CN116614276A - SSL VPN security authentication gateway service compliance detection system, method and computer readable storage medium - Google Patents
SSL VPN security authentication gateway service compliance detection system, method and computer readable storage medium Download PDFInfo
- Publication number
- CN116614276A CN116614276A CN202310593549.5A CN202310593549A CN116614276A CN 116614276 A CN116614276 A CN 116614276A CN 202310593549 A CN202310593549 A CN 202310593549A CN 116614276 A CN116614276 A CN 116614276A
- Authority
- CN
- China
- Prior art keywords
- ssl
- protocol
- certificate
- data
- value
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 50
- 238000000034 method Methods 0.000 title claims abstract description 43
- 238000004458 analytical method Methods 0.000 claims abstract description 23
- 230000000007 visual effect Effects 0.000 claims abstract description 12
- 238000012795 verification Methods 0.000 claims description 19
- 238000012545 processing Methods 0.000 claims description 17
- 238000012360 testing method Methods 0.000 claims description 12
- 238000000605 extraction Methods 0.000 claims description 7
- 230000004044 response Effects 0.000 claims description 6
- 230000006798 recombination Effects 0.000 claims description 5
- 238000005215 recombination Methods 0.000 claims description 5
- 230000008521 reorganization Effects 0.000 claims description 4
- 238000005314 correlation function Methods 0.000 claims description 3
- 239000000284 extract Substances 0.000 claims description 3
- 230000003993 interaction Effects 0.000 claims description 3
- 238000012512 characterization method Methods 0.000 claims description 2
- 238000007689 inspection Methods 0.000 claims 1
- 238000010998 test method Methods 0.000 abstract description 2
- 230000008569 process Effects 0.000 description 13
- 230000006854 communication Effects 0.000 description 10
- 238000004891 communication Methods 0.000 description 8
- 238000005516 engineering process Methods 0.000 description 6
- 230000006870 function Effects 0.000 description 5
- 238000011156 evaluation Methods 0.000 description 4
- 230000011218 segmentation Effects 0.000 description 4
- 238000010586 diagram Methods 0.000 description 3
- 238000012423 maintenance Methods 0.000 description 2
- 238000013507 mapping Methods 0.000 description 2
- 230000007246 mechanism Effects 0.000 description 2
- 230000006978 adaptation Effects 0.000 description 1
- 230000008901 benefit Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000018109 developmental process Effects 0.000 description 1
- 230000009977 dual effect Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
- 230000008520 organization Effects 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4641—Virtual LANs, VLANs, e.g. virtual private networks [VPN]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/66—Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/04—Processing captured monitoring data, e.g. for logfile generation
- H04L43/045—Processing captured monitoring data, e.g. for logfile generation for graphical visualisation of monitoring data
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/14—Session management
- H04L67/141—Setup of application sessions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
- H04L69/163—In-band adaptation of TCP data exchange; In-band control procedures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/24—Negotiation of communication capabilities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- H04L9/3268—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Abstract
The invention provides an SSLVPN security authentication gateway service compliance detection system, a method and a computer readable storage medium. And finally, verifying the certificate and the certificate chain through a password tool library, and displaying the result on a Web page of a front-end display in a visual representation manner. The method can simultaneously realize the detection and analysis of the compliance of the SSL/TLS protocol and the national secret TLS protocol, and the protocol and the cipher algorithm suite possibly supported by the VPN product are tested and verified one by using a traversal test method, so that the cipher suite supported by the SSLVPN server is found, and the detection efficiency, the comprehensiveness and the accuracy are improved.
Description
Technical Field
The invention relates to the technical field of data security and communication, in particular to security detection of an SSL VPN security gateway, and particularly relates to a system, a method and a computer readable storage medium for detecting service compliance of an SSL VPN security authentication gateway.
Background
At present, china faces a new round of digital revolution in the world, and passwords are safe basic stones and core technologies of national network space. Under the dual drive of national password application policy and digital economic security requirement, social password consciousness is greatly enhanced compared with the prior art, and the use of commercial passwords to ensure the security of an information system becomes a common consensus. SSL VPN security gateway is one of the most widely applied password products in the current commercial password field, integrates various password technologies, and provides powerful guarantee for information system data communication security by the characteristics of simplicity, rapidness and safety.
The password management department of China has specific technical standards for various commercial password products, and related password products of manufacturers need to pass strict product detection authentication before sales, so that the purpose of ensuring that the password products can provide more reliable security guarantee in practical application is achieved. However, due to strong speciality of the password product, the application deployment threshold is higher, some information system constructors are not familiar with commercial password products, deviation often occurs in the use and configuration processes, so that security risks of different degrees exist for externally provided SSL channels, and even vulnerabilities of some SSL VPN products become breaks invaded by overseas or hackers, so that serious hidden hazards exist for information network security. Therefore, whether the SSL VPN products are used in compliance, correctly and effectively in the information systems used by enterprises and public institutions is a problem that the information system construction, operation maintenance and password evaluation mechanisms need to be faced directly.
At present, the Wireshark is widely applied network packet analysis software, can intercept various network data packets and automatically analyze the data packets, and displays the detailed information of the data packets for users, and the Wireshark tool supports the analysis of SSLVPN protocol data. However, for commercial password application security detection, the Wireshark tool is used as a network packet analysis tool, and can only monitor and intercept actual network communication data, and has no active scanning detection function, so that a security protocol or a password algorithm with high risk is easily omitted in the detection process. In the actual use process, the Wireshark tool simply analyzes and outputs a large amount of information, does not analyze and comb and visually represent, cannot directly identify the national cryptographic TLCP protocol and version information thereof, cannot accurately identify the siedney of all national cryptographic algorithm suite, cannot realize the functions of extracting, analyzing and verifying certificate chains of the national cryptographic double digital certificates, still needs manual operation, has higher requirements on the professional basic knowledge of users, and requires professional cryptographic professionals to analyze, compare and identify when facing the actual use, daily monitoring and maintenance requirements of an information network, so that the wide and universal commercial deployment and use are difficult to realize.
Disclosure of Invention
In view of the defects of the prior art, the invention aims to provide an SSL VPN security authentication gateway service compliance detection system and method, which can realize detection and identification of domestic cryptographic algorithm and national secret TLS protocol application and deployment conditions, and the cryptographic suite supported by an SSL VPN server is found by carrying out test verification on protocols and the cryptographic suite possibly supported by a VPN product one by a traversal test method, so that the detection efficiency, comprehensiveness and accuracy are improved.
According to the SSL VPN security authentication gateway service compliance detection system and method, in an example, the identification and analysis of the national secret algorithm suite, the analysis of the national secret double certificates and the verification of the certificate chain can be realized, and the quick verification of the validity of the certificates can be realized.
According to the SSL VPN security authentication gateway service compliance detection system and method, in an example, a high-risk algorithm and protocol alarm are supported, a password algorithm and a protocol version with high risk are marked in the process of analyzing protocol data, and the problems of incomplete and inaccurate evaluation results caused by horizontal spread of technicians are solved.
According to the SSL VPN security authentication gateway service compliance detection system and method, in an example, the graphical display handshake protocol data interaction and detection results are supported, and the visual characterization problem under the condition of complex protocol packet structure is solved.
According to a first aspect of the present invention, there is provided a method for detecting SSL VPN security authentication gateway service compliance, including:
according to international and national secret network security protocols, respectively selecting different protocol versions to construct an access request based on http, and establishing connection with an SSL server;
receiving a network data packet returned by the SSL server in response to the request, and carrying out TCP segment data recombination on the network data packet to obtain a complete SSL data packet;
using a dpkt.SSL module of Python to analyze and identify the SSL data packet to obtain an SSL protocol and a TLS protocol type and a certificate value;
based on the SSL data packet, tcpdata byte stream data is extracted through a tcp layer, a preset protocol number is modified to be a header protocol number corresponding to a benchmarking international TLS protocol, and a dpkt.SSL module is used for continuously analyzing and extracting a subsequent numerical value and a national secret certificate value; matching the verification file according to a preset rule, and transferring the extracted binary value into a corresponding national encryption code algorithm suite name to finish the identification of the encryption algorithm suite value;
verifying the certificate and the certificate chain of the obtained certificate values of the SSL protocol and the TLS protocol; and
visual representation of the results of checking the international SSL protocol, TLS protocol and national security TLS protocol and certificate chain obtained by the detection.
As an optional example, the establishing the http-based access request according to the international and national secret network security protocols by selecting different protocol versions respectively, and establishing a connection with the SSL server includes:
according to the international SSL protocol, the TLS protocol and the national security TLS protocol, respectively and sequentially selecting different protocol versions and algorithm suites by utilizing a TaSSL tool, constructing access requests based on http, respectively sending connection requests, and carrying out connection test with an SSL server;
for the connection test of each protocol version and algorithm suite, judging whether the current connection is valid or not according to the handshake condition with the SSL server;
judging whether the current connection is effective or not according to the handshake condition returned by the SSL server, and sequentially testing and recording whether the connection is successful or not;
wherein, the protocol version of the SSL protocol at least comprises SSL2.0 and SSL3.0;
the protocol version of the TLS protocol at least comprises TLS1.0, TLS1.1, TLS1.2 and TLS1.3;
the cipher suite of the national cipher TLS protocol at least comprises four national cipher related cipher suites of ECC-SM4-SM3, ECC_SM4_GCM_SM3, ECDHE-SM4-SM3 and ECDHE_SM4_GCM_SM3 conforming to the GB/T38636-2020 specification and TLS_SM4_GCM_SM3 cipher suites conforming to the RFC8998 specification.
As an optional example, the receiving the network data packet returned by the SSL server in response to the request, and performing TCP segment data reassembly on the network data packet, to obtain a complete SSL data packet, includes:
capturing a pcaping data packet returned by the SSL server by using a wireshark tool;
using a dpkt unpacking tool to extract the data of the pcapng data packet in a layered manner;
grouping and reorganizing the segmented message data obtained by layered extraction according to the tcp ack number of the message, and storing the segmented message data into a list structure list; and
traversing the list structure list, and performing check and repeat processing on packet capturing data of the message after the packet is grouped according to the tcp ack number to obtain a complete SSL data packet.
As an optional example, based on the SSL packet, extracting tcpdata byte stream data through tcp layer and modifying a predetermined protocol number to be a header protocol number corresponding to the international TLS protocol, and continuing to parse and extract subsequent values and national certificate values through dpkt.ssl module, including:
extracting tcpdata byte stream data through a tcp layer;
extracting header protocol number information of 0x 0101;
based on international TLS1.1 protocol of national cipher TLS protocol pair, modifying the header protocol number into 0x 0301; and
and continuously analyzing and identifying the SSL data packet with the modified header protocol number through a dpkt.SSL module to extract the subsequent numerical value.
