ProHoster > Blog > nkhani zapaintaneti > Kutulutsidwa koyamba kwa kukhazikitsa kwa protocol ya TLS 1.3 mu Java ndi ma algorithms a GOST motsatira RFC 9367

Kutulutsidwa koyamba kwa kukhazikitsa kwa protocol ya TLS 1.3 mu Java ndi ma algorithms a GOST motsatira RFC 9367

Gawo crypto-gost-tls13 muli ndi kukhazikitsa TLS 1.3 (RFC 8446 + RFC 9367) ndi GOST cryptography. Kutulutsidwa kumeneku ndi mtundu woyamba wa laibulale ndipo ndi wokonzeka kugwiritsidwa ntchito mkati.

Mbali yapadera ya laibulaleyi ndi momwe imagwirira ntchito Java yokha. Ntchito zonse za cryptographic zimachitika pogwiritsa ntchito zida zomangidwa mkati mwa laibulaleyi, popanda kudalira kwina.

Iyi ndi imodzi mwa njira zoyamba zotsegulira TLS 1.3 ndi GOST mu Java, kotero kuyesa kwa interop kwachitika pang'ono momwe zingathere.

Pansipa pali luso la laibulale.

  1. Ma protocol:
  • Kugwirana chanza: zonse (kasitomala/seva), zazifupi (PSK), zogwirizana (mTLS).
  • ALPN (RFC 7301) - Kukambirana kwa Pulogalamu ya Application Layer Protocol (HTTP/2, HTTP/1.1).
  • SNI (RFC 6066) - Chizindikiro cha Dzina Seva kwa anthu ambiri obwereka nyumba.
  • KeyUpdate (RFC 8446 §4.6.3) - kusintha makiyi obisa magalimoto.
  • Cipher suites: TLS_KUZNYECHIK_MGM_STREEBOG_256_L/S.
  • ECDHE: CryptoPro-A (256-bit), CryptoPro-B (512-bit)
  • Kulembanso TLSTREE pa record — kusintha kiyi yobisa pa record iliyonse ya TLS.
  • Kugawikana ndi kusonkhanitsanso manja ndi zolemba (RFC 8446 §5.1).
  • Kuyambiranso kwa gawo: PSK kudzera pa NewSessionTicket (PskStore mu-memory, yogwiritsidwa ntchito kamodzi).
  • Kuyika ma OCSP: Seva imawonjezera yankho la OCSP ku satifiketi.
  • Mauthenga a pambuyo pa kugwirana chanza: NewSessionTicket (sungani PSK).
  1. Kujambula Zithunzi:
  • Ndondomeko yofunika: HKDF-Streebog (RFC 5869) pa TLS 1.3 (RFC 8446 §7.1).
  • Chitetezo cha zolemba: MGM-AEAD (Kuznyechik) ndi nonce malinga ndi RFC 8446 §5.3.
  • Makiyi a nthawi yochepa amachotsedwa akagwiritsidwa ntchito.
  1. Zikalata:
  • Kusanthula kwa X.509v3 (GOST R 34.10-2012) — chowunikira cha DER chomangidwa mkati.
  • Unyolo wotsimikizira: ma siginecha, DN (wopereka → mutu), Zoletsa Zoyambira, Kugwiritsa Ntchito Kiyi, Kugwiritsa Ntchito Kiyi Yowonjezera * (serverAuth / clientAuth), pathLen.
  • Kuyang'ana dzina la Hostname: dNSName + iPAaddress (RFC 6125).
  • Kutsimikizira mayankho a OCSP (RFC 6960).

