GM/T 0023-2014 English PDF (GMT0023-2014)
GM/T 0023-2014: IPSec VPN gateway product specification
GM/T 0023-2014
GM
CRYPTOGRAPHIC INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Record No.: 44624-2014
IPSec VPN Gateway Product Specification
ISSUED ON: FEBRUARY 13, 2014
IMPLEMENTED ON: FEBRUARY 13, 2014
Issued by: State Cryptography Administration
Table of Contents
Foreword
1 Scope
2 Normative References
3 Terms, Definitions and Abbreviations
4 Cryptographic Algorithms and Key Types
4.1 Algorithm requirements
4.2 Key types
5 IPSec VPN Gateway Product Requirements
5.1 Product function requirements
5.2 Product performance parameters
5.3 Security requirements
5.4 Management function requirements
5.5 Hardware requirements
5.6 Parameter configurable capability requirements
5.7 Process protection
6 IPSec VPN Gateway Product Inspection
6.1 Product function inspection
6.2 Product performance inspection
6.3 Security inspection
6.4 Management function inspection
6.5 Hardware inspection
6.6 Parameter configurable capability inspection
6.7 Process protection inspection
7 Qualification Judgment
Foreword
This Standard was drafted as per the rules specified in GB/T 1.1-2009.
Please note that some contents of this document may involve patents. The issuing
agency of this document does not assume responsibility for identifying these patents.
This Standard was proposed by and is under the jurisdiction of the National
Technical Committee for Standardization of Cipher Industry.
Drafting organizations of this Standard: Chengdu Westone Information Industry Inc.,
Ltd., Shanghai Koal Software Co., Ltd., Wuxi South-China Information Security
Engineering Technology Center, Xingtang Communication Technology Co., Ltd., and
Shandong De’an Computer Technology Co., Ltd.
Chief drafting staff of this Standard: Luo Jun, Li Yuanzheng, Tan Wuzheng, Xu Qiang,
Wang Nina, and Kong Fanyu.
IPSec VPN Gateway Product Specification
1 Scope
This Standard specifies the function requirements, hardware requirements, software
requirements, cryptographic algorithms, key requirements, security requirements,
inspection requirements and similar contents of IPSec VPN gateway products.
This Standard is applicable to the research, inspection, use and management of IPSec
VPN gateway products.
2 Normative References
The following documents are essential to the application of this document. For
dated references, only the edition cited applies to this document; for undated
references, the latest edition (including all amendments) applies to this document.
GB/T 2423-2008 Environmental Testing for Electric and Electronic Products (All
Parts)
GB/T 9813-2000 Specification for Microcomputer
GB/T 15153.1-1998 Telecontrol Equipment and Systems - Part 2: Operating
Conditions - Section 1: Power Supply and Electromagnetic Compatibility
GB/T 17964-2008 Information Technology - Security Techniques - Modes of
Operation for a Block Cipher
GM/T 0005 Randomness Test Specification
GM/T 0014 Protocol Specification for Authentication System Password of Digital
Certificate
GM/T 0015 Digital Certificate Format based on SM2 Algorithm
GM/T 0022 IPSec VPN Specification
3 Terms, Definitions and Abbreviations
3.1 Terms and definitions
3.1.1 Cryptographic algorithm
The calculation rules that describe cryptographic processing.
3.1.2 Cryptographic hash algorithm
Also called a hash algorithm or cipher hash algorithm. Such an algorithm maps an
arbitrary-length bit string to a fixed-length bit string and satisfies the following three
properties:
a) It is computationally difficult to find an input that maps to a given
output;
b) Given an input, it is computationally difficult to find another input that maps to the
same output;
c) It is computationally difficult to find two different inputs that map to the
same output.
3.1.3 Asymmetric cryptographic algorithm/public key cryptographic algorithm
A cryptographic algorithm in which encryption and decryption use different keys.
One key (the public key) may be made public, while the other key (the private key) must be
kept secret; it is computationally infeasible to derive the private key from the public key.
3.1.4 Symmetric cryptographic algorithm
A cryptographic algorithm in which encryption and decryption use the same key.
3.1.5 Block cipher algorithm
A symmetric cryptographic algorithm that divides the input data into fixed-length blocks
for encryption and decryption.
3.1.6 SM1 algorithm
A block cipher algorithm with a block length of 128 bits and a key length of 128 bits.
3.1.7 SM2 algorithm
An elliptic curve public key cryptographic algorithm; its key length is 256 bits.
3.1.8 SM3 algorithm
A cryptographic hash algorithm; its output is 256 bits.
3.1.9 SM4 algorithm
A block cipher algorithm with a block length of 128 bits and a key length of 128 bits.
A protocol that is part of IPSec, which provides data confidentiality, data integrity,
data source authentication and anti-replay protection for IP packets.
3.1.18 Virtual private network, VPN
The technology that uses cryptography to build secure channels over communication
networks.
3.2 Abbreviations
The following abbreviations are applicable to this document.
AH: Authentication Header
CBC: Cipher Block Chaining
ESP: Encapsulating Security Payload
HMAC: Keyed-Hash Message Authentication Code
IPSec: Internet Protocol Security
IV: Initialization Vector
NAT: Network Address Translation
SA: Security Association
VPN: Virtual Private Network
4 Cryptographic Algorithms and Key Types
4.1 Algorithm requirements
IPSec VPN uses the asymmetric cryptographic algorithm, symmetric cryptographic
algorithm, cryptographic hash algorithm and random number generator algorithm
approved by the State Cryptography Administration. The algorithm usage
requirements are as follows.
--- The asymmetric cryptographic algorithm is used for authentication, digital signature,
digital envelope, etc.
--- The symmetric cryptographic algorithm uses a block cipher algorithm, which is used
for encryption protection of key exchange data and encryption protection of
message data. The algorithm operating mode is CBC mode and shall meet
the requirements of GB/T 17964-2008.
The security message encapsulation protocol can be divided into the AH protocol and the ESP
protocol.
The AH protocol shall be nested with the ESP protocol; in that case the
authentication operation in the ESP protocol is not enabled.
The ESP protocol can be used alone; in that case the authentication operation in the
ESP protocol shall be enabled.
The security message encapsulation protocol shall meet the requirements of 5.2 in
GM/T 0022.
5.1.5 NAT traversal
The IPSec VPN gateway product shall support ESP traversal when ESP is used alone.
The NAT traversal protocol shall meet the requirements of 5.1.3 in GM/T 0022.
5.1.6 Authentication mode
The IPSec VPN gateway product shall have an entity authentication function; the
authentication mode shall use digital certificates. The digital certificate format shall
meet the requirements of GM/T 0015.
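The algorithm rules of 4.1, the AH/ESP nesting rules and the certificate-based authentication requirement of 5.1.6 can be expressed as a conformance check over a proposed gateway configuration. The following is an added example written for this page, not code from the standard or from any vendor; the IpsecProposal type and its field names are assumptions for illustration.

```python
# Added example (not part of GM/T 0023-2014): checks a proposed IPsec
# configuration against the rules quoted in this preview. The IpsecProposal
# type and its field names are assumptions made for illustration.
from dataclasses import dataclass
from typing import List, Tuple

APPROVED_BLOCK_CIPHERS = {"SM1", "SM4"}  # 3.1.6 / 3.1.9: 128-bit block and key
APPROVED_HASHES = {"SM3"}                 # 3.1.8: 256-bit output
APPROVED_ASYMMETRIC = {"SM2"}             # 3.1.7: 256-bit elliptic curve


@dataclass
class IpsecProposal:
    cipher: str                 # block cipher for message / key-exchange data
    cipher_mode: str            # 4.1 requires CBC (GB/T 17964-2008)
    hash_alg: str               # cryptographic hash used for HMAC
    asym_alg: str               # authentication, signature, digital envelope
    protocols: Tuple[str, ...]  # ("ESP",) or ("AH", "ESP")
    esp_auth_enabled: bool      # is the ESP authentication operation enabled?
    auth_mode: str              # entity authentication: "certificate" or other


def check_proposal(p: IpsecProposal) -> List[str]:
    """Return the list of non-conformances; an empty list means the proposal conforms."""
    findings: List[str] = []
    if p.cipher.upper() not in APPROVED_BLOCK_CIPHERS:
        findings.append(f"4.1: {p.cipher} is not an approved block cipher")
    if p.cipher_mode.upper() != "CBC":
        findings.append(f"4.1: mode {p.cipher_mode} is not CBC")
    if p.hash_alg.upper() not in APPROVED_HASHES:
        findings.append(f"4.1: {p.hash_alg} is not an approved hash algorithm")
    if p.asym_alg.upper() not in APPROVED_ASYMMETRIC:
        findings.append(f"4.1: {p.asym_alg} is not an approved asymmetric algorithm")
    protos = {x.upper() for x in p.protocols}
    if protos == {"ESP"}:
        # ESP alone: its authentication operation shall be enabled
        if not p.esp_auth_enabled:
            findings.append("ESP used alone requires ESP authentication to be enabled")
    elif protos == {"AH", "ESP"}:
        # AH nested with ESP: the ESP authentication operation is not enabled
        if p.esp_auth_enabled:
            findings.append("AH nested with ESP: ESP authentication must not be enabled")
    else:
        # AH shall be nested with ESP, so AH alone (or no protocol) is not permitted
        findings.append(f"unsupported protocol combination {sorted(protos)}")
    if p.auth_mode.lower() != "certificate":
        findings.append("5.1.6: entity authentication shall use digital certificates")
    return findings
```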
5.1.7 IP protocol version support
The IPSec VPN gateway product supports the IPv4 protocol, and opt...