中南民族大学硕士学位论文基于SSL协议构建灵活高效的敏感数据安全传输通道姓名:欧阳杰平申请学位级别:硕士专业:计算机应用指导教师:喻成20060508IInternetHTTPFTPTelnetInternetWEBSSL(SecureSocketLayer)SSLTCPSSL2.03.0SSL(HTTPFTP)SSLSSL//SSLSSLSSLOpenSSLJSSESSLIIAbstractWiththefastdevelopmentofsoftwareandhardwareandnetworktechnologies,Internethasbecomethebackboneoftheinformationtechnology,HTTP,FTP,Telnetandotherinternetserviceshavebecomethepartofourhumandailylifeandanessentialplatformandservicefore-business.Astheresultoftheglobal,open,mutualsharingcharacteristics,thefastdevelopmentofInternethascausedgreatconvenienceinhumancommunicationaswellasterriblethreatinthesecurityforthenation,enterpriseandindividuals,thus,howtomaintainthesecurityinweb-baseddatatransmissionhasbeenanimportantcontentinnetworksecurity.Inthepresenceofthesecuritythreatinthepresente-businessoperation,SSL,SecureSocketLayer,hasbeenwidelyused.Theuseofsuchsecuritytechnologyasencryption,digitalcertificate,digitalsignature,anddigitalfingerprintcanensurethesecrecy,reliabilityandintegralityinthee-businessoperations.SSL,basedonTCP,hastwoversions,version2.0andversion3.0,withtheapplicationofpublickeycryptography,toassurethesecurityandreliabilitybetweentwoapplications.SSLissimultaneousapplicablebetweentheServerandClient.Astheprotocolofapplicationlayer(eg.HTTP,FTP)istransparentlybasedonSSL,theconfirmationofcryptographyandkey,andtheauthenticationoftheServer,etchavebeendonebeforeSSLhasbeenappliedtotheprotocolsofapplicationlayer,thusleadingtothedeficiencythatallthedataareencrypted,theamountofencryptionislarge,andthereisnopertinence.Thishascausedthetwopartiesinvolvedtobeoverburdened,requiringextraandspecialhardwaretoencryptanddecrypt.Soitismorecomplicatedforcommonuserstoconfiguretheirsoftwareandhardware.Tosolvethisproblem,thisthesisprovidesaSSL-basedsolutionthatonlyencryptsthespecialandkeywordsdata.Thissolutioncanavoidencryptingthosedatathatareunnecessarytoencrypt,andcanencryptthedataaccordingtothedifferentlevelofthespecialandkeywordsdata.Thissolutioncanensuretheestablishmentofaencryptedchannelwhichcannotonlyensurethesecurityofthesystembutalsoraisetheoperationefficiencyofthesystem.ThissolutioniscalledaSSL-basedselectivetransmitschannel.KeyWordsSSL;Cryptography;OpenSSL;JSSE1______2()11InternetTCP/IPInternetInternetTCP/IPInternetInternet31.1Web1.1Web[1]WebDNSSSL2InternetIP/IPSecSSL/TLSSSHSocketTCP/IPIPIP()(IETF)1994IPIPTCP/IPTCP/IP1.1HTTPFTPSMTPTCPIP/IPSecSSL/TLSSSHSocketS/MIMEPGPSETHTTPFTPSMTPTCPIP/IPSecSSL/TLSSSHSocketS/MIMEPGPSET1.1TCP/IP1.1TCP/IPOSI31.1TCP/IP(IPARP)[2]1.2(IETF