|
US$859.00 · In stock
Delivery: <= 7 days. True-PDF full-copy in English will be manually translated and delivered via email.
GB/T 38556-2020: Information security technology - Technical specifications for one-time-password cryptographic application
Status: Valid
| Standard ID | Contents [version] | USD | STEP2 | [PDF] delivered in | Standard Title (Description) | Status | PDF |
| GB/T 38556-2020 | English | 859 |
Add to Cart
|
7 days [Need to translate]
|
Information security technology - Technical specifications for one-time-password cryptographic application
| Valid |
GB/T 38556-2020
|
PDF similar to GB/T 38556-2020
Standard similar to GB/T 38556-2020 GB/T 38540 GB/T 38626 GB/T 38561 Basic data | Standard ID | GB/T 38556-2020 (GB/T38556-2020) | | Description (Translated English) | Information security technology - Technical specifications for one-time-password cryptographic application | | Sector / Industry | National Standard (Recommended) | | Classification of Chinese Standard | L80 | | Classification of International Standard | 35.040 | | Word Count Estimation | 46,437 | | Date of Issue | 2020-03-06 | | Date of Implementation | 2020-10-01 | | Quoted Standard | GB/T 2423.1-2008; GB/T 2423.2-2008; GB/T 2423.3-2016; GB/T 2423.7-2018; GB/T 2423.10-2019; GB/T 2423.21-2008; GB/T 2423.22-2012; GB/T 2423.53-2005; GB/T 4208-2017; GB/T 17626.2-2018; GB/T 18336.1; GB/T 18336.2; GB/T 18336.3; GB/T 32905; GB/T 32907 | | Issuing agency(ies) | State Administration for Market Regulation, China National Standardization Administration | | Summary | This standard specifies the dynamic password technical framework, dynamic password generation algorithm, authentication and key management. This standard is applicable to the development, production and application of dynamic password related products, and can also be used to guide the testing of related products. | GB/T 38556-2020: Information security technology - Technical specifications for one-time-password cryptographic application
---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.
Information security technology - Technical specifications for one-time-password cryptographic application
ICS 35.040
L80
National Standards of People's Republic of China
Information Security Technology
Dynamic password password application technical specification
2020-03-06 released
2020-10-01 implementation
State Administration for Market Regulation
Issued by the National Standardization Management Committee
Table of contents
Preface Ⅲ
1 Scope 1
2 Normative references 1
3 Terms and definitions 1
4 Symbol 2
5 Technical Framework 3
5.1 Overall Framework 3
5.2 System composition 4
6 Dynamic password generation 5
6.1 Password generation method 5
6.2 Algorithm usage instructions 6
7 Identification 7
7.1 Authentication module description 7
7.2 Authentication module service 8
7.3 Identification module management function 10
7.4 Safety requirements 10
8 Key Management 11
8.1 Overview 11
8.2 Module Architecture 11
8.3 Functional requirements 13
8.4 System security design 14
8.5 Hardware password device interface description 17
Appendix A (Normative Appendix) Hardware Dynamic Token Requirements 19
Appendix B (Informative Appendix) Principles of Dynamic Password Authentication 21
Appendix C (informative appendix) Identification module interface 22
Appendix D (normative appendix) Operation parameters and data description use cases 27
Appendix E (informative appendix) Dynamic password generation algorithm C language implementation use case 28
Appendix F (Normative Appendix) Dynamic Password Generation Algorithm Calculation Input and Output Use Case 40
Foreword
This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
Please note that certain contents of this document may involve patents. The issuing agency of this document is not responsible for identifying these patents.
This standard was proposed and managed by the National Information Security Standardization Technical Committee (SAC/TC260).
Drafting organizations of this standard. Shanghai Zhongren Network Security Technology Co., Ltd., Shanghai Fudan Microelectronics Co., Ltd., Feitian Chengxin Technology
Co., Ltd., Commercial Cryptographic Testing Center of State Cryptography Administration, Beijing Jilian Network Technology Co., Ltd., Shanghai Huahong Integrated Circuit
Limited Liability Company, Ziguang Tongxin Microelectronics Co., Ltd., Shanghai Forest Fruit Industry Co., Ltd. Beijing Technology Branch, Geer Software Co., Ltd.
Limited company.
