I HC QUC GIA H NI TRNG I HC CNG NGH

Trn Quang Thun

NGHIN CU V XY DNG H TNG KHA CNG KHAI

KHO LUN TT NGHIP I HC H CHNH QUY Ngnh : Cng ngh thng tin

H NI - 2010

I HC QUC GIA H NI TRNG I HC CNG NGH

Trn Quang Thun

NGHIN CU V XY DNG H TNG KHA CNG KHAI

KHO LUN TT NGHIP I HC H CHNH QUY Ngnh : Cng ngh thng tin Cn b hng dn: PGS TS.H S m Cn b ng hng dn: TS.L c Phong

H NI - 2010

LI CM N
Ti xin gi li cm n chn thnh nht ti PGS.TS H S m, TS. L c Phong. Nhng ngi thy cho ti nhng nh hng v nhng kin rt qu bu ti hon thnh c kha lun tt nghip ny. Ti xin t lng bit n su sc ti cc thy c, bn b du dt, gip ti tin b trong sut qu trnh lm kha lun tt nghip. Xin cm n gia nh v b bn, nhng ngi lun khuyn khch v gip ti trong mi hon cnh kh khn. Ti xin cm n b mn Truyn Thng v Mng My Tnh, khoa Cng Ngh Thng Tin trng i Hc Cng Ngh-i Hc Quc Gia H Ni ht sc to iu kin cho ti trong qu trnh hc, lm v hon thnh kha lun ny.

M C L C
Trn Quang Thun...........................................................................................................................1 H NI - 2010...........................................................................................................................1 Trn Quang Thun...........................................................................................................................2 Kha lun H tng kha cng khai (PKI), vn cp pht chng thc s v ng dng trong thng mi in t. H tng kha cng khai l mt b khung c bn xy dng m hnh an ninh, bo mt trong thng mi in t. Tm hiu vai tr ca chng thc s trong h tng kha cng khai. Vai tr ca chng thc s trong cc giao dch trc tuyn. Ngi s dng, ngoi hnh thc bo mt thng thng nh mt khu, cng phi dng mt chng thc s c nhn khng nh danh tnh ca mnh, xc nhn cc hot ng giao dch ca mnh vi dch v ngn hng, thng mi in t, dao dch chng khon... Chng thc s s gip nh qun l m bo rng khch hng khng th chi ci cc giao dch ca mnh, khi h dng chng thc s. T t ra cc vn qun l (cp pht,xc thc) thu hi v cp pht li chng thc s............................5 Trong kha lun ti s trnh by v cc vn chnh xoay quanh vn h tng kha cng khai (PKI). Phn u ca kha lun (chng 1) gii thiu vn v cch tip cn gii quyt vn s trnh by khi qut v mt vi khi nim c bn v mt m hc kha cng khai, h tng kha cng khai ; cc khi nim c bn v thut ton v l thuyt phc tp; mt vi cng c nn tng ca mt m hc kha cng khai (m ha thng tin, hm bm, ch k s). Chng 2 ca kha lun s lm r hn cc khi nim, cc vn c bn bn trong mt h tng kha cng khai (chng thc s, cc dch v ng k, cp pht, xc thc, thu hi, kha cng khai); ng dng ca h tng kha cng khai trong giao dch in t ngy nay ; v mt vi h thng h tng kha cng khai trong thc t. Chng 3 c t mt h tng kha cng khai n gin v Kt Lun.................................................................................................................................................5

TM TT KHA LUN
Kha lun H tng kha cng khai (PKI), vn cp pht chng thc s v ng dng trong thng mi in t. H tng kha cng khai l mt b khung c bn xy dng m hnh an ninh, bo mt trong thng mi in t. Tm hiu vai tr ca chng thc s trong h tng kha cng khai. Vai tr ca chng thc s trong cc giao dch trc tuyn. Ngi s dng, ngoi hnh thc bo mt thng thng nh mt khu, cng phi dng mt chng thc s c nhn khng nh danh tnh ca mnh, xc nhn cc hot ng giao dch ca mnh vi dch v ngn hng, thng mi in t, dao dch chng khon... Chng thc s s gip nh qun l m bo rng khch hng khng th chi ci cc giao dch ca mnh, khi h dng chng thc s. T t ra cc vn qun l (cp pht,xc thc) thu hi v cp pht li chng thc s. Trong kha lun ti s trnh by v cc vn chnh xoay quanh vn h tng kha cng khai (PKI). Phn u ca kha lun (chng 1) gii thiu vn v cch tip cn gii quyt vn s trnh by khi qut v mt vi khi nim c bn v mt m hc kha cng khai, h tng kha cng khai ; cc khi nim c bn v thut ton v l thuyt phc tp; mt vi cng c nn tng ca mt m hc kha cng khai (m ha thng tin, hm bm, ch k s). Chng 2 ca kha lun s lm r hn cc khi nim, cc vn c bn bn trong mt h tng kha cng khai (chng thc s, cc dch v ng k, cp pht, xc thc, thu hi, kha cng khai); ng dng ca h tng kha cng khai trong giao dch in t ngy nay ; v mt vi h thng h tng kha cng khai trong thc t. Chng 3 c t mt h tng kha cng khai n gin v Kt Lun.

DANH MC T VIT TT

PKI CA RSA DSA MD5 RA SHA SHS H RFC

Public Key Infrastructure Certificate Authority Rivest Shamir Adleman Digital Signature Algorithm Message Digest 5 Registration Authority Secure Hash Algorithm Secure Hash Standard Hash function Request For Comments

DANH MC HNH V V BNG

Hnh 1.1: Cp pht kha ring kha cng khai Hnh 1.2: M ha thng tin Hnh 1.3: To v xc thc ch k s Hnh 1.4 : M hnh xy dng PKI c bn Bng 1.5 : m hnh x dng xc thc Hnh 2.1 : c im ca cc thut ton bm SHA Bng 2.2 :So snh thi gian to kha, to ch k v xc nhn ch k ca RSA vi DSA Hnh 2.3 : Thi gian xc nhn ch k ca RSA v DSA Hnh 2.4 : Thi gian to ch k ca RSA v DSA Hnh 2.5 : Thi gian xc nhn ch k ca RSA v DSA Hnh 2.6 : M hnh phn cp Hnh 3.1 : Hm to cp kha ring v kha cng khai Hnh 3.2 : M phng to kha Hnh 3.3 : To ch k s Hnh 3.4 : Form nhp thng tin ca client Hnh 3.5 : Thng bo tr v khi kt qu gi thng tin thnh cng Hnh 3.6 : Xc thc kha cng khai v ch k s Hnh 3.7 : cp pht chng thc s Hnh 3.8 : Kim tra thng tin v cp pht chng thc s Hnh 3.9 : Xc thc chng thc s Hnh 3.10 : Form tm kim, sa, xa thng tin chng thc s Hnh 3.11 : Kim tra v thu hi chng thc s ht hn s dng

M u

Trong k nguyn ca cng ngh thng tin, tnh ph bin rng ri ca Internet mt mt em li nhiu ng dng tin li, th v v dn thay th cc hot ng truyn thng trong th gi thc; mt khc n t ra cc vn v s an ton, tnh tin cy ca nhng giao dch trn Internet. C s h tng kha cng khai (PKI) c th p ng, gii quyt nhng vn c bn nht cho nhng yu cu trn. Da trn cc dch v c bn v chng thc s v ch k s, mt PKI chnh l b khung ca cc chnh sch, dch v v phn mm m ha, p ng nhu cu bo mt ca ngi s dng. Khng ch nm trong lnh vc thng mi in t, chng thc s hin cn c s dng nh mt dng chng minh th c nhn. Ti cc nc cng ngh pht trin, chng thc s CA c tch hp vo cc chip nh nm trong th cn cc, th tn dng tng cng kh nng bo mt, chng gi mo, cho php ch th xc thc danh tnh ca mnh trn nhiu h thng khc nhau, chng hn nh xe bus, th rt tin ATM, kim sot hi quan, ra vo chung c .v.v. Vi cc c im ni bt nh khng th gi mo, chng thc ngun gc xut x, cc quc gia pht trin u s dng chng thc s nh mt bng chng php l t rt sm. y l yu t rt quan trng c th pht trin thng mi in t, v khng ai dm mo him vi tin ca mnh, khi h cha chc chn c rng cc hot ng c c m bo, v c c php lut cng nhn hay khng. Trong bn kha lun tt nghip ny, tc gi xin trnh by tng qut v c s h tng kha cng khai v ng dng ca n trong thng mi in t. Qua trnh by mt bn platform m phng hot ng ca mt h tng kha cng khai (PKI) c bn.

Chng 1 : Gii Thiu

1.1. Tm hiu Mt m hc kho cng khai
1.1.1. Mt m hc kho cng khai
Mt m hc kha cng khai (Phi i xng) l g

1.1.1.1.

- l mt chuyn ngnh ca mt m hc cho php ngi s dng trao i cc

thng tin mt m khng cn phi trao i cc kha chung b mt trc . iu ny c thc hin bng cch s dng mt cp kha c quan h ton hc vi nhau l kha cng khai v kha c nhn (hay kha b mt).
-

Trong mt m hc kha cng khai, kha c nhn phi c gi b mt trong khi kha cng khai c ph bin cng khai. Trong 2 kha, mt dng m ha v kha cn li dng gii m. iu quan trng i vi h thng l khng th tm ra kha b mt nu ch bit kha cng khai.[1] Mc ch ca h thng m ho cng khai :

1.1.1.2.
-

Cp pht kho ring v kho cng khai :

Hnh 1.1: Cp pht kha ring kha cng khai

Vic cp pht kho cng khai v kho b mt thng qua thut ton RSA (ph bin). Thut ton RSA to ra cp kho bng cc phng thc ton hc t 2 s nguyn t bt k ln.
2

M ho :

Hnh 1.2: M ha thng tin

Bob m ha thng tin gi cho Alice bng kha cng khai ca Alice. Alice nhn c tin nhn t Bob kim tra tin nhn v gii m bng kha b mt ca Alice.

To v xc thc ch k s :

Hnh 1.3: To v xc thc ch k s S = H(m)^d mod n (To ch k s) Cho php kim tra mt vn bn c phi c to vi mt kha b mt no hay khng. To ch k s bng kha b mt ca Alice. V k vo tin nhn Alive gi cho Bob Bob kim tra ch k s bng kha cng khai ca Alice: S^e mod n =H(m) vi H(m) l gi tr sau khi bm tin nhn Alice gi cho Bob. Ch k s ng n ng ngha vi vic cc thng tin Alice gi bob l ng n.

1.1.2. ng dng
ng dng r rng nht ca mt m ha kha cng khai l trong lnh vc bo mt, an ton thng tin: Mt vn bn c m ha bng kha cng khai ca mt ngi s dng th ch c th gii m vi kha b mt ca ngi .Cc thut ton to ch k s kha cng khai cho php nh danh mt tin nhn hay 1 ti liu . Mt ngi s dng c th m ha vn bn vi kha b mt ca mnh. Nu mt ngi khc c th gii m vi kha cng khai ca ngi gi th c th tin rng vn bn thc s xut pht t ngi gn vi kha cng khai (y l nguyn l sinh & xc thc ch k s, ngi gi s dng kha b mt ca mnh sinh ra 1 ch k s cho 1 tin nhn, ti liu. Bn nhn c th xc thc tnh ng n ca
4

ch k s nh vo kha cng khai ca ngi gi).Cc c im trn cn c ch cho nhiu ng dng khc nh: tin in t, tha thun kha... Cc vn v mc ch ca ti.

1.2. Thut ton v phc tp thut ton

1.2.1. Thut ton
Thut ton c hiu l s c t chnh xc ca mt dy cc bc c th c thc hin mt cch my mc gii quyt mt vn . Cn nhn mnh rng, mi thut ton c mt d liu vo (Input) v d liu ra (Output); khi thc hin thut ton (thc hin cc bc m t) , thut ton cn cho ra cc kiu d liu ra tng ng vi cc d liu vo.[2]

1.2.2.

Phn tch thut ton

1.2.2.1. Tnh hiu qu ca thut ton Khi gii mt vn , chng ta cn chn trong s cc thut ton, mt thut ton m chng ta cho l tt nht. C s nh chn la thut ton :

Thut ton n gin, d hiu, d ci t(d vit chng trnh)

Thut ton s dng tit kim nht cc ngun ti nguyn ca my tnh v c bit chy nhanh nht c th c. Tnh hiu qu ca thut ton bao gm 2 nhn t c bn :

Dung lng khng gian nh cn thit lu gi cc d liu vo, cc kt qu tnh ton trung gian v cc kt qu ca thut ton

Thi gian cn thit thc hin thut ton(hay thi gian chy) [3] nh gi thi gian thc hin thut ton
5

1.2.2.2.

Thi gian chy chng trnh ph thuc vo cc nhn t chnh sau: Cc d liu vo Chng trnh dch chuyn chng trnh ngun thnh m my.

Tc thc hin ca cc php ton ca my tnh c s dng chy chng trnh.

Gi s T(n) l thi gian thc hin thut ton v f(n) l hm xc nh dng.T(n)=O(f(n)) nu cc hng s dng c v n0 sao cho T(n) c.g(n) vi mi n>= n 0 .

1.3. H tng kha cng khai (PKI)

1.3.1. PKI l g
hiu r v vic xy dng c PKI v vn cp pht chng thc s c vai tr v ng dng nh th no trong thng mi in t. Chng ta s i phn tch tng kha cnh xung quanh PKI.
-

Trc tin chng hiu th no l PKI v tnh cp thit ca PKI hin nay : PKI : vit tt ca Public Key Infrastructure tc l h tng c s kha cng khai. L mt c ch cho mt bn th 3 (thng l nh cung cp chng thc s) cung cp v xc thc nh danh cc bn tham gia vo qu trnh trao i thng tin. C ch ny cng cho php gn cho mi ngi s dng trong h thng mt cp kha cng khai/kha b mt.

Trong k nguyn bng n ca cng ngh thng tin, mi giao dch t xa c th thng qua internet. Tuy nhin, mt khc kh m bo m rng nhng giao dch trn Internet lun an ton. C s h tng kha cng khai (PKI) p ng nhng yu cu cp thit . Da trn cch s dng ca cha kha mt m cng cng v ch k in t, mt PKI chnh l b khung ca cc chnh sch, dch v v phn mm m ha, p ng nhu cu bo mt ca ngi s dng.

1.3.2. C s h tng kha cng khai

Hnh 1.4 : M hnh xy dng PKI c bn

-

PKI cung cp mt cp cha kha, trong c mt cha l cha kha cng khai (Public key) c th s dng dch v, cha cn li l cha kha b mt (Private key) m ngi s dng phi gi b mt. Hai cha kha ny c lin quan mt thit n nhau, sao cho mt thng ip c m ha bi mt cha kha mt m cng khai th ch gii m c bi mt cha kha b mt tng ng. V d v m hnh x dng xc thc : Gi s c 2 ngi dng Bob v Alice mun chuyn th in t cho nhau m bo tnh xc thc v bo mt h dng 1 phn mm PKI

Hnh ng

Trng thi ca h thng PKI

Bob mun chuyn mt th in t n Phn mm PKI dng cha kha c nhn cho Alice, vi yu cu rng giao dch ca Bob to ra mt ch k in t cho phi chng minh c chnh anh gi bc th n i v ni dung bc th khng b thay i. Bob mun chc chn rng khng ai ngoi Phn mm PKI ca Bob dng cha kha
7

Alice c c bc th ny

cng cng ca Alice m ha thng ip ca Bob. Phn mm PKI dng cha kha c nhn ca Alice gii m thng ip.

Alice mun c th do Bob gi

Alice mun kim chng rng chnh Bob Phn mm PKI ca Alice dng cha kha gi i thng ip v ni dung cng cng ca Bob kim chng ch thng ip khng b chnh sa. k in t ca anh ta. Bng 1.5 : M hnh s dng xc thc

1.4. Mt vi kin trc v cng ngh PKI hin hnh

1.4.1. Mt s ng dng
Mc tiu chnh ca PKI l cung cp kha cng khai v xc nh mi lin h gia kha v nh dng ngi dng. Nh vy ngi dng c th s dng trong mt s ng dng nh: M ho Email hoc xc thc ngi gi Email (OpenPGP hay S/MIME). M ha hoc nhn thc vn bn (Cc tiu chun Ch k XML* hoc m ho XML* khi vn bn c th hin di dng XML). Xc thc ngi dng ng dng (ng nhp bng th thng minh smartcard, nhn thc ngi dng trong SSL). Cc giao thc truyn thng an ton dng k thut Bootstrapping (IKE, SSL): trao i kha bng kha bt i xng, cn m ha bng kha i xng.

1.4.2. Mt s h thng PKI

Di y l danh sch mt s h thng PKI, trong mt s nh cung cp chng thc s hng u (v d VeriSign) khng c lit k v cc phn mm ca h khng c cng b cng khai :
8

 H thng qun l chng thc Red Hat Computer Associate eTrust PKI

Microsoft OpenCA (Mt m hnh PKI m ngun m) RSA Security IDX-PKI Simple CA

1.5. Mc ch ca ti
-

Mt vi nm tr li y PKI l 1 ch nng i vi cc doanh nghip ln. Vit Nam y vn l mt ti kh mi m. Do vy tm hiu v xy dng h tng c s xc thc kha cng khai(PKI) l mt cch tip cn cho mt nn tng mi. T nu r vai tr v ng dng ca h tng kha cng khai trong thng mi in t. Tm hiu v cc thut ton(sinh s ngu nhin trong vic to kha, hm bm, m ha, to ch k s...)

1.6. t vn ?
xy dng mt c s h tng chng ta phi gii quyt s b nhng vn sau y :

Lm sao cp pht kha cng khai v kha b mt cho tng ngi. Vn ng k kha cng khai vi mt CA Vn thu hi/cp pht li kha cng khai Vn kim chng kha cng khai

Lm sao t kha cng khai ca 1 ngi h thng PKI phi xc nh xem ch k s c phi ca ngi hay khng. Vn ton vn d liu. H thng PKI phi xc nh xem liu tin nhn gi i gia client v server c b thay i hay khng? Mt thng ip c m ha bi mt cha kha mt m cng khai th ch gii m c bi mt cha kha b mt tng ng. Kha ca bn th 3 bn thm nh s do cp hay t chc no gim inh. Hay phi c c ch no chng gi mo bn chng thc. Cc Vn lin quan n chng thc s cp pht, xc thc v qun l ti server ra sao.

1.7. Cc vn s gii quyt trong kha lun

Vi nhng yu cu v mt h thng PKI nh trn chng ta phi xy dng bi ton nh th no.Chng trnh thit k phi bao gm 3 i tng : Server : Cho php ngi dng trong h thng ng k kha cng khai. Cp pht 1 chng thc s (certificat) cho ngi dng nu kha cng khai hp l Qun l kha cng khai, Thu hi/cp pht li chng thc s Cho php bn th 3 kim tra tnh ng n ca 1 chng thc s bt k

User : H thng PKI cp pht mt kha cng khai cho user v kha b mt (Kha ring) do PKI client cp pht v user phi gi b mt. To ch k s cho tng vn bn ngu nhin. Bn th 3 l bn thm nh v nh gi : Cp pht v bo mt Kha ring v kha cng khai ca CA.

10

Chng 2 : Xy dng h tng kha cng khai(PKI), vn cp pht chng thc s v ng dng trong thng mi in t

2.1. Hm bm mt m hc
2.1.1. Hm bm
Hm bm (ting Anh: hash function) l hm sinh ra cc gi tr bm tng ng vi mi khi d liu (c th l mt chui k t, mt on tin nhn...). Gi tr bm ng vai tr gn nh mt kha phn bit cc khi d liu, tuy nhin, ngi ta chp nhn hin tng trng kha hay cn gi l ng v c gng ci thin gii thut gim thiu s ng . Hm bm thng c dng trong bng bm nhm gim chi ph tnh ton khi tm mt khi d liu trong mt tp hp (nh vic so snh cc gi tr bm nhanh hn vic so snh nhng khi d liu c kch thc ln).

2.1.2. Hm bm mt m hc
-

Trong ngnh mt m hc, mt hm bm mt m hc (ting Anh: Cryptographic hash function) l mt hm bm vi mt s tnh cht bo mt nht nh ph hp vic s dng trong nhiu ng dng bo mt thng tin a dng, chng hn nh chng thc (authentication) v kim tra tnh nguyn vn ca thng ip (message integrity). Mt hm bm nhn u vo l mt xu k t di (hay thng ip) c di ty v to ra kt qu l mt xu k t c di c nh, i khi c gi l tm tt thng ip (message digest) hoc ch k s (digital fingerprint).[4]

2.1.3. m bo tnh ton vn d liu

-

Hm bm mt m hc l hm bam v c tnh cht l hm 1 chiu. T khi d liu hay gi tr bm u vo ch c th a ra 1 gi tr bm duy nht. Nh chng

11

ta bit i vi tnh cht ca hm 1 chiu. Mt ngi no d bt c gi tr bm h cng khng th suy ngc li gi tr, on tin nhn bm khi im.
-

Hm bm thng c dng trong bng bm nhm gim chi ph tnh ton khi tm mt khi d liu trong mt tp hp. Gi tr bm ng vai tr gn nh mt kha phn bit cc khi d liu Gi tr u vo(tin nhn, d liu...) b thay i tng ng gi tr bm cng b thay i. Do vy nu 1 k tn cng ph hoi, chnh sa d liu th server c th bit ngay lp tc.

2.1.4. Mt s hm bm thng dng

2.1.4.1. Thut ton hm bm MD5 a. Thut ton hm bm MD5 MD5 (Message-Digest algorithm 5) l mt hm bm mt m c s dng ph bin, c thit k bi Gio s Ronald L. Rivest ti trng MIT vo nm 1991 thay th cho hm bm trc l MD4 (1990). L mt chun Internet (RFC 1321), MD5 c dng trong nhiu ng dng bo mt v cng c dng ph bin kim tra tnh ton vn ca tp tin. Cng nh cc hm bm khc nh MD4 v SHS (Secure Hash Standard), MD5 l phng php c u im tc x l rt nhanh, thch hp vi cc thng ip di v cho ra gi tr bm di 128 bit. Trong MD5, thng ip ban u X s c m rng thnh dy bit X c di l bi ca 512. Dy bit X gm cc thnh phn c sp th t nh sau: Dy bit X ban u, mt bit 1, dy d bit 0 (d c tnh sao cho dy X cui cng l bi ca 512), dy 64 bit l biu din chiu di ca thng ip. n v x l trong MD5 l cc t 32-bit, nn dy bit X trn s c biu din thnh dy cc t X[i] 32-bit sau: X=X[0] X[1] X[2] X[N1] , vi N l bi ca 16.[5] b. Phng php MD5 c nhng u im sau so vi phng php MD4

- Thay v c 3 chu k bin i nh trong MD4, MD5 b sung thm chu k th

4 tng mc an ton.
12

- Trong mi thao tc ca tng chu k, MD5 s dng hng s ti phn bit, trong
khi MD4 s dng hng s chung cho mi thao tc trong cng chu k bin i.

