GM/T 0025-2014 (GM/T0025-2014, GMT 0025-2014, GMT0025-2014)
Standard ID | Contents [version] | USD | STEP2 | [PDF] delivered in | Standard Title (Description) | Status | PDF |
GM/T 0025-2023 | English | RFQ |
ASK
|
3 days [Need to translate]
|
(SSL VPN Gateway Product Specifications)
| Valid |
GM/T 0025-2023
|
GM/T 0025-2014 | English | 150 |
Add to Cart
|
0--9 seconds. Auto-delivery
|
SSL VPN gateway product specification
| Valid |
GM/T 0025-2014
|
Preview PDF: GM/T 0025-2014 Standards related to: GM/T 0025-2014
Standard ID | GM/T 0025-2014 (GM/T0025-2014) | Description (Translated English) | SSL VPN gateway product specification | Sector / Industry | Chinese Industry Standard (Recommended) | Classification of Chinese Standard | L80 | Classification of International Standard | 35.040 | Word Count Estimation | 16,122 | Date of Issue | 2014/2/13 | Date of Implementation | 2014/2/13 | Quoted Standard | GB/T 9813-2000; GB/T 15153.1-1998; GB/T 17964; GM/T 0005; GM/T 0014; GM/T 0015; GM/T 0024 | Drafting Organization | Shanghai Koal Software Co. | Administrative Organization | Password Industry Standardization Technical Committee | Regulation (derived from) | The industry standard for the record Notice 2014 No. 4 (No. 172 overall) | Summary | This standard specifies the SSL VPN gateway product functional requirements, hardware requirements, software requirements, safety requirements and testing requirements and other relevant content. This standard applies to the development, testing, use and |
GM/T 0025-2014
GM
CRYPTOGRAPHIC INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Reference No.. 44626-2014
SSL VPN gateway product specification
ISSUED ON. FEBRUARY 13, 2014
IMPLEMENTED ON. FEBRUARY 13, 2014
Issued by. State Cryptography Administration
Table of Contents
Foreword ... 3
Introduction ... 4
1 Scope ... 5
2 Normative references ... 5
3 Terms, definitions and abbreviations ... 5
4 Cryptographic algorithm and key type ... 7
5 SSL VPN gateway products requirements ... 9
6 SSL VPN gateway product inspection ... 17
7 Qualification determination... 21
Foreword
This Standard was drafted in accordance with the rules given in GB/T
1.1-2009.
Attention is drawn to the possibility that some of the elements of this Standard
may be the subject of patent rights. The issuing authority shall not be held
responsible for identifying any or all such patent rights.
This Standard was proposed by and shall be under the jurisdiction of
Cryptography Industry Standardization Technical Committee.
Main drafting organizations of this Standard. Shanghai Geer Software Co.,
Ltd., Wuxi Jiangnan Information Security Engineering Technology Center,
Shandong Dean Computer Technology Co., Ltd., Chengdu Guardian
Information Industry Co., Ltd., Shanghai Digital Certificate Certification Center
Co., Ltd., Xingtang Communication Technology Co., Ltd., Beijing Digital
Certified Co., Ltd.
Main drafters of this Standard. Tan Wuzheng, Kong Fanyu, Li Yuanzheng, Liu
Cheng, Li Shusheng, Wang Nina, Han Lin.
SSL VPN gateway product specification
1 Scope
This Standard specifies the functional requirements, hardware requirements,
software requirements, safety requirements and inspection requirements of
SSL VPN gateway products.
This Standard is applicable to guide the development, inspection, use and
management of SSL VPN gateway products.
2 Normative references
The following referenced documents are indispensable for the application of
this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including
any amendments) applies.
GB/T 9813-2000, Generic specification for microcomputers
GB/T 15153.1-1998, Telecontrol equipment and systems -- Part 2.
Operating conditions Section 1 Power supply and electromagnetic
compatibility
GB/T 17964, Information technology - Security Techniques - Modes of
operation for a block cipher
GM/T 0005, Randomness testing specification
GM/T 0014, Digital Certificate Authentication System Password Protocol
Specification
GM/T 0015, Digital certificate format specification based on SM2 kiln code
algorithm
GM/T 0024, SSL VPN technical specification
3 Terms, definitions and abbreviations
3.1 Terms and definitions
The following terms and definitions apply to this document.
3.1.1 cryptographic algorithm
calculation rules of cryptography processing
3.1.2 cryptographic hash algorithm
It is also known as hash algorithm, cryptographic hash algorithm or hash
algorithm; this algorithm maps an arbitrary long bit string to a fixed long bit
string and satisfies the following three characteristics.
(1) it is computationally difficult to find an input that can be mapped to the
output for a given output;
(2) finding another input that can be mapped to the same output for a given
input is computationally difficult;
(3) it is computationally difficult to find that different inputs mapped to the
same output.
3.1.3 asymmetric cryptographic algorithm / public key cryptographic
algorithm
cryptographic algorithm for different keys used by encryption and decryption;
one of the keys (public key) can be public, another key (private key) must be
kept secret, and the calculation for the private key by the public key is not
feasible.
3.1.4 symmetric cryptographic algorithm
cryptographic algorithm of same keys used by encryption and decryption.
3.1.5 block cipher algorithm
a class of symmetric cipher algorithm for dividing the input data into
fixed-length packets for encryption and decryption
3.1.6 cipher block chaining operation mode; CBC
a working mode of block cipher algorithm of which the characteristics is that
the current cipher text grouping is obtained by the current plaintext grouping
is grouped with the previous cipher text via XOR operation and encryption
3.1.7 initialization vector / initialization value; IV
initial data used for data transformation and introduced to increase security or
synchronize cryptographic devices during cryptography conversion
3.1.8 digital certificate
It is also known as public key certificate; a data structure containing public
key owner information, public key, issuer information, expiration date, and
extended information signed by certificate authority; it can be divided into
personal certificate, institutional certificate and equipment certificate
according to category OR signature certificate and encryption certificate
according to use
3.1.9 secure sockets layer protocol; SSL
a transport layer security protocol used to build a safe passage between
client and server
3.1.10 virtual private network; VPN
a technology of using cryptographic technique to build a safe passage in the
communication network
3.1.11 SM2 algorithm
an elliptic curve public key cryptography algorithm with a key length of 256
bits
3.2 Abbreviations
The following abbreviations apply to this document.
CBC. Cipher Block Chaining
IV. Initialization Vector
SSL. Secure Sockets Layer
VPN. Virtual Private Network
4 Cryptographic algorithm and key type
4.1 Algorithm requirements
SSL VPN uses asymmetric cryptographic algorithm, symmetric cryptographic
algorithm, cryptographic hash algorithm, random number generation
algorithm approved by state code management department. Algorithm and
use are as follows.
• asymmetric cryptographic algorithm is used for authentication, digital
signatures and digital envelopes, etc.;
• symmetric cryptographic algorithm uses block cipher algorithm used for
encryption protection of key exchange data and encryption protection of
5 SSL VPN gateway products requirements
5.1 Product functional requirements
5.1.1 Random number generation
SSL VPN gateway products shall have random number generation. The
random number should be generated by multiple hardware noise sources.
5.1.2 Work mode
SSL VPN gateway products work mode is divided into client-server mode and
gateway-gateway mode. The client-server mode is a prerequisite mode while
the gateway-gateway mode is optional.
5.1.3 Key exchange
SSL VPN gateway products shall have key exchange function to generate a
work key by negotiation.
Key exchange shall be carried out according to the requirements of GM/T
0024.
5.1.4 Secure packet transmission
SSL VPN gateway products shall have secure packet transmission function to
endure secure transmission of data.
Secure packet transmission shall be in accordance with requirements of
GM/T 0024.
5.1.5 Identification
SSL VPN gateway products shall have the function of entity authentication.
The identification method uses digital certificate. Digital certificate format shall
meet requirements of GM/T 0015. The identification of the server is a
prerequisite function, and the identification of the client is optional. It shall
support digital certificate (RSA or SM2) or supervision mechanism based on
identification algorithm. Any identification method shall ensure the
completeness and effectiveness of identification.
5.1.6 Access control
SSL VPN gateway products shall have fine-grain access control function,
based on effective control of user or user group on resources. At least the
network access should be controlled to IP addresses, ports and protocols.
The access to the web resource should be controlled at least to the URL and
5.2 Product performance parameters
5.2.1 Maximum number of concurrent users
It refers to the maximum number of simultaneously online users. This
indicator reflects the maximum number of users who can deliver the product
at the same time.
5.2.2 Maximum number of concurrent connections
It refers to the maximum number of simultaneously online SSL connections.
This indicator reflects the maximum number of SSL connections of which a
product can handle at the same time.
5.2.3 Number of new connections per second
The maximum number of SSL connections that can be created per second.
This indicator reflects the ability of the product to access new SSL
connections per second.
5.2.4 Throughput rate
In the case of packet loss rate of 0, the bidirectional data maximum flow
reached by server products on internal network port
5.3 Security requirements
5.3.1 Key security
5.3.1.1 Server end key
The server end signing key pair is generated by the SSL VPN gateway
product itself. Its public key should be exported. A signature certificate is
issued by an external certification authority.
The server encryption key pair is generated by an external key authority and
is issued by an external authentication authority...
......
|