Research Of SSL/TLS Security

With the development of the Internet,more and more important data are transmitted on the network,and Internet security issues attract more and more attention.As the basis of HTTPS security and even Internet security,the importance of SSL/TLS security is self-evident.Although there are some researches on the security of some parts or components of the SSL/TLS protocol,there is no research or method to have a comprehensive understanding and grasp of the security of the SSL/TLS protocol.This thesis introduces the Software Testing technology and combines the Model Checking technology and Strand Spaces,which are commonly used as formal method in the field of protocol security research,to conduct a comprehensive research on the security of SSL/TLS handshake protocol of current versions and the new version.The main accomplishments of this thesis are as follows:(1)Analyzes the main differences between the current versions and the new version of SSL/TLS,and the security threats that all these versions may face.Based on these,the contents and goals of the test on SSL/TLS security are determined,and the common classification method of software testing is introduced,which divides SSL/TLS handshake protocol security test into positive and negative test.According to the characteristics of these two types of tests,the software testing process is modified and the SSL/TLS protocol security testing structure is designed.(2)According to the characteristics and concerns of the positive test on the SSL/TLS protocol security,the ACC method is introduced and modified from the software testing technology,and the test plan is generated in the light of this method to provide the basis for the design and evaluation of test cases.The Guidebook Tour method and the Cause-Effect Graphs method are introduced and modified for the global and local guidance of the test case design.The Landmark Tour method and the Tour Crasher method are also introduced and modified to combine with each other and form a test map which can be used to improve the efficiency of the test.The model checking technology is applied to perform all the positive test cases.(3)According to the characteristics and concerns of the negative test on the SSL/TLS protocol security,the Pundit's Tour method and the Competitor's Tour method are introduced and modified,and in the light of the existing researches on the security of SSL/TLS protocol and the Penetration testing framework,the negative test case set is designed.The formal method and the static testing technology are applied to perform all the negative test cases.(4)The test results are summarized and analyzed,the effectivity of the test case set is confirmed,the security of current versions and new version is compared,and the main reasons for the security improvement of the new version are analyzed.The method proposed in this paper is compared with the traditional formal analysis methods,and in this way,the comprehensiveness and extensibility of the methods proposed in this paper is expressed.