- Hm G chu k 2 ca MD4: G(X,Y,Z) = ((X Z) (X Y) (Y Z ))

c thay th bng G(X,Y,Z) = (X Z) xng.

(Y ( Z )) gim tnh i

- Mi bc bin i trong tng chu k chu nh hng kt qu ca bc bin

i trc, v vy lm tng nhanh tc ca hiu ng lan truyn (avalanche).

- Cc h s dch chuyn xoay vng trong mi chu k c ti u ha nhm

tng tc hiu ng lan truyn. Ngoi ra, mi chu k s dng 4 h s dch chuyn khc nhau.

- L do MD5 c thit k thay th cho MD4 l v cc phn tch ch ra rng

phng php MD4 c v khng an ton. Den Boer v Bosselaers ch ra cc im yu trong MD4 trong mt bi bo c ng vo nm 1991v mt tn cng xung t u tin c tm thy bi Han Dobbertin vo nm 1996 .

- Tuy nhin, cc n lc tn cng, phn tch ca cc nh nghin cu cho thy

MD5 cng khng cn an ton v cn c thay th bng mt thut ton bm khc nh cc cng b ca Den Boer v Bosselaers nm 1993; ca Hans Dobbertin nm 1996; ca nhm tc gi Xiaoyun Wang, Dengguo Feng, Xuejia Lai, v Hongbo ngy 19/8/2004; ca Arjen Lenstra, Xiaoyun Wang, v Benne de Weger ngy 1/3/2005; v ca Vlastimil Klima, 2.1.4.2. Chun bm an ton SHS

- SHS (Secure Hash Standard) l chun gm tp hp cc thut ton bm mt

m an ton (Secure Hash Algorithm SHA) nh SHA-1, SHA-224, SHA256, SHA-384, SHA-512 do NIST 2 v NSA 3 xy dng.

- Phng php SHA-1 (cng nh SHA-0) c xy dng trn cng c s vi

phng php MD4 v MD5. Tuy nhin, phng php SHA-1 s dng trn h thng Big-endian 5 thay v Little-endian 6 nh phng php MD4 v MD5. Ngoi ra, hm bm SHA-1 to ra thng ip rt gn kt qu c di 160 bit nn thng c s dng
13

- Phng php SHA-1 ging vi MD5 (ci tin t MD4) nhng thng ip tm
tt c to ra c di 160 bit. Di y l mt s im so snh gia MD5 v SHA-1:

Ging nh MD5, SHA-1 cng thm chu k th 4 tng mc an ton cho thut ton. Tuy nhin, chu k 4 ca SHA-1 s dng li hm f ca chu k th 2. Trong SHA-1, 20 bc bin i trong cng mt chu k s dng cng mt hng s K[t] . Trong khi , mi bc bin i trong cng mt chu k ca MD5 s dng cc hng s khc nhau. So vi MD4, hm G trong MD5 c thay th thnh hm mi lm gim tnh i xng. Trong khi SHA-1, hm G trong SHA-1 vn gi li hm G ca MD4. C MD5 v SHA-1, mi bc bin i trong tng chu k chu nh hng kt qu ca bin i trc, v vy lm tng nhanh tc ca hiu ng lan truyn.

Hnh 2.1: c im ca cc thut ton bm SHA

2.2. M ha thng tin

14

C rt nhiu thng tin m chng ta khng mun ngi khc bit khi gi i nh: thng tin v Credit-Card, thng tin v kinh doanh ca cng ty, thng tin v ti khon c nhn, thng tin v c nhn nh s chng minh th, s th...
-

Cc thng tin b mt c cung cp cho cc my tnh quan mng Internet bng nhiu phng thc khc nhau v d : Mt cch bo mt n gin nhng minh bch nht l lu cc thng tin b mt trn cc b nh c th xo c (Removable Storage) nh a mm. Tuy nhin dng bo mt ph bin nht vn l da vo qu trnh m ho d liu (Encryption).

Cc h thng m ho trong my tnh ph bin nht thuc mt trong hai loi sau: M ho vi kho i xng (Symmetric-key Encryption) : Trong phng php m ho vi kho i xng, mi my tnh c mt kho b mt (dng m) dng m ho cc gi thng tin trc khi chng c gi qua mng ti cc my tnh khc. Phng php m ho vi kho i xng i hi ngi s dng phi xc nh c nhng my tnh no ang lin lc trao i thng tin vi nhau ci t kho ny trn mi my. M ho vi kho cng khai (Public-key Encryption).[6]

2.3. Ch k s
2.3.1.
-

Ch k s

Ch k s (Digital Signature) ch l tp con ca ch k in t. Ch k s l ch k in t da trn k thut m ha vi kha cng khai, trong , mi ngi c mt cp kha (mt kha b mt v mt kha cng khai). Kha b mt khng bao gi c cng b, trong khi , kha cng khai c t do s dng. trao i thng ip b mt, ngi gi s dng kha cng khai ca ngi nhn m ha thng ip gi, sau , ngi nhn s s dng kha b mt tng ng ca mnh gii m thng ip. Ch k in t l thng tin c m ho bng Kho ring ca ngi gi, c gi km theo vn bn nhm m bo cho ngi nhn nh danh, xc thc ng ngun gc v tnh ton vn ca ti liu nhn c. Ch k in t th hin vn bn gi i l c k bi chnh ngi s hu mt Kho ring tng ng vi mt Chng ch in t no .
15

Ch k s kha cng khai (hay h tng kha cng khai) l m hnh s dng cc k thut mt m gn vi mi ngi s dng mt cp kha cng khai - b mt v qua c th k cc vn bn in t cng nh trao i cc thng tin mt. Kha cng khai thng c phn phi thng qua chng thc kha cng khai. Qu trnh s dng ch k s bao gm 2 qu trnh: to ch k v kim tra ch k. [7]

2.3.2. To v kim tra ch k s

2.3.2.1. Cc thut ton ch k s thng dng Ch k s gip xc nh c ngi to ra hay chu trch nhim i vi mt thng ip c k. Mt phng php ch k s phi bao gm t nht 3 thut ton chnh, l thut ton dng to kha, thut ton dng to ra ch k s v thut ton tng ng xc nhn ch k s. 2.3.2.2. Thut ton ch k s RSA
-

Phng php ch k s RSA c xy dng da trn thut ton m ha kha cng khai RSA. to mt cp kha, RSA thc hin cc bc sau: Chn 2 s nguyn t ln ngu nhin p, q. Nhm c s an ton ti a nn chn p v q c di bng nhau. Tnh n=pq v =(p1)(q1). Chn ngu nhin mt s nguyn e (1<e<) sao cho gcd(e, )=1 vi gcd l c s chung ln nht. Tnh: d=e1 mod . - Kt qu l ta c c cp kha: kha cng khai (n,e) v kha b mt (n,d). Hai ngi s s dng chung mt hm bm an ton trc hin tng xung t. k mt thng ip m, ngi k thc hin cc bc sau:

Dng hm bm bm thng ip m: h=(m).

