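Abstract:
The SSL/TLS protocol is the core of the widely used HTTPS, providing authentication, confidentiality and integrity protection for end-to-end communication, and it is also widely applied to other, non-web protocols (such as SMTP). Because SSL/TLS is so important, its security problems have drawn researchers' interest, and research on the SSL/TLS protocol has been very active in recent years. This paper summarizes the related papers published in recent years at the four top academic security conferences (Oakland, CCS, USENIX Security and NDSS), and analyzes the protocol's design problems, implementation flaws and certificate-related research, in the hope of providing a useful reference for improving the SSL/TLS protocol and for the security design of other protocols.
Keywords: SSL TLS network security certificate
DOI: 10.19363/j.cnki.cn10-1380/tn.2018.03.01
Submitted: 2018-02-19 Revised: 2018-03-05
Funding: This work was supported by the National Natural Science Foundation of China (No. 61472215, No. 61636204).
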
A Survey of Security Deficiencies in Design and Implementation of HTTPS/TLS |
WEI Junlin, DUAN Haixin, WAN Tao
Institute of Network Science and Cyberspace, Tsinghua University, Beijing 100084, China; Huawei Ottawa Research Center, 303 Terry Fox Drive, Ottawa, Ontario K2K 3J1, Canada
Abstract: |
SSL/TLS is the fundamental component of HTTPS and has been widely adopted both in web applications and in other protocols such as SMTP. Because the protocol is so critical to most current web applications, the security issues of SSL/TLS have attracted considerable attention from researchers worldwide. In this paper, we survey related research papers published at the four top security conferences (Oakland, CCS, USENIX Security and NDSS) and systematically analyze the security problems in the design and implementation of SSL/TLS, along with certificate-related concerns. We hope this survey will help improve the security of later versions of SSL/TLS and inform the design of other security protocols.
Key words: SSL TLS network security certificate |