BCYCP HVKTMM

BCYCP HVKTMM

BCYCP HVKTMM

BAN C YU CHNH PH Hc vin K thut Mt m

Bo co Tng kt Khoa hc v K thut ti: NGHIN CU MT S VN BO MT v an ton thng tin cho cc mng dng giao thc lin mng my tnh IP

TS o Vn Gi, TS. Trn Duy Lai

H Ni, 1-2005

Ban C yu Chnh ph Hc vin K thut Mt m

Bo co Tng kt Khoa hc v K thut ti: NGHIN CU MT S VN BO MT v an ton thng tin cho cc mng dng giao thc lin mng my tnh IP

TS o Vn Gi, TS. Trn Duy Lai

H Ni, 1-2005

Ti liu ny c chun b trn c s kt qu thc hin ti cp Nh nc, m s KC.01.01

Danh sch nhng ngi thc hin Nhm th nht : Cc nghin cu tng quan, tm hiu gii php A Nhng ngi ch tr mt trong cc kt qu nghin cu 1 PGS TS Hong Vn To Hc vin K thut Mt m 2 PGS TS L M T Hc vin K thut Mt m 3 TS Nguyn Hng Quang Phn vin NCKTMM- HVKTMM 4 ThS ng Ho Phng QLNCKH- HVKTMM 5 TS Nguyn Nam Hi Trung tm Cng ngh Thng tin 6 TS ng V Sn V Khoa hc Cng ngh 7 TS Trn Duy Lai Phn vin NCKHMM- HVKTMM B Nhng ngi tham gia mt trong cc kt qu nghin cu 1 ThS Nguyn Ngc ip Phng QLNCKH- HVKTMM 2 ThS Nguyn c Tm Khoa Tin hc- HVKTMM 3 ThS Nguyn ng Lc Phn vin NCNVMM- HVKTMM 4 ThS on Ngc Uyn Khoa Tin hc- HVKTMM 5 ThS Nguyn Anh Tun Phn vin NCKHMM- HVKTMM 6 KS L Khc Lu Phn vin NCKTMM- HVKTMM 7 ThS o Hng Vn Trung tm Cng ngh Thng tin 8 KS Nguyn Cnh Khoa Phn vin NCKHMM-HVKTMM 9 KS Nguyn Cng Chin Phng QLNCKH-HVKTMM Sn phm t c: - 07 bo co khoa hc (cc quyn 1A, 1B, 1C, 2A, 2B, 5A v 5B) Nhm th hai: Cc phn mm bo mt gi IP A Nhng ngi ch tr mt trong cc kt qu nghin cu 1 TS Nguyn Nam Hi Trung tm Cng ngh Thng tin 2 TS ng V Sn V Khoa hc Cng ngh 3 TS Trn Duy Lai Hc vin K thut Mt m B Nhng ngi tham gia mt trong cc kt qu nghin cu 1 KS Nguyn Cnh Khoa Phn vin KHMM- HVKTMM 2 KS Nguyn Quc Ton Phn vin KHMM- HVKTMM 3 KS inh Quc Tin Phn vin KHMM- HVKTMM 4 KS Nguyn Tin Dng Trung tm Cng ngh Thng tin 5 KS Nguyn Thanh Sn Khoa Mt m- HCKTMM 6 KS Nguyn Nh Tun Khoa Mt m- HVKTMM Sn phm t c: - 03 bo co khoa hc (cc quyn 3A, 3B v 3C) - 05 phn mm bo mt gi IP ( 01 trn Windows; 01 trn Solaris; 03 trn Linux)

Nhm th ba: Cung cp v s dng chng ch s A Nhng ngi ch tr mt trong cc kt qu nghin cu 1 TS Trn Duy Lai Phn vin NCKHMM-HVKTMM 2 PGS TS L M T Hc vin K thut Mt m 3 ThS ng Ho Phng QLNCKH-HVKTMM 4 TS Nguyn Hng Quang Phn vin NCKTMM-HVKTMM B Nhng ngi tham gia mt trong cc kt qu nghin cu 1 ThS Hong Vn Thc Phn vin NCKHMM-HVKTMM 2 KS Phm Vn Lc Phn vin NCKHMM-HVKTMM 3 KS Cao Thanh Nam Phn vin NCKTMM-HVKTMM 4 ThS La Hu Phc Phn vin NCKTMM-HVKTMM 5 ThS Trnh Minh Sn Phn vin NCNVMM-HVKTMM 6 ThS Hong Thu Hng Phn vin NCNVMM-HVKTMM Sn phm t c: - 05 bo co khoa hc (cc quyn 6A, 7A, 8A, 8B v 9A) - 03 phn mm (cp v thu hi chng ch s, th vin ch k s, bo mt Web dng Proxy Server) - 01 thit b phn cng ghi kho c giao din USB Nhm th t: m bo ton hc A Nhng ngi ch tr mt trong cc kt qu nghin cu 1 TS Lu c Tn Phn vin NCKHMM-HVKTMM 2 TS Trn Vn Trng Phn vin NCKHMM-HVKTMM B Nhng ngi tham gia mt trong cc kt qu nghin cu 1 TS Nguyn Ngc Cng Phn vin NCKHMM-HVKTMM 2 KS Trn Hng Thi Phn vin NCKHMM-HVKTMM 3 ThS Trn Quang K Phn vin NCKHMM-HVKTMM 4 ThS Phm Minh Ho Phn vin NCKHMM-HVKTMM 5 KS Nguyn Quc Ton Phn vin NCKHMM-HVKTMM C Cng tc vin 1 TS Nguyn L Anh i hc Xy dng 2 TSKH Phm Huy in Vin Ton hc Sn phm t c: - 03 bo co khoa hc (cc quyn 3A, 3B v 3C) - 02 phn mm (sinh tham s an ton cho h mt RSA v Elgamal)

Bi tm tt Kt qu ca ti KC.01.01 gm 18 bo co khoa hc v 10 sn phm phn mm. Cc quyn bo co khoa hc c nh s ph hp vi 9 mc sn phm nh c ng k trong bn hp ng thc hin ti. Tuy nhin, xt v ni dung th cc sn phm c th c xp vo 4 nhm sau: Nhm th nht: cc nghin cu tng quan, tm hiu gii php cho cc c ch m bo an ninh, an ton mng. Nhm th hai: cc sn phm bo mt gi IP trn cc h iu hnh Linux, Solaris, Windows. Nhm th ba: cung cp v s dng chng ch s. Nhm th t : nghin cu m bo ton hc v cch dng v sinh tham s an ton cho cc h mt kho cng khai cng nh xy dng h m khi. ti tp trung gii quyt mt s vn v an ninh v bo mt i vi thng tin c vn chuyn trn mng dng giao thc IP. Nhng kt qu nghin cu mang tnh tng quan, tm hiu gii php cho cc c ch m bo an ninh an ton mng bao gm: quyn 1A Gii thiu cng ngh IPSEC, cng ngh pht hin xm nhp v thng mi in t; quyn 1B Nc Nga v ch k in t s; quyn 1C Tm hiu kh nng cng ngh cng ho thut ton mt m; quyn 2AGiao thc TCP/IP v gii php bo mt cc tng khc nhau; quyn 2B Tng quan v an ton Internet; quyn 5A An ninh ca cc h iu hnh h Microsoft Windows, Sun Solaris v Linux; quyn 5B C ch an ton ca cc h iu hnh mng, Network hacker, virut my tnh. Bi ton bo mt gi IP c gii quyt kh trit , chng ti c cc phn mm m ho gi IP chy trn 3 loi h iu hnh mng tiu biu, l Microsoft Windows, Sun Solaris v Linux. c bit, s dng kh nng m ngun m ca h iu hnh Linux, chng ti to ra mt h cc sn phm bo mt gi IP. Ba bo co dnh cho cc phn mm m gi IP l: quyn 4A Cc phn mm bo mt gi IP trn h iu hnh Linux, quyn 4B H thng an ton mng trn mi trng mng Sun Solaris v quyn 4C Phn mm bo mt trn mi trng Windows. Nu nh gii php bo mt trn Linux l m ngun m th trn Windows l thay th Winsock bng winsock mt m, cn trn Solaris l s dng cng ngh lp trnh STREAMS can thip vo chng giao thc IP. Thng mi in t l mt trong nhng ci th hin xu hng ton cu ho trong tin hc. Mt m khng nhng c s dng bo mt thng tin, m mt mt ng dng rt c a chung ca n l ng dng xc thc. Mt m c dng xc thc l mt m kho cng khai. Mi ngi s dng kho cng khai c mt cp kho: mt kho b mt v mt kho cng khai. Ngi ta dng kho b mt k vn bn cn dng kho b mt ca ngi khc kim tra ch k m ngi k to ra. Kho cng khai th c th cng b cng khai, bng cch in nh danh b in thoi, nhng ly g m bo tnh chn thc ca nhng kho cng khai c cng b. Rt hay l chnh bn thn mt m kho cng khai li c s dng gii quyt bi ton ny, ngi ta dng ch k ca CA (Certificate Authority) k vo mt vn

bn c bit bao gm 2 thng tin chnh l nh danh ca ngi s dng v kho cng khai ca ngi . Ci c gi l chng ch s v gp phn to nn c s h tng kho cng khai (PKI- Public Key Infrastructure). Nhng chng ch s sinh ra cn phi c s dng vo cc ng dng trn mng, trong c cc ng dng thng mi in t vi hai dch v c bn l Mail v Web. Mt lot cc bo co tp trung gii quyt vn ny, l quyn 6A Mt h thng sinh chng ch s theo m hnh sinh kho tp trung; quyn 7A Mt h ch k s c s dng RSA; quyn 8A Dng chng ch s vi cc ng dng Web v Mail; quyn 8B Bo mt dch v Web thng qua Proxy Server v quyn 9A Mt s thit b c s dng ghi kho. Trn y im qua cc kt qu nghin cu pht trin sn phm phn mm trong 2 lnh vc l bo mt gi IP c truyn thng trn mng v bo mt cc dch v Web v Mail trong thng mi in t. Th nhng ci li mt m trong cc sn phm y chnh l cc thut ton, cc tham s mt m. Trong khun kh phm vi ca ti cng hon thnh 3 kt qu nghin cu nhm m bo ton hc cho an ton mt m, l: quyn 3A Sinh tham s an ton cho h mt RSA; quyn 3B Sinh tham s an ton cho h mt Elgamal; quyn 3C Nghin cu xy dng thut ton m khi an ton hiu qu. Hai nhm sn phm v bo mt gi IP v cung cp/s dng chng ch s c trin khai th nghim. C nhng sn phm sau c hon thin nng cp trin khai thc t.

Mc lc Trang 2 4 6 7 9 11 11 24 31 36 42 46 47 48

Danh sch nhng ngi thc hin Bi tm tt Mc lc Bng ch gii cc ch vit tt, k hiu, n v o, t ngn hoc thut ng Li m u Tng kt cc ni dung nghin cu v kt qu chnh 1. Nhm th nht : Nghin cu tng quan, tm hiu gii php cho cc c ch m bo an ninh an ton mng 2. Nhm th hai : Cc sn phm bo mt gi IP trn cc mi trng Linux, Solaris v Windows 3. Nhm th ba : Cung cp v s dng chng ch s 4. Nhm th t : m bo ton hc 5. Mt s ni dung khc Kt lun v kin ngh Li cm n Ti liu tham kho

Bng ch gii cc ch vit tt, k hiu, n v o, t ngn hoc thut ng ACL AD AH ARP AS ASET ASIC ASN.1 ASSP BGP CA CAD CDFS CFS CIPE CLNP CTL CRL CRT DAC DARPA DSP EDI EFS EGP ESP FAT FEK FPGA GGP GSS-API ICMP IDS IEC IPSEC ISAKMP IKE IHL ITU ISO L2F L2TP LDAP LSA MIME Access Control List Active Directory Authentication Header Address Resolution Protocol Autonomous System Automated Security Enhancement Tool Application-Specific Integrated Circuit Abstract Syntax Notation One Application-Specific Standard Product Border Gateway Protocol Certificate Authority Computer-Aided Design CDROM File System Cryptographic Gile System Cryptographic IP Encapsulation Connectionless Network Protocol Certificate Trust List Certificate Revocation List Chinese Residual Theorem Discretionary Access Controls Defence Advanced Research Projects Agency Digital Signal Processor Electronic Data Interchange Encryption File System Exterior Gateway Protocol Encapsulation Security Payload File Allocation Table File Encryption Key Field Programmable Gate Array Gateway to Gateway Protocol General Security Services Application Programming Interface Internet Control Message Protocol Intrusion Detection System International Electrotechnical Commission IP Security Intenet Security Association and Key Management Protocol Internet Key Exchange Internet Header Length International Telecommunication Union International Organization for Standardization Layer 2 Forwarding Layer 2 Transfer Protocol Light Directory Access Protocol Local Security Authority Multipurpose Internet Mail Extensions

MSP MTA MTU NLSO NTFS PAM PGP PEM PKI PPTP RFC RISC/GPP SET SA S-HTTP S/MIME RAS RPC RSA SAM SID SPI SRM SSL TCFS TCP/IP TLSP TMT TPDU UDP VPN

Message Security Protocol Message Transfer Agent Maximum Transfer Unit Network-Layer Security Protocol New Technology File System Pluggable Authentication Module Pretty Good Privacy Privacy Enhanced Mail Public Key Infrastructure Point to Point Transfer Protocol Request For Comment Reduced Instruction Set Computer/ General Purpose Processor Secure Electronic Transaction Security Association Secure Hyper Text Transfer Protocol Secure Multipurpose Internet Mail Extensions Remote Access Service Remote Procedure Call Rivest- Shamir- Adleman Security Account Manager Security Identifier Security Parameters Index Security Reference Monitor Secure Socket Layer Transparent Cryptographic File System Transmission Control Protocol/ Internet Protocol Transport Layer Security Protocol Thng mi in t Transport Protocol Data Unit User Datagram Protocol Virtual Private Network

Li m u Cc ni dung m ti tin hnh nhm thc hin 2 mc tiu c ng k trong bn thuyt minh ti, l: Nghin cu mt s cng ngh, gii php nhm m bo an ton, an ninh thng tin cho cc mng dng giao thc IP, t xut m hnh ph hp c im s dng Vit Nam Phc v vic pht trin thng mi in t (TMT) ca Vit Nam, hng ti hi nhp khu vc S pht trin ca cc mng my tnh ni ring v mng Internet ni chung lm cho nhu cu m bo an ninh an ton thng tin trn mng ngy cng tng. C nhiu cng ngh mng (v d nh Ethernet v Token Ring), c nhiu giao thc mng (v d nh TCP/IP, IPX/SPX v NETBEUI,...), nhng do s pht trin vt tri ca giao thc IP so vi cc giao thc khc trn th gii, v cn c vo c im cng ngh mng c trin khai ti Vit Nam, chng ta thy rng c th bo m c an ninh an ton cho hu ht cc dch v mng th ch cn tp trung vo gii quyt cc bi ton i vi giao thc IP. Nu c gii php v sn phm bo mt tt cho mi trng IP, khi gp phi cc mi trng truyn thng khc chng ta c th dng cc thit b chuyn i (v d nh E1-IP) s dng c cc gii php v sn phm c. Vit Nam ang trong qu trnh hi nhp khu vc v hi nhp quc t. Thng mi in t chnh l mt cng c c lc phc v cho qu trnh hi nhp y. trong nc cng ang qu trnh xy dng chnh ph in t ( n 112 ca Chnh ph v Tin hc ho qun l hnh chnh). cho thng mi in t cng nh chnh ph in t pht trin c u cn c s h tr ca cc cng c/sn phm m bo an ninh bo mt thng tin trn cc mng truyn thng tin hc. Cc sn phm ca ti (bo co khoa hc v phn mm) p ng y cc cc ni dung ng k trong mc 16 Yu cu khoa hc i vi sn phm to ra ca bn thuyt minh ti, cng nh bng 2 Danh mc sn phm khoa hc cng ngh ca bn hp ng thc hin ti. Bo co khoa hc ca ti gm 18 quyn nh sau: tt 1 Tn bo co Bo co cp nht cc kt qu mi trong lnh vc bo mt mng v thng mi in t: Quyn 1A: Gii thiu cng ngh IPSEC, cng ngh pht hin xm nhp v thng mi in t Quyn 1B: Nc Nga v ch k in t s Quyn 1C: Tm hiu kh nng cng ngh cng ho cc thut ton mt m M hnh bo mt thng tin cho cc mng my tnh Quyn 2A: Giao thc TCP/IP v gii php bo mt cc tng khc nhau Quyn 2B: Tng quan v an ton Internet Nghin cu m bo ton hc Quyn 3A: Sinh tham s an ton cho h mt RSA Quyn 3B: Sinh tham s an ton cho h mt Elgamal

2 3

6 7 8 9

Quyn 3C: Nghin cu xy dng thut ton m khi an ton hiu qu Ph lc: Mt s nghin cu v hm bm v giao thc mt m H thng phn mm bo mt mng Quyn 4A: Cc phn mm bo mt gi IP trn h iu hnh Linux Quyn 4B: H thng an ton trn mi trng mng Sun Solaris Quyn 4C: Phn mm bo mt trn mi trng Windows An ninh, an ton ca cc h iu hnh mng Quyn 5A: An ninh ca cc h iu hnh h Microsoft Windows, Sun Solaris v Linux Quyn 5B: C ch an ton ca cc h iu hnh mng, Network Hacker, Virut my tnh H thng cung cp PKI Quyn 6A: Mt h thng cung cp chng ch s theo m hnh sinh kho tp trung B chng trnh cung cp ch k in t Quyn 7A: Mt h ch k s c s dng RSA H thng chng trnh xc thc trong thng mi in t Quyn 8A: Dng chng ch s vi cc dch v Web v Mail Quyn 8B: Bo mt dch v Web thng qua Proxy Server Cc sn phm nghip v v qui ch s dng Quyn 9A: Mt s thit b c s dng ghi kho

Cc sn phm phn mm/thit b bao gm: 1 Phn mm bo mt gi IP: - Trn mi trng Windows (SECURE SOCKET) - Trn mi trng Linux (TRANSCRYPT, IP-CRYPTOR, DLCRYPTOR) 2 Phn mm v chng ch s: - Sinh chng ch s theo m hnh sinh kho tp trung - Th vin ch k s - Dng chng ch s bo mt dch v Web thng qua Proxy Server 3 Phn mm m bo ton hc: - Phn mm sinh tham s an ton cho h mt RSA - Phn mm sinh tham s an ton cho h mt Elgamal 4 Thit b nghip v: - Thit b ghi kho vi giao din USB

10

Tng kt cc ni dung nghin cu v kt qu chnh 1. Nhm th nht: Nghin cu tng quan, tm hiu gii php cho cc c ch m bo an ninh an ton mng 1.1 Quyn 1 A: Gii thiu cng ngh IPSEC, cng ngh pht hin xm nhp v thng mi in t. Ch tr nhm nghin cu: PGS. TS. Hong Vn To Tn ca bo co th hin 3 ni dung s c cp n trong 3 chng. Ton b bo co gm 44 trang. Chng 1 Gii thiu v IPSEC trnh by v mt trong cc cng ngh to nn mng ring o (VPN), cc dch v IPSEC cho php bn xy dng cc ng hm an ton thng tin qua cc mng khng tin cy (v d nh Internet) vi c hai kh nng xc thc v bo mt. Cc vn c i su l: - Cc c tnh ca IPSEC l: phn tch cc chc nng xc thc v bo mt (tt nhin, chng c th kt hp vi nhau); c ci t tng mng; h tr 2 dng kt ni l host-to-host v gateway-to-gateway; h tr kh nng qun l kho thun tin (kho phin c th phn phi t ng hay th cng) - Cc khi nim c bn: Security Association (SA), Security Parameters Index (SPI), Authentication Header (AH), Encapsulation Security Payload (ESP), Internet Security Association and Key Management Protocol (ISAKMP), - Nhng ni c th dng c IPSEC (hay m hnh p dng), u im ca IPSEC, cc hn ch ca IPSEC (xc thc my, khng xc thc ngi dng; khng chng c tn cng t chi dch v, khng chng c tn cng phn tch mng), cc mode dng IPSEC (ch xc thc, m ho + xc thc) Chng 2 c tn l Pht hin xm nhp: lm th no tn dng mt cng ngh cn non nt. Trong phn t vn u chng ni r v cc bc tng la v cc chnh sch an ninh an ton l cha ngn chn mi tn cng ph hoi, cho nn cn n h pht hin xm nhp (IDS - Intrusion Detection System). Cc vn sau c trnh by: - Pht hin xm nhp l g? (n bao gm c vic pht hin s lm dng ca ngi trong cng nh ngi ngoi). Ti sao li dng tin ch pht hin xm nhp? (n thay cho nhiu con ngi, n c th phn ng li cc xm nhp). C ch lm vic ca cc IDS. - Cc gii php pht hin xm nhp bao gm: cc h thng pht hin d thng; cc h thng pht hin lm dng; cc h thng gim st ch - Nhng u im ca IDS : gim gi thnh so vi vic dng con ngi, pht hin ngn chn v khi phc, nht k v kh nng php l. Nhng nhc im: hy cn non nt, pht hin sai, suy gim hiu sut, chi ph ban u,... - Vic s dng IDS: n c lin quan ti vic nh gi ri ro; khi mua mt sn phm IDS cn ch ti chi ph, chc nng, kh nng m rng,...; khi s dng cn ch ti mt khi nim c gi l khai thc mt kin trc pht hin xm nhp. Chng 3 Thng mi in t cp n: - Cc hnh thc hot ng ch yu ca TMT: th, thanh ton in t, trao i d liu, ..

11

Tnh hnh pht trin TMT trn th gii: qu trnh pht trin c th chia thnh 3 giai on; im qua tnh hnh pht trin TMT mt s nc nh M, Canada, Nht, EU,... Tnh hnh pht trin TMT Vit Nam: mi trng ng ngha cho TMT Vit Nam cha hnh thnh; cui chng c cp n mt s khuyn ngh trn con ng tin ti TMT nc ta. An ton trong TMT: im qua cc mi e do n s an ton ca TMT; nhng yu cu bo v thng tin v gii php m bo;

1.2 Quyn 1B: Nc Nga v ch k in t s. Ch tr nhm nghin cu: PGS. TS. Hong Vn To Ngy 10 thng 1 nm 2002, tng thng Nga V. Putin k sc lnh lin bang v ch k in t s. i ti Lut v ch k in t s, nc Nga c mt qu trnh chun b k cng t trc. Lin quan n vn ny, trong bo co cp ti cc ni dung sau: - Bi vit ca 3 chuyn gia FAPSI l tin s ton-l A.C. Kuzmin, ph tin s k thut A.B. Korolkov v ph tin s ton-l N.N. Murasov trong tp ch chuyn ngnh v an ninh thng tin CBCNTVS MTPJGFCYJCNB s ra thng 2-3 nm 2001 Nhng cng ngh ha hn trong lnh vc ch k in t s: cp ti d n chun quc gia mi ca Nga v ch k s. - Bi ca cc chuyn gia V. Miaxnhiankin v A. Mejutkov Ch k in t hay con ng gian kh thot khi giy t trong tp ch CBCNTVS MTPJGFCYJCNB, s ra thng 8-9 nm 2001: khc vi ch k vit tay, ch k s ph thuc vo vn bn c k. - Vy nc Nga dng chun ch k s no? Chng ti m t: (1) chun ch k s GOST P 34.10-94 ; (2) chun ch k s GOST P 34.10-2001; (3) chun hm bm GOST P.34.11-94; (4) chun m khi GOST 24187-89 (do chun hm bm GOST P.34.11-94 c s dng thut ton GOST 24187-89) - Trong bo co chng ti dch ton b B lut Lin bang v ch k in t gm 5 chng v 21 iu. - tin so snh, trong 5 ph lc chng ti trnh by v: (1) m t thut ton DSS ca M, chun ny c cng b ngy 7 thng 1 nm 2000 thay cho chun c a ra t nhiu nm trc y (1994); (2) m t h cc hm bm SHA ca M; (3) m t thut ton m khi Rijndael; (4) Gii thiu bi bo ca 2 tc gi ngi Nga so snh thut ton m khi GOST 24187-89 ca Nga v thut ton Rijndael l thut ton s c chp nhn l chun m d liu mi ca M (AES) thay cho DES; (5) Bn cnh cn c mt bi bo ca tc C. Charnes, L. OConnor, J. Pieprzyk, R. Safavi-Naini, Y. Zheng vit v chun GOST 24187-89 ca Nga. 1.3 Quyn 1C: Tm hiu kh nng cng ngh cng ho cc thut ton mt m. Ch tr nhm nghin cu: Nguyn Hng Quang Mt m c th thc hin theo cch th cng hoc t ng vi s tr gip ca my mc. Trong thi i in t, truyn thng v tin hc ngy nay cc ngun tin ngy cng a dng; mi thng tin u c s ha vi khng l tr lng ti ch v lu lng trn knh; i hi ca ngi dng ngy cng cao v mt, tc , an

12

ton, tnh tin dng... Trong tnh hnh , ch c mt la chn duy nht l thc hin mt m vi s tr gip ca my mc. Phn 1 So snh thc hin mt m bng phn cng v phn mm l tr li cu hi: nn thc hin mt m trn c s phn cng (hardware) hay phn mm (software)? tr li cho cu hi cn phn tch cc u nhc im ca hai platform ny, xc nh nhng yu cu chung cho mt thit b in t v yu cu ring mang tnh c th ca thit b mt m, cc yu t cn cn nhc khi s dng thc t. Cui phn 1 c so snh v an ton gia 2 platform: s dng chung khng gian nh RAM; m bo ton vn; thm ngc thit k; tn cng phn tch nng lng; vn lu tr kho di hn; ph thuc vo an ton ca h iu hnh. Phn 2 La chn cng ngh cho cng ho mt m. Gi thit yu cu t ra l bo mt thng tin trong khu vc Chnh ph, An ninh v Quc phng i hi an ton cao v tc ln, r rng platform la chn phi l hardware. Khng nh lnh vc khc ch cn chn ng cng ngh thc hin bi ton t ra sao cho ti u v gi thnh, d pht trin, nhanh ra th trng, c kh nng upgrade... l . Vi ngnh mt m, ngoi vic chn cng ngh thch hp cho encryption, cng quan trng khng km l cng ngh c bo m security khng. Cng cn ch thch l trong s 7 cng ngh c phn tch, nhiu cng ngh l s pha trn gia hardware v software trn c s lp trnh cho chip. Tuy nhin khc vi software nh cp phn trc ch software cho chip thc hin trn hardware c thit k ring, chuyn dng, ng kn, khng dng chung b nh v h iu hnh, c t vt l trn chip. V nh vy c th xp chng vo hardware platform. Cc cng ngh c a ra xem xt l: (1) ASIC (2) ASSP (Application-Specific Standard Product); (3) Configurable Processor; (4) DSP (Digital Signal Processor); (5) FPGA (Field Programmable Gate Array); (6) MCU (Microcontroller); (7) RISC/GPP (Reduced Instruction Set Computer/ General Purpose Processor). Cc phng din c so snh l: (1) thi gian a sn phm ra th trng; (2) nng lc thc hin; (3) gi thnh; (4) tnh d pht trin; (5) nng lng tiu th; (6) tnh mm do. Trong phn 2 cng dnh nhiu trang trnh by k v cng ngh FPGA, bi v cng ngh thch hp nht cng ho mt m chnh l FPGA, l cc ni dung: cu trc FPGA; kh nng cu hnh li FPGA; nhng u im ca FPGA i vi mt m. Tip theo trnh by v vic dng FPGA cng ho cc loi thut ton mt m khc nhau, l: (1) sinh kho dng; (2) cc php nhn v modulo; (3) m khi (AES); (4) mt m elliptic; (5) hm hash; (6) sinh s ngu nhin. Cui phn 2 trnh by v an ton mt m da trn hardware: tn cng ln hardware ni chung v tn cng ln FPGA ni ring (tn cng kiu hp en; tn cng kiu c li; tn cng nhi li SRAM FPGA; thm ngc thit k t chui bit; tn cng vt l i vi cc cng ngh SRAM FPGAS/ ANTIFUSE FPGAS/ FLASH FPGAS; tn cng side channel gm c Simple Power Analysis v Different Power Analysis. Phn 3 Chun b cng ho mt m xoay quanh FPGA. Hai ni dung c trnh by. Trc ht l nhng kin thc cn thit thc hin FPGA bao gm: kin thc v ton; kin thc v k thut; kin thc v cng ngh; kin thc v th trng vi mch. Th hai l cc cng c cn thit thc hin FPGA bao gm: cng c thit k (CAD); thit b (my tnh, b np); nhn lc. Cui ca phn ny c gii thiu mt s hng sn xut FPGA nh Xilinx v Altera cng nh tng lai ca FPGA.