According to a second aspect of the object of the present invention, there is also provided an SSL VPN security authentication gateway service compliance detection system, comprising:
one or more processors;
a memory storing instructions operable to cause, by such execution, the one or more computers to perform operations comprising the flow of the foregoing method.
According to a third aspect of the object of the invention, there is also provided a computer readable medium storing software, characterized in that: the software includes instructions executable by one or more computers which, by such execution, cause the one or more computers to perform operations comprising the flow of the aforementioned method.
By the technical scheme of the aspects, the system and the method for detecting the SSL VPN security authentication gateway service compliance solve the problem of detecting the international SLL, the TLS and the national security TLS of the SSL VPN gateway service compliance, can improve the detection depth, accuracy and efficiency in the security evaluation of commercial password application, and reduce the evaluation error or deviation caused by the capability technical level difference of detection personnel.
The SSL VPN security authentication gateway service compliance detection method solves the problems of national standard TLCP protocol detection and analysis, can realize the identification and analysis of a national cipher algorithm suite, solves the problems of national cipher double certificate analysis and certificate chain verification, and can realize quick certificate validity verification.
It should be understood that all combinations of the foregoing concepts, as well as additional concepts described in more detail below, may be considered a part of the inventive subject matter of the present disclosure as long as such concepts are not mutually inconsistent. In addition, all combinations of claimed subject matter are considered part of the disclosed inventive subject matter.
The foregoing and other aspects, embodiments, and features of the present teachings will be more fully understood from the following description, taken together with the accompanying drawings. Other additional aspects of the invention, such as features and/or advantages of the exemplary embodiments, will be apparent from the description which follows, or may be learned by practice of the embodiments according to the teachings of the invention.
Drawings
The drawings are not intended to be drawn to scale. In the drawings, each identical or nearly identical component that is illustrated in various figures may be represented by a like numeral. For purposes of clarity, not every component may be labeled in every drawing. Embodiments of various aspects of the invention will now be described, by way of example, with reference to the accompanying drawings.
Fig. 1 is an exemplary flow diagram of a SSL VPN security authentication gateway service compliance detection method according to an embodiment of the present invention.
FIG. 2 is a flow chart of one particular implementation of a method according to the example of FIG. 1.
Fig. 3 is a diagram of a data packet information display interface captured by a Wireshark tool according to an embodiment of the present invention.
Fig. 4 is a schematic diagram of an exemplary pcapng packet requiring reassembly in accordance with the present invention.
Fig. 5 is a flowchart of packet reassembly of a packet-grabbing data (tcp message) according to an embodiment of the present invention.
Fig. 6 is a flowchart of a message reassembly method according to an embodiment of the present invention.
Fig. 7-8 are examples of visual display interfaces of detection results (for SSL, TLS) of an SSL VPN security authentication gateway service compliance detection method according to the present invention.
Fig. 9-10 are examples of visual display interfaces of detection results (for national security) of an SSL VPN security authentication gateway service compliance detection method according to the present invention.
Detailed Description
For a better understanding of the technical content of the present invention, specific examples are set forth below, along with the accompanying drawings.
Aspects of the invention are described in this disclosure with reference to the drawings, in which are shown a number of illustrative embodiments. The embodiments of the present disclosure are not necessarily intended to include all aspects of the invention. It should be understood that the various concepts and embodiments described above, as well as those described in more detail below, may be implemented in any of a number of ways, as the disclosed concepts and embodiments are not limited to any implementation. Additionally, some aspects of the disclosure may be used alone or in any suitable combination with other aspects of the disclosure.
In combination with the method for detecting the compliance of the SSL VPN security authentication gateway service of the example shown in fig. 1, through communication between a constructed virtual test request and an SSL server and through packet grabbing of a packet in a communication process by a packet grabbing tool, for example, a pcapng packet (message data) obtained by using a Wireshark tool to grab the packet is further subjected to tcp segmentation recombination and check recombination of the pcapng packet to obtain a complete SSL packet, and then, through packet analysis by a native dkpt.SSL module, the aggregated SSL protocol, the TLS protocol and the national secret TLS protocol are analyzed to obtain protocol data and certificate value data. And finally, verifying the certificate and the certificate chain through a Jsrssign password tool library, and carrying out visual representation display on the result on a Web page of a front-end display. Therefore, the method can simultaneously realize the detection and analysis of the compliance of the SSL/TLS protocol and the national secret TLS protocol.
Fig. 2 shows an example of implementing the foregoing example method of fig. 1, and in combination with the flow shown in fig. 2, the SSL VPN security authentication gateway service compliance detection method includes the following procedures:
step S101, according to international and national secret network security protocols, respectively selecting different protocol versions to construct an access request based on http, and establishing connection with an SSL server;
step S102, receiving a network data packet returned by the SSL server in response to the request, and carrying out TCP segment data recombination on the network data packet to obtain a complete SSL data packet;
step S103, using a dpkt.SSL module to analyze and identify SSL, TLS, national secret TLS protocol and certificate values respectively;
step S104, checking the certificate and the certificate chain of the obtained certificate values of the SSL protocol and the TLS protocol; and
step S110, visual representation of the detected international SSL protocol, TLS protocol, national secret TLS protocol, and verification results of certificates and certificate chains, for example, visual representation transmitted back to the front-end display screen.
In step S103, SSL, TLS protocol and certificate values are respectively resolved and identified by using dpkt.ssl module, including international SSL, TLS protocol, and identification of TLS protocol, which is a national security protocol, that is, a national TLS (also referred to as GMTLS) protocol:
(1) Using a dpkt.SSL module of Python to analyze and identify the SSL data packet to obtain an SSL protocol and a TLS protocol type and a certificate value;
(2) Based on the obtained SSL data packet, extracting tcpdata byte stream data through a tcp layer, modifying a preset protocol number into a header protocol number corresponding to a benchmarking international TLS protocol, and continuously analyzing and extracting a subsequent numerical value and a national secret certificate value through a dpkt.SSL module; and matching the verification file according to a preset rule, and transferring the extracted binary value into a corresponding national encryption code algorithm suite name to finish the identification of the encryption algorithm suite value.
The implementation of the foregoing steps S101-S110 is further illustrated and described below.
Constructing an access request based on http and testing connection with an SSL server
As an optional example, in the foregoing step S101, according to the international and national secret network security protocols, different protocol versions are respectively selected to construct an access request based on http, and a connection is established with the SSL server, including:
according to the international SSL protocol, the TLS protocol and the national security TLS protocol, respectively and sequentially selecting different protocol versions and algorithm suites by utilizing a TaSSL tool, constructing access requests based on http, respectively sending connection requests, and carrying out connection test with an SSL server;
for the connection test of each protocol version and algorithm suite, judging whether the current connection is valid or not according to the handshake condition with the SSL server;
and judging whether the current connection is effective or not according to the handshake condition returned by the SSL server, and sequentially testing and recording whether the connection is successful or not.
The protocol version of the SSL protocol at least includes SSL2.0 and SSL3.0.
The protocol versions of the TLS protocol include at least TLS1.0, TLS1.1, TLS1.2, and TLS1.3.
The cipher suite of the national cipher TLS protocol at least comprises four national cipher related cipher suites of ECC-SM4-SM3, ECC_Sm4_GCM_Sm3, ECDHE-SM4-SM3 and ECDHE_Sm4_GCM_Sm3 conforming to the GB/T38636-2020 specification and TLS_Sm4_GCM_Sm3 cipher suites conforming to the RFC8998 specification.
It should be understood that the SSL (Secure Socket Layer) protocol refers to a network security protocol developed by NetScape corporation in the united states, is a security protocol implemented on a transmission communication protocol (TCP/IP), and uses public key technology to widely support the protocol for secure communication assurance in applications such as browser, mailbox, instant messaging, voIP, and fax.
It should be appreciated that version v1.0 of the SSL protocol is not publicly published. Version V2.0 was released in month 2 of 1995. However, since the v2.0 version has many security holes, the v3.0 version was released immediately after 1996. Because sslv2.0 protocol has many security hole problems, such as using the same encryption key for message authentication and encryption, SSL handshake process does not take any guard, weak message authentication code structure and only supports unsafe MD5 hash functions, closing using TCP connection, only providing a single service and binding a fixed domain name, etc., man-in-the-middle attacks are easily encountered and broken. However, since many systems and Web servers also support sslv2.0 protocol, in order to enhance the security of user browsing Web pages, currently mainstream browsers do not support unsafe SSL v2.0 protocol, but there are still many browsers and applications that support sslv2.0 protocol, for example microsoft from IE browser (IE 7 later) and Google browser will not support sslv2.0 by default setting of the browser, but it is possible that the IE browser retains the option that SSL2.0 can be set by the user to normally access websites that support SSL2.0 only, considering that some websites also support sslv 2.0.
TLS (Transport Layer Security) the secure transport layer protocol, which provides confidentiality and data integrity between two communicating applications, is a development of the SSL protocol. The IETF international organization changes the SSL protocol to TLS with version numbers including TLS1.0, TLS1.1, TLS1.2, and TLS1.3 when standardizing the SSL protocol. Currently, the TLS version 1.3 is mainly used.
In the embodiment of the invention, the cryptographic algorithms with security problems or insufficient security intensity, such as MD5, DES, SHA-1, RSA (less than 2048) and the like, and the dangerous SSL protocols which are found and gradually abandoned, such as SSL2.0, SSL3.0, TLS1.0 and the like, are used for the information system, which may cause the information system to face high risk, so that the risk information is identified and prompted according to preset risk rules in the subsequent process aiming at the identified SSL and TLS protocols.
The packet capturing tool is used for capturing packets in the SSL communication process, and the packet capturing file is subjected to check and reconstruction to obtain complete SSL data
Bag(s)
As an optional example, in step S102, the receiving the network data packet returned by the SSL server in response to the request, and performing TCP segment data reassembly on the network data packet, to obtain a complete SSL data packet, includes:
capturing a pcaping data packet returned by the SSL server by using a wireshark tool;
using a dpkt.SSL module to extract the data of the pcapng data packet in a layering manner;
grouping and reorganizing the segmented message data obtained by layered extraction according to the tcp ack number of the message, and storing the segmented message data into a list structure list; and
traversing the list structure list, and performing check and repeat processing on packet capturing data of the message after the packet is grouped according to the tcp ack number to obtain a complete SSL data packet.
As an example, the present invention adopts a packet grabbing tool to grab SSL communication data. Taking a wireshark tool (a packet analysis tool) as an example, aiming at a packet capturing file, when capturing SSL communication data, the data in the SSL interaction process can be better displayed.
