GM/T 0099-2020 English PDF (GMT0099-2020)

Regular price $380.00 USD

GM/T 0099-2020: Cryptography application technical specification of open fixed layout documents

This Standard regulates the use of cryptographic technology to sign, encrypt and protect the integrity of open format documents. This Standard is applicable to guiding the development, use and testing of products and systems related to open-format document encryption applications.
GM/T 0099-2020
GM
CRYPTOGRAPHIC INDUSTRY STANDARD
OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
CCS L 80
Cryptography application technical specification of
open fixed layout documents
ISSUED ON: DECEMBER 28, 2020
IMPLEMENTED ON: JULY 01, 2021
Issued by: National Cryptography Administration
Table of Contents
Foreword ... 3
1 Scope ... 4
2 Normative references ... 4
3 Terms and definitions ... 5
4 Abbreviations ... 5
5 Cryptography application mechanism ... 6
6 Cryptography application requirements ... 8
7 Cryptography application protocol ... 9
Annex A (normative) Cryptography protection scheme identification and protection method ... 15
Annex B (informative) OFD signature description extension scheme ... 18
Annex C (informative) OFD encryption description scheme ... 25
Annex D (informative) OFD integrity protection scheme ... 32
Cryptography application technical specification of open fixed layout documents
1 Scope
This Standard regulates the use of cryptographic technology to sign, encrypt and protect the integrity of open format documents.
This Standard is applicable to guiding the development, use and testing of products and systems related to open-format document encryption applications.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 20518, Information security technology - Public key infrastructure - Digital certificate format
GB/T 20520, Information security technology - Public key infrastructure - Time stamp specification
GB/T 32905, Information security technology - SM3 cryptographic hash algorithm
GB/T 32907, Information security technology - SM4 block cipher algorithm
GB/T 32918 (all parts), Information security techniques - Elliptic curve public-key cryptography
GB/T 33190-2016, Electronic files storage and exchange formats - Fixed layout documents
GB/T 35275, Information security technology - SM2 cryptographic algorithm encrypted signature message syntax specification
GB/T 35276, Information security technology - SM2 cryptography algorithm usage specification
GB/T 38540-2020, Information security technology - Technical specification
scope, signature scheme, signature value data file path.
During confidentiality protection, according to the OFD encryption protocol, either the description files or other key resources in the OFD that contain key information can be encrypted locally, or all files in the package that make up the OFD document can be encrypted as a whole. The decryption entry file (Encryptions.xml, which will be added in OFD 2.0) generated by encryption is stored in the OFD root directory. The decryption entry file describes the brief information of the encryption operation, the encryption scheme, and the file paths of the plaintext-ciphertext mapping table (EntriesMap.xml or entriesmap.dat) and of the key description data (decryptseed.dat).
During integrity protection, the entire ZIP package can be protected according to the OFD integrity protection protocol. The generated integrity description file (OFDEntries.xml, which will be added in OFD 2.0) is saved in the OFD root directory. It describes the list of files in the package that are covered by the integrity protection, the signature scheme, and the saved signature value.
The above-mentioned three kinds of cryptographic application related documents work together to ensure the confidentiality, integrity, authenticity and non-repudiation of OFD during storage and transmission.
6 Cryptography application requirements
The goal of OFD's cryptographic application is to ensure the confidentiality, integrity, authenticity and non-repudiation of documents.
When OFD uses a cryptographic mechanism for security protection, it shall be ensured that the operator of each operation cannot repudiate it, that the independent imaging effect of each layer and the superimposed imaging effect are genuine and valid, that the confidentiality of content requiring confidentiality protection is guaranteed, and that the integrity of the OFD file itself is also guaranteed.
Ensure the confidentiality of the page: the key information description files shall be encrypted.
Ensure the authenticity and completeness of the page and of the page overlay effect, and ensure that the page operator's operations cannot be repudiated: the operator's signature private key shall be used to digitally sign all description files of each page.
Ensure the integrity of the OFD: the list of valid files in the package shall be constructed according to the OFD standard, and the signature private key of the OFD file operator shall be used to digitally sign that list.
b) When the signature type is digital signature and the signature algorithm uses SM2, the signature value data shall follow GB/T 35275;
c) When the signature type is digital signature and the signature algorithm is another algorithm, the signature value data shall follow the data value specification corresponding to that algorithm.
7.2.3 Cryptography algorithm requirements
The requirements of OFD signature to cryptography algorithm are as follows:
a) When the signature algorithm uses SM2, it shall follow GB/T 32918 (all parts) and GB/T 35276;
b) When the hash algorithm uses SM3, it shall follow GB/T 32905.
7.2.4 Digital certificate requirements
The digital certificate requirements for OFD signature are as follows:
a) The algorithm used in the certificate shall be an algorithm approved by the national cryptography management authority;
b) When using a certificate based on the SM2 algorithm, GB/T 20518 shall be followed;
c) When using certificates of other algorithms, they shall meet the requirements of national cryptographic standards and industry standards.
7.2.5 Timestamp requirements
The requirements of OFD signature for timestamp are as follows:
a) The signature value can include a timestamp;
b) When the signature value contains a timestamp, the format and use of the timestamp shall follow GB/T 20520.
7.2.6 Signature process
The OFD digital signature process requirements are as follows:
a) Confirm the list of documents participating in the signature;
b) According to the signature scheme, call the hash algorithm to calculate the hash value of each file;
c) See the data structure shown in Annex B to assemble the signature file;
7.3.3 Cryptography algorithm requirements
The algorithm requirements for OFD encryption are as follows:
a) The encryption scheme shall meet the requirements of the national cryptography management authority;
b) When the encryption algorithm adopts SM2, follow GB/T 32918 (all parts) and GB/T 35276;
c) When the encryption algorithm adopts SM4, follow GB/T 32907;
d) When the encryption algorithm adopts other algorithms, it shall comply with the requirements of national encryption standards and industry standards.
7.3.4 Encryption process
Encrypt files according to the encryption scheme. The process is as follows:
a) Generate a symmetric key for file encryption in the ZIP package;
b) According to the encryption scheme, use the file encryption symmetric key generated in step a) to call the symmetric cryptographic algorithm to encrypt the files in the package and write them into the ZIP package;
c) According to the encryption scheme, process the plaintext files for which ciphertext has been generated; part of them are written into the ZIP package;
d) Assemble the plain-ciphertext mapping table file. Encrypt it according to the encryption scheme or write it directly into the ZIP package;
e) Assemble the encrypted entry file and write the plain text into the ZIP package;
f) According to the encryption scheme, perform key packaging or asymmetric encryption on the file encryption symmetric key to generate a packaging key for file symmetric encryption;
g) If there are multiple visitors to the electronic file, repeat step e) of 7.3.4;
h) Assemble the key description file and write it into the ZIP package.
7.3.5 Decryption process
Decrypt the file according to the encryption scheme. The process is as follows:
a) Obtain the packaging key for symmetric encryption of the file from the
7.4.4 Digital certificate requirements
The digital certificate requirements for OFD signature are as follows:
a) The algorithm used in the certificate shall be an algorithm approved by the national cryptography management authority;
b) When using a certificate based on the SM2 algorithm, GB/T 20518 shall be followed;
c) When using certificates based on other algorithms, they shall meet the requirements of national cryptographic standards and industry standards.
7.4.5 Generation process
The OFD integrity protection signature process is as follows:
a) Confirm all files in the file package;
b) Assemble signature integrity protection documents;
c) According to the signature scheme, calculate the hash value of the integrity protection file;
d) According to the signature scheme, use the signature private key of the composer of the format file to digitally sign the hash value;
e) Write the digital signature result to the signature value file.
7.4.6 Verification process
The OFD integrity protection verification signature process is as follows:
a) Read the integrity protection description file;
b) According to the signature scheme, call the hash algorithm to calculate the hash value of the integrity protection file;
c) Read the signature value file and verify the signature.
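An added example of the 7.4.5 generation and 7.4.6 verification procedures (it also covers the per-file hashing of 7.2.6 a)-b)); this is not code from the standard or from this page. Assumptions: an in-memory map stands in for the OFD ZIP package, the text layout of the integrity description and the per-file hash in it are constructed here (the page does not show the OFDEntries.xml schema), SHA-256 replaces SM3, and Ed25519 replaces the SM2 signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Package is an in-memory stand-in for the OFD ZIP package: path -> file bytes.
type Package map[string][]byte

// BuildEntries assembles the 7.4.5 b) integrity description: one "path hash" line per file, sorted by
// path. Layout and per-file hash are constructed here; the page does not show the OFDEntries.xml schema.
func BuildEntries(pkg Package) []byte {
	paths := make([]string, 0, len(pkg))
	for p := range pkg {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256(pkg[p]) // SHA-256 stands in for the SM3 hash (assumption)
		fmt.Fprintf(&b, "%s %x\n", p, sum[:])
	}
	return []byte(b.String())
}

// Protect follows 7.4.5 c)-e): hash the description and sign that hash with the composer's private
// key. Ed25519 stands in for the SM2 signature the standard requires (assumption).
func Protect(priv ed25519.PrivateKey, pkg Package) (entries, sig []byte) {
	entries = BuildEntries(pkg)
	h := sha256.Sum256(entries)
	return entries, ed25519.Sign(priv, h[:])
}

// Verify follows 7.4.6: re-hash the description, check its signature, then check that the package
// still matches it, which rejects modified, deleted and added files alike.
func Verify(pub ed25519.PublicKey, pkg Package, entries, sig []byte) error {
	h := sha256.Sum256(entries)
	if !ed25519.Verify(pub, h[:], sig) {
		return errors.New("signature over the integrity description is invalid")
	}
	if string(BuildEntries(pkg)) != string(entries) {
		return errors.New("package content does not match the signed description")
	}
	return nil
}
```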
symmetric key;
b) Use symmetric algorithm. Use the file encryption symmetric key to encrypt the original file;
c) Pass the password through the key derivation function to generate the key for encrypting the file encryption symmetric key. When using the key derivation function, it shall follow GB/T 32918;
d) Use symmetric algorithm. Use the calculation result in step b) as the encryption key. Encrypt the file encryption symmetric key. The packaging key of the generated file symmetric encryption is put into the key description file.
A.2.2 Decryption scheme
The decryption method is as follows:
a) Pass the password through the key derivation function to generate the key for decrypting the file encryption symmetric key. When using the key derivation function, it shall follow GB/T 32918;
b) Use symmetric algorithm. Use the calculation result in step a) as the decryption key. Decrypt the packaging key of the symmetric encryption of the file, and generate the symmetric key of the file encryption;
c) Use symmetric algorithm. Use the file encryption symmetric key to decrypt the file and get the original text.
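As an added worked example, not code from the standard or from this page, the password scheme of A.2.1 a)-d) and A.2.2 a)-c), which is also the key handling of 7.3.4 and 7.3.5, in Go. Assumptions for a stdlib-only example: SHA-256 stands in for SM3 inside the GB/T 32918 counter-mode KDF, AES-GCM stands in for SM4 (the page fixes no mode of operation), a random salt is added to the password derivation, and the function names, the Encrypted struct and the inputs are constructed here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// must turns an error that can only be a bug here (bad key length, failed CSPRNG) into a panic.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// kdf is the counter-mode KDF of GB/T 32918: K = H(Z||1) || H(Z||2) || ..., cut to klen bytes.
// SHA-256 stands in for SM3, the hash the standard requires (assumption: stdlib-only example).
func kdf(z []byte, klen int) []byte {
	var out []byte
	for ct := uint32(1); len(out) < klen; ct++ {
		h := sha256.Sum256(append(append([]byte{}, z...), byte(ct>>24), byte(ct>>16), byte(ct>>8), byte(ct)))
		out = append(out, h[:]...)
	}
	return out[:klen]
}

// AES-GCM stands in for the SM4 block cipher the standard requires (assumption; no mode is fixed).
func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// seal returns nonce || ciphertext || tag; open reverses it and rejects any change or wrong key.
func seal(key, pt []byte) []byte {
	nonce := make([]byte, aead(key).NonceSize())
	must(rand.Read(nonce))
	return aead(key).Seal(nonce, nonce, pt, nil)
}
func open(key, blob []byte) ([]byte, error) {
	if g := aead(key); len(blob) >= g.NonceSize() {
		return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
	}
	return nil, errors.New("truncated ciphertext")
}

// Encrypted is the key description data (salt, wrapped file key) kept beside the file ciphertext.
type Encrypted struct{ Salt, WrappedKey, Ciphertext []byte }

// EncryptWithPassword follows A.2.1 a)-d): random file key, encrypt the file, KDF(password||salt) as
// key-encryption key, wrap the file key with it. The random salt is an added assumption.
func EncryptWithPassword(password, file []byte) *Encrypted {
	fileKey, salt := make([]byte, 16), make([]byte, 16)
	must(rand.Read(fileKey)); must(rand.Read(salt))
	return &Encrypted{salt, seal(kdf(append(append([]byte{}, password...), salt...), 16), fileKey), seal(fileKey, file)}
}

// DecryptWithPassword follows A.2.2 a)-c); a wrong password fails at the unwrap (tag check).
func DecryptWithPassword(password []byte, e *Encrypted) ([]byte, error) {
	if fileKey, err := open(kdf(append(append([]byte{}, password...), e.Salt...), 16), e.WrappedKey); err == nil {
		return open(fileKey, e.Ciphertext)
	}
	return nil, errors.New("wrong password or damaged key description data")
}
```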
A.3 Certificate encryption scheme
A.3.1 Encryption scheme
The encryption method is as follows:
a) Call the cryptography service module to generate file encryption symmetric key;
b) Use symmetric cryptographic algorithm. Use file encryption symmetric key to encrypt the original file;
c) Use asymmetric cryptographic algorithm. Use the public key of the electronic file visitor to encrypt the file encryption symmetric key. The packaging key of the generated file symmetric encryption is put into the key description file.
A.3.2 Decryption scheme
The decryption method is as follows:
