Skip to product information
1 of 10

PayPal, credit cards. Download editable-PDF & invoice in 1 second!

GM/T 0096-2020 English PDF (GMT0096-2020)

GM/T 0096-2020 English PDF (GMT0096-2020)

Regular price $440.00 USD
Regular price Sale price $440.00 USD
Sale Sold out
Shipping calculated at checkout.
Quotation: In 1-minute, 24-hr self-service. Click here GM/T 0096-2020 to get it for Purchase Approval, Bank TT...

GM/T 0096-2020: Guide for RFID anti-counterfeiting cipher application

This document specifies the transmission syntax of information, such as certificates and keys, including private keys, certificates, certificate revocation lists, various forms of secret values, as well as their extended standardized packaging. This document is suitable for application scenarios, where personal SM2 algorithm certificates and keys and other information are migrated between different platforms.
GM/T 0096-2020
GM
CRYPTOGRAPHY INDUSTRY STANDARD
OF THE PEOPLE REPUBLIC OF CHINA
ICS 35.040
CCS L 80
Guide for RFID Anti-counterfeiting Cipher Application
ISSUED ON: DECEMBER 28, 2020
IMPLEMENTED ON: JULY 1, 2021
Issued by: State Cryptography Administration
Table of Contents
Foreword ... 4
1 Scope ... 5
2 Normative References ... 5
3 Terms and Definitions ... 6
4 Abbreviations ... 7
5 Overview ... 8
6 Security Category ... 9
6.1 Security Level ... 9
6.2 Category-A System ... 9
6.3 Category-B System ... 10
7 Category-A System Planning and Implementation ... 10
7.1 System Planning ... 10
7.1.1 System architecture ... 10
7.1.2 Tag issuance system ... 11
7.1.3 Anti-counterfeiting authentication system ... 11
7.1.4 Information processing system ... 12
7.1.5 Key management system ... 12
7.2 Product Selection ... 12
7.2.1 RFID electronic tag ... 12
7.2.2 RF reader ... 14
7.2.3 Security gateway ... 15
7.2.4 Cryptographic machine ... 15
7.3 Implementation Suggestions ... 15
7.3.1 Information processing system ... 15
7.3.2 Middleware ... 15
7.3.3 Key management system ... 16
7.3.4 Requirements for transparent transmission channel - reader ... 16 7.4 Application Scheme ... 17
8 Category-B System Planning and Implementation ... 17
8.1 System Planning ... 17
8.1.1 System architecture ... 17
8.1.2 Tag issuance system ... 18
8.1.3 Anti-counterfeiting authentication system ... 18
8.1.4 Information processing system ... 19
8.1.5 Key management system ... 19
8.1.6 Certificate issuance and identity authentication system ... 19
8.2 Product Selection ... 20
8.2.1 RFID electronic tag ... 20
8.2.2 RF reader ... 21
8.2.3 Security gateway ... 23
8.2.4 Cryptographic machine ... 23
8.3 Implementation Suggestions ... 23
8.3.1 Information processing system ... 23
8.3.2 Middleware ... 23
8.3.3 CA and key management system ... 23
8.3.4 Requirements for transparent transmission channel - reader ... 25 8.4 Application Scheme ... 25
Appendix A (informative) Bidirectional Authentication Realization Mode ... 26 Appendix B (informative) Category-A RFID Anti-counterfeiting Cryptographic Application Scheme ... 27
Appendix C (informative) Category-B RFID Anti-counterfeiting Cryptographic Application Scheme ... 39
Guide for RFID Anti-counterfeiting Cipher Application
1 Scope
This Standard specifies the security category, system planning and implementation of RFID anti-counterfeiting application.
This Standard is applicable to cryptographic security scheme design, cryptographic product selection and system implementation in RFID anti-counterfeiting application. 2 Normative References
The content of the following documents constitutes indispensable clauses of this document through normative references in the text. In terms of references with a specified date, only versions with a specified date are applicable to this document. In terms of references without a specified date, the latest version (including all the modifications) is applicable to this document.
GB/T 28925 Information Technology - Radio Frequency Identification - Air Interface Protocol at 2.45 GHz
GB/T 29768 Information Technology - Radio Frequency Identification - Air Interface Protocol at 800/900 MHz
GB/T 32915 Information Security Technology - Binary Sequence Randomness Detection Method
GB/T 37033.1-2018 Information Security Technology - Technical Requirements for Cryptographic Application for Radio Frequency Identification Systems - Part 1: Cryptographic Protection Framework and Security Levels
GB/T 37033.2-2018 Information Security Technology - Technical Requirements for Cryptographic Application for Radio Frequency Identification Systems - Part 2: Technical Requirements for Cryptographic Application for RF Tag, Reader and Communication
GB/T 37033.3-2018 Information Security Technology - Technical Requirements for Cryptographic Application for Radio Frequency Identification Systems - Part 3: Technical Requirements for Key Management
GB/T 37092 Information Security Technology - Security Requirements for
Cryptographic Modules
