Professional Documents
Culture Documents
HCM
TI BO MT THNG TIN
Ging vin hng dn: Nhm Sinh vin thc hin: M Ch Trung Mssv: 1191020168 Phm Minh Trung Mssv: 1191020164 Phm Gia ng Mssv: 1191020017 Trnh Hng Hng Mssv: 1191020039 V Thanh Tm Mssv: 1191020120 Trnh ng Tun Mssv: 1191020175
Lp: 11HTHM1 Lp: 11HTHM1 Lp: 11HTHM1 Lp: 11HTHM1 Lp: 11HTHM1 Lp: 11HTHM1
1.1 EAP-TLS l g ?
EAP-TLS l ch vit tt ca Extensible Authentication Protocol Transport Layer Security (giao thc thm nh quyn truy cp c th m rng bo mt lp truyn dn). Kt ni da trn giao thc ny i hi c mt chng nhn ngi s dng (user certificate) trn c my khch v my ch IAS . y l c ch c mc an ton nht cp ngi s dng, n cho php mt phng php xc thc ty c s dng truyn thng tin y nhim v trao i thng tin c chiu di ty . EAP l mt phn m rng cho Point-to-point (PPP) v giao thc ny c t chc IETF nh ngha trong cun RFC 2284. Cc c tnh ca EAP-TLS bao gm:
Xc thc ln nhau (gia my ch v khch hng) . Trao i kho ( thit lp WEP ng v kho TKIP) . Phn mnh v ni li (vi bn tin EAP di cn c phn kch thc kim tra nu cn) . Kt ni nhanh (thng qua TLS) .
Hnh 1- Giao din TTLS PEAP : Ging nh chun TTLS, PEAP to kh nng xc thc cho mng LAN khng dy m khng yu cu xc thc. Protected EAP ( PEAP ) thm lp TLS ln trn cng EAP ging nh EAP-TTLS, ri sau s dng kt qu ca phin TLS nh phng tin vn chuyn bo v phng thc EAP. PEAP s dng TLS xc thc t my ch ti my trm nhng khng c chiu ngc li. Theo phng thc ny ch my ch yu cu kho xc thc cn khch hng th khng. My ch v my trm trao i chui thng tin m ho trong TLS, v bn tin TLS c xc thc v m ho s dng kho c thng qua gia hai bn.
Bn tin xc nhn (Nhng k tn cng s rt kh khn trong vic chn vo bn tin EAP) . M ho bn tin (Nhng k tn cng s khng th c v gii m bn tin EAP) Xc thc t my ch n khch hng (v th phng thc ny ch cn bo v xc thc t khch hng ti my ch) . Trao i kho ( thit lp cho WEP ng hoc kho TKIP) . Phn mnh v ghp li (cn thit nu bn tin EAP di) . Thit lp kt ni nhanh ( thng qua phin TLS ) .
Type 16 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
Description Assigned by RFC Identity Notification Nak (response only) MD5-Challenge One-Time Password (OTP) Generic Token Card (GTC) Not assigned Not assigned RSA Public Key Authentication DSS Unilateral KEA KEA-VALIDATE EAP-TLS Defender Token (AXENT) RSA Security SecurID EAP Arcot Systems EAP EAP-Cisco Wireless (LEAP) Nokia IP SmartCard authentication SRP-SHA1 Part 1 SRP-SHA1 Part 2 EAP-TTLS Remote Access Service UMTS Authentication and Key Agreement EAP-3Com Wireless PEAP MS-EAP-Authentication Mutual Authentication w/Key Exchange (MAKE) CRYPTOCard
EAP-MSCHAP-V2 DynamID Rob EAP SecurID EAP EAP-TLV SentriNET EAP-Actiontec Wireless Cogent Systems Biometrics Authentication EAP AirFortress EAP EAP-HTTP Digest SecureSuite EAP DeviceConnect EAP EAP-SPEKE EAP-MOBAC EAP-FAST Not assigned; can be assigned by IANA on the advice of a designated expert Reserved; requires standards action Expanded types Experimental usage
Hnh 3-Xc nhn 802.1x EAP-TLS 802.1x EAP-TLS vi EAS trong Controller Mode Client khng dy c chng ch in t (digital certificate) c ci t t trc. Mng ni b khng dy (WLAN) giao tip vi EAS thng qua Access Point (AP). Tt c ba thnh phn (Wireless client, AP v EAS) h tr cho qu trnh chng thc 802.1x EAP-TLS.WLAN c th s dng Windows XP (c xy dng h tr cho 802.1x EAP-TLS hay Windows 98/Me/2000) bng vic s dng Madge Wireless LAN Utility (WLU). Khi xc nhn, d liu ngi dng cng c th c s dng EAS m c cu hnh trong Gateway Mode.
CHNG II: GIAO THC EXTENSIBLE AUTHENTICATION PROTOCOL TRANSPORT LAYER SECURITY
c m t trong RFC 5216, cuc i thoi s c bt u vi bn gi v bn nhn tin hnh thng lng cc gi tin EAP.Bn server s gi mt gi tin EAP-Request cho client yu cu xc nh danh tnh ( Indentify ), sau client s phn hi ngc li cho server bng gi tin EAP-Response cha User-ID ca mnh.K t cuc ni chuyn s c bt u gia EAP-Server v client. Mt khi nhn c Identity ca client, EAP-Server phi phn hi cho client bng gi tin EAP-TLS start, l mt gi EAP-Request vi EAP-type=EAP-TLS, cuc tr chuyn bt u, bn pha client s gi mt gi tin EAP-Response, type=EAP-TLS.Trng d liu ca gi tin s c ng gi mt hoc nhiu TLS record nh dng TLS record layer, cha thng ip bt tay ( TLS client_hello ). Client_hello message bao gm s phin bn TLS ca client ( peers TLS version number ), session ID, mt con s pht sinh ngu nhin v b m ho c h tr bi client.Phin bn TLS ca client phi tng ng vi TLS v1.0 hoc cao hn. EAP-Server s tr li li vi mt gi tin EAP-Request vi EAP-type=EAP-TLS, gi tin ny bao gm TLS server_hello handshake message, server_key_exchange, certificate_request,server_hello_done.Trong server_hello_handshake message gm TLS version number , mt con s pht sinh ngu nhin khc ( another random number ), session ID v mt b m ho ( ciphersuite ). Nu session ID ca client l null hoc server khng th nhn bit c th lc ny server s phi chn mt session ID khc thit lp phin giao dch mi.Ngc li nu session ID m server nhn c t client trng khp vi session ID client gi th phin giao dch trc s c bt u li vi session ID ny. Nu server khng bt u li vi phin giao dch thit lp trc , th gi tin m n gi cho client phi bao gm thng ip bt tay ( handshake message) TLS server_certificate v server_done_hello handshake message phi l thng ip bt tay cui cng c ng gi trong gi tin EAP-Request. Certificate message cha mt chng ch kho cng khai (public key certificate) hoc l trao i kho cng khai ( chng hn nh RSA hoc Diffie-Hellman ) hoc l ch k kho cng khai ( nh l RSA hay DSS-Digital Signature Standard ). Nu bn pha client h tr EAP-TLS v c cu hnh s dng giao thc ny th phi phn hi gi tin EAP-Request bng gi tin EAP-Response vi type=EAP-TLS.Nu server_hello_message trc c gi bi EAP-Server trong gi tin EAP-Request trc khng bt u li phin giao dch trc th trng d liu ca gi tin phi ng gi bng mt hoc nhiu TLS record trong cha TLS client_key_exchange, change_cipher_spec v finished message.
Nu EAP-Server gi mt certificate_request_message trong gi EAP-Request trc , tr khi client c cu hnh ring th client phi gi b sung certificate v certificate_verify_message.EAP-Server s xc nhn certificate ca client v ch k in t nu server c yu cu. Nu server_hello_message trc c gi t server nm trong gi EAP-Request bt u li phin giao dch trc th bn pha client ch phi gi change_cipher_spec v finished_ handshake_message ( cha client authentication phn hi li EAP-Server ).
2.1.1.1
Code : code field chim 1 octet v nhn dng cc loi gi tin EAP. 1. Request. 2. Response. 3. Success. 4. Failure. Identifier: Identifier field chim 1 octet v gip cho Response v Request trng khp vi nhau.
Length: chim 2 octet , cho bit di ca gi tin.Mi octet ca gi tin EAP bao gm Code, Identifier , Length v Data fields.Nhng octet no nm ngoi gi tr ca Length field s b qua.Mt message vi trng di ( Length Field ) no m thit lp gi tr ln hn s lng cc octet nhn c phi c loi b. Data: c th l 0 hoc chim nhiu octet.nh dng ca trng d liu c xc nh bi Code Field.
