HOME   Cart(0)   Quotation   About-Us Tax PDFs Standard-List Powered by Google www.ChineseStandard.net Database: 189760 (15 Mar 2025)

GM/T 0029-2014 PDF English


Search result: GM/T 0029-2014 English: PDF (GM/T0029-2014)
Standard IDContents [version]USDSTEP2[PDF] delivered inName of Chinese StandardStatus
GM/T 0029-2014English180 Add to Cart 0-9 seconds. Auto-delivery. Sign and verify server technical specification Valid


PDF Preview: GM/T 0029-2014


GM/T 0029-2014: PDF in English (GMT 0029-2014)

GM/T 0029-2014 GM CRYPTOGRAPHY INDUSTRY STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA ICS 35.040 L 80 File No.. 44630-2014 Sign and verify server technical specification ISSUED ON. FEBRUARY 13, 2014 IMPLEMENTED ON. FEBRUARY 13, 2014 Issued by. State Cryptography Administration Table of Contents Foreword ... 4  1 Scope .. 5  2 Normative references ... 5  3 Terms and definitions ... 6  4 Abbreviations .. 6  5 Functional requirements of the sign and verify server ... 7  5.1 Initialization function .. 7  5.2 Connection with the CA infrastructure ... 7  5.3 Application management function .. 7  5.4 Certificate management and verification functions ... 7  5.5 Digital signature function ... 8  5.6 Access control function ... 9  5.7 Log management function ... 9  5.8 System self-testing function .. 9  5.9 NTP time source synchronization function ... 10  6 Security requirements of the sign and verify server .. 10  6.1 Cryptography device ... 10  6.2 System requirements .. 10  6.3 Operating requirements ... 10  6.4 Management requirements ... 10  6.5 Physical security protection of the device .. 11  6.6 Network deployment requirements ... 11  6.7 Service interface ... 14  6.8 Environmental adaptability.. 14  6.9 Reliability ... 15  7 Testing requirements of the sign and verify server ... 15  7.1 Appearance and structure check ... 15  7.2 File submission check ... 15  7.3 Function testing ... 15  7.4 Performance testing ... 18  7.5 Environmental adaptability testing .. 18  7.6 Other testing ... 19  8 Qualification determination .. 19  Annex A (Normative) Message protocol syntax specification .. 20  Annex B (Normative) HTTP-based signature message protocol syntax specification ... 48  Annex C (Normative) Definition and description of response code ... 51  Sign and verify server technical specification 1 Scope This Standard specifies the functional requirements, security requirements, interface requirements, testing requirements, message protocol syntax specification and other relevant contents of the sign and verify server. This Standard is applicable to the development and design, application development, management and use of the sign and verify server. It can also be used for guiding the testing of the sign and verify server. 2 Normative references The following documents are essential to the application of this document. For dated references, only the editions with the dates indicated are applicable to this document. For undated references, only the latest editions (including all the amendments) are applicable to this document. GB/T 9813 Generic specification for microcomputer GB/T 19713-2005 Information technology - Security techniques - Public key infrastructure - Online certificate status protocol GM/T 0006-2012 Cryptographic application identifier criterion specification GM/T 0009 SM2 cryptography algorithm application specification GM/T 0010 SM2 cryptography message syntax specification GM/T 0014 Digital certificate authentication system cryptography protocol specification GM/T 0015 Digital certificate format based on SM2 algorithm GM/T 0018 Interface specifications of cryptography device application GM/T 0020 Certificate application integrated service interface specification GM/T 0030 Cryptographic server technical specification PKCS #1 RSA cryptography algorithm application specification PKCS #7 RSA cryptography message syntax specification PKCS. Public-Key Cryptography Standard PKI. Public Key Infrastructure 5 Functional requirements of the sign and verify server 5.1 Initialization function The initialization of the sign and verify server mainly includes the system configuration, administrator creation, etc. so that the device is in normal operating condition. 5.2 Connection with the CA infrastructure The sign and verify server shall support the connection with the CA infrastructure, including the CRL connection configuration, OCSP connection configuration, etc. 5.2.1 CRL connection configuration The sign and verify server shall support the function of CRL connection configuration, and shall be able to get CRL and import CRL from the CRL publishing point through the configuration management interface. 5.2.2 OCSP connection configuration The sign and verify server may support the function of OCSP connection configuration and manage the OCSP service connection configuration through the configuration management interface. The OCSP connection configuration shall comply with GB/T 19713-2005. 5.3 Application management function The application management function of the sign and verify server mainly includes the application entity registration, key configuration, authorization code setting of the private key, etc. In addition, the information of the application entity shall be securely stored in accordance with the security mechanism. The content of the application entity registration shall include the application entity name setting, key index number configuration, certificate import, IP address setting (optional), etc. 5.4 Certificate management and verification functions The management certificates of the sign and verify server include the application entity certificate and user certificate. The sign and verify server shall based on SM2 algorithm, and shall provide the operation modes for various formats such as data, message, file, etc. The sign and verify server may support the digital signature function based on RSA algorithm, among which the modulus length of the RSA algorithm shall be at least above 2,048 bits. In case of SM2 public key algorithm, the data structure of the sign and verify server shall comply with GM/T 0009 or GM/T 0010. In case of RSA public key algorithm, the data structure of the sign and verify server shall comply with the PKCS #1 or PKCS #7 standard. 5.6 Access control function The management interface of the sign and verify server shall have a good identity authentication mechanism to achieve the administrator identity authentication through a combination of the smart cryptographic key, smart IC card and password. The “password” requires a time limit. When the time limit is exceeded, the cryptograph must be forcibly changed. After the administrator logs in successfully, management operations such as application management, certificate management, system configuration, log query, etc. are performed through the management interface. 5.7 Log management function The sign and verify server shall provide log recording, viewing, auditing and exporting functions, with the corresponding configuration management and viewing interfaces. The logs are divided into system management logs, abnormal events, system service logs, etc., including such operations as log-in authentication, system configuration, key management, etc., recording of such abnormal events as authentication failure, unauthorized access, etc., connection with the device management center, recording of corresponding operations, and call logging of the application interface. 5.8 System self-testing function The sign and verify server shall have the self-testing function, including the server self-testing and cryptography device self-testing. The cryptography device used by the sign and verify server shall have the status and function self-testing function, which is able to check the correctness of the cryptographic algorithm, random number generator, integrity of the storage key and data, etc. The self-testing of the sign and verify server includes the cryptographic function testing, integrity check of storage information, etc. 5.9 NTP time source synchronization function The sign and verify server is able to configure the time source server to automatically synchronize the time. 6 Security requirements of the sign and verify server 6.1 Cryptography device The sign and verify server must use the cryptography device approved by the national cryptography authority. The API for calling the cryptography device shall comply with GM/T 0018. 6.2 System requirements The operating system used by the sign and verify server shall be securely reinforced. All unnecessary modules shall be eliminated. All unnecessary ports and services shall be disabled. 6.3 Operating requirements The sign and verify server only accepts valid operational commands. The sign and verify server’s software shall adopt modular design. The technical measures such as identity authentication shall be taken to prevent the user’s illegal calls. 6.4 Management requirements 6.4.1 Management tool The sign and verify server realizes its management function through the management tool. The management tool may be installed on the sign and verify server, or the management terminal out... ......
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.