| At present, the development of Mobile Internetis fast-changing, meanwhile, the security of e-commerce, online banking and e-government based on Mobile Internet are becoming more and more serious. TLS, as a mainstream security protocol, can provide data integrity, data confidentiality and identity authentication during communication process. Hence, TLS is widely used in HTTPS, wireless communication, VPN. Several implementations of TLS protocol have been achieved, such as OpenSSL, NSS, GnuTLS, PolarSSL, CyaSSL, MatrixSSL, and TLS has become the de facto standard of Transport Layer.Although the TLS standard promulgated by IETF is very perfect, attacks happen to TLS occasionally due to encryption scheme flaws and negligence during implementation of TLS, such as HeartBleed Attack, CCS Injection Vulnerability, Padding Oracle Attack, Renegotiation Attack, etc. Attackers interact with server by man-in-the-middle attack or sending illegal challenge message to acquire user’s sensitive information, such as password, cookie etc.OpenSSL is an open source library, including major cryptographic algorithms, management of key and certificate, implementation of SSL/TLS, and provides a wealth of applications for testing or other purposes. Because of its open-source and popularization, dissertation chooses OpenSSL to be the foundation of system implementation. We start the research from the source code of client TLS under RSA Key Exchange Algorithm and CBC Encryption Mode, track and analyze client handshake process and data encryption process.Taking into account the case if attacks are not via interacting with the server, the attacker can control and achieve the highest authority of target system directly, then, he can eavesdrop TLS keys by analyzing system runtime memory.In view of this situation, dissertation chooses embedded secure operating system as the implementation platform of the scheme, and the principle of the platform is based on TrustZone isolation mechanism which can divide the execution environment into normal environment and secure environment. The secure environment is close-source, and the normal has no right to access the secure. By restructuring TLS HandShake Protocol, we put all relevant operations of TLS keys in secure environment to keep secure storage of TLS keys; by restructuring TLS Record Protocol to achieve secure data encryption/decryption process. Even though the attacker has invaded the client operating system, he has no right to access the secure memory so that the scheme can ensure the secure storage of TLS keys and enhance the security of TLS finally. |
PDF Full Text Request