1. SM2 HTTPS encryption reconstruction is very difficult
All websites must implement https encryption, otherwise all browsers will have warning "Not secure", because the various confidential information entered by users on the website will be transmitted to the cloud server in clear text, which is very easy to be illegally intercepted or illegally tampered with that cannot protect the data security of website visitors. Even for pages with only static information, if https encryption is not used, the privacy of website visitors' access behavior will be leaked, and the links to other systems in the page are very easy to be illegally tampered with, resulting in visitor being linked to a fake upstream website or a fake login page that it will also lead to the leakage of the user's confidential information, and affect the user's account security and information security in other systems. This is why the industry has been promoting full-site https encryption. All websites should abandon the http method and implement https encryption.
However, China websites also have compliance requirements for laws and regulations such as "Cryptography Law", "Cyber Security Law", "Data Security Law" and “Personal Data Protection Law”. These regulations require websites to use SM2 algorithms to realize SM2 https encryption! This requires the reconstruction to support SM2 algorithm so that the web server of the website system supports the SM2 https encryption. It is necessary to deploy SM2 SSL certificate on the server and use a browser that supports SM2 algorithm to implement SM2 https encryption. There are ZT Browser as a free SM2 supported browser, which means browser is not a problem; and some CA operators can issue SM2 SSL certificates, and CerSign has free SM2 SSL certificates that can be applied for, which means SSL certificate is also not a problem. The problem is stuck in the upgrade of the web server to support SM2 algorithm and the installation of the SM2 SSL certificate.
Customers can choose to install the completely free ZoTrus SM2 ACME Client software - SM2cerBot on the web server. Once installed, the SM2 SSL certificate and ECC SSL certificate will be automatically configured for free forever. However, this solution currently only supports the Nginx web server of a specific Linux operating system, and it will uninstall the original Nginx and reinstall the new Nginx that supports the SM2 algorithm, which may have a certain impact on the running web system. If the user's web server cannot be uninstalled, this solution is not recommended, unless it is a newly launched website.
The most important thing is that the existing business systems have been in mature operation for many years, such as the e-government service system and enterprise management system. The business of these systems cannot be stopped, and these servers cannot be changed. This is the biggest difficulty in the cryptography reconstruction. It must be reconstructed for compliance but cannot be reconstructed. Ensuring the stable and uninterrupted operation of the business system is the first priority, and https encryption and SM2 https encryption are the second priority. How to do?
2. ZoTrus Website Security Solution
Zero reconstruction of the original website, automatic implementation of SM2 HTTPS encryption, very easy
The principle of ZoTrus Website Security Solution is zero reconstruction, zero installation, and zero maintenance. It does not change the existing web server, does not install software and SSL certificates on the existing server, and deploys plug-and-play hardware devices locally or enable a cloud service, very easy!
As shown in the left figure below, this is a schematic diagram of ZoTrus SM2 HTTPS Automation Cloud Service, this is an innovative value-added cloud service based on Alibaba Cloud CDN/WAF service. Customers only need to do three domain name resolutions to automatically configure SM2 SSL certificates and ECC SSL certificates to Alibaba Cloud WAF/CDN system through ZoTrus Cloud SSL Service, fully automatic implementation of https encryption and offload forwarding, adaptive encryption algorithm, ZT Browser preferentially adopts SM2 algorithm to realize SM2 https encryption. If customers do not want to use cloud service, they can adopt a localized deployment solution, it is shown in the right figure below. A ZoTrus SM2 HTTPS Automation Gateway is deployed locally in the customer computer room. The Gateway connects to the ZoTrus Cloud SSL System to automatically apply SM2 SSL certificate and ECC SSL certificate, and automatically deploys them in the Gateway to realize https encryption with adaptive encryption algorithm, and the Gateway realizes https offloading and forwarding to the internal source website (the original website), and the original website implements SM2 https encryption with zero change.
2.1 ZoTrus SM2 HTTPS Automation Gateway: MG-1
ZoTrus SM2 HTTPS Automation Gateway MG-1 is a high-performance website security hardware gateway device integrating https encryption, https offload forwarding, SM2 algorithm module, SSL certificate automation, load balancing and other functions. High performance hardware cryptographic cards to realize high-speed cryptographic operations and network packet forwarding, and professionally optimize the built-in operating systems, network protocols, SSL/TLS protocols, and cryptographic algorithms to achieve industry-leading extreme performance: HTTPS new connection can reach 50,000 times/second, the HTTPS throughput can reach 32Gbps, and the HTTPS concurrent connection can reach 3 million.
