Abstract
This paper addresses the security risks created by the widespread reuse of certificates across current HTTPS applications. Drawing on the dynamic authorization of security policies in the Zero Trust model, it proposes a scheme that extends and strengthens authentication by leveraging existing Internet infrastructure, specifically DNS. Enhanced authentication information is added as extra configuration on existing DNS authoritative servers, and HTTPS access requests are authenticated dynamically against it, so that the security status of the HTTPS certificate currently in use can be validated in real time. Because it relies on the trusted and readily available DNS infrastructure, the scheme addresses the security problems that certificate reuse in HTTPS commonly introduces, and it constitutes a flexible, efficient and scalable Zero Trust security-enhanced authentication architecture.
Authors
邹立刚
张逸凡
张新跃
袁建廷
Zou Ligang; Zhang Yifan; Zhang Xinyue; Yuan Jianting (Beijing Guoke Cloud Computing Technology Co., Ltd., Beijing 100190, China; China Internet Network Information Center, Beijing 100190, China; School of Information Science and Engineering, Xinjiang University, Urumqi 830046, China)
Source
Cyber Security and Data Governance (《网络安全与数据治理》)
2024, Issue 7, pp. 21-25 (5 pages)
Funding
Key Research and Development Program of the Ministry of Science and Technology (2022YFB3103000).