Efficient plaintext gathering method for data protected by SSL/TLS protocol in network auditing

Cited by: 7

Authors: Dong Haitao (董海韬) [1,2,3], Tian Jing (田静) [1], Yang Jun (杨军) [1], Ye Xiaozhou (叶晓舟) [2], Song Lei (宋磊) [2]

Affiliations: [1] Key Laboratory of Noise and Vibration Research, Institute of Acoustics, Chinese Academy of Sciences, Beijing 100190; [2] National Network New Media Engineering Research Center, Institute of Acoustics, Chinese Academy of Sciences, Beijing 100190; [3] University of Chinese Academy of Sciences, Beijing 100190

Source: Journal of Computer Applications (计算机应用), 2015, No. 10, pp. 2891-2895 (5 pages)

Funding: Strategic Priority Research Program of the Chinese Academy of Sciences (XDA06010302); Knowledge Innovation Program of the Institute of Acoustics, Chinese Academy of Sciences (Y154191601)

Abstract: To address the difficulty of auditing Internet traffic protected by the Secure Sockets Layer / Transport Layer Security (SSL/TLS) protocol, a plaintext gathering method for SSL/TLS-protected network data based on the man-in-the-middle principle is proposed. A data gatherer acting as a legitimate middleman is inserted in series between server and client. During the SSL/TLS handshake it modifies the handshake messages exchanged by the two parties and thereby obtains the keys both sides use for data encryption, so that the protected data can be decrypted and its plaintext gathered. Compared with existing gathering methods based on the proxy-server principle, the proposed method has shorter transmission delay, higher SSL throughput and lower memory consumption. Compared with existing schemes in which the gatherer holds the server's private key, it has a wider scope of application and is not affected by packet loss on the Internet. Experimental results show that, relative to the proxy-server-based gathering method, the proposed method reduces transmission delay by about 27.5% and raises SSL throughput by about 10.4%, with the SSL throughput approaching the ideal upper bound.
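The abstract describes the mechanism only at the level of principle: an in-series gatherer alters handshake messages so that it ends up holding the session keys of both sides, then decrypts, records and re-encrypts application data. The model below is an added illustration of that principle and is not the paper's method or code (the abstract does not disclose which handshake messages are modified or how the gatherer is made "legitimate"). It assumes an ephemeral Diffie-Hellman key exchange on a demo-sized group, a SHA-256 keystream XOR standing in for record encryption, and an HMAC under a server-only key standing in for the server's signature over its key share; all names are hypothetical. It also shows the caveat a practitioner will want to check: a client that authenticates the server's key share rejects the substituted handshake, so an in-series interceptor that does not hold the server's key must instead be trusted by the client in some other way.

```python
"""Toy model of in-series key interception at handshake time (added example,
not the paper's method).

A gatherer sits between client and server, swaps each side's ephemeral
Diffie-Hellman share for its own, and so ends up holding one session key
shared with the client and another shared with the server. Records are
decrypted, logged and re-encrypted as they pass through. Demo-sized group;
the record "cipher" is a SHA-256 keystream XOR, not a TLS cipher suite.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1          # Mersenne prime; demo-sized, not a real DH group
G = 5
SERVER_SIGNING_KEY = b"server-only-secret"   # hypothetical stand-in for the server's signing key


def dh_keygen():
    """Return (private exponent, public share) for an ephemeral DH key."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def derive_key(private, peer_share):
    """Session key = SHA-256 of the DH shared secret (fits in 16 bytes for this P)."""
    return hashlib.sha256(pow(peer_share, private, P).to_bytes(16, "big")).digest()


def record_xor(key, data):
    """Toy record protection: XOR with a SHA-256 counter keystream (self-inverse)."""
    out = bytearray()
    for block, off in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


def sign_share(share):
    """Stand-in for the server's signature over its key share (cf. TLS ServerKeyExchange)."""
    return hmac.new(SERVER_SIGNING_KEY, share.to_bytes(16, "big"), hashlib.sha256).digest()


def run_session(message, intercept):
    """One handshake plus one client->server record; returns each party's view."""
    c_priv, c_pub = dh_keygen()
    s_priv, s_pub = dh_keygen()
    s_sig = sign_share(s_pub)

    if intercept:
        # Gatherer uses one key pair towards the client and another towards the server.
        gc_priv, gc_pub = dh_keygen()
        gs_priv, gs_pub = dh_keygen()
        share_to_client, share_to_server = gc_pub, gs_pub
        g_key_client = derive_key(gc_priv, c_pub)
        g_key_server = derive_key(gs_priv, s_pub)
    else:
        share_to_client, share_to_server = s_pub, c_pub
        g_key_client = g_key_server = None

    client_key = derive_key(c_priv, share_to_client)
    server_key = derive_key(s_priv, share_to_server)

    # Client-side server authentication: the only signature the gatherer can
    # forward is the one over the server's real share, which does not cover
    # the substituted share, so a verifying client rejects the handshake.
    server_auth_ok = hmac.compare_digest(s_sig, sign_share(share_to_client))

    # Record path: client encrypts; the gatherer (if present) decrypts with the
    # client-facing key, logs the plaintext, re-encrypts with the server-facing key.
    wire = record_xor(client_key, message)
    logged = None
    if intercept:
        logged = record_xor(g_key_client, wire)
        wire = record_xor(g_key_server, logged)
    delivered = record_xor(server_key, wire)

    return {
        "client_key": client_key,
        "server_key": server_key,
        "gatherer_keys": (g_key_client, g_key_server),
        "server_auth_ok": server_auth_ok,
        "gatherer_plaintext": logged,
        "server_plaintext": delivered,
    }


if __name__ == "__main__":
    # Constructed sample request, not captured traffic.
    for mode in (False, True):
        r = run_session(b"GET /account HTTP/1.1", intercept=mode)
        print(f"intercept={mode}: server_auth_ok={r['server_auth_ok']}, "
              f"gatherer_saw={r['gatherer_plaintext']}, server_got={r['server_plaintext']}")
```

With `intercept=True` the gatherer's two keys equal the client's and the server's session keys respectively, it recovers the plaintext, and the server still receives the correct request; `server_auth_ok` is false, which is the point to keep in mind when reading the abstract's claim that the method works without the server's private key: whatever makes the gatherer a "legitimate" middleman has to satisfy the client's check on the server's identity.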

Keywords: Secure Sockets Layer; Transport Layer Security; network content auditing; network data gathering

Classification: TP393.08 [Automation and computer technology; computer application technology]