ZoTrus SM2 HTTPS Automation Gateway has applied to the Commercial Cryptography Testing Center of the State Cryptography Administration to apply for commercial cryptography product testing and certification. An important module of the ZoTrus SM2 HTTPS Automation Gateway is the SM2 Algorithm module, which supports the use of the SM2 SSL certificate and the SM2 Algorithm to implement https encryption and supports handshaking with the browser to negotiate encryption protocols that preferred to use SM2 algorithm, making ZT Browser can preferentially use the SM2 Algorithm to establish an https connection with the Gateway. Of course, all international algorithms (RSA and ECC algorithm) are supported, and all browsers are supported to negotiate various crypto suites to implement https encryption, this satisfies the application requirements of cryptography compliance and global trust. Public website system cannot force website visitors to use which browser and must support both SM2 browsers and non- SM2 browsers. Please note that the SM2 HTTPS Automation Gateway supports the http mode to return to the origin server, the origin server does not need to install an SSL certificate, but the transmission from the gateway to the original server is in plaintext. It also supports https mode to return to the origin server, but the origin server must install an SSL certificate, which can be an expired SSL certificate installed before or a self-signed SSL certificate.
The biggest difference between ZoTrus HTTPS Automation Gateway and other similar products is that the built-in SM2 ACME Client software, which automatically connects to the ACME service system of ZoTrus Cloud SSL Service, automatically completes domain control validation, dual-algorithm SSL certificate application, and dual-algorithm SSL certificates collection and deployment to automatically implement https encryption, and it is adaptive encryption and prioritizes the use of SM2 algorithm. Customers do not need to manually apply for an SSL certificate from the CA and manually configure the SSL certificate, and do not need to manually renew the certificate and reinstall the certificate when the certificate expires. There will be no manual management of the SSL certificate and the possibility of forgetting to renew the certificate to cause the system interruption to affect the normal operation of the business. The entire lifecycle management of the SSL certificate is automatically completed by the built-in SM2 ACME Client software, realizing 24 hours x 365 days uninterrupted https encryption service. The automatically configured SM2 SSL certificate supports SM2 Certificate Transparency, and the ECC SSL certificate supports international certificate transparency, which effectively protect the security and trustworthy of dual SSL certificates.
To ensure the uninterrupted HTTPS encryption service of the website system, it is strongly recommended to run in the dual-machine hot standby mode, which can not only achieve dual-machine load balancing (in fourth and seventh network layers), but also realize that once one device fails, the other device will be in seconds level failover. Supports Master/Master and Master/Backup clusters, supports up to 32 cluster nodes, supports various balanced scheduling algorithms, supports session retention, supports round robin, weighted round robin, least connection, shortest response time and IP hash, etc.
ZoTrus SM2 HTTPS Automation Gateway is plug-and-play, deployed at the front end of the web server, the original web server can be seamlessly upgraded from http to https without any modification, and it is a SM2 https encryption that meets the cryptography compliance requirement. Its powerful https offloading and forwarding function provides additional performance enhancement support for the web server, not only does not need to increase the burden of https encryption and decryption, but also enhances the external response capability and the ability to process user requests. The seamless switching from http to https of zero-reconstruction, zero-maintenance, and zero-impact of deploying ZoTrus SM2 HTTPS Automation Gateway is the first choice and must for the SM2 https encryption and system security upgrade from http to https.
Each HTTPS Automation Gateway supports automatic configuration of up to 255 RSA/ECC SSL certificates (single certificate), and both supports up to 255 pairs of SM2 SSL certificates (one signing certificate and one encrypting certificate), standard dual-algorithm dual-SSL certificate configuration supports configuring dual SSL certificates for 255 website domain names to realize dual-algorithm adaptive https encryption. Certainly, how many websites can actually implement https encryption is limited by the number of new connections, throughput and concurrency supported by the Gateway hardware and cryptographic card.
The warranty period of the ZoTrus HTTPS Automation Gateway is 5 years. Within 5 years, the globally trusted ECC DV SSL certificate and the Cryptography Law compliant SM2 DV SSL certificate are automatically configured for no more than 255 website domain names for free. If customer need to automatically configure OV SSL Certificate or EV SSL certificate, please specify when purchasing, additional SSL certificate fee will be added.
