ProHoster > Blog > litaba tsa inthanete > Tokollo ea pele ea ts'ebetsong ea protocol ea TLS 1.3 ho Java ka li-algorithms tsa GOST ho latela RFC 9367

Tokollo ea pele ea ts'ebetsong ea protocol ea TLS 1.3 ho Java ka li-algorithms tsa GOST ho latela RFC 9367

Module crypto-gost-tls13 e na le ts'ebetsong TLS 1.3 (RFC 8446 + RFC 9367) ka GOST cryptography. Tokollo ena ke mofuta oa pele oa laeborari 'me e loketse ho sebelisoa ka hare.

Tšobotsi e ikhethang ea laeborari ke ts'ebetsong ea eona e hloekileng ea Java. Mesebetsi eohle ea cryptographic e etsoa ho sebelisoa lisebelisoa tse hahiloeng kahare ho laeborari, ntle le ho itšetleha ka kantle.

Ena ke e 'ngoe ea mekhoa ea pele ea ho kenya tšebetsong mohloli o bulehileng oa TLS 1.3 ka GOST ho Java, kahoo liteko tsa interop li entsoe ka tekanyo e fokolang kamoo ho ka khonehang.

Ka tlase ke bokgoni ba laeborari.

  1. Melao-motheo:
  • Ho tshwarana ka matsoho: e felletseng (moreki/seva), e kgutshwane (PSK), e tshwanang (mTLS).
  • ALPN (RFC 7301) - Puisano ea Protocole ea Lera la Kopo (HTTP/2, HTTP/1.1).
  • SNI (RFC 6066) - Letšoao la Lebitso seva bakeng sa ho kenngoa ha batho ba bangata ba hirileng.
  • KeyUpdate (RFC 8446 §4.6.3) – ho ntlafatsa dinotlolo tsa ho patela sephethephethe.
  • Cipher suites: TLS_KUZNYECHIK_MGM_STREEBOG_256_L/S.
  • ECDHE: CryptoPro-A (256-bit), CryptoPro-B (512-bit)
  • Ho kenya TLSTREE hape ka rekoto — ho fetola senotlolo sa encryption bakeng sa rekoto ka 'ngoe ea TLS.
  • Ho aroloa le ho kopanngoa hape ha ho ts'oarana ka matsoho le lirekoto (RFC 8446 §5.1).
  • Ho qala hape ha seboka: PSK ka NewSessionTicket (PskStore e memoring, e sebediswa hanngoe feela).
  • Ho kopanya OCSP: seva e eketsa karabo ea OCSP ho setifikeiti.
  • Melaetsa ea kamora ho ts'oarana ka matsoho: NewSessionTicket (boloka bakeng sa PSK).
  1. Cryptography:
  • Kemiso ea bohlokoa: HKDF-Streebog (RFC 5869) holim'a TLS 1.3 (RFC 8446 §7.1).
  • Tšireletso ea rekoto: MGM-AEAD (Kuznyechik) e nang le nonce ho latela RFC 8446 §5.3.
  • Linotlolo tsa nakoana lia hlakoloa ka mor'a ho sebelisoa.
  1. Litifikeiti:
  • Ho hlahloba X.509v3 (GOST R 34.10-2012) — sehlahlobi sa DER se hahiloeng kahare.
  • Ketane ea netefatso: li-signature, DN (mofani → sehlooho), Lithibelo tsa Motheo, Tšebeliso ea Senotlolo, Tšebeliso ea Senotlolo se Atolositsoeng * (serverAuth / clientAuth), pathLen.
  • Tlhahlobo ea lebitso la moamoheli: dNSName + iPAddress (RFC 6125).
  • Netefatso ea likarabo tsa OCSP (RFC 6960).

