GM/T 0113-2021: Fast online identity authentication protocol
GM/T 0113-2021
GM
CRYPTOGRAPHIC INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.030
L 80
Fast online identity authentication protocol (在线快捷身份鉴别协议)
ISSUED ON: OCTOBER 18, 2021
IMPLEMENTED ON: MAY 01, 2022
Issued by: State Cryptography Administration
Table of Contents
Foreword ... 3
1 Scope ... 4
2 Normative references ... 4
3 Terms and definitions ... 5
4 Abbreviations ... 5
5 General fast online identity authentication protocol ... 6
5.1 Protocol architecture ... 6
5.2 Protocol message related data structure ... 11
5.3 Protocol process and requirements ... 17
6 Two-factor fast online identity authentication protocol ... 26
6.1 Protocol architecture ... 26
6.2 Protocol message framework ... 30
6.3 Protocol process and requirements ... 33
Appendix A (Informative) Security risks and recommended measures ... 48
Appendix B (Informative) Trusted environment implementation methods ... 52
Appendix C (Informative) Protocol interface ... 53
References ... 59
Fast online identity authentication protocol
1 Scope
This document specifies the fast online identity authentication protocol, covering the
general fast online identity authentication protocol and the two-factor fast online
identity authentication protocol.
This document applies to the development, testing and evaluation of fast online identity
authentication services.
2 Normative references
The following documents contain provisions which, through normative reference in this
text, constitute provisions of this document. For dated references, only the edition
cited applies; for undated references, the latest edition (including all amendments)
applies.
GB/T 16262 (all parts) Information technology - Abstract syntax notation one (ASN.1)
GB/T 16649.4 Identification cards - Integrated circuit cards - Part 4: Organization, security and commands for interchange
GB/T 25069 Information security techniques - Terminology
GB/T 32905 Information security techniques - SM3 cryptographic hash algorithm
GB/T 32918 (all parts) Information security technology - Public key cryptographic algorithm SM2 based on elliptic curves
GB/T 35276 Information security technology - SM2 cryptography algorithm usage specification
GB/T 36651 Information security techniques - Biometric authentication protocol framework based on trusted environment
GB/T 37092 Information security technology - Security requirements for cryptographic modules
GB/T 38636 Information security technology - Transport layer cryptography protocol (TLCP)
user's biometric identification verification. If the user has not previously enrolled
biometric information with the biometric identifier, enrollment takes place first;
otherwise the enrolled biometric information is used to complete the unlocking. After
the user's biometric verification succeeds, the biometric identification key manager
creates a unique authentication key pair associated with the key manager and the
identity authentication server. The authentication private key is stored in the local
key manager and shall not be exported from it. If the key manager cannot store the
authentication private key, it encrypts the private key and stores the ciphertext on
the user device; the key used to encrypt the user's private key is held in the key
manager and shall not be exported from it. Full life-cycle management and security
management of keys and other security parameters in this protocol shall comply with
GB/T 37092.
e) The biometric key manager generates the key registration data, builds a registration
response message from it and sends the message to the identity authentication server.
The key registration data contains the authentication public key generated in the
previous step; the registration response message contains the key registration data and
a signature over it produced with the manufacturer's private key. The manufacturer key
pair is pre-installed in the biometric key manager by the manufacturer of the user
device and serves to prove the identity of the key manager.
f) The identity authentication server obtains the manufacturer's public key from the
biometric key manager information in 5.2.7 and uses it to verify the signature in the
registration response message. If the signature is valid, the server extracts and stores
the authentication public key, together with its binding to the user.
g) The identity authentication server returns the registration result to the relying party.
5.1.3 Authentication
In the authentication process, the user signs the server's challenge with the
authentication private key through the biometric key manager, proving possession of the
private key to the identity authentication server and completing the authentication.
The authentication process is shown in Figure 2, which illustrates the protocol flow
using the HTTP redirection method. The detailed protocol flow and messages are given in
5.3.2.
a) The user accesses the relying party through the user agent on the user device.
b) When biometric identity authentication is needed, the relying party directs the user
to the identity authentication server, either by HTTP redirection of the user device to
the server or by message forwarding.
c) The identity authentication server sends an authentication request message to the
biometric key manager in the user device. On receiving the message, the biometric key
manager verifies the authenticity of the identity authentication server; if the
verification succeeds it prompts the user to select an available biometric identifier,
otherwise it rejects the message. In this document the biometric key manager shall
verify the authenticity of the server by a certificate-based method or by another method
capable of establishing the server's authenticity.
d) The user selects a suitable local biometric identifier and uses biometric information
to unlock the authentication private key held in the biometric key manager, completing
the user's biometric verification. Once it succeeds, the biometric key manager selects
the corresponding authentication private key and signs the data to be signed.
e) The biometric key manager sends an authentication response message containing the
signature result to the identity authentication server.
f) The identity authentication server verifies the signature with the corresponding
authentication public key. If the verification is successful, ...