2.1.1.2
Code : gi tr =1 ( request packet ). Indentifier : phi c thay i trn mi Request Packet. Length : cho bit di ca gi tin EAP bao gm Code, Identifier , Length , Type v Data Field. Type : nhn gi tr=13 EAP-TLS. Flags :
L: M: S: R:
-Bit L cho bit s hin din ca 4 octets TLS message field v c t cho phn on mng ( fragment ) u tin ca fragmented TLS message. -Bit M : hin th tt c ngoi tr fragment cui. -Bit S : c ci t lm EAP-TLS start message, khc bit vi fragment acknowledgment. -Bit R : bit d tr. TLS Message Length : chim 4 octet , trng ny ch hin din nu bit L bt ln.N cung cp tng chiu di ca TLS Message hoc b message ang c phn on. TLS Data : lm nhim v ng gi TLS Packet bng nh dng TLS Record.
2.1.1.3
Code : gi tr = 2 ( response packet ). Identifier : chim 1 octet, phi trng khp vi Identifier form request. Length : chim 2 octet, cho bit di ca gi tin EAP bao gm Code, Identifier, Length, Type v Data Field.Nhng byte no nm ngoi dy Lengh Field c xemm nh l lp n data link layer v phi c b qua khi tip nhn. Type: nhn gi tr =13-EAP-TLS. Flags :
L: M: R:
-Bit L : chim 4 octet, cho bit s hin din ca trng TLS Message v c t cho phn on ( fragment ) u tin ca fragmented TLS message. -Bit M : gm tt c ngoi tr fragment cui. -Bit R : bit d tr. TLS Message Length : chim 4 octet, ch hin din nu bit L bt ln.Trng ny cung cp tng chiu di ca TLS Message hoc b message ang c phn on. TLS Data : lm nhim v ng gi TLS Packet bng nh dng TLS record.
2.1.1.4
Gi tin thnh cng c gi t server n client sau khi hon thnh bng phng php chng thc EAP ( type = 4 hoc ln hn ) cho bit rng client chng thc thnh cng bi server. Server phi truyn mt gi tin EAP vi Code = 3 ( success ). Nu server khng th chng thc c client ( khng th chp nhn phn hi t mt hay nhiu yu cu ) sau khi chng thc bng phng php EAP kt thc khng thnh cng, th phi truyn mt gi tin EAP b sung vi Code = 4 ( failure ) . Success & failure packets khng c cha d liu b sung v phi khng c gi bi EAP server nu phng php chng thc khng cho php kt thc ti thi im .
2.1.2
c s dng xc nh danh tnh ca client.Nh chng thc s cp pht yu cu lc ban u.Mt thn g bo c hin th them c th gm du nhc lnh cho client trong trng hp ang tng tc vi ngi s dng.Thng bo phn hi phi c gi cho bn Request vi type = 1. Type: = 1 Type-Data : trng ny cha thng ip c th hin th bn phn hi ( Request). Bn phn hi s dng trng ny tr li Indentity.Nu Identity khng r rng th trng ny c chiu di l 0 octet v khng c mang gi tr rng ( NULL ). Trng ny c chiu di nhn t di ca gi tin Request/Response do gi tr NULL l khng cn thit.
2.1.2.2
Notification
c tu chn s dng truyn ti thng tin c hin th t nh chng thc n vi client.Client nn hin th thng tin n vi ngi s dng hoc ng nhp vo nu khng th hin th c. Notification c thit k cung cp thng bo chp nhn ca 1 s tnh cht bt buc.Chng hn nh 1 mt khu sp ht hn th s th t ca mt khu gn bng 0. Hu ht trong cc trng hp, thng bo trn khng c yu cu. Type: = 2 Type-Data: trng d liu bn Request cha ng 1 thng ip hin th c di ln hn 0.Chiu di ca thng ip ny c xc nh bi trng di ( Length Field ) ca gi tin Request.Cc thng ip khng c mang gi tr kt thc l rng ( NULL ).Bn phn hi ( Response) phi c gi hi p cho bn yu cu ( Request ) ti type = 2 ( notification ).Trng d liu ( datatype ) ca bn phn hi c di l 0 octet v phi c gi ngay lp tc.
2.1.2.3
Nak
Ch c gi tr trong cc tin nhn phn hi ( response message ).N c gi tr li cho bn Request ni m nu kiu xc thc khng th chp nhn c.Kiu chng thc c nh s th t l 4 v ln hn na.Bn Response cha kiu chng thc m client mong mun.
Type: =3 Type-Data: phi ch duy nht 1 octet ch r kiu chng thc mong mun.
