Authors: Liu Xuezhong (刘学忠), Li Bingyu (李冰雨), Wang Congli (王聪丽), Lin Jingqiang (林璟锵) [2,3]
Affiliations: [1] Shenhuahelishi Information Technology Limited Company, Beijing 100011, China; [2] State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; [3] School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China
Source: Application Research of Computers (《计算机应用研究》), 2020, No. 7, pp. 2104-2107 (4 pages)
Funding: National Natural Science Foundation of China (61772518).
Abstract: In recent years there have been several security incidents in public key infrastructure (PKI) certificate services: certification authorities (CAs), as a result of attacks or other causes, signed fraudulent TLS server certificates that bind an attacker's public key to the victim website's domain name. Researchers have therefore proposed various security-enhanced PKI certificate verification schemes to eliminate the impact of fraudulent certificates, and each of the existing schemes has its own advantages and disadvantages in security and efficiency. This paper presents an integrated security-enhanced PKI certificate verification scheme that is based on Pinning and uses other schemes to address the shortcomings of Pinning. When a browser faces each of the three Pinning states of a TLS server certificate (initialization, normal usage, and update), the scheme combines different security-enhanced verification schemes in a way that balances security and execution efficiency, and overall it achieves the optimal security and execution efficiency. The resulting integrated security-enhanced PKI certificate verification scheme effectively defeats the threat of fraudulent certificate attacks.
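Keywords: public key infrastructure; digital certificate; security enhancement service; Transport Layer Security
Classification: TP309.2 [Automation and Computer Technology: Computer System Architecture]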