CN113746807A - Block chain node point support cryptographic algorithm communication detection method - Google Patents

Info

Publication number: CN113746807A
Authority: CN (China)
Prior art keywords: password, suite, national, server, algorithm
Legal status: Pending
Application number: CN202110920367.5A
Other languages: Chinese (zh)
Inventors: 于震, 郑丽艳
Current Assignee: Beiyin Financial Technology Co ltd
Original Assignee: Beiyin Financial Technology Co ltd
Priority date / Filing date: 2021-08-11
Publication date: 2021-12-03
Events: application filed by Beiyin Financial Technology Co ltd; priority to CN202110920367.5A; publication as CN113746807A; legal status Pending.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/166 Implementing security features at a particular protocol layer at the transport layer
    • H04L 63/168 Implementing security features at a particular protocol layer above the transport layer
    • H04L 63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Technology Law (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a communication detection method for determining whether a blockchain node supports the national cryptographic algorithms, comprising the following steps: acquiring the IP (Internet Protocol) address and port number of the running server to be detected, together with the designated national cryptographic algorithm cipher suite information to be sent, where that information comprises a code and a name; parsing the national cryptographic algorithm cipher suite information to obtain a parsing result; packaging the code of the national cryptographic algorithm cipher suite into an SSL/TLS protocol data packet to obtain an encapsulated protocol packet; sending the encapsulated protocol packet to the server and port; and recording and parsing the data packets returned for the encapsulated protocol packet. By repeating the request with different algorithms, all cipher suites supported by the current server node can be determined quickly and accurately.

Description

Block chain node point support cryptographic algorithm communication detection method
Technical Field
The invention relates to the field of communication, and in particular to a communication detection method for determining whether a blockchain node supports the national cryptographic algorithms.
Background
The national cryptographic algorithms are the domestic cryptographic algorithms recognised by the State Cryptography Administration; the main ones are SM1, SM2, SM3 and SM4. The key length and the block length are both 128 bits. The national cryptographic algorithms are faster and more secure than the general-purpose cryptographic algorithms used internationally. The country is gradually advancing the migration of systems to the national cryptographic algorithms. A blockchain is built on cryptographic algorithm technology, and in its encryption part the migration to national cryptography is carried out by the underlying layer of some blockchains. At present there is no standard method for verifying that a system has completed this migration. To meet the national requirements on national cryptography and security, a scheme and method are needed for detecting whether a blockchain has been migrated to the national cryptographic algorithms.
A blockchain is a peer-to-peer network technology that realises a distributed network. Communication among its nodes is carried over the SSL or TLS protocol, and data security is ensured by cryptographic algorithms. The cipher suites that can be used are determined during the protocol handshake, so it can be determined from the handshake whether both the client and the server have been migrated to the national cryptographic algorithms.
The Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are security protocols that provide confidentiality and data integrity for network communications. TLS and SSL encrypt the network connection between the transport layer and the application layer.
In the prior art, Wireshark and tcpdump can capture network packets on a monitored port. The client sends its list of supported cipher suites in the handshake phase, but the server accepts only one cipher suite in that handshake, so whether the server supports other cipher suites cannot be learned from the capture. Verifying multiple algorithms therefore requires modifying the configuration many times and restarting the server node each time.
Disclosure of Invention
In view of the above problems, the present invention provides a communication detection method for determining whether a blockchain node supports the national cryptographic algorithms, which overcomes or at least partially solves the above problems. The detection method comprises:
acquiring the IP (Internet Protocol) address and port number of the running server to be detected, together with the designated national cryptographic algorithm cipher suite information to be sent, where that information comprises a code and a name;
parsing the national cryptographic algorithm cipher suite information to obtain a parsing result;
packaging the code of the national cryptographic algorithm cipher suite into an SSL/TLS protocol data packet to obtain an encapsulated protocol packet;
sending the encapsulated protocol packet to the server and port;
and recording and parsing the data packets returned for the encapsulated protocol packet.
Optionally, parsing the national cryptographic algorithm cipher suite information to obtain a parsing result specifically includes:
parsing the cipher suite information; if it is a cipher suite code, judging whether that code exists in the national cryptographic algorithm cipher suite list and, if so, packaging the code into the SSL/TLS protocol data packet; otherwise outputting a "no such code" error;
if it is a cipher suite name, judging whether that name exists in the national cryptographic algorithm cipher suite list and, if so, converting the name into the corresponding cipher suite code; otherwise outputting a "no such code" error.
Optionally, recording and parsing the data packets returned for the encapsulated protocol packet specifically includes:
if the cipher suite code in the Server Hello packet matches the requested national cryptographic algorithm cipher suite, judging that the server supports the current national cryptographic algorithm;
and if the cipher suite code in the Server Hello packet does not match the requested national cryptographic algorithm cipher suite, judging that the server does not support the current national cryptographic algorithm.
The invention further provides a method for analysing all national cryptographic algorithm cipher suites supported by a server, comprising the following steps:
receiving the IP (Internet Protocol) address and port number of the running server to be detected;
packaging the designated cipher suite code into an SSL/TLS protocol data packet;
sending the encapsulated protocol data packet to the designated server and port and, if a protocol data packet of type Server Hello is received, proceeding to the next step;
if a protocol data packet of a type other than Server Hello is received, discarding it and continuing to wait;
recording and parsing the received data packet: if the cipher suite code in the Server Hello packet matches the requested national cryptographic algorithm cipher suite, judging that the server supports the current national cryptographic algorithm; if it does not match, judging that the server does not support the current national cryptographic algorithm.
According to an aspect of the present invention, there is provided an analysis system for all national cryptographic algorithm cipher suites supported by a server, the analysis system comprising:
a request module, which sends a Secure Sockets Layer / Transport Layer Security protocol request to the server in the identity of a client;
a parsing module, which encapsulates or parses Secure Sockets Layer / Transport Layer Security protocol data packets;
a cipher suite module, which holds the correspondence between the codes and names of all international general-purpose cipher suites and national cryptographic algorithm cipher suites;
and an input/output module, which receives the input parameters and outputs the result.
The invention provides a communication detection method for determining whether a blockchain node supports the national cryptographic algorithms: it actively sends to the server node a Secure Sockets Layer / Transport Layer Security protocol request that restricts the communication to a national cryptographic algorithm, and determines from the success or failure of that request whether the current server node supports the algorithm. By repeating the request with different algorithms, all cipher suites supported by the current server node can be determined quickly and accurately. This further proves that the underlying technology has been migrated to national cryptography, without shutting down and restarting the running server nodes.
The foregoing is only an overview of the technical solutions of the present invention; the embodiments of the present invention are described below so that the technical means of the invention can be understood more clearly, and so that the above and other objects, features and advantages become more readily understandable.
Drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a communication detection method for determining whether a blockchain node supports the national cryptographic algorithms according to an embodiment of the present invention;
Fig. 2 is a schematic composition diagram of the analysis system for all national cryptographic algorithm cipher suites supported by a server according to the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
The terms "comprises" and "comprising," and any variations thereof, in the present description and claims and drawings are intended to cover a non-exclusive inclusion, such as a list of steps or elements.
The technical solution of the present invention is further described in detail with reference to the accompanying drawings and embodiments.
Example 1
As shown in Fig. 2, the input/output module receives the data entered by the user, for example: server IP 172.16.0.1, port number 10000, and national cryptographic algorithm cipher suite ECDHE_SM4_SM3.
The cipher suite module parses the input data and converts the cipher suite name into a cipher suite code, for example: ECDHE_SM4_SM3 → 0xE011.
The parsing module encapsulates 0xE011 into the Cipher Suites field of an SSL/TLS protocol packet whose handshake type is Client Hello (handshake type code 0x01), for example: [0xE011].
The request module takes the protocol packet, sends it to the designated server (172.16.0.1) and port (10000), and waits for the returned data.
When a protocol packet with handshake type value 0x02, i.e. a Server Hello packet, is received, the connection is closed immediately and the packet is passed to the parsing module.
The Server Hello packet is parsed, the Cipher Suite field is located and the cipher suite code is extracted, here 0xE011. Since the current cipher suite code (0xE011) equals the value in the cipher suite list sent in the Client Hello (0xE011), the input/output module is called with the parameter "supported".
The input/output module displays that the national cryptographic algorithm cipher suite ECDHE_SM4_SM3 is supported.
Example 2
The input/output module receives the server IP parameter 172.16.0.1 and the port number 10000.
The cipher suite module iterates over a cipher suite code list (for example [0xE013, 0xE011]); say 0xE013 is currently selected.
The parsing module encapsulates 0xE013 into the Cipher Suites field of an SSL/TLS protocol packet whose handshake type is Client Hello (handshake type code 0x01), for example: [0xE013].
The request module takes the protocol packet, sends it to the designated server (172.16.0.1) and port (10000), and waits for the returned data.
When a protocol packet with handshake type value 0x02, i.e. a Server Hello packet, is received, the connection is closed and the packet is passed to the parsing module.
The Server Hello packet is parsed, the Cipher Suite field is located and the cipher suite code is extracted; if the code is not 0xE013, or the packet is in error, the input/output module is called with the parameter "not supported".
The input/output module displays that the national cryptographic algorithm cipher suite ECC_SM4_SM3 is not supported, and the next cipher suite code is selected, for example 0xE011.
The parsing module encapsulates 0xE011 into the Cipher Suites field of an SSL/TLS protocol packet whose handshake type is Client Hello (handshake type code 0x01), for example: [0xE011].
The request module takes the protocol packet, sends it to the designated server (172.16.0.1) and port (10000), and waits for the returned data.
When a protocol packet with handshake type value 0x02, i.e. a Server Hello packet, is received, the connection is closed immediately and the packet is passed to the parsing module.
The Server Hello packet is parsed and the cipher suite code is extracted, for example 0xE011.
Since the current cipher suite code (0xE011) equals the value in the cipher suite list sent in the Client Hello (0xE011), the input/output module is called with the parameter "supported".
The input/output module displays that the national cryptographic algorithm cipher suite ECDHE_SM4_SM3 is supported.
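The detection procedure set out in the disclosure and walked through in Examples 1 and 2 (resolve the cipher suite name or code, offer that single suite in a Client Hello, send it, parse the Server Hello, compare the echoed code) is shown below as an added Python example. It is not code from the patent or its applicant. The suite names and codes ECDHE_SM4_SM3 = 0xE011 and ECC_SM4_SM3 = 0xE013 are taken from the examples above; the record layouts follow the standard TLS handshake format; the protocol version is a parameter because the page does not specify one; and the simulated server and the alert record are constructed here so that the Example 2 scan runs offline. The `probe` function performs the live exchange against a host and port the operator supplies and closes the connection as soon as the first record is read, as Example 1 describes.

```python
"""Check which national (SM) cipher suites a TLS server accepts by offering
exactly one suite per Client Hello and reading the Server Hello.
Added example; not the patent's own code."""
import os
import socket
import struct
from typing import Callable, Dict, List, Optional, Union

# Name <-> code table of the two national cipher suites named in the page's
# examples (the "cipher suite module" of the described system).
SM_SUITES: Dict[str, int] = {"ECDHE_SM4_SM3": 0xE011, "ECC_SM4_SM3": 0xE013}
CODE_TO_NAME: Dict[int, str] = {v: k for k, v in SM_SUITES.items()}

RECORD_HANDSHAKE, RECORD_ALERT = 0x16, 0x15
HS_CLIENT_HELLO, HS_SERVER_HELLO = 0x01, 0x02
# Constructed fatal handshake_failure alert: the usual answer from a server
# that supports none of the offered suites.
ALERT_HANDSHAKE_FAILURE = bytes([RECORD_ALERT, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28])


def resolve_suite(info: Union[str, int]) -> Optional[int]:
    """Cipher suite module: accept a name ("ECDHE_SM4_SM3") or a code (0xE011
    or "0xE011") and return the code, or None when it is not in the national
    cipher suite list (the page's "no such code" error)."""
    if isinstance(info, int):
        return info if info in CODE_TO_NAME else None
    if info in SM_SUITES:
        return SM_SUITES[info]
    try:
        code = int(info, 16)
    except ValueError:
        return None
    return code if code in CODE_TO_NAME else None


def build_client_hello(code: int, version: bytes = b"\x03\x03") -> bytes:
    """Parsing module, encapsulation side: a Client Hello record offering only
    `code`. version defaults to TLS 1.2; TLCP (GM/T 0024) servers expect 0x0101."""
    body = (version + os.urandom(32)        # client_version, random
            + b"\x00"                        # empty session_id
            + struct.pack(">HH", 2, code)    # cipher_suites: one 2-byte entry
            + b"\x01\x00")                   # compression_methods: null only
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE]) + version + struct.pack(">H", len(handshake)) + handshake


def client_hello_suites(record: bytes) -> List[int]:
    """Cipher suite codes offered in a Client Hello built as above."""
    body = record[9:]            # skip 5-byte record header and 4-byte handshake header
    off = 35 + body[34]          # version(2) + random(32) + session_id_len(1) + session_id
    count = struct.unpack(">H", body[off:off + 2])[0] // 2
    return list(struct.unpack(">%dH" % count, body[off + 2:off + 2 + 2 * count]))


def parse_server_hello(data: bytes) -> Optional[int]:
    """Parsing module, decode side: the cipher suite the server selected, or
    None when the reply is not a Server Hello (alert, empty read, garbage)."""
    if len(data) < 9 or data[0] != RECORD_HANDSHAKE or data[5] != HS_SERVER_HELLO:
        return None
    body = data[9:9 + int.from_bytes(data[6:9], "big")]
    if len(body) < 35:
        return None
    off = 35 + body[34]          # skip version, random, session_id
    if len(body) < off + 2:
        return None
    return struct.unpack(">H", body[off:off + 2])[0]


def judge(requested: int, reply: bytes) -> bool:
    """Supported iff the Server Hello echoes exactly the requested code."""
    return parse_server_hello(reply) == requested


def scan_suites(send: Callable[[bytes], bytes], codes: List[int]) -> Dict[int, bool]:
    """Example 2 loop: a fresh Client Hello per code, one verdict per code."""
    return {code: judge(code, send(build_client_hello(code))) for code in codes}


def probe(host: str, port: int, code: int, timeout: float = 5.0) -> bool:
    """Request module: live exchange with a real server; the connection is
    closed as soon as the first record has been read."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(code))
        reply = sock.recv(4096)
    return judge(code, reply)


def make_server_hello(code: int, version: bytes = b"\x03\x03") -> bytes:
    """Constructed Server Hello for offline use (stands in for the server)."""
    body = version + bytes(32) + b"\x00" + struct.pack(">H", code) + b"\x00"
    handshake = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE]) + version + struct.pack(">H", len(handshake)) + handshake


def simulated_server(supported: set) -> Callable[[bytes], bytes]:
    """Constructed stand-in server: answers with the first offered suite it
    supports, otherwise with a fatal handshake_failure alert."""
    def respond(client_hello: bytes) -> bytes:
        for code in client_hello_suites(client_hello):
            if code in supported:
                return make_server_hello(code)
        return ALERT_HANDSHAKE_FAILURE
    return respond


if __name__ == "__main__":
    server = simulated_server({0xE011})   # supports ECDHE_SM4_SM3 only, as in Example 2
    for code, ok in scan_suites(server, [0xE013, 0xE011]).items():
        print(f"{CODE_TO_NAME[code]} (0x{code:04X}): {'supported' if ok else 'not supported'}")
```

Run stand-alone, the script reproduces Example 2 against the constructed server: ECC_SM4_SM3 is reported as not supported and ECDHE_SM4_SM3 as supported. Against a real node, `scan_suites(lambda ch: send_and_read(ch), codes)` with a small socket wrapper, or `probe(host, port, code)` per suite, gives the same verdicts without touching the node's configuration. Note that a server which answers with a suite that was not offered is treated as "not supported" for the requested code, which is the rule the page states for a mismatched Server Hello.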
Advantages: the method can actively send a protocol request packet and show whether a server node (including but not limited to a blockchain node) supports communication with a given national cryptographic algorithm;
by sending different national cryptographic algorithm cipher suite codes in turn, the method can rapidly enumerate all national cryptographic algorithm cipher suites supported by the server node (including but not limited to a blockchain node).
The above embodiments are provided to further explain the objects, technical solutions and advantages of the present invention in detail, it should be understood that the above embodiments are merely exemplary embodiments of the present invention and are not intended to limit the scope of the present invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (5)

1. A communication detection method for determining whether a blockchain node supports the national cryptographic algorithms, characterised in that it comprises the following steps:
acquiring the IP (Internet Protocol) address and port number of the running server to be detected, together with the designated national cryptographic algorithm cipher suite information to be sent, where that information comprises a code and a name;
parsing the national cryptographic algorithm cipher suite information to obtain a parsing result;
packaging the code of the national cryptographic algorithm cipher suite into an SSL/TLS protocol data packet to obtain an encapsulated protocol packet;
sending the encapsulated protocol packet to the server and port;
and recording and parsing the data packets returned for the encapsulated protocol packet.
2. The method according to claim 1, wherein parsing the national cryptographic algorithm cipher suite information to obtain a parsing result specifically includes:
parsing the cipher suite information; if it is a cipher suite code, judging whether that code exists in the national cryptographic algorithm cipher suite list and, if so, packaging the code into the SSL/TLS protocol data packet; otherwise outputting a "no such code" error;
if it is a cipher suite name, judging whether that name exists in the national cryptographic algorithm cipher suite list and, if so, converting the name into the corresponding cipher suite code; otherwise outputting a "no such code" error.
3. The method according to claim 1, wherein recording and parsing the data packets returned for the encapsulated protocol packet specifically comprises:
if the cipher suite code in the Server Hello packet matches the requested national cryptographic algorithm cipher suite, judging that the server supports the current national cryptographic algorithm;
and if the cipher suite code in the Server Hello packet does not match the requested national cryptographic algorithm cipher suite, judging that the server does not support the current national cryptographic algorithm.
4. A method for analysing all national cryptographic algorithm cipher suites supported by a server, characterised in that it comprises the following steps:
receiving the IP (Internet Protocol) address and port number of the running server to be detected;
packaging the designated cipher suite code into an SSL/TLS protocol data packet;
sending the encapsulated protocol data packet to the designated server and port and, if a protocol data packet of type Server Hello is received, proceeding to the next step;
if a protocol data packet of a type other than Server Hello is received, discarding it and continuing to wait;
recording and parsing the received data packet: if the cipher suite code in the Server Hello packet matches the requested national cryptographic algorithm cipher suite, judging that the server supports the current national cryptographic algorithm; if it does not match, judging that the server does not support the current national cryptographic algorithm.
5. An analysis system for all national cryptographic algorithm cipher suites supported by a server, the analysis system comprising:
a request module, which sends a Secure Sockets Layer / Transport Layer Security protocol request to the server in the identity of a client;
a parsing module, which encapsulates or parses Secure Sockets Layer / Transport Layer Security protocol data packets;
a cipher suite module, which holds the correspondence between the codes and names of all international general-purpose cipher suites and national cryptographic algorithm cipher suites;
and an input/output module, which receives the input parameters and outputs the result.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110920367.5A CN113746807A (en) 2021-08-11 2021-08-11 Block chain node point support cryptographic algorithm communication detection method

Publications (1)

Publication Number Publication Date
CN113746807A true CN113746807A (en) 2021-12-03

Family

ID=78730751

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110920367.5A Pending CN113746807A (en) 2021-08-11 2021-08-11 Block chain node point support cryptographic algorithm communication detection method

Country Status (1)

Country Link
CN (1) CN113746807A (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1710985A (en) * 2005-06-30 2005-12-21 中国科学院计算技术研究所 Enciphered consulating method for speech-sound communication in grouped network
CN101567880A (en) * 2008-04-21 2009-10-28 成都市华为赛门铁克科技有限公司 Method, device and system for encryption suite selection
WO2017045552A1 (en) * 2015-09-15 2017-03-23 阿里巴巴集团控股有限公司 Method and device for loading digital certificate in ssl or tls communication
CN108566361A (en) * 2018-01-05 2018-09-21 武汉信安珞珈科技有限公司 A kind of safety parameter negotiation method and system based on SSL/TLS agreements
CN109067803A (en) * 2018-10-10 2018-12-21 深信服科技股份有限公司 A kind of SSL/TLS encryption and decryption communication means, device and equipment
CN109905239A (en) * 2019-03-07 2019-06-18 亚数信息科技(上海)有限公司 A kind of certificate management method and device
CN110380852A (en) * 2019-07-22 2019-10-25 中国联合网络通信集团有限公司 Mutual authentication method and communication system
CN112217833A (en) * 2020-10-21 2021-01-12 新华三信息安全技术有限公司 Secure socket protocol unloading method and device, storage medium and electronic equipment

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115396240A (en) * 2022-10-28 2022-11-25 豪符密码检测技术(成都)有限责任公司 Method, system and storage medium for luring and detecting state secret SSL protocol
CN115396240B (en) * 2022-10-28 2023-01-24 豪符密码检测技术(成都)有限责任公司 Method, system and storage medium for luring and detecting state secret SSL protocol

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20211203