The data packet information display interface captured by the Wireshark tool is shown in fig. 3. For example, when we need to look at the detailed SSL data stream for SSL server (SSL/TLS) of "180.163.248.139", all this IP related TLS packets can be filtered out by entering a search command. Because the SSL protocol working mechanism relies on the TCP protocol, the TCP performs packet segmentation (Segment) when transmitting large data, and the present invention needs complete data content when analyzing the SSL protocol data packet. However, the data captured by the Wireshark tool has some problems on the bottom layer, the Wireshark can perform segment packetization processing on the application layer protocol, and some data show tcp protocol, and although the Wireshark performs packetization, the subsequent processing cannot be performed. The pcaping packet requiring reassembly is illustrated in fig. 4.
Therefore, in the embodiment of the invention, a tcp segmentation message data reorganization method is provided for a pcapng data packet grabbed by a wireframe tool, and packet reorganization is performed according to a tcp ack number of a message.
With reference to the flow shown in fig. 5, the process of the tcp segmentation message data reorganization method includes the following steps:
capturing a data packet (pcapng) returned by the SSL server by using a wireshark tool;
using a dpkt unpacking tool to extract the data of the pcapng data packet in a layering manner, wherein the method adopts a traversal analysis manner to analyze the pcapng data packet (namely, tcp message);
grouping and reorganizing the segmented message data obtained by layered extraction according to the tcp ack number of the message, and storing the segmented message data into a list structure list; and
traversing the list structure list, and performing check and repeat processing on packet capturing data of the packet after the packet is grouped according to the tcp ack number to obtain a complete SSL data packet.
It should be understood that, during the traversing process, the dpkt.ssl module determines whether the message IP is a specified IP address (i.e., the IP address of the SSL server) each time, if so, continues processing, parses the message, extracts the tcp ack number and the corresponding tcpdata, and otherwise traverses to process the next message.
In the embodiment of the present invention, the packet reorganizing the packet data obtained by the layered extraction according to the tcp ack number, and storing the packet data in a list structure list, including:
based on the uniqueness of the tcp ack numbers, the ack numbers of the segmented messages are the same, and the segmented messages are identified as the same group of tcp messages;
and (3) using a python dictionary data structure, wherein key values are tcp ack numbers, storing and extracting tcpdata of the current tcp ack numbers by using value values, arranging according to the time sequence of the packet capturing file, and storing the key values and the value values serving as dictionary values into a List structure List.
As an optional example, in connection with the flow shown in fig. 6, traversing the list structure list, and performing a duplicate checking process on the packet capturing data after the packet is grouped according to the tcp ack number to obtain a complete SSL packet, where the method includes:
inputting the List structure List as an original List-origin, wherein the List structure List comprises all the identification stored tap ack number information and corresponding tcpdata data;
creating an act set structure (set-act) for check and repeat judgment and storing a dictionary of the complete tcp-data;
traversing each result of the List-origin item by item, extracting a single tcp ack message dictionary, obtaining a key value and a value of a subject-origin of each result, storing the key value of the dictionary into a newly built ack aggregate structure (set-act), and judging whether the current tcp ack message dictionary is processed or not by utilizing the element unrepeatable characteristic of the aggregate structure, wherein before processing a single tcp ack message in the List structure, judging whether the dictionary key value exists or not by comparing the dictionary key value:
if not, writing the value of the tcp ack message dictionary into a new ack dictionary, wherein the key value is still the ack number, and the value is tcpdata; if so, splicing the value of the tcp ack message dictionary into the value of the key value corresponding to the ack dictionary;
traversing the List structure List until all tcp ack message dictionary traversing processing is completed, outputting dictionary subject-tcp results, and obtaining message data after query and reconstruction, namely a complete SSL data packet.
Resolving SSL data packet to obtain SSL protocol data
In the aforementioned step S103, for the analysis and identification of the international agreements (SSL, TLS), the native dpkt.ssl module of Python is mainly used for analysis, and the SSL protocol, TLS protocol type and certificate value are obtained.
In the embodiment of the invention, an SSL data packet (namely, a tcp message of check and reconstruction) is identified by using a dpkt.ssl.tls_multi_factor function in a dpkt.SSL module of Python, and various data results of a handshake protocol cluster in an SSL protocol are analyzed, including a handshake protocol, a password specification change protocol and an alarm protocol.
The handshake protocol can identify ClientHello, serverHello, certificate, serverKeyExchange, certificateRequest, serverHelloDone, certificateVerify, clientKeyExchange, finished and other message structure types through dpkt.ssl.tlshandshake functions.
The data contents of the above types are stored in a data structure of a recording dictionary. For each message structure type under the handshake protocol, the key information contained in the message is output in detail, for example, the information such as random, ciphersuites, sessionid, compressionmethods needs to be further output in the ClientHello message.
In step S103, based on the SSL packet, tcpdata byte stream data is extracted through tcp layer and the predetermined protocol number is modified to be the header protocol number corresponding to the international TLS protocol for the opposite sign, and subsequent values and national secret certificate values are continuously parsed and extracted through dpkt.ssl module, including:
extracting tcpdata byte stream data through a tcp layer;
extracting header protocol number information of 0x 0101;
based on international TLS1.1 protocol of national cipher TLS protocol pair, modifying the header protocol number into 0x 0301; and
and continuously analyzing and identifying the SSL data packet with the modified header protocol number through a native dpkt.SSL module to extract the subsequent numerical value.
