
GM/T 0022-2014 English PDF (GMT0022-2014)


GM/T 0022-2014: IPSec VPN specification

This standard specifies the technical protocols, product management and testing of IPSec VPN, and can be used to guide the R&D, detection, use and management of IPSec VPN products.
GM/T 0022-2014
GM
CRYPTOGRAPHIC INDUSTRY STANDARD
OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Registration number: 44623-2014
IPSec VPN specification
ISSUED ON: FEBRUARY 13, 2014
IMPLEMENTED ON: FEBRUARY 13, 2014
Issued by: State Cryptography Administration
Table of Contents
Foreword ... 3
1 Scope ... 4
2 Normative references ... 4
3 Terms, definitions and abbreviations ... 4
3.1 Terms and definitions ... 4
3.2 Abbreviations ... 8
4 Cryptographic algorithm and key type ... 9
4.1 Cryptographic algorithm ... 9
4.2 Key types ... 10
5 Protocol ... 10
5.1 Key exchange protocol ... 10
5.2 Security message protocol ... 41
6 IPSec VPN product requirements ... 53
6.1 Product functional requirements ... 53
6.2 Product performance parameters ... 55
6.3 Safety management requirements ... 56
7 IPSec VPN product detection ... 59
7.1 Product function detection ... 59
7.2 Product performance testing ... 61
7.3 Security management testing ... 61
8 Qualification judgment ... 63
Appendix A (Informative) IPSec VPN overview ... 64
References ... 71
Foreword
This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
Please note that some of the contents of this document may involve patents. The issuer of this document does not assume responsibility for the identification of these patents.
This standard was proposed by, and shall be under the jurisdiction of, the Cryptographic Industry Standardization Technical Committee.
The drafting organizations of this standard: Wuxi Jiangnan Information Security Engineering Technology Center, Huawei Technologies Co., Ltd., Shenzhen OLYM Technology Co., Ltd., Shenzhen Shenxinfu Electronic Technology Co., Ltd., Shandong De'an Information Technology Co., Ltd., Beijing Digital Certification Co., Ltd., Shanghai Koal Software Co., Ltd., Wuhan Erjiang Aerospace Network Communication Co., Ltd., Xi'an Jiaotong University JUMP Network Technology Co., Ltd., Beijing Tianrongxin Network Security Technology Co., Ltd., Maipu Communication Technology Co., Ltd., National Cryptography Authority Commercial Cryptography Testing Center, Hangzhou Yirui Electronics Co., Ltd.
The main drafters of this standard: Liu Ping, Zhu Zhiqiang, Dong Hao, Lei Jian, Liu Jianfeng, Li Xiaojing, Qiu Gang, Xiang Ming, Kong Fanyu, Li Shusheng, Tan Wuzhong, Wang Zhen, Zhang Yong, Pan Limin, Fan Hengying, Luo Peng, Li Yuchuan.
IPSec VPN specification
1 Scope
This standard specifies the technical protocols, product management and testing of IPSec VPN, and can be used to guide the R&D, detection, use and management of IPSec VPN products.
2 Normative references
The following documents are essential to the application of this document. For dated references, only the version with the indicated date applies to this document; for undated references, the latest version (including all amendments) applies to this standard.
GM/T 0005 Randomness test specification
GM/T 0009 SM2 cryptography algorithm application specification
GM/T 0014 Protocol specification for authentication system password of digital certificate
GM/T 0015 Digital certificate format based on SM2 algorithm
RFC 3948 UDP Encapsulation of IPSec ESP Packets January 2005
3 Terms, definitions and abbreviations
3.1 Terms and definitions
The following terms and definitions apply to this document.
3.1.1
Cryptographic algorithm
It refers to the operational rules that describe the cryptographic processing.
3.1.2
Cryptographic hash algorithm
It is also known as hash algorithm, cryptographic hashing algorithm or Hash algorithm. The algorithm maps an arbitrarily long bit string to a fixed-length bit string and satisfies the following three characteristics.
a) It is computationally difficult to find an input that can be mapped to the output for a given output;
b) It is computationally difficult to find another input that can be mapped to the same output for a given input;
c) It is computationally difficult to find that different inputs are mapped to the same output.
3.1.3
Asymmetric cryptographic algorithm/public key cryptography algorithm
It refers to the cryptographic algorithms in which encryption and decryption use different keys, wherein one key (public key) may be revealed to the public but the other key (private key) must be kept confidential, and it is computationally infeasible to calculate the private key from the public key.
3.1.4
Symmetric cryptographic algorithm
It refers to the cryptographic algorithms in which encryption and decryption use the same key.
3.1.5
Block cipher algorithm
It refers to a type of symmetric cipher algorithm which divides the input data into fixed-length blocks for encryption and decryption.
3.1.6
Cipher block chaining operation mode, CBC
It refers to a working mode of the block cipher algorithm, characterized in that the current plaintext block is XORed with the previous ciphertext block and then encrypted to obtain the current ciphertext block.
CBC: (Block Cipher's) Cipher Block Chaining (Working Mode)
ESP: Encapsulating Security Payload
HMAC: Keyed-Hash Message Authentication Code
IPSec: Internet Protocol Security
ISAKMP: Internet Security Association and Key Management Protocol
IV: Initialization Vector
NAT: Network Address Translation
SA: Security Association
VPN: Virtual Private Network
4 Cryptographic algorithm and key type
4.1 Cryptographic algorithm
IPSec VPN uses the asymmetric cryptographic algorithms, symmetric cryptographic algorithms, cryptographic hash algorithms and random number generation algorithms approved by the national cryptographic management authority. The algorithms and their methods of use are as follows.
- The asymmetric cryptographic algorithm uses the SM2 elliptic curve cryptographic algorithm and also supports the RSA algorithm at 2048 bits and above; it is used for entity authentication, digital signatures, digital envelopes, etc.
- The symmetric cipher algorithm uses the SM1 or SM4 block cipher algorithm, which is used for encryption protection of key exchange data and of message data. The algorithm works in CBC mode.
- The cryptographic hash algorithm uses the SM3 or SHA-1 cryptographic hash algorithm, which is used for integrity verification.
- The random numbers generated by the random number generation algorithm shall be able to pass the tests specified in GM/T 0005.
PRF (key, msg): use the key to perform the data digest operation on the message msg.
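A compliance check for the algorithm rules of 4.1, as an added example and not code from the standard: it takes a proposal string in an assumed "ASYM/SYM-MODE/HASH" form (e.g. "SM2/SM4-CBC/SM3") and reports every requirement it violates, including RSA below 2048 bits, a working mode other than CBC and unapproved algorithms.

```python
"""Check an IPSec VPN algorithm proposal against the 4.1 rules above.

Added example, not code from the standard. The "ASYM/SYM-MODE/HASH"
proposal string (e.g. "SM2/SM4-CBC/SM3") is a format assumed for this
example; the checks encode the algorithm rules listed in 4.1.
"""
import re
from dataclasses import dataclass

RSA_MIN_BITS = 2048  # 4.1: RSA is supported only at 2048 bits and above
APPROVED_BLOCK_CIPHERS = ("SM1", "SM4")  # must run in CBC mode
APPROVED_HASHES = ("SM3", "SHA-1", "SHA1")


@dataclass
class Finding:
    component: str  # part of the proposal that failed: format, asym, sym, mode, hash
    message: str


def check_proposal(proposal: str) -> list:
    """Return the list of Findings for a proposal; an empty list means compliant."""
    parts = proposal.upper().split("/")
    if len(parts) != 3:
        return [Finding("format", "expected ASYM/SYM-MODE/HASH")]
    asym, sym, hsh = parts
    findings = []

    # Asymmetric algorithm: SM2, or RSA with an explicit modulus size of 2048+ bits
    rsa = re.fullmatch(r"RSA-(\d+)", asym)
    if rsa:
        if int(rsa.group(1)) < RSA_MIN_BITS:
            findings.append(Finding("asym", f"RSA-{rsa.group(1)} is below {RSA_MIN_BITS} bits"))
    elif asym != "SM2":
        findings.append(Finding("asym", f"{asym} is not an approved asymmetric algorithm"))

    # Symmetric algorithm: SM1 or SM4 block cipher, and the working mode must be CBC
    sym_alg, _, mode = sym.partition("-")
    if sym_alg not in APPROVED_BLOCK_CIPHERS:
        findings.append(Finding("sym", f"{sym_alg} is not an approved block cipher"))
    if mode != "CBC":
        findings.append(Finding("mode", f"mode {mode or 'unspecified'} is not CBC"))

    # Hash algorithm for integrity verification: SM3 or SHA-1
    if hsh not in APPROVED_HASHES:
        findings.append(Finding("hash", f"{hsh} is not an approved hash algorithm"))
    return findings


def is_compliant(proposal: str) -> bool:
    return not check_proposal(proposal)
```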
5.1.1 Exchange phases and modes
5.1.1.1 Exchange phase
The key exchange phase includes phase I and phase II.
In the phase I exchange, the communicating parties establish an ISAKMP SA, which is a shared policy and key used by both parties to protect the communication between them. This SA is used to protect the IPSec SA negotiation process. An ISAKMP SA can be used to establish multiple IPSec SAs.
In the phase II exchange, the communicating parties use the ISAKMP SA from phase I to establish the IPSec SA through negotiation; the IPSec SA is the shared policy and key used to protect the data communication between them.
5.1.1.2 Exchange mode
This standard specifies two exchange modes, namely, master mode and fast mode.
The master mode is used for the phase I exchange to achieve identity authentication and key exchange between both parties of the communication and to obtain the work key, which is used to protect the negotiation process of phase II.
Fast mode is used for the phase II exchange to achieve the IPSec SA negotiation between both parties of the communication and to determine the IPSec security policy and session key between them.
5...
