Skip to product information
1 of 12

PayPal, credit cards. Download editable-PDF and invoice in 1 second!

GM/T 0029-2014 English PDF (GMT0029-2014)

GM/T 0029-2014 English PDF (GMT0029-2014)

Regular price $175.00 USD
Regular price Sale price $175.00 USD
Sale Sold out
Shipping calculated at checkout.
Quotation: In 1-minute, 24-hr self-service. Click here GM/T 0029-2014 to get it for Purchase Approval, Bank TT...

GM/T 0029-2014: Sign and verify server technical specification

This Standard specifies the functional requirements, security requirements, interface requirements, testing requirements, message protocol syntax specification and other relevant contents of the sign and verify server. This Standard is applicable to the development and design, application development, management and use of the sign and verify server. It can also be used for guiding the testing of the sign and verify server.
GM/T 0029-2014
GM
CRYPTOGRAPHY INDUSTRY STANDARD
OF THE PEOPLE REPUBLIC OF CHINA
ICS 35.040
L 80
File No.. 44630-2014
Sign and verify server technical specification
ISSUED ON. FEBRUARY 13, 2014
IMPLEMENTED ON. FEBRUARY 13, 2014
Issued by. State Cryptography Administration
Table of Contents
Foreword ... 4
1 Scope .. 5
2 Normative references ... 5
3 Terms and definitions ... 6
4 Abbreviations .. 6
5 Functional requirements of the sign and verify server ... 7
5.1 Initialization function .. 7
5.2 Connection with the CA infrastructure ... 7
5.3 Application management function .. 7
5.4 Certificate management and verification functions ... 7
5.5 Digital signature function ... 8
5.6 Access control function ... 9
5.7 Log management function ... 9
5.8 System self-testing function .. 9
5.9 NTP time source synchronization function ... 10
6 Security requirements of the sign and verify server .. 10
6.1 Cryptography device ... 10
6.2 System requirements .. 10
6.3 Operating requirements ... 10
6.4 Management requirements ... 10
6.5 Physical security protection of the device .. 11
6.6 Network deployment requirements ... 11
6.7 Service interface ... 14
6.8 Environmental adaptability.. 14
6.9 Reliability ... 15
7 Testing requirements of the sign and verify server ... 15
7.1 Appearance and structure check ... 15
7.2 File submission check ... 15
7.3 Function testing ... 15
7.4 Performance testing ... 18
7.5 Environmental adaptability testing .. 18
7.6 Other testing ... 19
8 Qualification determination .. 19
Annex A (Normative) Message protocol syntax specification .. 20
Annex B (Normative) HTTP-based signature message protocol syntax
specification ... 48
Annex C (Normative) Definition and description of response code ... 51 Sign and verify server technical specification
1 Scope
This Standard specifies the functional requirements, security requirements, interface requirements, testing requirements, message protocol syntax
specification and other relevant contents of the sign and verify server. This Standard is applicable to the development and design, application
development, management and use of the sign and verify server. It can also be used for guiding the testing of the sign and verify server.
2 Normative references
The following documents are essential to the application of this document. For dated references, only the editions with the dates indicated are applicable to this document. For undated references, only the latest editions (including all the amendments) are applicable to this document.
GB/T 9813 Generic specification for microcomputer
GB/T 19713-2005 Information technology - Security techniques - Public key infrastructure - Online certificate status protocol
GM/T 0006-2012 Cryptographic application identifier criterion specification GM/T 0009 SM2 cryptography algorithm application specification
GM/T 0010 SM2 cryptography message syntax specification
GM/T 0014 Digital certificate authentication system cryptography protocol specification
GM/T 0015 Digital certificate format based on SM2 algorithm
GM/T 0018 Interface specifications of cryptography device application
GM/T 0020 Certificate application integrated service interface specification GM/T 0030 Cryptographic server technical specification
PKCS #1 RSA cryptography algorithm application specification
PKCS #7 RSA cryptography message syntax specification
PKCS. Public-Key Cryptography Standard
PKI. Public Key Infrastructure
5 Functional requirements of the sign and verify
server
5.1 Initialization function
The initialization of the sign and verify server mainly includes the system configuration, administrator creation, etc. so that the device is in normal operating condition.
5.2 Connection with the CA infrastructure
The sign and verify server shall support the connection with the CA
infrastructure, including the CRL connection configuration, OCSP connection configuration, etc.
