GM/T 0025-2014 English PDF (GMT0025-2014)
GM/T 0025-2014: SSL VPN gateway product specification
CRYPTOGRAPHIC INDUSTRY STANDARD
OF THE PEOPLE'S REPUBLIC OF CHINA
Reference No.: 44626-2014
SSL VPN gateway product specification
ISSUED ON: FEBRUARY 13, 2014
IMPLEMENTED ON: FEBRUARY 13, 2014
Issued by: State Cryptography Administration
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms, definitions and abbreviations
4 Cryptographic algorithm and key type
5 SSL VPN gateway product requirements
6 SSL VPN gateway product inspection
7 Qualification determination
This Standard was drafted in accordance with the rules given in GB/T
Attention is drawn to the possibility that some of the elements of this Standard may be the subject of patent rights. The issuing authority shall not be held responsible for identifying any or all such patent rights.
This Standard was proposed by and shall be under the jurisdiction of the Cryptography Industry Standardization Technical Committee.
Main drafting organizations of this Standard: Shanghai Geer Software Co., Ltd., Wuxi Jiangnan Information Security Engineering Technology Center, Shandong Dean Computer Technology Co., Ltd., Chengdu Guardian Information Industry Co., Ltd., Shanghai Digital Certificate Certification Center Co., Ltd., Xingtang Communication Technology Co., Ltd., Beijing Digital Certified Co., Ltd.
Main drafters of this Standard: Tan Wuzheng, Kong Fanyu, Li Yuanzheng, Liu Cheng, Li Shusheng, Wang Nina, Han Lin.
SSL VPN gateway product specification
1 Scope
This Standard specifies the functional requirements, hardware requirements, software requirements, security requirements and inspection requirements of SSL VPN gateway products.
This Standard applies to guiding the development, inspection, use and management of SSL VPN gateway products.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 9813-2000, Generic specification for microcomputers
GB/T 15153.1-1998, Telecontrol equipment and systems - Part 2: Operating conditions - Section 1: Power supply and electromagnetic
GB/T 17964, Information technology - Security techniques - Modes of operation for a block cipher
GM/T 0005, Randomness testing specification
GM/T 0014, Digital certificate authentication system cryptographic protocol
GM/T 0015, Digital certificate format specification based on the SM2 cryptographic algorithm
GM/T 0024, SSL VPN technical specification
3 Terms, definitions and abbreviations
3.1 Terms and definitions
The following terms and definitions apply to this document.
3.1.1 cryptographic algorithm
calculation rules for cryptographic processing
3.1.2 cryptographic hash algorithm
also known as a hash algorithm; an algorithm that maps a bit string of arbitrary length to a bit string of fixed length and satisfies the following three properties:
(1) for a given output, it is computationally infeasible to find an input that maps to that output;
(2) for a given input, it is computationally infeasible to find another input that maps to the same output;
(3) it is computationally infeasible to find two different inputs that map to the same output.
3.1.3 asymmetric cryptographic algorithm / public key cryptographic algorithm
a cryptographic algorithm that uses different keys for encryption and decryption; one of the keys (the public key) may be made public, the other key (the private key) must be kept secret, and it is computationally infeasible to derive the private key from the public key
3.1.4 symmetric cryptographic algorithm
a cryptographic algorithm that uses the same key for encryption and decryption
3.1.5 block cipher algorithm
a class of symmetric cipher algorithm that divides the input data into fixed-length blocks for encryption and decryption
3.1.6 cipher block chaining operation mode; CBC
a working mode of a block cipher algorithm in which the current ciphertext block is obtained by XORing the current plaintext block with the previous ciphertext block and then encrypting the result
3.1.7 initialization vector / initialization value; IV
initial data used in a data transformation, introduced during cryptographic conversion to increase security or to synchronize cryptographic devices
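The chaining rule of 3.1.6 and the role of the IV in 3.1.7, as an added worked example (not part of the standard's text). The block cipher used here is an illustrative 4-round Feistel construction built from SHA-256, chosen only so the code runs without an SM4 library; the CBC layer is the same for any block cipher. Key, IVs and plaintext are constructed values.

```python
import hashlib

BLOCK = 16  # block length in bytes (128-bit blocks, as in SM4)

def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function built from SHA-256 (illustrative stand-in, not SM4).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Illustrative 4-round Feistel cipher on one block; CBC works with any block cipher."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, i, right)))
    return right + left

def block_decrypt(key: bytes, block: bytes) -> bytes:
    right, left = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        right, left = left, bytes(a ^ b for a, b in zip(right, _round(key, i, left)))
    return left + right

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """C_i = E_K(P_i XOR C_{i-1}) with C_0 = IV, exactly as 3.1.6 defines CBC."""
    if len(iv) != BLOCK or len(plaintext) % BLOCK:
        raise ValueError("IV must be one block and plaintext block-aligned")
    prev, out = iv, bytearray()
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], prev)))
        out += prev
    return bytes(out)

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """P_i = D_K(C_i) XOR C_{i-1}: the receiver needs the same IV to recover block 1."""
    prev, out = iv, bytearray()
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out += bytes(a ^ b for a, b in zip(block_decrypt(key, cur), prev))
        prev = cur
    return bytes(out)

def distinct_blocks(data: bytes) -> int:
    # ECB leaks repeated plaintext blocks as repeated ciphertext blocks; CBC does not.
    return len({data[i:i + BLOCK] for i in range(0, len(data), BLOCK)})

# Constructed demo values (not from the standard): a key, two IVs, three identical blocks.
KEY = b"constructed-demo-key"
IV_A, IV_B = bytes(range(16)), bytes(16)
PT = b"A" * (3 * BLOCK)
ECB = b"".join(block_encrypt(KEY, PT[i:i + BLOCK]) for i in range(0, len(PT), BLOCK))
```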
3.1.8 digital certificate
also known as a public key certificate; a data structure, signed by a certification authority, that contains the public key owner's information, the public key, issuer information, expiration date and extensions; it is divided by category into personal certificates, institutional certificates and equipment certificates, and by use into signature certificates and encryption certificates
3.1.9 secure sockets layer protocol; SSL
a transport layer security protocol used to build a secure channel between a client and a server
3.1.10 virtual private network; VPN
a technology that uses cryptographic techniques to build a secure channel over a communication network
3.1.11 SM2 algorithm
an elliptic curve public key cryptography algorithm with a key length of 256 bits
3.2 Abbreviations
The following abbreviations apply to this document.
CBC: Cipher Block Chaining
IV: Initialization Vector
SSL: Secure Sockets Layer
VPN: Virtual Private Network
4 Cryptographic algorithm and key type
4.1 Algorithm requirements
SSL VPN uses the asymmetric cryptographic algorithm, symmetric cryptographic algorithm, cryptographic hash algorithm and random number generation algorithm approved by the state cryptography administration department. The algorithms and their uses are as follows:
- the asymmetric cryptographic algorithm is used for authentication, digital signatures, digital envelopes, etc.;
- the symmetric cryptographic algorithm uses a block cipher algorithm and is used for encryption protection of key exchange data and encryption protection of
5 SSL VPN gateway product requirements
5.1 Product functional requirements
5.1.1 Random number generation
SSL VPN gateway products shall have a random number generation function. The random numbers should be generated by multiple hardware noise sources.
5.1.2 Work mode
The work mode of SSL VPN gateway products is divided into client-server mode and gateway-gateway mode. Client-server mode is a required mode; gateway-gateway mode is optional.
5.1.3 Key exchange
SSL VPN gateway products shall have a key exchange function that generates working keys by negotiation.
Key exchange shall be carried out according to the requirements of GM/T 0024.
5.1.4 Secure packet transmission
SSL VPN gateway products shall have a secure packet transmission function to ensure the secure transmission of data.
Secure packet transmission shall be in accordance with the requirements of
5.1.5 Entity authentication
SSL VPN gateway products shall have an entity authentication function. Authentication uses digital certificates; the digital certificate format shall meet the requirements of GM/T 0015. Authentication of the server is a required function, and authentication of the client is optional. Digital certificates (RSA or SM2) or a mechanism based on an identification (identity-based) algorithm shall be supported. Any authentication method shall ensure the completeness and effectiveness of authentication.
5.1.6 Access control
SSL VPN gateway products shall have a fine-grained access control function that effectively controls the access of users or user groups to resources. At least network access should be controlled by IP address, port and protocol. Access to web resources should be controlled at least to the URL and
5.2 Product performance parameters
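The fine-grained access control of 5.1.6 above, as an added example that is not part of the standard: a deny-by-default policy that maps users to groups and groups to network rules (IP range, port, protocol) and web rules (host plus URL path prefix). The policy data, user names, hosts and addresses are constructed; the URL check normalizes the path so that ".." or its percent-encoded form cannot escape the permitted prefix.

```python
import ipaddress
import posixpath
from dataclasses import dataclass, field
from urllib.parse import unquote, urlsplit

@dataclass(frozen=True)
class NetRule:
    network: str    # destination CIDR, e.g. "10.1.2.0/24"
    ports: range    # permitted destination ports
    protocol: str   # "tcp" or "udp"

@dataclass(frozen=True)
class WebRule:
    host: str         # permitted host name (compared case-insensitively)
    path_prefix: str  # permitted URL path prefix, always ending in "/"

@dataclass
class Policy:
    groups: dict = field(default_factory=dict)  # user -> set of group names
    net: dict = field(default_factory=dict)     # group -> [NetRule]
    web: dict = field(default_factory=dict)     # group -> [WebRule]

    def _rules(self, table, user):
        for group in self.groups.get(user, ()):
            yield from table.get(group, ())

    def allow_net(self, user, dst_ip, dst_port, protocol) -> bool:
        """Network access: deny by default, permit only on an IP + port + protocol match."""
        addr = ipaddress.ip_address(dst_ip)
        return any(addr in ipaddress.ip_network(r.network) and dst_port in r.ports
                   and r.protocol == protocol.lower() for r in self._rules(self.net, user))

    def allow_web(self, user, url) -> bool:
        """Web access: match host and a normalized path so '..' or %2e%2e cannot escape the prefix."""
        parts = urlsplit(url)
        path = posixpath.normpath(unquote(parts.path) or "/") + "/"
        return any(parts.hostname == r.host and path.startswith(r.path_prefix)
                   for r in self._rules(self.web, user))

# Constructed policy (not from the standard): HR staff reach one host on 443 and one URL tree.
POLICY = Policy(
    groups={"alice": {"hr"}, "bob": {"engineering"}},
    net={"hr": [NetRule("10.1.2.0/24", range(443, 444), "tcp")],
         "engineering": [NetRule("10.2.0.0/16", range(22, 23), "tcp"),
                         NetRule("10.2.0.0/16", range(8000, 8100), "tcp")]},
    web={"hr": [WebRule("intranet.example", "/hr/")]},
)
```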
5.2.1 Maximum number of concurrent users
It refers to the maximum number of users simultaneously online. This indicator reflects the maximum number of users the product can support at the same time.
5.2.2 Maximum number of concurrent connections
It refers to the maximum number of SSL connections simultaneously online. This indicator reflects the maximum number of SSL connections the product can handle at the same time.
5.2.3 Number of new connections per second
The maximum number of SSL connections that can be created per second. This indicator reflects the product's ability to accept new SSL connections per second.
5.2.4 Throughput rate
With a packet loss rate of 0, the maximum bidirectional data flow achieved by the server product on its internal network port.
5.3 Security requirements
5.3.1 Key security
5.3.1.1 Server-end key
The server-end signing key pair is generated by the SSL VPN gateway product itself. Its public key should be exported, and the signature certificate is issued by an external certification authority.
The server encryption key pair is generated by an external key authority and is issued by an external certification authority...