
DER-encoded Digital Certificate Variation And Its Applicatio

Posted on: 2024-05-26
Degree: Master
Type: Thesis
Country: China
Candidate: D G Yang
Full Text: PDF
GTID: 2568306923488724
Subject: Electronic information
Abstract/Summary:
The Secure Sockets Layer or Transport Layer Security (SSL/TLS) protocol is a critical part of the Hypertext Transfer Protocol Secure (HTTPS) that is widely used on the Internet for securing data. Implementations of the SSL/TLS protocol decide whether to proceed with encrypted communication based on the result of digital certificate validation, so the correctness of that validation is key to network security. It is therefore important to test the correctness of digital certificate validation in SSL/TLS implementations, and efficiently generating valid test cases is a key scientific problem in such testing.

Digital certificates are frequently encoded in Distinguished Encoding Rules (DER) or Base64. Based on DER, this thesis proposes an approach, named DERcert, for mutating digital certificates. DERcert generates new digital certificates by mutating DER-encoded ones, and the mutated certificates are used to check certificate validation in SSL/TLS implementations. First, X.509 digital certificates are obtained from the Internet and stored as seed certificates in a seed certificate library. Second, a certificate is selected from the library and parsed into a tree structure according to the Tag-Length-Value (TLV) structure of its DER encoding. Third, mutation strategies are applied to the tree: mutating the values of leaf nodes, adding or deleting leaf nodes, mutating intermediate nodes, and mutating certificates under the guidance of object identifiers. Finally, the mutated binary stream is saved as a digital certificate file. The X.509 certificates generated in this way are used for differential testing of certificate validation across SSL/TLS implementations, revealing discrepancies and latent flaws.

To investigate the effectiveness of DERcert, a prototype tool named DERcert DT was implemented on top of it. DERcert DT consists of two modules: test case generation and differential testing. The test case generation module is composed of four sub-modules: obtaining seed digital certificates, parsing digital certificates, mutating digital certificates, and saving them as digital certificate files. An experimental comparison of DERcert DT with the state-of-the-art tools SADT and Transcert shows that DERcert DT outperforms both in finding discrepancies and in code coverage of SSL/TLS implementations. DERcert and its prototype tool DERcert DT are built on the TLV structure of DER-encoded digital certificates and employ various mutation strategies to generate diverse X.509 digital certificates for checking certificate validation in SSL/TLS implementations. They help detect discrepancies and potential flaws in certificate validation, strengthening the security of SSL/TLS implementations and of the Internet.
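As an added illustration (not the thesis's DERcert DT code), here is a minimal DER TLV tree parser, a re-encoder that recomputes parent lengths, and one DERcert-style mutation, deleting a leaf node, run on a constructed sample that is not a real certificate. It assumes single-byte tags and definite-length encoding, which is what X.509 certificates use.

```python
from dataclasses import dataclass, field
from typing import List

@dataclass
class Node:                      # leaf: value set; constructed (intermediate): children set
    tag: int
    value: bytes = b""
    children: List["Node"] = field(default_factory=list)

def parse(data: bytes) -> List[Node]:
    """DER bytes -> TLV tree. Single-byte tags and definite lengths only (enough for X.509)."""
    nodes, i = [], 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        if tag & 0x1F == 0x1F or first == 0x80:
            raise ValueError("high-tag-number or indefinite length not handled")
        if first < 0x80:                       # short-form length
            length, i = first, i + 2
        else:                                  # long form: low 7 bits = number of length octets
            n = first & 0x7F
            length, i = int.from_bytes(data[i + 2:i + 2 + n], "big"), i + 2 + n
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated TLV")
        i += length
        nodes.append(Node(tag, children=parse(body)) if tag & 0x20 else Node(tag, value=body))
    return nodes

def encode(nodes: List[Node]) -> bytes:
    """TLV tree -> DER bytes; parent lengths are recomputed so mutated trees stay well-formed."""
    out = b""
    for n in nodes:
        body = encode(n.children) if n.tag & 0x20 else n.value
        size = len(body)
        octets = (size.bit_length() + 7) // 8
        hdr = bytes([size]) if size < 0x80 else bytes([0x80 | octets]) + size.to_bytes(octets, "big")
        out += bytes([n.tag]) + hdr + body
    return out

def leaves(nodes: List[Node]):   # yields (containing_list, leaf) pairs, depth-first
    for n in nodes:
        yield from leaves(n.children) if n.tag & 0x20 else [(nodes, n)]

def delete_leaf(tree: List[Node], idx: int) -> bytes:
    """Mutation: drop the idx-th leaf and re-encode the whole structure."""
    containing, leaf = list(leaves(tree))[idx]
    containing[:] = [x for x in containing if x is not leaf]
    return encode(tree)

# Constructed sample (not a real certificate): SEQUENCE { INTEGER 1, SEQUENCE { OID sha256WithRSAEncryption, NULL } }
SAMPLE = bytes.fromhex("3012" "020101" "300d" "06092a864886f70d01010b" "0500")
```

Feeding `delete_leaf(parse(SAMPLE), 2)` and the original to two validators and comparing their verdicts is the differential step the abstract describes.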
Keywords/Search Tags: Secure Socket Layer or Transport Layer Security protocol, digital certificate authentication, Distinguished Encoding Rules, differential testing