To ch k s s dng kha b mt (n,d) tnh: s=h d mod n. Ch k ca m l s v c gi km vi thng ip m n ngi nhn. xc nhn ch k, ngi nhn thc hin cc bc sau:
16

2.3.2.3.
-

S dng kha cng khai (n,e) ca ngi k gii m ch k: h=s e mod n. S dng cng hm bm vi ngi k bm thng ip m: h =H(m). Chp nhn ch k nu h=h. Ngc li t chi ch k. Thut ton ch k s DSA Thut ton ch k s DSA (Digital Signature Algorithm) c ngh bi NIST vo thng 8/1991 s dng trong chun ch k s DSS (Digital Signature Standard), c ch ra trong FIPS 186, c chp nhn nm 1993. Mt sa i nh c a ra ngy nm 1996 trong FIPS 186-1, chun c m rng hn nm 2000, c xem nh xem nh FIPS 186-2. Vic to kha gm hai bc. Bc th nht l la chn cc tham s cho thut ton c chia s gia cc ngi s dng khc nhau trong cng h thng:

Chn mt hm bm m ha . Trong DSS chun lun l SHA-1, nhng cc hm bm tt hn trong nhm SHA cng ang c s dng. i khi u ra ca mt thut ton bm mi hn b rt ngn kch thc so vi cc thut ton bm mi c tng tch vi cp kha hin c. Chn kch thc kha L. y l thc o chnh quyt nh sc mnh m ha ca kha. DSS chun rng buc L l bi s ca 64 v 512L1024. Sau , FIPS 186-2 xc nh L lun l 1024. Khng lu sau, NIST 800-57 ngh di kha l 2048 (hoc 3072) thi gian an ton n nm 2010 (hoc 2030), s dng tng ng vi cc gi tr bm v q di hn. Bn tho FIPS 186-3 cng tnh n cc hm bm sau ny v cc kha di hn. Chn mt s nguyn t q cng s bit vi u ra ca . Chn mt s nguyn t p di L bit sao cho p1 l bi ca q. Tc l p=qz1 vi s nguyn z no . Chn g = h ( p 1) / q mod p vi h bt k (1<h<p1), v chn li nu kt qu l 1. Hu ht cch chn h u nhn c g c th s dng, thng thng chn h=2.

17

- Cc tham s thut ton (p,q,g) c th chia s gia nhng ngi khc nhau trong h thng. Bc th hai tnh cc kha b mt v kha cng khai ca tng ngi : Chn x ngu nhin sao cho 0<x<q.

Tnh y=g x mod p. Phin bn FIPS 186-3 sp ti s dng SHA-224/256/384/512 l cc hm k mt thng ip m, ngi k thc hin cc bc sau:

Kha cng khai l (p,q,g,y), kha b mt l x. -

bm, kch thc ca q l 224 (hoc 256 bit), v L bng 2048 (hoc 3072).

Pht sinh mt s ngu nhiu k (0<k<q) cho mi thng ip.

Tnh r=(g k mod p) mod q. 1 Tnh s = k ((m) + xr)) mod q.

Tnh ton li ch k trong trng hp khng chc chn r=0 hoc s=0. Ch k l (r,s). xc nhn ch k, ngi nhn thc hin cc bc sau:

Loi b ch k nu 0<r<q hoc 0<s<q khng tha mn.

1 Tnh w=s mod q. Tnh u 1 =((m)w) mod q. Tnh u 2 =(rw) mod q. Tnh v=( (g u1 y u2 )mod p) mod q

Ch k c hiu lc nu v=r. Tnh ng n ca gii thut c chng minh nh sau: 1 u tin, nu g = h ( p 1) / q mod p suy ra gp=h p 1=1 (mod p) theo nh l Fermat nh. Bi v g>1 v q l s nguyn t nn g c bc q. 1 Ngi k tnh s = k ((m) + xr)) mod q. 1 1 Nh vy k=(m)s +xrs =(m)w+xrw (mod q). Bi v g c bc q nn ta c: g k =g H ( m ) w .g xrw =g H ( m ) w y rw =g u1 y u2 (mod p). Cui cng, tnh ng n ca DSA suy ra t: r= (g k mod p) mod q= (g u1 y u2 mod p) mod q=v.

18

Phng php DSA gii quyt vn ny bng cch s dng ch k 320 bit cho vn bn 160 bit vi cc php tnh c thc hin trn tp con c 2160 phn t vi p l s nguyn t 512 bit.
-

2.3.2.4.
-

Kt qu th nghim v nhn xt
So snh RSA v DSA

so snh tc ca hai thut ton ch k s RSA v DSA, Th nghim 2.2 di y c tin hnh v ghi nhn. Th nghim 2.2: DSS chun rng buc di kha L l bi s ca 64 v 512L1024 v an ton lu di di kha L c ngh l 2048 hoc 3072. Do di kha c th nghim cho c RSA v DSA l 576, 640, 704, 768, 832, 896, 960, 1024, 2048, 3072 (bit). ng vi mi di kha, ln lt cho c RSA v DSA pht sinh kha, k vn bn ngu nhin (kch thc 2 MB) v kim tra ch k to c. thun tin so snh, hm bm mt m SHA-1 c chn s dng cho c RSA v DSA. Th nghim c lp li 50.000 ln. Kt qu nhn c nh sau:

19

Kch To kha (giy) thc (bit) RSA DSA 512 0,0408 0,5676

To ch k (giy) DSA/ RSA RSA DSA RSA/ DSA

Xc nhn ch k (giy) RSA DSA RSA/ DSA

13,93 0,035 0,001 32,60 0,032 0,001 19,32 1 1 0 7 576 0,0568 0,8030 14,14 0,036 0,001 27,24 0,032 0,002 14,60 1 3 1 2 640 0,0757 1,2464 16,47 0,037 0,001 24,53 0,031 0,002 12,57 1 5 9 5 704 0,0994 1,7948 18,06 0,038 0,001 20,25 0,032 0,003 10,16 7 9 0 1 768 0,1278 2,3668 18,52 0,040 0,001 25,29 0,032 0,004 7,94 8 6 1 0 832 0,1609 3,0526 18,97 0,042 0,002 20,31 0,032 0,004 7,34 8 1 2 4 896 0,2026 4,2369 20,92 0,045 0,002 16,58 0,032 0,005 6,36 4 7 1 0 960 0,2446 5,4622 22,33 0,048 0,002 18,45 0,032 0,006 5,29 0 6 1 1 1024 0,2734 7,1210 26,05 0,051 0,003 14,86 0,031 0,006 4,69 5 5 8 8 2048 2,4876 103,112 41,45 0,174 0,012 14,16 0,032 0,024 1,35 4 9 4 5 0 3072 11,188 508,239 45,43 0,505 0,027 18,19 0,034 0,053 0,63 2 5 6 8 1 9 Bng 2.2 So snh thi gian to kha, to ch k v xc nhn ch k ca RSA vi DSA

20

Hnh 2.3 : Thi gian to kha ca RSA v DSA

Kt qu Th nghim 2.5 cho thy tc to kha ca RSA nhanh hn rt nhiu so vi DSA v khi kch thc kha tng ln th t l ny ngy cng gia tng. Hn na, khi tng kch thc L ca DSA v tng ng vi cc hm bm SHA c u ra ln hn th DSA s cn chm hn rt nhiu.

Hnh 2.4 : Thi gian to ch k ca RSA v DSA

Kt qu Th nghim 2.2 cho thy tc to ch k ca RSA chm hn DSA nhng t l ny c xu hng gim khi kch thc kha tng ln. Nguyn nhn l do khi s m kha cng khai e c nh th s m kha b mt d s tng khi kch thc n tng. Mt khc, php tnh chim thi gian nhiu nht ca quy trnh k chnh l php ly tha modulo
21

nn khi s m tng th thi gian thc hin cng s tng. Tuy nhin, kch thc kha c s dng ph bin hin nay l 1024 v 2048 nn thi gian k lc ny s khng cn l vn ng lo ngi do ton b quy trnh ch mt t hn 0,2 giy.

Hnh 2.5 : Thi gian xc nhn ch k ca RSA v DSA Th nghim trn mi trng Windows XP, b x l Pentium 4 3.00 GHz, b nh 512 MB.

