GM/T 0104-2021 Specifications of cloud host cryptographic server
1 Scope
This document defines the terms related to cloud host cryptographic server and specifies the general structure, functional requirements, hardware requirements, software requirements, security requirements, test requirements and other related contents of cloud host cryptographic server.
This document is applicable to the development and use of cloud host cryptographic server, and can also be used to guide the test of cloud host cryptographic server.
2 Normative references
The following documents contain provisions which, through reference in this text, constitute provisions of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 9813.3-2017 General specification for computer - Part 3: Server
GB/T 31168-2014 Information security technology - Security capability requirements of cloud computing services
GB/T 32915-2016 Information security technology - Randomness test methods for binary sequence
GB/T 35293-2017 Information technology - Cloud computing - General technical requirements of virtual machine management
GB/T 36322-2018 Information security technology - Cryptographic device application interface specifications
GB/T 37092-2018 Information security technology - Security requirements for cryptographic modules
GB/T 36968-2018 Information security technology - IPSec VPN technical specification
GB/T 38636-2020 Information security technology - Transport layer cryptography protocol (TLCP)
GB/T 38625-2020 Information security technology - Security test requirements for cryptographic modules
GM/T 0030-2014 Cryptographic server technical specification
GM/T 0062-2018 Random number test requirements for cryptographic modules
GM/T 0088-2020 Cloud cryptographic server management interface specification
GM/Z 4001 Cryptology terminology
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GM/Z 4001 and the following apply.
3.1
cloud computing
mode of accessing an extensible and flexible physical or virtual resource pool through the network, and obtaining and managing resources on demand
3.2
cloud-hosted hardware security module(CHSM)/cloud host cryptographic server
cryptographic server that uses virtualization technology to provide cryptographic services to the application systems of multiple tenants in the form of a network in the cloud computing environment
3.3
host
physical equipment that provides operational environment and hardware resources for virtual security module. Multiple virtual security modules in the same host share cryptographic operation resources and key storage resources in the host
3.4
single root I/O virtualization; SRIOV
specification that enables single PCIE physical device under a single port to appear as multiple separate virtual PCIE equipment (VF) to the administrative procedure or guest operating system.
3.5
private key access password
password used to verify private key usage permission
3.6
virtual security module; VSM
password service instance created using virtualization technology on a cloud host cryptographic server that provides similar physical security module services
3.7
VSM data image
including the configuration, keys and sensitive information related to users in the virtual security module. The security of VSM data image is protected by encryption and signature mechanism
It is used for the virtual security module drift process.
GM/T 0104-2021 Specifications of cloud host cryptographic server
Foreword i
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Functional requirements
5.1 Equipment form
5.2 Equipment management
5.3 Cryptographic operation
5.4 Log audit
5.5 Equipment self-test
5.6 Use of equipment
5.7 Virtualization
6 Security requirements
6.1 Key management
6.2 Access control and identity authentication
6.3 Random number generation and inspection
6.4 Hardware security
6.5 Software security
6.6 Virtual machine security
6.7 Security isolation
6.8 Secure drift
6.9 Equipment state
7 Hardware requirements
7.1 External interfaces
7.2 Random number generator
7.3 Environmental adaptability
7.4 Reliability
8 Software requirements
8.1 Basic requirements
8.2 Management tools
9 Interface specification
9.1 Service interface
9.2 Management interface
10 Test requirements
10.1 Test description
10.2 Appearance and structure inspection
10.3 Inspection of submitted documents
10.4 Functional tests
10.5 Performance test
10.6 Environmental adaptability test
11 Qualification judgment
Annex A (Informative) Message syntax of CHSM Web service interface
GM/T 0104-2021 Specifications of cloud host cryptographic server
1 Scope
This document defines the terms related to cloud host cryptographic server and specifies the general structure, functional requirements, hardware requirements, software requirements, security requirements, test requirements and other related contents of cloud host cryptographic server.
This document is applicable to the development and use of cloud host cryptographic server, and can also be used to guide the test of cloud host cryptographic server.
2 Normative references
The following documents contain provisions which, through reference in this text, constitute provisions of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 9813.3-2017 General specification for computer - Part 3: Server
GB/T 31168-2014 Information security technology - Security capability requirements of cloud computing services
GB/T 32915-2016 Information security technology - Randomness test methods for binary sequence
GB/T 35293-2017 Information technology - Cloud computing - General technical requirements of virtual machine management
GB/T 36322-2018 Information security technology - Cryptographic device application interface specifications
GB/T 37092-2018 Information security technology - Security requirements for cryptographic modules
GB/T 36968-2018 Information security technology - IPSec VPN technical specification
GB/T 38636-2020 Information security technology - Transport layer cryptography protocol (TLCP)
GB/T 38625-2020 Information security technology - Security test requirements for cryptographic modules
GM/T 0030-2014 Cryptographic server technical specification
GM/T 0062-2018 Random number test requirements for cryptographic modules
GM/T 0088-2020 Cloud cryptographic server management interface specification
GM/Z 4001 Cryptology terminology
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GM/Z 4001 and the following apply.
3.1
cloud computing
mode of accessing an extensible and flexible physical or virtual resource pool through the network, and obtaining and managing resources on demand
3.2
cloud-hosted hardware security module(CHSM)/cloud host cryptographic server
cryptographic server that uses virtualization technology to provide cryptographic services to the application systems of multiple tenants in the form of a network in the cloud computing environment
3.3
host
physical equipment that provides operational environment and hardware resources for virtual security module. Multiple virtual security modules in the same host share cryptographic operation resources and key storage resources in the host
3.4
single root I/O virtualization; SRIOV
specification that enables single PCIE physical device under a single port to appear as multiple separate virtual PCIE equipment (VF) to the administrative procedure or guest operating system.
3.5
private key access password
password used to verify private key usage permission
3.6
virtual security module; VSM
password service instance created using virtualization technology on a cloud host cryptographic server that provides similar physical security module services
3.7
VSM data image
including the configuration, keys and sensitive information related to users in the virtual security module. The security of VSM data image is protected by encryption and signature mechanism
It is used for the virtual security module drift process.
Contents of GM/T 0104-2021
GM/T 0104-2021 Specifications of cloud host cryptographic server
Foreword i
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Functional requirements
5.1 Equipment form
5.2 Equipment management
5.3 Cryptographic operation
5.4 Log audit
5.5 Equipment self-test
5.6 Use of equipment
5.7 Virtualization
6 Security requirements
6.1 Key management
6.2 Access control and identity authentication
6.3 Random number generation and inspection
6.4 Hardware security
6.5 Software security
6.6 Virtual machine security
6.7 Security isolation
6.8 Secure drift
6.9 Equipment state
7 Hardware requirements
7.1 External interfaces
7.2 Random number generator
7.3 Environmental adaptability
7.4 Reliability
8 Software requirements
8.1 Basic requirements
8.2 Management tools
9 Interface specification
9.1 Service interface
9.2 Management interface
10 Test requirements
10.1 Test description
10.2 Appearance and structure inspection
10.3 Inspection of submitted documents
10.4 Functional tests
10.5 Performance test
10.6 Environmental adaptability test
11 Qualification judgment
Annex A (Informative) Message syntax of CHSM Web service interface