GM/T 0022-2023 PDF English
Standard ID | Name of Chinese Standard | Status |
GM/T 0022-2023 | IPSec VPN technical specification | Valid |
GM/T 0022-2014 | IPSec VPN specification | Obsolete |
GM/T 0022-2023: IPSec VPN technical specification
This is an excerpt. The full copy of the true-PDF English version (including equations, symbols, images, flow charts, tables and figures) can be purchased online: https://www.ChineseStandard.net/PDF.aspx/GMT0022-2023
GM
CRYPTOGRAPHY INDUSTRY STANDARD
ICS 35.030
CCS L 80
Replacing GM/T 0022-2014
IPSec VPN Technical Specification
Issued on: DECEMBER 4, 2023
Implemented on: JUNE 1, 2024
Issued by: State Cryptography Administration
Table of Contents
Foreword
1 Scope
2 Normative References
3 Terms and Definitions
4 Symbols and Abbreviations
4.1 Symbols
4.2 Abbreviations
5 Cryptographic Algorithms and Key Categories
5.1 Cryptographic Algorithms
5.2 Key Categories
6 Protocols
6.1 Key Exchange Protocol
6.2 Security Message Protocol
7 IPSec VPN Product Requirements
7.1 Product Functional Requirements
7.2 Product Performance Parameters
7.3 Security Management Requirements
8 IPSec VPN Product Testing
8.1 Product Function Testing
8.2 Product Performance Testing
8.3 Security Management Testing
9 Determination Rules
Appendix A (informative) A Brief Introduction to IPSec VPN
Bibliography
IPSec VPN Technical Specification
1 Scope
This document specifies the technical protocols and product functions of IPSec VPN, including
the key exchange protocol and security message protocol, as well as product functional
requirements and security management requirements.
This document applies to the development, testing, use and management of IPSec VPN
products.
2 Normative References
The contents of the following documents constitute indispensable clauses of this document
through the normative references in the text. For dated references, only the version with that
date applies to this document. For undated references, the latest version (including all
amendments) applies to this document.
GB/T 20518-2018 Information Security Technology - Public Key Infrastructure - Digital Certificate Format
GB/T 32905-2016 Information Security Techniques - SM3 Cryptographic Hash Algorithm
GB/T 32907-2016 Information Security Technology - SM4 Block Cipher Algorithm
GB/T 35276-2017 Information Security Technology - SM2 Cryptographic Algorithm Usage Specification
GB/T 36624-2018 Information Technology - Security Techniques - Authenticated Encryption
GM/T 0005-2021 Randomness Test Specification
GM/T 0016 Smart Token Cryptography Application Interface Specification
GM/T 0062-2018 Random Number Test Requirements for Cryptographic Modules
GM/T 0092-2020 Specification of Certificate Request Syntax Based on SM2 Cryptographic Algorithm
GM/Z 4001 Cryptology Terminology
RFC 2408 Internet Security Association and Key Management Protocol
RFC 3947 Negotiation of NAT-Traversal in the IKE
RFC 3948 UDP Encapsulation of IPsec ESP Packets
RFC 4304 Extended Sequence Number (ESN) Addendum to IPsec Domain of Interpretation (DOI) for ISAKMP
3 Terms and Definitions
The terms and definitions defined in GM/Z 4001 and the following apply to this document.
3.1 security association
An agreement established through negotiation between two communicating entities.
NOTE 1: It describes how the entities use security services to communicate securely.
NOTE 2: A security association includes all the information required to execute the various
network security services, such as IP layer services (header authentication and payload
encapsulation), transport layer and application layer services, or self-protection of the
negotiated communications.
3.2 payload
The data format of the messages exchanged between ISAKMP communicating parties.
NOTE: The payload is the basic unit of ISAKMP message construction.
3.3 authentication header
An IPSec protocol that provides data integrity, data origin authentication and anti-replay
protection for IP packets, but does not provide data confidentiality.
3.4 encapsulating security payload
An IPSec protocol that provides confidentiality, data integrity, data origin authentication and
anti-replay protection for IP packets.
3.5 data origin authentication
A mechanism that confirms that received data comes from the claimed source.
3.6 authenticated encryption mechanism
Cryptographic technology used to protect data confidentiality and to provide data integrity
and data origin authentication.
NOTE: It includes both encryption and decryption.
[Source: GB/T 36624-2018, 3.2, modified]
3.7 virtual private network
A secure channel established within a communication network by means of cryptographic
technology.
3.8 IPSec implementation
Software and hardware products that specifically implement the IPSec VPN protocol.
NOTE: IPSec implementations include hardware products in hardware-software-integrated form
as well as IPSec VPN products implemented purely in software (for example, IPSec VPN
products in virtual machine or container form).
4 Symbols and Abbreviations
4.1 Symbols
The following symbols apply to this document.
