|
US$629.00 · In stock
Delivery: <= 6 days. True-PDF full-copy in English will be manually translated and delivered via email.
GB/T 38636-2020: Information security technology - Transport layer cryptography protocol (TLCP)
Status: Valid
| Standard ID | Contents [version] | USD | STEP2 | [PDF] delivered in | Standard Title (Description) | Status | PDF |
| GB/T 38636-2020 | English | 629 |
Add to Cart
|
6 days [Need to translate]
|
Information security technology - Transport layer cryptography protocol (TLCP)
| Valid |
GB/T 38636-2020
|
PDF similar to GB/T 38636-2020
Standard similar to GB/T 38636-2020 GB/T 38626 GB/T 38671 GB/T 38628 Basic data | Standard ID | GB/T 38636-2020 (GB/T38636-2020) | | Description (Translated English) | Information security technology - Transport layer cryptography protocol (TLCP) | | Sector / Industry | National Standard (Recommended) | | Classification of Chinese Standard | L80 | | Classification of International Standard | 35.040 | | Word Count Estimation | 34,352 | | Date of Issue | 2020-04-28 | | Date of Implementation | 2020-11-01 | | Quoted Standard | GB/T 20518; GB/T 35275; GB/T 35276 | | Issuing agency(ies) | State Administration for Market Regulation, China National Standardization Administration | | Summary | This standard specifies transport layer cryptographic protocols, including record layer protocols, handshake protocol suites and key computation. This standard is applicable to the development of transport layer cryptographic protocol related products (such as SSL VPN gateways, browsers, etc.), and can also be used to guide the detection, management and use of transport layer cryptographic protocol related products. | GB/T 38636-2020: Information security technology - Transport layer cryptography protocol (TLCP)---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.
Information security technology--Transport layer cryptography protocol (TLCP)
ICS 35.040
L80
National Standards of People's Republic of China
Information Security Technology Transport Layer Cryptographic Protocol (TLCP)
2020-04-28 release
2020-11-01 implementation
State Administration of Market Supervision and Administration
Issued by the National Standardization Management Committee
Contents
Foreword I
1 Scope 1
2 Normative references 1
3 Terms and definitions 1
4 Symbols and abbreviations 1
5 Cryptographic algorithms and key types 2
5.1 Overview 2
5.2 Cryptographic algorithm 3
5.3 Key types 3
6 Agreement 4
6.1 Overview 4
6.2 Data type definition 4
6.3 Recording layer protocol 5
6.4 Handshake protocol family 10
6.5 Key calculation 23
Appendix A (Normative Appendix) GCM discernable encryption mode 24
Reference 31
Foreword
This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
Please note that some content of this document may involve patents. The issuer of this document does not assume responsibility for identifying these patents.
This standard is proposed and managed by the National Information Security Standardization Technical Committee (SAC/TC260).
This standard was drafted by. Shandong Dean Information Technology Co., Ltd., Gore Software Co., Ltd., Beijing Xinan Century Technology Co., Ltd.
Division, Chengdu Weishitong Information Industry Co., Ltd., Changchun Jida Zhengyuan Information Technology Co., Ltd., Beijing Qiqi Intelligent Technology Co., Ltd.
The company, Beijing Sanwei Xin'an Technology Development Co., Ltd., Beijing Haitai Fangyuan Technology Co., Ltd., and State Password Administration are in commercial password testing.
Xin, Beijing Jiangnan Tianan Technology Co., Ltd., CICC Financial Certification Center Co., Ltd., Beijing Tianrongxin Network Security Technology Co., Ltd.
The main drafters of this standard. Zheng Qiang, Ma Hongfu, Wang Zongbin, Luo Jun, Zhao Lili, Zhang Liting, Wang Xuelin, Tian Minqiu, Zhang Yuegong, Jiang Hongyu,
Lu Chunmei, Li Guo, Sun Shengnan, Lei Xiaofeng.
Information Security Technology Transport Layer Cryptographic Protocol (TLCP)
1 Scope
This standard specifies the transport layer cryptographic protocol, including the record layer protocol, handshake protocol family and key calculation.
This standard applies to the development of transport layer cryptographic protocol related products (such as SSLVPN gateways, browsers, etc.), and can also be used to guide transmission
The detection, management and use of products related to the layer cryptographic protocol.
2 Normative references
The following documents are essential for the application of this document. For dated references, only the dated version applies to this article
Pieces. For the cited documents without date, the latest version (including all amendments) applies to this document.
GB/T 20518 Information Security Technology Public Key Infrastructure Digital Certificate Format Specification
GB/T 35275 Information Security Technology SM2 Cryptographic Algorithm Encrypted Signature Message Syntax Specification
GB/T 35276 Information Security Technology SM2 Cryptographic Algorithm Usage Specification
3 Terms and definitions
The following terms and definitions apply to this document.
3.1
Digital certificate
Contains public key owner information, public key, issuer information, validity period, and extension letter signed by a certificate certification authority (CA)
A data structure of interest.
Note. It can be divided into personal certificate, institution certificate and equipment certificate by category, and it can be divided into signature certificate and encryption certificate by usage.
3.2
IBC algorithm identitybased cryptography algorithm
An asymmetric cryptographic algorithm that can use any identifier as the public key and does not need to use a digital certificate to prove the public key.
3.3
IBC logo IBCidentity
A string representing the identity or attribute of an entity.
3.4
IBC public parameters
Contains the public parameter information such as the name, operation curve, identification coding method and key generation algorithm of the IBC key management center.
Note. The parameter information is used to convert the entity identification into a public key.
3.5
Initialization vector/value initializationvector; initializationvalue; IV
In the password conversion, it is used as the starting data for data conversion to increase the security or synchronize the password devices.
4 Symbols and abbreviations
4.1 Symbol
The following symbols apply to this document.
. Tandem.
⊕. XOR operation.
0s. A bit string containing s '0' bits.
CIPHK(X). The output of the packet ciphertext with key K and packet X.
GCTRK(ICB,X). For the bit string X, the initial technical grouping is ICB, and the key is the output of the GCTR function K
GHASHH(X). For GHASH with hash key H and bit string H.
HMAC(X,Y). Perform cryptographic hash operation on Y with X as the key.
incs(X). The incremental output of the rightmost s-bit of the bit string X.
int(X). integer representation of the bit string X.
len(X). the length of the bit string X.
LSBs(X). The rightmost s-bit bit string of the bit string X.
MSBs(X). The leftmost s-bit bit string of bit string X.
X||Y. The connection between bit string X and bit string Y.
A. Additional identifiable data.
C. Cipher text.
H. Hash subkey.
K. Group key.
P. Plain text.
R. Constant used for group multiplication in the algorithm.
T. Identification label.
t. identify the length of the label.
4.2 Abbreviations
The following abbreviations apply to this document.
AEAD. Authentication encryption with additional data (AuthenticatedEncryptionwithAddationData)
ADD. Additional authentication data (AdditionalAuthenticatedData)
CBC. CipherBlockChaining working mode
CTR. Counter
DN. Distinguished Name (DistinguishedName)
GCM. Galois Counter Mode (GaloisCounterMode)
HMAC. message authentication code (Hash-basedMessageAuthenticationCode) calculated using a hash algorithm
IBC. Identity-Based Cryptography
ICB. Initial Counter Block (InitialCounterBlock)
IV. Initialization Vector
LSB. Least Significant Bit
MSB. Most Significant Bit (MostSignificantBit)
TLCP. Transport Layer Cryptography Protocol (TransportLayerCryptographyProtocol)
XOR. Exclusive-OR
5 Cryptographic algorithms and key types
5.1 Overview
TLCP uses cryptographic technology to provide confidentiality and data integrity between two applications. The cryptographic algorithm used by the protocol
Contains asymmetric cryptographic algorithms, block cipher algorithms, cryptographic hash algorithms, data expansion functions and pseudo-random functions
Contains server key, client key, pre-master key, master key and work key.
5.2 Cryptographic algorithm
5.2.1 Asymmetric cryptographic algorithm
Used for identity authentication, digital signature, key exchange, etc.
5.2.2 Block cipher algorithm
It is used for encryption protection of key exchange data and encryption protection of message data. The working mode adopted should be GCM or CBC mode.
5.2.3 Password hashing algorithm
Used for symmetric key generation and integrity verification.
5.2.4 Data expansion function P_hash
The P_hash function is defined as follows.
P_hash(secret,seed) = HMAC(secret,A(1) seed)
HMAC(secret, A(2) seed)
HMAC(secret, A(3) seed)
..
among them.
The secret is the key required for the calculation.
The seed is the data required for the calculation.
A(0)=seed
A(i) = HMAC(secret, A(i-1))
P_hash can iterate repeatedly until it produces data of the required length.
5.2.5 PRF
The calculation method of PRF is as follows.
PRF(secret,label,seed)=P_hash(secret,label seed)
5.3 Key types
5.3.1 Overview
Asymmetric cryptographic algorithm is used for identity authentication and key exchange. After the identity authentication is passed, the pre-master key is negotiated.
Key, and then derive the working key. Use the working key for encryption and decryption and integrity verification.
5.3.2 Server key
The server key is an asymmetric cryptographic algorithm key pair, including a signing key pair and an encryption key pair, where the signing key is used for handshake
In the process of server identity authentication, encryption key pair is used for pre-master key negotiation.
5.3.3 Client key
The client key is an asymmetric cryptographic algorithm key pair, including a signing key pair and an encryption key pair, where the signing key is used for handshake
In the process of client identity authentication, encryption key pair is used for pre-master key negotiation.
5.3.4 Pre-master key
The pre-master key (pre_master_secret) is the key material generated by the two parties through negotiation and is used to generate the master key.
5.3.5 Master key
The master key (master_secret) is generated by the pre-master key, the client random number, the server random number, and the constant string.
The 48-byte key material is used to generate a working key.
5.3.6 Work key
The working key includes a data encryption key and a verification key. The data encryption key is used for data encryption and decryption, and the verification key is used
For data integrity calculation and verification. The work key used by the sender is called the write key, and the work key used by the receiver is called the read key.
6 Agreement
6.1 Overview
TLCP includes record layer protocol and handshake protocol family. The handshake protocol family includes password specification change protocol, alarm protocol and handshake protocol.
6.2 Data type definition
6.2.1 Basic data types
Six basic data types are defined, namely opaque, uint8, uint16, uint24, uint32, uint64.All types
The network byte order indicates that the minimum data size is an 8-bit byte.
opaque. any type of data, 1 byte.
uint8.Unsigned 8-bit integer, 1 byte.
uint16.Unsigned 16-bit integer, 2 bytes.
uint24.Unsigned 24-bit integer, 3 bytes.
uint32.Unsigned 32-bit integer, 4 bytes.
uint64.Unsigned 64-bit integer, 8 bytes.
6.2.2 Vector
Vectors are data sequences of a given type. There are two types of vectors. fixed length and variable length. The fixed-length vector is represented by [x]; variable length
Vector \u003cx.y\u003e To indicate, where x represents the lower limit and y represents the upper limit, if only the upper limit needs to be expressed, use \u003cy\u003e Said. The length of all vectors
Degrees are in bytes. The variable-length vector header represents the actual length of the vector, and the size of the header is the maximum that can accommodate the maximum length of the variable-length vector
The number of small bytes.
6.2.3 Enumerated types
Enumerated (Enumerateds) is a series of specific value field collection, usually each field includes a name and value. If it contains
An unnamed value, this value represents the specified maximum value. If only the name is included and no value is defined, it can only be used to refer to the status value, not
Can be used in actual coding. For example, enum{red(0), green(1), (255)}color. The size of the enumeration variable can accommodate the largest enumeration
The minimum number of bytes for the value.
6.2.4 Structure type
Structured types (ConstructedTypes) are defined by struct, which is similar to the C language struct syntax. The fields in the struct are pressed
Encode in series according to the order. If a struct is included in another struct, you can omit the name of the struct.
