www.ChineseStandard.us -- Field Test Asia Pte. Ltd.

GM/T 0116-2021 English PDF (GM/T0116-2021)
GM/T 0116-2021: Testing and evaluation process guide for information system cryptography application

GM/T 0116-2021
GM
CRYPTOGRAPHY INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
CCS L 80
Testing and Evaluation Process Guide for Information System Cryptography Application
ISSUED ON: OCTOBER 19, 2021
IMPLEMENTED ON: MAY 1, 2022
Issued by: State Cryptography Administration
Table of Contents
Foreword
1 Scope
2 Normative References
3 Terms and Definitions
4 Overview
4.1 Basic Principles
4.2 Risk Identification of Testing and Evaluation
4.3 Avoidance of Testing and Evaluation Risks
4.4 Testing and Evaluation Process
5 Testing and Evaluation Preparation Activities
5.1 Workflow of Testing and Evaluation Preparation Activities
5.2 Main Tasks of Testing and Evaluation Preparation Activities
5.3 Output Documents of Testing and Evaluation Preparation Activities
6 Scheme Preparation Activities
6.1 Workflow of Scheme Preparation Activities
6.2 Main Tasks of Scheme Preparation Activities
6.3 Output Documents of Scheme Preparation Activities
7 On-site Testing and Evaluation Activities
7.1 Workflow of On-site Testing and Evaluation Activities
7.2 Main Tasks of On-site Testing and Evaluation Activities
7.3 Output Documents of On-site Testing and Evaluation Activities
8 Analysis and Report Preparation Activities
8.1 Workflow of Analysis and Report Preparation Activities
8.2 Main Tasks of Analysis and Report Preparation Activities
8.3 Output Documents of Analysis and Report Preparation Activities
Testing and Evaluation Process Guide for Information System Cryptography Application
1 Scope
This document specifies the testing and evaluation process of information system cryptography
application and standardizes the testing and evaluation activities and work tasks.
This document is suitable for commercial cryptography application security evaluation
institutions and information system responsible organizations to carry out cryptography
application security evaluation work.
2 Normative References
The contents of the following documents constitute indispensable clauses of this document
through the normative references in the text. In terms of references with a specified date, only
versions with a specified date are applicable to this document. In terms of references without a
specified date, the latest version (including all the modifications) is applicable to this document.
GB/T 25069-2010 Information Security Technology - Glossary
GM/T 0115 Testing and Evaluation Requirements for Information System Cryptography Application
GM/Z 4001 Cryptology Terminology
3 Terms and Definitions
The terms and definitions defined in GB/T 25069-2010 and GM/Z 4001, and the following are
applicable to this document.
3.1 testing and evaluation agency
The subject that conducts cryptography application security evaluation (referred to as
“cryptography evaluation”) on information systems.
NOTE: specifically, it can be a commercial cryptography application security evaluation institution
or information system responsible organization.
3.2 agency under testing and evaluation
Information system responsible organization.
3.3 commercial cryptography application security evaluation staff
Personnel engaged in testing and evaluation activities in the testing and evaluation agency.
NOTE: referred to as “cryptography evaluation staff”.
4 Overview
4.1 Basic Principles
When conducting cryptography application security evaluation on an information system, the
testing and evaluation agency shall follow the following principles.
a) Principle of objectivity and impartiality
During the testing and evaluation implementation process, the testing and evaluation
agency shall ensure that the testing and evaluation activities are carried out in
accordance with the cryptography evaluation scheme jointly agreed upon by the
agency under testing and evaluation and based on clearly defined testing and
evaluation modes and explanations, in compliance with the requirements of the
national cryptography management department and with minimal subjective
judgment.
b) Principle of reusability
The testing and evaluation work may reuse existing testing and evaluation results,
including commercial cryptography testing and certification results and the testing
and evaluation results of cryptography application security evaluation, etc. All reuse
results shall be based on the premise that the existing testing and evaluation results
are still applicable to the current information system under test and can objectively
reflect the current security status of the system.
c) Principle of repeatability and reproducibility
In accordance with the same requirements, using the same testing and evaluation
method, and in the same environment, different cryptography evaluation staff shall
obtain the same results by repeatedly executing each testing and evaluation
implementation process. The difference between repeatability and reproducibility is
that the former focuses on the consistency of the testing and evaluation results obtained by the
same cryptography evaluation staff, while the latter focuses on the consistency of the
testing and evaluation results obtained by different cryptography evaluation staff.
d) Principle of result perfection
Based on a correct understanding of the content of each requirement of GM/T 0115,
the results generated by testing and evaluation shall objectively reflect the current
status of cryptography application in an information system. The testing and
evaluation process and results shall be based on correct testing and evaluation
methods to ensure that they satisfy the requirements.
