CN117834253B

CN117834253B - Method and device for analyzing TLS (transport layer security) traffic, TLS communication traffic analysis system and machine-readable storage medium

Info

Publication number: CN117834253B
Application number: CN202311864586.1A
Authority: CN
Inventors: 周国华
Original assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Current assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Priority date: 2023-12-29
Filing date: 2023-12-29
Publication date: 2024-09-17
Anticipated expiration: 2043-12-29
Also published as: CN117834253A

Abstract

The application discloses a method and a device for analyzing TLS traffic and a TLS communication traffic analysis system, which belong to the technical field of computer information processing and are applied to the TLS communication traffic analysis system, wherein the method comprises the following steps: when a client initiates a first handshake request for carrying out TLS network session to a server, intercepting a first message carried in the first handshake request through a data filtering module; based on the first message, handshake with the server is completed by the first session manager, the data filtering module and the data injection module instead of the client so as to establish a first session; after the first session is established, based on the server certificate, combining the data filtering module and the data injection module, and completing handshake with the client through a second session manager instead of the server so as to establish a second session; the plain text data of the TLS network session is forwarded between the first session and the second session. The method and the device can realize TLS flow analysis on the client side in a man-in-the-middle mode, and have universality.

Description

Method and device for analyzing TLS (transport layer security) traffic, TLS communication traffic analysis system and machine-readable storage medium

Technical Field

The application relates to the technical field of computer information processing, in particular to a method and a device for analyzing TLS traffic and a TLS communication traffic analysis system.

Background

The transport layer security protocol (TLS, transport Layer Security) is a protocol for securing network communications. TLS plays a key role in internet security, and it helps to protect sensitive data from unauthorized access and attacks. On the other hand, the widespread use of TLS also presents challenges for information security, such as: malicious code may transmit control commands or sensitive information using TLS protocol; users inadvertently upload sensitive information to sites of HTTPS protocol; the mail server in the organization adopts TLS communication, and the user reveals sensitive information through the mail. Because of the secure transmission characteristics of TLS, the transmitted content cannot be detected using conventional packet filtering techniques for these risks. Therefore, under the condition of permission of organization, a technology is adopted to analyze the plaintext content transmitted through TLS, and then detection and interception are common important requirements.

Currently, developers in the prior art use sophisticated libraries (e.g., openssl, winhttp) to develop TLS communication applications, where there is typically a clear text in and out interface function, so that the clear text of the TLS communication can be intercepted by locating the binary feature to the associated interface function and injecting the intercept code using the hooking technique. The libraries available in this approach are not exhaustive, making this approach difficult to use universally. Therefore, the prior art has the problem of not having versatility.

Disclosure of Invention

An objective of the embodiments of the present application is to provide a method, an apparatus, a processor, a TLS communication traffic analyzing system and a machine-readable storage medium for analyzing TLS traffic, so as to solve the problem in the prior art that TLS traffic is not universal.

In order to achieve the above object, a first aspect of the present application provides a method for analyzing TLS communication traffic, which is applied to a TLS communication traffic analysis system, where the TLS communication traffic analysis system includes a data filtering module, a data injection module, a first session manager and a second session manager, the TLS communication traffic analysis system is deployed on a client, and the client communicates with a server, the method includes:

Under the condition that a client initiates a first handshake request for carrying out TLS network session to a server, intercepting a first message carried in the first handshake request through a data filtering module;

based on the first message, handshake with the server is completed by the first session manager instead of the client to establish a first session, wherein the first session comprises a server certificate sent by the server;

after the first session is established, based on the first message and the server certificate, combining a data filtering module and a data injection module, and completing handshake with the client through a second session manager instead of the server so as to establish a second session;

After the second session is established, forwarding data between the first session and the second session to obtain plain text session data of the TLS network session.

In the embodiment of the present application, based on a first message, handshake with a server is completed by a first session manager instead of a client to establish a first session, including: analyzing the first message to obtain an analysis result; setting a first session manager according to the analysis result; after the first session manager is set, outputting a first message to a data injection module through a ciphertext sending port of the first session manager; injecting the first message into a network protocol stack of the client through a data injection module so that the first message is sent to a server through the network protocol stack; intercepting a server response message sent by a server through a data filtering module, and submitting the server response message to a ciphertext receiving port of a first session manager; and completing handshake between the first session manager and the server according to the first message and the server response message so as to establish the first session.

In the embodiment of the present application, after the first session is established, based on the first message and the server certificate, in combination with the data filtering module and the data injection module, handshake with the client is completed by the second session manager instead of the server, so as to establish the second session, including: obtaining a target imitation certificate according to the server certificate; setting a second session manager according to the target imitation certificate; after the second session manager is set, inputting the first message into the second session manager to trigger the handshake process of the second session; outputting the second message to the data injection module through a ciphertext sending port of the second session manager; injecting the second message into a network protocol stack through a data injection module so that the second message is sent to the client through the network protocol stack; intercepting a client response message sent by a client through a data filtering module, and submitting the client response message to a ciphertext receiving port of a second session manager; and completing handshake between the second session manager and the client according to the second message and the client response message so as to establish a second session.

In the embodiment of the present application, obtaining a target imitation certificate according to a server certificate sent by a server includes: acquiring a certificate serial number of a server certificate; searching a pre-stored imitation certificate library based on the certificate serial number to obtain a searching result; and under the condition that the searching is successful, determining the private key corresponding to the certificate chain corresponding to the certificate serial number and the certificate chain end certificate in the searched imitation certificate library as the target imitation certificate.

In an embodiment of the present application, the method further includes: under the condition of failure in searching, an initial imitation certificate is obtained according to the copying of the server certificate; regenerating a key pair of the initial imitation certificate according to a public key algorithm and a key length of the server certificate; a target imitation certificate is determined from the key pair and the initial imitation certificate.

In the embodiment of the present application, after the second session is established, forwarding data between the first session and the second session to obtain plaintext session data of the TLS network session includes: sending the first plaintext data output by the first session manager to a plaintext input port of a second session manager, so that the second session manager outputs first ciphertext data corresponding to the first plaintext data; injecting the first ciphertext data into a network protocol stack of the client through a data injection module so that the first ciphertext data is sent to the client through the network protocol stack; sending the second plaintext data output by the second session manager to a plaintext input port of the first session manager, so that the first session manager outputs second ciphertext data corresponding to the second plaintext data; injecting the second ciphertext data to a network protocol stack of the client through a data injection module so that the second ciphertext data is sent to the server through the network protocol stack; and acquiring the first plaintext data and the second plaintext data to obtain plaintext session data of the TLS network session.

