GRADUATION THESIS
RESEARCH ON SECURITY ISSUES IN BUILDING
ECOMMERCE APPLICATIONS (ONLINE PAYMENT)
Supervisor: V Th Thanh Vn
Student: Nguyn Cnh Chn
Class: DHTH3LT
Faculty: Information Technology
Supervisor: V Th Thanh Vn
PREFACE
With the growth of the Internet, the buying and selling of goods and services over the Internet appeared; this is electronic commerce (e-commerce).
Although it has only recently appeared and still accounts for a small share of commerce, e-commerce brings great benefits to businesses, governments, consumers and society. E-commerce reaches beyond the field of commerce, increasingly affects other fields, and promises to bring great and profound changes to every aspect of human social life. E-commerce is attracting ever more attention from governments, businesses and consumers, and is becoming an effective tool in the process of globalization and in building the digital economy. It is hard to imagine the society of the future without e-commerce.
At the same time, e-commerce raises many problems that must be solved in order to exploit its benefits, such as safety and security for transactions on the network, confidentiality and privacy, infrastructure, human resources, the transformation of business models, management, and changes in business customs and habits... Among these, safety and security for transactions on the network and the protection of privacy, collectively called the security problems of e-commerce, are vital to the development of e-commerce.
The thesis "Research on security issues in building e-commerce applications and online payment" will help to understand security issues more clearly and to learn how to build a secure e-commerce application that protects the interests of both the business and its customers.
GVHD: V Th Thanh Vn
ACKNOWLEDGEMENTS
After more than four months of studying and carrying out the graduation thesis "Research on security issues in building ecommerce applications (online payment)", the thesis has now been essentially completed. Besides my own efforts, I received help, support and encouragement from my family, teachers and friends.
I sincerely thank the teachers of the Faculty of Information Technology of the Ho Chi Minh City University of Industry for their dedicated teaching and for passing on valuable knowledge to us over the past years. In particular, I would like to express my deep gratitude to my supervisor, who wholeheartedly helped me complete this thesis.
The thesis has been completed with certain results, but shortcomings are inevitable. I look forward to the understanding and contributions of the teachers.
GVHD: V Th Thanh Vn
COMMENTS
(from the supervisor)
GVHD: V Th Thanh Vn
COMMENTS
(from the reviewing lecturer)
GVHD: V Th Thanh Vn
TABLE OF CONTENTS
PREFACE ........ 3
ACKNOWLEDGEMENTS ........ 4
COMMENTS ........ 5
COMMENTS ........ 6
TABLE OF CONTENTS ........ 7
LIST OF TABLES AND FIGURES ........ 10
LIST OF ABBREVIATIONS ........ 12
CHAPTER 1. INTRODUCTION ........ 14
3.1.
System requirements ........ 84
IMPLEMENTATION ........ 95
5.1.
5.2.
Remarks and evaluation ........ 110
Directions for future development ........ 111
APPENDIX ........ 112
FIGURE 3.27 USE CASE MODEL, CUSTOMER SECTION ........ 87
FIGURE 3.28 USE CASE MODEL, ADMINISTRATION SECTION ........ 88
FIGURE 3.29 ACTIVITY MODEL OF THE NEW MEMBER REGISTRATION PROCESS ........ 89
FIGURE 3.30 ACTIVITY MODEL OF THE LOGIN PROCESS ........ 90
FIGURE 3.31 ACTIVITY MODEL OF THE PROCESS OF ADDING A PRODUCT TO THE CART ........ 91
FIGURE 3.32 ACTIVITY MODEL OF THE PURCHASE PROCESS ........ 92
FIGURE 3.33 CLASS MODEL OF THE BUSINESS LAYER ........ 93
FIGURE 3.34 CLASS MODEL OF PAYMENT PROCESSING ........ 94
FIGURE 4.35 SECURING INFORMATION IN THE URL ........ 95
FIGURE 4.36 DATABASE CONNECTION INFORMATION IN WEB.CONFIG, NOT ENCRYPTED ........ 95
FIGURE 4.37 DATABASE CONNECTION INFORMATION IN WEB.CONFIG, ENCRYPTED ........ 95
FIGURE 4.38 ENCRYPTING IMPORTANT SETTINGS IN THE DATABASE ........ 96
FIGURE 4.39 HOME PAGE SCREEN ........ 103
FIGURE 4.40 CUSTOMER REGISTRATION PAGE SCREEN ........ 103
FIGURE 4.41 PRODUCT GROUP PAGE SCREEN ........ 104
FIGURE 4.42 CART UPDATE PAGE SCREEN ........ 104
FIGURE 4.43 SHIPPING INFORMATION PAGE SCREEN ........ 105
FIGURE 4.44 INVOICE INFORMATION PAGE SCREEN ........ 105
FIGURE 4.45 CREDIT CARD INFORMATION PAGE SCREEN ........ 106
FIGURE 4.46 PURCHASE CONFIRMATION SCREEN ........ 106
FIGURE 4.47 PRODUCT MANAGEMENT PAGE SCREEN ........ 107
FIGURE 4.48 PRODUCT GROUP MANAGEMENT PAGE SCREEN ........ 107
FIGURE 4.49 INVOICE MANAGEMENT PAGE SCREEN ........ 108
FIGURE 4.50 STAFF MANAGEMENT PAGE SCREEN ........ 108
FIGURE 4.51 STAFF GROUP MANAGEMENT PAGE SCREEN ........ 108
FIGURE 4.52 SYSTEM CONFIGURATION PAGE SCREEN ........ 109
LIST OF ABBREVIATIONS
B2B: Business To Business
B2C: Business to Customers
B2G: Business to Government
C2C: Customers to Customers
G2C: Customers to Government
SSL: Secure Socket Layer
ID: Identification
PIN
BIN
IETF
TLS
HTTP
IMAP
FTP
MIT
DES: Data Encryption Standard
DSA
KEA
MD5: Message-Digest algorithm 5
SHA-1: Secure Hash Algorithm 1
NIST: National Institute of Standards and Technology
PGP: Pretty Good Privacy
GPG: GNU Privacy Guard
FIPS: Federal Information Processing Standard
NSA: National Security Agency
AES: Advanced Encryption Standard
PKI
CA: Certificate Authority
URL
IP: Internet Protocol
ITU
SET
LAN
CGI
CSC
CVV
CVC
AVS
CSDL: Database (Vietnamese: cơ sở dữ liệu)
TMĐT: E-commerce (Vietnamese: thương mại điện tử)
CHAPTER 1. INTRODUCTION
1.1. E-commerce and electronic payment
1.1.1. E-commerce
... for example information services, legal and financial services); traditional activities (such as health care, education) and new activities (for example virtual supermarkets).
In short, in the broad sense e-commerce can be understood as financial and commercial transactions carried out by electronic means such as electronic data interchange, electronic funds transfer, and deposits and withdrawals by credit card.
E-commerce in the narrow sense comprises commercial activities carried out over the Internet. Organizations such as the World Trade Organization (WTO) and the Organisation for Economic Co-operation and Development have given definitions of e-commerce along these lines. E-commerce as referred to here is the form of buying and selling goods displayed on Web pages on the Internet with payment by credit card. It can be said that e-commerce is becoming a revolution that changes the way people shop.
According to the World Trade Organization: E-commerce includes the production, advertising, sale and distribution of products that are bought, sold and paid for over the Internet but delivered physically, as well as products delivered as digitized information over the Internet.
The definition of e-commerce given by the United Nations' Organisation for Economic Co-operation and Development is: E-commerce is preliminarily defined as commercial transactions based on data transmission over communication networks such as the Internet.
From the above definitions, we can see that in the narrow sense e-commerce includes only commercial activities carried out over the Internet, without counting other electronic means such as telephone, fax, telex...
Studying the above concepts of e-commerce, in the broad sense commercial activity carried out through telecommunication means has existed for decades and reaches a turnover of billions of US dollars every day. In the narrow sense, e-commerce has existed for only a few years but has already achieved very notable results; in this sense e-commerce comprises only the commercial activities conducted on open computer networks such as the Internet. In fact, it was commercial activity over the Internet that gave rise to the term e-commerce.
1.1.1.2. Characteristics of e-commerce
To build a unified legal framework for e-commerce, we need to study and identify the characteristics of e-commerce. Compared with traditional commercial activities, e-commerce has the following basic differences:
1.
2.
3.
4.
6.
7.
8.
9.
10.
1.1.1.5. Basic steps of an online purchase transaction
16.
... and at the same time forwards the encrypted payment information (credit card number, expiry date, cardholder...) to the server (the data processing equipment) of the card processing service center on the Internet. Through this encryption process the customer's payment information is kept secure in order to prevent fraud in transactions (for example, the merchant will not be able to learn the customer's credit card details).
19.
... payment information, decrypts the information and processes the transaction behind a firewall (FireWall) and separated from the Internet (off the Internet), in order to provide absolute security for commercial transactions; it then reformats the transaction and forwards the payment information to the merchant's bank (the Acquirer) over a dedicated leased line (a separate data line).
20.
21.
... immediately forwards that response information to the merchant, and based on it the merchant notifies the customer clearly whether the order will be fulfilled or not.
22.
1.1.2.1. Credit cards
Credit cards have been processed electronically for decades. They were first used in restaurants and hotels, then in department stores, and their use has been introduced in television advertising for 20 years. A large industry exists in the field of processing online credit card transactions, with companies such as First Data Corp., Total System Corp. and National Data Corp. handling the details of the transactions behind the relationship between the bank, the merchant and the credit card user. Millions of department stores across the United States are equipped with terminals (Hewlett-Packard Verifone is the leading manufacturer of this equipment) through which the credit card is checked, the card number is entered and a receipt is printed. The user signs this receipt to authenticate the purchase.
Before receiving a buyer's credit card number over the Internet you need a merchant certificate. If you are already running a business, simply ask your bank to provide this certificate. If you do not have anything yet, you can do this quickly at any bank or by visiting a WEB site that has online registration forms.
Using credit cards online today, however, is like using them with an "operator standing by". The card number and the transaction details are recorded and processed, but the buyer is not present, and when a card is lost and a payment is fraudulent, it is still recorded on the system. For this reason the cost of processing credit cards online is as high as the cost of processing a transaction, rather than a flat fee like a telephone call, and is usually around 50 cents. (Transactions processed through contracted terminals cost only about 3 to 5 cents.)
In addition to the above, fees are discounted through the use of the services of Visa and MasterCard, which are consortia of banks, or of American Express Co. and Discover, which are separate companies that process and manage credit card transactions. This means you will pay 2 to 3 cents per dollar when using Visa or MasterCard, slightly less with Discover, and about 5 cents per dollar with American Express. Agreements between the card companies and business owners mean that customers do not pay these fees. The discount also differs between users at terminals, where the credit card is physically present, and the WEB environment, where the card is not present. In the discount exchange process the seller is guaranteed payment. The buyer is guaranteed to receive the goods, along with some other limited guarantees against being defrauded or losing the card. (Card insurance is sold by the card-issuing banks, and the risks are paid for.)
What software does your web store need to be able to process credit cards? At the simplest level, you must have forms available that are capable of secure encryption, usually Secure Socket Layer (SSL), a standard for both Microsoft's and Netscape's browsers, and this also means your server must have an encryption key. Next you need a program that acts as a shopping cart, allowing users to collect the items they want to buy, compute the price and tax, and then produce a final invoice for approval. Finally, if you do not want to process transaction files by hand or process them in batches, you need an electronic transaction mechanism.
1.1.2.2. Digital identification or digital IDs
The security keys on a server, known as digital IDs, are provided by a number of certificate authorities, which issue and maintain the records of these digital IDs. The largest certificate authority is operated by VeriSign Inc., a company founded in 1995 that specializes in managing digital certificates. The company handles digital ID requests for companies such as America Online, Microsoft and Netscape, but you can also obtain digital IDs directly on the company's web site. In the summer of 1998, VeriSign charged 349 USD for the first server ID a company bought and 249 USD for each additional server ID. A 128-bit Global Server ID cost 695 USD.
The underlying technology for VeriSign's digital IDs is SSL, first developed by RSA Technologies Inc., now a unit of Security Dynamics. Each message is encrypted with two codes or keys, each a string of bits that transforms the digitized value of the data entering or leaving the program. A public key is used to encrypt messages, while the second, private key is used to decrypt them. The integrity and authenticity of the private keys is guaranteed by a certificate authority such as VeriSign. A digital server ID lets you sign electronic documents and certify your signature with a certificate authority.
1.1.2.3. Some terminology
23.
25.
... emergency, is a list of card numbers that are not allowed to make payments or to purchase goods and services. These are cards that have exceeded their credit limit, counterfeit cards in circulation, cards whose personal identification number (PIN) has been exposed, stolen or lost cards, cancelled cards... The list is continuously updated and sent to all paying banks so that they can promptly notify accepting merchants.
28.
... the card-issuing bank. A card association has many member banks, and each member bank has its own code, which facilitates payment and lookup.
31.
... the day on which the card-issuing bank prepares statements of the expenses the cardholder must pay for the month.
32.
... issuer specifies for the cardholder to pay all or part of the value of the statement above.
33.
... a special bank account that allows you, when doing business, to accept payment by credit card. Payment by credit card can only be carried out through this type of account.
34.
Learn about e-commerce.
36.
37.
the B2C model.
39.
41.
43.
electronic payment.
Chapter 2. THEORETICAL BASIS
... web, work together, the server and the client exchange "hello" messages with each other, with the first one initiated by the server, and at the same time determine the encryption and data compression standards and algorithms that can be applied between the two applications. In addition, the applications also exchange a "session ID / session key" that is unique to that session. The client application (the browser) then requests the authenticated digital certificate of the server application (the web server).
Digital certificates are usually widely recognized because they are certified by an intermediary body (a Certificate Authority, CA) such as RSA Data Security or VeriSign Inc., a type of independent, neutral and reputable organization. These organizations provide the service of "certifying" a company's identity and issue a unique certificate to the company as proof of identity for transactions on the network; here these are the web servers.
After checking the server's digital certificate (using a public key cryptographic algorithm such as RSA on the client), the client application uses the information in the digital certificate to encrypt a message sent back to the server that only the server can decrypt. On that basis, the two applications exchange a master key, a secret or symmetric key, as the basis for encrypting the flow of information/data back and forth between the two client and server applications. The overall level of security and safety of the information/data depends on a number of parameters:
44.
45.
for SSL;
46.
when encrypting the information.
The working mechanism of SSL can be summarized as follows:
47.
issued to the Server
48.
Key of the Server)
49.
50.
51.
52.
Private Key
53.
use by the US government;
57.
61.
used by the US government;
62.
Figure 2.2 Example of a hash function
Broadly speaking, a hash function should behave as much like a random function as possible, while remaining deterministic and efficiently computable.
A cryptographic hash function is considered insecure if any of the following is computationally feasible:
64.
bits) matching the digest
65.
"k". Hash functions can also be used to generate pseudorandom bits.
SHA-1, MD5 and RIPEMD-160 were among the most widely used message digest algorithms of 2005. In August 2004, researchers found weaknesses in a series of hash functions, including MD5, SHA-0 and RIPEMD. In February 2005, an attack on SHA-1 was reported. In August 2005, another attack on SHA-1 was reported.
Hash functions are used to identify files on peer-to-peer file-sharing networks. For example, in an ed2k link, a variant of MD4 is combined with the file size to provide the information needed to identify the file source, download it and verify its content.
2.1.2.3. MD5 (Message-Digest algorithm 5)
MD5 (Message-Digest algorithm 5) is a cryptographic hash function with a 128-bit hash value. Once regarded as an Internet standard, MD5 has been widely used in network security software, and is also commonly used to check the integrity of files.
MD5 was designed by Ronald Rivest in 1991 to replace the earlier hash function MD4 (also designed by him, and preceded by MD2).
MD5 has 2 important applications:
66.
is impossible or would take an endless amount of time (so as to discourage hackers).
Some MD5 hashes
MD5("hello") = 5d41402abc4b2a76b9719d911017c592
Even a small change in the message (replacing e with a) completely changes the hash:
MD5("hallo") = 598d4c200461b81522a3328565c25f7c
The hash of the empty string is:
MD5("") = d41d8cd98f00b204e9800998ecf8427e
2.1.2.4. SHA (Secure Hash Algorithm)
SHA (Secure Hash Algorithm) is a family of five algorithms accepted by FIPS for transforming a given piece of data into a piece of data of fixed length, with a high probability that different inputs give different outputs.
The five SHA algorithms are:
71.
72.
73.
74.
75.
Thut gii SHA l thut gii bm mt c pht trin bi cc an ninh quc gia M
(National Security Agency hay NSA) v c xut bn thnh chun ca chnh ph M
GVHD: V Th Thanh Vn
33
bi vin cng ngh v chun quc gia M (National Institute of Standards and
Technology hay NIST). Bn thut gii sau thng c gi chung l SHA-2.
SHA-1 c s dng rng ri trong nhiu ng dng v giao thc an ninh khc
nhau, bao gm TLS v SSL, PGP, SSH, S/MIME, v IPSec. SHA-1 c coi l thut
gii thay th MD5, mt thut gii bm 128 bit ph bin khc.
Hin nay, SHA-1 khng cn c coi l an ton bi u nm 2005, ba nh mt m
hc ngi Trung Quc pht trin thnh cng mt thut gii dng tm c hai
on d liu nht nh c cng kt qu bm to ra bi SHA-1[1]. Mc d cha c ai
lm c iu tng t vi SHA-2, nhng v v thut gii, SHA-2 khng khc bit
my so vi SHA-1 nn nhiu nh khoa hc bt u pht trin mt thut gii khc tt
hn SHA. NIST cng khi u mt cuc thi pht trin thut gii bm mi an ton
hn SHA, ging nh quy trnh pht trin chun m ha tin tin (Advanced Encryption
Standard hay AES).
Mt vi bng bm SHA-1
76.
Thay e thnh a:
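As an added illustration of the properties described in this section (not code from the thesis), the following Python script computes MD5 and SHA-1 digests with the standard library, measures the avalanche effect behind the "small change in the message" examples above, and performs a constant-time fingerprint comparison of the kind used to check file integrity. The sample messages are constructed for this example.

```python
import hashlib
import hmac

# Constructed sample messages (assumption of this example, not the thesis's own).
SAMPLE_MESSAGES = [b"", b"hello", b"Hello", b"abc"]


def digest_hex(algorithm: str, data: bytes) -> str:
    """Hex digest of `data` under a hashlib algorithm name ("md5", "sha1", "sha256", ...)."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Number of bit positions in which two equal-length hex digests differ."""
    if len(hex_a) != len(hex_b):
        raise ValueError("digests must have the same length")
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def avalanche(algorithm: str, m1: bytes, m2: bytes) -> dict:
    """Compare the digests of two messages.  A good hash flips roughly half of
    the output bits even when the inputs differ in a single character."""
    d1 = digest_hex(algorithm, m1)
    d2 = digest_hex(algorithm, m2)
    total = len(d1) * 4                      # 4 bits per hex digit
    return {"digest1": d1, "digest2": d2,
            "changed": differing_bits(d1, d2), "total": total}


def verify_fingerprint(content: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Integrity check for a downloaded file: recompute the digest and compare it
    in constant time, so a partially correct value leaks nothing through timing."""
    actual = digest_hex(algorithm, content)
    return hmac.compare_digest(actual, expected_hex.lower())


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(f"MD5({m!r})  = {digest_hex('md5', m)}")
        print(f"SHA1({m!r}) = {digest_hex('sha1', m)}")
    r = avalanche("md5", b"hello", b"Hello")
    print(f"one-character change flipped {r['changed']} of {r['total']} MD5 bits")
    fp = digest_hex("sha256", b"abc")
    print("fingerprint ok:", verify_fingerprint(b"abc", fp))
    print("tampered ok:  ", verify_fingerprint(b"abd", fp))
```

The empty-string MD5 value printed by the script is the one quoted in the MD5 section; the avalanche count shows why a digest cannot be "adjusted" by small edits to the input, which is the second-preimage property the section's list of infeasible operations relies on.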
encryption and decryption are clearly related (one key can easily be derived from the other).
Symmetric algorithms are usually not used on their own. In the design of modern cryptosystems, both asymmetric (public-key) algorithms and symmetric algorithms are used together to take advantage of the strengths of each. Systems that use both include SSL (Secure Sockets Layer), PGP (Pretty Good Privacy) and GPG (GNU Privacy Guard), among others. The asymmetric algorithms are used to distribute the secret key for the faster symmetric algorithm.
Some well-known and well-regarded symmetric algorithms include Twofish, Serpent, AES (also called Rijndael), Blowfish, CAST5, RC4, Triple DES and IDEA (International Data Encryption Algorithm).
2.1.3.2. DES (Data Encryption Standard)
DES (short for Data Encryption Standard) is an encryption method that FIPS (the US Federal Information Processing Standards) selected as an official standard in 1976. The standard was subsequently used widely around the world. From the outset its algorithm was highly controversial, because it contained classified design elements, a relatively short key length, and susp­icions of a back door that the US National Security Agency (NSA) could use to break the cipher. As a result, DES was scrutinised intensively by the research community, which advanced the modern understanding of block ciphers and of the corresponding cryptanalytic methods.
Today DES is considered insecure for many applications. The main reason is that its 56-bit key is too short. A DES key has been broken in under 24 hours. There are also many analytical results showing theoretical weaknesses in the cipher that could lead to key recovery, although they are not practical. The variant believed to be secure in practice is Triple DES (DES applied three times), although in theory this method can still be broken. DES has recently been replaced by AES (Advanced Encryption Standard).
DES is a block cipher: it processes each fixed-length block of plaintext and transforms it, through a complex series of operations, into a ciphertext block of the same length. In the case of DES the block length is 64 bits. DES also uses a key to particularise the transformation, so that only someone who knows the key can decrypt the ciphertext. The DES key is 64 bits long in total, but only 56 bits are actually used; the remaining 8 bits serve only for parity checking. The effective key length is therefore 56 bits.
2.1.3.3. AES (Advanced Encryption Standard)
In cryptography, AES (Advanced Encryption Standard) is a block cipher adopted by the US government as an encryption standard. Like its predecessor DES, AES is expected to be used worldwide and has been studied very thoroughly. AES was approved as a federal standard by the National Institute of Standards and Technology (NIST) after a five-year standardisation process.
The algorithm was designed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, who submitted it under the name "Rijndael" to the AES design competition. Rijndael is pronounced "Rhine dahl" (IPA: [ˈrɛindaːl]).
Although the names AES and Rijndael are often used interchangeably, the two algorithms are not identical. AES works only with 128-bit data blocks and keys of 128, 192 or 256 bits, whereas Rijndael can work with block and key sizes of any multiple of 32 bits between 128 and 256 bits.
The round keys used in each round are produced by the Rijndael key schedule.
Most operations in the AES algorithm are performed in a finite field.
2.1.4.
To achieve equivalent security, asymmetric (public-key) encryption algorithms require considerably more computation than symmetric-key algorithms. In practice the two kinds of algorithm are therefore used to complement each other. In this model, one of the communicating parties generates a symmetric key for the session. That key is exchanged securely using the asymmetric encryption system, after which the two parties exchange secret information using the symmetric system for the rest of the session.
2.1.4.2. Applications
A public-key cryptosystem can be used for the following purposes:
only the private key can decrypt it.
Digital signature
The private key is used to create the digital signature
2.1.5.2. Creating a digital signature
Figure 2.7 Creating a digital signature
2.1.5.3. Verifying a digital signature
(a,b) that the branch sends to headquarters and then sends the packet (a,b3) in its place would instantly become a millionaire!
2.1.6. RSA
the money in the letter. In this example, the box with its open padlock plays the role of the public key, and the key to the padlock is the private key.
2.1.6.2. The algorithm
Suppose Alice and Bob need to exchange secret information over an insecure channel (for example the Internet). With the RSA algorithm, Alice first needs to generate her own key pair, consisting of a public key and a private key, by the following steps:
1.
Choose two large primes and with
, selected
Compute:
3.
Compute: the value of Euler's function
4.
.
Compute: d such that
Some notes:
probabilistic primality tests.
for
step
instead of
3, PKCS#1 v2.1 uses ).
The public key consists of:
n, the modulus, and
the private key, and
dmp1 and dmq1),
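The key generation steps above survive only as fragments. As an added example that is not the thesis's own code, the following pure-Python script carries out the standard textbook RSA procedure: two random primes chosen with a Miller-Rabin probabilistic test, the modulus n = pq, Euler's totient (p-1)(q-1), a public exponent e coprime to it (65537 is assumed here as the common choice), and d as the inverse of e modulo the totient, together with the CRT values dmp1 and dmq1 that the page lists in the private key. It also shows the two uses named in the applications section: encryption with the public key and signing of a message digest with the private key. The 512-bit key size is an assumption made so the script runs quickly; real keys are 2048 bits or larger, and real systems apply the padding schemes of PKCS#1 rather than raw modular exponentiation.

```python
import hashlib
import math
import random

# Assumption of this example: small modulus for speed; production keys are
# 2048 bits or more and use PKCS#1 padding, not the raw operations shown here.
DEFAULT_BITS = 512
PUBLIC_EXPONENT = 65537


def is_probable_prime(n: int, rng=None, rounds: int = 40) -> bool:
    """Miller-Rabin test: the probabilistic primality test the page refers to."""
    rng = random.SystemRandom() if rng is None else rng
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:                        # write n-1 as 2^r * d with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                     # a is a witness: n is composite
    return True


def random_prime(bits: int, rng) -> int:
    """Odd candidates of exactly `bits` bits, retried until one passes the test."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate, rng):
            return candidate


def generate_keypair(bits: int = DEFAULT_BITS, e: int = PUBLIC_EXPONENT, seed=None):
    """Steps 1-5 of the page's procedure; returns (public_key, private_key) as dicts.
    A seed gives a reproducible (test-only) key; None uses the OS entropy source."""
    rng = random.SystemRandom() if seed is None else random.Random(seed)
    while True:
        p = random_prime(bits // 2, rng)     # step 1: two distinct large primes
        q = random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)              # step 3: Euler's totient of n
        if p != q and math.gcd(e, phi) == 1: # step 4: e must be coprime to phi
            break
    n = p * q                                # step 2: the modulus
    d = pow(e, -1, phi)                      # step 5: d = e^-1 mod phi (Python 3.8+)
    public = {"n": n, "e": e}
    private = {"n": n, "d": d, "p": p, "q": q,
               "dmp1": d % (p - 1), "dmq1": d % (q - 1), "iqmp": pow(q, -1, p)}
    return public, private


def encrypt(public: dict, m: int) -> int:
    """Textbook RSA encryption of an integer message smaller than n."""
    if not 0 <= m < public["n"]:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, public["e"], public["n"])


def decrypt(private: dict, c: int) -> int:
    """Decryption via the Chinese remainder theorem, which is what dmp1, dmq1
    and iqmp in the private key are for (about four times faster than c^d mod n)."""
    m1 = pow(c, private["dmp1"], private["p"])
    m2 = pow(c, private["dmq1"], private["q"])
    h = (private["iqmp"] * (m1 - m2)) % private["p"]
    return m2 + h * private["q"]


def sign(private: dict, message: bytes) -> int:
    """Sign the SHA-256 digest of the message (digest must be smaller than n)."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(digest, private["d"], private["n"])


def verify(public: dict, message: bytes, signature: int) -> bool:
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, public["e"], public["n"]) == digest


if __name__ == "__main__":
    pub, priv = generate_keypair()
    print("decrypt(encrypt(42)) =", decrypt(priv, encrypt(pub, 42)))
    s = sign(priv, b"transfer 100 to account 42")
    print("signature verifies:", verify(pub, b"transfer 100 to account 42", s))
    print("altered message verifies:", verify(pub, b"transfer 1000 to account 42", s))
```

Signing the digest rather than the raw message is what blocks the substitution hinted at in the bank example of the signature section: an attacker who multiplies a raw signature cannot produce one for a message whose digest he cannot control.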
public/private key pair. These processes are usually carried out by software located at a central site together with cooperating software at the users' locations. Public keys are usually distributed in public-key certificates.
The term public key infrastructure (PKI) is often used to refer to the whole system comprising the certificate authority (CA) and the associated mechanisms, together with all use of public-key cryptographic algorithms in information exchange. Including the latter is not entirely accurate, however, because the mechanisms in a PKI do not necessarily use public-key encryption algorithms.
A PKI allows participants to authenticate one another and to use the information in public-key certificates to encrypt and decrypt the information they exchange. A PKI typically comprises client software, server software, hardware (such as smart cards) and the associated operating procedures. A user can also sign electronic documents with his or her private key, and anyone can verify them with that user's public key. A PKI allows electronic transactions to take place with confidentiality, integrity and mutual authentication without any prior exchange of secret information.
2.1.7.2. Digital certificates
A digital certificate is an electronic file used to identify an individual, a server, a company or some other entity, and to bind that entity's identity to a public key. Like a driving licence, a passport, an identity card or other common personal identification documents, a digital certificate provides evidence of an entity's identity. Public-key cryptosystems use digital certificates to solve the problem of impersonation.
To obtain a driving licence, you have to register with the traffic police. They issue the licence after verifying information about you such as your ability to drive, your full name, your address and other required details. To obtain a digital certificate you have to go through a similar registration process. The party that can certify that your information is accurate is called a certificate authority (CA), an organisation authorised to confirm identities and issue digital certificates. A CA may be an independent third party, or an organisation may run its own certificate-issuing software. The methods used to establish identity depend on the policies the CA sets. The policy must ensure that certificates are issued correctly: to whom, and for what purpose. Usually, before issuing a certificate, the CA publishes the procedures that must be followed for each type of certificate.
A digital certificate contains a public key bound to the unique name of an entity (such as the name of an employee or a server). Digital certificates help prevent a public key from being used for impersonation. Only the public key certified by the certificate works with the corresponding private key owned by the entity whose certified identity appears in the certificate.
issued that certificate. It allows the certificate to be seen as stamped, so that users know about and trust the CA.
The information in a digital certificate includes:
The digital signature of the issuer
Certificate revocation
Certificate management
A PKI is the foundational component for deploying public-key based security applications.
2.1.7.5. Components of a PKI
transactions
2.1.8.2. Operation
The basic characteristics of SET:
digital signatures.
version 3.
version 3.
The parties participating in SET:
financial institution.
card (Acquirer).
the ability to create digital signatures.
cardholder.
with the payment card)
)
payment.
Delivery
Payment request
the other card and vice versa
payment
2.2. Web security
2.2.1.
somebody@something.com
This can be very dangerous if the server software has a security vulnerability, since it gives a hacker the opportunity to exploit that vulnerability and attack the server.
The Accept headers in the client's request to the server also reveal more about the user, for example Accept-Language and Accept-Encoding.
Just as the server's header information can contain details about the server, the From field in the client header can contain the user's e-mail address. Clearly, if the user is browsing anonymously, this information should not be sent.
The Referer field in the request header sent to the server is used by the client to indicate the address (URI) of the document (or of an element within the document) from which the requested URI was obtained. This allows the server to build a list of the links pointing to it, for logging, for handling broken links, and so on. The Referer header can be abused: the information can be used to count the people requesting a resource on the server, and from there for various purposes such as analysing user behaviour for advertising, which violates the user's privacy.
2.2.1.4. Security issues in proxies and caches
2.2.1.5. Securing web transactions
When the HyperText Transport Protocol is used for personal or commercial services, personal or sensitive information requires a secure version of the protocol that provides privacy and authentication. Securing web transactions (that is, securing HTTP messages) must satisfy the following security requirements:
In addition, the security mechanism for HTTP must integrate easily with the other features of HTTP.
To meet the security requirements above, the following security methods can be used:
At present, SSL is used widely for web-based transactions because of its high level of security and its convenience.
2.2.2. Web server security
2.2.2.1. Security issues on the server
The Internet and electronic commerce have grown very rapidly in recent years, accompanied by a growth in hacking and an increase in security threats. Many organisations operate servers without protection in place against attacks from outside.
Web servers are always a target for hackers on the network. Setting up and protecting the information on a server is therefore always an urgent matter, especially for e-commerce server systems.
There are many techniques that allow an attacker to run dangerous code on a victim's machine, including:
Viruses and worms are programs that replicate themselves automatically and spread between computers through e-mail attachments or independently across the network. A virus modifies programs on the infected computer and may also create a back door that gives the attacker control of the machine.
Methods that help protect a web server:
Install software and patches
(logging)
Many services running on a web server can record their activity (logs). Web servers running UNIX or Windows can be configured to write system activity to one or more files, or to send it to another computer on the network, to a printer or to other devices.
Log information becomes invaluable when recovering a system from a security incident. Logs usually tell us how the attacker attacked the system, and may even provide clues that lead to the attacker. Log files can be presented as evidence in court to convict an attacker if the attacker's actions were recorded in the system.
Logging should be enabled on all servers, and the logs should be reviewed regularly. An administrator can write a small program that scans the log files every day and filters out the information and events the administrator wants to know about, or error information; alternatively, log analysis tools can be used. Once this information is available, the administrator can easily picture the events that occurred and decide how to respond appropriately.
Log files are also very useful for measuring the load on the system. For example, logging can be set up to record the use of outbound and inbound connections, CPU and RAM activity, and disk capacity. This information helps determine when the system should be upgraded.
Protecting the log files is very important. If someone breaks into the system, the first thing they do is try to edit the log files to erase the traces of their intrusion. The best way to protect log files is to build a secure log server that collects log information from the other machines on the network. An authentication mechanism protecting the log files is also needed, so that only authorised people can view them.
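The "small program that scans the log files every day" suggested above, as an added example that is not the thesis's code: it parses constructed web server log lines in the Apache combined format, counts error responses per client, and flags requests for administrative paths and paths containing directory-traversal sequences, so the administrator sees the handful of events worth attention instead of the whole file. The sample lines, the thresholds and the path rules are assumptions of the example.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format (assumption of this
# example; IIS W3C logs differ in layout but carry the same fields).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2009:13:55:36 +0700] "GET /index.aspx HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2009:13:55:40 +0700] "GET /product.aspx?id=7 HTTP/1.1" 200 8210 "http://shop.example/" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2009:13:56:01 +0700] "GET /admin/ HTTP/1.1" 403 312 "-" "curl/7.19"
198.51.100.9 - - [10/Oct/2009:13:56:02 +0700] "GET /admin/login.aspx HTTP/1.1" 404 298 "-" "curl/7.19"
198.51.100.9 - - [10/Oct/2009:13:56:03 +0700] "GET /../../boot.ini HTTP/1.1" 400 250 "-" "curl/7.19"
198.51.100.9 - - [10/Oct/2009:13:56:04 +0700] "GET /cgi-bin/test HTTP/1.1" 404 298 "-" "curl/7.19"
198.51.100.9 - - [10/Oct/2009:13:56:05 +0700] "GET /backup.zip HTTP/1.1" 404 298 "-" "curl/7.19"
192.0.2.44 - - [10/Oct/2009:14:01:10 +0700] "POST /checkout.aspx HTTP/1.1" 200 1024 "http://shop.example/cart.aspx" "Mozilla/5.0"
this line is not in the expected format
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Thresholds and path rules are assumptions of the example; tune them per site.
ERROR_BURST_THRESHOLD = 4                 # this many 4xx/5xx from one client
SENSITIVE_PREFIXES = ("/admin",)          # paths anonymous clients should not request
TRAVERSAL_MARKERS = ("../", "..\\", "%2e%2e")


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    return fields


def scan(log_text: str) -> dict:
    """Filter a day's log down to the events an administrator wants to see."""
    errors_per_ip = Counter()
    sensitive, traversal = [], []
    parsed = unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1                 # malformed lines deserve a look too
            continue
        parsed += 1
        if rec["status"] >= 400:
            errors_per_ip[rec["ip"]] += 1
        path_lower = rec["path"].lower()
        if path_lower.startswith(SENSITIVE_PREFIXES):
            sensitive.append((rec["ip"], rec["path"]))
        if any(marker in path_lower for marker in TRAVERSAL_MARKERS):
            traversal.append((rec["ip"], rec["path"]))
    bursts = {ip: n for ip, n in errors_per_ip.items() if n >= ERROR_BURST_THRESHOLD}
    return {"parsed": parsed, "unparsed": unparsed, "error_bursts": bursts,
            "sensitive": sensitive, "traversal": traversal}


def report(result: dict) -> str:
    """Human-readable summary for the daily message to the administrator."""
    lines = [f"parsed {result['parsed']} lines, {result['unparsed']} unparsable"]
    for ip, n in sorted(result["error_bursts"].items()):
        lines.append(f"{ip}: {n} error responses (possible probing)")
    for ip, path in result["sensitive"]:
        lines.append(f"{ip}: request for restricted path {path}")
    for ip, path in result["traversal"]:
        lines.append(f"{ip}: directory traversal pattern in {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(scan(SAMPLE_LOG)))
```

Run against the real log directory, the script should read the files from the secure log server the section recommends, not from the web server itself, so that a compromised host cannot feed it edited records.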
accidental deletion of files.
Backups are not difficult, but the following points must be observed:
The reports produced by this tool should be handled with care; ideally they should be stored in a safe place that only authorised people can view, because if this information falls into the hands of an attacker it can help them find the holes in the system very easily.
over the network, mainly over the Internet, using attacks such as malicious software
Use virus scanners to detect viruses and malicious software, to prevent them from running on the system and opening holes through which an attacker can break in.

Service                                       Reason
DNS                                           Bugs in DNS can be exploited to harm the server.
Mail (SMTP, POP, IMAP, ...)
netstat, systat
chargen, echo
FTP
Telnet
Berkeley "r" commands (rlogin, rsh,           These commands use the IP address for authentication and are
rdist, ...)                                   therefore very insecure, because the IP address can be spoofed.
                                              Use SSH or SCP instead.
Table 2.1 Services that should be restricted on a web server
2.2.2.4. Firewalls
A firewall is a barrier set up to prevent Internet users from accessing unwanted information, or to prevent users from outside from accessing confidential information held on the internal network.
A firewall is a hardware device, a piece of software, or both, operating in a networked computing environment to block communications that are forbidden by the security policy of an individual or organisation, much as fire walls in buildings contain a fire.
Firewalls are used to protect a local area network (LAN) from threats from the Internet.
A firewall can also be used to protect a web server. As with a local network, the greatest benefit of a firewall in protecting a web server is control over the protocols the server uses. For example, if the server offers only the HTTP service, the administrator can configure the firewall to allow packets only on port 80. If the web server also needs to support HTTP over SSL, the administrator can open port 443.
If vulnerabilities exist on the web server, the firewall helps prevent an attacker from using the web server as a base from which to attack other computers on the Internet. For maximum protection, a firewall should also be placed at the boundary of the internal network (see the figure below). This prevents an attacker who has taken control of the web server from using it to attack the internal network.
Web application security
server, and because a malicious party could steal and analyse it and thereby find serious security holes.
2.2.3.2. Securing data fields and hidden fields
One of the reasons it is hard to develop a secure web application is the structure of a web application. When developing a web application, the developer writes code that runs on the web server, and part of it is downloaded to and runs in the user's browser. The developer spends a great deal of time making sure that these two parts work together smoothly. For example, it is important to make sure that the names of the data fields sent to the user's browser match exactly the field names in the script on the server. The developer therefore has to spend a lot of time making sure that the HTML, JavaScript and other code downloaded to the user's browser works correctly.
In the current web application architecture, the code runs on the web server and produces HTML that is returned to the user's browser. In the browser, the user can view the HTML and JavaScript returned by the server. This creates a security risk: if the information in the data fields and hidden fields is not protected and checked, an attacker can analyse and modify it and send forged information to the web server.
To use data fields safely, the following checks must be carried out:
the data fields the user enters, a second check must be made on the server, because an attacker can disable JavaScript and easily bypass the data validation in the browser.
Hidden fields are often used to send information to the web server that preserves the state of the session between the user's browser and the web server. For example, storing the username and password used to authenticate the user:
<INPUT TYPE="hidden" NAME="username" VALUE="simsong">
<INPUT TYPE="hidden" NAME="password" VALUE="myauth11">
Besides hidden fields, data fields can also be placed on the URL:
http://.../password_tester?username=simsong&password=myauth11
To ensure the confidentiality and integrity of the data in hidden fields and on the URL, encryption mechanisms should be used to encrypt the data held in hidden fields and in URL parameters. For example:
http://.../password_tester?
p6e6J6FwQOk0tqLFTFYq5EXR03GQ1wYWG0ZsVnk09yv7ItIHG17ymls4UM
%2F1bwHygRhp7ECawzUm%0AKl3Q%2BKRYhlmGILFtbde8%0A:
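The server-side re-check described above, as an added example that is not the thesis's code: the handler takes the raw fields of a constructed checkout form, validates each one independently of whatever JavaScript ran in the browser, and charges the price held in the server's own catalogue rather than any price carried in a hidden field or URL parameter; a client-supplied price that disagrees is recorded as evidence of a modified form. The catalogue, the form layout and the field rules are assumptions of the example.

```python
import re
from decimal import Decimal, InvalidOperation

# Constructed server-side catalogue (assumption of this example): the amount
# charged always comes from here, never from the submitted form.
CATALOGUE = {
    "NB-100": {"name": "Notebook 100", "price": Decimal("899.00"), "stock": 12},
    "NB-200": {"name": "Notebook 200", "price": Decimal("1299.00"), "stock": 0},
}

PRODUCT_ID_RE = re.compile(r"^[A-Z]{2}-\d{3}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class ValidationError(ValueError):
    """Raised when the submitted form fails a server-side check."""


def validate_order(form: dict) -> dict:
    """Validate the raw form fields (name -> string) posted by the browser.

    Every field is re-checked here regardless of what client-side JavaScript
    did, because the client can disable or bypass that validation.  Returns
    the cleaned order or raises ValidationError.
    """
    errors = []

    product_id = str(form.get("product_id", "")).strip()
    if not PRODUCT_ID_RE.match(product_id) or product_id not in CATALOGUE:
        errors.append("unknown product")

    quantity = None
    try:
        quantity = int(str(form.get("quantity", "")).strip())
        if not 1 <= quantity <= 99:
            raise ValueError
    except ValueError:
        quantity = None
        errors.append("quantity must be an integer between 1 and 99")

    email = str(form.get("email", "")).strip()
    if len(email) > 254 or not EMAIL_RE.match(email):
        errors.append("invalid e-mail address")

    if errors:
        raise ValidationError("; ".join(errors))

    item = CATALOGUE[product_id]
    if item["stock"] < quantity:
        raise ValidationError("insufficient stock")

    # A hidden "price" field, if the form carries one, is never used for
    # charging.  A mismatch is recorded because it indicates a modified form.
    mismatch = False
    if "price" in form:
        try:
            mismatch = Decimal(str(form["price"])) != item["price"]
        except (InvalidOperation, ValueError):
            mismatch = True

    return {
        "product_id": product_id,
        "quantity": quantity,
        "email": email,
        "unit_price": item["price"],
        "total": item["price"] * quantity,
        "client_price_mismatch": mismatch,
    }


def is_rejected(form: dict) -> bool:
    """True if the server-side checks reject the form."""
    try:
        validate_order(form)
        return False
    except ValidationError:
        return True


if __name__ == "__main__":
    posted = {"product_id": "NB-100", "quantity": "2", "email": "buyer@example.com",
              "price": "1.00"}                 # constructed form with an altered hidden price
    print(validate_order(posted))
```

Credentials do not belong in this flow at all: the username and password in the hidden-field example above should live in a server-side session that the browser references by an opaque identifier, so there is nothing for the client to read or edit.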
2.2.3.3. Database security
It is very dangerous if an attacker obtains the connection details for the web application's database: product information, customers' personal information, shopping cart contents and invoice details will all be exposed once the attacker gets into the database. Protecting the database connection details is therefore extremely important.
To protect the database connection details, they must be encrypted and stored in a separate file on the web server; this improves both security and the maintainability of the site. The scripts on the web server open this file and read the username, password and other details needed to connect to the database.
Important points for protecting the database against attack:
intrusion from outside.
Web client security
2.2.4.1. Web spoofing
Web spoofing is a form of phishing. The attacker creates a copy of some web site in order to control the information flowing between the web client and the victim's browser, with the aim of obtaining personal or other sensitive information.
spoofed web site.
With a spoofed site that also uses SSL to establish the connection to the attacker's site, the user can be trapped if they do not check the SSL certificate details, and may easily believe that a secure connection has been established between their browser and the real server. The forged certificate can look very similar to the real site's certificate, and the name may contain a few spelling differences that are hard to notice.
2.2.4.2. Privacy violations
A user's private information can be exposed during browsing through:
the Referer field in the HTTP header can reveal the user's private information.
store state information on the user's machine when visiting a web site. Cookies allow the web server to store information about the user, such as the products in the cart being purchased, so that the server can reuse it on later visits.
Some web sites use cookies to store login details and other information about the user so that the web server can recognise the user on subsequent visits. This is very dangerous if an attacker breaks into the system and obtains personal information from the cookies.
Another risk from cookies is that malicious web sites can use cookies to count the user's visits to the site and can use that information for various purposes such as advertising.
If the information in cookies is not protected, users can also change the values in the cookies.
To protect personal and sensitive information in cookies, web servers can use digital signatures or encryption of the cookie contents to authenticate and protect the information in the cookies.
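The signing of cookie contents recommended above, as an added example that is not the thesis's code: the server keeps a secret key, attaches an HMAC-SHA256 tag to the serialised cookie value, and rejects any cookie whose tag does not verify or whose expiry has passed, so a user (or an attacker who has copied the cookie) cannot alter the cart or identity fields without detection. The key, the cookie layout and the sample values are assumptions of the example; no credential is placed in the cookie, only a reference to what the server already knows.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption of this example: a server-side secret generated once and kept
# outside the web root; it is never sent to the browser.
SERVER_KEY = b"constructed-example-key-replace-in-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_cookie(payload: dict, key: bytes = SERVER_KEY,
                now: Optional[int] = None, ttl: int = 3600) -> str:
    """Serialise `payload` plus an expiry time and append an HMAC-SHA256 tag.
    The value stays readable by the client (it is signed, not encrypted), but
    any change to it invalidates the tag."""
    body = dict(payload)
    body["exp"] = int(time.time() if now is None else now) + ttl
    raw = json.dumps(body, separators=(",", ":"), sort_keys=True).encode("utf-8")
    tag = hmac.new(key, raw, hashlib.sha256).digest()
    return _b64(raw) + "." + _b64(tag)


def read_cookie(cookie: str, key: bytes = SERVER_KEY,
                now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if the tag verifies and the cookie has not expired;
    otherwise None, so the caller treats the visitor as having no session."""
    try:
        raw_b64, tag_b64 = cookie.split(".", 1)
        raw, tag = _unb64(raw_b64), _unb64(tag_b64)
    except ValueError:                            # binascii.Error is a ValueError
        return None
    expected = hmac.new(key, raw, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):    # constant-time comparison
        return None
    body = json.loads(raw.decode("utf-8"))
    current = int(time.time() if now is None else now)
    if body.get("exp", 0) < current:
        return None
    body.pop("exp", None)
    return body


def tampered_copy(cookie: str, new_payload: dict) -> str:
    """What an edited cookie looks like: new contents under the old tag.
    Used only to show that read_cookie rejects it."""
    _, tag_b64 = cookie.split(".", 1)
    raw = json.dumps(new_payload, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return _b64(raw) + "." + tag_b64


if __name__ == "__main__":
    c = make_cookie({"user": "alice", "cart": ["NB-100"]})
    print("valid cookie  ->", read_cookie(c))
    print("edited cookie ->", read_cookie(tampered_copy(c, {"user": "admin", "cart": []})))
```

The same construction protects hidden form fields and URL parameters: sign the value when the page is generated and verify the tag when the form is posted back. Where the contents must also stay confidential, encrypt the payload before signing it; signing alone only guarantees integrity and origin.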
an anonymous browsing service on the network is similar to using a proxy server, except that no information is stored on the service's systems.
2.3. Electronic payment gateways
2.3.1.
An electronic payment gateway is a service that enables online payment on e-commerce web sites. It is the online equivalent of a point-of-sale (POS) terminal. A payment gateway encrypts sensitive information such as credit card numbers, ensuring that the information stays confidential and that the transaction between buyer and seller is convenient.
Put simply, a payment gateway is the tool that connects your e-commerce web site to the merchant's account. A payment gateway by itself only handles payment, but many gateway service providers offer additional facilities such as shopping carts.
2.3.2.
Discover Card; for Amex and Discover cards the card company also plays the role of the acquiring bank and processes the request from the payment gateway directly (combining two steps into one).
sends the response back to the payment gateway along the reverse path as a response code. The response code indicates whether the transaction is accepted or declined and, if declined, the reason (insufficient funds, unable to link to the bank account, etc.)
seconds.
settlement of the funds into the final account takes about 3 days (on average).
Payment gateways usually provide ready-made forms, tools that calculate tax automatically and tools that complete the records sent to the processing centre automatically. In particular they offer anti-fraud tools such as geolocation, velocity pattern analysis, delivery address verification, computer fingerprinting technology, identity morphing detection and AVS checks.
2.3.3.
encoded on the card's magnetic stripe, used for card-present transactions.
is usually required for card-not-present transactions such as transactions over the Internet, by e-mail, by telephone or by fax.
CVV2 is a sequence of 3 or 4 digits printed on the card, either on the front or immediately after the signature strip.
On American Express cards this number is printed
to amend an invoice, for example, will not be able to supply the CVV2 to the bank again to verify the re-charged payment.
2.3.3.2. Address Verification System (AVS)
The Address Verification System (AVS) is a system for verifying the holder of a credit card. It checks the billing address of the credit card supplied by the user against the address stored in the card issuer's database.
AVS checks the numeric part of the address. For example, if the customer's address is 101 Main Street, Highland, CA 92346, AVS checks 101 and 92346.
At present only a few countries support AVS for Visa and MasterCard, notably the United States, Canada and the United Kingdom. American Express supports more countries.
Besides the automatic check, some banks also offer merchants a manual check. This is usually done for foreign credit card accounts, since AVS only works within the same country. This facility helps merchants prevent fraud originating from other countries. The merchant's bank calls the customer's bank (or sends a fax to the bank with the request).
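An AVS comparison of the kind described above, as an added example that is not the thesis's code: it extracts the digits of the street address and the postal code supplied at checkout, compares them with the address on file, and returns an outcome in the style of an issuer's response (full match, postal code only, street only, no match, or unavailable), followed by a simple merchant policy on top of that outcome. The address records, the outcome labels and the policy limit are constructed for the example; the actual response codes returned by the card networks are not reproduced here.

```python
import re

# Constructed records standing in for the card issuer's address database,
# keyed by a card token (assumption of this example).
ISSUER_ON_FILE = {
    "tok_1": {"street": "101 Main Street, Highland", "postcode": "92346"},
    "tok_2": {"street": "Flat 4, 22 High Street", "postcode": "SW1A 1AA"},
}

FULL_MATCH, POSTCODE_ONLY, STREET_ONLY, NO_MATCH, UNAVAILABLE = (
    "FULL_MATCH", "POSTCODE_ONLY", "STREET_ONLY", "NO_MATCH", "UNAVAILABLE")


def street_digits(street: str) -> str:
    """The numeric part of a street address, which is all AVS compares
    (for "101 Main Street" this is "101")."""
    return "".join(re.findall(r"\d", street))


def postcode_key(postcode: str) -> str:
    """Normalise a postal code: case and spacing are not significant."""
    return re.sub(r"\s+", "", postcode).upper()


def avs_check(token: str, street: str, postcode: str) -> str:
    """Compare the billing address from checkout with the address on file."""
    record = ISSUER_ON_FILE.get(token)
    if record is None:
        return UNAVAILABLE                        # issuer cannot verify this card
    street_ok = street_digits(street) == street_digits(record["street"])
    post_ok = postcode_key(postcode) == postcode_key(record["postcode"])
    if street_ok and post_ok:
        return FULL_MATCH
    if post_ok:
        return POSTCODE_ONLY
    if street_ok:
        return STREET_ONLY
    return NO_MATCH


def merchant_decision(avs_result: str, amount: float, review_limit: float = 200.0) -> str:
    """A merchant policy on top of the AVS result (assumption of this example):
    accept full matches, decline outright mismatches, and send partial matches
    and unverifiable cards for manual review above a limit."""
    if avs_result == FULL_MATCH:
        return "accept"
    if avs_result == NO_MATCH:
        return "decline"
    return "review" if amount > review_limit else "accept"


if __name__ == "__main__":
    for args in [("tok_1", "101 Main St.", "92346"), ("tok_1", "102 Main Street", "92346"),
                 ("tok_2", "flat 4, 22 high street", "sw1a 1aa"), ("tok_9", "1 Any Road", "00000")]:
        result = avs_check(*args)
        print(args, "->", result, "/", merchant_decision(result, 250.0))
```

Because only digits are compared, an AVS match is a weak signal on its own; it is one input alongside CVV2 and the other anti-fraud checks listed in the gateway section, which is why the policy function above treats partial results as "review" rather than as a decision.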
2.4. Authorize.net
2.4.1. Introduction
Integration Method (SIM): with this method, when payment is requested, the customer is redirected to the authorize.net web site to enter the details needed for payment. Once payment is complete, the user is redirected back to the merchant's web site. This method suits small online shops.
Chapter 3.
3.1. System requirements
goods.
shipping.
Professional
3.2.2. Database management system
3.3. Tasks to be carried out
Requirements survey
Draw the system models
3.4. Models
3.4.1. ERD
[Entity-relationship diagram. The entities and attributes recovered from the diagram are listed below; <pi> marks a primary identifier and <M> a mandatory attribute. Relationship names and cardinalities in the diagram were generic (Relationship_8 ... Relationship_19, 0,n) and are not reproduced.]

MANUFACTURE: mfg_id <pi> Number <M>; name Variable characters (50); description Variable characters (200)
SYS_LOG: log_id <pi> Integer <M>; time Date & Time <M>; content Text
CATEGORY: cate_id <pi> Integer <M>; name Variable characters (50); description Variable characters (200)
DEVICE_CATEGORY_TYPE, DEVICE_CATEGORY, DEVICE_TYPE: attributes not recovered from the diagram
SYS_USER: sys_username <pi> Variable characters (20) <M>; sys_email Variable characters (30); password Variable characters (30); name Variable characters (50); telephone Variable characters (20)
SYS_GROUP: sys_group_id <pi> Integer <M>; name Variable characters (50); description Variable characters (200); manage_product Boolean; manage_user Boolean; manage_system Boolean; manage_order Boolean
NOTEBOOK: product_id <pi> Integer <M>; name Variable characters (50); bluetooth Boolean; vga_out Boolean; pcmcia_slots Short integer; usb_ports Short integer; ieee_1384_ports Short integer; weight Float; warranty Float; price Integer; viewed Integer; create_on Date & Time; last_edit_on Date & Time; product_description Text
NOTEBOOK_DEVICE: association between NOTEBOOK and DEVICE
DEVICE: device_id <pi> Integer <M>; cpu_speed Float; cpu_cores Short integer; cpu_bus_speed Short integer; cpu_l2_cache_size Short integer; cpu_mfg_tech Short integer; mb_bus_speed Short integer; mb_max_ram Integer; batery_max_hour Short float; batery_cells Short integer; graphic_memory_size Short integer; graphic_memory_shared Boolean; ram_size Short integer; ram_speed Integer; hdd_size Short integer; hdd_speed Integer; display_size Short integer; display_resolution_width Short integer; display_resolution_height Short integer; display_widescreen Boolean; wc_resolution Short float
SHOPPING_CART_DETAIL: quantity Short integer; price Integer; add_date Time
CUSTOMER: username <pi> Variable characters (20) <M>; password Variable characters (30); first_name Variable characters (20); last_name Variable characters (20); telephone Variable characters (20); email Variable characters (50); birthday Date; street Variable characters (100); address Variable characters (100); postcode Variable characters (7)
SHOPPING_CART: shop_cart_id <pi> Integer <M>; check_out_date Date & Time; checked_out Boolean
COUNTRY: country_id Integer; country_name Variable characters (30); two_iso_code Characters (2); thre_iso_code Variable characters (3)
STATE: state_id <pi> Integer <M>; state_name Variable characters (50)
SETTING: setting_id <pi> Integer <M>; setting_name Variable characters (100); setting_value Text; encrypted Boolean; description Variable characters (200)
ORDER: order_id <pi> Integer <M>; order_total_quantities Integer; order_total_weight Float; other_subtotal Money; other_tax Money; other_total Money; processed Boolean; credit_card_info Text; authorization_result Variable characters (4000); authorization_transaction_id Variable characters (100); authorization_approval_code Variable characters (10); authorization_response_code Variable characters (100); authorization_on Date & Time; transaction_state Short integer; capture_transaction_id Variable characters (100); captured_on Date & Time; ship_first_name Variable characters (20); ship_last_name Variable characters (20); ship_telephone Variable characters (20); ship_cellphone Variable characters (20); ship_email Variable characters (50); ship_street Variable characters (100); ship_address Variable characters (100); ship_city Variable characters (100); ship_state Variable characters (50); ship_postcode Variable characters (7); bill_first_name Variable characters (20); bill_last_name Variable characters (20); bill_telephone Variable characters (20); bill_street Variable characters (100); bill_address Variable characters (100); bill_city Variable characters (50); bill_state Variable characters (50); bill_postcode Variable characters (7); create_on Date & Time
3.4.2.
[Use case diagram for customers; recovered labels: actor Customer; use cases Register, View products, Login, Buy; <<include>> Login; <<include>> Check credit card information; <<extend>> Request bank transfer.]
3.4.2.2. Administrators and staff
In this part the user must log in to the system before managing and updating information.
[Use case diagram for administrators and staff; recovered labels: Manage staff [admin], with several <<include>> relations.]
3.4.3.
[Activity diagram for registration; recovered labels: check whether the username already exists; [valid] check whether the e-mail already exists; [valid] save the member's details to the database; end.]
3.4.3.2. Login
[Activity diagram for login; recovered labels: [valid] check the password; [valid] save the customer's details in the session; [already exists] check the customer's cart in the database.]
3.4.3.3. Add to cart
3.4.3.4. Purchase
[Activity diagram for purchase; recovered labels: payment request; [valid] ask for invoice details; [valid] ask for credit card details.]
3.4.4. Class model
Chapter 4. IMPLEMENTATION
4.1.2.
Serialize
Encrypt
Store in the database
4.1.5.
During checkout, when the user enters credit card details, the system checks whether the web site has been configured for SSL; if it has, the system automatically switches to the https protocol to protect the information.
4.2. Site map
4.2.1.
[Site map of the customer web site; recovered page names: Home; Login; Manage customer information; Register; Website; New products; Product details; All products; Products by manufacturer; Products by price; Cart; Checkout; Shipping information; Billing information; Credit card information.]
4.2.2.
[Site map of the administration section; recovered page names: Login; System settings; Administration; Staff; Manage staff; Manage orders; Manage products; Staff groups; Manage computers; Manage device groups; Products by manufacturer.]
4.3. Some screens
4.3.1. Home page
4.3.2. Registration page
4.3.3.
4.3.4.
4.3.5.
4.3.6.
4.3.7.
4.3.8.
4.3.9.
4.3.10.
4.3.11. Order management page
4.3.12.
4.3.13.
4.3.14.
Chapter 5.
5.1. Evaluation
After more than two months of research and writing this thesis, I have learned a great deal from it:
Problems addressed in the thesis:
identified the security issues in building and
in the application.
application.
Problems not yet addressed:
5.2. Future development
Based on what has and has not been achieved above, the thesis will be developed further in the coming period:
APPENDIX
1.1. Setting up a Verisign SSL certificate
1.1.1. Steps
Services (IIS) Manager, expand Web Site, right-click Default Web Site, select Properties
select Prepare the request now, but send it later, click Next
Finish
OK, close all windows.
1.1.3.2.
C:\certreq.txt.
Internet Explorer, go to the address
In Select Server Platform, select Microsoft. In Select Version, select IIS 6.0. Paste the contents of the file certreq.txt into Paste Certificate Signing Request (CSR), obtained from your server
In the CSR Information section, enter
Accept
1.1.3.3.
Certificates
Secure Trial Root CA Certificate
copy all the contents
select the certificate store based on the type of certificate, click Next, click Finish
1.1.3.4.
Process the pending request and install the certificate, click Next
point to the path C:\cert.txt
View Certificate
1.1.3.5. Checking the result
Internet Explorer, go to
1.2. Hash functions and symmetric encryption
REFERENCES
1.
2.
3. Web Security, Privacy & Commerce, 2nd Edition, Simson Garfinkel and Gene Spafford, O'Reilly, 2001.
4.
5. http://www.google.com
6. http://www.wikipedia.org/
7. http://www.authorize.net
8. http://msdn.microsoft.com