
Design and Implementation of a WebSocket Sub-Protocol (cited by: 2)

Design and Implementation of WebSocket Sub-Protocol
Abstract: In 2011, HTML5 introduced a persistent protocol, the WebSocket protocol, which as a full-duplex communication protocol is widely used for real-time communication. However, this protocol is not restricted by the same-origin policy, so it may be exposed to the risk of cross-site hijacking, in which attackers impersonate the user to communicate with the server and steal private data. At present there is very little research on the security issues of the WebSocket protocol. To improve the security of WebSocket, this paper designs and implements a WebSocket sub-protocol, "Security-WebSocket", aimed at the cross-site hijacking vulnerability of the WebSocket protocol. The sub-protocol specifies that after a connection is successfully established, the client must perform protocol authentication and identity authentication; after authentication is completed, the server sends a key to the client; thereafter, every time data is transmitted, the client must encrypt the data with the AES symmetric encryption algorithm and send it to the server together with the authentication information, and communication proceeds only after the server has verified the identity information. Experimental results show that although the Security-WebSocket sub-protocol takes slightly longer transmission time than the WebSocket protocol, the overhead is within a controllable range; the protocol can to some extent prevent cross-site hijacking vulnerabilities, thereby improving the security of WebSocket.
Authors: 赵娟娟 (Zhao Juanjuan); 刘昌华 (Liu Changhua) (School of Mathematics and Computer, Wuhan Polytechnic University, Wuhan 430023)
Source: 《信息安全研究》 (Journal of Information Security Research), 2021, No. 1, pp. 64-68 (5 pages)
Keywords: Security-WebSocket sub-protocol; cross-site hijacking; identity authentication; AES encryption algorithm; communication