《计算机应用研究》|Application Research of Computers

一种集成化的PKI数字证书验证安全增强方案

Integrated security-enhanced PKI certificate verification scheme

免费全文下载 (已被下载 次)  
获取PDF全文
作者 刘学忠,李冰雨,王聪丽,林璟锵
机构 1.神华和利时信息技术有限公司,北京 100011;2.中国科学院信息工程研究所 信息安全国家重点实验室,北京 100093;3.中国科学院大学 网络空间安全学院,北京 100049
统计 摘要被查看 次,已被下载
文章编号 1001-3695(2020)07-037-2104-04
DOI 10.19734/j.issn.1001-3695.2018.11.0939
摘要 近年来,PKI数字证书服务出现了多次安全事件:CA机构由于攻击等原因签发虚假的TLS服务器数字证书,将攻击者的公钥绑定在被攻击网站的域名上。因此,研究人员提出了多种PKI数字证书验证安全增强方案,用于消除虚假数字证书的影响,现有各种方案在安全性和效率上各有优劣。提出了一种集成化的PKI数字证书验证安全增强方案,以Pinning方案为基础,利用其他方案来改进Pinning方案的缺陷。当浏览器面临TLS服务器数字证书的三种Pinning方案不同状态(初始化、正常使用、更新),兼顾安全性和执行效率、分别综合使用不同的安全增强方案,整体上达到了最优的安全性和执行效率。完成的集成化PKI数字证书验证安全增强方案能够有效解决虚假数字证书的攻击威胁。
关键词 公钥基础设施; 数字证书; 安全增强服务; 传输层安全
基金项目 国家自然科学基金资助项目(61772518)
本文URL http://www.arocmag.com/article/01-2020-07-037.html
英文标题 Integrated security-enhanced PKI certificate verification scheme
作者英文名 Liu Xuezhong, Li Bingyu, Wang Congli, Lin Jingqiang
机构英文名 1.Shenhuahelishi Information Technology Limited Company,Beijing 100011,China;2.State Key Laboratory of Information Security,Institute of Information Engineering,Chinese Academy of Sciences,Beijing 100093,China;3.School of Cyber Security,University of Chinese Academy of Sciences,Beijing 100049,China
英文摘要 Recently, there were several security incidents of certificate services in public key infrastructures(PKI): fraudulent TLS server certificates were signed by certification authorities(CA) due to network attacks, and bound the attacker's public key to the victim website's domain name. So various security-enhanced certification verification schemes were proposed to defeat against these attacks, and each scheme has its own advantage and disadvantage in security and/or performance. This paper presented an integrated security-enhanced PKI certificate verification scheme based on Pinning, while the disadvantages of Pinning was solved by integrating other schemes. In this scheme, when a browser was faced with three different states of the TLS server certificate(i. e., initialization, normal usage and update), multiple security-enhanced verification schemes are integrated comprehensively in different ways. This scheme took both security and performance into account, and achieve the optimal security and performance over the integrated schemes. The proposed integrated security-enhanced PKI certificate verification scheme effectively defeats the attack of fraudulent TLS server certificates.
英文关键词 public key infrastructure(PKI); certificate; security-enhanced service; transport layer security(TLS)
参考文献 查看稿件参考文献
 
收稿日期 2018/11/1
修回日期 2018/12/19
页码 2104-2107
中图分类号 TP309.2
文献标志码 A