6.2.5 Variation type
Variants are defined with select and case, and are used to define structures that depend on external information to change, similar to C language
CHOICE of union or ASN.1.
6.3 Record layer protocol
6.3.1 Overview
The record layer protocol is hierarchical, and each layer includes a length field, a description field and a content field. Record layer protocol reception will be transmitted
The input message divides the data into blocks, compresses (optional), calculates HMAC, encrypts, and then transmits. The received data is decrypted, verified, and decompressed
Shrink (optional), repackage and then transfer to high-level applications.
Record layer protocols include. handshake, alarm, password specification change and other types. In order to support the expansion of the protocol, the record layer protocol can support other
Record type. Any new record type should be assigned in addition to the content type value assigned to the above type. If you receive a
Unrecognized record types should be ignored.
6.3.2 Connection status
The connection status is the operating environment of the record layer protocol. Includes four typical connection states. current read state, write state, pending read state
Status, pending write status. Among them, reading means receiving data, writing means sending data. All records are processed in the current read and write state.
The security parameters of the pending state can be set by the handshake protocol, and the password specification change message can change the pending state to the current state. Except the most
In addition to the initial current state, the current state should include negotiated security parameters.
The safety parameter structure of the connection status is as follows.
struct{
ConnectionEnd entity;
BulkCipherAlgorithm bulk_cipher_algorithm;
CipherType cipher_type;
uint8 key_material_length;
MACAlgorithm mac_algorithm;
uint8 hash_size;
CompressionMethod compression_algorithm;
opaque master_secret[48];
opaque client_random[32];
opaque server_random[32];
uint8 record_iv_length;
uint8 fixed_iv_length;
uint8 mac_length;
}SecurityParameters;
among them.
a) ConnectionEnd
Represents the role of the local end in the connection, as a client or server. defined as.
enum{server,client}ConnectionEnd.
b) BulkCipherAlgorithm
Cryptographic algorithm used for data encryption and decryption. defined as.
enum{sm4}BulkCipherAlgorithm.
c) CipherType
Represents the type of cryptographic algorithm. defined as.
enum{block}CipherType.
d) key_material_length
Represents the length of key material.
e) MACAlgorithm
A cryptographic hash algorithm used to calculate and verify the integrity of messages. defined as.
enum{sha_256,sm3}MACAlgorithm.
f) hash_size
Indicates the length of the hash.
g) CompressionMethod
Algorithm used for data compression. defined as.
enum{nul(0),(255)}CompressionMethod.
h) master_secret
A 48-byte key calculated by the pre-master key, client random number, and server random number during the negotiation process
i) client_random
32 bytes of random data generated by the client.
j) server_random
32 bytes of random data generated by the server.
k) record_iv_length
The length of the initial vector.
l) fixed_iv_length
Fixed initial vector length.
m) mac_length
MAC length.
The recording layer will use the above security parameters to generate the following.
---Client write verification key clientwriteMACsecret.
---The server writes the verification key serverwriteMACsecret.
---Client write key clientwritekey.
---Server write key server write key.
---Client write initial vector clientwriteiv.
---Server write initial vector serverwriteiv.
The server uses the client to write parameters when receiving and processing records, and the server uses the server to write parameters when receiving and processing records. Yongan
For full-parameter algorithm for generating these keys, see 6.5.After the key is generated, the connection state can be changed to the current state.
6.3.3 Record layer
6.3.3.1 Overview
The recording layer receives non-empty continuous data of any size from the upper layer, segments the data, compresses it, calculates the check code, encrypts it, and transmits it.
The received data is decrypted, verified, decompressed, repackaged, and then transmitted to high-level applications.
6.3.3.2 Segment
The recording layer divides the data into 214-byte or smaller segments.
The structure of each fragment is as follows.
struct{
ContentTypetype;
ProtocolVersionversion;
uint16length;
opaquefragment[TLSPlaintext.length];
}TLSPlaintext;
among them.
a) Type.
The recording layer protocol type of the fragment. defined as.
enum{
change_cipher_spec(20), alert(21), handshake(22),
application_data(23),(255)
}ContentType;
b) Version.
