KR20100018022A - Secure sockets layer comunication recoding method of proxy server - Google Patents

Abstract

PURPOSE: An SSL(Secure Socket Layer) communications recording method is provided to maintain the high security of a proxy server by receiving a first public key, transmitting a second public key to a client, receiving a encrypted data from a client and sending the received data to a web-server. CONSTITUTION: A client requests an SSL communications to a web server(1210). A public key is transmitted to a proxy server(1220). The proxy server of a hacker transmits the forged public key to a client(1230). The client receiving the forged public key pops up a warning message(1240). The value transmitted to the web server is encrypted by the forged public key. The ID and password are transmitted(1250). The proxy server of the hacker obtains the value which is not encrypted from a decryption algorithm(1260). The proxy server of the hacker transmits an encrypted value to the web server(1270) through the saved public key of the web server. The client logins in the web server(1280). The client closes its own task(1290).

Description

Secure Sockets Layer COMUNICATION RECODING METHOD OF PROXY SERVER}

The present invention relates to a method for recording SSL communication of a proxy server, and more particularly, to a method for recording an SSL communication with high security by a proxy server located between a client device and a web server.

In general, hacking refers to the act of finding complementary vulnerabilities in computer networks, solving them, and preventing them from being used maliciously.

Among the hacking methods, the registry change proxy hacking method does not execute the process unlike the existing hacking method, and does not execute a specific port and waits, so it is not detected by the existing commercial security solution and transmitted to the hacker's system through the Internet. It is a way to make sure that all the information that is sent is sent.

Existing hacking programs (e.g., Trojan horses, etc.) are programming languages that impersonate normal functioning programs (e.g., Windows Media, Calculator, etc.) to hide within the program and perform some other unauthorized functions. It is inserted into a programming language for malicious purposes.

The Trojan is hidden in a separate program. In addition to these apparent features, Trojan programs perform some other unauthorized function. A typical Trojan horse masquerades as a useful program (e.g. music file, video, etc.) to get the user to do it. If the user runs the program without any doubt, the expected function is performed while the hacker wants to perform the function.

The hacker writes a program that looks like a normal login. When the victim sees the login prompter (e.g. login :), they try to log in, and the program tries to think that the user is logging in the normal way in the normal login order. However, when a program with a Trojan horse receives a login ID and password, it copies this information to a file owned by the hacker or sends it to the hacker by mail. Once you have the required information, you can send an error message like "login incorrect". In the meantime, a Trojan horse program will exit, give control to the actual login program, and the user will think that he / she has entered it incorrectly, and then re-enter the login ID and password.

The differences between these conventional hacking methods and registry change proxy hacking methods are summarized as shown in Table 1 below. The difference between the existing hacking method and the registry change hacking method is from the perspective of the first process resident method. Since the conventional hacking method allocates memory and always executes a specific process, various system management tools such as task manager (eg, Windows Task Manager, see Figure 5), etc., you can see the processes running (e.g. Dot1XCfg.exe) .However, the hacking method of the registry change is executed continuously since only the registry is modified after the initial execution. You can't see the processes running with various system management tools (such as Windows Task Manager).

Second, in terms of port opening, the existing hacking method always opens a specific port and sends information when the hacker selects a port. However, the hacking method of registry change does not open a specific port but has a personal firewall installed. Only when connected, the web browser sends information when the user opens and closes the port selected by the hacker.

Thirdly, from the point of view of sniffing, the conventional hacking method cannot be known because the sniffing method is encrypted even if sniffing SSL communication. However, the registry modification hacking method can verify the information sniffed by plain text by encrypting it with a fake public certificate registered in the hacker's proxy server in case of SSL communication. The SSL is a personal information retention protocol for protecting personal information required for internet commerce.

Fourth, in terms of security solutions, the existing hacking methods are mostly blocked by security solutions when accessing credit card transactions or bank sites. However, the registry modification hacking method is not blocked by any security solution at present by using the proxy server function proposed by the present invention basically provided in Windows when a credit card transaction or a bank site is accessed.

Table 1 compares the differences between the existing hacking methods and registry modification hacking methods.

Traditional Hacking Methods (Trojan Horses) How to Hack Registry Changes process Reside in the process. The process does not reside. Port Open and Firewall Keep certain ports open at all times. Do not leave a specific port open. Sniffing SSL communication sniffing is not possible. SSL communication sniffing is possible. Security solutions It is blocked by the security solution. It is not blocked by security solutions.