5.2.1 CRL connection configuration
The sign and verify server shall support the function of CRL connection configuration, and shall be able to get CRL and import CRL from the CRL publishing point through the configuration management interface.
5.2.2 OCSP connection configuration
The sign and verify server may support the function of OCSP connection
configuration and manage the OCSP service connection configuration through the configuration management interface. The OCSP connection configuration shall comply with GB/T 19713-2005.
5.3 Application management function
The application management function of the sign and verify server mainly includes the application entity registration, key configuration, authorization code setting of the private key, etc. In addition, the information of the application entity shall be securely stored in accordance with the security mechanism. The content of the application entity registration shall include the application entity name setting, key index number configuration, certificate import, IP address setting (optional), etc.
5.4 Certificate management and verification functions
The management certificates of the sign and verify server include the
application entity certificate and user certificate. The sign and verify server shall based on SM2 algorithm, and shall provide the operation modes for various formats such as data, message, file, etc.
The sign and verify server may support the digital signature function based on RSA algorithm, among which the modulus length of the RSA algorithm shall be at least above 2,048 bits.
In case of SM2 public key algorithm, the data structure of the sign and verify server shall comply with GM/T 0009 or GM/T 0010.
In case of RSA public key algorithm, the data structure of the sign and verify server shall comply with the PKCS #1 or PKCS #7 standard.
5.6 Access control function
The management interface of the sign and verify server shall have a good identity authentication mechanism to achieve the administrator identity authentication through a combination of the smart cryptographic key, smart IC card and password. The ?€?password?€? requires a time limit. When the time limit is exceeded, the cryptograph must be forcibly changed. After the administrator logs in successfully, management operations such as application management, certificate management, system configuration, log query, etc. are performed through the management interface.
5.7 Log management function
The sign and verify server shall provide log recording, viewing, auditing and exporting functions, with the corresponding configuration management and viewing interfaces. The logs are divided into system management logs,
abnormal events, system service logs, etc., including such operations as log-in authentication, system configuration, key management, etc., recording of such abnormal events as authentication failure, unauthorized access, etc.,
connection with the device management center, recording of corresponding operations, and call logging of the application interface.
5.8 System self-testing function
The sign and verify server shall have the self-testing function, including the server self-testing and cryptography device self-testing. The cryptography device used by the sign and verify server shall have the status and function self-testing function, which is able to check the correctness of the cryptographic algorithm, random number generator, integrity of the storage key and data, etc. The self-testing of the sign and verify server includes the cryptographic function testing, integrity check of storage information, etc.
5.9 NTP time source synchronization function
The sign and verify server is able to configure the time source server to automatically synchronize the time.
6 Security requirements of the sign and verify server
6.1 Cryptography device
The sign and verify server must use the cryptography device approved by the national cryptography authority. The API for calling the cryptography device shall comply with GM/T 0018.
6.2 System requirements
The operating system used by the sign and verify server shall be securely reinforced. All unnecessary modules shall be eliminated. All unnecessary ports and services shall be disabled.
6.3 Operating requirements
The sign and verify server only accepts valid operational commands. The sign and verify server?€?s software shall adopt modular design. The technical
measures such as identity authentication shall be taken to prevent the user?€?s illegal calls.
6.4 Management requirements
6.4.1 Management tool
The sign and verify server realizes its management function through the management tool.
The management tool may be installed on the sign and verify server, or the management terminal out...

View full details