GM/T 0067-2019: Interface specifications of authentication based on digital certificate
Status: Valid
This is an excerpt. The full copy of the true-PDF in English (including equations, symbols, images, flow-charts, tables and figures) can be purchased online and is auto-delivered in 9 seconds: https://www.ChineseStandard.net/PDF.aspx/GMT0067-2019
GM
CRYPTOGRAPHIC INDUSTRY STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Interface specifications of authentication based on digital certificate
ISSUED ON: JULY 12, 2019
IMPLEMENTED ON: JULY 12, 2019
Issued by: State Cryptography Administration

Table of Contents

Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Implementation method
5.1 Overview
5.2 Proxy authentication mode
5.3 Call mode
6 Algorithm identification and data structure
6.1 Algorithm identification definition
6.2 Data structure definition and description
7 Interface definitions and functions
7.1 The position of the identity authentication interface in the framework of the public key infrastructure application technology system
7.2 Logical structure of identity authentication interface
7.3 Message definition
7.4 Function interface definition
Appendix A (Normative) Definition and description of error code
Appendix B (Informative) Example of identity authentication's application process
References

1 Scope

This standard specifies the digital certificate-based identity authentication interface in the upper application of the public key cryptographic infrastructure system. This standard applies to the development of identity authentication services in the upper application of the public key cryptographic infrastructure system, the R&D and testing of the identity authentication system of the certificate application support platform; it can also be used to guide the application system to standardize the use of certificates for identity authentication.

2 Normative references

The following documents are essential to the application of this document. For dated references, only the version with the indicated date applies to this document; for undated references, only the latest version (including all amendments) applies to this standard.

GB/T 15843.1-2017 Information technology - Security techniques - Entity authentication - Part 1: General
GB/T 15843.3-2016 Information technology - Security techniques - Entity authentication - Part 3: Mechanisms using digital signature techniques

3 Terms and definitions

The following terms and definitions apply to this document.

3.1 Certificate authentication system
A system that manages the entire life cycle of digital certificates, such as the sign-off, issuance, renewal and revocation of digital certificates.

3.2
An elliptic curve public key cryptographic algorithm, the key length of which is 256 bits.
......

3.9 SM3 algorithm
A cryptographic hash algorithm, the output of which is 256 bits.

4 Abbreviations

The following abbreviations apply to this document.

CA: Certificate authority
CN: Common name
CRL: Certificate revocation list
DN: Distinguished name
LDAP: Lightweight directory access protocol
OID: Object identifier
PKI: Public key infrastructure

5 Implementation method

5.1 Overview

The realization of identity authentication includes the proxy identity authentication mode and the call mode. The identity authentication service T and application B are a mutually trusted whole. The identity authentication mechanism used in both modes follows GB/T 15843.3-2016.

5.2 Proxy authentication mode

In this mode, the identity of user A is authenticated by the proxy identity authentication service T; the result of the authentication is then passed to application B. This identity authentication mode is called proxy identity mode and is generally implemented by messages. The authentication protocol is carried out between the user A and the proxy
......
b) When the proxy identity authentication service T receives a message containing TokenAT, it performs the following steps:
   1) Verify the validity of A's certificate, including the validity period, whether it is issued by a trusted organization, the status of the certificate, and the certificate key usage;
   2) Verify TokenAT.
c) The proxy identity authentication service T sends T's certificate and TokenTA to A (see the form of TokenTA in 5.3.2 of GB/T 15843.3-2016);
d) When receiving a message containing TokenTA, user A performs the following steps:
   1) Verify the validity of T's certificate, including the validity period, whether it is issued by a trusted organization, whether it is in the blacklist, and the certificate key usage;
   2) Verify TokenTA.
e) The proxy identity authentication service T passes the verified identity of A to application B.

5.3 Call mode

After the application obtains the user's identity, it actively calls the external service interface of the identity authentication service to perform identity authentication and obtain the authentication result; this is called the call mode. It is generally implemented by interface functions. In this mode, application B starts the verification process and authenticates user A. It controls the uniqueness and timeliness of the authentication protocol by generating and verifying random numbers RB (see Appendix B of GB/T 15843.1-2017). The verification mechanism is as shown in Figure 3.
......

Figure 5 -- Structure of identity authentication interface system

The identity authentication service module on which this interface specification is based is located between the application system and the cryptographic service interface. It provides identity authentication services to the application system through this interface. The cryptographic operations required by the identity authentication module are implemented by invoking cryptographic services through the cryptographic service interface specification. The identity authentication interface is logically divided into two parts: environment functions and identity authentication functions.

7.2.2 Environment functions

The environment functions are responsible for creating and managing the secure program space and the various resources and signals required in it, ensuring that the secure program space cannot be illegally accessed while the application program is running and thereby leak information. The environment functions also establish the secure connection with the identity authentication service, ensuring that subsequent security operations are carried out in a secured and trusted program space. When an application uses the identity authentication interface, it must first call the initialization environment function (SIF_Initialize) to create and initialize a secure application space and to complete the connection to and initialization of the identity authentication service. Before the application program terminates, it shall call the clear environment function (SIF_Finalize) to terminate the connection with the identity authentication service and destroy the created secure program space, preventing the security risks caused by memory residue.

7.2.3 Identity authentication functions

The identity authentication functions realize the acquisition of user information and the verification of user identity (the main means are certificate verification and analysis of the certificate revocation list). The application program realizes identity authentication based on the digital certificate by calling the identity authentication functions.

7.3 Message definition

7.3.1 Message format definition

The message includes two parts: the message header and the message body.
......
    <msg>
      <msg_head>
        <msg_type>0</msg_type>
        <msg_id>0100</msg_id>
        <version>1</version>
      </msg_head>
      <msg_body>
        <connectid> Connect ID </connectid>
      </msg_body>
    </msg>

b) User identity get response

    <?xml version="1.0" encoding="UTF-8"?>
    <msg>
      <msg_head>
        <msg_type>1 or 2</msg_type>
        <msg_id>0100</msg_id>
        <version>1</version>
      </msg_head>
      <msg_body>
        <connectid> Connect ID </connectid>
        <userinfo> Identity information </userinfo>
        <error_no> Error code </error_no>
      </msg_body>
    </msg>

7.3.4 User credential generation message

    <msg>
      <msg_head>
        <msg_type>0</msg_type>
        <msg_id>1000</msg_id>
        <version>1</version>
      </msg_head>
      <msg_body>
        <userseed> Random information (Base64 encoding) </userseed>
        <cert> Certificate (Base64 encoded) for generating user credentials </cert>
      </msg_body>
    </msg>

d) User credential generation response

    <?xml version="1.0" encoding="UTF-8"?>
    <msg>
      <msg_head>
        <msg_type>1 or 2</msg_type>
        <msg_id>1000</msg_id>
        <version>1</version>
      </msg_head>
      <msg_body>
        <usertoken> Generated user credentials (Base64 encoding) </usertoken>
        <error_no> Error code </error_no>
      </msg_body>
    </msg>

7.3.5 User credential verification message
......
        identity authentication service (Base64 encoding) </resultsign>
        <error_no> Error code </error_no>
      </msg_body>
    </msg>

7.4 Function interface definition

7.4.1 Overview

The interface functions include the following; for the return value of each function, refer to Appendix A for the definition of error codes:
a) Initialization: SIF_Initialize
b) Termination: SIF_Finalize
c) Get interface version: SIF_GetVersion
d) Generate the random information needed for user credentials: SIF_GenRandom
e) Generate user credentials: SIF_GenUserToken
f) Verify user credentials: SIF_VerifyUserToken
g) Confirm the authenticity of the verification result: SIF_VerifyResult
h) Get user identity: SIF_GetUserInfo

7.4.2 Initialization function

Prototype:
    SGD_INT32 SIF_Initialize(SGD_CHAR* pucIpAddr, SGD_INT iPort, SGD_VOID* phHandle);

Description: Initialize the identity authentication service and create an identity authentication service handle.

Parameters:
    pucIpAddr [in]: The address of the identity authentication server; it may be NULL, which means that the remote service is not connected.
......
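The following is an added example, not code from the standard or from any vendor implementation: it builds a 7.3-style request and checks a response against the header rules the excerpt shows (msg_type 0 for requests, 1 or 2 for responses; msg_id 0100 and 1000; version 1; Base64 body fields). It assumes that error_no 0 means success, which the excerpt does not state, and that a response must echo the msg_id of the request it answers.

```python
import base64
import xml.etree.ElementTree as ET

RESPONSE_TYPES = {"1", "2"}  # msg_type values a response may carry (0 marks a request)
BASE64_FIELDS = {"userseed", "cert", "usertoken", "resultsign"}  # Base64-encoded in 7.3


def build_request(msg_id: str, body: dict) -> bytes:
    """Serialise a request: msg_type 0, version 1, then the body fields in order."""
    msg = ET.Element("msg")
    head = ET.SubElement(msg, "msg_head")
    for tag, text in (("msg_type", "0"), ("msg_id", msg_id), ("version", "1")):
        ET.SubElement(head, tag).text = text
    body_el = ET.SubElement(msg, "msg_body")
    for tag, text in body.items():
        ET.SubElement(body_el, tag).text = text
    return ET.tostring(msg, encoding="UTF-8", xml_declaration=True)


def _section(root: ET.Element, name: str) -> dict:
    sec = root.find(name)
    if sec is None:
        raise ValueError(f"missing <{name}>")
    return {el.tag: (el.text or "").strip() for el in sec}


def parse_response(data: bytes, expected_msg_id: str) -> dict:
    """Return the body fields of a response, or raise ValueError when it breaks the
    protocol: DOCTYPE, msg_type not 1/2, wrong msg_id/version, error_no, bad Base64."""
    if b"<!DOCTYPE" in data:  # protocol messages never define entities
        raise ValueError("DOCTYPE not allowed")
    root = ET.fromstring(data)
    head, body = _section(root, "msg_head"), _section(root, "msg_body")
    if head.get("msg_type") not in RESPONSE_TYPES:
        raise ValueError(f"not a response: msg_type={head.get('msg_type')!r}")
    if head.get("msg_id") != expected_msg_id:
        raise ValueError("msg_id does not match the request")
    if head.get("version") != "1":
        raise ValueError("unsupported version")
    if body.get("error_no", "0") != "0":  # assumption: error_no 0 means success
        raise ValueError(f"service reported error_no={body['error_no']}")
    for tag in BASE64_FIELDS.intersection(body):
        base64.b64decode(body[tag], validate=True)  # binascii.Error is a ValueError
    return body


# Constructed sample response to a user credential generation (msg_id 1000) request.
SAMPLE_RESPONSE = (b'<?xml version="1.0" encoding="UTF-8"?><msg><msg_head><msg_type>1</msg_type><msg_id>1000</msg_id>'
                   b'<version>1</version></msg_head><msg_body><usertoken>dG9rZW4=</usertoken><error_no>0</error_no></msg_body></msg>')

if __name__ == "__main__":
    print(build_request("1000", {"userseed": "c2VlZA==", "cert": "Y2VydA=="}).decode())
    print(parse_response(SAMPLE_RESPONSE, "1000"))
```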

Source: Above contents are excerpted from the full-copy PDF -- translated/reviewed by: www.ChineseStandard.net / Wayne Zheng et al.