The main drafters of this standard. Tan Jianfeng, You Lei, Li Kun, Liu Xun, Zheng Qiang, Zhu Pengfei, Tian Minqiu, Lu Chunmei, Guo Sijian, Chen Yan, Li Tian,
Zhou Xueqing and Wang Fengzhen.
Information Security Technology
Dynamic password password application technical specification
1 Scope
This standard specifies the dynamic password technology framework, dynamic password generation algorithm, authentication and key management and other related content.
This standard applies to the development, production and application of dynamic password related products, and can also be used to guide the testing of related products.
2 Normative references
The following documents are indispensable for the application of this document. For dated reference documents, only the dated version applies to this article
For all undated reference documents, the latest version (including all amendments) applies to this document.
GB/T 2423.1-2008 Environmental testing of electric and electronic products Part 2.Test method Test A. Low temperature
GB/T 2423.2-2008 Environmental testing of electric and electronic products Part 2.Test method Test B. High temperature
GB/T 2423.3-2016 Environmental Test Part 2.Test Method Test Cab. Constant Humidity Test
GB/T 2423.7-2018 Environmental test Part 2.Test method Test Ec. Impact caused by rough operation (mainly used for equipment-type samples)
GB/T 2423.10-2019 Environmental Test Part 2.Test Method Test Fc. Vibration (Sine)
GB/T 2423.21-2008 Environmental testing of electric and electronic products Part 2.Test method Test M. Low air pressure
GB/T 2423.22-2012 Environmental Test Part 2.Test Method Test N. Temperature Change
GB/T 2423.53-2005 Environmental testing of electrical and electronic products Part 2.Test methods Test Xb. Wear of marks and printed text caused by hand friction
GB/T 4208-2017 Enclosure protection grade (IP code)
GB/T 17626.2-2018 Electromagnetic compatibility test and measurement technology Electrostatic discharge immunity test
GB/T 18336.1 Information Technology Security Technology Information Technology Security Evaluation Criteria Part 1.Introduction and General Model
GB/T 18336.2 Information Technology Security Technology Information Technology Security Evaluation Criteria Part 2.Security Function Components
GB/T 18336.3 Information Technology Security Technology Information Technology Security Evaluation Criteria Part 3.Security Assurance Components
GB/T 32905 Information Security Technology SM3 Cipher Hash Algorithm
GB/T 32907 Information Security Technology SM4 Block Cipher Algorithm
GB/T 32915 Information Security Technology Binary Sequence Randomness Detection Method
3 Terms and definitions
The following terms and definitions apply to this document.
3.1
Dynamic password
A one-time password is generated by calculating the seed key and other data through a specific algorithm.
3.2
Dynamic token
The carrier for generating and displaying dynamic passwords.
3.3
Seed key
Calculate the key of the dynamic password.
Note. The seed key is the token seed key.
3.4
Static password
A password set by the user that will not change unless the user actively changes it.
3.5
Challenge code
A type of data that can participate in the dynamic password generation process.
Note. The challenge code is the challenge factor.
3.6
Big endian
A representation format of data in memory, which stipulates that the left side is the most significant bit and the right side is the least significant bit.
Note. The high-order byte of the number is placed at the low address of the memory, and the low-order byte of the number is placed at the high address of the memory.
3.7
Identification module
A system capable of providing dynamic password identification services for application systems.
3.8
Service report
The system provides a statistical report of the status and results corresponding to the token and the system in different time periods.
3.9
Master key
The system root key used to generate the seed key, the seed key encryption key, and the manufacturer's production master key.
3.10
Seed key encryption key
The key used to encrypt the seed key.
5 Technical framework
5.1 Overall framework
The dynamic password system provides dynamic password authentication services for application systems. It is composed of dynamic token, authentication module and key management module.
The dynamic token generates a dynamic password, the authentication module verifies the correctness of the dynamic password, and the key management module is responsible for the key management of the dynamic password.
The application system sends the dynamic password to the authentication module for authentication according to the specified protocol (message). The dynamic password system architecture is shown in Figure 1.
Figure 1 Dynamic password system architecture
5.2 System composition
5.2.1 Dynamic token
The dynamic token generates a dynamic password as the basis for user identification. See Appendix A for the requirements of hardware dynamic token products.
5.2.2 Authentication module
The authentication module is used to perform dynamic password authentication and token synchronization, as well as the management and configuration of token related states. Identification module
Communicate with the application system through the authentication communication protocol, or support the method of calling the authentication interface to complete the authentication and synchronization of the dynamic password
And other functions. See Appendix B for the principle of dynamic password authentication.
