1
/
of
8
PayPal, credit cards. Download editable-PDF & invoice in 1 second!
GB/T 39205-2020 English PDF (GBT39205-2020)
GB/T 39205-2020 English PDF (GBT39205-2020)
Regular price
$205.00 USD
Regular price
Sale price
$205.00 USD
Unit price
/
per
Shipping calculated at checkout.
Couldn't load pickup availability
Delivery: 3 seconds. Download true-PDF + Invoice.
Get Quotation: Click GB/T 39205-2020 (Self-service in 1-minute)
Historical versions (Master-website): GB/T 39205-2020
Preview True-PDF (Reload/Scroll-down if blank)
GB/T 39205-2020: Information security technology - Light-weight authentication and access control mechanism
GB/T 39205-2020
Information security technology - Light-weight authentication and access control mechanism
ICS 35.040
L80
National Standards of People's Republic of China
Information Security Technology
Lightweight authentication and access control mechanism
2020-10-11 released
2021-05-01 implementation
State Administration for Market Regulation
Issued by the National Standardization Management Committee
Table of contents
Preface Ⅲ
Introduction Ⅳ
1 Scope 1
2 Normative references 1
3 Terms and definitions 1
4 Symbols and abbreviations 1
4.1 Symbol 1
4.2 Abbreviations 2
5 Lightweight authentication mechanism 2
5.1 Overview 2
5.2 Authentication mechanism based on exclusive OR operation 2
5.3 Authentication mechanism based on cryptographic hash algorithm 3
5.4 Authentication mechanism based on block cipher algorithm 5
6 Lightweight access control mechanism 6
6.1 Overview 6
6.2 Access control mechanism based on block cipher algorithm 6
6.3 Access control mechanism based on access control list 7
Preface
This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
This standard was proposed and managed by the National Information Security Standardization Technical Committee (SAC/TC260).
Drafting organizations of this standard. Xi'an Xidian Jietong Wireless Network Communication Co., Ltd., Zhongguancun Wireless Network Security Industry Alliance, National
Radio Monitoring Center Testing Center, Commercial Encryption Testing Center of National Cryptography Administration, China Electronic Technology Standardization Institute, Tianjin No
Line Monitoring Station, Software Research Institute of Chinese Academy of Sciences, National Information Technology Security Research Center, Beijing Digital Certification Co., Ltd., Shuanshi
Technology Co., Ltd., Chongqing University of Posts and Telecommunications, Peking University Shenzhen Graduate School, China General Technology Research Institute, Beijing Computer Technology and
Applied Research Institute.
The main drafters of this standard. Li Qin, Du Zhiqiang, Huang Zhenhai, Zhang Guoqiang, Yan Xiang, Tao Hongbo, Li Dong, Li Bing, Xu Yuna, Liu Jingli, Tie Manxia,
Wang Yuehui, Wu Dongyu, Yu Guangming, Long Zhaohua, Zhu Yuesheng, Zhang Yongqiang, Zhang Yan, Xiong Keqi, Liu Kewei, Zhao Xiaorong, Zhang Bianling, Gao Delong, Zheng Li,
Wang Ying, Zhao Hui, Zhang Lulu, Zhu Zhengmei, Huang Kuigang, Fu Qiang.
introduction
The issuing agency of this document has no position on the authenticity, validity and scope of the above-mentioned patents.
The patent holder has assured the issuing organization of this document that he is willing to work with any applicant under reasonable and non-discriminatory terms and conditions.
Negotiations on patent licensing. The statement of the patent holder has been filed with the issuing agency of this document.
Information Security Technology
Lightweight authentication and access control mechanism
1 Scope
This standard specifies a lightweight authentication mechanism and access control mechanism.
This standard applies to authentication and access control mechanisms in resource-constrained application scenarios such as wireless sensor networks, radio frequency identification, and near field communication.
Design development and application.
2 Normative references
The following documents are indispensable for the application of this document. For dated reference documents, only the dated version applies to this article
Pieces. For undated references, the latest version (including all amendments) applies to this document.
