1. SM2 HTTPS encryption reconstruction is very difficult
All websites must implement https encryption, otherwise all browsers will have warning "Not secure", because the various confidential information entered by users on the website will be transmitted to the cloud server in clear text, which is very easy to be illegally intercepted or illegally tampered with that cannot protect the security of website visitors. Even for pages with only static information, if https encryption is not used, the privacy of website visitors' access behavior will be leaked, and the links to other systems in the page are very easy to be illegally tampered with, resulting in visitor being linked to a fake upstream website or a fake login page that it will also lead to the leakage of the user's confidential information, and affect the user's account security and information security in other systems. This is why the industry has been promoting full-site https encryption. All websites should abandon the http method and implement https encryption.
However, China websites also have compliance requirements for laws and regulations such as "Cryptography Law", "Cyber Security Law" and "Data Security Law". These regulations require websites to use SM2 algorithms to realize SM2 https encryption! This requires the reconstruction to support SM2 algorithm so that the web server of the website system supports the SM2 https encryption. It is necessary to deploy SM2 SSL certificate on the server and use a browser that supports SM2 algorithm to implement SM2 https encryption. There are ZT Browser as a free SM2 supported browser, which means browser is not a problem; and some CA operators can issue SM2 SSL certificates, and CerSign has free SM2 SSL certificates that can be applied for, which means SSL certificate is also not a problem. The problem is stuck in the upgrade of the web server and the installation of the SSL certificate. Of course, users can choose ZoTrus Website Security Cloud Service to realize SM2 https encryption with zero reconstruction, but some customers have their own machine rooms and servers, hoping to achieve complete autonomy and control without relying on third-party services.
The most important thing is that the existing business systems have been in mature operation for many years, such as the e-government service system and enterprise management system. The business of these systems cannot be stopped, and these servers cannot be changed. This is the biggest difficulty in the cryptography reconstruction. It must be reconstructed for compliance but cannot be reconstructed. Ensuring the stable and uninterrupted operation of the business system is the first priority, and https encryption and SM2 https encryption are the second priority. How to do?
2. ZoTrus Solution-Zero reconstruction of the original website, automatic implementation of SM2 HTTPS encryption, very easy
The solution of ZoTrus Technology is to turn the Website Security Cloud Service that automatically realizes SM2 https encryption into a local deployable product for local deployment to also realize SM2 https encryption with zero reconstruction!
As shown in the left figure below, this is a schematic diagram of ZoTrus Website Security Cloud Service. Users only need to do three domain name resolutions to automatically configure SM2 SSL certificates and ECC SSL certificates to Alibaba Cloud WAF + CDN system through ZoTrus Cloud SSL System, fully automatic implementation of https encryption and offload forwarding, adaptive encryption algorithm, ZT Browser preferentially adopts SM2 algorithm to realize SM2 https encryption. The localized deployment solution is shown in the right figure below. A ZoTrus SM2 HTTPS encryption gateway is deployed locally in the user computer room. The Gateway connects to the ZoTrus Cloud SSL System to automatically apply SM2 SSL certificate and ECC SSL certificate, and automatically deploys them in the Gateway to realize https encryption with adaptive encryption algorithm, and the SM2 HTTPS Automation Gateway realizes https offloading and forwarding to the internal source website (the original website), and the original website implements SM2 https encryption with zero change.
2.1 SM2 HTTPS Automation Gateway: MHG-1
ZoTrus SM2 HTTPS Automation Gateway MHG-1 is a high-performance website security hardware gateway device integrating https encryption, https offload forwarding, SM2 algorithm module, SSL certificate automation, load balancing and other functions. High performance hardware cryptographic cards and hardware accelerator cards realize high-speed cryptographic operations and network packet forwarding, and professionally optimize the built-in operating systems, network protocols, SSL/TLS protocols, and cryptographic algorithms to achieve industry-leading extreme performance: HTTPS new connection can reach 50,000 times/second, the HTTPS throughput can reach 32Gbps, and the HTTPS concurrent connection can reach 3 million.
An important module of the ZoTrus SM2 HTTPS Automation Gateway is the SM2 Algorithm module, which supports the use of the SM2 SSL certificate and the SM2 Algorithm to implement https encryption and supports handshaking with the browser to negotiate encryption protocols that preferred to use SM2 algorithm, making ZT Browser can preferentially use the SM2 Algorithm to establish an https connection with the Gateway. Of course, all international algorithms (RSA and ECC algorithm) are supported, and all browsers are supported to negotiate various crypto suites to implement https encryption, this satisfies the application requirements of cryptography compliance and global trust. Public website system cannot force website visitors to use which browser and must support both SM2 browsers and non- SM2 browsers.
The biggest difference between ZoTrus HTTPS Automation Gateway and other similar products is that the built-in SM2 ACME client software, which automatically connects to the ACME service system of ZoTrus Cloud SSL System, automatically completes domain control validation, dual-algorithm SSL certificate application, and dual-algorithm SSL certificates collection and deployment to automatically implement https encryption, and it is adaptive encryption and prioritizes the use of SM2 algorithm. Customers do not need to manually apply for an SSL certificate from the CA and manually configure the SSL certificate, and do not need to manually renew the certificate and reinstall the certificate when the certificate expires. There will be no manual management of the SSL certificate and the possibility of forgetting to renew the certificate to cause the system interruption to affect the normal operation of the business. The entire lifecycle management of the SSL certificate is automatically completed by the built-in SM2 ACME client software, realizing 24 hours x 365 days uninterrupted https encryption service. The automatically configured SM2 SSL certificate supports SM2 Certificate Transparency, and the ECC SSL certificate supports international certificate transparency, which effectively protect the security and trustworthy of dual SSL certificates.
To ensure the uninterrupted HTTPS encryption service of the website system, it is strongly recommended to run in the dual-machine hot standby mode, which can not only achieve dual-machine load balancing (in fourth and seventh network layers), but also realize that once one device fails, the other device will be in seconds level failover. Supports Master/Master and Master/Backup clusters, supports up to 32 cluster nodes, supports various balanced scheduling algorithms, supports session retention, supports round robin, weighted round robin, least connection, shortest response time and IP hash, etc.
ZoTrus SM2 HTTPS Automation Gateway is plug-and-play, deployed at the front end of the web server, the original web server can be seamlessly upgraded from http to https without any modification, and it is a SM2 https encryption that meets the cryptography compliance requirement. Its powerful https offloading and forwarding function provides additional performance enhancement support for the web server, not only does not need to increase the burden of https encryption and decryption, but also enhances the external response capability and the ability to process user requests. The seamless switching from http to https of zero-reconstruction, zero-maintenance, and zero-impact of deploying ZoTrus SM2 HTTPS Automation Gateway is the first choice and must for the SM2 https encryption and system security upgrade from http to https.
2.2 SM2 HTTPS Automation Gateway + WAF module / WAF device
This solution is to add a WAF module on the basis of the SM2 HTTPS Automation Gateway, which supports commonly used Web Application Firewall functions, such as: preventing SQL injection, preventing cross-site scripting attacks (XSS), preventing attacks using local files containing vulnerabilities, and preventing the use of remote File (including vulnerabilities) attacks, preventing attacks using remote command execution vulnerabilities, preventing PHP code injection, preventing malicious access that violates the HTTP protocol, preventing attacks using remote proxy infection vulnerabilities, preventing attacks using Shellshock vulnerabilities, and preventing the use of Session sessions Vulnerabilities with the same ID can be used to attack, prevent malicious scanning of websites, prevent source code or error information leakage, blacklist honeypot projects, and perform IP blocking based on judging the IP address attribution, etc.
If customer has already purchased a WAF device, there is no need to purchase the WAF module. It is only necessary to deploy a SM2 HTTPS Automation Gateway before the WAF device. The WAF device only needs to be responsible for parsing the cleartext http content to make corresponding protection, and there is no need to apply for SSL certificate from the CA to be deployed on the WAF device.
3. The e-Government Cloud SM2 HTTPS Automatic Management Platform, seamless switching from http to https of zero-reconstruction
At present, the construction of e-government cloud hardware and software in all provinces and cities in China is very rapid and has formed a certain scale. Some provincial e-government cloud platforms have provided web services for tens of thousands of e-government websites, but it is impossible to deploy SSL certificate for all so many website systems, which is why the current provincial e-government cloud platforms only deploy SSL certificates on provincial portal websites, while other department official websites are "Not secure" as http site! Another reason is to ensure the normal operation of the existing website system, and not affect the normal operation of e-government service in the implementation of https encryption. This is a very contradictory decision, because https encryption is not implemented and there is no security protection, which will also affect the normal operation of e-government service.
