Introduction -TLS 1.3 protocol and SM algorithm
Speaking of TLS, we will not be unfamiliar, TLS can be said to be the cornerstone of the entire Internet security, to protect the security of our communication data. Since Heartbleed vulnerability was discovered in 2014, network security has attracted more and more attention. In order to be more secure and faster, TLS 1.3 protocol was proposed accordingly, and its corresponding RFC was officially released in 2018. With more and more attention paid to network security, the security strategy has gradually risen to the height of national strategy. The National Cryptography Administration published the self-developed “Elliptic Curve Public Key Cryptography Algorithm” (SM2 algorithm) at the end of 2010, and then successively released the national secret algorithm SM1-SM9 (SM stands for business secret in capital letters). Today we are going to share something about TLS 1.3 and national secrets.
To give you an idea of the relationship between the two, let’s take a typical key suite in TLS 1.2 as an example:
Corresponding to the algorithm of our national secret, the corresponding suite of each algorithm is as follows:
1, the key exchange algorithm: ECC-SM2, ECDHE-SM2 (here is not a detailed expansion, just a brief introduction, the State Secret key exchange algorithm based on the current elliptic curve algorithm designed two special algorithms, and the corresponding curve is the SM2 curve);
2. Digital signature algorithm: SM2 (SM2 is the name of the signature algorithm, and the corresponding curve name in the elliptic curve algorithm is also called SM2, some blog documents also refer to the key exchange algorithm as SM2, readers please be careful not to confuse);
3. Symmetric encryption algorithm: SM4;
4. Hash algorithm: SM3.
In other words, the State Secret Service has developed an autonomous and controllable algorithm for each stage of the secure handshake.
02 Why State Secrets? Why not state secrets?
First talk about why to use the State Secret, the State Secret algorithm as the main product of the State Secret Bureau, must have advantages in many places, first to summarize the typical advantages of the State Secret:
More secure: SM2 as an ECC algorithm (256-bit) is more secure than 2048-bit RSA. At the same time, SM3’s digest length is 256 bits, which is higher than the mainstream MD5 algorithm and SHA1 algorithm at that time.
2. Faster: In the process of communication, the 256-bit SM2 algorithm can transmit less data compared with the 2048-bit RSA algorithm (RSA2048 is the mainstream signature algorithm in the design of the national secret algorithm, so ECDSA and other algorithms are not discussed here for the time being), which means less transmission time. In theory, The computing speed of SM2 signature algorithm is much faster than that of RSA2048.
3, independent control: in the current international situation, this is the most critical point!
It sounds like an innovation of Chinese password, but it has not been widely carried out in recent years, which indicates that there must be some problems in it. Here, aside from some small details, we will talk about some of the thorny problems encountered in the large-scale implementation of the national secret algorithm:
1. Not fast enough (Trouble Index ★★★)
Compared with the mainstream international algorithms, the performance of several algorithms involved in the whole TLS session flow of the State Secret is relatively weak in most cases. Here is a simple performance comparison table for some of them:
Performance comparison of symmetric encryption algorithms:
Signature algorithm performance comparison:
Hash algorithm performance comparison:
From the comparison, we can see that the performance of these algorithms of the State Secret and the international algorithms is often not the same order of magnitude, whether it is symmetric encryption or asymmetric encryption part. The fundamental reason is that all kinds of universal international algorithms are too popular, and there are corresponding multi-level optimization (hardware calculation and various soft acceleration means) in engineering. Take symmetric encryption as an example: The symmetric encryption algorithm SM4 on the target algorithm is AES-128. From the point of view of the encryption principle itself, SM4 will not have such a big gap with AES-128 in theory. However, AES is too strong due to its universality. Typical AES implementations are based on Intel’s SIMD instruction set to parallelize and accelerate it, while SM4 currently only has a pure soft implementation, performance naturally has a large gap. Moreover, the current mainstream symmetric encryption modes are GCM and CCM, and the idea behind them is encryption as authentication technology (AEAD). However, the national secret algorithm does not support this mode, and there are some weaknesses in security.
2. Double certificates required (★★★★)
To explain the double certificate clearly, we first need to understand the PKI key negotiation mechanism. Typical key negotiation algorithms are divided into two kinds: RSA and ECDHE. ECC-SM2 key negotiation process of State Secret is similar to that of RSA. The core nature of the algorithm is that the data encrypted with the public key can be decrypted with the private key. The whole key negotiation process is simplified as follows:
ECDHE-SM2 is similar to ECDHE algorithm, both are based on DH and ECC algorithm, it is easier to understand, and the process is simplified as shown in the figure below:
We’ll talk about the double certificate, certificate of double divided into signing certificate and encryption certificate, the purpose of this system is to meet national strong control demands for sensitive data, namely as long as can catch all packets, the control organization can restore out all clear data in theory, which spawned encryption certificate on this item, the private key encryption certificate need at special purpose. Let’s look at the key exchange process of RSA. As long as the private key is possessed, the material generated by the middle key (random number) can also be theoretically exported. For ECDHE-SM2, the export process of symmetric key is not only determined by the random number A/C, but also requires the private key corresponding to the encryption certificate to participate in the calculation (the specific process is more cumbersome, which will not be expanded here, readers can refer to GM/T 0024 standard to read the details), which means that when the private key is supervised, Then the symmetric key can theoretically be derived.
This system is very strong, but the difficulty is that all the mainstream cryptography libraries, such as OpenSSL and BoringSSL, do not support this system, which means that if we want to promote the popularization of this system, we must develop it based on the mainstream cryptography libraries, promote the acceptance of the open source community, and then slowly penetrate the domestic users to use this system. Or in the case of compatible with the current password system as far as possible to develop a new password base and force domestic users to replace, each method has no small difficulty.
3. Requires the client to also hold the certificate (★★★★★)
The GM/T 0024 standard defines the key exchange process based on ECDHE-SM2 algorithm, but the requirements of this algorithm are very strict, and the Client must also hold the certificate. It does improve the security to a certain degree, but the trouble will follow. The Alipay Client does not have the certificate at present. If the certificate is added, the APP will be heavier and the handshake interaction data will be more, which will greatly reduce the user experience. If these problems are not fatal enough, how to manage the huge number of on-hand certificates is the real headache.
You may ask: it would be better not to use ECDHE, but from the evolution trend of technology, efficient/security is our tireless pursuit, and the RSA-like handshake process from the root limit the ECC key exchange process can not be evolved to 1-RTT handshake, 0-RTT information transmission. Not only that, but the security and performance of ECHDE are much better. In the 1RTT standard handshake process of TLS 1.3, it is explicitly defined to abolish the RSA handshake and support ECDHE only. If you want to use TLS 1.3->, you need ecdhe-> if the Client has a certificate -> has no certificate and does not want to use a certificate -> has no solution.
03 blockbuster launch, TLS 1.3+ national secret algorithm suite
In view of these pain points in the landing process of the State Secret Service, in August 2019, a TLS 1.3+ State Secret Service Algorithm Draft was written, led by Ant’s classmates, and finally became an IETF standard document:
The core idea of the whole standard design is: integrate the advantages of the current state secret algorithm, fully fit the international security technology ideas, the bad things are temporarily removed, enhance the influence of the state secret algorithm in the domestic and international, so that more organizations and individuals can participate in the use and construction of the state secret algorithm. Based on this idea, we joined forces with 360 and other companies and formally launched relevant standards after repeated communication with the State Secret Bureau. In the whole process, we have cancelled the requirement of Client certificate in the ECDHE algorithm, and temporarily relaxed the requirement of double certificate. Thus, we have launched two complete national secret algorithm suites, and determined the signature algorithm and the standard number of the curve. At the same time, based on the AEAD requirements of TLS 1.3, we defined the GCM mode and CCM mode of SM4, and implemented them.
The whole draft defines the following standards (currently these standards have been obtained the corresponding standard number) : the standard number of the SM2 curve of the State Secret: CurveSM2 (41). This standard number allows clients and servers to use curveSM2 as the convention curve for the TLS 1.3 handshake. This makes ECDHE_SM2 the international standard in TLS 1.3 (although there is no need for clients to hold certificates here).
Signature algorithm based on SM2 and SM3 SM2SIG_SM3 (0x0708), this standard number is used in TLS 1.3, if the server has a national secret certificate, it can be used as the signature algorithm by default, and its significance is that the national secret certificate has become a standard.
Key suite based on TLS 1.3 and SM2,SM3,SM4 algorithms:
TLS_SM4_GCM_SM3 (0x00,0xC6) and TLS_SM4_CCM_SM3 (0x00,0xC7), which means that from now on you can use the 1RTT handshake + national secret algorithm of TLS 1.3 according to the standard, which meets the national standard requirements and is fast and convenient. SM4 also uses a more secure GCM/CCM mode.
Of course, the standard also needs to be implemented by engineering, and often engineering implementation is the absolute factor that really determines whether an algorithm is good or not. To solve the problem of poor SM2/3/4 performance, we designed and implemented many solutions for optimization, such as: asynchronous SM2 hardware acceleration process; SM4 soft optimization based on SIMD. Based on these technologies, it can be used in production and the cost is controllable.
04 summary
That day in hand, the present end tied dragon. Looking back, it took about two years for the agreement to be implemented from a draft to an official IETF standard document. During this period, there were many rounds of discussions with the IETF working group, and the draft also went through many rounds of revisions. It was not easy for the agreement to come to a final conclusion. With TLS 1.3+ Country Secret officially becoming a nationally/internationally accepted standard (RFC8998), we have officially supported and open sourced the capabilities in BabAsSL and built the BabAsSL community.
The so-called Pengbei Sea, Phoenix Sun, and the vast road with books and swords. The original intention of BABASSL construction is to create a unified/easy-to-use national secret cryptography database for the economy. However, the landing and realization of a standard of national secret will not be the end of BABASSL, and BABASSL will always strive towards the distant sea of stars. We are actively implementing quantum random numbers, MPK, Delegated Crendential and other cutting-edge technologies. Of course, that’s another story.
Read this week
- Explore the secret ecology of Anolisos. It is enough to understand this article
- MOSN sub-project Layotto: Open a new chapter of service grid + application runtime
- A new chapter of Cloud Native MOSN – Fusing Envoy and Golang Eco
- MOSN multi-protocol extension development practice
For more articles, please scan the code to pay attention to the official account of “Financial-grade Distributed Architecture”