Skip to product information
1 of 11

PayPal, credit cards. Download editable-PDF and invoice in 1 second!

GM/T 0059-2018 English PDF (GMT0059-2018)

GM/T 0059-2018 English PDF (GMT0059-2018)

Regular price $245.00 USD
Regular price Sale price $245.00 USD
Sale Sold out
Shipping calculated at checkout.
Quotation: In 1-minute, 24-hr self-service. Click here GM/T 0059-2018 to get it for Purchase Approval, Bank TT...

GM/T 0059-2018: Cryptographic server test specifications

This standard specifies the test requirements and test methods for cryptographic server devices. This standard applies to the testing of cryptographic server devices, as well as the research and amp; development of such cryptographic devices. It may also be used to guide application development based on such cryptographic devices.
GM/T 0059-2018
CRYPTOGRAPHIC INDUSTRY STANDARD
OF THE PEOPLE REPUBLIC OF CHINA
ICS 35.040
L 80
Registration number: 62994-2018
GB/T 0059-2018
Cryptographic server test specifications
ISSUED ON: MAY 02, 2018
IMPLEMENTED ON: MAY 02, 2018
Issued by: State Cryptography Administration
Table of Contents
Foreword ... 3
1 Scope ... 4
2 Normative references ... 4
3 Terms and definitions ... 4
4 Abbreviations ... 6
5 Requirements of testing environment ... 7
5.1 Routine testing environment ... 7
5.2 Cross-network testing environment ... 7
6 Testing content ... 8
6.1 Overview ... 8
6.2 Inspection of device appearance and structure ... 9
6.3 Inspection of device?€?s management function ... 10
6.4 Testing of device state ... 10
6.5 Testing of device self-test ... 11
6.6 Testing of device?€?s configuration management ... 11
6.7 Testing of device?€?s key management ... 12
6.8 Testing of correctness and consistency of device?€?s cryptographic algorithm ... 13 6.9 Testing of device?€?s random number quality ... 15
6.10 Testing of device?€?s application interface ... 17
6.11 Testing of device?€?s remote management interface ... 17
6.12 Testing of device access control ... 18
6.13 Testing of device logging ... 19
6.14 Testing of device performance ... 19
6.15 Testing of device?€?s network adaptability ... 21
6.16 Testing of device security ... 21
6.17 Testing of device?€?s environmental adaptability ... 22
6.18 Testing of device reliability ... 22
7 Technical requirements for document-for-inspection ... 22
Appendix A (Informative) List of test items ... 23
Cryptographic server test specifications
1 Scope
This standard specifies the test requirements and test methods for
cryptographic server devices.
This standard applies to the testing of cryptographic server devices, as well as the research and development of such cryptographic devices. It may also be used to guide application development based on such cryptographic devices.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GB/T 32905 Information security technology SM3 cryptographic hash
algorithm
GB/T 32907 Information security technology - SM4 block cipher algorithm GB/T 32915 Information security technology - Binary sequence randomness testing method
GB/T 32918 Information security techniques - Elliptic curve public - key cryptography
GM/T 0005 Randomness test specification
GM/T 0018 Interface specifications of cryptography device application
GM/T 0030-2014 Cryptographic server technical specification
GM/T 0039 Security test requirements for cryptographic modules
3 Terms and definitions
The following terms and definitions apply to this document.
3.1
A universally applicable infrastructure built using public key cryptography, which provides users with security services such as certificate management and key management.
3.9
Private key access password
A password which is used to verify the private key?€?s usage rights.
3.10
SM1 algorithm
A block cipher algorithm.
3.11
SM2 algorithm
An algorithm as defined by GB/T 32918.
3.12
SM3 algorithm
An algorithm defined by GB/T 32905.
3.13
SM4 algorithm
An algorithm as defined by GB/T 32907.
4 Abbreviations
The following abbreviations apply to this document.
API: Application Program Interface
CBC: Cipher Block Chaining
CFB: Cipher Feedback
CS: Cryptographic Server
ECB: Electronic Codebook
OFB: Output Feedback
j) Testing of device?€?s SM4 cryptographic operation;
k) Testing of device random number?€?s quality;
l) Testing of device?€?s application interface;
m) Testing of device?€?s management interface;
n) Testing of device?€?s access control;
o) Testing of device log;
p) Testing of device performance;
q) Testing of device?€?s network adaptability;
r) Testing of device security;
s) Testing of device?€?s environmental adaptability;
t) Testing of device?€?s reliability.
6.2 Inspection of device appearance and structure
The cryptographic server shall have the following main components or
interfaces:
a) It shall support the state indicator. It may use visual observation to distinguish the normal working state and fault state of the state indicator; b) It shall support the power indicator. It may use visual observation to distinguish whether the device is powered on;
c) It shall support at least two RJ45 network interfaces.
The cryptographic server should have the following main components or
interfaces:
a) It should support one serial port (RJ45 or DB9 form) as the control port; b) It should support the redundant power supply.
The cryptographic server may have the following main components or
interfaces:
a) It may support the manual key destruction switch;
b) It may support DB9 serial port;
automatically enter the initial state. At this time, the cryptographic server cannot provide password service. The user performs the initial configuration of the cryptographic server. The initial configuration shall include user management, key management, system configuration. After the configuration is completed, it shall restart the cryptographic server.
After the initial configuration, the cryptophone is powered on, it can
