Title: Extension and Improvement of SSL Relay
The improvement of SSL Relay
Authors: 李練君
Lien Jean Lee
葉義雄
Yi-Shiung Yeh
Institute of Computer Science and Engineering
Keywords: VPN; SSL/TLS; X.509
Date issued: 2002
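Abstract: In this thesis, I build on the implementation of the multipurpose SSL Relay architecture proposed by 劉家佑, a senior member of my lab, and I propose and implement solutions to the problems and shortcomings of that implementation. Under the multipurpose SSL Relay architecture, users need not worry whether a network application can encrypt and decrypt, yet their communication streams are still protected by SSL/TLS. The architecture provides not only user authentication, access control, confidentiality and data integrity, but also, through route configuration, serves trusted hosts from different trust zones and securely relays them to the destination host. Although the system is powerful, its implementation still has some shortcomings and areas that need improvement:
1. It was designed for compatibility with various OS platforms, but the user interface is very crude.
2. Parameters are stored in plaintext in .ini files, which are easily tampered with or deleted, are limited in size, are slower to access, and lack a unified hierarchical standard and standards conformance.
3. Installation and initialization are difficult.
4. The main program and the management program are separate, so the executables are too scattered.
To address these shortcomings, I propose the following practical improvements:
1. Develop specifically for Windows and strengthen the user interface.
2. Store the parameters in the Registry, which provides faster access and better security.
3. Simplify the installation procedure and complete initialization during installation.
4. Integrate the main program and the management program.
Keywords: VPN, SSL/TLS, X.509.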
The improvement of SSL Relay
Student: Lien-Jean Lee
Advisor: Dr. Yi-Shiung Yeh
Institute of Computer Science and Information Engineering, National Chiao Tung University
Abstract
This thesis is based on the thesis “A multipurpose SSL Relay Model” by Pluto Liu. Focusing on the drawbacks of the actual implementation of that system, I propose some methods to deal with these shortcomings. In the multipurpose SSL Relay model, users do not need to be concerned about the encryption and decryption functionality of their applications, yet they have a communication environment protected by the SSL/TLS protocol. This model not only provides users with authentication, access control, confidentiality and data integrity, but also serves trusted hosts and securely relays their data to the destination hosts by route setup. Although this system is very powerful, there are still some drawbacks that need improvement, as mentioned earlier:
1. It carefully considers flexibility across different operating systems, but its user interface is very rough.
2. The arguments are stored in “.ini” files, where the data is easy to alter or delete, the size is limited, access is slower than the registry, and there is no uniform hierarchy standard.
3. Setup and initialization are difficult.
4. The main program and the management program are separate.
Focusing on these drawbacks, I propose some methods of improvement:
1. Focus on the Windows OS and strengthen the user interface.
2. Store the arguments in the registry to provide higher speed and security.
3. Simplify the setup and initialization process.
4. Combine the main program and the management program into one system.
Keywords: VPN, SSL/TLS, X.509
URI: http://140.113.39.130/cdrfb3/record/nctu/#NT910392054
http://hdl.handle.net/11536/70126
Appears in Collections: Thesis