GB/T 14805.7-1999 Application-level syntax rules for electronic data interchange for administration, commerce and transport (Syntax version number: 4) Part 7: Security rules for batch electronic data interchange (confidentiality)

Basic Information

Standard ID: GB/T 14805.7-1999

Standard Name: Application-level syntax rules for electronic data interchange for administration, commerce and transport (Syntax version number: 4) Part 7: Security rules for batch electronic data interchange (confidentiality)

Chinese Name: 用于行政、商业和运输业电子数据交换的应用级语法规则 (语法版本号:4) 第7部分:批式电子数据交换安全规则(保密性)

Standard Category: National Standard (GB)

Status: Abolished

Date of Release: 1999-01-01

Date of Implementation: 2000-05-01

Date of Expiration: 2008-01-01

Standard Classification Numbers

ICS Number: Information technology, office machinery and equipment >> Information technology applications >> 35.240.60 Information technology in transportation and trade

Chinese Classification Number: Electronic Components and Information Technology >> Information Processing Technology >> L70 Comprehensive Information Processing Technology

Associated Standards

Replacement: Replaced by GB/T 14805.7-2007

Adoption of International Standard: idt ISO 9735-7:1998

Publication Information

Publisher: China Standards Press

ISBN: 155066.1-16677

Publication Date: 2004-04-10

Other Information

Review Date: 2004-10-14

Drafting Unit: Data Communication Technology Research Institute of the Ministry of Posts and Telecommunications

Focal Point Unit: National Electronic Business Standardization Technical Committee

Publishing Department: State Administration of Quality and Technical Supervision

Competent Authority: National Standardization Administration

Introduction to the Standard:

This standard specifies confidentiality at the message/packet level, group level and interchange level in accordance with the established security mechanisms.

Some standard content:

National Standard of the People's Republic of China
GB/T 14805.7-1999
idt ISO 9735-7:1998
Electronic data interchange for administration, commerce and transport (EDIFACT) - Application level syntax rules (Syntax version number: 4) - Part 7: Security rules for batch EDI (confidentiality)
Published on November 11, 1999
Implementation on May 1, 2000
Published by the State Administration of Quality and Technical Supervision
This standard is equivalent to ISO 9735-7:1998 "Application-level syntax rules for electronic data interchange for administration, commerce and transport (Syntax version number: 4) Part 7: Security rules for batch electronic data interchange (confidentiality)". The GB/T 14805 series of standards, under the general title "Application-level syntax rules for electronic data interchange for administration, commerce and transport (Syntax version number: 4)", includes the following 10 parts:
Part 1: Syntax rules common to all parts and a directory of syntax services for each part
Part 2: Syntax rules specific to batch electronic data interchange
Part 3: Syntax rules specific to interactive electronic data interchange
Part 4: Syntax and service report message for batch electronic data interchange (message type CONTRL)
Part 5: Security rules for batch electronic data interchange (authenticity, integrity and non-repudiation of origin)
Part 6: Security authentication and acknowledgement message (message type AUTACK)
Part 7: Security rules for batch electronic data interchange (confidentiality)
Part 8: Associated data in electronic data interchange
Part 9: Key and certificate management message (message type KEYMAN)
Part 10: Security rules for interactive electronic data interchange
New parts may be added in the future.
GB/T 14805.X-1999 corresponds to the fourth edition of ISO 9735. Its release and implementation do not affect the national standard GB/T 14805-1993, which was formulated in 1993 according to ISO 9735:1988. This standard was proposed by the State Information Office of the People's Republic of China. This standard is under the jurisdiction of the National Technical Committee for Standardization of File Formats and Data Elements and the National Technical Committee for Standardization of Information Technology. The drafting units of this standard are: Data Communication Technology Research Institute of the Ministry of Posts and Telecommunications, Standardization Research Institute of the Ministry of Electronics Industry, and China Institute of Standardization and Information Classification and Coding.
The main drafters of this standard are: Zhang Zezhong, Wu Zhigang, Wang Yanzun, Liu Bisong, Zhang Ping, Xu Dongmei, Wang Xin, and Yuan Lin.
ISO Foreword
ISO (International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing international standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO also take part in the work. ISO collaborates closely with the IEC (International Electrotechnical Commission) on all matters of electrotechnical standardization. Draft international standards adopted by the technical committees are circulated to the member bodies for voting before being accepted as international standards by the ISO Council. Under ISO procedures, a draft becomes an international standard only when at least 75% of the member bodies casting a vote approve it.
This fourth edition of the international standard ISO 9735 was drafted by the United Nations Economic Commission for Europe Working Party 4 (UN/ECE/WP.4), as part of UN/EDIFACT, and adopted as an existing standard by ISO/TC154 (Documents and data elements in administration, commerce and industry) through the "fast-track procedure".
ISO 9735 consists of the following parts under the general title "Electronic data interchange for administration, commerce and transport (EDIFACT) - Application level syntax rules":
ISO 9735-1 Syntax rules common to all parts and directory of syntax services for each part
ISO 9735-2 Syntax rules specific to batch electronic data interchange
ISO 9735-3 Syntax rules specific to interactive electronic data interchange
ISO 9735-4 Syntax and service report message for batch electronic data interchange (message type CONTRL)
ISO 9735-5 Security rules for batch electronic data interchange (authenticity, integrity and non-repudiation of origin)
ISO 9735-6 Security authentication and acknowledgement message (message type AUTACK)
ISO 9735-7 Security rules for batch electronic data interchange (confidentiality)
ISO 9735-8 Associated data in electronic data interchange
ISO 9735-9 Key and certificate management message (message type KEYMAN)
ISO 9735-10 Security rules for interactive electronic data interchange
New parts may be added in the future.
ISO Introduction
Based on the needs of batch or interactive processing, this standard contains application-level rules for structuring the data in electronic messages exchanged in an open environment. The United Nations Economic Commission for Europe (UN/ECE) has agreed to use these rules as the application-level syntax rules for electronic data interchange for administration, commerce and transport (EDIFACT). These rules are part of the United Nations Trade Data Interchange Directory (UNTDID), which also contains design guidelines for batch and interactive messages. Communication specifications and protocols are outside the scope of this standard. This standard is a new part of ISO 9735. It provides an optional capability for confidentiality of EDIFACT structures (messages, packages, groups or interchanges).
1 Scope
This standard specifies confidentiality at the message/packet level, group level and interchange level in accordance with the established security mechanisms.
2 Conformance
Conformance to a standard implies support for all its requirements, including all options. If not all options are supported, any conformance statement shall identify the options for which conformance is claimed. Data are in conformance if their structure and representation conform to the syntax rules specified in this standard. Devices supporting this standard are in conformance when they can create and/or interpret data whose structure and representation conform to this standard.
Conformance to this standard shall include conformance to GB/T 14805.1, GB/T 14805.2 and GB/T 14805.5. When clauses defined in related standards are identified in this standard, those clauses form an integral part of the conformance criteria.
3 Referenced standards
The clauses contained in the following standards constitute clauses of this standard through reference in this standard. When this standard was published, the editions shown were valid. All standards are subject to revision, and parties using this standard should explore the possibility of applying the latest editions of the following standards.
ISO/IEC 10181-5:1996 Information technology - Security frameworks for open systems - Part 5: Confidentiality
4 Definitions
The definitions adopted in this standard are given in Appendix A of GB/T 14805.1-1999 and Appendix A of GB/T 14805.5-1999.
5 Batch EDI confidentiality rules
5.1 EDIFACT confidentiality
Appendix C and Appendix D of GB/T 14805.5-1999 describe the security threats associated with EDIFACT data transmission and the security services that address these threats.
This clause describes solutions for providing the confidentiality security service to EDIFACT structures.
Confidentiality of EDIFACT structures (messages, packets, groups or interchanges) is provided by encrypting the message body, object, message/packet, or individual messages/packets/groups with appropriate encryption algorithms, together with any security header and security trailer segments. The encrypted data may be filtered for use in communication networks with limited capabilities.
5.1.1 Confidentiality of Batch EDI
5.1.1.1 Confidentiality of Interchanges
Figure 1 shows the structure of an interchange that has been secured through confidentiality. The service string advice (UNA), interchange header (UNB) and interchange trailer (UNZ) are not affected by encryption. If compression is used, it should be applied before encryption. The encryption algorithm, compression algorithm and filter algorithm and their related parameters should be specified in the security header group.
Figure 1: Structure of an interchange whose content (message/packet or group) has been encrypted (schematic diagram)
5.1.1.2 Confidentiality of Groups
Figure 2 shows the structure of an interchange containing an encrypted group that has been secured for other security services. The group header (UNG) and group trailer (UNE) are not affected by encryption. If compression is used, it should be applied before encryption. The encryption algorithm, compression algorithm and filter algorithm and their related parameters should be specified in the security header group.
Figure 2: Structure of an interchange containing a group whose contents (group body and its corresponding security header group and security trailer group) have been encrypted (schematic diagram)
5.1.1.3 Confidentiality of Messages
Figure 3 shows the structure of an interchange containing an encrypted message that has been secured for other security services. The message header (UNH) and message trailer (UNT) are not affected by encryption. If compression is used, it should be applied before encryption. The encryption algorithm, compression algorithm and filter algorithm and their related parameters should be specified in the security header group.
Figure 3: Structure of an interchange containing a message whose content (message body and its corresponding security header segment group and security trailer segment group) has been encrypted (schematic diagram)
5.1.1.4 Confidentiality of Packets
Figure 4 shows the structure of an interchange containing an encrypted packet that has been secured for other security services. The packet header segment (UNO) and packet trailer segment (UNP) are not affected by encryption. If compression is used, it should be applied before encryption. The encryption algorithm, compression algorithm and filter algorithm and their related parameters should be specified in the security header segment group.
Figure 4: Structure of an interchange containing a packet whose content (object and its corresponding security header segment group and security trailer segment group) has been encrypted (schematic diagram)
5.1.2 Structure of the data encryption header and trailer segments (see Figure 5)
Figure 5: Segment table of the security header segment group and security trailer segment group
Segment group 1 (security header segment group): USH Security header; USA Security algorithm; Segment group 2
Segment group 2 (certificate segment group): USC Certificate; USA Security algorithm; USR Security result
USD Data encryption header
Encrypted data
USU Data encryption trailer
Segment group n (security trailer segment group): UST Security trailer; USR Security result
Note: The USH, USA, USC, USR and UST segments are specified in GB/T 14805.5 and are not further described in this part.
5.1.3 Data segment description
Segment group 1: USH-USA-SG2 (security header segment group)
This segment group identifies the security service and security mechanism used and contains the data required to carry out the validation calculations. Only the security header segment group used for confidentiality shall be included here.
USH, Security header
This segment specifies the confidentiality security service (as defined in GB/T 14805.5) to be applied to the EDIFACT structure containing this segment.
USA, Security algorithm
This segment identifies the security algorithm and the use of the algorithm and contains the required technical parameters. The algorithm shall be the one applied to the message body, object, message/packet or message/packet/group. These algorithms shall be owner symmetric algorithms, owner compression algorithms or owner compression integrity algorithms.
Asymmetric algorithms shall not be referenced directly in the USA segment of segment group 1; they may appear only in segment group 2, triggered by the USC segment. If the data is compressed before encryption, USA is used to specify the compression algorithm and optional mode of operation. Additional parameters (such as initialization values) may be specified as parameter values in the USA segment. If compression is used and the compression algorithm does not include an embedded integrity check, an integrity algorithm may be specified using the USA segment. The integrity check value is calculated over the compressed text before encryption. The location (i.e., octet offset) of the integrity check value within the compressed data may be specified as a parameter value. The size (in octets) of the integrity check value is given indirectly by the integrity algorithm used.
Segment group 2: USC-USA-USR (certificate segment group)
When an asymmetric algorithm is used, this segment group contains the data required to verify the security method applied to the EDIFACT structure (as defined in GB/T 14805.5).
USC, Certificate
This segment contains the credentials of the certificate owner and identifies the certification authority that generated the certificate (as defined in GB/T 14805.5).
USA, Security algorithm
This segment identifies the security algorithm and its use and contains the required technical parameters (see definitions in GB/T 14805.5).
USR, Security result
This segment contains the result of the security functions applied by the certification authority to the certificate (see definitions in GB/T 14805.5).
USD, Data encryption header
This segment specifies the octet size of the compressed (optional), encrypted and filtered (optional) data. A reference number may be specified to identify the encrypted EDIFACT structure. If a reference number is given, the same reference number shall be used in the USD and USU segments. If padding is used before encryption, the number of padding octets shall be stated.
Encrypted data
This contains the data encrypted with the encryption algorithm and mechanism specified in the security header segment group.
USU, Data encryption trailer
This segment specifies the octet size of the compressed (optional), encrypted and filtered (optional) data. A reference number may be specified to identify the encrypted EDIFACT structure. If a reference number is given, the same reference number shall be used in the USD and USU segments.
Segment group n: UST-USR (security trailer segment group)
This segment group contains a link to the security header segment group and the results of the security functions applied to the EDIFACT structure (as defined in GB/T 14805.5).
UST, Security trailer
This segment establishes a link between the security header segment group and the security trailer segment group and specifies the number of security segments (including the USD and USU segments) contained in these groups (as defined in GB/T 14805.5).
USR, Security result
This segment contains the results of the security functions applied to the EDIFACT structure as specified in the linked security header segment group (as defined in GB/T 14805.5). This segment shall not appear for the confidentiality security service.
5.1.4 Data encryption header and data encryption trailer for confidentiality
The EDIFACT structure that has been encrypted into encrypted data is encapsulated between the data encryption header and the data encryption trailer. The encrypted data and its associated security header group and security trailer group replace the original message body, object or message/packet/group. The encryption does not affect the header and trailer of the encrypted EDIFACT structure.
The encrypted data shall immediately follow the segment terminator that ends the USD segment. The USD segment shall specify the length of the encrypted data in octets. The USU segment follows the encrypted data and again specifies the length of the encrypted data in octets; this length shall be the same as that in the USD segment.
5.1.5 Security header group and security trailer group for confidentiality
The structure shall contain a security header group that specifies confidentiality and a corresponding security trailer group as defined in GB/T 14805.5. The security trailer group for confidentiality shall include only one UST segment. Once an EDIFACT structure has been encrypted, no other EDIFACT security service shall be applied to that structure.
5.2 Principles of Use
5.2.1 Multiple Security Services
If more than one security service is required in addition to confidentiality, the sender of the EDIFACT structure shall implement the other security services before encryption and the receiver shall perform the relevant verification after decryption in accordance with the principles established in GB/T14805.5.
5.2.2 Confidentiality
Confidentiality of the EDIFACT structure shall be handled in accordance with the principles established in ISO 10181-5. The confidentiality security service shall be specified in the security header segment group and the relevant algorithms shall be identified in the USA segment of segment group 1. The USA segment may also include the data required to establish keys between the secure sender and the secure receiver. The security initiator shall encrypt the EDIFACT structure starting after the segment terminator of the structure's header (interchange, group, message or packet) and ending before the first character of the structure's trailer (interchange, group, message or packet); the result is considered the encrypted data. On receipt, the secure receiver shall decrypt the encrypted data and restore the original EDIFACT structure without its header and trailer segments.
5.2.3 Internal Representation and Filter Functions
The result of the encryption process is a nearly random bit string. This may cause problems in some communication networks with limited capabilities. To avoid such problems, filter functions may be used to reversibly map the bit string onto a specific set of characters. Using a filter function increases the length of the encrypted data, and different filter functions have different expansion factors. Some filter functions allow the filtered text to contain any character of the target character set, including service characters such as the segment terminator, while other filter functions exclude these service characters. The length given in the data element "length of data in octets" in the USD and USU segments shall be the length of the (compressed,) encrypted (and filtered) data; this value is used to determine the end of the encrypted data. The filter function used should be indicated in data element 0505 (Filter function, coded) of the USH segment in the confidentiality security header group.
5.2.4 Compression Before Encryption
The cost of the encryption computation is related to the size of the data to be encrypted, so compressing the data before encryption is very effective. Most compression techniques are ineffective on encrypted text, and even more so on filtered text, so if compression is required it should be performed before encryption. Therefore, when compression is used with the confidentiality security service, the security header group may include an indication that the data was compressed before encryption and may identify the compression algorithm and optional parameters used. In this case, after the encrypted data has been decrypted, it shall be decompressed before the original EDIFACT structure is restored.
5.2.5 Order of Operations
5.2.5.1 Encryption and Related Operations
When applying confidentiality security processing to an EDIFACT structure, the following operations shall be performed:
a) compress the EDIFACT structure (optional) and calculate an integrity value over the compressed data (optional);
b) encrypt the (compressed and integrity-protected) EDIFACT structure;
c) filter the (compressed and integrity-protected) encrypted data (optional).
5.2.5.2 Decryption and Related Operations
When restoring an encrypted EDIFACT structure to its original form, the following operations shall be performed:
a) unfilter the filtered encrypted data (if filtered);
b) decrypt the encrypted data;
c) verify the integrity value of the compressed data (if an integrity value exists) and expand (i.e., decompress) the decrypted data to restore the original EDIFACT structure (if compressed).
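The order of operations in 5.2.5 and the USD/USU encapsulation of 5.1.4, as an added Python example that is not part of the standard: an HMAC-SHA256 counter keystream stands in for the owner symmetric algorithm and a SHA-256 digest for the integrity value that the USA segment would name, URL-safe base64 serves as the filter function, the USD/USU element order follows A1.5, and the `compressed` flag stands for the compression indication carried in the security header group. The sample message body and key are constructed; the padding element is written as a plain count because its tag is not given here.

```python
import base64
import hashlib
import hmac
import zlib

# EDIFACT default service characters (UNA:+.? '): data element separator and segment terminator.
DE_SEP = "+"
SEG_TERM = "'"

# Constructed sample: a message body with UNH/UNT already stripped, since the header and
# trailer of the structure stay unencrypted (5.1.1.3). Constructed key, not for real use.
SAMPLE_BODY = b"BGM+380+INV-0001'DTM+137:20000501:102'LIN+1++ABC123:SA'"
SAMPLE_KEY = b"constructed-example-key-0000000000"


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the owner symmetric algorithm that USA would name: a counter-mode
    keystream from HMAC-SHA256, XORed onto the data. Constructed for this example, not an
    algorithm the standard specifies. XOR is its own inverse, so it decrypts as well."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def protect(body: bytes, key: bytes, ref: int, compress: bool = True) -> str:
    """5.2.5.1: a) compress and compute an integrity value over the compressed text,
    b) encrypt, c) filter; then encapsulate in USD ... USU (5.1.4)."""
    plain = body
    if compress:
        comp = zlib.compress(body)
        # Integrity value at octet offset 0 of the compressed text; the offset would be
        # carried as a USA parameter value.
        plain = hashlib.sha256(comp).digest() + comp
    enc = _keystream_xor(key, plain)
    # Filter function: URL-safe base64 maps the bit string onto a character set that
    # contains none of the EDIFACT service characters, so it can never end a segment early.
    filtered = base64.urlsafe_b64encode(enc).decode("ascii")
    pad = 0  # the stream construction above needs no padding; a block cipher would report it
    # USD and USU elements in the order given in A1.5: length of data in octets (0556),
    # encryption reference number (0518), and for USD the number of padding octets.
    usd = DE_SEP.join(["USD", str(len(filtered)), str(ref), str(pad)]) + SEG_TERM
    usu = DE_SEP.join(["USU", str(len(filtered)), str(ref)]) + SEG_TERM
    return usd + filtered + usu


def _parse_service_segment(text: str, tag: str):
    """Split the service segment at the start of text into its data elements and return them
    with the index just past the segment terminator. USD/USU carry only numeric elements,
    so no release character can occur before the terminator."""
    if not text.startswith(tag + DE_SEP):
        raise ValueError(f"expected {tag} segment")
    end = text.index(SEG_TERM)
    return text[:end].split(DE_SEP), end + 1


def unprotect(text: str, key: bytes, compressed: bool = True) -> bytes:
    """5.2.5.2: a) unfilter, b) decrypt, c) verify the integrity value and decompress.
    The encrypted data is located by the length in USD, never by scanning for a terminator,
    and USU must repeat the same length and reference number (A1.5 notes on USU)."""
    usd, start = _parse_service_segment(text, "USD")
    n, ref = int(usd[1]), int(usd[2])
    filtered = text[start:start + n]
    if len(filtered) != n:
        raise ValueError("encrypted data shorter than the length given in USD")
    rest = text[start + n:]
    usu, end = _parse_service_segment(rest, "USU")
    if end != len(rest):
        raise ValueError("unexpected data after USU")
    if int(usu[1]) != n or int(usu[2]) != ref:
        raise ValueError("USU length or reference number does not match USD")
    plain = _keystream_xor(key, base64.urlsafe_b64decode(filtered))
    if not compressed:
        return plain
    digest, comp = plain[:32], plain[32:]
    if not hmac.compare_digest(digest, hashlib.sha256(comp).digest()):
        raise ValueError("integrity value over the compressed text does not verify")
    return zlib.decompress(comp)
```

The receiver side shows the practical consequence of 5.2.3: because the filtered data is bounded by the length in USD rather than by a terminator, a USU that disagrees with USD, or any tampering that breaks the integrity value over the compressed text, is rejected before decompression.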
Appendix A
(Appendix to the standard)
Syntax Service Directory
(Segments, composite data elements and simple data elements)
A1 Segment Directory
A1.1 Segment Directory Specification
Function: the function of the segment.
Position: the sequential position number of a stand-alone data element or composite data element in the segment table.
Tag: the tags of all service segments in the segment directory begin with the letter "U"; the tags of all service composite data elements begin with the letter "S", and the tags of all service simple data elements begin with the digit "0".
Name: the English names of composite data elements and of stand-alone data elements are written in uppercase letters; the English names of component data elements are written in lowercase letters.
Status: the status of a stand-alone data element or composite data element in a segment (M indicates mandatory, C indicates conditional), or the status of a component data element in a composite data element.
Maximum repetitions: the maximum number of times a stand-alone data element or component data element appears in a segment.
Representation: the data value of a stand-alone data element, or of a component data element in a composite data element, is represented as follows:
a alphabetic characters;
n numeric characters;
an alphanumeric characters;
a3 3 alphabetic characters, fixed length;
n3 3 numeric characters, fixed length;
an3 3 alphanumeric characters, fixed length;
a..3 at most 3 alphabetic characters;
n..3 at most 3 numeric characters;
an..3 at most 3 alphanumeric characters.
Dependency note identifiers:
One and only one
All or none
One or more
One or none
If the first item is present, all are present
If the first item is present, at least one other item is present
If the first item is present, all other items are absent
For the definition of dependency note identifiers, refer to 11.5 of GB/T 14805.1-1999.
A1.3 Segment index arranged by tag
USD Data encryption header
USU Data encryption trailer
A1.4 Segment index arranged by English name
Data encryption header USD
Data encryption trailer USU
A1.5 Segment description
Note: Only segments not defined in other parts of GB/T 14805 are included here.
USD, Data encryption header
Function: Specifies the size of the encrypted data following the segment terminator (i.e., its length in octets).
Position 1: 0556 Length of data in octets
Position 2: 0518 Encryption reference number
Position 3: Number of padding octets
USU, Data encryption trailer
Function: Marks the end of the encrypted data.
Position 1: 0556 Length of data in octets
Position 2: 0518 Encryption reference number
1 0556: This value shall be the same as the value of 0556 in the corresponding USD segment.
2 0518: This value shall be the same as the value of 0518 in the corresponding USD segment.
A2 Directory of simple data elements
A2.1 Simple data element specification
Tag: the tags of all service simple data elements in the simple data element directory begin with the digit "0".
Name: the name of the simple data element.
Description: description of the simple data element.
Representation: the data value of a simple data element is represented as follows:
a alphabetic characters;
n numeric characters;
an alphanumeric characters;
a3 3 alphabetic characters, fixed length;
n3 3 numeric characters, fixed length;
an3 3 alphanumeric characters, fixed length;
a..3 at most 3 alphabetic characters;
n..3 at most 3 numeric characters;
an..3 at most 3 alphanumeric characters.
A2.2 Simple data element index arranged by tag
0518 Encryption reference number
0556 Length of data in octets