The Ssl Security Analysis And The Research Of Middleman Attack And Prevention

With the development of e-commerce, transaction security issues have become the focus of attention of many users. SSL provides safe and reliable network environment for online transactions, so it is widely used. The SSL provides data encryption, authentication and other security services, but not without flaws. The vulnerability of SSL may cause users to suffer great economic losses and middleman attack is a common way of making use of the vulnerabilities to make attacks. Therefore, how to improve immunity of SSL and ensure the safety of sensitive information has become the focus of solving information security issues.Firstly, from the study of the SSL protocol, the paper describes the design goal of the SSL protocol, its frame structure and so on. On this basis, it further analyses the implementation of the SSL protocol security mechanisms, also raises the SSL protocol defects and analyze possible attacks.Subsequently, it analyzes the SSL middleman attacks in detail and implements the middleman attack with key forged attack. In the process of implementing the man-in-the-middle attack, firstly it compares the ways of packet interception:ARP spoofing and installs Trojan in the client, and finally chooses to replace SPI DLL to intercept and forward packets, secondly it uses OpenSSL technology to pretend to be SSL client and SSL server, finally shows the results of the middleman attack in order to clearly show the process of man-in-the-middle attack.SSL middleman attack prevention is another major problem. It analyzes the safety of SSL two-way authentication, uses two different ways to attack the SSL two-way authentication and according to the working process of the two-way authentication, further analyzes the reason for failure of the attack, and thus proves that the SSL two-way authentication is effective for preventing middleman attack. But the great challenge for the two-way authentication is how to ensure the safety of the client certificate and private key, it finally puts forward to mobile key system which is different from USB KEY, and begins to design and implement the system. The system can be good way to ensure the security of user’s private key, solve the problem of implementing the SSL two-way authentication, and thus be effective to ensure protection against man-in-the-middle attack.