CN113746807A - Block chain node point support cryptographic algorithm communication detection method - Google Patents
Block chain node point support cryptographic algorithm communication detection method
- Publication number: CN113746807A (application CN202110920367.5A)
- Authority: CN (China)
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/166—Implementing security features at a particular protocol layer at the transport layer
- H04L63/168—Implementing security features at a particular protocol layer above the transport layer
- H04L63/30—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
Abstract
The invention provides a method for detecting whether a blockchain node supports communication with national cryptographic (SM) algorithms, comprising the following steps: obtaining the IP address and port number of the running server to be tested, together with the designated national cryptographic cipher suite information to be sent, where that information is a cipher suite code or a cipher suite name; parsing the national cryptographic cipher suite information to obtain a parsing result; encapsulating the national cryptographic cipher suite code into an SSL/TLS protocol packet to obtain an encapsulated protocol packet; sending the encapsulated protocol packet to the server and port; and recording and parsing the packets returned in reply to the encapsulated protocol packet. By repeating the request with different algorithms, all cipher suites supported by the current server node can be determined quickly and accurately.
Description
Technical Field
The invention relates to the field of communication, in particular to a method for detecting whether a blockchain node supports communication with national cryptographic algorithms.
Background
The national cryptographic algorithms (guomi) are the domestic cryptographic algorithms recognised by the State Cryptography Administration, mainly SM1, SM2, SM3 and SM4; the key length and block length are both 128 bits. The national cryptographic algorithms are faster and more secure than the general-purpose cryptographic algorithms used internationally. The country is gradually advancing the work of national cryptographic transformation. A blockchain is built on cryptographic algorithm technology, and for the encryption part, the transformation to national algorithms has been completed at the bottom layer of some blockchains. There is currently no standard method for verifying that a system has completed this transformation. To meet the national requirements for cryptographic security, a scheme and method for detecting whether a blockchain has been transformed to national cryptography is needed.
A blockchain is a peer-to-peer network technology that implements a distributed network. Communication among its nodes is carried over the SSL or TLS protocol, and data security is ensured by cryptographic algorithms. The cryptographic algorithms that can be used are determined during the protocol handshake, from which it can be determined whether both the client and the server have been transformed to national cryptography.
The Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are security protocols that provide confidentiality and data integrity for network communication. TLS and SSL encrypt the network connection between the transport layer and the application layer.
In the prior art, Wireshark and tcpdump can capture network packet information from a monitored port. The client sends its list of supported cipher suites in the handshake phase, but the server accepts only one cipher suite in the handshake, so it cannot be learned whether the server supports other algorithms; if multiple algorithms need to be verified, the configuration has to be modified many times and the server node restarted each time.
Disclosure of Invention
In view of the above problems, the present invention provides a method for detecting whether a blockchain node supports communication with national cryptographic algorithms that overcomes or at least partially solves the above problems. The detection method comprises:
obtaining the IP address and port number of the running server to be tested, together with the designated national cryptographic cipher suite information to be sent, where that information is a cipher suite code or a cipher suite name;
parsing the national cryptographic cipher suite information to obtain a parsing result;
encapsulating the national cryptographic cipher suite code into an SSL/TLS protocol packet to obtain an encapsulated protocol packet;
sending the encapsulated protocol packet to the server and port;
and recording and parsing the packets returned in reply to the encapsulated protocol packet.
Optionally, parsing the national cryptographic cipher suite information to obtain a parsing result specifically includes:
parsing the cipher suite information; if it is a cipher suite code, checking whether that code exists in the national cryptographic cipher suite list, and if so, encapsulating the code into an SSL/TLS protocol packet; otherwise outputting a 'no such code' error;
if it is a cipher suite name, checking whether that name exists in the national cryptographic cipher suite list, and if so, converting the name into the corresponding cipher suite code; otherwise outputting a 'no such code' error.
Optionally, recording and parsing the packets returned in reply specifically includes:
if the cipher suite code in the Server Hello packet matches the requested national cryptographic cipher suite, judging that the server supports the current national cryptographic algorithm;
and if the cipher suite code in the Server Hello packet does not match the requested national cryptographic cipher suite, judging that the server does not support the current national cryptographic algorithm.
The invention also provides a method for analysing all national cryptographic cipher suites supported by a server, comprising the following steps:
receiving the IP address and port number of the running server to be tested;
encapsulating the designated cipher suite code into an SSL/TLS protocol packet;
sending the encapsulated protocol packet to the designated server and port, and proceeding to the next step if a protocol packet of type Server Hello is received;
if a protocol packet of a type other than Server Hello is received, discarding it and continuing to wait;
recording and parsing the received packet: if the cipher suite code in the Server Hello packet matches the requested national cryptographic cipher suite, judging that the server supports the current national cryptographic algorithm; and if the cipher suite code in the Server Hello packet does not match the requested national cryptographic cipher suite, judging that the server does not support the current national cryptographic algorithm.
According to one aspect of the present invention, there is provided an analysis system for all national cryptographic cipher suites supported by a server, the analysis system comprising:
a request module for sending a Secure Sockets Layer/Transport Layer Security protocol request to the server in the role of a client;
a parsing module for encapsulating or parsing Secure Sockets Layer/Transport Layer Security protocol packets;
a cipher suite module containing the correspondence between the codes and names of all internationally common cipher suites and national cryptographic cipher suites;
and an input/output module for receiving the input parameters and outputting the result.
The invention provides a method for detecting whether blockchain nodes support communication with national cryptographic algorithms. By actively sending a Secure Sockets Layer/Transport Layer Security protocol request to the server node that restricts communication to a national cryptographic algorithm, it determines whether the current server node supports that algorithm from the success or failure of the request. By repeating the request with different algorithms, all cipher suites supported by the current server node can be determined quickly and accurately. This further proves that the underlying technology has been transformed to national cryptography, and the running server nodes do not need to be shut down and restarted.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a flowchart of the method for detecting whether a blockchain node supports national cryptographic algorithm communication according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the composition of the analysis system for all national cryptographic cipher suites supported by a server according to the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
The terms "comprises" and "comprising," and any variations thereof, in the present description and claims and drawings are intended to cover a non-exclusive inclusion, such as a list of steps or elements.
The technical solution of the present invention is further described in detail with reference to the accompanying drawings and embodiments.
Example 1
As shown in Fig. 2, the input/output module receives data entered by the user, for example: server IP 172.16.0.1, port number 10000, and national cryptographic cipher suite ECDHE_SM4_SM3.
The cipher suite module parses the input and converts the cipher suite name into a cipher suite code, e.g. ECDHE_SM4_SM3 -> 0xE011.
The parsing module encapsulates 0xE011 into the Cipher Suites field of an SSL/TLS protocol packet (handshake type Client Hello, code 0x01), e.g. [0xE011].
The request module receives the protocol packet, sends it to the designated server (172.16.0.1) and port (10000), and waits for the reply.
When a protocol packet with handshake type value 0x02, i.e. a Server Hello, is received, the connection is immediately closed and the packet is passed to the parsing module.
The Server Hello packet is parsed, the Cipher Suite field is located and the cipher suite code is extracted: 0xE011. Since the current cipher suite code (0xE011) equals the value in the cipher suite list sent in the Client Hello (0xE011), the input/output module is called with the parameter 'supported'.
The input/output module displays that the national cryptographic algorithm ECDHE_SM4_SM3 is supported.
Example 2
The input/output module receives the server IP parameter 172.16.0.1 and the port number 10000.
The cipher suite module iterates over a cipher suite code list (e.g. [0xE013, 0xE011]); for example, 0xE013 is selected first.
The parsing module encapsulates 0xE013 into the Cipher Suites field of an SSL/TLS protocol packet (handshake type Client Hello, code 0x01), e.g. [0xE013].
The request module receives the protocol packet, sends it to the designated server (172.16.0.1) and port (10000), and waits for the reply.
When a protocol packet with handshake type value 0x02, i.e. a Server Hello, is received, the connection is closed and the packet is passed to the parsing module.
The Server Hello packet is parsed, the Cipher Suite field is located and the cipher suite code is extracted; if the code is not 0xE013, or is erroneous, the input/output module is called with the parameter 'not supported'.
The input/output module displays that the national cryptographic algorithm ECC_SM4_SM3 is not supported; the next cipher suite code is then selected, e.g. 0xE011.
The parsing module encapsulates 0xE011 into the Cipher Suites field of an SSL/TLS protocol packet (handshake type Client Hello, code 0x01), e.g. [0xE011].
The request module receives the protocol packet, sends it to the designated server (172.16.0.1) and port (10000), and waits for the reply.
When a protocol packet with handshake type value 0x02, i.e. a Server Hello, is received, the connection is immediately closed and the packet is passed to the parsing module.
The Server Hello packet is parsed and the cipher suite code is extracted, e.g. 0xE011.
Since the current cipher suite code (0xE011) equals the value in the cipher suite list sent in the Client Hello (0xE011), the input/output module is called with the parameter 'supported'.
The input/output module displays that the national cryptographic algorithm ECDHE_SM4_SM3 is supported.
Advantages: the method can actively send a protocol request packet and display whether a server node (including but not limited to a blockchain node) supports communication with a given national cryptographic algorithm;
by trying different national cryptographic cipher suite codes multiple times, the method can rapidly analyse all national cryptographic cipher suites supported by the server node (including but not limited to a blockchain node).
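The probe that the disclosed method and Examples 1 and 2 describe (one Client Hello per candidate suite, then a check of the suite chosen in the Server Hello), as an added example in Python; this is not code from the patent. It assumes the GM/T 0024 (TLCP) record and handshake version bytes 0x0101 and a minimal Client Hello without extensions, uses the two suite codes and the host/port from the page's examples, and goes one step beyond the page by treating a TLS Alert record as a negative answer instead of waiting for a timeout.

```python
import socket
import struct

# Cipher suite codes named on the page (GM/T 0024); the name-to-code direction
# is what the page's cipher suite module performs.
GM_SUITES = {"ECDHE_SM4_SM3": 0xE011, "ECC_SM4_SM3": 0xE013}
GM_SUITES_BY_CODE = {code: name for name, code in GM_SUITES.items()}

TLCP_VERSION = b"\x01\x01"            # assumption: GM/T 0024 protocol version 1.1
CONTENT_HANDSHAKE, CONTENT_ALERT = 0x16, 0x15
HS_CLIENT_HELLO, HS_SERVER_HELLO = 0x01, 0x02
PENDING = object()                     # sentinel: no decisive record received yet


def resolve_suite(info):
    """Step 2 of the method: accept a code (int) or a name (str) and return the
    code, or raise the page's 'no such code' error if it is not in the list."""
    if isinstance(info, int):
        if info not in GM_SUITES_BY_CODE:
            raise ValueError("no such code: 0x%04X" % info)
        return info
    if info not in GM_SUITES:
        raise ValueError("no such cipher suite name: %s" % info)
    return GM_SUITES[info]


def build_client_hello(code, client_random=bytes(32)):
    """Step 3: one Client Hello record offering exactly the one suite under test."""
    body = (TLCP_VERSION + client_random + b"\x00"   # version, random, empty session id
            + struct.pack(">HH", 2, code)             # cipher_suites: 2 bytes, one entry
            + b"\x01\x00")                            # compression_methods: null only
    hs = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE]) + TLCP_VERSION + struct.pack(">H", len(hs)) + hs


def build_server_hello(code, server_random=bytes(32), session_id=b""):
    """A Server Hello record as a server would answer. Constructed here so the
    parser can be exercised offline; it is not a captured packet."""
    body = (TLCP_VERSION + server_random + bytes([len(session_id)]) + session_id
            + struct.pack(">H", code) + b"\x00")      # chosen suite, null compression
    hs = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE]) + TLCP_VERSION + struct.pack(">H", len(hs)) + hs


def selected_suite(data):
    """Step 5: walk the records received so far. Returns the suite code chosen in
    the Server Hello, None if the server answered with an Alert (it refused the
    offered suite), or PENDING if no decisive record has arrived yet."""
    off = 0
    while off + 5 <= len(data):
        ctype = data[off]
        rlen = struct.unpack(">H", data[off + 3:off + 5])[0]
        rec = data[off + 5:off + 5 + rlen]
        if len(rec) < rlen:
            break                                   # record not fully received yet
        off += 5 + rlen
        if ctype == CONTENT_ALERT:
            return None                             # beyond the page: alert means refusal
        if ctype != CONTENT_HANDSHAKE or not rec or rec[0] != HS_SERVER_HELLO:
            continue                                # page's rule: discard, keep waiting
        body = rec[4:]                              # skip handshake type + 3-byte length
        sid_len = body[34]                          # version(2) + random(32) precede it
        return struct.unpack(">H", body[35 + sid_len:37 + sid_len])[0]
    return PENDING


def judge(requested, selected):
    """The page's decision: supported only if the server chose exactly what was offered."""
    return selected is not None and selected is not PENDING and selected == requested


def probe(host, port, suite_info, timeout=5.0):
    """Steps 1-5 against a live node; returns True/False. Only the Server Hello is
    needed, so the connection is closed as soon as a decision exists (Example 1)."""
    code = resolve_suite(suite_info)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(code))
        buf = b""
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                return False
            if not chunk:
                return False                        # closed without a Server Hello
            buf += chunk
            result = selected_suite(buf)
            if result is not PENDING:
                return judge(code, result)


if __name__ == "__main__":
    # Example 2's loop: try each suite in turn against the node named on the page.
    for name in GM_SUITES:
        try:
            print(name, "supported" if probe("172.16.0.1", 10000, name) else "not supported")
        except OSError as exc:
            print(name, "error:", exc)
```

The parser takes the first Server Hello even when the server packs several handshake messages into one record, which is enough for this check; a server that simply closes the connection is reported as not supporting the suite.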
The above embodiments are provided to further explain the objects, technical solutions and advantages of the present invention in detail, it should be understood that the above embodiments are merely exemplary embodiments of the present invention and are not intended to limit the scope of the present invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.
Claims (5)
1. A method for detecting whether a blockchain node supports communication with national cryptographic algorithms, characterised by comprising the following steps:
obtaining the IP address and port number of the running server to be tested, together with the designated national cryptographic cipher suite information to be sent, where that information is a cipher suite code or a cipher suite name;
parsing the national cryptographic cipher suite information to obtain a parsing result;
encapsulating the national cryptographic cipher suite code into an SSL/TLS protocol packet to obtain an encapsulated protocol packet;
sending the encapsulated protocol packet to the server and port;
and recording and parsing the packets returned in reply to the encapsulated protocol packet.
2. The method for detecting whether a blockchain node supports communication with national cryptographic algorithms according to claim 1, wherein parsing the national cryptographic cipher suite information to obtain a parsing result specifically includes:
parsing the cipher suite information; if it is a cipher suite code, checking whether that code exists in the national cryptographic cipher suite list, and if so, encapsulating the code into an SSL/TLS protocol packet; otherwise outputting a 'no such code' error;
if it is a cipher suite name, checking whether that name exists in the national cryptographic cipher suite list, and if so, converting the name into the corresponding cipher suite code; otherwise outputting a 'no such code' error.
3. The method according to claim 1, wherein recording and parsing the packets returned in reply to the encapsulated protocol packet specifically comprises:
if the cipher suite code in the Server Hello packet matches the requested national cryptographic cipher suite, judging that the server supports the current national cryptographic algorithm;
and if the cipher suite code in the Server Hello packet does not match the requested national cryptographic cipher suite, judging that the server does not support the current national cryptographic algorithm.
4. A method for analysing all national cryptographic cipher suites supported by a server, characterised by comprising the following steps:
receiving the IP address and port number of the running server to be tested;
encapsulating the designated cipher suite code into an SSL/TLS protocol packet;
sending the encapsulated protocol packet to the designated server and port, and proceeding to the next step if a protocol packet of type Server Hello is received;
if a protocol packet of a type other than Server Hello is received, discarding it and continuing to wait;
recording and parsing the received packet: if the cipher suite code in the Server Hello packet matches the requested national cryptographic cipher suite, judging that the server supports the current national cryptographic algorithm; and if the cipher suite code in the Server Hello packet does not match the requested national cryptographic cipher suite, judging that the server does not support the current national cryptographic algorithm.
5. An analysis system for all national cryptographic cipher suites supported by a server, the analysis system comprising:
a request module for sending a Secure Sockets Layer/Transport Layer Security protocol request to the server in the role of a client;
a parsing module for encapsulating or parsing Secure Sockets Layer/Transport Layer Security protocol packets;
a cipher suite module containing the correspondence between the codes and names of all internationally common cipher suites and national cryptographic cipher suites;
and an input/output module for receiving the input parameters and outputting the result.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110920367.5A CN113746807A (en) | 2021-08-11 | 2021-08-11 | Block chain node point support cryptographic algorithm communication detection method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113746807A true CN113746807A (en) | 2021-12-03 |
Family ID: 78730751
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113746807A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115396240A (en) * | 2022-10-28 | 2022-11-25 | 豪符密码检测技术(成都)有限责任公司 | Method, system and storage medium for luring and detecting state secret SSL protocol |
CN115396240B (en) * | 2022-10-28 | 2023-01-24 | 豪符密码检测技术(成都)有限责任公司 | Method, system and storage medium for detecting and detecting national secret SSL protocol |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1710985A (en) * | 2005-06-30 | 2005-12-21 | 中国科学院计算技术研究所 | Enciphered consulating method for speech-sound communication in grouped network |
CN101567880A (en) * | 2008-04-21 | 2009-10-28 | 成都市华为赛门铁克科技有限公司 | Method, device and system for encryption suite selection |
WO2017045552A1 (en) * | 2015-09-15 | 2017-03-23 | 阿里巴巴集团控股有限公司 | Method and device for loading digital certificate in ssl or tls communication |
CN108566361A (en) * | 2018-01-05 | 2018-09-21 | 武汉信安珞珈科技有限公司 | A kind of safety parameter negotiation method and system based on SSL/TLS agreements |
CN109067803A (en) * | 2018-10-10 | 2018-12-21 | 深信服科技股份有限公司 | A kind of SSL/TLS encryption and decryption communication means, device and equipment |
CN109905239A (en) * | 2019-03-07 | 2019-06-18 | 亚数信息科技(上海)有限公司 | A kind of certificate management method and device |
CN110380852A (en) * | 2019-07-22 | 2019-10-25 | 中国联合网络通信集团有限公司 | Mutual authentication method and communication system |
CN112217833A (en) * | 2020-10-21 | 2021-01-12 | 新华三信息安全技术有限公司 | Secure socket protocol unloading method and device, storage medium and electronic equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |
Application publication date: 2021-12-03