Skip to product information
1 of 12

PayPal, credit cards. Download editable-PDF and invoice in 1 second!

GM/T 0024-2014 English PDF (GMT0024-2014)

GM/T 0024-2014 English PDF (GMT0024-2014)

Regular price $485.00 USD
Regular price Sale price $485.00 USD
Sale Sold out
Shipping calculated at checkout.
Quotation: In 1-minute, 24-hr self-service. Click here GM/T 0024-2014 to get it for Purchase Approval, Bank TT...

GM/T 0024-2014: SSL VPN specification

This Standard specifies the technical agreement, product functionality, performance and management, and inspection of SSL VPN. This Standard is applicable to the development of SSL VPN products. It can be also used to guide the inspection, management and use of SSL VPN products.
GM/T 0024-2014
GM
CRYPTOGRAPHIC INDUSTRY STANDARD
OF THE PEOPLE REPUBLIC OF CHINA
ICS 35.040
L 80
Reference No.. 44625-2014
SSL VPN specification
ISSUED ON. FEBRUARY 13, 2014
IMPLEMENTED ON. FEBRUARY 13, 2014
Issued by. National Cryptography Authority of China
Table of Contents
Foreword ... 3
Introduction ... 4
1 Scope ... 5
2 Normative references ... 5
3 Terms and definitions ... 5
4 Symbols and abbreviations ... 7
5 Cryptography algorithm and key type ... 8
6 Protocol ... 10
7 Product requirements ... 40
8 Production detection ... 44
9 Qualification determination ... 47
Bibliography ... 48
Foreword
This Standard was drafted in accordance with the rules given in GB/T
1.1-2009.
Attention is drawn to the possibility that some of the elements of this Standard may be the subject of patent rights. The issuing authority shall not be held responsible for identifying any or all such patent rights.
This Standard was proposed by and shall be under the jurisdiction of
Cryptographic Industry Standardization Technical Committee.
Main drafting organizations of this Standard. Shanghai Geer Software Co., Ltd., Huawei Technologies Co., Ltd., Shenzhen Shen Xinfu Electronics
Technology Co., Ltd., Shenzhen Austrian Union Technology Co., Ltd., Net Yu Shenzhou Technology (Beijing) Co., Ltd., Chengdu Weishitong Information Industry Co., Ltd., Beijing Oriental Huaxin Information Technology Co., Ltd., China International Electronic Commerce Limited, Lenovo Network
Technology (Beijing) Limited, Shanghai Anderson Information Security Co., Ltd., Wuxi Jiangnan Information Security Engineering Technology Center, Beijing Tianrong letter Network Security Technology Co., Ltd.
Main drafters of this Standard. Liu Ping, Tan Wuzheng, Huang Min, Zeng
Jianfa, Dan Bo, Liu Jianfeng, Luo Jun, Li Zhichao, Li Feibo, He Zhiyu, Chen Kai, Zhu Zhengchao, Ni Yongnian, Han Lin.
SSL VPN specification
1 Scope
This Standard specifies the technical agreement, product functionality, performance and management, and inspection of SSL VPN.
This Standard is applicable to the development of SSL VPN products. It can be also used to guide the inspection, management and use of SSL VPN
products.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GM/T 0005, Randomness testing specification
GM/T 0009, SM2 cryptography algorithm usage specification
GM/T 0010, SM2 cryptography algorithm encryption signature message
syntax specification
GM/T 0014, Digital certificate authentication system password protocol
specification
GM/T 0015, Digital certificate format specification based on SM2
cryptography algorithm
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply. 3.1 digital certificate
also known as a public key certificate, a data structure that contains public key owner information, public key, issuer information, expiration date, and extended information signed by the certificate authority (CA); it can be divided into personal certificate, institutional certificate and equipment certificate according to category OR signature certificate and encryption certificate according to use
3.2 identity based cryptography algorithm
the IBC algorithm is also known as the identity cipher algorithm; it is an asymmetric cryptography algorithm that can be arbitrarily identified as a public key and does not require a digital certificate to prove the public key 3.3 IBC identity
an IBC identity is a string that represents an entity's identity or attribute 3.4 IBC public parameter
IBC public parameter contains the public parameter information such as
name, calculation curve, identification coding method and key generation algorithm of IBC key management center; the information is used to convert the entity ID to public key
3.5 initialization vector / initialization value; IV
