Introduction: With the wide application of mobile intelligent terminals, sensitive information is easy to be monitored or stolen, bringing great political and economic losses to the country, enterprises and individuals. Various enterprises in finance and important fields are gradually implementing and completing the work of domestic password transformation. In order to solve the customer side due to the replacement of encryption algorithm caused by various inconveniences, mPaaS now supports mobile gateway services compatible with a variety of encryption methods. This article will elaborate on how to generate SM2 keys and complete the CONFIGURATION of mPaaS.
With the wide application of mobile intelligent terminals, sensitive information is easy to be monitored or stolen, bringing great political and economic losses to the country, enterprises and individuals. Various enterprises in finance and important fields are gradually implementing and completing the work of domestic password transformation.
Some users who use the mPaaS framework need to change the gateway encryption algorithm to national secret because most of them used RSA encryption or ECC encryption configured on the gateway in the early stage.
In order to solve the customer side due to the replacement of encryption algorithm caused by various inconveniences, mPaaS now supports mobile gateway services compatible with a variety of encryption methods.
This article will elaborate on how to generate SM2 keys and complete the CONFIGURATION of mPaaS.
Generate SM2 country secret
1.1. Under the Mac OS
Mac OSX usually comes with OpenSSL. Since 10.11 El Capitan, Mac OSX has replaced OpenSSL with LibreSSL.
LibreSSL should be able to replace OpenSSL in all of these systems, except for the actual test. Most of the others have not yet replaced the system’s built-in OpenSSL with LibreSSL, which is more troublesome and may not be a complete replacement.
However, for compile-installed software, you can replace OpenSSL with LibreSSL whenever possible.
(Other systems that replace OpenSSL with LibreSSL include OpenBSD since 5.6 and Alpine Linux since 3.5.0.)
Therefore, OpenSSL will need to install OpenSSL to generate SM2 key on Mac. There is a way to directly change and replace the LibreSSL of Mac OS. In order not to affect the daily use of Mac users, we do not use this way. Instead, download the OpenSSL version on your Mac, decompress it, and use it alone without affecting the original LibreSSL.
Take the OpenSSL 1.1.1d implementation as an example:
STEP1 download the openssl source code
The curl - o openssl - 1.1.1 which ar. Gz https://www.openssl.org/source/openssl-1.1.1d.tar.gzCopy the code
STEP2 decompress the source code package
The tar - XVF openssl - 1.1.1 which ar. GzCopy the code
STEP3 go to the openssl directory
CD openssl - 1.1.1 dCopy the code
STEP4 configure the makefile generation
./config --prefix=/usr/local/openssl
Copy the code
STEP5 installation
Sudo make install sudo make install sudo make installCopy the code
STEP6 set openssl lib. so to load the configuration
// This step can be ignored. Run the SM2 echo "/usr/local/openssl/lib" >> /etc/ld.soCopy the code
STEP7 generate SM2 key
I. Go to the directory where the key file is generated and run the following command to generate a private key
/usr/local/openssl/bin/openssl ecparam -genkey -name SM2 -out SM2PrivateKey.pem
Copy the code
Ii. Go to the directory where the key file is generated and generate the public key
/usr/local/openssl/bin/openssl ec -in SM2PrivateKey.pem -pubout -out SM2PublicKey.pem
Copy the code
1.2. Under Windows
Windows also requires some way to generate SM2 country secret keys.
The OpenSSL official website does not provide the Windows installation package. You can choose tools provided by other open source platforms. Download: slproweb.com/products/Wi…
STEP1 download the tool
Choose a 32-bit or 64-bit version to download, such as Win64OpenSSL_light-1_0_2H.exe.
STEP2 install Win64OpenSSL
Set environment variables to determine the installation position.
STEP3 open the Win64OpenSSL software and run the following command:
ecparam -genkey -name SM2 -out priv.key
ec -in priv.key -pubout -out pub.key
Copy the code
Configure the mPaaS national secret
1. Configure encryption for the first time
1.1. Development platform configuration
STEP1 log in to the mPaaS console -> mobile gateway -> gateway management -> data encryption -> open
STEP2 select the encryption mode and key. Select SM2 and fill in the corresponding private key.
