GB/T 36651-2018
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security techniques - Biometric authentication
protocol framework based on trusted environment
ISSUED ON: OCTOBER 10, 2018
IMPLEMENTED ON: MAY 01, 2019
Issued by: State Administration for Market Regulation;
Standardization Administration of PRC.
Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Protocol framework
5.1 Overview
5.2 Registration
5.3 Authentication
5.4 Deregister
6 Protocol process and rules
6.1 Registration process
6.2 Authentication process
6.3 Deregister process
7 Protocol interface
7.1 Overview
7.2 Interface of biometric authentication key manager
Appendix A (Informative) Protocol message
Appendix B (Informative) Protocol message related data structures
Appendix C (Informative) Protocol interface
References
Information security techniques - Biometric authentication
protocol framework based on trusted environment
1 Scope
This standard specifies the biometric authentication protocol framework based on a
trusted environment, including the protocol framework, protocol process, protocol
rules and protocol interface.
This standard applies to the development, testing and evaluation of biometric
authentication services.
2 Normative references
The following documents are indispensable for the application of this document. For
dated references, only the edition cited applies; for undated references, the latest
edition (including all amendments) applies.
GB/T 25069-2010 Information security technology - Glossary
3 Terms and definitions
The terms and definitions as defined in GB/T 25069-2010, as well as the following
terms and definitions, apply to this document.
3.1
Trusted environment
A secure area on a user's device that guarantees the confidentiality, integrity and
availability of the data loaded into it, such as a Trusted Execution Environment (TEE),
Secure Element (SE), Trusted Cryptographic Module (TCM) or another protected area
with a secured boundary.
3.2
Biometric authentication
The use of biometric technology to verify the user's identity.
a trust relationship with the relying party. Figure 1 depicts a scenario in which the
IdP has a trust relationship with the relying party. The identity authentication server
stores the user's authentication public key, which is generated by the biometric
authentication key manager when the user registers with the identity authentication
server through that key manager.
- The biometric authentication key manager is integrated in the trusted environment;
it stores the vendor private key and the authentication private key. The
authentication private key is generated by the biometric authentication key manager
when the user registers with the identity authentication server through it, and is
used by the identity authentication server to authenticate the user's identity. The
biometric authentication key manager can interact with multiple biometric matchers.
This standard does not specify how the IdP delivers the identity authentication
protocol message to the biometric authentication key manager. For example, when the
identity authentication server belongs to an IdP independent of the relying party, the
relying party can redirect the user equipment to the identity authentication server, so
that the identity authentication server interacts directly with the user equipment and
submits the identity authentication protocol message to the biometric authentication
key manager; when the relying party deploys the IdP internally, it shall guarantee the
security of the forwarded information.
Any content in this standard that relates to cryptographic algorithms shall be
implemented in accordance with the relevant national regulations. Where cryptographic
technology is used to meet needs for confidentiality, integrity, authenticity or
non-repudiation, the relevant national and industry standards for cryptography must be
followed.
The biometric authentication protocol based on a trusted environment consists of three
sessions between the biometric authentication key manager and the identity
authentication server. Before any of these sessions, the identity authentication server
checks whether the user equipment supports this protocol by calling the discovery
method. The three sessions are as follows:
- Registration: the user registers the authentication public key generated by the
biometric authentication key manager with the identity authentication server;
- Authentication: the user authenticates with the identity authentication server using
the registered biometric authentication key manager;
- Deregister: the user deletes the authentication public key registered with the
identity authentication server.
authenticity of the identity authentication server. If the verification passes, the
user is prompted to select an available biometric matcher; otherwise the message is
rejected.
c) The user selects the appropriate biometric matcher and uses biometric information
to unlock the biometric authentication key manager (registering first if the user has
not previously registered biometric information with that matcher, otherwise using the
registered biometric information to complete the unlock), which completes the user's
local biometric verification. After the biometric verification succeeds, the biometric
authentication key manager creates a unique pair of authentication public and private
keys associated with the biometric authentication key manager and the identity
authentication server; the authentication private key is stored inside the biometric
authentication key manager and may not be exported from it. If the biometric
authentication key manager cannot store the authentication private key itself, it
encrypts the authentication private key and saves the encrypted private key on the
user equipment; the key used to encrypt the user's private key is stored inside the
biometric authentication key manager and may not be exported from it.
d) The biometric authentication key manager generates key registration data (which
contains the authentication public key generated in the previous step), then generates
a registration response message (which contains the key registration data together
with a signature over the key registration data made with the vendor private key), and
sends the registration response message to the identity authentication server.
e) The identity authentication server verifies the signature in the registration
response message with the vendor public key. If the signature is correct, it extracts
and saves the authentication public key (the association between the authentication
public key and the user shall also be saved).
5.3 Authentication
In the authentication process, the user, through the biometric authentication key
manager, signs the server's challenge with the authentication private key, thereby
proving to the identity authentication server that he owns the private key and
completing the authentication. The authentication process is shown in Figure 3. The
protocol message is shown in Appendix A.
to the identity authentication server;
j) The identity authentication server uses the vendor public key, to verify the
registration response message; stores the relevant information after the
verification is successful; otherwise, it returns an error message;
k) The identity authentication server returns the result to the relying party.
6.1.2 Processing rules of registration process
6.1.2.1 Rules for identity authentication server to generate registration request
The identity authentication server generates the registration request, in accordance with
the following steps:
a) Create a registration request message; initialize the parameters of the registration
request message, including at least parameters such as server challenges (see
Appendix A);
b) Send a registration request message to the biometric authentication key manager.
6.1.2.2 Rules for biometric authentication key manager to process registration
request
A biometric authentication key manager shall follow these steps to process a
registration request:
a) Verify the authenticity of the identity authentication server; if the verification
succeeds, execute the following steps; otherwise reject the message;
b) Parse the registration request message; determine whether it contains the necessary
parameters and whether each parameter meets the requirements; if so, perform the
following steps; otherwise reject the message;
c) Prompt the user to select the biometric matcher. After the user selects one, use the
selected biometric matcher to verify the user. If the verification passes, perform the
following operations; otherwise return an error;
d) Create a registration response message; initialize its parameters according to the
parameters of the registration request message;
e) Send the registration response message to the identity authentication server.
6.1.2.3 Rules of identity authentication server to process registration response
The identity authentication server processes the registration response in accordance
with the following steps:
e) The biometric authentication key manager initiates local user verification,
prompting the user to use biometric information for identity verification;
f) The user submits biometric information, such as a fingerprint or iris;
g) The biometric authentication key manager verifies the biometric information,
which is submitted by the user; after the verification is passed, generates an
authentication response message;
h) The biometric authentication key manager returns an authentication response
message, to the identity authentication server;
i) The identity authentication server verifies the authentication response message;
j) The identity authentication server returns the result to the relying party.
6.2.2 Processing rules of authentication process
6.2.2.1 Rules of identity authentication server to generate authentication request
The identity authentication server shall follow these steps to generate an
authentication request:
a) Create an authentication request message; initialize its parameters, including at
least the server challenge (see Appendix A);
b) Send the authentication request message to the biometric authentication key
manager.
6.2.2.2 Rules of biometric authentication key manager to process authentication
request
The biometric authentication key manager shall follow these steps to process an
authentication request:
a) Verify the authenticity of the identity authentication server; if the verification
succeeds, execute the following steps; otherwise reject the message;
b) Parse the authentication request message; determine whether it contains the
necessary parameters and whether each parameter meets the requirements; if so,
perform the following steps; otherwise reject the message;
c) Prompt the user to select the biometric matcher. After the user selects one, use the
selected biometric matcher to verify the user. If the verification passes, perform the
following operations; otherwise return an
a) The user logs in to the identity authentication server and initiates the deregister
process;
b) The identity authentication server generates a deregister request message to delete
the data related to the user;
c) The identity authentication server sends the deregister request message to the
biometric authentication key manager;
d) The biometric authentication key manager deletes the user-related data.
6.3.2 Processing rules of deregister process
6.3.2.1 Rules of identity authentication server to generate deregister request
The identity authentication server generates a deregister request in accordance with
the following steps:
a) Create a deregister request message; initialize its parameters (see Appendix A);
b) Delete the data related to the user on the identity authentication server;
c) Send the deregister request message to the biometric authentication key manager.
6.3.2.2 Rules of biometric authentication key manager to process deregister
request
A biometric authentication key manager shall follow these steps to process a deregister
request:
a) Parse the deregister request message; determine whether it contains the necessary
parameters and whether each parameter meets the requirements; if so, perform the
following steps; otherwise reject the message;
b) Delete the user-related data.
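As an added illustration of the registration, authentication and deregister sessions described in 5.2 to 5.4 and 6.1 to 6.3 (example code written for this page, not the standard's own), the following single-process simulation assumes ed25519 in place of the nationally mandated algorithms and models the identity authentication server and the biometric authentication key manager as Go structs with hypothetical names:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Hypothetical simulation of the standard's three sessions; ed25519 stands in for the
// nationally mandated algorithms, and every name below is this example's own.
// Server is the identity authentication server: it trusts the vendor public key and
// stores one authentication public key per registered user.
type Server struct {
	vendorPub ed25519.PublicKey
	users     map[string]ed25519.PublicKey
}

// KeyManager is the biometric authentication key manager; its private keys never leave it.
type KeyManager struct{ vendorPriv, authPriv ed25519.PrivateKey }

// Setup provisions one vendor key pair: private half in the key manager, public half at the server.
func Setup() (*Server, *KeyManager) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Server{vendorPub: pub, users: map[string]ed25519.PublicKey{}}, &KeyManager{vendorPriv: priv}
}

func challenge() []byte { c := make([]byte, 32); rand.Read(c); return c }

// Register (5.2/6.1): after local biometric verification (bioOK) the key manager creates an
// authentication key pair and signs the key registration data (auth public key || server
// challenge) with the vendor private key; the server verifies that signature over its own
// challenge (which also proves freshness) and then stores the authentication public key.
func (s *Server) Register(km *KeyManager, user string, bioOK bool) error {
	ch := challenge()
	if !bioOK { return errors.New("local biometric verification failed") }
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	km.authPriv = priv
	regData := append(append([]byte{}, pub...), ch...)
	sig := ed25519.Sign(km.vendorPriv, regData)
	if !ed25519.Verify(s.vendorPub, regData, sig) { return errors.New("registration response rejected: vendor signature invalid") }
	s.users[user] = pub
	return nil
}

// Authenticate (5.3/6.2): the key manager signs a fresh server challenge with the authentication
// private key after biometric verification; the server verifies with the key stored at registration.
func (s *Server) Authenticate(km *KeyManager, user string, bioOK bool) bool {
	pub, ok := s.users[user]
	if !ok || !bioOK || km.authPriv == nil { return false }
	ch := challenge()
	return ed25519.Verify(pub, ch, ed25519.Sign(km.authPriv, ch))
}

// Deregister (5.4/6.3): both sides delete the user-related data.
func (s *Server) Deregister(km *KeyManager, user string) { delete(s.users, user); km.authPriv = nil }

func main() {
	s, km := Setup()
	fmt.Println("register:", s.Register(km, "alice", true), "auth:", s.Authenticate(km, "alice", true))
}
```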
7 Protocol interface
7.1 Overview
The main interface of this protocol is the biometric authentication key manager
interface. The relationship is shown in Figure 8: