Commercial cryptography application security evaluation (密评): network and communication level

According to GB/T 39786-2021 "Information Security Technology - Basic Requirements for Cryptography Application in Information Systems", the requirements for a level-3 system at the network and communication level are as follows:

Network and communication level:

a) Cryptographic technology should be used to authenticate the identity of the communicating entities, so as to ensure the authenticity of their identities;

b) Cryptographic technology should be used to ensure the integrity of data during communication;

c) Cryptographic technology should be used to ensure the confidentiality of important data during communication;

d) Cryptographic technology should be used to ensure the integrity of network border access control information;

e) Cryptographic technology may be used to perform access authentication on devices that connect to the internal network from outside, so as to ensure the authenticity of the identity of the connecting devices.


Explanation: before going through this content, we first need to determine the evaluation objects at the network and communication level (reference: "Commercial Cryptography Application Security Evaluation FAQ", 2nd edition).

Information systems generally interconnect with the outside world through network technology. GB/T 39786-2021 "Information Security Technology - Basic Requirements for Cryptography Application in Information Systems" specifies the technical requirements for this. These requirements involve the communicating subjects (the communicating parties), the network communication channels established between the information system and the outside of its network boundary, and the equipment, components and products that provide communication protection functions.

So how are the evaluation objects at the network and communication security level determined, and at what granularity?

The evaluation objects at the network and communication security level are mainly the communication channels used for cross-network access. Cross-network access here means accessing the system under evaluation from an unprotected network area.

The evaluation objects at the network and communication security level can be determined from two aspects, the communicating subjects and the network type:

(1) Network type: the classification is based mainly on whether the networks are relatively independent, for example the Internet, the government extranet, corporate private networks, etc.;

(2) Communicating subjects: the parties involved in the communication, typically a client and a server. Examples are the browser running on a PC and the web service running on a server, or the app running on a smart mobile terminal and the application system running on a server; it can also be server to server, for example between one IPSec VPN gateway and another IPSec VPN gateway.

Suppose an OA system has the following channels:

① the communication channel between the guomi (SM-algorithm) browser on the office intranet and the back-end management system;

② the operation and maintenance (O&M) communication channel between the Internet VPN and the O&M SSL VPN;

③ the communication channel between the IPSec VPN on the government extranet and its peer IPSec VPN.


Identity authentication: (high risk)

Evaluation indicators: 1) Use cryptographic technology to authenticate the identity of the communicating entities, so as to ensure the authenticity of their identities (level 1 to level 3).

2) Use cryptographic technology to perform mutual authentication of the communicating entities, so as to ensure the authenticity of their identities (level 4).

Evaluation objects: the network communication channels established between the information system and the outside of its network boundary, the equipment or components that provide communication protection functions, and cryptographic products.

Possible mitigating measures: none

Evaluation implementation steps and evidence collection materials:

Evaluation implementation: ① Use Wireshark to capture the traffic of the communication channel between the guomi browser on the office intranet and the back-end management system, and analyze whether the cryptographic algorithms and cryptographic techniques used during communication meet the standards relevant to commercial cryptography application security evaluation.

Wireshark display filters:

    ip.addr == xx.xx.xx.xx && tls

    ip.addr == xx.xx.xx.xx && tls && http.request.method == "POST"

If there are further requirements (e.g. restricting the port number):

    ip.addr == xx.xx.xx.xx && tls && tcp.port == xxx

Evidence collection materials: Wireshark screenshots of the traffic between the guomi browser on the office intranet and the back-end management system, screenshots of the exported digital certificate, screenshots of the certificate validity verification, screenshots of the certificate issuer's compliance certificate, etc.

Screenshot of the traffic between the guomi browser on the office intranet and the back-end management system
Commercial cryptography product certification certificate of the guomi browser
Screenshot of the exported digital certificate
Screenshot of the certificate validity verification (validity period, issuer, signature algorithm)
Screenshot of the certificate issuer's compliance certificate

Evaluation implementation: ② Use Wireshark to capture the traffic of the O&M communication channel between the Internet VPN and the O&M SSL VPN, and analyze whether the cryptographic algorithms and cryptographic techniques used during communication meet the standards relevant to commercial cryptography application security evaluation.

Wireshark display filters:

    ip.addr == xx.xx.xx.xx && tls

    ip.addr == xx.xx.xx.xx && tls && http.request.method == "POST"

If there are further requirements (e.g. restricting the port number):

    ip.addr == xx.xx.xx.xx && tls && tcp.port == xxx

Evidence collection materials: Wireshark screenshots of the traffic on the O&M communication channel between the Internet VPN and the O&M SSL VPN, screenshots of the SSL VPN configuration file, the commercial cryptography product certification certificate of the SSL VPN, screenshots of the digital certificate exported from the traffic, screenshots of the certificate validity verification, screenshots of the certificate issuer's compliance certificate, etc.

Wireshark screenshot of the traffic on the O&M communication channel between the Internet VPN and the O&M SSL VPN
Screenshot of the SSL VPN configuration file
Commercial cryptography product certification certificate of the SSL VPN
Screenshot of the digital certificate exported from the traffic (same steps as above, omitted)
Screenshot of the certificate validity verification (same steps as above, omitted)
Screenshot of the certificate issuer's compliance certificate (same steps as above, omitted)

Evaluation implementation: ③ Use Wireshark to capture the traffic of the communication channel between the IPSec VPN on the government extranet and its peer IPSec VPN, and analyze whether the cryptographic algorithms and cryptographic techniques used during communication meet the standards relevant to commercial cryptography application security evaluation.

Wireshark display filter:

    ip.addr == xx.xx.xx.xx && isakmp

or the same filter with a port restriction added, etc.

Evidence collection materials: Wireshark screenshots of the traffic on the communication channel between the IPSec VPN on the government extranet and its peer IPSec VPN, screenshots of the IPSec VPN configuration file, the commercial cryptography product certification certificate of the IPSec VPN, screenshots of the digital certificate exported from the traffic, screenshots of the certificate validity verification, screenshots of the certificate issuer's compliance certificate, etc.

Wireshark screenshot of the traffic on the communication channel between the IPSec VPN on the government extranet and its peer IPSec VPN
Screenshot of the IPSec VPN configuration file
Commercial cryptography product certification certificate of the IPSec VPN
Screenshot of the digital certificate exported from the traffic (same steps as above, omitted)
Screenshot of the certificate validity verification (same steps as above, omitted)
Screenshot of the certificate issuer's compliance certificate (same steps as above, omitted)

Integrity of communication data:

Evaluation indicator: use cryptographic technology to ensure the integrity of data during communication (level 1 to level 4).

Evaluation objects: the network communication channels established between the information system and the outside of its network boundary, the equipment or components that provide communication protection functions, and cryptographic products.

Confidentiality of important data during communication: (high risk)

Evaluation indicator: use cryptographic technology to ensure the confidentiality of important data during communication (level 1 to level 4).

Evaluation objects: the network communication channels established between the information system and the outside of its network boundary, the equipment or components that provide communication protection functions, and cryptographic products.

Possible mitigating measures: at the "application and data security" level, all important data transmissions in the information system that need protection are protected by cryptographic techniques that meet the requirements, and the encrypted data stream covers the network communication channel.

Because the integrity of communication data and the confidentiality of important data during communication are generally both provided by the same negotiated cipher suite, the two are described together in this section:

Evaluation implementation steps and evidence collection materials:

Evaluation implementation: ① Use Wireshark to capture the traffic of the communication channel between the guomi browser on the office intranet and the back-end management system, and analyze whether the cryptographic algorithms and cryptographic techniques used during communication meet the standards relevant to commercial cryptography application security evaluation.

Wireshark display filters:

    ip.addr == xx.xx.xx.xx && tls

    ip.addr == xx.xx.xx.xx && tls && http.request.method == "POST"

If there are further requirements (e.g. restricting the port number):

    ip.addr == xx.xx.xx.xx && tls && tcp.port == xxx

Evidence collection materials: Wireshark screenshots of the negotiated cipher suite of the communication channel between the guomi browser on the office intranet and the back-end management system, configuration files, etc.

Wireshark screenshot of the negotiated cipher suite of the communication channel between the guomi browser on the office intranet and the back-end management system
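The cipher suite check described in steps ① and ② above (identity authentication and the integrity/confidentiality indicators) amounts to reading the negotiated suite out of the ServerHello in the capture. The following is an added example, not code from the original post: it parses a constructed TLS/TLCP ServerHello record and reports whether the negotiated suite is one of the SM cipher suites from GM/T 0024 / GB/T 38636 (TLCP) or RFC 8998 (TLS 1.3). The sample records are built inline and are not real captures.

```python
import struct

# SM cipher suite identifiers: GM/T 0024-2014 / GB/T 38636-2020 (TLCP) and RFC 8998 (TLS 1.3).
SM_SUITES = {
    0xE011: "ECDHE_SM4_CBC_SM3",
    0xE013: "ECC_SM4_CBC_SM3",
    0xE051: "ECDHE_SM4_GCM_SM3",
    0xE053: "ECC_SM4_GCM_SM3",
    0x00C6: "TLS_SM4_GCM_SM3",
    0x00C7: "TLS_SM4_CCM_SM3",
}
# Protocol version as carried in the ServerHello body (TLCP uses 1.1 = 0x0101).
VERSIONS = {0x0101: "TLCP", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def parse_server_hello(record: bytes) -> dict:
    """Parse one handshake record carrying a ServerHello; return version and suite."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hs) < 35:                      # version(2) + random(32) + sid_len(1)
        raise ValueError("truncated ServerHello")
    sid_len = hs[34]
    pos = 35 + sid_len                    # cipher_suite follows the session id
    if len(hs) < pos + 3:                 # suite(2) + compression(1)
        raise ValueError("truncated ServerHello")
    return {"version": struct.unpack("!H", hs[0:2])[0],
            "cipher_suite": struct.unpack("!H", hs[pos:pos + 2])[0]}

def assess(record: bytes) -> dict:
    """Classify the negotiated suite as SM-compliant or not, as the evaluator would."""
    info = parse_server_hello(record)
    suite = info["cipher_suite"]
    info["version_name"] = VERSIONS.get(info["version"], "unknown")
    info["suite_name"] = SM_SUITES.get(suite, f"non-SM suite 0x{suite:04X}")
    info["sm_compliant"] = suite in SM_SUITES
    return info

def build_server_hello(version: int, suite: int, session_id: bytes = b"") -> bytes:
    """Build a minimal ServerHello record (constructed sample input, not a capture)."""
    hs_body = (struct.pack("!H", version) + bytes(32) + bytes([len(session_id)])
               + session_id + struct.pack("!H", suite) + b"\x00")
    hs = b"\x02" + len(hs_body).to_bytes(3, "big") + hs_body
    rec_version = 0x0101 if version == 0x0101 else 0x0303
    return b"\x16" + struct.pack("!HH", rec_version, len(hs)) + hs

# Constructed samples: a TLCP session on ECC_SM4_CBC_SM3, and a TLS 1.2 session on 0xC030
# (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384), which would fail the SM requirement.
TLCP_SAMPLE = build_server_hello(0x0101, 0xE013, session_id=bytes(range(8)))
TLS12_SAMPLE = build_server_hello(0x0303, 0xC030)
```

Running `assess()` over both samples reports the TLCP record as SM-compliant and the TLS 1.2 record as a non-SM suite; on a real capture the record bytes would come from Wireshark's "Export Packet Bytes" on the ServerHello.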

Evaluation implementation: ② Use Wireshark to capture the traffic of the O&M communication channel between the Internet VPN and the O&M SSL VPN, and analyze whether the cryptographic algorithms and cryptographic techniques used during communication meet the standards relevant to commercial cryptography application security evaluation.

Wireshark display filters:

    ip.addr == xx.xx.xx.xx && tls

    ip.addr == xx.xx.xx.xx && tls && http.request.method == "POST"

If there are further requirements (e.g. restricting the port number):

    ip.addr == xx.xx.xx.xx && tls && tcp.port == xxx

Evidence collection materials: Wireshark screenshots of the negotiated cipher suite on the O&M communication channel between the Internet VPN and the O&M SSL VPN, configuration files, etc.

Wireshark screenshot of the negotiated cipher suite on the O&M communication channel between the Internet VPN and the O&M SSL VPN

Evaluation implementation: ③ Use Wireshark to capture the traffic of the communication channel between the IPSec VPN on the government extranet and its peer IPSec VPN, and analyze whether the cryptographic algorithms and cryptographic techniques used during communication meet the standards relevant to commercial cryptography application security evaluation.

Wireshark display filter:

    ip.addr == xx.xx.xx.xx && isakmp

or the same filter with a port restriction added, etc.

Evidence collection materials: Wireshark screenshots of the negotiated algorithm suite on the communication channel between the IPSec VPN on the government extranet and its peer IPSec VPN, configuration files, etc.

Wireshark screenshot of the negotiated algorithm suite on the communication channel between the IPSec VPN on the government extranet and its peer IPSec VPN

Integrity of network border access control information:

Evaluation indicator: use cryptographic technology to ensure the integrity of network border access control information (level 1 to level 4).

Evaluation objects: the network communication channels established between the information system and the outside of its network boundary, the equipment or components that provide communication protection functions, and cryptographic products.

Note: at the network and communication security level the requirement is "use cryptographic technology to ensure the integrity of network border access control information", with the emphasis on the network border. Therefore, at this level, access control information mainly comprises the access control lists deployed in the VPN at the network border, the access control lists of the firewall, the access control lists of the border router, and other information used for network border access control.

Evidence collection materials: the commercial cryptography product certification certificate of the SSL VPN/IPSec VPN, the access control lists in the SSL VPN/IPSec VPN, etc.

Commercial cryptography product certification certificate of the SSL VPN/IPSec VPN
Access control lists in the SSL VPN/IPSec VPN

Secure access authentication: (high risk, level-4 requirement)

Evaluation indicator: use cryptographic technology to perform access authentication on devices that connect to the internal network from outside, so as to ensure the authenticity of the identity of the connecting devices (level 3 to level 4).

Evaluation objects: the internal network of the information system, the equipment or components that provide device network access authentication functions, and cryptographic products.

Possible mitigating measures:

Note: the "secure access authentication" indicator applies to authenticating a device's identity before it "physically" connects from outside to the internal network of the information system; after connecting, the device becomes part of the internal network of the information system. For example, in the scenario of a mobile device joining WiFi, the authentication of the mobile device's access falls within the scope of the "secure access authentication" indicator.

Explanation: at present this indicator is a "may" requirement at level 3. The actual evaluation should be decided reasonably (included in the evaluation scope, or listed as not applicable) based on the expert-reviewed cryptography application scheme and the actual evaluation environment.


Note: in an actual commercial cryptography application security evaluation, a system may involve several chains of evidence to support the correctness of the evaluation result (the evaluation steps and evidence materials above are for reference only).


Other special cases: (the traffic analysis cannot decode the original protocol) a browser-internal settings problem

① IE browser:

Open Control Panel → Internet Options → Manage browser add-ons → Advanced

② Google Chrome:

③ Firefox (reference: "The encryption algorithms behind HTTPS", Mingchao's blog, CSDN)


Source: blog.csdn.net/weixin_46849758/article/details/130555560