GM/T 0008 Cryptography Test Criteria for Security IC
7.1.4 Information processing system
Information processing system is a processing system that includes multiple types of information, such as: commodity production, storage, transportation and sales, etc. 7.1.5 Key management system
Key management system is responsible for the key management functions (such as: generation, dispersion and storage of keys) in the entire system. It is the core of security of the entire system. In order to ensure the security of the system, the key management system is deployed in an independent key management center, which is physically separated from other parts (including information processing system, anti- counterfeiting authentication system and tag issuance system) of the commodity traceability and anti-counterfeiting application system. The keys generated by the key management system are distributed to other parts of the commodity traceability and anti-counterfeiting application system through security measures, for example, key card.
7.2 Product Selection
7.2.1 RFID electronic tag
7.2.1.1 Cryptographic security requirements
The RFID electronic tag used in Category-A system shall satisfy the following cryptographic security requirements.
a) Comply with Type-I or Type-II test requirements specified in GM/T 0040-2015. b) Identity authentication: it shall support the reader to conduct identity authentication of the electronic tag. The mode, in which, the reader realizes identity authentication of the electronic tag is shown in 8.3.2.2 in GB/T 37033.2-2018.
c) Access control: it shall support access control function and ensure that the stored information is accessed under controlled permissions. The mode, in which, the access control of the electronic tag is realized, is shown in 6.1.5 of GB/T 37033.2-2018. The test of access control of electronic tags is shown in 6.5 of GM/T 0040-2015.
d) Cryptographic algorithm: the cryptographic algorithm approved by the national cryptographic management department shall be adopted.
e) Cryptographic products approved by the national cryptographic management department should be selected.
7.2.1.2 Optional cryptographic security requirements
7.2.2 RF reader
7.2.2.1 Cryptographic security requirements
The RF reader of cryptographic security functions used in Category-A system may satisfy the following cryptographic security requirements.
a) The SAM chip used by the reader shall comply with the test requirements of not lower than the second level specified in GM/T 0008.
b) Identity authentication: it shall support the identity authentication of the electronic tag by the reader. The mode, in which, the identity authentication of the electronic tag by the reader is realized, is shown in 8.3.2.2 of GB/T 37033.2-2018.
c) It shall support access control function. The mode, in which, reader access control is realized, is shown in 6.2.5 of GB/T 37033.2-2018.
d) Cryptographic algorithm: the cryptographic algorithm approved by the national cryptographic management department that is compatible with the
cryptographic algorithm in the electronic tag shall be adopted.
e) Cryptographic products approved by the national cryptographic management department should be selected
7.2.2.2 Optional cryptographic security requirements
In accordance with the demands of application, the RF reader of cryptographic security functions used in Category-A system may optionally support the following cryptographic security requirements.
a) Confidentiality of stored information: it may optionally support the confidentiality protection of the information stored in the reader. The mode, in which, the confidentiality of the information stored in the reader is realized, is shown in 6.2.1.1 of GB/T 37033.2-2018.
b) Confidentiality of transmitted information: it may optionally support the protection function of the information transmitted by the reader. The mode, in which, the confidentiality of the information transmitted by the reader is realized, is shown in 6.2.1.2 of GB/T 37033.2-2018.
c) Integrity of stored information: Category-A security level reader may optionally support the integrity protection function of the information stored in the reader. The mode, in which, the integrity of the information stored in the reader is realized, is shown in 6.2.2.1 of GB/T 37033.2-2018.
d) Integrity of transmitted information: it may optionally support the integrity protection function of the information transmitted by the reader. The mode, in 8.1.4 Information processing system
Information processing system is a processing system that includes multiple types of information, such as: commodity production, storage, transportation and sales, etc. 8.1.5 Key management system
