GM/T 0026-2014 (superseded by GM/T 0026-2023) - PDF in English
Search result: GM/T 0026-2014 (newer version: GM/T 0026-2023)

Standard ID | Contents [version] | USD | PDF delivered in | Name of Chinese Standard | Status
GM/T 0026-2023 | English | 419 | 4 days | Security Authentication Gateway Product Specification | Valid
GM/T 0026-2014 | English | 150 | 0-9 seconds (auto-delivery) | Security authentication gateway product specification | Obsolete
PDF Preview: GM/T 0026-2014
GM
CRYPTOGRAPHY INDUSTRY STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
File No.: 44627-2014
Security authentication gateway product specification
Issued on: February 13, 2014
Implemented on: February 13, 2014
Issued by: State Cryptography Administration
Table of Contents
Foreword ... 3
Introduction ... 4
1 Scope ... 5
2 Normative references ... 5
3 Terms and definitions ... 5
4 Abbreviations ... 8
5 Overview of security authentication gateway ... 8
6 Cryptographic algorithms and key types ... 9
7 Security authentication gateway product requirements ... 9
8 Security authentication gateway product testing ... 23
9 Determination of qualification ... 28
Foreword
This Standard was drafted in accordance with the rules given in GB/T 1.1-2009.
Attention is drawn to the possibility that some of the elements of this Standard may be the subject of patent rights. The issuing authority shall not be held responsible for identifying any or all such patent rights.
This Standard was proposed by and is under the jurisdiction of the Cryptography Industry Standardization Technical Committee.
Main drafting organizations of this Standard: Shanghai Geer Software Co., Ltd., Wuxi Jiangnan Information Security Engineering Technology Center, Shanghai Digital Certificate Certification Center Co., Ltd.
Main drafters of this Standard: Tan Wuzheng, Xu Qiang, Liu Cheng, Han Lin, Liu Xin.
Security authentication gateway product specification
1 Scope
This Standard specifies the cryptographic algorithms and key types, functional requirements, hardware requirements, software requirements, security requirements and testing requirements of security authentication gateway products.
This Standard applies to guiding the development, testing, use and management of security authentication gateway products.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 9813-2000, Specification for microcomputers
GB/T 15153.1-1998, Telecontrol equipment and systems - Part 2: Operating conditions - Section 1: Power supply and electromagnetic compatibility
GB/T 15843.3, Information technology - Security techniques - Entity authentication - Part 3: Mechanisms using digital signature techniques
GB/T 17964, Information technology - Security techniques - Modes of operation for a block cipher
GM/T 0005, Randomness test specification
GM/T 0014, Digital certificate authentication system cryptography protocol specification
GM/T 0022, IPSec VPN specification
GM/T 0024, SSL VPN specification
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.10 secure socket layer protocol
a transport layer security protocol used to build a secure channel between client and server
3.11 authentication header; AH
a protocol that is part of IPSec and provides data integrity, data origin authentication and anti-replay protection for IP packets, but does not provide data confidentiality
3.12 encapsulating security payload; ESP
an IPSec protocol that provides confidentiality, data integrity, data origin authentication and anti-replay protection for IP packets
3.13 virtual private network; VPN
a technique for building secure channels over communication networks by means of cryptography
3.14 secure message
a message whose purpose is to ensure data confidentiality, data integrity and authentication of the data sender; data integrity and sender authentication are ensured by a message authentication code (MAC), and data confidentiality is ensured by data encryption
3.15 SM1 algorithm
a block cipher algorithm with a block length of 128 bits and a key length of 128 bits
3.16 SM2 algorithm
an elliptic curve public key cryptosystem with a key length of 256 bits
3.17 SM3 algorithm
a cryptographic hash algorithm with an output length of 256 bits
3.18 SM4 algorithm
a block cipher algorithm with a block length of 128 bits and a key length of 128 bits
3.19 security authentication gateway
a security authentication gateway is a product that uses digital certificates to

actual situation, the security authentication gateway can support physical deployment in series mode or physical deployment in parallel mode, but it must provide the application with a technical means of identifying whether the user is accessing through the gateway.
6 Cryptographic algorithms and key types
6.1 Algorithm requirements
A security authentication gateway uses the asymmetric cryptographic algorithm, symmetric cryptographic algorithm, cryptographic hash algorithm and random number generation algorithm approved by the national cryptography management authority. The algorithms and their uses are as follows:
• the asymmetric cryptographic algorithm is used for authentication, digital signature and digital envelope;
• the symmetric cryptographic algorithm is a block cipher; it is used to encrypt key exchange data and packet data, and is operated in CBC mode in accordance with GB/T 17964;
• the cryptographic hash algorithm is used for symmetric key generation and integrity verification;
• generated random numbers shall pass the tests specified in GM/T 0005.
6.2 Key types
A security authentication gateway uses the following keys:
• device key: the public/private key pair of the asymmetric algorithm, used for entity authentication, digital signature and digital envelope;
• work key: the key obtained in the first phase of key exchange, used with the symmetric cryptographic algorithm to protect the session key exchange;
• session key: the key obtained in the second phase of key exchange, used with the symmetric cryptographic algorithm to protect the encryption and integrity of data packets.
7 Security authentication gateway product requirements
with a test device or a network packet interception tool, the replayed data message must not be detected at the intranet port of the device under test.
7.1.14 Security check of client host
A security authentication gateway product shall provide a security check function for the client host. When the client connects to the server, it checks the security of the user's operating system according to the client-side security policy issued by the server. A user whose host fails to comply with the security policy shall be unable to use the security authentication gateway.
The client security policy shall contain at least one of the following conditions:
• whether anti-virus software is installed and enabled;
• whether a personal firewall is installed and enabled;
• whether the latest operating system security patches are installed;
• whether a login password has been set for the system.
7.2 Product performance parameters
7.2.1 Performance parameters for the IPSec protocol
7.2.1.1 Encryption and decryption throughput
The encryption and decryption throughput is the maximum bidirectional data flow at the intranet port of the IPSec VPN gateway product with a packet loss rate of 0, measured at an Ethernet frame length of 64 bytes and at 1428 bytes (IPv4) / 1408 bytes (IPv6) respectively. The product shall meet the network data encryption and decryption throughput requirements of the user's network environment.
7.2.1.2 Encryption and decryption delay
The encryption and decryption delay is the average time consumed for a plaintext data flow to be encrypted into ciphertext and then decrypted back into plaintext, measured at an Ethernet frame length of 64 bytes and at 1428 bytes (IPv4) / 1408 bytes (IPv6) with an IPSec VPN packet loss rate of 0. The product shall meet the network data encryption and decryption delay requirements of the user's network environment.
7.2.1.3 Encryption and decryption packet loss rate
The encryption and decryption packet loss rate is the percentage of the total number of packets sent or received per unit time that are lost or received in error, measured at an Ethernet frame length of 64 bytes and at 1428 bytes (IPv4) / 1408 bytes (IPv6) when the

certificate is issued by an external certification agency.
The device signature key pair is generated by an external key management agency. The encryption certificate is issued by an external certification agency. See GM/T 0014 for the method of protecting the private key of the encryption key pair. The private key of the signature certificate, the encryption certificate and the encryption key pair shall be imported into the security authentication gateway product.
In the security authentication gateway product, the p...
...... Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.