Things about state secret HTTPS (I)


With the promulgation and implementation of the Cryptography Law, the application and promotion of state secret (Guomi, the Chinese national commercial cryptography) algorithms finally have a legal basis. An important part of that application is state secret HTTPS communication, which came into being for exactly this purpose. To help readers understand state secret HTTPS, I am going to share a series of posts on it: what the HTTPS communication protocols are; why these protocols exist; how the state secret SSL protocol encrypts a website's data; which state secret algorithms the state secret SSL protocol uses; and how the state secret double certificate differs from a traditional RSA certificate during handshake negotiation. Because the material is long and time is limited, I can only share it with you step by step.

To help more friends understand this industry and field and follow the content, this article uses a relaxed and light-hearted way to present and explain these dry terms.

 1. About HTTPS

When it comes to HTTPS communication, we can't avoid talking about boring communication protocols. I believe everyone has seen, intentionally or not, keywords or tags such as HTTP, HTTPS, SSL and TLS while surfing the Internet. So let's first briefly understand what each of them means, and then sort out the relationship between them.


HTTP (HyperText Transfer Protocol): the hypertext transfer protocol. I believe everyone is familiar with it; you can see it in the address bar as soon as you open a browser.

SSL (Secure Sockets Layer): the secure sockets layer protocol. It is divided into two layers: the SSL record protocol and the SSL handshake protocol.

TLS (Transport Layer Security): the transport layer security protocol. It is also divided into two layers: the TLS record protocol and the TLS handshake protocol.


Having read this far, clever and careful friends will surely notice that SSL and TLS look very similar, don't they? Yes! Your intuition reflects the relationship between them: TLS is built on top of the SSL 3.0 protocol specification. That is why you will often find them bound together and presented as SSL/TLS. To describe their relationship in today's internet slang: a bit like a CP (a couple), and also a bit like the front wave and the back wave (a predecessor and its successor). How these protocols are used will be introduced later.




Once we have sorted out their relationship, we can finally get started. As for why the HTTP protocol became HTTPS, I believe everyone understands very well: because HTTP is missing that one "s", it is like running naked in a crowd. As long as others want to look at you, you can never walk faster than their eyes can follow, and some people will even stop to take a closer look. It seems to rhyme a little, skr.

So an HTTP site has no privacy at all, let alone security. Hurry up and put some "clothes" on your site.

  2. About the protocol

HTTPS was mentioned earlier. At this point the question comes up again: if deploying HTTPS is like putting "clothes" on a website to protect its privacy, how do these "clothes" actually protect it? Yes, through the SSL/TLS protocol. Let's first take a look at the whole flow of the state secret protocol. While going through the flow, think about what problems SSL/TLS solves and how it protects your data.


The state secret SSL communication protocol is based on the cryptographic industry standard of the People's Republic of China, the SSL VPN technical specification GM/T 0024-2014. Its protocol flow is basically the same as that of the traditional TLS protocol using an RSA certificate, but there is one difference: in the traditional TLS protocol the server uses a single certificate, whereas in the state secret handshake the server uses double certificates (a signing certificate and an encryption certificate).

Let's look at the main handshake process of Guomi SSL:




Following the SSL VPN technical specification GM/T 0024-2014, we sort out the whole handshake process as follows:


Let’s analyze the whole process.

  1. The client first sends a ClientHello message to start the handshake with the server. The ClientHello message includes the supported cipher suites and a random number.
  2. After receiving the client's handshake request, the server selects an appropriate cipher suite based on its own certificates and returns it to the client in the ServerHello, together with a random number of its own.
  3. The server then sends the Certificate message to the client. The Certificate message contains two certificates, the signing certificate and the encryption certificate, with the encryption certificate placed in front of the signing certificate.
  4. The server sends the ServerKeyExchange message according to the selected cipher suite. If the ECC_SM4_SM3 suite was selected, the message contains the server's signature over both random numbers and the server's encryption certificate.
  5. If the server has enabled two-way (mutual) authentication, it also sends a CertificateRequest message to the client.
  6. After the client receives the server's reply, if it received the message from step 5, it first replies with a ClientCertificate message; if it did not, this step is skipped.
  7. If the client received the request from step 5, it sends the ClientKeyExchange message immediately after the message from step 6; otherwise ClientKeyExchange is the first message the client sends back after receiving the server's messages. If the ECC_SM4_SM3 suite was selected, the main content of this message is the pre-master secret encrypted with the public key of the server's encryption certificate.
  8. If the client sent the message from step 6, it must also send a CertificateVerify message to the server, which lets the server confirm that the client is the legitimate holder of the certificate.
  9. Finally, the server and the client each send a Finished message right after their ChangeCipherSpec message. The Finished message verifies that the key exchange succeeded and checks the integrity of the whole handshake.
  10. At this point the whole state secret SSL handshake is over. Both parties use the negotiated symmetric key to encrypt and decrypt the communication data.

The above is the whole handshake process of state secret SSL communication.
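As an added example (not code from the original post), the following script checks a recorded handshake transcript against the ten-step message order above: it flags a server Certificate message whose encryption certificate is not in front of the signing certificate, a ServerKeyExchange for ECC_SM4_SM3 whose signature does not cover both randoms plus the encryption certificate, and any deviation from the one-way or mutual-authentication sequence. The transcript dict layout, the CamelCase message names and the `suite`/`signed_over` fields are assumptions of this example, not part of GM/T 0024-2014.

```python
# Added example, not code from the original post: validates a Guomi SSL
# (GM/T 0024-2014) handshake transcript against the message order given in
# the ten steps above. Transcript dict layout and field names are assumed.
ENC, SIGN = "encryption", "signing"


def expected_flow(mutual_auth):
    """(sender, message) sequence the spec calls for; mutual auth adds three messages."""
    server = [("server", m) for m in ("ServerHello", "Certificate", "ServerKeyExchange")]
    client = []
    if mutual_auth:
        server.append(("server", "CertificateRequest"))
        client.append(("client", "ClientCertificate"))
    client.append(("client", "ClientKeyExchange"))
    if mutual_auth:
        client.append(("client", "CertificateVerify"))
    flow = [("client", "ClientHello")] + server + client
    for side in ("client", "server"):  # client finishes first, then the server
        flow += [(side, "ChangeCipherSpec"), (side, "Finished")]
    return flow


def check_transcript(transcript):
    """Return a list of problems; an empty list means the transcript conforms."""
    problems = []
    mutual = any(m["msg"] == "CertificateRequest" for m in transcript)
    got = [(m["from"], m["msg"]) for m in transcript]
    if got != expected_flow(mutual):
        problems.append("message order %r != expected %r" % (got, expected_flow(mutual)))
    for m in transcript:
        if m["from"] == "server" and m["msg"] == "Certificate" and m.get("certs") != [ENC, SIGN]:
            # Double certificate rule: encryption certificate must precede the signing one.
            problems.append("server Certificate carries %r, expected [%s, %s]" % (m.get("certs"), ENC, SIGN))
        if m["msg"] == "ServerKeyExchange" and m.get("suite") == "ECC_SM4_SM3":
            # The server's signature must cover both randoms and its encryption certificate.
            if m.get("signed_over") != ["client_random", "server_random", "encryption_cert"]:
                problems.append("ServerKeyExchange signature does not cover both randoms and the encryption cert")
    return problems


# Constructed sample: one-way auth, correct except the signing cert is sent first.
SAMPLE = [
    {"from": "client", "msg": "ClientHello"},
    {"from": "server", "msg": "ServerHello"},
    {"from": "server", "msg": "Certificate", "certs": [SIGN, ENC]},
    {"from": "server", "msg": "ServerKeyExchange", "suite": "ECC_SM4_SM3",
     "signed_over": ["client_random", "server_random", "encryption_cert"]},
    {"from": "client", "msg": "ClientKeyExchange"},
    {"from": "client", "msg": "ChangeCipherSpec"},
    {"from": "client", "msg": "Finished"},
    {"from": "server", "msg": "ChangeCipherSpec"},
    {"from": "server", "msg": "Finished"},
]
```

Running `check_transcript(SAMPLE)` reports only the certificate-order problem; swapping the two certificates back makes it return an empty list.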

I wonder how you feel after reading it? Not enough, a mix of feelings, or a little charmed? It doesn't matter. None of that matters! What matters is this: what problems does the SSL/TLS protocol solve, and how does this process ensure data security? Let's talk about that next time!

Tanlang: Original