Kt qu Th nghim 2.2 cng cho thy tc xc nhn ch k ca RSA khng thay i ng k khi kch thc kha tng do s m cng khai e c s dng lun l mt s nh (gi tr ph bin hin ny l 65537) v tc thc hin php ly tha modulo (php ton chnh trong quy trnh xc nhn ch k) s tng khng nhiu. Ngc li, tc xc nhn ch k ca DSA mc d thp hn RSA nhng s ngy cng tng khi kch kha tng ln. Nguyn nhn l do quy trnh xc nhn ch k ca DSA gm rt nhiu php tnh tn chi ph cao (php ly tha modulo v php nhn) nn khi kch thc kha tng dn th iu ny s tr thnh gnh nng. Mc khc, nu kch thc L c chn ln hn th tc xc nhn ch k s chm hn na. Vi cc th nghim trn ta d dng nhn thy RSA tt hn DSA v mi mt, c bit l tc pht sinh kha ca RSA nhanh hn DSA rt nhiu. Ngoi ra, tc k v xc nhn ch k du c chm hn DSA nhng thi gian ny l khng ng k.[8]
22

2.4. Chng thc s

-

Trong mt m hc, chng thc kha cng khai (cn gi l chng thc s / chng thc in t) l mt chng thc s dng ch k s gn mt kha cng khai vi mt thc th (c nhn, my ch hoc cng ty...). Mt chng thc kha cng khai tiu biu thng bao gm kha cng khai v cc thng tin (tn, a ch...) v thc th s hu kha . Chng thc in t c th c s dng kim tra mt kha cng khai no thuc v ai. CA pht hnh cc chng thc kha cng khai trong th hin rng CA chng nhn kha cng khai nm trong mi chng thc thuc v c nhn, t chc, my ch hay bt k thc th no ghi trong cng chng thc . Nhim v ca CA l kim tra tnh chnh xc ca thng tin lin quan ti thc th c cp chng thc. Khi ngi s dng tin tng vo mt CA v c th kim tra ch k s ca CA th h cng c th tin tng vo kha cng khai v thc th c ghi trong chng thc. [9] M hnh ny tng ng vi cu trc phn cp vi CA gc v cc CA cp di. CA gc xc nhn cc CA cp di, cc CA ny li xc nhn cc CA cp thp hn. Cc CA cp di khng cn xc nhn cc CA cp trn.

2.5. Cu trc phn tng ca h thng PKI

-

Hnh 2.6 : M hnh phn cp M hnh phn cp c minh ho nh hnh trn.Trong m hnh ny, mi thc th s gi bn sao kho cng khai ca root CA v kim tra ng dn ca chng th bt
23

u t ch k ca CA gc. y l m hnh PKI tin cy sm nht v c s dng trong PEM.

* u im ca m hnh: - M hnh ny c th dng c trc tip cho nhng doanh nghip phn cp v c

lp, cng nh nhng t chc chnh ph v qun i. - Cho php thc thi chnh sch v chun thng qua h tng c s. - D vn hnh gia cc t chc khc nhau.
* Nhc im:

C th khng thch hp i vi mi trng m mi min khc nhau cn c chnh sch v gii php PKI khc nhau. Cc t chc c th khng t nguyn tin vo cc t chc khc. C th khng thch hp cho nhng mi quan h ngang hng gia chnh phv doanh nghip. Nhng t chc thit lp CA trc c th khng mun tr thnh mt phn ca m hnh. C th gy ra s tri hn ca sn phm i vi vn v kh nng tng tc. Ch c mt CA gc nn c th gy ra mt s vn nh thiu kh nng hot ng. Thm vo , trong trng hp kho c nhn ca CA b xm phm, kho cng khai mi ca CA gc phi c phn phi n tt c cc ngi s dng cui trong h thng theo mt s c ch khc nhau.

Mc d c nhng nhc im, song m hnh ny vn thch hp vi yu cu ca cc t chc chnh ph v cu trc phn cp t nhin sn c.

2.6. Cp pht v xc thc chng thc s

2.6.1. Cp pht chng thc s
2.6.1.1. Sinh cp kha ngu nhin (PKI client) Ti Client h thng PKI s cp pht cp kha ring v kha cng khai H thng PKI(c th PKI client) s s dng 1 thut ton bt k hp l c chn la sinh cp kha ngu nhin.

24

Chng hn y l thut ta RSA. Cp kha ngu nhin c sinh ra t 2 s nguyn t ngu nhin lp ln. Cp kha ngu nhin y l : Kha cng khai : (n,e) Kha b mt : (n,d)

2.6.1.2. To ch k s Sau khi to cp kha ngu nhin , h thng PKI client s to ra ch k s tng ng vi cp kha ngu nhin ca tng client v k theo tng vn bn ngu nhin. 2.6.1.3. Cp pht chng thc s Sau khi PKI client to cp kha ring v kha cng khai ng thi to ch k s cho client tng ng. Thng tin bo mt s c gi n server. -

Ti server, server s xc thc nhng thng tin m client gi n c chnh xc v ng n.Nu thng tin xc thc l ng n(kha cng khai, ch k s, gi tr bm ca vn bn, tin nhn) server s cp pht cho client 1 chng thc s bao gm cc thng tin sau : tn, tui, a ch.. cc thng tin c nhn khc, kha cng khai, ngy to, ngy ht hn, v ID ca chng thc s. ID ca chng thc s c tnh duy nht vi mi client. 2.6.1.4. Thu hi v cp pht li chng thc s

- Mt chng thc s b thu hi khi no :

Khi m chng thc s ht hn s dng, chng thc s b thu hi ra hn hoc cp mt chng thc s mi

Khi client pht hin kha b mt ca ngi ny b l hoc server pht hin thy hm bm mt m ca mnh b l hoc cc thng tin bo mt khc ca 1 client b r r

- Cp pht li chng thc s :

Client s gi yu cu n server yu cu v 1 bn thng tin(a ch, kha cng khai,kha ring) ca client ng k mt bn chng thc s mi.

2.6.2. Xc thc chng thc s

25

Khi bn gi mt thng tin km chng ch s, ngi nhn - c th l i tc

kinh doanh, t chc hoc c quan chnh quyn - s xc nh r c danh tnh ca bn. C ngha l d khng nhn thy bn, nhng qua h thng chng ch s m bn v ngi nhn cng s dng, ngi nhn s bit chc chn l bn ch khng phi l mt ngi khc. Xc thc l mt tnh nng rt quan trng trong vic thc hin cc giao dch in t qua mng, cng nh cc th tc hnh chnh vi c quan php quyn. Cc hot ng ny cn phi xc minh r ngi gi thng tin s dng t cch php nhn. y chnh l nn tng ca mt Chnh ph in t, mi trng cho php cng dn c th giao tip, thc hin cc cng vic hnh chnh vi c quan nh nc hon ton qua mng. C th ni, chng ch s l mt phn khng th thiu, l phn ct li ca Chnh ph in t. Mt ngi th 3 bt k(C th l 1 client khc, khch cha ng k chng thc s) u c th kim tra c tnh ng n ca 1 chng thc s. Bng cch PKI client s cung cp 1 dch v xc thc. Ngi dng c th nhp vo ID ca 1 chng thc s bt k cn kim tra v gi thng tin ln server. Nu chng thc s tn ti server s tr li thng bo cho client va kim tra.