2.2 ZoTrus SM2 HTTPS Automation Gateway + WAF Module: MG-2
The SM2 WAF Gateway MG-2 is a WAF module added on the basis of the SM2 HTTPS Automation Gateway MG-1, and the Web Application Firewall module is developed based on the open source ModSecurity system, which supports commonly used Web Application Firewall functions, such as: preventing SQL injection, preventing cross-site scripting attacks (XSS), preventing attacks using local files containing vulnerabilities, and preventing the use of remote File (including vulnerabilities) attacks, preventing attacks using remote command execution vulnerabilities, preventing PHP code injection, preventing malicious access that violates the HTTP protocol, preventing attacks using remote proxy infection vulnerabilities, preventing attacks using Shellshock vulnerabilities, and preventing the use of Session sessions Vulnerabilities with the same ID can be used to attack, prevent malicious scanning of websites, prevent source code or error information leakage, blacklist honeypot projects, and perform IP blocking based on judging the IP address attribution, etc.
If customer has already purchased a WAF device, then no need to purchase this Module, just need to deploy the SM2 HTTPS Automation Gateway before the WAF device. The WAF device only needs to be responsible for parsing the cleartext http content to make corresponding protection, and there is no need to apply for SSL certificate from the CA to be deployed on the WAF device.
2.3 SM2 HTTPS Automation Cloud Service
ZoTrus SM2 HTTPS Automation Cloud Service is an innovative value-added cloud service based on Alibaba Cloud CDN/WAF cloud service. Customers only need to do 3 times domain name resolutions to automatically apply and issue the SM2 SSL certificate and ECC SSL certificate by the ZoTrus Cloud SSL Service, and install the issued SSL certificates into the Alibaba Cloud CDN/WAF system, fully automatic realize https encryption and offload forwarding, adaptive cryptography algorithm, ZT Browser first uses the SM2 algorithm to realize the SM2 https encryption, other browsers that do not support the SM2 algorithm use the ECC algorithm to realize https encryption, which meets the application requirements of cryptography compliance and global trust. Please note that the SM2 HTTPS Automation Cloud Service supports the http mode to return to the origin server, the origin server does not need to install an SSL certificate, but the transmission from the Alibaba Cloud CDN node to the original server is in plaintext. It also supports https mode to return to the origin server, but the origin server must install an SSL certificate, which can be an expired SSL certificate installed before or a self-signed SSL certificate.
ZoTrus SM2 HTTPS Automation Cloud Service is not only a zero-trust security service specially designed for website security, but also a cloud-native service. All services are provided directly through cloud services. Customers do not need to install SSL certificates on their servers, nor do they need to install the ACME Client software, nor do they require to purchase a gateway equipment, just need to do the domain name resolution to automatically realize https encryption, CDN distribution, edge WAF protection and website trusted identity certification, which greatly reduces the threshold and cost for website security. It is a four-in-one three-dimensional protection that efficiently protects website security.
It is recommended to purchase a multi-year service. Customers only need to set up domain name resolution as required when enabling the service, and it will automatically renew the SSL certificate every year. Even if the international standard requires that the validity period of the SSL certificate be shortened to 90 days in the future, there is no need to worry. The HTTPS Automation Cloud Service will automatically configure a 90-day valid dual SSL certificate according to the international standard and the national SM2 standard, which really saves the website administrator from the cumbersome SSL certificate application and management annually.
ZoTrus SM2 HTTPS Automation Cloud Service is based on the industry-leading Alibaba Cloud CDN/WAF, but customers do not need to purchase CDN/WAF services from Alibaba Cloud, nor do they need to apply for SSL certificates from CA, and enjoy Alibaba Cloud https CDN/WAF service with one click, providing high-speed content distribution services for websites, improving the website user experience, and ensuring the security of website web applications. Customers who purchase one-year ZoTrus SM2 HTTPS Automation Cloud Service get one-year Alibaba Cloud CDN/WAF service, and one-year dual-algorithm 3 SSL certificates (1 ECC SSL certificate, 1 SM2 encryption certificate, 1 SM2 signature certificate), and one-year worry-free website security service. Buy multi-year, enjoy multi-year website security and worry-free service.
3. E-government Cloud SM2 HTTPS Automatic Management Platform
Zero reconstruction of the original website, issuing e-government website SSL certificate from the customized SSL Sub CA.
At present, the construction of e-government cloud hardware and software in all provinces and cities in China is very rapid and has formed a certain scale. Some provincial e-government cloud platforms have provided web services for tens of thousands of e-government websites, but it is impossible to deploy SSL certificate for all so many website systems, which is why the current provincial e-government cloud platforms only deploy SSL certificates on provincial portal websites, while other department official websites are "Not secure" as http site! Another reason is to ensure the normal operation of the existing website system, and not affect the normal operation of e-government service in the implementation of https encryption. This is a very contradictory decision, because https encryption is not implemented and there is no security protection, which will also affect the normal operation of e-government service.
