(高清版)GB∕T 38636-2020 信息安全技術(shù) 傳輸層密碼協(xié)議（TLCP）

信息安全技術(shù)傳輸層密碼協(xié)議(TLCP)2020-04-28發(fā)布2020-11-01實(shí)施國(guó)家市場(chǎng)監(jiān)督管理總局國(guó)家標(biāo)準(zhǔn)化管理委員會(huì) I 25.1概述 2 3 3 46.1概述 46.2數(shù)據(jù)類(lèi)型定義 4 56.4握手協(xié)議族 6.5密鑰計(jì)算 附錄A(規(guī)范性附錄)GCM可鑒別加密模式 24 I1IBC:標(biāo)識(shí)密碼算法(Identity-BasedCryptoXOR:異或(Exclusive-OR)23P_hash(secret,seed)=HMAC(secret,A(1)+seed)HMAC(secret,A(2)+seed)十HMAC(secret,A(3)+seed)十A(i)=HMAC(secret,A(iPRF(secret,label,seed)=P_hash(secret,l45bulk_cipher_algorit6enum{sha_256,sm3}MAenum{null(0),(255)}Compres由客戶(hù)端產(chǎn)生的32字節(jié)隨機(jī)數(shù)據(jù)。j)server_random由服務(wù)端產(chǎn)生的32字節(jié)隨機(jī)數(shù)據(jù)。 ——服務(wù)端寫(xiě)校驗(yàn)密鑰serverwriteMACsecret。服務(wù)端接收和處理記錄時(shí)使用客戶(hù)端寫(xiě)參數(shù)，客戶(hù)端接收和處理記錄時(shí)使7ProtocolVersionversion;opaquefragment[TLSPlainchange_cipher_spec(20),alert(21),hauint8minor=0x01;}ProtocolVersion;8caseaead:GenericAEADCipher;HMAC_hash(MAC_write_secret,seq_num+TLSCompressed.type+TLSCompresTLSCompressed.length+TLSCompress初始值為零，最大不能超出2??-1。序列號(hào)不能回繞。如果序列號(hào)b)hashopaqueIV[SecurityParameters,record_9opaqueMAC[SecurityParameters.mac_length];uint8padding[GenericBlockCipher.padding_length];b)SecurityParameters.record_iv_leopaquenonce_explicit[SecurityParameters.record_iv_length];opaquecontent[TLSCompressed.length];additional_data=seq_num+TLSCompressed.type十TLSCompressed.version+TLSCompressed.length;隨著不同的TLSCompressed.length值而不同。每個(gè)AEAD密碼算法生成的擴(kuò)展應(yīng)不能多于1024AEADEncrypted=AEAD—Encrypt(write_key,nonce,plaintext,additioTLSCompressed.fragment=AEAD一Decrypt(write_AEADEncrypted,additionalenum{change_cipher_spec(1enum{warning(1),fatal(2),(255unexpected_message(1unsupported_certificate(protocol_version(70).unsupported_site2site(20unsupported_areatype(20unsupported_ibcparam(2AlertDescriptiondescrip值級(jí)別unsupportedcertifi不支持證書(shū)類(lèi)型 拒絕訪問(wèn)內(nèi)部錯(cuò)誤警告警告不支持的保護(hù)域類(lèi)型ClientHello---Finished---ApplicationDataServerHelloDoneApplicationData<------->App client_hello(1),servecertificate(11),server_key_ecertificate_request(13),server_helcertificate_verify(15),client_key_ProtocolVersionclient_version;CipherSuitecipher_suitesCompressionMethodcompression_methorandom_bytes為28個(gè)字節(jié)的隨機(jī)數(shù)。名稱(chēng)加密效驗(yàn)值enum{null(0),(255)}CompreCipherSuitecipher_sCompressionMethodcompression_mopaqueASN.1IBCParab)ibc_parameterenum{ECDHE,ECC,IBSDH,IBC,Digitally-signedstrServerIBSDHParamsparams;ServerIBSDHParamsparams;ClientCertificateTypecertificate_DistinguishedNamecertificate_authorities<0.rsa_sign(1),ecdsa_sign(64),ibc_params(80),b)certificate_authoriopaqueDistinguishedNamopaqueECCEncryptedPreMasteopaqueIBCEncryptedPreMasterSecropaqueRSAEncryptedPreMasterSecra)ClientECDHEParaECParameterscurveb)ClientIBSDHParamsc)ECCEncryptedPreMasterSecretd)IBCEncryptedPre___ PRF(master_secret,finismaster_secret=PRF(pre_master_secret,"mastersecretClientHello.random+ServerHello.random)[0..47]key_block=PRF(SecurityParameters.master_secret,"keyexpansion",SecurityParameters.server_random+SecurityParaclient_write_MAC_secret[SecurityParametserver_write_MAC_secret[SecurityParaclient_write_key[SecurityParameters.key_mserver_write_key[SecurityParameters.keyclient_write_IV[SecurityParameters.fixserver_write_IV[SecurityParameters.上面A.1.2.1所述。輸出是下列之一：A.1.3GCM的數(shù)學(xué)基礎(chǔ)對(duì)于一個(gè)實(shí)數(shù)x,[x]表示≥x的最小整數(shù)，例如[2.1]=3,[4]=4。給定一個(gè)比特串X和一個(gè)非負(fù)整數(shù)s,其中l(wèi)en(X)≥s,LSB,(X)和MSB,(X)分別表示比特串X的最低位(最右)s比特和最高位(最左)s比特。例如LSB?(111011010)=010,MSB?(111011010)=給定一個(gè)比特串X,單比特右移函數(shù)表示為X>1,其右移結(jié)果為MSBen(x)(0||X),例如0110111>給定一個(gè)正整數(shù)s和一個(gè)非負(fù)整數(shù)x,其中x<2s,整數(shù)轉(zhuǎn)比特串的函數(shù)記為[x]s,即將整數(shù)x表示為二進(jìn)制字符串。例如，一個(gè)十進(jìn)制整數(shù)39,其二進(jìn)制表示為100111,[39]8=00100111。給定一個(gè)非空比特串X,比特串轉(zhuǎn)整數(shù)的函數(shù)記為int(X),例如int(00011010)=26。A.1.3.2遞增函數(shù)inc,(X)給定一個(gè)正整數(shù)s和一個(gè)比特串X,其中l(wèi)en(X)≥s,設(shè)inc,(X)為一個(gè)s比特遞增函數(shù)，其定inc?(X)=MSBen(x)—s(x)|I[int(LSB?(X))+1mod此函數(shù)將X的右s比特加1后取模2s,左邊的len(X)一s比特不變。設(shè)R是一個(gè)比特串11100001||o120,給定兩個(gè)分組X和Y,算法1計(jì)算乘積X·Y:算法1:計(jì)算X·Y。c)對(duì)于i從0～127計(jì)算分組Zi+1和V+1如下：模二進(jìn)制多項(xiàng)式的表示。從比特串到二進(jìn)制多項(xiàng)式之間的轉(zhuǎn)換是小端格式(littleendian),即如果令u次數(shù)項(xiàng)的系數(shù)的模2相加。模約多項(xiàng)式是一個(gè)次數(shù)為128的多項(xiàng)式，即R||1。對(duì)于一個(gè)正整數(shù)i,分組X的第i次方表示為Xi,例如H2=H·H,H3=H·H·H。算法2:GHASHH(X)。c)對(duì)于i從1～mX?X?X?XYmA.1.3.5GCTR函數(shù)b)令n=[len(X)/128];e)對(duì)于i從2～nf)對(duì)于i從1～(n—1)h)Y=Y?IIY?Il…|IYn-11Ii)返回Y。X-1X?圖A.2GCTR函數(shù)流程圖A.1.4GCM描述A.1.4.1可鑒別加密函數(shù)算法算法4描述了可鑒別加密函數(shù)的流程。算法4:GCM-AEk(IV,P,A)。已知：分組密碼算法CIPH,其分組長(zhǎng)度為128比特；密鑰K;輸入-輸出長(zhǎng)度定義；與密鑰K相關(guān)的標(biāo)簽tag長(zhǎng)度t。輸入：初始向量IV;明文P;附加的鑒別數(shù)據(jù)A。鑒別標(biāo)簽T。開(kāi)始b)定義一個(gè)分組Jo:v=128·[len(A)/1287-lee)定義一個(gè)分組S,S=GHASHa(A||0°1|C||0“II[len(A)64]lI[len(C)?4];f)T=MSB,(GCTRk(J?,S)