GB/T 36651-2018 English PDF (GBT36651-2018)


GB/T 36651-2018: Information security techniques -- Biometric authentication protocol framework based on trusted environment

This standard specifies the biometric authentication protocol framework based on a trusted environment, including the protocol framework, protocol process, protocol rules and protocol interface. This standard applies to the development, testing and evaluation of biometric authentication services.
GB/T 36651-2018
NATIONAL STANDARD OF THE
PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security techniques - Biometric authentication
protocol framework based on trusted environment
ISSUED ON: OCTOBER 10, 2018
IMPLEMENTED ON: MAY 01, 2019
Issued by: State Administration for Market Regulation;
Standardization Administration of PRC.
Table of Contents
Foreword ... 3
1 Scope ... 4
2 Normative references ... 4
3 Terms and definitions... 4
4 Abbreviations ... 8
5 Protocol framework ... 8
5.1 Overview ... 8
5.2 Registration ... 11
5.3 Authentication ... 12
5.4 Deregister ... 13
6 Protocol process and rules ... 14
6.1 Registration process ... 14
6.2 Authentication process ... 17
6.3 Deregister process ... 19
7 Protocol interface ... 20
7.1 Overview ... 20
7.2 Interface of biometric authentication key manager ... 21
Appendix A (Informative) Protocol message ... 22
Appendix B (Informative) Protocol message related data structures ... 26
Appendix C (Informative) Protocol interface ... 33
References ... 36
Information security techniques - Biometric authentication
protocol framework based on trusted environment
1 Scope
This standard specifies the biometric authentication protocol framework based on a trusted environment, including the protocol framework, protocol process, protocol rules and protocol interface.
This standard applies to the development, testing and evaluation of biometric authentication services.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the edition cited applies to this document; for undated references, the latest edition (including all amendments) applies to this standard.
GB/T 25069-2010 Information security technology - Glossary
3 Terms and definitions
The terms and definitions as defined in GB/T 25069-2010, as well as the following terms and definitions, apply to this document.
3.1
Trusted environment
A secure area on a user's device that guarantees the security of the data loaded into it, including its confidentiality, integrity and availability; for example a Trusted Execution Environment (TEE), a Secure Element (SE), a Trusted Cryptographic Module (TCM) or another protected area with a secured boundary.
3.2
Biometric authentication
The use of biometric technology to verify the user's identity.
a trust relationship with the relying party. Figure 1 depicts a scenario in which the IdP has a trust relationship with the relying party. The identity authentication server stores the user's authentication public key, which is generated by the biometric authentication key manager when the user registers with the identity authentication server through that key manager.
- The biometric authentication key manager is integrated in the trusted environment; it stores the vendor private key and the authentication private key. The authentication private key is generated by the biometric authentication key manager when the user registers with the identity authentication server through that key manager, and it is used by the identity authentication server to authenticate the user's identity. The biometric authentication key manager can interact with multiple biometric matchers. This standard does not specify how the IdP delivers the identity authentication protocol message to the biometric authentication key manager. For example, when the identity authentication server belongs to an IdP independent of the relying party, the relying party can redirect the user equipment to the identity authentication server, so that the identity authentication server interacts directly with the user equipment and thereby submits the identity authentication protocol message to the biometric authentication key manager; when the relying party deploys the IdP internally, it shall guarantee the security of the forwarded information.
Any cryptographic algorithm used under this standard shall be implemented in accordance with the relevant national regulations. Where cryptographic techniques are used to meet requirements for confidentiality, integrity, authenticity or non-repudiation, the relevant national and industry standards for cryptography must be followed.
The biometric authentication protocol based on a trusted environment consists of three sessions between the biometric authentication key manager and the identity authentication server. Before any of these sessions, the identity authentication server checks whether the user equipment supports this protocol by calling the discovery method. The three sessions are:
- Registration: the user registers the authentication public key generated by the biometric authentication key manager with the identity authentication server;
- Authentication: the user uses the registered biometric authentication key manager for identity authentication;
- Deregister: the user deletes the authentication public key registered with the identity authentication server.
authenticity of the identity authentication server. If the verification is passed, the user will be prompted to select an available biometric matcher; otherwise, the message will be rejected.
c) The user selects the appropriate biometric matcher and uses biometric information to unlock the biometric authentication key manager (enrolling first if the user has not previously registered biometric information with the biometric matcher; otherwise using the already registered biometric information to complete the unlocking), which completes the user's biometric verification. After the user's biometric verification succeeds, the biometric authentication key manager creates a unique authentication public/private key pair associated with the biometric authentication key manager and the identity authentication server; the authentication private key is stored locally in the biometric authentication key manager and may not be exported from it. If the biometric authentication key manager is not able to store the authentication private key, it encrypts the authentication private key and saves the encrypted key on the user equipment. The key used to encrypt the user's private key is stored in the biometric authentication key manager and may not be exported from it.
d) The biometric authentication key manager generates the key registration data (which contains the authentication public key generated in the previous step), then generates a registration response message (which contains the key registration data together with the signature value produced by signing the key registration data with the vendor private key), and sends the registration response message to the identity authentication server.
e) The identity authentication server uses the vendor public key to verify the signature in the registration response message. If the signature is correct, it extracts the authentication public key and saves it (the association between the authentication public key and the user shall also be saved).
5.3 Authentication
In the authentication process, the user uses the authentication private key, through the biometric authentication key manager, to sign the server's challenge, proving to the identity authentication server that he owns the private key and thereby completing authentication. The authentication process is shown in Figure 3. The protocol message is shown in Appendix A.
to the identity authentication server;
j) The identity authentication server uses the vendor public key, to verify the registration response message; stores the relevant information after the verification is successful; otherwise, it returns an error message;
k) The identity authentication server returns the result to the relying party.
6.1.2 Processing rules of registration process
6.1.2.1 Rules for identity authentication server to generate registration request
The identity authentication server generates the registration request in accordance with the following steps:
a) Create a registration request message; initialize the parameters of the registration request message, including at least parameters such as server challenges (see Appendix A);
b) Send the registration request message to the biometric authentication key manager.
6.1.2.2 Rules for biometric authentication key manager to process registration request
The following steps shall be followed by a biometric authentication key manager to process a registration request:
a) Verify the authenticity of the identity authentication server; if the verification succeeds, execute the following steps; otherwise, reject the message;
b) Parse the registration request message; determine whether it contains the necessary parameters and whether each parameter meets the requirements; if so, perform the following steps; otherwise, reject the message;
c) Prompt the user to select the biometric matcher. After the user selects one, use the selected biometric matcher to verify the user. If the verification passes, perform the following operations; otherwise, return an error;
d) Create a registration response message; initialize its parameters according to the parameters of the registration request message;
e) Send the registration response message to the identity authentication server.
6.1.2.3 Rules of identity authentication server to process registration response
The identity authentication server processes the registration response in accordance with the following steps:
e) The biometric authentication key manager initiates local user verification, prompting the user to provide biometric information for identity verification;
f) The user submits biometric information, such as a fingerprint or iris;
g) The biometric authentication key manager verifies the biometric information, which is submitted by the user; after the verification is passed, generates an authentication response message;
h) The biometric authentication key manager returns an authentication response message, to the identity authentication server;
i) The identity authentication server verifies the authentication response message;
j) The identity authentication server returns the result to the relying party.
6.2.2 Processing rules of authentication process
6.2.2.1 Rules of identity authentication server to generate authentication request
The identity authentication server shall follow these steps to generate an authentication request:
a) Create an authentication request message; initialize various parameters of the authentication request message, including at least parameters such as server challenge (see Appendix A);
b) Send an authentication request message to the biometric authentication key manager.
6.2.2.2 Rules of biometric authentication key manager to process authentication request
The biometric authentication key manager shall follow these steps, to process authentication requests:
a) Verify the authenticity of the identity authentication server; if the verification succeeds, execute the following steps; otherwise, reject the message;
b) Parse the authentication request message; determine whether it contains the necessary parameters and whether each parameter meets the requirements; if so, perform the following steps; otherwise, reject the message;
c) Prompt the user to select the biometric matcher. After the user makes a selection, use the selected biometric matcher to verify the user. If the verification passes, perform the following operations; otherwise, return an
a) The user logs in to the identity authentication server and initiates the deregister process;
b) The identity authentication server generates a deregister request message, to delete the data, which is related to the user;
c) The identity authentication server sends a deregister request message, to the biometric authentication key manager;
d) The biometric authentication key manager deletes user-related data.
6.3.2 Processing rules of deregister process
6.3.2.1 Rules of identity authentication server to generate deregister request
The identity authentication server generates a deregister request in accordance with the following steps:
a) Create a deregister request message; initialize the parameters of the deregister request message (see Appendix A);
b) Delete the data related to the user on the identity authentication server;
c) Send the deregister request message to the biometric authentication key manager.
6.3.2.2 Rules of biometric authentication key manager to process deregister request
The following steps shall be followed, by a biometric authentication key manager to process a deregister request:
a) Parse the deregister request message; determine whether it contains the necessary parameters and whether each parameter meets the requirements; if so, perform the following steps; otherwise, reject the message;
b) Delete the user-related data.
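The three sessions described in 5.2 and 5.3, and the processing rules of 6.1 to 6.3, can be exercised end to end with the following Go program. It is an added example, not code from the standard or from any implementation of it: Ed25519 stands in for the national cryptographic algorithms the standard defers to; the `Request`/`Response` message layouts, the `Session` tag, the use of a trusted-server list as the "verify the authenticity of the identity authentication server" step, the 32-byte challenge, the one-authentication-key-per-server store and the simulated `BiometricOK` flag are all assumptions of this example, not definitions taken from Appendix A.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed example of the register/authenticate/deregister sessions; Ed25519 stands in
// for the national algorithms the standard defers to, and every message field is an assumption.
type Request struct {
	Session, ServerID string // Session is "register", "authenticate" or "deregister"
	Challenge         []byte // server challenge (nil in a deregister request)
}
type Response struct {
	PublicKey ed25519.PublicKey // key registration data (registration only)
	Signature []byte            // vendor key over PublicKey||Challenge, or auth key over ServerID||Challenge
}
// Vendor key pair: private half provisioned into the key manager, public half known to servers.
var vendorPub, vendorPriv, _ = ed25519.GenerateKey(rand.Reader)
// concat returns a fresh a||b; the 32-byte challenge on the right keeps the layout unambiguous.
func concat(a, b []byte) []byte { return append(append([]byte{}, a...), b...) }
type KeyManager struct { // the biometric authentication key manager inside the trusted environment
	trustedServers map[string]bool               // assumed basis for "verify server authenticity"
	authKeys       map[string]ed25519.PrivateKey // per-server authentication private keys, never exported
	BiometricOK    bool                          // outcome of local user verification (simulated)
}

func (km *KeyManager) Handle(req Request) (Response, error) { // rules 6.1.2.2, 6.2.2.2, 6.3.2.2
	switch {
	case !km.trustedServers[req.ServerID]:
		return Response{}, errors.New("server authenticity check failed")
	case req.Session == "deregister":
		delete(km.authKeys, req.ServerID) // user-related data is removed from the trusted environment
		return Response{}, nil
	case len(req.Challenge) < 16 || !km.BiometricOK:
		return Response{}, errors.New("missing server challenge or local biometric verification failed")
	case req.Session == "register":
		pub, priv, err := ed25519.GenerateKey(rand.Reader) // fresh pair bound to this server
		if err != nil {
			return Response{}, err
		}
		km.authKeys[req.ServerID] = priv
		return Response{pub, ed25519.Sign(vendorPriv, concat(pub, req.Challenge))}, nil
	case req.Session == "authenticate":
		if priv, ok := km.authKeys[req.ServerID]; ok {
			return Response{nil, ed25519.Sign(priv, concat([]byte(req.ServerID), req.Challenge))}, nil
		}
	}
	return Response{}, errors.New("request rejected")
}

type Server struct { // the identity authentication server
	ID         string
	pending    map[string][]byte            // one outstanding challenge per user, consumed on use
	registered map[string]ed25519.PublicKey // user -> registered authentication public key
}

func (s *Server) Begin(user, session string) Request { // rules 6.1.2.1, 6.2.2.1, 6.3.2.1
	if session == "deregister" {
		delete(s.registered, user) // server-side user data is deleted before the request is sent
		return Request{session, s.ID, nil}
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.pending[user] = c
	return Request{session, s.ID, c}
}

func (s *Server) Finish(user, session string, resp Response) error { // rules 6.1.2.3, 6.2.2.3
	c, ok := s.pending[user]
	delete(s.pending, user) // challenges are single-use, so a replayed response can never verify
	pub, reg := s.registered[user]
	switch {
	case !ok:
		return errors.New("no outstanding challenge for this user")
	case session == "register" && len(resp.PublicKey) == ed25519.PublicKeySize && ed25519.Verify(vendorPub, concat(resp.PublicKey, c), resp.Signature):
		s.registered[user] = resp.PublicKey
		return nil
	case session == "authenticate" && reg && ed25519.Verify(pub, concat([]byte(s.ID), c), resp.Signature):
		return nil
	}
	return errors.New("response rejected")
}

// NewActors builds a server and a key manager that trusts it.
func NewActors() (*Server, *KeyManager) {
	s := &Server{"idp.example", map[string][]byte{}, map[string]ed25519.PublicKey{}}
	return s, &KeyManager{map[string]bool{s.ID: true}, map[string]ed25519.PrivateKey{}, true}
}

func main() {
	s, km := NewActors()
	resp, _ := km.Handle(s.Begin("alice", "register"))
	fmt.Println("register:", s.Finish("alice", "register", resp))
	resp, _ = km.Handle(s.Begin("alice", "authenticate"))
	fmt.Println("authenticate:", s.Finish("alice", "authenticate", resp), "replay:", s.Finish("alice", "authenticate", resp))
}
```

The points the processing rules turn on are visible in the code: the vendor private key signs only the key registration data, the authentication private key never leaves `KeyManager`, each server challenge is consumed on first use so that a replayed authentication response is rejected, a response carrying a malformed public key or a wrong signature is refused before anything is stored, and deregistration deletes the server-side record before the request goes out and the private key on the key manager when it arrives.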
7 Protocol interface
7.1 Overview
The main interface of this protocol is the biometric authentication key manager interface. The relationship is shown in Figure 8:
