First release of a Java implementation of the TLS 1.3 protocol with GOST algorithms according to RFC 9367

The crypto-gost-tls13 module contains an implementation of TLS 1.3 (RFC 8446 + RFC 9367) using GOST cryptography. This release is the initial version of the library and is ready for internal use.

A distinguishing feature of the library is that it is implemented in pure Java. All cryptographic operations are performed with the library's own built-in primitives, with no external dependencies.

This is one of the first open-source implementations of TLS 1.3 with GOST in Java, so interoperability testing has been carried out only to the minimum extent possible.

The library's capabilities are listed below.

  1. Protocol:
  • Handshake: full (client/server), abbreviated (PSK), mutual (mTLS).
  • ALPN (RFC 7301) - Application-Layer Protocol Negotiation (HTTP/2, HTTP/1.1).
  • SNI (RFC 6066) - Server Name Indication for multi-tenant deployments.
  • KeyUpdate (RFC 8446 §4.6.3) - update of the traffic secret keys.
  • Cipher suites: TLS_KUZNYECHIK_MGM_STREEBOG_256_L/S.
  • ECDHE: CryptoPro-A (256-bit), CryptoPro-B (512-bit).
  • TLSTREE per-record rekeying - the encryption key changes for every TLS record.
  • Fragmentation and reassembly of handshake messages and records (RFC 8446 §5.1).
  • Session resumption: PSK via NewSessionTicket (in-memory PskStore, single use).
  • OCSP stapling: the server attaches an OCSP response to the certificate.
  • Post-handshake messages: NewSessionTicket (PSK storage).
  2. Cryptography:
  • Key schedule: HKDF-Streebog (RFC 5869) on top of TLS 1.3 (RFC 8446 §7.1).
  • Record protection: MGM-AEAD (Kuznyechik) with the nonce as specified in RFC 8446 §5.3.
  • Ephemeral keys are wiped after use.
  3. Certificates:
  • X.509v3 parsing (GOST R 34.10-2012) - built-in DER parser.
  • Chain validation: signatures, DN (issuer → subject), Basic Constraints, Key Usage, Extended Key Usage (serverAuth / clientAuth), pathLen.
  • Hostname verification: dNSName + iPAddress (RFC 6125).
  • Validation of OCSP responses (RFC 6960).
  4. Transport:
  • TlsTransport - the interface.
  • InMemoryTlsTransport - for tests and single-process scenarios (in-memory queue).
  • SocketTlsTransport - blocking I/O over java.net.Socket.
  • ChannelTlsTransport - transport based on the NIO SocketChannel (blocking mode, interruptible).
  5. Step-by-step handshake:
  • TlsHandshakeEngine is a state machine for the handshake (separated from I/O). It uses TlsSession as the orchestrator and is suitable for JSSE integration (SSLEngine).
  6. ByteBuffer API:
  • TlsRecord.protect/unprotect - ByteBuffer overloads for zero-copy integration with NIO.
  7. Key loading:
  • Pkcs12Loader - reads PFX (PKCS#12) with PBKDF2-HMAC-SHA256 + AES-256-CBC.
  8. Session termination:
  • close_notify - orderly closure in accordance with the protocol.
  • Wiping of key material on close or on error.
  • Alert handling: fatal - immediate closure + wipe.
  9. Implementation security:
  • Constant-time comparison for verify_data and PSK binders (protection against timing attacks).
  • Wiping of key material: destroy() on all objects that hold keys (TlsKeySchedule, TlsTrafficKeys, TlsRecord, HandshakeContext) on close, on a fatal alert, and on a handshake exception.
  • DoS protection: limits on certificate chain length (10), post-handshake messages, and record size.
  • MGM nonce: the MSB of the first byte is cleared for the ICN (RFC 9058 §3, RFC 9367 §3.3).
  • The ECDHE private key and the handshake transcript are destroyed after the handshake.
  • HMAC key material is wiped after use (HkdfStreebog, KdfGostR3411_2012_256).
  10. Limitations:
  • Resumption PSK only (0-RTT and external PSK are not supported).
  • psk_dhe_ke only (pure PSK without ECDHE is not supported).
  • HelloRetryRequest (RFC 8446 §4.1.4) is not supported - only one named group is used (GC256A by default).
  • GOST only (non-GOST cipher suites are not supported).
  11. Testing:
  • The library includes Known Answer Tests from RFC 9367 Appendix A.1 (L and S variants) - full key schedule, TLSTREE, AEAD, and ECDHE. It also passes the full KAT tests.
  • 4 integration (interop) tests over real TCP sockets.
  • Fuzz tests for the parsers: TlsMessageParser (8 methods), TlsDerParser (3 methods), TlsOcspVerifier (1 method), to verify robustness and reduce attack vectors in the parsers.
  12. Architectural decisions:
  • TlsHandshakeEngine - state machine decoupled from I/O (for future JSSE).
  • ByteBuffer overloads of TlsRecord.protect/unprotect for NIO/JSSE.
  • TLSTREE cache (TlsTreeCache) - recomputes only the levels that changed (RFC 9367).
  • InMemoryTlsTransport.Pair is a bidirectional pair for tests and single-process communication.
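
The two nonce items in the list above (the per-record nonce of RFC 8446 §5.3, and the MSB of the first byte left at zero for the MGM ICN) combine as in the following added example. It is not code from crypto-gost-tls13: the class name, method names and sample IV are constructed for illustration.

```java
import java.util.Arrays;

/** Illustration only: hypothetical class, not part of crypto-gost-tls13. */
public final class MgmRecordNonce {
    static final int IV_LEN = 16; // Kuznyechik block size (128 bits)

    /**
     * RFC 8446 §5.3: left-pad the 64-bit record sequence number to IV_LEN,
     * XOR it with the static write IV, then clear the top bit so the value
     * fits the (n-1)-bit MGM ICN.
     */
    static byte[] perRecordNonce(byte[] writeIv, long seq) {
        if (writeIv == null || writeIv.length != IV_LEN)
            throw new IllegalArgumentException("write_iv must be " + IV_LEN + " bytes");
        if (seq < 0)
            throw new IllegalArgumentException("sequence number out of range");
        byte[] nonce = writeIv.clone();
        for (int i = 0; i < Long.BYTES; i++) {
            // Big-endian: the least significant byte of seq lands in the last nonce byte.
            nonce[IV_LEN - 1 - i] ^= (byte) (seq >>> (8 * i));
        }
        nonce[0] &= 0x7F; // MSB of the first byte is zero for the ICN
        return nonce;
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample IV (not a test vector); its first byte has the top bit set.
        byte[] iv = new byte[IV_LEN];
        Arrays.fill(iv, (byte) 0xA5);
        byte[] n0 = perRecordNonce(iv, 0);
        byte[] n1 = perRecordNonce(iv, 1);
        System.out.println("seq=0 " + hex(n0));
        System.out.println("seq=1 " + hex(n1));
        if ((n0[0] & 0x80) != 0 || Arrays.equals(n0, n1))
            throw new AssertionError("nonce must have a clear top bit and differ per record");
        // Wipe working copies once the record has been processed.
        Arrays.fill(n0, (byte) 0);
        Arrays.fill(n1, (byte) 0);
        Arrays.fill(iv, (byte) 0);
    }
}
```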

The library is distributed under a free license.

Source: linux.org.ru