In an embodiment of the present application, the method further includes: under the condition that the establishment of a newly-built network session is detected, matching the network session with a preset filtering rule, wherein the preset filtering rule comprises IP address information and port information; and under the condition of successful matching, monitoring the newly-built network session through the data filtering module.

A second aspect of an embodiment of the present application provides a processor configured to perform the above-described method for resolving TLS traffic.

A third aspect of the embodiments of the present application provides a device for analyzing TLS traffic, which is applied to a TLS communication traffic analysis system, where the TLS communication traffic analysis system includes a data filtering module, a data injection module, a first session manager and a second session manager, the TLS communication traffic analysis system is deployed on a client, and the client communicates with a server, and the device includes:

the message interception unit is used for intercepting a first message carried in a first handshake request through the data filtering module under the condition that a client initiates the first handshake request for carrying out TLS network session to a server;

the first session establishment unit is used for completing handshake with the server by replacing the client by the first session manager based on the first message so as to establish a first session, wherein the first session comprises a server certificate sent by the server;

the second session establishment unit is used for completing handshake with the client through a second session manager instead of the server based on the first message and the server certificate after the first session is established and combining the data filtering module and the data injection module so as to establish a second session;

and the session data acquisition unit is used for forwarding data between the first session and the second session after the second session is established so as to acquire plaintext session data of the TLS network session.

A fourth aspect of the present application provides a TLS communication traffic analysis system, including: a data filtering module; a data injection module; a first session manager; a second session manager; the processor described above or the means for resolving TLS traffic described above.

A fifth aspect of embodiments of the present application provides a machine-readable storage medium having stored thereon a program or instructions which, when executed by a processor, implement the above-described method for resolving TLS traffic.

The technical scheme is applied to the TLS communication flow analysis system, the TLS communication flow analysis system comprises a data filtering module, a data injection module, a first session manager and a second session manager, the TLS communication flow analysis system is deployed on a client, the client communicates with the server, under the condition that the client initiates a first handshake request for performing a TLS network session to the server, a first message carried in the first handshake request is intercepted through the data filtering module, then based on the first message, the first session manager replaces the client to complete handshake with the server so as to establish a first session, wherein the first session comprises a server certificate sent by the server, then after the first session is established, based on the first message and the server certificate, the data filtering module and the data injection module are combined, the second session manager replaces the server to complete handshake with the client so as to establish a second session, and finally after the second session is established, data is forwarded between the first session and the second session so as to obtain the plaintext session data of the TLS network. The method and the device can realize TLS flow analysis on the client side in a man-in-the-middle mode, and have universality.

Additional features and advantages of embodiments of the application will be set forth in the detailed description which follows.

Drawings

The accompanying drawings are included to provide a further understanding of embodiments of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain, without limitation, the embodiments of the application. In the drawings:

fig. 1 is a schematic structural diagram of a TLS communication model according to an embodiment of the present application;

Fig. 2 is a flow chart of a method for analyzing TLS traffic according to an embodiment of the present application;

fig. 3 is a schematic structural diagram of a TLS communication traffic analysis system according to an embodiment of the present application;

FIG. 4 is a flow chart of a method for certificate imitation according to an embodiment of the present application;

Fig. 5 is a schematic structural diagram of an apparatus for analyzing TLS traffic according to an embodiment of the present application.

Detailed Description

For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it should be understood that the detailed description described herein is merely for illustrating and explaining the embodiments of the present application, and is not intended to limit the embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.

It should be noted that, if directional indications (such as up, down, left, right, front, and rear … …) are included in the embodiments of the present application, the directional indications are merely used to explain the relative positional relationship, movement conditions, etc. between the components in a specific posture (as shown in the drawings), and if the specific posture is changed, the directional indications are correspondingly changed.

In addition, if there is a description of "first", "second", etc. in the embodiments of the present application, the description of "first", "second", etc. is for descriptive purposes only and is not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In addition, the technical solutions of the embodiments may be combined with each other, but it is necessary to base that the technical solutions can be realized by those skilled in the art, and when the technical solutions are contradictory or cannot be realized, the combination of the technical solutions should be considered to be absent and not within the scope of protection claimed in the present application.

Fig. 1 is a schematic structural diagram of a TLS communication model according to an embodiment of the present application. It can be appreciated that fig. 1 is a TLS communication model for resolving TLS communication traffic after the method according to the embodiment of the present application. As shown in fig. 1, on the basis of an original TLS model, the embodiment of the present application implements TLS traffic parsing for a TLS network session between a client and a server by adding a data filtering module, a man-in-the-middle service program, and a data injection module to the client.

Specifically, the data filtering module and the data injection module work on the upper edge of the kernel layer network protocol stack of the client, and by means of an interface provided by an operating system, the connection established by the transmission layer can be captured, the inbound/outbound session data can be intercepted according to the connection, and the outbound/inbound session data can be injected according to the connection.

The middleman service program establishes a pair of session managers, including a first session manager and a second session manager, for each hijacked TLS network session to implement a middleman agent at the data plane. The man-in-the-middle service program pumps the data of the network session from the kernel layer and sends the data to the corresponding port of the corresponding session manager. For example, messages outbound from the client will be pumped to the ciphertext receiving port (NR 2) of the intermediate second session manager and messages inbound from the server will be pumped to the ciphertext receiving port (NR 1) of the intermediate first session manager. The man-in-the-middle service program reinjects the data output by the first session manager and the second session manager to the network session through the kernel layer data injection module. For example, data output from the second session manager ciphertext transmission port (NT 2) will be injected as inbound data into the network session, and data output from the first session manager ciphertext transmission port (NT 1) will be injected as outbound data into the network session. It will be appreciated that the plaintext data transferred between the first session and the second session (DI-DO), i.e. the plaintext data of the TLS network session. In this way, operations such as detecting, intercepting or modifying plaintext data for a TLS network session may be implemented based on the first session and the second session.

Fig. 2 is a flowchart of a method for analyzing TLS traffic according to an embodiment of the present application. As shown in fig. 2, an embodiment of the present application provides a method for analyzing TLS communication traffic, which is applied to a TLS communication traffic analysis system, where the TLS communication traffic analysis system includes a data filtering module, a data injection module, a first session manager and a second session manager, and the TLS communication traffic analysis system is deployed on a client, and the client communicates with a server, and the method may include the following steps.

Step S101, under the condition that a client initiates a first handshake request for carrying out TLS network session to a server, a first message carried in the first handshake request is intercepted by a data filtering module.

Step S102, based on the first message, handshake with the server is completed by the first session manager instead of the client to establish a first session, wherein the first session comprises a server certificate sent by the server.