In the embodiment of the invention, the version number of the national password GMTLS1.1 is '0 x 0101', and the cryptographic algorithm suite is clearly described in GM/T0024-2014 'SSL VPN technical Specification' and GM/T38636-2020 'information security technology Transport Layer Cryptographic Protocol (TLCP)' different from the version number of TLS '0 x03 XX'.
In the parsing process, the native dpkt.ssl module does not support the identifier of the TLS protocol, so in the embodiment of the present invention, the identifier of the SSL protocol header of the packet determined to be the TLS packet is modified to the identifier of the international TLS1.1 protocol, i.e. "0x0301", and then the native dpkt.ssl module can continue to parse the SSL protocol related message data.
As an optional example, after the subsequent numerical value of the national secret TLS protocol is extracted by continuing unpacking through the native dpkt.ssl module, the binary value obtained by extraction is transferred into the corresponding cipher algorithm suite name through the created rule matching check file, so as to realize the identification of the national secret cipher algorithm suite value.
The rule matching verification file comprises a mapping relation between a cipher algorithm suite value and a name. The mapping relation between the cipher algorithm suite value and the name is from GM/T0024-2014 SSL VPN technical Specification and GB/T38636-2020 information safety technology Transport Layer Cipher Protocol (TLCP) standard.
Verification of certificates and certificate chains
For certificate values (server digital certificates, client digital certificates, etc.) obtained by parsing, the Wireshark tool cannot be verified. For this purpose, we further verify the certificate chain and the certificate validity period by means of a password verification tool for the certificate value obtained by the dpkt.ssl module.
As an alternative example, we transmit the certificate value information obtained through the dpkt.ssl module back to the front end, which parses the certificate information through the jsrsassign cryptographic tool library and verifies the certificate chain and the certificate validity period. For example, the certificates of RSA algorithm and the certificates of SM2 algorithm are analyzed and checked through the X509 type correlation function of the Jsrssign password tool library.
It should be understood that the X509-type correlation function can directly implement analysis and verification of the RSA algorithm, but the certificate of the SM2 algorithm has some problems in analysis of public keys, so we further refer to the SM2 cryptographic standard to readjust the public key value of the certificate of the SM2 algorithm obtained by the JS rsign cryptographic tool library, and implement verification of the certificate chain in the JS code.
Specifically, for analysis and verification of certificates in the SM2 encryption algorithm, since the public key format of the certificate extracted by the native Jsrssign encryption tool library does not accord with the standard definition, for this purpose, we refer to the GM/T0003-2012 standard of SM2 elliptic curve public key cryptography algorithm, add "04" mark to the character string header of the extracted hexadecimal public key value, and generate the correct public key value. And verifying and signing the bookmark name domain content abstract through the modified public key value, namely verifying the obtained SM2 algorithm certificate content by using the public key value of the root certificate, thereby realizing the verification of a certificate chain in the JS code.
Finally, on the display of the certificate information, the content of the related OID information is translated and displayed on the Web page at the front end.
Particularly optionally, in the implementation process of the SSL VPN security authentication gateway service compliance detection method of the present invention, the main analysis processing of the packet capture file and the analysis of the SSL protocol are completed by being deployed at the back end of the server, etc., the processing of the analysis and verification of the certificate is deployed at the front end, but not after the back end processing, and the processing is responded, firstly, the method deployment is considered to continue to perfect and optimize, so that the method can be used as a service end to provide services externally, partial calculation is placed at the front end, the pressure of the back end server can be reduced, secondly, the analysis of the certificate data is finally required to be displayed in the page, and the visual processing can be performed by better operation html through js code, thereby improving the code writing efficiency.
Identifying and suggesting risky data information
In the embodiment of the invention, according to the basic requirements of the information system cipher application of the GB/T39786-2021 information security technology, important data are protected by using a cipher algorithm with security problem or insufficient security intensity for the information system, such as MD5, DES, SHA-1, RSA (less than 2048 bits) and other cipher algorithms, and dangerous SSL protocols (SSL 2.0, SSL3.0, TLS 1.0) which are found and gradually abandoned can cause high risk. Therefore, after the SSL data packet is analyzed, the discovered SSL protocol version, the type of the shared suite used in the cipher algorithm suite and the key length of the algorithm certificates used by the server and the client are identified, and the judgment is carried out by combining with a preset early warning rule, so that the risk information is marked and prompted.
As shown in fig. 7 and 8, an example of a visual display interface of the detection result (SSL, TLS) of the SSL VPN security authentication gateway service compliance detection method according to the present invention is shown. Fig. 9 and 10 are examples of a visual display interface of a detection result (GMTLS) of the SSL VPN security authentication gateway service compliance detection method according to the present invention. It should be noted that, in the detection result shown in fig. 8, the following information such as a certificate version number, a serial number, a signature algorithm, an issuer, a user, a validity period, a key usage, a user key identification, an authorizer key identification, and the like, which are not shown in the drawings of the present invention, is further included.
In combination with implementation of the SSL VPN security authentication gateway service compliance detection method according to the above embodiment of the present invention, according to the present disclosure, there is also provided an SSL VPN security authentication gateway service compliance detection system, including: one or more processors and memory.
The foregoing memory is even used to store instructions that are operable to cause the one or more computers to perform operations comprising the flow of the SSL VPN security authentication gateway service compliance detection method of any of the embodiments described above.
