1
/
of
12
www.ChineseStandard.us -- Field Test Asia Pte. Ltd.
GM/T 0055-2018 English PDF (GM/T0055-2018)
GM/T 0055-2018 English PDF (GM/T0055-2018)
Regular price
$490.00
Regular price
Sale price
$490.00
Unit price
/
per
Shipping calculated at checkout.
Couldn't load pickup availability
GM/T 0055-2018: File cryptographic technical specification
Delivery: 9 seconds. Download (& Email) true-PDF + Invoice.
Get Quotation: Click GM/T 0055-2018 (Self-service in 1-minute)
Historical versions (Master-website): GM/T 0055-2018
Preview True-PDF (Reload/Scroll-down if blank)
GM/T 0055-2018
CRYPTOGRAPHIC INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Registration number: 62990-2018
GB/T 0055-2018
File cryptographic technical specification
ISSUED ON: MAY 02, 2018
IMPLEMENTED ON: MAY 02, 2018
Issued by: State Cryptography Administration
Table of Contents
Foreword ... 4
Introduction ... 5
1 Scope ... 6
2 Normative references ... 6
3 Terms and definitions ... 6
4 Abbreviations ... 8
5 Labeling mechanism ... 8
5.1 Overall description ... 8
5.2 System architecture of label-based secured file ... 8
5.3 Label-based security mechanisms ... 10
5.4 Middleware’s processing of secured files ... 10
5.5 Storage method of secured files ... 11
5.6 Binding mechanism of label and file ... 12
6 Cryptographic algorithm and cryptographic service ... 14
6.1 Cryptographic mechanism ... 14
6.3 Basic cryptographic services ... 15
6.4 Personalized cryptographic service ... 15
6.5 Key object ... 16
7 Labels ... 16
7.1 Label structure ... 16
7.2 Label attributes ... 21
8 Basic cryptographic operation ... 31
8.1 Overview ... 31
8.2 Label integrity and establishment of binding relationship ... 31
8.3 Label integrity and verification of binding relationship ... 31
8.4 File signature ... 32
8.5 Adding a file signature ... 32
8.6 Verification of file signature ... 33
8.7 File encryption ... 33
8.8 File decryption ... 33
9 Cryptographic service interface of secured file ... 34
9.1 Definition of constant ... 34
9.2 Definition of structure ... 36
9.3 Composition of interface function and function description ... 44
9.4 Definition of interface function ... 44
Appendix A (Informative) Digital watermark ... 86
Appendix B (Informative) Fingerprint recognition ... 87
File cryptographic technical specification
1 Scope
This standard neither standardize the security of the application system, nor
specify specific file types.
This standard is applicable to the relevant standard specifications and
applications that focus on the security of file objects. It is also applicable to the
development and testing of the middleware of cryptographic service of security
electronic files, which can be used to guide the development of application
systems using this middleware.
2 Normative references
The following documents are essential to the application of this document. For
the dated documents, only the versions with the dates indicated are applicable
to this document; for the undated documents, only the latest version (including
all the amendments) are applicable to this standard.
GM/T 0009 SM2 Cryptography algorithm application specification
GM/T 0015 Digital certificate format based on SM2 algorithm
GM/T 0017 Smart token cryptography application interface data format
specification
GM/T 0019 Universal cryptography service interface specification
GM/T 0031 Secure electronic stamp cryptography technical specification
PKCS # 1 RSA Cryptography Standard
PKCS # 5 Password-based Encryption Standard
3 Terms and definitions
The following terms and definitions apply to this document.
3.1
Application system
file circulation, rights management; security management services such as
behavior records.
4 Abbreviations
The following abbreviations apply to this document.
API: Application Programming Interface
ASN.1: Abstract Syntax Notation One
CBC: Cipher-book Chain
CFB: Cipher Feedback
ECB: Electronic Codebook
FAR: False Accept Rate
OFB: Output Feedback
PKCS: The Public-Key Cryptography Standard
PKI: Public Key Infrastructure
5 Labeling mechanism
5.1 Overall description
This standard uses cryptographic techniques to ensure the confidentiality,
integrity, validity, non-repudiation of files; abstracts and integrates the
cryptographic services required by the application system. A labeling
mechanism has been designed in this standard, to address security issues
throughout the life cycle of the file.
5.2 System architecture of label-based secured file
The label-based secured file system includes application systems, middleware,
basic cryptographic services, personalized cryptographic services, as shown in
Figure 1. The basic cryptographic services are divided into two categories
according to the usage environment. One is the cryptographic service which
complies with GM/T 0019, the cryptographic service is provided for the
application layer. The other is the cryptographic service which complies with
GM/T 0017. The service is provided for the kernel layer.
fingerprint recognition are implemented by the personalized cryptographic
service. The service interface provided by the middleware is as detailed in
Chapter 9.
5.3 Label-based security mechanisms
In the label-based security mechanism, a secured file consists of two parts: a
file and a label. A file is the result of the original file or the cryptographic
processing of the original file. The label refers to the original label or the result
of cryptographic processing of the original label. There is a unique binding
between files and labels throughout the lifecycle of a secured file. Labels can
only be processed by middleware. The label consists of a label header and a
label body that can be encrypted.
Labels are the basis for the operation of secured files. They describe the
attributes of secured files, including mainly the signature attributes, privilege
attributes, stamp attributes, watermark attributes, fingerprint attributes,
identification attributes, content attributes, extension attributes, log attributes,
etc.
The privilege attribute specifies the cryptographic processing and operation
privileges of the secured file, such as the cryptographic processing method
including encryption, signature, adding stamp, adding watermark, fingerprint
recognition, as well as operation privileges including reading, writing, printing,
etc.
The identification attribute describes the number, creator, creation time of the
secured file. The identification attribute cannot be changed when the label is
created.
The content attribute describes the basic information of a secured file, such as
the basic information including the original file name, original file date, file type,
file modification time.
The extension attributes are reserved attributes that are used by the application
system to define its own various attributes.
The log attribute records the actions the operator has made on the secured file,
such as the type of operation, the operator, the time of operation, and so on.
5.4 Middleware’s processing of secured files
The middleware provides services to the application system according to the
request/response mode. After the application system issues an operation
request to the middleware, the middleware performs processing as follows:
creator: The serial number of the encryption certificate of the label creator;
createTime: The time when the label was created, which is the system time;
lastAccessTime: The time of the last write operation to the label, which is the
system time.
The ASN.1 definition of label’s signature attribute:
SignAttribute: : = SEQUENCE {
Signer Certificate, -- Signature certificate
signAlg ObjectIdentifier, -- Algorithm identifier
signature BIT STRING -- Signature value
Where:
signer: The signer's signature certificate, following the definition of ASN.1 in
GM/T 0015;
signAlg: The signature algorithm’s identifier;
signature: The result of the signature of all the contents of the label except the
signature value attribute.
The ASN.1 definition of label encryption attribute:
EncryptionAttribute: : = SEQUENCE {
algorithmID ObjectIdentifier, -- Algorithm identifier
algMode INTEGER, -- Algorithm mode
numBits INTEGER, -- Number of feedback bits
decryptorList DECRYPTLIST -- List of decryptors
Where:
algorithmID: Algorithm identifier.
DECRYPTLIST: : = SEQUENCE{
DecryptorSet
The privilege attribute defines the operation privilege for the file. The ASN.1
definition of the privilege attribute:
PrivAttr:: = SEQUENCE {
OPERATORLIST -- List of operator privileges
OPERATORLIST: : = SET OF Operator Attribute
The ASN.1 definition of operator privilege attribute is as follows:
OperatorAttribute: : = SEQUENCE {
operator Decryptor,
privilege SEQUENCE
Where:
operator: The structure is the same as the ASN.1 definition of Decryptor in
"7.1.1.2" of this standard.
