  • 王泽,李文强,蔡权伟.面向HTTPS的内容分发网络代理关系透明化[J].信息安全学报,2018,3(2):16-30    [点击复制]
  • WANG Ze,LI Wenqiang,CAI Quanwei.Delegation Transparency for HTTPS with CDNs[J].Journal of Cyber Security,2018,3(2):16-30   [点击复制]
【打印本页】 【下载PDF全文】 查看/发表评论下载PDF阅读器关闭


过刊浏览    高级检索

本文已被:浏览 5623次   下载 5858 本文二维码信息
王泽1,2,3, 李文强1,2,3, 蔡权伟1,2
(1.中国科学院信息工程研究所 北京 中国 100093;2.中国科学院数据与通信保护研究教育中心 北京 中国 100093;3.中国科学院大学网络空间安全学院 北京 中国 100049)
关键词:  公钥基础设施  内容分发网络  安全套接层  安全传输层协议  公开日志  代理  信任
Delegation Transparency for HTTPS with CDNs
WANG Ze1,2,3, LI Wenqiang1,2,3, CAI Quanwei1,2
(1.Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;2.Data Assurance and Communications Security Center, Chinese Academy of Sciences, Beijing 100093, China;3.School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China)
CDNs (Content Delivery Networks) have been widely deployed to achieve fast content access and better security such as DDoS attack mitigation. However, to support HTTPS services, CDN providers need their custom original websites to share certificates and private keys to establish HTTPS connections with browsers, because browsers require validating the visited website's certificate rather than the connected CDN's certificate. Sharing private keys explicitly conflicts the design principle of PKI and arises deep concerns over CDN's role in standard PKI trust model, considering that the delegation between the CDNs and the original websites is opaque and the original websites lack the capability of rapid updating and revoking such delegation. We present DET (Delegation Transparency for HTTPS with CDNs), a system that provides public and verifiable delegation management for HTTPS with CDNs. In DET, an original website publishes all its delegated CDN providers in a public log, and generates a corresponding delegation proof, which is delivered to the visiting browser along with the CDN's certificate during HTTPS establishment. The visiting browser is able to verify the proof and accept the CDN's certificate without any previous connections to the original website. In DET, the original websites and CDNs manage their SSL private key separately, meanwhile the original websites are able to revoke or update their delegation independently. We have implemented the prototype of DET. The performance evaluation demonstrates that the introduced overhead (in terms of bandwidth, latency and storage) is modest.
Key words:  public key infrastructure  content delivery network  SSL  TLS  public log  delegation  trust