Feature Overview
Cryptographic algorithms are core technologies for ensuring information security. eSurfing Cloud supports NCCA standards to provide more secure cryptographic algorithm solutions for public sectors and enterprises such as financial enterprises.
NCCA Overview
NCCAs are cryptographic algorithm standards and application specifications recognized and released by State Cryptography Administration of China. Some of the cryptographic algorithms have become international standards. For example, SM algorithms are commercial cryptographic algorithms used in commercial industries that do not relate to state secrets.
A large number of cryptographic algorithms are used in commercial industries. The following table lists some commonly used commercial cryptographic algorithms that comply with Chinese standards or international standards.
Algorithm Type | Commercial Cryptographic Algorithms Complying with Chinese Standards | Commercial Cryptographic Algorithms Complying with International Standards | |
Symmetric encryption | Group/Block cipher | SM1/SCB2, SM4/SMS4, and SM7 | DES, IDEA, AES, RC5, and RC6 |
Sequence-based/Stream cipher | ZUC and SSF46 | RC4 | |
Asymmetric/Public-key encryption | Integer factorization | RSA, DSA, ECDSA, and Rabin | |
Discrete logarithm | SM2 and SM9 | DH, DSA, ECC, and ECDH | |
Cryptographic hash | SM3 | MD5, SHA-1, and SHA-2 | |
· SM1 is a block cipher algorithm.
SM1 is a symmetric block algorithm. In SM1, both the block size and key length are 128 bits. The security and confidentiality levels offered by the algorithm are similar to those of AES. SM1 is not disclosed to the public. It is integrated in a chip as an intellectual property (IP) core that can be called through an interface of the encryption chip. Diverse security products have been developed using this algorithm, such as a series of chips, smart IC cards, smart cipher keys, encryption cards, and encryption equipment. These products are widely used in various public services, e-commerce, and other sectors of the national economy, such as public services and police service apps of China.
· SM2 is an asymmetric encryption algorithm.
SM2 is an elliptic curve-based public-key encryption algorithm standard released by State Cryptography Administration of China on December 17, 2010. In SM2, the key length is 256 bits. SM2 can be used for digital signatures, key exchange, and public-key encryption. It serves as an alternative to some cryptographic algorithms that comply with international standards such as RSA, DH, ECDSA, and ECDH. It can meet requirements of applications such as electronic authentication systems. SM2 uses a 256-bit elliptic curve cryptography (ECC) processor. It offers higher security than a 2,048-bit RSA key. SM2 also offers faster computing than RSA.
· SM3 is a hash algorithm.
SM3, released on December 17, 2010, serves as an alternative to some cryptographic algorithms that comply with international standards such as MD5, SHA-1, and SHA-2. SM3 can be used to generate and verify digital signatures and message authentication codes, and generate random numbers. It can meet requirements of applications such as electronic authentication systems. SM3 is developed by optimizing SHA-256. SM3 is a Merkle-Damgard construction that processes 512-bit input message blocks and produces a 256-bit digest value.
· SM4 is a block cipher algorithm.
SM4, similar to SM1, is a symmetric block algorithm developed in China. It serves as an alternative to some cryptographic algorithms that comply with international standards such as DES and AES. Like AES, the block size and key length in SM4 are 128 bits. SM4 was released on March 21, 2012. It is suitable for scenarios where block ciphers are required.
· SM7 is also a block cipher algorithm.
SM7 is not disclosed to the public. It is suitable for contactless IC card applications including identify recognition applications (such as access cards, employee badges, and participant credentials), ticketing applications (such as large-scale event tickets and exhibition tickets), and payment and unified card applications (such as consumer loyalty cards, unified campus ID cards, unified corporate ID cards, and unified public transportation cards).
· SM9 is an identity-based asymmetric cipher algorithm.
SM9 relies on the elliptic curve to implement the identity-based digital signature algorithm, key exchange protocol, key encapsulation mechanism, and public-key encryption and decryption algorithms. It includes digital signature generation and verification algorithms. It also provides the digital signature generation and verification processes. SM9 serves as an alternative to a digital certificate-based public key infrastructure (PKI) or certificate authority (CA) system. SM9 is suitable for user identify verification. SM9 was released on March 28, 2016. As Xinhuanet reported, SM9 provides a security level equivalent to the 3,072-bit key RSA algorithm.
Related standards:
GMT 0024-2014 released by State Cryptography Administration of China in 2014.
· Standardized the following NCCA suites: ECC_SM4_SM3 and ECDHE_SM4_SM3.
GBT_38636-2020 released by Standardization Administration of China in 2020.
1. Renamed the NCCA suites: ECC_SM4_CBC_SM3 and ECDHE_SM4_CBC_SM3.
2. Added the following GCM algorithm suites: ECC_SM4_GCM_SM3 and ECDHE_SM4_GCM_SM3.
3. Added the following RSA certificate-based algorithm suites:
· RSA_SM4_CBC_SM3
· RSA_SM4_GCM_SM3
· RSA_SM4_CBC_SHA256
· RSA_SM4_GCM_SHA256
RFC 8998 released by the Internet Engineering Task Force (IETF) in 2021.
· This standard defines the following NCCA suites based on TLS 1.3: TLS_SM4_GCM_SM3 and TLS_SM4_CCM_SM3.
· The key exchange mechanism utilizes the ECDHE_SM2 algorithm for key negotiation. Client certificates and dual server certificates are no longer required.
eSurfing Cloud CDN supports the following NCCA suites:
· ECC_SM2_WITH_SM4_CBC_SM3 defined in GBT_38636-2020 and ECC_SM4_SM3 defined in GMT 0024-2014
· ECDHE_SM2_WITH_SM4_CBC_SM3 defined in GBT_38636-2020 and ECDHE_SM4_SM3 defined in GMT 0024-2014
· ECC_SM2_WITH_SM4_GCM_SM3 defined in GBT_38636-2020
· ECDHE_SM2_WITH_SM4_GCM_SM3 defined in GBT_38636-2020
Application Scenarios
NCCA-based HTTPS is suitable for industries that have excessively high requirements for data security, such as banks and stock exchange corporations.
Additional Considerations
· eSurfing Cloud CDN supports SM2 (an elliptic curve-based public-key encryption algorithm) and SM3 (a hash algorithm) standards, providing more secure HTTPS encryption for transmission based on NCCAs.
· If your business needs to support both NCCAs and cryptographic algorithms that comply with international standards, deploy both NCCA certificates and HTTPS certificates.
· To use an NCCA, offer your NCCA signing certificate and the corresponding private key, as well as your NCCA encryption certificate and the corresponding private key.
Procedure
NCCA-based HTTPS cannot be enabled on your own. If you want to enable this feature,please contact our customer support team via hotline (852)31000000 or email global.noc@chinatelecomglobal.com. This feature can only be manually enabled by the technical support team.
Please provide the following information:
Parameter | Description | Default Value |
ssl_certificate | The NCCA signing or encryption certificate for the server. | none |
ssl_certificate_key | The private key of the NCCA signing or encryption certificate for the server. | none |
ssl_protocols | The supported SSL protocols. The value of this parameter is of the enumeration type, and the elements must be native nginx values. Valid values: SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3, and GMTLSv1.1. | TLSv1 TLSv1.1 TLSv1.2 |