SSL协议安全性分析及其在WWW系统的应用研究
|
摘要
随着计算机网络技术特别是Internet技术的发展,网络安全日益受到人们的重视。网络环境中的数据安全传输协议,对于应用的安全性起着非常重要的作用,已经成为影响网络进一步发展的重要因素。目前,国外著名的商用浏览器和Web服务器都内嵌地支持SSL协议,SSL己成为最流行的WWW安全协议。
但是,国外主流的电子商务安全协议在核心密码算法上都有出口限制,如只允许40位或56位的RC4和512位的RSA算法出口等,而且协议源代码不公开,根本无法满足我国电子商务实际应用当中的安全需求。因此,在国际同行的研究基础上,尽量吸取和掌握其思想、原理的先进性,结合我国自有密码算法,设计或者改造相关的安全传输协议,将这些协议实现与现有应用系统和操作系统结合起来是十分有意义的工作。
本文首先介绍了密码学方面的基础知识,接着介绍了身份认证中的消息摘要算法和数字签名的原理以及X.509证书,这些是公钥加密体系中身份认证的基础。然后分析了SSL协议,着重分析了SSL握手协议及SSL协议各部分的安全性和抗攻击能力,并在SSL(Secure Sockets Layer)协议的研究基础上,详细介绍了一个基于JAVA的SSL安全Web系统的设计方案、技术特点与实现方法。最后指出了需要进一步完善的工作。
With the development of computer network especially the Internet, the security of network receives more and more attention. The secure transport of data has become the emphasis of network environment and one of important factors of network development. Presently, many of the famous commercial products of browsers and web servers support SSL internally. SSL has become the most prevailing WWW secure protocol.
However, most of the electronic business secure protocols are subject to the limitation of export regulations. For example, only 40 bits or 56 bits of RC4 algorithm and 512 bits of RSA algorithm are permitted to export, and its source code isn't published. It isn't satisfied with the secure requirement of the electronic business in our country. It's very significant to design or rebuild the secure transport protocol with our own cryptogram algorithm based on the research of its idea and principle.
In this article, the fundamental knowledge of cryptography are introduced first. The author introduces the message digest algorithm, digital signature and X.509 certificate which are the foundations of authentication in public-key systems. Next, SSL protocol is analyzed. SSL handshake protocol and the security of SSL are described in detail. Then, the system design plan, critical technology and implement method of a secure web system based on JAVA are proposed. In the end, the author points out the work should be improved in the future.
但是,国外主流的电子商务安全协议在核心密码算法上都有出口限制,如只允许40位或56位的RC4和512位的RSA算法出口等,而且协议源代码不公开,根本无法满足我国电子商务实际应用当中的安全需求。因此,在国际同行的研究基础上,尽量吸取和掌握其思想、原理的先进性,结合我国自有密码算法,设计或者改造相关的安全传输协议,将这些协议实现与现有应用系统和操作系统结合起来是十分有意义的工作。
本文首先介绍了密码学方面的基础知识,接着介绍了身份认证中的消息摘要算法和数字签名的原理以及X.509证书,这些是公钥加密体系中身份认证的基础。然后分析了SSL协议,着重分析了SSL握手协议及SSL协议各部分的安全性和抗攻击能力,并在SSL(Secure Sockets Layer)协议的研究基础上,详细介绍了一个基于JAVA的SSL安全Web系统的设计方案、技术特点与实现方法。最后指出了需要进一步完善的工作。
With the development of computer network especially the Internet, the security of network receives more and more attention. The secure transport of data has become the emphasis of network environment and one of important factors of network development. Presently, many of the famous commercial products of browsers and web servers support SSL internally. SSL has become the most prevailing WWW secure protocol.
However, most of the electronic business secure protocols are subject to the limitation of export regulations. For example, only 40 bits or 56 bits of RC4 algorithm and 512 bits of RSA algorithm are permitted to export, and its source code isn't published. It isn't satisfied with the secure requirement of the electronic business in our country. It's very significant to design or rebuild the secure transport protocol with our own cryptogram algorithm based on the research of its idea and principle.
In this article, the fundamental knowledge of cryptography are introduced first. The author introduces the message digest algorithm, digital signature and X.509 certificate which are the foundations of authentication in public-key systems. Next, SSL protocol is analyzed. SSL handshake protocol and the security of SSL are described in detail. Then, the system design plan, critical technology and implement method of a secure web system based on JAVA are proposed. In the end, the author points out the work should be improved in the future.
引文
[1] Naganand Doraswamy,Dan Harkins著,IPSec新一代因特网安全标准,京京工作室译,第1版,[2000/1],机械工业出版社,P136-140
[2] Douglas E.Comer著,用TCP/IP进行网际互连-第一卷原理、协议和体系结构,林瑶、蒋慧、杜蔚轩等译,第2版,[1998/6],电子工业出版社,P225-P227
[3] Douglas E.Comer,David L.Stevens著,用TCP/IP进行网际互连-第三卷客户机-服务器编程和应用,赵刚、林瑶、蒋慧等译,第2版,[1998/6],电子工业出版社,P240-255
[4] W.Richard Stevens著,TCP/IP详解——卷1:协议,范建华、胥光辉、张涛等译,第1版,[2000/4],机械工业出版社,P167-180
[5] Bruce Schneier著,应用密码学——协议、算法与C源程序,吴世忠译,第1版,[2000/01],机械工业出版社,P223-230
[6] 卿斯汉著,密码学与计算机网络安全,第1版,[2001/7],清华大学出版社,P1-15,P23-26
[7] 贾晶,陈元、王丽娜著,信息系统的安全与保密,第1版,[1999/1],清华大学出版社,P21-23
[8] Gong L著,Java2平台安全技术—结构、API设计和实现,王运凯译,[2000/02]机械工业出版社,P49-57
[9] 陈如刚、杨小虎著,电子商务安全协议,第1版,[2000/7],浙江大学出版社,P146-148,P160-165
[10] 杨波著,网络安全理论与应用,第1版,[2002/1],电子工业出版社,P1-4,P9-12,P219-226
[11] 宋玲、吕立坚、蒋华,基于PKI实现网络通信安全性的研究,计算机工程与应用,2002,Vol38(13)
[12] 孟桂娥、董玮文、杨宇航,公钥基础设施PKI的设计,计算机工程,2001,Vol27(6)
[13] 莫鸿强、侯小梅、毛宗源,基于SSL协议的电子商务解决方案,计算机工程与应用,2001,Vol37(8)
[14] 韦卫、王德杰、张英、王行刚,基于SSL的安全www系统的研究与实现,计算机研究与发展,1998,Vol36(5)
[15] 李益发、南相浩、宋志敏,一种对SSL V3.0的攻击,计算机工程与应用,2001,Vol37(16)
[16] 谭毓安,在Java中实现SSL端到端加密,计算机应用研究,2002,Vol19(8)
[17] 施雪松、丁岳伟、袁健,基于Java2的SSL代理的实现,计算机工程,2002,Vol28(8)
[18] 张峰、杨根兴、王小妮,采用SSL保障系统安全的一种方法,北京机械工业学院学报(综合版),2001,Vol16(3)
[19] R. Rivest, MD5 Message-Digest Algorithm, RFC1321, April 1992
[20] Frier P Karlton, P Kocher, The SSL3.0 Protocol, Netscape Communication Corp, 1996
[21] Tim Dierks, Christopher Allen, The TLS Protocol Version 1.0, IETF RFC2246, January 1999
[22] Bruce Schneier, Applied Cryptography—Protocols, Algrithms and Source Code in C(Second Edition), John Wiley & Sons Inc, 1996
[23] S. Kent, R. Atkinson, Security Architecture for the Internet Protocol, RFC 2401, November 1998.
[24] E. Gerck, Overview of Certification Systems:X. 509, CA, PGP and SKIP, 1998
[25] J. Myers, Simple Authentication and Security Layer(SASL), RFC2222, October, 1997.
[26] R. Rousley, W. Ford, W. Polk, D. Solo, Internet X. 509 Public Key Infrastructure Certificate and CRL Profile, RFC2459, January 1999.
[27] C. Adams, S. Farrell, Internet X. 509 Public Key Infrastructure Certificate Management Protocols. RFC2510, March 1999.
[28] ITU-T, Information Technology - Open Systems Interconnection - The Directory: Authentication Framework, ITU-T Recommendation X. 509,1997
[2] Douglas E.Comer著,用TCP/IP进行网际互连-第一卷原理、协议和体系结构,林瑶、蒋慧、杜蔚轩等译,第2版,[1998/6],电子工业出版社,P225-P227
[3] Douglas E.Comer,David L.Stevens著,用TCP/IP进行网际互连-第三卷客户机-服务器编程和应用,赵刚、林瑶、蒋慧等译,第2版,[1998/6],电子工业出版社,P240-255
[4] W.Richard Stevens著,TCP/IP详解——卷1:协议,范建华、胥光辉、张涛等译,第1版,[2000/4],机械工业出版社,P167-180
[5] Bruce Schneier著,应用密码学——协议、算法与C源程序,吴世忠译,第1版,[2000/01],机械工业出版社,P223-230
[6] 卿斯汉著,密码学与计算机网络安全,第1版,[2001/7],清华大学出版社,P1-15,P23-26
[7] 贾晶,陈元、王丽娜著,信息系统的安全与保密,第1版,[1999/1],清华大学出版社,P21-23
[8] Gong L著,Java2平台安全技术—结构、API设计和实现,王运凯译,[2000/02]机械工业出版社,P49-57
[9] 陈如刚、杨小虎著,电子商务安全协议,第1版,[2000/7],浙江大学出版社,P146-148,P160-165
[10] 杨波著,网络安全理论与应用,第1版,[2002/1],电子工业出版社,P1-4,P9-12,P219-226
[11] 宋玲、吕立坚、蒋华,基于PKI实现网络通信安全性的研究,计算机工程与应用,2002,Vol38(13)
[12] 孟桂娥、董玮文、杨宇航,公钥基础设施PKI的设计,计算机工程,2001,Vol27(6)
[13] 莫鸿强、侯小梅、毛宗源,基于SSL协议的电子商务解决方案,计算机工程与应用,2001,Vol37(8)
[14] 韦卫、王德杰、张英、王行刚,基于SSL的安全www系统的研究与实现,计算机研究与发展,1998,Vol36(5)
[15] 李益发、南相浩、宋志敏,一种对SSL V3.0的攻击,计算机工程与应用,2001,Vol37(16)
[16] 谭毓安,在Java中实现SSL端到端加密,计算机应用研究,2002,Vol19(8)
[17] 施雪松、丁岳伟、袁健,基于Java2的SSL代理的实现,计算机工程,2002,Vol28(8)
[18] 张峰、杨根兴、王小妮,采用SSL保障系统安全的一种方法,北京机械工业学院学报(综合版),2001,Vol16(3)
[19] R. Rivest, MD5 Message-Digest Algorithm, RFC1321, April 1992
[20] Frier P Karlton, P Kocher, The SSL3.0 Protocol, Netscape Communication Corp, 1996
[21] Tim Dierks, Christopher Allen, The TLS Protocol Version 1.0, IETF RFC2246, January 1999
[22] Bruce Schneier, Applied Cryptography—Protocols, Algrithms and Source Code in C(Second Edition), John Wiley & Sons Inc, 1996
[23] S. Kent, R. Atkinson, Security Architecture for the Internet Protocol, RFC 2401, November 1998.
[24] E. Gerck, Overview of Certification Systems:X. 509, CA, PGP and SKIP, 1998
[25] J. Myers, Simple Authentication and Security Layer(SASL), RFC2222, October, 1997.
[26] R. Rousley, W. Ford, W. Polk, D. Solo, Internet X. 509 Public Key Infrastructure Certificate and CRL Profile, RFC2459, January 1999.
[27] C. Adams, S. Farrell, Internet X. 509 Public Key Infrastructure Certificate Management Protocols. RFC2510, March 1999.
[28] ITU-T, Information Technology - Open Systems Interconnection - The Directory: Authentication Framework, ITU-T Recommendation X. 509,1997