
GM/T 0059-2018 PDF in English


Standard ID: GM/T 0059-2018
Name of Chinese Standard: Cryptographic server test specifications
Status: Valid

GM/T 0059-2018

CRYPTOGRAPHIC INDUSTRY STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA

ICS 35.040
L 80
Registration number: 62994-2018

GM/T 0059-2018
Cryptographic server test specifications

ISSUED ON: MAY 02, 2018
IMPLEMENTED ON: MAY 02, 2018
Issued by: State Cryptography Administration

Table of Contents

Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Requirements of testing environment
  5.1 Routine testing environment
  5.2 Cross-network testing environment
6 Testing content
  6.1 Overview
  6.2 Inspection of device appearance and structure
  6.3 Inspection of device’s management function
  6.4 Testing of device state
  6.5 Testing of device self-test
  6.6 Testing of device’s configuration management
  6.7 Testing of device’s key management
  6.8 Testing of correctness and consistency of device’s cryptographic algorithm
  6.9 Testing of device’s random number quality
  6.10 Testing of device’s application interface
  6.11 Testing of device’s remote management interface
  6.12 Testing of device access control
  6.13 Testing of device logging
  6.14 Testing of device performance
  6.15 Testing of device’s network adaptability
  6.16 Testing of device security
  6.17 Testing of device’s environmental adaptability
  6.18 Testing of device reliability
7 Technical requirements for document-for-inspection
Appendix A (Informative) List of test items

Cryptographic server test specifications

1 Scope

This standard specifies the test requirements and test methods for cryptographic server devices.

This standard applies to the testing of cryptographic server devices, as well as the research & development of such cryptographic devices. It may also be used to guide application development based on such cryptographic devices.

2 Normative references

The following documents are indispensable for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest edition (including all amendments) applies to this document.

GB/T 32905 Information security technology - SM3 cryptographic hash algorithm
GB/T 32907 Information security technology - SM4 block cipher algorithm
GB/T 32915 Information security technology - Binary sequence randomness testing method
GB/T 32918 Information security techniques - Elliptic curve public-key cryptography
GM/T 0005 Randomness test specification
GM/T 0018 Interface specifications of cryptography device application
GM/T 0030-2014 Cryptographic server technical specification
GM/T 0039 Security test requirements for cryptographic modules

3 Terms and definitions

The following terms and definitions apply to this document.

3.1
A universally applicable infrastructure built using public key cryptography, which provides users with security services such as certificate management and key management.

3.9 Private key access password
A password which is used to verify the private key’s usage rights.

3.10 SM1 algorithm
A block cipher algorithm.

3.11 SM2 algorithm
An algorithm as defined by GB/T 32918.

3.12 SM3 algorithm
An algorithm as defined by GB/T 32905.

3.13 SM4 algorithm
An algorithm as defined by GB/T 32907.

4 Abbreviations

The following abbreviations apply to this document.

API: Application Program Interface
CBC: Cipher Block Chaining
CFB: Cipher Feedback
CS: Cryptographic Server
ECB: Electronic Codebook
OFB: Output Feedback

j) Testing of device’s SM4 cryptographic operation;
k) Testing of device random number’s quality;
l) Testing of device’s application interface;
m) Testing of device’s management interface;
n) Testing of device’s access control;
o) Testing of device log;
p) Testing of device performance;
q) Testing of device’s network adaptability;
r) Testing of device security;
s) Testing of device’s environmental adaptability;
t) Testing of device’s reliability.

6.2 Inspection of device appearance and structure

The cryptographic server shall have the following main components or interfaces:
a) It shall support the state indicator. It may use visual observation to distinguish the normal working state and fault state of the state indicator;
b) It shall support the power indicator. It may use visual observation to distinguish whether the device is powered on;
c) It shall support at least two RJ45 network interfaces.

The cryptographic server should have the following main components or interfaces:
a) It should support one serial port (RJ45 or DB9 form) as the control port;
b) It should support the redundant power supply.

The cryptographic server may have the following main components or interfaces:
a) It may support the manual key destruction switch;
b) It may support DB9 serial port;

automatically enter the initial state. At this time, the cryptographic server cannot provide the cryptographic service. The user performs the initial configuration of the cryptographic server. The initial configuration shall include user management, key management, system configuration. After the configuration is completed, the cryptographic server shall be restarted. After the initial configuration, when the cryptographic server is powered on, it automatically enters the ready state; the cryptographic server can then provide the cryptographic service.

The cryptographic server in the ready state can only enter the initial state again by triggering the key-destruction mechanism and restarting after power-off. The cryptographic server cannot be changed from the ready state to the initial state through management interface, control port, human-machine interaction component or other means.

6.5 Testing of device self-test

The cryptographic server shall support the self-test function. The self-test shall include power-on/reset self-test, periodic self-test, self-test after accepting the command. The self-test content includes the validity self-test of physical noise source, validity self-test of cryptographic operation unit, self-test of random number, self-test of cryptographic algorithm’s correctness, integrity check of static storage data, etc.

The test results shall be reported after the end of the self-test. If the self-test is successful, the cryptographic server shall enter the ready state. If the self-test fails, the cryptographic server shall record the log and alarm, meanwhile immediately stop providing the cryptographic service externally.

6.6 Testing of device’s configuration management

The cryptographic server shall include, but is not limited to, configuration of cryptographic authority, configuration of cryptographic server’s network, configuration of cryptographic server’s access control, other management functions.

The configuration of cryptographic authority should have:
a) Management of three roles: administrator, security officer, operator;
b) The administrator is responsible for the addition, modification, cancellation of security officers and operators;
c) The security officer is responsible for the authority management of the stored can be exported to the outside of the cryptographic server.

6.7.2 Security function of key management

The cryptographic server shall comply with the standard GM/T 0030-2014 and have the following security functions of key management:
a) The management key shall be generated or installed in the initial state by the management tool provided by the cryptographic server manufacturer, stored securely inside the cryptographic server;
b) The signature key pair of the user key and the device key is generated or installed by the cryptographic server. The random number used by the key shall be generated by the physical noise source chip, the key shall be generated using a strong prime number. The encryption key pair is generated by the independent key management system and issued according to the private key protection structure of the encryption key as specified in GM/T 0018 to the device;
c) The key’s encryption key is an optional support item. When the cryptographic server supports this item, the key shall be generated or installed by the management tool provided by the cryptographic server’s manufacturer and shall support secure storage of a certain amount of key’s encryption key inside the cryptographic server;
d) The session key cannot be exported in plaintext. It shall be encrypted by the use of user key or key’s encryption key during export;
e) The symmetric key and asymmetric key stored securely in the cryptographic server shall be called by the key index number or other form of unique identifier;
f) The cryptographic server shall be able to securely store at least 100 sets of symmetric keys and 32 pairs of asymmetric key pairs;
g) The cryptographic server shall support key backup and key recovery. The backup file shall be stored in a secure storage medium in ciphertext, meanwhile the same type of cryptographic server by the same manufacturer shall be able to support mutual backup and recovery.

6.8 Testing of correctness and consistency of device’s cryptographic algorithm

6.8.1 Testing of device’s symmetric cryptographic operation

perform the decryption operation, the decrypted result is exactly the same as the given plaintext;
c) After the cryptographic server uses the given key to sign the signature message by calling the cryptographic algorithm, the testing platform verifies the signed results; the verification shall pass;
d) After the cryptographic server uses the given key to sign the message to be signed by calling the cryptographic algorithm, it calls the cryptographic algorithm to perform the verification operation; the verification passes;
e) The cryptographic server uses the given key and key negotiation parameters to call the key negotiation algorithm and perform key negotiation with the testing platform; the negotiation result is correct.

6.8.3 Testing of device’s hash cryptographic operation

The cryptographic server shall support the SM3 algorithm. The cryptographic server may call the SM3 algorithm to hash the message. It shall be able to support the hashing operation of the given message and parameters by calling the SM3 algorithm.
a) The cryptographic server calls the SM3 algorithm to calculate the hash value of the given message; the result is exactly the same as the given hash value;
b) The cryptographic server calls the SM3 algorithm to calculate the hash value of the given message and parameters; the result is exactly the same as the given hash value.

6.9 Testing of device’s random number quality

The cryptographic server shall have the function of generating random numbers. It shall have at least 2 independent physical noise sources.

The testing of random number’s quality shall follow GB/T 32915. The random number testing program is designed and provided by a testing organization approved by the national cryptography administration department.
The result of the random number testing of the cryptographic server shall meet the requirements of GM/T 0005.

The random number generator used by the cryptographic server shall be able to pass the random number testing at 4 different application phases: sample delivery testing, exit-factory testing, power-on testing, use testing:
a) Sample delivery testing

2) Single testing
• Testing amount: It is determined according to the size of the random number taken each time in actual application, but the length shall not be lower than 128 bits. Meanwhile the unused sequence that has passed the testing can continue to be used;
• Testing item: Poker testing; when the sample length is less than 320 bits, the parameter m = 2;
• Testing pass criteria: If the test criteria are not met during the test, an alarm is raised that the test is unqualified. It is allowed to repeat the random number collection and testing once. If the repeated testing is still unqualified, it is determined that the random number generator of the product is invalid.

6.10 Testing of device’s application interface

The application programming interface of the cryptographic server shall follow GM/T 0018.

For a correct calling environment and calling process of the cryptographic server, the API function shall return the correct result and complete the corresponding function. For a deliberately incorrect calling environment or calling process, the API function shall return the corresponding error code.

The API interface testing of the cryptographic server shall include the following six categories:
a) Function of device management;
b) Function of key management;
c) Function of symmetric algorithm operation;
d) Function of asymmetric algorithm operation;
e) Function of hash operation;
f) Function of user file operation.

6.11 Testing of device’s remote management interface

The cryptographic server shall support the device’s remote management function.
If this function is supported, the remote management interface of the cryptographic server shall follow GM/T 0030-2014.

prevent malicious personnel from unauthorized logging in, thereby protecting the security of the cryptographic server.

A private key stored inside the cryptographic server can only be used when holding the correct access control code of the private key.

Calls to the cryptographic server’s functions and the remote management of the cryptographic server shall use IP packet-based authorized access control technology: only a host that has an authorized IP address can normally call the device function or remotely manage the device. A host that does not have an authorized IP cannot call the device function or remotely manage the device.

6.13 Testing of device logging

The cryptographic server shall provide logging, viewing, export functions.

The log content of the cryptographic server shall include:
a) Administrator’s operation, including login authentication, system configuration, key management, etc.;
b) Abnormal events, including records of abnormal events such as authentication failures and illegal access.

The log content of the cryptographic server should include:
a) If connected to the device’s management center, record the corresponding operations;
b) Log the calls related to key management in the application interface.

6.14 Testing of device performance

The cryptographic operations of the cryptographic server shall meet certain performance indicators.

The performance testing of the cryptographic server shall include nine aspects: generation of random number of cryptographic server, generation of symmetric key of cryptographic server, generation of asymmetric key of cryptographic server, encryption and decryption performance of cryptographic server’s SM1 algorithm, encryption and decryption performance of cryptographic server’s SM2 algorithm, signature/verification performance of cryptographic server’s SM2 algorithm, operation performance of cryptographic server’s SM3 algorithm, encryption and decryption performance of cryptographic server’s SM4 algorithm, concurrent performance of the cryptographic server.

Each performance of the cryptographic server shall be tested multiple times.

Take the completion time T (s). The performance index formula is: S = 8LN/(1024 × 1024 × T); the unit is Mbps;
h) The testing of encryption and decryption performance of cryptographic server’s SM4 algorithm: send a data message of length L (byte) to the cryptographic server for encryption/decryption; repeat the operation N times; calculate the completion time T (s). The performance of the various working modes supported by the SM4 algorithm needs to be tested separately. The performance index formula is: S = 8LN/(1024 × 1024 × T); the unit is Mbps;
i) The testing of concurrent performance of the cryptographic server: including two indicators, the number of new connections established per second and the maximum number of concurrent connections. In the testing platform, simulate multiple client behaviors; establish TCP connections with the cryptographic server in parallel; repeat this process for a period of time; take the average of the number of connections established per second as the test result of the number of new connections per second, the unit is (pieces/s).
In the testing platform, simulate multiple client behaviors; establish TCP connections with the cryptographic server in parallel; then continuously add clients; repeat the process until the connection can no longer be established and maintained. The number of TCP connections that have been accessed is the test result, the unit is piece.

6.15 Testing of device’s network adaptability

The cryptographic server shall have good adaptability and scalability to the service mode of the user. It shall meet the application requirements of at least three modes, including:
a) The cryptographic server shall be able to connect directly to the host;
b) The cryptographic server shall be able to connect to multiple hosts at the same time through the switch;
c) The cryptographic server shall be able to connect to the hosts of different networks.

6.16 Testing of device security

The testing of security of the cryptographic server complies with GM/T 0039.

......
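
The single testing rule of 6.9 (poker test with m = 2, at least 128 bits, one repeated collection allowed), as an added example that is not part of the standard. The statistic and chi-square P-value follow the usual poker-test definition; the significance level 0.01, the function names and the sample bit strings are assumptions made here.

```python
import math
import secrets

ALPHA = 0.01  # assumed significance level; the excerpt does not state one

def poker_p_value(bits: str) -> float:
    """P-value of the poker test with m = 2 over a string of '0'/'1' characters."""
    if len(bits) < 128:
        raise ValueError("single testing needs at least 128 bits")
    blocks = len(bits) // 2               # a trailing odd bit is dropped
    counts = [0, 0, 0, 0]                 # occurrences of 00, 01, 10, 11
    for i in range(blocks):
        counts[int(bits[2 * i:2 * i + 2], 2)] += 1
    v = 4 / blocks * sum(c * c for c in counts) - blocks
    x = max(v, 0.0) / 2
    # Upper tail of chi-square with 2^m - 1 = 3 degrees of freedom, closed form.
    return math.erfc(math.sqrt(x)) + 2 * math.sqrt(x / math.pi) * math.exp(-x)

def single_test(collect, nbits: int = 128):
    """Collect and test; one repeat is allowed before the generator is declared invalid.

    Returns (passed, attempts, sample); a passed sample may go on to be used.
    """
    for attempt in (1, 2):
        sample = collect(nbits)
        if poker_p_value(sample) >= ALPHA:
            return True, attempt, sample
    return False, 2, None

def os_random_bits(nbits: int) -> str:
    """Stand-in collector for the demo; a real test reads the device's generator."""
    return format(secrets.randbits(nbits), f"0{nbits}b")

# Constructed samples: perfectly balanced 2-bit blocks, and a source stuck on "01".
BALANCED = "00011011" * 16
STUCK = "01" * 64

if __name__ == "__main__":
    print("balanced P-value:", poker_p_value(BALANCED))
    print("stuck P-value:", poker_p_value(STUCK))
    print("stuck source:", single_test(lambda n: STUCK))
    print("OS random source passed:", single_test(os_random_bits)[0])
```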
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.