)1994IPIP(IPSEC)IPsec(IPSecurity)IP199810IPSec(RFC2402~2412)94IPSec,IPSecIPSec,IP,,[3]IPSec(TCPSec)IPSecTCPSSLTLSTCPTCPTCPTCPTCPTCP()IPSecTCPIPSecIPSecTCPSSL41.3TCPInternet(ClientServer)(IPC)SSL(SecureSocketsLayer)/TLS(TransportLayerSecurity)SSH(SecureShell)(SocketSecurity)1.3.1SSL/TLS(SSL)NetscapeInternet(HTTPTelnetNNTPFTP)TCP/IP(TCP)(UDP)TCP/IP(TLS)1996SSL(TLSP)IESG(TLS)TLSTLS(SSL)1.3.2SSH(SecureShellSSH)T.YlonenSSHClient/ServerSSH5TCP/IPX-WindowIETFSSHInternetSSH(SSHTLP)(SSHAP)(SSHCP)SSH()SSHSSLPCT[4]1.3.3(SOCKS)TCPUDP/SOCKSSOCKS4SOCKS5SOCKS4TCP/(TelnetFTPhttp)SOCKS5RFCl928SOCKS4UDPIPV6[5]SOCKSSOCKS(SOCKS)(telnetFTPFingerwhois)SOCKSSOCKSRSADESTripleDESIETFTLS(TransportlayerSecurity)SSLPCTInternetIPCInternetUDP()[6]SSL61.4Internet/IPInternetClient/Server1.5InternetInternetInternetInternetSSL1.27VPN1.6InternetSSLTCPSSLSSL8SSL2.12.2WebNetscapeWebSSL2.03.0SSLSSLInternetWebHTTPSSLSSLInternet/SSLTCP(HTTPSMTPFTPTELNETLDQPIMAP)SSL(TCP)SSLSSLSSLSSL[7](1)SSLSSL9DESRC4IDEA(2)RSADSS(3)MD5SHAHASHMAC2.3SSLSSLWebWebWebSSLWebSSLWeb(HTTP)2.3.1SSLv2.01994SSLv2.0[8]Web2.3.2SSLv3.0SSLv3.0[9]SSLv2.02.4SSLSSLSSL10SSLSSLSSLTCP2100[10]80/2080%20%20%80%SSLSSLSSLSSL2.12.1[11]5728B12920B38191B62779B()94.10%84.40%64.09%49.20%()5.90%15.60%35.91%50.80%2.15728B16162779B1112.5SSLSSLSSLSSLSSL12SSL3.1SSLSSL()3.1SSLSSLTCPIPSSLSSLSSLSSLTCPIPSSLSSL3.1SSL[12]SSLISO(RecodeProtocol)(handshakeprotocol)(changecipherspecprotocol)(alertprotocol)(applicationdataprotocol)SSLSSL3.1.13.2131:m2:mi3:ni4:MACsi5:pi6:6':m5':mi4':ni3':si2':pi1':3.2SSL[13](1)(2)12SSLv3.016KB=2(3)(6)(3)ii(NULL)(4)MACi=i+MAC(i)(5)ii(6)ii=12(1)(5)(1)i(2)ii(3)iiMAC(i)MAC(i)(4)iiSSL14(5)12(6)3.1.23.2(1)(2)(3)SSLSSL3.1.2.1SSLClient1ClientHello7Certificate(optional)8ClientKeyExchange11Finished10ChangeCipherSpec9CertificateVerify(optional)2ServerHello13Finished12ChangeCipherSpec6ServerHelloDone3Certificate(optional)5ServerKeyExchange(optional)4CertificateRequest(optional)14EncryptedDataServerClient1ClientHello7Certificate(optional)8ClientKeyExchange11Finished10ChangeCipherSpec9CertificateVerify(optional)2ServerHello13Finished12ChangeCipherSpec6ServerHelloDone3Certificate(optional)5ServerKeyExchange(optional)4CertificateRequest(optional)14EncryptedDataServer3.3SSL15SSL2.3SSL(1)ClientHelloSSLID(2)ServerHello(3)Certificate(4)CertificateRequest(5)ServerKeyExchange(6)ServerHelloDone(7)Certificate(8)ClientKeyExchangeRivest-Shamir-Adelman(RSA)(9)CertificateVerify(10)ChangeCipherSpec(11)Finished(12)ChangeCipherSpec(13)FinishedSSL(14)Encryp