PayPal, credit cards. Download editable-PDF & invoice in 1 second!
GM/T 0055-2018 English PDF (GMT0055-2018)
GM/T 0055-2018 English PDF (GMT0055-2018)
Couldn't load pickup availability
GM/T 0055-2018: File cryptographic technical specification
CRYPTOGRAPHIC INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Registration number: 62990-2018
GB/T 0055-2018
File cryptographic technical specification
ISSUED ON: MAY 02, 2018
IMPLEMENTED ON: MAY 02, 2018
Issued by: State Cryptography Administration
Table of Contents
Foreword ... 4
Introduction ... 5
1 Scope ... 6
2 Normative references ... 6
3 Terms and definitions ... 6
4 Abbreviations ... 8
5 Labeling mechanism ... 8
5.1 Overall description ... 8
5.2 System architecture of label-based secured file ... 8
5.3 Label-based security mechanisms ... 10
5.4 Middleware’s processing of secured files ... 10
5.5 Storage method of secured files ... 11
5.6 Binding mechanism of label and file ... 12
6 Cryptographic algorithm and cryptographic service ... 14
6.1 Cryptographic mechanism ... 14
6.3 Basic cryptographic services ... 15
6.4 Personalized cryptographic service ... 15
6.5 Key object ... 16
7 Labels ... 16
7.1 Label structure ... 16
7.2 Label attributes ... 21
8 Basic cryptographic operation ... 31
8.1 Overview ... 31
8.2 Label integrity and establishment of binding relationship ... 31
8.3 Label integrity and verification of binding relationship ... 31
8.4 File signature ... 32
8.5 Adding a file signature ... 32
8.6 Verification of file signature ... 33
8.7 File encryption ... 33
8.8 File decryption ... 33
9 Cryptographic service interface of secured file ... 34
9.1 Definition of constant ... 34
9.2 Definition of structure ... 36
9.3 Composition of interface function and function description ... 44
9.4 Definition of interface function ... 44
Appendix A (Informative) Digital watermark ... 86
Appendix B (Informative) Fingerprint recognition ... 87
File cryptographic technical specification
1 Scope
This standard neither standardize the security of the application system, nor specify specific file types.
This standard is applicable to the relevant standard specifications and applications that focus on the security of file objects. It is also applicable to the development and testing of the middleware of cryptographic service of security electronic files, which can be used to guide the development of application systems using this middleware.
2 Normative references
The following documents are essential to the application of this document. For the dated documents, only the versions with the dates indicated are applicable to this document; for the undated documents, only the latest version (including all the amendments) are applicable to this standard.
GM/T 0009 SM2 Cryptography algorithm application specification
GM/T 0015 Digital certificate format based on SM2 algorithm
GM/T 0017 Smart token cryptography application interface data format
specification
GM/T 0019 Universal cryptography service interface specification
GM/T 0031 Secure electronic stamp cryptography technical specification
PKCS # 1 RSA Cryptography Standard
PKCS # 5 Password-based Encryption Standard
3 Terms and definitions
The following terms and definitions apply to this document.
3.1
Application system
file circulation, rights management; security management services such as behavior records.
4 Abbreviations
The following abbreviations apply to this document.
API: Application Programming Interface
ASN.1: Abstract Syntax Notation One
CBC: Cipher-book Chain
CFB: Cipher Feedback
ECB: Electronic Codebook
FAR: False Accept Rate
OFB: Output Feedback
PKCS: The Public-Key Cryptography Standard
PKI: Public Key Infrastructure
5 Labeling mechanism
5.1 Overall description
This standard uses cryptographic techniques to ensure the confidentiality, integrity, validity, non-repudiation of files; abstracts and integrates the cryptographic services required by the application system. A labeling
mechanism has been designed in this standard, to address security issues throughout the life cycle of the file.
5.2 System architecture of label-based secured file
The label-based secured file system includes application systems, middleware, basic cryptographic services, personalized cryptographic services, as shown in Figure 1. The basic cryptographic services are divided into two categories according to the usage environment. One is the cryptographic service which complies with GM/T 0019, the cryptographic service is provided for the
application layer. The other is the cryptographic service which complies with GM/T 0017. The service is provided for the kernel layer.
fingerprint recognition are implemented by the personalized cryptographic service. The service interface provided by the middleware is as detailed in Chapter 9.
5.3 Label-based security mechanisms
In the label-based security mechanism, a secured file consists of two parts: a file and a label. A file is the result of the original file or the cryptographic processing of the original file. The label refers to the original label or the result of cryptographic processing of the original label. There is a unique binding between files and labels throughout the lifecycle of a secured file. Labels can only be processed by middleware. The label consists of a label header and a label body that can be encrypted.
Labels are the basis for the operation of secured files. They describe the attributes of secured files, including mainly the signature attributes, privilege attributes, stamp attributes, watermark attributes, fingerprint attributes, identification attributes, content attributes, extension attributes, log attributes, etc.
The privilege attribute specifies the cryptographic processing and operation privileges of the secured file, such as the cryptographic processing method including encryption, signature, adding stamp, adding watermark, fingerprint recognition, as well as operation privileges including reading, writing, printing, etc.
The identification attribute describes the number, creator, creation time of the secured file. The identification attribute cannot be changed when the label is created.
The content attribute describes the basic information of a secured file, such as the basic information including the original file name, original file date, file type, file modification time.
The extension attributes are reserved attributes that are used by the application system to define its own various attributes.
The log attribute records the actions the operator has made on the secured file, such as the type of operation, the operator, the time of operation, and so on. 5.4 Middleware’s processing of secured files
The middleware provides services to the application system according to the request/response mode. After the application system issues an operation request to the middleware, the middleware performs processing as follows: creator: The serial number of the encryption certificate of the label creator; createTime: The time when the label was created, which is the system time; lastAccessTime: The time of the last write operation to the label, which is the system time.
The ASN.1 definition of label’s signature attribute:
SignAttribute: : = SEQUENCE {
Signer Certificate, -- Signature certificate
signAlg ObjectIdentifier, -- Algorithm identifier
signature BIT STRING -- Signature value
Where:
signer: The signer's signature certificate, following the definition of ASN.1 in GM/T 0015;
signAlg: The signature algorithm’s identifier;
signature: The result of the signature of all the contents of the label except the signature value attribute.
The ASN.1 definition of label encryption attribute:
EncryptionAttribute: : = SEQUENCE {
algorithmID ObjectIdentifier, -- Algorithm identifier
algMode INTEGER, -- Algorithm mode
numBits INTEGER, -- Number of feedback bits
decryptorList DECRYPTLIST -- List of decryptors
Where:
algorithmID: Algorithm identifier.
DECRYPTLIST: : = SEQUENCE{
DecryptorSet
The privilege attribute defines the operation privilege for the file. The ASN.1 definition of the privilege attribute:
PrivAttr:: = SEQUENCE {
OPERATORLIST -- List of operator privileges
OPERATORLIST: : = SET OF Operator Attribute
The ASN.1 definition of operator privilege attribute is as follows:
OperatorAttribute: : = SEQUENCE {
operator Decryptor,
privilege SEQUENCE
Where:
operator: The structure is the same as the ASN.1 definition of Decryptor in "7.1.1.2" of this standard.
ASN.1 definition of operator privileges:
privilege: : = SEQUENCE {
cert Certificate, -- The user certificate for this privilege
read BOOLEAN, -- Read privilege
totalRead INTEGER, -- The number of times readable
alreadyRead INTEGER, -- The number of times read
write BOOLEAN, -- Write privilege
delete BOOLEAN, -- Delete privileges
print BOOLEAN, -- Print privilege
totalPrint INTEGER, -- The number of copies printable
alreadyPrint INTEGER, -- The number of copies printed
expri EXPRIVILEGE optional -- Extension privilege
The ASN.1 definition of content attributes:
Content Attribute : : = SEQUENCE {
fileType INTEGER, -- File type
fileLevel INTEGER, -- File level
fileSize INTEGER, -- File size
fileName UTF8String, -- Filename
fileTitle UTF8String, -- File title
fileDate GeneralizedTime, -- The last modification date of the file
expiredDate GeneralizedTime, -- The expiration date
desuetudeDate GeneralizedTime, -- The revocation date
destroyData GeneralizedTime -- The destruction date
Where:
fileType: The file type, the specific meaning is defined by the application; fileLevel: The file level, the specific meaning is defined by the application; fileSize: The number of bytes in the plaintext of the file;
fileName: The file name;
fileTitle: The file title;
fileDate: The last modification date of the file;
expiredDate: The expiration date of the file. If the file exceeds the date, the file will be invalid and cannot be modified, but only be read.
desuetudeDate: The date the file was invalidated during the validity period of the file;
destroyData: The date the file is destroyed. After it expires, the file cannot be read.
