GM/T 0061-2018 English PDF (GMT0061-2018)

GM/T 0061-2018: Detect specifications of one time password application

This Standard specifies the relevant detection contents of password algorithm, one time token, authentication system and key management system of the one time password system. This Standard applies to the detection of passwords and security functions of one time password-related password products.
GM/T 0061-2018
CRYPTOGRAPHY INDUSTRY STANDARD
OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Record number: 62996-2018
Detect specifications of one time password application
ISSUED ON: MAY 02, 2018
IMPLEMENTED ON: MAY 02, 2018
Issued by: State Cryptography Administration
Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviations
5 Detection contents and detection methods
5.1 One time password generation algorithm
5.2 One time token detection
5.3 One time token authentication system
5.4 Key management system
6 Inspection technical documentation requirements
Detect specifications of one time password application
1 Scope
This Standard specifies the relevant detection contents of password algorithm, one time token, authentication system and key management system of the one time password system. This Standard applies to the detection of passwords and security functions of one time password-related password products.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GM/T 0021-2012, One time password application of cryptography algorithm
GM/Z 4001-2013, Cryptology terminology
3 Terms and definitions
Terms and definitions determined by GM/T 0021-2012, GM/Z 4001-2013 and the following ones are applicable to this document.
3.1 Challenge code
It is the challenge factor, a kind of data that can participate in the one time password generation process.
3.2 Universal time coordinated
It is the English abbreviation of Universal Time Coordinated, a second-based time scale that is set and recommended by the International Radio Consultative Committee and maintained by the Bureau International de l'Heure (BIH). It is the seconds from 00:00 on January 1, 1970 (Greenwich Mean Time).
3.3 Seed key
It is the token seed key, a key that calculates the one time password.
3.4 Authentication system
A system that authenticates one time passwords and manages one time tokens.
The window that is used for token time and system time synchronization; the window size shall not exceed ±2 min.
3.16 Main key
The root key of a certain one time password system, which is used to
decentralize the main key for manufacturer production.
3.17 Encryption key for seed key
The key that is used to encrypt the seed key.
3.18 Main key for manufacturer production
It is used to generate the encryption key for seed key; it is generated from the main key by dispersing the vendor code key.
3.19 Transmit key
It is used to encrypt and protect the main key for manufacturer production, so as to ensure the security of its transmission process.
4 Symbols and abbreviations
The following symbols and abbreviations apply to this document.
Key seed key whose length is not less than 128 bits
Km main key
Kp main key for manufacturer production
Ks encryption key for seed key
Kt transmit key
mAh milliampere hour, the battery power unit
N natural number
PIN personal identification number
PUK PIN Unlocking Key
T time factor that is involved in the operation
TPS transaction per second unit of the authentication system
UTC universal time coordinated
a) Use the SM3 algorithm;
b) Pass through the detection of algorithm consistency.
5.2 One time token detection
5.2.1 PIN code mechanism detection
5.2.1.1 PIN code protection
Detection purpose:
Detect the PIN code protection function of the activated finished token which has the digital and function buttons, so as to ensure that the token is not illegally used by others.
Detection conditions:
Activated finished token.
Detection method and process:
a) The activated token can be used only when it is set to 6~16 digits PIN code; if the PIN code is not set, it cannot be used.
b) After the token is set to the PIN code, turn it off and on again. The token can be used only when the correct PIN code is input; if an incorrect PIN code is input, the token cannot be used and the number of errors will be recorded.
c) The input PIN code has a length limit.
d) The PIN code is automatically turned off when timing out. After it is turned on with the correct PIN code, the token will be automatically turned off if there's no operation within a certain period of time (such as 3 minutes), which is for preventing illegal use.
Qualification judgment conditions:
a) The token can be used only when it is set to 6~16 digits PIN code; when the input length reaches 16 digits, the input cannot be continued;
b) The correct PIN code shall be input to use the token;
c) After it is turned on with the correct PIN code, the token will be automatically turned off if there's no operation within a certain period of time (such as 3 minutes).
5.2.1.2 PIN code lock and permanent lock
c) When the number of consecutive incorrect PIN codes reaches the set
maximum number of errors (such as 6 times), the token is locked.
d) The token, after being locked, can be used again by unlocking.
e) After the token is locked for the sixth time, it is permanently locked and cannot be unlocked again.
5.2.1.3 PIN code unlocking
Detection purpose:
Detect the unlocking function after the token PIN code is locked, so as to prevent the user from accidentally locking the token, which affects the use.
Detection conditions:
The finished token that has been set to a power-on PIN code; locked token.
Detection method and process:
a) Automatic unlock:
1) When the set automatic unlock time arrives, the token is automatically unlocked, the original PIN code remains unchanged, and the user is allowed to try to input the PIN code again;
2) After the number of automatic unlocks reaches the set upper limit, the token turns off the automatic PIN code unlock function, and the token can only be unlocked by the manual unlock function.
b) Manual unlock:
1) After the token is locked and the automatic unlock time has not been reached, the token can be unlocked by the manual unlock function;
2) After the number of automatic unlocks reaches the set upper limit, the token turns off the automatic PIN code unlock function, and the token can be unlocked by the manual unlock function;
3) After it is manually unlocked, the power-on password needs to be reset, and the number of automatic unlocks is cleared.
Qualification judgment conditions:
The PIN code can be automatically unlocked and manually unlocked under locked conditions.
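The PIN protection, lock, automatic unlock and manual unlock behaviour that 5.2.1.1 to 5.2.1.3 test can be modelled as a small state machine and driven with the same inputs a tester gives the finished token. The Python below is an added illustration, not text or code from GM/T 0061-2018 or from any token vendor. It uses the values the text quotes as examples (a 6 to 16 digit PIN, 6 consecutive errors per lock, the sixth lock being permanent, a 3-minute idle power-off); the automatic unlock delay and the upper limit on automatic unlocks are assumptions, since the standard leaves them to the product.

```python
from dataclasses import dataclass
from typing import Optional

# Values the text quotes as examples (5.2.1.1 d), 5.2.1.2 c) and e)):
MAX_PIN_ERRORS = 6          # consecutive wrong PIN codes before the token locks
MAX_LOCKS = 6               # the sixth lock is permanent
IDLE_TIMEOUT_S = 3 * 60     # automatic power-off with no operation
# Assumed values; the standard leaves them to the product's configuration:
AUTO_UNLOCK_AFTER_S = 10 * 60   # delay before an automatic unlock
MAX_AUTO_UNLOCKS = 3            # automatic unlocks allowed before only manual unlock works


def valid_pin_format(pin: str) -> bool:
    """5.2.1.1 a): a PIN code is 6 to 16 decimal digits; anything else is refused."""
    return pin.isdigit() and 6 <= len(pin) <= 16


@dataclass
class TokenPin:
    pin: Optional[str] = None
    errors: int = 0                    # consecutive wrong PIN entries (5.2.1.1 b)
    locks: int = 0                     # how many times the token has locked
    auto_unlocks: int = 0              # automatic unlocks consumed so far
    locked_at: Optional[float] = None  # time of the current lock, None if not locked
    permanently_locked: bool = False
    last_activity: Optional[float] = None

    def set_pin(self, pin: str) -> bool:
        if not valid_pin_format(pin):
            return False
        self.pin = pin
        return True

    @property
    def locked(self) -> bool:
        return self.permanently_locked or self.locked_at is not None

    def _try_auto_unlock(self, now: float) -> None:
        """5.2.1.3 a): once the delay has passed the token unlocks by itself and keeps
        the old PIN, until the automatic-unlock budget is used up."""
        if self.permanently_locked or self.locked_at is None:
            return
        if self.auto_unlocks >= MAX_AUTO_UNLOCKS:
            return
        if now - self.locked_at >= AUTO_UNLOCK_AFTER_S:
            self.locked_at = None
            self.errors = 0
            self.auto_unlocks += 1

    def power_on(self, pin: str, now: float) -> bool:
        """Enter the PIN at power-on; True means the token is now usable."""
        self.last_activity = None
        if self.pin is None:           # 5.2.1.1 a): unusable until a PIN is set
            return False
        self._try_auto_unlock(now)
        if self.locked:
            return False
        if pin != self.pin:
            self.errors += 1
            if self.errors >= MAX_PIN_ERRORS:
                self.locks += 1
                if self.locks >= MAX_LOCKS:      # 5.2.1.2 e): permanent lock
                    self.permanently_locked = True
                else:                            # 5.2.1.2 c): ordinary lock
                    self.locked_at = now
            return False
        self.errors = 0
        self.last_activity = now
        return True

    def usable(self, now: float) -> bool:
        """5.2.1.1 d): the token switches itself off after IDLE_TIMEOUT_S without operation."""
        return self.last_activity is not None and now - self.last_activity <= IDLE_TIMEOUT_S

    def operate(self, now: float) -> bool:
        """Any operation while usable refreshes the idle timer."""
        if not self.usable(now):
            return False
        self.last_activity = now
        return True

    def manual_unlock(self, new_pin: str) -> bool:
        """5.2.1.3 b): manual unlock works whenever the token is locked (not permanently);
        the power-on PIN must be reset and the automatic-unlock count is cleared."""
        if self.permanently_locked or self.locked_at is None or not valid_pin_format(new_pin):
            return False
        self.pin = new_pin
        self.locked_at = None
        self.errors = 0
        self.auto_unlocks = 0
        return True
```

Feeding the model the same sequence of PIN entries, power cycles and waits as the device under test, and comparing when each becomes usable, locked or permanently locked, is the qualification judgment above written as a check.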
5.2.1.4 PUK code lock
c) If two different new power-on PIN codes are input, the modification of the power-on PIN code fails; it's possible to input again;
d) If the same new power-on PIN code is input twice in succession, the power-on PIN code is modified successfully.
Qualification judgment conditions:
Restart; input the original power-on PIN code, and the verification does not pass; input the modified new PIN code, and the verification passes.
5.2.1.6 PIN code modification protection
Detection purpose:
Detect the token PIN code modification protection function, so as to prevent illegal modification of the PIN code.
Detection conditions:
The finished token that has been set to a power-on PIN code.
Detection method and process:
a) Turn on the token; input the correct power-on PIN code, and it enters the normal work mode;
b) Press the PIN code modification button or the combination button to enter the PIN code modification mode;
c) Before modifying the PIN code, input the original power-on PIN code, so as to prevent accidental modification of the PIN code.
Qualification judgment conditions:
a) Before the PIN code is modified, it enters the normal work mode only when the original power-on PIN code is input.
b) It's necessary to input the correct original PIN code to modify the PIN code. After the token PIN code is modified, it's available to use the new PIN code to enter the normal work mode. The original PIN code cannot be used.
5.2.1.7 Remote PIN unlock
Detection purpose:
Detect the function to remotely unlock the token.
Detection conditions:
Detection conditions:
An activated finished token.
Detection method and process:
a) Operate the token to generate a time-type one time password;
b) Input the time-type one time password that is generated by the token into the authentication server, to check whether it passes the authentication.
Qualification judgment conditions:
The token successfully passes the authentication.
5.2.2.4 Challenge password authentication
Detection purpose:
Detect if the token challenge password is correct.
Detection conditions:
An activated finished token.
Detection method and process:
a) Operate the token, and input the challenge value that is provided by the authentication server, to generate a challenge-type one time password;
b) Input the challenge-type one time password that is generated by the token into the authentication server, to check whether it passes the authentication.
Qualification judgment conditions:
The token successfully passes the authentication.
5.2.2.5 Other parameters password authentication
Detection purpose:
If the token has other factors that are involved in the operation (such as event information), detect whether the password is correct.
Detection conditions:
Activated finished token.
Detection method and process:
The token is successfully synchronized.
5.2.2.9 Token mode
Detection purpose:
Detect if the token mode change in the token authentication system is correct. The work modes of the token include: activated, locked/unlocked, hung-up/not hung-up, and invalid. In the authentication system, trigger the token mode changes to the above modes for detection.
Detection conditions:
Finished token.
Detection method and process:
a) Operate the authentication system interface, and input the correct one time password of the not activated token; after successful verification of the one time password, change the token mode to ready mode;
b) Use the locking service of the authentication system to set the token of the ready mode to the locked mode; for the locked token, the correct one time password fails the authentication;
c) Use the unlocking service of the authentication system to restore the locked token to the ready mode; unlocking requires the correct one time password;
d) Use the hanging-up service of the authentication system to set the ready or locked token to the hung-up mode; the correct one time password authentication of the token in the hung-up mode fails;
e) Use the releasing service of the authentication system to restore the hung-up token to the ready mode; releasing requires the correct one time password;
f) Use the invalidating service of the authentication system to set the locked or hung-up token to the invalid mode; the correct one time password authentication fails.
Qualification judgment conditions:
The token mode changes correctly.
5.2.2.10 Token system data
Detection purpose:
Perform the detection according to the one time token hardware requirements which are described in Chapter 7 of GM/T 0021-2012, or provide the test report from third-party test organization which has relevant qualifications.
5.3 One time token authentication system
5.3.1 One time password authentication
Detection purpose:
Detect if the calculation of the token authentication system is correct, including: static password + one time password, and one time password. During the detection process, carry out correct password detection, incorrect password detection, window offset adjustment detection, repeated correct password detection, ultra-small window correct password detection, and detection of the situation where window input errors exceed the maximum number.
Detection conditions:
Activated finished token or software simulation, logged-in authentication system.
Detection method and process:
a) Operate the token or software to simulate the calculation and generate the one time password (including detections of correct password, incorrect password, repeated correct password, ultra-small window correct password, correct password within the valid window offset, and the situation where window input errors exceed the maximum number of times);
b) Input the one time password that is generated by the token into the authentication server, to detect whether it gains the corresponding detection result.
Qualification judgment conditions:
The correct password is successfully authenticated; the incorrect password is unsuccessfully authenticated; the repeated correct password is unsuccessfully authenticated; the ultra-small window correct password is unsuccessfully authenticated; the offset within the valid window is successfully authenticated and the window offset is adjusted; the input errors within the window that exceed the maximum times of the token are unsuccessfully authenticated.
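The six outcomes 5.3.1 asks for (accept the correct password once, refuse a repeat of it, refuse a correct password that falls outside an ultra-small window, accept a drifted password inside the window and adjust the stored offset, lock after too many errors) all follow from how the authentication server searches its window. The Python below is an added example of that server-side logic, not code from the standard or from any vendor. The password function is an HMAC-SHA256 stand-in, not the SM3-based construction GM/T 0021-2012 specifies; the 60-second step, the ±2-step default window and the lock threshold of 5 consecutive errors are assumptions.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

STEP_S = 60            # assumed time step of the time-type password
DEFAULT_WINDOW = 2     # assumed: accept passwords up to 2 steps either side of the expected one
MAX_WINDOW_ERRORS = 5  # assumed: consecutive failures before the token is locked


def otp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Stand-in password function: HMAC-SHA256 over the counter, dynamically truncated
    to `digits` decimal digits.  GM/T 0021-2012 specifies an SM3-based construction,
    which this is NOT; only the authentication logic around it is the point here."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def time_counter(now: int) -> int:
    """Time factor T: whole steps since the UTC epoch (3.2)."""
    return now // STEP_S


@dataclass
class TokenRecord:
    seed: bytes
    drift: int = 0            # learned offset of the token clock, in steps (window offset)
    last_counter: int = -1    # highest counter already accepted; blocks repeated passwords
    errors: int = 0           # consecutive failed attempts
    locked: bool = False


def authenticate(rec: TokenRecord, password: str, now: int,
                 window: int = DEFAULT_WINDOW) -> str:
    """Return "ok", "fail" or "locked", updating the record as 5.3.1 expects."""
    if rec.locked:
        return "locked"
    centre = time_counter(now) + rec.drift
    for k in range(-window, window + 1):
        counter = centre + k
        # A password already used (or older than one used) is refused even though
        # it is arithmetically correct: this is the repeated-correct-password case.
        if counter <= rec.last_counter:
            continue
        if hmac.compare_digest(otp(rec.seed, counter).encode(), password.encode()):
            rec.last_counter = counter
            rec.drift += k          # window offset adjustment: remember the token's drift
            rec.errors = 0
            return "ok"
    rec.errors += 1
    if rec.errors >= MAX_WINDOW_ERRORS:
        rec.locked = True            # errors within the window exceeded the maximum
        return "locked"
    return "fail"
```

The ultra-small window case is exercised by calling `authenticate` with `window=0` against a token whose clock is one step ahead: the password is correct but lies outside the window, so it must fail. Tracking `last_counter` rather than a set of used passwords is what keeps the replay check cheap; the cost is that an older password presented late also fails, which 5.3.1 treats as acceptable.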
5.3.2 Challenge code generation
Detection purpose:
5.3.4 Activation code generation
Detection purpose:
Detect if the token authentication system activation code is correct.
Including: correct activation code and incorrect activation code detections.
Detection conditions:
Not activated finished token, logged-in authentication system.
Detection method and process:
a) Operate the authentication system to generate the activation code (correct activation code and incorrect activation code);
b) Input the activation code into the token, to check if it is activated correctly.
Qualification judgment conditions:
The incorrect activation code fails to be activated; the correct activation code is activated successfully.
5.3.5 Authentication system management function
The one time token authentication system management function conforms to the security requirements that are described in Chapter 8 of GM/T 0021-2012; it is implemented through the operation interface detection. The detection includes: authority management, parameter configuration, log management, service list, and seed import.
5.3.6 System security
The system security itself complies with the security requirements that are described in Chapter 8 of GM/T 0021-2012. The one time token system security function detection includes: access terminal control, communication sensitive field encryption, information storage encryption, log security, time calibration, etc. Verify the security of the authentication system according to the security requirements that are defined in 8.4 of GM/T 0021-2012.
d) The main key for manufacturer production is obtained by dispersing the main key with the vendor code.
Qualification judgment conditions:
The key management system satisfies the requirements of a), b), c), and d).
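The key hierarchy in 3.16 to 3.19 and 5.4.1 d) (main key Km, dispersed with the vendor code into the manufacturer production key Kp, which in turn yields the seed-key encryption key Ks, with Kp itself protected in transit by the transmit key Kt) is easier to review when sketched as code. The Python below is an added illustration, not the standard's or a vendor's implementation. The dispersion algorithm and the wrapping cipher are not given on this page, so HMAC-SHA256 derivation and a toy HMAC-based encrypt-then-MAC stand in for them, and deriving one Ks per production batch is an assumption. The `provision_batch` function also reflects 5.4.6 b) to d): the seed key is generated at the 128-bit minimum length from Clause 4 and leaves the key management system only in Ks-wrapped form.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple


def disperse(parent: bytes, data: bytes, label: bytes) -> bytes:
    """Stand-in dispersion: derive a 32-byte child key from a parent key and dispersion
    data with HMAC-SHA256.  The page does not give the dispersion algorithm; a real
    system uses the one specified in GM/T 0021-2012."""
    return hmac.new(parent, label + b":" + data, hashlib.sha256).digest()


def derive_kp(km: bytes, vendor_code: bytes) -> bytes:
    """3.18 / 5.4.1 d): Kp, the main key for manufacturer production, is Km dispersed
    with the vendor code, so each manufacturer receives a different Kp."""
    return disperse(km, vendor_code, b"Kp")


def derive_ks(kp: bytes, batch_id: bytes) -> bytes:
    """3.17 / 3.18: Ks, the encryption key for the seed key, is generated from Kp.
    Deriving a distinct Ks per production batch is an assumption of this example."""
    return disperse(kp, batch_id, b"Ks")


def generate_seed_key(nbits: int = 128) -> bytes:
    """Clause 4: a seed key is not shorter than 128 bits."""
    if nbits < 128:
        raise ValueError("seed key must be at least 128 bits")
    return os.urandom(nbits // 8)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC used only to show the hierarchy: HMAC-SHA256 keystream in
    counter mode under a random nonce, then a 16-byte HMAC tag.  Not the standard's cipher."""
    enc_key, mac_key = disperse(key, b"", b"enc"), disperse(key, b"", b"mac")
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()[:16]
    return nonce + ciphertext + tag


def unwrap(key: bytes, blob: bytes) -> Optional[bytes]:
    """Inverse of wrap(); None when the tag does not verify (wrong key or tampering)."""
    if len(blob) < 32:
        return None
    nonce, ciphertext, tag = blob[:16], blob[16:-16], blob[-16:]
    enc_key, mac_key = disperse(key, b"", b"enc"), disperse(key, b"", b"mac")
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def provision_batch(km: bytes, vendor_code: bytes, batch_id: bytes, kt: bytes) -> Tuple[bytes, bytes]:
    """Key management side: derive Kp for the vendor, export it under Kt (3.19), derive Ks,
    generate one seed key and hand it out only in Ks-wrapped form (5.4.6 c), d)).
    The plaintext seed never leaves this function."""
    kp = derive_kp(km, vendor_code)
    kp_export = wrap(kt, kp)                 # Kp travels to the manufacturer protected by Kt
    ks = derive_ks(kp, batch_id)
    seed_file = wrap(ks, generate_seed_key())  # what the authentication system imports
    return kp_export, seed_file
```

The check a tester gets from this structure is that a seed file produced for one vendor cannot be unwrapped with another vendor's Ks, and that any change to the stored file is rejected rather than silently decrypting to garbage; both follow from the tag check in `unwrap`.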
5.4.2 System login
Detection purpose:
Detect if the key management system user login is correct.
Detection conditions:
Not logged-in key management system.
Detection method and process:
a) Operate the key management system to input the incorrect user name and the random login password. The login password is not displayed in plain text, and the login fails.
b) Operate the key management system to input the correct user name and the random login password. The login password is not displayed in plain text, and the login fails.
c) Operate the key management system to input the correct user name and the correct login password. The login password is not displayed in plain text, and the login succeeds.
d) Operate the key management system to continuously input the correct user name and the random login password. The login password is not displayed in plain text; when the number of consecutive inputs exceeds the number that is set by the key management system, the login is locked.
Qualification judgment conditions:
Users can log in with the correct user name and password.
5.4.3 User management
Detection purpose:
Detect if the token key management system user management is correct.
Detection conditions:
The key generation succeeds.
5.4.5 Serial number generation
Detection purpose:
Detect if the token key management system token serial number generation module is correct.
Detection conditions:
Logged-in key management system.
Detection method and process:
a) Operate the key management system to generate a token serial number;
b) Check the consistency of the serial number with the generation rules;
c) Check the uniqueness of the serial number in the key management system.
Qualification judgment conditions:
The unique serial number of the token is generated successfully.
5.4.6 Seed key generation
Detection purpose:
Detect if the token key management system seed key generation module is correct.
Detection conditions:
Logged-in key management system.
Detection method and process:
a) Verify that the hardware password device is used;
b) Operate the key management system to generate the seed key of the key management system;
c) Verify that the seed key in the key management system is stored encrypted;
d) The generated encrypted seed key file can be used by the authentication system.
Qualification judgment conditions:
5.4.9 Log management
Detection purpose:
Detect if the token key management system log management is correct.
Detection conditions:
Not logged-in key management system.
Detection method and process:
a) Log in to the key management system as a super user;
b) Query the system log; the log record is complete and accurate; the user login, operation, and authentication shall be recorded by the log;
c) It's unsuccessful to modify or delete the log.
Qualification judgment conditions:
The super user can view the log and cannot modify it.
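The log requirements of 5.4.9 (login, operation and authentication events recorded; modification or deletion unsuccessful) are normally enforced by access control, but a tester also wants a way to show that a log has not been altered, which an append-only hash chain provides. The Python below is an added example, not code from the standard or any product; the record fields and the choice of SHA-256 are assumptions.

```python
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64   # "previous hash" of the very first record


def record_digest(record: Dict) -> str:
    """Hash of a record's content plus the previous record's hash (the 'hash' field excluded)."""
    material = json.dumps({k: v for k, v in record.items() if k != "hash"}, sort_keys=True)
    return hashlib.sha256(material.encode()).hexdigest()


class AuditLog:
    """Append-only, hash-chained log of logins, operations and authentications (5.4.9 b)).
    Every record binds the hash of its predecessor, so editing or deleting any record
    makes the chain fail to recompute.  Removing the newest records is caught only if the
    head hash is anchored outside the log, e.g. handed to the authentication system."""

    def __init__(self) -> None:
        self.records: List[Dict] = []

    def append(self, user: str, action: str, result: str) -> str:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        record = {"seq": len(self.records), "user": user, "action": action,
                  "result": result, "prev": prev}
        record["hash"] = record_digest(record)
        self.records.append(record)
        return record["hash"]

    def head(self) -> str:
        """Current chain head; store it somewhere the log's administrator cannot reach."""
        return self.records[-1]["hash"] if self.records else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Optional[int]:
        """None if the log is intact; otherwise the index of the first inconsistent record
        (len(records) when only the anchored head disagrees, i.e. the tail was removed)."""
        prev = GENESIS
        for i, record in enumerate(self.records):
            if (record.get("seq") != i or record.get("prev") != prev
                    or record.get("hash") != record_digest(record)):
                return i
            prev = record["hash"]
        if expected_head is not None and prev != expected_head:
            return len(self.records)
        return None
```

The chain turns "cannot modify or delete the log" into something a test can observe: the super user may still be able to edit the file, but `verify` reports the first altered or missing record, and the externally kept head catches truncation that the chain alone cannot see.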
5.4.10 Interface detection
The interface type of the one time token key management system complies with the requirements that are described in Chapter 9 of GM/T 0021-2012; the interface definition is based on the corresponding vendor interface document. The one time token read and write interface shall check the seed key one-way write, interface permission control, write verification mechanism and interface error correction capability.
5.4.11 Performance detection
The performance detection of the key management system is mainly implemented by a standard stress detection model; the data is used to evaluate the performance of the key management sy...