13

1.4 Quyn 2A: Giao thc TCP/IP v cc gii php bo mt cc tng khc nhau. Ch tr nhm nghin cu: ThS. ng Ho Mun nghin cu gii php bo mt cho giao thc IP th cn phi hiu r n. Chnh v vy m bo co khoa hc gm c 2 phn, phn I Giao thc mng TCP/IP gm c 9 chng, phn II Gii php bo mt gm c 3 chng dnh cho 3 tng: tng mng, tng giao vn v tng ng dng. Ch rng, khi nim tng 3 chng cui li theo m hnh ISO. Chng 1 Gii thiu v khi qut trnh by lch s ca TCP/IP, n bt u t DARPA. 4 c tnh ca TCP/IP c nu ra (khng ph thuc h iu hnh; khng ph thuc phn cng; ch nh a ch chung v chun ho cc b giao thc tng trn). N c cc dch v tiu biu tng ng dng l th in t, chuyn file, truy cp t xa v www. Trong khi , cc dch v tng mng c th chia lm 2 loi: dch v khng lin kt chuyn gi tin v dch v vn ti dng d liu tin cy. Cc ti liu chun v TCP/IP dng RFC, c th ti xung t a ch ftp://nic.ddn.mil/rfc/rfcxxxx.txt. Internet pht trin rt nhanh v tng lai ca IP s l IP v6. Chng 2 Cu trc phn tng ca m hnh TCP/IP nhm trnh v 4 tng: tng ng dng (Telnet, FTP,...); tng vn ti (TCP, UDP,...); tng Internet (IP) (hay cn gi l tng mng); v tng tip cn mng (Ethernet, ATM,...). Trong tng tip cn mng cn ch vic chuyn i gia a ch IP v a ch vt l. Trong tng Internet cn ch n bi ton dn ng ca gi tin (routing). C hai bin a ch quan trng: (1) bin a ch giao thc (ngn cch a ch ca tng thp v tng cao); (2) bin h iu hnh (ngn cch h thng vi cc chng trnh ng dng). Tng Tng ng dng Tng vn ti Tng Internet Tng tip cn mng Phn cng Chng 3 Cc a ch Internet trnh by v 5 lp a ch mng l A, B, C, D v E. Khi nim mng con (subnet) i km vi khi nim a ch mng v subnet mask. Cch nh a ch Internet cng c mt s nhc im, l: a ch hng ti ng lin kt ch khng hng ti my; a ch nhm C ch gm 255 my nn khi vt qu th phi chuyn sang lp B; i vi my dng nhiu a ch IP (c nhiu card mng chng hn) th vic vch ng dn ph thuc vo a ch c s dng. Chng 4 c tn l Tng ng a ch Internet vi a ch vt l. Do cui cng vic truyn thng phi c thc hin trong mng vt l nh s dng a ch vt l m phn cng cung cp nn phi c cch nh x gia a ch IP v a ch vt l. Giao thc Gii quyt a ch ARP cung cp mt c ch hiu qu v d duy tr, y l gii php gii quyt nh tng ng ng. Trong mi thit b mng s c mt cache gii quyt a ch. Bin Phn mm ngoi h iu hnh Phn mm trong h iu hnh Ch s dng cc a ch IP S dng cc a ch vt l

14

Chng 5 Giao thc Internet: chuyn gi tin khng c lin kt trnh by v dch v chuyn gi tin khng lin kt (khng chc chn, mi gi tin l c lp vi gi tin khc, dch v c coi l chuyn c gng nht). Trong chng ny gii thiu nh dng ca gi tin IP (a ch ngun, a ch ch, IHL, ...), c i su vo mt s trng nh kch thc ca gi tin, MTU v Fragmentation Offset. Trong h thng chuyn gi tin, vic vch ng dn l qu trnh chn ng gi gi tin, v b nh tuyn (router) l mt my tnh bt k lm chc nng vch ng dn. Mt vi giao thc dn ng c im qua: GGP, EGP, BGP. Chng 6 Giao thc Internet: cc thng bo iu khin v bo li tho lun c cu m cc cng v cc my s dng trao i s iu khin hoc thng bo li. C cu ny c gi l Giao thc Thng bo iu khin Internet - Internet Control Message Protocol (ICMP). Giao thc ny c coi l mt phn ca Giao thc Internet, v phi c trong mi thc hin ca giao thc IP. Thng bo ICMP c bao bc trong gi tin IP, n lt gi tin IP c bao bc trong gi d liu ca mng vt l truyn. Thng bo ICMP c nh dng nh sau: TYPE (8 bit), CODE (8 bit), CHECKSUM (16 bit), header v 64 bit d liu u ca gi tin sinh ra li. Mt s chc nng chnh ca ICMP l: iu khin dng thng tin; pht hin khng ti c my ch; chuyn ng; kim tra my xa. Chng 7 Giao thc gi tin ca ngi s dng UDP trnh by v nh dng ca gi tin UDP, cch bc gi tin UDP vo gi tin IP. Giao thc UDP chp nhn cc gi tin t nhiu chng trnh ng dng v chuyn chng n giao thc IP truyn, v n chp nhn cc gi tin UDP n t giao thc IP v chuyn chng n cc chng trnh ng dng thch hp. Mt cch khi nim, ton b vic phn cng v hp cng gia phn mm UDP v chng trnh ng dng xy ra qua c ch cng. Chng 8 Giao thc iu khin truyn tin TCP nu ln 5 tnh cht ca TCP: hng n dng d liu; lin kt mch o; truyn c phn m; dng d liu khng c cu trc; lin kt 2 chiu. Phi c mt c ch gip cho TCP cung cp s tin cy, l xc nhn v truyn li, l cc ca s trt, thit lp mt lin kt TCP. Bo co cng trnh by v khi nim cng ca TCP, nh dng ca on TCP. Chng 9 H thng tn vng trnh by v cc tn vng quen thuc nh GOV, EDU, COM,..,; tng ng gia tn vng v a ch. C cu tn vng tng ng cc tn vi cc a ch gm cc h thng hp tc, c lp gi l cc chng trnh ch cung cp tn (name servers). Chng 10 An ton tng mng cp ti : - Phn bit end system (h thng u cui) v intermediate system (h trung gian). - Connectionless Network Protocol (CLNP) cung cp dch v mng kiu khng lin kt trong vai tr SNICP vai tr (subnetwork-independent convergence protocol) - An ton mc h thng cui (end system-level security): n lin quan ti hoc Transport layer hoc subnetwork-independent network layer protocol. Tuy nhin, ci t an ton cho h thng cui tng mng l c u tin hn. - An ton mc mng con (subnetwork-level security): khc vi end system-level security. - Network-Layer Security Protocol (NLSP) c cng b trong ISO/IEC 11577. Trong NLSP c hai giao din: giao din dch v NLSP v giao din dch v mng c s (UN-underlying network). NLSP cng cung cp subnetwork level security.

15

M hnh by tng ISO 7 6 5 4 3 2 1 Tng ng dng Tng trnh din Tng phin Tng giao vn Tng mng Tng lin kt d liu Tng vt l SSL IPSEC PPTP, swIPe VPDN, L2F, L2TP Fiber Optics PEM, S-HTTP, SET

Chng 11 An ton tng giao vn trnh by v: - Cc th tc tng giao vn gm c: assignment to a network connection (gn lin kt mng); transport protocol data unit transfer (truyn TPDU); segmentation and reasembling (phn on v rp li); ... - Transport Layer Security Protocol (TLSP) c m t chun ISO/IEC 10736. N c t hon ton trong tng giao vn. TLSP c thit k b sung vo cc giao thc tng giao vn thng thng m khng phi thay i chng. - Cc c ch an ton: Hm ng gi ca TLSP h tr vic cung cp mt vi dch v an ton v c th ko theo t hp cc c ch an ton no c yu cu. Cc c ch ny l nhn an ton, con tr hng, gi tr kim tra ton vn (ICV), m m ho (padding) v m ho. Chng 12 Cc giao thc an ton tng ng dng ca cc mng i vo 3 lnh vc: - Trao i tin t. SET (giao dch in t an ton) l mt giao thc an ton cn c vo ng dng do Visa v MasterCard cng nhau pht trin. Trong bo co trnh by k 5 bc ca SET. S/PAY c RSA Data Security pht trin l mt ci t ca SET - Gi thng bo in t: PEM, RIPEM, S/MIME, PGP - Cc giao dch www: SSL, S-HTTP 1.5 Quyn 2B: Tng quan v an ton Internet. Ch tr nhm nghin cu: PGS. TS. L M T Internet vi chi ph thp v tn ti mi ni lm cho cc ng dng thng mi in t tr nn kh thi. Th nhng, cc ri ro khi s dng Internet c th gy ra hin tng nn ch. Chng 1 An ton Internet trnh by cc vn sau: - Ba kha cnh ca bi ton an ton l: an ton mng (bao gm Authentication and integrity, Confidentiality, Access control); an ton ng dng v an ton h thng - An ton giao thc mng: hai k thut an ton IP l Authentication Header v Encapsulating Security Payload. ESP c 2 ch , l: tunnel mode v transport mode. Nhng ni dung c trnh by y c trnh by chng 1 Gii thiu IPSEC quyn 1A.

16

Cc bc tng la m bo an ton h thng: im qua mt s khi nim nh Screening routers, Proxy servers, Perimeter network. Trong phn trnh by v An ton dch v gi tin cp n: Cc dch v bo v thng bo (Message origin authentication Xc thc ngun gc ca thng bo; Content integrity-Ton vn ni dung; Content confidentiality-S tin cy ca ni dung; Non-repudiation of origin-Chng chi b ngun gc) v Cc dch v xc nhn (confirmation service) (Proof of delivery Chng minh s chuyn giao; Proof of submission Chng minh s xem xt; Non-repudiation of deliveryChng chi b s chuyn giao; Non-repudiation of submission- Chng chi b s xem xt). C 6 ng dng c bo mt c cp n l: (1) PEM (Privacy Enhanced Mail); (2) MIME (Multipurpose Internet Mail Extensions) vi Security Multipats for MIME v MIME Object Security Services (MOSS); (3) S/MIME vi Signed data, Enveloped data v Signed and Enveloped data; (4) PGP (Pretty Good Privacy); (5) X.400 Security; (6) MSP (Message Security Protocol) An ton Web: Phn ny trnh by 3 vn l: (1) SSL; (2) S-HTTP v (3) Phn mm c kh nng ti xung. SSL cung cp hng lot cc dch v an ton cho cc client-server session: Server authentication; Client authentication; Integrity v Confidentiality. SSL gm c 2 giao thc nh: SSL Record Protocol v SSL Handshake Protocol. S-HTTP c thit k nh l mt m rng an ton cho HTTP, v bn cht n l mt giao thc giao dch yu cu-p ng. Cc dch v an ton c S-HTTP cung cp ging vi cc dch v c SSL cung cp. Cc chng trnh Java, c gi l cc applet, c ti xung mt cch t ng t mt my ch thng qua vic truy nhp vo cc trang Web c sn, sau c cc browser ca cc my khch thng dch v biu din. H thng ActiveX ca Microsoft cng c kh nng ti xung. Cc h thng dnh cho vic xc thc ngun ca phn mm c kh nng ti xung cng v ang c pht trin , v d, h thng Authenticode ca Microsoft. An ton i vi cc ng dng thng mi in t : trnh by 3 vn l (1) An ton EDI (Electronic Data Interchange); (2) Giao thc SET cho thanh ton th ngn hng v (3) Cc m hnh thanh ton an ton khc trn Internet (Cyber Cash, CheckFree, First Virtual, DigiCash, Mondex,...) Cc tho thun ca cc nh cung cp dch v Internet bao gm: s dng v chp nhn; cc nh ngha dch v; s dng hp php v kim sot ca cc nh cung cp dch v i vi ni dung thng tin; cht lng ca thng tin; an ton mt khu; s lm dng; ...

Chng 2 Nhu cu thc t v bo mt cp ti cc vn : Tnh hnh pht pht trin ca CNTT trn th gii; Tnh hnh pht trin CNTT trong nc; M t kt qu mng ca B Ti chnh (tuy rng s liu tng i c). C th ni tm li, vi s trin khai ca cc n 112 v 47 th nhu cu bo mt cc dch v mng trong nc ta thi im ny l rt ln. 1.6 Quyn 5A : An ninh ca cc h iu hnh h Microsoft Windows, Sun Solaris v Linux. Ch tr nhm nghin cu: TS. Nguyn Nam Hi, ThS. ng Ho, TS. Trn Duy Lai Bo co gm c 3 phn: phn I dnh cho Linux (cc trang 1 48), phn II dnh cho Solaris (cc trang 49-140) v phn III dnh cho h Microsoft Windows (cc trang 141-167)

17

Phn I. An ton ca h iu hnh Linux Chng 1 Linux Security c vit theo cc ti liu dng HOWTO ca Linux: - Vi phng php bo v vt l cng c kh nhiu ci phi lm, l: kho my tnh; dng cc la chn ca BIOS; bo v trnh Boot Loader l LILO (thng qua cc tham s trong file lilo.conf); kho mn hnh bng xlock v vlock. - An ton ti khon truy nhp: Bo v bng cch phn quyn ti thiu; trnh ng nhp vi ti khon root hay su - An ton file v h thng file: thit lp umask; phn bit r owner/group/other; Cc thuc tnh: read/write/Execute/Save/SUID/SGID - An ton mt khu: /etc/passwd v /etc/shadow - M ho: Linux h tr PGP, SLL, S-HTTP, S/MIME, IPSEC, ssh, stelnet, PAM, CIPE, Kerberos, CFS v TCFS - An ton giao din ho: khc vi Microsoft Wimdows, Xwindow trong Linux chy nh mt ng dng. Chnh v vy m c kh nhiu ci mt an ton t c th. Nhng ci cn quan tm ti gm c X11, SVGA v GGI (Generic Graphic Interface). - An ton nhn: c nhiu tu chn khi dch nhn c lin quan n kh nng an ninh an ton, v d nh CONFIG_FIREWALL; cc thit b nhn nh /dev/random hay /dev/urandom. - An ton mng (c rt nhiu vn ): trnh packet sniffer; file /etc/services; trnh tcp_wrappers; trnh inetd; an ton NFS (network file system); ... Chng 2 Login v xc thc ngi dng m t chi tit v qu trnh ng nhp (t khi du nhc login cho ti khi xc thc xong v h thng a ra du nhc shell), phng php xc thc ngi dng cng nh cch qun l ngi dng trn h thng Linux: - Trnh by lu ca vic ng nhp bng trnh getty v login - Qun l ti khon v mt khu vi file /etc/passwd v /etc/group. Hm crypt() c s dng m mt khu (c dng DES hay MD5 trong vi tham s salt. Mt khu shadow l mt cch tng cng an ninh an ton. Trong Linux c h tr cng c Cracklib v Cracklib_dict nh gi mnh ca mt khu v nhc nh ngi dng. - PAM (Pluggable Authentication Modules) l cc th vin chia s (shared libraries), cho php ngi qun tr h thng la chn cch xc thc ngi dng. Ni cch khc, ta khng phi bin dch li cc ng dng s dng PAM (PAMaware), v vn c th chuyn i cch xc thc khc nhau. Linux PAM c 4 kiu tc v (qun l) c lp l: qun l xc thc (authentication), qun l ti khon (account), qun l phin (session), v qun l mt khu (password). T hp cc lc qun l v cch i x vi mt ng dng c thit lp bi cc mc trong file cu hnh ca Linux PAM. C php ca cc file cu hnh ny c m t trong bo co ( l file /etc/pam.conf hoc mt s file trong th mc /etc/pam.d/). Trong bo co c nu ra n 33 modules kh dng, l: pam_cracklib; pam_deny; pam_limits; pam_nologin;... Vi mi module, trong bo co c cp n cc thng tin nh: m t chc nng; cch dng; thnh phn xc thc; ....Cui cng c lit k cc gi v th vin m PAM yu cu, l: ld-linux.so.2, libcrypt.so.1, ....

18

Phn II An ninh ca h iu hnh Sun Solaris Chng 1 Gii thiu v nh gi kh nng an ton ca Solaris trnh by v 4 mc bo v trong Solaris: (1) iu khin ng nhp: xc nhn mt khu dng file che; nh thi gian c liu lc, hn ch s gi truy nhp; khng cho php mt khu c; mt khu phi di; cm sau nhiu ln b t chi; t ng kho mn hnh v ra khi mng; bo v truy nhp t xa; ch c bit n root/su. (2) iu khin truy nhp ti nguyn h thng: thit lp v kim tra thc trng an ton; bo v file; kim ton; (3) Cc dch v phn tn an ton v nhng nn tng pht trin: c cc dch v xc thc, b mt v ton vn; PAM; GSS-API (General Security Services Application Programming Interface); c dch v cp php ; cc tin ch an ton t xa (rcp, rsh, rlogin) (4) iu khin truy nhp ti mng vt l: phng t bn trong v bn ngoi vi Solstice Firewall-1 v Solstice Sunscreen. Chng 2 Qun l h thng an ton bao gm 4 vn : (1) Cho php truy nhp ti h thng my tnh: Duy tr an ton cng vt l; Duy tr iu khin ng nhp; Hn ch truy nhp ti d liu trong cc file; Duy tr iu khin mng; Kim sot vic s dng h thng; t bin ng dn mt cch ng n; An ton cc file; Theo di vic ng nhp ca siu ngi dng (root); Ci t firewall; S dng cng c tng cng an ton t ng (2) An ton file: Cc lnh qun l file; M ho file; Cc danh sch iu khin truy nhp ACL. (3) An ton h thng: Nhng hn ch ng k truy nhp; Cc cch ng nhp c bit; Qun l thng tin mt khu (file NIS, NIS+, /etc/passwd, /etc/shadow); S dng Shell hn ch; Theo di ng nhp ca superuser. (4) An ton mng: Cc h thng firewall; Xc thc v cp php; Chia x cc file; Hn ch truy nhp ca superuser; S dng cc cng b mt; S dng ASET. Chng 3 Cc tc v an ton file m u bng vic trnh by v cc tnh nng an ton file: cc lp ngi dng; cc quyn i vi file; cc quyn i vi th mc; cc quyn c bit; umask mc nh. Sau m t chi tit cc thao tc : hin th thng tin v file; thay i quyn s hu file; thay i cc quyn i vi file; kim sot cc quyn c bit; s dng cc danh sch iu khin truy nhp (ACL). Chng 4 Cc tc v an ton h thng ch dn tng bc : hin th trng thi ng nhp ca ngi dng; hin th nhng ngi dng khng c mt khu; v hiu ho tm thi ng nhp ca ngi dng; lu li nhng cuc ng nhp tht bi; to mt mt khu quay s; v hiu ho tm thi cc cuc ng nhp bng quay s; hn ch Superuser (root) ng nhp ti thit b iu khin; gim st nhng ngi s dng lnh su; hin th nhng ln th truy nhp ti thit b iu khin ca Superuser (root). Chng 5 S dng cc dch v xc thc gm cc ni dung sau: - RPC an ton l cch thc xc thc xc nhn c my ch v ngi dng. RPC an ton dng xc thc hoc Diffie-Hellman hoc Kerberos. C hai c ch xc thc ny dng m DES. Mi trng NFS dng RPC an ton v c hiu nh NFS an ton. C hai kiu xc thc Diffie-Hellman v Kerberos version 4 u c h tr. - i vi xc thc Diffie-Hellman th kho cng khai v b mt c lu trong CSDL NIS hoc NIS+. Sau y l cc giao dch trong mt phin clien-server c s dng AUTH_DH: sinh cp kho (bng lnh newkey hoc nisaddcred); thc

19

hin lnh keylogin; sinh kho giao tip; lin lc ln u vi server; gii m kho giao tip; lu thng tin trn server; gi tr nhn xc minh cho client; client xc thc server. Kerberos tin hnh xc thc mt khu ng nhp ca ngi dng. Ngi dng a vo lnh kinit thu c th ph chun thi gian ca phin (hoc 8 gi, l thi gian phin mc nh) t server xc thc Kerberos. Khi ngi dng logout, th c th b hu (dng lnh kdestroy). PAM cung cp cch thc "ti vo" cc dch v xc thc v m bo tr gip nhiu dch v xc thc. PAM cho php bn "cm thm" cng ngh xc thc mi m khng cn thay i cc dch v h thng tip nhn nh login, ftp, telnet v ..... Nhng li ch ca vic dng PAM: linh hot, d dng, ... 4 kiu ca PAM: xc thc; ti khon; phin; mt khu PAM cung cp mt phng php xc thc ngi dng nhiu dch v bng stacking. Phng php stacking c th i hi mt ngi dng nh mt vi mt khu. Vi tnh nng nh x mt khu, mt khu chnh c dng gii m cc mt khu khc, nn ngi dng khng cn nh hay a vo nhiu mt khu Phn mm PAM gm c: th vin PAM (/usr/bib/libpam); cc modules; file cu hnh pam.conf Cc modules PAM: pam_unix; dial_auth;... Thao tc vi PAM gm c: lp s ; cm truy nhp tri php t xa bng PAM; b sung PAM module; kch hot thng bo li ca PAM; ....

Chng 6 S dng cng c tng cng an ton t ng m t cch dng cng c tng cng an ton t ng (ASET- Automated Security Enhancement Tool) gim st hoc hn ch truy nhp ti cc file h thng v cc th mc. - ASET c 3 mc an ton: an ton thp, an ton trung bnh v an ton cao. Cc file c bn ca ASET: tune.low, tune.med, tune.high, uid_aliases, cc file Checklist v file m trng asetenv. - ASET c c thy 7 tc v: Kim chng cc quyn i vi cc file h thng; kim sot cc file h thng; kim sot ngi dng/nhm; kim sot cc file cu hnh h thng; kim tra mi trng; kim tra eeprom; thit lp firewall. Th mc /usr/aset/reports/latest cha cc bo co gn nht cho tng tc v (tune.rpt, cklist.rpt, usrgrp.rpt,....). - Cu hnh ASET bao gm: thay i file mi trng asetenv; chn cc tc v chy (TASK); lp k hoch thc hin(PERIODIC_SCHEDULE); c t file b danh (UID_ALIASES); kim tra m rng i vi NIS+ (YPCHECK); bin i cc file iu chnh (tune.low, tune.med, tune. High); khi phc cc file h thng do ASET bin i - Bn cng c th dng ASET trong mi trng phn tn NFS. Vi t cch ngi gim qun mng, bn c trch nhim ci t, chy v qun l cc tc v qun tr i vi tt c client ca bn. - Cc bin mi trng ca ASET bao gm: ASETDIR, ASETSECLEVEL , ... - C 2 cch chy ASET: trc tuyn hoc nh k - ASET h tr vic sa cha cc s c. Phn III An ninh ca cc h iu hnh h Microsoft Windows Chng 1 Tng quan nhc li m hnh lp mng trong mi trng Windows.

20

Mng c hnh thnh gm c hai phn chnh: ch (server) iu hnh v cung cp cc dch v, khch (client) nhn dch v v chu s iu hnh. V c bn c hai m hnh lp mng trong mi trng Windows: m hnh nhm lm vic (workgroup model) v m hnh min (domain model). Sau nh gi khi qut v an ninh an ton ca hai mi trng l Windows9x vWindowsNT. i vi WinNT gii thiu: cu trc h thng; kh nng bo v nh thit k hng i tng; cc h con bo mt ca WinNT (bao gm Local Security Authority; Logon Process; Security Account Manager; Security Reference Monitor; Directory database; Discretionary Access Controls) Chng 2 ng nhp, s dng dch v cp n vn ht sc kinh in, l mt khu. Cn phn bit mt khu Windows 9x vi mt khu WinNT. Mt khu WinNT c dng DES lm hm mt chiu, cn Win2000 ngm nh s dng giao thc thm nh quyn Kerberos v5. C th dng cc thit b bo mt bn th ba (v d nh th kho) ci thin h bo mt cho ngi s dng quay s vt trn mc bo mt sn c ca cc dch v Windows NT RAS. Chng 3 Phn quyn i vi th mc, tp trnh by v cc h thng file c trong h Windows, bao gm: FAT, NTFS, CDFS, HPFS. Phn quyn i vi th mc v tp thc cht l bo mt cc ti nguyn mng thng qua permission chia s. C 4 loi giy php, l: No access; Read; Change v Full Control. Chng 4 NTFS trnh by cc tnh nng ca NTFS, l: h tr tn tp di; h tr nn tp,.. i vi tp NTFS c 4 loi quyn: No Access, Read, Change v Full Conttrol. i vi th mc NTFS c 8 loi quyn: No Access, List, Read, Add, Add&Read, Change, Full Control, Special File Access. Cn ch phn bit permission ca c nhn v ca nhm, permission cc b v trn mng, permission chia s v NTFS. Win2000 cn h tr m ho tp vi EFS. 1.7 Quyn 5B: C ch an ton ca cc h iu hnh mng, Network hacker, Virut my tnh. Ch tr nhm nghin cu: TS. ng V Sn Bo co gm c 3 phn. Phn I Kh nng an ton ca cc h iu hnh mng gm c 3 mc v Ph lc. Phn II Network hacker c 5 mc v Ph lc. Phn III Virt my tnh c 5 mc v Ph lc. Phn I Kh nng an ton ca cc h iu hnh mng . Mc 1 Tng quan v h iu hnh : - H iu hnh l g? H iu hnh l mt chng trnh qun l ti nguyn (b x l, b nh, I/O, thit b lu tr v cc thit b khc, a thnh phn (to ra nhiu bn copy) v chuyn i (lm cho d s dng hn) cc ti nguyn phn cng. H iu hnh cng l chng trnh qun l my tnh o m cung cp cc my tnh o vi cc tin trnh (processes) chy trn . - Phn loi h iu hnh: n/a chng trnh; phn chia thi gian/thi gian thc; tp trung/phn tn. - Lch s pht trin ca h iu hnh - Cn c vo 6 yu cu chun tc nh gia h thng my tnh tin cy, B Quc phng M a ra 4 cp nh gi: D, C (c C1 v C2), B (c B1, B2 v B3), A (c A v A1).

21

Mc 2 C ch an ton ca h iu hnh trnh by 3 vn an ton chung i vi cc tt c cc h iu hnh mng: - An ton truy nhp mng: bao gm Xc nh tnh chn thc ca ngi dng; Xc nh trm lm vic m ngi dng c php truy nhp vo mng t ;Xc nh ngi l mt; Ngy mn hn ca khon mc ngi dng;... c bit, bnh lun v cch kim tra mt khu ca WinNT, Novell Netware v Unix - An ton h thng: Cc thao tc i vi ti khon (to/xa ngi dng/nhm, ...); Cc thao tc i vi thit b (tt my, dng my in, backup d liu,...) - An ton file v th mc: quyn truy nhp cc b; quyn truy nhp t xa. C phn tch k i vi Win2000. Mc 3 Cc l hng an ton nu ra : - i vi h iu hnh Windows nu ra mt s li gy ra do Internet Information Services; Dch v d liu t xa (Remote Data Services); SQL Server; NETBIOS; Anonymous Logon; LAN Manager Authentication; General Windows Authentication; IE; Remote Registry Access; Windows Scripting Host - i vi h iu hnh Unix nu ra mt s li gy ra bi Remote Procedure Calls; Apache Web Server; Secure Shell; SNMP; FTP; R-sevices Trust Relationship; Line Printer Daemon; Sendmail; BIND/DNS; General Unix Authentication - Cc l hng c th n t: (1) h iu hnh v cc ng dng; (2) do ngi s dng; (3) do ngi lp trnh. Trong ti liu c nu chi tit nhiu trng hp c th thuc 3 kiu trn. - Mt s h iu hnh c l hng v mt m (v d nh FTP daemon ca Unix) Ph lc c gii thiu Nessus l mt phn mm gim st an ninh mng. gii thiu cch ci t, cu hnh, chy khai thc chng trnh km theo file nht k kt qu chy trnh. Phn II Network hacker Mc 1 Hacker l ai phn ra black hat v white hat, hacher thng dn, hacker chnh tr, hacker l ngi trong cuc v hacker l ti phm c t chc. Mc 2 Hacker hack nh th no nu ra qui trnh 9 bc hack, l: FootPrinting, Scanning, Enumeration, Gaining Access, Escalating Priviliges, Pilfering, Covering Tracks, Creating Back Doors, Denial of Services. Hacker hot ng hiu qu l do: cu hnh sai my ch, li trong cc ng dng, nh cung cp thiu trch nhim, thiu ngi c trnh . Mc 3 Nhng li ca h iu hnh m hacker c th khai thc lit k ra: li trn b m, gi IP b chn bt v b phn tch (bng Sniffer chng hn), mt khu yu, ... Cui mc c a ra mt v d thc hin tn cng h thng Unix: thu thp thng tin v mc tiu; khai thc FTP, TFTP bug; khai thc cc dch v khc nh RPC, NIS; khai thc Sendmail; crack unix password file; khai thc l hng WU-FTP Server. Mc 4 Mt m v cc vn lin quan n hacker t ra cu hi l: c th s dng mt m chng hacker hay khng? Mt m c th dng vo 2 vic: bo v mt khu v m d liu c lu tr. Mc 5 Phng chng hacker nu ra 3 nguyn nhn khin ngi ta quan tm ti vic bo v thng tin trn Internet, l: bo v d liu, bo v ti nguyn mng,

22

bo v danh ting ca c quan. nu ra mt hng dn bo mt cho h thng gm 6 bc: (1) thnh lp b phn chuyn trch v vn bo mt; (2) thu thp thng tin; (3) thm nh tnh ri ro ca h thng; (4)xy dng gii php (dng firewall, IDS, VPN, sinh trc hc, smart card,...); (5) thc hin v gio dc; (6) tip tc kim tra, phn tch v thc hin. Ph lc gii thiu phn mm gim st an ninh mng SNORT. y l mt Network IDS. N c cc ch lm vic sau: Sniffer mode, Packet Logger mode, Network Intrusion Detection Mode. SNORT s dng mt ngn ng n gin v d hiu m t cc rule, gm c t kho Include, cc Variables, t kho Config vi cc directives. Mt rule gm c rule header v rule options. Rule header li gm c rule actions (c th l alert, log, pass, activate v dynamic), protocol (TCP, UDP, ICMP), IP address, cng dch v v ton t nh hng. Phn cui c nu kt qu thc nghim kho st mng bng SNORT. Phn III Virut my tnh Mc 1 Tng quan v virus my tnh dnh phn u tr li cu hi virus my tnh l g. Tip theo l phn loi virus: theo i tng ly nhim (B-virus v Fvirus), theo phng php ly nhim, theo mc ph hoi, theo h virus. Virus cng c tn gi khc l trojan horse hay worm. Mc 2 B-virus nu c ch ly lan ca B-virus. B-virus c th chia ra Single BVirus v Doublr B-Virus. Mt B-virus gm c phn install v phn thn (gm 4 phn nh l phn ly lan, phn ph hoi, phn d liu v phn Boot record). Cc c tnh ca mt B-virus gm c: tnh tn ti duy nht (trn a/trong vng nh); tnh thng tr; tnh ly lan; tnh ph hoi (nh thi/ngu nhin v lin tc); tnh gy nhim v ngu trang; tnh tng thch. Phn cui mc c phn tch k thut cc c tnh trn, ngoi ra cn c: k thut nh v chng trnh; k thut a hnh; k thut bin hnh; k thut chng m phng; k thut chng theo di; k thut ng hm-ca hu; k thut anti-tunnel. Mc 3 F-virus xt n 2 mi trng l DOS v Win32. i vi cc virus trn DOS cp n: phng php ly lan; phn loi thnh 2 loi (Transient File Virus v Resident File Virus); Cu trc ca TF-virus gm 3 phn: ly lan, ph hoi, buffer. Cu trc ca RF-virus gm 4 phn: install, ly, ph, buffer. Cng nh Bvirus, mt F-virus c cc yu cu: tnh tn ti duy nht (trong vng nh, trn file), tnh ly lan (nh v trn file, tm file i tng), tnh ph hoi (vi TF-virus, vi RFvirus), tnh thng tr (trc khi tr quyn iu khin, sau khi ot li quyn iu khin), tnh k tha. Sau , bo co c phn tch k thut i vi cc c tnh va nu cng vi k thut gy nhiu v ngu trang, k thut ly ngt. i vi F-virus trn Win32 phn tch v cc rings ca mi trng hot ng Windows v cc k thut nh: ly nhim, kim tra s tn ti, s dng Structured Exception Handling, nh v, cng ngh thng tr, tm kim file i tng, to o gip, ngu trang, chng m phng. Mc 4 Phn tch k thut virus trn mng cp ti mng LAN v Internet. Mt s cu hi c bn lun l: th no l trojan? B nhim trojan nh th no? Trojan nguy him nh th no? Trojan hot ng nh th no? Trojan c nhng loi g? Dng chng trnh no chng li?