5.2.3 Key Management Module
The key management module is used for the generation, transmission and storage of dynamic token seed keys for security management, including system login authentication sub-module
Block, user management submodule, protection key generation submodule, seed key generation submodule, token sequence number generation submodule, time synchronization submodule
Block (optional), token production configuration sub-module, cryptographic machine interface module and dynamic token read-write interface, etc.
5.2.4 Application system
The application system refers to the integration of the dynamic password according to the authentication communication protocol (or authentication interface) and the authentication module to complete the dynamic password authentication.
For other application programs, the application system can be a software system, a hardware device, or a combination of software and hardware.
5.2.5 Authentication interface
The authentication interface is a collection of interfaces provided by the authentication module to connect the application system and the authentication module. The application system calls the interface,
It can complete functions such as dynamic password identification and synchronization. Refer to Appendix C for the interface of the authentication module.
5.2.6 Authentication communication protocol
Authentication communication protocol is the basis for authentication service to communicate through standard communication protocol and application system. The application system sends
The form of the text completes functions such as identification and synchronization of dynamic passwords.
6 Dynamic password generation
6.1 Password generation method
6.1.1 Calculating the time factor
6.2 Algorithm instructions
6.2.1 Requirements for use
Algorithm usage should meet the following requirements.
---The block cipher algorithm should adopt SM4 algorithm, should meet the requirement of GB/T 32907.Packet length is 128 bits, key length
The degree is 128 bits, the operation mode selects the working mode of ECB encryption, and the length of the encryption result is 128 bits.
---The cryptographic hash algorithm should use SM3 algorithm, which should meet the requirements of GB/T 32905.
--- Algorithms involving random number generation should meet the requirements of GB/T 32915.
6.2.2 Instructions for use of hash algorithm
In the S=F(K,ID) link, when the SM3 algorithm is used, K||ID is the input parameter.
6.2.3 Instructions for grouping algorithm
In the S=F(K,ID) link, when using the SM4 algorithm, K is the operation key, ID is the input parameter, and K or ID is greater than 128 bits
When, the calculation process is as follows.
When K is greater than 128 bits, record the length of K as L1 bit. n is the smallest integer not less than L1/128, filled at the end of K
128*n-L1 bits 0.Then group K with a length of 128 bits, with the high order first, namely K1, K2, and K3Kn.
When the ID is greater than 128 bits, the length of the ID is L2 bits. m is the smallest integer not less than L2/128, filled at the end of ID
128*m-L2 bits 0.Then group the IDs with a length of 128 bits, with the high order first, namely ID1, ID2, and ID3IDm.
The calculation process is shown in Figure 2.
7 Identification
7.1 Description of authentication module
7.1.1 Identification module composition
The authentication module is a service system that provides dynamic token authentication and management for the application system. It consists of two parts.
a) The authentication service sub-module provides authentication and management services to applications.
b) The management sub-module manages the operation of the authentication module.
7.1.2 Status of the token
The status of the token is the working status of the token stored in the authentication module, see Table 1.
7.1.3 Token data
The data of the token should include. token serial number, key data, token status, last use time, number of consecutive errors, token offset,
Other configuration parameters, among them.
a) The key data should be stored encrypted.
b) Other data should adopt a verification mechanism to ensure completeness.
7.1.4 Token synchronization
The authentication module should provide synchronization processing between the internal counter of the token and the token counter of the system. For time tokens, use
Use a two-way time window; for event tokens, use a one-way event window.
The window refers to the window used to synchronize the token time with the system time. Time tokens are based on different token synchronization requirements.
Synchronize windows, middle windows, and small windows.
When using various windows, the requirements are as follows.
a) Large window, the window size should not exceed ±10min. When using large window synchronization, the next consecutive dynamic password matching is required,
At the same time, adjust the token offset of the system. The large window requires the use of restricted synchronization services, that is, further identification or need to change
Only high authority can execute the synchronization service of the large window. The large window can be used by authorized operation and maintenance personnel of the authentication module, and should be
The verification code mechanism of the system is used at the same time.
b) For the middle window, the window size should not exceed ±5min. When window synchronization is in use, the next consecutive dynamic password is required to match.
When adjusting the token offset of the system. The middle window can be used by the token user or the operation and maintenance personnel of the authentication module, and should be related to the application system.
