PDF《一种集成化的 PKI 数字证书验证安全增强方案》

第37 卷第

7 期 计算机应用研究 Vol.

37 No.

7 录用定稿 Application Research of Computers Accepted Paper 收稿日期:2018-11-01;

修回日期:2018-12-19 基金项目:国家自然科学基金资助项目(61772518) 作者简介:刘学忠(1974-),男,吉林镇赉人,工程师,博士,主要研究方向为大型网络安全体系、网络安全风险评估;

李冰雨(1990-),男, 河南安阳人,博士研究生,主要研究方向为网络安全;

王聪丽(1994-),女,河北邢台人,硕士研究生,主要研究方向为网络安全;

林Z锵(1978-), 男(通信作者),福建泉州人,研究员,博导,主要研究方向为网络空间安全([email protected]). 一种集成化的 PKI 数字证书验证安全增强方案 * 刘学忠

1 ,李冰雨 2,

3 ,王聪丽 2,

3 ,林Z锵 2,

3 (1. 神华和利时信息技术有限公司, 北京 100011;

2. 中国科学院信息工程研究所 信息安全国家重点实验室, 北京 100093;

3. 中国科学院大学 网络空间安全学院, 北京 100049) 摘要:近年来,PKI 数字证书服务出现了多次安全事件:CA 机构由于攻击等原因签发虚假的 TLS 服务器数字证 书,将攻击者的公钥绑定在被攻击网站的域名上.因此,研究人员提出了多种 PKI 数字证书验证安全增强方案,用 于消除虚假数字证书的影响,现有各种方案在安全性和效率上各有优劣.本文提出了一种集成化的 PKI 数字证书验 证安全增强方案,以Pinning 方案为基础,利用其他方案来改进 Pinning 方案的缺陷.当浏览器面临 TLS 服务器数 字证书的

3 种Pinning 方案不同状态(初始化、正常使用、更新),兼顾安全性和执行效率、分别综合使用不同的 安全增强方案,整体上达到了最优的安全性和执行效率.本文完成的集成化 PKI 数字证书验证安全增强方案能够有 效解决虚假数字证书的攻击威胁. 关键词:公钥基础设施;

数字证书;

安全增强服务;

传输层安全 中图分类号:TP309.1 doi: 10.19734/j.issn.1001-3695.2018.11.0939 Integrated security-enhanced pki certificate verification scheme Liu Xuezhong1 , Li Bingyu2,

3 , Wang Congli2,

3 , Lin Jingqiang2,

3 (1. Shenhuahelishi Information Technology Limited Company, Beijing 100011, China;

2. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;

3. School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China) Abstract: Recently, there were several security incidents of certificate services in public key infrastructures (PKIs) : fraudulent TLS server certificates were signed by certification authorities (CAs) due to network attacks, and bound the attacker'

s public key to the victim website'

s domain name. So various security-enhanced certification verification schemes were proposed to defeat against these attacks, and each scheme has its own advantage and disadvantage in security and/or performance. This paper presents an integrated security-enhanced PKI certificate verification scheme based on Pinning, while the disadvantages of Pinning is solved by integrating other schemes. In this scheme, when a browser is faced with three different states of the TLS server certificate (i. e. , initialization, normal usage and update) , multiple security-enhanced verification schemes are integrated comprehensively in different ways. Proposed scheme took both security and perfor- mance into account, and achieve the optimal security and performance over the integrated schemes. The proposed integrated security-enhanced PKI certificate verification scheme effectively defeats the attack of fraudulent TLS server certificates. Key words: public key infrastructure (PKI);