摘要
针对当前应用最为广泛的安全传输层(TLS)协议不能解决通信终端被攻击而造成的信息泄露问题,以及在TLS协议中引入对通信终端的完整性证明带来的安全性和兼容性问题,提出了与标准TLS协议兼容,并且支持对通信双方进行完整性证明的可信增强TLS协议的设计与实现方案.该方案完成了通信双方的完整性信息的交换和验证,从而解决了因通信终端的完整性遭到破坏而造成的信息泄露问题.此外,提出了TLS协议中通信终端的身份与完整性信息的绑定方案,从而有效避免了重放攻击.最后对协议的安全性进行了分析证明,并对协议实现情况进行了测试,测试结果表明可信增强TLS协议与标准TLS协议兼容且具有良好的性能.
Transport layer security(TLS)protocol is widely used in the network security field.The TLS protocol does not provide any protection from malicious endpoint and may lead to information leakage.Recent approaches aimed to solve this problem by additionally providing integrity information of the involved endpoints during the handshake process of TLS.However,these solutions have either security or compatibility problems which prevents them from deploying in practice.In this paper,the design and implementation of a trusted enhanced TLS protocol was presented,which supported integrity attestation and was compatible with the standard TLS protocol.Making use of remote attestation proposed by the trusted computing group,trusted platform module(TPM)mechanisms and encrypted tunnel,our design effectively built the linkage between the integrity information and actual tunnel endpoint thus avoiding the relay attack.In the end,the security analysis of the trusted enhanced TLS protocol was given,and the implementation and compatibility test of the protocol was presented.
出处
《华中科技大学学报(自然科学版)》
EI
CAS
CSCD
北大核心
2016年第3期44-48,共5页
Journal of Huazhong University of Science and Technology(Natural Science Edition)
基金
中国科学院战略性先导科技专项资助项目(XDA06040502
XDA06010701)
关键词
可信计算
安全传输层(TLS)协议
远程证明
可信平台模块
重放攻击
可信信道
trusted computing
transport layer security(TLS)protocol
remote attestation
trusted platform module
relay attack
trusted channel
