www.ChineseStandard.us -- Field Test Asia Pte. Ltd.
GM/T 0122-2022 English PDF (GM/T0122-2022)
GM/T 0122-2022: Cryptography test specification for blockchain
GM/T 0122-2022
GM
CRYPTOGRAPHY INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.030
CCS L 80
Cryptography test specification for blockchain
ISSUED ON: NOVEMBER 20, 2022
IMPLEMENTED ON: JUNE 01, 2023
Issued by: State Cryptography Administration
Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Technical architecture for blockchain cryptographic application
6 Overall test requirements for blockchain cryptography
6.1 Cryptographic algorithm
6.2 Random number test
6.3 Cryptographic protocol
6.4 Key management
6.5 Certificate management
6.6 Cryptographic devices
7 Cryptography test requirements for blockchain cryptographic modules
7.1 Identity management
7.2 On-chain transaction
7.3 Off-chain transaction
7.4 Ledger storage
7.5 Communication security
7.6 Consensus mechanism
7.7 Smart contracts
7.8 Privacy protection
7.9 Transaction supervision
7.10 Performance test
8 Inspection technical documentation requirements
9 Qualification criteria
Cryptography test specification for blockchain
1 Scope
This document specifies the test content, test methods and qualification criteria for
relevant cryptographic technologies in blockchain cryptographic modules.
This document applies to the test of blockchain cryptographic modules and can be used
to guide the design of blockchain cryptographic modules and the use of cryptographic
technologies.
2 Normative references
The following documents are referred to in the text in such a way that some or all of
their content constitutes requirements of this document. For dated references, only the
version corresponding to that date is applicable to this document; for undated references,
the latest version (including all amendments) is applicable to this document.
GB/T 15843.2, Information technology - Security techniques - Entity authentication
- Part 2: Mechanisms using symmetric encipherment algorithms
GB/T 15843.3, Information technology - Security techniques - Entity authentication
- Part 3: Mechanisms using digital signature techniques
GB/T 15843.4, Information technology - Security techniques - Entity authentication
- Part 4: Mechanisms using a cryptographic check function
GB/T 15843.5, Information technology - Security techniques - Entity authentication
- Part 5: Mechanisms using zero knowledge techniques
GB/T 15852.2, Information technology - Security techniques - Message
Authentication Codes (MACs) - Part 2: Mechanisms using a dedicated hash-function
GB/T 20518, Information security technology - Public key infrastructure - Digital
certificate format
GB/T 32905, Information security techniques - SM3 cryptographic hash algorithm
GB/T 32907, Information security technology - SM4 block cipher algorithm
GB/T 32918 (all parts), Information security technology - Public key cryptographic
algorithm SM2 based on elliptic curves
b) Perform decryption operation on the given key and ciphertext according to the
specified operation mode, and the result shall be exactly the same as the given
plaintext.
6.1.3 Hash cryptographic algorithm implementation correctness test
For given messages and parameters, call the hash algorithm to test the correctness of
its operation results, including:
a) Call the hash algorithm operation interface for the given message to calculate the
hash value, and the result shall be exactly the same as the given hash value;
b) Call the hash algorithm operation interface for the given message and parameters
to calculate the hash value, and the result shall be exactly the same as the given
hash value.
6.1.4 Asymmetric cryptographic algorithm encryption and decryption implementation correctness test
For the given key and plaintext (ciphertext), call the asymmetric cryptographic
algorithm to test the correctness of its operation results, including:
a) Call the asymmetric cryptographic algorithm encryption operation interface to
perform encryption operation on the given plaintext and key, and test the tool’s
decryption operation on the ciphertext. The decryption result shall be exactly the
same as the given plaintext;
b) Call the asymmetric cryptographic algorithm decryption operation interface to
perform decryption operation on the given ciphertext and key, and the decryption
result shall be exactly the same as the given plaintext.
6.1.5 Asymmetric cryptographic algorithm digital signature and signature verification implementation correctness test
Call the asymmetric cryptographic algorithm to perform signature/verification
operation on the data, and test the correctness of the operation results, including:
a) Call the asymmetric cryptographic algorithm signature operation interface to
perform signature operation on the given message to be signed and the key, and
test the tool’s verification operation on the signature result, where it shall pass the
signature verification;
b) Call the asymmetric cryptographic algorithm signature verification operation
interface to perform signature verification on the given signature result, the
message to be signed, and the key, where it shall pass the signature verification.
6.1.6 Asymmetric key pair consistency test
For the generated public and private keys, call the asymmetric cryptographic algorithm
to test the correctness of the operation results, including:
a) Use the public key to encrypt the plaintext, and use the private key to decrypt the
ciphertext. The decrypted result shall be the same as the original plaintext;
b) Test the asymmetric key pair consistency by calculating and verifying a digital
signature, where the digital signature shall be verified.
6.2 Random number test
Random numbers shall be generated using cryptographic components or modules that
have passed cryptographic testing and certification, and the quality of random numbers
shall comply with the requirements of GM/T 0005.
6.3 Cryptographic protocol
The cryptographic protocols used shall comply with the relevant cryptographic
requirements of national standards and industry standards:
a) When using the TLCP protocol, it shall comply with GB/T 38636;
b) When using IPSec protocol, it shall comply with GM/T 0022;
c) When using zero knowledge proof, ring signature, group signature, secure multi-
party computing, etc. that have been reviewed and authenticated by the national
cryptography authorities, protocol interaction data shall be collected to verify
correctness and consistency.
