The biggest threat to website security right now is "harvest now, decrypt later": attackers are already collecting HTTPS-encrypted traffic from websites, intending to decrypt it once quantum computers become available. It is therefore imperative to enable post-quantum cryptography (PQC) for HTTPS encryption. To prevent brute-force attacks on SSL certificates, the validity period of SSL certificates will be shortened to 47 days. And Chinese laws and regulations require all critical information infrastructure to support commercial cryptography. How can users accomplish these difficult tasks easily?
ZoTrus has integrated automatic SSL certificate management, commercial cryptography algorithm support and PQC support with a traditional SSL gateway into a brand-new product — the PQC HTTPS Automation Gateway. The gateway automatically applies for and deploys SSL certificates to provide HTTPS encryption and WAF protection, and supports both traditional cryptographic algorithms (RSA/ECC/SM2) and PQC algorithms, making PQC migration easy. The PQC Gateway includes five years of three-algorithm SSL certificates for up to 255 websites, so users do not need to pay for SSL certificates separately.
ZoTrus PQC HTTPS Automation Gateway (ZoTrus PQC Gateway) is an innovative website security product. It is based on the ZoTrus PQC HTTPS Automation Gateway that has passed the China Commercial Cryptography Product Certification, with support for post-quantum cryptography algorithms added. It is a high-end, high-performance website security hardware gateway that combines HTTPS encryption acceleration, HTTPS offloading and forwarding, an SM2 algorithm module, a PQC algorithm module, automatic SSL certificate management and load balancing in one device dedicated to HTTPS acceleration and offloading. A built-in professional-grade, high-performance hardware cipher card provides high-speed cryptographic operations and network packet forwarding, and the built-in operating system, network stack, SSL/TLS protocol implementation, ECC algorithm and SM2 algorithm have been professionally optimized to reach industry-leading performance in a single device: HTTPS throughput of up to 9 Gbps and up to 1.5 million concurrent HTTPS connections.
The defining features of the ZoTrus PQC HTTPS Automation Gateway are PQC algorithm support and SSL certificate automation: zero application for SSL certificates, zero installation of SSL certificates, automatic HTTPS encryption and WAF protection, and adaptive cryptographic algorithm selection (PQC/SM2/ECC/RSA). Browsers that support a PQC algorithm use the PQC algorithm; browsers that support the SM2 algorithm and SM2 Certificate Transparency use the SM2 algorithm for HTTPS encryption; browsers that support neither PQC nor SM2 use the ECC algorithm. This is an innovative client-cloud integrated solution: the PQC HTTPS Automation Gateway has a built-in SM2 ACME client that automatically connects to the ZoTrus Cloud SSL System to complete the application, deployment and renewal of SSL certificates, so that HTTPS encryption is achieved automatically with zero changes to the business system, providing uninterrupted HTTPS encryption and WAF protection for business systems with up to 255 different domain names.
With 90% of websites worldwide now using HTTPS encryption, a new security threat has emerged: "harvest now, decrypt later". Attackers are collecting HTTPS-encrypted traffic today, intending to decrypt it once quantum computers are available. Government websites, e-government systems, online banking systems and university websites in Europe and America have therefore already implemented PQC HTTPS encryption. China must also implement PQC HTTPS encryption immediately, because even website systems that have completed commercial cryptography support still face the risk of "harvest now, decrypt later" attacks. ZoTrus PQC HTTPS Automation Gateway is designed specifically for post-quantum cryptography migration, helping critical information infrastructure operators migrate easily to post-quantum HTTPS encryption.
The core function of the ZoTrus PQC HTTPS Automation Gateway is zero modification of the original server: it requires no installation of SSL certificates or ACME client software and no upgrades to support post-quantum cryptography or commercial cryptography algorithms. Simply deploy the PQC Gateway in front of the original server to implement HTTPS encryption automatically, automate the post-quantum cryptography migration, and provide 24/7/365 uninterrupted HTTPS encryption and WAF protection. The recommended default deployment is a dual-machine setup in which each machine serves as a hot standby for the other; when both are enabled they balance the load, and otherwise a single machine handles the load on its own.
ZoTrus PQC HTTPS Automation Gateway supports hybrid post-quantum key exchange algorithms (X25519MLKEM768 and SM2DHMLKEM768) for HTTPS encryption. Browsers that support X25519MLKEM768 (such as Google Chrome and Microsoft Edge) use the X25519MLKEM768 hybrid algorithm for HTTPS encryption, as shown in the left figure below (viewable in the browser's developer tools). ZT Browser is the world's first and only browser to adopt the SM2DHMLKEM768 hybrid algorithm for HTTPS encryption, as shown in the right figure below.
ZT Browser works closely with the ZoTrus PQC HTTPS Automation Gateway. It not only implements PQC hybrid (X25519MLKEM768) HTTPS encryption with ECC/RSA algorithm SSL certificates, as shown in the right figure below, where "Connection is encrypted (ECC)" indicates that the website uses an ECC algorithm SSL certificate, but is also the world's first to implement hybrid commercial cryptography and post-quantum cryptography (SM2DHMLKEM768) HTTPS encryption, as shown in the left figure below, where "Connection is encrypted (SM2)" indicates that the website uses an SM2 algorithm SSL certificate. ZT Browser is also the world's only browser to display a dedicated icon in the address bar that makes post-quantum HTTPS encryption visible, with the text "PQC Algorithm, Quantum-Safe". This leverages ZoTrus's comprehensive ecosystem of post-quantum cryptography HTTPS encryption applications, helping customers migrate easily to post-quantum cryptography while supporting commercial cryptography.
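The adaptive selection described above (PQC hybrid first, then SM2 for SM2-capable browsers with SM2 Certificate Transparency, otherwise ECC) can be modelled from the TLS 1.3 ClientHello. The following is an added example written for this page, not ZoTrus or ZT Browser code; it assumes the IANA codepoints for X25519MLKEM768 (0x11EC), curveSM2 (0x0029) and sm2sig_sm3 (0x0708), and uses a constructed private-use placeholder for SM2DHMLKEM768, which has no codepoint known to me. It also adds a defender's check for a session that lost its PQC protection.

```python
"""Model of a gateway's PQC/SM2/ECC adaptive selection (added example, not ZoTrus code)."""
from dataclasses import dataclass

# TLS supported_groups codepoints (X25519MLKEM768 from draft-ietf-tls-ecdhe-mlkem,
# curveSM2 from RFC 8998). SM2DHMLKEM768 is a constructed placeholder value.
X25519MLKEM768 = 0x11EC
SM2DHMLKEM768 = 0xFE01          # placeholder, private-use range, assumed for this example
CURVE_SM2 = 0x0029
X25519 = 0x001D
SECP256R1 = 0x0017

# TLS signature_algorithms codepoints
SM2SIG_SM3 = 0x0708             # RFC 8998
ECDSA_SECP256R1_SHA256 = 0x0403
RSA_PSS_RSAE_SHA256 = 0x0804

PQC_GROUPS = {X25519MLKEM768, SM2DHMLKEM768}
# Gateway-side preference: hybrid PQC groups first, classical groups last.
GATEWAY_GROUP_PREFERENCE = (SM2DHMLKEM768, X25519MLKEM768, CURVE_SM2, X25519, SECP256R1)


@dataclass(frozen=True)
class ClientHello:
    groups: tuple               # supported_groups, client preference order
    sig_algs: tuple             # signature_algorithms
    sm2_ct: bool = False        # client verifies SM2 Certificate Transparency


@dataclass(frozen=True)
class Selection:
    group: int                  # negotiated key-exchange group
    cert_algo: str              # which gateway certificate is served: "SM2" or "ECC"
    quantum_safe: bool          # True when a hybrid PQC group was negotiated


def select(hello: ClientHello) -> Selection:
    """Choose the certificate and key-exchange group the gateway would use."""
    # 1. Certificate: SM2 only for clients that verify SM2 signatures and SM2 CT,
    #    otherwise the globally trusted ECC (ECDSA P-256) certificate.
    if SM2SIG_SM3 in hello.sig_algs and hello.sm2_ct:
        cert_algo = "SM2"
    elif ECDSA_SECP256R1_SHA256 in hello.sig_algs:
        cert_algo = "ECC"
    else:
        raise ValueError("client cannot verify any certificate the gateway holds")
    # 2. Key exchange: first group in gateway preference that the client offered.
    #    SM2-based groups are only used together with the SM2 certificate.
    offered = set(hello.groups)
    for group in GATEWAY_GROUP_PREFERENCE:
        if group not in offered:
            continue
        if group in (SM2DHMLKEM768, CURVE_SM2) and cert_algo != "SM2":
            continue
        return Selection(group, cert_algo, group in PQC_GROUPS)
    raise ValueError("no common supported_group")


def downgrade_suspected(hello: ClientHello, negotiated_group: int) -> bool:
    """Defender's check: the client offered a PQC hybrid but the session is classical.

    On a gateway that advertises PQC this points to a misconfiguration or an
    interfering middlebox, and the session is exposed to harvest-now-decrypt-later.
    """
    return bool(PQC_GROUPS & set(hello.groups)) and negotiated_group not in PQC_GROUPS
```

The certificate decision is made before the group decision because the SM2 hybrid only makes sense on an SM2 session; a client that offers curveSM2 but not SM2 CT therefore falls back to ECC.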
The main reason international standards bodies keep shortening SSL certificate validity periods is to facilitate a smooth migration to post-quantum cryptography. Automatic SSL certificate management is intended to allow pure post-quantum SSL certificates to be activated smoothly as the perceived threat of quantum computers to traditional cryptographic algorithms grows. One of the core features of the ZoTrus PQC HTTPS Automation Gateway is automatic management of dual-algorithm (SM2/ECC) SSL certificates; when pure PQC algorithm SSL certificates become available, it will provide automatic management of three-algorithm (PQC/SM2/ECC) SSL certificates. SSL gateways or PQC gateways that do not support automatic SSL certificate management cannot truly meet users' PQC migration needs.
The dual-algorithm, dual-SSL-certificate setup required for HTTPS encryption is completed automatically by the ZoTrus PQC HTTPS Automation Gateway: it connects to the ZoTrus Cloud SSL System to apply for the two SSL certificates, validates the domain name, retrieves the issued certificates, installs them and enables them. The automatically configured ECC SSL certificate is globally trusted and supports Certificate Transparency. It is issued by a ZoTrus-branded intermediate root certificate (ZoTrus ECC DV SSL CA or ZoTrus DV TLS ECC CA) whose root CA certificate also uses the ECC algorithm, so the entire chain uses ECC, the preferred classical component for PQC hybrid algorithms, and meets global trust requirements.
The automatically configured SM2 SSL certificate complies with the Cryptography Law and is trusted by all SM2 browsers. It is currently the only SM2 SSL certificate in the world that supports SM2 Certificate Transparency. It is issued by the ZoTrus-branded intermediate root certificate SM2 SSL Pro CA, whose root CA certificate is Guizhou SM2 CA; Guizhou CA holds the CA license issued by MIIT and SCA. The entire chain uses the SM2 algorithm, meeting commercial cryptography compliance requirements.
The dual SSL certificates automatically configured by the ZoTrus PQC HTTPS Automation Gateway have a validity period of 90 days, meeting the upcoming 90-day certificate policy in advance. The figure below shows on the left the 90-day SM2 OV SSL certificate configured by the gateway by default, and on the right the ECC DV SSL certificate with a 90-day validity period; automatic deployment of 90-day certificates greatly improves the security and agility of the HTTPS encryption service. Both SSL certificates are based on elliptic curve algorithms, so the certificate chain file is the smallest possible, saving bandwidth in the IDC and on users' mobile phones, and saving power consumption in the IDC and on users' phones, which is more environmentally friendly. Not only is the key shorter, but the encryption speed is more than 20 times faster than the RSA algorithm, so site visitors reach websites faster.
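Short-lived certificates only stay safe when renewal runs well before expiry. The following renewal planner is an added example written for this page, not ZoTrus code: it applies the common ACME practice of renewing once one third of the lifetime remains (day 60 of a 90-day certificate, which also covers 47-day certificates) and treats an SM2 signing/encryption pair as one unit so both halves are reissued together. The inventory and the SAMPLE_NOW clock are constructed sample data.

```python
"""Renewal planner for short-lived dual SSL certificates (added example, not ZoTrus code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RENEW_WHEN_REMAINING = 1 / 3                       # fraction of lifetime left
SEVERITY = {"ok": 0, "renew": 1, "expired": 2}
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)   # constructed scheduler clock


def day(n: float) -> datetime:
    """Offset from SAMPLE_NOW in days (negative means in the past)."""
    return SAMPLE_NOW + timedelta(days=n)


@dataclass(frozen=True)
class CertRecord:
    domain: str
    algo: str            # "ECC" (single certificate) or "SM2" (sign/enc pair)
    role: str            # "single", "sign" or "enc"
    not_before: datetime
    not_after: datetime


def renewal_threshold(rec: CertRecord) -> datetime:
    """Instant at which one third of the certificate lifetime remains."""
    lifetime = rec.not_after - rec.not_before
    return rec.not_after - lifetime * RENEW_WHEN_REMAINING


def status(rec: CertRecord, now: datetime) -> str:
    if now >= rec.not_after:
        return "expired"          # HTTPS on this domain is already failing
    if now >= renewal_threshold(rec):
        return "renew"
    return "ok"


def plan(inventory, now: datetime) -> dict:
    """Map (domain, algo) to the most urgent status across its certificate(s).

    An SM2 pair is renewed as a unit: if either half is due, the pair is due.
    """
    result = {}
    for rec in inventory:
        key = (rec.domain, rec.algo)
        current = result.get(key, "ok")
        new = status(rec, now)
        result[key] = new if SEVERITY[new] >= SEVERITY[current] else current
    return result


def next_wakeup(inventory, now: datetime):
    """Earliest future renewal threshold, i.e. when the scheduler must run next."""
    future = [renewal_threshold(r) for r in inventory if renewal_threshold(r) > now]
    return min(future) if future else None


def sample_inventory():
    """Constructed fleet: 90-day certificates plus one 47-day certificate."""
    return [
        CertRecord("a.example", "ECC", "single", day(-61), day(29)),  # past day 60
        CertRecord("b.example", "SM2", "sign", day(-10), day(80)),
        CertRecord("b.example", "SM2", "enc", day(-95), day(-5)),     # one half expired
        CertRecord("c.example", "ECC", "single", day(-30), day(60)),
        CertRecord("d.example", "ECC", "single", day(-32), day(15)),  # 47-day certificate
    ]
```

With a fleet of 255 domains the "expired" state should never be reached; treating it as an alert rather than a renewal keeps an outage from hiding in the renewal queue.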
The ZoTrus PQC HTTPS Automation Gateway has a built-in WAF module by default. This module is developed on the open source ModSecurity engine and supports the commonly used Web Application Firewall functions, such as preventing SQL injection, cross-site scripting (XSS), local file inclusion, remote file inclusion, remote command execution, PHP code injection, malicious requests that violate the HTTP protocol, remote proxy infection attacks, Shellshock attacks and attacks that reuse the same session ID (session fixation); detecting malicious scanning of websites; preventing leakage of source code or error information; blocking IPs listed by blacklist honeypot projects; and blocking IPs based on their geographic attribution. If the customer has already purchased a WAF device, it is only necessary to deploy the HTTPS Automation Gateway in front of the WAF device. The WAF device then only needs to parse the cleartext HTTP content to apply its protection, and there is no need to apply for an SSL certificate from a CA to deploy on the WAF device.
The ZoTrus PQC HTTPS Automation Gateway is also a security authentication gateway: it supports two-way (mutual) authentication with USB Key SM2 certificates issued by Chinese CAs (SKF standard). Combined with the two-way authentication support of ZT Browser, users need no additional development; they simply enable two-way authentication when setting up the SM2 HTTPS automation service on the gateway. Users can configure multiple client certificate issuing CAs, and the China Public SM2 Root CA certificate is preset by default. Two-way authentication with RSA algorithm software certificates and USB Key hardware certificates is also supported.
There are 12 main functional modules of ZoTrus PQC HTTPS Automation Gateway:
The ZoTrus PQC HTTPS Automation Gateway provides an efficient, secure, transparent, easy-to-deploy, zero-reconstruction, fully automatic solution for HTTPS encryption. It can effectively expand the bandwidth of network devices and servers, increase throughput, strengthen network data processing capabilities, improve network flexibility and availability, and improve the experience of users visiting the website.
The ZoTrus PQC HTTPS Automation Gateway is a fully independent and controllable integrated software and hardware product: an SSL security gateway software system with fully independent intellectual property rights, an SM2/ECC/RSA cryptographic hardware accelerator card certified by CCPC, a self-controllable operating system, support for CPUs such as Haiguang, Loongson and Phytium, matching independent motherboards, and independent network cards. This fully autonomous and controllable PQC HTTPS Automation Gateway meets the requirements of government, military industry and other sectors with extremely high demands for information security control.
Each ZoTrus PQC HTTPS Automation Gateway supports automatic configuration of up to 255 ECC SSL certificates (one certificate each) and up to 255 pairs of SM2 SSL certificates (one signing certificate and one encryption certificate each), so dual-algorithm dual-SSL-certificate configuration covers up to 255 website domain names with dual-algorithm adaptive HTTPS encryption. How many websites can actually be served is limited by the number of new connections, the throughput and the concurrency supported by the gateway hardware and cipher cards.
Each ZoTrus PQC HTTPS Automation Gateway has a warranty period of 5 years and automatically configures a globally trusted ECC DV SSL certificate and a cryptography-compliant SM2 OV SSL certificate for up to 255 website domain names within those 5 years. Calculated at the price of CerSign OV SSL Certificate Lite (4888 Yuan/year), the SSL certificates configured automatically are worth as much as 6.23 million RMB Yuan (=5*255*4888, equal to US$865K), making this the world's exclusive super-value HTTPS encryption automation solution!
The ZoTrus PQC HTTPS Automation Gateway is currently available in 3 product specifications, suited to high-performance cloud data centers, large and medium-sized enterprise servers, and small organization servers that need automatic HTTPS encryption, and especially to PQC migration and SM2 compliance with minimal reconstruction. The performance parameters of each model are shown in the table below. Products can be customized for users with different requirements.
The ZoTrus PQC HTTPS Automation Gateway supports multiple network deployment methods, including cluster deployment of multiple devices. To ensure high availability of the gateway, dual-machine deployment is strongly recommended so that PQC HTTPS encryption services and WAF protection are provided 24*365 without interruption.
The traditional way to implement HTTPS encryption is to apply for SSL certificates from a CA and deploy them manually on the web server. For users with multiple websites that need SSL certificates, this is very time-consuming and labor-intensive. Instead, you can deploy the ZoTrus PQC HTTPS Automation Gateway in front of the web server, so that you no longer need to apply for SSL certificates from a CA: the ZoTrus PQC Gateway automatically connects to the ZoTrus Cloud SSL Service System to configure dual-algorithm SSL certificates for the website, implementing PQC HTTPS encryption and WAF protection automatically.
As shown in the figure below, after deploying the ZoTrus PQC Gateway you can keep the domain name resolving to the public IP address of the web server for a few days. Once the gateway is deployed and working normally, stop resolving the domain name to the original web server's public IP address, wait for the DNS TTL to expire, and then disconnect the web server's Internet connection; from then on the ZoTrus PQC Gateway fully takes over HTTPS encryption and WAF protection.
For customers who have purchased load balancing devices, SSL gateways and WAF devices, the common practice is to deploy these devices in front of the web server and manually configure the SSL certificate and private key into the device to implement RSA algorithm HTTPS encryption, dual-algorithm (RSA/SM2) adaptive HTTPS encryption, or HTTPS-mode WAF protection. Load balancing devices and SSL gateways can also be deployed together, and WAF devices added as well, but only one device needs to hold the SSL certificate, as shown in the figure below.
The deployment principle of the ZoTrus PQC Gateway is zero transformation, seamless upgrade and no interruption of the original system. The core idea is to move the SSL certificate deployment and HTTPS encryption and decryption functions from the device that originally held the SSL certificate to the ZoTrus PQC Gateway. So as not to affect the uninterrupted, reliable operation of the running system, a new HTTPS encryption channel is added alongside the old one, as shown in the figure below. After the new channel is in service, the domain name resolution of the old channel can be stopped, or the old channel's Internet connection removed, before the old channel's SSL certificate expires or after the DNS TTL expires. The old channel's device can also be left in place as a backup channel for emergency use, but in that case a valid SSL certificate must be deployed on it manually.
If the customer wants to keep using an already purchased WAF device after enabling the ZoTrus PQC Gateway, the WAF device can only be deployed behind the ZoTrus PQC Gateway to protect HTTP plaintext traffic, or the expired certificate in the WAF device can continue to be used to protect HTTPS ciphertext traffic.
The default deployment mode of the ZoTrus PQC HTTPS Automation Gateway is dual-machine hot standby. The two gateways run in master-master (Active-Active) mode: both act as primary devices and process business traffic at the same time, while also serving as each other's backup. The two machines share business traffic, so no resources are wasted; when one gateway fails and cannot continue working, the other takes over all the work, ensuring continuous and reliable operation of the business system. The ZoTrus PQC Gateway is guaranteed for 5 years; if a fault occurs within those 5 years, it is replaced free of charge to keep the HTTPS encryption automation and WAF protection services uninterrupted throughout the 5-year period.
For customers who need PQC HTTPS encryption automation not only for local servers but also for web servers in branch offices or multiple websites deployed in the cloud, the ZoTrus PQC Gateway supports both local forwarding mode and remote back-to-origin mode. Whether the web server is in an off-site server room or on a cloud host, as long as the gateway can reach it over the public network or an intranet, it is treated as a back-to-origin origin server, similar to a CDN service, and the gateway can provide HTTPS encryption automation and WAF protection for all of them. A dual-gateway pair serves up to 255 websites; more websites require more gateways.
To protect the data of website systems that are not located in the central server room, the back-to-origin connection from the gateway to the remote server must be encrypted with HTTPS to achieve full-link encryption. ZoTrus Technology provides a self-signed back-to-origin SSL certificate with a 5-year validity period for back-to-origin websites free of charge, so the origin website does not need to deploy a globally trusted SSL certificate with a validity period of only one year.
This deployment method also suits service providers offering website design, web hosting and SSL certificate sales: they can deploy multiple gateways to provide HTTPS encryption automation and WAF protection for their own business systems as well as for their customers' websites, regardless of where those websites are hosted, as long as they are reachable over HTTP or HTTPS.
For cloud platforms such as e-government cloud platforms and public cloud platforms, where tens of thousands or even millions of websites need PQC migration and HTTPS encryption, automation is the only feasible approach. Multiple ZoTrus PQC HTTPS Automation Gateways are deployed to form a cluster array - the HTTPS Offloading and WAF System - in which the gateways share business traffic and serve as hot standby for each other. When a gateway fails, the services running on it are taken over by the other gateways, ensuring adequate and timely service scheduling. Cluster mode is suited to redundant network environments that emphasize extremely high throughput.
If you have an idle server or it is not convenient to deploy the ZoTrus PQC HTTPS Automation Gateway hardware, you can purchase the ZoTrus PQC HTTPS Automation System and deploy the gateway system on your own bare metal server to obtain the same functions as the ZoTrus PQC HTTPS Automation Gateway.
The ZoTrus PQC HTTPS Automation System integrates a Linux operating system (Ubuntu, Kylin OS or UOS), the Tengine web server, Tongsuo SSL and the ZoTrus PQC HTTPS Automation Gateway core system. It can be installed directly on a bare metal server and is dedicated to SM2 HTTPS automation. After installation, the user only needs to log in to the web management interface and configure the website domain names to have the dual-algorithm SSL certificates applied for and deployed automatically. By default it supports automatic dual-algorithm SSL certificate deployment for 255 websites with 5 years of uninterrupted service and adaptive-algorithm HTTPS encryption: browsers that support the SM2 algorithm, such as ZT Browser, prefer SM2 HTTPS encryption, while browsers that do not support SM2 use the ECC algorithm for PQC HTTPS encryption and WAF protection.
The ZoTrus PQC HTTPS Automation System has all the functions of the ZoTrus PQC HTTPS Automation Gateway and is bound to the physical server and the user account. It is well suited to customers with their own server hardware, such as e-government cloud platforms, commercial public cloud platforms and enterprise private cloud platforms, allowing existing idle servers to provide PQC HTTPS automation and WAF protection for their web systems.
By default, the ZoTrus PQC HTTPS Automation Gateway connects to the ZoTrus Cloud SSL System and enables HTTPS encryption once it has obtained the dual SSL certificates. Cloud platform customers who want to issue their own branded dual SSL certificates for automatic deployment to the gateway can deploy the ZoTrus Cloud SSL System locally to issue three-algorithm (PQC/SM2/ECC) SSL certificates automatically from a custom-branded dedicated SSL intermediate root certificate. The locally deployed system is called the E-government Cloud SSL System or the Public Cloud SSL System.
The e-Government Cloud SSL System is a locally deployed CA system for issuing cryptography-compliant SSL certificates that support SM2 Certificate Transparency. Deploying the whole system gives e-government websites completely independent and controllable issuance and management of SM2 SSL certificates, and relatively independent issuance of ECC SSL certificates. Independent, controllable issuance of e-government SSL certificates first requires an intermediate root certificate for issuing them, so that all e-government systems can reliably trust only SSL certificates issued by their own intermediate root certificate, effectively preventing SSL man-in-the-middle attacks against e-government websites and other fake e-government website attacks.
The ZoTrus PQC HTTPS Automation Gateway is a globally exclusive innovation that achieves automatic PQC HTTPS encryption and WAF protection with zero changes to the original web server, including PQC/SM2/ECC three-algorithm adaptive HTTPS encryption. Just configure the website domain name and IP address at startup to immediately enable HTTPS encryption and acceleration, WAF protection, TCP/DTLS secure delivery, automatic preparation of dual SSL certificates with global trust and cryptography compliance, high-speed dynamic caching and compression, connection multiplexing, session persistence, load balancing and more. While ensuring high performance, it offers the industry's best price-performance ratio.
The ZoTrus PQC HTTPS Automation Gateway is plug-and-play: deployed in front of the website server, it migrates the original server seamlessly to PQC and upgrades it from HTTP to HTTPS without any modification. Browsers that support PQC algorithms use PQC algorithms; browsers that support the SM2 algorithm and SM2 Certificate Transparency use the SM2 algorithm for HTTPS encryption; browsers that support neither PQC nor SM2 use the ECC algorithm. Its powerful HTTPS acceleration, offloading and forwarding functions add performance headroom for the website server: they not only avoid adding the burden of HTTPS encryption and decryption, but also improve external responsiveness and the capacity to process user requests. With zero reconstruction, zero maintenance and zero impact, the seamless switchover provided by the ZoTrus PQC HTTPS Automation Gateway is the first and necessary choice for PQC migration, SSL certificate automation, HTTPS encryption and WAF protection when moving from HTTP to HTTPS.