Skip to product information
1 of 12

PayPal, credit cards. Download editable-PDF and invoice in 1 second!

GM/T 0014-2012 English PDF (GMT0014-2012)

GM/T 0014-2012 English PDF (GMT0014-2012)

Regular price $570.00 USD
Regular price Sale price $570.00 USD
Sale Sold out
Shipping calculated at checkout.
Quotation: 24-hr self-service. Click GM/T 0014-2012
See Chinese contents: GM/T 0014-2012

GM/T 0014-2012: Digital certificate authentication system cryptography protocol specification

This Standard applies to the design, construction, test, operation and management of the digital certificate authentication systems based on cryptographic technology in electronic government affairs/electronic commerce, normalizes the standardized applications of cryptographic protocols in the digital certificate authentication systems, and promotes the interconnection and mutual authentication of the digital certificate authentication system cryptographic protocols. This Standard can be referred to for the construction, operation and management of the digital certificate authentication system cryptographic protocols which are used within organizations or institutions.
GM/T 0014-2012
GM
CRYPTOGRAPHY INDUSTRY STANDARD
OF THE PEOPLE REPUBLIC OF CHINA
ICS 35.040
L 80
RECORD NO.. 38312-2013
Digital certificate authentication system
cryptography protocol specification
ISSUED ON. NOVEMBER 22, 2012
IMPLEMENTED ON. NOVEMBER 22, 2012
Issued by. State Cryptography Administration
Table of Contents
Foreword . 4
Introduction .. 5
1 Scope .. 6
2 Normative references .. 6
3 Terms and definitions .. 7
4 Abbreviations .. 8
5 Related protocols .. 8
5.1 Overview and protocol process .. 8
5.1.1 Content overview . 8
5.1.2 Protocol process .. 9
5.2 Related protocol between CA and KM .. 11
5.2.1 Overview .. 11
5.2.2 Protocol content .. 12
5.2.3 Key application protocol .. 13
5.2.4 Response .. 17
5.3 Related protocols between CA and LDAP . 20
5.3.1 Protocol overview . 20
5.3.2 Distribution protocol . 20
5.4 Related protocol between user and LDAP service . 23
5.4.1 Protocol overview . 23
5.4.2 Certificate inquiry and download protocol .. 29
5.4.3 CRL inquiry and download protocol .. 32
5.5 Related distribution protocol between CA and OCSP/SOCSP .. 33
5.5.1 Certificate status distribution protocol .. 33
5.5.2 SOCSP certificate status inquiry protocol .. 34
5.6 Related protocol between user and OCSP/SOCSP service .. 34
5.6.1 OCSP certificate status inquiry protocol . 34
5.6.2 SOCSP certificate status inquiry protocol .. 41
6 Protocol message syntax .. 42
6.1 Encryption data message. 42
6.2 Digest data message .. 42
6.3 Digital signature message .. 42
6.4 Digital envelope message .. 42
Annex A (Normative) Definitions of systems and formats .. 43
A.1 Certificate template format .. 43
A.2 Certificate revocation list CRL format .. 43
A.3 Encrypted value . 44
A.4 PKI message status code and fault message .. 44
A.5 Certificate identity . 46
A.6 Out-of-band root CA public key . 46
A.7 Archive options .. 47
A.8 Publication information .. 47
Annex B (Informative) Related protocol between RA and CA .. 48
B.1 RA service mode .. 48
B.2 RA frontpage program .. 48
B.3 RA background service program . 49
B.4 Certificate application protocol .. 53
B.5 Certificate revocation protocol .. 57
B.6 Certificate update protocol .. 57
B.7 Certificate freezing protocol .. 58
B.8 Certificate thawing protocol .. 58
B.9 Key recovery protocol . 58
Annex C (Informative) Examples of protocol messages .. 59
C.1 Examples of PKIMessage general protocol .. 59
C.2 Examples of certificate applications and response protocol messages .. 60 C.3 Examples of certificate inquiry download protocol messages .. 67
C.4 Examples of OCSP certificate status inquiry protocol messages .. 70 C.5 Key recovery protocol messages .. 72
Annex D (Normative) Non-real-time distributed certificate protocol process .. 73
Digital certificate authentication system
cryptography protocol specification
1 Scope
This Standard applies to the design, construction, test, operation and
management of the digital certificate authentication systems based on
cryptographic technology in electronic government affairs/electronic commerce, normalizes the standardized applications of cryptographic protocols in the digital certificate authentication systems, and promotes the interconnection and mutual authentication of the digital certificate authentication system
cryptographic protocols. This Standard can be referred to for the construction, operation and management of the digital certificate authentication system cryptographic protocols which are used within organizations or institutions. Meanwhile, this Standard can also provide accurate positioning and standard references regarding products and technologies for security product
manufacturers, improving the credibility and interoperability of security products. 2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition dated applies to this document. For undated references, the latest edition of the referenced
documents (including all amendments) applies to This Standard.
GB/T 16264.8, Information technology - Open systems Interconnection - The directory - Part 8. Public-key and attribute certificate frameworks
GB/T 19713, Information technology - Security techniques - Public key
infrastructure - Online certificate status protocol
GB/T 19714, Information technology - Security technology - Internet public key infrastructure - Certificate management protocol
GB/T 25056, Information security techniques - Specifications of cryptograph and related security technology for certificate authentication system
GB/T 25059, Information security technology - Public Key Infrastructure - Simple Online Certificate Status Protocol
GM/T 0006, Cryptographic application identifier criterion specification GM/T 0009, SM2 Cryptography Algorithm Application Specification
GM/T 0010, SM2 cryptography message syntax specification
GM/T 0015, Digital certificate format based on SM2 algorithm
3 Terms and definitions
3.1
certificate authority revocation list, CARL
A list of CA public certificates whose certificate authority has been revoked, indicating these certificates have been invalid.
3.2
certificate authentication system
A security system through which the whole-process management is conducted for digital certificates within a life cycle.
3.3
certificate path
An ordered sequence of object certificates in a directory information tree. The initial node of path is the public key of the original object to be verified. The public key of the final peak can be obtained through path.
3.4
certificate policy
A specified set of rules which specifies the applicability of certificates to a certain group and/or specific application class having common security
requirements. For example, a certain certificate policy may specify that the applicability of a type of certificates to the authentication of the electronic data processing of commodity transactions under certain price ranges.
3.5
certificate revocation list distribution point
A directory item or distribution source of other certificate revocation lists. A certificate revocation list distributed by a certificate revocation list distribution point, may include the revocation item of a certificate subset in all certificates distributed by a CA.
4 Abbreviations
For the purposes of this Standard, the following abbreviations apply.
DIT Directory information tree
KM Key management
OCSP online certificate status protocol
OID Object identifier
PKCS #1 Public-key cryptography standards (PKCS) # 1 RSA cryptography
PKCS #7 Public-key cryptography standards (PKCS) # 7 cryptographic
message syntax
SOCSP Simple online certificate status protocol
TBS To be signed
5 Related protocols
5.1 Overview and protocol process
5.1.1 Content overview
This Standard gives the related cryptographic protocols of digital certificate authentication systems, which mainly includes security protocols. Any protocol related to interconnection and interworking shall be regarded as standard protocols, e.g. protocols between CA and KM, protocols between RA same- user carriers, certificate authentication, certificate inquiry protocols, etc. need to be unified and normalized, in order to promote the construction of systematic construction of digital certificate authentication system cryptographic protocols. For internal operation protocols not related to interconnection and interworking, this Standard gives basic requirements, provides technical support and tries to make them unified, but they are not compulsory.
The related protocols in this Standard refer to the security protocols which concerns cryptographic techniques in digital certificate authentication systems, especially the security protocols used by certificate authentication systems. These protocols include. security protocols between same RAs at the user terminal; security protocols between RA and CA; security protocols between CA and KM; security protocols between CA and LDAP service; security protocols between CA and OCSP service; security protocols between user?€?s same LDAP services; security protocols between user?€?s same OCSP services, etc.
This Standard gives the content including formats and syntax, which are directly related to protocols. For any content which concerns RSA cryptographic
algorithm, its key structure shall abide by PKCS # 1 specification, and its -- CA identifier;
-- extended request information;
-- signature of request information.
b) Response
It is the processing response of KM to a CA request. The response of KM includes the following data.
-- protocol version (the current version is 2);
-- response identifier;
-- KM identifier;
-- response information;
-- signature of response information.
c) Exception
When any error occurs in the processing of either party of CA system and KM system, an error message needs to be sent to the other party. The errors can be of the following categories.
-- verification request failure. when KM?€?s verification of request data from a CA certificate or CA, CA shall carry out application once again after receiving it; -- internal processing failure. when an error occurs in the process of processing CA request, KM notifies CA of the request processing failure and a re-
application needs to be carried out.
This Standard uses the abstract syntax notation method (ASN.1) to describe the specific protocol content. Unless indicated otherwise, it defaults to using the explicit marks of ASN.1.
5.2.3 Key application protocol
5.2.3.1 Request data format
The basic format of CA request is as follows.
AlgType..= AlgorithmIdentifier, indicates the al...

View full details