ProHoster > Блог > xov xwm hauv internet > Thawj qhov kev tso tawm ntawm TLS 1.3 protocol kev siv hauv Java nrog GOST algorithms raws li RFC 9367

Thawj qhov kev tso tawm ntawm TLS 1.3 protocol kev siv hauv Java nrog GOST algorithms raws li RFC 9367

Module crypto-gost-tls13 muaj cov kev siv TLS 1.3 (RFC 8446 + RFC 9367) nrog GOST cryptography. Qhov kev tso tawm no yog thawj version ntawm lub tsev qiv ntawv thiab npaj txhij rau kev siv sab hauv.

Ib qho tshwj xeeb ntawm lub tsev qiv ntawv yog nws txoj kev siv Java ntshiab. Txhua txoj haujlwm cryptographic yog ua tiav los ntawm kev siv cov cuab yeej ua hauv tsev qiv ntawv, tsis muaj kev vam khom sab nraud.

Qhov no yog ib qho ntawm thawj qhov kev siv qhib ntawm TLS 1.3 nrog GOST hauv Java, yog li kev sim interop tau ua tiav rau qhov tsawg kawg nkaus li ua tau.

Hauv qab no yog cov peev xwm ntawm lub tsev qiv ntawv.

  1. Cov Txheej Txheem:
  • Kev sib tuav tes: puv (tus neeg siv khoom/tus neeg rau zaub mov), luv (PSK), sib koom tes (mTLS).
  • ALPN (RFC 7301) - Kev Sib Tham Txog Txheej Txheem Daim Ntawv Thov (HTTP/2, HTTP/1.1).
  • SNI (RFC 6066) - Kev Qhia Npe neeg rau zaub mov rau kev xa tawm ntau tus neeg xauj tsev.
  • KeyUpdate (RFC 8446 §4.6.3) - hloov kho cov yuam sij encryption tsheb khiav.
  • Cipher suites: TLS_KUZNYECHIK_MGM_STREEBOG_256_L/S.
  • ECDHE: CryptoPro-A (256-ntsis), CryptoPro-B (512-ntsis)
  • Kev rov ua dua TLSTREE rau ib daim ntawv - hloov tus yuam sij encryption rau txhua daim ntawv TLS.
  • Kev faib ua feem thiab rov sib sau ua ke ntawm kev sib tuav tes thiab cov ntaub ntawv (RFC 8446 §5.1).
  • Rov pib dua kev sib tham: PSK ntawm NewSessionTicket (PskStore hauv-nco, siv ib zaug xwb).
  • OCSP stapling: neeg rau zaub mov ntxiv cov lus teb OCSP rau daim ntawv pov thawj.
  • Cov lus tom qab sib tuav tes: NewSessionTicket (txuag rau PSK).
  1. Kev sau ntawv zais cia:
  • Lub sijhawm tseem ceeb: HKDF-Streebog (RFC 5869) hla TLS 1.3 (RFC 8446 §7.1).
  • Kev tiv thaiv cov ntaub ntawv: MGM-AEAD (Kuznyechik) nrog nonce raws li RFC 8446 §5.3.
  • Cov yuam sij ib ntus raug rho tawm tom qab siv.
  1. Daim ntawv pov thawj:
  • X.509v3 kev txheeb xyuas (GOST R 34.10-2012) — tus neeg txheeb xyuas DER uas ua tiav.
  • Cov saw hlau lees paub: kos npe, DN (tus muab → lub ntsiab lus), Cov Kev Txwv Tseem Ceeb, Kev Siv Tus yuam sij, Kev Siv Tus yuam sij txuas ntxiv * (serverAuth / clientAuth), pathLen.
  • Kev kuaj xyuas lub npe ntawm tus tswv tsev: dNSName + iPAddress (RFC 6125).
  • Kev txheeb xyuas cov lus teb ntawm OCSP (RFC 6960).

