GB/T 38542-2020: Information security technology - Technical framework for authentication of mobile smart terminals based on biometric. Status: Valid
Basic data
| Standard ID | GB/T 38542-2020 (GB/T38542-2020) |
| Description (Translated English) | Information security technology - Technical framework for authentication of mobile smart terminals based on biometric |
| Sector / Industry | National Standard (Recommended) |
| Classification of Chinese Standard | L80 |
| Classification of International Standard | 35.040 |
| Word Count Estimation | 18,170 |
| Date of Issue | 2020-03-06 |
| Date of Implementation | 2020-10-01 |
| Issuing agency(ies) | State Administration for Market Regulation, China National Standardization Administration |
This is a DRAFT version for illustration, not a final translation.
Information security technology - Technical framework for authentication of mobile smart terminals based on biometric
ICS 35.040
L80
National Standard of the People's Republic of China
Released 2020-03-06
Implemented 2020-10-01
Issued by the State Administration for Market Regulation and the National Standardization Management Committee
Table of contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions, abbreviations
3.1 Terms and definitions
3.2 Abbreviations
4 Overview
5 Technical architecture
5.1 Overall Architecture
5.2 Mobile smart terminal side functional unit
5.3 Server side functional unit
6 Business Process
7 Communication protocol
7.1 Identity Authentication Protocol
7.2 Trusted Management Protocol
8 Functional requirements
8.1 Mobile smart terminal side functional unit
8.2 Server side functional unit
9 Safety requirements
9.1 Security requirements for mobile smart terminals
9.2 Server-side security requirements
9.3 Communication security requirements
9.4 Security requirements for identity authentication protocols
Appendix A (informative appendix) Identification application based on fingerprint recognition
Appendix B (informative appendix) Trusted Environment Safety Instructions
Reference
1 Scope
This standard specifies the technical framework of mobile smart terminal identity authentication based on biometrics, including technical architecture, business processes, functional requirements and safety requirements.
This standard applies to the design, development and integration of mobile smart terminal identification systems based on biometrics.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest version (including all amendments) applies to this document.
GB/T 26238-2010 Information technology biometric terms
GB/T 34975-2017 Information security technology mobile smart terminal application software security technical requirements and test evaluation methods
GB/T 34978-2017 Information Security Technology Mobile Smart Terminal Personal Information Protection Technical Requirements
GB/T 35273-2017 Information Security Technology Personal Information Security Specification
GB/T 35281-2017 Information Security Technology Mobile Internet Application Server Security Technical Requirements
GB/T 36651-2018 Information Security Technology Biometric Identification Protocol Framework Based on Trusted Environment
3 Terms and definitions, abbreviations
3.1 Terms and definitions
The following terms and definitions defined in GB/T 26238-2010 apply to this document. For ease of use, some terms and definitions in GB/T 26238-2010 are repeated below.
3.1.1
Biometrics
Automatic identification of the individual based on the individual's behavioral and biological characteristics.
Note: "Individual" is limited to people.
[GB/T 26238-2010, definition 2.1.2]
3.1.2
Biometric item
A numerical value or marker extracted from a biometric sample for comparison.
[GB/T 26238-2010, definition 2.2.2.2.2.4]
3.1.3
Biometric identifier
Component used when performing user authentication based on individual behavioral and biological characteristics.
3.1.4
Biometric sample
It is the representation of the analog or digital biometric features obtained from the biometric acquisition subsystem prior to the extraction of biometric items.
[GB/T 26238-2010, definition 2.2.2.2.2.10]
3.1.5
Biometric template
The set of reference biometric items, that is, the set of stored biometric items, which can be directly compared with the biometric items of the probe biometric sample.
[GB/T 26238-2010, definition 2.2.2.2.2.9.2]
3.1.6
Comparison
Estimate, calculate or measure the similarity and dissimilarity between the biometric probe and the biometric reference.
[GB/T 26238-2010, definition 2.2.4.1.2]
3.1.7
Execution environment
A collection of software and hardware that exists in mobile devices and can provide necessary capabilities to support the running of applications in mobile devices.
Note: Generally includes a hardware processing unit, volatile storage unit, non-volatile storage unit, operating system, calling interface and other components.
3.1.8
Identification
The act of verifying the claimed identity of an entity.
3.1.9
Presentation attack
An attack against the biometric data collection module, made to interfere with the operation of the biometric identification system.
[ISO/IEC 30107-1:2016, definition 3.5]
3.1.10
Relying party
An entity that relies on the user's authentication results provided by other entities (such as the identity authentication server) and authorizes the resources or systems used by the user.
[GB/T 36651-2018, definition 3.6]
3.1.11
Mobile smart terminal
A mobile terminal that can access the mobile communication network, has an open operating system that can provide application development interfaces, and can install and run application software.
3.1.12
Trusted application
Software that runs in a trusted environment and provides security-related services for client software or other applications.
3.1.13
Trusted application management
A system that provides application release management and security module management functions.
3.1.14
Trusted environment
A security area on the user's device that can ensure the security of the data loaded into it, including confidentiality, integrity and availability, such as a trusted execution environment (TEE), secure element (SE), trusted cryptographic module (TCM) or other protected area with a security boundary.
[GB/T 36651-2018, definition 3.1]
3.2 Abbreviations
The following abbreviations apply to this document.
Note: REE (Rich Execution Environment) generally refers to the open execution environment running in mobile devices, which provides open, rich and strong operating support for the applications running in it, but has relatively weak security protection capabilities.
5.2.2 Identity authentication middleware
Identity authentication middleware is an independent identity authentication system software or service program located between the underlying system resources and applications. It can be applied to different operating systems and hardware platforms, provides mobile applications with the operating interfaces for identity authentication services, and is responsible for identity-authentication-related communication between mobile applications in the REE and trusted applications in the trusted environment.
The identity authentication middleware can be an identity authentication system service integrated in the mobile smart terminal operating system, a proprietary SDK integrated in the mobile application, or independent application software running on the mobile smart terminal.
5.2.3 Identity authentication trusted application
The identity authentication trusted application is responsible for the analysis and processing of the identity authentication protocol and for managing the biometric identifiers it supports, and completes the biometric verification of the user with the biometric identifier selected in the authentication protocol.
The identity authentication trusted application is responsible for the management of user authentication keys related to identity authentication, including generation, storage, use and deletion.
The identity authentication trusted application can be preinstalled in the mobile smart terminal before it leaves the factory, or installed in the mobile smart terminal by remote dynamic download.
5.2.4 Biometric recognizer
The biometric recognizer is a biometric identification system located on the mobile smart terminal that verifies the user's biometrics based on biometric identification technology. It is generally composed of a feature collection module, a feature storage module, and a feature comparison module, among which:
a) The feature collection module collects the user's biometric samples through the biometric collection component, and further extracts biometric items from the biometric samples for use in the subsequent feature storage module or feature comparison module;
b) The feature storage module is used to store the biometric template entered by the user;
c) The feature comparison module compares the entered user biometric probe with one or more biometric templates entered in the feature storage module, and makes a recognition decision based on the comparison result to judge whether the user has passed the verification.
5.2.5 Acquisition components
The collection component is connected to the biometric recognizer and can be called by the biometric recognizer to collect the user's biometric samples.
5.3 Server side functional unit
5.3.1 Relying party
The relying party is mainly responsible for providing the back-end services of the mobile application, and interacts with the mobile application and the identity authentication server based on the identity authentication protocol to complete the various business processes of identity authentication.
In the identity authentication process, the relying party obtains the user's identity authentication result from the identity authentication server, and provides the corresponding authorized service or resource.
5.3.2 Identity authentication server
5.3.2.1 Overview
The identity authentication server includes an identity authentication service module and a trusted management module. Among them, the identity authentication service module is a required module, mainly responsible for managing the identity authentication registration relationship on the server side, analyzing and verifying the identity authentication protocol, and providing identity authentication results to the relying party. The trusted management module is mainly responsible for trusted management of mobile smart terminals and identity authentication trusted applications.
5.3.2.2 Identity authentication service module
The identity authentication service module is mainly responsible for:
a) In the identity authentication registration business process, verifying the authenticity and integrity of the biometric identifier used in the registration process, creating and storing the identity authentication registration relationship newly applied for by the user, and storing the user authentication key generated during the registration process and binding it to the registration relationship;
b) In the identity authentication business process, verifying the authenticity and integrity of the biometric identifier used in the authentication process, identifying the identity authentication registration relationship used in the business, and using the bound user authentication key to verify the information in the identity authentication protocol;
c) In the identity authentication cancellation business process, deleting the corresponding identity authentication registration relationship and the bound user authentication key;
d) Transmitting the identity authentication result to the relying party in a credible way.
5.3.2.3 Trusted management
Trusted management is an optional functional module, which mainly includes:
a) The trusted application management module, responsible for the life cycle management of identity authentication trusted applications, including downloading, installing, updating and deleting. If a secure element is used on the mobile smart terminal side, it is also responsible for managing the life cycle of trusted applications in the secure element.
b) The trusted device management module, responsible for managing the trusted device list of mobile smart terminals.
6 Business Process
The identity authentication of mobile smart terminals based on biometrics generally includes three business processes: registration, authentication, and cancellation.
GB/T 36651-2018 regulations on business processes.
7 Communication protocol
7.1 Identity authentication protocol
The identity authentication protocol should comply with the provisions and descriptions of the protocol interface in Chapter 7 and Appendix C of GB/T 36651-2018.
7.2 Trusted Management Protocol
The server side can manage the life cycle of trusted applications and trusted devices on the smart terminal side through the trusted management protocol, including management operations such as application installation, uninstallation, and update. This standard does not specify a trusted management protocol.
Before the management operation, the communication parties should be authenticated and a secure channel should be established.
8 Functional requirements
8.1 Mobile smart terminal side functional unit
8.1.1 Mobile Application
The mobile application requirements are as follows:
a) It should be able to interact with the relying party based on the identity authentication protocol to realize business processes such as identity authentication registration, identity authentication, and identity authentication cancellation;
b) It should be able to interact with the identity authentication trusted application by invoking the identity authentication middleware to realize business processes such as identity authentication registration, identity authentication, and identity authentication cancellation;
c) It should be able to uniquely identify the user's identity; one user can correspond to multiple identity authentication registration relationships, and one identity authentication registration relationship should correspond to only one user;
d) A limit on the number of failed biometric authentication attempts should be set. After the number of failed attempts exceeds the limit, users should be restricted from continuing to try, or guided to use other methods for identification.
8.1.2 Identity authentication middleware
The functional interface requirements for the identity authentication middleware are as follows:
a) It is advisable to support obtaining the version number of the identity authentication trusted application;
b) It should support obtaining information on the biometric identifiers supported by the identity authentication trusted application, such as the implementation type of the biometric identifier (fingerprint, iris, face, etc.), version number, etc.;
c) It should support operation interfaces for identity authentication registration, identity authentication and identity authentication cancellation, etc.;
d) It should support obtaining the unique identification of mobile smart terminals;
e) It can verify the calling authority of mobile applications, such as by directly interacting with the identity authentication server.
8.1.3 Identity authentication trusted application
The requirements for the identity authentication trusted application are as follows:
a) It should be able to provide the version number of the identity authentication trusted application to the identity authentication middleware;
b) It should be able to analyze the identity authentication protocol and verify its authenticity and integrity, and realize business processes such as identity authentication registration, identity authentication and identity authentication cancellation;
c) It should be able to support the management of the identity authentication registration relationship on the mobile smart terminal side, including the management of the user authentication key bound to the registration relationship, such as generation, storage, use, and deletion;
d) It is advisable to establish a correspondence between the verification process of the biometric identifier and the user identity authentication registration relationship, such as through the association of biometric template digest values, etc.;
e) It should be able to manage the supported biometric identifiers located in the mobile smart terminal, including obtaining biometric identifier information, calling the biometric identifier to verify the user's identity, and obtaining the verification result, etc.;
f) There should be control over the use of user authentication keys: the user authentication key can be used only after the verification result obtained from the biometric identifier indicates that the user's identity has been verified;
g) The mobile smart terminal should be uniquely identified for the trusted device management on the server side.
8.1.4 Biometric recognizer
The functional requirements of the biometric identifier are as follows:
a) Model and version information should be provided, and it should have a unique identification.
b) It should have the ability to detect and prevent presentation attacks.
c) Feature acquisition module:
1) It should support the use of collection components to collect user biometric samples and convert them into a data format suitable for biometric identification processing;
2) There should be clear user prompts to inform users that their biometric samples have been collected. If the collection process is carried out in multiple passes, the progress of each collection should be made clear to the user;
3) It should support quality judgment of the collected user biometric samples, and extract user biometric items from the samples that pass the quality judgment for subsequent biometric storage or biometric comparison;
4) It is advisable to use irreversible methods to extract biometric items from user biometric samples.
d) Feature storage module:
1) The same user should correspond to only one unique identity in the same biometric storage module; the same user identity cannot be used to identify two or more different users; it should be possible to associate the registered user's biometric template with the user's identity identifier;
2) Only entities with legal authority should be allowed to enter, access, read or delete user biometric data in the biometric storage module;
3) It should allow the same user to register two or more biometric templates in the biometric storage module;
4) It should have the ability to determine and handle abnormal situations, such as a handling mechanism for when the registration, reading or deletion of the biometric template fails.
e) Feature comparison module:
1) It should be able to compare the input user biometric probe with the biometric template registered in the biometric storage module, calculate the comparison score, judge the recognition result based on the comparison score, and output the recognition result;
2) It shall have the function of judging and handling abnormal situations, including but not limited to the corresponding handling mechanisms when the comparison fails and when the identification decision fails.
8.2 Server side functional unit
8.2.1 Relying party
The relying party requirements are as follows:
a) It should be able to interact with mobile applications based on the identity authentication protocol to realize business processes such as identity authentication registration, identity authentication, and identity authentication cancellation;
b) It should be able to interact with the identity authentication server based on the identity authentication protocol to realize business processes such as identity authentication registration, identity authentication, and identity authentication cancellation;
c) It should be able to authorize users to access corresponding services or resources of the server based on the result of identity authentication.
8.2.2 Identity authentication server
The authentication server requirements are as follows:
a) It should be able to interact with the relying party based on the identity authentication protocol, analyze and verify the identity authentication protocol, and realize business processes such as identity authentication registration, identity authentication, and identity authentication cancellation;
b) It should be able to manage the identity authentication registration relationship on the server side, including generation, maintenance, and deletion;
c) The correspondence between the verification process of the biometric identifier and the user identity authentication registration relationship should be verified on the server side, for example through biometric template digest values;
d) It should be capable of trusted application management and trusted device management.
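The functional requirements above can be modelled in a few dozen lines. This is an added example, not part of the standard or of any implementation of it: it shows key use gated on the recognizer result and the template digest bound to the registration (8.1.3 d and f), the failed-attempt limit (8.1.1 d), and the server-side checks of 5.3.2.2 and 8.2.2 c). Assumptions: all class and method names are hypothetical, HMAC-SHA256 with a shared key stands in for the protocol of GB/T 36651-2018, the limit of 5 is constructed, and the attempt counter is kept in the trusted application for brevity.

```python
import hashlib
import hmac
import secrets

MAX_FAILED = 5  # constructed value; the page requires a limit but gives no number

class Recognizer:
    """Stand-in biometric recognizer; exact match replaces a comparison score."""
    def __init__(self, template: bytes):
        self.template = template
    def template_digest(self) -> str:
        return hashlib.sha256(self.template).hexdigest()
    def verify(self, probe: bytes) -> bool:
        return hmac.compare_digest(probe, self.template)

class TrustedApp:
    """Identity authentication trusted application, inside the trusted environment."""
    def __init__(self, recognizer: Recognizer):
        self.recognizer = recognizer
        self.keys = {}   # registration id -> user authentication key
        self.failed = 0  # consecutive failed biometric attempts
    def user_verified(self, probe: bytes) -> bool:
        if self.failed >= MAX_FAILED:  # locked: caller must fall back to another method
            return False
        ok = self.recognizer.verify(probe)
        self.failed = 0 if ok else self.failed + 1
        return ok
    def register(self, reg_id: str, probe: bytes):
        if not self.user_verified(probe):
            return None
        self.keys[reg_id] = secrets.token_bytes(32)  # key from a CSPRNG
        return self.keys[reg_id], self.recognizer.template_digest()
    def respond(self, reg_id: str, challenge: bytes, probe: bytes):
        # Key use is gated on the recognizer's verification result.
        if reg_id not in self.keys or not self.user_verified(probe):
            return None
        digest = self.recognizer.template_digest()
        mac = hmac.new(self.keys[reg_id], challenge + digest.encode(), hashlib.sha256)
        return digest, mac.digest()
    def cancel(self, reg_id: str):
        self.keys.pop(reg_id, None)

class AuthServer:
    """Identity authentication service module."""
    def __init__(self):
        self.regs = {}     # reg_id -> (user, key, template digest at registration)
        self.pending = {}  # reg_id -> outstanding single-use challenge
    def store(self, reg_id, user, key, digest):
        self.regs[reg_id] = (user, key, digest)
    def challenge(self, reg_id) -> bytes:
        self.pending[reg_id] = secrets.token_bytes(16)
        return self.pending[reg_id]
    def verify(self, reg_id, response):
        nonce = self.pending.pop(reg_id, None)
        if nonce is None or response is None or reg_id not in self.regs:
            return None
        user, key, enrolled = self.regs[reg_id]
        digest, tag = response
        good = hmac.new(key, nonce + digest.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good) or digest != enrolled:
            return None  # bad key proof, or template changed since registration
        return user
    def cancel(self, reg_id):
        self.regs.pop(reg_id, None)

def demo() -> dict:
    rec = Recognizer(b"alice-template")  # constructed sample data throughout
    ta, srv = TrustedApp(rec), AuthServer()
    srv.store("r1", "alice", *ta.register("r1", b"alice-template"))
    def run(probe):
        return srv.verify("r1", ta.respond("r1", srv.challenge("r1"), probe))
    out = {"genuine": run(b"alice-template"), "wrong_probe": run(b"other-finger")}
    rec.template = b"new-template"  # template replaced after registration
    out["new_template"] = run(b"new-template")
    rec.template = b"alice-template"
    for _ in range(MAX_FAILED):
        run(b"other-finger")
    out["locked_out"] = run(b"alice-template")
    return out

if __name__ == "__main__":
    print(demo())
```

The `new_template` case is the one the digest binding exists for: the recognizer accepts the probe locally, yet the server rejects the result because the template set no longer matches the one bound at registration.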
9 Safety requirements
9.1 Security requirements for mobile smart terminals
9.1.1 Mobile Application
The mobile application requirements are as follows.
a) It should meet the safety requirements specified in Chapter 4 of GB/T 34975-2017;
b) Effective technical means should be adopted to confirm the authenticity of the relying party or identity authentication server communicating with it.
9.1.2 Trusted environment
The trusted environment should have a security boundary, and technical means should be provided within the environment to guarantee the confidentiality, integrity and availability of the code and data in the trusted environment. Please refer to Appendix B for instructions on trusted environment security.
9.1.3 Identity authentication trusted application
Effective technical means should be adopted to ensure that the life cycle management of trusted applications, such as download, installation, update and uninstall, is secure and controllable. The security requirements for identity authentication trusted applications are as follows:
a) Effective technical means can be adopted to verify the authenticity and integrity of the biometric identifier;
b) There should be an access control mechanism to ensure that only mobile applications with access rights can make access calls to the identity authentication trusted application through the identity authentication middleware;
c) It should support the verification of the authenticity and integrity of the biometric identifier;
d) After completing the identity authentication business process, the identity authentication trusted application should clear the temporary data in the memory in time;
e) Effective technical means should be adopted to ensure the randomness of the user authentication key generated in the identity authentication registration process, and effective technical means should be adopted to ensure the safe storage and use of the generated user authentication key.
9.1.4 Biometric recognizer
There should be effective technical means to verify the authenticity and integrity of the biometric identifier. The security requirements for the biometric recognizer are as follows:
a) Feature acquisition module:
1) There should be an effective security mechanism to ensure the confidentiality and integrity of the user's biometric data during biometric sample collection, quality judgment, presentation attack detection, and biometric item extraction and transmission;
2) The user's biometric samples that have not passed the quality judgment should be removed in time, and it should be ensured that they are unrecoverable;
3) After the extraction of biometric items is completed, the user's biometric samples should be cleared in time and it should be ensured that they are unrecoverable;
4) The above-mentioned security mechanism should be implemented in combination with the trusted execution environment or secure elements of the mobile smart terminal.
b) Feature storage module:
1) There should be an effective security mechanism to ensure the correct association between the registered user's biometric template and the user ID, and to prevent illegal modification and acquisition;
2) There should be an effective security mechanism to ensure the confidentiality and integrity of the user's biometric data when it is operated on in the biometric storage module, such as during storage and transmission, and to clear temporary data (such as data stored in the dynamic memory of the device and biometric samples during storage or transmission) in time and ensure that it is unrecoverable;
3) It is advisable to use encryption to store user biometric template data;
4) The deleted user biometric template data should be cleared in time and it should be ensured that it is unrecoverable;
5) The above security mech...