The only solution is to achieve SM2 https encryption with zero reconstruction, and it also needs to achieve complete autonomously and controllable, and independently issue SM2 SSL certificates and ECC SSL certificates. This requires the localized deployment of the ZoTrus Cloud SSL System that issues dual SSL certificates for the SM2 HTTPS Automation Gateway in the above solution. As shown in the left figure below, the SM2 HTTPS Automation Gateway cluster provides HTTPS acceleration and HTTPS offloading and forwarding services for all e-government websites in a unified manner. The existing e-government websites do not need to be changed and can be seamlessly upgraded from insecure http websites to secure https website. The locally deployed e-Government Cloud SSL System is responsible for autonomously and controllably providing SM2 SSL certificates and ECC SSL certificates for the SM2 HTTPS Automation Gateway, which are used for HTTPS encryption and adaptive encryption algorithms for all e-government websites to achieve cryptography compliance and global trust. The e-Government Cloud SSL System consists of 7 subsystems, including certificate issuance system (including HSM machine), certificate management system, domain name validation system, ACME service system, certificate agency system, certificate revocation system and SM2 certificate transparent log system, which are jointly implemented to issue dual algorithm SSL certificate for all e-government website independently. The system architecture is shown in the figure on the right below. All systems are dual-machine hot standby to ensure uninterrupted service of issuing SSL certificates.
The e-Government Cloud SSL System is a locally deployed CA system for issuing SM2 SSL certificates that support SM2 Certificate Transparency, it is also an ECC SSL certificates issuing system by connecting with the ECC CA system to issue publicly trusted SSL certificates. The deployment of the whole system is to realize the completely independent and controllable issuance and management of SM2 SSL certificates for e-government website systems and the relatively independent issuance of ECC SSL certificates. To achieve independent and controllable issuance of e-government website SSL certificates, first of all, there must be an intermediate root certificate for issuing SSL certificates, so that all e-government systems can reliably realize that all e-government website systems only trust SSL certificates issued by their own intermediate root certificates, effectively preventing various SSL man-in-the-middle attacks against e-government websites and other fake government website attacks.
According to the characteristics of e-government affairs, it is necessary to customize two SSL intermediate root certificates of the SM2 algorithm, one SSL intermediate root certificate for issuing SM2 OV SSL certificates and one SSL intermediate root certificate for issuing SM2 DV SSL certificates, and one ECC algorithm SSL intermediate root certificate for issuing ECC DV SSL certificates. All SM2 SSL certificates issued from customized SM2 roots support SM2 certificate transparency, and all ECC SSL certificates issued from customized ECC root support international certificate transparency. All e-government websites are automatically configured with dual SSL certificates. SSL certificate combination one is SM2 OV SSL Certificate + ECC DV SSL certificate that it used for public e-government websites; the second SSL certificate combination is SM2 DV SSL certificate + ECC DV SSL certificate that is used for internal e-government management information systems and IoT networking systems.
Three customized intermediate root certificates and user certificate chains are shown in the figure below. The AAA SM2 Root CA has been included and trusted by ZT Browser. It is currently the only root CA in China that supports SM2 certificate transparency. Sectigo ECC root CA is currently the only and oldest ECC algorithm root certificate in the world, supporting all browsers, operating systems, and various new and old devices (including mobile phones). Both the SM2 SSL certificate and the ECC SSL certificate use the elliptic curve algorithm with a short key, which can save the bandwidth, save electricity, save traffic and save electricity for users' mobile phones, and provide users with a better user experience when visiting e-government websites.
The e-Government Cloud SM2 HTTPS Automation Management Platform is shown in the figure below. It is mainly composed of two parts: the e-Government Cloud SSL System and the HTTPS Offloading System composed of the SM2 HTTPS Automation Gateway array that is responsible for issuing dual algorithm SSL certificates for e-government websites from the customized e-government-specific intermediate root certificate. The deployment of multiple SM2 HTTPS Automation Gateway can provide HTTPS acceleration and HTTPS offload forwarding services for multiple e-government websites, so as to achieve the goal of zero reconstruction of the existing e-government website system to achieve https encryption. Between the e-government website and the HTTPS Offloading System, a WAF device can be added to be responsible for the security protection of the web application, https encryption plus WAF protection, to double protect the security of the e-government websites. All e-government website visitors can use the free ZT Browser that supports SM2 algorithm and SM2 Certificate Transparency to use the SM2 algorithm for https encryption, while other non-SM2-browsers use the ECC algorithm for https encryption, which can meet the cryptography compliance and global trust of the e-government website security requirements.