Step S103, after the first session is established, based on the first message and the server certificate, the data filtering module and the data injection module are combined, and handshake with the client is completed by the second session manager instead of the server, so as to establish the second session.

Step S104, after the second session is established, forwarding data between the first session and the second session to obtain plain text session data of the TLS network session.

In the embodiment of the application, in order to acquire plaintext data when the client and the server perform TLS network session, the embodiment of the application realizes TLS flow analysis by deploying a TLS communication flow analysis system at the client side and adopting a man-in-the-middle mode. The TLS communication flow analysis system comprises a data filtering module, a data injection module, a first session manager and a second session manager, wherein the data filtering module is respectively communicated with the first session manager and the second session manager. Specifically, in an initial stage of establishing a TLS network session between a client and a server, a TLS session manager is established for the TLS network session, where the TLS session manager includes a first session manager and a second session manager, and the TLS session manager may also be referred to as a man-in-the-middle module or a man-in-the-middle service program. In the handshake phase of TLS, first the client initiates a first handshake request to the server to establish a TLS network session, i.e. a client handshake request. At this time, the data filtering module intercepts a first message carried in the first handshake request, that is, a client handshake message, and submits the message to a first session manager in a man-in-the-middle service process. The first session manager may complete a handshake with the server instead of the client to establish the first session. It will be appreciated that the server certificate sent by the server may be obtained during the first session establishment procedure. After the first session is established, based on the server certificate, the second session manager can replace the server to complete handshake with the client to establish the second session in combination with the data filtering module and the data injection module. Thus, after the handshake is completed, the session manager can acquire the TLS application layer data of the plaintext in the first session and the second session, and then detect, intercept or modify the data.

Thus, the TLS flow analysis is realized by the man-in-the-middle mode at the client side, the method has universality, compared with man-in-the-middle equipment connected in series on a physical network, no extra equipment is required to be introduced, no network topology is required to be changed, and compared with man-in-the-middle mode realized at the server side, the method is not limited to a specific TLS server.

In the embodiment of the present application, the TLS traffic parsing system further includes a data injection module, and based on the first message, the first session manager replaces the client to complete handshake with the server, so as to establish a first session, which may include: analyzing the first message to obtain an analysis result; setting a first session manager according to the analysis result; after the first session manager is set, outputting a first message to a data injection module through a ciphertext sending port of the first session manager; injecting the first message into a network protocol stack of the client through a data injection module so that the first message is sent to a server through the network protocol stack; intercepting a server response message sent by a server through a data filtering module, and submitting the server response message to a ciphertext receiving port of a first session manager; and completing handshake between the first session manager and the server according to the first message and the server response message so as to establish the first session.

Specifically, in the handshake phase of the TLS network session, a client handshake message (i.e., a first message) sent by the client is intercepted by the data filtering module and submitted to the man-in-the-middle module, which temporarily stores the message. The man-in-the-middle module parses the client handshake message and creates a new TLS client session according to the same specification to obtain the first session manager. And the client handshake message output by the NT port of the first session manager is injected into a network protocol stack of the client by the data injection module in an outbound mode, and the network protocol stack sends the client handshake message to the server. Further, the inbound message of the server response, that is, the server response message is intercepted by the data filtering module and submitted to the ciphertext receiving port of the first session manager, and the handshake of the first session is continued. The client handshake message output by the ciphertext sending port of the first session manager is injected into a network protocol stack by a data injection module in an outbound mode and is sent to a server. The above steps are repeated until the first session handshake is completed. In this manner, the first session manager is implemented to complete a handshake with the server instead of the client to establish the first session.

In the embodiment of the present application, after the first session is established, based on the first message and the server certificate, in combination with the data filtering module and the data injection module, handshake with the client is completed by the second session manager instead of the server, so as to establish the second session, which may include: obtaining a target imitation certificate according to the server certificate; setting a second session manager according to the target imitation certificate; after the second session manager is set, inputting the first message into the second session manager to trigger the handshake process of the second session; outputting the second message to the data injection module through a ciphertext sending port of the second session manager;

Injecting the second message into a network protocol stack through a data injection module so that the second message is sent to the client through the network protocol stack; intercepting a client response message sent by a client through a data filtering module, and submitting the client response message to a ciphertext receiving port of a second session manager; and completing handshake between the second session manager and the client according to the second message and the client response message so as to establish a second session.

Specifically, in the handshake phase of the TLS network session, the second session manager replaces the server to complete the handshake with the client. A server certificate is first extracted from a first session, and a target imitation certificate is obtained according to the server certificate. The target imitation certificate is an imitation certificate which corresponds to the server certificate and can be verified by the client. In one example, the TLS traffic parsing system further includes a certificate manager that can call the certificate manager based on the server certificate to obtain the target imitation certificate, where the certificate manager firstly queries the cached imitation certificate through the certificate serial number of the server certificate, and if the discovery is successful, directly returns the imitation certificate and its private key; if the searching fails, the root certificate and the private key thereof are used for issuing an imitation certificate as a target imitation certificate, and the imitation certificate and the private key thereof are cached and returned.

Further, the man-in-the-middle module creates a new TLS server session, i.e. the second session manager, using the imitated certificate, sends the client handshake message temporarily stored in the first session manager to the ciphertext receiving port of the second session manager, and starts the handshake of the second session. And a second message output by the ciphertext sending port of the second session manager, namely a server handshake message is injected into a network protocol stack by the data injection module in an inbound mode, and message data is submitted to the client. And the outbound message of the client response, namely the client response message is intercepted by the data filtering module and submitted to the ciphertext receiving port of the second session, and handshake is continued. In the process, a server handshake message output by a ciphertext sending port of the second session manager is injected into a network protocol stack of the client by a data injection module in an inbound mode, and the network protocol stack submits the server handshake message to the client. Repeating the steps until the second session handshake is completed. In this way, the second session manager is implemented to complete a handshake with the server instead of the client to establish the second session.

Thus, the inbound data is only operated on the network protocol stack of the client to realize man-in-the-middle, the common local network agent program is not needed, the network configuration is not needed to be modified, additional network connection is not needed to be established, the detection mechanism is more hidden, and the security is higher.

In the embodiment of the present application, after the second session is established, forwarding data between the first session and the second session to obtain plaintext session data of the TLS network session may include: sending the first plaintext data output by the first session manager to a plaintext input port of a second session manager, so that the second session manager outputs first ciphertext data corresponding to the first plaintext data; injecting the first ciphertext data into a network protocol stack of the client through a data injection module so that the first ciphertext data is sent to the client through the network protocol stack; sending the second plaintext data output by the second session manager to a plaintext input port of the first session manager, so that the first session manager outputs second ciphertext data corresponding to the second plaintext data; injecting the second ciphertext data to a network protocol stack of the client through a data injection module so that the second ciphertext data is sent to the server through the network protocol stack; and acquiring the first plaintext data and the second plaintext data to obtain plaintext session data of the TLS network session.

It can be understood that after the first session and the second session are established, that is, after the handshake phase is finished, data can be forwarded between the first session and the second session, so as to obtain plaintext session data of the TLS network session, and processes such as checking or modifying the plaintext session data of the TLS network session according to actual requirements. Specifically, the plaintext (i.e., the first plaintext data) of the first session manager is output and sent to the plaintext input port of the second session manager, the second session manager outputs the corresponding ciphertext (i.e., the first ciphertext data), and the data injection module injects the corresponding ciphertext into the network protocol stack, so that the corresponding ciphertext is sent to the client through the network protocol stack. And outputting and sending the plaintext (namely second plaintext data) of the second session manager to a plaintext input port of the first session manager, wherein the first session manager outputs the corresponding ciphertext (namely second ciphertext data), and the corresponding ciphertext is injected to the network protocol stack through the data injection module so that the corresponding ciphertext is sent to the server through the network protocol stack. The first plaintext data and the second plaintext data in the process are plaintext session data of a TLS network session established by the client and the server, and filtering processing such as detection, modification and the like can be performed on the plaintext session data in the process.

In the embodiment of the application, the TLS communication traffic parsing system may further include an external filtering module. For application data transfer after handshake is completed, the man-in-the-middle module (i.e., TLS session manager) submits the plaintext to the external filtering module for detection or other processing before forwarding it between the first session and the second session. In one example, for inbound messages from a server, the data filtering module intercepts the message and submits it to the middleman module, which sends the message to the NR port of the first session manager, reads out the plaintext from the DI port, and submits it to the external filtering module. And sending the plaintext which is returned by the external filtering module and possibly modified to the DO port of the second session manager, reading the ciphertext from the NT port, injecting the ciphertext into a network protocol stack by the data injection module in an inbound mode, and submitting the message to a client. In another example, for outbound messages from clients, the data filtering module intercepts the messages and submits them to the middle mannequin, and then the man-in-the-middle module sends the message to an NR port of the second session manager, reads out a plaintext from the DI port and submits the plaintext to the external filtering module. And sending the plaintext which is returned by the external filtering module and possibly modified to the DO port of the first session manager, reading the ciphertext from the NT port, injecting the ciphertext into the network protocol stack by the data injection module in an outbound mode, and sending the message to the server. In this way, the plaintext data that can be transferred between the first session and the second session, i.e. the plaintext data of the TLS session, is sent to the external filtering module to perform operations such as content filtering, modification or blocking.

In an embodiment of the present application, obtaining the target imitation certificate according to the server certificate sent by the server may include: acquiring a certificate serial number of a server certificate; searching a pre-stored imitation certificate library based on the certificate serial number to obtain a searching result; and under the condition that the searching is successful, determining the private key corresponding to the certificate chain corresponding to the certificate serial number and the certificate chain end certificate in the searched imitation certificate library as the target imitation certificate.

It will be appreciated that the root certificate for signing the emulated server is installed at the client to add the certificate to the certificate storage area of the operating system (the trusted root certificate of Windows) or to the certificate library of the target application (typically a browser) before the client establishes a network session with the server, thereby completing the construction of the emulated certificate library. In the embodiment of the application, the TLS communication flow analysis system further comprises a certificate manager, and the certificate manager can acquire the target imitation certificate through the server certificate sent by the server. Specifically, after receiving a request for obtaining an imitation certificate, the certificate manager uses an opensl library to load an incoming server certificate chain, extracts a serial number of a terminal certificate, and uses the serial number to search the generated imitation certificate in the imitation certificate library. If the searching is successful, the private key corresponding to the certificate chain and the terminal certificate corresponding to the certificate serial number in the searched imitation certificate library is directly returned to the caller as the target imitation certificate.

In an embodiment of the present application, the method may further include: under the condition of failure in searching, an initial imitation certificate is obtained according to the copying of the server certificate; regenerating a key pair of the initial imitation certificate according to a public key algorithm and a key length of the server certificate; a target imitation certificate is determined from the key pair and the initial imitation certificate.

It will be appreciated that in the event that the target imitation certificate is not found in the imitation certificate store, the target imitation certificate may be generated from the server imitation certificate. Specifically, a certificate storage context is first created, and the whole server certificate chain is loaded, including a terminal entity certificate, a plurality of intermediate certificates and a root certificate. Then, from the end of the current certificate chain, the certificates are cloned step by step, and the process of cloning the certificates mainly comprises two cases. In one example, if the original certificate (i.e., the server certificate) exists in the previous stage certificate, and the previous stage certificate is not the root certificate, the process is iterated to obtain a copy of the previous stage certificate (including the private key), a new certificate is copied from the original certificate, and all information of the original certificate is retained. And (3) reassigning a pair of keys for the certificate according to the public key algorithm and the key length of the original certificate, setting the public key into the certificate, reserving the private key, recalculating the key identification of the new certificate by using the newly generated public key, and setting the key identification to be expanded. In another example, if the original certificate has a previous-stage certificate, it is determined whether the previous-stage certificate is a root certificate. If the previous-level certificate is a root certificate, an issuer of the new certificate is set as a root certificate of the imitation certificate, and the new certificate is signed using a private key of the root certificate of the imitation certificate. If the previous-level certificate is not the root certificate, but is a middle-level certificate, the new certificate is signed using the private key of the last-level imitation certificate. And finally, taking the certificate chain and the private key obtained after cloning as target imitation certificates. Preferably, after each cloning is completed, the imitated certificate chain and the private key are added to the imitated certificate library by using the certificate serial number as a key.

In an embodiment of the present application, the method may further include: under the condition that the establishment of a newly-built network session is detected, matching the network session with a preset filtering rule, wherein the preset filtering rule comprises IP address information and port information; and under the condition of successful matching, monitoring the newly-built network session through the data filtering module.

It is understood that a newly created network session refers to a session layer above the transport layer in the OSI layered model. Specifically, in order to implement targeted processing on the TLS network session, after a new network session is established, that is, after a new network session is detected to be established, a data filtering module of the client kernel layer matches the new network session with a preset filtering rule. If the matching is successful, monitoring session data of the newly-built network session. In one example, the preset filtering rules may be specified by a middle man module (TLS session manager), which may specify the preset filtering rules and activate the kernel layer data filtering module. The preset filtering rules may include local/remote IP addresses or ports, names or classifications of client applications, SNI (server name indication) information in TLS requests. In this way, the support of the client process condition in the preset filtering rule can determine which addresses and ports to analyze, and also determine which processes' TLS traffic needs to analyze. Thereby improving the flexibility of data processing.

Fig. 3 is a schematic structural diagram of a TLS traffic flow analysis system according to an embodiment of the present application. As shown in fig. 3, an embodiment of the present application provides a TLS traffic flow analysis system. The TLS communication flow analysis system comprises a man-in-the-middle module, a certificate manager, a data filtering module, a data injection module and an external filtering module. The middle man module is a TLS network session manager, and can be respectively communicated with the certificate manager, the data filtering module, the data injection module and the external filtering module.

Specifically, the certificate manager module is used for realizing verification, cloning and caching of the server certificate.

(1) And (3) checking: the validity of the TLS server certificate is verified, including whether the root certificate is trusted, validity period, use match, etc.

(2) Cloning: for a TLS origin server certificate, a new imitation certificate is issued with a locally trusted, known private key root certificate, which has the same serial number, principal name, validity period, user and usage, alternate name, etc. extensions as the original certificate, except for the issuer, public key and key identification. Alternatively, the entire certificate chain may also be cloned in steps for intermediate certificates on the original certificate chain.

(3) And (3) caching: the certificate manager may store the signed dummy certificate in terms of the serial number and key identification of the original certificate.

And the man-in-the-middle module is mainly used for data pumping, TLS session management and data injection.

(1) Pumping data: the data of the network session is extracted from the kernel layer data filtering module according to specified conditions (client application, port number, IP address). The network session refers to a session layer above a transport layer in the OSI layered model, and data of the network session is a payload of the transport layer.

(2) TLS session management: establishing a TLS session manager for each TLS network session

In the handshake phase of TLS, a session manager replaces a client to finish handshake with a server, and a first session is established; after the first session is established, the session manager also obtains the imitation certificate from the certificate manager module according to the server certificate, and replaces the server to complete handshake with the client to establish the second session.

After the handshake is completed, the session manager can acquire plain text TLS application layer data in the first session and the second session, and can submit the plain text TLS application layer data to an external filtering module for processing, and the external filtering module can detect or modify the session data according to requirements.

(3) Data injection: the session manager sends back the message generated in the handshake stage and the message generated in the application data transmission stage to the TLS network session through the data injection module of the kernel layer, the message of the first session is sent to the server, and the message of the second session is submitted to the receiving buffer area of the client.

The data filtering module works in the kernel layer of the operating system and is used for filtering the data of the session layer, judging whether TLS traffic is carried out according to the preamble message of each connection session, and then judging whether to submit the session data to the middle man module of the upper layer according to the appointed conditions (application program, port number and IP address).

The data injection module is used for injecting the data reinjected by the man-in-the-middle module into the appointed TLS session, and the data injection module can directly inject the data of the session layer into an existing connection according to the direction by using the function provided by the operating system network protocol stack without considering checksum calculation, fragmentation and recombination of a transmission layer and layers below.

In one embodiment of the present application, the method for analyzing TLS traffic provided by the present application is applied to the embodiment Winows of the system. One embodiment of the present application uses a kernel layer annotation driver of the Windows filter platform (Windows Filtering Platform, WFP) to decide whether to filter the streaming data of TCP according to the conditions specified by the user after the TCP connection is established. Wherein the user-specified condition means that the user can specify a particular client process, remote address, and/or remote port. And when stream data is out, judging whether the data stream is a client handshake message of TLS. If yes, the stream data is uploaded to a man-in-the-middle service process of the user layer through the IO queue. Next, the middleman service creates two TLS session managers for this TLS session using the openssl library, respectively completing the handshake and application data forwarding for the first session (middleman-to-server) and the second session (client-to-middleman). During the handshake process, the intermediary generates a dummy certificate from the server certificate returned during the first session handshake with the TLS server, and completes the handshake with the second session with the client using the dummy certificate. In the subsequent data transmission process, the plaintext data transmitted between the first session and the second session is sent to the detection module for filtering. In the process, ciphertext data sent by the session manager is transmitted into a kernel layer WFP driver through equipment IO, and the driver re-uses an injection support routine of the WFP to reinject the data to the TLS network session in an outbound direction.

Specifically, the workflow after the method for analyzing TLS traffic is applied to Winows systems may include the following parts:

1. Initial processing of installation

At the initial installation of the system, the root certificate used to generate the emulated certificate is imported into the "trusted root certificate" store of the Windows system via a certificate management related API or registry. When the system is installed, a TLS data filtering driver is also installed, and the driver is automatically started along with the starting of the TCPIP protocol stack driver.

2. Driver initialization flow

1. A named device object (i.e., TLS data filter device object) is created to provide the IO interface to the upper layer program.

2. Judging whether the Basic Filter Engine (BFE) state of Windows is ready or not, if so, performing the following processing, and if not, registering a callback function with the changed BFE state, and further performing the following processing in the callback function:

(1) Two stream injection handles are created: the outbound stream injection handle and the inbound stream injection handle are used to inject outbound data and inbound data, respectively.

(2) A data pumping queue is created, which comprises two sub-queues, namely an IRP queue and a stream data queue. The IRP queue is used for queuing read requests of upper layer pumping stream data, and the stream data queue is used for queuing and caching the stream data when the IRP queue is empty.

(3) A mapping of flow id-flow context is created to quickly obtain the local address, local port, remote address, remote port (hereinafter referred to as quadruple) and process information (process id, process name, process executable, etc.) corresponding to the flow id.

(4) And establishing a labeling callback function for the IPv4 and IPv6 added flows to capture the establishment of the TCP connection.

(5) And adding stream data annotation callback functions for the IPv4 and the IPv 6.

3. Data detection service start-up procedure

1. The certificate manager is initialized.

2. The TLS data filtering device object is opened.

3. Creating a plurality of TLS session processing threads according to the number of the CPU, queuing a plurality of read requests for pumping streaming data, and waiting for the read requests to be completed one by the TLS session processing threads under the condition that no streaming data arrives.

4. Creating a WFP flow with specified filtering conditions to establish a filter, wherein the filtering conditions are TCP connection in the outbound direction, and the method can further comprise client process identification, mirror path, remote address, remote port and the like, wherein the action of the filter is specified as a flow establishment mark. The layering of the stream build filter is identified by the WFP layering and IP protocol version as FWPM _LA_YE_FLOW_ESTABLISHED_V4 and FWPM _LAYE_ALE_FLOW_ESTABLISHED_V6.