The problem to be solved by the present invention is to provide a method for preventing a hack that the proxy server changes the registry value recorded in the client device, and relates to a method for the proxy server to record SSL communication with high security.

According to an embodiment of the present invention for solving the above technical problem, in the SSL communication recording method of the proxy server located between the client device and the web server, receiving the first public key from the web server, 2 transmitting a public key to the client device, receiving data encrypted with the second public key from the client device, encrypting the received data with the first public key and transmitting the encrypted data to the web server; do.

The method may further include decrypting and recording data received from the client device using the second public key.

As described above, according to the present invention, the proxy server located between the client device and the web server can record SSL communication between the client device and the web server with higher security.

1 is a diagram illustrating a schematic configuration of an example of a proxy hack according to the present invention.
2 is a block diagram illustrating an example of a registry change proxy hacking method of a proxy server.
3 is a view for explaining the operation of the proxy server.
4 is a diagram for explaining the configuration of a registry.
5 is a diagram for explaining a window task manager.
6 is a view for explaining a hacking method through a registry change.
7 illustrates an embodiment of registry change by a proxy server.
8 illustrates another example of registry change by a hacker proxy server.
9 is a diagram for explaining an SSL communication recording method of a proxy server.

DETAILED DESCRIPTION Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art may easily implement the present invention.

Prior to describing the present invention, as described above, the original meaning of hacking refers to the act of finding a complementary vulnerability in a computer network, solving the problem, and preventing the malicious use thereof. According to the hacking will be described as an action that shows a positive effect in accordance with the original meaning.

1 is a diagram illustrating a schematic configuration of an example of a proxy hack according to the present invention.

In general, the client 100 receives a web service directly through the web server 300 unless a proxy is arbitrarily set by the user. The client refers to a general user PC and the web service includes the Internet through the web.

If the client 100 is configured for proxying, the general proxy server plays an intermediary role between the client and the Internet. In addition, the proxy server provides security or administrative level regulation and cache services. The proxy server is associated with or is part of a gateway server that separates the corporate network from the external network, and a firewall server that protects the corporate network from outside intrusion.

The client 100 of FIG. 1 receives a web service from the web server 300 via the proxy server 200 when using the Internet. In this case, the proxy server 200 may store and modulate the transmitted content.

2 is a block diagram illustrating an example of a registry change proxy hacking method of a proxy server.

The client 100 includes an input unit 110 for receiving a user input, a display unit 120 for displaying input contents, a search result, etc. to the user, and a storage unit 130 for storing information input by the user; It may include a wireless or wired network interface 140 for outputting a search condition to the outside of the client. The controller 150 may include a controller 150 that applies information to a search condition input by the user and controls the client device.

The input unit 110 is a device that receives input from a user and controls input values. The input unit 110 includes a keyboard and a mouse, and collectively control and manage values received through input devices such as a remote controller, a tablet, and a touch screen. .

The input method may be implemented by a text-based input or a GUI-based drag and drop method using a single input means or a combination of a plurality of input means. For example, a combination of a mouse and a keyboard may be used, but a combination of key manipulation and touch screen input may be more suitable for a specific device or user.

The display unit 120 is used in a search condition and is used to input information, and also displays a result received from the proxy server 200 of the hacker or displays the content received from the web server 300, and is embedded in the client body or with the client. It can be implemented with various displays such as LCD, PDP, CRT, and various projection devices that can be separated.

The controller 150 applies the proxy setting information to the search condition input by the user, applies it in a form operable by the proxy server 200 of the hacker, and outputs the result to the network interface. In addition, the window operation is controlled by the registry 131 value and the setting value of the storage unit 130.

The storage unit 130 includes a hard disk drive (HDD), a volatile (DRAM, etc.) memory, a non-volatile (flash, etc.) memory, and an external memory (USB memory) to store the inputted preference information in the profiled information for each user. , CF card, etc.), and an external storage space using a communication network.

The storage unit 130 stores the window system setting value in the registry 131 value.

The proxy server 200 may store or modulate personal information by storing parameters transmitted from the client 100 and the website visit cache 220 of the client 100.

The present invention is an SSL communication recording method using a hack that changes a proxy setting by modifying a registry of a client 100. First, a basic proxy server and a registry will be described.

(Proxy server)

3 is a view for explaining the operation of the proxy server.

When the proxy server 400 according to FIG. 3 receives data request from the client 100 having the proxy setting 121, the proxy server 400 first checks whether the corresponding data 403 exists in its cache area 402. Send data 403 to client 420. However, if there is no data 403 in the cache 402 area, the web server 300 requests data and receives the data, stores the data in its cache 402 area, and transmits the data to the client 100.