6.4 Key management
Key management security shall meet the following requirements:
a) The key generation shall be done inside the cryptographic component or module
that has passed the cryptographic testing and certification; the generation and
negotiation of private keys and symmetric keys shall use random numbers that
meet the requirements of GM/T 0005;
b) Symmetric keys and private keys shall be stored in a secure form or in encrypted
form;
c) If the key distribution process is involved, security measures such as identity
authentication shall be in place to ensure the authenticity of the key;
cryptographic technologies such as digital signature and HMAC shall be used to
ensure the integrity of the distributed key, where HMAC shall comply with GB/T
15852.2; security measures shall be in place to ensure the confidentiality of the
key;
cryptographic machine, VPN, cryptographic smart token, timestamp server, signature
verification server, etc.
7 Cryptography test requirements for blockchain cryptographic modules
7.1 Identity management
7.1.1 Account creation
Test requirements:
During the account creation phase, a transaction address that can identify the user shall
be generated, and a public-private key pair of the SM2 algorithm shall be generated
using a cryptographic component or module that has passed the cryptographic testing
and certification. The user's private key shall be securely generated and stored inside
the cryptographic module, which shall meet the relevant requirements of GM/T 0028.
Test steps:
a) Simulate account creation process;
b) Verify the public-private key pair mechanism for generating the SM2 algorithm
during account creation, and verify whether the cryptographic components or
modules that have passed the cryptographic testing and certification are used for
generation;
c) Verify and analyze whether the user's private key is generated and stored in a
cryptographic component or module that has passed cryptographic testing and
certification.
Result judgment:
If the results of a) ~ c) are positive, the test item is judged PASS.
7.1.2 Real-name authentication
Test requirements:
When real-name transactions are required, digital certificate technology shall be used
to verify the legitimacy and validity of the user's identity.
Test steps:
a) Simulate the real-name authentication process to verify whether the real-name
information can be recorded;
b) Verify whether digital certificate technology is used to authenticate user identity.
Result judgment:
If the results of a) and b) are positive, the test item is judged PASS.
7.1.3 Authentication
Test requirements:
In the blockchain, the identifiability and legitimacy of all nodes and user identities
between blockchain cryptographic modules shall be ensured. The entry or exit of nodes
should use digital certificate technology to verify node identity, authorize node
permissions, and generate audit logs. The authentication mechanism for nodes and user
identities shall comply with one of the requirements in GB/T 15843.2, GB/T 15843.3,
GB/T 15843.4, and GB/T 15843.5.
Test steps:
a) Verify and analyze whether the user's identity authentication mechanism adopts
an authentication mechanism based on cryptographic technology;
b) Simulate the transaction process on the user chain. Authentication of a
legitimate user shall succeed, and authentication of an illegal user shall fail.
Access to the blockchain network through secure communication shall fail,
or the transaction verification shall fail;
c) Simulate the node admission process. A legal node identity shall be
successfully authenticated and admitted; an illegal user identity shall fail
authentication, and the node shall not be allowed to enter;
d) Simulate the process of node access and on-chain transactions. When using legal
nodes for authorized permission operation, the node operations shall be allowed;
when using legal nodes for unauthorized permission operations, the node
operations shall not be allowed;
e) Check whether audit logs are generated, and verify the integrity of audit logs;
f) If the user's identity authentication mechanism uses digital certificate technology,
it shall pass the test in Clause 6.5.
Result judgment:
If the results of a) ~ e) are positive, the test item is judged PASS. If f) is involved and
the result is positive, the test item is judged PASS.
7.2 On-chain transaction
7.2.1 Transaction creation
g) If a third-party trusted timestamp is included in the block, verify and analyze
whether the timestamp used in the transaction creation process complies with
GM/T 0033;
h) Check whether the transaction adds nonce value counts and other anti-replay
attack measures;
i) If blind signature, ring signature, group signature, etc. that have been reviewed
and authenticated by the national cryptographic authority are used, verify the
correctness and consistency of the implementation of the relevant technologies.
Result judgment:
If the results of the test steps a) ~ e) and h) are positive, the test item is judged PASS. If
the items in test steps f), g) and i) are involved and the results are positive, the test item
is judged PASS.
7.2.2 Transaction verification
Test requirements:
After a transaction is created, it needs to be broadcast to the nodes in the blockchain
network, which then verify the transaction, package it into blocks, and run the
consensus protocol to ensure that the nodes in the network reach a consensus on all
legal transactions.
The cryptographic requirements of the blockchain cryptographic module in the process
of reaching consensus on transactions shall meet the following conditions.
a) If a digital certificate is used, the validity of the digital certificate shall be verified
first, including the certificate trust chain verification, certificate validity period
verification, whether the certificate has been revoked, and whether the usage
policy is correct.
b) Verify the digital signature in the transaction record to ensure the authenticity of
the transaction initiator and the integrity of the transaction record.
c) Verify the validity of transaction record time, etc.
d) The validity verification of the block shall ensure the validity of the hash value
of the previous block recorded in the block. Other aspects of verification are
similar to transaction verification.
e) If a third-party trusted timestamp is included in the block, check the validity of
the timestamp digital signature in accordance with GM/T 0033 and check whether
the timestamp signature certificate is connected to the trusted root CA.
Test steps:
a) Simulate transaction verification process;
b) If a digital certificate is used, check whether it can pass the test in Clause 6.5;
c) Check whether the transaction record has a digital signature and whether the
digital signature can be verified;
d) Check whether the transaction record is provided with the anti-replay attack
measure, modify the transaction signature time or nonce value count and other
information, and see whether errors can be handled in a timely manner;
e) If a third-party trusted timestamp is included in the block, verify compliance with
GM/T 0033 and check whether the timestamp signature certificate is connected
to a ...