基于模糊综合分析的SSL/TLS协议配置 安全评估模型研究

信息安全研究 ›› 2017, Vol. 3 ›› Issue (6): 538-547.

基于模糊综合分析的SSL/TLS协议配置安全评估模型研究

胡仁林

中国科学院大学

收稿日期:2017-06-19 出版日期:2017-06-15 发布日期:2017-06-19
通讯作者: 胡仁林
作者简介:硕士研究生，主要研究方向为SSLTLS协议应用配置.

Research on SSL/TLS Protocol Configuration Security Assessment Model Based on Fuzzy Comprehensive Analysis

Received:2017-06-19 Online:2017-06-15 Published:2017-06-19

摘要/Abstract

摘要： SSL/TLS协议是加密网络通信的标准.然而，由于协议自身的复杂性和灵活性，使得Web网站在实现和部署SSLTLS协议时，极易导致各种安全缺陷.鉴于SSLTLS协议在Web网站开发中被广泛使用，然而却很少有人关注如何正确部署配置SSLTLS协议及进行相关的安全评估.在详细分析Web网站安全评估自身特点与影响因素的基础上，提出了新的Web网站安全等级定义，并将层次分析法与模糊综合分析法相结合，构建了基于AHP模糊综合分析的Web网站安全评估模型.之后将该模型应用到实际网站评估中，并将评估结果与Qualys SSL Labs以及HighTech的评估结果进行了对比分析，发现该模型能够较好地解决现有评估体系存在的安全等级含义不明确、忽视3DES不安全密码套件以及关键扩展OCSP Stapling等问题，从而较好地说明了该模型的有效性和准确性.

关键词: SSL/TLS, 安全评估, 层次分析法, 模糊综合分析法, 指标体系

Abstract: The SSLTLS protocol is a standard for encrypted network communication. However, due to the complexity of the SSLTLS protocol, Web sites are prone to various security vulnerabilities when implementing and deploying SSLTLS protocols. We feel that there is surprisingly little attention paid to how SSL is configured, given its widespread usage in the Web sites. Based on the detailed analysis of the characteristics and influencing factors of Web sites security assessment, this paper puts forward a new definition of Web sites security level, and combined the analytical hierarchy process (AHP) with fuzzy comprehensive analysis method to construct a Web site security assessment model based on AHPfuzzy comprehensive analysis. Then we apply the model to the actual sites evaluation. By contrast to the evaluation results of Qualys SSL Labs and HighTech, we found that this model can better solve the following issues in the existing evaluation system: security level is not clear, ignoring the 3DES insecure cipher suites and critical expansion OCSP Stapling and so on, so as to better illustrate the validity and accuracy of the model.

Key words: SSL/TLS, security assessment, analytical hierarchy process (AHP), fuzzy comprehensive analysis, index system

胡仁林. 基于模糊综合分析的SSL/TLS协议配置安全评估模型研究[J]. 信息安全研究, 2017, 3(6): 538-547.

参考文献

［1］SAWERS P. Google: HTTPS now represents more than 50% of all pages loaded through Chrome on the desktop［OL］. 2016［20170505］. http:venturebeat.com20161104googletransparencyreporthttps［2］Aas J. Mozilla telemetry shows more than 50% of page loads were HTTPS yesterday. First time that has ever happened［OL］. 2016［20170505］. https:twitter.com0xjoshstatus786971412959420424［3］Durumeric Z, Kasten J, Adrian D, et al. The matter of heartbleed［C］ Proc of Conf on Internet Measurement.New York: ACM, 2014: 475488［4］Zheng X, Jiang J, Liang J, et al. Cookies lack integrity: Realworld implications［C］ Proc of the 24th USENIX Security Symp. Berkeley: USENIX Association, 2015: 707721［5］Aviram N, Schinzel S, Somorovsky J, et al. DROWN: Breaking TLS using SSLv2［C］ Proc of the 25th USENIX Security Symp. Berkeley: USENIX Association, 2016［6］Risti I. Qualys SSL Labs［OL］.［20170505］. https:www.ssllabs.comindex.html［7］HighTech Bridge SA. HighTech Bridge Free SSL Server Test［OL］. 2015［20170505］. https:www.htbridge.comssl［8］Polk T, McKay K, Chokhani S. Guidelines for the selection, configuration, and use of transport layer security (TLS) implementations［JOL］. NIST Special Publication, 2014 ［20170606］. http:nvlpubs.nist.govnistpubsSpecialPublicationsNIST.SP.80052r1.pdf［9］DSS P C I. Requirements and security assessment procedures［JOL］. PCI Security Standards Council, 2008 ［20170606］. https:www.pcisecuritystandards.orgdocumentsPCI_DSS_v32.pdf［10］Centers for Disease Control and Prevention. HIPAA privacy rule and public health［JOL］. 2003 ［20170606］. http:www.hhs.govhipaaforprofessionalsbreachnotific actionguidanceindex.html［11］Hodges J. Hows my SSL?［OL］.［20170505］. https:www.howsmyssl.com［12］Mozilla. CipherScan［OL］.［20170505］. https:github.commozillacipherscan［13］Somorovsky J. Systematic fuzzing and testing of TLS libraries［C］ Proc of ACM SIGSAC Conf on Computer and Communications Security. New York: ACM, 2016: 14921504［14］Risti I. SSLTLS Deployment Best Practices［OL］. 2016［20170505］. https:github.comssllabsresearchwikiSSLandTLSDeploymentBestPractices［15］Mell P, Scarfone K, Romanosky S. Common vulnerability scoring system［J］. IEEE Security and Privacy, 2006, 4(6): 8589［16］杜栋, 庞庆华. 现代综合评价方法与案例精选［M］. 北京: 清华大学出版社, 2005［17］树柏. 实用决策方法: 层次分析法原理［M］. 天津: 天津大学出版社, 1988

[1]	张丕翠杨建武施水才. 网络空间的舆情态势感知[J]. 信息安全研究, 2019, 5(11): 1013-1019.
[2]	王琼霄王聪丽林璟锵宋利. PKI证书服务的安全增强技术[J]. 信息安全研究, 2019, 5(1): 50-58.
[3]	刘蓉于浩佳陈思远陈波. 基于APP分层结构的Android应用漏洞分类法[J]. 信息安全研究, 2018, 4(9): 792-798.
[4]	景亮方晖蒋坚迪. 城市轨交AFC系统安全建设方案的设计与分析[J]. 信息安全研究, 2018, 4(1): 91-96.
[5]	储忠涛. 基于工作流的舰艇系统脆弱性定量评估方法研究[J]. 信息安全研究, 2017, 3(3): 270-276.
[6]	邓文. 数据本地化立法问题研究[J]. 信息安全研究, 2017, 3(2): 182-187.