GM/T 0026-2014 English PDF (GMT0026-2014)

GM/T 0026-2014 English PDF (GMT0026-2014)

Regular price $145.00 USD
Regular price Sale price $145.00 USD
Sale Sold out
Shipping calculated at checkout.
Quotation: In 1-minute, 24-hr self-service. Click here GM/T 0026-2014 to get it for Purchase Approval, Bank TT...

GM/T 0026-2014: Security authentication gateway product specification

This Standard specifies the cryptographic algorithms and key types, functional requirements, hardware requirements, software requirements, security requirements and testing requirements of security authentication gateway product. This Standard is applicable to guide the development, testing, use and management of security authentication gateway product.
GM/T 0026-2014
GM
CRYPTOGRAPHY INDUSTRY STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
File No.: 44627-2014
Security authentication gateway product specification
Issued on: February 13, 2014
Implemented on: February 13, 2014
Issued by: State Cryptography Administration
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviation
5 Overview of security authentication gateway
6 Cryptographic algorithm and key type
7 Security authentication gateway product requirements
8 Security authentication gateway product testing
9 Determination of qualification
Foreword
This Standard was drafted in accordance with the rules given in GB/T 1.1-2009. Attention is drawn to the possibility that some of the elements of this Standard may be the subject of patent rights. The issuing authority shall not be held responsible for identifying any or all such patent rights.
This Standard was proposed by and shall be under the jurisdiction of the Cryptography Industry Standardization Technical Committee.
Main drafting organizations of this Standard: Shanghai Geer Software Co., Ltd., Wuxi Jiangnan Information Security Engineering Technology Center, Shanghai Digital Certificate Certification Center Co., Ltd.
Main drafters of this Standard: Tan Wuzheng, Xu Qiang, Liu Cheng, Han Lin, Liu Xin.
Security authentication gateway product specification
1 Scope
This Standard specifies the cryptographic algorithms and key types, functional requirements, hardware requirements, software requirements, security requirements and testing requirements of security authentication gateway product.
This Standard is applicable to guide the development, testing, use and management of security authentication gateway product.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 9813-2000, Specification for microcomputer
GB/T 15153.1-1998, Telecontrol equipment and systems - Part 2: Operating conditions - Section 1: Power supply and electromagnetic compatibility
GB/T 15843.3, Information technology - Security techniques - Entity authentication - Part 3: Mechanisms using digital signature techniques
GB/T 17964, Information technology - Security techniques - Modes of operation for a block cipher
GM/T 0005, Randomness test specification
GM/T 0014, Digital certificate authentication system cryptography protocol specification
GM/T 0022, IPSec VPN specification
GM/T 0024, SSL VPN specification
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.10 secure socket layer protocol
a transport layer security protocol used to build a secure channel between client and server
3.11 authentication header; AH
a protocol that is part of IPSec and provides data integrity, data source authentication and anti-replay capabilities for IP packets, but does not provide data confidentiality
3.12 encapsulating security payload; ESP
a kind of IPSec protocol that is used to provide confidentiality of IP packets, data integrity, authentication of data sources and replay attack resistance
3.13 virtual private network; VPN
a technique to build secure channels in communication networks by using cryptography
3.14 secure message
the purpose of a secure message is to ensure data confidentiality, data integrity and authentication of the data sender; data integrity and authentication of the data sender are ensured through a message authentication code (MAC), and data confidentiality is ensured through data encryption
3.15 SM1 algorithm
a block cipher algorithm with a block length of 128 bits and a key length of 128 bits
3.16 SM2 algorithm
an elliptic curve public key cryptosystem with a key length of 256 bits
3.17 SM3 algorithm
a cryptographic hash algorithm with an output of 256 bits
3.18 SM4 algorithm
a block cipher algorithm with a block length of 128 bits and a key length of 128 bits
3.19 security authentication gateway
security authentication gateway is a product that uses digital certificate to actual situation, the security authentication gateway can support physical deployment in series mode or in parallel mode, but it must provide the application with a technical means to identify whether the user accessed it through the gateway.
6 Cryptographic algorithm and key type
6.1 Algorithm requirements
Security authentication gateway uses the asymmetric cryptographic algorithm, symmetric cryptographic algorithm, cryptographic hash algorithm and random number generation algorithm approved by the national cryptography management authorities. The algorithms and their methods of use are as follows:
- the asymmetric cryptographic algorithm is used for authentication, digital signature and digital envelope;
- the symmetric cryptographic algorithm is a block cipher algorithm; it is used for the encryption protection of key exchange data and for packet data encryption protection; the working mode of the algorithm is CBC mode, in accordance with the requirements of GB/T 17964;
- the cryptographic hash algorithm is used for symmetric key generation and integrity verification;
- generated random numbers shall pass the testing specified in GM/T 0005.
6.2 Key type
Security authentication gateway uses the following keys:
- device key: the public-private key pair used by the asymmetric algorithm for entity authentication, digital signature and digital envelope;
- work key: the key obtained during the first phase of key exchange, used to protect the session key exchange process when the symmetric cryptographic algorithm is used;
- session key: the key obtained during the second phase of key exchange, used to protect data packet encryption and integrity when the symmetric cryptographic algorithm is used.
7 Security authentication gateway product
with a test device or network packet interception tool, the replayed data message must not be detected at the intranet port of the testing device.
7.1.14 Security check of client host
Security authentication gateway product shall have a security check function for the client host. When the client connects to the server, the security of the user's operating system is checked according to the client-side security policy issued by the server. A user who fails to comply with the security policy shall be unable to use the security authentication gateway.
The client security policy shall contain at least one of the following conditions:
- whether anti-virus software is installed and enabled;
- whether a personal firewall is installed and enabled;
- whether the latest operating system security patch is installed;
- whether a login password has been set for the system.
7.2 Product performance parameters
7.2.1 Performance parameters that follow IPSec protocol
7.2.1.1 Encryption and decryption throughput
The encryption and decryption throughput refers to the maximum bidirectional data flow on the intranet port of the IPSec VPN gateway product when the packet loss rate is 0 at 64-byte Ethernet frame length and at 1428-byte (IPv4) / 1408-byte (IPv6) Ethernet frame length, respectively. The product shall meet the requirements of the user's network environment on network data encryption and decryption throughput performance.
7.2.1.2 Encryption and decryption delay
The encryption and decryption delay refers to the average time taken for a plaintext data flow to be encrypted into ciphertext and then decrypted back into plaintext at 64-byte Ethernet frame length and at 1428-byte (IPv4) / 1408-byte (IPv6) Ethernet frame length when the IPSec VPN packet loss rate is 0. The product shall meet the requirements of the user's network environment on network data encryption and decryption delay performance.
7.2.1.3 Encryption and decryption packet loss rate
The encryption and decryption packet loss rate refers to the percentage of the total number of packets sent or received in error per unit time at 64-byte Ethernet frame length and at 1428-byte (IPv4) / 1408-byte (IPv6) Ethernet frame length when the certificate is issued by an external certification agency.
The device signature key pair is generated by an external key management agency. The encryption certificate is issued by an external certification agency. See GM/T 0014 for the private key protection method of the encryption key pair. The private key of the signature certificate, the encryption certificate and the encryption key pair shall be imported into the security authentication gateway product.
In security authentication gateway product, the p...