GM/T 0085-2020 English PDF (GMT0085-2020)
GM/T 0085-2020: Identity-based cryptographic algorithm SM9 based on technology system framework
CRYPTOGRAPHY INDUSTRY STANDARD
OF THE PEOPLE'S REPUBLIC OF CHINA
CCS L 80
Identity-based cryptographic algorithm SM9 based on
technology system framework
ISSUED ON: DECEMBER 28, 2020
IMPLEMENTED ON: JULY 01, 2021
Issued by: State Cryptography Administration
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Basic features
6 IBC technical system framework
7 Key management system framework
7.1 Key management system relationship structure
7.2 Upper-level identification key management system
7.3 Lower-level application key management system
8 IBC technical standards
8.1 Classification overview
8.2 Basic type
8.3 Application type
Identity-based cryptographic algorithm SM9 based on
technology system framework
1 Scope
This document describes the identity-based cryptographic algorithm SM9 based on IBC technology application framework, the framework of the identification cryptographic key management system, and the standard specifications involved in the application of the SM9 identification cryptographic algorithm.
This document applies to the application system construction, product and system development of SM9 identity-based cryptographic algorithm, the identification cryptographic key management system construction and management, and related standard development and inquiries.
2 Normative references
The contents of the following documents constitute the indispensable clauses of this document through normative references in the text. For dated references, only the version corresponding to that date is applicable to this document; for undated references, the latest version (including all amendments) is applicable to this document.
GM/T 0044.1, Identity-based cryptographic algorithms SM9 - Part 1: General
GM/T 0044.2, Identity-based cryptographic algorithms SM9 - Part 2: Digital signature algorithm
GM/T 0044.3, Identity-based cryptographic algorithms SM9 - Part 3: Key
GM/T 0044.4, Identity-based cryptographic algorithms SM9 - Part 4: Key encapsulation mechanism and public key encryption algorithm
GM/T 0086, Specification of key management system based on SM9 identity cryptography algorithm
GM/Z 4001, Cryptology terminology
3 Terms and definitions
The terms defined in GM/T 0044.1 ~ GM/T 0044.4 and GM/Z 4001, and the following ones, are applicable to this document.
Identity-based cryptography; IBC
A cryptographic mechanism for generating a user key based on the unique identity of the user/entity and the system master key within the specified application range.
Public parameter service; PPS
The service of providing users of the IBC system with related public information, including cryptographic algorithm parameters, system policies and user
4 Abbreviations
The following abbreviations apply to this document.
KMS: Key Management Server
PPS: Public Parameter Server
5 Basic features
IBC is a public key cryptography technology. It can calculate the user's public key from the identity of the user/entity (hereinafter collectively referred to as the user) and a set of public mathematical parameters. The corresponding user's private key is calculated from the user ID, a set of public mathematical parameters, and a secret value (system private key and other parameters) within a domain.
This document uses the identity-based cryptographic algorithm of GM/T 0044.1 ~ GM/T 0044.4. It can support cryptographic operations such as digital signature and verification, data encryption and decryption, key agreement, key encapsulation and transmission, and can realize the basic functions of public key cryptography.
identification status release services, trusted time services, etc. for IBC technology applications. This part relies on the theory of the basic technical part, the calculation support of the cryptographic equipment part and the interface part to complete the functional services of the source of trust; it is used to support various applications of IBC technology.
The cryptographic device service consists of cryptographic machines, cryptographic cards, smart cryptographic terminals and other devices, and provides basic cryptographic services to the general cryptographic service layer through standard cryptographic device application interfaces.
The main functions include key generation, cryptographic operations and other services.
The cryptographic device accepts the cryptographic device management of the general cryptographic service layer through a unified device management interface.
The cryptographic device shall have functions such as key loading, storage, update, backup and recovery, and ensure the security of the key in the
The general cryptographic service is composed of general cryptographic services and cryptographic device management services, which provide upper-layer applications with cryptographic services and device management services that are transparent to the underlying specific cryptographic devices.
The general cryptographic service provides general cryptographic services such as identification authentication, confidentiality, integrity and non-repudiation of information to the typical cryptographic service layer and application layer through a unified cryptographic service interface, transforms the upper-layer cryptographic service requests into specific basic cryptographic operation requests, and calls the corresponding cryptographic device through a unified cryptographic device application interface to achieve specific cryptographic operations and key operations.
The cryptographic device management provides a unified device management application interface to the upper management application, provides device management functions for the upper management applications such as remote key management, device maintenance, and device monitoring, converts the management request of the upper management application into a standard message call, and realizes the message transfer between the management application and the cryptographic device through a secure channel.
A typical cryptographic service consists of services such as identity authentication, single sign-on, access control, time stamp and electronic seal, and provides corresponding cryptographic services for upper-level applications.
Figure 2 - Key infrastructure relationship architecture diagram
See GM/T 0086 for the technical specifications of the key management system.
The distribution method means that the lower-level KMS applies to the upper-level KMS to generate and sign a master key pair through the following process.
The reporting method means that the lower-level KMS generates a pair of master keys, and the upper-level KMS signs its master public key through the following process.
The independently deployed identification key management system can generate the master key and set the application layer master key by itself.
7.2 Upper-level identification key management system
The upper-level identification key management system is divided into two types: the hierarchical management KMS system and the independent KMS
a) KMS system of hierarchical management
The upper-layer identification key management system includes upper-level KMS and upper-level PPS publishing system.
The upper-level KMS is the trust foundation of the IBC system and runs independently in an offline manner. Class and control the application infrastructure, to generate the master private key for the key distribution method KMS.
The higher-level PPS publishing system publishes the benchmark algorithm parameters specified by this root, all the information of the application KMS system registered through this root, the PPS address and status, forming a unified management structure and a complete deployment structure, to provide mutual recognition and mutual trust inquiry list for each application IBC system.
b) Independent KMS application system
The independent key management infrastructure includes the application KMS and the application PPS publishing system.
Independent KMS, itself, is the source of trust for this IBC system; it operates independently in an online manner to provide key issuance management services for applications.
The independent PPS publishing system publishes the basic algorithm parameters and user key status information specified by this root, and provides parameter and key information query services for applications.
7.3 Lower-level application key management system
The lower-level application key management infrastructure is divided into three types: key distribution method, key reporting method, and independent
a) Key distribution method application KMS
The key distribution method application KMS shall apply for registration to the upper-level KMS, and the upper-level KMS shall issue the application master private key from top to bottom, which is controlled by the root.
When the IBC operation system indicates that it can provide users with safe and reliable services, the registered KMS system shall be used to issue private keys for them.
b) Key reporting method application KMS
The key reporting method application KMS is to self-generate the application root key according to the public parameters issued by an upper-level KMS, and report its public key to the upper-level KMS, and accept the supervision and management of the upper-level KMS.
c) Independent deployment method application KMS
The independent deployment method application KMS has a self-generated root key and is managed by itself, without reporting to any root. However, the curve and parameters in GM/T 0044 shall be used. The independent deployment method application KMS, if necessary, can apply to a higher-level KMS. After passing the security reinforcement and security review, it can change to the key-reporting method after meeting the requirements for reporting to the higher-level KMS.
8 IBC technical standards
8.1 Classification overview
The IBC technical standard specifications based on the SM9 identity-based cryptographic algorithm include two major categories: basic type and application type. Among these standards, there are proposed new developments, proposed revisions to published standards, and published
8.2 Basic type
8.2.1 Overall framework class
SM9 cryptographic algorithm XML encrypted signature message syntax and
Formulation class. It mainly defines the message syntax of the encrypted signature based on XML encapsulation and transmission of SM9 cryptographic algorithm at the application layer. It is used to guide the standardized encapsulation and processing of SM9 encrypted and signed message results using XML.
Identity-based cryptographic application coding specification
Formulation class. It mainly defines the function name of the interface and the error code interval allocated by different systems, which is used to standardize development and user use.
8.2.4 Encryption service class
Cryptographic smart token technical specification
Revision class. Revise the released GM/T 0027-2014; add the relevant terms of the cryptographic smart token based on IBC technology; add functional requirements, hardware requirements, software requirements, performance requirements, security requirements and other related content of the standard IBC cryptographic smart token.
Cryptographic module security technical requirements
See GM/T 0028-2014.
Server cryptographic machine technical specification
Revision class. Revise the released GM/T 0030-2014; add relevant terms for cryptographic machines based on IBC technology; standardize the functional requirements, hardware requirements, software requirements, performance requirements and security requirements of IBC cryptographic machines.
8.2.5 Cryptographic application interface class
Cryptographic smart token cryptographic application interface specification
Revision class. Revise the released GM/T 0016-2012; add an application interface for cryptographic smart token based on the SM9 cryptosystem, to describe the functions, data types, parameter definitions of the application interface, and the security requirements of the device.
Cryptographic smart token cryptographic application interface data format specification
Revision class. Revise the released GM/T 0017-2012; add a smart IC card application interface based on the SM9 algorithm; describe the functions, data types, parameter definitions and device safety requirements of the application interface.
Cryptographic device application interface specification
Revision class. Revise the released GM/T 0018-2012; add a cryptographic device application interface based on the SM9 identity-based cryptographic algorithm; describe the functions, data types, parameter definitions and device security requirements of the application interface.
General cryptography service interface specification
Revision class. Revise the released GM/T 0019-2012; add a unified cryptographic application interface that defines IBC applications that have nothing to do with cryptographic devices; block the characteristics of cryptographic devices in the cryptographic application support interface; serve various facility platforms and various IBC applications based on the cryptographic application support interface.
Signature verification server technical specification
Revision class. Revise the published GM/T 0029-2014; add a signature verification server application interface based on the SM9 identity-based cryptographic algorithm; describe the application interface functions, data types, parameter definitions and equipment security requirements.
8.2.6 Application protocol class
SM9 cryptographic algorithm usage specification
Formulation class. Describe the use of SM9 cryptographic algorithm; give SM9 key pair, key data structure, signature data structure, encrypted data structure, key encapsulation data format, etc. It is used to guide the use of SM9 cryptographic algorithm, and support the development and testing of equipment and systems of SM9 cryptographic algorithm.
IBC public parameter access specification
Formulation class. Standardize the protocol and format for querying and downloading relevant information from the PPS service. Standardize the content structure, logical relationship, operation flow, system management, data format of the IBC public parameter service system (PPS). Provide technical support for the construction and testing of PPS.
Identity authentication protocol specification based on IBC technology