2.1.2.4
MD5-Challenge
Tng t nh giao thc PPP CHAP.Bn Request cha 1 challenge message v gi cho client, bn Response phi c gi tr li cho bn Resquest v c th c loi 4 ( MD5-Challenge ) hoc loi 3 ( Nak ).Vic trin khai EAP phi h tr c ch chng thc MD5-Challenge. Type : = 4 Type-Data: ni dung ca trng d liu ny c tm tt di y
2.1.2.5
Bn yu cu ( Request ) cha mt thng ip hin th gm 1 OPT Challenge.Bn pha phn hi ( Response ) phi gi tr li cho bn Request v phi thuc loi 5 ( OPT ) hoc 3 ( Nak ).Nak reply cho bit kiu c ch chng thc m client mong mun. Type: =5 Type-Data: OPT Challenge l mt thng ip hin th ca bn Request.Bn hi p, trng ny c s dng cho 6 t trong One-Time Password System ( RFC-1938 ).Cc thng ip ny khng c kt thc bng gi tr rng ( NULL ). di ca trng ny nhn c t chiu di ca gi tin Request/Response.
2.1.2.6
c nh ngha s dng vi vic trin khai Token Card khc nhau m yu cu ngi s dng nhp vo.Bn yu cu cha mt tin nhn dng vn bn ASCII v bn tr li cha tin nhn Token Card cn thit cho vic chng thc.Thng tin ny c ngi s dng c t thit b Token Card v nhp nh dng vn bn ASCII.
Type: = 6 Type-Data: trng d liu bn yu cu cha thng ip hin th c di ln hn 0 octet.Chiu di ca thng ip ny c xc nh bi trng di ( Length Field ) ca gi tin Request v khng c mang gi tr rng ( NULL).Bn phn hi phi gi tin nhn tr li cho bn yu cu vi type = 6, v cha d liu t Token Card i hi vic xc thc.Chiu di ca d liu c xc nh bi trng d liu ca gi tin Response.
2.1.3
TLS Protocol c chia lm hai lp.Lp u tin l Handshake Protocol Layer bao gm ba giao thc con: Handshake Protocol, Change Cipher Spec Protocol v Alert Protocol.Lp th hai l Record Protocol Layer.
Record Layer Protocol: giao thc lp ny nhn v m ho d liu t lp ng dng (application layer) v cung cp cho lp vn chuyn(Transport layer ).Record Protocol ly d liu, phn mnh n cho ph hp vi kch thc ca thut ton m ho, p dng MAC (Message Authentication code ) hoc HMAC ( Hash-based Message Authentication Code ) v sau m ho hoc gii m d liu bng cch s dng thng tin tho thun trc trong Handshake Protocol. Handshake Protocol chu trch nhim cho vic thng lng phin giao dch bao gm cc hng mc sau y :
Session Identifier: mt chui byte tu c la chn bi my ch xc nh trng thi phin giao dch mt cch ch ng hoc c th khi phc li. Peer Certificate: chng ch X509v3 [X509] ca client, trng thi ny c th l Null. Compression method: thut ton dng nn d liu trc khi m ho. Cipher spec: ch nh cc thut ton m ho d liu s lng ln ( vd nh Null , DES ) v thut ton MAC ( MD5 hoc SHA ), ngoi ra n cn nh ngha m ho cc thuc tnh nh kch thc hm bm ( hash_size ). Master secret: 48 byte b mt c chia s gia client v server. Resumable: mt l c hiu cho bit rng liu phin giao dch c th c s dng bt u kt ni mi.
2.1.3.1
L giao thc tn ti bo hiu qu trnh chuyn i chin lc m ho.Giao thc gm mt tin nhn n l c m ho v nn bng trng thi kt ni hin ti. Message ny gm 1 byte ring l c gi tr = 1
2.1.3.2
Alert Protocol
Mt trong cc kiu ni dung c h tr bi phn lp TLS Record l kiu bo ng ( Alert Type ). Alert message truyn t mc nghim trng ca tin nhn v s m t v cnh bo. Tin nhn cnh bo vi kt qu m gy ra thit hi nghim trng th kt ni s c hu ngay lp tc.Trong trng hp ny, cc kt ni khc tng ng vi phin giao dch c th tin hnh tip tc nhng phin giao dch nh danh ( session identifier ) phi b mt hiu lc v ngn chn cc phin khng thnh cng ( fail session ) c s dng cho vic thit lp kt ni mi.Cng ging nh cc tin nhn khc, tin nhn cnh bo c m ho v nn nh c ch nh trc bi trng thi kt ni hin hnh.
2.1.3.3
Handshake Protocol
TLS handshake protocol l mt trong nhng my trm c nh ngha mc cao hn ( defined higher-level clients ) ca TLS Record Protocol. Giao thc ny c s dng thng lng cc thuc tnh bo mt ca mt phin. Thng ip bt tay c cung cp cho TLS Record Layer, ni m cc thng ip ny c ng gi trong mt hoc nhiu cu trc TLS Plaintext, chng c x l v truyn i theo quy nh ca trng thi phin kt ni hin ti ang hot ng. TLS Handshake protocol bao gm cc bc sau: -Exchange hello message ng trao i cc thut ton, trao i ngu nhin cc gi tr v kim tra phin tip tc.
-Trao i cc thng s mt m cn thit cho php client v server tho thun premaster secret key. -Cc chng ch trao i ( exchange certificates ) v thng tin mt m cho php client v server t chng thc. -To ra mt master secret key t premaster secret key v trao i cc gi tr ngu nhin. -Cung cp cc thng s bo mt cho record layer. -Cho php client v server xc minh rng cc my trong cng ng mng tnh ton c cc thng s bo mt v nh th qu trnh bt tay ( handshake ) xy ra m khng c k tn cng can thip vo. Cu trc ca giao thc bt tay: enum { hello_request(0), client_hello(1), server_hello(2), certificate(11), server_key_exchange (12), certificate_request(13), server_hello_done(14), certificate_verify(15), client_key_exchange(16), finished(20), (255) } HandshakeType; struct { HandshakeType msg_type; /* handshake type */ uint24 length; /* bytes in message */ select (HandshakeType) { case hello_request: HelloRequest; case client_hello: ClientHello; case server_hello: ServerHello; case certificate: Certificate; case server_key_exchange: ServerKeyExchange; case certificate_request: CertificateRequest; case server_hello_done: ServerHelloDone; case certificate_verify: CertificateVerify; case client_key_exchange: ClientKeyExchange; case finished: Finished; } body; } Handshake;
Hello Message: c s dng trao i, tng cng tnh bo mt gia my trm v my ch .Khi mt phin mi bt u, trng thi kt ni ca Record Layer s m ho, bm v cc thut ton nn c khi to gi tr Null.Trng thi kt ni hin ti c s dng cho nhng thng ip thng lng li (renegotiation messages). Hello Request : c th c gi i bi my ch bt k thi im no.
ngh g n : Hello Request l mt thng bo yu cu client nn bt u qu trnh trao i thng tin mt ln na bng cch gi cho client mt Hello Message khi thun tin. Thng bo ny s c client b qua nu client ang thc hin mt tc v khc.Hello Message cng c th c client b qua nu n khng mun thc hin tc v ny, hoc l client s tr li mt thng bo khng chp nhn tin nhn. Khi gi tin trao i c gi i n s c cp u tin cao hn cc ng dng thng thng, n s thc hin vic trao i vi client khi khng nhn c qu nhiu record t client. Nu nh server gi i Hello Request nhng khng nhn c phn hi t client, n s ngt kt ni ca client km theo mt cnh bo.Sau khi gi hello message , my ch khng nn gi li cc yu cu cho n khi vic trao i thng tin hon tt. tr g n
struct { } HelloRequest;
Message ny khng c bao gm trong nhng d liu b phn r, th m c duy tr trong sut qu trnh trao i thng tin v dng trong nhng message kt thc cng nh chng thc xc nhn tin nhn ( certificate verify message). Client Hello : ngh a message ny : Khi mt client kt ni vi my ch ln u tin, n s c yu cu gi client hello message .Client cng c th gi mt client hello phn hi hello request hoc dng mt kiu d liu ca chnh bn thn mnh trao i cc thng s bo mt trong mt kt ni tn ti. tr struct { ProtocolVersion client_version; Random random; SessionID session_id; CipherSuite cipher_suites<2..2^16-1>; CompressionMethod compression_methods<1..2^8-1>; } ClientHello; +client_version : cc phi n n ca giao thc m c ient mun d ng giao ti p trong session ny n n i nhng phi n n m i nh t. g n
Server Hello: ngh a message ny: server gi cho client gi tin hello message khi c th tm thy mt tp hp cc thut ton c th chp nhn c. Nu khng th tm thy ci no trng khp, n s phn hi mt cnh bo l qu trnh bt tay tht bi ( handshake failure alert) . C u trc ca message ny: struct { ProtocolVersion server_version; Random random; SessionID session_id; CipherSuite cipher_suite; CompressionMethod compression_method; } ServerHello; +Server version : thng s ny cha nhng ngh th p h n ca c ient trong c ient he o message v nhng h tr cao nh t t server. +Random : c to ra client hello random . i server v phi c to ra c pt
+Session_id : danh t nh ca mt phin t ng ng v i k t ni ny. u c ienthe o.session id khng r ng (non-empty) th server s t m trong b nh cache ca phi n mt mu tin trng kh p. u mt mu tin trng kh p c t m ra v my ch s n sng thi t p k t ni m i ng cch s d ng cc session quy nh th server s phn h i i mt gi tr t ng t nh gi tr c cung c p i c ient. +Cipher_suite : m ho c a ch n i my ch t danh sch trong C ient e o.cupher suites. i v i session c kh i ng i v ng ny mang gi tr t session c kh i ng. +compression_method : cc ph ng thc n n c la ch n b i server t danh sch clienthello.compression_methods. i v i cc phin kh i ng li (resumed session) th tr ng ny l gi tr ca trng thi b t u li. Server Certificate: server phi gi mt chng thc (certificate) bt c khi no cc phng php trao i kho c truyn i khng phi l t mt a ch v danh (anonymous) . Message ny s lun km theo server hello message.