4.Thauj:

  • TlsTransport - interface.
  • InMemoryTlsTransport - rau kev sim thiab cov xwm txheej ib zaug xwb (hauv kab cim xeeb).
  • SocketTlsTransport — thaiv I/O hla java.net.Socket.
  • ChannelTlsTransport - NIO SocketChannel-raws li kev thauj mus los (hom thaiv, cuam tshuam tau).
  1. Cov kauj ruam ntawm kev sib tuav tes:
  • TlsHandshakeEngine yog lub tshuab xeev rau kev sib tuav tes (tsis koom nrog I/O). Nws siv TlsSession ua tus orchestrator thiab tsim nyog rau kev koom ua ke nrog JSSE (SSLEngine).
  1. ByteBuffer API:
  • TlsRecord.protect/unprotect — ByteBuffer overloads rau kev koom ua ke xoom-copy nrog NIO. Loading keys:
  • Pkcs12Loader — nyeem PFX (PKCS#12) nrog PBKDF2-HMAC-SHA256 + AES-256-CBC.
  1. Xaus ntawm kev sib tham:
  • close_notify - kaw kom raug raws li cov txheej txheem.
  • So cov khoom tseem ceeb thaum kaw lossis ua yuam kev.
  • Kev ceeb toom txog kev tuav pov hwm: ua rau tuag taus - kaw tam sim ntawd + rho tawm.
  1. Kev ruaj ntseg ntawm kev siv:
  • Kev sib piv tas li rau cov ntaub ntawv pov thawj thiab PSK binders (kev tiv thaiv kev tawm tsam lub sijhawm)
  • So cov khoom tseem ceeb: rhuav tshem () ntawm txhua yam khoom nrog cov yuam sij (TlsKeySchedule, TlsTrafficKeys, TlsRecord, HandshakeContext), thaum kaw, ceeb toom txog kev tuag taus, kev zam hauv kev sib tuav tes
  • Kev tiv thaiv DoS: kev txwv rau qhov ntev ntawm daim ntawv pov thawj (10), cov lus tom qab sib tuav tes, qhov loj ntawm cov ntaub ntawv.
  • MGM nonce: MSB ntawm thawj byte raug tshem tawm rau ICN (RFC 9058 §3, RFC 9367 §3.3).
  • Tus yuam sij ntiag tug ECDHE thiab cov ntaub ntawv sau txog kev sib tuav tes raug rhuav tshem tom qab kev sib tuav tes tiav.
  • Cov khoom siv tseem ceeb HMAC raug rho tawm tom qab siv (HkdfStreebog, KdfGostR3411_2012_256).
  1. Cov kev txwv:
  • Tsuas yog rov pib dua PSK xwb (0-RTT thiab PSK sab nraud tsis txhawb nqa).
  • Tsuas yog psk_dhe_ke xwb (PSK ntshiab uas tsis muaj ECDHE tsis raug txhawb nqa).
  • Tsis txhawb nqa HelloRetryRequest (RFC 8446 §4.1.4) - tsuas yog siv ib pawg neeg uas muaj npe xwb (GC256A los ntawm lub neej ntawd).
  • Tsuas yog GOST xwb (tsis txhawb nqa cov ntaub ntawv cipher uas tsis yog GOST).
  1. Kev kuaj:
  • Lub tsev qiv ntawv muaj cov Kev Xeem Lus Teb Paub los ntawm RFC 9367 Appendix A.1 (L thiab S variants) - lub sijhawm tseem ceeb tag nrho, TLSTREE, AEAD, thiab ECDHE. Nws kuj dhau tag nrho cov kev xeem KAT.
  • 4 qhov kev sim kev koom ua ke (tus kheej-interop) ntawm cov qhov (sockets) TCP tiag tiag.
  • Kev ntsuam xyuas Fuzz rau cov parsers: TlsMessageParser (8 txoj kev), TlsDerParser (3 txoj kev), TlsOcspVerifier (1 txoj kev), kom ntseeg tau tias muaj kev ruaj ntseg thiab txo qhov kev tawm tsam ntawm cov parsers.
  1. Kev daws teeb meem ntawm kev tsim vaj tsev:
  • TlsHandshakeEngine - lub tshuab xeev raug txiav tawm ntawm I/O (rau JSSE module yav tom ntej).
  • ByteBuffer overloads ntawm TlsRecord.protect/unprotect rau NIO/JSSE.
  • TLSTREE cache (TlsTreeCache) - rov suav dua ntawm cov theem hloov pauv xwb (RFC 9367).
  • InMemoryTlsTransport.Pair yog ib khub ob txoj kev rau kev sim thiab kev sib txuas lus ib zaug xwb.

Lub tsev qiv ntawv tau muab faib raws li daim ntawv tso cai pub dawb.

Tau qhov twg los: linux.org.ru ua

Yuav txhim khu kev qha hosting rau cov chaw nrog DDoS tiv thaiv, VPS VDS servers 🔥 Yuav lub vev xaib hosting txhim khu kev qha nrog kev tiv thaiv DDoS, VPS VDS servers | ProHoster