23

Mc 5 Mt m v virus cp n mt ch kh, liu c th dng mt m pht hin v phng chng virus hay khng? i vi B-virus th mt m khng phng chng c, cn i vi F-virus th c th phng chng bng cch i tn file. C th dng ch k s pht hin file b virus. Cch thc phng chng virut c ghp vo cui mc ny (nu a thnh mc ring th hay hn) Ph lc l mt danh sch cc loi virus tiu biu cng vi m t ca chng: Nimda, Code Red, Chernobyl,... 2. Nhm th hai: Cc sn phm bo mt gi IP trn cc mi trng Linux, Solaris v Windows 2.1 Quyn 4A: Cc phn mm bo mt gi IP trn h iu hnh Linux. Ch tr nhm nghin cu: TS. Trn Duy Lai Bo co gm 2 phn. Phn I c tn l Lp trnh mng trong Linux c 2 chng. Chng 1 l Mng IP trong Linux v chng 2 l Lp trnh mng trong Linux. Phn II Cc sn phm bo mt gi IP c 4 mc. Ba mc A, B v C trnh by v 3 phn mm TRANSCRIPT, IP-CRYPTO v DL-CRYPTO. Mi mc A, B v C u c 2 chng, chng u gii thiu v gii php v chng th hai gii thiu v sn phm phn mm. Ring mc th t l mc D c 2 chng trnh by v gii php mt m bao gm : m d liu bng m khi v trao i kho t ng. Phn I Lp trnh mng trong Linux Chng 1 Mng IP trong Linux cp n cc ni dung sau: - Chng giao thc (protocol stack) l mt phn trong kernel code, n gm c SOCKET layer, INET layer, TCP/UDP layer, IP layer, Network device layer. - Cu trc ca socket buffer gm: sk, stamp, dev, h,.... Cc lnh lm vic vi sk_buff bao gm: skb_dequeue(), skb_queue_head(), ... - File /proc/net/route cha Forwarding Information Base. - Trnh by tng qut v qu trnh khi to mng khi h iu hnh khi ng, cch s dng trnh ifconfig v route thit lp kt ni mng, cc th tc c lin quan(devinet_ipctl(), ifconfig_main(), INET_rprint(),....) - Trnh by v qu trnh kt ni (connection): cu trc ca socket; socket v nh tuyn; qu trnh kt ni gm gethostbyname(), socket(), connect(), close(). - Cc bc gi d liu gm: ghi d liu vo socket; to mt gi UDP/TCP; bc gi trong IP; truyn mt gi. - Cc bc nhn d liu: c d liu t socket; nhn mt gi; chy bottom half; hu bc gi trong IP; chp nhn gi UDP/TCP; c t socket phn 2 - Cc bc ca IP Forwarding: nhn mt gi; chy bottom half; kim tra gi trong IP; chuyn gi trong IP; truyn mt gi - Internet Routing Protocol: Neighbor Table; Forwarding Information Base v Routing Cache; cc cu trc fn_zone (network zone), fib_node (network node information), fib_info (network protocol information), rtable (routing table entry), dst_entry (destination cache), neighbor (neighbor link) Chng 2 Lp trnh mng trong Linux : H iu hnh Linux p dng chun cng nghip Berkeley socket API, socket ny c ngun gc trong s pht trin BSD Unix (4.2/4.3/4.4 BSD). Trong chng ny xem xt cch qun l b nh v b m

24

 c ci t trong tng mng v trong cc trnh iu khin thit b ca nhn Linux. - Trnh by chi tit v sk_buffs, y l mt danh sch lin kt 2 chiu. - Cc th tc h tr mc cao hn l sock_queue_rcv_skb() v sock_alloc_send_skb() - Thit b mng: t tn cho thit b; ng k mt thit b; cc hm dev_queue_xmit() v netif_rx(); cu trc ca thit b gm c tn, cc tham s giao din bus (a ch v ngt), cc bin tng giao thc, cc bin tng lin kt, cc c; hng i. Cc hm (methods) ca thit b mng gm: setup; truyn (devhard_start_xmit()); Frame Headers (devhard_header); nhn (dev_alloc_skb()). Ngoi ra, cn trnh by v Activation, Shutdown, Configuration v Statistics ca thit b mng. - Trong chng ny cng c cp n IP-multicasting v cc th tc h tr Ethernet l eth_header(), eth_rebuild_header(), eth_type_trans(), eth_copy_and_sum() Nghin cu k, nm chc cch x l gi tin mng trong Linux l nhn t quyt nh c th thc hin thnh cng cc gii php can thip mt m nhm bo mt gi tin c truyn trn mng. Phn II Cc sn phm bo mt gi IP A. Phn mm TRANSCRYPT Chng 1 Gii php Transcrypt : Transcrypt da trn phn mm CIPE (Crypto IP Encapsulation). Cc cng vic c lm l: khai thc lm ch hot ng ca h thng v thay i phn mt m (bao gm thut ton m d liu v ton b phn trao i kho). Transcrypt bao bc cc gi tin IP ( c m ho) bi cc gi tin UDP v gi chng bng k thut UDP thng thng. y l s khc bit vi vic bao bc IP trong IP. Trong bo co trnh by v vic m ho gi tin v trnh trao i kho Kex.

IP

data

New IP

UDP

IP

data

Chng 2 Phn mm Transcrypt trnh by v m ngun ca Transcrypt, cch bin dch v ci t, cch thit lp cu hnh v cch chy chng trnh (gm cc bc np module v chy chng trnh daemon transcryptd. Trong bo co cng trnh by cc tu chn cu hnh phn mm. Transcrypt h tr np kho bng 2 cch: kt ni bng kho b mt trao i trc hoc trao i kho phin t ng bng trnh Kex. B. Phn mm IP-CRYPTO Phn mm IP-CRYPTO phng theo FreeS/WAN nhng ch h tr mt mode tunnel

25

vi nhng thut ton mt m c thay th (m d liu v trao i kho). Chng 1 Gii php bo mt ca IP-CRYPTO cp n: - K thut to card mng o v cch gi gi tin qua card mng o - Cch nhn gi tin mng trong nhn Linux - Ch ng hm (tunnel mode), Encapsulating Security Payload Packet Format (vi cc trng Connetion Identifier Index, Sequence Number,... ) - Phn tch chng trnh ngun ca qu trnh gi v nhn gi tin trong IP-Crypto
Outer IP header IP header IP Payload IP header IP Payload

My 1

Encapsulator

Decapsulator

My 2

Chng 2 Phn mm IP-Crypto trnh by v m ngun v b ci t ca IPCrypto; cch bin dch v ci t n; cch thit lp cu hnh (gm c cu hnh mng, trao i kho th cng, trao i kho t ng, s dng trnh keyingd); m hnh chy th nghim. C. Phn mm DL-CRYPTOR Chng 1 Bo mt tng DataLink trnh by v gii php can thip mt m. Cu trc gi tin MAC (Medium Access Control) vi cc phn Preamble, Header v CRC c trnh by. Trong nhn linux vic gi v nhn gi tin mng c cha trong cu trc cha gi tin struct sk_buff. Mi x l cc tng khc nhau u x l trn cu trc ny. Ta thy trong nhn linux vic gi v nhn gi tin tng data link c thc hin nh hai hm l dev_queue_xmit() trong trng hp gi gi tin i v net_bh() trong trng hp nhn gi tin. Hm dev_queue_xmit() s chuyn d liu vo hng i cho giao din vt l gi gi tin i. Mt khc hm net_bh() s ly gi tin do giao din vt l nhn c a vo b m hng i chuyn ln cho cc giao thc trn x l. V vy chng ta thy can thip mt m vo tng data link th gii php can thip vo hai hm ny l phng php ti u nht. Khi gi tin c truyn i, hm dev_queue_xmit() s thc hin vic m ho v sang bn nhn hm net_bh() s thc hin vic gii m. Nh vy, i vi cc giao thc mng tng cao hn (v d, giao thc tng mng IP) hai my l trong sut. Chng 2 Phn mm DL-Cryptor trnh by v m ngun ca DL-Cryptor, cch bin dch v ci t, cch thit lp cu hnh v 2 ch lm vic ca DL-Cryptor (trao i kho th cng v t ng). D. Gii php mt m Chng 1 M d liu bng m khi trnh by v 2 ch lm vic ca m khi

26

c dng n trong khi m gi IP l OFB (Output Feedback Mode) v CBC(Cipher Block Chaining Mode). Chng 2 Trao i kho t ng trnh by v giao thc trao i kho STS (Station-To-Station), n c u im l chng li c tn cng ngi ng gia. Giao thc STS c ci tin tr thnh giao thc STS i xng nh sau:
Alice g gy EK(SIGA{gx, gy}) EK(SIGB{gy, gx})
x

Bob

Trong chng ny trnh by v vic lp trnh giao thc STS i xng c trnh trao i kho Kex, cch s dng trnh Kex v c bit l vic dng trnh trao i kho i km vi 3 phn mm bo mt l Transcrypt, IP-Crypto v DL-Cryptor. 2.2 Quyn 4B: H thng an ton trn mi trng mng Sun Solaris. Ch tr nhm nghin cu: TS. ng V Sn y l mt gii php bo mt c nghin cu trong Ban C yu. Do u t ca ti KC.01.01, kt qu ny c hon thin, c bit l ni dung ca chng 4 c thc hin thm. Tuy vy, v mt ti liu th bo co vn c vit thnh 4 chng, trong 3 chng u nhm gii thiu cch tip cn dng cng ngh lp trnh STREAMS can thip mt m vo Solaris. Chng 1 Khi qut chung v gii php bo v gi IP bng k thut mt m thc s l mt bi tng quan v cng ngh IPSEC. Nhm nghin cu phn tch kh nng bo v thng tin khi can thip mt m vo mi tng ca giao thc TCP/IP, nh gi u nhc im ca gii php can thip mt m vo tng IP. Phn tch c ch truyn d liu ca giao thc TCP/IP, cc dch v bo v gi IP bng k thut mt m. T a ra m hnh chc nng ca h thng bo v gi IP bng k thut mt m. Chng 2 C ch qun l d liu ca giao thc TCP/IP trn Solaris thc cht l trnh by v gii php, cch tip cn, phng php nghin cu : streamS l phn b xung mi y ti kin trc ca nhn (kernel) UNIX.. StreamS c thit k gii quyt mt vi hn ch ca m hnh SOCKET, c bit trong lnh vc mng v truyn thng. Ct li ca m hnh StreamS l n c ci t ging nh chng giao thc. Mt chng STREAMS hay cn gi l mt lung (stream) bao gm mt trnh iu khin lung y (STREAMS driver) iu khin giao din vi phn cng, khng c hoc c mt s m un (STREAMS module) tng ng cc mc giao thc khc nhau v mt u lung (stream head) iu khin giao din gia lung v tin trnh ngi dng (user process).

27

Cc thnh phn ca lung gm: cc hng i (queue); cc thng bo (message); cc module; cc trnh iu khin (driver). Cc thao tc trn lung gm: open, read, write, close, ioctl, getmsg, getpmsg, putmsg, putpmsg, poll, pipe Vic xy dng lung gm c: m mt file thit b STREAMS; thm v hu cc module; ng mt lung. Cc trnh x l lung gm c: put v service Cc thng bo l phng tin truyn thng trong lung. Cc thng bo thng M hnh STREAMS thng: M_BREAK, M_CTL, M_DATA,... Tt c cc thng bo c to bi mt hoc nhiu khi thng bo. Mt khi thng bo l mt danh sch lin kt ca cc b ba (triples), mi b bao gm hai cu trc (mt khi thng bo (msgb) v mt khi d liu (datab) v mt vng nh m. Trong bo co cp n: vic gi v nhn thng bo; cu trc hng i; vic x l cc thng bo; giao din dch v v mt s cu trc d liu c dng trong lung (Streamtab, queue, qint, module_info, msgb, datab) Trong STREAMS cc trnh iu khin c m (opened) v cc m un c chn vo (pushed). C ba kiu ca trnh iu khin thit b:Trnh iu khin phn cng (Hardware Driver); Trnh iu khin o (Pseudo Driver); Trnh iu khin a lung (Multiplexer Driver). Trong bo co i su vo vic xy dng a lung STREAMS TCP/IP.

Chng 3 Gii php bo v d liu trong nhn h iu hnh Solaris trnh by gii php bt gi IP thc hin vic m ho trong m hnh STREAMS TCP/IP l xy dng v chn tng lc gi IPF thm vo. C ch m ho l: Gi IP c sinh ra bi cc ng dng trn mng Lan c truyn theo cp mng n giao din elx1 ca nt m ho ca mng LAN v c cha trong hng i c ca giao din elx1. Tip gi IP ln lt c chuyn ln hng i c ca tng IPF v hng i c ca tng IP. Ti y a ch ch ca gi IP c s dng h thng quyt nh ng i tip theo nh vo cc lnh route. Gi IP c chuyn sang hng i vit ca tng IP, sau c chuyn xung hng i vit ca tng IPF. Ti hng i vit ca tng IPF, phn on TCP (TCP segment) c m ho v c chuyn tip xung hng i vit ca giao din elx0 v c chuyn theo ln mng i tip. tit kim v mt thit b, chng ta nn tch hp nt m ho vi Router lc gi. Chng 4 Kho st kh nng chng li cc phn mm hacker v tc truyn d liu ca h thng bo v gi IP trn Solaris kho st kh nng ngn chn ca mt s phn mm hacker ca b phn mm IPSEC_SUN, l: Sniffit V.0.3.5, IPSCAN, Packetboy, ICMP_Bomber. Hn th na, nhng kh nng ny ca b phn

28

mm IPSEC_SUN cn c so snh vi b phn mm IPSEC trn Linux l FreeS/WAN. Bn cnh , nhm nghin cu cng kho st nh hng ca b phn mm IPSEC_SUN i vi thi gian truyn d liu ca dch v FTP v so snh vi FreeS/WAN. 2.3 Quyn 4C: Phn mm bo mt trn mi trng Windows. Ch tr nhm nghin cu: TS Nguyn Nam Hi Trong iu kin ca nc ta l mt nc ph thuc hon ton vo cng ngh nhp ngoi th vn an ton cng cn phi c nghin cu sao cho ph hp vi hon cnh ca chng ta. Lm th no va tn dng c sc mnh ca cc h thng phn mm thng mi hin nay nhng vn kim sot c mc an ton ca thng tin trn mng l mt trong nhng vn ng c quan tm. Ni dung nghin cu phn ny nhm mc ch nghin cu xy dng gii php bo v thng tin trn cc mng my tnh c xy dng trn nn tng m hnh mng Winsock. M hnh mng Winsock l mt m hnh mng c pht trin mnh m s dng rng ri ngy nay. Do vy nh hng nghin cu vo m hnh ny l cn thit v c ngha thc tin. Gii php v k thut c s dng: Ton b dng thng tin trn mng trong cc Platform Windows u chuyn qua Winsock. Vn t ra l lm th no c th khng ch c dng thng tin ny phc v cho cc mc tiu ring bit. Can thip trc tip vo cc Modul trong Winsock l mt vic lm kh c th thc hin c bi i vi nhng ngi pht trin ng dng th Winsock ch nh mt chic hp en. Chng ta ch c th bit c giao din vi Winsock m thi. Vy cch tip cn l nh th no. Chng ti tip cn theo kiu xy dng mt API mi trn Windows Socket API. Dng thng tin trc khi chuyn qua Winsock s qua mt tng mi do ta xy dng v tng ny chng ta c th khng ch c dng thng tin mng. MS Windows Khi xy dng mt tng mi trn tng Winsock c nhiu k thut phi gii quyt. Mt trong nhng k thut cn phi quan tm l x l cc message c gi t Winsock cho ng dng. Nu khng chn c dng message ny th khng th iu khin c qu trnh truyn thng gia ng dng ti client v phn ng dng ti server. Chng hn khi ta chn thm mt packet vo dng packet ca ng dng. Nu ta khng x l c cc message gi t Winsock cho ng dng th hu nh chc chn connection gia client v server s b hu b v qu trnh trao i thng tin gia client v server s b hu gia chng. K thut c chn x l y l s dng k thut subclass. Mc tiu chnh ca n l chn ton b cc message gi t Winsock cho ng dng, x l nhng message cn thit v tr li nhng message ca ng dng cho ng dng x l. Chng I M hnh Winsock dnh phn u trnh by v 3 thnh t ca m hnh mng Winsock,

New API message filter

Task A

Task B

New API DLL

Winsock DLL

29

 l: (1) Winsock application: cung cp nhng chc nng ca cc tng 5, 6, 7 trong m hnh OSI. N l mt chng trnh ng dng cng vi giao din ngi dng, n cng c th l mt th vin ng DLL trung gian cng vi API mc cao hn v cc ng dng ca n. Trong m hnh Winsock ta xem mt ng dng bt k m truy nhp Winsock DLL nh l mt ng dng ca Winsock; (2) Network system: cung cp cc chc nng ca cc tng 1, 2, 3, 4 trong m hnh OSI; (3) Winsock API: nm gia 2 tng trn, cung cp truy nhp ti c network system v cc ng dng ca Winsock s dng cc dch v ca h thng gi v nhn thng tin. Mt lin kt gia Client v Server trong m hnh Winsock gm 5 thnh phn: Giao thc, a ch IP ca Client, s hiu cng ca Client, a ch IP ca Server, s hiu cng ca Server. Socket c trng thi, trng thi hin thi ca socket xc nh cc php ton mng no s c tip tc, cc php ton no s b treo li v nhng php ton mng no s b hu. C hai kiu socket: Datagram Socket v Stream socket. Mi kiu socket c nhng trng thi v nhng php chuyn khc nhau. Chng II Xy dng socket an ton m t cu trc ca Secure Socket, cch thc lm vic v li ch i vi mi trng truyn thng t xa. Nhm nghin cu pht trin giao din ti tng giao vn cho truyn thng TCP/IP c gi l Secure Socket phc v cho mc tiu nn v m ho d liu truyn qua Internet v cc mng PSTN.Secure Socket c ci t ti cc trm, Server v trong FireWall m bo an ton v truyn thng tc cao gia trm v cc my trm. Secure Socket cung cp giao din lp trnh ng dng Winsock chun cho cc ng dng TCP/IP chng hn nh Web Browser, telnet, ftp m khng bt k s thay i no i vi cc trnh ng dng v TCP/IP. Cc yu cu c t ra khi thit k l: kh nng thch nghi; trong sut; c kh nng m rng; d ci t v hiu qu. Secure socket bao gm th vin lin kt ng tng giao vn. N c t gia cc chng trnh ng dng v TCP/IP, cc trnh tin dng tng tc vi ngi dng. Ti cc PC client th Winsock l giao din lp trnh ng dng chun cho TCP/IP. Chng ta c th thc hin nn, m ho v xc thc d liu m khng cn thay i phn mm ng dng hoc TCP/IP. - C mt vi cch chn cc lnh ca Winsock : Thay th cc a ch hm; Thay i thng tin lin kt; i tn th vin Winsock. Nhm ti chn cch th 3 thc hin. - Khi s dng cc hm ca Winsock, c hai dng thao tc: Dng ng b v dng d b. Nhm nghin cu chn thao tc kiu d b, s dng hm Winsock WSAAsynselect (hm ny c dng ng k hm ca Windows) nhn thng bo v thay i Mode v d b. Secure Socket chn WSAAsynselect v thay th tham s Windows handle ca n bng Windows handle ca Secure socket. Sau pht li lnh ti Winsock.Dll. Hm send() dng d b hm cn chn v x l. Trong chng III c m t li thut ton m khi IDEA c dng m d liu. Phn ph lc trnh by trnh by nhng modul c bn phc v cho th nghim t tng thit k trnh by trong phn trc. Chng trnh th nghim gm cc phn c bn sau: Cc m un thuc socket c thit k li; Cc m un phc v cho m ho ni dung cc gi d liu; Cc m un phc v cho vic xc thc ni dung cc gi d liu; Cc m un phc v cho vic to kho phin. Nhng k thut mt m trnh by trong phn ny ch nhm mc ch khng nh nhng tng thit k trong phn trc l hon ton kh thi. Cc giao thc hi thoi gia client v server c thit k nhm khng nh nhm nghin cu c th ch ng thc hin hi thoi gia Client v Server theo bt k giao thc an ton no.

30

3. Nhm th ba: Cung cp v s dng chng ch s 3.1 Quyn 6A: Mt h thng cung cp chng ch s theo m hnh sinh kho tp trung. Ch tr nhm nghin cu: TS. Trn Duy Lai Trn nn ca phn mm c m ngun m OpenCA, chng ti xy dng mt h thng cp chng ch vi m hnh n gin: trung tm sinh cp kho v ch c RootCA. phc v cho quy m nh, c th chng ta khng cn n c my RA (v c my RAO na cng khng cn n). Chng 1 Ci t thit lp cu hnh cho my CA dnh phn u gii thiu v PKI, CA, RA, X.509 v 3 certificate, certification paths, revocation. Sau i vo trnh by cch vn hnh my CA: - ci t my CA cn c RedHat Linux 7.2, Perl version 5.6.0 v Apache version 1.3.12. Trong bo co m t chi tit cc bc cu hnh cho Apache Server, cho MySSL v MyCA. Cc th mc v tp c lin quan c m t km theo chc nng. Menu chnh gm 4 mc: Initiazation, Process Cert Request, Certificates v CRL. Cc chc nng trong mi mc cng c lit k. - Tip theo, bo co m t vic Khi to cho CA gm c 3 bc l: (1) Initialize local Perl Database; (2) Generate RootCA Key pair and Self sign Certificate; (3) Export Root CA Certificate and Empty CRL to LDAP. Chng 2 LDAP v Public Database trong h thng MyCA dnh cho vic lu tr chng ch s cn hiu lc hay b hu b sao cho vic khai thc s dng c tin li. Ngi ta thng dng LDAP Server lm vic ny, mc d v mt nguyn tc c th dng mt database server bt k. - Trc ht, vic ci t v cu hnh LDAP Server c trnh by. Trn nn ca LDAP Server, mt database c khi to, chnh l Public Database. Trong ti liu c m t chc nng ca cc th mc v tp c lin quan n Public Database. Trn trang giao din chnh ca Public Database cc chc nng c phn lm 3 nhm, l: Download CA Certificates Chain From LDAP, Download Certifcates from LDAP v Update CRLs. - Trong ti liu m t chi tit cc thao tc sau: Ti chng ch ca CA t Public Database Server (c phn bit cho ngi dng s dng Windows hay Linux); Ti chng ch ca ngi khc t Public Database Server (phn bit ngi s dng dng Windows hay Linux); Cp nht CRLs (phn bit cho trnh duyt Netscape, cho Apache Server, cho IE hay IIS. Chng 3 Qui trnh pht hnh chng ch s m t 6 bc cng vic sau: (1) Nhp thng tin v ngi c cp; (2) K yu cu cp chng ch; (3) Chuyn i nh dng ca chng ch; (4) Cp chng ch cho ngi dng; (5) Cp nht chng ch va pht hnh ln LDAP server; (6) In ni dung chng ch. Chng 4 Quy trnh hu b chng ch s m t bc cng vic sau: (1) Hu b mt chng ch bi ngi qun tr; (2) Pht hnh CRL v cp nht ln LDAP; (3) Ti CRL t my LDAP v my phc v; (4) In chng nhn hu b chng ch cho ngi s dng.

31

3.2 Quyn 7A: Mt h ch k s c s dng RSA. Ch tr nhm nghin cu: TS. Trn Duy Lai i vi nhiu loi d liu th tnh xc thc i khi li cn hn tnh bo mt. Mt m kho cng khai gii quyt c bi ton xc thc bng h ch k s (vi s tr gip ca hm bm). C nhiu thut ton ch k s, nhng RSA l mt thut ton quen thuc v n c trong chun ca nhiu nc, nhiu t chc quc t. Th nhng dng ng thut ton ch k s RSA khng phi l mt vic d. Bn cnh vic la chn tham s sao cho an ton, chng ta cn phi ch ti cch chun b d liu k, ch khng phi c vic lu tha vi s m l kho b mt l xong. Trong vic chn tham s an ton th khng ch c p v q, m cn c c e v d na. C mt iu cn ch l tiu chun an ton i vi RSA m khc vi RSA k. Chng I Ch k s da trn mt m hin i cp ti mt s ci mang tnh l thuyt, l: nh ngha v tnh cht ca php k/php kim tra; Ch k s t h m c th o ngc; Lc ch k s cng vi appendix; Lc k khi phc thng bo; im qua cc kiu tn cng trn lc k; Hm bm ( k c nhanh). Chng II Lc ch k s RSA im qua cc tn cng i vi ch k RSA: phn tch s nguyn; tnh cht nhn ca RSA; bi ton reblocking; ....Trong ti liu c trnh by 2 nh dng chun, l ISO/IEC 9796 v PKCS#1, trong PKCS#1 (ca hng RSA) c chn lp trnh. Trong ti liu trnh by thut ton k theo PKCS#1 phin bn 1.5, y cha phi l chun k dng RSA tt nht. Chun k tt nht dng RSA l RSA-PSS trong PKCS#1 phin bn 2.1. Chng III Module thc hin k v kim tra ch k s s dng chng ch s trnh by mt s cng ngh c lin quan ti vic to ra ch k theo chun. C mt s PKCS (Public Key Cryptography Standard) c cp n, u tin l PKCS#1, sau l PKCS#7 (Cryptographic Message Syntax Standard), PKCS#8 (Private-Key Information Syntax Standard). Trong chng ny module thc hin vic k v kim tra mt tp d liu c s dng chng ch s (kho c ly ra t chng ch s). Cc tp header v th vin cn thit l: libcrypto.a, sign.o, sign.h, verify.o v verify.h. 3.3 Quyn 8A: Dng chng ch s vi cc dch v Web v Mail. Ch tr nhm nghin cu: PGS. TS. L M T Chng 1 Giao thc Secure Socket Layer cn thit bi v y chnh l gii php bo mt giao dch gia Web Server v Web Client. SSL v3 gm c SSL Record Protocol, SSL Handshake Protocol, SSL Change Cipher Specification v SSL Alert Protocol.

32

ClientHello ServerHello Certificate Certificate Request ServerHelloDone Certificate Certificate Verify ChangeCipherSpec Finished ChangeCipherSpec Finished

Thit lp protocol version, ID phin, thut ton m ho, phng php nn, trao i gi tr random

Server gi certificate v yu cu Client gi li certificate nu c thit lp xc thc client Client gi certificate nu c yu cu

Change CipherSuit v kt thc giai on Handshake

Client

Server

i vi Application data, SSL Record Protocol thc hin 3 vic: phn mnh d liu (frame); (2) nn d liu (3) m ho v to MAC ri chuyn xung tng TCP. Cc tham s mt m lin quan n mt phin lin lc c thc hin thng qua SSLv3 Handshake Protocol. Khi SSL client v SSL server bt u mt phin lin lc chng cn thng nht v phin bn ca giao thc s c dng, la chn thut ton m ho cho phin lin lc, c th c hoc khng vic xc thc ln nhau, v s dng thut ton m ho kho cng khai sinh kho chung cho phin lin lc . Trong bo co trnh by c th qu trnh thc hin SSLv3 Handshake qua cc bc gia client/server nh sau: Client Hello; Server Hello; Certificate; Certificate Request; ServerHelloDone; Certificate; Certificate Verify; ChangeCipherSpec; Finished; ChangeCipherSpec; Finished. Cc d liu c trao i gm c: Hello Messages; Server Cerificate; Server Key Exchange Message; Certificate Request; Server Hello Done; Client Certificate; Client Key Exchange Message; Certificate Verify v Finished. cui chng c trnh by cch tnh kho cho phin lin lc. Chng 2 S dng chng ch s vi dch v Web trnh by cc thao tc sau: - Ci t chng ch cho trnh duyt Web: xt hai trng hp l IE v Netscape. i vi IE, trc khi Ci t chng ch cn phi Ci t tin ch tr gip. - Cp nht CTL v CRL t Public Database Server - Ci t v thit lp cu hnh cho phn mm E-shop c s dng chng ch trn Apache Server - S dng lnh https truy nhp ti E-shop bng IE hoc Netscape: nu c hai chng ch cn hiu lc th kt ni s thnh cng, ngc li, nu mt trong hai chng ch ht hiu lc th kt ni s khng thnh cng. Chng 3 S dng chng ch s vi dch v Mail trnh by cch a chng ch s vo trnh th tn Outlook Express, cch dng chng ch s m ho v xc thc

33

th, cch cp nht cc CRL. Ch rng i vi Outlook Express, chng ta ch c th dng nhng thut ton m d liu c sn nh DES. 3.4 Quyn 8B: Bo mt dch v Web thng qua Proxy Server. Ch tr nhm nghin cu: ThS. ng Ho Chng 1 SQUID Proxy Server : - Squid l proxy caching server c m ngun m cho cc my khch s dng web, h tr cc i tng d liu ca cc giao thc FTP, gopher v HTTP. Squid c s dng 2 ch : ch tng tc http (httpd-accelerator) tng kh nng cung cp ca Web server, v ch proxy-caching server m ta thng s dng. - Cc thut ng c s dng vi Squid gm c: Internet Object; Internet Object Caching; Cache Hierarchy; parent cache; sibling cache; Internet Cache Protocol; Hyper Text Caching Protocol; Squid cache resolution algorithm. - Tp cu hnh squid.conf kh phc tp. Trong tp ny c 7 th lin quan n mng; c 9 th lin quan n cy lu tr; c 12 th lin quan n cache size; c 15 th lin quan ti th mc lu tr v tp log; c 18 th lin quan n cc chng trnh bn ngoi; c 14 th iu chnh cache; c 10 th lin quan n gii hn thi gian kt ni; c 7 th dnh cho iu khin truy nhp; c 6 th lin quan ti qun tr h thng; c 4 th dnh cho vic ng k cache server; c 5 th tng tc Web; c 41 th gii hn bng tn v ngoi ra cn mt s tu chn khc na. - Chng ta quan tm ti nhng la chn h tr SSL, l https_port v ssl_unclean_shutdown. Chng 2 Tch hp mt m cho Proxy trnh by v MySSL. Mt cch tm tt, MySSL nhn c t OpenSSL sau khi thc hin cc cng vic sau: Loi b nhng phn m ngun khng s dng n; Loi b giao thc SSL v2; Loi b cc thut ton m c sn, thay vo l thut ton M khi ca Ngnh CY; Loi b cc thut ton bm tr MD5 v SHA-1; Loi b cc thut ton k, tr RSA; Loi b chng trnh sinh s nguyn t xc sut, thay vo l thut ton sinh tham s RSA an ton. Trong ti liu c m t cu trc file v th mc ca MySSL v phn tch nhng on chng trnh ngun quan trng c lin quan n: thut ton m khi (cc tp mk1_core.c, mk1_cbc.c, ...); thut ton m v k RSA; thut ton bm MD5 v SHA-1; th vin HMAC. Cui chng c trnh by cch bin dch v ci t MySSL cng nh cch bin dch v ci t SQUID c h tr dch v mt m t MySSL. Chng 3 Trnh duyt MyBrowser v tch hp mt m cho trnh duyt MyBrowser gm cc ni dung sau: - Gii thiu Mozzila 1.0 cng cc cng ngh chnh c s dng trong l XPCOM, XPToolkit vi XUL (XML-based User Interface Language) v XBL (eXtensible Binding Language) - NSS l b chng trnh ngun cung cp mt th vin c lp thc hin cc dch v bo mt phc v cho vic pht trin cc ng dng cross-platform. Khi xy dng mt ng dng s dng NSS, ng dng c th c cung cp cc giao thc SSL v1, SSL v2, TLS, cc chun mt m kho cng khai PKCS#5, PKCS#7, PKCS#11, PKCS#12, S/MIME, chng ch s theo chun X.509 v3 v rt nhiu cc chun mt m khc. - Trnh duyt MyBrowser nhn c t Mozzila 1.0 bng cch ti thiu ho v tch hp mt m. Trong ti liu c trnh by cch bin dch ra MyBrowser.

34

Chng 4 Bo mt dch v web thng qua Proxy gm cc thng tin sau: - Ci t v cu hnh Web Server: c th dng Apache Web Server hoc IIS. - Thit lp cu hnh cho Proxy Server - Ci t trnh duyt MyBrowser v ci t chng ch s cho MyBrowser - M hnh th nghim nh sau:
Squid MySSL (Linux)

Web Client (Linux, Win)

128.1.1.3/16

128.1.1.2/16

200.1.1.2/24

Web Server (Linux, Win)

200.1.1.1/24

HUB 1
-

HUB 2

Cc thao tc c th nghim: truy nhp trang web; ghi trang web vo h thng v ti tp.

3.5 Quyn 9A: Mt s thit b c s dng ghi kho. Ch tr nhm nghin cu: TS. Nguyn Hng Quang Chng 1 S dng iKey 1000 lu chng ch s v kho b mt gii thiu thit b iKey ca hng Rainbow Technologies. Trong ti liu gii thiu chi tit cc thao tc cn lm khi ci t phn mm i km vi thit b ln my tnh. Tip theo trnh by cc bc nhm dng iKey lu chng ch s v kho b mt, l: khi to nh dng cho iKey; thit lp tn cho iKey; khi to (hay t li) vng lu chng ch s; thay i mt khu; lu chng ch s. Sau l cch ng k chng ch s vi cc ng dng nh IE v Outlook Express. Chng 2 Thit k mt loi thit b nghip v trnh by vic thit k, xy dng mt loi thit b nghip v c giao din USB. S khi tng qut ca thit b gm c 3 khi: khi giao din, khi vi x l v khi nh. Khi giao din s dng linh kin IC USB FT245 BM ca hng FTDI. Khi vi x l s dng linh kin AT89C2051 ca hng Atmel. Khi nh s dng linh kin AT24C64 ca hng Atmel. Qu trnh lm vic ca thit b c m t nh sau: Khi cm thit b vo trong my tnh, my tnh s c ngun cho thit b v thit b s hot ng, trao i vi my tnh my tnh nhn bit thit b l mt thit b USB chun, sau thit b s i xc nh qu trnh tip theo l c hay ghi v thc hin theo chc nng cho n kt thc. Qu trnh lm vic ny c m t nh lu i km. Trong bo co c trnh by lu ca thut ton c/ghi d
Start

My tnh nhn TB S Ghi? c Ghi

End

35

liu. 4. Nhm th t: m bo ton hc 4.1 Quyn 3A: Sinh tham s an ton cho h mt RSA. Ch tr nhm nghin cu: TS. Lu c Tn Mt m kho cng khai cn c s nguyn t ln, nhng ch ln khng th cha . Khng phi s nguyn t no cng dng cho mt m kho cng khai c mt cch ni chung v cho mt h mt c th no ni ring (v d nh RSA hay Elgamal). Chng I H tiu chun cho h mt RSA cp n 4 tiu chun cho s nguyn t dng cho RSA ca chun X9.31 (y l mt chun ca cc t chc ti chnh M). Trn c s 4 tiu chun , cng vi vic xt cc tn cng phn tch s bng phng php sng trng s, tn cng phn tch s da vo ng cong elliptic, phng php phn tch s p1 ca Williams, tn cng kiu gii h phng trnh v phn tch s da vo gcd(p1, q1), nhm nghin cu a ra h tiu chun ca mnh vi nhng ngng c th. an ton ca bi ton phn tch s ph thuc vo s pht trin ca cng ngh tnh ton, nu ly lut Moore lm c s (sau 18 thng cng sut tnh ton tng gp i vi cng gi thnh) th nhm cc tc gi a ra mt h d kin gm 5 tiu chun cho cc tham s p v q dng cho h mt RSA dng vo thi im nm 2003 vi thi gian an ton l y nm, l: - S modulo N phi c ln c n bt vi n tho mn bt ng thc
4.91n (ln n + ln ln 2) E vi E c tnh theo cng thc : E = 56 +
1 3 2 3

Y + y 2003 1.5

Cc s nguyn t p v u xp x N gcd(p-1, q-1) phi c c nguyn t ln khng di E bit max{gcd(p1, q1)} khng qu
n 2E bit 4

(p1) phi c c nguyn t ln khng di 2E bit.

Chng II Xy dng phn mm sinh s nguyn t dng cho h mt RSA bt u bng cc nh l Pocklington v Lucas, trn c s cc hm PocklingtonPrimeTest, LucasPrimeTest v LucasPocklingtonPrimeTest (dng PocklingtonPrimeTest v LucasPrimeTest) c xy dng. Tip , thut ton sinh s nguyn t bng phng php tng dn di c trnh by (s dng LucasPocklingtonPrimeTest), v mt l thuyt c nh gi s ln dn trung bnh v mt s nguyn t sinh c theo cch ny. S nguyn t tho mn cc iu kin 2 v 5 trong s 5 iu kin trn c gi l s RSA-mnh. Thut ton StrongPrimeGenerator (theo kiu ca Gordon) c xy dng sinh s RSAmnh (thut ton ny c dng n hm PrimeP-1Generator(k), hm ny sinh ra s nguyn t vi p-1 c c nguyn t k bit, hm PrimeP-1Generator c dng n PocklingtonPrimeTest). Lc lng cc s RSA-mnh c sinh theo thut ton StrongPrimeGenerator c nh gi v mt l thuyt. Cui cng, cc cp s nguyn t p v q tho mn cc iu kin 3 v 4 trong s 5 iu kin c k trn c gi l cp s nguyn t c quan h mnh. Hm RSA-Generator c thit k sinh ra nhng s nh vy, hm ny c gi n hm PrimeP-1Generator v hm GordonGenerator. n lt mnh, hm GordonGenerator li c xy dng trn c s hm LucasPocklingtonPrimeTest v thut ton CRT.

36

4.2 Quyn 3B: Sinh tham s an ton cho h mt Elgamal. Ch tr nhm nghin cu: TS. Lu c Tn Trong chng I, vi tiu "Vai tr ca s nguyn t mnh dng p=2q+1 trong mt m", gii quyt vn s nguyn t mnh dng u v c th hn l im ra 3 ng dng ch yu trong mt m l bi ton bo mt tin dng h mt Elgamal, bi ton xc thc tin theo s ch k Elgamal v bi ton tho thun kho theo s Diffie-Hellman. c im chung ca cc loi hnh trn l tnh an ton ca chng u c coi l tng ng vi tnh kh gii ca bi ton logarit trn trng GF(p), chnh v th phn 2 ca chng i vo trnh by cc thut ton gii bi ton ny vi mc ch khng g khc l dn ra c cu tr li l " m bo tnh an ton cho cc loi hnh trn th tham s nguyn t c s dng phi l nhng s ln c trn 500 bit v c dng p=2q+1 vi q nguyn t". Chng II, "Sinh s nguyn t bng phng php tng dn di", trnh by mt phng php sinh s nguyn t hon ton da vo nh l Pocklington. Mc d rng trn gc thi gian tnh th cc thut ton kim tra tnh nguyn t da vo nh l Pocklington ch c ngha i vi cc lp s nguyn nh th nhng thut ton ca chng ti a ra dng sinh cc s nguyn t ln khng theo phng thc sinh truyn thng l Ly ngu nhin mt s nguyn Kim tra tnh nguyn t ca n, cho n khi tm c s nguyn t m theo cch Sinh cc s nguyn t nh dng chng lm c s sinh cc s nguyn t ln hn cho n khi c s nguyn t c di mong mun. V mt l thuyt th bt c mt s nguyn t no cng c th c sinh t phng php ca chng ti tt nhin vi kh nng khng nh nhau. Quan trng hn c trong vic a ra thut ton ny l n c th sinh cc s nguyn t dng trong h mt Elgamal mt cch rt hiu qu. Chng III, "Chng trnh sinh s nguyn t cho h mt Elgamal", i vo gii quyt vn xy dng c s l thuyt ca thut ton v hin thc ho bng mt chng trnh sinh s nguyn t mnh trn mt lp s nguyn c th: - Phn 1 ca chng ny gii thiu v lp Lp(k) vi y vic nh gi v lc lng s nguyn t trong lp v thut ton sinh cc s nguyn t trong , vi s la chn p =2, bng cch da vo nh l Pepin v quan trng l Ch 3.3 chng ti ch ra c mt thut ton cc nhanh sinh cc s nguyn t Pepin (cc s nguyn t dng q1=r2k+1 vi r l v c di bit khng qu k) v sau l vi p l s c di c mt na di s nguyn t cn sinh chng ta c c mt kiu sinh rt nhanh cc nhn nguyn t q c dng q=Rq1+1 vi R chn v R q1 (nhng s nguyn dng trn c kim tra nhanh tnh nguyn t bng nh l Pocklington v chng ti gi nhng s nguyn t ny l nhng s Pocklington) vi di ln (t 500 n 1500 bit). y chnh l lp s m chng ti quyt nh la chn xy dng phn mm tm cc s nguyn t ln trn . - Phn 2, "Vic sinh cc s nguyn t mnh v gn mnh", ngoi vic thng nht bng cch a ra nh ngha cho khi nim gn mnh trong phn ny a ra mt kt qu cc k n gin nhng rt hiu qu khng nh tnh mnh ca mt s nguyn t l nh l 3.5. Theo kt qu trn th vi q l s nguyn t l, chng t p=2q+1 nguyn t (tc l s nguyn t mnh) ta ch cn kim tra ng thc 22q =1 (mod p) v 3 khng phi l c ca p. Nh vy cng vi phn 1,

37

n y chng ta c c y c s l thuyt cho mt thut ton nhanh dng sinh cc s nguyn t mnh. Phn 3, "Tnh ton trn cc s ln", nhm hin thc ho c thut ton ch ra 2 phn trn bng mt chng trnh phn mm sinh s nguyn t mnh. Vic tnh ton trn cc s ln l mt vic lm rt quen thuc cho nn chng ti khng trnh by t m mi th tc v hm tnh ton s hc ni chung m ch yu i vo phn tch nhng ci tin nh m chng ti thc hin khi lp trnh trong ba php ton c cp n l php nhn, php chia v php lu tha cc s ln. Bng vic thc hin php lu tha theo phng php xt s m vi c s thay i v tnh sn 32 lu tha t x32 n x63 (mod N) mi khi cn tnh xy (mod N), chng trnh sinh s nguyn t mnh ca nhm ti c c s ci thin ng k v tc sinh bi v php lu tha l php ton ch yu trong thut ton sinh v cng l php ton chim nhiu thi gian nht.

Ph lc "Mt s kt qu th nghim", nhm gii thiu mt s kt qu th nghim ca phn mm vit sinh cc tham s cho h mt Elgamal bao gm cc ni dung: - Mt s kt qu thng k thu c v thi gian sinh trung bnh cng mt trung bnh ca s nguyn t mnh v gn mnh theo mt s di c th nh 512, 1024 v 1500 bit. - V d v ton b cc s nguyn t Pepin dng q1=r216+1 vi r l v q1<232, s lng cc s nguyn t Pocklington dng q=Rq1+1 vi R chn v q<232 v ton b cc s nguyn t Sophie trong cc s nu trn (vic tm cc s trn c thc hin bng phng php sng Erathostenes). nh gi chung: Vn c t ra nhm xy dng c mt phn mm nhm sinh ra cc tham s phc v cho mt lp cc h mt kho cng khai hin ang c s dng ngy cng ph bin trong lnh vc bo mt v an ton thng tin. Cng nh mi sn phm khoa hc khc, yu cu ti thiu v tin quyt i vi phn mm (vi t cch l mt my sinh cc s nguyn t) l nhng s nguyn t c n sinh ra dng u (h mt no), ch tiu cht lng ca chng ra sao (ch yu l ch tiu lin quan n mt ca h mt) v sau cng l hiu qu ca chng trnh (tnh chp nhn c v thi gian sinh). C th ho nhng vn trn, trong cng ca ti chng ti ng k l xy dng phn mm sinh cc s nguyn t dng p=2q+1 vi q cng nguyn t trong mt lp s c th no . 4.3 Quyn 3C: Nghin cu xy dng thut ton m khi an ton hiu qu. Ch tr nhm nghin cu: TS. Trn Vn Trng Chng 1 M u v m khi gii thiu chung v m hnh ton hc ca h m khi kho b mt. an ton ca h m khi trc Gi thuyt ni ting ca Kerckhoff: Thm m i phng l c bit ton b chi tit ca qu trnh m ha v gii m ch tr gi tr kha b mt. T dn ti mt s dng tn cng thm m chung nht i vi m khi, ng thi cng t ra ngay mt s yu cu ti thiu i vi mt h m khi an ton l phi c c khi v c kho ln. m bo tnh hiu qu mt h m khi cn phi c cu trc u, i xng m/dch v cc thnh phn ca n cng phi d dng trong qu trnh cng ho hay chng trnh ho mc cao. Chng ny cng gii thiu mt s cu trc m khi c bn nh cu trc i xng thun nghch Feistel, cu trc truy hi Matsui, cu trc cng-nhn Massey...v

38

mt s thut ton m khi c th minh ho nh thut ton GOST ca Lin bang Nga, thut ton IDEA. Chng 2 Thm m khi :Mt s nhng cng vic quan trng khi u cho qu trnh thit k xy dng m khi l cn thit nghin cu nhng phng php thm m khi in hnh, t rt ra nhng c trng an ton c bn ca mt h m khi. Chng ny tp trung nghin cu l thuyt v cc phng php thm m khi c bn nh thm m vi sai, thm m vi sai bc cao, thm m tuyn tnh v cc dng c bit ca thm m tuyn tnh, thm m ni suy, thm m kho quan h.. ch yu p dng trn chun m d liu DES. V mt l thuyt chng ti ch nu nhng nguyn tc thm m c bn i vi m khi (da trn chun m d liu DES) m khng trnh by chi tit thut ton (v c th tm thy trong nhiu ti liu khc). Phn thc hnh, chng ti tp trung nghin cu khai thc phng php thm m phi tuyn da trn tng thm m tuyn tnh xy dng thut ton thm h DES rt gn 8-vng nhm tm 56 bt kho ca chng. Cc vn c trnh by l: - Thm m vi sai c pht minh t nm 1991 bi cc nh mt m Biham v Shamir. y l tn cng u tin ph chun m d liu DES ca M vi phc tp tn cng nh hn phc tp ca phng php vt cn kho. tng c bn ca phng php ny l thm m vi sai xoay quanh vic so snh kt qu ca php XOR gia hai bn r vi kt qu ca php XOR gia hai bn m tng ng. Vi gi thit rng cc bn r c ly ngu nhin u trn khng gian cc u vo c th, hy th xem phn b ca cc kt qu php XOR u ra c tun theo phn b ngu nhin u hay khng. Nu bng phn b l khng u, th thm m c th li dng xy dng phng php tn cng ln h mt bng kiu tn cng bn r chn lc. i vi chun m d liu DES, xut pht t thnh phn phi tuyn duy nht v cng kh tuyn tnh ho nht l cc hp th cc tc gi tm ra c im yu v t thc trin ra thnh cc c trng vi sai vi xc xut ln c th s dng tn cng tm kho ti vng cui cng. phc tp ca tn cng do Biham v Shamir xut trn DES vo c 247 s vi phng php duyt kho l 256 nh ni trn. - Thm m tuyn tnh c pht minh bi Mitsuru Matsui nm 1993 tn cng tm 56 bt kho ca DES vi phc tp 243 nh hn phng php thm vi sai. Nguyn l chung ca phng php thm m tuyn tnh i vi h DES l do h DES cng khai ton b cc php bin i trong n, trong ch c cc hp nn mi l cc php bin i phi tuyn. Ci b mt cn li duy nht khi s dng DES l kho K c s dng c th. Nu tt c cc php bin i ca DES u l tuyn tnh, th vi n s l kho K cho trc c nh, bng cng c m phng trn my tnh v s dng cc cp bn r-m tng ng ta c th thit lp c h thng phng trnh tuyn tnh tm li c cc bt kho K trong thi gian a thc. Tuy nhin, cc hp nn (thnh phn quan trng nht ca h DES) l cc php bin i phi tuyn c chn la cn thn, nn mun thm DES th phi tn cng vo chnh thnh tr ny. Mc ch ca phng php thm m tuyn tnh trn DES l tm mt biu din xp x tuyn tnh cho h ny c th ph chng nhanh hn phng php tn cng vt kit. V tt nhin, nhng nhc im ca cc hp nn s li c tip tc khai thc cho mc ch ny. Qua kho st c th 8 hp nn ca DES, Matsui xy dng c cc xp x tuyn tnh trn ton h m vi xc sut ng c lch klh xa so vi 1/2. T hnh thnh nn tn cng tuyn tnh vi cc h m khi ni chung. Sau tng cng thm tnh hiu qu ca phng php ny, nhiu bi bo xut thm cc dng tn cng dng xp x nhiu ln, xp x phi tuyn...Chng ti thc

39

hnh mt phng php tn cng phi tuyn vi DES 8-vng, bng chng trnh my tnh c th, chng ti tm c 56 bt kho trn mt my tnh 933 MHz vi thi gian trung bnh mt c 1 ngy. Chng trnh thm m DES 8-vng c lit k trong Ph lc A. Nu ta coi mi bit u ra ca h m khi l mt hm Boolean trn cc bt u vo, th vi gi thit bc i s ca cc hm boolean ny nh, ta c th hnh thnh nn mt tn cng vi sai bc cao (tng t nh o hm bc cao ca mt a thc bc thp s nhanh chng bin thnh hng s vi xc sut 1). Mt khc nu xem ton b u ra ca h m khi nh l hm ca ton b u vo tng ng, v vi gi thit rng hm vc t Boolean c th biu din xp x bi mt a thc bc thp vi s cc s hng c h s khc khng nh trn GF(2)n th c th dng phng php ni suy Lagrange lp li c hm ny, v t c hnh thnh nn kiu tn cng ni suy. Ngoi ra, lc kho ca h m khi c nhng mi quan h nht nh gia cc kho con vng cng s dn n kiu tn cng kho quan h, tn cng kiu trt khi... Phn cui ca chng xut pht t cc kiu tn cng trn a ra yu cu c bn ca mt h m khi an ton, hiu qu: H m phi c di khi r, khi kho ln (khng gian r v kho ln) trnh tn cng vt kit trn khng gian r cng nh khng gian kho (thng di c khi ln hn hoc bng 128); H m phi c o vi sai v o lch tuyn tnh ti thiu trnh c hai kiu tn cng nguy him nht l tn cng vi sai v tn cng tuyn tnh theo cc nguyn l nh trnh by trn; Cc hp th, cc php bin i phi tuyn cn phi c bc i s cao trnh tn cng ni suy, tn cng vi sai bc cao. Tng tuyn tnh trong cc hm vng cn phi c la chn cn thn khi phi hp vi tng phi tuyn phi to ra h m c tnh khuych tn tt theo cc nguyn l ca chng 1, trnh cc tn cng a phng trn cc khi m nh. Cc php bin i u vo u ra ca mt h m khi cng khng c qu n gin (nh DES) m cn phi l tng che du, ngn cn vic thit lp cc vi sai hay cc mng nh du tuyn tnh cc vng u cui bit trc i vi thm m. Lc to kho cn phi trnh c cc lp kho yu, v ni chung nn dng kiu kho phin c lp (nu c th c). c bit lc kho khng tn ti nhng quan h kho n gin do tnh u, hay cn xng trong lc gy nn, nhng li phi m bo cc kho l tt nh nhau trnh cc kiu tn cng kho quan h, tn cng trt khi da trn tnh ging nhau trong cc phn on to kho con (khng ph thuc s vng ca h m).

Chng 3 Kho st h m khi an ton theo cc c trng o gii tch. Nh chng ta bit m hnh chung ph bin ca mt h m khi gm hai phn: phn ngu nhin ho d liu v phn lc to kho cho h m. Phn ngu nhin ho d liu gm cc cu trc c bn gii thiu trong chng 1, c th thy n thng cha ba lp: cc hp th (lp trong cng), hm vng (lp gia) v cu trc m-dch (lp ngoi cng). Phn lc kho cng s c gii thiu cui chng, n c th gm lc on-line (tnh cng qu trnh m-dch), hay off-line (tnh trc qu trnh m-dch), hoc l lc kho c lp vi phn ngu nhin ho d liu hay ph thuc phn ngu nhin ho d liu. cho h m l an ton chng c cc tn

40

cng nu, cn phi thit k xy dng cc hp th, hm vng v nghin cu la chn cu trc m-dch sao cho hn ch ti a cc tn cng phn tch m hoc v hiu ho cc phng php thm m c th. ng thi lc kho phi trnh c cc quan h kho n gin hoc trnh cc s tng t gia cc cng on to kho...Mun vy chng ta phi xy dng v theo di c s nh hng ln nhau gia cc o an ton ca cc thnh phn cu to nn h m. V th, ni dung chnh ca Chng 3 s gm cc nghin cu kho st v xy dng cc thnh phn c bn ca h m khi l:Nghin cu v cc hp th ca m khi; Nghin cu v cc dng hm vng an ton; Nghin cu an ton thc t ca cu trc m-dch kiu Feistel; Nghin cu v cc lc to kho ca m khi. Kt qu c th ca chng l gii thiu c cc o an ton c bn lin quan n hp th, hm vng, trnh by cc dng thit k hp th nh l hm vc t Boolean c cc tnh cht u, bc i s cao, phi tuyn cao, o vi sai nh u v lch tuyn tnh nh...Cu trc ngoi cng y c la chn trnh by l dng Feistel c cc nh mt m th gii ch ra c o an ton v c l thuyt v thc t. l nhng c s cn thit thit k xy dng cho thut ton m khi c th. Chng 4 Kho st m khi theo nhm sinh ca cc hm m ho. Vic tm cc tnh yu ca mt h m khi cn c vo nhng c tnh c th ca nhm sinh ca cc hm m ho ca h m trn c s hnh thnh nn nhng tiu chun khi thit k xy dng cc h m khi an ton l mt hng i c mt s tc gi nh Kennth G. Paterson, Ralph Wernsdorf, Sarval Patel, Zulfikar Ramran v Ganapathy...quan tm v cng a ra c nhng kt qu c ngha. Trong chng ny chng ti bt chc theo nhng tng ca cc tc gi nu trn, trong c trnh by li kt qu theo chng ti cho l c ngha nht v mt mt m l khi nim nguyn thu ca nhm cc php th ca tc gi Kennth G. Paterson ri ly lm trong tm pht trin. Cng lao ch yu ca chng ti a ra trong bi ny l a ra cc kt qu lin quan n khi nim t-pht tn v t-pht tn mnh cng vi ngha mt m ca chng. Qua cc kt qu a ra cng tot ln mt vn rt thc t l mi tnh yu v nhm cc php th c nh hng n tnh an ton ca h mt th vic loi b chng ch l cn thit v rt d khc phc cc khuyt tt hnh thc trn nhm sinh (ch bng cch b xung vo tp cc hm m ho cng lm l 2 hm n gin) trong khi bn cht mt m ch ph thuc vo chnh tp cc hm m ho. Cng c th ni rng tnh pht tn v tnh nguyn thu ca h m khi lin quan cht ch vi khi nim khuych tn (diffusion) nh Shannon cp lin quan ti cc h m tch. Chng 5 Kho st cc c trng ca m khi theo quan im xch Markov. Cc h m khi hin ti u thuc dng thut ton m ho tin hnh lp i lp li mt hm (thng c gi l hm vng). Hai phng php tn cng rt ni ting i vi loi m khi ny l tn cng vi sai v tn cng tuyn tnh nh ni trong chng 2. Hiu qu ca hai phng php ny c th hin trn cc phng din sau y: tp cc cp r, v cc cp m tng ng (trong tn cng vi sai), tp cc cp r/ m tng ng (trong tn cng tuyn tnh) c ln l bao nhiu th xc sut thnh cng ca ngi m thm cao? Khi c tp ny ri th thi gian tin hnh c thc t hay khng? Kh nng thc t trong vic thu thp tp hp ny? i vi ngi lp m, cc cu hi thng c t ra nh sau: Hm vng phi c thit k nh th no cc cng thc trn ng vi xc sut b? S vng lp ti thiu phi l bao nhiu khin cho lc lng cn thit ca tp r/m lm nn lng cc nh m thm? Vic nghin cu m khi trn quan im xch Markov gip cc nh mt m tr li cc

41

cu hi trn nhng im ln, khi qut. C th trong chng gii thiu cc xich Markov thm vi sai v thm tuyn tnh i vi h m khi tho mn cc tnh cht no . Khi nim mt m Markov v cc nhm lun phin trong khi kho st an ton ca hm m khi cng lin quan cht ch vi nhau. C th vi cc h m DES v IDEA ta c khng nh, nu gi thit tng ng ngu nhin ng cho phn mt m tng ng, th DES v IDEA(32) l an ton chng li thm vi sai sau nhiu vng i vi tt c cc mt m Markov ny. Nhng kt qu ny cn ng cho tt c cc mt m lp r vng, nu cc hm mt vng l tng t DES sinh ra nhm lun phin. Kt lun rt ra ca chng ny l: - Khi nghin cu m khi di gc mt m Markov, ngi ta tm cch chng minh mt m ny c xch Markov tng ng l bt kh quy v khng c chu k. Nu lm c iu ny th c th khng nh mt m l an ton trc tn cng vi sai v tn cng tuyn tnh khi s vng lp ln. - c hai cch chng minh xch Markov l bt kh quy v khng c chu k. Mt l dng l thuyt th ngu nhin, v phng php th hai l s dng tnh cht ca nhm lun phin. Phng php th hai l kh song kt qu ca n l tt nh. - Nhn chung ta vn cha a ra c "s vng ln" l bao nhiu? - Gi thit tng ng ngu nhin khng phi lun lun ng v vy chng minh mt m khi l an ton trn quan im xch Markov cng cn rt nhiu vic phi lm. Chng 6: Xy dng thut ton m khi MK_KC-01-01. Trong chng ny chng ti thit k mt thut ton m khi c th m bo cc thng s an ton, hiu qu phc v cho ti: - Trc ht, phn ngu nhin ho d liu c xy dng theo cu trc 3 lp: trong, gia v ngoi cng. Lp ngoi cng chng ti chn cu trc Feistel c th nh gi c cc o an ton trc cc tn cng mnh nht hin nay. Lp gia l c cu trc kiu mng thay th hon v 2-SPN (c 2 tng phi tuyn c xen gia bi 1 tng tuyn tnh) nh nu trong chng 3. Lp trong cng l cc hp th phi tuyn. Cc hp th ny c la chn t 2 hp th S1 v S2 c kho st trong chng 3 c cc o an ton tt trnh cc kiu tn cng kho st. Ngoi ra cc php hon v, php dch vng c la chn cn thn sao cho h m c tnh khuych tn ngu nhin u. Cc php bin i u vo v u ra u ly l php XOR vi kho tng ng. - Phn lc kho, dng ngu nhin mt mm kho c di 128-bit thnh cc kho con cho cc vng lp v cc php bin i u vo v u ra. Phn lc kho cng ch trnh tn cng kiu trt khi, ng thi s dng ti a cc hp th phi tuyn ca phn ngu nhin ho d liu. - M hnh m, gii m; cc tham s c th trong m hnh v lc to kho c trnh by trong chng. Cc thng s an ton l thuyt v thc nghim ch ra rng h m khi MK_KC-01-01 p ng c cc yu cu an ton v hiu qu. 4.4 Ph lc: Mt s nghin cu v hm bm v giao thc mt m M u Ph lc l kt qu Nghin cu thm m MD4. Trn c s kt qu ca Dobbertin cng b nm 1997, mt thnh vin tham gia ti tnh li cc xc sut thnh cng, cn chnh li mt s cng thc cho c chnh xc, lp trnh thc

42

hin thut ton tm va chm i vi MD4, ng thi thc hnh chy trn my Dell Power Edge 450 Mhz. Trong ph lc cn c trnh by li 2 bi bo ca cc tc gi nc ngoi l Va chm vi sai ca SHA-0 v Phn tch SHA-1 trong ch m ho. L do 2 bi bo ny c la chn l v: SHA-1 c pht trin trn c s nhng ci tng t trc l MD2, MD4, MD5, SHA-0 v SHA-1. Do SHA-0 c va chm, cho nn n c sa thnh SHA-1. Bi bo phn tch SHA-1 trong ch m ho cho thy n l mt thut ton m ho SHACAL da trn SHA-1 l mt thut ton tt. Cn xt SHA-1 nh mt hm bm th sao? t ra n cng ng vng c 9 nm, cho ti u thng 2 nm 2005, th c 3 nh mt m hc ngi Trung quc tm c thut ton ph n vi thi gian nhanh hn vt cn, rt tic bi bo y v thut ton ny cha c cng b. Kt qu t ph ny c gii thiu qua bi vit Cp nht thng tin v hm SHA-1. Nh tc gi Bruce Schneier vit ngy 18 thng 2 nm 2005 sau s kin SHA-1 b tn cng: Cc hm bm l thnh t mt m c hiu bit t, cc k thut bm c pht trin t hn so vi cc k thut m ho. Cho nn nhm ti cng cha c c nhng nghin cu su sc, bi v c nhiu k thut cha c nhun nhuyn. Trong ph lc cng c trnh by li 4 bi bo theo 3 hng nghin cu v thit k cc hm bm, l: Phng php thit k cc hm bm da trn m khi, Nguyn tc thit k hm bm , Hm bm nhanh an ton da trn m sa sai v mt ca hm bm lp da trn m khi. Cui ph lc l mt nghin cu tng quan v giao thc mt m v trnh by mt bi bo v giao thc STS. y l giao thc da trn giao thc Diffie-Hellman chun nhng c ci bin chng li tn cng ngi ng gia. Giao thc ny c nhm ti s dng lp trnh thc hin giao thc trao i kho phc v cc phn mm m gi IP trn mi trng Linux. 5. Mt s ni dung khc 5.1 V tnh sng to, tnh mi ca cc kt qu nghin cu thuc ti Khi ng k thc hin ti KC.01.01, i ng nhng ngi nghin cu ca Hc vin K thut Mt m ni ring v Ban C yu Chnh ph ni chung cng c quan tm ti bi ton bo mt thng tin trn cc mng dng giao thc IP ni ring (v giao thc mng ni chung), ti vn m bo tnh chn thc ca kho cng khai i km vi tnh danh ca ngi dng ni chung (sao cho Public Key Of User A ng l ca A), nhng c th ni l cha state-of-the-art. Cc sn phm bo mt th tn in t ni ring v cc gii php bo mt tng ng dng ni chung c quan tm ti t rt sm, cn cc gii php bo mt tng IP th mi t c nhng kt qu bc u. Vn chng ch s cng vy, chng ti cha quan tm ti nhng chun ca PKI nh khun dng chng ch X.509, cch hu b chng ch,... Trn c s sn phm phn mm IP-Crypto v 1.0, Hc vin KTMM tip tc nng cp hon thin c nhng ng dng thc t. Trn c s phn mm cp chng ch s vi m hnh sinh kho tp trung, Ban CYCP cng c u t cho ra sn phm vi m hnh ngi dng t sinh cp kho b mt/cng khai (ri gi kho cng khai cho trung tm k). So vi m hnh sinh kho tp trung th m hnh ny phc tp hn.

43

 Trn c s pht trin gii php can thip mt m tng DataLink trong mi trng Linux, bn cnh sn phm DL-Cryptor ca ti KC.01.01, mt h phn mm bo mt gi IP mi vi gii php can thip mt m vo tng cu (Bridge) ra i. Phn mm ny c u im l m c c nhng gi tin IP-multicast (dng cho Video Conferencing). Nhng cn b tham gia thc hin ti KC.01.01 cng nghin cu gii php can thip mt m bo v gi IP tng vt l (can thip vo trnh iu khin card mng). Bng cch ny c th m rng ra vic bo mt cc mi trng truyn thng khc vi Ethernet (nh E1). 5.2 V phng php nghin cu, bo co khoa hc Trong qu trnh nghin cu, chng ti da vo h iu hnh Linux ni ring i su khai thc cc phn mm c m ngun m ni chung. M ngun m l mt iu kin tt lm vic tch hp mt m. Trn c s khai thc Linux, chng ti to ra sn phm bo mt vi gii php can thip mt m tng IP v DataLink. Bng cch i su vo tng DataLink, sau ny, chng ti to ra mt dng sn phm vi gii php can thip mt m tng cu, n cho php bo mt cc gi IP-multicast c dng trong cc ng dng Video Conferencing. Vic can thip mt m tng thp hn cn gip chung ti bo mt c d liu trong cc mi trng khc vi Ethernet (nh E1) v khng c phi dng giao thc mng IP. Gii php bo mt dch v Web thng qua SQUID Proxy Server cng c thc hin nh vo vic tn dng m ngun m. Cc bo co khoa hc c vit chi tit, c cc hnh v minh ho i km gip cho ngi c d nm bt c vn (i vi mt s phn mm chnh l cc giao din). 5.3 Nhng bi bo, nhng bo co kt qu nghin cu ca ti ti tham d ICT IRDA04 vi 5 bo co: Tt Tn bo co Tc gi 1 Linux Bridge v dng Linux bo mt KS Nguyn Cnh Khoa, TS Trn Duy Lai 2 Gii thiu mt phn mm cung cp chng ch PGS TS L M T, s KS Hong Vn Thc, KS inh Quc Tin 3 Mt gii php bo mt mng ti tng ThS ng Ho, DataLink trong m hnh OSI KS Nguyn Quc Ton KS Nguyn Cnh Khoa 4 Kho st m khi theo nhm sinh ca cc TS Lu c Tn hm m ho 5 Mt vi ci bin cho thut ton sinh s TS Trn Duy Lai nguyn t theo nh l Pocklington Mt s kt qu nghin cu ca KC.01.01 cng c bo co trong Hi ngh khoa hc nm 2002 ca Hc vin KTMM v gii thiu trong K yu cc kt qu nghin cu ca Hc vin. 5.4 V gi tr ng dng v trin vng p dng kt qu KHCN

44

 Phn mm IP-Crypto v1.0 c nng cp ln thnh IP-Crypto 2.0 ci t vo thit b chuyn dng do X nghip M2 ch to trn nn mt my tnh nhng vi h iu hnh Linux c ti thiu. Phn mm ny hin nay c nng cp ln thnh IP-Crypto v 3.0 c h tr chng ch s bo mt 4 mng LAN ca Tng cc An ninh- B Cng An. Phn mm cung cp chng ch s c s dng th ti Cc E15-Tng cc VI- B Cng An vi dch v th tn. Vic bo mt dch v WEB vi chng ch s cng c dng th ti Cc C yu- BTTM (nhm m rng cc dch v c h tr bo mt trn trc mng). 5.5 V hiu qu kinh t v hiu qu kinh t x hi: Cc phn mm bo mt mng dng giao thc IP ang c m rng din s dng (ti B Cng An, trc ht l 13 mng LAN ca Tng cc An ninh; sau l 30 mng LAN thuc trung tm ch huy; mng ca Chnh ph theo n 112;...) Hin nay, Cc Qun l K thut Nghip v Mt m- Ban C yu Chnh ph ang xy dng d n cung cp chng ch s cho khu vc Nh nc. Vn trin khai s dng chng ch s trong khu vc dn s cng ang c nhiu c quan quan tm (nht l B Bu chnh Vin thng). 5.6 nh gi v kt qu o to v nhng ng gp khc ca ti Sau y l mt s lun vn Cao hc (chuyn ngnh K thut Mt m) c lin quan n ti KC.01.01 c hon thnh: tt 1 2 3 4 Tn lun vn V mt phng php bo mt th tn in t trn mng Internet Sinh tham s cho h mt RSA Ngi thc Ngi hng dn hin/n v Hong Th Thu PGS-TS Hng/ HVKTMM L M T Kiu Vn Hng/ TS Lu c Tn Cc V18-BCA Hong Vn Thc/ TS Trn Duy Lai HVKTMM TS. Nguyn Nam Hi

Tch hp mt m v kim sot h thng cho mt h th tn in t m ngun m Nghin cu m bo vn o Th Hng chng thc trong cc hot ng Vn/ HVKTMM thng mi in t

Mt s cn b tr tham gia thc hin ti, c iu kin lm vic v trng thnh nh Hong Vn Thc (cp chng ch s dng vi Mail/Web), Nguyn Cnh Khoa (gii php bo mt cc tng khc nhau), Trn Hng Thi (thm m khi v tm va chm ca hm bm), Nguyn Quc Ton (tip cn vi mt m ng cong elliptic) Qua qu trnh lm ti, nhng ngi lm ti cng c kinh nghim hn trong vic hnh thnh nhng ti nhnh trong mt ti ln.

45

Kt lun v kin ngh ti KC.01.01 c thc hin trong thi gian hn 3 nm, tt c cc sn phm ng k c hon thnh. Bn nhm sn phm (bo co khoa hc, phn mm, thit b) c hnh thnh, l: (1) nhng nghin cu tng quan, tm hiu gii php; (2) cc phn mm bo mt gi IP; (3) cung cp v s dng chng ch s; (4) m bo ton hc. Mt s sn phm ca ti c Ban C yu tip tc u t pht trin nng cp v c nhng ng dng thc t mang li hiu qu thc s v gp phn thc y qu trnh thc hin nhu cu bo mt thng tin trn cc mng ca cc n 112 ca Chnh ph (trc ht l ti B Cng An). Nhng kt qu nghin cu t c ca ti KC.01.01 c tip tc hon thin to ra nhng sn phm mi, v d nh phn mm m tng cu bo mt hi ngh truyn hnh. Trong mt tng lai gn, thng mi in t v chnh ph in t s pht trin mnh nc ta. l mi trng thun li cho nhng sn phm h tr PKI pht trin. Nhng n cng lm ny sinh mt vn ht sc quan trng, l nhu cu cn c mt b chun cc thut ton mt m dng chung cho cc sn phm . y l mt cng vic ln, hin ang c cc cn b nghin cu thc hin ti KC.01.01 ni ring v i ng cn b nghin cu trong Ban C yu Chnh ph ni ring tp trung gii quyt.

46

Li cm n Vic thc hin ti KC.01.01 gip cho nhiu sn phm quan trng i vi Ngnh C yu c hnh thnh nhanh hn. iu quan trng na l, vi ti KC.01.01, nhng ngi lm cng tc nghin cu trong Ngnh C yu c iu kin tip cn vi nhim v bo mt cc mt loi hnh thng tin mi, l cc thng tin kinh t x hi, p ng nhu cu s dng sn phm mt m cho cc lnh vc khng phi l an ninh quc phng. y l mt cng vic ln, bi v bn cnh cc thng tin tc nghip ca cc c quan ng v Nh nc (nh chnh ph in t), cn c cc thng tin phc v pht trin kinh t ca cc doanh nghip, cng ty,... Bn cnh cc gii php k thut, vn ny cn ph thuc vo cc yu t khc nh chnh sch qun l, cc vn bn php qui khc,... Nhm ti xin chn thnh cm n B Khoa hc Cng ngh, V Khoa hc Cc ngnh Kinh t K thut, Ban Ch nhim chng trnh KC.01, GS TS V nh C (Ch nhim chng trnh KC.01) to iu kin gip ti c tin hnh. Nhm ti cng chn thnh cm n cc ng ch Lnh o Ban C yu Chnh ph, Hc vin K thut Mt m v cc c quan nh V Khoa hc Cng ngh (Ban CYCP), V K hoch Ti chnh (Ban CYCP), Phng Qun l Nghin cu Khoa hc v Phng K hoch Ti chnh ca Hc vin KTMM to iu kin thun li v c nhng ng gp cho ti.

47

Ti liu tham kho Quyn 1A: Gii thiu cng ngh IPSEC, cng ngh pht hin xm nhp v thng mi in t 1. An Introduction to IPSEC, Bill Stackpole, Information Security Management Hanbook, 4th edition, Chapter 14, Boca Raton-London- New York-Washington, editors Harold F.Tipton and Micki Krause, 2000. 2. Ti liu km theo phn mm FreeS/WAN (http://www.freeswan.org) 3. Cohen, F., Managing network security- Part 14: 50 ways to defeat your intrusion detection system. Network Security, December, 1997, pp.11-14. 4. Crosbie, M. and Spafford, E.H., Defending a computer system using autonomous agents. Proceedings of 18th National Information System Security Conference, 1995, pp. 549-558. 5. Garfinkel, S. and Spafford, G., Practical Unix and Internet Security, OReilly & Associates, Inc., 1996. 6. Garfinkel, S. and Spafford, G., Web Security & Commerce, OReilly & Associates, Inc., 1997. 7. Herringshaw, C. Detecting attacks on networks. IEEE Computer, 1997, Vol, Vol. 30 (12), pp. 16-17. 8. Mukherjee, B., Heberlein, L. T., and Levitt, K.N., Network intrusion detection. IEEE Network, 1994, Vol.8 (3), pp.26-41. 9. Power Richard, Issues and Trends: 1999 CSI/FBI computer crime and security survey, Computer Security Journal, Vol.XV, No.2, Spring 1999. 10. Schultz, E.E. and Wack, J., Responding to computer security incidents, in M. Krause and H.F. Tipton (Eds.), Handbook of Information Security. Boston:Auerbach, 1996, pp.53-68. 11. Van Wyk, K.R., Threats to DoD Computer Systems. Paper presented at 23rd Information Integrity Institute Forum Quyn 1B: Nc Nga v ch k in t s 1. C.U.Mfhbxtd, D.D. Ujyxfhjd, H.T.Cthjd, Jcyjds cjdhtvtyyjq rhbgnjuhfabb, Vjcrdf, Ujhzxfz kbybz-Ntktrjv, 2002, cnh. 9698. 2. S. Even and O. Goldreich. Des-like functions can generate the alternating group. IEEE Transactions on Information Theory, 29(6):863-865, November 1983. 3. National Soviet Bureau of Standards. Information Processing Systems. Cryptographic Protection. Cryptographic Algorithm. GOST 28147-89, 1989. 4. J. P. Pierrzyk and Xian-Mo Zhang. Permutation generators of alternating groups. In Advances in Cryptology- AUSCRYPT90, J.Sebery, J. Pieprzyk (Eds), Lecture Notes in Computer Science, Vol.453, pages 237-244. Springer Verlag, 1990. Quyn 1C: Tm hiu kh nng cng ngh cng ho cc thut ton mt m 1. FIPS 140-1 - Security Requirements for Cryptographic Modules., 1994 January 11. 2. Leon Adams., Choosing the Right Architecture for Real-Time Signal Processing Designs., White Paper., SPRA879 - November 2002.

48

3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16.

17. 18. 19. 20.

Christof Paar., Reconfigurable Hardware in Modern Cryptography., ECC 2000 October 4-6., Essen, Germany. Hagai Bar-El., Security Implications of Hardware vs. Software Cryptographic Modules., Information Security Analyst., October 2002. Cryptology., http://www.cyphernet.org/cyphernomicon/5.html Leon Adams., Choosing the Right Architecture for Real-Time Signal Processing Designs., SPRA879 - November 2002 Stephen Brown and Jonathan Rose., Architecture of FPGAs and CPLDs: A Tutorial., Department of Electrical and Computer Engineering University of Toronto. Khary Alexander, Ramesh Karri, Igor Minkin, Kaijie Wu, Piyush Mishra, Xuan Li., Towards 10-100 Gbps Cryptographic Architectures., IBM Corporation, Poughkeepsie, NY, 12601. AJ Elbirt, C Paar., Towards an FPGA Architecture Optimized for Public-Key Algorithms., Cryptography and Information Security Laboratory, Worcester, MA 01609. Thomas Blum., Modular Exponentiation on Reconfigurable Hardware., Thesis., WORCESTER POLYTECHNIC INSTITUTE. M. Shand and J. Vuillemin. Fast implementations of RSA cryptography. In Proceedings 11th IEEE Symposium on Computer Arithmetic, pages 252259, 1993. H.Orup. Simplifying quotient determination in high-radix modular multiplication., In Proceedings 12th Symposium on Computer Arithmetic, pages 1939, 1995. K. Iwamura, T. Matsumoto, and H. Imai. Montgomery modular-multiplication., method and systolic arrays suitable for modular exponentiation. Electronics and Communications in Japan, Part 3, 77(3):4051, March 1994. J.-P. Kaps. High speed FPGA architectures for the Data Encryption Standard., Masters thesis, ECE Dept., Worcester Polytechnic Institute, Worcester, USA, May 1998. Ahmed Shihab, Alcahest; and Martin Langhammer, Altera., Implementing IKE Capabilities in FPGA Designs., Dec 05, 2003 URL: http://www.commsdesign.com/showArticle.jhtml?article-ID=16600061 Alexander Tiountchik, Institute of Mathematics, National Academy of Sciences of Belarus v Elena Trichina, Advanced Computing Research Centre, University of South Australia., FPGA Implementation of Modular Exponentiation. Hauck, S. (1998). The Roles of FPGAs in Reprogrammable Systems Proceedings of the IEEE 86(4): 615-638. Kris Gaj and Pawel Chodowiec., Hardware performance of the AES finalists survey and analysis of results., George Mason University. AJ Elbirt, W Yip, B Chetwynd, C Paar., An FPGA-Based Performance Evaluation of the AES Block Cipher Candidate Algorithm Finalists., ECE Department, Worcester Polytechnic Institute. Kris Gaj and Pawel Chodowiec., Comparison of the hardware performance of the AES candidates using reconfigurable hardware., George Mason University.

49

21. Bruce Schneier, John Kelseyy, Doug Whitingz, David Wagnerx, Chris Hall, Niels Ferguson., Performance Comparison of the AES Submissions., January 3, 1999. 22. J. P. Kaps and C. Paar, Fast DES implementation on FPGAs and its application to a universal key-search machine, in Fifth Annual Workshop on Selected Areas in Cryptography, vol. LNCS 1556, Springer-Verlag, August 1998. 23. O. Mencer, M. Morf, and M. J. Flynn, Hardware Software Tri-Design of Encryption for Mobile Communication Units, in Proceedings of International Conference on Acoustics, Speech, and Signal Processing, vol. 5, (New York, New York, USA). 24. K. H. Leung, K. W. Ma, W. K. Wong v P. H. W. Leong., FPGA Implementation of a Microcoded Elliptic Curve Cryptographic Processor., Department of Computer Science and Engineering, The Chinese University of Hong Kong. 25. M. Rosner Elliptic Curve Cryptosystems on reconfigurable hardware., Masters Thesis Worcester., Polytechnic Institute Worcester USA 1998. 26. G. Orlando and C. Paar., A super-serial Galois field multiplier for FPGAs and its application to public key algorithms., Proceedings of the IEEE Symposium on Field-programmable custom computing machines., trang 232-239., 1999. 27. T. Grembowski, R. Lien, K. Gaj, N. Nguyen, P. Bellows, J. Flidr, T. Lehman, B. Schott., Comparative Analysis of the Hardware Implementations of Hash Functions SHA-1 and SHA-512., Electrical and Computer Engineering, George Mason University, 4400 University Drive, University of Southern California Information Sciences Institute. 28. Thomas Wollinger and Christof Paar., How Secure Are FPGAs in Cryptographic Applications?., Report 2003/119, http://eprint.iacr.org/, 5. June 2003 29. Ross Anderson Markus Kuhn., Tamper Resistance - a Cautionary Note., The Second USENIX Workshop on Electronic Commerce Proceedings, Oakland, California, November 18-21, 1996, pp 1-11, ISBN 1-880446-83-9. 30. S Blythe, B Fraboni, S Lall, H Ahmed, U deRiu, Layout Reconstruction of Complex Silicon Chips, IEEE Journal of Solid-State Circuits v 28 no 2 (Feb 93) pp 138-145. 31. B. Dipert. Cunning circuits confound crooks., http://www.einsite.net/ednmag/contents/images/21df2.pdf. 32. G. Richard., Digital Signature Technology Aids IP Protection., EETimes News, 1998. http://www.eetimes.com/news/98/1000news/digital.html. 33. K.H. Tsoi, K.H. Leung and P.H.W. Leong., Compact FPGA-based True and Pseudo Random Number Generators., Department of Computer Science and Engineering, The Chinese University of Hong Kong, Shatin, NT Hong Kong. 34. V. Fischer and M. Drutarovsky. True random number generator embedded in reconfigurable hardware. Trong Proceedings Cryptographic Hardware and Embedded Systems Workshop (CHES), trang 415-430, 2002. Quyn 2A: Giao thc TCP/IP v gii php bo mt cc tng khc nhau. 1. Network Layer Security, Steven F. Blanding, Chapter 8, Information Security

50

Management Hanbook, 4th edition, Boca Raton-London- New York-Washington, editors Harold F.Tipton and Micki Krause 2. Transport Layer Security, Steven F. Blanding, Chapter 9, Information Security Management Hanbook, 4th edition, Boca Raton-London- New YorkWashington, editors Harold F.Tipton and Micki Krause 3. Application- Layer Security Protocols for Network, Bill Stackpole, Chapter 10, Information Security Management Hanbook, 4th edition, Boca Raton-LondonNew York-Washington, editors Harold F.Tipton and Micki Krause Quyn 3A: Sinh tham s an ton cho h mt RSA 1. Lu c Tn, Mt s thut ton kim tra tnh nguyn t i vi mt s lp s. Lun n ph tin s khoa hc ton l, H ni 1994. 2. Ian Blanke, Gadiel Seroussi & Nigel Smart. Elliptic Curves in Cryptography. Cambridge Universty press 1999. 3. D. M. Gordon, Strong Primes Are Ease to Find, Advances in CryptologyProceedings of EUROCRYPT 84 (LNCS 209), 216-223, 1985. 4. Hans Riesel, Prime Number and Computer Methods for Factorization, Progress in Mathematics, 57, 1985. 5. R. L. Rivest and R. D. Silverman, Are Strong Primes Needed for RSA? 6. Robert D. Silverman, Fast Generation of Random, Strong RSA Primes. The Technical Newsletter of RSA Laborastories. Spring 1997. 7. N.M.Stephens, Lenstras Factorisation Based On Elliptic Curves. Springer-Verlag 1998, pp. 409-416. Quyn 3B: Sinh tham s an ton cho h mt Elgamal 1. Douglas Robert Stinson, Mt m L thuyt v Thc hnh. Bn dch ting Vit H ni 1995. 2. Lu c Tn. Mt s thut ton kim tra nhanh tnh nguyn t ca cc s trn mt s lp s. Lun n ph tin s H ni 1993. 3. Paulo Ribenboim. The Little Book of Big Primes. Springe-Verlag 1991 Quyn 3C: Nghin cu xy dng thut ton m khi an ton hiu qu 1. AES (nhiu tc gi), Tuyn tp 15 h m khi d tuyn chun m tin tin (AES), Ti liu t Internet. 2. E. Biham, New types of cryptanalytic attacks using related keys, EUROCRYPT' 93, pp. 398-409. 3. A. Biryukov, D. Wagner, Slide Attacks, Fast Software Encryption, 1999, pp. 245259. 4. A. Biryukov, D. Wagner, Advanced Slide Attacks, EUROCRYPT' 2000, pp. 589606. 5. S. Burton, Jr. Kaliski, M.J.B. Robshaw, Linear Cryptanalysis using Multiple Approximations, CRYPTO'94, pp. 26-39. 6. G. Carter, E. Dawson, and L. Nielsen, Key Schedules of Iterative Block Ciphers, Ti liu t Internet, (10 trang). 7. F. Chabaud and S. Vaudenay, Links between differential and linear cryptanalysis, Eurocrypt' 94, pp. 256-365.

51

8. C. Charnes, L. OConnor, J. Pieprzyk, R. Safavi-Naimi, Y. Zeng, Comments on Soviet Encryption Algorithm GOST, EUROCRYPT'94, pp. 433-438. 9. L. J. O'Conner and J. Dj Golic', A unified markov approach to differential and linear cryptanalysis, Asiacrypt, November 1994. 10. L. J. O'Conner, Design Product Ciphers Using Markov Chain, Selected Area in Cryptography 1994. 11. L. J. O'Conner, Convergence in Differential Distributions, Crypto'95, pp.13-23. 12. I. I. Ghicman, A.V. Skorokhod, Nhp mn v l thuyt cc qu trnh ngu nhin, NXB "HAYKA", Maxcova 1977. 13. G. Hornauer, W. Stephan, R.Wernsdorf, Markov Ciphers and Alternating Groups, Eurocrypt'93, p.453-460. 14. T. Jacobsen, L.R. Knudsen, Interpolation Attacks on the Block Cipher, Fast Software Encryption, 1997, pp 28-40. 15. Y. Kaneko, F. Sano, K. Sakurai, On Provable Security against Differential and Linear Cryptanalysis in Generalized Feistel Ciphers with Mutiple Random Functions, Ti liu t Internet, 15 trang. 16. J. Kelsy, B. Schneier, and D. Wagner, Key-Schedule Cryptanalysis of IDEA, GDES, GOST, SEFER, and Triple-DES, CRYPTO'96, pp 237-251 17. L. R. Knudsen, Block Ciphers-Analysis, Design and Applications, July, 1, 1994 (Ph. D Thesis). 18. L. R. Knudsen, Practically secure Feistel ciphers, Fast Software Encryption, 1993, pp. 211-221. 19. L.R. Knudsen, New potentially "weak keys for DES and LOKI, EUROCRYPT' 94, pp. 419-424. 20. L. R. Knudsen, M.J.B. Robshaw, Non-linear Approximations in Linear Cryptanalysis, EUROCRYPT' 96, pp. 224-236. 21. M. Kwan, J. Pieprzyk, A General purpose Technique for Locating Key Scheduling Weaknesses in DES-like Cryptosystems, ASIACRYPT'91, pp. 237246. 22. X. Lai, On the Design and Security of Block Ciphers, Hartung-Gorre Verlag Konstanz, 1995 23. X. Lai, J.L. Massey and S. Murphy, Markov Ciphers and Differential cryptanalysis, Eurocrypt' 91, pp.17-38. 24. M. Matsui, New Block Encryption Algorithm MISTY, Fast Software Encryption, 1997, FSE97, pp. 54-68 25. M. Matsui, New structure of block ciphers with provable security against differential and linear cryptanalysis, Fast software Encryption, 1996, pp. 21-23. 26. M. Matsui, Linear Cryptanalysic Method for DES Cipher, EUROCRYPT' 93, pp. 386-397. 27. M. Matsui, The First Experimental Cryptanalysic of the Data Encryption Standard, CRYTO' 94, pp. 1-11. 28. S. Moriai, T. Shimoyama, T. Kaneko, Interpolation Attacks of the Block Cipher: SNACK, Fast Software Encryption, 1999, pp. 275-289. 29. K. Nyberg, Differentially uniform mappings for cryptography, EUROCRYPT'93, pp. 55-64, 1994. 30. K. Nyberg, Linear Approximation of Block Ciphers, Eurocrypt'94, pp.439-444.

52

31. K. Nyberg, L. R. Knudsen, Provable security against a differetial cryptanalysis, Journal of Cryptology, Vol. 8, pp. 27-37, 1995. 32. Savan Patel, Zulfikar Ramzan, and Ganapathy S. Sundaram, Towards Making Luby-Rackoff Ciphers Optimal and Practical, Fast Software Encryption, 1999, pp. 171-185. 33. Kenneth G. Paterson, Imprimitive Permutation Groups and Trapdoor in Iterated Block Ciphers, Fast Software Encryption, 1999, pp. 201-214. 34. T. Shimoyama, T. Kaneko, Quadratic Relation of S-box and Its Application to the Limear Attack of Full Round DES, CRYPTO'98, pp. 200-211. 35. J. Seberry, X. M. Zhang and Y. Zheng, Relationships Among Nonlinearity Criteria, EUROCRYPT'94, pp. 76-388, 1995. 36. D. R. Stinson, Cryptography: Theory and Practice, 1995 by CRC Press, Inc. 37. Nguyn Duy Tin, Cc m hnh xc sut v ng dng, Phn I- Xch Markov v ng dng, NXB i hc Quc gia H Ni, 2000. 38. R.Wernsdorf, The One-Round Functions of the DES Generate the Alternating Group, Proc. Eurocrypt' 92, LNCS 658, 1993, pp. 99-112. Quyn 4A: Cc phn mm bo mt gi IP trn h iu hnh Linux 1. Glenn Herrin, Linux IP Networking-A Guide to the Implementation and Modification of the Linux Protocol Stack 2. Alan Cox, Network buffer and memory management Quyn 4B: H thng an ton trn mi trng mng Sun Solaris 1. Streams programming Guide. 1995 Sun Microsystems. 2. Solaris system administrators guide. Janice Winsor - 1993 - Ziff-Davis Press Emryville, California 3. Writing unix device drivers. George pajari - Addison-Wesley Publishing Company, Inc - 1992 4. TCP/IP Illustrated Volume 1. Volume2 , Volume 3. Gary R. Wright - W. Richard Stevens, 1995- Addison-Wesley Publishing Company 5. Network and internetwork security-Principles and practice. William Stallings, Ph.D.,1995 by Prentice-Hall, Inc 6. Computer Communications Security - Principles, Standard Protocols and Techniques. Warwick Ford - PTR Prentice Hall - 1994 7. Intenet & TCP/IP Network Security, Security Protocols and Applications -1996 by The McGraw-Hill Companies, Inc 8. Building Internet Firewalls. D. Brent chapman and Elizabeth D. Zwicky - O' Reilly & Associates, Inc. 9. Firewall complete, 1998 - Mc Graw - Hill 10. UNIX Network programming Volume 1, Network APIs: Sockets and XTI - W. Richard Stevents, 1998 Prentice - Hall, Inc 11. Ti liu chuyn v TCP/IP , Phm Vn Hi - Hc vin KTMM

12. http://www.freeswan.org/
13. RFC 2409 :The Internet Key Exchange (IKE) 14. RFC 2408 Internet Security Association and Key Management Protocol (ISAKMP) 15. RFC 1825 : An overview of a security architecture

53

16. RFC 1826 : IP Authentication Header 17. RFC 1827 : IP Authentication Header 18. Cc RFC khc v IPSEC v FreeS/WAN Quyn 5A: An ninh ca cc h iu hnh h Microsoft Windows, Sun Solaris v Linux 1. Authentication HOWTO - Peter Hernberg 2. Shadow Password Howto - Michael H. Jackson mhjack@scnet.com 3. Security HOWTO 4. The Linux-PAM System Administrators Guide, Adrew G. Morgan 5. Practical Unix Security - Simson Garfinkel and Gene Spafford 6. Cc trang man getty(); mingetty(); login(); sulogin(); 7. Text - Terminal HOWTO - David S. Lawyer dave@lafn.org 8. Solaris System Administration Guide, Chapter 12 -> Chapter 16 9. Software White Paper: Solaris Security, Ti liu t Internet Quyn 5B: C ch an ton ca cc h iu hnh mng, Network hacker, Virut my tnh 1. William Stallings Ph.D. (1999), Cryprography and Network security: Principles and Practice - Second edition, Prentice -Hall, Inc.,USA. 2. VN-GUIDE, Bo mt trn mng B quyt v gii php Tng hp v bin dch, Nh xut bn thng k. 3. Cc trang web: www.tinhat.com/internet_security/security_holes.html, www.tinhat.com/internet_security/improve.html, www.securityfocus.com, www.saintcorporation.com, www.sans.org, www.fbi.gov, www.cs.wright.edu, www.nessus.org, www.nai.com, www.linuxdoc.org/HOWTO/Secure-ProgramsHOWTO.html, www.hackecs.com, www.auscert.org.au, www.securityfocus.com, www.l0pht.com, www.w3.org, www.rhino9.com, iss.net, www.insecure.org, www.cert.org, vnEpress.net, www.viethacker.net 4. Trn Thch Tng, Bo mt v ti u trong Red Hat Linux, NXB Lao ng X hi 5. Edward Amoroso, Fundamentals of Computer Security Technology 6. E_book: Hackers Handbook, State of the art Hacking tools and techniques, Vol 1, 2, 3. 7. William Stallings Ph.D. (1999), Cryprography and Network security: Principles and Practice - Second edition, Prentice -Hall, Inc.,USA. 8. Cc trang web: www.netbus.org, www.saintcorporation.com/products/saint_engine.html, www.rootshell.com, www.hackerjokes.de/, www.hackercracker.net/, www.crackerhttp/, www.hackerethic.org/, www.counter-hack.net/, www.inthehack.com/, www.eleganthack.com/, www.hack-net.com/, www.virtualcrack.com/ 9. Ng Anh V, Virus tin hc huyn thoi v thc t, NXB Thnh Ph H Ch Minh. 10. Nguyn Thnh Cng, Hng dn phng v dit virus my tnh , NXB thng k 11. Nguyn Vit Linh v u Quang Tun, Hng dn phng chng virus trong tin hc mt cch hiu qu, NXB tr. 12. Cc trang web: www.viruslist.com/, www.norman.com, www.esecurityplanet.com, www.antivirusebook.com, www.waronvirus.com, www.hackertrickz.de

54

BCYCP HVKTMM

BCYCP HVKTMM

BCYCP HVKTMM

BAN C YU CHNH PH Hc vin K thut Mt m

Bo co Tm tt Tng kt Khoa hc v K thut ti: NGHIN CU MT S VN BO MT v an ton thng tin cho cc mng dng giao thc lin mng my tnh IP

TS o Vn Gi, TS. Trn Duy Lai

H Ni, 1-2005

Ban C yu Chnh ph Hc vin K thut Mt m

Bo co Tm tt Tng kt Khoa hc v K thut ti: NGHIN CU MT S VN BO MT v an ton thng tin cho cc mng dng giao thc lin mng my tnh IP

TS o Vn Gi, TS. Trn Duy Lai

H Ni, 1-2005

Ti liu ny c chun b trn c s kt qu thc hin ti cp Nh nc, m s KC.01.01

Danh sch nhng ngi thc hin Nhm th nht : Cc nghin cu tng quan, tm hiu gii php A Nhng ngi ch tr mt trong cc kt qu nghin cu 1 PGS TS Hong Vn To Hc vin K thut Mt m 2 PGS TS L M T Hc vin K thut Mt m 3 TS Nguyn Hng Quang Phn vin NCKTMM- HVKTMM 4 ThS ng Ho Phng QLNCKH- HVKTMM 5 TS Nguyn Nam Hi Trung tm Cng ngh Thng tin 6 TS ng V Sn V Khoa hc Cng ngh 7 TS Trn Duy Lai Phn vin NCKHMM- HVKTMM B Nhng ngi tham gia mt trong cc kt qu nghin cu 1 ThS Nguyn Ngc ip Phng QLNCKH- HVKTMM 2 ThS Nguyn c Tm Khoa Tin hc- HVKTMM 3 ThS Nguyn ng Lc Phn vin NCNVMM- HVKTMM 4 ThS on Ngc Uyn Khoa Tin hc- HVKTMM 5 ThS Nguyn Anh Tun Phn vin NCKHMM- HVKTMM 6 KS L Khc Lu Phn vin NCKTMM- HVKTMM 7 ThS o Hng Vn Trung tm Cng ngh Thng tin 8 KS Nguyn Cnh Khoa Phn vin NCKHMM-HVKTMM 9 KS Nguyn Cng Chin Phng QLNCKH-HVKTMM Sn phm t c: - 07 bo co khoa hc (cc quyn 1A, 1B, 1C, 2A, 2B, 5A v 5B) Nhm th hai: Cc phn mm bo mt gi IP A Nhng ngi ch tr mt trong cc kt qu nghin cu 1 TS Nguyn Nam Hi Trung tm Cng ngh Thng tin 2 TS ng V Sn V Khoa hc Cng ngh 3 TS Trn Duy Lai Hc vin K thut Mt m B Nhng ngi tham gia mt trong cc kt qu nghin cu 1 KS Nguyn Cnh Khoa Phn vin KHMM- HVKTMM 2 KS Nguyn Quc Ton Phn vin KHMM- HVKTMM 3 KS inh Quc Tin Phn vin KHMM- HVKTMM 4 KS Nguyn Tin Dng Trung tm Cng ngh Thng tin 5 KS Nguyn Thanh Sn Khoa Mt m- HCKTMM 6 KS Nguyn Nh Tun Khoa Mt m- HVKTMM Sn phm t c: - 03 bo co khoa hc (cc quyn 3A, 3B v 3C) - 05 phn mm bo mt gi IP ( 01 trn Windows; 01 trn Solaris; 03 trn Linux)

Nhm th ba: Cung cp v s dng chng ch s A Nhng ngi ch tr mt trong cc kt qu nghin cu 1 TS Trn Duy Lai Phn vin NCKHMM-HVKTMM 2 PGS TS L M T Hc vin K thut Mt m 3 ThS ng Ho Phng QLNCKH-HVKTMM 4 TS Nguyn Hng Quang Phn vin NCKTMM-HVKTMM B Nhng ngi tham gia mt trong cc kt qu nghin cu 1 ThS Hong Vn Thc Phn vin NCKHMM-HVKTMM 2 KS Phm Vn Lc Phn vin NCKHMM-HVKTMM 3 KS Cao Thanh Nam Phn vin NCKTMM-HVKTMM 4 ThS La Hu Phc Phn vin NCKTMM-HVKTMM 5 ThS Trnh Minh Sn Phn vin NCNVMM-HVKTMM 6 ThS Hong Thu Hng Phn vin NCNVMM-HVKTMM Sn phm t c: - 04 bo co khoa hc (cc quyn 6A, 7A, 8A, 8B v 9A) - 03 phn mm (cp v thu hi chng ch s, th vin ch k s, bo mt Web dng Proxy Server) - 01 thit b phn cng ghi kho c giao din USB Nhm th t: m bo ton hc A Nhng ngi ch tr mt trong cc kt qu nghin cu 1 TS Lu c Tn Phn vin NCKHMM-HVKTMM 2 TS Trn Vn Trng Phn vin NCKHMM-HVKTMM B Nhng ngi tham gia mt trong cc kt qu nghin cu 1 TS Nguyn Ngc Cng Phn vin NCKHMM-HVKTMM 2 KS Trn Hng Thi Phn vin NCKHMM-HVKTMM 3 ThS Trn Quang K Phn vin NCKHMM-HVKTMM 4 ThS Phm Minh Ho Phn vin NCKHMM-HVKTMM 5 KS Nguyn Quc Ton Phn vin NCKHMM-HVKTMM C Cng tc vin 1 TS Nguyn L Anh i hc Xy dng 2 TSKH Phm Huy in Vin Ton hc Sn phm t c: - 03 bo co khoa hc (cc quyn 3A, 3B v 3C) - 02 phn mm (sinh tham s an ton cho h mt RSA v Elgamal)

Mc lc Trang 2 4 5 7 7 12 16 19 22 23 24

Danh sch nhng ngi thc hin Mc lc Li m u Tm tt cc ni dung nghin cu v kt qu chnh 1. Nhm th nht : Nghin cu tng quan, tm hiu gii php cho cc c ch m bo an ninh an ton mng 2. Nhm th hai : Cc sn phm bo mt gi IP trn cc mi trng Linux, Solaris v Windows 3. Nhm th ba : Cung cp v s dng chng ch s 4. Nhm th t : m bo ton hc 5. Kh nng ng dng kt qu ca ti 6. Kt lun v kin ngh 7. Ti liu tham kho

Li m u
Cc ni dung m ti tin hnh nhm thc hin 2 mc tiu c ng k trong bn thuyt minh ti, l: Nghin cu mt s cng ngh, gii php nhm m bo an ton, an ninh thng tin cho cc mng dng giao thc IP, t xut m hnh ph hp c im s dng Vit Nam Phc v vic pht trin thng mi in t (TMT) ca Vit Nam, hng ti hi nhp khu vc S pht trin ca cc mng my tnh ni ring v mng Internet ni chung lm cho nhu cu m bo an ninh an ton thng tin trn mng ngy cng tng. C nhiu cng ngh mng (v d nh Ethernet v Token Ring), c nhiu giao thc mng (v d nh TCP/IP, IPX/SPX v NETBEUI,...), nhng do s pht trin vt tri ca giao thc IP so vi cc giao thc khc trn th gii, v cn c vo c im cng ngh mng c trin khai ti Vit Nam, chng ta thy rng c th bo m c an ninh an ton cho hu ht cc dch v mng th ch cn tp trung vo gii quyt cc bi ton i vi giao thc IP. Nu c gii php v sn phm bo mt tt cho mi trng IP, khi gp phi cc mi trng truyn thng khc chng ta c th dng cc thit b chuyn i (v d nh E1-IP) s dng c cc gii php v sn phm c. Vit Nam ang trong qu trnh hi nhp khu vc v hi nhp quc t. Thng mi in t chnh l mt cng c c lc phc v cho qu trnh hi nhp y. trong nc cng ang qu trnh xy dng chnh ph in t ( n 112 ca Chnh ph v Tin hc ho qun l hnh chnh). cho thng mi in t cng nh chnh ph in t pht trin c u cn c s h tr ca cc cng c/sn phm m bo an ninh bo mt thng tin trn cc mng truyn thng tin hc. Cc sn phm ca ti (bo co khoa hc v phn mm) p ng y cc cc ni dung ng k trong mc 16 Yu cu khoa hc i vi sn phm to ra ca bn thuyt minh ti, cng nh bng 2 Danh mc sn phm khoa hc cng ngh ca bn hp ng thc hin ti. Bo co khoa hc ca ti gm 18 quyn nh sau: tt 1 Tn bo co Bo co cp nht cc kt qu mi trong lnh vc bo mt mng v thng mi in t: Quyn 1A: Gii thiu cng ngh IPSEC, cng ngh pht hin xm nhp v thng mi in t Quyn 1B: Nc Nga v ch k in t s Quyn 1C: Tm hiu kh nng cng ngh cng ho cc thut ton mt m M hnh bo mt thng tin cho cc mng my tnh Quyn 2A: Giao thc TCP/IP v gii php bo mt cc tng khc nhau Quyn 2B: Tng quan v an ton Internet Nghin cu m bo ton hc Quyn 3A: Sinh tham s an ton cho h mt RSA Quyn 3B: Sinh tham s an ton cho h mt Elgamal

2 3

6 7 8 9

Quyn 3C: Nghin cu xy dng thut ton m khi an ton hiu qu Ph lc: Mt s nghin cu v hm bm v giao thc mt m H thng phn mm bo mt mng Quyn 4A: Cc phn mm bo mt gi IP trn h iu hnh Linux Quyn 4B: H thng an ton trn mi trng mng Sun Solaris Quyn 4C: Phn mm bo mt trn mi trng Windows An ninh, an ton ca cc h iu hnh mng Quyn 5A: An ninh ca cc h iu hnh h Microsoft Windows, Sun Solaris v Linux Quyn 5B: C ch an ton ca cc h iu hnh mng, Network Hacker, Virut my tnh H thng cung cp PKI Quyn 6A: Mt h thng cung cp chng ch s theo m hnh sinh kho tp trung B chng trnh cung cp ch k in t Quyn 7A: Mt h ch k s c s dng RSA H thng chng trnh xc thc trong thng mi in t Quyn 8A: Dng chng ch s vi cc dch v Web v Mail Quyn 8B: Bo mt dch v Web thng qua Proxy Server Cc sn phm nghip v v qui ch s dng Quyn 9A: Mt s thit b c s dng ghi kho

Cc sn phm phn mm/thit b bao gm: 1 Phn mm bo mt gi IP: - Trn mi trng Windows (SECURE SOCKET) - Trn mi trng Linux (TRANSCRYPT, IP-CRYPTOR, DLCRYPTOR) 2 Phn mm v chng ch s: - Sinh chng ch s theo m hnh sinh kho tp trung - Th vin ch k s - Dng chng ch s bo mt dch v Web thng qua Proxy Server 3 Phn mm m bo ton hc: - Phn mm sinh tham s an ton cho h mt RSA - Phn mm sinh tham s an ton cho h mt Elgamal 4 Thit b nghip v: - Thit b ghi kho vi giao din USB

Tm tt cc ni dung nghin cu v kt qu chnh 1. Nhm th nht: Nghin cu tng quan, tm hiu gii php cho cc c ch m bo an ninh an ton mng 1.1 Quyn 1 A: Gii thiu cng ngh IPSEC, cng ngh pht hin xm nhp v thng mi in t. Cc ni dung cng vic c thc hin l: Nghin cu v cng ngh IPSEC, y l mt trong cc cng ngh to nn mng ring o (VPN), cc dch v IPSEC cho php bn xy dng cc ng hm an ton thng tin qua cc mng khng tin cy (v d nh Internet) vi c hai kh nng xc thc v bo mt. Cc vn c i su l: cc c tnh ca IPSEC; cc khi nim c bn nh AH, ESP,...; m hnh ng dng cng vi u nhc im ca IPSEC Nghin cu v cc h thng pht hin xm nhp. V cc bc tng la v cc chnh sch an ninh an ton l cha ngn chn mi tn cng ph hoi, cho nn cn n h pht hin xm nhp (IDS - Intrusion Detection System). Cc vn sau c trnh by: Pht hin xm nhp l g? Cc gii php pht hin xm nhp; Nhng u im ca IDS ? Nhng g cn ch khi s dng IDS. Nghin cu tm hiu v thng mi in t vi cc ni dung: Cc hnh thc hot ng ch yu ca TMT; Tnh hnh pht trin TMT trn th gii; Tnh hnh pht trin TMT Vit Nam; v cc vn an ton trong TMT

Quyn 1B: Nc Nga v ch k in t s. Ngy 10 thng 1 nm 2002, tng thng Nga V. Putin k sc lnh lin bang v ch k in t s. i ti Lut v ch k in t s, nc Nga c mt qu trnh chun b k cng t trc. Lin quan n vn ny, trong bo co cp ti cc ni dung sau: - Bi vit Nhng cng ngh ha hn trong lnh vc ch k in t s cp ti d n chun quc gia mi ca Nga v ch k s. - Bi Ch k in t hay con ng gian kh thot khi giy t phn tch so snh ch k s vi ch k vit tay, khc vi ch k vit tay, ch k s ph thuc vo vn bn c k. - Vy nc Nga dng chun ch k s no? Chng ti m t: (1) chun ch k s GOST P 34.10-94 ; (2) chun ch k s GOST P 34.10-2001; (3) chun hm bm GOST P.34.11-94; (4) chun m khi GOST 24187-89 (do chun hm bm GOST P.34.11-94 c s dng thut ton GOST 24187-89) - Trong bo co chng ti dch ton b B lut Lin bang v ch k in t gm 5 chng v 21 iu. - Trong bo co cng trnh by cc thut ton chun ch k s, hm bm, m khi ca M v 2 bi bo phn tch so snh gia thut ton m khi ca Nga v thut ton AES ca M.

1.3 Quyn 1C: Tm hiu kh nng cng ngh cng ho cc thut ton mt m. Mt m c th thc hin theo cch th cng hoc t ng vi s tr gip ca my mc. Trong thi i in t, truyn thng v tin hc ngy nay cc ngun tin ngy cng a dng; mi thng tin u c s ha vi khng l tr lng ti ch v lu lng trn knh; i hi ca ngi dng ngy cng cao v mt, tc , an ton, tnh tin dng... Trong tnh hnh , ch c mt la chn duy nht l thc hin mt m vi s tr gip ca my mc. Cc ni dung nghin cu c thc hin l: So snh thc hin mt m bng phn cng v phn mm v tr li cu hi: nn thc hin mt m trn c s phn cng (hardware) hay phn mm (software)? so snh v an ton gia 2 platform (s dng chung khng gian nh RAM; m bo ton vn; thm ngc thit k; tn cng phn tch nng lng; vn lu tr kho di hn; ph thuc vo an ton ca h iu hnh) v phn tch cc u nhc im ca hai platform ny La chn cng ngh cho cng ho mt m. Vi ngnh mt m, ngoi vic chn cng ngh thch hp cho encryption, cng quan trng khng km l cng ngh c bo m security khng. Cc cng ngh c a ra xem xt l: (1) ASIC (2) ASSP (Application-Specific Standard Product); (3) Configurable Processor; (4) DSP (Digital Signal Processor); (5) FPGA (Field Programmable Gate Array); (6) MCU (Microcontroller); (7) RISC/GPP (Reduced Instruction Set Computer/ General Purpose Processor). Tip theo nghin cu v vic dng FPGA cng ho cc loi thut ton mt m khc nhau, l: (1) sinh kho dng; (2) cc php nhn v modulo; (3) m khi (AES); (4) mt m elliptic; (5) hm hash; (6) sinh s ngu nhin. Cc cng vic/ kin thc cn chun b cng ho mt m. Hai ni dung c trnh by. Trc ht l nhng kin thc cn thit thc hin FPGA bao gm: kin thc v ton; kin thc v k thut; kin thc v cng ngh; kin thc v th trng vi mch. Th hai l cc cng c cn thit thc hin FPGA bao gm: cng c thit k (CAD); thit b (my tnh, b np); nhn lc.

1.4 Quyn 2A: Giao thc TCP/IP v cc gii php bo mt cc tng khc nhau. Ch tr nhm nghin cu: ThS. ng Ho Mun nghin cu gii php bo mt cho giao thc IP th cn phi hiu r n. Chnh v vy m bo co khoa hc gm c 2 phn, phn I Giao thc mng TCP/IP gm c 9 chng, phn II Gii php bo mt gm c 3 chng dnh cho 3 tng: tng mng, tng giao vn v tng ng dng. Ch rng, khi nim tng 3 chng cui li theo m hnh ISO. Cc ni dung c cp n bao gm: Gii thiu v khi qut v TCP/IP: nu ra 4 c tnh ca TCP/IP; n c cc dch v tiu biu tng ng dng l th in t, chuyn file, truy cp t xa v www; cc dch v tng mng c th chia lm 2 loi: dch v khng lin kt chuyn gi tin v dch v vn ti dng d liu tin cy Cu trc phn tng ca m hnh TCP/IP: n c 4 tng; tng ng dng (Telnet, FTP,...); tng vn ti (TCP, UDP,...); tng Internet (IP) (hay cn gi l tng mng); v tng tip cn mng (Ethernet, ATM,...). Trong tng tip cn mng cn ch vic chuyn i gia a ch IP v a ch vt l. Trong tng Internet cn ch n bi ton dn ng ca gi tin (routing).

Cc a ch Internet: trnh by v 5 lp a ch mng l A, B, C, D v E. Khi nim mng con (subnet) i km vi khi nim a ch mng v subnet mask. Cch nh a ch Internet cng c mt s nhc im. Giao thc ARP gii quyt bi ton tng ng a ch Internet vi a ch vt l. y l gii php gii quyt nh tng ng ng, trong mi thit b mng s c mt cache gii quyt a ch. Giao thc Internet chnh l dch v chuyn gi tin khng lin kt ( tng mng) gii thiu nh dng ca gi tin IP (a ch ngun, a ch ch, IHL, ...), c i su vo mt s trng nh kch thc ca gi tin, MTU v Fragmentation Offset. Mt vi giao thc dn ng c im qua: GGP, EGP, BGP. Tho lun v c cu m cc cng v cc my s dng trao i s iu khin hoc thng bo li. C cu ny c gi l Giao thc Thng bo iu khin Internet - Internet Control Message Protocol (ICMP). Giao thc ny c coi l mt phn ca Giao thc Internet, v phi c trong mi thc hin ca giao thc IP. Giao thc gi tin ca ngi s dng UDP: nh dng ca gi tin UDP, cch bc gi tin UDP vo gi tin IP. Mt cch khi nim, ton b vic phn cng v hp cng gia phn mm UDP v chng trnh ng dng xy ra qua c ch cng. Giao thc iu khin truyn tin TCP: nu ln 5 tnh cht ca TCP. Phi c mt c ch gip cho TCP cung cp s tin cy, l xc nhn v truyn li, l cc ca s trt, thit lp mt lin kt TCP. Bo co cng trnh by v khi nim cng ca TCP, nh dng ca on TCP. H thng tn vng: trnh by v cc tn vng quen thuc nh GOV, EDU, COM,..,; tng ng gia tn vng v a ch. cp ti An ton tng mng: Network-Layer Security Protocol (NLSP) c cng b trong ISO/IEC 11577. Trong NLSP c hai giao din: giao din dch v NLSP v giao din dch v mng c s (UN-underlying network).
M hnh by tng ISO 7 6 5 4 3 2 1 Tng ng dng Tng trnh din Tng phin Tng giao vn Tng mng Tng lin kt d liu Tng vt l SSL IPSEC PPTP, swIPe VPDN, L2F, L2TP Fiber Optics PEM, S-HTTP, SET

Transport Layer Security Protocol (TLSP) c m t chun ISO/IEC 10736. N c t hon ton trong tng giao vn. TLSP c thit k b sung vo cc giao thc tng giao vn thng thng m khng phi thay i chng. Cc giao thc an ton tng ng dng ca cc mng gm 3 lnh vc: Trao i tin t (SET); Gi thng bo in t (PEM, RIPEM, S/MIME, PGP) v Cc giao dch

www (SSL, S-HTTP) 1.5 Quyn 2B: Tng quan v an ton Internet. Internet vi chi ph thp v tn ti mi ni lm cho cc ng dng thng mi in t tr nn kh thi. Th nhng, cc ri ro khi s dng Internet c th gy ra hin tng nn ch. Cc ni dung c nghin cu xem xt l: An ton Internet vi cc vn sau: An ton mng vi IPSEC; bc tng la; Cc kha cnh ca An ton dch v gi tin; trnh by v 6 ng dng c bo mt l PEM, MIME, S/MIME, PGP, X.400 v MSP ; An ton web vi SSL, S-HTTP v Phn mm c kh nng ti xung (Java Applet hay ActiveX); An ton i vi cc ng dng thng mi in t (EDI, SET,..); c bit c cp n Cc tho thun ca cc nh cung cp dch v Internet Phn nghin cu v Nhu cu thc t v bo mt cp ti: Tnh hnh pht pht trin ca CNTT trn th gii; Tnh hnh pht trin CNTT trong nc; M t kt qu mng ca B Ti chnh (tuy rng s liu tng i c). C th ni tm li, vi s trin khai ca cc n 112 v 47 th nhu cu bo mt cc dch v mng trong nc ta thi im ny l rt ln.

1.6 Quyn 5A : An ninh ca cc h iu hnh h Microsoft Windows, Sun Solaris v Linux. Phn An ton ca h iu hnh Linux nghin cu v: Tng quan v Linux Security: Phng php bo v vt l; An ton ti khon truy nhp; An ton file v h thng file; An ton mt khu; Dng mt m; An ton giao din ho; An ton nhn v An ton mng. i su nghin cu vn Login v xc thc ngi dng: m t chi tit v qu trnh ng nhp (t khi du nhc login cho ti khi xc thc xong v h thng a ra du nhc shell), phng php xc thc ngi dng cng nh cch qun l ngi dng trn h thng Linux. Trnh by v mt cng ngh l PAM (Pluggable Authentication Modules), l cc th vin chia s (shared libraries), cho php ngi qun tr h thng la chn cch xc thc ngi dng. Ni cch khc, ta khng phi bin dch li cc ng dng s dng PAM (PAM-aware), v vn c th chuyn i cch xc thc khc nhau.

Phn An ninh ca h iu hnh Sun Solaris nghin cu v: - Gii thiu v nh gi kh nng an ton ca Solaris vi 4 mc bo v: (1) iu khin ng nhp; (2) iu khin truy nhp ti nguyn h thng (3) Cc dch v phn tn an ton v nhng nn tng pht trin; (4) iu khin truy nhp ti mng vt l - Qun l h thng an ton bao gm 4 vn : (1) Cho php truy nhp ti h thng my tnh; (2) An ton file; (3)An ton h thng v (4) An ton mng - Cc tc v an ton file m u bng vic trnh by v cc tnh nng an ton file: cc lp ngi dng; cc quyn i vi file; cc quyn i vi th mc; cc quyn c bit; umask mc nh. Sau m t chi tit cc thao tc : hin th thng tin v file; thay i quyn s hu file; thay i cc quyn i vi file; ...

10

Cc tc v an ton h thng: ch dn tng bc hin th trng thi ng nhp ca ngi dng; hin th nhng ngi dng khng c mt khu; v hiu ho tm thi ng nhp ca ngi dng; lu li nhng cuc ng nhp tht bi; ... RPC an ton l cch thc xc thc xc nhn c my ch v ngi dng. RPC an ton dng xc thc hoc Diffie-Hellman hoc Kerberos. C hai c ch xc thc ny dng m DES. Mi trng NFS dng RPC an ton v c hiu nh NFS an ton. C hai kiu xc thc Diffie-Hellman v Kerberos version 4 u c h tr. PAM cung cp cch thc "ti vo" cc dch v xc thc v m bo tr gip nhiu dch v xc thc M t cch dng cng c tng cng an ton t ng (ASET- Automated Security Enhancement Tool) gim st hoc hn ch truy nhp ti cc file h thng v cc th mc. ASET c 3 mc an ton v c c thy 7 tc v. C 2 cch chy ASET: trc tuyn hoc nh k

Phn III An ninh ca cc h iu hnh h Microsoft Windows nghin cu v: - Nhc li m hnh lp mng trong mi trng Windows. Mng c hnh thnh gm c hai phn chnh v client v server. C hai m hnh lp mng : m hnh nhm lm vic (workgroup model) v m hnh min (domain model). Sau nh gi khi qut v an ninh an ton ca hai mi trng l Windows9x vWindowsNT. - cp n vn ht sc kinh in, l mt khu. Cn phn bit mt khu Windows 9x vi mt khu WinNT. Mt khu WinNT c dng DES lm hm mt chiu, cn Win2000 ngm nh s dng giao thc thm nh quyn Kerberos v5. - i vi Phn quyn i vi th mc, tp trnh by v cc h thng file c trong h Windows, bao gm: FAT, NTFS, CDFS, HPFS. Phn quyn i vi th mc v tp thc cht l bo mt cc ti nguyn mng thng qua permission chia s. - trnh by cc tnh nng an ton ca NTFS. 1.7 Quyn 5B: C ch an ton ca cc h iu hnh mng, Network hacker, Virut my tnh. Ch tr nhm nghin cu: TS. ng V Sn Phn I Kh nng an ton ca cc h iu hnh mng trnh by v: Tng quan v h iu hnh : H iu hnh l g? Phn loi h iu hnh; Lch s pht trin ca h iu hnh; 6 yu cu chun tc nh gia h thng my tnh tin cy v 4 cp nh gi. C ch an ton ca h iu hnh gm c 3 vn an ton chung i vi cc tt c cc h iu hnh mng, l: An ton truy nhp mng; An ton h thng v An ton file v th mc Trnh by v mt s cc l hng an ton ca h iu hnh Windows, ca vi h iu hnh Unix. Cc l hng c th n t: (1) h iu hnh v cc ng dng; (2) do ngi s dng; (3) do ngi lp trnh. Mt s h iu hnh c l hng v mt m (v d nh FTP daemon ca Unix) Ph lc c gii thiu Nessus l mt phn mm gim st an ninh mng. gii thiu cch ci t, cu hnh, chy khai thc chng trnh km theo file nht k kt qu chy trnh.

Phn II Network hacker gm c:

11

Tr li cu hi Hacker l ai? v phn loi hacker. Nu ra qui trnh 9 bc hack. Hacker hot ng hiu qu l do: cu hnh sai my ch, li trong cc ng dng, nh cung cp thiu trch nhim, thiu ngi c trnh . lit k ra nhng li ca h iu hnh m hacker c th khai thc. C a ra mt v d thc hin tn cng h thng Unix. Tr li cu hi l: c th s dng mt m chng hacker hay khng? Mt m c th dng vo 2 vic: bo v mt khu v m d liu c lu tr. nu ra 3 nguyn nhn khin ngi ta quan tm ti vic bo v thng tin trn Internet, l: bo v d liu, bo v ti nguyn mng, bo v danh ting ca c quan. nu ra mt hng dn bo mt cho h thng gm 6 bc Ph lc gii thiu phn mm gim st an ninh mng SNORT. y l mt Network IDS.

Phn III Virut my tnh vit v cc vn sau: - Tng quan v virus my tnh: tr li cu hi virus my tnh l g v phn loi virus. - i vi B-virus trnh by v c ch ly lan ca n. B-virus c th chia ra Single B-Virus v Doublr B-Virus. trnh by v cu trc ca mt B-virus (gm 4 phn) v cc c tnh ca n (tnh tn ti duy nht, tnh thng tr,...) - i vi F-virus xt n 2 mi trng l DOS v Win32. i vi cc virus trn DOS cp n: phng php ly lan; phn thnh 2 loi (Transient File Virus v Resident File Virus); Cu trc ca TF-virus v RF-virus;Cng nh B-virus, mt F-virus c cc yu cu: tnh tn ti duy nht, tnh ly lan,... - cp ti vic ly nhim virus trn mng LAN v Internet. - Liu c th dng mt m pht hin v phng chng virus hay khng? i vi B-virus th mt m khng phng chng c, cn i vi F-virus th c th phng chng bng cch i tn file. C th dng ch k s pht hin file b virus. - Ph lc l mt danh sch cc loi virus tiu biu cng vi m t ca chng: Nimda, Code Red, Chernobyl,... 2. Nhm th hai: Cc sn phm bo mt gi IP trn cc mi trng Linux, Solaris v Windows 2.1 Quyn 4A: Cc phn mm bo mt gi IP trn h iu hnh Linux. Bo co gm 2 phn. Phn I c tn l Lp trnh mng trong Linux c 2 chng. Chng 1 l Mng IP trong Linux v chng 2 l Lp trnh mng trong Linux. Phn II Cc sn phm bo mt gi IP c 4 mc. Ba mc A, B v C trnh by v 3 phn mm TRANSCRIPT, IP-CRYPTO v DL-CRYPTO. Mi mc A, B v C u c 2 chng, chng u gii thiu v gii php v chng th hai gii thiu v sn phm phn mm. Ring mc th t l mc D c 2 chng trnh by v gii php mt m bao gm : m d liu bng m khi v trao i kho t ng. Phn I Lp trnh mng trong Linux nghin cu cc vn sau: - Chng giao thc (protocol stack) l mt phn trong kernel code, n gm c

12

SOCKET layer, INET layer, TCP/UDP layer, IP layer, Network device layer. Cu trc v cc lnh lm vic vi socket buffer. File /proc/net/route cha Forwarding Information Base. Trnh by tng qut v qu trnh khi to mng khi h iu hnh khi ng, cch s dng trnh ifconfig v route thit lp kt ni mng, cc th tc c lin quan. Trnh by v qu trnh kt ni, cc bc gi d liu, cc bc nhn d liu, cc bc ca IP Forwarding, Internet Routing Protocol. Trnh by chi tit v sk_buffs, Cc th tc h tr mc cao hn. Dnh mt dung lng ln trnh by v thit b mng Trong phn ny cng c cp n IP-multicasting v cc th tc h tr Ethernet.

Nghin cu k, nm chc cch x l gi tin mng trong Linux l nhn t quyt nh c th thc hin thnh cng cc gii php can thip mt m nhm bo mt gi tin c truyn trn mng. Phn II Cc sn phm bo mt gi IP A. Phn mm TRANSCRYPT Transcrypt da trn phn mm CIPE (Crypto IP Encapsulation). Cc cng vic c lm l: khai thc lm ch hot ng ca h thng v thay i phn mt m (bao gm thut ton m d liu v ton b phn trao i kho). Transcrypt bao bc cc gi tin IP ( c m ho) bi cc gi tin UDP v gi chng bng k thut UDP thng thng. y l s khc bit vi vic bao bc IP trong IP. Trong bo co trnh by v vic m ho gi tin v trnh trao i kho Kex.

IP

data

New IP

UDP

IP

data

trnh by v m ngun ca Transcrypt, cch bin dch v ci t, cch thit lp cu hnh v cch chy chng trnh (gm cc bc np module v chy chng trnh daemon transcryptd. B. Phn mm IP-CRYPTO Phn mm IP-CRYPTO phng theo FreeS/WAN nhng ch h tr mt mode tunnel vi nhng thut ton mt m c thay th (m d liu v trao i kho). Phn trnh by v gii phpbo mt ca IP-CRYPTO cp n: K thut to card mng o v cch gi gi tin qua card mng o; Cch nhn gi tin mng trong nhn Linux; Ch ng hm (tunnel mode), Encapsulating Security Payload Packet Format v Phn tch chng trnh ngun ca qu trnh gi v nhn gi tin trong IP-Crypto

13

Outer IP header IP header IP Payload IP header IP Payload

My 1

Encapsulator

Decapsulator

My 2

Trong bo co trnh by v m ngun v b ci t ca IP-Crypto; cch bin dch v ci t n; cch thit lp cu hnh (gm c cu hnh mng, trao i kho th cng, trao i kho t ng, s dng trnh keyingd); m hnh chy th nghim. C. Phn mm DL-CRYPTOR Trnh by v gii php can thip mt m. Trong nhn linux vic gi v nhn gi tin mng c cha trong cu trc cha gi tin struct sk_buff. Ta thy trong nhn linux vic gi v nhn gi tin tng data link c thc hin nh hai hm l dev_queue_xmit() trong trng hp gi gi tin i v net_bh() trong trng hp nhn gi tin. Khi gi tin c truyn i, hm dev_queue_xmit() s thc hin vic m ho v sang bn nhn hm net_bh() s thc hin vic gii m. Nh vy, i vi cc giao thc mng tng cao hn (v d, giao thc tng mng IP) hai my l trong sut. Trong bo co trnh by v m ngun ca DL-Cryptor, cch bin dch v ci t, cch thit lp cu hnh v 2 ch lm vic ca DL-Cryptor (trao i kho th cng v t ng). D. Gii php mt m Chng 1 M d liu bng m khi trnh by v 2 ch lm vic ca m khi c dng n trong khi m gi IP l OFB (Output Feedback Mode) v CBC(Cipher Block Chaining Mode). Chng 2 Trao i kho t ng trnh by v giao thc trao i kho STS (Station-To-Station), n c u im l chng li c tn cng ngi ng gia. Giao thc STS c ci tin tr thnh giao thc STS i xng nh sau:
Alice gx gy EK(SIGA{gx, gy}) EK(SIGB{gy, gx}) Bob

14

Trong chng ny trnh by v vic lp trnh giao thc STS i xng c trnh trao i kho Kex, cch s dng trnh Kex v c bit l vic dng trnh trao i kho i km vi 3 phn mm bo mt l Transcrypt, IP-Crypto v DL-Cryptor.

2.2 Quyn 4B: H thng an ton trn mi trng mng Sun Solaris.
y l mt gii php bo mt c nghin cu trong Ban C yu. Do u t ca ti KC.01.01, kt qu ny c hon thin, c bit l ni dung ca chng 4 c thc hin thm. Tuy vy, v mt ti liu th bo co vn c vit thnh 4 chng, trong 3 chng u nhm gii thiu cch tip cn dng cng ngh lp trnh STREAMS can thip mt m vo Solaris. Trong bo co trnh by v gii php, cch tip cn, phng php nghin cu : - streamS l phn b xung mi y ti kin trc ca nhn (kernel) UNIX. Ct li ca m hnh StreamS l n c ci t ging nh chng giao thc. - Cc thnh phn ca lung gm: cc hng i (queue); cc thng bo (message); cc module; cc trnh iu khin (driver). - Cc thao tc trn lung gm: open, read, write, close,... - Cc thng bo l phng tin truyn thng trong lung. - Trong STREAMS cc trnh iu khin c m (opened) v cc m un c chn vo (pushed). C ba kiu ca trnh iu khin thit b: Trnh iu khin phn cng (Hardware Driver); Trnh iu khin o (Pseudo Driver); Trnh M hnh STREAMS iu khin a lung (Multiplexer Driver). Trong bo co i su vo vic xy dng a lung STREAMS TCP/IP. nghin cu gii php bt gi IP thc hin vic m ho trong m hnh STREAMS TCP/IP l xy dng v chn tng lc gi IPF thm vo. tit kim v mt thit b, chng ta nn tch hp nt m ho vi Router lc gi. V mt thc hnh, nhm nghin cu kho st kh nng ngn chn ca mt s phn mm hacker ca b phn mm IPSEC_SUN, l: Sniffit V.0.3.5, IPSCAN, Packetboy, ICMP_Bomber. Bn cnh , nhm nghin cu cng kho st nh hng ca b phn mm IPSEC_SUN i vi thi gian truyn d liu ca dch v FTP v so snh vi FreeS/WAN. 2.3 Quyn 4C: Phn mm bo mt trn mi trng Windows. Trong iu kin ca nc ta l mt nc ph thuc hon ton vo cng ngh nhp

15

ngoi th vn an ton cng cn phi c nghin cu sao cho ph hp vi hon cnh ca chng ta. Lm th no va tn dng c sc mnh ca cc h thng phn mm thng mi hin nay nhng vn kim sot c mc an ton ca thng tin trn mng l mt trong nhng vn ng c quan tm. Ni dung nghin cu phn ny nhm mc ch nghin cu xy dng gii php bo v thng tin trn cc mng my tnh c xy dng trn nn tng m hnh mng Winsock. M hnh mng Winsock l mt m hnh mng c pht trin mnh m s dng rng ri ngy nay. Do vy nh hng nghin cu vo m hnh ny l cn thit v c ngha thc tin. MS Windows

New API message filter

Gii php v k thut c s dng: Ton b dng thng tin trn mng trong cc Platform Windows u chuyn qua Winsock. Vn t ra l lm th no Task B c th khng ch c dng thng tin ny phc v Task A cho cc mc tiu ring bit. Can thip trc tip vo cc Modul trong Winsock l mt vic lm kh c th thc hin c bi i vi nhng ngi pht trin ng New API DLL dng th Winsock ch nh mt chic hp en. Chng ta ch c th bit c giao din vi Winsock m thi. Vy cch tip cn l nh th no. Chng ti tip cn Winsock DLL theo kiu xy dng mt API mi trn Windows Socket API. Dng thng tin trc khi chuyn qua Winsock s qua mt tng mi do ta xy dng v tng ny chng ta c th khng ch c dng thng tin mng. Cc ch c nghin cu l: M hnh Winsock: 3 thnh t ca m hnh mng Winsock, l (1) Winsock application; (2) Network system; (3) Winsock API. Mt lin kt gia Client v Server trong m hnh Winsock gm 5 thnh phn: Giao thc, a ch IP ca Client, s hiu cng ca Client, a ch IP ca Server, s hiu cng ca Server. Socket c trng thi, trng thi hin thi ca socket xc nh cc php ton mng no s c tip tc, cc php ton no s b treo li v nhng php ton mng no s b hu. C hai kiu socket: Datagram Socket v Stream socket. Thit k xy dng socket an ton: Nhm nghin cu pht trin giao din ti tng giao vn cho truyn thng TCP/IP c gi l Secure Socket phc v cho mc tiu nn v m ho d liu truyn qua Internet v cc mng PSTN. Secure Socket c ci t ti cc trm, Server v trong FireWall m bo an ton v truyn thng tc cao gia trm v cc my trm. Secure Socket cung cp giao din lp trnh ng dng Winsock chun cho cc ng dng TCP/IP chng hn nh Web Browser, telnet, ftp m khng bt k s thay i no i vi cc trnh ng dng v TCP/IP. C mt vi cch chn cc lnh ca Winsock : Thay th cc a ch hm; Thay i thng tin lin kt; i tn th vin Winsock. Nhm ti chn cch th 3 thc hin.

3. Nhm th ba: Cung cp v s dng chng ch s 3.1 Quyn 6A: Mt h thng cung cp chng ch s theo m hnh sinh kho tp trung.

16

Trn nn ca phn mm c m ngun m OpenCA, chng ti xy dng mt h thng cp chng ch vi m hnh n gin: trung tm sinh cp kho v ch c RootCA. phc v cho quy m nh, c th chng ta khng cn n c my RA. Nhng ni dung c trnh by bao gm: Gii thiu tng quan v PKI, v CA, RA, X.509 v 3 certificate, certification paths, revocation; Sau i vo trnh by cch ci t v vn hnh my CA. LDAP server c dng cho vic lu tr chng ch s cn hiu lc hay b hu b sao cho vic khai thc s dng c tin li. Ngi ta thng dng LDAP Server lm vic ny, mc d v mt nguyn tc c th dng mt database server bt k. Cc ci t, cu hnh v vn hnh my LDAP Server c trnh by. M t Qui trnh pht hnh chng ch s gm 6 bc cng vic sau: (1) Nhp thng tin v ngi c cp; (2) K yu cu cp chng ch; (3) Chuyn i nh dng ca chng ch; (4) Cp chng ch cho ngi dng; (5) Cp nht chng ch va pht hnh ln LDAP server; (6) In ni dung chng ch. M t Quy trnh hu b chng ch s gm cc bc cng vic sau: (1) Hu b mt chng ch bi ngi qun tr; (2) Pht hnh CRL v cp nht ln LDAP; (3) Ti CRL t my LDAP v my phc v; (4) In chng nhn hu b chng ch cho ngi s dng.

3.2 Quyn 7A: Mt h ch k s c s dng RSA i vi nhiu loi d liu th tnh xc thc i khi li cn hn tnh bo mt. Mt m kho cng khai gii quyt c bi ton xc thc bng h ch k s (vi s tr gip ca hm bm). C nhiu thut ton ch k s, nhng RSA l mt thut ton quen thuc v n c trong chun ca nhiu nc, nhiu t chc quc t. Th nhng dng ng thut ton ch k s RSA khng phi l mt vic d. Bn cnh vic la chn tham s sao cho an ton, chng ta cn phi ch ti cch chun b d liu k, ch khng phi c vic lu tha vi s m l kho b mt l xong. Trong vic chn tham s an ton th khng ch c p v q, m cn c c e v d na. C mt iu cn ch l tiu chun an ton i vi RSA m khc vi RSA k. Cc ni dung d c nghin cu l: Ch k s da trn mt m hin i cp ti mt s ci mang tnh l thuyt, l: Ch k s t h m c th o ngc; Lc ch k s cng vi appendix; Lc k khi phc thng bo; im qua cc kiu tn cng trn lc k; Hm bm ( k c nhanh). Lc ch k s RSA: im qua cc tn cng i vi ch k RSA. Trong ti liu trnh by thut ton k theo PKCS#1 phin bn 1.5, y cha phi l chun k dng RSA tt nht. Chun k tt nht dng RSA l RSA-PSS trong PKCS#1 phin bn 2.1. Module thc hin k v kim tra ch k s s dng chng ch s: trnh by mt s cng ngh c lin quan ti vic to ra ch k theo chun v module thc hin vic k v kim tra mt tp d liu c s dng chng ch s.

17

3.3 Quyn 8A: Dng chng ch s vi cc dch v Web v Mail. Cc vn c i su nghin cu bao gm: Giao thc Secure Socket Layer l ci cn hiu r bi v y chnh l gii php bo mt giao dch gia Web Server v Web Client. SSL v3 gm c SSL Record Protocol, SSL Handshake Protocol, SSL Change Cipher Specification v SSL Alert Protocol. i vi Application data, SSL Record Protocol thc hin 3 vic: phn mnh d liu (frame); (2) nn d liu (3) m ho v to MAC ri chuyn xung tng TCP. Cc tham s mt m lin quan n mt phin lin lc c thc hin thng qua SSLv3 Handshake Protocol. Trong bo co trnh by c th qu trnh thc hin SSLv3 Handshake qua cc bc gia client/server. cui chng c trnh by cch tnh kho cho phin lin lc.

trnh by cc thao tc s dng chng ch s vi dch v Web: Ci t chng ch cho trnh duyt Web; Cp nht CTL v CRL t Public Database Server; Ci t v thit lp cu hnh cho phn mm E-shop c s dng chng ch trn Apache Server; S dng lnh https truy nhp ti E-shop bng IE hoc Netscape. Trnh by cch a chng ch s vo trnh th tn Outlook Express, cch dng chng ch s m ho v xc thc th, cch cp nht cc CRL.

3.4 Quyn 8B: Bo mt dch v Web thng qua Proxy Server. Cc ni dung c nghin cu l: SQUID Proxy Server: Tp cu hnh squid.conf kh phc tp. Chng ta quan tm ti nhng la chn h tr SSL, l https_port v ssl_unclean_shutdown. MySSL nhn c t OpenSSL sau khi thc hin cc cng vic sau: Loi b nhng phn m ngun khng s dng n; Loi b giao thc SSL v2; Loi b cc thut ton m c sn, thay vo l thut ton M khi ca Ngnh CY; Loi b cc thut ton bm tr MD5 v SHA-1; Loi b cc thut ton k, tr RSA; Loi b chng trnh sinh s nguyn t xc sut, thay vo l thut ton sinh tham s RSA an ton. Trnh duyt MyBrowser nhn c t Mozzila 1.0 bng cch thu gn, kim sot v tch hp mt m ring vo.Trong ti liu c trnh by cch bin dch ra MyBrowser. M hnh bo mt dch v web thng qua Proxy nh sau:

18

Web Client (Linux, Win)

128.1.1.3/16

128.1.1.2/16

Squid MySSL (Linux)

200.1.1.2/24

Web Server (Linux, Win)

200.1.1.1/24

HUB 1

HUB 2

3.5 Quyn 9A: Mt s thit b c s dng ghi kho. Cc ni dung c cp n l: Gii thiu thit b iKey ca hng Rainbow Technologies. trnh by cc bc nhm dng iKey lu chng ch s v kho b mt, l: khi to nh dng cho iKey; thit lp tn cho iKey; khi to (hay t li) vng lu chng ch s; thay i mt khu; lu chng ch s. Sau l cch ng k chng ch s vi cc ng dng nh IE v Outlook Express. trnh by vic thit k, xy dng mt loi thit b nghip v c giao din USB. S khi tng qut ca thit b gm c 3 khi: khi giao din, khi vi x l v khi nh. Khi giao din s dng linh kin IC USB FT245 BM ca hng FTDI. Khi vi x l s dng linh kin AT89C2051 ca hng Atmel. Khi nh s dng linh kin AT24C64 ca hng Atmel

4. Nhm th t: m bo ton hc 4.1 Quyn 3A: Sinh tham s an ton cho h mt RSA. Mt m kho cng khai cn c s nguyn t ln, nhng ch ln khng th cha . Khng phi s nguyn t no cng dng cho mt m kho cng khai c mt cch ni chung v cho mt h mt c th no ni ring (v d nh RSA hay Elgamal). - cp n 4 tiu chun cho s nguyn t dng cho RSA ca chun X9.31 (y l mt chun ca cc t chc ti chnh M). Trn c s 4 tiu chun , cng vi vic xt cc tn cng phn tch s bng phng php sng trng s, tn cng phn tch s da vo ng cong elliptic, phng php phn tch s p1 ca Williams, tn cng kiu gii h phng trnh v phn tch s da vo gcd(p1, q1), nhm nghin cu a ra h tiu chun ca mnh vi nhng ngng c th. - Xy dng phn mm sinh s nguyn t dng cho h mt RSA bt u bng cc nh l Pocklington v Lucas, trn c s cc hm PocklingtonPrimeTest, LucasPrimeTest v LucasPocklingtonPrimeTest c xy dng. Tip , thut ton sinh s nguyn t bng phng php tng dn di c trnh by v mt l thuyt c nh gi s ln dn trung bnh v mt s nguyn t sinh c theo cch ny. Thut ton

19

StrongPrimeGenerator (theo kiu ca Gordon) c xy dng sinh s RSA-mnh. Lc lng cc s RSA-mnh c sinh theo thut ton StrongPrimeGenerator c nh gi v mt l thuyt. Hm RSAGenerator c thit k sinh ra nhng cp s nguyn t cn thit. 4.2 Quyn 3B: Sinh tham s an ton cho h mt Elgamal. Nhm nghin cu hon thnh cc cng vic sau: - Gii quyt vn s nguyn t mnh dng u v c th hn l im ra 3 ng dng ch yu trong mt m l bi ton bo mt tin dng h mt Elgamal, bi ton xc thc tin theo s ch k Elgamal v bi ton tho thun kho theo s Diffie-Hellman. c im chung ca cc loi hnh trn l tnh an ton ca chng u c coi l tng ng vi tnh kh gii ca bi ton logarit trn trng GF(p). Trnh by mt phng php sinh s nguyn t bng cch tng dn di hon ton da vo nh l Pocklington. V mt l thuyt th bt c mt s nguyn t no cng c th c sinh t phng php ca chng ti tt nhin vi kh nng khng nh nhau. Quan trng hn c trong vic a ra thut ton ny l n c th sinh cc s nguyn t dng trong h mt Elgamal mt cch rt hiu qu. i vo gii quyt vn xy dng c s l thuyt ca thut ton v hin thc ho bng mt chng trnh sinh s nguyn t mnh trn mt lp s nguyn c th: gii thiu v lp Lp(k) vi y vic nh gi v lc lng s nguyn t trong lp v thut ton sinh cc s nguyn t trong , trn c s xy dng thut ton sinh cc s nguyn t mnh v gn mnh. Trnh bay cc th thut tnh ton trn cc s ln , nhm hin thc ho c thut ton ch ra trn. Ph lc "Mt s kt qu th nghim", nhm gii thiu mt s kt qu th nghim gm: Mt s kt qu thng k thu c v thi gian sinh trung bnh cng mt trung bnh ca s nguyn t mnh v gn mnh; V d v cc s nguyn t Pepin, Sophie.

4.3 Quyn 3C: Nghin cu xy dng thut ton m khi an ton hiu qu. Chng 1 M u v m khi gii thiu chung v m hnh ton hc ca h m khi kho b mt. m bo tnh hiu qu mt h m khi cn phi c cu trc u, i xng m/dch v cc thnh phn ca n cng phi d dng trong qu trnh cng ho hay chng trnh ho mc cao. Chng ny cng gii thiu mt s cu trc m khi c bn nh cu trc i xng thun nghch Feistel, cu trc truy hi Matsui, cu trc cng-nhn Massey...v mt s thut ton m khi c th minh ho nh thut ton GOST ca Lin bang Nga, thut ton IDEA. Chng 2 Thm m khi :Mt s nhng cng vic quan trng khi u cho qu trnh thit k xy dng m khi l cn thit nghin cu nhng phng php thm m khi in hnh, t rt ra nhng c trng an ton c bn ca mt h m khi. Chng ny tp trung nghin cu l thuyt v cc phng php thm m khi c bn nh thm m vi sai, thm m vi sai bc cao, thm m tuyn tnh v cc dng c bit ca thm m tuyn tnh, thm m ni suy, thm m kho quan h.. ch yu p dng trn chun m d liu DES. V mt l thuyt chng ti ch nu nhng nguyn tc thm m c bn i vi m khi (da trn chun m d liu DES) m khng trnh by chi tit thut ton (v c th tm thy trong nhiu ti liu khc). Phn thc hnh,

20

chng ti tp trung nghin cu khai thc phng php thm m phi tuyn da trn tng thm m tuyn tnh xy dng thut ton thm h DES rt gn 8-vng nhm tm 56 bt kho ca chng. Chng 3 Kho st h m khi an ton theo cc c trng o gii tch. Nh chng ta bit m hnh chung ph bin ca mt h m khi gm hai phn: phn ngu nhin ho d liu v phn lc to kho cho h m. Phn ngu nhin ho d liu gm cc cu trc c bn gii thiu trong chng 1, c th thy n thng cha ba lp: cc hp th (lp trong cng), hm vng (lp gia) v cu trc m-dch (lp ngoi cng). Phn lc kho cng s c gii thiu cui chng, n c th gm lc on-line (tnh cng qu trnh m-dch), hay off-line (tnh trc qu trnh m-dch), hoc l lc kho c lp vi phn ngu nhin ho d liu hay ph thuc phn ngu nhin ho d liu. cho h m l an ton chng c cc tn cng nu, cn phi thit k xy dng cc hp th, hm vng v nghin cu la chn cu trc m-dch sao cho hn ch ti a cc tn cng phn tch m hoc v hiu ho cc phng php thm m c th. ng thi lc kho phi trnh c cc quan h kho n gin hoc trnh cc s tng t gia cc cng on to kho... Chng 4 Kho st m khi theo nhm sinh ca cc hm m ho. Vic tm cc tnh yu ca mt h m khi cn c vo nhng c tnh c th ca nhm sinh ca cc hm m ho ca h m trn c s hnh thnh nn nhng tiu chun khi thit k xy dng cc h m khi an ton. Cng lao ch yu ca chng ti a ra trong bi ny l a ra cc kt qu lin quan n khi nim t-pht tn v t-pht tn mnh cng vi ngha mt m ca chng. Qua cc kt qu a ra cng tot ln mt vn rt thc t l mi tnh yu v nhm cc php th c nh hng n tnh an ton ca h mt th vic loi b chng ch l cn thit v rt d khc phc cc khuyt tt hnh thc trn nhm sinh (ch bng cch b xung vo tp cc hm m ho cng lm l 2 hm n gin) trong khi bn cht mt m ch ph thuc vo chnh tp cc hm m ho. Chng 5 Kho st cc c trng ca m khi theo quan im xch Markov. Cc h m khi hin ti u thuc dng thut ton m ho tin hnh lp i lp li mt hm (thng c gi l hm vng). Hai phng php tn cng rt ni ting i vi loi m khi ny l tn cng vi sai v tn cng tuyn tnh nh ni trong chng 2. Hiu qu ca hai phng php ny c th hin trn cc phng din sau y: tp cc cp r, v cc cp m tng ng (trong tn cng vi sai), tp cc cp r/ m tng ng (trong tn cng tuyn tnh) c ln l bao nhiu th xc sut thnh cng ca ngi m thm cao? Khi c tp ny ri th thi gian tin hnh c thc t hay khng? Kh nng thc t trong vic thu thp tp hp ny? i vi ngi lp m, cc cu hi thng c t ra nh sau: Hm vng phi c thit k nh th no cc cng thc trn ng vi xc sut b? S vng lp ti thiu phi l bao nhiu khin cho lc lng cn thit ca tp r/m lm nn lng cc nh m thm? Vic nghin cu m khi trn quan im xch Markov gip cc nh mt m tr li cc cu hi trn nhng im ln, khi qut. Chng 6: Xy dng thut ton m khi MK_KC-01-01. Trong chng ny chng ti thit k mt thut ton m khi c th m bo cc thng s an ton, hiu qu phc v cho ti: - Trc ht, phn ngu nhin ho d liu c xy dng theo cu trc 3 lp: trong, gia v ngoi cng. Lp ngoi cng chng ti chn cu trc Feistel c th nh gi c cc o an ton trc cc tn cng mnh nht hin nay. Lp gia l

21

c cu trc kiu mng thay th hon v 2-SPN (c 2 tng phi tuyn c xen gia bi 1 tng tuyn tnh) nh nu trong chng 3. Lp trong cng l cc hp th phi tuyn. Cc hp th ny c la chn t 2 hp th S1 v S2 c kho st trong chng 3 c cc o an ton tt trnh cc kiu tn cng kho st. Ngoi ra cc php hon v, php dch vng c la chn cn thn sao cho h m c tnh khuych tn ngu nhin u. Cc php bin i u vo v u ra u ly l php XOR vi kho tng ng. - Phn lc kho, dng ngu nhin mt mm kho c di 128-bit thnh cc kho con cho cc vng lp v cc php bin i u vo v u ra. Phn lc kho cng ch trnh tn cng kiu trt khi, ng thi s dng ti a cc hp th phi tuyn ca phn ngu nhin ho d liu. - M hnh m, gii m; cc tham s c th trong m hnh v lc to kho c trnh by trong chng. Cc thng s an ton l thuyt v thc nghim ch ra rng h m khi MK_KC-01-01 p ng c cc yu cu an ton v hiu qu. 4.4 Ph lc: Mt s nghin cu v hm bm v giao thc mt m M u Ph lc l kt qu Nghin cu thm m MD4. Trn c s kt qu ca Dobbertin cng b nm 1997, mt thnh vin tham gia ti tnh li cc xc sut thnh cng, cn chnh li mt s cng thc cho c chnh xc, lp trnh thc hin thut ton tm va chm i vi MD4, ng thi thc hnh chy trn my Dell Power Edge 450 Mhz. Trong ph lc cn c trnh by li 2 bi bo ca cc tc gi nc ngoi l Va chm vi sai ca SHA-0 v Phn tch SHA-1 trong ch m ho. L do 2 bi bo ny c la chn l v: SHA-1 c pht trin trn c s nhng ci tng t trc l MD2, MD4, MD5, SHA-0 v SHA-1. Do SHA-0 c va chm, cho nn n c sa thnh SHA-1. Bi bo phn tch SHA-1 trong ch m ho cho thy n l mt thut ton m ho SHACAL da trn SHA-1 l mt thut ton tt. Cn xt SHA-1 nh mt hm bm th sao? t ra n cng ng vng c 9 nm, cho ti u thng 2 nm 2005, th c 3 nh mt m hc ngi Trung quc tm c thut ton ph n vi thi gian nhanh hn vt cn, rt tic bi bo y v thut ton ny cha c cng b. Kt qu t ph ny c gii thiu qua bi vit Cp nht thng tin v hm SHA-1. Nh tc gi Bruce Schneier vit ngy 18 thng 2 nm 2005 sau s kin SHA-1 b tn cng: Cc hm bm l thnh t mt m c hiu bit t, cc k thut bm c pht trin t hn so vi cc k thut m ho. Cho nn nhm ti cng cha c c nhng nghin cu su sc, bi v c nhiu k thut cha c nhun nhuyn. Trong ph lc cng c trnh by li 4 bi bo theo 3 hng nghin cu v thit k cc hm bm, l: Phng php thit k cc hm bm da trn m khi, Nguyn tc thit k hm bm , Hm bm nhanh an ton da trn m sa sai v mt ca hm bm lp da trn m khi. Cui ph lc l mt nghin cu tng quan v giao thc mt m v trnh by mt bi bo v giao thc STS. y l giao thc da trn giao thc Diffie-Hellman chun nhng c ci bin chng li tn cng ngi ng gia. Giao thc ny c nhm ti s dng lp trnh thc hin giao thc trao i kho phc v cc phn mm m gi IP trn mi trng Linux. 5. V gi tr ng dng v trin vng p dng kt qu KHCN

22

 Phn mm IP-Crypto v1.0 c nng cp ln thnh IP-Crypto 2.0 ci t vo thit b chuyn dng do X nghip M2 ch to trn nn mt my tnh nhng vi h iu hnh Linux c ti thiu. Phn mm ny hin nay c nng cp ln thnh IP-Crypto v 3.0 c h tr chng ch s bo mt 4 mng LAN ca Tng cc An ninh- B Cng An. Phn mm cung cp chng ch s c s dng th ti Cc E15-Tng cc VI- B Cng An vi dch v th tn. Vic bo mt dch v WEB vi chng ch s cng c dng th ti Cc C yu- BTTM (nhm m rng cc dch v c h tr bo mt trn trc mng). Cc phn mm bo mt mng dng giao thc IP ang c m rng din s dng (ti B Cng An, trc ht l 13 mng LAN ca Tng cc An ninh; sau l 30 mng LAN thuc trung tm ch huy; mng ca Chnh ph theo n 112;...) Hin nay, Cc Qun l K thut Nghip v Mt m- Ban C yu Chnh ph ang xy dng d n cung cp chng ch s cho khu vc Nh nc. Vn trin khai s dng chng ch s trong khu vc dn s cng ang c nhiu c quan quan tm (nht l B Bu chnh Vin thng). Vic thc hin ti KC.01.01 gip cho nhiu sn phm quan trng i vi Ngnh C yu c hnh thnh nhanh hn. iu quan trng na l, vi ti KC.01.01, nhng ngi lm cng tc nghin cu trong Ngnh C yu c iu kin tip cn vi nhim v bo mt cc mt loi hnh thng tin mi, l cc thng tin kinh t x hi, p ng nhu cu s dng sn phm mt m cho cc lnh vc khng phi l an ninh quc phng. y l mt cng vic ln, bi v bn cnh cc thng tin tc nghip ca cc c quan ng v Nh nc (nh chnh ph in t), cn c cc thng tin phc v pht trin kinh t ca cc doanh nghip, cng ty,... Bn cnh cc gii php k thut, vn ny cn ph thuc vo cc yu t khc nh chnh sch qun l, cc vn bn php qui khc,... 6. Kt lun v kin ngh ti KC.01.01 c thc hin trong thi gian hn 3 nm, tt c cc sn phm ng k c hon thnh. Bn nhm sn phm (bo co khoa hc, phn mm, thit b) c hnh thnh, l: (1) nhng nghin cu tng quan, tm hiu gii php; (2) cc phn mm bo mt gi IP; (3) cung cp v s dng chng ch s; (4) m bo ton hc. Mt s sn phm ca ti c Ban C yu tip tc u t pht trin nng cp v c nhng ng dng thc t mang li hiu qu thc s v gp phn thc y qu trnh thc hin nhu cu bo mt thng tin trn cc mng ca cc n 112 ca Chnh ph (trc ht l ti B Cng An). Nhng kt qu nghin cu t c ca ti KC.01.01 c tip tc hon thin to ra nhng sn phm mi, v d nh phn mm m tng cu bo mt hi ngh truyn hnh. Trong mt tng lai gn, thng mi in t v chnh ph in t s pht trin mnh nc ta. l mi trng thun li cho nhng sn phm h tr PKI pht trin. Nhng n cng lm ny sinh mt vn ht sc quan trng, l nhu cu cn c mt b chun cc thut ton mt m dng chung cho cc sn phm . y l mt cng vic ln, hin ang c cc cn b nghin cu thc hin ti KC.01.01 ni ring v i ng cn b nghin cu trong Ban C yu Chnh ph ni ring tp trung gii quyt.

23

7. Ti liu tham kho Quyn 1A: Gii thiu cng ngh IPSEC, cng ngh pht hin xm nhp v thng mi in t 1. An Introduction to IPSEC, Bill Stackpole, Information Security Management Hanbook, 4th edition, Chapter 14, Boca Raton-London- New York-Washington, editors Harold F.Tipton and Micki Krause, 2000. 2. Ti liu km theo phn mm FreeS/WAN (http://www.freeswan.org) 3. Cohen, F., Managing network security- Part 14: 50 ways to defeat your intrusion detection system. Network Security, December, 1997, pp.11-14. 4. Crosbie, M. and Spafford, E.H., Defending a computer system using autonomous agents. Proceedings of 18th National Information System Security Conference, 1995, pp. 549-558. 5. Garfinkel, S. and Spafford, G., Practical Unix and Internet Security, OReilly & Associates, Inc., 1996. 6. Garfinkel, S. and Spafford, G., Web Security & Commerce, OReilly & Associates, Inc., 1997. 7. Herringshaw, C. Detecting attacks on networks. IEEE Computer, 1997, Vol, Vol. 30 (12), pp. 16-17. 8. Mukherjee, B., Heberlein, L. T., and Levitt, K.N., Network intrusion detection. IEEE Network, 1994, Vol.8 (3), pp.26-41. 9. Power Richard, Issues and Trends: 1999 CSI/FBI computer crime and security survey, Computer Security Journal, Vol.XV, No.2, Spring 1999. 10. Schultz, E.E. and Wack, J., Responding to computer security incidents, in M. Krause and H.F. Tipton (Eds.), Handbook of Information Security. Boston:Auerbach, 1996, pp.53-68. 11. Van Wyk, K.R., Threats to DoD Computer Systems. Paper presented at 23rd Information Integrity Institute Forum Quyn 1B: Nc Nga v ch k in t s 1. C.U.Mfhbxtd, D.D. Ujyxfhjd, H.T.Cthjd, Jcyjds cjdhtvtyyjq rhbgnjuhfabb, Vjcrdf, Ujhzxfz kbybz-Ntktrjv, 2002, cnh. 9698. 2. S. Even and O. Goldreich. Des-like functions can generate the alternating group. IEEE Transactions on Information Theory, 29(6):863-865, November 1983. 3. National Soviet Bureau of Standards. Information Processing Systems. Cryptographic Protection. Cryptographic Algorithm. GOST 28147-89, 1989. 4. J. P. Pierrzyk and Xian-Mo Zhang. Permutation generators of alternating groups. In Advances in Cryptology- AUSCRYPT90, J.Sebery, J. Pieprzyk (Eds), Lecture Notes in Computer Science, Vol.453, pages 237-244. Springer Verlag, 1990. Quyn 1C: Tm hiu kh nng cng ngh cng ho cc thut ton mt m 1. FIPS 140-1 - Security Requirements for Cryptographic Modules., 1994 January 11. 2. Leon Adams., Choosing the Right Architecture for Real-Time Signal Processing Designs., White Paper., SPRA879 - November 2002.

24

3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16.

17. 18. 19. 20.

Christof Paar., Reconfigurable Hardware in Modern Cryptography., ECC 2000 October 4-6., Essen, Germany. Hagai Bar-El., Security Implications of Hardware vs. Software Cryptographic Modules., Information Security Analyst., October 2002. Cryptology., http://www.cyphernet.org/cyphernomicon/5.html Leon Adams., Choosing the Right Architecture for Real-Time Signal Processing Designs., SPRA879 - November 2002 Stephen Brown and Jonathan Rose., Architecture of FPGAs and CPLDs: A Tutorial., Department of Electrical and Computer Engineering University of Toronto. Khary Alexander, Ramesh Karri, Igor Minkin, Kaijie Wu, Piyush Mishra, Xuan Li., Towards 10-100 Gbps Cryptographic Architectures., IBM Corporation, Poughkeepsie, NY, 12601. AJ Elbirt, C Paar., Towards an FPGA Architecture Optimized for Public-Key Algorithms., Cryptography and Information Security Laboratory, Worcester, MA 01609. Thomas Blum., Modular Exponentiation on Reconfigurable Hardware., Thesis., WORCESTER POLYTECHNIC INSTITUTE. M. Shand and J. Vuillemin. Fast implementations of RSA cryptography. In Proceedings 11th IEEE Symposium on Computer Arithmetic, pages 252259, 1993. H.Orup. Simplifying quotient determination in high-radix modular multiplication., In Proceedings 12th Symposium on Computer Arithmetic, pages 1939, 1995. K. Iwamura, T. Matsumoto, and H. Imai. Montgomery modular-multiplication., method and systolic arrays suitable for modular exponentiation. Electronics and Communications in Japan, Part 3, 77(3):4051, March 1994. J.-P. Kaps. High speed FPGA architectures for the Data Encryption Standard., Masters thesis, ECE Dept., Worcester Polytechnic Institute, Worcester, USA, May 1998. Ahmed Shihab, Alcahest; and Martin Langhammer, Altera., Implementing IKE Capabilities in FPGA Designs., Dec 05, 2003 URL: http://www.commsdesign.com/showArticle.jhtml?article-ID=16600061 Alexander Tiountchik, Institute of Mathematics, National Academy of Sciences of Belarus v Elena Trichina, Advanced Computing Research Centre, University of South Australia., FPGA Implementation of Modular Exponentiation. Hauck, S. (1998). The Roles of FPGAs in Reprogrammable Systems Proceedings of the IEEE 86(4): 615-638. Kris Gaj and Pawel Chodowiec., Hardware performance of the AES finalists survey and analysis of results., George Mason University. AJ Elbirt, W Yip, B Chetwynd, C Paar., An FPGA-Based Performance Evaluation of the AES Block Cipher Candidate Algorithm Finalists., ECE Department, Worcester Polytechnic Institute. Kris Gaj and Pawel Chodowiec., Comparison of the hardware performance of the AES candidates using reconfigurable hardware., George Mason University.

25

21. Bruce Schneier, John Kelseyy, Doug Whitingz, David Wagnerx, Chris Hall, Niels Ferguson., Performance Comparison of the AES Submissions., January 3, 1999. 22. J. P. Kaps and C. Paar, Fast DES implementation on FPGAs and its application to a universal key-search machine, in Fifth Annual Workshop on Selected Areas in Cryptography, vol. LNCS 1556, Springer-Verlag, August 1998. 23. O. Mencer, M. Morf, and M. J. Flynn, Hardware Software Tri-Design of Encryption for Mobile Communication Units, in Proceedings of International Conference on Acoustics, Speech, and Signal Processing, vol. 5, (New York, New York, USA). 24. K. H. Leung, K. W. Ma, W. K. Wong v P. H. W. Leong., FPGA Implementation of a Microcoded Elliptic Curve Cryptographic Processor., Department of Computer Science and Engineering, The Chinese University of Hong Kong. 25. M. Rosner Elliptic Curve Cryptosystems on reconfigurable hardware., Masters Thesis Worcester., Polytechnic Institute Worcester USA 1998. 26. G. Orlando and C. Paar., A super-serial Galois field multiplier for FPGAs and its application to public key algorithms., Proceedings of the IEEE Symposium on Field-programmable custom computing machines., trang 232-239., 1999. 27. T. Grembowski, R. Lien, K. Gaj, N. Nguyen, P. Bellows, J. Flidr, T. Lehman, B. Schott., Comparative Analysis of the Hardware Implementations of Hash Functions SHA-1 and SHA-512., Electrical and Computer Engineering, George Mason University, 4400 University Drive, University of Southern California Information Sciences Institute. 28. Thomas Wollinger and Christof Paar., How Secure Are FPGAs in Cryptographic Applications?., Report 2003/119, http://eprint.iacr.org/, 5. June 2003 29. Ross Anderson Markus Kuhn., Tamper Resistance - a Cautionary Note., The Second USENIX Workshop on Electronic Commerce Proceedings, Oakland, California, November 18-21, 1996, pp 1-11, ISBN 1-880446-83-9. 30. S Blythe, B Fraboni, S Lall, H Ahmed, U deRiu, Layout Reconstruction of Complex Silicon Chips, IEEE Journal of Solid-State Circuits v 28 no 2 (Feb 93) pp 138-145. 31. B. Dipert. Cunning circuits confound crooks., http://www.einsite.net/ednmag/contents/images/21df2.pdf. 32. G. Richard., Digital Signature Technology Aids IP Protection., EETimes News, 1998. http://www.eetimes.com/news/98/1000news/digital.html. 33. K.H. Tsoi, K.H. Leung and P.H.W. Leong., Compact FPGA-based True and Pseudo Random Number Generators., Department of Computer Science and Engineering, The Chinese University of Hong Kong, Shatin, NT Hong Kong. 34. V. Fischer and M. Drutarovsky. True random number generator embedded in reconfigurable hardware. Trong Proceedings Cryptographic Hardware and Embedded Systems Workshop (CHES), trang 415-430, 2002. Quyn 2A: Giao thc TCP/IP v gii php bo mt cc tng khc nhau. 1. Network Layer Security, Steven F. Blanding, Chapter 8, Information Security

26

Management Hanbook, 4th edition, Boca Raton-London- New York-Washington, editors Harold F.Tipton and Micki Krause 2. Transport Layer Security, Steven F. Blanding, Chapter 9, Information Security Management Hanbook, 4th edition, Boca Raton-London- New YorkWashington, editors Harold F.Tipton and Micki Krause 3. Application- Layer Security Protocols for Network, Bill Stackpole, Chapter 10, Information Security Management Hanbook, 4th edition, Boca Raton-LondonNew York-Washington, editors Harold F.Tipton and Micki Krause Quyn 3A: Sinh tham s an ton cho h mt RSA 1. Lu c Tn, Mt s thut ton kim tra tnh nguyn t i vi mt s lp s. Lun n ph tin s khoa hc ton l, H ni 1994. 2. Ian Blanke, Gadiel Seroussi & Nigel Smart. Elliptic Curves in Cryptography. Cambridge Universty press 1999. 3. D. M. Gordon, Strong Primes Are Ease to Find, Advances in CryptologyProceedings of EUROCRYPT 84 (LNCS 209), 216-223, 1985. 4. Hans Riesel, Prime Number and Computer Methods for Factorization, Progress in Mathematics, 57, 1985. 5. R. L. Rivest and R. D. Silverman, Are Strong Primes Needed for RSA? 6. Robert D. Silverman, Fast Generation of Random, Strong RSA Primes. The Technical Newsletter of RSA Laborastories. Spring 1997. 7. N.M.Stephens, Lenstras Factorisation Based On Elliptic Curves. Springer-Verlag 1998, pp. 409-416. Quyn 3B: Sinh tham s an ton cho h mt Elgamal 1. Douglas Robert Stinson, Mt m L thuyt v Thc hnh. Bn dch ting Vit H ni 1995. 2. Lu c Tn. Mt s thut ton kim tra nhanh tnh nguyn t ca cc s trn mt s lp s. Lun n ph tin s H ni 1993. 3. Paulo Ribenboim. The Little Book of Big Primes. Springe-Verlag 1991 Quyn 3C: Nghin cu xy dng thut ton m khi an ton hiu qu 1. AES (nhiu tc gi), Tuyn tp 15 h m khi d tuyn chun m tin tin (AES), Ti liu t Internet. 2. E. Biham, New types of cryptanalytic attacks using related keys, EUROCRYPT' 93, pp. 398-409. 3. A. Biryukov, D. Wagner, Slide Attacks, Fast Software Encryption, 1999, pp. 245259. 4. A. Biryukov, D. Wagner, Advanced Slide Attacks, EUROCRYPT' 2000, pp. 589606. 5. S. Burton, Jr. Kaliski, M.J.B. Robshaw, Linear Cryptanalysis using Multiple Approximations, CRYPTO'94, pp. 26-39. 6. G. Carter, E. Dawson, and L. Nielsen, Key Schedules of Iterative Block Ciphers, Ti liu t Internet, (10 trang). 7. F. Chabaud and S. Vaudenay, Links between differential and linear cryptanalysis, Eurocrypt' 94, pp. 256-365.

27

8. C. Charnes, L. OConnor, J. Pieprzyk, R. Safavi-Naimi, Y. Zeng, Comments on Soviet Encryption Algorithm GOST, EUROCRYPT'94, pp. 433-438. 9. L. J. O'Conner and J. Dj Golic', A unified markov approach to differential and linear cryptanalysis, Asiacrypt, November 1994. 10. L. J. O'Conner, Design Product Ciphers Using Markov Chain, Selected Area in Cryptography 1994. 11. L. J. O'Conner, Convergence in Differential Distributions, Crypto'95, pp.13-23. 12. I. I. Ghicman, A.V. Skorokhod, Nhp mn v l thuyt cc qu trnh ngu nhin, NXB "HAYKA", Maxcova 1977. 13. G. Hornauer, W. Stephan, R.Wernsdorf, Markov Ciphers and Alternating Groups, Eurocrypt'93, p.453-460. 14. T. Jacobsen, L.R. Knudsen, Interpolation Attacks on the Block Cipher, Fast Software Encryption, 1997, pp 28-40. 15. Y. Kaneko, F. Sano, K. Sakurai, On Provable Security against Differential and Linear Cryptanalysis in Generalized Feistel Ciphers with Mutiple Random Functions, Ti liu t Internet, 15 trang. 16. J. Kelsy, B. Schneier, and D. Wagner, Key-Schedule Cryptanalysis of IDEA, GDES, GOST, SEFER, and Triple-DES, CRYPTO'96, pp 237-251 17. L. R. Knudsen, Block Ciphers-Analysis, Design and Applications, July, 1, 1994 (Ph. D Thesis). 18. L. R. Knudsen, Practically secure Feistel ciphers, Fast Software Encryption, 1993, pp. 211-221. 19. L.R. Knudsen, New potentially "weak keys for DES and LOKI, EUROCRYPT' 94, pp. 419-424. 20. L. R. Knudsen, M.J.B. Robshaw, Non-linear Approximations in Linear Cryptanalysis, EUROCRYPT' 96, pp. 224-236. 21. M. Kwan, J. Pieprzyk, A General purpose Technique for Locating Key Scheduling Weaknesses in DES-like Cryptosystems, ASIACRYPT'91, pp. 237246. 22. X. Lai, On the Design and Security of Block Ciphers, Hartung-Gorre Verlag Konstanz, 1995 23. X. Lai, J.L. Massey and S. Murphy, Markov Ciphers and Differential cryptanalysis, Eurocrypt' 91, pp.17-38. 24. M. Matsui, New Block Encryption Algorithm MISTY, Fast Software Encryption, 1997, FSE97, pp. 54-68 25. M. Matsui, New structure of block ciphers with provable security against differential and linear cryptanalysis, Fast software Encryption, 1996, pp. 21-23. 26. M. Matsui, Linear Cryptanalysic Method for DES Cipher, EUROCRYPT' 93, pp. 386-397. 27. M. Matsui, The First Experimental Cryptanalysic of the Data Encryption Standard, CRYTO' 94, pp. 1-11. 28. S. Moriai, T. Shimoyama, T. Kaneko, Interpolation Attacks of the Block Cipher: SNACK, Fast Software Encryption, 1999, pp. 275-289. 29. K. Nyberg, Differentially uniform mappings for cryptography, EUROCRYPT'93, pp. 55-64, 1994. 30. K. Nyberg, Linear Approximation of Block Ciphers, Eurocrypt'94, pp.439-444.

28

31. K. Nyberg, L. R. Knudsen, Provable security against a differetial cryptanalysis, Journal of Cryptology, Vol. 8, pp. 27-37, 1995. 32. Savan Patel, Zulfikar Ramzan, and Ganapathy S. Sundaram, Towards Making Luby-Rackoff Ciphers Optimal and Practical, Fast Software Encryption, 1999, pp. 171-185. 33. Kenneth G. Paterson, Imprimitive Permutation Groups and Trapdoor in Iterated Block Ciphers, Fast Software Encryption, 1999, pp. 201-214. 34. T. Shimoyama, T. Kaneko, Quadratic Relation of S-box and Its Application to the Limear Attack of Full Round DES, CRYPTO'98, pp. 200-211. 35. J. Seberry, X. M. Zhang and Y. Zheng, Relationships Among Nonlinearity Criteria, EUROCRYPT'94, pp. 76-388, 1995. 36. D. R. Stinson, Cryptography: Theory and Practice, 1995 by CRC Press, Inc. 37. Nguyn Duy Tin, Cc m hnh xc sut v ng dng, Phn I- Xch Markov v ng dng, NXB i hc Quc gia H Ni, 2000. 38. R.Wernsdorf, The One-Round Functions of the DES Generate the Alternating Group, Proc. Eurocrypt' 92, LNCS 658, 1993, pp. 99-112. Quyn 4A: Cc phn mm bo mt gi IP trn h iu hnh Linux 1. Glenn Herrin, Linux IP Networking-A Guide to the Implementation and Modification of the Linux Protocol Stack 2. Alan Cox, Network buffer and memory management Quyn 4B: H thng an ton trn mi trng mng Sun Solaris 1. Streams programming Guide. 1995 Sun Microsystems. 2. Solaris system administrators guide. Janice Winsor - 1993 - Ziff-Davis Press Emryville, California 3. Writing unix device drivers. George pajari - Addison-Wesley Publishing Company, Inc - 1992 4. TCP/IP Illustrated Volume 1. Volume2 , Volume 3. Gary R. Wright - W. Richard Stevens, 1995- Addison-Wesley Publishing Company 5. Network and internetwork security-Principles and practice. William Stallings, Ph.D.,1995 by Prentice-Hall, Inc 6. Computer Communications Security - Principles, Standard Protocols and Techniques. Warwick Ford - PTR Prentice Hall - 1994 7. Intenet & TCP/IP Network Security, Security Protocols and Applications -1996 by The McGraw-Hill Companies, Inc 8. Building Internet Firewalls. D. Brent chapman and Elizabeth D. Zwicky - O' Reilly & Associates, Inc. 9. Firewall complete, 1998 - Mc Graw - Hill 10. UNIX Network programming Volume 1, Network APIs: Sockets and XTI - W. Richard Stevents, 1998 Prentice - Hall, Inc 11. Ti liu chuyn v TCP/IP , Phm Vn Hi - Hc vin KTMM

12. http://www.freeswan.org/
13. RFC 2409 :The Internet Key Exchange (IKE) 14. RFC 2408 Internet Security Association and Key Management Protocol (ISAKMP) 15. RFC 1825 : An overview of a security architecture

29

16. RFC 1826 : IP Authentication Header 17. RFC 1827 : IP Authentication Header 18. Cc RFC khc v IPSEC v FreeS/WAN Quyn 5A: An ninh ca cc h iu hnh h Microsoft Windows, Sun Solaris v Linux 1. Authentication HOWTO - Peter Hernberg 2. Shadow Password Howto - Michael H. Jackson mhjack@scnet.com 3. Security HOWTO 4. The Linux-PAM System Administrators Guide, Adrew G. Morgan 5. Practical Unix Security - Simson Garfinkel and Gene Spafford 6. Cc trang man getty(); mingetty(); login(); sulogin(); 7. Text - Terminal HOWTO - David S. Lawyer dave@lafn.org 8. Solaris System Administration Guide, Chapter 12 -> Chapter 16 9. Software White Paper: Solaris Security, Ti liu t Internet Quyn 5B: C ch an ton ca cc h iu hnh mng, Network hacker, Virut my tnh 1. William Stallings Ph.D. (1999), Cryprography and Network security: Principles and Practice - Second edition, Prentice -Hall, Inc.,USA. 2. VN-GUIDE, Bo mt trn mng B quyt v gii php Tng hp v bin dch, Nh xut bn thng k. 3. Cc trang web: www.tinhat.com/internet_security/security_holes.html, www.tinhat.com/internet_security/improve.html, www.securityfocus.com, www.saintcorporation.com, www.sans.org, www.fbi.gov, www.cs.wright.edu, www.nessus.org, www.nai.com, www.linuxdoc.org/HOWTO/Secure-ProgramsHOWTO.html, www.hackecs.com, www.auscert.org.au, www.securityfocus.com, www.l0pht.com, www.w3.org, www.rhino9.com, iss.net, www.insecure.org, www.cert.org, vnEpress.net, www.viethacker.net 4. Trn Thch Tng, Bo mt v ti u trong Red Hat Linux, NXB Lao ng X hi 5. Edward Amoroso, Fundamentals of Computer Security Technology 6. E_book: Hackers Handbook, State of the art Hacking tools and techniques, Vol 1, 2, 3. 7. William Stallings Ph.D. (1999), Cryprography and Network security: Principles and Practice - Second edition, Prentice -Hall, Inc.,USA. 8. Cc trang web: www.netbus.org, www.saintcorporation.com/products/saint_engine.html, www.rootshell.com, www.hackerjokes.de/, www.hackercracker.net/, www.crackerhttp/, www.hackerethic.org/, www.counter-hack.net/, www.inthehack.com/, www.eleganthack.com/, www.hack-net.com/, www.virtualcrack.com/ 9. Ng Anh V, Virus tin hc huyn thoi v thc t, NXB Thnh Ph H Ch Minh. 10. Nguyn Thnh Cng, Hng dn phng v dit virus my tnh , NXB thng k 11. Nguyn Vit Linh v u Quang Tun, Hng dn phng chng virus trong tin hc mt cch hiu qu, NXB tr. 12. Cc trang web: www.viruslist.com/, www.norman.com, www.esecurityplanet.com, www.antivirusebook.com, www.waronvirus.com, www.hackertrickz.de

30