Mirror flow-based SSL/TLS protocol plaintext data acquisition method
Technical Field
The invention belongs to the technical field of network security communication, and particularly relates to a mirror flow-based SSL/TLS protocol plaintext data acquisition method.
Background
The SSL protocol and its successor TLS protocol are security protocols that provide security and data integrity for network security. The SSL/TLS protocol is located between the TCP/IP protocol and the application layer protocol, and can provide security guarantee for various application layer protocols, such as FTP, TELNET protocol, etc., and at present, the SSL/TLS protocol is most widely applied to protect the HTTP protocol. The SSL/TLS protocol includes two layers: a recording layer protocol and a handshake protocol. The recording protocol provides basic security service for a high-level handshake protocol, and guarantees the integrity of data, and specifically comprises compression and decompression, encryption and decryption, calculation, MAC verification and the like. The handshake layer protocol comprises a handshake protocol, a password parameter modification protocol, an alarm protocol and an application data protocol, and is used for authentication of both communication parties, negotiation of an encryption algorithm, generation of a secret key and the like.
The high-level protocol protected by the SSL/TLS protocol is transmitted between the client and the server as ciphertext data without plaintext, which brings difficulty to data audit. Some technical means are needed to decrypt ciphertext data in the SSL/TLS communication process into plaintext data, and then the corresponding plaintext data is analyzed and audited. As shown in fig. 1, in the prior art, an SSL/TLS proxy server is generally introduced between a client and a server, and the proxy server is connected in series between the client and the server, and two SSL/TLS connections are respectively established with the client and the server. Because the SSL/TLS proxy server decrypts the data to obtain the plaintext data after acquiring the data, and then encrypts and transmits the plaintext data to the client, additional encryption operation brings burden to the system, and the response time of the system is prolonged, and the throughput rate is reduced.
Disclosure of Invention
The invention aims to overcome the defects existing in the prior SSL/TLS communication process when ciphertext data is decrypted into plaintext data, and provides a method for acquiring the plaintext data of an SSL/TLS protocol based on mirror flow.
In order to achieve the above object, the present invention provides a mirror flow-based SSL/TLS protocol plaintext data collection method, where the method includes:
step 1) receiving a mirrored SSL/TLS data packet, extracting records in the data packet, generating a plurality of complete records, and putting the records into a record queue;
step 2) extracting a plurality of complete messages from the records in the record queue and putting the messages into a message queue;
and 3) analyzing the messages in the message queue to obtain plaintext data.
In the above technical solution, the step 1) specifically includes:
step 101) receiving a mirrored SSL/TLS data packet;
step 102) extracting a first record from the data packet, checking whether a record cache region has a cache record, and directly calculating the length of the received first record if the record cache region does not have the cache record; if the record cache region has cache records, splicing the data packet to the cache records, and calculating the length of the first record of the current cache;
step 103) comparing the length of the first record with the length of the data packet, and if the length of the first record plus the length of the recording head is equal to the length of the data packet, turning to step 104); if the length of the first record and the length of the recording head are smaller than the length of the data packet, the step 105) is carried out; if the length of the first record plus the length of the recording head is larger than the length of the data packet, the step 106) is carried out;
step 104) placing the record in a record queue;
step 105) splitting the data packet, circularly extracting a single complete record and putting the single complete record into a record queue, and putting the last incomplete record into a record cache region;
step 106) placing the record in a record buffer area; turning to step 101);
and the incomplete records placed in the record buffer area wait for splicing of subsequent data packets, and then complete records are generated.
In the above technical solution, the step 2) specifically includes:
step 201) takes a record from the record queue as the current record,
step 202) checking the type of the current record, and if the type of the current record is an application data protocol, a password specification changing protocol or an alarm message, turning to step 203); if the current record type is a handshake protocol, go to step 204);
step 203) recording the current information as a single complete information, and putting the information into an information queue;
step 204) checking whether a message cache region has cache messages or not, and if no cache message exists, directly calculating the length of a first message in the current record; if the cache message exists in the cache, the length of the first message of the current cache is calculated after the current record is spliced to the cache message;
step 205) comparing the calculated length of the first message with the current recording length, and if the length of the first message plus the length of the message header is equal to the current recording length, turning to step 206); if the length of the first message plus the length of the message header is smaller than the current recording length, go to step 207); if the length of the first message plus the length of the message header is greater than the current record length, go to step 208);
step 206), currently recording the message as a single complete message, and placing the message into a message queue;
step 207) if the current record contains a plurality of messages, splitting the record, circularly extracting a plurality of complete messages and putting the messages into a message queue; putting the final incomplete message into a message buffer area;
step 208), recording the current message as an incomplete message, putting the message into a message buffer area, and switching to step 201);
the incomplete message put into the message buffer area waits for the subsequent records to be spliced, and then the complete message is generated.
In the above technical solution, the specific implementation process of step 3) is as follows:
taking out a message from the message queue, and if the message type is a handshake protocol, extracting the password specification and the key information; if the message type is the cipher protocol specification changing, the following records are protected by the newly negotiated cipher specification and the secret key; if the message type is the alarm message, analyzing the severity and the alarm description of the message; and if the message type is the application data protocol, decrypting the transmission data by using the extracted password specification and the key to obtain plaintext data.
In the above technical solution, the handshake protocol includes: ClientHello, ServerHello, SeverCertificate, serverhellolodone, clientkeyExange, NewSessionsTicket and Finished, wherein the specific steps of extracting the password specification and the key information are as follows:
step 301) if the handshake protocol type is ClientHello, recording a client random number, a session _ id and a session _ ticket;
step 302), if the handshake protocol type is ServerHello, judging whether session reuse occurs, if the session reuse occurs, extracting a master key and an encryption algorithm specification from the cached session information, and generating a password parameter; if the session reuse does not occur, recording a protocol version, a server random number, a sesseion _ id, an encryption suite and a compression algorithm;
step 303) if the handshake protocol type is the SeverCertification, extracting a server public key, and searching a matching certificate to obtain a server private key;
step 304), if the handshake protocol type is serverhellododone, the server has completed key exchange message at this time;
step 305), if the handshake protocol type is ClientKeyExange, decrypting the pre-master key by using the server, calculating the master key and generating a security parameter; if the conversation is a new conversation, caching the conversation information;
step 306), if the handshake protocol type is NewSessionTicket, if no session reuse occurs at this time, filling the session _ token item in the cached session information, and if the session reuse occurs, updating the session _ token item in the cached session information;
step 307) if the type of the handshake protocol is Finished, verifying all handshake data in the corresponding direction, and after the two parties pass the verification, starting application data transmission.
In the above technical solution, the step 3) further includes: and after the plaintext data is obtained, analyzing the plaintext data, generating an audit log and storing the audit log.
Compared with the prior art, the invention has the advantages that:
1. according to the method, data packets are spliced into the finished record according to the packaging format of the SSL/TLS protocol, the complete single message is further extracted and then processed, no requirement exists on whether a server synthesizes a plurality of messages into one record or packages the single message into a plurality of records, new messages needing to be analyzed can be flexibly selected to be added, and the expandability is good;
2. compared with the traditional method of introducing a proxy server, the method of the invention processes the image data of the switch to obtain the plaintext data, and does not interfere with the original service of the system and influence the performance of the system.
Drawings
FIG. 1 is a diagram of a prior art SSL/TLS protocol plaintext data collection system;
FIG. 2 is a flow chart of the mirror flow-based SSL/TLS protocol plaintext data collection method of the present invention;
fig. 3 is a schematic diagram of a mirror flow-based SSL/TLS protocol plaintext data collection system according to an embodiment of the present invention.
Detailed Description
The invention is described in detail below with reference to the drawings and preferred embodiments.
As shown in fig. 2, a mirror flow-based SSL/TLS protocol plaintext data collection method includes:
step 1) receiving a mirrored SSL/TLS data packet, extracting records in the data packet, generating a plurality of complete records, and putting the records into a record queue; the method specifically comprises the following steps:
step 101) receiving a mirrored SSL/TLS data packet;
step 102) extracting a first record from the data packet, checking whether a record cache region has a cache record, and directly calculating the length of the received first record if the record cache region does not have the cache record; if the record cache region has cache records, splicing the data packet to the cache records, and calculating the length of the first record of the current cache;
the SSL/TLS protocol record encapsulation format is shown in Table 1, where the header has a total of 5 bytes:
TABLE 1
Step 103) comparing the length of the first record with the length of the data packet, and if the length of the first record plus the length of the recording head is equal to the length of the data packet, turning to step 104); if the length of the first record and the length of the recording head are smaller than the length of the data packet, the step 105) is carried out; if the length of the first record plus the length of the recording head is larger than the length of the data packet, the step 106) is carried out;
step 104) placing the record in a record queue;
the record placed in the record queue is a complete record.