GB/T 15629.3-2014 Information technology systems telecommunications and information exchange specific requirements for local area networks and metropolitan area networks
Part 3.Carrier Sense Multiple Access with Collision Detection (CSMA/CD) access method and physical layer specification
GB/T 25069 Information Security Technical Terms
GB/T 32905 Information Security Technology SM3 Cipher Hash Algorithm
GB/T 32907 Information Security Technology SM4 Block Cipher Algorithm
ISO /IEC 29180.2012 Information Technology System Remote Communication and Information Exchange Ubiquitous Sensor Network Security Framework
3 Terms and definitions
The following terms and definitions defined in GB/T 25069 apply to this document.
3.1
Authentication mechanism
A mechanism to verify that an entity is what it claims to be.
3.2
Access control
A means to ensure that the resources of the data processing system can only be accessed by authorized subjects in accordance with the authorization method.
3.3
Trusted third party
In terms of security-related activities, security agencies or their agents trusted by other entities.
Note. A trusted third party is a third-party entity trusted by entity A and entity B, and can verify the authenticity of the identity of entity A and entity B.
4 Symbols and abbreviations
4.1 Symbols
The following symbols apply to this document.
. Exclusive OR (XOR)
‖. Message series
< < < . left circular shift
. Modular addition
-. Modular subtraction
On. a binary constant with a length of n bits
Q. A user's access request to a certain resource
4.2 Abbreviations
The following abbreviations apply to this document.
5 Lightweight authentication mechanism
5.1 Overview
The lightweight authentication mechanism reduces the complexity of calculation and communication in the authentication process while realizing the authenticity confirmation between entities.
Compared with the usual mechanism, the lightweight authentication mechanism has the following measurement angles.
a) Less occupancy of computing resources;
b) Less interactive messages;
c) Short time-consuming;
d) Less storage space required.
5.2 Identification mechanism based on exclusive OR operation
Based on the identification mechanism of exclusive OR operation, the authenticity of the identity between entity A and entity B is realized through simple exclusive OR and shift operations
The identification process is shown in Figure 1.
Encryption Algorithm;
c) After the user receives the authentication response message from DAE, it first determines whether the random number N1 in the message is the random number selected by the user.
If it is not, discard the message directly; if it is, use the shared key KACr with ACr, User calculates ET2=E
(KACr,User,N1), calculate the message authentication code MIC1=HMAC(KACr,User,N1‖IDDAE‖ET1‖ET2), construct the entity
The authentication request message N1‖IDDAE‖ET1‖ET2‖MIC1 is sent to ACr, where IDDAE is the identity of DAE;
d) After ACr receives the user's entity authentication request message, it first judges the integrity of the message according to MIC1.
Abandon the message; if the verification is passed, use the shared key KACr with DAE, DAE decrypts ET1, if the decrypted N1 and
The N1 sent by the User in step c) is not equal, and ACr constructs an entity authentication response message N1‖IDDAE‖RES(DAE)‖
MIC2 is sent to User, where MIC2=HMAC(KACr,User,N1‖IDDAE‖RES(DAE)), Res(DAE)=
Failure indicates that ACr failed to authenticate DAE; if the N1 obtained after decryption is equal to the N1 sent by the User in step c),
ACr uses the key KACr shared with User, User decrypts ET2, if the decrypted N1 and User are sent in step c)
If N1 is not equal, the authentication is terminated; if the N1 obtained after decryption is equal to the N1 sent by the User in step c), ACr is generated
The session key KDAE, User between User and DAE, and query ACL according to User's identity, obtain User's access control
The control information ACLUser, together with the User’s access period TV, uses KACr, DAE to calculate ET3=E(KACr, DAE, IDUser‖
KDAE,User‖TV‖ACLUser), and use KAC,User to calculate ET4=E(KACr,User,KDAE,User), calculate MIC2=
HMAC(KACr,User,N1‖IDDAE‖RES(DAE)‖ET3‖ET4), construct entity authentication response message N1‖IDDAE
‖RES(DAE)‖ET3‖ET4‖MIC2 is sent to User, where RES(DAE)=True means ACr successfully authenticated DAE;
e) After the user receives the entity authentication response message from ACr, it first judges whether the random number N1 is the random number selected by the user, if not
If yes, discard the message; if yes, judge the integrity of the message according to MIC2; if the verification fails, discard the message; if the verification passes,
User judges the legality of DAE according to RES(DAE).If RES(DAE)=Failure, it means that DAE is illegal and User ends
Stop access; if RES(DAE)=True, User decrypts ET4 in the message and generates random number N3, together with the random number of DAE
The access request of N2 and User uses the session key KDAE obtained after decryption with the target access entity, and User calculates ET5
=E(KDAE,User,N2‖N3‖IDUser‖QUser), calculate MIC3=HMAC(KDAE,User,ET3‖ET5), construct access
The request message ET3‖ET5‖MIC3 is sent to DAE;
f) After DAE receives User's access request, it first decrypts ET3, obtains the session key KDAE, User, and judges that the message is complete according to MIC3
Integrity, if the verification fails, access is denied; if the verification is passed, use KDAE, User to decrypt ET5, and determine that the N2 obtained after decryption is
No is N2 selected by DAE, if not, access is denied; if yes, confirm whether the IDUser obtained after decrypting ET5 is a request for access
The identity of the User asked, if not, deny access; if so, record the current time TC, from TC to (TC TV)
Time is the user’s access validity period. The user can only access network data during this validity period. DAE judges according to ACLUser
User's access request QUser is legal, if not legal, deny access; if legal, generate response data RDAE, together with N3 benefit
Use KDAE, User to calculate ET6=E(KDAE,User,N3‖RDAE), calculate MIC4=HMAC(KDAE,User,ET6), construct access
The response message ET6‖MIC4 is sent to User;
g) After receiving the access response message, the User first judges the integrity of the message according to MIC4.If it is incomplete, discard the message; if it is complete,
Use KDAE, User to decrypt ET6, determine whether the N3 obtained by decryption is the N3 selected by User, if not, discard the message; if
Yes, User saves the response data RDAE, and subsequent access requests and response data between User and DAE are protected by KDAE and User.
6.3 Access control mechanism based on access control list
The access control mechanism based on the access control list is suitable for network access control to all kinds of users. See ISO /IEC 29180.2012 for this mechanism, and the interaction process is shown in Figure 5.
P, indicates that the user authentication is successful; if the PASS ticket received by the entity in the gateway is less than the threshold P, it indicates that the authentication has failed, and finally
Stop the user's access; the threshold P is defined by the network owner, which can be a fixed value of PASS votes, or
It is the proportional value of a PASS ticket, etc.;
2) After the authentication is successful, the entity in the current temporary access control gateway will be based on the user's
The movement direction, movement speed, etc. are measured to the position that the user will reach, and the user will reach
All entities in the single-hop area with the location as the center constitute the next temporary access control gateway. Current temporary
The entity in the access control gateway sends the user authentication success message to the next temporary access control gateway after t time
In the entity, the next temporary access control gateway will be based on whether the number of received user authentication messages reaches the threshold
The value P is used to judge whether the user is successfully authenticated. If the user is still within the validity period VP, and the received user authentication is successful
If the number of messages is greater than or equal to the threshold P, the next temporary access control gateway will recognize the legitimacy of the user and change
After time t, the authentication success message is sent again to the entity in the next new temporary access control gateway. Identified as
Work messages are transmitted in a secure manner between entities.
c) After the user is successfully authenticated, the destination access entity is accessed through the temporary access control gateway, and the process is as follows.
1) After the user is successfully authenticated, an access request message is sent to the temporary access control gateway in a secure manner. The request message includes
Contains access request Q, Q contains the data type requested by the user;
2) After the temporary access control gateway receives the user's access request message, it first determines whether the user identity authentication is passed and the user
Whether it is in the valid period, if the user's identity is authenticated and the identity is in the valid period, the user's
The legality of Q. If it is legal, Q will be sent to the destination entity in a secure manner, and the entity will be deemed
Q The Q forwarded by the control gateway is legal, and an access response message will be generated according to Q, and the response message will be sent to
Temporary access control gateway, which will forward access response messages to users. During the visit, if the user is no longer valid
During the period, or if the user is within the validity period but Q is illegal, the destination access entity will directly discard the user’s Q and terminate the user’s access.