4. TLS data processing flow

1. And establishing TCP connection meeting the filtering condition, and establishing an annotation callback function for the incoming stream.

2. TCP connection information is extracted from inMetaValues parameters of a WFP incoming stream establishing and labeling callback function, and a stream context is constructed, wherein the stream context comprises four-tuple information, process information and stream tracking state of connection.

3. The WFP incoming stream is taken to establish a stream handle (inMetaValues- > flowHandle) of the callback function as a stream identifier, the FwpsFlowAssociateContext is used for associating the stream identifier, the stream context and the stream data annotation, and therefore subsequent stream data is processed by the callback function.

4. After the first stream data arrives, the stream data marking callback function judges whether the stream data is in the outbound direction, and whether the data format is matched with the ClientHello message format of TLS, and according to the situation:

(1) If not, the flow tracking state in the flow context is set to "not tracking" and this data is released and not processed.

(2) If the data is matched, setting the flow tracking state in the flow context as tracking, blocking the data, constructing a data packet structure, wherein the data packet structure comprises a flow identifier, a data direction (outbound/inbound), a flow mark (the setting condition of a plurality of flag bits of TCP comprises PUSH, RST, FIN and the like), the flow context and the flow data, and queuing the data packet structure to a data pumping queue. Specifically, if the IRP queue is empty, the packet will be added to the streaming data queue. If the IRP queue is not empty, a pending read request is dequeued from the head of the queue, the contents of the data packet is copied to the buffer of the read request, and the read request is completed.

5. Subsequent stream data enters the data pumping queue, and the data packet structure is constructed and queued to the data pumping queue according to the stream tracking state in the stream context, or is released or blocked.

6. After the TLS session handling thread pumps the data packet, it looks up the TLS man-in-the-middle session object based on the flow identification in the data packet, and if not found (typically this happens after the first flow data arrives), it creates a TLS man-in-the-middle session object and builds a mapping of the flow identification to the man-in-the-middle session.

7. After the first ClientHello packet arrives, a TLS man-in-the-middle session object is created, and the following processing is performed:

(1) The ClientHello message is cached for subsequent initiation of the second session.

(2) And analyzing the ClientHello message, and extracting information such as a password suite and SNI.

(3) An SSL client context is created by using an opensl library, SSL client context options are set by using a password suite and SNI extracted from a ClientHello message, an SSL session is created by the SSL client context, and a handshake process to a server is started as a first session manager.

(4) The message output by the first session handshake process is sent to an injection module of the TLS data filtering driver through the device IO together with the flow identifier, and after the message is injected into the flow designated by the flow identifier by using the outbound flow injection handle, the message is sent to the server through the TCP/IP protocol stack.

(5) The message returned by the server is processed by the stream data marking callback function, and according to step 5, the inbound message is sent to the TLS session processing thread again along with the data packet and is sent to the first session manager of the TLS man-in-the-middle session object corresponding to the stream identifier for processing.

(6) Until the handshake of the first session is completed, the man-in-the-middle session object will extract the server certificate from the SSL session, call the certificate manager to obtain/generate an imitation certificate as the TLS server to establish the second session to the client.

8. The second session establishment procedure is as follows:

(1) An SSL server context is created using an openssl library, and the dummy certificate obtained in the 7- (6) process is set to the SSL server context. And creates a new SSL session from this SSL server context as a second session manager.

(2) The ClientHello report Wen Songru cached in the 7- (1) procedure is used as a second session manager to start the handshake procedure of the second session.

(3) The message output by the second session handshake process is sent to an injection module of the TLS data filtering driver through the device IO together with the flow identifier, and after the message is injected to the flow designated by the flow identifier by using the inbound flow injection handle, the message is submitted to the client process through the TCP/IP protocol stack.

(4) The message sent by the client process is processed by the stream data marking callback function, and according to step 5, the outbound message is sent to the TLS session processing thread along with the data packet and is processed by the second session manager of the TLS man-in-the-middle session object corresponding to the stream identifier.

(5) Until the second session establishment is completed.

9. So far, both the first session and the second session of the TLS man-in-the-middle session object have been successfully established, i.e. the entire TLS session has been successfully established, in the subsequent application data transmission process:

(1) The encrypted message sent to the server by the client process is processed by the stream data marking callback function, the same as the processing of the step 8- (4), the outbound message enters the second session manager as input, the plaintext output by the second session manager is sent to the content detection module for processing, the processed plaintext is sent to the first session manager, the ciphertext encrypted by the first session is injected into the stream according to the same processing of the step 7- (4), and the processed plaintext is sent to the server.

(2) The message received from the server will be processed by the stream data marking callback function as well, the same as the processing of step 7- (5), the inbound message enters as input into the first session manager, the plaintext outputted by the first session manager will be sent to the content detection module for processing, the processed plaintext will be sent to the second session manager, the ciphertext encrypted by the second session will be injected into the stream according to the same processing of 8- (3), and submitted to the client process.

Fig. 4 is a flowchart of a method for certificate imitation according to an embodiment of the present application. As shown in FIG. 4, one embodiment of the present application provides a method of certificate emulation, which includes the following steps.

S1: starting.

S2: and searching the imitation certificate from the cache database according to the server certificate.

S3: and judging whether the search is successful. If yes, go to step S11, otherwise go to step S4.

S4: it is determined whether a superior certificate exists. If yes, go to step S5, otherwise go to step S6.

S5: and judging whether the upper certificate is a root certificate, if so, proceeding to step S6, otherwise, proceeding to step S10.

S6: a new certificate is copied.

S7: a public key pair is created and the key identification is updated.

S8: the new certificate is signed using the emulated root certificate.

S9: the imitation certificate is added to the cache database. Step S11 is entered.

S10: a dummy certificate of the superior certificate is acquired, and recursion starts from step S1.

S11: returning the imitation certificate and the private key. Returns the intermediate-level copy certificate and proceeds to step S12.

S12: a new certificate is copied.

S13: a public key pair is created and the key identification is updated.

S14: the new certificate is signed using the superior imitation middle-level certificate. Step S9 is entered.

Specifically, after receiving a request for obtaining an imitation certificate based on the process certificate manager, the process certificate manager uses an opensl library to load an incoming server certificate chain, extracts a serial number of a terminal certificate, uses the serial number to search the generated imitation certificate in an imitation certificate cache database, and if the search is successful, directly returns private keys corresponding to the certificate chain and the terminal certificate to a caller. If the lookup fails, the certificate manager makes it possible to clone the emulated certificate with the openssl library. The certificate manager enables cloning of a imitated certificate using an opensl library comprising the steps of:

1. And creating a certificate storage context, and loading a whole server certificate chain, wherein the whole server certificate chain comprises a terminal entity certificate, a plurality of intermediate certificates and a root certificate.

