数据传输安全协议分析改进及测试
|
摘要
通信安全技术已经被认为在当今的信息化社会中关系到国家与社会安全与稳定的关键技术。SSL协议是由Netscape公司研究制定的安全数据传输协议,该协议被广泛应用于安全数据传输与互连网交易中。本文首先介绍了数据传输安全技术和知识,然后对SSL协议进行了系统分析,指出协议的安全作用并提出了相应的改进方案,阐述了数据传输安全协议设计过程中所要求的相关背景知识,对安全网关的设计及其相关产品的测试提出了实际可行的方案并加以验证。
本文的理论贡献是在分析常用的信息技术安全协议的基础上,分析了网络底层的安全协议,提出了椭圆曲线在密钥交换和对RSA进行指数二次加密的解决方案。这些知识对于安全领域和工业界特别是我们自主知识产权的网络安全产品的研制提供了一定的理论参考。同时根据实际在操作系统的选型过程,提出了如何选择操作系统的相关知识。最后提出了数据传输安全协议产品的安全保证要求。并制定了SSL协议产品的测试方法,为今后研究和测试相关安全产品提供了有益的理论指导和参考。
本文的应用成果贡献是针对SSL协议进行了配置,并利用椭圆曲线与二次加密技术对安全协议有所改进,在操作系统内核实现了基于SSL的安全Web服务器和安全浏览器系统。全面分析了WWW安全协议的现状,重点研究了SSL协议,并对该类产品所采用协议一致性等项目进行测试,在实际测试中证明该方法是可行的。
Secure techniques in communications are key problems in the information society, which have near connections to the security and stability of country and society. The SSL protocol developed by Netscape Communications is a famous secure protocol in data transmission process, which is widely applicable in communication security. The paper introduced secure data transmission technique and relevant background knowledge, then the author gave an analyse of SSL protocol. The author pointed out the function of the protocol and gave some improvement schemes, expatiated relevant knowledge in the design of secure data transmission. Advanced a practical scheme in the design and test of secure gateway and correlated products.
The theoretical contributions of this paper are that the author analyzes the bottom layer of the protocol, pointed out the elliptical curve and secondary encryption in RSA based on common used secure protocols. Which is valuable to those whose research field is security and the industrial field especially to those who want to produce our own property right products. The author offered relevant knowledge in the selection of RTOS according the practical experience. At last the author raised requirements of secure function and protection, which may offer theoretical guidance and reference to research and test of such secure products.
The practical contributions of this paper are that the author configured the SSL protocol and improved it by elliptical curve and secondary encryption. Realized the secure server and browser based on SSL protocol in the kernel of the operate system. Entirely analyzed the secure protocols in www especially to SSL protocol. Finished the protocol coherence test etc. It was proved to be viable through the practical testing process.
本文的理论贡献是在分析常用的信息技术安全协议的基础上,分析了网络底层的安全协议,提出了椭圆曲线在密钥交换和对RSA进行指数二次加密的解决方案。这些知识对于安全领域和工业界特别是我们自主知识产权的网络安全产品的研制提供了一定的理论参考。同时根据实际在操作系统的选型过程,提出了如何选择操作系统的相关知识。最后提出了数据传输安全协议产品的安全保证要求。并制定了SSL协议产品的测试方法,为今后研究和测试相关安全产品提供了有益的理论指导和参考。
本文的应用成果贡献是针对SSL协议进行了配置,并利用椭圆曲线与二次加密技术对安全协议有所改进,在操作系统内核实现了基于SSL的安全Web服务器和安全浏览器系统。全面分析了WWW安全协议的现状,重点研究了SSL协议,并对该类产品所采用协议一致性等项目进行测试,在实际测试中证明该方法是可行的。
Secure techniques in communications are key problems in the information society, which have near connections to the security and stability of country and society. The SSL protocol developed by Netscape Communications is a famous secure protocol in data transmission process, which is widely applicable in communication security. The paper introduced secure data transmission technique and relevant background knowledge, then the author gave an analyse of SSL protocol. The author pointed out the function of the protocol and gave some improvement schemes, expatiated relevant knowledge in the design of secure data transmission. Advanced a practical scheme in the design and test of secure gateway and correlated products.
The theoretical contributions of this paper are that the author analyzes the bottom layer of the protocol, pointed out the elliptical curve and secondary encryption in RSA based on common used secure protocols. Which is valuable to those whose research field is security and the industrial field especially to those who want to produce our own property right products. The author offered relevant knowledge in the selection of RTOS according the practical experience. At last the author raised requirements of secure function and protection, which may offer theoretical guidance and reference to research and test of such secure products.
The practical contributions of this paper are that the author configured the SSL protocol and improved it by elliptical curve and secondary encryption. Realized the secure server and browser based on SSL protocol in the kernel of the operate system. Entirely analyzed the secure protocols in www especially to SSL protocol. Finished the protocol coherence test etc. It was proved to be viable through the practical testing process.
引文
1 杨心强,邵军力.数据通信与计算机网络.北京:电子工业出版社,1999:361-398
2 Simson Garfinkel,Gene Spafford.王启智,申功迈译.实用UNIX和INTERNET安全技术.北京:电子工业出版社,1999:321-382
3 Douglas R. Stinson. Cryptology Theory and Practice. CRC Press, 1995:9-16
4 Neal Kibitz. A Course in Number Theory and Cryptography, Springer-Verlag, 1987:23-26
5 J. H. Loxton. Number Theory and Cryptography, Cambridge University Press, 1990:63-98
6 王顺满,王成儒.安全技术的未来走向.计算机安全.2001,(3):4.10
7 王顺满,王成儒,王占禄.电子商务安全协议的分析与比较.信息系统工程2001,(2):38-39
8 Alan O. Freier, Philip Karlton. The SSL Protocol Version 3.0.Internet Draft. 1996,(3)6-89
9 Kipp E.B, Hickman. SSL2.0 Protocol Specification. Netscape Communications Corp. 1994,(11)3-76
10 王顺满,王成儒,王占禄.关于电子商务安全问题的几点思考.计算机安全.2001,(2):16-21
11 Joseph H. Silverman. The Arithmetic of Elliptic Curves. Springer-Verlag Press, 1986:162-166
12 王育民.密码学基础与应用.西安:西安电子科技大学出版社,1990:13-58
13 David Wagner. Bruce Schneider. Analysis of the SSL 3.0 protocol, 1996,(11):1-96
14 T. Dierks, C.Allen. The TLS Protocol Version 1.0. Network Working Group. 1999,(1):1-68
15 Alfred J. Menezes. Elliptic Curve Public Key Cryptosystems. Kluwer Academic Publishers. 1993:45-56
16 Evangelos Krankis. Primality and Cryptography. John Wiley&Sons, 1986: 22-36
17 P. Richard.Common Criteria for Information Technology Security Evaluation. Blue Publisher, 1998:112-125
18 肖国镇,卿斯汉.编码理论.北京:国防工业出版社,1993:65-82
19 华罗庚.数论导引.北京:科学出版社,1995:23-62
20 RFC 2510, PKIX Certificate Management Protocols
21 RFC 2511, PKIX Certificate Request Message Format
22 RFC 2527, Certificate Policy and Certification Practices Framework
23 RFC 2528, Representation of Key Exchange Algorithm (KEA) Keys in Internet X.509 Public Key Infrastructure Certificates
24 Draft-ietf-pkix-dhpop, Diffie-Hellman Proof-of-Possession Algorithms
25 Draft-ietf-pkix-time-stamp, Time Stamp Protocols
26 杨千里,王育民.电子商务技术与应用.北京:电子工业出版社,1999:25-64
27 韦卫,王行刚.安全素数生成算法及其在安全套接字层SSL密钥交换协议中的实现.第五届计算机科学与技术学术论文集.威海,1998:55-58
28 C.Adams. S. Farrell. Internet X.509 Public Key Infrastructure Certificate Management Protocols. Draft-letf-Pkix-Ipki3cmp-07.txt, 1998,(2): 121-132
29 D. koala. Information processing systems-Open System Interconnection Basic Reference Model.Security Architecture. 1989(3)65-124
30 G. J. Simmons. Authentication theory and coding theory. Computer Science. 1985,(9):411-432
31 Kaliski, S.Burton. An Overview of the PKCS Standards. An RSA Laboratories Technical Note. 1993,(11):87-92
32 吴世忠,祝世雄,张文政.应用密码学协议、算法与C源程序.北京:机械工业出版社,1998:23-268
33 R. Housley. Internet X.509 Public Key Infrastructure Operational Protocols. ITU. 1998:65-89
34 ISO/IEC and ITU-T Recommendation X.509. Information Technology Open Systems Interconnection. 1997:36-65
35 S. Kent, Privacy Enhancement for Internet Electronic Mail.1993,(2): 26-85
36 王顺满,王成儒.如何选择实时操作系统.计算机安全.2001,(3):22-25