HDR: an ISAKMP header.
HDR*: indicates that the payload following the ISAKMP header is encrypted.
SA: security association payload containing one or more proposal payloads.
IDi: initiator's identification payload.
IDr: responder's identification payload.
HASHi: initiator's hash payload.
HASHr: responder's hash payload.
HASH_<n>: intermediate hash data used in the negotiation between the two parties.
SIGi: initiator's signature payload.
SIGr: responder's signature payload.
CERT_sig_r: signature certificate payload.
CERT_enc_r: encryption certificate payload.
Ni: initiator's nonce payload.
Nr: responder's nonce payload.
<p>_b: the body of payload <p> 1).
1) That is, the payload without the ISAKMP generic header.
4.2 Abbreviations
VPN: Virtual Private Network
5 Cryptographic Algorithms and Key Categories
5.1 Cryptographic Algorithms
The asymmetric cryptographic algorithm, symmetric cryptographic algorithm, cryptographic
hash algorithm and random number generation algorithm used in IPSec VPN shall comply with
the relevant requirements of national and industry cryptographic standards. The algorithms
and their usage requirements are as follows.
a) The asymmetric cryptographic algorithm shall support the SM2 elliptic curve
cryptographic algorithm, used for entity authentication, digital signature and digital
envelope.
b) The symmetric cryptographic algorithm shall support the SM4 block cipher algorithm,
used to encrypt and protect key exchange data and message data. The algorithm shall
operate in either CBC or GCM mode. The use of SM4 shall comply with GB/T 32907-2016;
the use of GCM mode shall comply with mechanism 5 of GB/T 36624-2018.
c) The cryptographic hash algorithm shall support the SM3 cryptographic hash algorithm,
used for integrity checks. The use of SM3 shall comply with GB/T 32905-2016.
d) Random numbers generated by the random number generation algorithm shall comply
with the requirements of GM/T 0005-2021 and the provisions of GM/T 0062-2018 for
Class E products.
5.2 Key Categories
IPSec VPN uses the following key categories.
a) Device key: public/private key pairs used by the asymmetric algorithm, comprising
signature key pairs and encryption key pairs, used for entity authentication, digital
signature and digital envelope.
NOTE: Devices include both hardware-implemented products (for example, hardware-
software-integrated products) and purely software-implemented products (for
example, virtual machine form products).
b) Work key: the key obtained in the first phase of key exchange, used to protect the
session key exchange process.
c) Session key: the key obtained in the second phase of key exchange, used for encryption
and integrity checking of data messages.
6 Protocols
6.1 Key Exchange Protocol
6.1.1 Definitions of related functions
Asymmetric_Encrypt(msg, pub_key): use the asymmetric algorithm Asymmetric, with pub_key
as the key, to encrypt the body msg_b of the input message msg; the output is the
concatenation of the generic payload header and the ciphertext of msg. For example,
SM2_Encrypt(Ski, pub_key) denotes encrypting Ski_b with the SM2 algorithm under the public
key pub_key; its output is the concatenation of the generic payload header and the ciphertext
of Ski.
Asymmetric_Sign(msg, priv_key): use the asymmetric algorithm Asymmetric, with priv_key as
the key, to digitally sign msg.
Symmetric_Encrypt(msg, key): use the symmetric encryption algorithm Symmetric, with key
as the key, to encrypt the body msg_b of the input message msg; the output is the
concatenation of the generic payload header and the ciphertext of msg. For example,
SM4_Encrypt(Ni, key) denotes encrypting Ni_b with the SM4 algorithm under key; its output is
the concatenation of the generic payload header and the ciphertext of Ni.
HASH(msg): use the cryptographic hash algorithm to compute a digest of msg. The hash
function yields a fixed-length value; if the SM3 cryptographic hash algorithm is used, the
digest of msg is a 256-bit hash value.
PRF(key, msg): use the key "key" to compute a keyed digest of the message msg. The result is
a fixed-length value. The PRF is computed as follows:
PRF(key, msg) = HMAC(key, msg), where HMAC is implemented based on SM3.
6.1.2 Exchange phase and mode
6.1.2.1 Exchange phase
The key exchange protocol defines the process and message format for negotiating, establishing,
modifying and deleting security associations. Protocol messages shall be transmitted over UDP,
using port 500 or 4500.
The key exchange protocol consists of two phases: Phase 1 and Phase 2.
In the Phase 1 exchange, the communicating parties establish an ISAKMP security association.
This security association is the shared policy and key that the negotiating parties use to
protect their communications; it protects the negotiation of IPSec security associations. A
single ISAKMP security association can be used to establish multiple IPSec security
associations.
In the Phase 2 exchange, the communicating parties use the ISAKMP security association of
......
Source: The above contents are excerpted from the full-copy PDF, translated/reviewed by www.ChineseStandard.net / Wayne Zheng et al.