2.7. ng dng ca h tng kha cng khai v cp pht chng thc

2.7.1. M ha
Li ch u tin ca chng ch s l tnh bo mt thng tin. Khi ngi gi m ha thng tin bng kha cng khai ca bn, chc chn ch c bn mi gii m dc thng tin c. Trong qa trnh truyn thng tin qua Internet, d c c c cc gi tin m ha ny, k xu cng khng th bit c trong gi tin c thng tin g. y l mt tnh nng rt quan trng, gip ngi s dng hon ton tin cy v kh nng bo mt thng tin. Nhng trao i thng tin cn bo mt cao, chng hn giao dch lin ngn hng, ngn hng in t, thanh ton bng th tn dng, u cn phi c chng ch s m bo an ton.
-

2.7.2. Chng gi mo
-

Khi bn gi i mt thng tin, c th l mt d liu hoc mt Email, c s dng chng ch s, ngi nhn s kim tra c thng tin ca bn c b thay i hay khng. Bt k mt s sa i hay thay th ni dung ca thng ip gc u s b
26

pht hin. a ch mail, tn domain... u c th b k xu lm gi nh la ngi nhn ly lan virus, n cp thng tin quan trng. Tuy nhin , chng ch s th khng th lm gi, nn vic trao i thng tin c km chng ch s lun m bo an ton.

2.7.3. Xc thc - Khi s dng mt chng ch s, ngi nhn c th l i tc kinh doanh, t chc
hoc c quan chnh quyn- s xc nh r c danh tnh ca bn. C ngha l d khng nhn thy bn, nhng qua h thng chng ch s m bn v ngi nhn cng s dng, ngi nhn s bit chc chn l bn ch khng phi ai khc. Xc thc l mt tnh nng rt quan trng trong vic giao dch in t qua mng, cng nh cc th tc hnh chnh vi c quan vi c quan php quyn. Cc hot ng ny cn phi xc minh r ngi gi thng tin s dng t cch php nhn. y chnh l nn tng ca mt chnh ph in t, mi trng cho php cng dn c th giao tip. C th ni, chng ch s l mt phn khng th thiu, l phn ct li ca chnh ph in t.

2.7.4.

Chng chi b ngun gc

- Khi s dng mt chng ch s, bn phi chu trch nhim hon ton v nhng
thng tin m chng ch s i km. Trong trng hp ngi gi chi ci, ph nhn mt thng tin no khng phi do mnh gi(chng hn qua mng) chng ch s m ngi nhn c c s l bng chng khng nh ngi gi l tc gi ca thng tin . Trong trng hp chi b, CA cung cp chng ch s cho hai bn s chu trch nhim xc minh ngun gc thng tin, chng t ngun gc thng tin c gi.

2.7.5. Ch k in t
-

Email ng vai tr kh quan trng trong trao i thng tin hng ngy ca chng ta v u im nhanh, r v d s dng. Nhng thng ip c th gi i nhanh chng qua internet n khch hng ng nghip, nh cung cp v i tc. Tuy nhin, email rt d b c bi cc Hacker. Nhng thng ip c th b c hay b gi mo trc khi n ngi nhn.

27

Bng vic s dng chng ch c nhn, bn s ngn nga c cc nguy c ny m vn khng lm gim nhng li th ca Email. Vi chng ch s c nhn, bn c th to thm mt ch k in t vo email nh mt bng chng xc nhn ca mnh. Ch k in t cng c tnh nng xc thc thng tin, ton vn d liu v chng chi b ngun gc. Ngoi ra, chng ch s c nhn cn cho php ngi dng c th chng thc mnh vi mt web server thng qua giao thc bo mt SSL. Phng php chng thc da trn chng ch s c nh gi l tt, an ton bo mt hn phng php chng thc truyn thng da trn mt khu.

2.7.6. Bo mt website
-

Khi website ca bn s dng cho mc ch thng mi in t hay cho nhng mc ch quan trng khc, nhng thng tin trao i gia bn v khch hng c th b l. trnh nguy c ny, bn c th dng chng ch s SSL server bo mt cho Website ca mnh. Chng ch s SSL server s cho php bn lp cu hnh website ca mnh theo giao thc bo mt SSL(Secure Sockets Layer). Cc tnh nng ni bt: Thc hin mua bn bng th tn dng. Bo v nhng thng tin c nhn nhy cm xa khch hng m bo hacker khng th d tm c mt khu.

2.7.7. m bo phn mm
-

Chng ch s nh pht trin phn mm s cho php bn k vo cc applet, script, Java software, ActiveX control, cc file nh dng EXE, CAB, DLL... Nh vy, thng qua chng ch s bn s m bo tnh hp php cng nh ngun gc xut x ca sn phm. Hn na ngi dng c th xc thc c bn l nh cung cp, pht hin c s thay i ca chng trnh(virus, crack, bn lu...).

2.8. OpenCA h thng h tng kha cng khai trong thc t

2.8.1. nh ngha :

28

OpenCA l mt h thng m ngun m, c xy dng v pht trin bi rt nhiu nh lp trnh trn th gii. OpenCA c xy dng vi mc ch to ra mt h thng cng c nhm h tr cho cc d n v bo mt.OpenCA h tr t mc thp nh m ho d liu,to ch k s cho n cc h thng an ton d liu cao cp. M ngun ca OpenCA c cung cp rng ri trn www.openca.org.T nhng c im nh trn c th thy OpenCA chnh l mt cng c rt hiu qu xy dng nhng ng dng theo m hnh h tng kho cng khai PKI. OpenCA h tr xy dng tt c cc th tc li cho mt ng dng PKI t vic sinh kho m ho gii m d liu cho ti cc th tc cp pht,thu hi chng th,to ch k sVi tt c nhng ci ,ta c th xy dng mt ng dng theo m hnh PKI c s, phn m rng cn li s c xy dng tip theo nh hng ca nh pht trin. Cc thnh phn chnh ca OpenCA bao gm 3 thnh phn l h thng th vin OpenSSL, c s d liu v giao din web. Trong giao din web c xy dng bng ngn ng Perl. Th vin OpenSSL thc hin cc tin trnh v m ho. [10]

2.8.2.

nh gi v h OpenCA
2.8.2.1. u im ca h thng
-

OpenCA c thit k v xy dng theo nguyn l ca m hnh PKI v n m bo y nhng chc nng c s ca mt h PKI cn phi c: Cp pht, gia hn, thu hi chng th s, m bo tnh xc thc, an ton tin cy. Vi cc kch bn th nghim trong thi gian di h thng hot ng kh n nh v khng xy ra nhng li nghim trng dn n t chi dch v. H m ngun m OpenCA hon ton tng thch vi mi trng Linux v khng h gy xung t vi cc h thng khc cng ci t trn mt h iu hnh.

H thng OpenCA s dng rt nhiu chun cng nghip( nh cc chun v chng th s X509). V vy n c chp nhn v s dng rt rng ri trong thc t. 2.8.2.2. Nhng im cn hn ch ca h thng
-

Li khng xc nh khi RA k ln cc yu cu gi ln cho CA.

29

Khng lm vic c vi cc thit b s dng chun USB 2.0 Kh khn trong vic ci t v thay i.[11]

Chng 3: c t mt Platform PKI

3.1. Ngn ng lp trnh - Ngn ng lp trnh c chn la v s dng y l java v cng c kt ni c s

d liu l Mysql.

- Thut ton s dng to cp kha, ch k s v xc thc ch k s l RSA. Hm bm

m ha s dng : SHA-1.

3.2. Th vin s nguyn ln

-

Th vin s nguyn ln mang tt c c im ca s nguyn nguyn thy trong java v tt c cc phng thc c trong java.lang.Math. Thm vo th vin s nguyn ln cn cung cp cc phng thc nh: tnh modular ton hc(tnh ton s d trong php chia), tnh GCD(c s trung ln nht ca 2 s), to s nguyn t ngu nhin, thao tc bit, v mt vi phng thc khc.

3.3. Mt Platform PKI phi cung cp y cc chc nng sau:

Cp pht. Xc thc. Ton vn d liu. Thu hi v cp pht li chng thc s.