automatically enter the ready state, then the cryptographic server can provide the cryptographic service.
The cryptographic server in the ready state can only enter the initial state again by triggering the key-destruction mechanism and restarting after power-off. The cryptographic server cannot be changed from the ready state to the initial state through management interface, control port, human-machine interaction
component or other means.
6.5 Testing of device self-test
The cryptographic server shall support the self-test function. The self-test shall include power-on/reset self-test, periodic self-test, self-test after accepting the command. The self-test content includes the validity self-test of physical noise source, validity self-test of cryptographic operation unit, self-test of random number, self-test of cryptographic algorithm?€?s correctness, integrity check of static storage data, etc.
The test results shall be reported after the end of the self-test. If the self-test is successful, the cryptographic server shall enter the ready state. If the self-test fails, the cryptographic server shall record the log and alarm, meanwhile immediately stop providing the cryptographic service externally.
6.6 Testing of device?€?s configuration management
The cryptographic server shall include, but is not limited to, configuration of cryptographic authority, configuration of cryptographic server?€?s network, configuration of cryptographic server?€?s access control, other management functions.
The configuration of cryptographic authority should have:
a) Management of three roles: administrator, security officer, operator; b) The administrator is responsible for the addition, modification, cancellation of security officers and operators;
c) The security officer is responsible for the authority management of the stored can be exported to the outside of the cryptographic server.
6.7.2 Security function of key management
The cryptographic server shall comply with the standard GM/T 0030-2014 and have the following security functions of key management:
a) The management key shall be generated or installed in the initial state by the management tool provided by the cryptographic server manufacturer,
stored securely inside the cryptographic server:
b) The signature key pair of the user key and the device key is generated or installed by the cryptographic server. The random number used by the key shall be generated by the physical noise source chip, the key shall be
generated using a strong prime number. The encryption key pair is
generated by the independent key management system and issued
according to the private key protection structure of the encryption key as specified in GM/T 0018 to the device;
c) The key?€?s encryption key is an optional support item. When the
cryptographic server supports this item, the key shall be generated or
installed by the management tool provided by the cryptographic server?€?s manufacturer and shall support secure storage of a certain amount of
key?€?s encryption key inside the cryptographic server;
d) The session key cannot be exported in plaintext. It shall be encrypted by the use of user key or key?€?s encryption key during export;
e) The symmetric key and asymmetric key stored securely in the
cryptographic server shall be called by the key index number or other form of unique identifier;
f) The cryptographic server shall be able to securely store at least 100 sets of symmetric keys and 32 pairs of asymmetric key pairs;
g) The cryptographic server shall support key backup and key recovery. The backup file shall be stored in a secure storage medium in ciphertext,
meanwhile the same type of cryptographic server by the same
manufacturer shall be able to support mutual backup and recovery.
6.8 Testing of correctness and consistency of device?€?s
cryptographic algorithm
6.8.1 Testing of device?€?s symmetric cryptographic operation
perform the decryption operation, the decrypted result is exactly the same as the given plaintext;
c) After the cryptographic server uses the given key to sign the signature message by calling the cryptographic algorithm, the testing platform
verifies the signed results; the verification shall pass;
d) After the cryptographic server uses the given key to sign the message to be signed by calling the cryptographic algorithm, it calls the cryptographic algorithm to perform the verification operation; the verification passes; e) The cryptographic server uses the given key and key negotiation
parameters, to call the key negotiation algorithm to perform key
negotiation with the testing platform; the negotiation result is correct. 6.8.3 Testing of device?€?s hash cryptographic operation
The cryptographic server shall support the SM3 algorithm. The cryptographic server may call the SM3 algorithm to hash the message. It shall be able to support the hashing operation of the given message and parameters by calling the SM3 algorithm.
a) The cryptographic server calls the SM3 algorithm to calculate the hash value of the given message; the result is exactly the same as the given hash value;
b) The cryptographic server calls the SM3 algorithm to calculate the hash value of the given message and parameters; the result is exactly the same as the given hash value.
6.9 Testing of device?€?s random number quality
The cryptographic server shall have the function of generating random number. It shall have at least 2 independent physical noise sources. The testing of random number?€?s quality shall follow GB/T 32915.
The testing program of random number is designed and provided by a testing organization approved by the national password management department. The testing result of the random number testing of the cryptographic server shall meet the requirements of GM/T 0005.
The random number generator used by the cryptographic server shall be able to pass the random number testing at 4 different application phases: sample delivery testing, exit-factory testing, power-on testing, use testing:
a) Sample delivery testing
2) Single testing
?€? Testing amount: It is determined according to the size of the random
number taken each time in actual application, but the length shall not
be lower than 128 bits. Meanwhile the unused sequence that has
passed the testing can continue to be used;
?€? Testing item: Poker testing, when the sample length is less than 320
bits, the parameter m = 2;
?€? Testing pass criteria: If the test criteria are not passed during the test, the alarm test is unqualified.
It is allowed to repeat the random number collection and testing once. If the repeated testing is still unqualified, it is determined that the random number generator of the product is invalid
6.10 Testing of device?€?s application interface
The application programming interface of the cryptographic server shall follow GM/T 0018.
For the correct calling environment and calling process of the cryptographic server, the API function shall return the correct result and complete the corresponding function. For the set incorrect calling environment or calling process, the API function shall return the corresponding error code. The API interface testing of the cryptographic server shall include the following six categories:
a) Function of device management;
b) Function of key management;
c) Function of symmetric algorithm operation;
d) Function of asymmetric algorithm operation;
e) Function of hash operation;
f) Function of user file operation.
6.11 Testing of device?€?s remote management interface
The cryptographic server shall support the device?€?s remote management
function. If this function is supported, the remote management interface of the cryptographic server shall follow GM/T 0030-2014.
prevent malicious personnel from unauthorized logging in, thereby protecting the security of cryptographic server.
For the private key stored inside the cryptographic server, it can only be used when holding the correct access control code of private key. The calling to the cryptographic server?€?s function and the remote management of the
cryptographic server shall use the IP packet-based authorized access control technology, only a host that has an authorized IP address can normally call the device function or remotely manage the device. A host that does not have an authorized IP cannot call the device function or remotely manage the device. 6.13 Testing of device logging
The cryptographic server shall provide logging, viewing, export functions. The log content of the cryptographic server shall include:
a) Administrator?€?s operation, including login authentication, system
configuration, key management, etc.;
b) Abnormal events, including records of abnormal events such as
authentication failures and illegal access.
The log content of the cryptographic server should include:
a) If connected to the device?€?s management center, record the corresponding operations;
b) Log the calling related to the key management in the application interface. 6.14 Testing of device performance
The password operations of the cryptographic server shall meet certain
performance indicators.
The performance testing of the cryptographic server shall include nine aspects: generation of random number of cryptographic sever, generation of symmetric key of cryptographic server, generation of asymmetric key of cryptographic server, encryption and decryption performance of cryptographic server?€?s SM1 algorithm, encryption and decryption performance of cryptographic server?€?s SM2 algorithm, signature/verification performance of cryptographic server?€?s SM2 algorithm, operation performance of cryptographic server?€?s SM3 algorithm, encryption and decryption performance of cryptographic server?€?s SM4
algorithm, concurrent performance of the cryptographic server. Each
performance of the cryptographic server shall be tested multiple times. Take the completion time T(s). Performance index formula is:
S = 8LN/(1024 ?? 1024 T); the unit is Mbps;
h) The testing of encryption and decryption performance of cryptographic server?€?s SM4 algorithm: send a data message of length L (byte) to the
cryptographic server for encryption/decryption; repeat the operation N
times; calculate the completion time T (s). The performance of the various working modes supported by the SM4 algorithm needs to be tested
separately. The performance index formula is:
S = 8LN/(1024 x 1024T); the unit is Mbps;
i) The testing of concurrent performance of the cryptographic server:
including two indicators of the number of new connections established per second and the maximum number of concurrent connections.
In the testing platform, simulate multiple client behaviors; establish a TCP connection with the cryptographic server in parallel; repeat this process for a period of time; take the average of the number of connections established per second as the test result of the number of new connections per second, the unit is (pieces/s).
In the testing platform, simulate multiple client behaviors; establishes a TCP connection with the cryptographic server in parallel; then continuously adds the client; repeats the process until it cannot establish and maintain the connection. The number of TCP connections that have been accessed is the test result, the unit is piece.
6.15 Testing of device?€?s network adaptability
The cryptographic server shall have good adaptability and scalability to the service mode of the user. It shall meet the application requirements of at least three modes, including:
a) The cryptographic server shall be able to connect directly to the host; b) The cryptographic server shall be able to connect to multiple hosts at the same time through the switch;
c) The cryptographic server shall be able to connect to the hosts of different networks.
6.16 Testing of device security
The testing of security of cryptographic server complies with GM/T 0039.

View full details