2. And starting at the tail end of the current certificate chain, cloning the certificates step by step, wherein the process of cloning the certificates mainly comprises the following steps of:

(1) If the original certificate exists in the previous-stage certificate and the previous-stage certificate is not the root certificate, the process is iterated to obtain an imitation certificate (including a private key) of the previous-stage certificate.

(2) A new certificate is copied from the original certificate, and all information of the original certificate is reserved.

(3) And reassigning a pair of keys for the certificate according to the public key algorithm and the key length of the original certificate, setting the public key into the certificate, and reserving the private key.

(4) The key identification of the new certificate is recalculated with the newly generated public key, and set to the key identification extension.

(5) If the original certificate exists in the previous-stage certificate, judging whether the previous-stage certificate is a root certificate or not. If the previous-level certificate is a root certificate, an issuer of the new certificate is set as a root certificate of the imitation certificate, and the new certificate is signed using a private key of the root certificate of the imitation certificate. If the previous-level certificate is not the root certificate, but is a middle-level certificate, the new certificate is signed using the private key of the last-level imitation certificate.

3. After each cloning is completed, the imitated certificate chain and the private key are added to the imitated certificate cache database by taking the certificate serial number as a key, and then returned to the caller.

Thus, the TLS flow analysis is realized by the man-in-the-middle mode at the client side, the method has universality, compared with man-in-the-middle equipment connected in series on a physical network, no extra equipment is required to be introduced, no network topology is required to be changed, and compared with man-in-the-middle mode realized at the server side, the method is not limited to a specific TLS server. In addition, the inbound data is only operated on the network protocol stack of the client to realize the man-in-the-middle, the common local network agent program is not needed, the network configuration is not needed to be modified, the additional network connection is not needed to be established, the detection mechanism is more hidden, and the security is higher.

The embodiment of the application also provides a processor configured to execute the method for analyzing the TLS traffic in the embodiment.

Fig. 5 is a schematic structural diagram of an apparatus for analyzing TLS traffic according to an embodiment of the present application. As shown in fig. 5, an embodiment of the present application further provides an apparatus 500 for analyzing TLS traffic, which is applied to a TLS traffic analysis system, where the TLS traffic analysis system includes a data filtering module, a data injection module, a first session manager, and a second session manager, the TLS traffic analysis system is deployed on a client, and the client communicates with a server, where the apparatus 500 includes:

The message interception unit 510 is configured to intercept, by using the data filtering module, a first message carried in a first handshake request when the client initiates the first handshake request for performing a TLS network session to the server.

The first session establishment unit 520 is configured to complete handshake with the server by using the first session manager instead of the client based on the first message, so as to establish a first session, where the first session includes a server certificate sent by the server.

And the second session establishment unit 530 is configured to, after the first session is established, complete handshake with the client through the second session manager instead of the server based on the first message and the server certificate in combination with the data filtering module and the data injection module, so as to establish the second session.

And a session data obtaining unit 540, configured to forward data between the first session and the second session after the second session is established, so as to obtain plaintext session data of the TLS network session.

The device 500 for analyzing TLS traffic is applied to a TLS traffic analyzing system, where the TLS traffic analyzing system includes a data filtering module, a data injection module, a first session manager and a second session manager, the TLS traffic analyzing system is deployed on a client, the client communicates with a server, in the case that the client initiates a first handshake request for performing a TLS network session to the server, the first message carried in the first handshake request is intercepted by the data filtering module, then based on the first message, the handshake with the server is completed by the first session manager instead of the client to establish the first session, where the first session includes a server certificate sent by the server, then after the first session is established, based on the first message and the server certificate, the data filtering module and the data injection module are combined, the handshake with the client is completed by the second session manager instead of the server to establish the second session, and finally, after the second session is established, data is forwarded between the first session and the second session to obtain the plaintext data of the TLS network session. The method and the device can realize TLS flow analysis on the client side in a man-in-the-middle mode, and have universality.

In one embodiment, the first session establishment unit 520 is further configured to: analyzing the first message to obtain an analysis result; setting a first session manager according to the analysis result; after the first session manager is set, outputting a first message to a data injection module through a ciphertext sending port of the first session manager; injecting the first message into a network protocol stack of the client through a data injection module so that the first message is sent to a server through the network protocol stack; intercepting a server response message sent by a server through a data filtering module, and submitting the server response message to a ciphertext receiving port of a first session manager; and completing handshake between the first session manager and the server according to the first message and the server response message so as to establish the first session.

In one embodiment, the second session establishment unit 530 is further configured to: obtaining a target imitation certificate according to the server certificate; setting a second session manager according to the target imitation certificate; after the second session manager is set, inputting the first message into the second session manager to trigger the handshake process of the second session; outputting the second message to the data injection module through a ciphertext sending port of the second session manager; injecting the second message into a network protocol stack through a data injection module so that the second message is sent to the client through the network protocol stack; intercepting a client response message sent by a client through a data filtering module, and submitting the client response message to a ciphertext receiving port of a second session manager; and completing handshake between the second session manager and the client according to the second message and the client response message so as to establish a second session.

In one embodiment, obtaining the target replica certificate from the server certificate sent by the server includes: acquiring a certificate serial number of a server certificate; searching a pre-stored imitation certificate library based on the certificate serial number to obtain a searching result; and under the condition that the searching is successful, determining the private key corresponding to the certificate chain corresponding to the certificate serial number and the certificate chain end certificate in the searched imitation certificate library as the target imitation certificate.

In one embodiment, the session data acquisition unit 540 is further configured to: sending the first plaintext data output by the first session manager to a plaintext input port of a second session manager, so that the second session manager outputs first ciphertext data corresponding to the first plaintext data; injecting the first ciphertext data into a network protocol stack of the client through a data injection module so that the first ciphertext data is sent to the client through the network protocol stack; sending the second plaintext data output by the second session manager to a plaintext input port of the first session manager, so that the first session manager outputs second ciphertext data corresponding to the second plaintext data; injecting the second ciphertext data to a network protocol stack of the client through a data injection module so that the second ciphertext data is sent to the server through the network protocol stack; and acquiring the first plaintext data and the second plaintext data to obtain plaintext session data of the TLS network session.

In one embodiment, the method further comprises: under the condition of failure in searching, an initial imitation certificate is obtained according to the copying of the server certificate; regenerating a key pair of the initial imitation certificate according to a public key algorithm and a key length of the server certificate; a target imitation certificate is determined from the key pair and the initial imitation certificate.

