Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
This standard is developed in accordance with the rules given in GB/T 1.1-2009.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. The issuing body of this document shall not be held responsible for identifying any or all such patent rights.
This standard was proposed by and is under the jurisdiction of the Ministry of Public Security of the People's Republic of China.
Security Technical Requirement for the Read-write Equipment of the Electronic Identification of Motor Vehicles
1 Scope
This standard specifies the general requirements, production and discard treatment for the security of read-write equipment of the electronic identification of motor vehicles.
This standard is applicable to the design, development, test and application of read-write equipment and application system of the electronic identification of motor vehicles.
2 Normative References
The following referenced documents are indispensable for the application of this document. For dated reference, only the edition cited applies. For undated references, the latest edition (including any amendments) applies.
GB/T 35789.1-2017 General Specification for the Electronic Identification of Motor Vehicles - Part 1: Automobile
GM/T 0024 SSL VPN Technical Specification
GM/T 0035.1-2014 Specifications of Cryptographic Application for RFID Systems - Part 1: Cryptographic Protection Framework and Security Levels
GM/T 0035.5 Specifications of Cryptographic Application for RFID Systems - Part 5: Specification for Key Management
3 Terms and Definitions
For the purposes of this document, the terms and definitions given in GB/T 35789.1-2017 and the following one apply.
3.1
security module
the components which are embedded in read-write equipment and provide crypto-operation function for read-write equipment
4 Abbreviations
For the purpose of this document, the following abbreviations apply.
PSAM: Purchase Secure Access Module
SSL: Secure Sockets Layer
VPN: Virtual Private Network
5 General Requirements
5.1 Communication Security Requirements
The communication between read-write equipment and electronic identification of motor vehicles shall meet the requirements of 6.2.2 in GM/T 0035.1-2014.
5.2 Basic Structure
The read-write unit of read-write equipment includes communication module, security module, processor module and radio frequency module and the basic structure is detailed in Figure 1. The functions of each module are as follows:
a) Communication module is responsible for the communication between read-write equipment and application system;
b) Radio frequency module is responsible for the physical layer communication between read-write equipment and electronic identification of motor vehicles;
c) Security module is responsible for data access and security protection in usage process, and provides at least 2 PSAM card interfaces;
d) Processor module is responsible for data processing and data forwarding.
Figure 1 Basic Structure
5.3 Cryptographic Algorithm
Cryptographic algorithm approved by national cryptogram management department shall be adopted for security module and PSAM card.
5.4 Key Management
Key management shall meet the following requirements:
a) The generation, injection, storage, dispersion, application etc. of key shall meet the requirements of GM/T 0035.5;
b) The key in security module is in the charge of the organization authorized by public security organization;
c) The key in PSAM card is in the charge of the competent department of application industry.
5.5 Confidentiality
5.5.1 Storage confidentiality
The storage confidentiality shall meet the following requirements:
a) Sensitive information shall be protected via encryption by adopting cryptographic algorithm to avoid unauthorized access;
b) Access authority information and key shall be stored in security module or PSAM card;
c) Asymmetric algorithm key and symmetric algorithm key shall not be read.
5.5.2 Transmission confidentiality
SSL VPN technology complying with GM/T 0024 should be adopted to ensure the transmission confidentiality between read-write equipment and application system.
5.6 Integrity
Encryption technology shall be adopted to verify the sensitive information transmitted between read-write equipment and application system, so as to find such conditions as alteration, deletion and interpolation of information.
Foreword i
1 Scope
2 Normative References
3 Terms and Definitions
4 Abbreviations
5.1 Communication Security Requirements
5.2 Basic Structure
5.3 Cryptographic Algorithm
5.4 Key Management
5.5 Confidentiality
5.6 Integrity
5.7 Non-repudiation
5.8 Identity Authentication
5.9 Access Control
5.10 Audit Record
6 Production and Discard Treatment
6.1 Production
6.2 Discard Treatment
Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
This standard is developed in accordance with the rules given in GB/T 1.1-2009.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. The issuing body of this document shall not be held responsible for identifying any or all such patent rights.
This standard was proposed by and is under the jurisdiction of the Ministry of Public Security of the People's Republic of China.
Security Technical Requirement for the Read-write Equipment of the Electronic Identification of Motor Vehicles
1 Scope
This standard specifies the general requirements, production and discard treatment for the security of read-write equipment of the electronic identification of motor vehicles.
This standard is applicable to the design, development, test and application of read-write equipment and application system of the electronic identification of motor vehicles.
2 Normative References
The following referenced documents are indispensable for the application of this document. For dated reference, only the edition cited applies. For undated references, the latest edition (including any amendments) applies.
GB/T 35789.1-2017 General Specification for the Electronic Identification of Motor Vehicles - Part 1: Automobile
GM/T 0024 SSL VPN Technical Specification
GM/T 0035.1-2014 Specifications of Cryptographic Application for RFID Systems - Part 1: Cryptographic Protection Framework and Security Levels
GM/T 0035.5 Specifications of Cryptographic Application for RFID Systems - Part 5: Specification for Key Management
3 Terms and Definitions
For the purposes of this document, the terms and definitions given in GB/T 35789.1-2017 and the following one apply.
3.1
security module
the components which are embedded in read-write equipment and provide crypto-operation function for read-write equipment
4 Abbreviations
For the purpose of this document, the following abbreviations apply.
PSAM: Purchase Secure Access Module
SSL: Secure Sockets Layer
VPN: Virtual Private Network
5 General Requirements
5.1 Communication Security Requirements
The communication between read-write equipment and electronic identification of motor vehicles shall meet the requirements of 6.2.2 in GM/T 0035.1-2014.
5.2 Basic Structure
The read-write unit of read-write equipment includes communication module, security module, processor module and radio frequency module and the basic structure is detailed in Figure 1. The functions of each module are as follows:
a) Communication module is responsible for the communication between read-write equipment and application system;
b) Radio frequency module is responsible for the physical layer communication between read-write equipment and electronic identification of motor vehicles;
c) Security module is responsible for data access and security protection in usage process, and provides at least 2 PSAM card interfaces;
d) Processor module is responsible for data processing and data forwarding.
Figure 1 Basic Structure
5.3 Cryptographic Algorithm
Cryptographic algorithm approved by national cryptogram management department shall be adopted for security module and PSAM card.
5.4 Key Management
Key management shall meet the following requirements:
a) The generation, injection, storage, dispersion, application etc. of key shall meet the requirements of GM/T 0035.5;
b) The key in security module is in the charge of the organization authorized by public security organization;
c) The key in PSAM card is in the charge of the competent department of application industry.
5.5 Confidentiality
5.5.1 Storage confidentiality
The storage confidentiality shall meet the following requirements:
a) Sensitive information shall be protected via encryption by adopting cryptographic algorithm to avoid unauthorized access;
b) Access authority information and key shall be stored in security module or PSAM card;
c) Asymmetric algorithm key and symmetric algorithm key shall not be read.
5.5.2 Transmission confidentiality
SSL VPN technology complying with GM/T 0024 should be adopted to ensure the transmission confidentiality between read-write equipment and application system.
5.6 Integrity
Encryption technology shall be adopted to verify the sensitive information transmitted between read-write equipment and application system, so as to find such conditions as alteration, deletion and interpolation of information.
Contents of GB/T 35787-2017
Foreword i
1 Scope
2 Normative References
3 Terms and Definitions
4 Abbreviations
5.1 Communication Security Requirements
5.2 Basic Structure
5.3 Cryptographic Algorithm
5.4 Key Management
5.5 Confidentiality
5.6 Integrity
5.7 Non-repudiation
5.8 Identity Authentication
5.9 Access Control
5.10 Audit Record
6 Production and Discard Treatment
6.1 Production
6.2 Discard Treatment