A Survey of Status and Research on TLS Protocol
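  • English title: A Survey of Status and Research on TLS Protocol
  • Authors: 闫露; 邓浩江; 陈晓
  • Authors (English): YAN Lu; DENG Haojiang; CHEN Xiao; National Network New Media Engineering Research Center, Institute of Acoustics, Chinese Academy of Sciences; University of Chinese Academy of Sciences
  • Keywords: Transport Layer Security protocol; attacks; security; performance
  • English keywords: Transport Layer Security; attack; security; performance
  • Chinese journal title: WJSY
  • English journal title: Journal of Network New Media
  • Institution: National Network New Media Engineering Research Center, Institute of Acoustics, Chinese Academy of Sciences; University of Chinese Academy of Sciences
  • Publication date: 2019-01-15
  • Publisher: 网络新媒体技术 (Journal of Network New Media)
  • Year: 2019
  • Issue: v.8; No.43
  • Funding: Pioneer Action Plan project of the Institute of Acoustics, Chinese Academy of Sciences: Research on Key Technologies and System Development for End-to-End Virtualization (SXJH201609)
  • Language: Chinese
  • Page: WJSY201901001
  • Number of pages: 9
  • CN: 01
  • ISSN: 10-1055/TP
  • Classification number: 5-12+21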
Abstract
Transport Layer Security (TLS) is a security protocol widely used on the Internet and has become the de facto standard for transport-layer security. Over many years of deployment, attacks against the protocol have continued to appear, and a large body of research has grown up around its security. At the same time, because the protocol imposes additional load on the system, its execution efficiency has long been a research focus. Improving the protocol's security and performance is of great significance to its adoption and development. This article analyzes and summarizes research progress on the security and performance of TLS.