Key management system is responsible for the key management functions (such as: generation, dispersion and storage of keys) in the entire system. It is the core of security of the entire system. In order to ensure the security of the system, the key management system is deployed in an independent key management center, which is physically separated from other parts (including information processing system, anti- counterfeiting authentication system and tag issuance system) of the commodity traceability and anti-counterfeiting application system. The keys generated by the key management system are distributed to other parts of the commodity traceability and anti-counterfeiting application system through security measures, for example, key card.
8.1.6 Certificate issuance and identity authentication system
The cryptographic module is integrated in the devices of each link of the electronic tag and the anti-counterfeiting system. The enterprise applies for the enterprise root certificate from the CA and uses the root certificate to issue the second-level certificate. The second-level certificate is used to issue the third-level certificate and establish a certificate chain, which serves as the basis for the identity authentication between the electronic tag and the operation system, and between two operation systems. Identity authentication shall be carried out in accordance with the following requirements. a) During the communication between two operation systems, adopt the
asymmetric algorithm to realize identity authentication.
b) During the communication between the operation system and the electronic tag, adopt the asymmetric algorithm for identity authentication.
c) When the reader of the operation system writes information into the electronic tag, the operation system and the reader shall perform bidirectional
authentication. After passing the bidirectional authentication, the information may be written. See Appendix A for the bidirectional authentication.
d) When the reader of the operation system reads information from the electronic tag, perform unidirectional authentication on the reader. After passing the authentication, the information is read.
e) The information written in the reader and the electronic tag is signed with the private key of the writer, so as to ensure the integrity and non-repudiation of the information.
8.2 Product Selection
8.2.1 RFID electronic tag
8.2.1.1 Cryptographic security requirements
The RFID electronic tag used in Category-B system shall satisfy the following cryptographic security requirements.
a) The RFID electronic tag shall comply with the Type-II test requirements specified in GM/T 0040-2015. The chip used in RFID electronic tag shall comply with the test requirements of not lower than the second level specified in GM/T 0008.
b) Confidentiality of stored information: it shall support the confidentiality protection of the information stored in the electronic tag. The mode, in which, the confidentiality of the information stored in the electronic tag is realized, is shown in 6.1.1.1 of GB/T 37033.2-2018. The test of the confidentiality of the information stored in the electronic tag is shown in 6.3.3 of GM/T 0040-2015. c) Confidentiality of transmitted information: it shall support the protection information of information transmitted by the electronic tag. The mode, in which, the confidentiality of the information transmitted by the electronic tag is realized, is shown in 6.1.1.2 of GB/T 37033.2-2018. The test of the
confidentiality of the information transmitted by the electronic tag is shown in 6.3.2 of GM/T 0040-2015.
d) Integrity of stored information: it shall support the integrity protection function of the information stored in the electronic tag. The mode, in which, the integrity of the information stored in the electronic tag is realized, is shown in 6.1.2.1 of GB/T 37033.2-2018. The integrity test of the information stored in the electronic tag is shown in 6.3.5 of GM/T 0040-2015.
e) Integrity of transmitted information: it shall support the integrity protection function of the information transmitted by the electronic tag. The mode, in which, the integrity of the information transmitted by the electronic tag is realized, is shown in 6.1.2.2 of GB/T 37033.2-2018. The integrity test of the information transmitted by the electronic tag is shown in 6.3.4 of GM/T 0040- 2015.
f) Identity authentication: when writing-in the electronic tag information, it shall support the bidirectional authentication between the reader and the electronic tag; when reading the electronic tag information, it shall support the identity authentication of the electronic tag by the reader. The mode, in which, the identity authentication of the electronic tag by the reader is realized, is shown in 8.3.2.2 of GB/T 37033.2-2018. The mode, in which, the bidirectional
authentication between the reader and the electronic tag is realized, is shown b) Confidentiality of transmitted information: it shall support the protection function of the information transmitted by the reader. The mode, in which, the confidentiality of the information transmitted by the reader is realized, is shown in 6.2.1.2 of GB/T 37033.2-2018.