initial data used for data transformation and introduced to increase security or synchronize cryptographic devices during password conversion
3.6 secure sockets layer protocol
a transport layer security protocol used to build a secure channel between client and server
3.7 payload
the data format of the ISAKMP communication exchange message, the basic unit of the ISAKMP message
3.8 session
the association between client and server created by the handshake protocol; a session can be shared by multiple connections
3.9 SM1 algorithm
a packet cipher algorithm with a packet length of 128 bits and a key length of 128 bits
3.10 SM2 algorithm
an elliptic curve public key cryptography algorithm with key length of 256 bits 3.11 SM3 algorithm
A (0) = seed;
A (i) = HMAC (secret, A (i-1));
P_hash can iterate iteratively until the data of required length is generated. 5.1.5 Pseudo-random function PRF
The calculation method of PRF is as follows.
PRF (secret, label, seed) = P_SM3 (secret, label + seed)
5.2 Key type
5.2.1 Overview
In this Standard, it uses asymmetric cryptography algorithm to carry out identity authentication and key exchange. Identify the pre-master key after post-negotiation. Each party calculates the master key, and then derives the work key. Use the work key for encryption and decryption and integrity
verification.
5.2.2 Server key
When server key is the key of asymmetric cryptography algorithm, including signature key pair and encryption key pair. The signature key pair is
generated by the VPN self-password module. The encryption key is applied to KMC through the CA Certification Center, used for negotiation of
server-side identity authentication and pre-master key during handshaking. 5.2.3 Client key
The client key is the key pair of the asymmetric cryptography algorithm, including signature key pair and encryption key pair. The signature key pair is generated by the VPN self-password module. The encryption key is applied to KMC through the CA Certification Center, used for negotiation of
server-side identity authentication and pre-master key during handshaking. 5.2.4 Pre_master_secret
Pre_master_secret is the key material generated by both parties, used to generate master secret.
5.2.5 Master_secret
The master secret is the key material consisted of pre-master secret, client random number, server random number, constant string after calculation, used to generate work key.
lower limit and y represents the upper limit; if it only needs to express the upper limit, use < y>. The length of all vectors is in bytes. The variable length vector represents the actual length of the vector whose header size is the minimum number of bytes that can accommodate the maximum length of the
variable length vector.
6.2.3 Enumerateds
Enumerateds are a field collection of a set of specific values. Usually each field includes a name and a value. If it contains an unnamed value, this value shall represent the specified maximum value. If it only includes a name without defining a value, it shall only be used to refer to a state value and can not be used in actual encoding. For example, enum {red (0), green (1), (255)} color. Enumerated variable size is the minimum number of bytes that can hold the maximum enumeration value.
6.2.4 Constructed types
Constructed Types are defined by struct, similar to the struct syntax of C language. The fields in the struct are concatenated in sequence. If a struct is included in another struct, it shall omit the name of the struct.
6.2.5 Variants
Variables types are defined by select, case, used to define structures that depend on external information, similar to union or ASN.1 CHOICE in C
language.
6.3 Record layer protocol
The record layer protocol is hierarchical, and each layer includes length field, description field, and content field. The record layer protocol receives messages that shall be transmitted, blocks the data, compresses (optional), computes HMAC, encrypts, and then transfers. The received data is
decrypted, verified, decompressed (optional), re-encapsulated and then
passed to high-level applications. Record layer protocol includes. handshake, alarm, password specification change and gateway to gateway and other
types. To support protocol extensions, the record layer protocol can support other record types. Any new record types must be allocated outside of the content type assigned to the above types. If an unrecognized record type is received, it shall be ignored.
6.3.1 Connection state
The connection state is the operating environment of the record layer protocol. It includes four typical connecti...

View full details