基于TCM的SSL协议的优化
The Optimization of SSL Protocol Based on TCM
摘要:
可信密码模块TCM是一个可信计算平台的软硬件相结合的模块,为可信计算平台提供密码运算功能,具有受保护的存储空间。通过系统安全芯片可信密码模块建立信任的源头,然后通过硬件、固件、操作系统和应用程序,按照系统启动过程的前后控制关系建立信任链的方法确保计算平台和程序的可信。传统的SSL协议在握手阶段对于中间人攻击基本上是无法防卫的,这是由于握手协议中身份认证阶段没有底层硬件平台的信息。本发明的改进方案基于可信密码模块(TCM)新的实现思想,在分析现有SSL协议的基础上,提出并实现了一种基于可信密码模块TCM的SSL改进协议。该协议涉及客户端和服务器两方的通信,主要从以下方面进行设计,1)利用平台身份证书提供基于硬件和系统层面的认证。2)通过芯片的存储主密钥对预主密钥的保护,使得数据交换前,双方共享密钥的传输得到了更好的保证。本方法将TCM模块应用到SSL协议中,建立通信双方基于硬件和系统层面的认证,并且提升了加密算法,使得握手阶段,双方数据传输得到了更好的保证,为记录协议部分的信息传输提供更强的安全保障,增强了抵御攻击的能力,提高了协议的安全性。
Abstract:
Trusted cryptography module TCM is a module which combines the hardware and software of a trusted computing platform. It provides cryptographic operations for trusted computing platforms and has a protected storage space. TCM establishes the source of trust through the system security chip trusted cryptographic module, and then establishes the trust chain in accordance with the relationships of the system startup process through the hardware, firmware, operating system and application program to ensure the credibility of the computing platform and the program. The traditional SSL protocol is basically impossible to defend against man-in-the-middle attacks in the handshake phase, because the identity authentication phase of the handshake protocol does not have information on the underlying hardware platform. The improved scheme of the present invention is based on the new implementation idea of the trusted cryptography module (TCM). Based on the analysis of the existing SSL protocol, an improved SSL protocol based on the trusted cryptography module TCM is proposed and implemented. The protocol involves the communication be-tween the client and the server, and is mainly designed from the following aspects: 1) Using the platform identity certificate to provide hardware and system-level authentication. 2) The protection of the pre-master key by the storage master key of the chip which ensures the transmission of shared keys of both parties and is better guaranteed before data exchange. This method applies the TCM module to the SSL protocol, and establishes hardware-based and system-level authentication for both parties of the communication. It also improves the encryption algorithm so that during the handshake phase, the data transmission between the two parties is better guaranteed, and pro-vides information transmission for the recording protocol part. Stronger security guarantees en-hance the ability to resist attacks and improve the security of the agreement.
参考文献
|
[1]
|
Noorman, J., Agten, P., Daniels, W., et al. (2013) Sancus: Low-Cost Trustworthy Extensible Networked Devices with a Zero-Software Trusted Computing Base. Usenix Conference on Security, 479-494.
|
|
[2]
|
Liu, J., Sun, J. and Li, T. (2005) An Enhanced Remote Login Authentication with Smart Card. IEEE Workshop on Signal Processing Systems Design and Implementation, 2005. IEEE, 229-232.
|
|
[3]
|
王群, 李馥娟. 可信计算技术及其进展研究[J]. 信息安全研究, 2016, 2(9): 834-843.
|
|
[4]
|
徐震, 陈路, 于爱民. 可信增强 TLS 协议的设计与实现[J]. 华中科技大学学报(自然科学版), 2016, 44(3): 44-48.
|
|
[5]
|
李刚. 创新驱动 构筑网络强国安全保障——沈昌祥院士谈技术可信计算的创新与发展[J]. 中国信息安全, 2015(2): 46-51.
|
|
[6]
|
李海威, 范博, 李文锋. 一种可信虚拟平台构建方法的研究和改进[J]. 信息网络安全, 2015(1): 1-5.
|
|
[7]
|
王佳慧, 刘川意, 王国峰, 等. 基于可验证计算的可信云计算研究[J]. 计算机学报, 2016, 39(2): 286-304.
|
|
[8]
|
吴欢, 詹静, 赵勇, 等. 一种高效虚拟化多级网络安全互联机制[J]. 山东大学学报(理学版), 2016, 51(3): 98-103.
|
|
[9]
|
沈昌祥, 公备. 基于国产密码体系的可信计算体系框架[J]. 密码学报, 2015, 2(5): 381-389.
|
|
[10]
|
沈昌祥, 张焕国, 王怀民, 等. 可信计算的研究与发展[J]. 中国科学:信息科学, 2010(2): 139-166.
|
|
[11]
|
孙瑜, 王溢, 洪宇, 等. 可信软件基技术研究及应用[J]. 信息安全研究, 2017, 3(4): 316-322.
|
|
[12]
|
潘柱廷. 从失效和成本两视角看可信计算的应用[J]. 中国信息安全, 2015(2): 57-60.
|