ASN.1 definition of operator privileges:
privilege: : = SEQUENCE {
cert Certificate, -- The user certificate for this privilege
read BOOLEAN, -- Read privilege
totalRead INTEGER, -- The number of times readable
alreadyRead INTEGER, -- The number of times read
write BOOLEAN, -- Write privilege
delete BOOLEAN, -- Delete privileges
print BOOLEAN, -- Print privilege
totalPrint INTEGER, -- The number of copies printable
alreadyPrint INTEGER, -- The number of copies printed
expri EXPRIVILEGE optional -- Extension privilege
The ASN.1 definition of content attributes:
Content Attribute : : = SEQUENCE {
fileType INTEGER, -- File type
fileLevel INTEGER, -- File level
fileSize INTEGER, -- File size
fileName UTF8String, -- Filename
fileTitle UTF8String, -- File title
fileDate GeneralizedTime, -- The last modification date of the file
expiredDate GeneralizedTime, -- The expiration date
desuetudeDate GeneralizedTime, -- The revocation date
destroyData GeneralizedTime -- The destruction date
Where:
fileType: The file type, the specific meaning is defined by the application;
fileLevel: The file level, the specific meaning is defined by the application;
fileSize: The number of bytes in the plaintext of the file;
fileName: The file name;
fileTitle: The file title;
fileDate: The last modification date of the file;
expiredDate: The expiration date of the file. If the file exceeds the date, the file
will be invalid and cannot be modified, but only be read.
desuetudeDate: The date the file was invalidated during the validity period of
the file;
destroyData: The date the file is destroyed. After it expires, the file cannot be
read.
7.2.8 Identity attributes
The identity attribute is the unique identifier of the file. The identity is determined
8 Basic cryptographic operation
8.1 Overview
Basic cryptographic operations refer to the various common cryptographic
operations that middleware implements on labels and files. The validity of digital
certificate used in the middleware cryptographic operation is ensured by the
application system, then it can perform cryptographic operation.
8.2 Label integrity and establishment of binding relationship
This is required when the label is established and updated. The process is as
follows:
a) Obtain an algorithm identifier (algorithmID) from the signature attribute
(SFL_Head:signAttr) of the label header;
b) Use the hash algorithm as specified in the algorithm identifier to calculate
the abstract of all label contents except for the signature value of the label
header;
c) Use the public key algorithm as specified in the algorithm identifier and the
private key of the operator signature to carry out digital signature for the
abstract as generated in the step b);
d) Fill the signature value in the signature attribute (SFL_Head: signAttr) of
the label header;
e) If the encryption attribute (SFL_Head: encryptionAttr) of the label header
is not empty, use the block cipher algorithm as specified in the algorithm
identifier to encrypt the entire label body. The encryption key is randomly
generated. Use the public key algorithm as specified in the algorithm
identifier and the operator's encrypted public key to generate a digital
envelope, which is stored in the decryptor list (SFL_ Head: encryptionAttr:
decryptorList) of the encryption attribute of the label header.
8.3 Label integrity and verification of binding relationship
The middleware shall perform this verification operation before operating the
secured file. The process is as follows:
a) Obtain an algorithm identifier (algorithmID) from the signature attribute
(SFL_Head:signAttr) of the label header;
9.3 Composition of interface function and function description
9.3.1 Overview
The interface function consists of the following parts:
a) Initialization function;
b) Label and file operation functions;
c) Attribute operation function;
d) Password initialization function.
9.3.2 Initialization function
Initialize the function user system’s initial parameter settings and device
connections, etc.
9.3.3 Label and file operation functions
The label operation function opens, reads, modifies, saves, closes the user
label, meanwhile processes the encryption and decryption operations of the file.
9.3.4 Attribute operation functions
Add, modify, delete, obtain the label attributes.
9.3.5 Cryptographic operation function
The cryptographic operation function is used to encrypt, decrypt, sign and verify
the segmented data blocks.
9.4 Definition of interface function
9.4.1 Initialization function
9.4.1.1 Overview
The initialization function includes the following specific functions:
Non-0: Failed, return error code, wherein the definition of error code is
as shown in Table 3.
9.4.2 Function of label and file operations
9.4.2.1 Overview
Label and file operations include the following specific functions:
a) Open the secured file label memory: SFF_OpenSFLB
b) Read the external secured file memory: SFF_ExternalReadSFB
c) Read internal secured file memory: SFF_InternalReadSFB
d) Modify the external secured file memory: SFF_ExternalWriteSFB
e) Modify the internal secured file memory: SFF_InternalWriteSFB
f) Add file signature: SFF_AddSignAttr
g) Save secured file memory: SFF_SaveSFLB
h) Open secured file label: SFF_OpenSFL
i) Read external secured file: SFF_ExternalReadSF
j) Read internal se...
