A Study on the WWW Security Monitoring Mechanism and Secure Communications Protocol

Academic year: 2021


Project title: A Study on the WWW Security Monitoring Mechanism and Secure Communications Protocol
Project number: NSC87-2416-H-009-010
Project period: 86/8/1 to 87/7/31 (ROC calendar, i.e. 1 August 1997 to 31 July 1998)

Abstract

With the advent of the Internet, doing business on the World Wide Web (WWW) is becoming more and more popular. In order to meet the web's security requirements, several secure communications protocols, such as Netscape's Secure Socket Layer (SSL) and CommerceNet Consortium's Secure HyperText Transport Protocol (S-HTTP), have been proposed. Protection and attack are two sides of the same thing: if you really want to protect your system, you first have to understand all possible attacks. We therefore first investigate all possible attacks on the web. Then, on the basis of these attacks, we propose a security monitoring mechanism. This security monitoring mechanism is an active control mechanism, which differs from traditional passive mechanisms such as a sniffer. This active security monitoring mechanism allows the system administrator to actively protect his web site. We also construct a prototype to examine its feasibility.

Keywords: WWW, Active, Security Monitoring Mechanism.

Active attacks on TCP connections

A TCP connection goes through three phases: opening a connection, message exchange, and closing a connection. The active attack considered here targets the opening phase and is a desynchronization attack: the attacker disturbs the sequence numbers so that the two ends no longer agree on them. SVR_SEQ and SVR_ACK denote the server's sequence and acknowledgment numbers, CLT_SEQ and CLT_ACK the client's. Because the attack is carried out during the TCP/IP three-way handshake, it is called early desynchronization; Figure 1 shows it.

Figure 1. Early desynchronization during the TCP three-way handshake (client states CLOSED -> SYN-SENT -> ESTABLISHED; server states LISTEN -> SYN-RECEIVED -> CLOSED -> SYN-RECEIVED -> ESTABLISHED):

  1. Client -> Server: SYN, CLT_SEQ_0
  2. Server -> Client: SYN/ACK, SVR_SEQ_0, CLT_SEQ_0 + 1
     (the client enters ESTABLISHED with Seq./Ack. numbers [CLT_SEQ_0 + 1, SVR_SEQ_0 + 1])
  3. Attacker, in the client's name -> Server: RST, CLT_SEQ_0 + 1
     (the server closes the connection; the client is unaware of this)
  4. Attacker, using the client's IP address -> Server: SYN, ATK_SEQ_0
  5. Server -> Client: SYN/ACK, SVR_SEQ_0', ATK_SEQ_0 + 1
     (its sequence number does not match the numbers the client holds)
  6. Attacker -> Server: ACK, ATK_SEQ_0 + 1, SVR_SEQ_0' + 1
     (the server enters ESTABLISHED with Seq./Ack. numbers [SVR_SEQ_0' + 1, ATK_SEQ_0 + 1])

The attacker now holds Seq./Ack. numbers [ATK_SEQ_0 + 1, SVR_SEQ_0' + 1] toward the server and [SVR_SEQ_0 + 1, CLT_SEQ_0 + 1] toward the client, and sits between the two. Because the client's sequence numbers no longer match what the server expects, the client's own segments are not accepted by the server, while the attacker, who knows both sets of numbers, can speak to each side in the other's name and control the messages exchanged between them.
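As an added illustration (not code from the report or its prototype), the following detector looks for the Figure 1 pattern from the monitor's side: it tracks each client-to-server 4-tuple through the handshake and raises an alert when a RST carrying CLT_SEQ_0 + 1 closes the server side and a new SYN with a different ISN from the same address and port arrives shortly afterwards. The addresses, sequence numbers and the trace are constructed, and the packet record format (a dict per packet) is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class FlowState:                       # server-side view of one client->server 4-tuple
    state: str = "LISTEN"
    clt_isn: Optional[int] = None      # CLT_SEQ_0 (ATK_SEQ_0 once the attacker re-opens it)
    svr_isn: Optional[int] = None      # SVR_SEQ_0
    rst_time: Optional[float] = None   # time of the RST "from the client" that closed it

def detect_early_desync(packets, window=2.0):
    """Flag the Figure 1 pattern: a RST with CLT_SEQ_0 + 1 closes the server side of a just-opened
    connection, then a SYN from the same client address/port with a different ISN arrives within `window` s."""
    flows, alerts = {}, []
    for p in packets:
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])   # client -> server
        rev = (p["dst"], p["dport"], p["src"], p["sport"])   # server -> client
        if p["flags"] == "SYN":
            f = flows.setdefault(fwd, FlowState())
            if f.rst_time is not None and p["t"] - f.rst_time <= window and p["seq"] != f.clt_isn:
                alerts.append("%s: RST then SYN with new ISN %d (old %d) after %.2fs: possible "
                              "early desynchronization" % (fwd, p["seq"], f.clt_isn, p["t"] - f.rst_time))
            f.state, f.clt_isn, f.svr_isn, f.rst_time = "SYN-RECEIVED", p["seq"], None, None
        elif p["flags"] == "SYN/ACK" and rev in flows:
            f = flows[rev]
            if f.state == "SYN-RECEIVED" and p["ack"] == f.clt_isn + 1:
                f.svr_isn = p["seq"]
        elif p["flags"] == "ACK" and fwd in flows:
            f = flows[fwd]
            if (f.state == "SYN-RECEIVED" and f.svr_isn is not None
                    and p["seq"] == f.clt_isn + 1 and p["ack"] == f.svr_isn + 1):
                f.state = "ESTABLISHED"
        elif p["flags"] == "RST" and fwd in flows:
            f = flows[fwd]
            if f.state in ("SYN-RECEIVED", "ESTABLISHED") and p["seq"] == f.clt_isn + 1:
                f.state, f.rst_time = "CLOSED", p["t"]
    return alerts

def pkt(t, src, sport, dst, dport, flags, seq, ack=0):
    return dict(t=t, src=src, sport=sport, dst=dst, dport=dport, flags=flags, seq=seq, ack=ack)

C, S = ("10.0.0.5", 1234), ("10.0.0.80", 443)      # constructed client and server addresses
SAMPLE = [                                          # constructed trace of the Figure 1 exchange
    pkt(0.00, *C, *S, "SYN", 1000),                 # 1. SYN, CLT_SEQ_0
    pkt(0.01, *S, *C, "SYN/ACK", 5000, 1001),       # 2. SYN/ACK, SVR_SEQ_0, CLT_SEQ_0 + 1
    pkt(0.02, *C, *S, "RST", 1001),                 # 3. RST, CLT_SEQ_0 + 1 (forged in the client's name)
    pkt(0.03, *C, *S, "SYN", 7000),                 # 4. SYN, ATK_SEQ_0 (sent with the client's IP)
    pkt(0.04, *S, *C, "SYN/ACK", 6000, 7001),       # 5. SYN/ACK, SVR_SEQ_0', ATK_SEQ_0 + 1
    pkt(0.05, *C, *S, "ACK", 7001, 6001),           # 6. ACK, ATK_SEQ_0 + 1, SVR_SEQ_0' + 1
]
```

A client that legitimately aborts and reconnects from the same port within the window produces the same packet pattern, so the alert is a cue for the active monitor to look closer, not proof of an attack.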

The active security monitoring mechanism

Figure 2 shows the active monitoring procedure of the mechanism for a web site, and Figure 3 the flow of packet processing inside the monitor. When the web site uses SSL, the monitor (M in Figure 4) must also take part in the SSL Handshake Protocol between the client C and the server S, so the procedure differs from the plain case; Figure 4 shows it. Unlike a passive sniffer, which can only observe, the active mechanism is placed in line between the client and the server and lets the system administrator act on what it sees.

[Figure 2. Active monitoring procedure for a web site (labels: Client, Server, SSL, SSL Handshake Protocol).]

[Figure 3. Flowchart of the packet processing of the active security monitoring mechanism.]

Figure 4. Active security monitoring procedure for a web site using SSL (Client C, Monitor M, Server S):

  1. C -> M: ClientHello with C's public key
  2. M -> S: ClientHello with M's public key
  3. S -> M: ServerHello with S's public key
  4. M -> C: ServerHello with M's public key
  5.-8. Finished messages, exchanged on both the client-monitor and the monitor-server legs

Prototype environment

Server side: hardware SUN Sparc; operating system SunOS 4.1.4; WWW server Apache 1.2.5 + SSL patch for Apache 1.13; SSL library SSLeay 0.8.1b.
Client side and monitor side: hardware PC; operating system Win95/98; browser Netscape Communicator 4.5.