3.3.1. Cp pht
Cp pht chng thc s: Chng thc s bao gm cc thng tin : tn, tui, a ch, ngy thng cp pht chng thc s, kha cng khai, v ID ca chng thc s.Vic cp pht chng thc s hon tt sau khi Client gi thng tin ng k nn server.
30

Server s kim tra cc thng tin client gi ln. Bng vic thm tra ch k s, v kha cng khai. Nu ch k s ng n tng ng vic kha cng khai l ng n . Thng tin client gi mu ln ng k server gm nhng thng tin sau:

Kha cng khai(Kha b mt ch mnh client bit) Cp kha b mt(n,d) cp kha cng khai(n,e) Hm to 2 s nguyn t trong th vin BigInteger :
public BigInteger(int bitLength, int certainty,Random rnd) bitLength : di bit ca kha(s random [1,2 bitLength -1]) certainty : xc xut 1 s BigInteger khng phi l s nguyn t 1/2
certa int y

Hnh 3.1 : Hm to cp kha ring v kha cng khai n=p.q

31

 To

(n,e): Theo thut ( n) = ( p 1)( q 1) , gcd(e, ) )=1 (n

kha

ring

ton

RSA

ta

1 (n To kha cng khai (n,d): d = e mod ) . Trong th vin s

(n nguyn ln : d= e.modInverse( ) ).

32

Hnh 3.2 : M phng to kha

33

To ch k s : S = H(m)^d mod n. Tin nhn nhp vo c bm theo hm bm mc nh cho trc

Hnh 3.3 : To ch k s

34

 Form nhp thng tin ng k :

Hnh 3.4 : Form nhp thng tin ca client

35

 Cc thng tin m client nhp s c gi ln server. Ti client:

36

37

 Ti server:

38

Hnh 3.5 : Thng bo tr v khi kt qu gi thng tin thnh cng

Ti server nhn thng tin gi t client. Nu vic thm tra ch k s thnh cng. Vic ng k chng thc s hon tt(Ti server s thng bo Successful). Nu vic thm tra tht bi tng ng vi vic ch k s v kha cng khai gi ln khng ng n hay tng thch(Server s bo Failed). Ngoi ra vic tn ti user vi a ch thng bo v kha cng khai tn ti trong chng thc s(Server s nhn bit c, server s khng cp pht 1 chng thc s khc. M ch a ra thng bo cho user )

S e mod n = H(m)

Hnh 3.6 : Xc thc kha cng khai v ch k s

39

Hnh 3.7 : cp pht chng thc s

40

Hnh 3.8 : Kim tra thng tin v cp pht chng thc s

41

Vic kim tra ti server hon tt, 1 bn chng thc s c to ra v lu ti server

3.3.2. Chng thc

- Bn cnh vic cp pht 1 PKI c bn cn c vai tr xc thc 1 chng thc s.

Hnh 3.9 : Xc thc chng thc s

42

Mt client khc hoc mt ngi th 3 c th gi ID chng thc s ca mt client bit c client c tn ti hay khng. Bng cch kch vo Menu CheckUser. Thng tin server tr v c th l Ok(nu tn ti client), failed user was expired(nu client ht hn), failed(nu khng tn ti user .

3.3.3. Ton vn d liu

-

Client gi tin nhn n server ng k chng thc s. Nu tin nhn b thay i ng ngha vi vic gia tr bm(H(m)) cng b thay i. Do vy trong trng hp thm tra ch k s l ng n tng ng vi gi tr bm H(m) ng v tin nhn gi i v tin nhn nhn c ti server l trng nhau. Nh vy thng tin m client gi ln server hon ton khng b thay i.Ngoi cc chc nng trn Platform PKI cn bao gm cc chc nng nh: Kim tra nhng client ht hn s dng chc thc s, tm kim,xa, sa 1 chng thc s.

43

Hnh 3.10 : Form tm kim, sa, xa thng tin chng thc s

3.3.4.

Thu hi v cp pht li chng thc s

3.3.4.1. Thu hi - Mi bn chng thc s s c gn thi gian bt u cp pht. Server s kim tra v so snh khong thi gian cp pht chng thc s n thi gian hin ti. Nu thi gian ht hn chng thc s s b thu hi v c lu li vo bng c s d liu cha Chng thc s ht quyn hn s dng

44

45

Hnh 3.11 : Kim tra v thu hi chng thc s ht hn s dng

46

3.3.4.2. Cp pht li Server nhn thy 1 chng thc s b l, hoc client cm nhn thy kha b mt ca mnh v cc thng tin quan trng khc b r r. Client s gi thng bo n server v yu cu ng k 1 bn chng thc s khc. V pha server, Khi pht hin thy 1 chng thc s b l hoc r r thng tin s gi yu cu n client yu cu client ng k 1 bn chng thc s khc.

47

KT LUN
ti H tng kha cng khai (PKI), vn cp pht chng thc s v ng dng trong thng mi in t l mt ti kh v rng. Trong thi gian nghin cu, tm hiu, xy dng ng dng n hon thnh c cc nhim v c t ra, c th l:
-

V mt l thuyt : Kha lun trnh by nhng khi nim, c im c bn ca mt h thng PKI. ng dng ca h tng kha cng khai trong thng mi in t. T tng ca thut ton cp pht kha, sinh v kim tra ch k s(RSA,DSA,...) v u nhc im ca tng thut ton, nh ngha v hm bm(hm bm MD5,SHA-1). Cp pht v xc thc chng thc s.
-

V m phng v kt qu th nghim : hon thnh vic m phng hot ng c bn ca mt h thng PKI.

Mc d ht sc c gng nhng trnh chuyn mn v thi gian thc hin kha lun cn hn hp, cng nh mc phc tp ca ti, nn kt qu t c cn gp phi mt s khim khuyt.

Hng pht trin ti: Tip tc hon thin cc chc nng, nhm tng hiu qu v an ton. Ci thin vic gi d liu t client v x l ti server thi gian hot ng ca c h thng l nhanh nht v hiu qu ca h thng l tt nht c th.

48

CC TI LIU THAM KHO

[1] William Stallings. Cryptography and Network Security : Principles and Practice, Fourth Edition. Prentice Hall, 2005. TS.Nguyn i Th B mn Mng & Truyn thng My tnh Khoa Cng ngh Thng tin Slide bi ging AN TON MNG - (Chng 3 trang 96). http://vi.wikipedia.org/wiki/M%E1%BA%ADt_m%C3%A3_h%C3%B3a_kh %C3%B3a_c%C3%B4ng_khai [2], [3] inh Mnh Tng Gio trnh Cu trc d liu v gii thut (Chng 1 trang 12-16).
[4] TS.Nguyn i Th B mn Mng & Truyn thng My tnh Khoa Cng ngh

Thng tin. Slide bi ging AN TON MNG - (Chng 4 trang 116). http://vi.wikipedia.org/wiki/H%C3%A0m_b%C4%83m_m%E1%BA%ADt_m %C3%A3_h%E1%BB%8Dc [5],[8] ng Bnh Phng Lun vn cao hc i hc khoa hc t nhin TP.H Ch Minh - Nghin cu kin trc v xy dng h thng chng thc tp trung.(trang 8-11) [6] http://ptic.com.vn/chuyende_chitiet.asp?stuff_id=7 [7] Chng thc in t&Ch k in t(H NI IT Week 2004) VASC CA [9] Carlisle Adams, Steve Lloyd
49

Understanding PKI: Concepts, Standards, and Deployment Considerations, Second Edition November 06, 2002 (Chng 6 Certificates and Certification). [10],[11] N TT NGHIP Trn Hon V h K S Cht Lng Cao K49 b mn Truyn Thng v Mng My Tnh, khoa Cng Ngh Thng Tin trng i Hc Bch Khoa H Ni. http://www.openca.org

50