Delivery: 9 seconds. Download (& Email) true-PDF + Invoice.
Get Quotation: Click GM/T 0055-2018 (Self-service in 1-minute)
Historical versions (Master-website): GM/T 0055-2018
Preview True-PDF (Reload/Scroll-down if blank)
GM/T 0055-2018
CRYPTOGRAPHIC INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Registration number: 62990-2018
GB/T 0055-2018
File cryptographic technical specification
ISSUED ON: MAY 02, 2018
IMPLEMENTED ON: MAY 02, 2018
Issued by: State Cryptography Administration
Table of Contents
Foreword ... 4
Introduction ... 5
1 Scope ... 6
2 Normative references ... 6
3 Terms and definitions ... 6
4 Abbreviations ... 8
5 Labeling mechanism ... 8
5.1 Overall description ... 8
5.2 System architecture of label-based secured file ... 8
5.3 Label-based security mechanisms ... 10
5.4 Middleware’s processing of secured files ... 10
5.5 Storage method of secured files ... 11
5.6 Binding mechanism of label and file ... 12
6 Cryptographic algorithm and cryptographic service ... 14
6.1 Cryptographic mechanism ... 14
6.3 Basic cryptographic services ... 15
6.4 Personalized cryptographic service ... 15
6.5 Key object ... 16
7 Labels ... 16
7.1 Label structure ... 16
7.2 Label attributes ... 21
8 Basic cryptographic operation ... 31
8.1 Overview ... 31
8.2 Label integrity and establishment of binding relationship ... 31
8.3 Label integrity and verification of binding relationship ... 31
8.4 File signature ... 32
8.5 Adding a file signature ... 32
8.6 Verification of file signature ... 33
8.7 File encryption ... 33
8.8 File decryption ... 33
9 Cryptographic service interface of secured file ... 34
9.1 Definition of constant ... 34
9.2 Definition of structure ... 36
9.3 Composition of interface function and function description ... 44
9.4 Definition of interface function ... 44
Appendix A (Informative) Digital watermark ... 86
Appendix B (Informative) Fingerprint recognition ... 87
File cryptographic technical specification
1 Scope
This standard neither standardize the security of the application system, nor
specify specific file types.
This standard is applicable to the relevant standard specifications and
applications that focus on the security of file objects. It is also applicable to the
development and testing of the middleware of cryptographic service of security
electronic files, which can be used to guide the development of application
systems using this middleware.
2 Normative references
The following documents are essential to the application of this document. For
the dated documents, only the versions with the dates indicated are applicable
to this document; for the undated documents, only the latest version (including
all the amendments) are applicable to this standard.
GM/T 0009 SM2 Cryptography algorithm application specification
GM/T 0015 Digital certificate format based on SM2 algorithm
GM/T 0017 Smart token cryptography application interface data format
specification
GM/T 0019 Universal cryptography service interface specification
GM/T 0031 Secure electronic stamp cryptography technical specification
PKCS # 1 RSA Cryptography Standard
PKCS # 5 Password-based Encryption Standard
3 Terms and definitions
The following terms and definitions apply to this document.
3.1
Application system
file circulation, rights management; security management services such as
behavior records.
4 Abbreviations
The following abbreviations apply to this document.
API: Application Programming Interface
ASN.1: Abstract Syntax Notation One
CBC: Cipher-book Chain
CFB: Cipher Feedback
ECB: Electronic Codebook
FAR: False Accept Rate
OFB: Output Feedback
PKCS: The Public-Key Cryptography Standard
PKI: Public Key Infrastructure
5 Labeling mechanism
5.1 Overall description
This standard uses cryptographic techniques to ensure the confidentiality,
integrity, validity, non-repudiation of files; abstracts and integrates the
cryptographic services required by the application system. A labeling
mechanism has been designed in this standard, to address security issues
throughout the life cycle of the file.
