
GM/T 0026-2014 (GM/T 0026-2023 Newer Version) PDF English


Search result: GM/T 0026-2014 (GM/T 0026-2023 Newer Version)
GM/T 0026-2023 (English): Security Authentication Gateway Product Specification. Status: Valid
GM/T 0026-2014 (English): Security authentication gateway product specification. Status: Obsolete



GM/T 0026-2014: PDF in English (GMT 0026-2014)

GM/T 0026-2014

GM

CRYPTOGRAPHY INDUSTRY STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA

ICS 35.040
L 80
File No.: 44627-2014

Security authentication gateway product specification

ISSUED ON: FEBRUARY 13, 2014
IMPLEMENTED ON: FEBRUARY 13, 2014

Issued by: State Cryptography Administration

Table of Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviation
5 Overview of security authentication gateway
6 Cryptographic algorithm and key type
7 Security authentication gateway product requirements
8 Security authentication gateway product testing
9 Determination of qualification

Foreword

This Standard was drafted in accordance with the rules given in GB/T 1.1-2009.

Attention is drawn to the possibility that some of the elements of this Standard may be the subject of patent rights. The issuing authority shall not be held responsible for identifying any or all such patent rights.

This Standard was proposed by and shall be under the jurisdiction of Code Industry Standardization Technical Committee.

Main drafting organizations of this Standard: Shanghai Geer Software Co., Ltd., Wuxi Jiangnan Information Security Engineering Technology Center, Shanghai Digital Certificate Certification Center Co., Ltd.

Main drafters of this Standard: Tan Wuzheng, Xu Qiang, Liu Cheng, Han Lin, Liu Xin.

Security authentication gateway product specification

1 Scope

This Standard specifies the cryptographic algorithms and key types, functional requirements, hardware requirements, software requirements, security requirements and testing requirements of security authentication gateway product.

This Standard is applicable to guide the development, testing, use and management of security authentication gateway product.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies.
For undated references, the latest edition of the referenced document (including any amendments) applies.

GB/T 9813-2000, Specification for microcomputer
GB/T 15153.1-1998, Telecontrol equipment and systems - Part 2: Operating conditions - Section 1: Power supply and electromagnetic compatibility
GB/T 15843.3, Information technology - Security techniques - Entity authentication - Part 3: Mechanisms using digital signature techniques
GB/T 17964, Information technology - Security techniques - Modes of operation for a block cipher
GM/T 0005, Randomness Test Specification
GM/T 0014, Digital certificate authentication system cryptography protocol specification
GM/T 0022, IPSec VPN specification
GM/T 0024, SSL VPN specification

3 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

3.10 secure socket layer protocol
a transport layer security protocol used to build secure channel between client and server

3.11 authentication header, AH
a protocol that is part of IPSec that provides data integrity, data source authentication, and anti-replay attack capabilities for IP packets, but does not provide data confidentiality

3.12 encapsulating security payload; ESP
a kind of IPSec protocol that is used to provide confidentiality of IP packets, data integrity, authentication of data sources, and replay attack resistance

3.13 virtual private network; VPN
a technique to build secure channels in communication networks by using cryptography

3.14 secure message
the purpose of secure message is to ensure the data confidentiality, the data integrity and the authentication of data sender; the data integrity and the authentication of data sender are ensured through message authentication code (MAC), the data confidentiality is ensured through data encryption

3.15 SM1 algorithm
a block cipher algorithm with a packet length of 128 bits and a key length of 128 bits

3.16 SM2 algorithm
an elliptic curve public key cryptosystem with key length of 256 bits

3.17 SM3 algorithm
a cryptographic hash algorithm with an output of 256 bits

3.18 SM4 algorithm
a block cipher algorithm with a packet length of 128 bits and a key length of 128 bits

3.19 security authentication gateway
security authentication gateway is a product that uses digital certificate to actual situation, the security certification gateway can support physical deployment in series mode, the physical parallel deployment. But it must provide for application the technique means to identify whether the user access through the gateway.

6 Cryptographic algorithm and key type

6.1 Algorithm requirements

Security authentication gateway uses asymmetric cryptographic algorithm, symmetric cryptographic algorithm, cryptographic hash algorithm and random number generation algorithm approved by national cryptography management authorities. The algorithm and methods of use are as follows:

• asymmetric cryptographic algorithm is used for certification, digital signature and digital envelope;
• symmetric cryptographic algorithm uses block cipher algorithm; it is used for encryption protection of key exchange data and packet data encryption protection; the working mode of the algorithm uses CBC mode, in accordance with the requirements of GB/T 17964;
• cryptographic hash algorithm is used for symmetric key generation and integrity verification;
• generated random number shall pass the testing specified in GM/T 0005.

6.2 Key type

Security authentication gateway uses the following keys:

• device key: public-private key pair used by asymmetric algorithm is for entity authentication, digital signature, and digital envelope;
• work key: the key obtained during the first phase of key exchange, for the protection of session key exchange process when symmetric cryptographic algorithm is used;
• session key: the key obtained during the second phase of key exchange, for the protection of data packet encryption and integrity when symmetric cryptographic algorithm is used.
7 Security authentication gateway product with test device or network packet interception tool, the replayed data message must not be tested in the intranet port of the testing device.

7.1.14 Security check of client host

Security authentication gateway product shall have a security check function for the client host. When the client connects to the server, the security of the user's operating system is checked according to the client-side security policy issued by the server. A user who fails to comply with the security policy shall be unable to use the security authentication gateway. The client security policy shall at least contain one of the following conditions:

• whether anti-virus software is installed and enabled;
• whether personal firewall is installed and enabled;
• whether the latest operating system security patch is installed;
• whether a login password has been set for system.

7.2 Product performance parameters

7.2.1 Performance parameters that follow IPSec protocol

7.2.1.1 Encryption and decryption throughput

The encryption and decryption throughput refers to the maximum bidirectional data flow on the intranet port of IPSec VPN gateway product when the packet loss rate is 0 at 64 bytes Ethernet frame length and 1428 (IPv4) / 1408 (IPv6) Ethernet frame length, respectively. The product shall meet the requirements of user network environment on network data encryption and decryption throughput performance.

7.2.1.2 Encryption and decryption delay

The encryption and decryption delay refers to the average time consumed for a plaintext data flow to be encrypted into ciphertext and then decrypted back into plaintext at 64 bytes Ethernet frame length and 1428 (IPv4) / 1408 (IPv6) Ethernet frame length when the IPSec VPN packet loss rate is 0. The product shall meet the requirements of user network environment on network data encryption and decryption delay performance.
7.2.1.3 Encryption and decryption packet loss rate

The encryption and decryption packet loss rate refers to the percentage of total number of packets sent or received in error per unit time at 64 bytes Ethernet frame length and 1428 (IPv4) / 1408 (IPv6) Ethernet frame length when the certificate is issued by an external certification agency. The device signature key pair is generated by an external key management agency. The encryption certificate is issued by an external certification agency. See GM/T 0014 for the private key protection method of encryption key pair. The private key of the signature certificate, the encrypted certificate, and the encryption key pair shall be imported to the security authentication gateway product. In security authentication gateway product, the p... ......
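
The client host security check of clause 7.1.14, sketched as an added example that is not part of the standard or of any gateway product: the policy issued by the server is validated, then a client report is evaluated against it. The check names, the report format and the fail-closed treatment of missing fields are assumptions.

```python
from dataclasses import dataclass

# The four conditions listed in clause 7.1.14. The key names are assumptions,
# and this sketch knows only these four, so it rejects any other name.
KNOWN_CHECKS = frozenset({
    "antivirus_enabled",    # anti-virus software installed and enabled
    "firewall_enabled",     # personal firewall installed and enabled
    "os_patched",           # latest operating system security patch installed
    "login_password_set",   # login password set for the system
})


@dataclass(frozen=True)
class Decision:
    allowed: bool
    failed: tuple  # names of the required checks that were not satisfied


def validate_policy(required):
    """Accept a policy only if it names at least one known condition."""
    required = frozenset(required)
    if not required:
        raise ValueError("policy must contain at least one condition")
    unknown = required - KNOWN_CHECKS
    if unknown:
        raise ValueError(f"unknown checks: {sorted(unknown)}")
    return required


def evaluate(policy, report):
    """Gateway-side decision for one client report.

    A check passes only when the report carries the literal value True.
    A missing field or a non-boolean value such as "yes" counts as a
    failure, so an incomplete report is denied rather than waved through.
    """
    failed = tuple(sorted(c for c in policy if report.get(c) is not True))
    return Decision(allowed=not failed, failed=failed)


# Constructed sample data: one server-issued policy and two client reports.
POLICY = validate_policy({"antivirus_enabled", "os_patched", "login_password_set"})
COMPLIANT = {"antivirus_enabled": True, "firewall_enabled": False,
             "os_patched": True, "login_password_set": True}
INCOMPLETE = {"antivirus_enabled": True, "os_patched": "yes"}  # password field absent

if __name__ == "__main__":
    for name, report in (("compliant", COMPLIANT), ("incomplete", INCOMPLETE)):
        d = evaluate(POLICY, report)
        print(name, "ALLOW" if d.allowed else "DENY", d.failed)
```

The firewall check is not in the sample policy, so a disabled firewall does not affect the compliant client's result.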
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.