In connection with the implementation of the SSL VPN security authentication gateway service compliance detection method according to the above embodiments of the present invention, there is also proposed according to the present disclosure a computer-readable medium storing software comprising instructions executable by one or more computers, the instructions, by such execution, causing the one or more computers to perform operations comprising the flow of the SSL VPN security authentication gateway service compliance detection method according to any of the embodiments described above.
While the invention has been described with reference to preferred embodiments, it is not intended to be limiting. Those skilled in the art will appreciate that various modifications and adaptations can be made without departing from the spirit and scope of the present invention. Accordingly, the scope of the invention is defined by the appended claims.
Claims (11)
1. The SSLVPN security authentication gateway service compliance detection method is characterized by comprising the following steps of:
according to international and national secret network security protocols, respectively selecting different protocol versions to construct an access request based on http, and establishing connection with an SSL server;
receiving a network data packet returned by the SSL server in response to the request, and carrying out TCP segment data recombination on the network data packet to obtain a complete SSL data packet;
using a dpkt.SSL module of Python to analyze and identify the SSL data packet to obtain an SSL protocol and a TLS protocol type and a certificate value;
based on the SSL data packet, extracting tcpdata byte stream data through a tcp layer, modifying a preset protocol number into a header protocol number corresponding to a benchmarking international TLS protocol, and continuously identifying and extracting a subsequent numerical value and a national secret certificate value through a dpkt.SSL module; matching the verification file according to a preset rule, and transferring the extracted binary value into a corresponding national encryption code algorithm suite name to finish the identification of the encryption algorithm suite value;
verifying the certificate and the certificate chain of the obtained certificate values of the SSL protocol and the TLS protocol; and
visual representation of the results of checking the international SSL protocol, TLS protocol and national security TLS protocol and certificate chain obtained by the detection.
2. The method for detecting compliance of SSLVPN security authentication gateway services according to claim 1, wherein the selecting different protocol versions to construct an http-based access request according to international and national security protocols, respectively, establishes a connection with an SSL server, includes:
according to the international SSL protocol, the TLS protocol and the national security TLS protocol, respectively and sequentially selecting different protocol versions and algorithm suites by utilizing a TaSSL tool, constructing access requests based on http, respectively sending connection requests, and carrying out connection test with an SSL server;
for the connection test of each protocol version and algorithm suite, judging whether the current connection is valid or not according to the handshake condition with the SSL server;
judging whether the current connection is effective or not according to the handshake condition returned by the SSL server, and sequentially testing and recording whether the connection is successful or not;
wherein, the protocol version of the SSL protocol at least comprises SSL2.0 and SSL3.0;
the protocol version of the TLS protocol at least comprises TLS1.0, TLS1.1, TLS1.2 and TLS1.3;
the cipher suite of the national cipher TLS protocol at least comprises four national cipher related cipher suites of ECC-SM4-SM3, ECC_SM4_GCM_SM3, ECDHE-SM4-SM3 and ECDHE_SM4_GCM_SM3 conforming to the GB/T38636-2020 specification and TLS_SM4_GCM_SM3 cipher suites conforming to the RFC8998 specification.
3. The method for detecting compliance of SSLVPN security authentication gateway services according to claim 1, wherein the receiving the network data packet returned by the SSL server in response to the request, and performing TCP segment data reassembly on the network data packet, to obtain a complete SSL data packet, includes:
capturing a pcaping data packet returned by the SSL server by using a wireshark tool;
using a dpkt unpacking tool to extract the data of the pcapng data packet in a layered manner;
grouping and reorganizing the segmented message data obtained by layered extraction according to the tcp ack number of the message, and storing the segmented message data into a list structure list; and
traversing the list structure list, and performing check and repeat processing on packet capturing data of the message after the message is grouped according to the tcp ack number to obtain a complete SSL data packet.
4. The SSLVPN security authentication gateway service compliance detection method of claim 3, wherein the packet data obtained by the hierarchical extraction is grouped and reassembled according to a tcp ack number, and stored in a list structure list, and the method comprises:
based on the uniqueness of the tcp numbers, the tcp of the segmented messages are identical, and the tcp messages are marked as the same group of tcp messages;
and (3) extracting tcpdata of the current tcpack number by using a python dictionary data structure, storing the key value as the tcpack number, arranging according to the time sequence of the packet capturing file, and storing the key value and the value as dictionary values into a List structure List.
5. The SSLVPN security authentication gateway service compliance detection method of claim 3, wherein traversing the list structure list, and performing check-repeat processing on packet capture data after the packet is grouped according to a tcp ack number to obtain a complete SSL packet, includes:
traversing the List structure List, extracting a single tcpack message dictionary, storing key values of the dictionary into a newly built ack collection structure, and judging whether the current tcpack message dictionary is processed or not by utilizing the element nonrepeatable characteristic of the collection structure, wherein before processing the single tcpack message in the List structure List, judging whether the dictionary key values are compared with the ack collection or not:
if not, writing the value of the tcpack message dictionary into a new ack dictionary, wherein the key value is still an ack number, and the value is tcpdata; if the value exists, the value of the tcpack message dictionary is spliced into the value of the corresponding key value of the ack dictionary;
traversing the List structure List until all the tcp ack message dictionary traversing processing is completed, and obtaining the message data after the query and the reorganization, namely the complete SSL data packet.
