
            | Prime[2]   | 128*2 | primes p and q
            | Pexp[2]    | 128*2 | Dp and Dq
            | Coef       | 128   | coefficient i

Actual data structure definition:

    typedef struct RSArefPrivateKey_st {
        ULONG bits;
        BYTE  m[RSAref_MAX_LEN];
        BYTE  e[RSAref_MAX_LEN];
        BYTE  d[RSAref_MAX_LEN];
        BYTE  prime[2][RSAref_MAX_PLEN];
        BYTE  pexp[2][RSAref_MAX_PLEN];
        BYTE  coef[RSAref_MAX_PLEN];
    } RSArefPrivateKey;

5.6 ECC key data structure definition

The ECC key data structures are shown in Table 6.

Table 6 ECC key data structure
Category    | Field name | Length (bytes) | Meaning
Public key  | Bits       | 4              | key length
            | x          | ECCref_MAX_LEN | public key x coordinate
            | y          | ECCref_MAX_LEN | public key y coordinate
Private key | Bits       | 4              | key length
            | K          | ECCref_MAX_LEN | private key

5.7 ECC encrypted data structure definition

Table 7 ECC encrypted data structure
Field name | Length (bytes) | Meaning
C          | L              | ciphertext data

Actual data structure definition:

    typedef struct ECCCipher_st {
        BYTE  x[ECCref_MAX_LEN];
        BYTE  y[ECCref_MAX_LEN];
        BYTE  M[32];
        ULONG L;
        BYTE  C[1];
    } ECCCipher;

5.8 ECC signature data structure definition

The ECC signature data structure is shown in Table 8.

Table 8 ECC signature data structure
Field name | Length (bytes) | Meaning
r          | ECCref_MAX_LEN | the r part of the signature
s          | ECCref_MAX_LEN | the s part of the signature

Actual data structure definition:

    typedef struct ECCSignature_st {
        BYTE r[ECCref_MAX_LEN];
        BYTE s[ECCref_MAX_LEN];
    } ECCSignature;
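The packing rule in 5.5 is easy to get wrong in practice: a 1024-bit modulus occupies only half of the 256-byte m field, and where the zero fill goes decides whether a peer reads the right number. The following C example is added here and is not part of the standard or of any vendor's SDK. It reads the rule as "value right-aligned in the field, leading bytes zero", which is consistent with the big-endian convention of 5.2 but is this editor's interpretation; RSAref_MAX_LEN and RSAref_MAX_PLEN are taken from the field sizes in Table 5, and the RSArefPublicKey layout is derived from the public key rows of that table (the page only spells out RSArefPrivateKey). The sample modulus and exponent are constructed, deliberately tiny values so the packed bytes can be checked by hand.

```c
#include <stddef.h>
#include <string.h>

/* Types and field sizes as given in Table 1 and Table 5 of GB/T 36322-2018. */
typedef unsigned char BYTE;
typedef unsigned int  ULONG;
typedef int           LONG;
#define RSAref_MAX_LEN  256   /* m, e and d fields are 256 bytes in Table 5 */
#define RSAref_MAX_PLEN 128   /* prime, pexp and coef fields are 128 bytes */

/* Public key layout derived from the public key rows of Table 5. */
typedef struct RSArefPublicKey_st {
    ULONG bits;
    BYTE  m[RSAref_MAX_LEN];
    BYTE  e[RSAref_MAX_LEN];
} RSArefPublicKey;

/* Place a big-endian integer into a fixed-size field: the value ends at the
   last byte of the field and the unused leading bytes are zero (this reading
   of the 5.5 rule is an assumption). Returns 0, or -1 if the value does not fit. */
int rsa_pack_field(BYTE *dst, size_t dstlen, const BYTE *src, size_t srclen) {
    if (!dst || (!src && srclen) || srclen > dstlen) return -1;
    memset(dst, 0, dstlen);
    memcpy(dst + (dstlen - srclen), src, srclen);
    return 0;
}

/* Effective bit length of a packed field, ignoring the zero padding. */
size_t rsa_field_bitlen(const BYTE *field, size_t len) {
    size_t i = 0, bits;
    while (i < len && field[i] == 0) i++;
    if (i == len) return 0;
    bits = (len - i - 1) * 8;
    for (BYTE b = field[i]; b; b >>= 1) bits++;
    return bits;
}

/* Fill an RSArefPublicKey from raw big-endian modulus and exponent bytes and
   derive the bits field from the modulus. Returns 0 on success, -1 on failure. */
LONG rsa_set_public_key(RSArefPublicKey *pk, const BYTE *n, size_t nlen,
                        const BYTE *e, size_t elen) {
    if (!pk) return -1;
    if (rsa_pack_field(pk->m, RSAref_MAX_LEN, n, nlen) != 0) return -1;
    if (rsa_pack_field(pk->e, RSAref_MAX_LEN, e, elen) != 0) return -1;
    pk->bits = (ULONG)rsa_field_bitlen(pk->m, RSAref_MAX_LEN);
    return pk->bits == 0 ? -1 : 0;
}

/* Sanity check for a key received from a device or a peer: the declared bits
   must match the modulus actually present and the exponent must be non-zero. */
int rsa_public_key_consistent(const RSArefPublicKey *pk) {
    if (!pk) return 0;
    return pk->bits == rsa_field_bitlen(pk->m, RSAref_MAX_LEN)
        && rsa_field_bitlen(pk->e, RSAref_MAX_LEN) != 0;
}

/* Constructed sample: a 20-bit "modulus" 0x0BFF01 and the exponent 65537,
   small enough to follow by hand. Returns NULL if packing failed. */
const RSArefPublicKey *sample_public_key(void) {
    static RSArefPublicKey pk;
    static const BYTE n[] = { 0x0B, 0xFF, 0x01 };
    static const BYTE e[] = { 0x01, 0x00, 0x01 };
    return rsa_set_public_key(&pk, n, sizeof n, e, sizeof e) == 0 ? &pk : NULL;
}

/* A 257-byte value cannot be packed into a 256-byte field. */
int sample_oversized_rejected(void) {
    BYTE too_big[RSAref_MAX_LEN + 1] = {0};
    BYTE field[RSAref_MAX_LEN];
    return rsa_pack_field(field, sizeof field, too_big, sizeof too_big) == -1;
}

/* A key whose declared bits disagree with its modulus fails the check. */
int sample_mismatch_detected(void) {
    RSArefPublicKey pk = *sample_public_key();
    pk.bits = 1024;
    return rsa_public_key_consistent(&pk) == 0;
}
```

With the sample key, m[253..255] hold 0B FF 01 and everything before them is zero, and bits comes out as 20 (4 significant bits in 0x0B plus two full bytes). The consistency check is the kind of validation an application should run on any public key it exports from a device or receives from a peer before trusting the bits field.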

6 Device Interface Description

6.1 Location of the cryptographic device application interface in the framework of the public key cryptographic infrastructure application technology architecture

In the public key cryptographic infrastructure application technology framework, the cryptographic device service layer consists of devices such as cryptographic machines, cryptographic cards and smart cryptographic terminals. These devices provide basic cryptographic services to the general cryptographic service layer through the cryptographic device application interface specified in this standard, as shown in Figure 1. The basic cryptographic services include key generation, single cryptographic operations, file management and similar services. This standard describes the interface functions in the C language. Unless otherwise stated, length parameters in the functions are given in bytes.

Figure 1 Location of the cryptographic device application interface in the framework of the public key cryptographic infrastructure application technology architecture

6.2 Device management class functions

6.2.1 Overview

The device management class functions provide opening and closing of the device, creation and closing of sessions, acquisition of device information, generation of random numbers, and acquisition and release of private key access rights, as listed in Table 9. The return codes of each function are given in Appendix A.

Table 9 Device management class functions
Function name                    | Function
SDF_OpenDevice                   | open the device
SDF_CloseDevice                  | close the device
SDF_OpenSession                  | create a session
SDF_CloseSession                 | close a session
SDF_GetDeviceInfo                | get device information
SDF_GenerateRandom               | generate random numbers
SDF_GetPrivateKeyAccessRight     | obtain private key access rights
SDF_ReleasePrivateKeyAccessRight | release private key access rights

6.2.2 Opening the device

Prototype:
    LONG SDF_OpenDevice(HANDLE *phDeviceHandle);
Description: Opens the cryptographic device.
Parameters:
    phDeviceHandle [out]  returned device handle
Return value: 0 on success; non-zero on failure, returning an error code.
Note: phDeviceHandle is initialized and filled in by the function.

6.2.3 Closing the device

Prototype:
    LONG SDF_CloseDevice(HANDLE hDeviceHandle);
Description: Closes the cryptographic device and releases the related resources.
Parameters:
    hDeviceHandle [in]  opened device handle
Return value: 0 on success; non-zero on failure, returning an error code.

6.2.4 Creating a session

Prototype:
    LONG SDF_OpenSession(HANDLE hDeviceHandle, HANDLE *phSessionHandle);
Description: Creates a session with the cryptographic device.
Parameters:
    hDeviceHandle   [in]   opened device handle
    phSessionHandle [out]  returned handle of the new session established with the cryptographic device
Return value: 0 on success; non-zero on failure, returning an error code.

6.2.5 Closing a session

Prototype:
    LONG SDF_CloseSession(HANDLE hSessionHandle);
Description: Closes the session established with the cryptographic device and releases the related resources.
Parameters:
    hSessionHandle [in]  session handle established with the cryptographic device
Return value: 0 on success; non-zero on failure, returning an error code.

6.2.6 Obtaining device information

Prototype:
    LONG SDF_GetDeviceInfo(HANDLE hSessionHandle, DEVICEINFO *pstDeviceInfo);
Description: Gets the description of the cryptographic device's capabilities.
Parameters:
    hSessionHandle [in]   session handle established with the device
    pstDeviceInfo  [out]  device capability description; for content and format see the device information definition
Return value: 0 on success; non-zero on failure, returning an error code.

6.2.7 Generating random numbers

Prototype:
    LONG SDF_GenerateRandom(HANDLE hSessionHandle, ULONG uiLength, BYTE *pucRandom);
Description: Gets a random number of the specified length.
Parameters:
    hSessionHandle [in]   session handle established with the device
    uiLength       [in]   length of the random number to obtain
    pucRandom      [out]  buffer pointer for storing the obtained random number
Return value: 0 on success; non-zero on failure, returning an error code.

6.2.8 Obtaining private key access rights

Prototype:
    LONG SDF_GetPrivateKeyAccessRight(HANDLE hSessionHandle, ULONG uiKeyIndex, LPSTR pucPassword, ULONG uiPwdLength);
Description: Obtains the right to use the private key at the specified index stored inside the cryptographic device.
Parameters:
    hSessionHandle [in]  session handle established with the device
    uiKeyIndex     [in]  index value of the private key stored in the cryptographic device
    pucPassword    [in]  private key access control code
    uiPwdLength    [in]  length of the private key access control code, not less than 8 bytes
Return value: 0 on success; non-zero on failure, returning an error code.
Note: The key pair index values stored by the cryptographic device referred to in this standard start at 1 and go up to a maximum of n; the value of n is determined by the actual storage capacity of the cryptographic device.

6.2.9 Releasing private key access rights

Prototype:
    LONG SDF_ReleasePrivateKeyAccessRight(HANDLE hSessionHandle, ULONG uiKeyIndex);
Description: Releases the right to use the private key at the specified index stored in the cryptographic device.
Parameters:
    hSessionHandle [in]  session handle established with the device
    uiKeyIndex     [in]  index value of the private key stored in the cryptographic device
Return value: 0 on success; non-zero on failure, returning an error code.

6.3 Key management class functions

6.3.1 Overview

The key management class functions provide key generation, import and export, including export of the signature public key and the encryption public key, generation and output of asymmetric key pairs, generation and output of session keys, import of session keys, digital envelope conversion, generation and output of key agreement parameters, calculation of session keys, calculation of IKE work keys, calculation of IPSEC session keys, calculation of SSL work keys, and destruction of session keys, as listed in Table 10. The return codes of each function are given in Appendix A.

Table 10 Key management class functions
Function name                          | Function
SDF_ExportSignPublicKey_RSA            | export the RSA signature public key
SDF_ExportEncPublicKey_RSA             | export the RSA encryption public key
SDF_GenerateKeyPair_RSA                | generate an RSA asymmetric key pair and output it
SDF_GenerateKeyWithIPK_RSA             | generate a session key and output it encrypted with the internal RSA public key
SDF_GenerateKeyWithEPK_RSA             | generate a session key and output it encrypted with an external RSA public key
SDF_ImportKeyWithISK_RSA               | import a session key and decrypt it with the internal RSA private key
SDF_ExchangeDigitEnvelopeBaseOnRSA     | digital envelope conversion based on the RSA algorithm
SDF_ExportSignPublicKey_ECC            | export the ECC signature public key
SDF_ExportEncPublicKey_ECC             | export the ECC encryption public key
SDF_GenerateKeyPair_ECC                | generate an ECC asymmetric key pair and output it
SDF_GenerateKeyWithIPK_ECC             | generate a session key and output it encrypted with the internal ECC public key
SDF_GenerateKeyWithEPK_ECC             | generate a session key and output it encrypted with an external ECC public key
SDF_ImportKeyWithISK_ECC               | import a session key and decrypt it with the internal ECC private key
SDF_GenerateAgreementDataWithECC       | generate key agreement parameters and output them
SDF_GenerateKeyWithECC                 | calculate the session key
SDF_GenerateAgreementDataAndKeyWithECC | generate agreement data and calculate the session key
SDF_ExchangeDigitEnvelopeBaseOnECC     | digital envelope conversion based on the ECC algorithm
SDF_GenerateKeyWithKEK                 | generate a session key and output it encrypted with a key encryption key
SDF_ImportKeyWithKEK                   | import a session key and decrypt it with the key encryption key
SDF_GenerateKeywithIKE                 | calculate the IKE work key
SDF_GenerateKeywithEPK_IKE             | calculate the IKE work key and output it encrypted with an external ECC public key
SDF_GenerateKeywithIPSEC               | calculate the IPSEC session key
SDF_GenerateKeywithEPK_IPSEC           | calculate the IPSEC session key and output it encrypted with an external ECC public key
SDF_GenerateKeywithSSL                 | calculate the SSL work key
SDF_GenerateKeywithEPK_SSL             | calculate the SSL work key and output it encrypted with an external ECC public key
SDF_GenerateKeywithECDHE_SSL           | calculate the SSL work key (ECDHE)
SDF_GenerateKeywithEPK_ECDHE_SSL       | calculate the SSL work key and output it encrypted with an external ECC public key (ECDHE)
SDF_DestroyKey                         | destroy the session key

6.3.2 Exporting the RSA signature public key

Prototype:
    LONG SDF_ExportSignPublicKey_RSA(HANDLE hSessionHandle, ULONG uiKeyIndex, RSArefPublicKey *pucPublicKey);
Description: Exports the signature public key at the specified index stored inside the cryptographic device.
Parameters:
    hSessionHandle [in]   session handle established with the device
    uiKeyIndex     [in]   index value of the RSA key pair stored in the cryptographic device
    pucPublicKey   [out]  RSA public key structure
Return value: 0 on success; non-zero on failure, returning an error code.

6.3.3 Exporting the RSA encryption public key

Prototype:
    LONG SDF_ExportEncPublicKey_RSA(HANDLE hSessionHandle, ULONG uiKeyIndex, RSArefPublicKey *pucPublicKey);
Description: Exports the encryption public key at the specified index stored inside the cryptographic device.
Parameters:
    hSessionHandle [in]   session handle established with the device
    uiKeyIndex     [in]   index value of the RSA key pair stored in the cryptographic device
    pucPublicKey   [out]  RSA public key structure
Return value: 0 on success; non-zero on failure, returning an error code.

6.3.4 Generating an RSA key pair and outputting it

Prototype:
    LONG SDF_GenerateKeyPair_RS.
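The device management functions of 6.2 are meant to be called in a fixed order: open the device, open a session, do the work, release any private key access rights, close the session, close the device. The C example below is added here and is neither the standard's text nor any vendor's SDF library; it is an in-memory mock that implements the Table 9 prototypes so the call sequence, the handle rules and the "not less than 8 bytes" access code rule of 6.2.8 can be exercised without hardware. The non-zero return codes, the slot count MOCK_MAX_INDEX (the n of 6.2.8), the access code and the session count are all constructed for the mock; the real error codes are in Appendix A, which this page does not reproduce. The random bytes come from a fixed xorshift sequence purely so the example is deterministic, which is exactly what a real device must not do.

```c
#include <stddef.h>
#include <string.h>

/* Basic types from Table 1 of GB/T 36322-2018. */
typedef unsigned char BYTE;
typedef unsigned char CHAR;
typedef int           LONG;
typedef unsigned int  ULONG;
typedef CHAR         *LPSTR;
typedef void         *HANDLE;

/* 0 means success (6.2). The non-zero codes are constructed for this mock;
   the real values are defined in Appendix A of the standard. */
#define SDR_OK            0
#define MOCK_ERR_HANDLE   0x7F000001
#define MOCK_ERR_PARAM    0x7F000002
#define MOCK_ERR_INDEX    0x7F000003
#define MOCK_ERR_PASSWORD 0x7F000004

#define MOCK_MAX_INDEX   4                 /* n of 6.2.8: key pair indexes 1..n */
#define MOCK_ACCESS_CODE "mock-code-2024"  /* constructed access control code */
#define MOCK_SESSIONS    2

struct mock_device  { int open; };
struct mock_session { struct mock_device *dev; int open;
                      int granted[MOCK_MAX_INDEX + 1]; unsigned rng; };

static struct mock_device  g_dev;
static struct mock_session g_sess[MOCK_SESSIONS];

/* Accept only a handle we issued, for an open session on an open device. */
static struct mock_session *session_of(HANDLE h) {
    for (size_t i = 0; i < MOCK_SESSIONS; i++)
        if (h == &g_sess[i] && g_sess[i].open && g_sess[i].dev->open) return &g_sess[i];
    return NULL;
}

LONG SDF_OpenDevice(HANDLE *phDeviceHandle) {
    if (!phDeviceHandle) return MOCK_ERR_PARAM;
    g_dev.open = 1;
    *phDeviceHandle = &g_dev;      /* filled in by the function, as 6.2.2 notes */
    return SDR_OK;
}

LONG SDF_CloseDevice(HANDLE hDeviceHandle) {
    if (hDeviceHandle != (HANDLE)&g_dev || !g_dev.open) return MOCK_ERR_HANDLE;
    memset(g_sess, 0, sizeof g_sess);  /* sessions and their rights die with the device */
    g_dev.open = 0;
    return SDR_OK;
}

LONG SDF_OpenSession(HANDLE hDeviceHandle, HANDLE *phSessionHandle) {
    if (hDeviceHandle != (HANDLE)&g_dev || !g_dev.open) return MOCK_ERR_HANDLE;
    if (!phSessionHandle) return MOCK_ERR_PARAM;
    for (size_t i = 0; i < MOCK_SESSIONS; i++) {
        if (g_sess[i].open) continue;
        memset(&g_sess[i], 0, sizeof g_sess[i]);
        g_sess[i].dev = &g_dev; g_sess[i].open = 1; g_sess[i].rng = 0x2545F491u + (unsigned)i;
        *phSessionHandle = &g_sess[i];
        return SDR_OK;
    }
    return MOCK_ERR_HANDLE;        /* no free session slot */
}

LONG SDF_CloseSession(HANDLE hSessionHandle) {
    struct mock_session *s = session_of(hSessionHandle);
    if (!s) return MOCK_ERR_HANDLE;
    memset(s, 0, sizeof *s);       /* drops any private key access rights too */
    return SDR_OK;
}

/* Mock only: deterministic xorshift so the example is reproducible. */
LONG SDF_GenerateRandom(HANDLE hSessionHandle, ULONG uiLength, BYTE *pucRandom) {
    struct mock_session *s = session_of(hSessionHandle);
    if (!s) return MOCK_ERR_HANDLE;
    if (!pucRandom || uiLength == 0) return MOCK_ERR_PARAM;
    for (ULONG i = 0; i < uiLength; i++) {
        s->rng ^= s->rng << 13; s->rng ^= s->rng >> 17; s->rng ^= s->rng << 5;
        pucRandom[i] = (BYTE)s->rng;
    }
    return SDR_OK;
}

LONG SDF_GetPrivateKeyAccessRight(HANDLE hSessionHandle, ULONG uiKeyIndex,
                                  LPSTR pucPassword, ULONG uiPwdLength) {
    struct mock_session *s = session_of(hSessionHandle);
    if (!s) return MOCK_ERR_HANDLE;
    if (uiKeyIndex < 1 || uiKeyIndex > MOCK_MAX_INDEX) return MOCK_ERR_INDEX;
    if (!pucPassword || uiPwdLength < 8) return MOCK_ERR_PARAM;   /* 6.2.8: at least 8 bytes */
    if (uiPwdLength != strlen(MOCK_ACCESS_CODE) ||
        memcmp(pucPassword, MOCK_ACCESS_CODE, uiPwdLength) != 0) return MOCK_ERR_PASSWORD;
    s->granted[uiKeyIndex] = 1;    /* the right is scoped to this session */
    return SDR_OK;
}

LONG SDF_ReleasePrivateKeyAccessRight(HANDLE hSessionHandle, ULONG uiKeyIndex) {
    struct mock_session *s = session_of(hSessionHandle);
    if (!s) return MOCK_ERR_HANDLE;
    if (uiKeyIndex < 1 || uiKeyIndex > MOCK_MAX_INDEX) return MOCK_ERR_INDEX;
    s->granted[uiKeyIndex] = 0;
    return SDR_OK;
}

/* What a private key operation would check before touching key slot uiKeyIndex. */
int mock_key_usable(HANDLE hSessionHandle, ULONG uiKeyIndex) {
    struct mock_session *s = session_of(hSessionHandle);
    return s && uiKeyIndex >= 1 && uiKeyIndex <= MOCK_MAX_INDEX && s->granted[uiKeyIndex];
}

/* The application call sequence; returns how many steps succeeded (7 = all). */
int mock_lifecycle_demo(void) {
    HANDLE hDev = NULL, hSess = NULL; BYTE rnd[16]; int steps = 0;
    if (SDF_OpenDevice(&hDev) != SDR_OK) return steps;
    steps++;
    if (SDF_OpenSession(hDev, &hSess) != SDR_OK) goto done;
    steps++;
    if (SDF_GenerateRandom(hSess, sizeof rnd, rnd) != SDR_OK) goto done;
    steps++;
    if (SDF_GetPrivateKeyAccessRight(hSess, 1, (LPSTR)MOCK_ACCESS_CODE,
                                     (ULONG)strlen(MOCK_ACCESS_CODE)) != SDR_OK) goto done;
    steps++;
    if (!mock_key_usable(hSess, 1)) goto done;
    steps++;
    if (SDF_ReleasePrivateKeyAccessRight(hSess, 1) != SDR_OK || mock_key_usable(hSess, 1)) goto done;
    steps++;
    if (SDF_CloseSession(hSess) == SDR_OK) steps++;
done:
    SDF_CloseDevice(hDev);         /* always close the device, even on an error path */
    return steps;
}

/* Same sequence with a 4-byte access code: the length rule of 6.2.8 is enforced. */
LONG mock_short_code_demo(void) {
    HANDLE hDev = NULL, hSess = NULL; LONG rc;
    if (SDF_OpenDevice(&hDev) != SDR_OK || SDF_OpenSession(hDev, &hSess) != SDR_OK) return MOCK_ERR_HANDLE;
    rc = SDF_GetPrivateKeyAccessRight(hSess, 1, (LPSTR)"1234", 4);
    SDF_CloseDevice(hDev);
    return rc;
}
```

Two properties of the mock are worth carrying over to real code against an SDF device: every function re-validates the session handle instead of trusting the caller, and the private key access right lives only as long as the session that obtained it, so releasing the right (or closing the session) is the normal way to return to least privilege after a signing operation.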

Tips & Frequently Asked Questions:

Question 1: How long will the true-PDF of GB/T 36322-2018_English be delivered?

Answer: Upon your order, we will start to translate GB/T 36322-2018_English as soon as possible, and keep you informed of the progress. The lead time is typically 4 ~ 6 working days. The lengthier the document the longer the lead time.

Question 2: Can I share the purchased PDF of GB/T 36322-2018_English with my colleagues?

Answer: Yes. The purchased PDF of GB/T 36322-2018_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet.

Question 3: Does the price include tax/VAT?

Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countries

Question 4: Do you accept my currency other than USD?

Answer: Yes. If you need your currency to be printed on the invoice, please write an email to [email protected]. In 2 working-hours, we will create a special link for you to pay in any currencies. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay.