GM/T 0022-2014 English PDF (GMT0022-2014)
GM/T 0022-2014 English PDF (GMT0022-2014)
Regular price
$180.00 USD
Regular price
Sale price
$180.00 USD
Unit price
/
per
Delivery: 3 seconds. Download true-PDF + Invoice.
Get QUOTATION in 1-minute: Click GM/T 0022-2014
Historical versions: GM/T 0022-2014
Preview True-PDF (Reload/Scroll if blank)
GM/T 0022-2014: IPSec VPN specification
GM/T 0022-2014
GM
CRYPTOGRAPHIC INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Registration number. 44623-2014
IPSec VPN specification
ISSUED ON. FEBRUARY 13, 2014
IMPLEMENTED ON. FEBRUARY 13, 2014
Issued by. State Cryptography Administration
Table of Contents
Foreword ... 3
1 Scope ... 4
2 Normative references ... 4
3 Terms, definitions and abbreviations ... 4
3.1 Terms and definitions ... 4
3.2 Abbreviations ... 8
4 Cryptographic algorithm and key type ... 9
4.1 Cryptographic algorithm ... 9
4.2 Key types ... 10
5 Protocol ... 10
5.1 Key exchange protocol ... 10
5.2 Security message protocol ... 41
6 IPSec VPN product requirements ... 53
6.1 Product functional requirements ... 53
6.2 Product performance parameters ... 55
6.3 Safety management requirements ... 56
7 IPSec VPN product detection ... 59
7.1 Product function detection ... 59
7.2 Product performance testing ... 61
7.3 Security management testing ... 61
8 Qualification judgment ... 63
Appendix A (Informative) IPSec VPN overview ... 64
References ... 71
Foreword
This standard was drafted in accordance with the rules given in GB/T
1.1-2009.
Please note that some of the contents of this document may involve patents.
The issuer of this document does not assume responsibility for the
identification of these patents.
This standard was proposed by AND shall be under the jurisdiction of the
Cryptographic Industry Standardization Technical Committee.
The drafting organizations of this standard. Wuxi Jiangnan Information
Security Engineering Technology Center, Huawei Technologies Co., Ltd.,
Shenzhen OLYM Technology Co., Ltd., Shenzhen Shenxinfu Electronic
Technology Co., Ltd., Shandong De’an Information Technology Co., Ltd.,
Beijing Digital Certification Co., Ltd., Shanghai Koal Software Co., Ltd., Wuhan
Erjiang Aerospace Network Communication Co., Ltd., Xia’an Jiaotong
University JUMP Network Technology Co., Ltd., Beijing Tianrongxin Network
Security Technology Co., Ltd., Maipu Communication Technology Co., Ltd.,
National Cryptography Authority Commercial Cryptography Testing Center,
Hangzhou Yirui Electronics Co., Ltd.
The main drafters of this standard. Liu Ping, Zhu Zhiqiang, Dong Hao, Lei Jian,
Liu Jianfeng, Li Xiaojing, Qiu Gang, Xiang Ming, Kong Fanyu, Li Shusheng,
Tan Wuzhong, Wang Zhen, Zhang Yong, Pan Limin, Fan Hengying, Luo Peng,
Li Yuchuan.
IPSec VPN specification
1 Scope
This standard specifies the technical protocols, product management and
testing of IPSec VPN, AND this standard can be used to guide the R and D,
detection, use, and management of IPSec VPN products.
2 Normative references
The following documents are essential to the application of this document. For
the dated documents, only the versions with the dates indicated are applicable
to this document; for the undated documents, only the latest version (including
all the amendments) are applicable to this standard.
GM/T 0005 Randomness test specification
GM/T 0009 SM2 cryptography algorithm application specification
GM/T 0014 Protocol specification for authentication system password of
digital certificate
GM/T 0015 Digital certificate format based on SM2 algorithm
RFC 3948 UDP Encapsulation of IPSec ESP Packets January 2005
3 Terms, definitions and abbreviations
3.1 Terms and definitions
The following terms and definitions apply to this document.
3.1.1
Cryptographic algorithm
It refers to the operational rules to describe the cryptographic processing.
3.1.2
Cryptographic hash algorithm
It is also known as hash algorithm, cryptographic hashing algorithm or Hash
algorithm. The algorithm maps an arbitrary long bit string to a fixed long bit
string AND it satisfies the following three characteristics.
a) It is computationally difficult to find an input that can be mapped to the
output for a given output;
b) It is computationally difficult to find another input that can be mapped to
the same output for a given input;
c) It is computationally difficult to find that different inputs are mapped to the
same output.
3.1.3
Asymmetric cryptographic algorithm/public key cryptography
algorithm
It refers to the cryptographic algorithms in which the encryption and
decryption use different keys, wherein one key (public key) may be revealed
to the public BUT the other key (private key) must be kept confidential. AND
it is computationally impossible to calculate the private key based on the
public key.
3.1.4
Symmetric cryptographic algorithm
It refers to the cryptographic algorithms in which the encryption and
decryption use same keys.
3.1.5
Block cipher algorithm
It refers to a type of symmetric cipher algorithm which divides the input data
into fixed-length blocks for encryption and decryption.
3.1.6
Cipher block chaining operation mode, CBC
It refers to a working mode of the block cipher algorithm, which is
characterized in that the current plaintext block is XORed with the previous
ciphertext block AND then encrypted to obtain the current ciphertext block.
CBC. (Block Cipher’s) Cipher Block Chaining (Working Method)
ESP. Encapsulating Security Payload
HMAC. Keyed-Hash Message Authentication Code
IPSec. Internet Protocol Security
ISAKMP. Internet Security Association and Key Management Protocol
IV. Initialization Vector
NAT. Network Address Translation
SA. Security Association
VPN. Virtual Private Network
4 Cryptographic algorithm and key type
4.1 Cryptographic algorithm
IPSec VPN uses the asymmetric cryptographic algorithms, symmetric
cryptographic algorithms, cryptographic hash algorithms, and random number
generation algorithms as approved by the national cryptographic management
authority. Algorithm and the method of use are as follows.
- The asymmetric cryptographic algorithm uses the SM2 elliptic curve
cryptographic algorithm AND it also supports the 2048-bit and above RSA
algorithms, which is used for the entity verification, digital signatures, and
digital envelopes, etc.
- The symmetric cipher algorithm uses the SM1 or SM4 block cipher
algorithm, which is used for encryption protection of key exchange data
and encryption protection of message data. The algorithm works in the
CBC mode.
- The cryptographic hash algorithm uses the SM3 or SHA-1 cryptographic
hash algorithm, which is used for integrity verification.
- The random numbers as generated by the random number generation
algorithm shall be able to pass the detection as specified in GM/T 0005.
PRF (key, msg). USE the key to perform the data digest operation on the
message msg.
5.1.1 Exchange phases and modes
5.1.1.1 Exchange phase
The key exchange phase includes phase I and phase II.
In the phase I of the exchange, the communication parties establish an
ISAKMP SA, which is a shared policy and key used by both parties to protect
the communication between them. This SA is used to protect the IPSec SA
negotiation process. An ISAKMP SA can be used to establish multiple IPSec
SAs.
In the phase II of the exchange, the communication parties use the ISAKMP
SA in phase I to establish the IPSec SA through negotiation; AND the IPSec
SA is the shared policy and key used to protect the data communication
between them.
5.1.1.2 Exchange mode
This standard specifies two exchange modes, namely, master mo...
Get QUOTATION in 1-minute: Click GM/T 0022-2014
Historical versions: GM/T 0022-2014
Preview True-PDF (Reload/Scroll if blank)
GM/T 0022-2014: IPSec VPN specification
GM/T 0022-2014
GM
CRYPTOGRAPHIC INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Registration number. 44623-2014
IPSec VPN specification
ISSUED ON. FEBRUARY 13, 2014
IMPLEMENTED ON. FEBRUARY 13, 2014
Issued by. State Cryptography Administration
Table of Contents
Foreword ... 3
1 Scope ... 4
2 Normative references ... 4
3 Terms, definitions and abbreviations ... 4
3.1 Terms and definitions ... 4
3.2 Abbreviations ... 8
4 Cryptographic algorithm and key type ... 9
4.1 Cryptographic algorithm ... 9
4.2 Key types ... 10
5 Protocol ... 10
5.1 Key exchange protocol ... 10
5.2 Security message protocol ... 41
6 IPSec VPN product requirements ... 53
6.1 Product functional requirements ... 53
6.2 Product performance parameters ... 55
6.3 Safety management requirements ... 56
7 IPSec VPN product detection ... 59
7.1 Product function detection ... 59
7.2 Product performance testing ... 61
7.3 Security management testing ... 61
8 Qualification judgment ... 63
Appendix A (Informative) IPSec VPN overview ... 64
References ... 71
Foreword
This standard was drafted in accordance with the rules given in GB/T
1.1-2009.
Please note that some of the contents of this document may involve patents.
The issuer of this document does not assume responsibility for the
identification of these patents.
This standard was proposed by AND shall be under the jurisdiction of the
Cryptographic Industry Standardization Technical Committee.
The drafting organizations of this standard. Wuxi Jiangnan Information
Security Engineering Technology Center, Huawei Technologies Co., Ltd.,
Shenzhen OLYM Technology Co., Ltd., Shenzhen Shenxinfu Electronic
Technology Co., Ltd., Shandong De’an Information Technology Co., Ltd.,
Beijing Digital Certification Co., Ltd., Shanghai Koal Software Co., Ltd., Wuhan
Erjiang Aerospace Network Communication Co., Ltd., Xia’an Jiaotong
University JUMP Network Technology Co., Ltd., Beijing Tianrongxin Network
Security Technology Co., Ltd., Maipu Communication Technology Co., Ltd.,
National Cryptography Authority Commercial Cryptography Testing Center,
Hangzhou Yirui Electronics Co., Ltd.
The main drafters of this standard. Liu Ping, Zhu Zhiqiang, Dong Hao, Lei Jian,
Liu Jianfeng, Li Xiaojing, Qiu Gang, Xiang Ming, Kong Fanyu, Li Shusheng,
Tan Wuzhong, Wang Zhen, Zhang Yong, Pan Limin, Fan Hengying, Luo Peng,
Li Yuchuan.
IPSec VPN specification
1 Scope
This standard specifies the technical protocols, product management and
testing of IPSec VPN, AND this standard can be used to guide the R and D,
detection, use, and management of IPSec VPN products.
2 Normative references
The following documents are essential to the application of this document. For
the dated documents, only the versions with the dates indicated are applicable
to this document; for the undated documents, only the latest version (including
all the amendments) are applicable to this standard.
GM/T 0005 Randomness test specification
GM/T 0009 SM2 cryptography algorithm application specification
GM/T 0014 Protocol specification for authentication system password of
digital certificate
GM/T 0015 Digital certificate format based on SM2 algorithm
RFC 3948 UDP Encapsulation of IPSec ESP Packets January 2005
3 Terms, definitions and abbreviations
3.1 Terms and definitions
The following terms and definitions apply to this document.
3.1.1
Cryptographic algorithm
It refers to the operational rules to describe the cryptographic processing.
3.1.2
Cryptographic hash algorithm
It is also known as hash algorithm, cryptographic hashing algorithm or Hash
algorithm. The algorithm maps an arbitrary long bit string to a fixed long bit
string AND it satisfies the following three characteristics.
a) It is computationally difficult to find an input that can be mapped to the
output for a given output;
b) It is computationally difficult to find another input that can be mapped to
the same output for a given input;
c) It is computationally difficult to find that different inputs are mapped to the
same output.
3.1.3
Asymmetric cryptographic algorithm/public key cryptography
algorithm
It refers to the cryptographic algorithms in which the encryption and
decryption use different keys, wherein one key (public key) may be revealed
to the public BUT the other key (private key) must be kept confidential. AND
it is computationally impossible to calculate the private key based on the
public key.
3.1.4
Symmetric cryptographic algorithm
It refers to the cryptographic algorithms in which the encryption and
decryption use same keys.
3.1.5
Block cipher algorithm
It refers to a type of symmetric cipher algorithm which divides the input data
into fixed-length blocks for encryption and decryption.
3.1.6
Cipher block chaining operation mode, CBC
It refers to a working mode of the block cipher algorithm, which is
characterized in that the current plaintext block is XORed with the previous
ciphertext block AND then encrypted to obtain the current ciphertext block.
CBC. (Block Cipher’s) Cipher Block Chaining (Working Method)
ESP. Encapsulating Security Payload
HMAC. Keyed-Hash Message Authentication Code
IPSec. Internet Protocol Security
ISAKMP. Internet Security Association and Key Management Protocol
IV. Initialization Vector
NAT. Network Address Translation
SA. Security Association
VPN. Virtual Private Network
4 Cryptographic algorithm and key type
4.1 Cryptographic algorithm
IPSec VPN uses the asymmetric cryptographic algorithms, symmetric
cryptographic algorithms, cryptographic hash algorithms, and random number
generation algorithms as approved by the national cryptographic management
authority. Algorithm and the method of use are as follows.
- The asymmetric cryptographic algorithm uses the SM2 elliptic curve
cryptographic algorithm AND it also supports the 2048-bit and above RSA
algorithms, which is used for the entity verification, digital signatures, and
digital envelopes, etc.
- The symmetric cipher algorithm uses the SM1 or SM4 block cipher
algorithm, which is used for encryption protection of key exchange data
and encryption protection of message data. The algorithm works in the
CBC mode.
- The cryptographic hash algorithm uses the SM3 or SHA-1 cryptographic
hash algorithm, which is used for integrity verification.
- The random numbers as generated by the random number generation
algorithm shall be able to pass the detection as specified in GM/T 0005.
PRF (key, msg). USE the key to perform the data digest operation on the
message msg.
5.1.1 Exchange phases and modes
5.1.1.1 Exchange phase
The key exchange phase includes phase I and phase II.
In the phase I of the exchange, the communication parties establish an
ISAKMP SA, which is a shared policy and key used by both parties to protect
the communication between them. This SA is used to protect the IPSec SA
negotiation process. An ISAKMP SA can be used to establish multiple IPSec
SAs.
In the phase II of the exchange, the communication parties use the ISAKMP
SA in phase I to establish the IPSec SA through negotiation; AND the IPSec
SA is the shared policy and key used to protect the data communication
between them.
5.1.1.2 Exchange mode
This standard specifies two exchange modes, namely, master mo...