GBT 28826.4-2022 信息技术 公用生物特征识别交换格式框架 第4部分：安全块格式规范(正式版)

公用生物特征识别交换格式框架第4部分：安全块格式规范国家市场监督管理总局国家标准化管理委员会I Ⅲ V 1 1 2 4 46只包含签名的安全块格式 7国内商用密码通用安全块格式 附录A(规范性)通用安全块格式的ASN.1代码 附录B(规范性)国内商用密码通用安全块格式的ASN.1代码 26Ⅲ 第4部分：安全块格式规范。本文件修改采用ISO/IEC19785-4:2010《信息技术公用生物特征识别交换格式框架第4部全称和中文释义，以便于对本文件的理解和应用(见第4章),因此不再引用ISO/IECh)用规范性引用的GB/T16263.4替换了ISO/IEC8825-3(见5.4、6.4、7.4),以修改i)用规范性引用的GB/T28826.1替换了ISO/IEC19785-1(见),以适应我国的技术1)增加了规范性引用文件GB/Ta)将ISO/IEC19785-4:2010/CORR1:2013《信息技术公用生物特征识别交换格式框架第4V 定义的其中一种安全块格式或者其他安全块格式，或者可以包含CBEFF数据元素CBEFF_SB_V特征的系统的安全级别。可选择使用ACBio实例是提供远程生物认证基础设施(TAI)的重要组成1GB/T16263.4信息技术ASN.1编码规则第4部分：XML编码规则(XER)(GB/T16263.4—GB/T28826.1信息技术公用生物特征识别交换格式框架第1部分：数据元素规范(GB/T28826.1—2012,GB/T28826.2—2020信息技术公用生物特征识别交换格式框架第2部分：生物特征识别注2GB/T33560—2017信息安全技术密码应用标识规范GB/T38635.2信息安全技术SM9标识密码算法第2部分：算法ISO/IEC19785-2信息技术公用生物特征识别交换格式框架第2部分：生物特征识别注册机构(Informationtechnology—CommonbioISO/IEC24761信息技术安全技术生物特征识别鉴别上下文(Informationtechnology-RFC5911加密消息语法(CMS)和S/MIME的新ASN.1模块[NewtographicMessageSyntax(CMS)3在符合GB/T28826.2—2020的生物特征识别登记机构登记时，分配给CBEFF生物特征信息记录(3.4)中具有已定义格式的、包括生物特征信息记录(3.4)中生物特征数据块BioAPI单元BioAPIunit由生物特征识别服务供方或BioAPI功能供方直接管理的软件或硬件资源单元。由符合ISO/IEC24761—2009的生物特征处理单元(3.16)生成的报告，以显示在生4CBEFF公用生物特征识别交换格式框架(CommonBiometricExchangeFormatsFrame-5{isoregistration-authoritycbefgeneral-purpose(0)der-en{isoregistration-authoritycbefgeneral-purpose(0)per-en{isoregistration-authoritycbefgeneral-purpose(0)xer-en{isoregistration-authoritycbeff(19785)organizations(0)jtcpurpose(0)ber-encoding(76它是一个ASN.1类型CBEFFSecCBEFFSecurityBlock::=SEQUENCEOFCBEFFSecurityBlockElementaccumulatedACBioInstancesA类型ContentInfoCBEFFSB定义为：contentTypeCONTENT-TYPE.&id({ContentTypeCBEFF}),({ContentTypeCBEFF}}类型ContentInfoCBEFFSB由两个组件组成：contentType和content。第一个组件contentTypesignatureRelatedData|authenticenvelopeRelatedDataCONTENT-TYPE::={}7encryptionRelatedDataCONTENT-TYPE::={}}authenticationRelatAuthenticationRelat}id-envelopeRelatedDataOBJECTIDENTIFIER::iso(1)standard(0)cbeff(19785)contentType(1)envelopeR}id-encryptionRelatedDataOBJiso(1)standard(0)cbeff(19785)contentType(1)encryptionR}id-signatureRelatedDataOBJECTIDENTIFIER::={iso(1)standard(0)cbeff(19785)contentType(1)signatureR}id-authenticationRelaiso(1)standard(0)cbeff(19785)contentType(1)authenticationR}字段contentType应取值id-envelopeRelatedData或id-encryptionRelatedData。BlockForACBio字段。该数据应交换给BioAPI单元的连续BPU。类型SubBlockForACBio定义bpuIOIndexINTEGER,}作为第二个BPU的输入。第二个组件是由第一个BPU生成的ACBio实例。详细信息见ISO/类型ACBioInstances的accumulatedACBioInstances字段应用于记录除最新实例之外的8即，对于id-envelopeRelatedData采用EnvelopeRelatedData,对于id-encrypt.1内容类型envelopeRelatedData关联中所述的ASN.1类型EnvelopeRelatedData的.2类型EnvelopeRelatedData定义如下：EnvelopeRelatedData::originatorInfo[0]IMPLICITOriginatorInfoOPrecipientInfosRecipiencryptedContentRelatedInfoEncryptedContentRelatedInfo}CBEFFSBVersion::=INTEGER{vb)类型OriginatorInfo的originatorInfo字段视需要提供有关发起者的信息。仅在密钥管理算法要求时才存在。它可以包含证书和CRLs。有关类型OriginatorInfo的详细信息，见9EncryptedContentRelatedInfo::=SEQUENCE{contentTypeIdentifierEncryptecontentEncryptionAlgorithmContentEncryptionAlgorithmIdentifier}IdentifierEncryptedContentOBJECTIDENTIFIER::={id-cbeffBDB}内容类型encryptionRelatedData关符id-encryptionRelatedData。EncryptionRelatedData::encryptedContentRelatedInfoEncrypt}如果SBH中存在CBEFF_BIR_integritSBH和可能加密的BDB编码组成的数据。和RFC3852和RFC5911中定义的内容类型3)对于每个签名者，签名值(图1中的DS)和该签名者的其他信息被收集到signerInfo值编码组成数据的消息摘要(图1中的MD′)。此消息摘要和签名者的公钥(图1中的PbK)通过比较验证器(图1中的MD′)计算的消息摘要和签名者(图1中的MD')计算的消息摘要验证签名值(图1中的DS);签名者计算的消息摘要使用签名者特定的签名算法(图1中的DS)二.2类型SignaturSignatureRelatedDatadigestAlgorithmsDigestAlgorencapContentRelatedInfoEncapsulatedConcrls[1]IMPLICITRevocatio}e)signerInfos是每个签名者信息的集合。集合中可以包含任意数量的元素。有关类型EncapsulatedContentReeContentTypeIdentifierEncapsulatedConteIdentifierEncapsulatedContentOBJECTIDENTIFIER::={id-cbeffSBHAndBD.1内容类型authenticationRelatedData与中描述的ASN.13)对于每个接收者，鉴别密钥密文和其他特定接收者的信息被收集到RecipientInAuthenticationRelatedData::=SoriginatorInfo[0]IMPLICITrecipientInfosRecipimacAlgorithmMessageAuthenticationCoencapContentRelatedInfoEncapsulatemacMessageAuthenticatio_b)生成类型EnvelopeRelatedData{isoregistration-authoritycbeff(19785)biometric-organization(0)jtcl-sc37(257)sbformatnature-only(2)der-encoding{isoregistration-authoritycbeff(19785)biometric-organization(0)jtcl-sc37(257)sbfosignature-only(2)pe{isoregistration-authoritycbeff(19785)biometric-organization(O)jtcl-sc37(257)sbformats(3)sinature-only(2)xer-encoding{isoregistration-authoritycbeff(19785)biometric-organization(0)jtcl-sc37(257)sbfosignature-only(2)beISO/IECJTC1/SC37signature-onlysecurityblockformat应为RFC3852中指定的编码或该RFC中指定的ASN.1数据类型SignedData。a)CMSVersion应为v3;b)encapcontentInfo应省略eContent字段；{iso,member-bodycnbiometrics-registration-center{isomember-bodycnbiometrics-registr{isomember-bodycnbiometrics-registration-center{isomember-bodycnbiometrics-registration-center此国内商用密码通用安全块适用于使用国内商用密码消息语法进行完整性校验和/或数据加密的7.7版本标识符rityBlockCN,它是一个ASN.1类型CBEFFSecurityBlockCN::=SEQUENCEOFCCBEFFSecurityBlockElementCN::=SEQUENCE{contentTypeCONTENT-TYPE.&id({ContentTypeCBEFFCN}),GB/T28826.4—2022({ContentTypeCBEFFCN}{}类型CBEFFSecurityBlockElementCN由两个组件组成：contentType和content。第一个组件CBEFFSecurityBlockEleenvelopeRelatedDataCNIencryptionRelatedDataCNIsignatureReltionRelatedDataCN}encryptionRelatedDataCNCONTENT-TYPE::={IDENTIFIEDBYid-encryptionRelatedDataCN}IDENTIFIEDBYid-signatureRelatedDataCN}authenticationRelatedDataCNCONTENT-TYPE::={AuthenticationRelatedIDENTIFIEDBYid-authentica}以上三种类型EnvelopedData、EncryptedData、SignedData及其对象标识符完全引用GB/T35275—2017的定义。三个对象标识符的定义说明如下：id-envelopeRelatedDataCNOBJECTIDENTIFIER::={iso(1)member-body(2)cn(156)ccstc(10197)standardclass(6)securitymechan}id-encryptionRelatedDataCNOBJECTIDENTIFIERiso(1)member-body(2)cn(156)ccstc(10197)standardclass(6)securitymechan}在XML值表示法中可表示为：id-signatureRelatedDataCNOBJECTIDENTIFIER::={iso(1)member-body(2)cn(156)ccstc(10197)standardclass(6)securitymechanism(1)}tionRelatedDataCNOBJECT}如果数据元素CBEFF_BDB_encryption_options(生物特征数据块加密选项)存在并包含EN-entType应取值id-envelopeRelatedDataCN或entType应取值id-signatureRelatedDataCN或id-signat如果SBH中的CBEFF_BDB_encryption_opvelopeRelatedDataCN或id-encryptionRelatedDataCN。中所见；第二组件的类型由第一组件的值确定，即，对于id-envelopeRelatedDataCN采用EnvelopedData,对于id-encryptionRelatedDataCN采用EncryptedData。BDB包含加密形式的生物特数据)。signatureRelatedDataCN或id-authenticatioAuthenticationRelatedDataCN用于id-authenticationRelatedDataCN。当使用数字签名来确保完整性.1内容类型authenticationRelatedDataCN与中描述的ASNb)构造AuthenticationRelatedDataCN的过程包括2017的RecipientInfo值中；见GB/T33560—2017中6.2.1中SGDAuthenticationRelatedDataCN::=SrecipientInfosRecipientInfomacAlgorithmMessageAuthenticationCoencapContentRelatedInfoEncapsulatedContentRelatemacMessageAuthenticRecipientInfos::=SETOFRecipientInfo2017中关于recipientInfos的定义。c)macAlgorithm是消息鉴别码(MAC)相关参数。应符合GB/T33560—201EncapsulatedContentRelatedInfo:eContentTypeIdentifierEncapsulatedContIdentifierEncapsulatedContentOBJECTIDENTIFIER::={id-cbeid-cbeffSBHAndBDBOBJECTIDENTIFIER::={iso(1)standard(0)cbeff(19785)contentType(1)sb}c)附录B中规定的CBEFFSecurityBlockCN的编码应符合7.5的规定。CBEFF-GENERAL-PURPOSE-SECContentEncryptionAlgoritDigestAlgorithmIdentifiers,SignerInfos,MessageAuthenticationCodDigestAlgorithmldentifier,AuthAttributes,MessageAuthentiFROMCryptographicMesiso(1)member-body(2)us(840)rsadspkcs(1)pkcs-9(9)smime(16)modules(0)cms—2004(2—ISO/IEC24761AuthenticaACBioInstance,CertificateSet,RevocationInFROMAuthenticationContextForiso(1)standard(0)acbio(24761)module(1)acbioCONTENT-TYPE::=TYPE-CBEFFSecurityBlock::=SEQUENCEOFCBEFFSecuritelementCBEFFSBContenaccumulatedACBioInstances}contentTypeCONTENT-TYPE.&id({ContentTcontent[0]EXPLI({ContentTypeCBEFF}}ContentTypeCBEFFCONTENT-TYPE::={envelopeRelatedData|encryptionRelaEnvelopeRelatedData::originatorInfo[0]IMPLICITOriginatorecipientInfosRecipientInfoencryptedContentRelatedInfoEncrypt}CBEFFSBVersion::=INTEGER{vEncryptedContentRelatedInfo::contentTypeIdentifierEncryptedContent,contentEncryptionAlgorithmContentEncryptionAlgori}IdentifierEncryptedContentOBJECTIDENTIFIER::={id-cbeffBDB}EncryptionRelatedDatencryptedContentRelatedInfoEncrypt}digestAlgorithmsDigestAlgorithmIdentifiers,encapContentRelatedInfoEncapsulatedContentRelate}EncapsulatedContentRelateeContentTypeIdentifier}IdentifierEncapsulatedContentOBJECTIDENTIFIER::={id-cbeffSBHAndBDAuthenticationRelatedData::=SoriginatorInfo[0]IMPLICITOriginatorInfoOPrecipientInfosRecipientInfos,macAlgorithmMessageAuthenticationCoencapContentRelatedInfoEncapsulatedContentRelate}}ACBioInstances::=SEQUENCEOFiso(1)standard(0)cbeff(19785)contentType(1)envelopeR}iso(1)standard(0)cbeff(19785)contentType(1)encryptionRe}id-signatureRelatedDataOBJiso(1)standard(0)cbeff(19785)contentType(1)signatureR}id-authenticationRelatedDataOBJECTiso(1)standard(O)cbeff(19785)contentType(1)authentication}iso(1)standard(0)cbeff(19785)contentTyp}iso(1)standard(0)cbeff(19785)contentType(1)sb}—ContentTypeobjectsenvelopeRelatedDataCONTENT-TYPE::={IDENTIFIEDBYid-envelope}encryptionRelatedDataCONTENT-TY}signatureRelatedDataCONTENT-TYPE::={IDENTIFIEDBYid-signatureRelatedauthenticationRelatedDataCONTENT-AuthenticationRelatIDENTIFIEDBYid-authentiNATIONAL-GENERAL-PURPOSE-SECURITY-BLOCKDEFINITIONSAUTOMATICCONTENT-TYPE::=TYPE-CBEFFSecurityBlockCN::=SEQUENCEOFCBEFFSecurityBloCBEFFSecurityBlockElementcontentTypeCONTENT-TYPE.&id({ContentTypeCBEFFCN}),({ContentTypeCBEFFCN}}CBEFFSecurityBlockElementCNenvelopeRelatedDataCNIencryauthenticationRelatedDataCN}EncapsulatedContentRelatedInfo::=SEQUENCE{eContentTypeIdentifier}IdentifierEncapsulat