The client 100 refers to a client that performs the proxy setting 121 and receives a web service through the proxy server. Such a relay role is generally used because the proxy server 400 caches the data of a host with a high frequency of access, thereby reducing the traffic of the network and increasing the data access speed. The data 403 stored in the proxy server 400 may be deleted or maintained according to time, capacity, and frequency of use. In addition, the proxy server 400 has not only a cache 402 function but also a function on a firewall, and thus, the proxy server 400 is widely used as a function for restricting unauthorized access from the outside.

The proxy server 400, also called an application gateway, accepts a request for a particular application and sends it to its final destination or blocks the request. Ideally, the proxy should be transparent to the end user.

The proxy server 400 receives an Internet service request such as a web page transfer request from the client 100. If the request is a legitimate request that passes a filter requirement (e.g. create a block list with certain words such as empas, cyworld, etc.), then the proxy server 400 may have previously downloaded the web page to its local cache 402. Check if it exists. At this time, if the page is found, the contents of the local cache 402 are sent to the user without finding the user's request newly on the Internet. However, if a user requests content that is not in the cache 402, the proxy server 400 uses one of its own IP addresses 401 on behalf of the user to forward the page request to a server on the outside Internet. When the requested page arrives, the proxy server 400 delivers it to the original requestor client 100.

However, the presence of such a proxy server 400 is not visible to the user, and all Internet requests and responses appear as if performed directly with the web server 300.

The advantage of the proxy server 400 is that it provides a cache 402 service to all users. If there are Internet sites with frequent user page requests, the contents may be in the cache 402 of the proxy server 400 to improve the user's response time. But there are also special servers called cache servers. In addition, the proxy server 400 also performs a task of leaving a record of input and output.

Functions such as proxy 400, firewall, and cache 402 may be performed in a separate server program, or may be integrated in one package. For example, the proxy server 400 may be on the same computer as the firewall server, or may exist on a separate server and forward requests through the firewall.

( Registry )

4 is a view for explaining the configuration of the registry, Figure 5 is a view for explaining the window task manager. The registry is a blueprint of the windows. The registry stores the configuration values, settings, and information related to the programs that run the windows. After all, everything running on Windows runs on information written to the registry. The Windows environment stored in the registry changes each time you install a program, and the changed environment is saved in the Windows registry. Editing the registry can change the Windows environment, and if something goes wrong with the registry, Windows won't work properly.

Because the registry is a binary file, it cannot be read by an ASCII editor such as Korean word processor or Notepad. The registry can be opened in the registry editor 500.

The structure of the Registry Editor (500) The item (510) that looks like a folder in the left pane (510) is called a 'key'. Subkey '516. When each key is selected in the registry editor, a 'Value' 521 in which setting values and commands related to the selected key are stored is displayed in the right window 520. Clicking the + in front of the root key 512 brings up several subkeys 516 belonging to each key. The tree structure in which the subkeys 516 underneath each root key 512 are expanded is called a 'Hive'.

The Microsoft Windows NT family consists of five root keys and Windows 98 / Me consists of six root keys. The Windows NT-based registry has five root keys, but if you look at it, only the HKEY_USERS (514) and HKEY_LOCAL_MACHINE (513) keys are the actual top keys, and the other three keys are subkeys belonging to these two keys. First, the role of each root key is as follows.

HKEY _ CLASSES _ ROOT (511)

Many file extensions can be associated with each application. For example, if you double-click a hwp file with the mouse, you can see the contents of the document with this key. The actual information of this key is in KEY_LOCAL_MACHINESOFTWAREClasses.

HKEY _ CURRENT _ USER (512)

Manages the currently logged in user's desktop, display settings, and shortcut icons. Managing Windows Control Panel is the Control Panel key, and InstallLocationsMRU lists the addresses of the most recent programs on your PC. In addition, Keyboard Layout manages keyboard language and format, Network manages network data, and Software manages program information on PC.

HKEY _ LOCAL _ MACHINE (513)

It has all the hardware and software information needed to run Windows. It includes hardware configuration data, computer network connection settings, security settings, and device drive settings. This is where you'll most often go when you're trying to tweak the registry, such as the icon display on the desktop or the monitor frequency. Contains the contents of HKEY_CURRENT_USER and HKEY_DYN_DATA.

