First release of a TLS 1.3 implementation in Java with GOST algorithms according to RFC 9367

The crypto-gost-tls13 library provides an implementation of TLS 1.3 (RFC 8446 + RFC 9367) using GOST cryptography. This release is the first version of the library and is ready for internal use.

A distinguishing feature of the library is that it is implemented in pure Java. All cryptographic operations are performed by primitives built into the library, with no external dependencies.

This is one of the first implementations of TLS 1.3 with GOST in Java, so interoperability testing has been carried out only to the minimal extent possible.

The library's capabilities are listed below.

  1. Protocol:
  • Handshake: full (client/server), abbreviated (PSK), mutual (mTLS).
  • ALPN (RFC 7301) - Application-Layer Protocol Negotiation (HTTP/2, HTTP/1.1).
  • SNI (RFC 6066) - Server Name Indication for multi-tenant deployments.
  • KeyUpdate (RFC 8446 §4.6.3) – updating the traffic keys.
  • Cipher suites: TLS_KUZNYECHIK_MGM_STREEBOG_256_L/S.
  • ECDHE: CryptoPro-A (256-bit), CryptoPro-B (512-bit).
  • Per-record TLSTREE keys - the encryption key is changed for each TLS record.
  • Fragmentation and reassembly of handshake messages across records (RFC 8446 §5.1).
  • Session resumption: PSK via NewSessionTicket (stored in PskStore, single-use).
  • OCSP stapling: the server attaches an OCSP response to the certificate.
  • Post-handshake messages: NewSessionTicket (stored for PSK).
  2. Cryptography:
  • Key schedule: HKDF-Streebog (RFC 5869) over TLS 1.3 (RFC 8446 §7.1).
  • Record protection: MGM-AEAD (Kuznyechik) with the nonce formed as specified in RFC 8446 §5.3.
  • Ephemeral keys are wiped after use.
  3. Certificates:
  • X.509v3 parsing (GOST R 34.10-2012) — built-in DER parser.
  • Chain validation: signatures, DN (issuer → subject), Basic Constraints, Key Usage, Extended Key Usage (serverAuth / clientAuth), pathLen.
  • Hostname verification: dNSName + iPAddress (RFC 6125).
  • Validation of OCSP responses (RFC 6960).

  4. Transport:
  • TlsTransport - the interface.
  • InMemoryTlsTransport - for tests and single-process scenarios (thread-safe).
  • SocketTlsTransport — blocking I/O via java.net.Socket.
  • ChannelTlsTransport - transport based on NIO SocketChannel (blocking mode, interruptible).
  5. Step-by-step handshake:
  • TlsHandshakeEngine is a state machine for the handshake (decoupled from I/O). It uses TlsSession as the orchestrator and is suitable for integration with JSSE (SSLEngine).
  6. ByteBuffer API:
  • TlsRecord.protect/unprotect — ByteBuffer overloads for zero-copy integration with NIO.
  7. Key loading:
  • Pkcs12Loader — reads PFX (PKCS#12) with PBKDF2-HMAC-SHA256 + AES-256-CBC.
  8. Session termination:
  • close_notify - orderly closure as the protocol requires.
  • Key material is wiped on close or on error.
  • Alert handling: fatal - immediate close + wipe.
  9. Implementation security:
  • Constant-time comparison for verify_data and PSK binders (protection against timing attacks).
  • Key material wiping: destroy() on every object that holds keys (TlsKeySchedule, TlsTrafficKeys, TlsRecord, HandshakeContext), invoked on close, on a fatal alert, and on an exception during the handshake.
  • DoS protection: limits on certificate chain length (10), post-handshake messages, and record size.
  • MGM nonce: the MSB of the first byte is cleared for the ICN (RFC 9058 §3, RFC 9367 §3.3).
  • The ECDHE private key and the handshake transcript are destroyed once the handshake completes.
  • HMAC key material is wiped after use (HkdfStreebog, KdfGostR3411_2012_256).
  10. Limitations:
  • PSK for session resumption only (0-RTT and external PSK are not supported).
  • psk_dhe_ke only (pure PSK without ECDHE is not supported).
  • HelloRetryRequest (RFC 8446 §4.1.4) is not supported - only a single named group is used (GC256A by default).
  • GOST only (non-GOST cipher suites are not supported).
  11. Testing:
  • The library includes known-answer tests from RFC 9367 Appendix A.1 (L and S variants)—the full key schedule, TLSTREE, AEAD, and ECDHE. It passes all KAT tests.
  • Four integration tests (the library connecting to itself) over real TCP sockets.
  • Fuzz tests for the parsers: TlsMessageParser (8 methods), TlsDerParser (3 methods), TlsOcspVerifier (1 method), to ensure safety and reduce the attack vectors in the parsers.
  12. Architectural decisions:
  • TlsHandshakeEngine - a state machine decoupled from I/O (for a future JSSE module).
  • ByteBuffer overloads of TlsRecord.protect/unprotect for NIO/JSSE.
  • TLSTREE cache (TlsTreeCache) - recomputes only the levels that changed (RFC 9367).
  • InMemoryTlsTransport.Pair is a duplex pair for tests and in-process communication.

The library is distributed under a free license.
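
As an added illustration of three items from the implementation security list (MGM nonce handling, constant-time comparison, key wiping), the following Java sketch is not code from crypto-gost-tls13. The class and method names, the 16-byte IV length and the sample values are assumptions.

```java
import java.security.MessageDigest;
import java.util.Arrays;

// Added sketch: class, method names and sample values are hypothetical,
// not the crypto-gost-tls13 API.
final class RecordSecuritySketch {

    // RFC 8446 §5.3: left-pad the 64-bit sequence number to the IV length and
    // XOR it into the write IV. MGM (RFC 9058) takes an (n-1)-bit nonce, so the
    // top bit of byte 0 is forced to 0. With a 16-byte IV (assumed here) the
    // sequence number only touches the last 8 bytes, so masking before or
    // after the XOR gives the same nonce.
    static byte[] perRecordNonce(byte[] writeIv, long seq) {
        if (writeIv.length != 16) throw new IllegalArgumentException("expected 16-byte IV");
        byte[] nonce = writeIv.clone();
        for (int i = 0; i < 8; i++) {
            nonce[nonce.length - 1 - i] ^= (byte) (seq >>> (8 * i));
        }
        nonce[0] &= 0x7F;
        return nonce;
    }

    // Constant-time check of a received verify_data (or PSK binder):
    // MessageDigest.isEqual does not stop at the first mismatching byte.
    static boolean verifyDataMatches(byte[] expected, byte[] received) {
        return MessageDigest.isEqual(expected, received);
    }

    // Overwrite key material so it does not linger on the heap after use.
    static void wipe(byte[]... secrets) {
        for (byte[] s : secrets) Arrays.fill(s, (byte) 0);
    }

    public static void main(String[] args) {
        byte[] writeIv = new byte[16];          // constructed sample IV, all 0xFF
        Arrays.fill(writeIv, (byte) 0xFF);
        byte[] n0 = perRecordNonce(writeIv, 0);
        byte[] n1 = perRecordNonce(writeIv, 1);
        System.out.println("MSB clear: " + ((n0[0] & 0x80) == 0 && (n1[0] & 0x80) == 0));
        System.out.println("distinct per record: " + !Arrays.equals(n0, n1));

        byte[] expected = {1, 2, 3, 4};         // constructed verify_data values
        byte[] forged = {1, 2, 3, 5};
        System.out.println("forged accepted: " + verifyDataMatches(expected, forged));

        wipe(writeIv, n0, n1, expected, forged);
        System.out.println("IV wiped: " + Arrays.equals(writeIv, new byte[16]));
    }
}
```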

Source: linux.org.ru
