GB/T 38540-2020 English PDF (GBT38540-2020)
GB/T 38540-2020: Information security technology -- Technical specification secure electronic seal signature cryptography
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Information Security Technology - Technical
Specification of Secure Electronic Seal Signature
Cryptography
ISSUED ON: MARCH 06, 2020
IMPLEMENTED ON: OCTOBER 01, 2020
Issued by: State Administration for Market Regulation;
Standardization Administration of PRC.
Table of Contents
Foreword
1 Scope
2 Normative References
3 Terms and Definitions
4 Abbreviations
5 Overview
6 Electronic Seal
6.1 Data format
6.2 Generation process of electronic seal
6.3 Verification process of electronic seal
7 Electronic Seal Signature
7.1 Data format
7.2 Generation process of electronic seal signature
7.3 Verification process of electronic seal signature
1 Scope
This Standard specifies the definition of the data structure of electronic seals and electronic signatures using cryptographic technology, and the corresponding generation and verification process.
This Standard is applicable to the development and use of electronic seal systems and may also be used to guide the detection of such systems.
2 Normative References
The following documents are essential to the application of this document. For dated references, only the edition cited applies to this document; for undated references, the latest edition (including all amendments) applies to this document.
GB/T 20518 Information Security Technology - Public Key Infrastructure - Digital Certificate Format
GB/T 20520 Information Security Technology - Public Key Infrastructure - Time Stamp Specification
GB/T 32905 Information Security Technology - SM3 Cryptographic Hash Algorithm
GB/T 32918 (all parts) Information Security Technology - SM2 Elliptic Curve Public Key Cryptography
GB/T 33560 Information Security Technology - Cryptographic Application Identifier Criterion Specification
GB/T 35276 Information Security Technology - SM2 Cryptography Algorithm Usage Specification
3 Terms and Definitions
For the purpose of this document, the following terms and definitions apply.
electronic seal.
3.8 SM2 algorithm
An elliptic curve cryptographic algorithm that is defined by GB/T 32918.
3.9 SM3 algorithm
A hash algorithm that is defined by GB/T 32905.
4 Abbreviations
For the purpose of this document, the following abbreviations apply.
ASN.1: Abstract Syntax Notation One
BMP: Bitmap
DER: Distinguished Encoding Rules
GIF: Graphics Interchange Format
JPG: Joint Photographic Experts Group
OID: Object Identifier
PKI: Public Key Infrastructure
SVG: Scalable Vector Graphics
5 Overview
A secure electronic seal signature combines digital image processing technology with electronic signature technology: using PKI public key cryptography, an electronic document is digitally signed together with the seal image data in electronic form, so as to ensure the authenticity of the document source and the integrity of the document, prevent unauthorized tampering with the document, and ensure the non-repudiation of the signature.
To ensure the integrity and unforgeability of the electronic seal, and that only legitimate users can use it, a secure electronic seal data format needs to be defined. Through a digital signature, the image data of the seal is securely bound to the seal attributes, such as the signer, to form a secure electronic seal. When the seal is used, the electronic seal shall be verified for security.
In the process of electronically signing various documents using electronic seals, the signature operation on the seal information field of procedure a) above to form a signature value;
c) The data of procedures a) and b) above, together with the electronic seal maker certificate and the signature algorithm identifier, form the electronic seal data format defined in 6.1.1.
6.3 Verification process of electronic seal
The verification process of electronic seal is as follows:
a) Verify the correctness of the electronic seal data format
Analyze the electronic seal according to the electronic seal format and verify whether it conforms to the electronic seal data format defined in 6.1.
If the data format of the electronic seal is incorrect, the verification fails; it shall return an error code and exit the verification process.
b) Verify whether the electronic seal signature value is correct
Verify whether the signature value in the electronic seal is correct, based on the seal information, the electronic seal maker certificate and the signature algorithm identifier.
If the verification of the electronic seal signature fails, it shall return an error code and exit the verification process.
c) Verify the validity of the electronic seal maker certificate
To verify the validity of the seal maker certificate, the verification items include at least: verification of the seal maker certificate trust chain, verification of the validity period of the electronic seal maker certificate, whether the electronic seal maker certificate is revoked, and whether the key usage is correct.
If the verification of the electronic seal maker certificate fails, it shall return an error code and exit the verification process.
d) Verify the validity of the electronic seal
According to the start time and end time of the seal validity period in the seal attributes, verify whether the electronic seal has expired.
If the electronic seal has expired, the verification fails; it shall return an error code and exit the verification process.
If all of the above procedures succeed, the electronic seal is verified as correct and valid, and the verification process may be exited normally.
the electronic seal signer; note that the hash algorithm applied to the original text in the signature process shall match the signature algorithm. If the signature algorithm is SM2, the hash algorithm shall be SM3.
If the signature algorithm is SM2, it shall comply with the provisions of GB/T 35276.
7.1.6 Time stamp
timeStamp: the time stamp on the signature value shall comply with the provisions of GB/T 20520; the time stamp shall be stored in DER encoding.
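The four-step check of 6.3 a) to d), run in the order the standard gives and stopping at the first failure, as an added example that is not code from the standard or from any seal product. The seal is a constructed Python dict rather than the standard's ASN.1/DER structure, the error codes are constructed (the standard only says "return an error code"), and the signature primitive is injected as a callable: because SM2 and SM3 are not in the Python standard library, the stand-in shown is an HMAC-SHA256 over a SHA-256 digest, which is a MAC and not a digital signature, so it gives none of the non-repudiation the standard requires and only lets the flow execute offline. A conforming implementation plugs in SM2 per GB/T 35276 over an SM3 digest per GB/T 32905, as the 7.1 text above requires.

```python
"""Ordered verification of an electronic seal following GB/T 38540-2020 6.3.
Added example; seal structure, error codes and the signature primitive are
constructed stand-ins, not the standard's DER format or SM2/SM3."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Callable

# Constructed error codes: the standard only says "return an error code".
OK = "OK"
ERR_FORMAT = "ERR_FORMAT"              # 6.3 a) data format incorrect
ERR_SIGNATURE = "ERR_SIGNATURE"        # 6.3 b) seal signature value wrong
ERR_MAKER_CERT = "ERR_MAKER_CERT"      # 6.3 c) seal maker certificate invalid
ERR_SEAL_EXPIRED = "ERR_SEAL_EXPIRED"  # 6.3 d) outside the seal validity period

SEAL_FIELDS = ("seal_info", "maker_cert", "sign_alg", "signature")
INFO_FIELDS = ("seal_id", "valid_from", "valid_to", "picture")

Verifier = Callable[[bytes, dict, str, bytes], bool]


def utc(s: str) -> datetime:
    """Parse an ISO-8601 date or date/time string as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def encode(obj: dict) -> bytes:
    """Deterministic serialisation of the seal information; a stand-in for the
    DER encoding the standard prescribes (which needs an ASN.1 library)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def check_format(seal: dict) -> bool:
    """6.3 a): every field of the seal data format is present."""
    return (isinstance(seal, dict)
            and all(k in seal for k in SEAL_FIELDS)
            and isinstance(seal["seal_info"], dict)
            and all(k in seal["seal_info"] for k in INFO_FIELDS))


def check_maker_cert(cert: dict, now: datetime) -> bool:
    """6.3 c): trust chain, validity period, revocation status and key usage."""
    return (cert["chain_trusted"]
            and cert["not_before"] <= now <= cert["not_after"]
            and not cert["revoked"]
            and "digitalSignature" in cert["key_usage"])


def verify_seal(seal: dict, now: datetime, verify_sig: Verifier) -> str:
    """Run 6.3 a) to d) in order and stop at the first failure."""
    if not check_format(seal):
        return ERR_FORMAT
    if not verify_sig(encode(seal["seal_info"]), seal["maker_cert"],
                      seal["sign_alg"], seal["signature"]):
        return ERR_SIGNATURE
    if not check_maker_cert(seal["maker_cert"], now):
        return ERR_MAKER_CERT
    info = seal["seal_info"]
    if not utc(info["valid_from"]) <= now <= utc(info["valid_to"]):
        return ERR_SEAL_EXPIRED
    return OK


# Stand-in signature primitive (constructed): HMAC-SHA256 over a SHA-256 digest
# replaces "SM3 digest, then SM2 signature" so the flow runs offline. It is a
# MAC, not a digital signature, and provides no non-repudiation.
MAKER_KEY = b"constructed-seal-maker-key"
STAND_IN_ALG = "STAND-IN-HMAC-SHA256"


def stand_in_sign(data: bytes) -> bytes:
    digest = hashlib.sha256(data).digest()          # stand-in for SM3
    return hmac.new(MAKER_KEY, digest, "sha256").digest()


def stand_in_verify(data: bytes, cert: dict, sign_alg: str, signature: bytes) -> bool:
    # Refuse an algorithm identifier we do not recognise rather than guessing.
    if sign_alg != STAND_IN_ALG:
        return False
    return hmac.compare_digest(stand_in_sign(data), signature)


def make_sample_seal(valid_from: str = "2020-10-01", valid_to: str = "2025-10-01") -> dict:
    """Constructed sample seal signed with the stand-in primitive."""
    info = {"seal_id": "EXAMPLE-SEAL-0001", "valid_from": valid_from,
            "valid_to": valid_to, "picture": "<png bytes omitted>"}
    cert = {"subject": "Example Seal Maker (constructed)", "chain_trusted": True,
            "revoked": False, "key_usage": ["digitalSignature"],
            "not_before": utc("2020-01-01"), "not_after": utc("2030-01-01")}
    return {"seal_info": info, "maker_cert": cert, "sign_alg": STAND_IN_ALG,
            "signature": stand_in_sign(encode(info))}


if __name__ == "__main__":
    seal = make_sample_seal()
    print(verify_seal(seal, utc("2022-01-01"), stand_in_verify))   # OK
    seal["seal_info"]["seal_id"] = "EXAMPLE-SEAL-0002"               # tamper
    print(verify_seal(seal, utc("2022-01-01"), stand_in_verify))   # ERR_SIGNATURE
```

The order matters for what a verifier learns: a malformed seal is rejected before any cryptography runs, a bad signature is reported before the maker certificate is examined, and the seal's own validity period is checked only after the certificate that vouches for it has passed.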
7.2 Generation process of electronic seal signature
The generation process of electronic seal signature is as follows:
a) Prepare the electronic seal and verify its correctness and validity. The specific procedures are as follows:
1) Verify the electronic seal. Verify the correctness and validity of the electronic seal in accordance with 6.3.
2) Select the electronic seal signer certificate to be used for signing and verify the validity of the certificate. The verification items include at least: verification of the certificate trust chain, verification of the certificate validity period, whether the certificate is revoked, and whether the key usage is correct.
3) According to the certificate list type of electronic seal signer in the electronic seal, extract the certificate information list of electronic seal signer in the electronic seal and use it to judge whether the selected electronic seal signer certificate in procedure 2) is in the list. If the value of the certificate information type is 1, the certificate is directly compared; if the value is 2, the hash of the certificate in procedure 2) is calculated and then compared:
--- If the person who intends to sign with the seal is in the list of electronic seal signers of the electronic seal, the subsequent process is carried out;
--- If the comparison fails, it shall return an error code and exit the seal signature process. According to the error code, if the comparison fails because the electronic seal signer's certificate has been updated and reissued, the program shall prompt to re-make the seal.
b) Electronically sign the original text. The specific procedures are as follows:
1) Prepare the original text to be signed according to the signature protection scope in propertyInfo;
2) Perform a hash calculation on the original text data to be signed to form the certificates in certificate information list of electronic seal signer in the electronic seal. If both of the comparisons fail, it shall return an error code and exit the verification process.
3) If the certificate information type of the above-mentioned electronic seal signer is 2, then compare the hash value of the certificate. First, calculate the hash value of the electronic seal signer certificate parsed in procedure a); then compare it one by one with the hash values in the certificate information list of the electronic seal signer in the electronic seal. If the comparisons fail, it shall return an error code and exit the verification process.
d) Verify the validity of the electronic seal
1) Extract the electronic seal from the electronic seal signature information and verify the validity of the seal according to the verification process of 6.3. If the verification fails, a comprehensive judgement shall be made based on the seal signature time in the seal signature information.
2) If the invalidity of the electronic seal is caused by the invalidity of the electronic seal maker certificate, and the electronic seal maker certificate is also invalid at the time point of seal signature, it shall be recorded as the reminding information.
3) If the invalidity of the electronic seal is due to expiration or revocation, and the seal signature time is not within the validity period of the electronic seal, or the electronic seal is not in a normal state at that time, it shall return an error code and exit the verification process.
4) Verify whether the electronic seal is in a normal state at the moment of seal signature. If it is not, it shall return an error code and exit the verification process.
e) Verify the validity of the electronic seal signer certificate
1) Obtain the electronic seal signer certificate from the electronic seal signature data and verify the validity of the electronic seal signer certificate. The verification items include at least: verification of certificate trust chain, verification of certificate validity period, whether the certificate is revoked, and whether the key usage is correct.
2) If the validity verification of the electronic seal signer certificate fails because the certificate trust chain verification fails or the key usage is incorrect, it shall return an error code and exit the verification process.
3) If the validity verification of the electronic seal signer certificate fails and is due to the expiration of the certificate or the certificate status has been revoked,
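Two checks from clause 7 as an added example that is not code from the standard: the signer-list membership check of 7.2 a) 3), which 7.3 c) repeats on the verifying side (certificate information type 1 compares whole certificates, type 2 compares their hashes), and the point-in-time judgement of 7.3 d), where a seal that fails 6.3 today is re-judged against the moment the document was signed. The seal and certificate records are constructed dicts, the OK/WARN/ERR result strings are constructed (the standard speaks of "reminding information" and "an error code"), and SHA-256 stands in for the SM3 hash of GB/T 32905 so the code runs on any Python build.

```python
"""Signer-authorisation and point-in-time seal checks from GB/T 38540-2020
clause 7 (7.2 a) 3), 7.3 c), 7.3 d)).  Added example; records and result
strings are constructed, and SHA-256 stands in for SM3."""
import hashlib
import hmac
from datetime import datetime, timezone
from typing import List, Optional, Tuple

CERT_LIST_TYPE_CERT = 1   # certificate information type 1: whole certificates
CERT_LIST_TYPE_HASH = 2   # certificate information type 2: certificate hashes


def utc(s: str) -> datetime:
    """Parse an ISO-8601 date or date/time string as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def cert_digest(cert_der: bytes) -> bytes:
    """Hash of a DER certificate; SHA-256 stands in for SM3 (GB/T 32905)."""
    return hashlib.sha256(cert_der).digest()


def signer_authorised(list_type: int, cert_list: List[bytes], signer_cert_der: bytes) -> bool:
    """7.2 a) 3) / 7.3 c): is the signer certificate in the seal's signer list?
    Type 1 compares certificates directly, type 2 compares their hashes."""
    if list_type == CERT_LIST_TYPE_CERT:
        needle = signer_cert_der
    elif list_type == CERT_LIST_TYPE_HASH:
        needle = cert_digest(signer_cert_der)
    else:
        return False    # an unknown list type is a format error, never a match
    return any(hmac.compare_digest(entry, needle) for entry in cert_list)


def _valid_at(rec: dict, t: datetime) -> bool:
    """Inside the record's validity window and not yet revoked at time t.
    Used for both the seal (its validity period) and the maker certificate."""
    revoked_at = rec.get("revoked_at")
    return rec["not_before"] <= t <= rec["not_after"] and (revoked_at is None or t < revoked_at)


def judge_seal_at_signing(seal: dict, now: datetime, sign_time: datetime) -> Tuple[str, Optional[str]]:
    """7.3 d): re-judge a seal against the signing time.
    Returns (status, detail); status is OK, WARN (reminding information) or ERR."""
    maker = seal["maker_cert"]
    # d) 2): maker certificate invalid now and also invalid when the document
    # was signed -> recorded as reminding information, verification continues.
    warning = None
    if not _valid_at(maker, now) and not _valid_at(maker, sign_time):
        warning = "seal maker certificate was already invalid at signing time"
    # d) 3): seal expired or revoked now, and the signing time is outside its
    # validity period or the seal was not in a normal state then -> error.
    if not _valid_at(seal, now) and not _valid_at(seal, sign_time):
        return "ERR", "seal expired or revoked, and not valid at signing time"
    # d) 4): the seal must have been in a normal state at the moment of signing
    # (this also catches a signature dated before the seal became valid).
    if not _valid_at(seal, sign_time):
        return "ERR", "seal not in a normal state at signing time"
    return ("WARN", warning) if warning else ("OK", None)


def sample_seal() -> dict:
    """Constructed seal record: valid 2020-10-01 to 2023-10-01, revoked on
    2023-06-01, made under a certificate that expired on 2023-05-01."""
    return {"not_before": utc("2020-10-01"), "not_after": utc("2023-10-01"),
            "revoked_at": utc("2023-06-01"),
            "maker_cert": {"not_before": utc("2020-01-01"), "not_after": utc("2023-05-01")}}


if __name__ == "__main__":
    now = utc("2024-03-01")
    for signed in ("2022-01-01", "2023-05-15", "2023-07-01"):
        print(signed, judge_seal_at_signing(sample_seal(), now, utc(signed)))
```

Comparing with hmac.compare_digest keeps both list types constant-time, and treating an unrecognised certificate information type as "not authorised" rather than falling through to a default comparison avoids accepting a signer on a malformed seal. The point-in-time logic is what lets documents signed under a now-expired seal remain verifiable, while a signature dated before the seal's validity period or after its revocation is still rejected.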