5.2 System architecture of label-based secured file
The label-based secured file system includes application systems, middleware,
basic cryptographic services, personalized cryptographic services, as shown in
Figure 1. The basic cryptographic services are divided into two categories
according to the usage environment. One is the cryptographic service which
complies with GM/T 0019, the cryptographic service is provided for the
application layer. The other is the cryptographic service which complies with
GM/T 0017. The service is provided for the kernel layer.
fingerprint recognition are implemented by the personalized cryptographic
service. The service interface provided by the middleware is as detailed in
Chapter 9.
5.3 Label-based security mechanisms
In the label-based security mechanism, a secured file consists of two parts: a
file and a label. A file is the result of the original file or the cryptographic
processing of the original file. The label refers to the original label or the result
of cryptographic processing of the original label. There is a unique binding
between files and labels throughout the lifecycle of a secured file. Labels can
only be processed by middleware. The label consists of a label header and a
label body that can be encrypted.
Labels are the basis for the operation of secured files. They describe the
attributes of secured files, including mainly the signature attributes, privilege
attributes, stamp attributes, watermark attributes, fingerprint attributes,
identification attributes, content attributes, extension attributes, log attributes,
etc.
The privilege attribute specifies the cryptographic processing and operation
privileges of the secured file, such as the cryptographic processing method
including encryption, signature, adding stamp, adding watermark, fingerprint
recognition, as well as operation privileges including reading, writing, printing,
etc.
The identification attribute describes the number, creator, creation time of the
secured file. The identification attribute cannot be changed when the label is
created.
The content attribute describes the basic information of a secured file, such as
the basic information including the original file name, original file date, file type,
file modification time.
The extension attributes are reserved attributes that are used by the application
system to define its own various attributes.
The log attribute records the actions the operator has made on the secured file,
such as the type of operation, the operator, the time of operation, and so on.
5.4 Middleware’s processing of secured files
The middleware provides services to the application system according to the
request/response mode. After the application system issues an operation
request to the middleware, the middleware performs processing as follows:
creator: The serial number of the encryption certificate of the label creator;
createTime: The time when the label was created, which is the system time;
lastAccessTime: The time of the last write operation to the label, which is the
system time.
The ASN.1 definition of label’s signature attribute:
SignAttribute: : = SEQUENCE {
Signer Certificate, -- Signature certificate
signAlg ObjectIdentifier, -- Algorithm identifier
signature BIT STRING -- Signature value
Where:
signer: The signer's signature certificate, following the definition of ASN.1 in
GM/T 0015;
signAlg: The signature algorithm’s identifier;
signature: The result of the signature of all the contents of the label except the
signature value attribute.
The ASN.1 definition of label encryption attribute:
EncryptionAttribute: : = SEQUENCE {
algorithmID ObjectIdentifier, -- Algorithm identifier
algMode INTEGER, -- Algorithm mode
numBits INTEGER, -- Number of feedback bits
decryptorList DECRYPTLIST -- List of decryptors
Where:
algorithmID: Algorithm identifier.
DECRYPTLIST: : = SEQUENCE{
DecryptorSet
The privilege attribute defines the operation privilege for the file. The ASN.1
definition of the privilege attribute:
PrivAttr:: = SEQUENCE {
OPERATORLIST -- List of operator privileges
OPERATORLIST: : = SET OF Operator Attribute
The ASN.1 definition of operator privilege attribute is as follows:
OperatorAttribute: : = SEQUENCE {
operator Decryptor,
privilege SEQUENCE
Where:
operator: The structure is the same as the ASN.1 definition of Decryptor in
"7.1.1.2" of this standard.