ngh a message ny: cc dng certificate phi tng thch vi cc thut ton trao i kho ca b m ho c la chn.N phi cha mt kho ph hp vi phng thc trao i kho .Tr khi c quy nh ring, thut ton ch k dng cho vic chng thc.phi ng b vi thut ton cho vic chng thc kho v kho cng cng c th c chiu di bt k.
Server Key Exchange Message: message ny c gi i ngay sau server certificate message (hoc server hello message, nu t anonymous negotiation). Server key exchange message c gi i bi server ch khi server certificate message khng cha d liu cho php client tin hnh trao i premaster secret key v ng vi cc phng php trao i kho nh DHE_DSS, DHE_RSA, DH_anon nhng khng hp l vi cc phng php khc nh RSA, DH_DSS, DH_RSA. ngh a message ny: message ny truyn ti thng tin mt m cho php client giao tip vi premaster secret, cng nh kho cng cng RSA m ho premaster secret key hoc kho cng cng Diffie-Hellman m client c th hon tt vic trao i kho. C u trc ca message ny: enum { rsa, diffie_hellman } KeyExchangeAlgorithm; struct { opaque rsa_modulus<1..2^16-1>; opaque rsa_exponent<1..2^16-1>; } ServerRSAParams; +rsa_modulus: module kho tm thi RSA ca my ch. +rsa_exponent: b c lu th a ca kho tm thi RSA. struct { opaque dh_p<1..2^16-1>; opaque dh_g<1..2^16-1>; opaque dh_Ys<1..2^16-1>; } ServerDHParams; +dh p: cc modu e ch nh Hellman. c s d ng trong thu t ton Diffie-
+dh_g: b t u vic dng thu t ton Diffie-Hellman. +dh_Ys: gi tr cng cng ca thu t ton Diffie-Hellman (g^X mod p). struct { select (KeyExchangeAlgorithm) {
case diffie_hellman: ServerDHParams params; Signature signed_params; case rsa: ServerRSAParams params; Signature signed_params; }; } ServerKeyExchange; struct { select (KeyExchangeAlgorithm) { case diffie_hellman: ServerDHParams params; case rsa: ServerRSAParams params; }; }Server Params; +Param: cc thng s ca server s key exchange. +Signed_params: i vi vic trao i kho non-anonymous ,qu trnh phn r tng ng vi gi tr params, vi ch k (signature) ph hp vi hm bm (hash) c p dng. +md5_hash: MD5 (ClientHello.random + ServerHello.random + ServerParams). +sha_hash : SHA (ClientHello.random + ServerHello.random + ServerParams). enum { anonymous, rsa, dsa } SignatureAlgorithm; struct { select (SignatureAlgorithm) { case anonymous: struct { }; case rsa: digitally-signed struct { opaque md5_hash[16]; opaque sha_hash[20]; }; case dsa: digitally-signed struct { opaque sha_hash[20]; }; }; }; } Signature;
Certificate Request: ngh a message ny: Mt non-anonymous server c th yu cu mt certificate t client nu n ph hp vi b m ho c chn. Nu thng bo ny c gi th ngay lp tc s thc hin theo Server Key Exchange Message. C u trc ca message ny:
enum { rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4), rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6), fortezza_dms_RESERVED(20), (255) } ClientCertificateType; opaque DistinguishedName<1..2^16-1>; struct { ClientCertificateType certificate_types<1..2^8-1>; DistinguishedName certificate_authorities<0..2^16-1>; } CertificateRequest; +Certificate type: tr ng d liu ny g m mt danh sch cc kiu chng thc c s p x p theo th t u ti n ca my ch. +Certificate authorities: t p danh sch nhng tn phn bit ca trung tm u quyn chng thc m c th ch p nh n c, c th c d ng ch nh root CA ho c CA c p d i ca n. Gi tr ca ClientCertificateType c chia lm 3 nhm sau : o Gi tr t 0 (zero) n 63 lu tr cho giao thc IETF Standard Track . o Gi tr nhn t 64 n 223 c lu tr cho phng thc nonStandards Track. o Gi tr t 224 n 225 c dng cho mc ch s dng ring.
Server Hello Done: Server hello done c gi i t server ch nh vic kt thc server hello v nhng tin nhn lin quan. Sau khi tin nhn c gi i, server s ch hi p t client. ngh a message ny: khi server hon tt vic gi tin nhn h tr qu trnh trao i kho v sau client c th tin hnh giai on trao i kho .Da vo server hello done message ny, client nn xc nhn li rng server cung cp mt chng nhn hp l nu cn thit v kim tra cc thng s ca server hello message chp nhn. C u trc ca message ny: struct { } ServerHelloDone;
Client Certificate: l thng ip u tin m client c th gi sau khi nhn c server hello done message.Tin nhn ny ch c gi nu server yu cu chng nhn.Nu khng c sn chng nhn ph hp c sn th client nn gi certificate message ni dung l khng nhn c chng nhn. Client Key Exchange Message : thng ip ny lun c gi i t client. N phi lp tc gi theo sau client certificate message nu n c gi i. Ngc li, n phi l thng ip u tin c gi t client sau khi nhn c server hello done message. ngh a message ny: vi thng ip ny, kho premaster secret c thit lp mc d c hai u nhm vo vic truyn dn trc tip ca kho m ho b mt RSA bi nhng thng s ca thut ton Diffie-Hellman, vic ny s cho php mi bn tho thun cng mt premaster secret key. Nu phng php trao i kho l DH_RSA hoc DH_DSS th chng nhn ca client c yu cu v client c th p ng mt chng nhn cha ng kho cng khai Diffie-Hellman m nhng thng s phi ph hp vi nhng quy nh ca server, thng ip ny khng cha bt k d liu no.
C u trc ca message ny: struct { select (KeyExchangeAlgorithm) { case rsa: EncryptedPreMasterSecret; case diffie_hellman: ClientDiffieHellmanPublic; } exchange_keys; } ClientKeyExchange;
RSA Encrypted Premaster Secret Message : ngh a message ny: RSA c s dng nh l kha tho thun v chng thc. Client s to ra kho premaster secret c chiu di l 48 byte v m ho kho ny bng kho cng khai t server certificate hoc kho tm thi RSA c cung cp trong server key exchange message.Sau client se gi kt qu bng tin nhn m ho premaster secret . C u trc ca message ny: struct { ProtocolVersion client_version; opaque random[46]; } PreMasterSecret; +Client version: phin bn m i nh t h tr b i c ient c s d ng pht hin t n cng roll-back.Khi nh n c premaster secret key, server nn kim tra gi tr ny c ph h p hay khng. +Random: 46 byte ngu nhi n struct { public-key-encrypted PreMasterSecret pre_master_secret; } EncryptedPreMasterSecret; +Pre_master_secret: gi tr ngu nhi n c to ra b i client v c s d ng trong vic to ra kho master_secret. c to ra m bo tnh an ton.
Client Diffie-Hellman Public Value : ngh a message ny: cu trc ny truyn t gi tr cng khai Diffie-Hellman ca client (gi tt l Yc), n khng bao gm cc chng nhn ca client (Client Certificate).Yc c xc nh bi PublicValueEncoding, cu trc ny l mt bin th ca client key exchange message.
