Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
This document is developed in accordance with the rules given in GB/T 1.1-2020 Directives for standardization—Part 1: Rules for the structure and drafting of standardizing documents.
This document replaces GM/T 0008-2012 Cryptography test criteria for security IC, and provides scientific basis for cryptography test and development of security chip. In addition to a number of editorial changes, the following technical deviations have been made with respect to GM/T 0008-2012:
——The definition of the term "security chip" is modified (see 3.1.1 hereof), and the implementation form of security chip is further described;
——The term "cryptographic boundary" and its definition are added (see 3.2 hereof);
——The term “key” and its definition are deleted (see 3.1.1 of Edition 2012);
——The term “block cipher operation mode” and its definition are deleted (see 3.1.5 of Edition 2012);
——The term “public key cipher application mode” and its definition are deleted (see 3.1.6 of Edition 2012);
——The term "operation speed of cryptographic algorithm" and its definition are deleted (see 3.1.7 of Edition 2012);
——The term “physical random source” and its definition are deleted (see 3.1.8 of Edition 2012);
——The term “hardware” and its definition are deleted (see 3.1.10 of Edition 2012);
——The definition of the term “physical interface” is modified (see 3.4 hereof and 3.1.18 of Edition 2012);
——The definition of the term “logical interface” is modified (see 3.5 hereof and 3.1.19 of Edition 2012);
——The definition of the term “convert channel” is modified (see 3.6 hereof and 3.1.15 of Edition 2012);
——The definition of the term “key management” is modified (see 3.7 hereof and 3.1.14 of Edition 2012);
——The definition of the term “permission” is modified (see 3.10 hereof and 3.1.13 of Edition 2012);
——The term “timing attack” and its definition are deleted (see 3.1.20 of Edition 2012);
——The term “power analysis attack” and its definition are deleted (see 3.1.21 of Edition 2012);
——The term “EM analysis attack” and its definition are deleted (see 3.1.22 of Edition 2012);
——The term “fault attack” and its definition are deleted (see 3.1.23 of Edition 2012);
——The term “light attack” and its definition are deleted (see 3.1.24 of Edition 2012);
——The term "reverse engineering" and its definition are added (see 3.11 hereof);
——The term "important file" and its definition are added (see 3.13 hereof);
——The “classification of security level” is modified (see Clause 4 hereof). The security level has changed from three security levels, i.e., security level 1, security level 2 and security level 3, to five security levels, i.e., security level 1, security level 1+, security level 2, security level 2+ and security levels 3;
——The description of "cryptographic algorithm function” is added (see 5.1 hereof);
——The subclause "Random number generation" is modified from three security levels (see 5.1.1 to 5.1.3 of Edition 2012) to five security levels (see 5.1 to 5.5 hereof);
——The subclause "Cryptographic algorithm" is modified from three security levels (see 5.1 to 5.5 of Edition 2012) to five security levels (see 6.1 to 6.6 hereof);
——The clause "Security chip interface" is modified from three security levels (see 6.1 to 6.2 of Edition 2012) to five security levels (see 7.1 to 7.5 hereof);
——The clause "Key management" is modified from three security levels (see 7.1 to 7.7 of Edition 2012) to five security levels (see 8.1 to 8.6 hereof);
——The clause "Sensitive information protection" is modified from three security levels (see 8.1 to 8.4 of Edition 2012) to five security levels (see 9.1 to 9.4 hereof);
——The clause "Firmware security" is modified from three security levels (see 9.1 to 9.3 of Edition 2012) to five security levels (see 10.10.3 hereof);
——The subclause "Self-test” (see 10.1 to 10.3 of Edition 2012) is modified to "Operating mechanism" (see 11.1 to 11.5 hereof);
——The clause “Attack weakening and protection" (see Clause 12 of Edition 2012) is modified to "Protection security" (see Clause 12 hereof);
——The explanation of "power information disclosure" is added (see 12.6 hereof);
——The explanation of "runtime information disclosure" is added (see 12.7 hereof);
——The explanation of "operating mode information disclosure" is added (see 12.8 hereof);
——The explanation of "fault information disclosure" is added (see 12.9 hereof);
——The clause "Audit" is modified from three security levels (see 11.1 to 11.2 of Edition 2012) to five security levels (see 13.1 to 13.5 hereof);
——The clause “Life cycle assurance" (see Clause 13 of Edition 2012) is modified to "Lifecycle security" (see Clause 14 hereof);
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. The issuing body of this standard shall not be held responsible for identifying any or all such patent rights.
This document was proposed by and is under the jurisdiction of the Cryptography Standardization Technical Committee.
Drafting organizations of this document: Commercial Cryptography Testing Center of State Cryptography Administration, Xingtang Communication Technology Co., Ltd., Hisilicon Technologies Co.,limited, Huada Semiconductor Co.,Ltd., CEC Huada Electronic Design Co.,Ltd., Tongxin Microelectronics Co., Ltd., Beijing Smartchip Microelectronics Technology Company Limited and Beijing Hongsi Electronic Technology Co., Ltd.
Chief drafter of this document: Luo Peng, Cui Yongna, Wang Junfeng, Wang Nina, Zhang Xiaohu, Shen Hongwei, Liu Jian, Kang Bo, Mao Yingying, Hu Xiaobo and Zhang Wenjing.
This document replaces GM/T 0008-2012.
The previous editions of GM/T 0008-XXXX are as follows:
——It was firstly issued in 2012 as GM/T 0008-2012.
——This edition is the first revision.
Introduction
Security chip is an important basic security function unit, which is widely used in various information products and systems. The security chip in this document refers to the integrated circuit chip which implements the function of cryptographic algorithm and directly or indirectly adopts cryptographic technology to process keys and sensitive information.
Based on the cryptographic algorithm implemented, the security chip must meet various security capabilities according to different designs and applications. This document divides security capability into nine parts: cryptographic algorithm, security chip interface, key management, sensitive information protection, security chip firmware security, operating mechanism, protection security, audit and lifecycle security. Each security capability is classified into five security levels according to different security requirements, and each security level is required to increase step by step.
In order to provide the intended security service, the security level of the deployed security chip shall adapt to the application and environmental security requirements, so as to ensure that the information products and systems using the security chip establish a security foundation from the chip level.
This document is applicable to cryptography test of security chips, and may also serve as a guide for the development of security chips and as a reference for selecting security chips that meet the requirements of application and environment security.
Cryptography test criteria for security IC
1 Scope
This document specifies the five security levels in the security objectives and security requirements of the security chip, as well as the corresponding cryptography test requirements.
This document is applicable to cryptography test of security chips, and may also serve as a guide for the development of security chips and as a reference for selecting security chips that meet the requirements of application and environment security.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GM/T 0005 Randomness test specification
GM/Z 4001 Cryptology terminology
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GM/Z 4001 and the following apply.
3.1
security chip
integrated circuit chip which implements the function of cryptographic algorithm and directly or indirectly uses cryptographic technology to process keys and sensitive information. The implementation forms of it include single chip, multi-chip (refers to the chip implementation form formed by sealing multiple single chips on the same substrate) and specific physical region on the chip
3.2
security capability
capability of security chip to provide direct or indirect guarantee and protection measures for key and sensitive information
3.3
cryptographic boundary
physical and logical boundaries of the security chip clearly defined according to the security objectives of the security chip, including the hardware, software and firmware of the security chip. The physical and logical boundaries of the security chip may not correspond completely on the premise of ensuring the security of the cryptography
3.4
interface
input or output point of a security chip that provides an entry or exit to the input or output chip for information flow, including physical and logical interfaces
3.5
physical interface
interface of security chip used to connect various physical transmission media or transmission devices
3.6
logical interface
rules and configuration to realize the interaction between security chip and external information through physical interface
3.7
convert channel
transmission channel, both physical and logical, that can be used to transmit information in a manner that violates security requirements
3.8
key management
rules and requirements for operations e.g. generation, storage, use, update, import, export, clearing, etc. of the key according to the security policy
3.9
firmware
program code solidified in the cryptographic boundary of the security chip, which is responsible for implementing and controlling the security function of the security chip
3.10
sensitive information
data in a security chip that needs to be protected except the key
3.11
permission
a set of rules that define the permitted operation scope of security chip users
3.12
reverse engineering
operation to obtain the key and sensitive information protected by the security chip through reverse analysis, or simulate the function of the security chip
3.13
source file
design files involved in the development of security chip, such as software source code, layout, HDL source code, etc.
3.14
important file
various normative and explanatory files such as security chip configuration management, delivery and operation, development security, design description, tool use, etc.
3.15
lifecycle
whole process of the security chip from development to delivery to users
3.16
identification
a set of data solidified within the physical boundary of a security chip to identify different security chips
3.17
zeroization
a method of erasing electronic data to prevent data recovery
3.18
intellectual property core
a proven, reusable integrated circuit design module with certain exact functions
4 Abbreviations
For the purposes of this document, the following abbreviations apply.
HDL: Hardware Description Language
HMAC: Keyed-Hash Message Authentication Code
5 Classification of security level
5.1 Security level 1
Security chips reaching security level 1 are applicable to application scenarios where their own security protection requirements are insensitive to external environmental risks, and the risks and losses incurred by attacks on external applications after deployment are controllable.
Security level 1 provides the minimum security capability and meets the minimum requirements for security functions of security chips. Security level 1 requires the correctness of cryptographic algorithms, and provides basic protection for keys and sensitive information.
5.2 Security level 1+
Security chips reaching security level 1+ are applicable to application scenarios where their own security protection requirements are certainly sensitive to external environmental risks, and the risks and losses incurred by attacks on external applications after deployment are controlled in a small range.
On the basis of security level 1, it is required to generate random numbers based on physical noise sources. The cryptographic security design can provide basic protection for core data such as keys and sensitive information, and has basic lifecycle management of chips.