www.ChineseStandard.us -- Field Test Asia Pte. Ltd.

GM/T 0061-2018 English PDF (GM/T0061-2018)

GM/T 0061-2018: Detect specifications of one time password application

GM/T 0061-2018
CRYPTOGRAPHY INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Record number: 62996-2018
Detect specifications of one time password application
ISSUED ON: MAY 02, 2018
IMPLEMENTED ON: MAY 02, 2018
Issued by: State Cryptography Administration
Table of Contents
Foreword ... 3 
1 Scope ... 4 
2 Normative references ... 4 
3 Terms and definitions ... 4 
4 Symbols and abbreviations ... 6 
5 Detection contents and detection methods ... 7 
5.1 One time password generation algorithm ... 7 
5.2 One time token detection ... 8 
5.3 One time token authentication system ... 22 
5.4 Key management system ... 25 
6 Inspection technical documentation requirements ... 31 
Detect specifications of one time password application
1 Scope
This Standard specifies the detection contents for the cryptographic algorithm,
one time token, authentication system and key management system of a one time
password system. This Standard applies to the detection of the cryptographic and
security functions of one time password products.
2 Normative references
The following documents are indispensable for the application of this document.
For dated references, only the dated version applies to this document. For
undated references, the latest edition (including all amendments) applies to this
document.
GM/T 0021-2012, One time password application of cryptography algorithm
GM/Z 4001-2013, Cryptology terminology
3 Terms and definitions
Terms and definitions determined by GM/T 0021-2012, GM/Z 4001-2013 and
the following ones are applicable to this document.
3.1 Challenge code
The challenge factor: data that participates in the one time password
generation process.
3.2 Universal time coordinated
Abbreviated UTC: a second-based time scale that is set and recommended by the
International Radio Consultative Committee and maintained by the Bureau
International de l'Heure (BIH). In this document it is expressed as the number
of seconds since 00:00 on January 1, 1970 (Greenwich Mean Time).
3.3 Seed key
The token seed key: the key from which the one time password is calculated.
3.4 Authentication system
A system that authenticates one time passwords and manages one time tokens.
The window that is used for token time and system time synchronization; the
window size shall not exceed ±2 min.
3.16 Main key
The root key of a one time password system, from which the main key for
manufacturer production is dispersed.
3.17 Encryption key for seed key
The key that is used to encrypt the seed key.
3.18 Main key for manufacturer production
Used to generate the encryption key for the seed key; it is generated from the
main key by dispersion with the vendor code key.
3.19 Transmit key
Used to encrypt and protect the main key for manufacturer production, so as to
ensure its security during transmission.
4 Symbols and abbreviations
The following symbols and abbreviations apply to this document.
Key seed key whose length is not less than 128 bits
Km main key
Kp main key for manufacturer production
Ks encryption key for seed key
Kt transmit key
mAh milliampere hour, the battery power unit
N natural number
PIN personal identification number
PUK PIN Unlocking Key
T time factor that is involved in the operation
TPS transaction per second unit of the authentication system
UTC universal time coordinated
a) Use the SM3 algorithm;
b) Pass through the detection of algorithm consistency.
5.2 One time token detection
5.2.1 PIN code mechanism detection
5.2.1.1 PIN code protection
Detection purpose:
Detect the PIN code protection function of the activated finished token which
has digit and function buttons, so as to ensure that the token cannot be
illegally used by others.
Detection conditions:
Activated finished token.
Detection method and process:
a) The activated token can be used only after a 6- to 16-digit PIN code has
been set; if no PIN code is set, it cannot be used.
b) After the PIN code is set, turn the token off and on again. The token can
be used only when the correct PIN code is input; if an incorrect PIN code is
input, the token cannot be used and the error is counted.
c) The input PIN code has a length limit.
d) The token is automatically turned off on timeout: after it is turned on
with the correct PIN code, it turns off automatically if there is no
operation within a certain period of time (such as 3 minutes), so as to
prevent illegal use.
Qualification judgment conditions:
a) The token can be used only when a 6- to 16-digit PIN code has been set;
once the input reaches 16 digits, no further digits can be entered;
b) The correct PIN code shall be input to use the token;
c) After it is turned on with the correct PIN code, the token turns off
automatically if there is no operation within a certain period of time (such
as 3 minutes).
5.2.1.2 PIN code lock and permanent lock
c) When the number of consecutive incorrect PIN code entries reaches the set
maximum number of errors (such as 6 times), the token is locked.
d) The token, after being locked, can be used again after unlocking.
e) After the token has been locked for the sixth time, it is permanently
locked and cannot be unlocked again.
5.2.1.3 PIN code unlocking
Detection purpose:
Detect the unlocking function after the token PIN code is locked, so that a
user who accidentally locks the token does not lose the use of it.
Detection conditions:
The finished token that has been set to a power-on PIN code; locked token.
Detection method and process:
a) Automatic unlock:
1) When the set automatic unlock time is reached, the token unlocks
automatically, the original PIN code remains unchanged, and the user may
try to input the PIN code again;
2) After the number of automatic unlocks reaches the set upper limit, the
token turns off the automatic PIN code unlock function, and the token can
only be unlocked by the manual unlock function.
b) Manual unlock:
1) After the token is locked and before the automatic unlock time is
reached, the token can be unlocked by the manual unlock function;
2) After the number of automatic unlocks reaches the set upper limit, the
token turns off the automatic PIN code unlock function, and the token can
be unlocked by the manual unlock function;
3) After manual unlocking, the power-on PIN code must be reset, and the
automatic unlock count is cleared.
Qualification judgment conditions:
A locked PIN code can be unlocked both automatically and manually.
5.2.1.4 PUK code lock
c) If two different new power-on PIN codes are input, the modification of the
power-on PIN code fails and input may be attempted again;
d) If the same new power-on PIN code is input twice in succession, the
power-on PIN code is modified successfully.
Qualification judgment conditions:
Restart; input the original power-on PIN code, and the verification fails;
input the modified new PIN code, and the verification passes.
5.2.1.6 PIN code modification protection
Detection purpose:
Detect the token PIN code modification protection function, so as to prevent
illegal modification of the PIN code.
Detection conditions:
The finished token that has been set to a power-on PIN code.
Detection method and process:
a) Turn on the token; input the correct power-on PIN code, and it enters the
normal work mode;
b) Press the PIN code modification button or the combination button to enter
the PIN code modification mode;
c) Before modifying the PIN code, input the original power-on PIN code, so
as to prevent accidental modification of the PIN code.
Qualification judgment conditions:
a) Before the PIN code is modified, the token enters the normal work mode
only when the original power-on PIN code is input.
b) The correct original PIN code must be input to modify the PIN code. After
the token PIN code is modified, the new PIN code can be used to enter the
normal work mode; the original PIN code cannot.
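The token-side PIN rules detected in 5.2.1.1 to 5.2.1.6 (6- to 16-digit PIN, error counting and lock, limited automatic unlock, manual unlock with PIN reset, permanent lock on the sixth lock, idle power-off, and PIN modification guarded by the original PIN) can be exercised against a small simulation. The following is an added example written for this page; it is not text or code from GM/T 0061-2018. The limits the standard quotes as examples (6 errors, 3-minute idle time, sixth lock permanent) are used as given; AUTO_UNLOCK_AFTER_S and AUTO_UNLOCK_LIMIT, and the class and method names, are constructed assumptions.

```python
"""Simulation of a one time token's PIN mechanism (GM/T 0061-2018, 5.2.1.1-5.2.1.6).

Added example, not code from the standard. Values marked 'assumed' are not
given by the page.
"""

PIN_MIN, PIN_MAX = 6, 16
MAX_PIN_ERRORS = 6          # consecutive wrong PINs before the token locks (5.2.1.2 c)
MAX_LOCKS = 6               # the sixth lock is permanent (5.2.1.2 e)
IDLE_TIMEOUT_S = 180        # no operation for 3 minutes powers the token off (5.2.1.1 d)
AUTO_UNLOCK_AFTER_S = 600   # assumed interval before an automatic unlock (5.2.1.3 a)
AUTO_UNLOCK_LIMIT = 3       # assumed number of automatic unlocks before manual-only


class TokenPin:
    def __init__(self):
        self.pin = None          # power-on PIN; None means "not set, token unusable"
        self.errors = 0          # consecutive wrong attempts
        self.lock_count = 0      # how many times the token has been locked so far
        self.locked_at = None    # time of the current lock, None when unlocked
        self.auto_unlocks = 0    # automatic unlocks used since the last manual unlock
        self.powered_on = False
        self.last_activity = 0

    @staticmethod
    def valid_pin(pin: str) -> bool:
        """5.2.1.1 a): 6 to 16 decimal digits."""
        return pin.isdigit() and PIN_MIN <= len(pin) <= PIN_MAX

    def set_pin(self, pin: str) -> bool:
        if not self.valid_pin(pin):
            return False
        self.pin = pin
        return True

    def permanently_locked(self) -> bool:
        return self.lock_count >= MAX_LOCKS

    def locked(self, now: int) -> bool:
        """5.2.1.3 a): the lock clears by itself after AUTO_UNLOCK_AFTER_S, at most
        AUTO_UNLOCK_LIMIT times; the PIN stays unchanged and input may be retried."""
        if (self.locked_at is not None and not self.permanently_locked()
                and self.auto_unlocks < AUTO_UNLOCK_LIMIT
                and now - self.locked_at >= AUTO_UNLOCK_AFTER_S):
            self.locked_at = None
            self.errors = 0
            self.auto_unlocks += 1
        return self.locked_at is not None

    def power_on(self, entered: str, now: int) -> bool:
        """5.2.1.1 b) / 5.2.1.2: only the correct PIN powers the token on; each wrong
        PIN is counted and MAX_PIN_ERRORS in a row lock the token."""
        if self.pin is None or self.locked(now):
            return False
        if entered[:PIN_MAX] == self.pin:     # the keypad stops accepting at 16 digits
            self.errors = 0
            self.powered_on = True
            self.last_activity = now
            return True
        self.errors += 1
        if self.errors >= MAX_PIN_ERRORS:
            self.lock_count += 1
            self.locked_at = now
            self.powered_on = False
        return False

    def usable(self, now: int) -> bool:
        """5.2.1.1 d): idle for IDLE_TIMEOUT_S switches the token off."""
        if self.powered_on and now - self.last_activity >= IDLE_TIMEOUT_S:
            self.powered_on = False
        return self.powered_on

    def manual_unlock(self, new_pin: str) -> bool:
        """5.2.1.3 b): allowed before the auto-unlock time and after the auto-unlock
        limit; the power-on PIN must be reset and the auto-unlock count is cleared."""
        if self.locked_at is None or self.permanently_locked() or not self.set_pin(new_pin):
            return False
        self.locked_at = None
        self.errors = 0
        self.auto_unlocks = 0
        return True

    def change_pin(self, original: str, new_pin: str, new_pin_again: str, now: int) -> bool:
        """5.2.1.6 plus the c)/d) modification steps before it: the token must be on,
        the original PIN is entered first, and the new PIN is entered twice identically."""
        if not self.usable(now) or original != self.pin:
            return False
        if new_pin != new_pin_again:          # two different entries: fails, may be retried
            return False
        self.last_activity = now
        return self.set_pin(new_pin)
```

Driving the object through the detection steps (set PIN, six wrong entries, automatic unlock, manual unlock with a new PIN, modification with mismatched and matching entries, six locks in total) reproduces each qualification judgment condition as a boolean return value, which is the form a test harness for these items needs.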
5.2.1.7 Remote PIN unlock
Detection purpose:
Detect the function to remotely unlock the token.
Detection conditions:
Detection conditions:
An activated finished token.
Detection method and process:
a) Operate the token to generate a time-type one time password;
b) Input the time-type one time password that is generated by the token into
the authentication server, to check whether it passes the authentication.
Qualification judgment conditions:
The token successfully passes the authentication.
5.2.2.4 Challenge password authentication
Detection purpose:
Detect if the token challenge password is correct.
Detection conditions:
An activated finished token.
Detection method and process:
a) Operate the token, and input the challenge value that is provided by the
authentication server, to generate a challenge-type one time password;
b) Input the challenge-type one time password that is generated by the token
into the authentication server, to check whether it passes the
authentication.
Qualification judgment conditions:
The token successfully passes the authentication.
5.2.2.5 Other parameters password authentication
Detection purpose:
If the token has other factors that are involved in the operation (such as
event information), detect whether the password is correct.
Detection conditions:
Activated finished token.
Detection method and process:
The token is successfully synchronized.
5.2.2.9 Token mode
Detection purpose:
Detect whether the token mode changes in the token authentication system are
correct. The work modes of the token include: activated, locked/unlocked,
hung-up/not hung-up, and invalidated. In the authentication system, trigger
the token mode changes to each of the above modes for detection.
Detection conditions:
Finished token.
Detection method and process:
a) Operate the authentication system interface and, for a token that has not
yet been activated, input the token's correct one time password; after the
one time password is verified successfully, change the token mode to ready
mode;
b) Use the locking service of the authentication system to set the token of
the ready mode to the locked mode; for the locked token, the correct one
time password fails the authentication;
c) Use the unlocking service of the authentication system to restore the
locked token to the ready mode; unlock requires the correct one time
password;
d) Use the hanging-up service of the authentication system to set the ready
or locked token to the hung up mode; the correct one time password
authentication of the token in the hung up mode fails;
e) Use the releasing service of the authentication system to restore the hung-
up token to the ready mode; releasing requires the correct one time
password;
f) Use the invalidating service of the authentication system to set the locked,
hung-up token to the invalid mode; the correct one time password
authentication fails.
Qualification judgment conditions:
The token mode changes correctly.
5.2.2.10 Token system data
Detection purpose:
Perform the detection according to the one time token hardware requirements
described in Chapter 7 of GM/T 0021-2012, or provide a test report from a
third-party test organization that has the relevant qualifications.
5.3 One time token authentication system
5.3.1 One time password authentication
Detection purpose:
Detect whether the calculation of the token authentication system is correct,
for both static password + one time password and one time password alone. The
detection process covers: correct password detection, incorrect password
detection, window offset adjustment detection, repeated correct password
detection, ultra-small window correct password detection, and detection of
the case where the number of input errors within the window exceeds the
maximum.
Detection conditions:
Activated finished token or software simulation, logged-in authentication
system.
Detection method and process:
a) Operate the token or software simulation to calculate and generate one
time passwords (covering the correct password, incorrect password, repeated
correct password, ultra-small window correct password, correct password
within the valid window offset, and the case where the number of input
errors within the window exceeds the maximum);
b) Input the one time password generated by the token into the
authentication server, and check whether the corresponding detection result
is obtained.
Qualification judgment conditions:
The correct password is authenticated successfully; the incorrect password is
not; the repeated correct password is not; the ultra-small window correct
password is not; a password whose offset lies within the valid window is
authenticated successfully and the window offset is adjusted; input errors
within the window that exceed the token's maximum number cause
authentication to fail.
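The server-side behaviour that 5.2.2.9 (token modes) and 5.3.1 (one time password authentication) check can be modelled together, since every mode transition that "requires the correct one time password" reuses the same window check. The following is an added example for this page, not text or code from GM/T 0061-2018 or GM/T 0021-2012. Its otp() function is a stand-in (six digits truncated from HMAC-SHA256 over the time factor) so the block runs on plain Python; GM/T 0021-2012 specifies an SM3-based construction and the page does not reproduce it. The step length, window width, error limit, mode names and the AuthServer API are constructed assumptions.

```python
"""Authentication-server model: token modes of 5.2.2.9 and OTP checks of 5.3.1.

Added example, not code from the standard. otp() is a stand-in for the
GM/T 0021-2012 SM3-based algorithm; constants are assumed values.
"""
import hashlib
import hmac
import struct

STEP_S = 60        # assumed length of one time step; T = now // STEP_S
WINDOW = 2         # accept T within +/- WINDOW steps of (server time + learned offset)
MAX_ERRORS = 5     # assumed: consecutive in-window errors before the server locks the token
DIGITS = 6


def otp(seed: bytes, factor: int) -> str:
    """Stand-in generator: DIGITS decimal digits from HMAC-SHA256(seed, factor)."""
    mac = hmac.new(seed, struct.pack(">Q", factor), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**DIGITS).zfill(DIGITS)


class TokenRecord:
    def __init__(self, seed: bytes):
        self.seed = seed
        self.mode = "not_activated"   # -> ready -> locked / hung_up -> invalid
        self.offset = 0               # learned drift of the token clock, in steps
        self.last_t = -1              # highest T already consumed (replay rejection)
        self.errors = 0               # consecutive failed checks


class AuthServer:
    def __init__(self):
        self.tokens = {}              # serial -> TokenRecord

    def register(self, serial: str, seed: bytes) -> None:
        self.tokens[serial] = TokenRecord(seed)

    def _check_otp(self, tok: TokenRecord, code: str, now: int) -> bool:
        """5.3.1: a correct code at step d inside the window is accepted once and the
        stored offset is adjusted by d; a replayed, wrong or far-off code is an error."""
        base = now // STEP_S + tok.offset
        for d in range(-WINDOW, WINDOW + 1):
            t = base + d
            # t <= last_t rejects a repeated (replayed) correct password
            if t > tok.last_t and hmac.compare_digest(code, otp(tok.seed, t)):
                tok.last_t = t
                tok.offset += d
                tok.errors = 0
                return True
        tok.errors += 1
        if tok.errors >= MAX_ERRORS and tok.mode == "ready":
            tok.mode = "locked"       # too many in-window errors: server-side lock
        return False

    # 5.3.1 / 5.2.2.3: ordinary time-type password authentication
    def authenticate(self, serial: str, code: str, now: int) -> bool:
        tok = self.tokens[serial]
        if tok.mode != "ready":       # not activated, locked, hung-up or invalid: fails
            return False
        return self._check_otp(tok, code, now)

    # 5.2.2.9 token-mode services
    def activate(self, serial, code, now):      # a) correct OTP: not_activated -> ready
        tok = self.tokens[serial]
        if tok.mode == "not_activated" and self._check_otp(tok, code, now):
            tok.mode = "ready"
            return True
        return False

    def lock(self, serial):                      # b) locking service: ready -> locked
        tok = self.tokens[serial]
        if tok.mode != "ready":
            return False
        tok.mode = "locked"
        return True

    def unlock(self, serial, code, now):        # c) locked -> ready, needs the correct OTP
        tok = self.tokens[serial]
        if tok.mode != "locked":
            return False
        tok.errors = 0                # assumption: an unlock attempt restarts the error count
        if not self._check_otp(tok, code, now):
            return False
        tok.mode = "ready"
        return True

    def hang_up(self, serial):                   # d) ready or locked -> hung_up
        tok = self.tokens[serial]
        if tok.mode not in ("ready", "locked"):
            return False
        tok.mode = "hung_up"
        return True

    def release(self, serial, code, now):       # e) hung_up -> ready, needs the correct OTP
        tok = self.tokens[serial]
        if tok.mode != "hung_up" or not self._check_otp(tok, code, now):
            return False
        tok.mode = "ready"
        return True

    def invalidate(self, serial):                # f) locked or hung_up -> invalid (final)
        tok = self.tokens[serial]
        if tok.mode not in ("locked", "hung_up"):
            return False
        tok.mode = "invalid"
        return True
```

The replay rule and the offset rule interact: after a code from step base+2 is accepted, the stored offset becomes 2 and the consumed step is recorded, so the same code is rejected on the next attempt even though the window has moved. A code generated far outside the window (the "ultra-small window" case) fails and is counted as an error, and the fifth consecutive error moves a ready token to the locked mode, after which even a correct code is rejected until the unlock service is used.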
5.3.2 Challenge code generation
Detection purpose:
5.3.4 Activation code generation
Detection purpose:
Detect if the token authentication system activation code is correct.
Including: correct activation code and incorrect activation code detections.
Detection conditi...