The version number of the protocol used. The version number here is 1.1.defined as.
struct{
uint8major=0x01,
uint8minor=0x01;
}ProtocolVersion;
c) length
The fragment length in bytes is less than or equal to 214.
d) fragment
The data to be transferred. The record layer protocol does not care about the specific data content.
6.3.3.3 Compression and decompression
All records are compressed using the compression algorithm specified by the current session state. The compression algorithm specified by the current session state is initialized
Turned into an empty algorithm.
The compression algorithm converts the data of a TLS Plaintext structure into the data of a TLS Compressed structure.
The compressed data length can only increase up to 1024 bytes. If the length of the decompressed data exceeds 214 bytes, the report
Report a fatal error decompressionfailure.
The compressed data structure is as follows.
struct{
ContentTypetype;
ProtocolVersionversion;
uint16length;
opaquefragment[TLSCompressed.length];
}TLSCompressed;
among them.
a) The definitions of type and version are the same as a) and b) in 6.3.3.2.
b) length
The length of TLSCompressed.fragment in bytes is less than or equal to 214 1024.
c) fragment
The compressed form of TLSPlaintext.fragment.
6.3.3.4 Encryption and verification
6.3.3.4.1 Overview
Encryption and verification operations convert data from a TLSCompressed structure to data from a TLSCiphertext structure.
The decryption operation performs the opposite operation.
The encrypted data structure is as follows.
struct{
ContentTypetype;
ProtocolVersionversion;
uint16length;
select(CipherSpec.cipher_type){
caseblock.GenericBlockCipher;
caseaead.GenericAEADCipher;
}fragment;
}TLSCiphertext;
among them.
a) The definitions of type and version are the same as a) and b) in 6.3.3.2.
b) length
The length of TLSCiphertext.fragment in bytes is less than or equal to 214 2048.
c) fragment
TLSCompressed.fragment encryption form with check code.
6.3.3.4.2 Data processing of the verification algorithm
The verification code is calculated before encryption, and the calculation method is as follows.
HMAC_hash(MAC_write_secret,seq_num TLSCompressed.type TLSCompressed.version
TLSCompressed.length TLSCompressed.fragment)
among them.
a) seq_num
serial number. Each read and write state maintains a monotonically increasing serial number. The type of serial number is uint64, serial number
The initial value is zero, and the maximum cannot exceed 264-1.The serial number cannot be rewound. If the serial number overflows, it should be restarted
Shaking hands.
b) hash
The hash algorithm used when calculating the check code.
6.3.3.4.3 Data processing of block cipher algorithm
When using the block cipher algorithm to encrypt and decrypt data, the encryption operation and check operation are used to combine a TLSCompressed.fragment
The structured data is converted into a TLSCiphertext.fragment structure data. The encrypted data includes the result of the check operation.
The data structure before encryption processing is as follows.
struct{
opaqueIV[SecurityParameters,record_iv_length];
block-cipheredstruct{
opaquecontent[TLScompressed.length];
opaqueMAC[SecurityParameters.mac_length];
uint8padding_length;
uint8padding[GenericBlockCipher.padding_length];
};
}GenericBlockCipher;
among them.
a) IV
The initialization vector transmitted in GenericBlockCipher. This vector should be randomly generated.
b) SecurityParameters.record_iv_length
The length of IV, the default value is related to the cipher suite used.
c) SecurityParameters.mac_length
The length of the MAC, the default value is related to the cipher suite used.
d) Content
Plaintext data before encryption.
e) MAC
Check value of Content.
f) Padding
Populated data. Before the data is encrypted, the data needs to be filled with an integer multiple of the packet length of the cryptographic algorithm. The length of the padding cannot be
More than 255 bytes. The content of each byte filled is the number of bytes filled. The receiver should check this padding
Wrong, send bad_record_mac alarm message.
6.3.3.4.4 Data processing of authentication encryption algorithm (AEAD)
When using the authentication encryption algorithm for encryption and decryption, the authentication encryption function is in the TLSCompressed.fragment structure and the authentication encryption TLSCi-
Convert between phertext.fragment structures.