Get Quotation: Click GB/T 39205-2020 (Self-service in 1-minute)
Historical versions (Master-website): GB/T 39205-2020
Preview True-PDF (Reload/Scroll-down if blank)
GB/T 39205-2020: Information security technology - Light-weight authentication and access control mechanism
GB/T 39205-2020
Information security technology - Light-weight authentication and access control mechanism
ICS 35.040
L80
National Standards of People's Republic of China
Information Security Technology
Lightweight authentication and access control mechanism
2020-10-11 released
2021-05-01 implementation
State Administration for Market Regulation
Issued by the National Standardization Management Committee
Table of contents
Preface Ⅲ
Introduction Ⅳ
1 Scope 1
2 Normative references 1
3 Terms and definitions 1
4 Symbols and abbreviations 1
4.1 Symbol 1
4.2 Abbreviations 2
5 Lightweight authentication mechanism 2
5.1 Overview 2
5.2 Authentication mechanism based on exclusive OR operation 2
5.3 Authentication mechanism based on cryptographic hash algorithm 3
5.4 Authentication mechanism based on block cipher algorithm 5
6 Lightweight access control mechanism 6
6.1 Overview 6
6.2 Access control mechanism based on block cipher algorithm 6
6.3 Access control mechanism based on access control list 7
Preface
This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
This standard was proposed and managed by the National Information Security Standardization Technical Committee (SAC/TC260).
Drafting organizations of this standard. Xi'an Xidian Jietong Wireless Network Communication Co., Ltd., Zhongguancun Wireless Network Security Industry Alliance, National
Radio Monitoring Center Testing Center, Commercial Encryption Testing Center of National Cryptography Administration, China Electronic Technology Standardization Institute, Tianjin No
Line Monitoring Station, Software Research Institute of Chinese Academy of Sciences, National Information Technology Security Research Center, Beijing Digital Certification Co., Ltd., Shuanshi
Technology Co., Ltd., Chongqing University of Posts and Telecommunications, Peking University Shenzhen Graduate School, China General Technology Research Institute, Beijing Computer Technology and
Applied Research Institute.
The main drafters of this standard. Li Qin, Du Zhiqiang, Huang Zhenhai, Zhang Guoqiang, Yan Xiang, Tao Hongbo, Li Dong, Li Bing, Xu Yuna, Liu Jingli, Tie Manxia,
Wang Yuehui, Wu Dongyu, Yu Guangming, Long Zhaohua, Zhu Yuesheng, Zhang Yongqiang, Zhang Yan, Xiong Keqi, Liu Kewei, Zhao Xiaorong, Zhang Bianling, Gao Delong, Zheng Li,
Wang Ying, Zhao Hui, Zhang Lulu, Zhu Zhengmei, Huang Kuigang, Fu Qiang.
introduction
The issuing agency of this document has no position on the authenticity, validity and scope of the above-mentioned patents.
The patent holder has assured the issuing organization of this document that he is willing to work with any applicant under reasonable and non-discriminatory terms and conditions.
Negotiations on patent licensing. The statement of the patent holder has been filed with the issuing agency of this document.
Information Security Technology
Lightweight authentication and access control mechanism
1 Scope
This standard specifies a lightweight authentication mechanism and access control mechanism.
This standard applies to authentication and access control mechanisms in resource-constrained application scenarios such as wireless sensor networks, radio frequency identification, and near field communication.
Design development and application.
2 Normative references
The following documents are indispensable for the application of this document. For dated reference documents, only the dated version applies to this article
Pieces. For undated references, the latest version (including all amendments) applies to this document.