37 Rebecca Thomas. Advanced programmer's Guild to Unix System V. Blue Cat Press, 1987:69-102
38 雷澎.LINUX的管理与配置.北京:机械工业出版社,2000:85-151
39 曾志峰,杨义先.互连网安全关键技术.计算机安全.2001,(4):14-18
40 王行刚.计算机网组网技术.北京:科学出版社,1993:30-165
41 邓亚平.计算机网络.北京:邮电大学出版社,1999:22-35
42 李献刚.流密码体制的研究与分析.[西安电子科技大学博士论文].1994:12-33
43 王育民,刘建伟.通信网的安全理论与技术.西安:西安电子科技大学出版社,1998:96-153
44 Michael K. Johnson. Linux Kernel Hacker's Guide. 1995,(3): 56-59
45 Paul C. Oorschot, Michael J. Wiener. On Diffie-Hellman Key Agreement with Short Exponentd. Springer-Verlag:1996, 85-96
46 Stephen C. Pohlig, Martin E. Hellman. An Improved Algorithm for Computing Logarithms over GF(p) and Its Cryptographic Significance. Information Theory, 1978,(1):58-69
47 U. M. Maurer, Fast Generation of Prime Numbers and Secure Public Key Cryptographic Parameters. Cryptology Press, 1995:123-156
48 Shawn Abbot. On the Performance of SSL and an evolution to Cryptographic coprocessors. Rainbow Technologies. 1997,(1):78-96
49 X. Lai. On the Design and Security of Block Ciphers. ETH Series in Information Press, 1992.54-59
50 David P. Jablon. Strong Password-Only Authenticated Key Exchange. ACM SIGCOMM, 1996:5-25
51 Shawn Abbott, Stephen Keung. On the performance of web servers using SSL. Rainbow Technologies. 1997,(11):45-65
52 李洪峰.LINUX权威指南.北京:中国电力出版社,2000:75-92
53 刘彪.RED HAT LINUX 6.0.北京:机械工业出版社,1999:32-159
54 王顺满,王成儒.安全套接层协议及其设计.计算机安全.2001,(4):30-35
55 王保定,周祖伦,胡苏太.UNIX SYSTEM V应用、管理和开发技术.北京:电子工业出版社.1995:150-178
56 张银福,陈曙晖,赵振宇.LINUX网络应用技术.北京:机械工业出版社,1999:105-159
57 A.Tanenbaum.计算机网络.北京:清华大学出版社,1997:56-101
58 E. Biham, A. Shamir. Differential Cryptanalysis of the Data Encryption Standard. Springer Verlag, 1993:66-89
59 J. Myers. Simple Authentication and Security Layer. RFC 2222, 1997: 25-60
60 崔屹.数据结构与C语言程序设计.北京:希望出版社,1991:102-109
61 A.S.坦南鲍姆.操作系统教程MINIX设计与实现.北京:世界图书出版公司,1990:35-98
62 王成儒,王顺满.VPN安全网关及其相关技术.中国数据通信.2001,(11):10-13
2 Simson Garfinkel,Gene Spafford.王启智,申功迈译.实用UNIX和INTERNET安全技术.北京:电子工业出版社,1999:321-382
3 Douglas R. Stinson. Cryptology Theory and Practice. CRC Press, 1995:9-16
4 Neal Kibitz. A Course in Number Theory and Cryptography, Springer-Verlag, 1987:23-26
5 J. H. Loxton. Number Theory and Cryptography, Cambridge University Press, 1990:63-98
6 王顺满,王成儒.安全技术的未来走向.计算机安全.2001,(3):4.10
7 王顺满,王成儒,王占禄.电子商务安全协议的分析与比较.信息系统工程2001,(2):38-39
8 Alan O. Freier, Philip Karlton. The SSL Protocol Version 3.0.Internet Draft. 1996,(3)6-89
9 Kipp E.B, Hickman. SSL2.0 Protocol Specification. Netscape Communications Corp. 1994,(11)3-76
10 王顺满,王成儒,王占禄.关于电子商务安全问题的几点思考.计算机安全.2001,(2):16-21
11 Joseph H. Silverman. The Arithmetic of Elliptic Curves. Springer-Verlag Press, 1986:162-166
12 王育民.密码学基础与应用.西安:西安电子科技大学出版社,1990:13-58
13 David Wagner. Bruce Schneider. Analysis of the SSL 3.0 protocol, 1996,(11):1-96
14 T. Dierks, C.Allen. The TLS Protocol Version 1.0. Network Working Group. 1999,(1):1-68
15 Alfred J. Menezes. Elliptic Curve Public Key Cryptosystems. Kluwer Academic Publishers. 1993:45-56
16 Evangelos Krankis. Primality and Cryptography. John Wiley&Sons, 1986: 22-36
17 P. Richard.Common Criteria for Information Technology Security Evaluation. Blue Publisher, 1998:112-125
18 肖国镇,卿斯汉.编码理论.北京:国防工业出版社,1993:65-82
19 华罗庚.数论导引.北京:科学出版社,1995:23-62
20 RFC 2510, PKIX Certificate Management Protocols
