摘要
近年来,PKI数字证书服务出现了多次安全事件:CA机构由于攻击等原因签发虚假的TLS服务器数字证书,将攻击者的公钥绑定在被攻击网站的域名上。因此,研究人员提出了多种PKI数字证书验证安全增强方案,用于消除虚假数字证书的影响,现有各种方案在安全性和效率上各有优劣。提出了一种集成化的PKI数字证书验证安全增强方案,以Pinning方案为基础,利用其他方案来改进Pinning方案的缺陷。当浏览器面临TLS服务器数字证书的三种Pinning方案不同状态(初始化、正常使用、更新),兼顾安全性和执行效率、分别综合使用不同的安全增强方案,整体上达到了最优的安全性和执行效率。完成的集成化PKI数字证书验证安全增强方案能够有效解决虚假数字证书的攻击威胁。
Recently,there were several security incidents of certificate services in public key infrastructures(PKI):fraudulent TLS server certificates were signed by certification authorities(CA)due to network attacks,and bound the attacker’s public key to the victim website’s domain name.So various security-enhanced certification verification schemes were proposed to defeat against these attacks,and each scheme has its own advantage and disadvantage in security and/or performance.This paper presented an integrated security-enhanced PKI certificate verification scheme based on Pinning,while the disadvantages of Pinning was solved by integrating other schemes.In this scheme,when a browser was faced with three different states of the TLS server certificate(i.e.,initialization,normal usage and update),multiple security-enhanced verification schemes are integrated comprehensively in different ways.This scheme took both security and performance into account,and achieve the optimal security and performance over the integrated schemes.The proposed integrated security-enhanced PKI certificate verification scheme effectively defeats the attack of fraudulent TLS server certificates.
作者
刘学忠
李冰雨
王聪丽
林璟锵
Liu Xuezhong;Li Bingyu;Wang Congli;Lin Jingqiang(Shenhuahelishi Information Technology Limited Company,Beijing 100011,China;State Key Laboratory of Information Security,Institute of Information Engineering,Chinese Academy of Sciences,Beijing 100093,China;School of Cyber Security,University of Chinese Academy of Sciences,Beijing 100049,China)
出处
《计算机应用研究》
CSCD
北大核心
2020年第7期2104-2107,共4页
Application Research of Computers
基金
国家自然科学基金资助项目(61772518)。
关键词
公钥基础设施
数字证书
安全增强服务
传输层安全
public key infrastructure(PKI)
certificate
security-enhanced service
transport layer security(TLS)