4.2 Risk Identification of Testing and Evaluation
The execution of the testing and evaluation work may bring certain risks to the information
system under test. The testing and evaluation agency shall identify risks in a timely manner
before the start of testing and evaluation and during the testing and evaluation process. During
the testing and evaluation process, the risks mainly include the following aspects.
a) Verification test may affect the normal operation of the information system under test
During on-site testing and evaluation, certain verification tests need to be carried out
on the equipment and systems. Some test content requires checking the information
on the computer, which may have an unexpected impact on the operation of the
information system under test.
b) Tool test may affect the normal operation of the information system under test
During on-site testing and evaluation, based on actual demands, some testing and
evaluation tools may be used for the test. When the testing and evaluation tools are
used, redundant data writing may be generated, and meanwhile, it may have a certain
impact on the load of the system, which in turn may cause certain impact or even
damage to the server and network communication in the information system under
test.
c) Possible leakage of sensitive information of the information system under test
During the testing and evaluation process, sensitive information of the information
system under test may be leaked, such as: encryption mechanisms, operational
processes, security mechanisms and related document information, etc.
d) Other possible risks
During the testing and evaluation process, risks may also arise that affect the
availability, confidentiality and integrity of the information system under test.
4.3 Avoidance of Testing and Evaluation Risks
During the testing and evaluation process, the following measures may be taken to avoid risks.
a) Sign a commissioned testing and evaluation agreement
Before the testing and evaluation work officially starts, the testing and evaluation
agency and the agency under testing and evaluation need to clarify the goals, scope,
personnel composition, planning arrangements, implementation steps and
requirements, and the responsibilities and obligations of both parties through the
mode of a commission agreement, so that both parties of the testing and evaluation can
4.4.2 Testing and evaluation preparation activities
The testing and evaluation preparation activities are the premise and foundation for carrying
out the testing and evaluation work. The main tasks are to grasp the details of the information
system under test, prepare testing and evaluation tools, and prepare for compiling the
cryptography evaluation scheme.
4.4.3 Scheme preparation activities
Scheme preparation activities are the key activities in carrying out the testing and evaluation
work. The main tasks are to determine the testing and evaluation objects, testing and evaluation
indicators, testing and evaluation inspection points, and testing and evaluation content, etc. that
are suitable for the information system under test, and form a cryptography evaluation scheme
to provide a basis for the implementation of on-site testing and evaluation.
4.4.4 On-site testing and evaluation activities
On-site testing and evaluation activities are the core activities of testing and evaluation work.
The main tasks are to implement all testing and evaluation items step by step in accordance
with the cryptography evaluation scheme, so as to understand the real status of cryptography
application of the information system under test, obtain sufficient evidence and find out the
existing security issues of cryptography application.
4.4.5 Analysis and report preparation activities
The analysis and report preparation activities are activities that provide the results of testing
and evaluation work. The main tasks are to find out the gaps between the security protection
status of cryptography application of the information system under test and the protection
requirements of the corresponding level through methods of unit testing and evaluation, overall
testing and evaluation, quantitative evaluation and risk analysis in accordance with the
cryptography evaluation scheme and the relevant requirements of GM/T 0115; analyze the risks
confronting the information system under test that may be caused by these gaps, thereby
providing the testing and evaluation results of each testing and evaluation object and the
evaluation conclusions of the information system under test, and forming a cryptography
evaluation report.
5 Testing and Evaluation Preparation Activities
5.1 Workflow of Testing and Evaluation Preparation Activities
The goal of the testing and evaluation preparation activities is to successfully start the testing
and evaluation project, prepare relevant information required for testing and evaluation, and
provide conditions for the preparation of the cryptography evaluation scheme. The testing and
evaluation preparation activities include three main tasks: project startup, information
collection and analysis, and tool and form preparation.
5.2 Main Tasks of Testing and Evaluation Preparation Activities
5.2.1 Project startup
In the project startup task, the testing and evaluation agency builds a testing and evaluation
project team to obtain the basic situation of the agency under testing and evaluation and the
information system under test, and prepares for the implementation of the entire testing and
evaluation project in terms of basic information, personnel and planning arrangements, etc.
---Input: commissioned testing and evaluation agreement, confidentiality agreement, etc.
Task description:
a) In accordance with the commissioned testing and evaluation agreement signed by
both parties of the testing and evaluation and the scale of the information system under
test, the testing and evaluation agency shall build a testing and evaluation project team,
make proper personnel arrangements and prepare a project proposal. The project
proposal shall include project overview, work basis, technical ideas, work content and
project organization, etc.
b) The testing and evaluation agency requires the agency under testing and evaluation to
provide basic information to make material preparation for a comprehensive and
preliminary understanding of the information system under test.
---Output: project proposal.
5.2.2 Information collection and analysis
The testing and evaluation agency uses survey forms, consults materials on the information
system under test, etc. to understand the composition and cryptography application of the
information system under test, laying the foundation for compiling the cryptography evaluation
scheme and carrying out on-site testing and evaluation work.
---Input: survey form.
Task description:
a) The testing and evaluation agency collects the materials required for the testing and
evaluation, including overall description file of the information system under test,
overall description file of the cryptography application of the information system
under test, network security level protection rating report, security demands analysis
report, overall security scheme, detailed security design scheme, cryptography
application scheme, user operation guides for related cryptographic products, various
security rules and regulations on cryptography application, as well as related process
management records and configuration management documents, etc.
b) The testing and evaluation agency submits the basic situation survey form of the
information system under test to the agency under testing and evaluation, and assists
preparation of cryptography evaluation scheme.
6.2 Main Tasks of Scheme Preparation Activities
6.2.1 Determination of testing and evaluation objects
In accordance with the information on the information system under test that has been learned,
analyze the entire information system under test and the operational application systems involved,
as well as the related cryptography application, and determine the testing and evaluation
objects of the current testing and evaluation.
---Input: completed survey form, various technical information related to the information