The same verification code mechanism is used at the same time.
c) Small window, the size of the window should not exceed ±2min. When using small window synchronization, the authentication module is
The token offset of the entire system. The small window can be automatically called by the authentication module, and is used when the token user uses a dynamic password for identity authentication.
d) The size of the large window, middle window, and small window of the event token can be negotiated between the user and the manufacturer, but the security and effectiveness of its authentication should be guaranteed.
7.1.5 Automatic lock and automatic unlock
In the process of using the token, if multiple consecutive verification errors exceed the maximum number of times, the authentication module will automatically modify the status of the token to “locked”.
Set". After the set automatic unlocking time is exceeded, the authentication module will automatically unlock the token.
Automatic unlocking can only unlock tokens that are automatically locked.
7.2 Authentication module service
7.2.1 Security Service
7.2.1.1 Dynamic password authentication
A service for authenticating submitted dynamic passwords. The authentication methods include static passwords, dynamic passwords, and dynamic passwords. Of which static port
Let be the static password bound to the dynamic token.
7.2.1.2 Challenge response authentication
The service that authenticates the submitted challenge response code. The authentication methods include. challenge identification and internal challenge identification.
Challenge authentication means that the user enters the challenge code provided by the application service into the token, obtains the corresponding dynamic password, and completes the authentication.
Internal challenge authentication is that the user enters the user's private data such as PIN and static password into the token to obtain the corresponding dynamic password to complete the authentication.
7.2.1.3 Generate challenge code
The challenge code is generated according to the request of the application. The generated challenge code format includes. number type, character type, and number character type. Where the numbers are
Arabic numerals 0-9, the characters are English characters or symbolic characters, case sensitive. The minimum length and maximum length of the challenge code can be identified
The module is set.
7.2.2 Management Service
7.2.2.1 Activation
Make inactive tokens available. The method to activate the dynamic password token is as follows.
a) The window for verifying the dynamic password during activation uses a large window;
b) After the token is successfully activated, the status is set to ready;
c) If the activation is unsuccessful, the number of activation errors will be recorded, but the token will not be locked.
7.2.2.2 Lock
The token sets the token in the ready state to the locked state under operations such as continuous errors and replay attacks. The solution after the token is locked is as follows.
a) After the token is locked, it should be returned to the ready state by unlocking the service;
b) After the token is locked, it should be set to abolished state through the revocation service.
7.2.2.3 Unlock
The locked token is unlocked by static password, static password and dynamic password, and set to ready state. The token unlocking method is as follows.
a) When unlocking, the current dynamic password is required;
b) If a static password is set, it is required to verify the static password;
c) If the verification method of the static password is an internal challenge method, use the internal challenge authentication;
d) If the static password verification method is a static and dynamic hybrid method, use static password and dynamic password authentication.
7.2.2.4 Hang
The method to set the dynamic token to the suspended state is as follows.
a) Only tokens in the ready or locked state should be set to the suspended state;
b) After the token is suspended, it should be set to the revocation status through the revocation service.
7.2.2.5 Unhook
The steps to unsuspend the token are as follows.
a) After successful unhooking, the status of the token is set to the ready state;
b) Request to verify the current dynamic password;
c) If a static password is set, it is required to verify the static password;
d) If the verification method of the static password is an internal challenge method, use the internal challenge authentication;
e) If the verification method of the static password is ordinary, use static password and dynamic password authentication.
7.2.2.6 Set static password
The steps to set the static password for dynamic token binding are as follows.
a) Request to verify the original static password;
b) If the verification method of the static password is an internal challenge method, use the internal challenge authentication;
c) If the authentication method of the static password is static and dynamic hybrid, use static password and dynamic password authentication.
7.2.2.7 Remote PIN solution
The authentication module can provide remote PIN resolution (for tokens with PIN protection). According to the application request, the authentication module generates the current
The previous remote unlocking PIN password should be set from the following methods.
a) The password to unlock the PIN is a string of numbers from 0 to 9, and the length is at least 6 digits;
b) The maximum number of attempts to unlock the PIN cannot exceed 5 times. If the maximum number of attempts is exceeded, wait at least 1h before continuing to try;
c) The maximum number of attempts cannot exceed 5 times, otherwise the token should be permanently locked and cannot be used again.