GB/T 15629.3-2014 Information technology systems telecommunications and information exchange specific requirements for local area networks and metropolitan area networks
Part 3.Carrier Sense Multiple Access with Collision Detection (CSMA/CD) access method and physical layer specification
GB/T 25069 Information Security Technical Terms
GB/T 32905 Information Security Technology SM3 Cipher Hash Algorithm
GB/T 32907 Information Security Technology SM4 Block Cipher Algorithm
ISO /IEC 29180.2012 Information Technology System Remote Communication and Information Exchange Ubiquitous Sensor Network Security Framework
3 Terms and definitions
The following terms and definitions defined in GB/T 25069 apply to this document.
3.1
Authentication mechanism
A mechanism to verify that an entity is what it claims to be.
3.2
Access control
A means to ensure that the resources of the data processing system can only be accessed by authorized subjects in accordance with the authorization method.
3.3
Trusted third party
In terms of security-related activities, security agencies or their agents trusted by other entities.
Note. A trusted third party is a third-party entity trusted by entity A and entity B, and can verify the authenticity of the identity of entity A and entity B.
4 Symbols and abbreviations
4.1 Symbols
The following symbols apply to this document.
. Exclusive OR (XOR)
‖. Message series
< < < . left circular shift
. Modular addition
-. Modular subtraction
On. a binary constant with a length of n bits
Q. A user's access request to a certain resource
4.2 Abbreviations
The following abbreviations apply to this document.
5 Lightweight authentication mechanism
5.1 Overview
The lightweight authentication mechanism reduces the complexity of calculation and communication in the authentication process while realizing the authenticity confirmation between entities.
Compared with the usual mechanism, the lightweight authentication mechanism has the following measurement angles.
a) Less occupancy of computing resources;
b) Less interactive messages;
c) Short time-consuming;
d) Less storage space required.
5.2 Identification mechanism based on exclusive OR operation
Based on the identification mechanism of exclusive OR operation, the authenticity of the identity between entity A and entity B is realized through simple exclusive OR and shift operations
The identification process is shown in Figure 1.
Encryption Algorithm;
c) After the user receives the authentication response message from DAE, it first determines whether the random number N1 in the message is the random number selected by the user.
If it is not, discard the message directly; if it is, use the shared key KACr with ACr, User calculates ET2=E
(KACr,User,N1), calculate the message authentication code MIC1=HMAC(KACr,User,N1‖IDDAE‖ET1‖ET2), construct the entity
The authentication request message N1‖IDDAE‖ET1‖ET2‖MIC1 is sent to ACr, where IDDAE is the identity of DAE;
d) After ACr receives the user's entity authentication request message, it first judges the integrity of the message according to MIC1.
Abandon the message; if the verification is passed, use the shared key KACr with DAE, DAE decrypts ET1, if the decrypted N1 and
The N1 sent by the User in step c) is not equal, and ACr constructs an entity authentication response message N1‖IDDAE‖RES(DAE)‖
MIC2 is sent to User, where MIC2=HMAC(KACr,User,N1‖IDDAE‖RES(DAE)), Res(DAE)=
Failure indicates that ACr failed to authenticate DAE; if the N1 obtained after decryption is equal to the N1 sent by the User in step c),
ACr uses the key KACr shared with User, User decrypts ET2, if the decrypted N1 and User are sent in step c)
If N1 is not equal, the authentication is terminated; if the N1 obtained after decryption is equal to the N1 sent by the User in step c), ACr is generated
The session key KDAE, User between User and DAE, and query ACL according to User's identity, obtain User's access control
The control information ACLUser, together with the User’s access period TV, uses KACr, DAE to calculate ET3=E(KACr, DAE, IDUser‖
KDAE,User‖TV‖ACLUser), and use KAC,User to calculate ET4=E(KACr,User,KDAE,User), calculate MIC2=
HMAC(KACr,User,N1‖IDDAE‖RES(DAE)‖ET3‖ET4), construct entity authentication response message N1‖IDDAE
‖RES(DAE)‖ET3‖ET4‖MIC2 is sent to User, where RES(DAE)=True means ACr successfully authenticated DAE;
e) After the user receives the entity authentication response message from ACr, it first judges whether the random number N1 is the random number selected by the user, if not
If yes, discard the message; if yes, judge the integrity of the message according to MIC2; if the verification fails, discard the message; if the verification passes,
User judges the legality of DAE according to RES(DAE).If RES(DAE)=Failure, it means that DAE is illegal and User ends
Stop access; if RES(DAE)=True, User decrypts ET4 in the message and generates random number N3, together with the random number of DAE
