计算机工程

• 安全技术 • 上一篇    下一篇

针对SSL/TLS协议会话密钥的安全威胁与防御方法

刘新亮  1,杜瑞颖  1,陈晶  1,王持恒  1,姚世雄  1,陈炯  2   

  1. (1.武汉大学 空天信息安全与可信计算教育部重点实验室,武汉 430072; 2.湖北省人民检察院 检察技术信息处,武汉 430072)
  • 收稿日期:2016-03-07 出版日期:2017-03-15 发布日期:2017-03-15
  • 作者简介:刘新亮(1987—),男,硕士研究生,主研方向为信息安全、网络安全;杜瑞颖,教授、博士、博士生导师;陈晶,副教授、博士生导师;王持恒、姚世雄,博士研究生;陈炯,工程师、硕士研究生。
  • 基金项目:
    国家自然科学基金(61572380);最高人民检察院技术信息研究中心中央级公益性科研院所基本科研业务费专项资金(JBKY20150620)。

Security Threat and Defense Method for SSL/TLS Protocol Session Key

LIU Xinliang  1,DU Ruiying  1,CHEN Jing  1,WANG Chiheng  1,YAO Shixiong  1,CHEN Jiong  2   

  1. (1.Key Laboratory of Aerospace Information Security and Trusted Computing,Ministry of Education,Wuhan University,Wuhan 430072,China; 2. Procuratorial Technical Information Office,The People’s Procuratorate of Hubei,Wuhan 430072,China)
  • Received:2016-03-07 Online:2017-03-15 Published:2017-03-15

摘要: 分析安全套接层/安全传输层(SSL/TLS)协议在客户端的具体实现,利用浏览器处理SSL/TLS协议会话主密钥和协议握手过程中传递安全参数存在的漏洞与缺陷,结合Netfilter机制进行会话劫持,提出一种针对SSL/TLS协议的安全威胁方案(SKAS)并对其进行安全研究,给出随机数单向加密、双向加密及保护会话主密钥安全的3种防御方法。经过实验验证了SKAS威胁的有效性,其攻击成功率达到90%以上且攻击范围广、威胁程度高,提出的3种防御方法均能抵御SKAS威胁,保证了客户端和服务器间SSL/TLS协议的数据通信安全。

关键词: 安全套接层协议, 安全传输层协议, 会话密钥, Netfilter机制, 会话劫持, 安全防御

Abstract: Through analyzing the specific implementation of the Security Socket Layer/Transport Layer Security(SSL/TLS) protocol in the client,this paper takes advantage of the vulnerabilities and flaws of SSL/TLS protocol session master key which is handled by browser and the secure parameters which are delivered in the process of protocol handshake. Combined with the Netfilter mechanism to hijack the session,it proposes a new security threat scheme for SSL/TLS protocol(SKAS). What’s more,it gives three defense methods of random number one-way encryption,bidirectional encryption and protection session master key security based on the security research of SKAS scheme. After the actual experiments,it is verified the feasibility of SKAS threat scheme. The success rate of attacks can reach more than 90% and this scheme also can achieve a wide attack and a deep threat. The three kinds of defense method can resist the SKAS threat and guarantee communication data security of SSL/TLS protocol between the client and server.

Key words: Security Socket Layer(SSL) protocol, Transport Layer Security(TLS) protocol, session key, Netfilter mechanism, session hijacking, security defense

中图分类号: