Similar literature
17 similar documents found; search took 213 ms
1.
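SSL/TLS is currently one of the most widely used security protocols for communication security and identity authentication, and plays a very important role in protecting information systems. However, because of the complexity of SSL/TLS, websites that implement and deploy it are prone to security defects such as code implementation vulnerabilities, deployment and configuration flaws, and certificate and key management problems. Such problems occur frequently on websites, have caused many security incidents, and have affected large numbers of sites. This paper therefore first addresses the lack of tools, the narrow scope of checks, and the lack of detailed analysis and recommendations in website security testing and analysis by designing and implementing a system that scans and analyzes security vulnerabilities in the SSL/TLS deployment and configuration of websites. The system scans and analyzes three aspects: basic SSL/TLS protocol configuration, cipher suite support, and tests for mainstream attacks. The system was then used to scan the Alexa top 1 million websites, with detailed statistics and analysis, which revealed serious problems: the insecure 3DES cipher suite is widely supported, support for the key extension OCSP Stapling is below 25%, and quite a few websites are still vulnerable to the HeartBleed attack. Finally, solutions or recommendations are given for the main problems found in the scan results.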

2.
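Computer Engineering, 2017, (3): 147-153
This paper analyzes the concrete client-side implementation of the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol. Exploiting vulnerabilities and defects in how browsers handle the SSL/TLS session master key and in how security parameters are passed during the protocol handshake, and combining this with session hijacking via the Netfilter mechanism, it proposes a security threat scheme against SSL/TLS (SKAS) and studies its security, and gives three defense methods: one-way encryption of the random numbers, two-way encryption, and protection of the session master key. Experiments verify the effectiveness of the SKAS threat: its attack success rate exceeds 90%, with a wide attack range and a high threat level. All three proposed defenses withstand the SKAS threat and ensure the security of SSL/TLS data communication between client and server.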

3.
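Design and Implementation of a Web Security Proxy Based on SSL/TLS   Total citations: 6, self-citations: 0, citations by others: 6
An SSL Web proxy can effectively protect data transmitted over the Internet and Web servers that hold sensitive information. However, the performance bottleneck caused by the large amount of data processing in the SSL protocol and the security threats faced by protocol implementations seriously affect the usefulness of an SSL Web proxy. Based on an analysis of the performance and security of the SSL/TLS protocol, this paper designs and implements an efficient and secure SSL/TLS Web proxy.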

4.
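FTP is a simple, easy-to-use file transfer protocol that is very widely used, but its security problems cannot be ignored. Building on the FTP applications based on SSL/TLS that are commonly used today, a series of security measures was designed and implemented, greatly improving the security of user authentication, transmission and file storage in FTP systems.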

5.
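Research and Implementation of a Terminal for a Wireless Secure Access System Based on SSL VPN   Total citations: 1, self-citations: 0, citations by others: 1
As remote access from wireless terminals becomes increasingly common, the security of wireless remote access is receiving more and more attention. Using the Secure Sockets Layer (SSL) protocol to establish a virtual private channel over a public network to protect data is an effective solution. The background of this work is an approach to establishing and maintaining a secure and trusted private SSL VPN channel over a public network based on the SSL protocol. The paper first briefly introduces the SSL/TLS protocol, and then describes the design and implementation analysis of a terminal architecture for a secure access system based on SSL/TLS.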

6.
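Chu Wei, Luo Lei. Fujian Computer, 2005, (4): 47-49
This paper analyzes the differences between the WAP 1.2 and 2.0 security protocols and points out the great advantages of the SSL/TLS protocol in WAP 2.0. On this basis, and taking into account the characteristics of current mobile terminals, it gives a complete analysis and implementation scheme for an SSL/TLS client protocol.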

7.
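Meng Yan, Hou Zhengfeng. Microcomputer Development, 2006, 16(5): 118-120
To ensure secure data transmission over the Internet, encrypted transmission is being used more and more. This paper mainly describes how to use JSSE to implement a secure file transfer system based on the SSL/TLS protocol, and gives the concrete method of creating secure socket connections with JSSE. The system is cross-platform and offers efficient transfer performance. On this basis, the security of the SSL/TLS-based file transfer system is analyzed. Because data encryption is often time-consuming and affects transfer efficiency to some extent, the transfer efficiency of the SSL/TLS-based secure file transfer system is also analyzed by comparing this system with an ordinary file transfer system.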

8.
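This paper briefly introduces the current state and development trends of the Internet's network security architecture, with a focus on analyzing and comparing IPSec and SSL/TLS. It describes in detail the architectures of IPSec and SSL/TLS, the security technologies they use, the security services they can provide, and how they are implemented, and it introduces and compares the characteristics, scope of application, advantages and disadvantages of the two protocols.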

9.
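Network attack detection plays an important role in network security. The targets of network attack detection are mainly attack behaviors such as botnets and SQL injection. With the widespread use of the Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption protocols, SSL/TLS attacks launched against the SSL/TLS protocol itself are increasing. Therefore, by setting up a network flow collection environment, a network flow dataset containing 4 kinds of SSL/TLS attack flows and normal flows was constructed. In view of the current...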

10.
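Web services are widely used in campus data integration, and their security is receiving increasing attention. Based on an analysis of the shortcomings of the existing security solution SSL/TLS, and with the data-sharing services of an academic affairs management information system and a financial management information system as background, this work studies WS-Security and the specifications built on it, such as WS-SecureConversation and WS-Trust. Combining the advantages of SSL/TLS, a WS-*-based Web service security model was designed and implemented on the .NET platform using WSE 3.0; it is of reference value for security solutions for digital campuses and enterprise information integration.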

11.
In the current circumstance, e-commerce through an online banking system plays a significant role. Customers may either buy goods from E-Commerce websites or use online banking to move money to other accounts. When a user participates in these types of behaviors, their sensitive information is sent to an untrustworthy network. As a consequence, when transmitting data from an internal browser to an external E-commerce web server using the cryptographic protocol SSL/TLS, the E-commerce web server ensures the security of the user’s data. The user should be pleased with the confidentiality, authentication, and authenticity properties of the SSL/TLS on both the user’s web browser and the remote E-commerce web server. E-Commerce web servers should choose the best SSL/TLS cipher suites for negotiating the user in order to attain such optimistic scenarios, as the cipher suite used in SSL/TLS plays an important role in securing E-Commerce web servers. The paper primarily focuses on analyzing the SSL/TLS cipher and elliptic curves. The paper also recommends the best elliptic curve cipher suites for E-Commerce and online banking servers, based on their power consumption, handshake execution time, and key exchange and signature verification time.

12.
In their seminal article “Why Johnny Can't Encrypt” [Whitten A, Tygar JD. Why Johnny can't encrypt: a usability case study of PGP 5.0. In: Proceedings of the eighth USENIX security symposium; August 1999.], Whitten and Tygar showed that usability weaknesses of encryption software may result in failure to protect users, in spite of good cryptography. A similar situation happens, on a huge scale, on the Web: the widely deployed SSL/TLS protocols provide good cryptography, yet there is a growing amount of successful attacks on web users, causing massive damages. In this article, we focus on password theft via fake websites, to which we refer as phishing. We believe that phishing is currently the most severe threat facing web users. We begin with a brief review of SSL/TLS. Many sensitive sites do not use SSL/TLS, or use it incorrectly (e.g. to encrypt password, filled into an unprotected login form); we explain why. Even if sites use SSL/TLS (correctly), this may not be enough to prevent phishing – at least, using the basic security and identification indicators of most browsers (URL, padlock and HTTPS). We discuss basic and advanced indicators, and their usability problems. We review recent usability studies, whose results are rather alarming, and put in question the ability of users to avoid phishing sites based on security and identification indicators.

13.
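This paper introduces a design method for the PCI-X interface module in a high-speed network security coprocessor, which optimizes the system using the two protocols IPSec and SSL/TLS and is equipped with various algorithm engines. The coprocessor uses a higher-performance PCI-X bus interface and an SoC chip, and can satisfy both the PCI-X bus protocol and the special transfer requirements inside the coprocessor. Experimental results show that the design method is feasible.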

14.
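This paper summarizes the network security protocols at the different layers of the TCP/IP stack and analyzes their advantages and disadvantages. These include IPSec at the Internet layer; TLS and SSL at the transport layer; and S-HTTP, SET and S/MIME at the application layer.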

15.
A patch to the OpenSSL package maintained by Debian GNU/Linux (an operating system composed of free and open source software that can be used as a desktop or server OS) submitted in 2006 weakened its pseudo-random number generator (PRNG), a critical component for secure key generation. Putting both servers and users at risk, this vulnerability affected OpenSSH, Apache (mod_ssl), the onion router (TOR), OpenVPN, and other applications. In this article, the author examines this issue and its consequences. OpenSSL is an open source library implementing the SSL (Secure Socket Layer) and TLS (Transport Layer Security) protocols. Several widely deployed applications on many OSs rely on it for secure communications, particularly Linux and BSD-based systems. Where in use, it's a critical part of the OS's security subsystem.

16.
Security and performance are usually at odds with each other. Current implementations of security on the web have been adopted at the extreme end of the spectrum, where strong cryptographic protocols are employed at the expense of performance. The SSL protocol is not only computationally intensive, but it makes web caching impossible, thus missing out on potential performance gains. In this paper we discuss the requirements for web security and present a solution that takes into account performance impact and backwards compatibility.

17.
SSL/TLS validations such as certificate and public key pinning can reinforce the security of encrypted communications between Internet-of-Things devices and remote servers, and ensure the privacy of users. However, such implementations complicate forensic analysis and detection of information disclosure; say, when a mobile app breaches user’s privacy by sending sensitive information to third parties. Therefore, it is crucial to develop the capacity to vet mobile apps augmenting the security of SSL/TLS traffic. In this paper, we propose a technique to bypass the system’s default certificate validation as well as built-in SSL/TLS validations performed in iOS apps. We then demonstrate its utility by analysing 40 popular iOS social networking, electronic payment, banking, and cloud computing apps.