21 RFC 2511, PKIX Certificate Request Message Format
22 RFC 2527, Certificate Policy and Certification Practices Framework
23 RFC 2528, Representation of Key Exchange Algorithm (KEA) Keys in Internet X.509 Public Key Infrastructure Certificates
24 Draft-ietf-pkix-dhpop, Diffie-Hellman Proof-of-Possession Algorithms
25 Draft-ietf-pkix-time-stamp, Time Stamp Protocols
26 杨千里,王育民.电子商务技术与应用.北京:电子工业出版社,1999:25-64
27 韦卫,王行刚.安全素数生成算法及其在安全套接字层SSL密钥交换协议中的实现.第五届计算机科学与技术学术论文集.威海,1998:55-58
28 C.Adams. S. Farrell. Internet X.509 Public Key Infrastructure Certificate Management Protocols. Draft-letf-Pkix-Ipki3cmp-07.txt, 1998,(2): 121-132
29 D. koala. Information processing systems-Open System Interconnection Basic Reference Model.Security Architecture. 1989(3)65-124
30 G. J. Simmons. Authentication theory and coding theory. Computer Science. 1985,(9):411-432
31 Kaliski, S.Burton. An Overview of the PKCS Standards. An RSA Laboratories Technical Note. 1993,(11):87-92
32 吴世忠,祝世雄,张文政.应用密码学协议、算法与C源程序.北京:机械工业出版社,1998:23-268
33 R. Housley. Internet X.509 Public Key Infrastructure Operational Protocols. ITU. 1998:65-89
34 ISO/IEC and ITU-T Recommendation X.509. Information Technology Open Systems Interconnection. 1997:36-65
35 S. Kent, Privacy Enhancement for Internet Electronic Mail.1993,(2): 26-85
36 王顺满,王成儒.如何选择实时操作系统.计算机安全.2001,(3):22-25
37 Rebecca Thomas. Advanced programmer's Guild to Unix System V. Blue Cat Press, 1987:69-102
38 雷澎.LINUX的管理与配置.北京:机械工业出版社,2000:85-151
39 曾志峰,杨义先.互连网安全关键技术.计算机安全.2001,(4):14-18
40 王行刚.计算机网组网技术.北京:科学出版社,1993:30-165
41 邓亚平.计算机网络.北京:邮电大学出版社,1999:22-35
42 李献刚.流密码体制的研究与分析.[西安电子科技大学博士论文].1994:12-33
43 王育民,刘建伟.通信网的安全理论与技术.西安:西安电子科技大学出版社,1998:96-153
44 Michael K. Johnson. Linux Kernel Hacker's Guide. 1995,(3): 56-59
45 Paul C. Oorschot, Michael J. Wiener. On Diffie-Hellman Key Agreement with Short Exponentd. Springer-Verlag:1996, 85-96
46 Stephen C. Pohlig, Martin E. Hellman. An Improved Algorithm for Computing Logarithms over GF(p) and Its Cryptographic Significance. Information Theory, 1978,(1):58-69
47 U. M. Maurer, Fast Generation of Prime Numbers and Secure Public Key Cryptographic Parameters. Cryptology Press, 1995:123-156
48 Shawn Abbot. On the Performance of SSL and an evolution to Cryptographic coprocessors. Rainbow Technologies. 1997,(1):78-96
49 X. Lai. On the Design and Security of Block Ciphers. ETH Series in Information Press, 1992.54-59
50 David P. Jablon. Strong Password-Only Authenticated Key Exchange. ACM SIGCOMM, 1996:5-25
51 Shawn Abbott, Stephen Keung. On the performance of web servers using SSL. Rainbow Technologies. 1997,(11):45-65
52 李洪峰.LINUX权威指南.北京:中国电力出版社,2000:75-92
53 刘彪.RED HAT LINUX 6.0.北京:机械工业出版社,1999:32-159
54 王顺满,王成儒.安全套接层协议及其设计.计算机安全.2001,(4):30-35
55 王保定,周祖伦,胡苏太.UNIX SYSTEM V应用、管理和开发技术.北京:电子工业出版社.1995:150-178
56 张银福,陈曙晖,赵振宇.LINUX网络应用技术.北京:机械工业出版社,1999:105-159
57 A.Tanenbaum.计算机网络.北京:清华大学出版社,1997:56-101
58 E. Biham, A. Shamir. Differential Cryptanalysis of the Data Encryption Standard. Springer Verlag, 1993:66-89
59 J. Myers. Simple Authentication and Security Layer. RFC 2222, 1997: 25-60
60 崔屹.数据结构与C语言程序设计.北京:希望出版社,1991:102-109
61 A.S.坦南鲍姆.操作系统教程MINIX设计与实现.北京:世界图书出版公司,1990:35-98
62 王成儒,王顺满.VPN安全网关及其相关技术.中国数据通信.2001,(11):10-13