The only solution is to achieve SM2 https encryption with zero reconstruction, and it also needs to achieve complete autonomously and controllable, and independently issue SM2 SSL certificates and ECC SSL certificates. This requires the localized deployment of the ZoTrus Cloud SSL System that issues dual SSL certificates for the SM2 HTTPS Automation Gateway in the above solution. As shown in the left figure below, the SM2 HTTPS Automation Gateway cluster provides HTTPS acceleration and HTTPS offloading and forwarding services for all e-government websites in a unified manner. The existing e-government websites do not need to be changed and can be seamlessly upgraded from insecure http websites to secure https website. The locally deployed e-Government Cloud SSL System is responsible for autonomously and controllably providing SM2 SSL certificates and ECC SSL certificates for the SM2 HTTPS Automation Gateway, which are used for HTTPS encryption and adaptive encryption algorithms for all e-government websites to achieve cryptography compliance and global trust. The e-Government Cloud SSL System consists of 7 subsystems, including certificate issuance system (including HSM machine), certificate management system, domain name validation system, ACME service system, certificate agency system, certificate revocation system and SM2 certificate transparent log system, which are jointly implemented to issue dual algorithm SSL certificate for all e-government website independently. The system architecture is shown in the figure on the right below. All systems are dual-machine hot standby to ensure uninterrupted service of issuing SSL certificates.
The e-Government Cloud SSL System is a locally deployed CA system for issuing SM2 SSL certificates that support SM2 Certificate Transparency, it is also an ECC SSL certificates issuing system by connecting with the ECC CA system to issue publicly trusted SSL certificates. The deployment of the whole system is to realize the completely independent and controllable issuance and management of SM2 SSL certificates for e-government website systems and the relatively independent issuance of ECC SSL certificates. To achieve independent and controllable issuance of e-government website SSL certificates, first of all, there must be an intermediate root certificate for issuing SSL certificates, so that all e-government systems can reliably realize that all e-government website systems only trust SSL certificates issued by their own intermediate root certificates, effectively preventing various SSL man-in-the-middle attacks against e-government websites and other fake government website attacks.
According to the characteristics of e-government affairs, it is necessary to customize two SSL intermediate root certificates of the SM2 algorithm, one SSL intermediate root certificate for issuing SM2 OV SSL certificates and one SSL intermediate root certificate for issuing SM2 DV SSL certificates, and one ECC algorithm SSL intermediate root certificate for issuing ECC DV SSL certificates. All SM2 SSL certificates issued from customized SM2 roots support SM2 certificate transparency, and all ECC SSL certificates issued from customized ECC root support international certificate transparency. All e-government websites are automatically configured with dual SSL certificates. SSL certificate combination one is SM2 OV SSL Certificate + ECC DV SSL certificate that it used for public e-government websites; the second SSL certificate combination is SM2 DV SSL certificate + ECC DV SSL certificate that is used for internal e-government management information systems and IoT networking systems.
Three customized intermediate root certificates and user certificate chains are shown in the figure below. The AAA SM2 Root CA has been included and trusted by ZT Browser. It is currently the only root CA in China that supports SM2 certificate transparency. Sectigo ECC root CA is currently the only and oldest ECC algorithm root certificate in the world, supporting all browsers, operating systems, and various new and old devices (including mobile phones). Both the SM2 SSL certificate and the ECC SSL certificate use the elliptic curve algorithm with a short key, which can save the bandwidth, save electricity, save traffic and save electricity for users' mobile phones, and provide users with a better user experience when visiting e-government websites.
The e-Government Cloud SM2 HTTPS Automation Management Platform is shown in the figure below. It is mainly composed of two parts: the e-Government Cloud SSL System and the HTTPS Offloading System composed of the SM2 HTTPS Automation Gateway array that is responsible for issuing dual algorithm SSL certificates for e-government websites from the customized e-government-specific intermediate root certificate. The deployment of multiple SM2 HTTPS Automation Gateway can provide HTTPS acceleration and HTTPS offload forwarding services for multiple e-government websites, so as to achieve the goal of zero reconstruction of the existing e-government website system to achieve https encryption. It is recommended to choose the WAF Module, to provide the security protection of the Web application for the e-government websites, https encryption plus WAF protection, to double protect the security of the e-government websites. All e-government website visitors can use the free ZT Browser that supports SM2 algorithm and SM2 Certificate Transparency to use the SM2 algorithm for https encryption, while other non-SM2-browsers use the ECC algorithm for https encryption, which can meet the cryptography compliance and global trust of the e-government website security requirements.
