Journal of Computer Applications (计算机应用) ›› 2015, Vol. 35 ›› Issue (10): 2891-2895. DOI: 10.11772/j.issn.1001-9081.2015.10.2891

• Information Security •

Efficient plaintext gathering method for SSL/TLS-protected data, applicable to network content auditing

DONG Haitao1,2,3, TIAN Jing1, YANG Jun1, YE Xiaozhou2, SONG Lei2

  1. Key Laboratory of Noise and Vibration Research, Institute of Acoustics, Chinese Academy of Sciences, Beijing 100190, China;
    2. National Network New Media Engineering Research Center, Institute of Acoustics, Chinese Academy of Sciences, Beijing 100190, China;
    3. University of Chinese Academy of Sciences, Beijing 100190, China
  • Received: 2015-05-04 Revised: 2015-07-15 Online: 2015-10-10 Published: 2015-10-14
  • Corresponding author: TIAN Jing (born 1960), male, from Mengcheng, Anhui; research fellow, PhD; main research interest: digital signal processing; tianjing@cashq.ac.cn
  • Author biographies: DONG Haitao (born 1988), male, from Daqing, Heilongjiang; PhD candidate; main research interest: network information security. YANG Jun (born 1968), male, from Anqing, Anhui; research fellow, PhD; main research interest: digital signal processing. YE Xiaozhou (born 1980), male, from Qinhuangdao, Hebei; associate research fellow, PhD; main research interest: broadband network communication. SONG Lei (born 1986), male, from Wuhu, Anhui; assistant research fellow, PhD; main research interest: broadband network communication.
  • Funding:
    Strategic Priority Research Program of the Chinese Academy of Sciences (XDA06010302); Knowledge Innovation Program of the Institute of Acoustics, Chinese Academy of Sciences (Y154191601).

Efficient plaintext gathering method for data protected by SSL/TLS protocol in network auditing

DONG Haitao1,2,3, TIAN Jing1, YANG Jun1, YE Xiaozhou2, SONG Lei2   

  1. Key Laboratory of Noise and Vibration Research, Institute of Acoustics, Chinese Academy of Sciences, Beijing 100190, China;
    2. National Network New Media Engineering Research Center, Institute of Acoustics, Chinese Academy of Sciences, Beijing 100190, China;
    3. University of Chinese Academy of Sciences, Beijing 100190, China
  • Received:2015-05-04 Revised:2015-07-15 Online:2015-10-10 Published:2015-10-14

Abstract (translated from the Chinese): To address the difficulty of auditing data that is protected on the Internet by the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol, a plaintext gathering method for SSL/TLS-protected network data based on the man-in-the-middle principle is proposed. A data gatherer acting as a legitimate intermediary is inserted in series between the server and the client; during the SSL/TLS handshake it modifies the handshake messages exchanged by the two parties so as to obtain the key the parties use for data encryption, thereby decrypting the protected data and gathering its plaintext. Compared with the existing gathering method based on the proxy-server principle, this method has a shorter transmission delay, a higher SSL throughput and a smaller memory footprint; compared with the existing scheme in which the gatherer holds the server's private key, it has a wider range of application and is not affected by network packet loss. Experimental results show that, compared with the proxy-server-based gathering method, the proposed method reduces transmission delay by about 27.5% and increases SSL throughput by about 10.4%, and that its SSL throughput approaches the ideal upper bound.

Keywords: Secure Sockets Layer (SSL) protocol, Transport Layer Security (TLS) protocol, network content auditing, network data gathering

Abstract: In order to solve the problem of auditing the data protected by Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol on the Internet, a plaintext gathering method for network data protected by SSL/TLS protocol based on the principles of man-in-the-middle was proposed. A data gatherer was connected between the server and the client in series, which was able to get the encryption key by modifying handshake messages during SSL/TLS handshake, so as to decrypt the secure data and then gather its plaintext. Compared with the existing gathering method based on the principles of proxy server, the proposed method has a shorter transmission delay, a larger SSL throughput and a smaller memory occupation. Compared with the existing gathering method in which the gatherer possesses the server's private key, the proposed method has a wider application scope, and also has the advantage of being unaffected by packet losses on the Internet. The experimental results show that the proposed method has a decrease in transmission delay of about 27.5% and an increase in SSL throughput of about 10.4% compared with the method based on the principles of proxy server. The experimental results also show that the SSL throughput of the proposed method approaches the ideal maximum value.

Key words: Secure Sockets Layer (SSL) protocol, Transport Layer Security (TLS) protocol, network auditing, network data gathering