7.2.8 Identity attributes
The identity attribute is the unique identifier of the file. The identity is determined 8 Basic cryptographic operation
8.1 Overview
Basic cryptographic operations refer to the various common cryptographic operations that middleware implements on labels and files. The validity of digital certificate used in the middleware cryptographic operation is ensured by the application system, then it can perform cryptographic operation.
8.2 Label integrity and establishment of binding relationship
This is required when the label is established and updated. The process is as follows:
a) Obtain an algorithm identifier (algorithmID) from the signature attribute (SFL_Head:signAttr) of the label header;
b) Use the hash algorithm as specified in the algorithm identifier to calculate the abstract of all label contents except for the signature value of the label header;
c) Use the public key algorithm as specified in the algorithm identifier and the private key of the operator signature to carry out digital signature for the abstract as generated in the step b);
d) Fill the signature value in the signature attribute (SFL_Head: signAttr) of the label header;
e) If the encryption attribute (SFL_Head: encryptionAttr) of the label header is not empty, use the block cipher algorithm as specified in the algorithm identifier to encrypt the entire label body. The encryption key is randomly generated. Use the public key algorithm as specified in the algorithm
identifier and the operator's encrypted public key to generate a digital envelope, which is stored in the decryptor list (SFL_ Head: encryptionAttr: decryptorList) of the encryption attribute of the label header.
8.3 Label integrity and verification of binding relationship
The middleware shall perform this verification operation before operating the secured file. The process is as follows:
a) Obtain an algorithm identifier (algorithmID) from the signature attribute (SFL_Head:signAttr) of the label header;
9.3 Composition of interface function and function description
9.3.1 Overview
The interface function consists of the following parts:
a) Initialization function;
b) Label and file operation functions;
c) Attribute operation function;
d) Password initialization function.
9.3.2 Initialization function
Initialize the function user system’s initial parameter settings and device connections, etc.
9.3.3 Label and file operation functions
The label operation function opens, reads, modifies, saves, closes the user label, meanwhile processes the encryption and decryption operations of the file. 9.3.4 Attribute operation functions
Add, modify, delete, obtain the label attributes.
9.3.5 Cryptographic operation function
The cryptographic operation function is used to encrypt, decrypt, sign and verify the segmented data blocks.
9.4 Definition of interface function
9.4.1 Initialization function
9.4.1.1 Overview
The initialization function includes the following specific functions:
Non-0: Failed, return error code, wherein the definition of error code is as shown in Table 3.
9.4.2 Function of label and file operations
9.4.2.1 Overview
Label and file operations include the following specific functions:
a) Open the secured file label memory: SFF_OpenSFLB
b) Read the external secured file memory: SFF_ExternalReadSFB
c) Read internal secured file memory: SFF_InternalReadSFB
d) Modify the external secured file memory: SFF_ExternalWriteSFB
e) Modify the internal secured file memory: SFF_InternalWriteSFB
f) Add file signature: SFF_AddSignAttr
g) Save secured file memory: SFF_SaveSFLB
h) Open secured file label: SFF_OpenSFL
i) Read external secured file: SFF_ExternalReadSF
j) Read internal secured file: SFF_InternalReadSF
k) Modify external secured file: SFF_ExternalWriteSF
l) Modify internal secured file: SFF_InternalWriteSF
m) Save secured file: SFF_SaveSFL
n) Close secured file: SFF_CloseSFL
o) Generate electronic signature: SFF_Stamp
p) Verify electronic signature: SFF_VerifyStamp
q) Add watermark: SFF_SetWaterMarkInfo
r) Extract watermark: SFF_GetWaterMarkInfo
s) Release watermark attribute memory: SFF_FreetWaterMarkInfo
9.4.2.2 Open secured file label memory
Prototype: int SFF_OpenSFLB(IN const SToken * pToken,
Description: Add the signature of the file to the end of the signature collection. Parameters:
IN HSFL: Label handle, returned by SFF_OpenSFL or SFF_OpenSFLB.
Return value:
0: Success.
Non-0: Failed.
9.4.2.8 Save secured file memory
Prototype: int SFL_API SFF_SaveSFLB (IN HSFL hSfl,
OUT FileBuffer * pSFLBuffer);
Description:
a) If it is internal, encrypt the plaintext data;
b) Sign the label body;
c) Encrypt the label body;
d) Generate labels.
Parameters:
IN hSfl: Label handle, returned by SFF_OpenSFL or SFF_OpenSFLB;
OUT pSFLBuffer: Label data.
Return value:
0: Success.
