HTTPS/TLS协议设计和实现中的安全缺陷综述

韦俊琳; 段海新; 万涛

引用本文：

韦俊琳,段海新,万涛.HTTPS/TLS协议设计和实现中的安全缺陷综述[J].信息安全学报,2018,3(2):1-15 [点击复制]
WEI Junlin,DUAN Haixin,WAN Tao.A Survey of Security Deficiencies in Design and Implementation of HTTPS/TLS[J].Journal of Cyber Security,2018,3(2):1-15 [点击复制]

本文已被：浏览 7406次下载 11342次	码上扫一扫！
HTTPS/TLS协议设计和实现中的安全缺陷综述
韦俊琳¹, 段海新¹, 万涛²
0 字体:加大+\|默认\|缩小-
(1.清华大学, 网络科学与网络空间研究院北京中国 100084;2.华为公司渥太华研究中心渥太华加拿大)

摘要:

SSL/TLS协议是目前广泛使用的HTTPS的核心，实现端到端通信的认证、保密性和完整性保护，也被大量应用到非web应用的其他协议（如SMTP）。因为SSL/TLS如此重要，它的安全问题也引起了研究者们的兴趣，近几年对于SSL/TLS协议的研究非常火热。本文总结了近几年四大安全顶级学术会议（Oakland，CCS，USENIX Secuity和NDSS）发表的相关论文，分析该协议设计的设计问题、实现缺陷以及证书方面的相关研究，希望对SSL/TLS协议的改进和其他协议的安全性设计有参考价值。

关键词: SSL TLS 网络安全证书

DOI：10.19363/j.cnki.cn10-1380/tn.2018.03.01

投稿时间：2018-02-19修订日期：2018-03-05

基金项目:本课题得到国家自然科学基金（No.61472215，No.61636204）资助。

A Survey of Security Deficiencies in Design and Implementation of HTTPS/TLS

WEI Junlin¹, DUAN Haixin¹, WAN Tao²

(1.Institute of Network Science and Cyberspace, Tsinghua University, Beijing 100084, China;2.Huwai Ottawa Research Center, 303 Terry Fox Drive, Ottawa, Ontario K2K 3J1, Canada)

Abstract:

SSL/TLS is the fundamental component of HTTPS, which has been widely adopted in both web applications and other protocols like SMTP. Because the protocol is so critical to most of current web applications, the security issues of SSL/TLS attract so many attentions from scholars all over the world. In this paper, we surveyed related research papers published in the BIG4 top security conferences(Oakland, CCS, USENIX Security and NDSS), and systematically analyzed the security problems in the design and implement phases of SSL/TLS and certificate related concerns. We hope that this survey will increase the security of later version of SSL/TLS and design of other security protocols as well.

Key words: SSL TLS network security certificate