c) Integrity of stored information: it shall support the integrity protection function of the information stored in the reader. The mode, in which, the integrity of the information stored in the reader is realized, is shown in 6.2.2.1 of GB/T 37033.2-2018.
d) Integrity of transmitted information: it shall support the integrity protection function of the information transmitted by the reader. The mode, in which, the integrity of the information transmitted by the reader is realized, is shown in 6.2.2.2 of GB/T 37033.2-2018.
e) Identity authentication: when Category-B security level reader writes-in information, it shall support the identity authentication of the reader by the electronic tag. When reading the information, it may optionally support the identity authentication of the reader by the electronic tag. The mode, in which, the identity authentication of the reader by the electronic tag is realized, is shown in 8.3.2.1 of GB/T 37033.2-2018. The identity authentication of the reader by the electronic tag shall be tested in accordance with 6.2 and 6.3 of GM/T 0040-2015.
f) Non-repudiation of origin of electronic tag: it shall support the function of non- repudiation of origin of the electronic tag. The mode, in which, the non- repudiation of origin of the electronic tag is realized, it shown in 6.2.3.1 of GB/T 37033.2-2018. The test of the non-repudiation of origin of electronic tag is shown in 6.6.1 of GM/T 0040-2015.
g) Non-repudiation of reader: it shall support the function of non-repudiation of the reader by the electronic tag. The mode, in which, the non-repudiation of the reader by the electronic tag is realized, is shown in 6.2.3.3 of GB/T 37033.2-2018.
h) Access control: it shall support the function of access control. The mode, in which, the access control of the reader is realized, is shown in 6.2.5 of GB/T 37033.2-2018.
i) Audit: it shall support the audit function. The mode, in which, the audit record of the reader is realized, is shown in 6.2.6 of GB/T 37033.2-2018.
j) Cryptographic algorithm: the cryptographic algorithm approved by the national cryptographic management department that is compatible with the
cryptographic algorithm in the electronic tag shall be adopted.
k) Cryptographic products approved by the national cryptographic management an asymmetric key as a signed key pair.
The enterprise submits the enterprise information and public key signed to the CA center. The CA center verifies the identity of the enterprise, then, issues a digital certificate signed by the CA private key to the enterprise.
The digital certificate includes the enterprise?€?s basic information, the enterprise?€?s public key, the issuance institution and the expiration date, etc.
8.3.3.3 Enterprise certificate system?€?s issuance of application certificate The certificates issued by this system are all used for the internal production and management of the enterprise. The cryptographic modules of the production management system, the issuance system, the production system and the commodity management system generate a public-private key pair; the public key is signed by the enterprise?€?s root private key, and the certificates are respectively issued. The production management certificate, issuance certificate, production certificate and sales management certificate are used for identification in the process of interacting with other systems.
The cryptographic module can be packaged in the form of a smart cryptographic key or TF card, issued and integrated into the corresponding system.
8.3.3.4 Sales management certificate system?€?s issuance of sales management certificate
The certificates issued by this system are all used for the external channels, sales and after-sales of the enterprise. They correspondingly manage non-core anti- counterfeiting information (such as: channel management information, personalized information, sales date and after-sales and maintenance records, etc.) in the anti- counterfeiting tag.
The cryptographic modules of the sales system and the after-sales system generate a public-private key pair. The public key is signed by the private key of the sales management system, and the certificates are respectively issued. The sales certificate and the after-sales certificate are used for identification in the process of interacting with other systems.
In consideration of the high mobility of the points of sales and after-sales of the commodities, outlets will be added at any time. In order to control the frequency of use of the root shield of the enterprise?€?s certificate issuance system and protect the security of the root shield, the sales management system will issue third-level certificates for the points of sales and after-sales.
The cryptographic module can be packaged in the form of a smart cryptographic key or TF card, issued and integrated into the corresponding system.

View full details