GM/T 0025-2023 SSL VPN 网关产品规范

ICS35.030

CCSL80

中华人民共和国密码行业标准

GM/T0025—2023

代替GM/T0025—2014

SSLVPN网关产品规范

SSLVPNgatewayproductspecification

2023⁃12⁃04发布2024⁃06⁃01实施

国家密码管理局发布

GM/T0025—2023

目次

前言··························································································································Ⅲ

1范围·······················································································································1

2规范性引用文件········································································································1

3术语和定义··············································································································1

4缩略语····················································································································1

5密码算法和密钥种类··································································································2

5.1算法要求···········································································································2

5.2密钥种类···········································································································2

6SSLVPN网关产品要求·····························································································2

6.1产品功能要求·····································································································2

6.2产品性能参数·····································································································4

6.3产品安全性要求··································································································4

6.4产品管理要求·····································································································5

6.5产品硬件要求·····································································································7

6.6过程保护········································································································7

6.7参数可配置能力要求····························································································7

7SSLVPN网关产品检测要求·······················································································7

7.1检测说明···········································································································7

7.2外观和结构的检查·······························································································8

7.3提交文档的检查··································································································8

7.4产品功能检测·····································································································8

7.5产品性能检测·····································································································9

7.6安全管理检测·····································································································9

7.7硬件检测··········································································································11

8判定规则···············································································································11

Ⅰ

GM/T0025—2023

前言

本文件按照GB/T1.1—2020《标准化工作导则第1部分：标准化文件的结构和起草规则》的规

定起草。

本文件代替GM/T0025—2014《SSLVPN网关产品规范》，与GM/T0025—2014相比，除结构调

整和编辑性改动外，主要技术变化如下：

a）增加了GB/T25069（见第2章）、GM/T0016（见6.3.1）、GM/T0028（见6.3.2.2，6.3.2.3和

6.3.2.4）、GM/T0050（见6.4.1）、GM/T0062（见6.4.2.3.3）和GM/Z4001（见第2章），删除

了GB/T17964和GM/T0014（见2014年版的第2章）；

b）删除了术语“密码算法”（见2014年版的3.1.1）、“密码杂凑算法”（见2014年版的3.1.2）、“非

对称密码算法/公钥密码算法”（见2014年版的3.1.3）、“对称密码算法”（见2014年版的

3.1.4）、“分组密码算法”（见2014年版的3.1.5）、“密文分组链接工作模式”（见2014年版的

3.1.6）、“初始化向量/值”（见2014年版的3.1.7）、“数字证书”（见2014年版的3.1.8）、“SSL

协议”（见2014年版的3.1.9）、“虚拟专用网络”（见2014年版的3.1.10）和“SM2算法”（见

2014年版的3.1.11）；

c）增加了缩略语“GCM”和“TLCP”（见第4章）；

d）增加了GCM模式（见5.1）；

e）增加了对随机数生成的描述（见6.1.1）；

f）更改了产品性能参数要求的描述（见6.2，2014年版的5.2）；

g）更改了密钥安全的描述（见6.3.1，2014年版的5.3.1）；

h）增加了敏感参数配置安全（见6.3.2.2）；

i）增加了应符合GM/T0028对硬件模块物理安全规定的描述（见6.3.2.3）；

j）增加了应符合GM/T0028对软件/固件安全的规定和软件升级相关要求的描述（见

6.3.2.4）；

k）增加了远程管理（见6.4.1）；

l）增加了一些管理员口令量化的指标（见6.4.2.2）；

m）增加了设备管理中注册和监控（6.4.2.3.2）；

n）更改了“随机数发生器”的要求（见6.5.3，2014年版的5.4.4.3）；

o）更改了“加密部件”的描述（6.5.2，2014年版的5.4.4.2）；

p）增加了“检测说明”“外观和结构检查”和“提交文档的检查”（见7.1，7.2和7.3）；

q）增加了安全管理检测的检测方法的描述（见7.6）；

r）增加了敏感参数配置安全检测的描述（见7.6.1.3）；

s）增加了远程管理检测的描述（见7.6.2.4）；

t）增加了硬件要求的检测方法的描述（见7.7）；

u)更改了判定规则（见第8章，2014年版的第7章）。

请注意本文件的某些内容可能涉及专利。本文件的发布机构不承担识别专利的责任。

本文件由密码行业标准化技术委员会提出并归口。

本文件起草单位：格尔软件股份有限公司、无锡江南信息安全工程技术中心、山东得安信息技术有

限公司、北京信安世纪科技股份有限公司、飞天诚信股份有限公司、广东省电子商务认证有限公司、北

京国脉信安科技有限公司、中电信量子信息科技集团有限公司、山东渔翁信息技术股份有限公司、天融

Ⅲ

GM/T0025—2023

信科技集团股份有限公司、上海数字证书认证中心有限公司、智巡密码（上海）检测技术有限公司、山东

大学、兴唐通信科技有限公司、中电科网络安全科技股份有限公司、北京数字认证股份有限公司。

本文件主要起草人：郑强、谭武征、孔凡玉、胡金山、李元正、汪宗斌、朱鹏飞、梁宁宁、药乐、王鹏、

罗俊、安高峰、刘承、韩玮、李述胜、王丽娜、邱媛、韩琳、董明富。

本文件所代替文件的历次版本发布情况为：

——2014年首次发布为GM/T0025—2014；

——本次为第一次修订。

Ⅳ

GM/T0025—2023

SSLVPN网关产品规范

1范围

本文件规定了SSLVPN网关产品的功能要求、硬件要求、软件要求、安全性要求和检测要求。

本文件适用于SSLVPN网关产品的研发、检测和管理。

2规范性引用文件

下列文件中的内容通过文中的规范性引用而构成本文件必不可少的条款。其中，注日期的引用文

件，仅该日期对应的版本适用于本文件；不注日期的引用文件，其最新版本（包括所有的修改单）适用于

本文件。

GB/T9813.3计算机通用规范第3部分：服务器

GB/T15153.1远动设备及系统第2部分：工作条件第1篇：电源和电磁兼容性

GB/T25069信息安全技术术语

GM/T0005随机性检测规范

GM/T0015基于SM2密码算法的数字证书格式规范

GM/T0016智能密码钥匙密码应用接口规范

GM/T0024SSLVPN技术规范

GM/T0028密码模块安全技术要求

GM/T0050密码设备管理设备管理技术规范

GM/T0062密码产品随机数检测要求

GM/Z4001密码术语

3术语和定义

GB/T25069和GM/Z4001界定的术语和定义适用于本文件。

4缩略语

下列缩略语适用于本文件。

CBC：密码分组链接（CipherBlockChaining）

GCM：Galois计数器模式（GaloisCounterMode）

SSL：安全套接层协议（SecureSocketsLayer)

TLCP：传输层密码协议（TransportLayerCryptographyProtocol）

VPN：虚拟专用网络（VirtualPrivateNetwork）

1