| OpenSSL Heartbleed漏洞研究及启示 |
| |
| 引用本文: | 杨勇,邹雷.OpenSSL Heartbleed漏洞研究及启示[J].信息安全与通信保密,2014(5):99-102. |
| |
| 作者姓名: | 杨勇 邹雷 |
| |
| 作者单位: | 卫士通信息产业股份有限公司,成都610041 |
| |
| 摘 要: | 2014年4月8日,OpenSSL爆出其加密代码中一种名为Heartbleed的严重安全漏洞。利用该漏洞,攻击者在对客户端OpenSSL代码进行修改后,就能从内存中读取请求存储位置之外的多达64 KB的数据,这段内存数据可能包含证书私钥、用户名与密码、聊天信息、电子邮件、重要的商业文档、通信等数据。目前,绝大多数的电商以及网络支付的登录服务都是使用OpenSSL协议进行搭建的,所以该漏洞有着极为深远的影响。因此第一时间对该漏洞进行研究,分析,修复,是整个安全领域的首要任务。
|
| 关 键 词: | OpenSSL Heartbleed 漏洞 安全 |
OpenSSL Heartbleed Bug and Its Enlightenment |
| |
| YANG Yong,ZOU Lei.OpenSSL Heartbleed Bug and Its Enlightenment[J].China Information Security,2014(5):99-102. |
| |
| Authors: | YANG Yong ZOU Lei |
| |
| Affiliation: | (Westone Information Industry INC, Chengdu Sichuan 610041, China) |
| |
| Abstract: | The OpenSSL Heartbleed bug was open to the public on April 8, 2014. By exploiting the vulnerability, the attacker on the Internet can read the data up to 64 KB from the memory protected by the vulnerable versions of OpenSSL software, and this data may contain private key, user name, password, Email, message and the important business documents. Currently, the vast majority of electronic payment service and network logon service is built up with OpenSSL protocol, and so the Heartbleed bug has a profound influence on this field. The study, analysis and repair of the Heartbleed bug is the primary task for the whole information security domain. |
| |
| Keywords: | OpenSSL heartbleed bug security |
| 本文献已被 CNKI 维普 等数据库收录! |
|
