In recent years, Google, Baidu, Facebook and other internet giants have vigorously rolled out HTTPS, and many large internet companies at home and abroad have also enabled full-site HTTPS. Google also launched a new cipher suite, chacha20-poly1305, optimized for mobile. Pat Cloud CDN has fully supported Google's mobile-optimized cipher suite, chacha20
Anyone who keeps an eye on JDK development or on Oracle knows that JDK 11 entered Rampdown Phase One at the end of June, at which point all new features of JDK 11 were frozen and no new JEPs are being added. Since some recent posts about the DES, 3DES and AES algorithms have been written, it is very interesting to note that one of the 17 new JEPs included in JDK 11 is ChaCha20 and Poly1305
the site and the performance of the server consumption. Let's look at some of the problems that HTTPS faces.
Multiple HTTPS handshakes reduce user access speed to some extent
After a site has switched to HTTPS, redirecting from HTTP to HTTPS increases user access time (most sites use 301 or 302 redirects)
HTTPS involves security algorithms that consume CPU resources and require a large number of machines to be added (HTTPS traffic has to be decrypted)
SSL cer
Google has recently sped up the browsing of secure pages on the Android platform by controlling both the browser and the sites it accesses. Elie Bursztein, head of Google's Anti-Abuse research team, said in a Thursday blog post that Google has launched faster new encryption algorithms. These two cryptographic algorithms, named ChaCha20 and Poly1305, have been added to the Chrome browser.
developing a platform-independent, pure Java implementation. Because the proposal uses complex and sophisticated modulo arithmetic, it is risky. Flight Recorder will provide a low-overhead data collection framework for debugging Java applications and the HotSpot JVM. Flight Recorder is a feature of Oracle's commercial JDK, but in JDK 11 its code is moved to the public code base so that everyone can use it. Iclouded will act as an API to generate or consume dat
The client includes the list of CipherSuites it supports in the Client Hello, and the server selects one from it and returns it in the Server Hello. If the CipherSuite list supported by the client does not overlap with the CipherSuite list configured on the server, negotiation cannot be completed and the handshake fails.
A CipherSuite includes multiple technologies, such as an authentication algorithm (Authentication), an encryption algorithm (Encryption), a message authentication code algorithm (Message Authentication C
; ssl_trusted_certificate /usr/local/nginx/ssl_cert/trustchain.crt;

2.4 Reasonable configuration of the TLS protocol

The first thing to do is to specify the version of the TLS protocol; the unsafe SSL2 and SSL3 are discarded.

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Second, it is recommended to enable ssl_prefer_server_ciphers, which tells Nginx to prefer the server's algorithms in the TLS handshake, so that the server rather than the client chooses the algorithm:

ssl_prefer_server_ciphers on;

Then, choose the optim
and passes Server Hello. If the CipherSuite list supported by the client does not overlap with the CipherSuite list configured on the server, negotiation cannot be completed and the handshake fails.
A CipherSuite includes multiple technologies, such as an authentication algorithm, an encryption algorithm, a Message Authentication Code (MAC) algorithm, a key exchange algorithm and a Key Derivation Function.
The SSL CipherSuite negotiation mechanism has good scalability. Each CipherSuite needs to be registered in
; listen [::]:80 default_server;
    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # Certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /path/to/signed_cert_plus_intermediates;
    ssl_certificate_key /path/to/private_key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:ssl:50m;
    ssl_session_tickets off;
    # Di
~ "fandenggui.com") {
        return https://www.fandenggui.com;
    }
    location / {
        return https://www.fandenggui.com;
    }
}

Official Virtual Host Configuration

Many details require the reader to understand what each directive does and adapt it themselves, so they are not explained at length here.

server {
    listen 80;
    listen 443 ssl http2;
    server_name www.fandenggui.com;
    # Access control
    # include acl/your_acl_rule.conf;
    # Certs sent to the client in SERVER HELLO are concatenated in ssl_certi
by the browser to encrypt the data after the handshake process is finished.
HTTPS Handshake Process
HTTPS Encryption Algorithms
To protect data security, HTTPS uses a number of cryptographic algorithms:
1. Symmetric encryption: there are two types, stream and block; encryption and decryption use the same key. For example: DES, AES-GCM, chacha20-poly1305 and so on.
2. Asymmetric encryption: encryption us
some of the processing.
Finally, it is important to note that all of these recommendations apply only to the AMD64 architecture, because it enables fast, constant-time cryptographic primitives (AES-GCM, chacha20-poly1305, P256); other architectures may not be suitable for production use.
Since it is a service to be exposed to the Internet, it requires a publicly trusted certificate. By Let’
(Secure Sockets Layer). The first few versions (SSL 1.0, SSL 2.0, SSL 3.0) were developed by Netscape; starting with 3.1 it was standardized by the IETF and renamed, and so far there are three versions: TLS 1.0, TLS 1.1 and TLS 1.2. SSL 1.0 was never publicly released, and SSL 2.0 and SSL 3.0 have security issues and are not recommended for use. Starting with 1.9.1, Nginx supports only the three TLS versions by default
4. Kx=ECDH indicates that ECDH is used for key exchange
5. Au=RSA indicates that RSA is used for
IETF approves TLS 1.3 as the internet standard
The Internet Engineering Task Force (IETF) has approved TLS 1.3 as the internet standard. The IETF, the organization that approves internet standards and protocols, has officially approved TLS 1.3 as the next major version of the Transport Layer Security (TLS) protocol.
This decision came after four years of discussion and 28 protocol drafts, and the 28th draft was selected as the final version.
T
@openssh.com, chacha20-poly1305@openssh.com
SSH client prompt:
Server responded "Algorithm negotiation failed"
Key exchange with the remote host failed. This can happenExample computer does not support the selected algorthms.
-------------------------------------------
The problem has been solved. Modify the SSH configuration file /etc/ssh/sshd_config. Add the following to the configuration file:
Ciphers aes1
In the past, the author has analyzed many methods that can reduce the latency of HTTPS transmission, such as distributed session reuse; enabling HSTS so that the client switches to HTTPS by default; adopting the HTTP/2 transport protocol; and using the chacha20-poly1305 algorithm to reduce CPU time on mobile devices. These methods can greatly reduce the latency of HTTPS in transmission, and bring a better exp
ClientHello process, the encrypted application data is attached directly, which results in a faster access experience.
2. Enhanced Security
TLS has been in development for more than 20 years. The previous version, TLS 1.2, is highly configurable in order to stay compatible with older browsers, which means that vulnerable sites keep running insecure encryption algorithms, and this gives internet hackers an opportunity. TLS 1.3 removes insecure cryptographi