1.2. Client Configuration
1.2.1. The iOS side
The encryption mode and public key of the iOS client are configured in info.plist, as shown in the figure
Among them:
- MPaaSCrypt: the primary key of the encryption configuration. The value is of the Dictionary type and contains information about the Settings required by the client encryption.
- Crypt: indicates whether to encrypt. Value is a Boolean. YES indicates encryption, and NO indicates NO encryption.
- GWWhiteList: indicates the gateway address of the current environment. Without this key, all requests are not encrypted.
- RSA/ECC/SM2: indicates the asymmetric encryption algorithm. Value is a String and can only be RSA, ECC, or SM2.
- PubKey: asymmetric encryption public key. Value is a String, consistent with the selected asymmetric encryption algorithm.
Note: The iOS PubKey format must contain —–BEGIN PUBLIC KEY—– and —–END PUBLIC KEY—–. Do not allow space, self-wrapping, etc., the format must be correct.
1.2.2. Android end
The encryption mode and public key on Android are configured in the mpaas_netconfig.properties file, as shown in the figure below:
Among them:
- Crypt: indicates whether to enable self-encryption. True indicates that self-encryption is enabled. False indicates that self-encryption is disabled.
- RSA/ECC/SM2: indicates the asymmetric encryption algorithm to be used. The value can be filled only with RSA, ECC, or SM2.
- PubKey: indicates the public key of the selected asymmetric encryption algorithm.
- GWWhiteList: indicates the gateway address of the current environment. Without this key, all requests are not encrypted.
Note: The value of the Properties file in Android must be on the same line. Therefore, be careful when filling the public key.
2. Replace the encryption configuration
2.1. Development platform configuration (Note: MGS version requires >=1.34.10)
STEP1 open the mobile development platform -> mobile gateway -> gateway management: the current gateway has enabled data encryption (RSA in this example)
STEP2 prepare a pair of generated SM2 public and private keys to change the national secret. Reference: help.aliyun.com/document\_d…
STEP3 under the console-gateway management, first disable data encryption and then immediately enable data encryption. A popup window for re-selecting the encryption algorithm and filling in the corresponding key will appear, as shown in the following figure:
Note: The SM2 public and private keys must be turned off before being turned on. Therefore, you must generate the SM2 public and private keys in advance and ensure their correctness and format.
STEP4 enter the SM2 private key in the input box in the correct format and click submit. Then you can see the two encryption modes configured here:
The operation of replacing the gateway key is complete.
2.2. Client Configuration
2.2.1. IOS terminal
STEP1 the encryption mode and public key of iOS client are configured under info.plist. See figure for details:
STEP2 replace the value of PubKey in info.plist with the generated SM2 public key in the correct format, and change the encryption algorithm to SM2.
The encryption mode and public key on iOS have been changed.
2.2.2. Android end
STEP1 the encryption mode and public key on Android are configured in the mpaas_netconfig.properties file, as shown in the figure:
STEP2 replace the generated SM2 public key value in mpaas_netconfig.properties with the correct value. The following figure shows the new value:
Therefore, the encryption mode and public key on Android have been replaced.
2.3 summary
At this point, both the server and the client have changed the encryption mode, and the old App can still access the gateway normally, and so can the new App. Later, you need to wait for the full upgrade of the users of the old App, and then modify the old encryption mode of the gateway, of course, you can keep it all the time.
conclusion
From the generation of their own national secret SM2, to the complete configuration of encryption. The App data encryption mode from the client to the mPaaS gateway meets the requirements of various policies.
At the same time, the mPaaS team will also make efforts to advance on the road of more complete support for national security of the whole link. A more comprehensive, more convenient and deeper state secret support scheme will be released later.
Author: Ali Cloud mPaaS TAM team (YuxueRongyang)
The original link
This article is the original content of Aliyun and shall not be reproduced without permission.