GM/T 0116-2021: Testing and Evaluation Process Guide for Information System Cryptography Application
CRYPTOGRAPHY INDUSTRY STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
CCS L 80
ISSUED ON: OCTOBER 19, 2021
IMPLEMENTED ON: MAY 1, 2022
Issued by: State Cryptography Administration
Table of Contents
Foreword
1 Scope
2 Normative References
3 Terms and Definitions
4 Overview
4.1 Basic Principles
4.2 Risk Identification of Testing and Evaluation
4.3 Avoidance of Testing and Evaluation Risks
4.4 Testing and Evaluation Process
5 Testing and Evaluation Preparation Activities
5.1 Workflow of Testing and Evaluation Preparation Activities
5.2 Main Tasks of Testing and Evaluation Preparation Activities
5.3 Output Documents of Testing and Evaluation Preparation Activities
6 Scheme Preparation Activities
6.1 Workflow of Scheme Preparation Activities
6.2 Main Tasks of Scheme Preparation Activities
6.3 Output Documents of Scheme Preparation Activities
7 On-site Testing and Evaluation Activities
7.1 Workflow of On-site Testing and Evaluation Activities
7.2 Main Tasks of On-site Testing and Evaluation Activities
7.3 Output Documents of On-site Testing and Evaluation Activities
8 Analysis and Report Preparation Activities
8.1 Workflow of Analysis and Report Preparation Activities
8.2 Main Tasks of Analysis and Report Preparation Activities
8.3 Output Documents of Analysis and Report Preparation Activities
1 Scope
This document specifies the testing and evaluation process for cryptography application in information systems and standardizes the testing and evaluation activities and their work tasks.
This document is applicable to commercial cryptography application security evaluation institutions and to the organizations responsible for information systems when they carry out cryptography application security evaluation work.
2 Normative References
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including all amendments) applies.
GB/T 25069-2010 Information Security Technology - Glossary
GM/T 0115 Testing and Evaluation Requirements for Information System Cryptography
Application
GM/Z 4001 Cryptology Terminology
3 Terms and Definitions
The terms and definitions given in GB/T 25069-2010 and GM/Z 4001, together with the following, apply to this document.
3.1 testing and evaluation agency
The subject that conducts cryptography application security evaluation (referred to as
“cryptography evaluation”) on information systems.
NOTE: specifically, it can be a commercial cryptography application security evaluation institution
or information system responsible organization.
3.2 agency under testing and evaluation
Information system responsible organization.
3.3 commercial cryptography application security evaluation staff
Personnel engaged in testing and evaluation activities in the testing and evaluation agency.
NOTE: referred to as “cryptography evaluation staff”.
4 Overview
4.1 Basic Principles
When conducting cryptography application security evaluation on an information system, the
testing and evaluation agency shall follow the following principles.
a) Principle of objectivity and impartiality
During implementation of the testing and evaluation, the testing and evaluation agency shall ensure that the activities are carried out in accordance with the cryptography evaluation scheme agreed upon jointly with the agency under testing and evaluation, on the basis of clearly defined testing and evaluation methods and explanations, in compliance with the requirements of the national cryptography management department, and with minimal subjective judgment.
b) Principle of reusability
The testing and evaluation work may reuse existing testing and evaluation results, including commercial cryptography testing and certification results and the results of earlier cryptography application security evaluations. Any such reuse shall be on the premise that the existing results still apply to the information system currently under test and objectively reflect its current security status.
c) Principle of repeatability and reproducibility
Under the same requirements, using the same testing and evaluation method and in the same environment, different cryptography evaluation staff shall obtain the same results when repeatedly executing each testing and evaluation implementation step. The difference between repeatability and reproducibility is that the former concerns the consistency of results obtained by the same cryptography evaluation staff, while the latter concerns the consistency of results obtained by different cryptography evaluation staff.
d) Principle of result perfection
Based on a correct understanding of each requirement of GM/T 0115, the results generated by testing and evaluation shall objectively reflect the current status of cryptography application in the information system. The testing and evaluation process and its results shall rest on correct testing and evaluation methods so that the requirements are satisfied.
4.2 Risk Identification of Testing and Evaluation
The execution of the testing and evaluation work may bring certain risks to the information
system under test. The testing and evaluation agency shall identify risks in a timely manner
before the start of testing and evaluation and during the testing and evaluation process. During
the testing and evaluation process, the risks mainly include the following aspects.
a) Verification tests may affect the normal operation of the information system under test
During on-site testing and evaluation, certain verification tests need to be carried out on the equipment and systems. Some test content requires inspecting information on the computers concerned, which may have an unexpected impact on the operation of the information system under test.
b) Tool tests may affect the normal operation of the information system under test
During on-site testing and evaluation, testing and evaluation tools may be used as actual demands require. Use of these tools may generate redundant data writes and add load to the system, which in turn may affect or even damage the servers and network communication of the information system under test.
c) Possible leakage of sensitive information of the information system under test
During the testing and evaluation process, sensitive information of the information system under test may be leaked, such as encryption mechanisms, operational processes, security mechanisms and related documentation.
d) Other possible risks
During the testing and evaluation process, risks may also arise that affect the
ava...