First release of an implementation of the TLS 1.3 protocol in Java with GOST algorithms in accordance with RFC 9367

The crypto-gost-tls13 module contains an implementation of TLS 1.3 (RFC 8446 + RFC 9367) with GOST cryptography. This release is the first version of the library and is suitable for internal use.

A distinctive feature of the library is that it is implemented in pure Java. All cryptographic operations are performed using the library's own built-in tools, with no external dependencies.

This is one of the first implementations of TLS 1.3 with GOST in Java, so interop testing has been carried out only to the minimum extent possible.

The library's capabilities are listed below.

  1. Protocol functionality:
  • Handshake: full (client/server), abbreviated (PSK), mutual (mTLS).
  • ALPN (RFC 7301) - Application-Layer Protocol Negotiation (HTTP/2, HTTP/1.1).
  • SNI (RFC 6066) - Server Name Indication for multi-tenant deployments.
  • KeyUpdate (RFC 8446 §4.6.3) - updating the traffic encryption keys.
  • Cipher suites: TLS_KUZNYECHIK_MGM_STREEBOG_256_L/S.
  • ECDHE: CryptoPro-A (256-bit), CryptoPro-B (512-bit).
  • Per-record TLSTREE re-keying - the encryption key changes for every TLS record.
  • Fragmentation and reassembly of handshake messages and records (RFC 8446 §5.1).
  • Session resumption: PSK via NewSessionTicket (PskStore is in-memory, single-use).
  • OCSP stapling: an OCSP response is attached to the certificate.
  • Post-handshake messages: NewSessionTicket (stores the PSK).
  2. Cryptography:
  • Key schedule: HKDF-Streebog (RFC 5869) for TLS 1.3 (RFC 8446 §7.1).
  • Record protection: MGM-AEAD (Kuznyechik) with the nonce formed according to RFC 8446 §5.3.
  • Ephemeral keys are wiped after use.
  3. Certificates:
  • X.509v3 parsing (GOST R 34.10-2012) - built-in DER parser.
  • Chain validation: signatures, DN (issuer → subject), Basic Constraints, Key Usage, Extended Key Usage (serverAuth / clientAuth), pathLen.
  • Hostname verification: dNSName + iPAddress (RFC 6125).
  • Verification of OCSP responses (RFC 6960).
  4. Transport:
  • TlsTransport - the interface.
  • InMemoryTlsTransport - for tests and single-process scenarios (in-memory queue).
  • SocketTlsTransport - blocking I/O over java.net.Socket.
  • ChannelTlsTransport - NIO SocketChannel-based transport (blocking mode, interruptible).
  5. Incremental handshake:
  • TlsHandshakeEngine is the handshake state machine (decoupled from I/O). It uses TlsSession as the orchestrator and is suitable for integration with JSSE (SSLEngine).
  6. ByteBuffer API:
  • TlsRecord.protect/unprotect - ByteBuffer overloads for zero-copy integration with NIO.
  7. Key loading:
  • Pkcs12Loader - reads PFX (PKCS#12) with PBKDF2-HMAC-SHA256 + AES-256-CBC.
  8. Session termination:
  • close_notify - graceful closure according to the protocol.
  • Key material is wiped on close or on error.
  • Alert handling: fatal - immediate close + wipe.
  9. Implementation security:
  • Constant-time comparison of verify_data and PSK binders (protection against timing attacks).
  • Key material wiping: destroy() on all objects holding keys (TlsKeySchedule, TlsTrafficKeys, TlsRecord, HandshakeContext), on close, on a fatal alert, and on an exception during the handshake.
  • DoS protection: limits on certificate chain length (10), post-handshake messages, and record size.
  • MGM nonce: the MSB of the first byte is cleared for the ICN (RFC 9058 §3, RFC 9367 §3.3).
  • The ECDHE private key and the handshake transcript are destroyed once the handshake has completed.
  • HMAC key material is wiped after use (HkdfStreebog, KdfGostR3411_2012_256).
  10. Limitations:
  • Resumption PSK only (0-RTT and external PSK are not supported).
  • psk_dhe_ke only (pure PSK without ECDHE is not supported).
  • HelloRetryRequest (RFC 8446 §4.1.4) is not supported - a single named group is used (GC256A by default).
  • GOST only (non-GOST cipher suites are not supported).
  11. Testing:
  • The library includes Known Answer Tests from RFC 9367 Appendix A.1 (L and S variants) - the full key schedule, TLSTREE, AEAD, and ECDHE. It also passes the full set of KAT tests.
  • 4 integration tests (self-interop) over real TCP sockets.
  • Fuzz testing of the parsers: TlsMessageParser (8 methods), TlsDerParser (3 methods), TlsOcspVerifier (1 method), to verify safety and reduce the attack surface in the parsers.
  12. Architectural decisions:
  • TlsHandshakeEngine - a state machine decoupled from I/O (for a future JSSE module).
  • ByteBuffer overloads of TlsRecord.protect/unprotect for NIO/JSSE.
  • TLSTREE cache (TlsTreeCache) - only the levels that changed are recomputed (RFC 9367).
  • InMemoryTlsTransport.Pair is a bidirectional pair for tests and in-process communication.
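
The record-protection and implementation-security items above describe three habits that fit in a few lines of Java: the per-record nonce of RFC 8446 §5.3 with the top bit of the first byte cleared for the MGM ICN, a constant-time comparison of verify_data, and wiping of key bytes on every exit path. This is an added example, not code from crypto-gost-tls13; the class and method names are hypothetical and the IV and verify_data bytes are constructed samples.

```java
import java.nio.ByteBuffer;
import java.security.MessageDigest;
import java.util.Arrays;

// Added illustration: names are hypothetical and are not the crypto-gost-tls13 API.
public final class RecordNonceDemo {

    // RFC 8446 §5.3: left-pad the 64-bit sequence number to the IV length and
    // XOR it into the write IV. The page adds that the most significant bit of
    // the first byte is cleared to form the MGM ICN.
    static byte[] recordNonce(byte[] writeIv, long seq) {
        if (writeIv.length < 8) {
            throw new IllegalArgumentException("IV shorter than the sequence number");
        }
        byte[] nonce = writeIv.clone();
        byte[] seqBytes = ByteBuffer.allocate(8).putLong(seq).array();
        int off = nonce.length - 8;
        for (int i = 0; i < 8; i++) {
            nonce[off + i] ^= seqBytes[i];
        }
        nonce[0] &= 0x7F; // clear the MSB of byte 0
        return nonce;
    }

    // MessageDigest.isEqual examines every byte, so the time taken does not
    // reveal the position of the first mismatch in verify_data or a PSK binder.
    static boolean macMatches(byte[] expected, byte[] received) {
        return MessageDigest.isEqual(expected, received);
    }

    public static void main(String[] args) {
        byte[] iv = new byte[16];                   // constructed sample, not real key-schedule output
        Arrays.fill(iv, (byte) 0xA5);
        byte[] expected = {0x10, 0x20, 0x30, 0x40}; // constructed stand-in for verify_data
        byte[] received = {0x10, 0x20, 0x30, 0x41};
        try {
            byte[] n0 = recordNonce(iv, 0);
            byte[] n1 = recordNonce(iv, 1);
            System.out.printf("nonce(0)[0]=%02x nonce(1)[15]=%02x distinct=%b%n",
                    n0[0], n1[15], !Arrays.equals(n0, n1));
            System.out.println("verify_data ok: " + macMatches(expected, received));
        } finally {
            // Wipe secrets on every exit path, including exceptions.
            Arrays.fill(iv, (byte) 0);
            Arrays.fill(expected, (byte) 0);
        }
    }
}
```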

The library is distributed under a free license.

Source: linux.org.ru
