GM/T 0115-2021 English PDF (GMT0115-2021)
GM/T 0115-2021: Testing and evaluation requirements for information system cryptography application
GM/T 0115-2021
GM
CRYPTOGRAPHY INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
CCS L 80
Testing and Evaluation Requirements for Information
System Cryptography Application
ISSUED ON: OCTOBER 19, 2021
IMPLEMENTED ON: MAY 1, 2022
Issued by: State Cryptography Administration
Table of Contents
Foreword ... 3
1 Scope ... 4
2 Normative References ... 4
3 Terms and Definitions ... 4
4 Overview ... 5
5 General Testing and Evaluation Requirements ... 8
5.1 Compliance of Cryptographic Algorithms ... 8
5.2 Compliance of Cryptographic Technology ... 8
5.3 Compliance of Cryptographic Products ... 9
5.4 Compliance of Cryptographic Services ... 10
5.5 Key Management Security ... 10
6 Testing and Evaluation Requirements for Cryptography Application Technology and
Cryptography Application Management ... 11
6.1 Physical and Environmental Security ... 11
6.2 Network and Communication Security ... 14
6.3 Equipment and Computing Security ... 19
6.4 Application and Data Security ... 24
6.5 Management Systems ... 31
6.6 Personnel Management ... 36
6.7 Construction and Operation ... 41
6.8 Emergency Response ... 45
7 Overall Testing and Evaluation Requirements ... 48
7.1 Overview ... 48
7.2 Inter-unit Testing and Evaluation ... 48
7.3 Inter-level Testing and Evaluation ... 49
8 Risk Analysis and Evaluation ... 49
9 Testing and Evaluation Conclusions ... 50
Appendix A (informative) Key Lifecycle Management Inspection Points ... 51
Appendix B (informative) Typical Cryptographic Product Application Testing and
Evaluation Technology ... 57
Appendix C (informative) Typical Cryptographic Function Testing and Evaluation
Technology ... 61
Bibliography ... 64
Testing and Evaluation Requirements for Information
System Cryptography Application
1 Scope
This document specifies the testing and evaluation requirements for the different levels of
cryptography application in information systems. From the perspectives of cryptographic
algorithm compliance, cryptographic technology compliance, cryptographic product
compliance, cryptographic service compliance and key management security, it proposes
the general testing and evaluation requirements for cryptography application from Level 1 to
Level 5. From the four technological levels of physical and environmental security of information
systems, network and communication security, equipment and computing security, and application
and data security, it proposes the testing and evaluation requirements for cryptography
application technology from Level 1 to Level 4. From the four management perspectives of
management system, personnel management, construction and operation, and emergency
response, it proposes the testing and evaluation requirements for cryptography application
management from Level 1 to Level 4. In addition, it provides the requirements for the testing and
evaluation links of overall testing and evaluation, risk analysis and evaluation, and testing
and evaluation conclusions.
This document applies to guiding and standardizing the security evaluation of commercial
cryptography application during the planning, construction and operation of information system
cryptography application.
NOTE: For Level 5 cryptography application, only the general testing and evaluation
requirements are described in this document.
2 Normative References
The contents of the following documents constitute indispensable clauses of this document
through the normative references in the text. For dated references, only the edition cited
applies to this document. For undated references, the latest edition (including all
amendments) applies to this document.
GB/T 39786-2021 Information Security Technology - Baseline for Information System
Cryptography Application
GM/Z 4001 Cryptology Terminology
3 Terms and Definitions
The terms and definitions defined in GB/T 39786-2021 and GM/Z 4001, and the following are
applicable to this document.
3.1 commercial cryptography application security evaluation staff
Personnel engaged in security evaluation of commercial cryptography application in a
commercial cryptography application security evaluation institution.
NOTE: referred to as “cryptography evaluation staff”.
3.2 examine
The process in which the cryptography evaluation staff observe, inspect and analyze the
testing and evaluation object in order to understand, clarify or obtain evidence.
4 Overview
In accordance with GB/T 39786-2021, the testing and evaluation requirements for information
system cryptography application are divided into general testing and evaluation requirements,
testing and evaluation requirements for cryptography application technology, and testing and
evaluation requirements for cryptography application management. Chapter 5 guides the
implementation of Chapter 6; its requirements are not tested and evaluated separately, nor are
they separately reflected in the unit testing and evaluation results and the overall testing
and evaluation results of the security evaluation report on cryptography application. Appendix
A is a reference for the implementation of the testing and evaluation of 5.5. Appendix B and
Appendix C respectively provide the testing and evaluation technology for typical
cryptographic product application and the testing and evaluation technology for typical
cryptographic functions, as a reference for the cryptography evaluation staff when implementing
the testing and evaluation of the cryptographic products actually used or the cryptographic
functions actually applied in an information system.
The testing and evaluation unit in this document corresponds to a relatively independent and
complete set of testing and evaluation content, consisting of testing and evaluation indicators,
testing and evaluation objects, testing and evaluation implementation and result determination.
a) Testing and evaluation indicators: derived from the requirements at all levels in GB/T
39786-2021. The security level corresponding to the indicator is indicated after each
indicator.
b) Testing and evaluation objects: objects affected by different testing and evaluation
methods in the information system cryptography application testing and evaluation
process, including related physical security facilities, communication channels,
cryptographic products, general equipment, applications, personnel and institutional
documents, etc.
c) Testing and evaluation implementation: for a certain testing and evaluation indicator,
the key points for the testing and evaluation of information system cryptography
application are specified.
d) Result determination: in accordance with the evidence obtained through testing and
evaluation implementation, determine whether the cryptography application of an
information system satisfies the method and principle requested by a certain testing
and evaluation indicator.
If a testing and evaluation unit involves two or more testing and evaluation objects, each
testing and evaluation object is separately subjected to testing and evaluation
implementation and result determination. The result of the testing and evaluation unit is
summarized from the results of the testing and evaluation implementation of all testing and
evaluation objects involved in...