In one embodiment, the method further comprises: under the condition that the establishment of a newly-built network session is detected, matching the network session with a preset filtering rule, wherein the preset filtering rule comprises IP address information and port information; and under the condition of successful matching, monitoring the newly-built network session through the data filtering module.

The embodiment of the application also provides a TLS communication flow analysis system, which comprises: a data filtering module; a data injection module; a first session manager; a second session manager; the processor in the above embodiment or the device for resolving TLS traffic in the above embodiment.

The embodiment of the application also provides a machine-readable storage medium, wherein a program or an instruction is stored on the machine-readable storage medium, and when the program or the instruction is executed by a processor, the method for analyzing the TLS flow in the embodiment is realized.

It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.

The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.

The memory may include volatile memory in a computer-readable medium, random Access Memory (RAM) and/or nonvolatile memory, etc., such as Read Only Memory (ROM) or flash RAM. Memory is an example of a computer-readable medium.

Computer readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static Random Access Memory (SRAM), dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), read Only Memory (ROM), electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.

It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises an element.

The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and variations of the present application will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. which come within the spirit and principles of the application are to be included in the scope of the claims of the present application.

Claims

1. The method for analyzing the TLS communication flow is characterized by being applied to a TLS communication flow analysis system, wherein the TLS communication flow analysis system comprises a data filtering module, a data injection module, a first session manager and a second session manager, the TLS communication flow analysis system is deployed on a client, and the client is communicated with a server, and the method comprises the following steps:

Under the condition that the client initiates a first handshake request for carrying out TLS network session to the server, intercepting a first message carried in the first handshake request through the data filtering module;

After the first session is established, based on the first message and the server certificate, combining the data filtering module and the data injection module, and completing handshake with the client by replacing the server by the second session manager to establish a second session;

After the second session is established, forwarding data between the first session and the second session to obtain clear text session data of the TLS network session;

Wherein the handshake with the server is completed by the first session manager instead of the client based on the first message to establish a first session, including:

Analyzing the first message to obtain an analysis result;

setting the first session manager according to the analysis result;

After the first session manager is set, outputting the first message to the data injection module through a ciphertext sending port of the first session manager;

injecting the first message into a network protocol stack of the client through the data injection module so that the first message is sent to the server through the network protocol stack;

Intercepting a server response message sent by the server through the data filtering module and submitting the server response message to a ciphertext receiving port of the first session manager;

Completing handshake between the first session manager and the server according to the first message and the server response message so as to establish the first session;

The step of completing handshake with the client by the second session manager instead of the server based on the first message and the server certificate in combination with the data filtering module and the data injection module to establish a second session includes:

Obtaining a target imitation certificate according to the server certificate;

setting the second session manager according to the target imitation certificate;

after the second session manager is set, inputting the first message into the second session manager to trigger a handshake process of the second session;

outputting a second message to the data injection module through a ciphertext sending port of the second session manager;

Injecting the second message into the network protocol stack through the data injection module so that the second message is sent to the client through the network protocol stack;

Intercepting a client response message sent by the client through the data filtering module and submitting the client response message to a ciphertext receiving port of the second session manager;

Completing handshake between the second session manager and the client according to the second message and the client response message to establish the second session;

And after the second session is established, forwarding data between the first session and the second session to obtain plaintext session data of the TLS network session, including:

Sending the first plaintext data output by the first session manager to a plaintext input port of the second session manager, so that the second session manager outputs first ciphertext data corresponding to the first plaintext data;

Injecting the first ciphertext data into a network protocol stack of the client through the data injection module so that the first ciphertext data is sent to the client through the network protocol stack;

Sending the second plaintext data output by the second session manager to a plaintext input port of the first session manager, so that the first session manager outputs second ciphertext data corresponding to the second plaintext data;

Injecting the second ciphertext data into a network protocol stack of the client through the data injection module so that the second ciphertext data is sent to the server through the network protocol stack;

And acquiring the first plaintext data and the second plaintext data to obtain plaintext session data of the TLS network session.

2. The method of claim 1, wherein the obtaining the target imitation certificate from the server certificate sent by the server comprises:

Acquiring a certificate serial number of the server certificate;

searching a pre-stored imitation certificate library based on the certificate serial number to obtain a searching result;

and under the condition that the searching is successful, determining the searched certificate chain corresponding to the certificate serial number and the private key corresponding to the certificate at the tail end of the certificate chain in the imitation certificate library as the target imitation certificate.

3. The method according to claim 2, wherein the method further comprises:

Under the condition of failure in searching, an initial imitation certificate is obtained according to the server certificate replication;

regenerating a key pair of the initial imitation certificate according to a public key algorithm and a key length of the server certificate;

The target imitation certificate is determined from the key pair and the initial imitation certificate.

4. The method according to claim 1, wherein the method further comprises:

under the condition that the establishment of a new network session is detected, matching the new network session with a preset filtering rule, wherein the preset filtering rule comprises IP address information and port information;

and under the condition that the matching is successful, monitoring the newly-built network session through the data filtering module.

5. A processor configured to perform the method for resolving TLS traffic according to any of claims 1 to 4.

6. An apparatus for resolving TLS traffic, the apparatus being applied to a TLS traffic resolving system, the TLS traffic resolving system including a data filtering module, a data injection module, a first session manager, and a second session manager, the TLS traffic resolving system being deployed on a client, the client being in communication with a server, the apparatus comprising:

a message interception unit, configured to intercept, by using the data filtering module, a first message carried in a first handshake request when the client initiates the first handshake request for performing a TLS network session to the server;

a first session establishment unit, configured to complete handshake with the server by using the first session manager instead of the client based on the first message, so as to establish a first session, where the first session includes a server certificate sent by the server;

The second session establishment unit is used for combining the data filtering module and the data injection module based on the first message and the server certificate after the first session is established, and completing handshake with the client through the second session manager instead of the server so as to establish a second session;

A session data obtaining unit, configured to forward data between the first session and the second session after the second session is established, so as to obtain plaintext session data of the TLS network session;

Analyzing the first message to obtain an analysis result;

setting the first session manager according to the analysis result;

Obtaining a target imitation certificate according to the server certificate;

7. A TLS traffic parsing system, comprising:

a data filtering module;

a data injection module;

A first session manager;

A second session manager;

A processor according to claim 5 or an apparatus for resolving TLS traffic according to claim 6.

8. A machine-readable storage medium having stored thereon a program or instructions, which when executed by a processor, implement a method for resolving TLS traffic according to any of claims 1 to 4.