The input of authentication encryption AEAD password is a key, a random number, plain text and additional authentication data. The key is the client secret
The key or server writes the key, which is determined according to which end is encrypted.
struct{
opaquenonce_explicit[SecurityParameters.record_iv_length];
aead-cipheredstruct{
opaquecontent[TLSCompressed.length];
};
}GenericAEADCipher;
Each AEAD cipher suite should specify how to construct the random numbers provided for AEAD operations, as well as GenericAEADCipher.
The length of the nonce_explicit part. AEAD encryption mode generally uses counter mode. The random number used by AEAD should be displayed by
It consists of two parts. implicit and explicit. The explicit part is nonceexplicit. The implicit parts used by the client and server come from client_
write_iv and server_write_iv. Refer to RFC5116 for the structure of the random numbers and counters used by AEAD.
The additional authentication data (additional_data) is defined as follows.
additional_data=seq_num TLSCompressed.type
TLSCompressed.version TLSCompressed.length;
The output of AEAD is composed of the ciphertext output of the AEAD encryption operation. Its length is usually longer than TLSCompressed.length,
However, the extra length is not uniform in the AEAD cryptographic algorithm. Because the cryptographic algorithm may include padding, the amount of overhead may be
It varies with different TLSCompressed.length values. Each AEAD cryptographic algorithm should generate no more than 1024 extensions
Bit.
AEADEncrypted = AEAD-Encrypt(write_key, nonce, plaintext, additional_data)
For decryption and verification, the cryptographic algorithm takes the key, random number, additional_data, and AAEDecrypted values as input. Output
It is plain text or an error indicating that decryption failed. There is no additional integrity check. which is.
TLSCompressed.fragment = AEAD-Decrypt(write_key,nonce,
AEADEncrypted, additional_data)
If decryption fails, a fatal bad_record_mac warning should be generated.
See Appendix A for GCM's discernable encryption mode.
6.4 Handshake protocol family
6.4.1 Overview
The handshake protocol family consists of three sub-protocols. password specification change protocol, handshake protocol and alarm protocol, which are used by both parties to negotiate for the recording layer
Use the security parameters to authenticate and report errors to the other party.
The handshake protocol family is responsible for negotiating a session, which includes.
a) Session identification. an arbitrary sequence of bytes selected by the server to identify active or recoverable sessions.
b) Certificate. Digital certificate in X509v3 format, in accordance with GB/T 20518.
c) Compression method. Algorithm for compressing data.
d) Password specifications. the specified password algorithm.
e) Master key. a 48-byte key shared by the client and server.
f) Reuse logo. The logo indicating whether a new connection can be initiated using the session. This standard only supports the reuse mode of session identification.
It is clear whether the existing or current session can be reused without renegotiating security parameters.
Using the above data, safety parameters can be generated. Using the reuse feature of the handshake protocol, multiple connections can be established using the same session.
6.4.2 Password specification change agreement
The password specification change protocol is used to notify the change of the password specification, that is, notify the other party to use the security parameters just negotiated to protect the next
The data. The protocol consists of a message, which is compressed with the current compression algorithm and encrypted with the current password specification.
During the consultation, the message was in plain text.
The length of the message is one byte, and i...
Tips & Frequently Asked Questions:Question 1: How long will the true-PDF of GB/T 38636-2020_English be delivered?Answer: Upon your order, we will start to translate GB/T 38636-2020_English as soon as possible, and keep you informed of the progress. The lead time is typically 4 ~ 6 working days. The lengthier the document the longer the lead time. Question 2: Can I share the purchased PDF of GB/T 38636-2020_English with my colleagues?Answer: Yes. The purchased PDF of GB/T 38636-2020_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet. Question 3: Does the price include tax/VAT?Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countriesQuestion 4: Do you accept my currency other than USD?Answer: Yes. If you need your currency to be printed on the invoice, please write an email to [email protected]. In 2 working-hours, we will create a special link for you to pay in any currencies. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay.
|