Step 105) splitting the data packet, circularly extracting a single complete record and putting the single complete record into a record queue, and putting the last incomplete record into a record cache region;
step 106) placing the record in a record buffer area; turning to step 101);
and the incomplete records placed in the record buffer area wait for splicing of subsequent data packets, and then complete records are generated.
Step 2) extracting a plurality of complete messages from the records in the record queue and putting the messages into a message queue;
because the SSL/TLS protocol record is not used as the boundary of the message, after the complete record is extracted, the complete message needs to be further extracted, and the step 2) specifically includes:
step 201) takes a record from the record queue as the current record,
step 202) checking the type of the current record, and if the type of the current record is an application data protocol, a password specification changing protocol or an alarm message, turning to step 203); if the current record type is a handshake protocol, go to step 204);
the SSL/TLS record handshake message format is shown in table 2, where the header is 4 bytes:
TABLE 2
Step 203) recording the current information as a single complete information, and putting the information into an information queue;
step 204) checking whether a message cache region has cache messages or not, and if no cache message exists, directly calculating the length of a first message in the current record; if the cache message exists in the cache, the length of the first message of the current cache is calculated after the current record is spliced to the cache message;
step 205) comparing the calculated length of the first message with the current recording length, and if the length of the first message plus the length of the message header is equal to the current recording length, turning to step 206); if the length of the first message plus the length of the message header is smaller than the current recording length, go to step 207); if the length of the first message plus the length of the message header is greater than the current record length, go to step 208);
step 206), currently recording the message as a single complete message, and placing the message into a message queue;
step 207) if the current record contains a plurality of messages, splitting the record, circularly extracting a plurality of complete messages and putting the messages into a message queue; putting the final incomplete message into a message buffer area;
step 208), recording the current message as an incomplete message, putting the message into a message buffer area, and switching to step 201);
the incomplete message put into the message buffer area waits for the subsequent records to be spliced, and then the complete message is generated.
Step 3) analyzing the messages in the message queue to obtain plaintext data;
taking out a message from the message queue, and if the message type is a handshake protocol, extracting the password specification and the key information; if the message type is the cipher protocol specification changing, the following records are protected by the newly negotiated cipher specification and the secret key; if the message type is the alarm message, analyzing the severity and the alarm description of the message; and if the message type is the application data protocol, decrypting the transmission data by using the extracted password specification and the key to obtain plaintext data.
The handshake protocol includes: ClientHello, ServerHello, SeverCertificate, serverhellolodone, clientkeyExange, NewSessionsTicket and Finished, wherein the specific steps of extracting the password specification and the key information are as follows:
step 301) if the handshake protocol type is ClientHello, recording a client random number, a session _ id and a session _ ticket;
step 302), if the handshake protocol type is ServerHello, judging whether session reuse occurs, if the session reuse occurs, extracting a master key and an encryption algorithm specification from the cached session information, and generating a password parameter; if the session reuse does not occur, recording a protocol version, a server random number, a sesseion _ id, an encryption suite and a compression algorithm;
step 303) if the handshake protocol type is the SeverCertification, extracting a server public key, and searching a matching certificate to obtain a server private key;
step 304), if the handshake protocol type is serverhellododone, the server has completed key exchange message at this time;
step 305), if the handshake protocol type is ClientKeyExange, decrypting the pre-master key by using the server, calculating the master key and generating a security parameter; if the conversation is a new conversation, caching the conversation information;
step 306), if the handshake protocol type is NewSessionTicket, if no session reuse occurs at this time, filling the session _ token item in the cached session information, and if the session reuse occurs, updating the session _ token item in the cached session information;
step 307) if the type of the handshake protocol is Finished, verifying all handshake data in the corresponding direction, and after the two parties pass the verification, starting application data transmission.
In the embodiment, the plaintext data is HTTP data, and the plaintext data is analyzed to obtain URL and other fields to generate and store an audit log for an auditor to audit subsequently.
As shown in fig. 3, by the method of the present invention, the client establishes SSL/TLS connection with the server, the collection device obtains the interactive data between the client and the server by using the switch image, and the collection device legally holds the server certificate and the private key.
Finally, it should be noted that the above embodiments are only used for illustrating the technical solutions of the present invention and not for limiting, and although the present invention is described in detail with reference to the embodiments, it should be understood by those skilled in the art that modifications or equivalent substitutions may be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention, which should be covered by the claims of the present invention.