ASN.1 definition of operator privileges:
privilege: : = SEQUENCE {
cert Certificate, -- The user certificate for this privilege
read BOOLEAN, -- Read privilege
totalRead INTEGER, -- The number of times readable
alreadyRead INTEGER, -- The number of times read
write BOOLEAN, -- Write privilege
delete BOOLEAN, -- Delete privileges
print BOOLEAN, -- Print privilege
totalPrint INTEGER, -- The number of copies printable
alreadyPrint INTEGER, -- The number of copies printed
expri EXPRIVILEGE optional -- Extension privilege
The ASN.1 definition of content attributes:
Content Attribute : : = SEQUENCE {
fileType INTEGER, -- File type
fileLevel INTEGER, -- File level
fileSize INTEGER, -- File size
fileName UTF8String, -- Filename
fileTitle UTF8String, -- File title
fileDate GeneralizedTime, -- The last modification date of the file
expiredDate GeneralizedTime, -- The expiration date
desuetudeDate GeneralizedTime, -- The revocation date
destroyData GeneralizedTime -- The destruction date
Where:
fileType: The file type, the specific meaning is defined by the application;
fileLevel: The file level, the specific meaning is defined by the application;
fileSize: The number of bytes in the plaintext of the file;
fileName: The file name;
fileTitle: The file title;
fileDate: The last modification date of the file;
expiredDate: The expiration date of the file. If the file exceeds the date, the file
will be invalid and cannot be modified, but only be read.
desuetudeDate: The date the file was invalidated during the validity period of
the file;
destroyData: The date the file is destroyed. After it expires, the file cannot be
read.
7.2.8 Identity attributes
The identity attribute is the unique identifier of the file. The identity is determined
8 Basic cryptographic operation
8.1 Overview
Basic cryptographic operations refer to the various common cryptographic
operations that middleware implements on labels and files. The validity of digital
certificate used in the middleware cryptographic operation is ensured by the
application system, then it can perform cryptographic operation.
8.2 Label integrity and establishment of binding relationship
This is required when the label is established and updated. The process is as
follows:
a) Obtain an algorithm identifier (algorithmID) from the signature attribute
(SFL_Head:signAttr) of the label header;
b) Use the hash algorithm as specified in the algorithm identifier to calculate
the abstract of all label contents except for the signature value of the label
header;
c) Use the public key algorithm as specified in the algorithm identifier and the
private key of the operator signature to carry out digital signature for the
abstract as generated in the step b);
d) Fill the signature value in the signature attribute (SFL_Head: signAttr) of
the label header;
e) If the encryption attribute (SFL_Head: encryptionAttr) of the label header
is not empty, use the block cipher algorithm as specified in the algorithm
identifier to encrypt the entire label body. The encryption key is randomly
generated. Use the public key algorithm as specified in the algorithm
identifier and the operator's encrypted public key to generate a digital
envelope, which is stored in the decryptor list (SFL_ Head: encryptionAttr:
decryptorList) of the encryption attribute of the label header.
8.3 Label integrity and verification of binding relationship
The middleware shall perform this verification operation before operating the
secured file. The process is as follows:
a) Obtain an algorithm identifier (algorithmID) from the signature attribute
(SFL_Head:signAttr) of the label header;
9.3 Composition of interface function and function description
9.3.1 Overview
The interface function consists of the following parts:
a) Initialization function;
b) Label and file operation functions;
c) Attribute operation function;
d) Password initialization function.
9.3.2 Initialization function
Initialize the function user system’s initial parameter settings and device
connections, etc.
9.3.3 Label and file operation functions
The label operation function opens, reads, modifies, saves, closes the user
label, meanwhile processes the encryption and decryption operations of the file.
9.3.4 Attribute operation functions
Add, modify, delete, obtain the label attributes.
9.3.5 Cryptographic operation function
The cryptographic operation function is used to encrypt, decrypt, sign and verify
the segmented data blocks.
9.4 Definition of interface function
9.4.1 Initialization function
9.4.1.1 Overview
The initialization function includes the following specific functions:
Non-0: Failed, return error code, wherein the definition of error code is
as shown in Table 3.
9.4.2 Function of label and file operations
9.4.2.1 Overview
Label and file operations include the following specific functions:
a) Open the secured file label memory: SFF_OpenSFLB
b) Read the external secured file memory: SFF_ExternalReadSFB
c) Read internal secured file memory: SFF_InternalReadSFB
d) Modify the external secured file memory: SFF_ExternalWriteSFB
e) Modify the internal secured file memory: SFF_InternalWriteSFB
f) Add file signature: SFF_AddSignAttr
g) Save secured file memory: SFF_SaveSFLB
h) Open secured file label: SFF_OpenSFL
i) Read external secured file: SFF_ExternalReadSF
j) Read internal se...
Share