Non-0: Failed, return error code, wherein the definition of error code is as shown in Table 3.
9.4.2.9 Open security electronic file label
Prototype: int SFL_API SFF_OpenSFL(IN const SToken * pToken,
IN const char * pszSFL,
OUT HSFL * phSfl);
Description:
Non-0: Failed, return error code, wherein the definition of error code is as shown in Table 3.
9.4.2.11 Read internal secured files
Prototype: int SFL_API SFF_InternalReadSF(IN HSFL hSfl,
IN const char * pszDstFile);
Description:
a) Determine user privileges;
b) Obtain ciphertext from the internal label;
c) Decrypt the ciphertext file.
Parameters:
IN hSfl: Label handle, returned by SFF_OpenSFL or SFF_OpenSFLB;
IN pszDstFile: The plaintext file after decryption.
Return value:
0: Success.
Non-0: Failed, return error code, wherein the definition of error code is as shown in Table 3.
9.4.2.12 Modify external secured file
Prototype: int SFL.API SFF_ExternalWriteSF(IN HSFL hSfl,
IN const char * pszSrcFile,
IN const char * pszDstFile)
Description:
a) Determine user privileges;
b) Encrypt plaintext files.
Parameters:
IN hSfl: Label handle, returned by SFF_OpenSFL or SFF_OpenSFLB;
IN pszSrcFile: New plaintext file;
OUT WaterMarkAttr ** ppAttr);
Description: Extract the watermark attributes.
Parameters:
IN hSfl: Label handle, returned by SFF_OpenSFL or SFF_OpenSFLB;
OUT ppAttr: Returns the watermark attribute.
Return value:
0: Success.
Non-0: Failed, return error code, wherein the definition of error code is as shown in Table 3.
9.4.2.20 Release watermark attribute memory
Prototype: int SFL_API SFF_FreetWaterMarklnfo(IN WaterMarkAttr * pAttr); Description: Release the watermark attribute memory.
Parameters:
IN pAttr: Watermark attribute.
Return value:
0: Success.
Non-0: Failed, return error code, wherein the definition of error code is as shown in Table 3.
9.4.3 Attribute operation interface
9.4.3.1 Overview
Attribute operations include the following specific functions:
a) Set algorithm attribute: SFF_SetAlgAttr
b) Get algorithm attribute: SFF_GetAlgAttr
c) Add privilege attribute: SFF_AddPrivilegeAttr
d) Get privilege attribute: SFF_GetPrivilegeAttr
e) Get the number of privileges: SFF_GetPrivilegeCount
ff) Add the extension attribute: SFF_AddExtendAttr
gg) Get the extension attribute: SFF_GetExtendAttr
hh) Get the number of extension attributes: SFF_GetExtendCount
ii) Get the extension attribute by serial number: SFF_GetExtend
jj) Delete extension attributes: SFF_DelExtendAttr
kk) Release extension attribute memory: SFF_FreeExAttr
ll) Add file operation log: SFF_AddLogAttr
mm) Get the number of logs: SFF_GetLogCount
nn) Get the log: SFF_GetLogAttr
oo) Delete all logs: SFF_DelAlLogAttr
pp) Release the log memory: SFF_FreeLogAttr
qq) Set the stamp attribute; SFF_SetStampInfo
rr) Get the stamp attribute: SFF_GetStampInfo
ss) Release stamp attribute memory: SFF_FreetStampInfo
tt) Set the fingerprint attribute: SFF_SetFingerPrintInfo
uu) Get the fingerprint attribute: SFF_GetFingerPrintInfo
vv) Release fingerprint attribute structure memory: SFF_FreeFingerPrintInf ww) Get the label attribute by the ID: SFF_GetAttribute
xx) Set the label attribute by the ID: SFF_SetAttribute
yy) Release label attribute memory: SFF_FreeAttribute
zz) Set the label size: SFF_SetLabelSize
aaa) Get the label size: SFF_GetLabelSize
9.4.3.2 Set algorithm attribute
Prototype: int SFL_API SFF_SetAlgAttr(IN HSFL hSfl,
IN const lAlgAttr * pAttr);
Description:
Prototype: void SFL_API SFF_FreePrivilegeAttr(IN IPrivilegeAttr * pAttr); Description: Release the privilege memory.
Parameters:
IN pAttr: The privilege structure to be released.
Return value:
0: Success.
Non-0: Failed, return error code, wherein the definition of error code is as shown in Table 3.
9.4.3.9 Set...
Share