C u trc ca message ny: enum { implicit, explicit } PublicValueEncoding; +Implicit: n u chng nh n ca c ient cha kho Diffie-Hellman ph h p th Yc l implicit v khng cn g i li na. rong tr ng h p ny, client key exchange message s c g i nh ng phi mang gi tr r ng. +Explicit: Yc cn struct { select (PublicValueEncoding) { case implicit: struct { }; case explicit: opaque dh_Yc<1..2^16-1>; } dh_public; } ClientDiffieHellmanPublic; +dh_yc: The c ient s iffie-Hellman public value (Yc). Certificate Verify : ngh a message ny : c s dng xc minh r rng vic cung cp chng nhn cho client.Thng ip ny ch c gi sau khi client message c hiu lc.Khi gi i n phi lp tc km theo client key exchange message. C u trc ca message ny: struct { Signature signature; } CertificateVerify; CertificateVerify.signature.md5_hash MD5(handshake_messages); CertificateVerify.signature.sha_hash SHA(handshake_messages); Finished Message : c gi ngay sau change cipher spec message xc minh rng vic trao i kho v qu trnh chng thc thnh cng.Change cipher spec message c nhn gia cc thng ip bt tay khc (other handshake message) v finished message. ngh a message ny: c bo v u tin bng cc thut ton c tho thun trc, kho v kho b mt.Finished message ca client phi xc minh rng ni dung l chnh xc. Mt khi mt bn gi finished c g i.
message, nhn c v xc nhn t client ca n th c th bt u gi v nhn d liu thng qua kt ni . C u trc ca message ny: struct { opaque verify_data[12]; } Finished; verify_data PRF(master_secret, finished_label, MD5(handshake_messages) + SHA-1(handshake_messages)) [0..11]; +Finish Label: n u c g i t client th s thng o c ient finish n u c g i t server th s thng bo server finish. +Handshake_message: t t c d liu t cc thng ip trong giao thc b t tay ny ( khng bao g m hello request message ) khng bao g m message ny. Ch c d liu c nhn th y handshake layer v khng bao g m header record layer. y l m c xch ca c u trc b t tay ( handshake structure ) .
2.1.3.4
Nhng thng ip d liu tng ng dng c thc hin bi Record Layer v c phn on ,nn m ho da trn trng thi kt ni hin hnh. Cc tin nhn c xem nh l d liu trong sut i vi Record Layer.
-Length: chiu di ca d liu tng ng dng -MAC: 20 bytes cho thut ton SHA-1 da trn HMAC v 16 bytes cho thut ton MD5. -Padding: chiu di c th thay i, byte cui cng cha padding length.
RADIUS Server
CLT Windows 7
Client
DHCP Client
Thng s my IIS Server ( Web, File Server) Domain Controller: -Raise domain functional level. -Ci t v cu hnh DHCP. -Ci Certificate Services. -Verify Administrator permission for certificates. -Cp quyn Allow Wireless for User and Computer. -Install Certificate Template Snap-in. -Create Certificate Template for wireless users. -Configure Certificate Template. -Enable Certificate Template.
IAS Server: -Ci t v cu hnh Internet Authentication Service (IAS). -Xin Certificate cho Computer Account. -To RADIUS Client. -To v cu hnh Remote Access Policy. - Configure IAS to use EAP-TLS Authentication. -Cu hnh Windows Firewall. IIS Server: -Ci t Internet Information Service, to trang web default. -Cu hnh Shared Folder. -Cu hnh Windows Firewall. Wireless Access Point: -Cu hnh 802.1x, khai bo RADIUS Server. Client: -Cu hnh Wireless Network Connection. -Configure to use EAP-TLS authentication. -Kim tra kt ni.
Scope Options
Properties hutech.com
M Active Directory Users and Computer, chn hutech.com Users, click phi WirelessUser chn Properties
M MMC
Tab Subject Name b du check dng Include e-mail name in subject name
M Certification authority
Computer ConfigurationWindows SettingsSecurity Settings , click phi Automatic Certificate Request Settings chn NewAutomatic Certificate Request
Chn Next
Chn computerNext
Chn Finish
M User ConfigurationWindows SettingsSecurity SettingsPublic Key Policy v double click Autoenrollment Settings
Vo Add/Remove Windows Components chn Networking Services check vo Internet Authentication Service
Click phi Internet Authentication Service chn Register Server in Active DirectoryOKOK
StartRun : mmc
Chn CertificatesAdd
Chn Close v OK
Chn Next
Chn ComputerNext
Chn Finish
Chn OK
Kim tra
Chn Next
Chn Locations
Chn hutech.com
Kim traNext
Chn NextFinish
Bm Add
Tab Exception chn Add Port.Name : Radius Accouting / port: 1812 /UDP
Kim tra
IIS Server :
-Ci Internet Information Service -To trang web default c ni dung Welcome to hutech.com -Kim tra truy cp thnh cng
Vo Control PanelWindows Firewall chn On, tab Exception check vo File and Printer Sharing.Sau chn Add port v khai bo nh hnh trn.
Client :
Certificate Template chn Wireless User Certificate Template CSP: Microsoft Enchanced Crytographic Provider v1.0