4.Mayendedwe:

  • TlsTransport - mawonekedwe.
  • InMemoryTlsTransport - ya mayeso ndi zochitika za njira imodzi (mzere wa mu-memory).
  • SocketTlsTransport — kutseka I/O kudzera pa java.net.Socket.
  • ChannelTlsTransport - NIO SocketMayendedwe otengera Channel (njira yotsekera, yosokoneza).
  1. Kugwirana chanza pang'onopang'ono:
  • TlsHandshakeEngine ndi makina ogwiritsira ntchito manja (osalumikizidwa kuchokera ku I/O). Imagwiritsa ntchito TlsSession ngati okestrator ndipo ndi yoyenera kugwirizanitsidwa ndi JSSE (SSLEngine).
  1. ByteBuffer API:
  • TlsRecord.protect/unprotect — ByteBuffer imadzaza kwambiri kuti pasakhale kulembedwa ndi NIO. Makiyi otsegula:
  • Pkcs12Loader — kuwerenga PFX (PKCS#12) ndi PBKDF2-HMAC-SHA256 + AES-256-CBC.
  1. Mapeto a gawoli:
  • close_notify - konzani kutseka motsatira ndondomeko.
  • Kupukuta mfundo zazikulu mukatseka kapena mukalakwitsa.
  • Chenjezo lothana ndi vuto: loopsa - kutseka nthawi yomweyo + kufufuta.
  1. Chitetezo cha kukhazikitsa:
  • Kuyerekeza nthawi zonse kwa verify_data ndi PSK binders (chitetezo ku ziwopsezo za nthawi)
  • Kupukuta zinthu zofunika: kuwononga () pazinthu zonse ndi makiyi (TlsKeySchedule, TlsTrafficKeys, TlsRecord, HandshakeContext), pa nthawi yotseka, chenjezo lakupha, kupatulapo kugwirana chanza
  • Chitetezo cha DoS: malire a kutalika kwa unyolo wa satifiketi (10), mauthenga atatha kugwirana chanza, kukula kwa mbiri.
  • MGM nonce: MSB ya byte yoyamba yachotsedwa ku ICN (RFC 9058 §3, RFC 9367 §3.3).
  • Kiyi yachinsinsi ya ECDHE ndi cholembedwa cha handshake zimawonongeka pambuyo poti handshake yatha.
  • Zipangizo za kiyi ya HMAC zimachotsedwa mutagwiritsa ntchito (HkdfStreebog, KdfGostR3411_2012_256).
  1. Zolepheretsa:
  • PSK yoyambiranso yokha (0-RTT ndi PSK yakunja sizikuthandizidwa).
  • Psk_dhe_ke yokha (PSK yeniyeni yopanda ECDHE siithandizidwa).
  • HelloRetryRequest (RFC 8446 §4.1.4) sichikuthandizidwa - gulu limodzi lokha lotchulidwa ndi lomwe limagwiritsidwa ntchito (GC256A mwachisawawa).
  • GOST yokha (ma suites a cipher omwe si a GOST sathandizidwa).
  1. Kuyesa:
  • Laibulale ili ndi Mayeso Odziwika a Mayankho ochokera ku RFC 9367 Appendix A.1 (zosiyanasiyana za L ndi S)—ndandanda yonse ya makiyi, TLSTREE, AEAD, ndi ECDHE. Imapambananso mayeso onse a KAT.
  • Mayeso 4 ophatikizana (odziyimira pawokha) kudzera m'ma soketi enieni a TCP.
  • Mayeso a Fuzz a owerengera: TlsMessageParser (njira 8), TlsDerParser (njira 3), TlsOcspVerifier (njira imodzi), kuti atsimikizire chitetezo ndikuchepetsa vekitala yowukira pa owerengera.
  1. Mayankho a zomangamanga:
  • TlsHandshakeEngine - makina ogwirizana omwe achotsedwa pa I/O (ya gawo la JSSE lamtsogolo).
  • ByteBuffer imadzaza kwambiri TlsRecord.protect/unprotect ya NIO/JSSE.
  • TLSTREE cache (TlsTreeCache) - kuwerengeranso kwa milingo yosinthidwa yokha (RFC 9367).
  • InMemoryTlsTransport.Pair ndi gulu lolumikizana mbali zonse ziwiri la mayeso ndi kulumikizana kwa njira imodzi.

Laibulaleyi imagawidwa pansi pa chilolezo chaulere.

Source: linux.org.ru

Gulani kuchititsa kodalirika kwamasamba okhala ndi chitetezo cha DDoS, ma seva a VPS VDS Gulani malo odalirika osungira mawebusayiti okhala ndi chitetezo cha DDoS, ma seva a VPS VDS | ProHoster