Research on SSL/TLS Protocol Configuration Security Assessment Model Based on Fuzzy Comprehensive Analysis (Cited by: 2)

Authors: Hu Renlin [1,2], Zhang Liwu [2] (University of Chinese Academy of Sciences, Beijing 100190; Institute of Software, Chinese Academy of Sciences, Beijing 100190)

Affiliations: [1] University of Chinese Academy of Sciences, Beijing 100190; [2] Institute of Software, Chinese Academy of Sciences, Beijing 100190

Source: Journal of Information Security Research, 2017, No. 6, pp. 538-547 (10 pages)

Funding: National Natural Science Foundation of China (61472409, 61303247); National Key Basic Research Program of China ("973" Program) (2013CB338003)

Abstract: The SSL/TLS protocol is the standard for encrypted network communication. However, because of the protocol's complexity and flexibility, Web sites are prone to a variety of security flaws when implementing and deploying SSL/TLS. Although SSL/TLS is widely used in Web site development, surprisingly little attention is paid to how to deploy and configure it correctly and how to assess the resulting configuration. Based on a detailed analysis of the characteristics and influencing factors of Web site security assessment, this paper puts forward a new definition of Web site security levels and combines the analytic hierarchy process (AHP) with fuzzy comprehensive analysis to construct a Web site security assessment model based on AHP-fuzzy comprehensive analysis. The model is then applied to the evaluation of real sites, and its results are compared with those of Qualys SSL Labs and High-Tech. The comparison shows that the model better addresses several problems of existing evaluation systems, namely the unclear meaning of security levels, the neglect of insecure 3DES cipher suites, and the neglect of the critical OCSP Stapling extension, which demonstrates the validity and accuracy of the model.

Keywords: SSL/TLS; security assessment; analytic hierarchy process; fuzzy comprehensive analysis; indicator system

Classification: TP393 [Automation and Computer Technology: Computer Application Technology]