6. The SSLVPN security authentication gateway service compliance detection method of claim 1, wherein the extracting tcpdata byte stream data through tcp layer and modifying a predetermined protocol number to be a header protocol number corresponding to a benchmarking international TLS protocol based on the SSL packet, and continuing to parse and extract subsequent values and national cryptographic certificate values through dpkt.ssl module, includes:
extracting tcpdata byte stream data through a tcp layer;
extracting header protocol number information of 0x 0101;
based on international TLS1.1 protocol of national cipher TLS protocol pair, modifying the header protocol number into 0x 0301; and
and continuously unpacking the SSL data packet with the modified header protocol number through a dpkt.SSL module to extract the subsequent numerical value.
7. The SSLVPN security authentication gateway service compliance detection method according to any one of claims 1 to 6, wherein the verifying the acquired international protocol certificate value and national secret certificate value for the certificate and certificate chain includes:
obtaining certificate value information obtained by a dpkt.SSL module;
based on X509 class correlation functions of the Jsrssign password tool library, analyzing and checking a certificate of an encryption algorithm, and checking a certificate chain and a certificate validity period; for analysis and verification of certificates in an SM2 encryption algorithm, as the public key format of the certificates extracted by a native Jsrssign encryption tool library does not accord with standard definition, a '04' mark is added to the character string header of the extracted hexadecimal public key value by referring to the GM/T0003-2012 'SM 2 elliptic curve public key encryption algorithm' standard, so as to generate a correct public key value; verifying and signing the bookmark name domain content abstract through the modified public key value, namely verifying the obtained SM2 algorithm certificate content by using the public key value of the root certificate, so as to realize verification of a certificate chain in JS codes;
finally, translating the content of the related OID information to present the certificate information in the front-end page.
8. The SSLVPN security authentication gateway service compliance detection method of any one of claims 1 to 6, further comprising the steps of:
and identifying and prompting data information with risk based on preset rules according to the acquired SSL protocol version, the type of the shared suite used in the password suite and the key length of the certificate.
9. The SSLVPN security authentication gateway service compliance detection method of any one of claims 1 to 6, further comprising the steps of:
and providing a front-end interaction and display interface for inputting test parameter information, and visualizing analysis results of the characterization protocol and certificate inspection result information.
10. An SSLVPN security authentication gateway service compliance detection system, comprising:
one or more processors;
a memory storing instructions operable to cause the one or more computers to perform operations comprising the flow of the method of any one of claims 1-9.
11. A computer readable medium storing software, characterized by: the software comprising instructions executable by one or more computers which, by such execution, cause the one or more computers to perform operations comprising the flow of the method of any one of claims 1-9.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310593549.5A CN116614276A (en) | 2023-05-24 | 2023-05-24 | SSL VPN security authentication gateway service compliance detection system, method and computer readable storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310593549.5A CN116614276A (en) | 2023-05-24 | 2023-05-24 | SSL VPN security authentication gateway service compliance detection system, method and computer readable storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116614276A true CN116614276A (en) | 2023-08-18 |
Family
ID=87676098
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310593549.5A Pending CN116614276A (en) | 2023-05-24 | 2023-05-24 | SSL VPN security authentication gateway service compliance detection system, method and computer readable storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116614276A (en) |
-
2023
- 2023-05-24 CN CN202310593549.5A patent/CN116614276A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US20240089301A1 (en) | Method and system for capture of visited links from encrypted and non-encrypted network traffic | |
| CN110198297B (en) | Flow data monitoring method and device, electronic equipment and computer readable medium | |
| Merget et al. | Scalable scanning and automatic classification of {TLS} padding oracle vulnerabilities | |
| US11025612B2 (en) | Intelligent certificate discovery in physical and virtualized networks | |
| CN111783096A (en) | Method and device for detecting security vulnerability | |
| Hu et al. | A large-scale analysis of HTTPS deployments: Challenges, solutions, and recommendations | |
| CN114401097B (en) | HTTPS service flow identification method based on SSL certificate fingerprint | |
| CN113987543A (en) | Online data monitoring method and device | |
| CN115002203A (en) | Data packet capturing method, device, equipment and computer readable medium | |
| CN113872956A (en) | Method and system for inspecting IPSEC VPN transmission content | |
| CN113315678A (en) | Encrypted TCP (Transmission control protocol) traffic acquisition method and device | |
| Mendes et al. | Validating and securing DLMS/COSEM implementations with the ValiDLMS framework | |
| CN116614276A (en) | SSL VPN security authentication gateway service compliance detection system, method and computer readable storage medium | |
| Pukkawanna et al. | Classification of SSL servers based on their SSL handshake for automated security assessment | |
| CN116346688B (en) | SSL VPN security authentication gateway service compliance detection system and method | |
| Oakes et al. | A residential client-side perspective on ssl certificates | |
| CN113645176B (en) | Method and device for detecting fake flow and electronic equipment | |
| CN113162947A (en) | System and method for testing sensor network password security protocol | |
| CN114422200A (en) | Domain name interception method and device and electronic equipment | |
| Gunawan et al. | SSL/TLS vulnerability detection using black box approach | |
| Jawi et al. | Nonintrusive SSL/TLS proxy with JSON-based policy | |
| Koshy et al. | Privacy Leaks Via SNI and Certificate Parsing | |
| EP3989519B1 (en) | Method for tracing malicious endpoints in direct communication with an application back end using tls fingerprinting technique | |
| Carvalho | Is Web Browsing Secure? | |
| Sarten | Surveying. NZ TLS |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |