Interface specifications of cryptography device application
1 Scope
This standard specifies the application interface for service cryptography devices under the application technology system of public key cryptographic infrastructure.
This standard is applicable to the development and use of service cryptography devices and the application development based on such cryptography devices, and may also be applied to guide the testing of such devices.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GM/T 0006 Cryptographic application identifier criterion specification
GM/T 0009 SM2 cryptography algorithm application specification
3 Terms and definitions
For the purposes of this standard, the following terms and definitions apply.
3.1
algorithm identifier
symbol used to uniquely identify a cryptographic algorithm
3.2
asymmetric cryptographic algorithm/public key cryptographic algorithm
cryptographic algorithm that uses different keys for encryption and decryption
3.3
decipherment/decryption
inverse of the encryption process
3.4
device key pair
asymmetric key pair stored in the device for device management, including signature key pair and encryption key pair
3.5
encipherment/encryption
process of cryptographic transformation of the data to produce ciphertext
3.6
key encrypt key (KEK)
key that encrypts a key for protection purposes
3.7
public key infrastructure (PKI)
universal infrastructure established by public key cryptography to provide users with security services such as certificate management and key management
3.8
private key access password
password used to verify the authority to use the private key
3.9
symmetric cryptographic technique
cryptographic technique (system) in which both the sender and the receiver use the same secret key for transformation, and the encryption key is the same as the decryption key, or one key can be derived from the other
3.10
session key
key that is located at the lowest level in the key hierarchy structure, and used only in one session
3.11
user key
asymmetric key stored in the device for applying cryptographic operations, including signature key pair and encryption key pair
4 Symbols and abbreviations
For the purposes of this document, the following abbreviations apply.
ECC Elliptic Curve Cryptography
IPK Internal Public Key
ISK Internal Private Key
EPK External Public Key
KEK Key Encrypt Key
5 Algorithm identifier and data structure
5.1 Definition of algorithm identifier
See GM/T 0006 for the identifiers of the algorithms used in this standard.
5.2 Definition of device information
Contents of GM/T 0018-2012
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviations
5 Algorithm identifier and data structure
5.1 Definition of algorithm identifier
5.2 Definition of device information
5.3 Definition of key classification and storage
5.3.1 Device key and user key
5.3.2 Key encrypt key
5.3.3 Session key
5.4 Definition of RSA key data structure
5.5 Definition of ECC key data structure
5.6 Definition of ECC encrypted data structure
5.7 Definition of ECC signature data structure
5.8 Protection structure of ECC encrypted key pair
5.8.1 Type definition
5.8.2 Description of data item
6 Description of device interface
6.1 Location of cryptography device application interface in the framework of the application technology system of public key cryptographic infrastructure
6.2 Device management functions
6.2.1 Open the device
6.2.2 Close the device
6.2.3 Open a session
6.2.4 Close the session
6.2.5 Get device information
6.2.6 Generate a random number
6.2.7 Get the right for access to private key
6.2.8 Release the right for access to private key
6.3 Key management functions
6.3.1 Export RSA signature public key
6.3.2 Export RSA encrypted public key
6.3.3 Generate and output RSA key pair
6.3.4 Generate a session key and output it as encrypted with the internal RSA public key
6.3.5 Generate a session key and output it as encrypted with the external RSA public key
6.3.6 Import the session key and decrypt it with the internal RSA private key
6.3.7 Digital envelope exchange based on RSA algorithm
6.3.8 Export ECC signature public key
6.3.9 Export ECC encryption public key
6.3.10 Generate and output ECC key pair
6.3.11 Generate a session key and output it as encrypted with the internal ECC public key
6.3.12 Generate a session key and output it as encrypted with the external ECC public key
6.3.13 Import the session key and decrypt it with the internal ECC private key
6.3.14 Generate and output a key agreement parameter
6.3.15 Calculate the session key
6.3.16 Generate agreement data and calculate the session key
6.3.17 Digital envelope exchange based on ECC algorithm
6.3.18 Generate a session key and output it as encrypted with the key encrypt key
6.3.19 Import the session key and decrypt it with the key encrypt key
6.3.20 Destroy the session key
6.4 Asymmetric algorithm operation functions
6.4.1 RSA operation of external public key
6.4.2 RSA operation of internal public key
6.4.3 RSA operation of internal private key
6.4.4 ECC verification of external key
6.4.5 ECC signature of internal key
6.4.6 ECC verification of internal key
6.4.7 ECC public key encryption of external key
6.5 Symmetric algorithm operation functions
6.5.1 Symmetric encryption
6.5.2 Symmetric decryption
6.5.3 Calculate MAC
6.6 Hash operation functions
6.6.1 Hash operation initialization
6.6.2 Multi-packet hash operation
6.6.3 Hash operation end
6.7 User file operation functions
6.7.1 Create file
6.7.2 Read file
6.7.3 Write file
6.7.4 Delete file
7 Security requirements
7.1 Key management requirements
7.2 Cryptographic service requirements
7.3 Device state requirements
7.4 Other security requirements
Annex A (Normative) Definition of function return code
Bibliography