The access request of N2 and User uses the session key KDAE obtained after decryption with the target access entity, and User calculates ET5
=E(KDAE,User,N2‖N3‖IDUser‖QUser), calculate MIC3=HMAC(KDAE,User,ET3‖ET5), construct access
The request message ET3‖ET5‖MIC3 is sent to DAE;
f) After DAE receives User's access request, it first decrypts ET3, obtains the session key KDAE, User, and judges that the message is complete according to MIC3
Integrity, if the verification fails, access is denied; if the verification is passed, use KDAE, User to decrypt ET5, and determine that the N2 obtained after decryption is
No is N2 selected by DAE, if not, access is denied; if yes, confirm whether the IDUser obtained after decrypting ET5 is a request for access
The identity of the User asked, if not, deny access; if so, record the current time TC, from TC to (TC TV)
Time is the user’s access validity period. The user can only access network data during this validity period. DAE judges according to ACLUser
User's access request QUser is legal, if not legal, deny access; if legal, generate response data RDAE, together with N3 benefit
Use KDAE, User to calculate ET6=E(KDAE,User,N3‖RDAE), calculate MIC4=HMAC(KDAE,User,ET6), construct access
The response message ET6‖MIC4 is sent to User;
g) After receiving the access response message, the User first judges the integrity of the message according to MIC4.If it is incomplete, discard the message; if it is complete,
Use KDAE, User to decrypt ET6, determine whether the N3 obtained by decryption is the N3 selected by User, if not, discard the message; if
Yes, User saves the response data RDAE, and subsequent access requests and response data between User and DAE are protected by KDAE and User.
6.3 Access control mechanism based on access control list
The access control mechanism based on the access control list is suitable for network access control to all kinds of users. See ISO /IEC 29180.2012 for this mechanism, and the interaction process is shown in Figure 5.
P, indicates that the user authentication is successful; if the PASS ticket received by the entity in the gateway is less than the threshold P, it indicates that the authentication has failed, and finally
Stop the user's access; the threshold P is defined by the network owner, which can be a fixed value of PASS votes, or
It is the proportional value of a PASS ticket, etc.;
2) After the authentication is successful, the entity in the current temporary access control gateway will be based on the user's
The movement direction, movement speed, etc. are measured to the position that the user will reach, and the user will reach
All entities in the single-hop area with the location as the center constitute the next temporary access control gateway. Current temporary
The entity in the access control gateway sends the user authentication success message to the next temporary access control gateway after t time
In the entity, the next temporary access control gateway will be based on whether the number of received user authentication messages reaches the threshold
The value P is used to judge whether the user is successfully authenticated. If the user is still within the validity period VP, and the received user authentication is successful
If the number of messages is greater than or equal to the threshold P, the next temporary access control gateway will recognize the legitimacy of the user and change
After time t, the authentication success message is sent again to the entity in the next new temporary access control gateway. Identified as
Work messages are transmitted in a secure manner between entities.
c) After the user is successfully authenticated, the destination access entity is accessed through the temporary access control gateway, and the process is as follows.
1) After the user is successfully authenticated, an access request message is sent to the temporary access control gateway in a secure manner. The request message includes
Contains access request Q, Q contains the data type requested by the user;
2) After the temporary access control gateway receives the user's access request message, it first determines whether the user identity authentication is passed and the user
Whether it is in the valid period, if the user's identity is authenticated and the identity is in the valid period, the user's
The legality of Q. If it is legal, Q will be sent to the destination entity in a secure manner, and the entity will be deemed
Q The Q forwarded by the control gateway is legal, and an access response message will be generated according to Q, and the response message will be sent to
Temporary access control gateway, which will forward access response messages to users. During the visit, if the user is no longer valid
During the period, or if the user is within the validity period but Q is illegal, the destination access entity will directly discard the user’s Q and terminate the user’s access.
Share
