Abstract: SSL/TLS is an encrypted communication protocol widely used in the industry. It provides identity authentication of the communicating parties, session key negotiation, encryption of the communication content, and integrity protection.

This article is shared from the Huawei Cloud Community, "GaussDB (DWS) Security Test TLS Protocol", author: ACBD.

1. Protocol security mechanism

SSL/TLS is an encrypted communication protocol widely used in the industry. It provides identity authentication of the communicating parties, session key negotiation, encryption of the communication content, and integrity protection. An SSL/TLS algorithm suite includes 4 algorithms: key exchange, authentication, encryption, and MAC. For example, in the TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 algorithm suite, DHE is the key exchange algorithm, RSA is the authentication algorithm, AES_128_CBC is the symmetric encryption algorithm, and SHA256 is the MAC algorithm for integrity protection. If the key exchange and authentication algorithms are not listed separately, both are RSA, as in TLS_RSA_WITH_AES_128_CBC_SHA. If any algorithm in a suite is not secure, the whole algorithm suite should be disabled.

Figure: SSL/TLS protocol architecture

The security mechanisms implemented by the SSL/TLS protocol include:

• Security of key distribution: a key agreement algorithm is used to ensure the security of the key itself.
• Confidentiality of data transmission: a symmetric key algorithm is used to encrypt the transmitted data.
• Identity verification mechanism: the server and the client are authenticated by a certificate-based digital signature method; verification of the client's identity is optional.
• Message integrity verification: a MAC algorithm is used to verify the integrity of each message during transmission.

The above four parts constitute the SSL/TLS cipher suite.

For example, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 is composed of the protocol name TLS, the key exchange algorithm (KeyExchange, key agreement) ECDHE, the authentication algorithm (Au, identity verification) RSA, the symmetric encryption algorithm (Enc, information encryption) AES_256_CBC, and the message digest (Mac, integrity check) SHA384.

Figure: SSL/TLS protocol composition

TLS/SSL relies mainly on three types of basic algorithms: asymmetric encryption, symmetric encryption, and hash functions. Asymmetric encryption is used for identity authentication and key negotiation, the symmetric encryption algorithm uses the negotiated key to encrypt data, and the integrity of the information is verified with the hash function.

2. Test focus

• Protocol version
  • SSL protocol: every version of the SSL protocol has security vulnerabilities, so its use is prohibited, including 1.0, 2.0, and 3.0.
  • TLS protocol: TLS1.0 and TLS1.1 are forbidden; it is recommended to use TLS1.2 or TLS1.3.

• Key agreement exchange algorithm

Before the client and server begin to exchange information protected by TLS, they must securely exchange or agree on the encryption key and the cipher to be used when encrypting data. The DH/ECDH key agreement protocol cannot authenticate the server or user and is vulnerable to man-in-the-middle attacks, so it must not be used. A DHE/ECDHE algorithm, which provides forward secrecy, is required, and the use of RSA as a key exchange algorithm is prohibited.

• Authentication algorithm

The current mainstream is the RSA algorithm. Note that RSA with a key length of less than 2048 bits is an insecure algorithm. It is recommended to use a secure algorithm with a key length greater than 3072 bits.

• Encryption algorithm

Data encryption uses symmetric encryption algorithms. Common encryption algorithms are AES-CBC, 3DES, AES-GCM, etc. Use secure encryption algorithms; algorithms that are considered insecure must be prohibited.

When a block cipher is used, the product should give priority to GCM mode. TLS algorithm suites are matched one by one in order, from first to last, so the preferred suite should be placed first and the second choice after it.

• Integrity algorithm

To prevent data transmitted over the network from being illegally tampered with, SSL/TLS uses a MAC algorithm based on MD5 or SHA to ensure the integrity of the message. MD5-based algorithms have been proven insecure and are prohibited. SHA-based algorithms must use a secure variant: SHA3, or SHA256 or above.
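The suite naming from section 1 and the test rules from section 2 can be combined into one check. The following is an added example, not code from the original article or from GaussDB (DWS): the function names, the rule sets and the sample list are assumptions made for illustration, and it handles TLS 1.2-style names only.

```python
import re

# Rules encoded from the article's "Test focus" list (set names are assumptions).
FORBIDDEN_KX = {"RSA", "DH", "ECDH"}   # only DHE/ECDHE provide forward secrecy
FORBIDDEN_MAC = {"MD5", "SHA"}         # "SHA" alone means SHA-1, below SHA256


def parse_suite(name):
    """Split TLS_<kx>_<auth>_WITH_<enc>_<mac> into its four algorithms."""
    m = re.fullmatch(r"TLS_([A-Za-z0-9_]+)_WITH_([A-Z0-9_]+)_([A-Z0-9]+)", name)
    if not m:
        raise ValueError(f"not a TLS 1.2-style suite name: {name}")
    left, enc, mac = m.groups()
    kx, _, auth = left.partition("_")
    # When only one algorithm is named before WITH, it fills both roles.
    return {"kx": kx, "auth": auth or kx, "enc": enc, "mac": mac}


def audit_suite(name):
    """Return the findings for one suite; an empty list means it passes."""
    s = parse_suite(name)
    findings = []
    if s["kx"] in FORBIDDEN_KX:
        findings.append(f"key exchange {s['kx']} is prohibited, use DHE/ECDHE")
    if s["mac"] in FORBIDDEN_MAC:
        findings.append(f"integrity algorithm {s['mac']} is below SHA256")
    if s["enc"].endswith("CBC"):
        findings.append(f"{s['enc']} uses CBC, GCM mode should be preferred")
    return findings


def first_misordered(suites):
    """Return the first GCM suite listed after a non-GCM one, else None."""
    seen_non_gcm = False
    for name in suites:
        is_gcm = parse_suite(name)["enc"].endswith("GCM")
        if is_gcm and seen_non_gcm:
            return name
        seen_non_gcm = seen_non_gcm or not is_gcm
    return None


# Constructed server preference list (not taken from a real deployment).
SAMPLE = [
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
```

Calling `audit_suite` on each entry of `SAMPLE` flags the CBC and RSA key exchange suites, and `first_misordered(SAMPLE)` reports the GCM suite that should have been listed first.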
