GB/T 36644-2018 English PDF (GBT36644-2018)
GB/T 36644-2018: Information security technology -- Methods for obtaining security attestations for digital signature applications
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology - Methods for
obtaining security attestations for digital signature
applications
ISSUED ON: SEPTEMBER 17, 2018
IMPLEMENTED ON: APRIL 01, 2019
Issued by: State Administration for Market Regulation;
Standardization Administration of PRC.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Acquisition of security attestations for digital signature application
5.1 Overview
5.2 Acquisition of attestation of private key possession
5.2.1 Determined acquisition timeliness model of attestation of private key possession at the time of proof
5.2.2 Undetermined acquisition timeliness model of attestation of private key possession at the time of proof
5.2.3 The process of obtaining the attestation of private key possession
5.2.4 Specific acquisition flow of attestation of private key possession
5.3 Obtain the security attestation of public key validity
5.3.1 General
5.3.2 Obtaining the attestation of public key validity
5.3.3 Verifier obtains a security attestation of public key validity
5.3.4 Verification process of public key validity
5.4 Obtain security attestation of the generation time of digital signature
5.4.1 General
5.4.2 Obtain attestation of signature timeliness from TTSA
5.4.3 Use the data provided by the verifier to obtain attestation of signature generation time
Appendix A (Informative) Acquisition process of SM2 signature algorithm public key validity
References
Information security technology - Methods for
obtaining security attestations for digital signature
applications
1 Scope
This standard specifies a set of methods for obtaining security attestations for digital signature application, to standardize the process of security attestations for digital signature application.
This standard is applicable to signature application scenarios that need to provide the security of the digital signature generation process and have clear requirements for the signature generation time.
2 Normative references
The following documents are indispensable for the application of this document. For dated reference documents, only the dated version applies to this document. For undated references, the latest version (including all amendments) applies to this document.
GB/T 20520-2006 Information security technology - Public key infrastructure - Time stamp specification
GB/T 25069-2010 Information security technology - Terminology
GB/T 32918.1-2016 Information security technology - SM2 elliptic curve public key cryptography algorithm - Part 1: General rules
GB/T 32918.2-2016 Information security technology - SM2 elliptic curve public key cryptography algorithm - Part 2: Digital signature algorithm
3 Terms and definitions
The terms and definitions as defined in GB/T 25069-2010 as well as the following terms and definitions apply to this document.
3.1
includes: the acquisition of the security attestation of the attributes of the private key, the acquisition of the security attestation of public key validity, the acquisition of the security attestation of the generation time of the digital signature.
The owner of the private key refers to the entity that is authorized to use the private key in the public-private key pair for digital signature generation. The generated digital signature can be verified by the corresponding public key. Being authorized to use the private key to generate a signature does not mean that the owner actually knows the correct private key. Therefore, before the owner performs a digital signature, it is necessary to obtain an attestation of private key possession.
According to the different generation methods of signature public-private key pairs, the ways in which the private key is known can be divided into the following five types:
a) The owner generates and maintains a public-private key pair; only the owner knows the private key;
b) The owner generates a public-private key pair with the help of TTP; however, the private key can only be known by the owner;
c) The public-private key pair is generated by TTP and provided to the owner; the owner and TTP know the private key at the same time;
d) The public-private key pair is generated by the method a); then provided to the TTP acting as the key server, so that the owner and the TTP know the private key at the same time;
e) The public-private key pair is generated by means of b); then provided to the TTP acting as the key server, so that the owner and the TTP acting as the key server know the private key at the same time.
The latter three methods depend on trust that TTP will not generate a digital signature with a private key. The public-private key pair owner, the signature verifier, and other signature relying parties must be able to share this trust. Methods c), d), e) have a lower level of credibility than methods a) and b).
The usage scenarios of the attestation of private key possession are as follows:
●The owner of the public-private key pair needs to obtain a security attestation of the attributes of the private key before or at the same time the signature is generated;
●Before or at the same time, the verifier needs to obtain the security
t1 - The time when the relying party trusts the proof generation ahead of tG;
t2 - The time when the relying party trusts the proof generation lags of tG;
d - The difference between t1 and t2;
tA - The designated attestation time, which shall satisfy t1 ≤ tA ≤ t2. For convenience, it may specify tA = t1, or tA = t2.
a, b, c, d are determined by the relying party of the signature or its organization, considering the following factors:
●The values of a, b, c are determined according to the requirements of the organization's policy on the security attestation of digital signatures; at the same time, it shall also consider the difficulty of obtaining the attestation of private key possession used;
●The value of d shall be less than half of the minimum value of a and b, that is, d < 1/2 min (a, b), meanwhile the determination of d shall also consider the error estimate of the signature acquisition time tG. In addition, the determination of d also considers the time of secure transmission of the security attestation on the network.
According to the estimated acquisition time tA of the attestation of private key possession, the relying party can determine the proof level at different times. As shown in Figure 2, between the times tA - (a - d) and tA + (b - d), the security attestation obtained has a high or medium attestation level, which depends on the process of obtaining the security attestation. After tA + (b - d), the attestation level gradually decreases. At tA + (b - d) + c, the security attestation level drops to a low level. After that, the security attestation level will remain low. If the policy requires a high level of security attestation, then the security attestation needs to be re-obtained.
See 5.2.4 for the determination of specific security attestation’s timeliness model parameters.
5.2.3 The process of obtaining the attestation of private key possession
5.2.3.1 General
The attestation of private key possession can be obtained by one or more of the following methods:
a) The owner of the private key uses the private key to sign a new digital signature; then uses its corresponding public key to verify;
b) Regenerate the public-private key pair; then compare it with the public- possession, the entity obtaining the attestation will be assigned to an attribute security attestation message, referred to as the attestation message for short. Then the owner of the private key signs the message; this signature is called an attestation signature.
The attestation message shall include the following information:
a) The identity of the signer;
b) The identity of the potential verifier;
c) Time stamp token TST: the TST is generated by a trusted time stamp authority (TTSA) trusted by all relying parties. TST can be obtained from TTSA by the signer, or from TTSA by potential verifiers, then passed to the signer. All relying parties shall recognize the strength of TTSA's signature security;
d) A nonce value provided by a verifier. If a nonce is selected, the randomness of the nonce value must be equal to or exceed the randomness of the private key to be certified. If the attestation message does not contain TST, whilst the relying party requires that the attestation time be recorded when verifying the attestation signature, the nonce value needs to include a timestamp provided by the verifier, to indicate the time when the nonce value was provided to the attestation message.
It is not necessary to prove that the public key corresponding to the private key in the message is displayed. However, the inclusion of the public key display information must be determined strictly according to the following description:
●If the signer who generated the attestation signature can successfully display the public key before obtaining the attestation message, the public key information can be removed from the attestation message;
●If the attestation message contains TST, the public key display shall be before the time marked by TST. If there is no TST, the public key shall be displayed before the time included in the nonce value; if there is no TST and the nonce value does not include time, evidence that can be trusted by all parties shall be shown to prove that the public key is displayed before the attestation signature is generated;
●The public key can be displayed as an attestation with a time stamp;
●The public key can also be displayed as a signature previously issued by the signer. The private key used for signing the signature shall be the same as the private key for obtaining the attestation, that is, the same public key can be used for verification. The signature is issued earlier than the time when the attestation message is sent to the signer;
for the assignment of t1.
The relying party selects the most credible time source from the above t1 assignment candidates for t1 assignment. In the case of equal credibility, the latest time shall be selected first for the assignment of t1.
As described in 5.2.2, t2 is a time point lagging behind or equal to the time when the attestation signature is generated. Several possible assignments of t2 are as follows:
●If the attestation signature’s generation time is included in a TST issued by a TTSA trusted by all relying parties, the time included in the TST can be used as a candidate for the assignment of t2;
●If the verifier records the time of receipt of the attestation signature, the recorded time can be used as a candidate for the assignment of t2;
●If the verifier records the time at which the attestation signature was verified, the recorded time can be used as a candidate for the assignment of t2.
The relying party selects the most credible time source from the above t2 assignment candidates for t2 assignment. In the case of equal credibility, the earliest time shall be selected first for the assignment of t2.
If the attestation signature has been successfully verified, meanwhile the relying party has determined the error accuracy d of the attestation time, the attestation time tA can be estimated as follows:
- If t2 - t1 ≤ d, meanwhile the credibility of t1 is not less than t2, t1 shall be selected as the attestation time tA;
- If t2 - t1 ≤ d, meanwhile the credibility of t1 is less than t2, t2 shall be selected as the attestation time tA;
- If t2 - t1 > d, then the attestation of private key possession is not obtained, and there is no need to assign the attestation time tA.
If the attestation signature cannot be verified, then the attestation of private key possession is not obtained, and there is no need to assign the attestation time tA.
5.2.3.2.3 Specify the initial attestation level
After the attestation signature is verified and the attestation time is specified, the initial level of the attestation needs to be specified. The initial level of attestation is specified as follows:
same time, or after the attestation time of the attestation of private key possession of the corresponding private key.
The generation time of the ordinary message signature is represented by ts. The ts may have a certain value, or a range of values, or a completely uncertain value. If ts has a value with sufficient precision, and the attestation of private key possession for the corresponding private key has been obtained, then the timeliness model in 5.1.1 may be followed and the following method used to determine the level of the security attestation of this ordinary message signature:
a) If (tA - (a - d)) ≤ ts ≤ (tA + (b - d)), then the security attestation level of the ordinary message signature is equal to the initial attestation level of the acquired attestation of the private key possession;
b) If (tA - (a - d)) ≤ ts ≤ (tA + (b - d) + c), then the security attestation level of the ordinary message signature will gradually decrease from the initial state to a low level;
c) If ts > (tA + (b - d) + c), then the security attestation level of the ordinary message signature is low.
If ts does not have a certain value, the security attestation level of the ordinary message signature is determined to be low.
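The following Python sketch works through the attestation-time estimate and the level rules a) to c) above. It is an added example, not part of the standard: all names are hypothetical, credibility is modelled as an integer rank chosen by the relying party, rules a) to c) are applied in order, and a ts earlier than tA - (a - d) is reported as "unspecified" because this excerpt gives no rule for it.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

@dataclass(frozen=True)
class TimeCandidate:
    time: float       # seconds on a common clock (constructed sample values below)
    credibility: int  # assumed scale: a higher rank means a more credible source

def pick_t1(cands: Sequence[TimeCandidate]) -> TimeCandidate:
    # Most credible source; on equal credibility the latest time is preferred.
    return max(cands, key=lambda c: (c.credibility, c.time))

def pick_t2(cands: Sequence[TimeCandidate]) -> TimeCandidate:
    # Most credible source; on equal credibility the earliest time is preferred.
    return max(cands, key=lambda c: (c.credibility, -c.time))

def d_is_valid(a: float, b: float, d: float) -> bool:
    # Policy constraint from the timeliness model: d < 1/2 min(a, b).
    return 0 <= d < 0.5 * min(a, b)

def attestation_time(t1: TimeCandidate, t2: TimeCandidate, d: float,
                     signature_verified: bool) -> Optional[float]:
    # No attestation (and no tA) if the attestation signature failed to verify
    # or the bracket t1 <= t2 <= t1 + d does not hold.
    if not signature_verified or not (t1.time <= t2.time <= t1.time + d):
        return None
    # tA is t1 unless t2 comes from the more credible source.
    return t1.time if t1.credibility >= t2.credibility else t2.time

def signature_level(ts: Optional[float], tA: float, a: float, b: float,
                    c: float, d: float, initial: str) -> str:
    if ts is None:                 # ts has no certain value
        return "low"
    start, end = tA - (a - d), tA + (b - d)
    if ts < start:                 # not covered by the rules in this excerpt
        return "unspecified"
    if ts <= end:                  # rule a): inside the full-strength window
        return initial
    if ts <= end + c:              # rule b): decay window; curve shape not given
        return "decreasing"
    return "low"                   # rule c)

if __name__ == "__main__":
    a, b, c, d = 600.0, 600.0, 300.0, 10.0       # constructed policy values
    t1 = pick_t1([TimeCandidate(1000, 2), TimeCandidate(1005, 2)])
    t2 = pick_t2([TimeCandidate(1020, 3), TimeCandidate(1012, 3)])
    tA = attestation_time(t1, t2, d, signature_verified=True)
    print(d_is_valid(a, b, d), tA)
    for ts in (100.0, 1500.0, 1700.0, 2000.0, None):
        print(ts, signature_level(ts, tA, a, b, c, d, initial="high"))
```
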
5.2.4 Specific acquisition flow of attestation of private key possession
5.2.4.1 Public-private key pair owner obtaining the attestation of private key possession
The owner of a public-private key pair can use one or more of the following methods to obtain attestation of private key possession:
a) The public-private key owner adopts the attestation signature to obtain the attestation of private key possession:
The public-private key pair owner needs to complete the following:
1) Determine the appropriate value of d, for example, it can determine the value of d after determining the appropriate values of a, b, c according to the timeliness model in 5.2.2.
2) Determine a credible t1 value;
3) Generate a new attestation message for obtaining the attestation of
private key possession;
4) Use the private key to obtain the certificate to sign the certificate t2; the entity specifying the initial attestation level shall also know the method to determine the value of t1 and t2;
●The owner of the public-private key must record the attestation time and initial attestation level.
c) The owner of the public-private key pair obtains the attestation of private key possession through key regeneration:
The public-private key pair owner needs to complete the following:
1) Determine the appropriate value of d, for example, it can determine the value of d after determining the appropriate values of a, b, c according to the timeliness model in 5.2.2.
2) Determine a credible t1 value;
3) Choose one of the following operations:
●Regenerate the key pair corresponding to the private key to be certified;
●Regenerate a key in the key pair corresponding to the private key to be certified.
4) Compare the value of the regenerated key pair (key) with the value of the key currently owned;
5) If the match is successful:
●Determine a credible value for t2;
●If t1 ≤ t2 ≤ t1 + d, specify and record the attestation time; specify the initial attestation level.
d) The owner of the public-private key pair obtains the attestation of the private key possession from the TTP through key regeneration:
1) The owner of the public-private key must determine the appropriate value of d. For example, according to the timeliness model in 5.2.2, the value of d can be determined on the basis of determining the appropriate values of a, b, c; if the TTP is responsible for specifying the attestation time, the value of d must be known to TTP;
2) The public-private key pair owner and/or TTP must determine a t1 value, which must be trusted by the public-private key pair owner;
3) The owner of the public-private key pair shall provide the key held by it
1) Determine the appropriate value of d, for example, it can determine the value of d after determining the appropriate values of a, b, c according to the timeliness model in 5.2.2.
2) The public-private key owner generates a new attestation message for the attestation of private key possession;
3) The owner of the public-private key signs the attestation message with the private key to be certified to generate an attestation signature;
4) The public-private key owner provides the attestation message, attestation signature and other necessary data to TTP;
5) TTP determines a credible value for t1;
6) TTP verifies the attestation signature with the public key corresponding to the private key to obtain the attestation;
7) If the verification is successful:
●TTP determines a credible value for t2;
●If t1 ≤ t2 ≤ t1 + d, TTP begins to specify the attestation time and initial attestation level;
●TTP records the attestation time and initial attestation level; meanwhile these values shall also be provided to the owner of the public-private key pair.
b) TTP obtains the attestation of private key possession from the owner of the public-private key pair through the method of key (key pair) regeneration:
1) Determine the appropriate value of d, for example, it can determine the value of d after determining the appropriate values of a, b, c according to the timeliness model in 5.2.2.
2) The public-private key pair owner provides the key information to be certified and any other necessary data to TTP;
3) TTP determines a credible value for t1;
4) TTP needs:
●Regenerate the entire key pair of the owner of the public-private key pair;
●Or regenerate a key in the entire key pair of the owner of the public- attestation signature, to obtain the attestation of private key possession:
1) Determine the appropriate value of d, for example, it can determine the value of d after determining the appropriate values of a, b, c according to the timeliness model in 5.2.2.
2) The owner of the public-private key must provide a new attestation message, attestation signature and other necessary data to the verifier;
3) The verifier must determine a credible value for t1;
4) The verifier verifies the attestation signature with the public key corresponding to the private key for which the attestation is to be obtained;
5) If the attestation signature verification is passed:
●The verifier must determine a credible value for t2;
●If t1 ≤ t2 ≤ t1 + d, the verifier starts to specify the attestation time and initial attestation level;
●The verifier records the attestation time and initial attestation level.
b) The verifier obtains the attestation of private key possession by cooperating with TTP:
1) Determine the appropriate value of d, for example, it can determine the value of d after determining the appropriate values of a, b, c according to the timeliness model in 5.2.2.
2) The verifier asks TTP for the attestation of private key possession; If TTP successfully obtains the attesta...