摘要
内容分发网络可以提高浏览器访问网站的速度和网站安全性(例如防DDo S攻击),已被广泛部署和应用。当浏览器的HTTPS连接被重定向到内容分发网络的代理服务器时,由于浏览器要求收到的证书与访问的网站域名匹配,内容分发网络不能直接使用自己的证书,而是需要使用内容来源网站的有效证书和私钥,才能正确地同浏览器建立HTTPS连接。现在,大量内容分发网络和源网站共用私钥,违背了PKI的设计原则。同时,现有模式下的代理关系对于浏览器是不透明的,内容源网站也无法快速地撤销代理关系。本文提出了一种面向HTTPS的,公开可验证的内容分发网络代理关系管理方案。在本方案中,内容来源网站在公开的日志服务器中发布授权代理其内容的内容分发网络的信息,并产生可验证的代理证据。浏览器使用HTTPS连接内容分发网络代理服务器时,代理服务器推送自己的证书和相应的代理证据。浏览器不必与源网站直接通信,即可验证代理证据,并使用内容分发网络的证书正确地建立HTTPS连接。同时,本方案允许内容分发网络和内容来源网站独立地管理各自的私钥,且内容来源网站可以独立地更新、撤销代理关系。我们实现了本方案的原型系统,并进行了性能评估:实验结果表明,本方案在带宽/延迟/存储等各方面均未造成过大开销。
CDNs (Content Delivery Networks) have been widely deployed to achieve fast content access and better security such as DDoS attack mitigation. However, to support HTTPS services, CDN providers need their custom original websites to share certificates and private keys to establish HTTPS connections with browsers, because browsers require validating the visited website's certificate rather than the connected CDN's certificate. Sharing private keys explicitly conflicts the design principle of PKI and arises deep concerns over CDN's role in standard PKI trust model, considering that the delegation between the CDNs and the original websites is opaque and the original websites lack the capability of rapid updating and revoking such delegation. We present DET (Delegation Transparency for HTTPS with CDNs), a system that provides public and verifiable delegation management for HTTPS with CDNs. In DET, an original website publishes all its delegated CDN providers in a public log, and generates a corresponding delegation proof, which is delivered to the visiting browser along with the CDN's certificate during HTTPS establishment. The visiting browser is able to verify the proof and accept the CDN's certificate without any previous connections to the original website. In DET, the original websites and CDNs manage their SSL private key separately, meanwhile the original websites are able to revoke or update their delegation independently. We have implemented the prototype of DET. The performance evaluation demonstrates that the introduced overhead (in terms of bandwidth, latency and storage) is modest.
作者
王泽
李文强
蔡权伟
WANG Ze;LI Wenqiang;CAI Quanwei(Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;Data Assurance and Communications Security Center, Chinese Academy of Sciences, Beijing 100093, China;School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China)
出处
《信息安全学报》
CSCD
2018年第2期16-30,共15页
Journal of Cyber Security
基金
973课题<租户可控的云数据安全理论与方法研究>资助