7.2.2.8 Synchronization and window requirements
The authentication module provides token synchronization services as follows.
a) Verify the two consecutive dynamic passwords of the token in the large window and the middle window. If successful, adjust the system offset of the token;
b) Verify the current dynamic password of the token in the small window, if successful, adjust the system offset of the token;
c) The token synchronization service does not change the token status.
7.2.2.9 Repeal
After the token is damaged or invalid, you can use the revocation service of the authentication module to revoke it. The revoked token can no longer be used for user authentication
Do not verify with transaction. The system only keeps the usage history of the token.
7.2.2.10 Token information query
The authentication module should provide the token information query service, including. the current status of the token, the time of last use, the current cumulative error times, etc.
The information query service does not change the token status.
7.3 Authentication module management function
7.3.1 Rights Management
The authentication module should take authority control for the visiting personnel, and the visiting personnel of different roles shall be given different operation authorities.
7.3.2 Parameter configuration
The authentication module should be able to configure the authentication and management function parameters.
7.3.3 Log Management
Log management includes log writing, query and other functions. Each log records at least the date and time of the event, event type, and body
Copy, event result (success or failure), log level. The following events should be logged.
a) Dynamic password authentication, the result of synchronization;
b) Changes in the status of the token system;
c) The log should be kept for at least 2 years.
7.3.4 Service Report
The authentication module should provide a statistical report of the status and results of the token and the system in different time periods.
7.3.5 Seed import
The authentication module should be able to import the seed key of the token and set the initial state of the token.
7.3.6 Backup and recovery
The authentication module should be able to backup and restore sensitive information.
7.4 Safety requirements
7.4.1 Access control
The authentication module should have methods and measures to control the secure access of the application system.
7.4.2 Encryption of communication sensitive fields
In order to prevent eavesdropping and analysis of the authentication data in the form of network monitoring, the communication data between the authentication module and the application system should be
Do encryption processing on it.
7.4.3 Seed key storage encryption
The seed key in the authentication module is encrypted and stored. When the authentication module receives an authentication request, the authentication module should first decrypt the seed key.
The key encrypts the key ciphertext, and then reads the corresponding dynamic password through information such as the seed key and time factor, and compares it with the received dynamic password
Compare, thus complete dynamic password identification.
7.4.4 Token Security Control
7.4.4.1 Lock and unlock
Provide a locking mechanism. When the cumulative number of consecutive failed authentication attempts for a token reaches the upper limit, the token should be locked and manual
Unlock and automatic unlock mechanism.
7.4.4.2 Anti-duplicate authentication
For the dynamic password that has passed the authentication, the authentication module will be invalidated, and the dynamic password that has passed the authentication cannot be authenticated again.
7.4.4.3 Log Security
The log information should have a check code, and the user can modify the log information through the check code.
Sensitive data should have a backup and recovery mechanism.
The authentication module should have corresponding access control strategies for log access, and log operations should be recorded to ensure the integrity and security of the log.
7.4.4.4 Access control
The identification module should have time calibration processing methods and measures.
7.4.4.5 Authentication module security
The security of the authentication module should meet the security requirements of the target application service or system.
8 key management
8.1 Overview
Key management mainly refers to the security management of the generation, transmission and storage of the seed key. Whether the seed key is safe or not directly affects the entire
Identify whether the module is safe. It should be protected from the following aspects.
a) generated security;
b) the security of transmission;
c) Storage security;
d) The safety of use.
8.2 Module architecture
8.2.1 Module composition
8.2.1.1 Key management module composition
The key management module is mainly composed of the system login authentication sub-module, user management sub-module, protection key generation sub-module, and seed key generation
Sub-module, token serial number generation sub-module, time synchronization sub-mo...
Tips & Frequently Asked Questions:Question 1: How long will the true-PDF of GB/T 38556-2020_English be delivered?Answer: Upon your order, we will start to translate GB/T 38556-2020_English as soon as possible, and keep you informed of the progress. The lead time is typically 4 ~ 7 working days. The lengthier the document the longer the lead time. Question 2: Can I share the purchased PDF of GB/T 38556-2020_English with my colleagues?Answer: Yes. The purchased PDF of GB/T 38556-2020_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet. Question 3: Does the price include tax/VAT?Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countriesQuestion 4: Do you accept my currency other than USD?Answer: Yes. If you need your currency to be printed on the invoice, please write an email to [email protected]. In 2 working-hours, we will create a special link for you to pay in any currencies. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay.
|