4.Lipalangwa:

  • TlsTransport - sebopeho.
  • InMemoryTlsTransport - bakeng sa liteko le maemo a ts'ebetso e le 'ngoe (mola o ka har'a memori).
  • SocketTlsTransport — e thibela I/O hodima java.net.Socket.
  • ChannelTlsTransport - NIO SocketSepalangoang se thehilweng ho Channel (mokgwa wa ho thibela, o ka sitiswang).
  1. Ho ts'oarana ka letsoho mohato ka mohato:
  • TlsHandshakeEngine ke mochini oa boemo bakeng sa ho ts'oarana ka matsoho (o arotsoe ho tloha ho I/O). E sebelisa TlsSession e le okhestrator 'me e loketse ho kopanngoa le JSSE (SSLEngine).
  1. ByteBuffer API:
  • TlsRecord.protect/unprotect — ByteBuffer e jara ka bongata bakeng sa kopanyo ya lefela le NIO. Dinotlolo tsa ho kenya:
  • Pkcs12Loader — ho bala PFX (PKCS#12) ka PBKDF2-HMAC-SHA256 + AES-256-CBC.
  1. Qetellong ea thuto:
  • tsebiso_ya_close - ho lokisa ho koala ho latela mokhoa oa tsamaiso.
  • Ho hlakola thepa ea bohlokoa ha ho koaloa kapa ho etsoa phoso.
  • Temoso ea ho sebetsana le eona: e bolaeang - ho koala hang-hang + ho hlakola.
  1. Tšireletso ea ts'ebetsong:
  • Lipapiso tsa nako e sa fetoheng bakeng sa li-verify_data le li-binder tsa PSK (tšireletso khahlanong le litlhaselo tsa nako)
  • Ho hlakola thepa ea senotlolo: senya() linthong tsohle ka linotlolo (TlsKeySchedule, TlsTrafficKeys, TlsRecord, HandshakeContext), ha ho koaloa, ho lemosoa kotsi, mokhelo ha ho ts'oaroa ka letsoho
  • Tšireletso ea DoS: meeli ea bolelele ba ketane ea setifikeiti (10), melaetsa ea kamora ho ts'oarana ka letsoho, boholo ba rekoto.
  • MGM nonce: MSB ea byte ea pele e hlakotsoe bakeng sa ICN (RFC 9058 §3, RFC 9367 §3.3).
  • Senotlolo sa poraefete sa ECDHE le mongolo wa ho tshwarana ka letsoho di a senngwa ka mora hore ho tshwarana ka letsoho ho phethelwe.
  • Thepa ea senotlolo sa HMAC e hlakoloa kamora ho sebelisoa (HkdfStreebog, KdfGostR3411_2012_256).
  1. Meeli:
  • PSK ea ho qala hape feela (0-RTT le PSK ea kantle ha li tšehetsoe).
  • Ke psk_dhe_ke feela (PSK e hloekileng ntle le ECDHE ha e tšehetsoe).
  • HelloRetryRequest (RFC 8446 §4.1.4) ha e tshehetswe - ho sebediswa sehlopha se le seng feela se rehelletsweng lebitso (GC256A ka tlwaelo).
  • GOST feela (li-cipher suites tse seng tsa GOST ha li tšehetsoe).
  1. Teko:
  • Laeborari e na le Liteko tse Tsejoang tsa Likarabo tse tsoang ho RFC 9367 Appendix A.1 (mefuta ea L le S)—kemiso e felletseng ea senotlolo, TLSTREE, AEAD, le ECDHE. E boetse e feta mefuta eohle ea liteko tsa KAT.
  • Liteko tse 4 tsa kopanyo (self-interop) ka li-socket tsa 'nete tsa TCP.
  • Liteko tsa Fuzz bakeng sa li-pars: TlsMessageParser (mekhoa e 8), TlsDerParser (mekhoa e 3), TlsOcspVerifier (mokhoa o le mong), ho netefatsa ts'ireletso le ho fokotsa vector ea tlhaselo ho li-pars.
  1. Litharollo tsa meralo:
  • TlsHandshakeEngine - mochini oa boemo o arotsoeng ho tloha ho I/O (bakeng sa mojule oa JSSE oa nakong e tlang).
  • ByteBuffer e jara TlsRecord.protect/unprotect ka bongata bakeng sa NIO/JSSE.
  • TLSTree cache (TlsTreeCache) - ho bala botjha maemo a fetohileng feela (RFC 9367).
  • InMemoryTlsTransport.Pair ke para e shebaneng le diteko le puisano ya tshebetso e le nngwe.

Laeborari e abuoa tlasa laesense ya mahala.

Source: linux.org.ru

Reka sebaka se tšepahalang sa libaka tse nang le ts'ireletso ea DDoS, li-server tsa VPS VDS 🔥 Reka sebaka se tšepahalang sa ho amohela webosaete ka tšireletso ea DDoS, li-server tsa VPS VDS | ProHoster