TLS Cipher Suites with GM algorithms
A TLS cipher suite is a combination of a digital signature algorithm, a key exchange protocol (or key transport scheme), symmetric encryption with a MAC (or an AEAD), and a pseudo-random function based on a hash function. The GM standards introduce several new crypto algorithms that can be combined into pure GM cipher suites. We also want to support some algorithms (such as SHA-256) to be compatible with the existing GM/T 0024 protocol.
The algorithms and schemes:
- Authentication/Digital signature algorithms: SM2SIGN, SM9SIGN, SRP, PSK
- Key exchange: SM2DH, SM2DHE, SM9DH, SM9DHE
- Key transport: SM2ENC, SM9ENC
- Symmetric encryption: SM4-CBC-SM3, SM4-CBC-SHA256, SM1-CBC-SM3, SSF33-CBC-SM3, ZUC
- AEAD: SM4-CCM, SM4-GCM, ZUC-128EEA3, ZUC-Poly1305
- PRF: SM3, SHA256
The TLS protocol uses a 2-byte number to represent a cipher suite. The number registry is maintained by IANA. Only the 256 numbers 0xFF, 0x00-0xFF are reserved for private use. The GM/T 0024 SSL VPN specification uses 0xE0, number, but these 12 numbers are not registered with IANA, so these cipher suites might conflict with future new cipher suites.
We have two design strategies:
- Follow OSCCA and continue to use numbers after 0xE0.
- Use the 256 numbers reserved for private use.
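The difference between the two strategies can be seen by sorting the suite numbers a peer offers into the ranges described above. The following is an added example, not GmSSL code: it parses a cipher_suites vector as sent in a ClientHello (2-byte length, then 2-byte suite numbers) and counts how many fall in the private-use range, in the 0xE0 block, or elsewhere in the IANA-managed space. The function and type names are hypothetical, the sample bytes are constructed, and treating 0xE0 as the first byte of the GM/T 0024 numbers is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum suite_class {
    SUITE_IANA_MANAGED, /* any other first byte: allocated through the IANA registry */
    SUITE_E0_BLOCK,     /* first byte 0xE0 (assumed reading of the GM/T 0024 usage) */
    SUITE_PRIVATE_USE   /* 0xFF,0x00-0xFF: reserved for private use */
};

enum suite_class classify_suite(uint8_t hi, uint8_t lo)
{
    (void)lo; /* the class depends on the first byte only */
    if (hi == 0xFF) return SUITE_PRIVATE_USE;
    if (hi == 0xE0) return SUITE_E0_BLOCK;
    return SUITE_IANA_MANAGED;
}

struct suite_counts { size_t iana, e0, priv; };

/* Parse a cipher_suites vector: 2-byte big-endian byte length, then 2-byte
 * suite numbers. Returns 0, or -1 if truncated, empty or odd-sized. */
int count_suites(const uint8_t *buf, size_t len, struct suite_counts *out)
{
    size_t n, i;
    if (buf == NULL || out == NULL || len < 2) return -1;
    n = ((size_t)buf[0] << 8) | buf[1];
    if (n < 2 || (n & 1) || n > len - 2) return -1;
    out->iana = out->e0 = out->priv = 0;
    for (i = 0; i < n; i += 2) {
        switch (classify_suite(buf[2 + i], buf[3 + i])) {
        case SUITE_PRIVATE_USE: out->priv++; break;
        case SUITE_E0_BLOCK:    out->e0++;   break;
        default:                out->iana++; break;
        }
    }
    return 0;
}

/* Constructed sample vector (not a capture): four suite numbers, 8 bytes. */
static const uint8_t SAMPLE[] = { 0x00, 0x08, 0xE0, 0x01, 0x13, 0x01,
                                  0xFF, 0x01, 0xC0, 0x2F };

int main(void)
{
    struct suite_counts c;
    if (count_suites(SAMPLE, sizeof SAMPLE, &c) != 0) return 1;
    printf("iana=%zu e0=%zu private=%zu\n", c.iana, c.e0, c.priv);
    return 0;
}
```

A number counted in the 0xE0 block is the one that can later collide with an IANA assignment; a number in the private-use range cannot, but it carries no agreed meaning between independent implementations.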
31-255 unassigned; 261-507 unassigned; 508-511, 65024-65279 reserved for private use
- 4-6, 9-223 reserved
- 224-255 reserved for private use
- 7, 9-223 reserved
- 224-255 reserved for private use