HKEY _ USER (514)

Settings for each user's Windows environment when using multiple PCs. There are default and software keys. When using the PC alone, only the default key appears. Each new user account has one subkey. The default key content is the same as HKEY_CURRENT_USER.

HKEY _ CURRENT _ CONFIG (515)

The simplest part of the registry deals with display and printer information. This information is associated with the HKEY_LOCAL_MACHINEConfig key.

The client 100 of FIG. 1 communicates with the web server 300 via the proxy server 200.

6 is a view for explaining a hacking method through a registry change.

If the proxy server 200 changes the registry value of the client (710), the proxy setting registry value of the client is changed to the value set by the proxy server 200 (720), and the client accesses the Internet through the web browser (730). ). In this case, the proxy server stores values transmitted through the web browser (740). The client uses the Internet without knowing whether it is internneting via the proxy server when he does the Internet (760). At this time, the proxy server retransmits the data to the stored value and stores or modulates the data (750). This allows the proxy server 200 to log in with a client account (770). The parameter is a variable transmitted when the web browser is transmitted.

7 illustrates an embodiment of registry change by a proxy server. In FIG. 7, two kinds of registry 1020 modifications are as follows. The first binary file 1021 is a number system based on zeros and ones, which is used to represent data in a computer, and binary numbers consist of only two unique numbers, zeros and ones. File.

The second ASCII 1022 is the most common format for text files on computers and the Internet, where each alphabet, number and special character is represented by a 7-bit binary number (a string of seven zeros or ones). A total of 128 characters are defined.

The PooxyEnable value of 0x00000001 means to run the proxy server and 0x00000000 means not to run the proxy server.

My Computer \ HKEY_CURRENT_UXER \ Software \ Microsoft \ Windows

\ CurrentVersion \ Internet Settings

-> PooxyEnable REG_DWORD 0x00000001 // (522)

-> ProxyServer REG_SZ 220.149.XXX.XXX:8080 // (523)

After changing its name, the proxy server goes to the c: \ WINDOWS \ system32 folder and hides it (1030).

Char FullPath [255];

GetModuleFileName (NULL, FullPath, 255); // save file's current location to FUllPath

MoveFile (FullPath, "C: \\ WINDOWS \\ system32 \\ proxy.exe");

// setting to move C: \ WINDOWS \ system32 \ from its current location

The registry value is modified so that the program is executed at reboot (1040).

8 illustrates another example of registry change by a hacker proxy server.

Embodiment of Registry Change FIG. 8 is a registry change 1040 for executing a hacking program at boot time.

My Computer \ HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows

\ CurrentVersion \ RunOnce

-> Proxy REG_SZ c: \ WINDOWS \ system32 \ proxy.exe // (1041)

9 is a diagram for explaining an SSL communication recording method of a proxy server.

When the client receiving the proxy service makes a request to the web server for SSL communication (1210), the web server transmits its public key to the hacker's proxy server (1220), and the hacker's proxy server modifies it. The public key is transmitted to the client (1230).

Clients that receive a tampered public key will warn you that the public key is not a trusted public key from a trusted location (1240). After encrypting the value transmitted to the web server with a key and transmits the ID password and the like (1250). At this time, since the hacker's proxy server is encrypted with the modulated public key, the hacker's proxy server may decrypt the password to obtain an unencrypted value. The hacker's proxy server then encrypts the value with the public key of the web server stored at 1220 and transmits the value to the web server (1270). The client logs in to the web server (1280) and terminates after performing his job such as searching for mail (1290).

Thus, when using the proxy service as in the embodiment of the present invention, the proxy server located between the client device and the web server can record the SSL communication through the method of FIG.

That is, the proxy server that has obtained the data through steps 1210 to 1290 of FIG. 9 can record the SSL communication through high security by decrypting and recording the data with the modulated public key.

Although the preferred embodiments of the present invention have been described in detail above, the scope of the present invention is not limited thereto, and various modifications and improvements of those skilled in the art using the basic concepts of the present invention defined in the following claims are also provided. It belongs to the scope of rights.

100: client 110: input unit
120: display unit 130: storage unit
131: Registry 140: Network Interface
150: control unit 200: proxy server
300: web server

Claims (2)

In the SSL communication recording method of the proxy server located between the client device and the web server,
Receiving a first public key from the web server,
Transmitting the stored second public key to the client device;
Receiving data encrypted with the second public key from the client device,
Encrypting the received data with the first public key and transmitting the encrypted data to the web server. The method of claim 1,
Decrypting and recording the data received from the client device using the second public key.

Images