Professional Documents
Culture Documents
ABBREVIATIONS ... i
FOREWORD ... 1
CHAPTER 1: AUTHENTICATION IN THE WIRELESS INTERNETWORKING ENVIRONMENT ... 4
1.1 The role of authentication in the security architecture ... 4
1.2 The position of authentication among the security services ... 4
1.3 Basic concepts in authentication ... 6
1.3.1 Authentication Center ... 6
1.3.2 Subscriber Authentication ... 6
1.3.3 Mutual Authentication ... 6
1.3.4 Challenge/Response Protocol ... 7
1.3.5 Session Key Generation ... 7
1.4 Private-key versus public-key cryptography ... 8
1.5 Challenges of the wireless internetworking environment ... 9
1.5.1 Obstacle area 1: wireless network links ... 10
1.5.2 Obstacle area 2: user mobility ... 12
1.5.3 Obstacle area 3: device mobility ... 13
CHAPTER 2: POTENTIAL APPLICATIONS OF PUBLIC-KEY METHODS IN THE WIRELESS INTERNETWORKING ENVIRONMENT ... 15
2.1 Light-weight public-key algorithms for wireless networks ... 16
2.1.1 The MSR algorithm ... 16
2.1.2 Elliptic Curve Cryptography (ECC) ... 17
2.3 Carlsen: "Public-light", the Beller, Chang and Yacobi algorithms revisited ... 22
Nguyen Le Truong - Class D2001VT i
2.4 Aziz and Diffie: a public-key method supporting multiple encryption algorithms ... 24
2.4.1 Data elements in the Aziz-Diffie protocol ... 24
2.4.2 Operation of the Aziz-Diffie protocol ... 25
2.5 Comments on and evaluation of the Aziz-Diffie protocol ... 28
2.6 Summary of public-key cryptography in wireless networks ... 28
CHAPTER 3: AUTHENTICATION AND SECURITY IN UMTS ... 30
3.1 Introduction to UMTS ... 30
3.2 Principles of UMTS security ... 31
3.2.1 Basic principles of third-generation UMTS security ... 32
3.2.2 Strengths and weaknesses of GSM from the UMTS viewpoint ... 33
3.2.3 Areas of security enhancement for UMTS ... 35
3.4 UMTS subscriber authentication in the research phase ... 40
3.4.1 Description of the Siemens public-key protocol for UMTS ... 41
3.4.2 Prerequisites for implementing the Siemens protocol ... 42
3.4.3 Operation of Siemens Sub-protocol C ... 43
3.4.4 Evaluation of the Siemens authentication protocol ... 46
3.5 Subscriber authentication in the UMTS implementation ... 47
3.6 Summary of authentication in UMTS ... 50
CHAPTER 4: AUTHENTICATION AND SECURITY IN MOBILE IP (Mobile IP) ... 51
4.1 Overview of Mobile IP ... 52
4.1.1 Logical components of Mobile IP ... 53
4.1.2 Mobile IP security threats ... 55
4.4 Security concerns in Mobile Host to Mobile Host communication ... 64
4.5.1 Data elements in the Sufatrio/Lam authentication protocol ... 66
4.5.2 Operation of the Sufatrio/Lam authentication protocol ... 68
4.7 Summary of security and authentication for Mobile IP ... 76
CONCLUSION ... 78
REFERENCES ... 79
ABBREVIATIONS
3GPP: 3rd Generation Partnership Project
AH: Authentication Header
AMF: Authentication and Key Management Field
AuC: Authentication Center
AUTN: Authentication Token
AV: Authentication Vector
CA: Certification Authority
CAPI: Cryptographic Application Program Interface
CCITT: Consultative Committee for International Telephony and Telegraphy
CH: Corresponding Host
COA: Care of Address
CRL: Certificate Revocation List
CS: Certificate Server
DARPA: Defense Advanced Research Projects Agency
DES: Data Encryption Standard
DH: Diffie-Hellman
DNS: Domain Name System
DSP: Digital Signal Processor
EA: External Agent
ECC: Elliptic Curve Cryptographic
ECDSA: Elliptic Curve Digital Signature Algorithm
EC-EKE: Elliptic Curve-Encrypted Key Exchange
ESP: Encapsulating Security Protocol
FA: Foreign Agent
GSM: Global Systems for Mobile Communications
HA: Home Agent
IDEA: International Data Encryption Algorithm
IEEE: Institute of Electrical and Electronic Engineers
IMEI: International Mobile Equipment Identifier
IMSR: Improved Modular Square Root
IMT-2000: International Mobile Telecommunications-2000
IMUI: International Mobile User Identifier
IPSec: Internet Protocol Security
ISAKMP: Internet Security Association and Key Management Protocol
ITU: International Telecommunications Union
KDC: Key Distribution Center
LAN: Local Area Network
MAC: Message Authentication Code
MH: Mobile Host
MoIPS: Mobile IP Security
MSR: Modular Square Root
PDA: Personal Digital Assistant
PKI: Public-Key Infrastructure
RAND: Random number
RCE: Radio Control Equipment
RFC: Request For Comments
RPC: Remote Procedure Call
SN: Serving Node
SNBS: Serving Network Base Station
SPD: Security Policy Database
SPI: Security Parameters Index
UMTS: Universal Mobile Telecommunications System
USIM: UMTS Subscriber Identity Module
RSA: Rivest, Shamir and Adleman
FOREWORD
Wireless communication technology has brought about a profound change in the way people interact with one another and exchange information in our society. A decade ago, the prevailing models for both telephone systems and computer networks were ones in which the user reached the network from a telephone handset or a computer workstation wired to a wider internetworking infrastructure. Today these models are shifting to one in which the network reaches users wherever they happen to appear and use it. Communicating by cellular telephone while on the move is now possible, and systems for wireless Internet access are increasingly common. The potential of wireless communication to give users and organizations flexibility and new capabilities is obvious. At the same time, providing a ubiquitous infrastructure for wireless communication and mobile computing introduces new risks, especially in the area of security. Wireless communication involves transmitting information through the air, typically by radio waves rather than over a wired medium, which makes intercepting or eavesdropping on users' communications with one another easier. Furthermore, when communication is wireless, the user's point of attachment to the network can no longer be used as an element in establishing the user's identity. To exploit the potential of this technology, people must be able to roam freely with mobile communication products, and from the perspective of the network infrastructure this means, at the very least, that people may appear freely in new locations. While these characteristics give users new conveniences, service providers and system administrators face unprecedented security challenges. This thesis examines the topic of subscriber authentication as it relates to the wireless network environment. In this context a subscriber is a user: for example a customer of a cellular telephone service, or a user of a wireless Internet access service. Subscriber authentication is a key component of information security
in any network environment, but when the user is mobile, authentication takes on new dimensions. The study here examines subscriber authentication mechanisms in two internetworking environments. The first is the digital cellular network that supports communication by cellular telephones. This network is undergoing an evolution from second-generation to third-generation technology, and the accompanying methods of subscriber authentication are changing as well. The second network environment is Mobile IP (Mobile Internet Protocol), a protocol developed in the 1990s to let the Internet support mobile computing. It is important to recognize that these two environments have different origins. The cellular environment presented in this study, UMTS for instance, originated in telephone networks. Historically the main task of these networks was to support voice conversations, and the method was to set up circuits that provide a continuous connection between the endpoints. Mobile IP is an extension of the existing Internet internetworking architecture, which focuses on supporting communication between computers and whose traffic is data rather than voice. In the Internet world, the most important task is routing and delivering data packets rather than establishing temporary point-to-point channels. Beyond these differences in origin between the digital cellular network and the Internet environment in which Mobile IP operates, we also encounter differences in the methods applied to authentication and security. It is important to understand, however, that all communication technologies, both those supporting voice and those supporting data transmission, use digital technology today. Consequently, at the lower layers of the communication protocol stack, they use similar mechanisms to transmit and receive information. Moreover, as wireless Internet access grows in importance not only for computers but also for cellular telephones, the challenges these two internetworking environments face in the security area tend to converge. In the future, if a person's cellular telephone becomes a primary Internet access terminal, one plausible long-term result is that the distinction between cellular communication technology and Internet technology will no longer be clear.
The real subject of interest here is the field of computer, communication and information security as it is affected by wireless internetworking and mobile computing. That, however, is a huge and complex field. Subscriber authentication is a narrower subject and therefore better suited to the scope of this thesis. Nevertheless, the intent of this thesis is to use the findings on subscriber authentication in digital cellular networks and in the Mobile IP protocol as a lens that lets us see more clearly the broader trends in security for wireless internetworking environments. Chapter 1 introduces authentication as it relates to the larger field of computer, communication and information security in wireless networks, and presents some specific characteristics of the wireless network environment that hinder the security system designer. In Chapter 2 the focus turns to research from the 1990s asserting that public-key cryptosystem methods exist with great potential for the wireless communication environment. In Chapter 3 the focus turns to the protocols for the third-generation high-bandwidth cellular communication networks known as UMTS (Universal Mobile Telecommunications System). Chapter 4 surveys authentication as proposed for application in the wireless Internet access domain known as Mobile IP (Mobile Internet Protocol). Finally, I would like to express my sincere and deep thanks to Dr. Nguyen Pham Anh Dung, Mr. Nguyen Viet Dam and Ms. Pham Thi Thu Hien for their enthusiastic help in completing this thesis.
that can make up the full set may differ somewhat depending on the purpose, the information content and the importance of the containing system. William Stallings, in his book Cryptography and Network Security, provides a set of security services that remains a valuable reference for placing authentication in its proper system context: Confidentiality: ensures that information in a computer system and transmitted information are accessible only to authorized parties. [...] Authentication: ensures that the origin of a message or electronic document is correctly identified, and that the identification is not false. Integrity: ensures that only authorized parties are able to modify computer system resources and transmitted information. [...] Non-repudiation: requires that neither the sender nor the receiver can deny a transmission. Access control: requires that access to information resources can be controlled by or for the target system. Availability: requires that computer system resources be available to authorized parties when needed. Stallings' description suggests that these are security functions the system provides for its users. As noted by Burrows, Abadi and Needham, it is important to understand that, while this is true, these functions can also apply to physical devices (authenticating a cellular telephone) or to computer systems (authenticating a wireless network server). Authentication in wired networks has attracted considerable research and implementation effort over the past two decades. Back in the 1980s, among the well-known authentication protocols for distributed computer systems were Kerberos (first developed at MIT as part of Project Athena), the Andrew RPC (Remote Procedure Call) handshake protocol, the Needham-Schroeder public-key protocol
and the CCITT X.509 protocol. A detailed discussion of authentication protocols for the wireless internetworking environment is the scope of this thesis. For an in-depth discussion of Kerberos, CCITT X.509 and general aspects of authentication, the reader is referred to Stallings. For a formal analysis of the corresponding procedures, the assurances and the weaknesses of the four protocols just mentioned, the papers of Burrows, Abadi and Needham are useful.
important is that authentication need not be mutual; it may be only one-way. For instance, when discussing authentication in third-generation cellular telephone networks, we will meet cases in which the network authenticates the cellular telephone that is trying to use its services, but the network's base station is not authenticated to the telephone.
When these terms appear in the following chapters of this thesis, they carry the meanings defined above.
B's public key is always available to A. Principal A then transmits the message to principal B. Public-key cryptographic algorithms work in such a way that a message encrypted with B's public key can only be decrypted with B's private key. Since B shares this private key with no one, only B can decrypt the message. RSA (named after Ron Rivest, Adi Shamir and Len Adleman) is probably the best-known example of a public-key cryptosystem. Moreover, a detailed study of private-key and public-key cryptographic technology is the scope of this thesis; the reader is referred to Stallings for a broader and deeper discussion. A 1992 paper by Beller, Chang and Yacobi provides a detailed discussion of the distinction between private-key and public-key systems in the specific case of mobile networks. In second-generation cellular networks such as GSM (Global Systems Mobile), the use of private-key cryptographic technology became universal. A common assumption about public-key technologies is that they demand so much computation that they cannot be put into practice in the wireless internetworking environment. As we will see in Chapter 3, research carried out in the early and mid 1990s on processor-light public-key cryptographic algorithms optimized for wireless networks casts doubt on this conventional wisdom. The ongoing debate over the merits of public-key and private-key methods for authentication and security is a foundation for research related to wireless network operation, and its resolution will play a decisive role in the design and development of systems in the coming decade.
In an excellent 1994 paper titled "The Challenges of Mobile Computing", which summarizes the differences between wireless and wired internetworking environments and the problems wireless networks pose for software engineers, George Forman and John Zahorjan distinguish factors stemming from three essential requirements: the use of wireless internetworking, the ability to change location, and the need for unhindered mobility. While Forman and Zahorjan's analysis is broad, surveying the impact of the wireless internetworking environment on the whole field of software engineering, their structure can be used to great advantage in identifying the situation as it applies to security and authentication. The authors' conclusions remain very useful and applicable today: Wireless communication brings adverse network conditions; access to remote resources is often unstable and at times currently unavailable. Mobility makes communication more dynamic. Mobility requires that limited resources be available to handle the mobile computing environment. The obstacle for mobile computing designers is how to adapt to system designs that work well for conventional computing. It should be noted that in the security field, the designs that work well for conventional computing are themselves in a state of constant change, adding further uncertainty to this balance. In the remainder of this section, we outline the main obstacles the wireless internetworking environment poses for authentication and security protocols, using the three-part division proposed by Forman and Zahorjan.
Personal Digital Assistant), i.e. the mobile device. In many respects, however, using wireless links in a network raises more problems than a network that uses only copper wire, optical fiber or a combination of such fixed infrastructure. Low bandwidth: The data rates at which wireless networks operate are increasing as the technology improves. In general, however, wireless links support data transmission rates several orders of magnitude lower than fixed networks. For example, the second-generation cellular telephone networks discussed in this thesis transmit data on a channel at roughly 10 Kbits/s. This rate rises to a little over 350 Kbits/s with third-generation cellular networks. Currently, wireless LAN systems using the 802.11b standard can reach rates of up to 11 Mbits/s. Note, however, that this rate is for the whole network, not for the channel of a single machine, and that it applies only within a small area, for instance one floor of a building. In wired networks, Fast Ethernet, operating at 100 Mbits/s, is becoming a standard for in-building networks, while long-haul Internet backbone channels operate at many Gigabits/s. Frequent data loss: Compared with wired networks, data is frequently lost or corrupted when transmitted over a wireless link. Internetworking protocols use data integrity checking mechanisms that can recognize these situations and request retransmission, but the effect compounds the effect of low bandwidth. Besides slowing the rate at which information is transmitted correctly, data loss can increase the variability of the time required to transmit a given data structure or to complete a handoff. Openness of the airwaves: Wired networks, whether built from copper wire or optical fiber, can be tapped. This, however, tends to be a technically awkward procedure, and intrusions can frequently be detected by network monitoring equipment. By contrast, when a wireless network sends data through the atmosphere using radio signals, anyone can listen in, even with inexpensive equipment. Such intrusions are passive and hard to detect. This situation poses a fundamental security threat to wireless
networks. As we will see in later chapters, the designers of second-generation cellular systems addressed the most obvious risks posed when people simply transmit voice or sensitive data over a wireless link by using encryption techniques. The resulting exposure, however, is widespread and has not been resolved thoroughly.
the network must transfer control of the communication session with a handoff, which causes delay and may break the connection. Heterogeneous network connectivity: In a typical wired network, a computer is connected permanently to the same home network. The characteristics of this network are well known in advance, and changes, for example an upgrade to a file server or a firewall, can be planned and monitored carefully. In a wireless network, however, a mobile station such as a cellular telephone or PDA roams frequently between different host networks. The characteristics of these networks, and the way they interact with the user's home network, can vary considerably. Address migration: In a conventional wired network, computers and other devices are connected to the same network and keep the same network address (an IP address in the Internet world) for a long time. If a device is moved between networks, the network administrator can update the network address. In a wireless internetworking environment, network addresses, or at least the networks they relate to, must be managed amid security risks and considerably more complexity. Location-dependent information: The situation for location information parallels that of address migration. In a wired network, the location of computing devices is relatively static and known in advance to the administrator. In a wireless environment, the location of communication and computing devices changes frequently. The wireless internetworking infrastructure must not only track these location changes in order to provide service to the user, it must also provide secure delivery that protects location information. In the wireless environment, protecting the user's confidentiality naturally includes protecting the content of messages and conversations against intrusion; in addition, the system is required to keep the user's location private.
operators. Consequently, today's consumer electronics products, for example cellular telephones, PDAs, laptop computers and networked digital cameras, and devices like them, are designed to be carried by the user when on the move. As Forman and Zahorjan put it: Today's desktop computers are not meant to be carried, so their design is free with respect to space, mains power and heat. By contrast, the design of a hand-held mobile computer should aim for the properties of a wristwatch: small, light, durable, water-resistant and with a long battery life. One obvious security implication of device mobility is that any product designed to be carried and used on the move is easy to steal. Not only is a cellular telephone an easy target for a thief, but from the system's point of view there is no doubt that the device is moving from one town to another, even though it may now be in the possession of someone other than its owner. The mobility factor also imposes other limits on the designers of mobile computing and communication products with respect to authentication and security. These include: Processor speed: The processing power offered by the integrated circuits used in devices such as cellular telephones and PDAs is increasing over time, but has not yet reached the processor speed of desktop computers or network servers. Cryptographic and authentication algorithms require computation, sometimes a great deal of it. In some security applications in the wireless environment, for example encrypting and decrypting a conversation conducted over a cellular telephone, the security procedures must execute in near real time. The processing power available on the mobile device therefore limits the options of the designer of security systems for the wireless environment. Limited storage capacity: For similar reasons, the amount of data that can be stored in a mobile computing and communication device is smaller than the data storage capacity of a desktop computer or server. Although less important than processor speed, this factor also affects the choices made when designing security systems for wireless networks.
Low-power operation: Mobile electronic products run on batteries. Any work done by the processor in a cellular telephone or PDA consumes energy and therefore shortens battery life. From the product user's point of view, even when security is an important feature, implementing it is not the top priority. Consequently, even if an authentication or security algorithm that consumes a great deal of processing is technically feasible to execute, the drain on the battery may be unacceptable. As this list shows, the obstacles facing the designer of security architectures and systems for wireless networks are considerable, and they differ both in kind and in degree from those in conventional wired networks. Indeed, these factors explain why security concerns in the wireless environment differ from the corresponding considerations in wired networks. A trend worth noting is that wireless Internet access is spreading ever more widely, and many home and enterprise networks are incorporating wireless components. For this reason, the factors outlined in this section will increasingly affect the design of security systems that were not intended for a purely wireless environment.
CHAPTER 2: POTENTIAL APPLICATIONS OF PUBLIC-KEY METHODS IN THE WIRELESS INTERNETWORKING ENVIRONMENT
In the 1980s, when the security protocols for GSM were being developed, the most frequently voiced criticism of public-key cryptography as it related to wireless networks was that its protocols required too much processing. RSA, for example, was characterized as requiring 1000 times as much computation as private-key cryptographic technology. Given the limits of cellular telephones in both processing speed and battery life, cellular network designers saw this as too high a price to pay.
2.1. Light-weight public-key algorithms for wireless networks
Beginning in the early 1990s, researchers found alternative algorithms that require less processing. These algorithms can be applied to authentication and security in the wireless internetworking environment. Among them are the MSR (Modular Square Root) technique and several variants of ECC (Elliptic Curve Cryptography). These algorithms are outlined in the subsections below.
in full. (The terminology of Beller, Chang and Yacobi has also been modified in a few details for consistency.) The key data elements and functions in the IMSR protocol include:
1. IDBS (Base Station Identifier): the unique identifier of the wireless network base station (in this context, a base station in the serving or visited network).
2. IDMS (Mobile Station Identifier): the unique identifier of the mobile station. This corresponds to the IMSI (International Mobile Subscriber Identity) in the GSM authentication protocol.
3. NBS (Public Key of Base Station): NBS, the base station's public key, is the product of two large primes, pBS and qBS, known only to the network base station and the Certification Authority (CA).
4. NCA (Public Key of CA): NCA, the CA's public key, is likewise the product of two large primes, pCA and qCA, known only to the CA.
5. Ks (Session Key): a session key for encrypting data later in the communication session, negotiated in the authentication protocol.
8. The base station checks the validity of the certificate by squaring the certificate value modulo NCA and comparing it with the value of h(IDBS, NBS) (computed independently). If the values match, the mobile station proceeds; otherwise it aborts the communication session.
10. The network server computes the value RANDX (which is in effect the session key Ks) by computing RANDX = sqrt(a) mod NBS. Note that an eavesdropper cannot perform this computation, because the eavesdropper has no access to the base station's factors p and q. Both the base station and the mobile station now share the session key Ks.
Figure (IMSR message exchange between mobile station and base station; labels recovered from the diagram):
Mobile station -> Base station: session open request.
Base station: computes Cert_BS = SQRT(h(ID_BS, N_BS)) mod N_CA; sends [ID_BS, N_BS, Cert_BS].
Note: N_BS and N_CA are the public keys of the network base station and of the CA respectively.
Mobile station: chooses RANDX; computes a = RANDX^2 mod N_BS; sets session key Ks = RANDX; sends [a].
Base station: computes RANDX = SQRT(a) mod N_BS; sets session key Ks = RANDX.
Further diagram fragments: derive CK(i) and IK(i); compute m = f1(Ks, b); extract Cert_BS from m; check Cert_BS^2 mod N_CA = g(ID_MS) mod N_CA.
in terms of computational demand. On the server side, these protocols require extracting modular square roots, a computationally demanding process even when the prime factors p and q are available. With dedicated cryptographic servers in the network base station, however, the authors argue that this was feasible even with 1993 hardware. By contrast, the computational burden IMSR imposes on the handset is small: only two modular multiplications are needed. This level of computation can easily be managed even by an 8-bit microprocessor. When the Diffie-Hellman key exchange is added, as in the MSR+DH protocol, the amount of computation rises to 212 modular multiplications in the authentication protocol, performed on 512-bit moduli. This is impractical for handsets equipped with only a microcontroller. The authors argue, however, that by 1993 hardware standards it would be feasible for handsets equipped with a DSP (Digital Signal Processor), and would be readily implementable by 2001.
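The exchange above, as an added example that is not part of the thesis or of the Beller, Chang and Yacobi paper: a Python simulation of the IMSR certificate check and session key agreement. It shows why the handset side is cheap (two modular multiplications: one to verify Cert_BS, one to form a = RANDX^2 mod N_BS) while the base station must know the factors of N_BS to take the square root. Everything below is constructed: the Mersenne primes used as pBS, qBS, pCA, qCA (all congruent to 3 mod 4, so sqrt(a) = a^((p+1)/4) mod p), SHA-256 as the hash h, a counter in h so the CA can find a quadratic residue, and a fixed 16-bit redundancy tag in RANDX that lets the base station pick the right one of the four square roots; none of these are the paper's choices.

```python
import hashlib
import secrets

# Constructed demo parameters: Mersenne primes, all congruent to 3 mod 4.
P_BS, Q_BS = (1 << 31) - 1, (1 << 61) - 1      # factors known only to BS and CA
P_CA, Q_CA = (1 << 89) - 1, (1 << 107) - 1     # factors known only to CA
N_BS = P_BS * Q_BS                              # base station public key
N_CA = P_CA * Q_CA                              # CA public key
ID_BS = b"BS-demo-001"                          # constructed base station id
TAG = 0xBCAF   # assumed redundancy: low 16 bits of RANDX identify the right root


def h(id_bs, n_bs, counter):
    """h(ID_BS, N_BS) as SHA-256 reduced mod N_CA. The counter is an assumption
    added so the CA can re-hash until the value is a quadratic residue."""
    data = id_bs + n_bs.to_bytes(32, "big") + counter.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N_CA


def is_qr(a, p):
    """Euler criterion: a is a square modulo the prime p."""
    return a % p == 0 or pow(a, (p - 1) // 2, p) == 1


def sqrt_mod_n(a, p, q):
    """All square roots of a modulo n = p*q (p, q = 3 mod 4), combined by CRT.
    Only a party holding the factors can do this: that is the MSR trapdoor."""
    n = p * q
    rp = pow(a % p, (p + 1) // 4, p)
    rq = pow(a % q, (q + 1) // 4, q)
    inv_p, inv_q = pow(p, -1, q), pow(q, -1, p)
    roots = set()
    for sp in (rp, (p - rp) % p):
        for sq in (rq, (q - rq) % q):
            x = (sp * q * inv_q + sq * p * inv_p) % n
            if x * x % n == a % n:
                roots.add(x)
    return roots


def ca_issue_cert(id_bs, n_bs):
    """CA (offline): Cert_BS = sqrt(h(ID_BS, N_BS)) mod N_CA; returns (cert, counter)."""
    counter = 0
    while True:
        v = h(id_bs, n_bs, counter)
        if is_qr(v, P_CA) and is_qr(v, Q_CA):
            return min(sqrt_mod_n(v, P_CA, Q_CA)), counter
        counter += 1


def ms_verify_cert(id_bs, n_bs, cert, counter):
    """MS: one modular multiplication checks Cert_BS^2 mod N_CA == h(ID_BS, N_BS)."""
    return cert * cert % N_CA == h(id_bs, n_bs, counter)


def ms_start_session(randx=None):
    """MS: choose RANDX (this becomes Ks) and send a = RANDX^2 mod N_BS."""
    if randx is None:
        randx = (secrets.randbelow(N_BS >> 16) << 16) | TAG
    return randx, randx * randx % N_BS


def bs_recover_session_key(a):
    """BS: RANDX = sqrt(a) mod N_BS; the redundancy tag selects the correct root."""
    candidates = [r for r in sqrt_mod_n(a, P_BS, Q_BS) if r & 0xFFFF == TAG]
    if len(candidates) != 1:
        raise ValueError("ambiguous or missing root; mobile must retry")
    return candidates[0]


def run_imsr_exchange(randx=None):
    """Full exchange: certificate check, then key agreement; returns (Ks at MS, Ks at BS)."""
    cert, counter = ca_issue_cert(ID_BS, N_BS)
    if not ms_verify_cert(ID_BS, N_BS, cert, counter):   # message [ID_BS, N_BS, Cert_BS]
        raise ValueError("base station certificate rejected")
    ks_ms, a = ms_start_session(randx)                    # message [a]
    ks_bs = bs_recover_session_key(a)
    return ks_ms, ks_bs


if __name__ == "__main__":
    k_ms, k_bs = run_imsr_exchange()
    print("session keys agree:", k_ms == k_bs)
```

An eavesdropper sees ID_BS, N_BS, Cert_BS and a, but recovering RANDX from a requires the factors of N_BS, which is the same hardness assumption as Rabin encryption; the handset never performs an exponentiation.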
Carlsen proposes two protocols that enhance those put forward by BCY, aiming to strengthen the security guarantees while retaining some of the advantages of the public-key approach.
Secret Key Responder Protocol: This protocol reintroduces a secret key handled by the mobile station as well as by a trusted server that is separate from the mobile station and the network base station. The trusted server knows the mobile station's private key and can therefore decrypt a nonce encrypted by the mobile station with its private key. The nonce is used to ensure the timeliness of the authentication message exchange, while the presence of the trusted server in the picture lets the mobile station initiate the communication session without broadcasting its own identity in the clear.
End to End Security Protocol: Carlsen points out that much of the security for wireless networks takes the security of the wireless network for granted. This, however, is an overly optimistic assumption: users think in terms of mobile security and have little confidence in the effectiveness of the security measures controlled by the operator. Users therefore demand that end-to-end security services (which the network components controlled by the operator cannot interfere with) be provided. An interesting aspect of the End to End Security Protocol is that, before the session key is generated and exchanged, the protocol requires the two parties to authenticate each other's identity by recognizing each other's voice and confirming it (the protocol is therefore not useful when interacting with parties the user does not know). In general, Carlsen is less optimistic than Beller, Chang and Yacobi that public-key
methods can achieve a level of performance that would allow them to be used flexibly in real wireless network systems. Because of performance and time constraints, current public-key technology is unsuitable for providing identity confidentiality in the responder protocol alone. Furthermore, we see that the advantages of public-key technology diminish when an online server, possibly a
trusted server, is required. This makes public-key technology less than optimal as a general solution for authentication and privacy in PCS (Personal Communications Services) protocols when identity confidentiality is required. This problem is especially evident in urban areas, where the number of mobile stations active simultaneously at one radio port may reach the hundreds.
2.4. Aziz and Diffie: a public-key method supporting multiple encryption algorithms
In a 1994 article in IEEE Personal Communications, Ashar Aziz and Whitfield Diffie also proposed a protocol for wireless networks that uses a public-key protocol for authentication and session key generation, and a private-key method for encrypting data during a communication session. Like the proposal of Beller, Chang and Yacobi described above, the Aziz-Diffie method uses digital certificates and a CA. A distinctive feature of the Aziz-Diffie method is that it provides explicit support for the mobile station and the network base station to negotiate which private-key encryption algorithm will be used to provide data confidentiality.
by the mobile station in the initiation phase of the authentication protocol. Aziz and Diffie propose a length of 128 bits.
2. CertMS (Certificate of the Mobile Station): The certificate of the mobile station contains the following data elements: serial number, validity period, machine name, the machine's public key and the CA's name. The content and format of the Cert follow CCITT X.509. The Cert is signed with a message digest created with the CA's private key. The CA identity contained in this Cert allows other principals to securely obtain the CA's public key.
of the mobile station.
4. KUMS (Public Key): the mobile station's public key.
5. KUBS (Public Key): the base station's public key.
6. RAND1, RAND2 (Random Numbers): RAND1, generated by the base station, and
RAND2.
8. SKCS (List of Encryption Protocols): SKCS provides a list of the private-key data encryption protocols that the mobile station can use to encrypt the data transmitted during a communication session.
9. Sig (Digital Signatures): Digital signatures under the Aziz-Diffie protocol are created using the private key of the signing principal and are verified by applying the signer's public key.
mng trong vng ln cn ca n. Bn tin request to join cha ba phn t chnh: s c to ngu nhin ng vai tr nh mt yu cu (challenge), RCH1; chng nhn trm di ng, CertMS; v mt danh sch cc thut ton mt m d liu kho ring m trm di ng c th h tr, SKCS. 2. Trm di ng xc nhn gi tr ca ch k trn chng nhn ca trm di ng. Ch rng iu ny chng nhn rng chnh chng nhn cng l iu xc nhn c gi tr m khng phi l chng nhn nhn c t trm di ng cng trm di ng m
chng nhn pht hnh ti. Nu chng nhn khng c gi tr th trm gc kt thc phin; nu khc n tip tc.
3. Trm gc tr li trm di ng bng cch gi chng nhn ca n, CertBS; mt s ngu
nhin, RAND1, mt m bng cch s dng kho cng cng ca trm di ng; v la chn thut ton mt m kho ring t cc thut ton c gii thiu bi trm di ng. Trm gc chn t s giao nhau ca tp cc thut ton c gii thiu bi trm di ng v tp cc thut ton m trm gc h tr thut ton m n xem l a ra bo mt cao. di kho c m phn n di ti thiu m trm di ng c kh nng x l v trm gc h tr. Trm gc tnh ton mt ch k bn tin bng cch s dng kho ring trn mt tp cc gi tr m cha gi tr mt m RAND1, thut ton mt m d liu c chn, challenge RCH1 ban u nhn c t trm di ng v danh sch ban u cc thut ton mt m ng c.
4. Trm di ng xc nhn tnh cht hp l ca chng nhn n nhn c t trm
gc. Trm di ng cng xc nhn ch k trm gc bng cch gii mt m tp cc gi tr n nhn c trong bn tin k, bng cch s dng kho cng cng ca trm gc. Nu gi tr RCH1 v gi tr cc thut ton mt m ng c nhn c t trm gc ph hp vi nhng gi tr ny c truyn ban u bi trm di ng th nhn dng trm gc c xc nhn. Nu khc trm di ng kt thc phin truyn thng. 5. Trm di ng ly ra gi tr RAND1 bng gii mt m s dng kho ring ca n.
6. The mobile station now generates a second random value, RAND2, of the same length as RAND1, and XORs the two strings. The string formed by RAND1 XOR RAND2 constitutes the session key for this communication session. The mobile station encrypts the value RAND2 under the base station's public key.
7. The mobile station sends the encrypted RAND2 to the base station. It also computes its signature over a set of values containing the encrypted RAND2 and the encrypted RAND1 it previously received from the base station. (Because this encrypted RAND1 is now signed with the mobile station's private key, the base station has a mechanism for confirming the authentication of the mobile station.) The mobile station sends these data elements to the base station.
8. The base station verifies the signature on the message just received from the mobile station using the mobile station's public key. If the signature verifies, the base station accepts the mobile station as a legitimate subscriber.
9. The base station decrypts the value RAND2 using its private key. The base station can now form RAND1 XOR RAND2, so it too holds the session key. (Note that to compromise the session key RAND1 XOR RAND2, an intruder needs access to the private keys of both the base station and the mobile station, not just one of the two.)
Note also that the digital signature added to the message sent by the base station in step 3 plays three distinct roles: (1) it authenticates the message, (2) it provides the response to the challenge in the mobile station's first message, and (3) it authenticates the first message received, by covering the original list of candidate algorithms. Note too that, while the CA is not directly involved in the authentication protocol sequence, the CA signs the certificates of both the base station and the mobile station in a preliminary step. For an outline of the message exchange in the Aziz-Diffie protocol, see Figure 2.2. Aziz and Diffie emphasise the situation in which not one but several CAs are required in a wide-area network operating under the CCITT X.509 specification. In that case the second message, sent by the base station to the mobile station, includes not only the base station's certificate but also the certificate path that allows the certificate to be validated within a hierarchy of CAs.
[Figure 2.2 (diagram). Note on the base station's message: RAND1 is encrypted with the MS's public key; a string containing Enc(RAND1), the chosen SKCS, RCH1 and the SKCS list is signed with the base station's private key. Note on the mobile station's message: RAND2 is encrypted with the BS's public key; a string containing Enc(RAND2) and Enc(RAND1) is signed with the mobile station's private key. The base station then verifies the validity of the MS's signature.]
Figure 2.2: Diagram of the message exchange sequence in the Aziz-Diffie protocol.
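The exchange in steps 1 to 9 above, run end to end in one script, as an added example that is not part of the original text or of Aziz and Diffie's work. Public-key encryption and signatures are replaced by textbook RSA over fixed Mersenne primes so the script runs offline with only the standard library; that stand-in (no padding, no certificates) and the algorithm-strength ranking are constructed for the example. The certificate checks of steps 2 and 4 are assumed to have passed, that is, each side already holds the other's CA-validated public key. The example also shows why step 4 compares the echoed challenge and algorithm list with the originals: an attacker who strips the strongest algorithm from the unsigned first message is detected at that step.

```python
"""Aziz-Diffie join exchange, simulated (added example with a textbook-RSA stand-in)."""
import hashlib
import secrets


class ToyRSA:
    """Textbook RSA key pair: encrypt/verify use (n, e); decrypt/sign use d. Not secure."""

    def __init__(self, p: int, q: int, e: int = 65537):
        self.n, self.e = p * q, e
        self.d = pow(e, -1, (p - 1) * (q - 1))

    def encrypt(self, m: int) -> int:          # public operation, m must be < n
        return pow(m, self.e, self.n)

    def decrypt(self, c: int) -> int:          # private operation
        return pow(c, self.d, self.n)

    def sign(self, data: bytes) -> int:        # private operation
        return pow(self._digest(data), self.d, self.n)

    def verify(self, data: bytes, sig: int) -> bool:   # public operation
        return pow(sig, self.e, self.n) == self._digest(data)

    def _digest(self, data: bytes) -> int:
        return int.from_bytes(hashlib.sha256(data).digest(), "big") % self.n


# Constructed key pairs; in the real protocol they are carried in CertMS / CertBS.
MS_KEY = ToyRSA(2**107 - 1, 2**127 - 1)
BS_KEY = ToyRSA(2**61 - 1, 2**89 - 1)

# Constructed ranking the BS uses to pick the strongest common SKCS entry.
STRENGTH = {"DES-40": 1, "DES-56": 2, "3DES": 3, "AES-128": 4}


def canon(*parts) -> bytes:
    """Unambiguous byte encoding of the values a signature covers."""
    return b"|".join(repr(p).encode() for p in parts)


def run_join(ms_skcs, bs_supported, tamper_msg1=False):
    """Return (chosen algorithm, session key), or None if either side aborts.

    tamper_msg1 simulates an attacker removing the strongest algorithm from the
    unsigned first message (a downgrade attempt). The BS signs the list it saw,
    so the MS detects the change in step 4 by comparing it with its own list.
    """
    # Step 1: MS -> BS: challenge RCH1 and the SKCS list (CertMS omitted, see lead-in).
    rch1 = secrets.randbits(64)
    list_seen_by_bs = list(ms_skcs)
    if tamper_msg1:
        list_seen_by_bs.remove(max(ms_skcs, key=STRENGTH.get))

    # Step 3: BS picks from the intersection, encrypts RAND1 to the MS and signs
    # Enc(RAND1) || chosen algorithm || RCH1 || SKCS list as it received it.
    common = [a for a in list_seen_by_bs if a in bs_supported]
    if not common:
        return None
    chosen = max(common, key=STRENGTH.get)
    rand1 = secrets.randbits(128)
    enc_rand1 = MS_KEY.encrypt(rand1)
    sig_bs = BS_KEY.sign(canon(enc_rand1, chosen, rch1, list_seen_by_bs))

    # Step 4: MS verifies the signature, then checks the echoed challenge and list.
    if not BS_KEY.verify(canon(enc_rand1, chosen, rch1, list_seen_by_bs), sig_bs):
        return None
    if list_seen_by_bs != list(ms_skcs):
        return None                            # list was altered in transit: abort

    # Steps 5-7: MS recovers RAND1, makes RAND2, derives RAND1 xor RAND2,
    # encrypts RAND2 to the BS and signs Enc(RAND2) || Enc(RAND1).
    rand2 = secrets.randbits(128)
    enc_rand2 = BS_KEY.encrypt(rand2)
    sig_ms = MS_KEY.sign(canon(enc_rand2, enc_rand1))
    ms_session_key = MS_KEY.decrypt(enc_rand1) ^ rand2

    # Steps 8-9: BS verifies the MS signature, decrypts RAND2 and derives the key.
    if not MS_KEY.verify(canon(enc_rand2, enc_rand1), sig_ms):
        return None
    bs_session_key = rand1 ^ BS_KEY.decrypt(enc_rand2)
    assert bs_session_key == ms_session_key   # both sides now hold RAND1 xor RAND2
    return chosen, bs_session_key


if __name__ == "__main__":
    print(run_join(["DES-56", "3DES", "AES-128"], {"DES-56", "AES-128"}))
    print(run_join(["DES-56", "3DES", "AES-128"], {"DES-56", "AES-128"}, tamper_msg1=True))
```

The session key is the XOR of two values each encrypted to a different private key, which is the property the text notes in step 9: recovering it from the wire requires both private keys. The signature in step 3 covers the list the base station received, not the list the mobile station sent, so only the mobile station's own comparison can detect a downgrade of the unsigned first message.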
the experience gained with them in the Internet domain, they have not been proven in a wide-area commercial cellular environment. By concentrating on methods of moderate computational cost such as MSR and elliptic curve cryptography, the research here seeks to address the concerns about performance and scalability. From the early to the mid 1990s that gap was still too large for network operators. However, as the networked world, even for voice traffic, moves towards an IP-based mechanism, and as the Internet becomes the dominant model for all kinds of data communication, this will change.
CHAPTER 3: AUTHENTICATION AND SECURITY IN UMTS
3.1 Introduction to UMTS
The Universal Mobile Telecommunications System (UMTS) is a framework coordinated by the International Telecommunication Union (ITU) to support third-generation wireless communication services. UMTS is part of a larger framework, IMT-2000. The principal role of both UMTS and IMT-2000 is to create a platform for mobile communication that encourages the introduction of digital content distribution and information access services to supplement conventional voice communication in the wireless environment. Achieving this goal clearly requires more bandwidth than the 10 Kbit/s available in most second-generation systems, so UMTS will support data rates of up to 2 Mbit/s. The spectrum for UMTS traffic, as for IMT-2000 implementations worldwide, lies roughly between 1870 GHz and 2030 GHz. The first licences for UMTS systems were granted in Europe. In Japan, plans called for early deployment of IMT-2000 in a high band compatible with cellular services, starting in May 2001. Worldwide, deployment of UMTS infrastructure will continue between 2001 and 2005, with the initial enthusiasm possibly tempered by market reality: these systems are expensive for service providers and require a large number of subscribers to become profitable. A recent report published by the UMTS Forum sets out several advantages of the third generation: the third generation brings more mobility to the Internet, building on the unique property of mobility to provide group messaging, location-based services, personalised information and entertainment. Many new third-generation services will not be Internet-based; they will be purely mobile services. By 2005 more data than voice will flow over mobile networks. In this view of the potential of third-generation wireless information services, subscribers will not merely communicate with one another over the network. They will download graphics-rich content and enjoy games while on the move. They will exchange documents through their wireless terminals. And they will conduct a wide range of electronic commerce transactions from wherever they happen to be. Although the details of how service providers will fill in this vision through real system implementations are not yet settled, one thing is clear: a high level of information confidentiality and subscriber authentication will be urgent and mandatory.
Much recent work on defining the security architecture for UMTS has been carried out in a number of research projects funded by the European Union and by national European programmes. These projects include ASPeCT (Advanced Security for Personal Communications Technology, ACTS programme), MONET (part of the RACE programme) and 3GS3 (Third Generation Mobile Telecommunications System Security Studies, under the UK LINK programme). A more recent project, USECA (UMTS Security Architecture), led by researchers at Vodafone, is defining a complete set of security protocols and procedures for the UMTS environment. The scope of the project is broad, covering in-depth studies in the following sub-areas: security features and requirements, security mechanisms, security architecture, public-key infrastructure, the user services identity module (USIM) and terminal (handset) security. Another important player in the development of UMTS authentication and security protocols is 3GPP (Third-Generation Partnership Project), an international project with members from North America and Asia.
that are not present in 2G systems. This concept produces something better than GSM, but not something completely different. Innovation in UMTS should be driven not only by purely technical potential but also by the important environmental requirements and by the set of services contributed to third-generation wireless networks. In this context, in mid-1999 3GPP defined a set of new security features useful for UMTS, and for third-generation systems in general. The new security features constitute a description of the key characteristics of the third-generation environment. Those key points are as follows: (1) There will be new and different service providers beyond the providers of wireless telecommunication services, including content providers and data service providers; (2) Mobile systems will be positioned as the preferred communication medium for users, favoured over fixed-line systems;
(3) There will be many prepaid and pay-as-you-go services. A long-term subscription between the user and the network operator may no longer be the familiar model; (4) Users will have more control over their service profiles and over the capabilities of their terminals; (5) There will be active attacks on users; (6) Non-voice services will be as important as voice services, or more important; (7) Mobile handsets will be used as a platform for electronic commerce, and multi-application smart cards will be used to support that platform.
Considering these characteristics of the third-generation environment, the 3GPP working group sketched which features of second-generation security systems should be retained, which second-generation weaknesses must be resolved in UMTS, and where the UMTS security architecture would introduce new capabilities.
used in second-generation systems; this responds to the threat posed by the ever-increasing computing power available for cryptanalysis of the radio-interface cipher. (3) Subscriber identity confidentiality will be provided over the radio interface. (4) The SIM (Subscriber Identity Module) will be a removable hardware security module, separate from the handset as far as its security functions are concerned (that is, the SIM is a smart card). (5) The SIM application toolkit security features, which provide a secure application-layer channel between the SIM and a home network server, will be taken into account. (6) The operation of the system security features will be independent of the user (that is, the user does not have to do anything to activate the security features). (7) The requirement for the home network to trust serving networks to implement a given level of security functionality will be minimised.
In the area of subscriber authentication, this analysis noted the problems arising around the proprietary and weak GSM algorithms. A basic satisfaction with the second-generation approach to authentication is nevertheless evident, and, as we shall see, it strongly influenced the decisions on subscriber authentication in UMTS. A list of the shortcomings in second-generation security protocols that UMTS must address is also useful. They are: (1) Active attacks using a false base station are possible (there is no authentication of the network to the mobile handset). (2) Session keys and authentication data, while concealed on the radio links, are transmitted in clear between networks. (3) Encryption does not extend deep enough into the core network, so user plaintext and signalling information are transmitted over microwave links. (4) The lack of a uniform encryption and authentication policy across service-provider networks creates opportunities for intrusion. (5) Data integrity mechanisms are also lacking. Besides raising confidence, such mechanisms provide protection against base-station impersonation. (6) The IMEI (International Mobile Equipment Identifier) is an insecure identifier. (7) Fraud and lawful interception (eavesdropping by law-enforcement authorities) were handled as afterthoughts rather than in the original GSM design phase. (8) The home network lacks knowledge of, and control over, how the serving network uses the authentication parameters of home-network subscribers roaming in the serving network's coverage area. (9) The flexibility to update and supplement the security features over time, so as to keep the system security protocols in general use, is absent.
The requirement that followed for the UMTS designers was to define a number of enhancements to the second-generation security procedures and protocols that retain the second-generation security features, resolve the second-generation shortcomings listed above and allow interoperability between the two domains in the years ahead.
Longer keys against stronger attacks: as noted, the second-generation GSM data encryption algorithms have an effective key length of only 40 bits and are believed to be breakable almost in real time. The keys for data encryption in UMTS will be 128 bits.
User identity confidentiality will be strengthened through the use of group keys. The basic UMTS cryptographic algorithms will be made public, in light of the persistent criticism of GSM on this point.
Support for integrity as well as confidentiality will be provided.
An important concept in subscriber authentication for UMTS is that the visited network is concerned with being paid rather than with the identity of the user. The emphasis on the visited network's side is therefore authorisation to provide services rather than authentication. Systems that implement subscriber authentication emphasise the interaction between the mobile subscriber and the home network, with authorisation information passed to the network that will provide services to the mobile subscriber (the visited network). In this way authentication can be performed without compromising subscriber identity confidentiality.
other information relating to the user is not exposed to eavesdroppers.
Mutual authentication: both the mobile terminal and the serving network's base station are authenticated to each other, preventing impersonation attacks on either side of the communication session.
Confidentiality of signalling data and user data: through strong encryption, both the content of the subscriber's session and the associated signalling information are protected during transmission over the radio link.
Data integrity and origin authentication: the receiving entity in a session can verify that the messages received were not modified in transit and that they really originated from the claimed party.
including the capabilities for the different service providers to authenticate one another and for sensitive data to be exchanged.
Confidentiality of exchanged data: protection of the data exchanged between network elements against eavesdropping. This will typically be implemented through encryption.
Data integrity and origin authentication: this parallels the data integrity and origin authentication aspects of Network Access Security but applies to the relationships between network elements. When one network element transmits data to another, the receiving node can verify that the data was not modified in transit and that it really originated from the network element announced as its origin. Moreover, these properties must hold across the networks of different service providers.
between an individual subscriber and the USIM smart card in their UMTS handset. To restrict operation to the owner or to an authorised group of individuals, the user may have to supply a PIN when initiating a session.
USIM-Terminal link: because the smart card supporting the USIM (fitted in the
relationship between the USIM and the UMTS handset. Typically this will be done through secrets shared by both the USIM and the terminal, installed by the service provider when the service is initiated. The USIM-Terminal link prevents the user's USIM card from being inserted into another handset and used without authorisation.
against eavesdropping, typically through encryption on the wired as well as the wireless segments of the whole network infrastructure.
UMTS may require a particular set of security services to be active before the user uses a given service. For instance, this logic may apply to enabling and disabling the use of a personal PIN with the USIM in someone's handset, or to decisions such as accepting incoming calls without encryption.
Dividing the whole security field into domains in this way has several advantages. First, it handles complexity by splitting the overall problem space into discrete sub-domains (compare how complexity is handled in the Internet internetworking protocols). In addition, by creating security modules with well-defined interfaces, components of the security architecture can be updated or replaced without redoing the whole business.
Note: the following abbreviations are used for the UMTS security domains in Figure 3.1: NAS: Network Access Security; NDS: Network Domain Security; UDS: User Domain Security; ADS: Application Domain Security. Figure 3.1 illustrates the overall UMTS environment and indicates where the five security domains reside in the interactions among the various elements of the environment.
[Figure 3.1 (diagram). Home/Serving level: terminal equipment (handset), UDS, User Services Identity Module (USIM), NAS, Serving Network (SN), NDS, Home Environment (HE); Transport level.]
Figure 3.1: Diagram of where the five UMTS security domains reside in the relationships among the components of the overall UMTS network environment. [Source: S. Putz]
subscriber authentication and session key generation in UMTS were presented by Royal Holloway, Siemens and KPN. The Royal Holloway proposal is based on a challenge-response mechanism similar to the one in GSM. This protocol offers mutual authentication between the mobile station and the network base station and strengthens user location security (user location security is achieved by using only a temporary user identifier and avoiding transmission of the mobile subscriber's permanent identifier in clear text over the radio link). The two other proposed protocols, from Siemens and KPN, are very different in that they derive from public-key techniques. The following sections describe the approach proposed by Siemens.
keys of the mobile station and of the serving network are available on the serving network server and in the mobile handset respectively, and so need not be exchanged during the session.
Sub-protocol B: handles the cases in which a valid certificate for the mobile station's public verification key is available in the mobile handset but not on the serving network server, and a valid certificate for the network operator's public agreement key is available but not in the mobile handset.
Sub-protocol C: handles the case in which no authenticated copy of the mobile subscriber's public key is available on the serving network server and no authenticated copy of the network operator's public key is available in the mobile handset. In this discussion we concentrate on Sub-protocol C, since it gives the best view of the public-key protocol aspects and the related infrastructure in the Siemens proposal.
The serving network operator holds the agreement keys s and gs. The mobile station owns an asymmetric signature system with the secret signature transformation Sigu.
The CS holds the latest revocation list for the public keys of network operators and mobile subscribers. Both the CS and the serving network operator's server can create and verify time-stamps.
Both the serving network operator's server and the mobile station hold the CS's public key. This key is needed to verify the validity of certificates issued by the CS.
The CS holds the public verification key PK_NO needed to verify the signatures created by the serving network operator's server with the private signature key SK_NO.
The mobile station sends g(RNDU), IDCS and Enc(L, IMUI) to the network operator's server. Note that IDCS is the identifier of the CS under which the mobile station's public key is kept, and may need protection (it may belong to the mobile subscriber's home service provider). This constitutes Message 1.
The network operator's server retrieves its public key gs and creates a time-stamp TS1. The server then uses the hash function h3 together with the signature algorithm SigNO and its private key SK_NO to sign the string (TS1 || gs || g(RNDU) || Enc(L, IMUI)).
The network operator's server sends the following string over the network to the CS: TS1, gs, g(RNDU), Enc(L, IMUI), SigNO(h3(TS1 || gs || g(RNDU) || Enc(L, IMUI))). This constitutes Message 2.
The CS: (1) uses the verification algorithm VerNO and the network operator's public key PK_NO to verify the message; (2) checks the time-stamp TS1; (3) computes L using the mobile subscriber's public key, L = (g(RNDU)u); (4) decrypts Enc(L, IMUI) using the decryption algorithm Dec and the key L; (5) retrieves CertU, the mobile subscriber's certificate, from its subscriber database; (6) checks the network operator's public key gs and the subscriber certificate CertU against the revocation lists; (7) creates a certificate CertN using the network operator's public key and signs it; (8) creates a time-stamp TS2; and (9) computes a signature over the string TS2 || IDNO || CertU. CertN includes SigCS(h3(credentials)), where credentials are g(RNDU), gs, IDNO and data3. Data3 is optional.
The CS sends a message consisting of CertN, TS2 || IDNO || CertU, SigCS(TS2 || IDNO || CertU) to the network operator's server. This constitutes Message 3.
The network operator's server uses the verification algorithm VerCS and the CS's public key PK_CS to verify Message 3. The network operator's server then: (1) computes a reduced CertN, called CertN*, consisting of gs || SigCS(h3(credentials)); (2) computes the random string (g(RNDU)s) using its private key; (3) creates the session key Ks, where Ks = h1(g(RNDU)s || RNDN); (4) creates the authentication key AUTHN = h2(Ks), where h2 is a second hash function; and (5) creates the encrypted string Enc(Ks, data1 || data3), where data1 is a nonce created by the network operator's server.
The network operator's server sends RNDN, AUTHN, CertN* and Enc(Ks, data1 || data3) to the mobile station over the radio link. This constitutes Message 4.
The mobile station now verifies the transmission and creates the data elements it needs to continue the session. First the mobile station uses the verification algorithm VerCS and the CS's public key to verify the signature on CertN and to reconstruct the credentials. The mobile station then computes: (1) gs(RNDU), using the network operator's public key; (2) the session key Ks, which now equals h1(gs(RNDU) || RNDN); (3) the authentication key AUTHN, where AUTHN = h2(Ks); and (4) the string data1 || data3, using the decryption algorithm Dec and the session key Ks. Using the encryption algorithm Enc with the session key as input, the mobile station then creates: (1) Enc(Ks, SigU(h3(Ks || data1 || data2))), and (2) Enc(Ks, data2). The mobile station sends Enc(Ks, SigU(h3(Ks || data1 || data2))) and Enc(Ks, data2) back to the network operator's server over the radio link. This transmission constitutes Message 5, the last message of the Siemens protocol exchange.
The network operator's server then performs a few final computations and comparisons to complete authentication and start the session. First, the server uses the session key Ks to decrypt all parts of the message received from the mobile station. Knowing Ks, data1 and data2, it computes h3(Ks || data1 || data2) for itself. It then uses the verification algorithm VerU and the mobile station's public key PK_U to extract h3(Ks || data1 || data2) from SigU(h3(Ks || data1 || data2)). The server compares the value it computed with the value just extracted. If the two values are equal, the mobile station is authenticated.
[Figure 3.2 (diagram), messages between the mobile station, the network operator's server and the CS:
(M1) gRNDu, IDCS, Enc(L, IMUI)
(M2) TS1, gRNDu, ID CS, Enc(L, IMUI), SigN0 (h3(TS1 || gs || gRNDu || Enc(L, IMUI)))
(M3) CertN, TS2 || IDN0 || CertU, SigC S(TS2 || ID N0 || CertU)
(M4) RNDn, AUTHN, CertN*, Enc(Ks, data1 || data3)]
Figure 3.2: Diagram of the message exchange in the Siemens authentication protocol for UMTS, Sub-protocol C.
One of the advantages of Sub-protocol C confirmed by the ASPeCT Project researchers is the preservation of user identity confidentiality: the IMUI is only ever sent in encrypted form, from the very start of the protocol. Equally important is the use of time-stamps to ensure the currency of the certificates and to hinder attacks. Also worth noting is that the fields data1, data2 and data3, identified in the description above as nonces, can be generated so as to play a dual role and actually carry information between the CS, the network server and the mobile station.
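The key-agreement core of Sub-protocol C as described in the message steps above, as an added example that is not code from the ASPeCT Project or Siemens. It models the two Diffie-Hellman style derivations the text gives: L = (g(RNDU)u), shared by the mobile station and the CS and used to protect the IMUI in Message 1, and Ks = h1(g(RNDU)s || RNDN) with AUTHN = h2(Ks), shared by the mobile station and the operator's server. Everything else is an assumption made for the example: the group is the Mersenne prime 2^127-1 with generator 3; h1, h2 and h3 are SHA-256 with a domain tag; Enc/Dec is a SHA-256 keystream XOR stand-in (messages of at most 32 bytes, one label per message so the keystream is never reused); the value the mobile holds for the CS is g^u, with u the CS-side secret; and the certificate and signature steps (SigNO, SigCS, SigU, CertN) are taken to have verified and are not modelled.

```python
"""Siemens Sub-protocol C key agreement, simulated (added example; see lead-in for assumptions)."""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # constructed group modulus (Mersenne prime)
G = 3            # constructed generator


def h(tag: str, *parts: bytes) -> bytes:
    """Domain-separated stand-in for the hash functions h1, h2, h3 and L derivation."""
    return hashlib.sha256(tag.encode() + b"".join(parts)).digest()


def i2b(x: int) -> bytes:
    return x.to_bytes(16, "big")            # group elements are < 2^127


def enc(key: bytes, label: bytes, data: bytes) -> bytes:
    """Enc/Dec stand-in: XOR with a per-label SHA-256 keystream (data <= 32 bytes)."""
    stream = hashlib.sha256(b"keystream:" + label + key).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def mobile_message1(pub_u: int, imui: bytes):
    """MS: pick RNDU, derive L = (g^u)^RNDU, send g^RNDU and Enc(L, IMUI)."""
    rndu = secrets.randbelow(P - 2) + 1
    L = h("L", i2b(pow(pub_u, rndu, P)))
    return rndu, pow(G, rndu, P), enc(L, b"M1", imui)


def cs_recover_imui(u: int, g_rndu: int, enc_imui: bytes) -> bytes:
    """CS: L = (g^RNDU)^u, then Dec(L, Enc(L, IMUI)) (steps 3 and 4 of the CS)."""
    L = h("L", i2b(pow(g_rndu, u, P)))
    return enc(L, b"M1", enc_imui)


def operator_message4(s: int, g_rndu: int):
    """Operator: Ks = h1(g^(RNDU s) || RNDN), AUTHN = h2(Ks), Enc(Ks, data1)."""
    rndn = secrets.token_bytes(16)
    ks = h("h1", i2b(pow(g_rndu, s, P)), rndn)
    data1 = secrets.token_bytes(16)          # nonce created by the operator's server
    return rndn, h("h2", ks), enc(ks, b"M4", data1), ks, data1


def mobile_message5(rndu: int, gs: int, rndn: bytes, authn: bytes, enc_data1: bytes):
    """MS: Ks = h1((g^s)^RNDU || RNDN); abort unless h2(Ks) matches AUTHN."""
    ks = h("h1", i2b(pow(gs, rndu, P)), rndn)
    if not hmac.compare_digest(h("h2", ks), authn):
        return None                          # operator key or RNDN mismatch
    data1 = enc(ks, b"M4", enc_data1)
    data2 = secrets.token_bytes(16)
    tag = h("h3", ks, data1, data2)          # the value SigU would sign
    return ks, enc(ks, b"M5", data2), tag


def operator_verify(ks: bytes, data1: bytes, enc_data2: bytes, tag: bytes) -> bool:
    """Operator: recompute h3(Ks || data1 || data2) and compare with the MS's value."""
    data2 = enc(ks, b"M5", enc_data2)
    return hmac.compare_digest(h("h3", ks, data1, data2), tag)


def run_subprotocol_c(imui: bytes, forge_operator_key: bool = False):
    """Drive M1..M5; forge_operator_key simulates a wrong gs reaching the MS."""
    u = secrets.randbelow(P - 2) + 1         # CS-side secret (assumption)
    s = secrets.randbelow(P - 2) + 1         # operator's agreement secret
    pub_u, gs = pow(G, u, P), pow(G, s, P)
    rndu, g_rndu, enc_imui = mobile_message1(pub_u, imui)           # M1
    imui_at_cs = cs_recover_imui(u, g_rndu, enc_imui)               # via M2/M3
    rndn, authn, enc_data1, ks_op, data1_op = operator_message4(s, g_rndu)   # M4
    gs_seen = pow(G, 12345, P) if forge_operator_key else gs
    m5 = mobile_message5(rndu, gs_seen, rndn, authn, enc_data1)
    if m5 is None:
        return None
    ks_ms, enc_data2, tag = m5                                       # M5
    return {"imui_at_cs": imui_at_cs,
            "keys_match": ks_ms == ks_op,
            "ms_authenticated": operator_verify(ks_op, data1_op, enc_data2, tag)}


if __name__ == "__main__":
    print(run_subprotocol_c(b"IMUI-0123456789"))
    print(run_subprotocol_c(b"IMUI-0123456789", forge_operator_key=True))
```

The IMUI crosses the radio link only under L, which the operator's server cannot compute because it holds neither RNDU nor u; this is the identity-confidentiality property the ASPeCT researchers highlight. The AUTHN check lets the mobile station confirm it derived the same Ks as the operator before it releases anything under that key; in the full protocol the CS signature on CertN* is what binds gs to the operator, and the forged-key case here shows the AUTHN comparison failing when that binding is broken.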
digital signature and hash algorithms. These proposed protocols are complex but would provide a high level of security and scalability if fully deployed. As we shall see, this is not the subscriber authentication method that the designers chose as the actual basis for implementing the system. Although the reasons are not entirely clear, one possibility is that the Siemens proposal departs completely from the inherited GSM infrastructure, making interoperation with the second generation difficult. It is also true that the ASPeCT Project reports say little about the actual ciphers, digital signature protocols, verification and hash algorithms used, which makes simulating system performance harder.
3.5 Subscriber authentication in the UMTS implementation
As the time for implementing wireless communication systems using UMTS technology approached, the 3GPP working groups shifted their focus away from the theoretical research described in the previous section. In the concrete decisions on subscriber authentication in UMTS, the 3GPP planners chose to use the scheme closest to GSM authentication, with selected enhancements. This UMTS protocol uses a symmetric-key approach in which the Authentication Center of the subscriber's home network and the USIM smart card in the user's handset share a secret key. Moreover, the authentication now planned for implementation in UMTS differs from second-generation authentication in the following important respects: (1) The subscriber identity module (the SIM, or in a UMTS network the USIM) in the handset and the Authentication Center (AuC) share a sequence number as well as the secret key. The sequence number is not a fixed value; it changes over time. (2) In addition to standard subscriber authentication, the visited network's base station is authenticated to the mobile station as part of the authentication protocol. (3) During the authentication phase, UMTS establishes a session key for encrypting data in the session and a second key for protecting data integrity. (4) The UMTS cryptographic algorithms will be placed in the public domain for scrutiny and analysis.
The main steps in the UMTS protocol for mutual authentication and session key establishment are as follows. The parallel with the GSM challenge-response protocol should be evident. (The terminology used to describe the key elements of the UMTS authentication infrastructure and protocols differs in a few respects from what we saw in GSM; we keep that distinction in the description below.) (1) The Serving Node (SN), which holds the Visitor Location Register (VLR), requests authentication data from the Home Environment (HE), which supports the Home Location Register (HLR) and the Authentication Center (AuC). (2) The Home Environment sends an array of authentication vectors (AV) to the SN. Each such vector can be used for one session-key agreement and authentication between the SN and the USIM in the mobile station. Each AV (the counterpart of the GSM triplet) consists of: (1) a random challenge RAND; (2) the expected response to the challenge, XRES; (3) a cipher session key CK; (4) a data integrity key IK; and (5) an authentication token AUTN. (3) The serving network sends the random challenge RAND and the authentication token AUTN to the mobile station over the radio link. (4) The USIM in the mobile station verifies that AUTN is acceptable (thereby authenticating the network to the mobile station). The mobile station then creates a response RES to the random challenge and transmits it back to the SN. (5) The USIM computes its own version of CK and IK using RAND, the sequence number (embedded in AUTN) and its secret key. (6) The serving network compares the RES it received from the mobile station with XRES. If the two values match, the mobile station is authenticated. (7) The USIM and the SN pass CK to the system components responsible for encrypting transmitted data, and IK to the system components responsible for checking data integrity. For a diagram of the basic UMTS authentication protocol, see Figure 3.3.
[Figure 3.3 (diagram): mobile station/USIM; Home Env/HLR/AuC. Verify AUTN(i); compute RES(i); user authentication response RES(i); derive CK(i) and IK(i).]
Figure 3.3: Message flow in the basic UMTS authentication and session key generation protocol. [After J. Salva]
In the authentication protocol described above, the authentication token AUTN is a key data element. AUTN consists of: (1) the Sequence Number, SQN, XORed with an anonymity key AK; (2) the Authentication and Key Management Field, AMF; and (3) a Message Authentication Code, MAC. The purpose of the anonymity key is to conceal the Sequence Number, which, if revealed, could give away information about the subscriber's identity and location.
The AMF can carry information from the Authentication Center to the mobile station on matters such as which key generation and authentication algorithms to use. It also directs the mobile station to use one of several secret keys. The UMTS authentication protocol uses five one-way functions, denoted f1 to f5, to create the component values of the AUTN string and the AV. The inputs to these functions are the subscriber's secret key, the random challenge RAND and the Sequence Number. Figure 3.4 gives a diagram of how this protocol operates in the Authentication Center.
[Figure 3.4 (diagram): generate SQN; generate RAND; the inputs SQN, AMF, RAND and the secret key K feed the functions f1, f2, f3, f4 and f5, whose outputs are MAC, XRES, CK, IK and AK respectively. Notes: SQN = Sequence Number; AMF = Authentication & Key Management Field; RAND = Random Challenge; MAC = Message Authentication Code; XRES = Expected Response (to Random Challenge); CK = Cipher (Data Encryption) Key; IK = Integrity Key; AK = Anonymity Key.]
Figure 3.4: Generation of the UMTS Authentication Vector string and the Authentication Token (AUTN) in the Authentication Center. [After J. Salva]
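The AV generation of Figure 3.4 and the USIM-side processing of steps (4) to (6) above, as an added example that is not code from 3GPP or from the sources the text cites. The functions f1 to f5 are modelled here as HMAC-SHA256, domain-separated by function number and truncated to the field sizes the text implies (MAC and XRES 8 bytes, CK and IK 16 bytes, AK 6 bytes); this is an assumption for the example, since 3GPP's published algorithm set is not used. The subscriber key K and the AMF value are constructed. The example also shows the two ways the USIM rejects a token: a wrong MAC (network not authenticated) and a stale sequence number (a replayed AV).

```python
"""UMTS AKA: AuC-side vector generation and USIM-side checks (added example)."""
import hashlib
import hmac
import secrets

K = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")   # constructed 128-bit subscriber key
AMF = b"\x80\x00"                                          # constructed AMF value


def f(n: int, key: bytes, *parts: bytes, out: int) -> bytes:
    """Stand-in for f1..f5: HMAC-SHA256 tagged with the function number, truncated."""
    return hmac.new(key, bytes([n]) + b"".join(parts), hashlib.sha256).digest()[:out]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def generate_av(k: bytes, sqn_int: int) -> dict:
    """Authentication Center: build one AV = (RAND, XRES, CK, IK, AUTN)."""
    sqn = sqn_int.to_bytes(6, "big")
    rand = secrets.token_bytes(16)
    mac = f(1, k, sqn, rand, AMF, out=8)      # f1(K, SQN || RAND || AMF)
    xres = f(2, k, rand, out=8)               # f2(K, RAND)
    ck = f(3, k, rand, out=16)                # f3(K, RAND)
    ik = f(4, k, rand, out=16)                # f4(K, RAND)
    ak = f(5, k, rand, out=6)                 # f5(K, RAND)
    autn = xor(sqn, ak) + AMF + mac           # AUTN = (SQN xor AK) || AMF || MAC
    return {"RAND": rand, "XRES": xres, "CK": ck, "IK": ik, "AUTN": autn}


class USIM:
    """Holds K and the highest sequence number accepted so far."""

    def __init__(self, k: bytes):
        self.k = k
        self.sqn_ms = 0

    def respond(self, rand: bytes, autn: bytes):
        ak = f(5, self.k, rand, out=6)
        sqn, amf, mac = xor(autn[:6], ak), autn[6:8], autn[8:]
        xmac = f(1, self.k, sqn, rand, amf, out=8)
        if not hmac.compare_digest(mac, xmac):
            raise ValueError("MAC failure: network not authenticated")
        sqn_int = int.from_bytes(sqn, "big")
        if sqn_int <= self.sqn_ms:
            raise ValueError("synchronisation failure: sequence number not fresh")
        self.sqn_ms = sqn_int
        return (f(2, self.k, rand, out=8),    # RES
                f(3, self.k, rand, out=16),   # CK
                f(4, self.k, rand, out=16))   # IK


def attempt(av: dict, usim: USIM) -> str:
    """Serving network side: returns 'OK', 'RES_MISMATCH', 'MAC_FAIL' or 'SYNC_FAIL'."""
    try:
        res, ck, ik = usim.respond(av["RAND"], av["AUTN"])
    except ValueError as exc:
        return "MAC_FAIL" if "MAC" in str(exc) else "SYNC_FAIL"
    if not hmac.compare_digest(res, av["XRES"]):
        return "RES_MISMATCH"
    assert ck == av["CK"] and ik == av["IK"]  # both sides now hold CK and IK
    return "OK"


if __name__ == "__main__":
    usim = USIM(K)
    av = generate_av(K, 1)
    print(attempt(av, usim))                  # fresh vector
    print(attempt(av, usim))                  # same vector replayed
```

Because AK is derived from RAND, the USIM can unmask SQN before it has verified anything, and only then checks the MAC; the sequence-number comparison is what turns a captured AV into a one-time value, which is the replay protection the text attributes to the changing sequence number. The serving network never learns K: it compares RES with the XRES it was handed, exactly as in step (6).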
some of the early research work regarded as a precursor to UMTS in European programmes such as ACTS concentrated on a solution with a strong element of public-key methods. In the final implementation phase, however, the imperative to build on the existing GSM base and to keep interoperability with GSM proved overwhelming. Once again, symmetric-key methods prevailed. Nevertheless, the UMTS key architecture addresses many shortcomings of second-generation cellular systems, including authentication of the network to the mobile station, user identity and location confidentiality, data integrity and the use of suitable cryptographic algorithms.
The designers of the second- and third-generation digital cellular telephone networks discussed in the earlier chapters of this thesis set out to support mobile communication; that, after all, is the whole point of cellular telephony. The Internet, on the other hand, originally began as a network for connecting computers at fixed locations. In other respects, too, the environments differ considerably. For instance, second-generation cellular networks were designed to carry mainly voice traffic and to support communication channels between the parties in a call, whereas third-generation cellular networks will pay much more attention to data communication in addition to voice traffic. The Internet's designers, by contrast, sought to create a network for data transmission between computers (voice over IP came later) and used packet switching rather than channel establishment as the main transmission model. In the 1980s, the world in which computers sat in machine rooms or on users' desks at fixed locations with fixed network addresses began to break down. In the future, computers, including not only laptops but also devices such as PDAs (Personal Digital Assistants), Web pads and smart cellular phones, will travel with users, who want to connect to the Internet from wherever they are at any time. The model by which network addresses are changed in the wired Internet world, through the intervention of system administrators assigning new IP addresses and reconfiguring machines and network infrastructure, was no longer acceptable. Something had to be provided to support mobile computing in the Internet environment. The protocol developed through the IETF (Internet Engineering Task Force) is the Mobile Internet Protocol, or Mobile IP for short. The goal of Mobile IP is to support Internet access for computing devices that move from place to place, without requiring the whole Internet infrastructure to change immediately in order to accommodate mobility.
while the networks that only serve wired computers need not change. In the future, IP Version 6 will support mobility as part of the general Internet protocols, in recognition that wireless Internet access has also become very important.
transmits a message containing both its own IP address and its new care-of address (the FA's IP address), which the FA forwards to the HA. On receiving and verifying this message, the HA performs a binding update by creating a table entry recording the new care-of address together with this particular Mobile Host. Another component in the Mobile IP picture is the corresponding host (CH). The CH can be any computer on the Internet that tries to communicate with the Mobile Host. Under Mobile IP the CH need not know that the Mobile Host is roaming away from its home network (this is an important simplifying assumption of Mobile IP) and simply sends its packets for the MH in the usual way to the home network. There the HA, which knows that the Mobile Host is roaming and knows its current care-of address, receives the packets destined for the Mobile Host and forwards them to the FA at that care-of address, in a process called triangular routing. The FA then forwards the packets to the Mobile Host over the radio link they have established. The general architecture of Mobile IP is illustrated in Figure 4.1. Note that the networks containing the HA and the FA must implement Mobile IP and be capable of supporting mobility. A key aspect of Mobile IP, however, is that the CH and the other components of the Internet platform, represented by the Internet cloud in the network diagram, need know nothing about this protocol.
[Figure 4.1 (diagram): network infrastructure; router; Home Agent; router; Foreign Agent; data is sent to the Foreign Agent through an IP tunnel; Mobile Host; data is decapsulated and forwarded to the MH over the radio link.]
Figure 4.1: Diagram of the key components of the Mobile IP architecture.
The ability of a malicious node to impersonate the mobile node's identity and redirect packets destined for the mobile node to other network locations; and the threat that potentially hostile nodes (coming from different network administrative domains) mount active or passive attacks on other nodes when they share the network resources and services offered by mobility-supporting subnets. The user authentication protocols discussed in this chapter all address these two security threats, but do so in different ways.
directly. For instance, Charles Perkins proposes applying five currently practical techniques. These techniques are considered by the MH and FA in order of preference, with the first technique preferred (this may be arranged manually). The five options are:
If the FA and MH share a security association, or can establish one through ISAKMP or SKIP, the FA proceeds to choose the registration key over it. If the FA and the MH's HA share a security association, the HA can create a registration key and transmit it to the FA encrypted under that association.
If the FA has its own public key, the FA can ask the MH's HA to create a registration key and communicate it to the FA encrypted under that public key.
If the MH holds a public key, it can include that key in its registration request, whereupon the FA creates a registration key and transmits it to the MH encrypted under that public key.
The FA and MH can use a Diffie-Hellman key exchange protocol to establish a shared registration key. The Diffie-Hellman option is assigned a low priority because its computational complexity may burden the mobile host and thus cause delay.
In most of the scenarios Perkins proposes, the MH and HA are implicitly assumed to share a security association. Thus, if the HA and FA share information by which the HA can pass a secret key to the FA, the HA can act as a Key Distribution Center (KDC). For example, if the HA and FA share a secret key through a security association between them, the following technique, using the MD5 algorithm, can be used to transfer a session key or registration key from the HA to the FA.
The HA sends the following string to the FA: String1 = MD5(secret || regrep || secret) XOR Kr, where secret is the private key shared by the HA and the FA, Kr is the registration key being communicated, and regrep is a reply to the registration request message sent by the FA to the HA. On receiving this message (String1), the FA can now compute: String2 = MD5(secret || regrep || secret). The FA can then extract the registration key simply by applying an XOR operation as follows: Kr = String1 XOR String2.
In the absence of an established security association between the HA and FA, a similar method can be used if the FA can make a public key available.
In the case where the FA and the Mobile Node share a security association (this is rarer than the MN sharing a secret key with the HA), the FA and MN can negotiate a registration key directly, without using the HA as a Key Distribution Center. The same can be achieved if the MN makes a public key available to the FA.
3. HAID (Address of Home Agent): the IP address of the HA on the MH's home network.
4. FAID (Address of Foreign Agent): the IP address of the FA on the network where the MH is currently located.
5. TMH, THA (Time Stamps): TMH and THA are time-stamps issued by the MH and the HA respectively.
6. Enc(K, M): encryption of message M under key K.
7. MAC(K, M): creation of a MAC (Message Authentication Code) over message M under key K.
8. KSMH-HA (Shared Secret Key): KSMH-HA is a secret key shared by the MH and the HA. It is not shared with the FA or with other elements of the network infrastructure.
9. Request: a bit pattern indicating that the message that follows is a request message.
10.
11.
(accept, reject, reason for rejection, etc.). Note that the shared secret key is a private-key cryptographic element retained in this first generation of mobility support for the Internet. It may no longer be needed in the future, if a public-key infrastructure becomes available.
t di y: Request Designator, ID ca FA (a ch IP ca n), ID ca HA, a ch nh ca MH, Care-of-Address ca MH, v mt tem thi gian c pht hnh bi MH. Chui ny c theo sau bi m MAC m MH to ra bng cch p dng thut ton MD5 cho cc phn t trong bn tin yu cu cng vi kho b mt KSMH-HA m n s dng chung vi HA. 3. FA chuyn tip c bn tin yu cu ln MAC tng ng ti HA. Ch rng cc phn t d liu trong bn tin yu cu khng cha kho b mt c truyn i mt cch r rng, v th FA c th c a ch ca FA. 4. Khi nhn c vic truyn dn t FA, HA tnh MAC ring ca n trn bn tin yu cu ca MH. Nu gi tr tnh c ph hp vi MAC nhn c trong truyn dn th MH c nhn thc v ni dung bn tin yu cu c xc nhn l khng b thay i.
5. HA by gi to ra mt bn tin tr li cha cc phn t d liu di y:
Reply Designator, Result Code, ID ca FA (a ch IP ca FA), ID ca HA, a ch nh ca MH, v mt tem thi gian TS. Tem thi gian ny s bng vi tem thi gian c pht hnh bi MH nu gi tr ny nm trong ca s hin thi c th chp nhn c i vi HA. Mt khc tem thi gian ny s l tem thi gian c thit lp bi HA, nhm cho php vic ti ng b xy ra. HA cng tnh ton mt MAC trn cc phn t d liu ny bng cch s dng kho b mt m n s dng chung vi MH v gi kt qu cng vi bn tin. (Ch rng vi cc bin th prefix plus suffix ca thut ton MD5 th hai phin bn ca MAC c gi i thc s nhng trong s di y iu ny b b qua v tnh n gin). HA truyn bn tin tr li v MAC ny n FA. 6. FA chp nhn vic truyn dn c m t trong bc 5 t HA, v chuyn n ti MH qua on ni v tuyn.
7. The MH computes its own MAC over the reply message and compares the result with the MAC it received along with the reply message from the FA. If the two MAC values match, the HA is authenticated to the MH and the content of the reply message is established as valid.
At this point the MH, FA and HA can use one of the methods recommended by Perkins to establish a registration key, or session key, which will be used to encrypt data in this communication session. Figure 4.2 illustrates the exchange of messages in the Mobile IP Registration Protocol.
[Figure 4.2: Mobile Host, Foreign Host, Home Agent; message M3 || MAC(KSMH-HA, M3)]
Note: In M3, if the time stamp from the MH does not fall within the acceptance window, the HA rejects the request but supplies its own time stamp so that the MH can resynchronize its clock.
Figure 4.2: Sketch of the message exchange in the Mobile IP Registration Protocol. [From Sufatrio and Lam]
Note that the establishment of a registration key must not disclose the shared secret key to the FA, since this would constitute a serious security hole. Note also that, while the registration key may be established through a public-key application if a public-key infrastructure is operational, it can also be established by alternatives that do not require a PKI.
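The registration exchange of steps 2 to 7, together with the resynchronization rule noted under Figure 4.2, modelled in Python as an added example that is not part of the thesis or of the Mobile IP specification; the prefix-plus-suffix keyed MD5 construction, the window width, the addresses and the key are constructed sample values.

```python
import hashlib
import hmac

# Added example (not from the thesis): a model of the Mobile IP registration
# exchange of steps 2-7.  The keyed MD5 MAC is MD5(key || fields || key),
# one prefix-plus-suffix construction as the text describes; the window
# width, the addresses and the key are constructed sample values.

WINDOW_SECONDS = 7          # assumption: the HA's acceptable clock skew
REQUEST, REPLY = "Request", "Reply"
ACCEPTED, OUT_OF_WINDOW, BAD_MAC = "accepted", "bad_timestamp", "bad_mac"

def keyed_md5(key: bytes, fields: list) -> bytes:
    """Prefix-plus-suffix keyed MD5 over the '|'-joined message fields."""
    body = "|".join(str(f) for f in fields).encode()
    return hashlib.md5(key + body + key).digest()

def mh_build_request(ks_mh_ha, fa_id, ha_id, mh_home, mh_coa, t_mh):
    """Step 2: the MH forms the request string and appends MAC(KSMH-HA, M)."""
    fields = [REQUEST, fa_id, ha_id, mh_home, mh_coa, t_mh]
    return fields, keyed_md5(ks_mh_ha, fields)

def fa_forward(fields, mac):
    """Step 3: the FA relays request and MAC; it reads the clear fields but holds no key."""
    return list(fields), mac

def ha_handle_request(ks_mh_ha, fields, mac, now):
    """Steps 4-5: verify the MAC, then check the MH time stamp against the HA's window.
    An out-of-window stamp is still answered, with the HA's own time stamp, so the
    MH can resynchronize (note under Figure 4.2)."""
    if not hmac.compare_digest(keyed_md5(ks_mh_ha, fields), mac):
        return None, None                    # step 4 fails: no reply is produced
    _, fa_id, ha_id, mh_home, _, t_mh = fields
    in_window = abs(now - t_mh) <= WINDOW_SECONDS
    result = ACCEPTED if in_window else OUT_OF_WINDOW
    reply = [REPLY, result, fa_id, ha_id, mh_home, t_mh if in_window else now]
    return reply, keyed_md5(ks_mh_ha, reply)

def mh_check_reply(ks_mh_ha, reply, mac):
    """Step 7: the MH recomputes the MAC; a match authenticates the HA to the MH."""
    if not hmac.compare_digest(keyed_md5(ks_mh_ha, reply), mac):
        return BAD_MAC
    return reply[1]                          # Result Code

def run_registration(ks_mh_ha, t_mh, now, tamper=False):
    """One registration; `tamper` models an FA altering the care-of address in transit."""
    fields, mac = mh_build_request(ks_mh_ha, "10.0.1.1", "10.0.0.1",
                                   "10.0.0.25", "10.0.1.25", t_mh)
    fwd, mac = fa_forward(fields, mac)
    if tamper:
        fwd[4] = "10.0.1.99"                 # without KSMH-HA the FA cannot re-MAC
    reply, rmac = ha_handle_request(ks_mh_ha, fwd, mac, now)
    if reply is None:
        return BAD_MAC, None
    return mh_check_reply(ks_mh_ha, reply, rmac), reply[5]   # result, time stamp TS
```

The returned time stamp is the MH's own when it was accepted and the HA's clock value when the MH must resynchronize.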
4.4 Security Concerns in Mobile Host to Mobile Host Communication
Most discussion of the Mobile IP protocol focuses on communication between a Corresponding Host (CH) and a Mobile Host, with the implicit assumption that the CH sits at a fixed location in the Internet. Naturally, as wireless Internet access grows, the scenario in which two MHs, both roaming freely, attempt to communicate is becoming increasingly important. In a 1998 paper presented at the 1998 Glocom conference, Alessandra Giovanardi and Gianluca Mazzini proposed protocols to optimize communication performance in the MH-to-MH scenario. The problem with communication between two MHs under the Mobile IP protocol is that the triangular routing problem grows rapidly. Where a fixed CH attempts to communicate with a roaming MH, it first sends its packets to the MH's home network, where they are intercepted by the HA. The HA then forwards these packets to the MH's current location (this indirection is called triangular routing). Packets travelling in the other direction, although they must first be sent over the wireless link from the MH to the FA, can travel directly to the CH (the CH having a fixed IP address). With two MHs, however, packets travelling in both directions are first sent to the home networks of the respective MHs, and triangular routing becomes two-way triangular routing. To solve this triangular routing problem, Giovanardi and Mazzini proposed the use of an External Agent (EA). The EA builds up knowledge of the current locations of both MHs and of their respective FAs. A secure tunnel can then be established over the routes between these two FAs, eliminating the two-way triangular routing. Under this MH-to-MH communication scheme, Giovanardi and Mazzini point out that security mechanisms are needed to protect against both fraudulent MHs and entities posing as network infrastructure in order to arrange the secure tunnels between FAs. The authors propose a security scheme consisting of the following five elements or items:
1. through the HA, an address formed as the combination of the MH's IP address and its MAC (Media Access Control) address is used rather than the IP address alone. Because the MAC address is a unique bit string embedded in hardware or firmware, it is harder to modify and to imitate than the software-based IP address. The HA therefore maintains a cache of IP/MAC address pairs that is used in authenticating MHs.
2. address information, the FA applies a one-way hash function to the MH's MAC address and sends this value, rather than the MAC address itself, to the HA together with the MH's IP address. The HA can then use the IP address it received to consult its table of IP/MAC address pairs, retrieve the expected MAC address, and apply the hash algorithm to that MAC address. If the resulting value matches the hash value received from the FA, the MH is authenticated.
3. agents in a defined community share a secret key. When messages are transmitted between agents, a hash function is applied to the combination of the message, or part of the message, and the secret key. The receiving agent can then compute its own hash value and confirm that the message originated from a node possessing the secret key.
4. Use of time stamps: to guard against attacks, time stamps are included in control messages whether or not the message is authenticated. The receiving system evaluates the time stamp in the message and accepts the message if the stamp falls within a defined window. This protocol requires some degree of time synchronization between agents, achieved through use of RFC 1305 NTP.
5. Use of message key codes: under this sub-protocol, the shared secret key is used and a keyed message code is then generated and appended to the message. This helps ensure the confidentiality and integrity of the messages exchanged between agent systems.
It should be noted that the Giovanardi and Mazzini proposals in this section are concerned mainly with security and authentication as applied to the interactions among HAs, FAs and the External Agent in Mobile IP. It is also important to take steps to protect the wireless link between the MH and the FA.
4.5 Hybrid Approach to Authentication under Mobile IP
Authentication under the basic Mobile IP registration protocol presented above necessarily stops short of a public-key based method. It has been criticized as not scalable for environments in which many administrative organizations want to interoperate and want their MHs to make use of services through networks administered by other organizations. In a 1999 paper, Sufatrio and Kwok Yan Lam proposed a hybrid private-key, public-key approach to authentication under Mobile IP, designed to address the scalability problem without fundamentally changing the message exchange of the Mobile IP registration protocol. This is accomplished by allowing the HA to play the roles of both public-key authentication agent and Key Distribution Center (KDC) for session keys. Sufatrio and Lam argue that this is a sensible choice for the rapidly developing public-key infrastructure (PKI), in which the MH and the HA typically belong to the same organization.
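The HA-side checks of items 1 to 4 of the Giovanardi/Mazzini scheme in section 4.4, as an added example written for this page and not code from the authors; the IP/MAC cache entries, the agent community secret, the window width and the clock values are constructed samples, and SHA-256 stands in for the unspecified one-way hash.

```python
import hashlib
import hmac

# Added example (not from the thesis): the HA-side checks of items 1-4 of the
# Giovanardi/Mazzini scheme.  Cache entries, the community secret, the window
# width and the NTP-synchronised clock values are constructed samples.

WINDOW_SECONDS = 5          # assumption: tolerated skew between NTP-synchronised agents

def hash_mac_address(mac_address: str) -> str:
    """Item 2: the FA sends the one-way hash of the MH's MAC address, not the address."""
    return hashlib.sha256(mac_address.lower().encode()).hexdigest()

class HomeAgent:
    """Holds the IP/MAC cache (item 1) and the agent community's shared secret (item 3)."""
    def __init__(self, ip_mac_cache: dict, agent_secret: bytes):
        self.cache = ip_mac_cache
        self.secret = agent_secret

    def authenticate_mh(self, ip: str, hashed_mac: str) -> bool:
        """Look up the cached MAC for this IP, hash it and compare (item 2)."""
        cached = self.cache.get(ip)
        if cached is None:
            return False
        return hmac.compare_digest(hash_mac_address(cached), hashed_mac)

    def keyed_digest(self, message: str, timestamp: int) -> str:
        """Item 3: hash over the message (with its time stamp) combined with the secret.
        The text describes hashing message plus key; HMAC would be today's choice."""
        data = f"{message}|{timestamp}".encode() + self.secret
        return hashlib.sha256(data).hexdigest()

    def accept_agent_message(self, message: str, timestamp: int, digest: str, now: int) -> str:
        """Items 3 and 4: verify the keyed hash, then enforce the acceptance window.
        Without the window, a correctly keyed old message could simply be re-sent."""
        if not hmac.compare_digest(self.keyed_digest(message, timestamp), digest):
            return "bad_digest"
        if abs(now - timestamp) > WINDOW_SECONDS:
            return "stale"
        return "accepted"
```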
responsible for issuing certificates in the key infrastructure.
HAID, FAID (Identifiers of the HA and FA): The HA and FA are identified by their respective IP addresses.
MHHM (Home Address of the MH): The home address of the MH consists of its IP address on its home network.
MHCOA (Care-of-Address of the MH): The current care-of address of the MH.
TMH, THA (Time Stamps): The time stamps created by the MH and the HA respectively.
KSHA-MH (Symmetric Private Key): A symmetric key
in the private/public key pairs belonging to the asymmetric key pairs of the HA, FA and CA respectively.
KUHA, KUFA, KUCA (Public Keys): The public keys in the private/public key pairs belonging to the asymmetric key pairs of the HA, FA and CA respectively.
CertHA, CertFA (Certificates): The digital certificates of the HA and FA respectively.
Request, Reply, Advert (Message-Type Codes): Strings
agent advertisement. The agent advertisement consists of the FA's certificate and a message string M1 comprising a code indicating that this is an agent advertisement message, the IP address of the FA, and the Care-of-Address that will be assigned to the MH. The FA also appends a digital signature created by applying the private key KRFA of its private/public key pair to message M1.
indicating a service request, the IP address of the FA, the IP address of the MH's HA, the home address of the MH, the COA of the MH (just received from the FA), a nonce created by the HA, a nonce created by the MH, and a copy of message M1 received in the previous step. The MH signs this message with the secret key KSMH-HA, which it shares with its HA. The FA receives message M2 and forwards it to the MH's HA, appending a nonce of its own.
copy of its shared secret key KSMH-HA. The HA confirms that the IP addresses of the FA specified in message M1 and in message M2 match, and then evaluates the validity of the FA's certificate in its capacity as a public-key authentication center. The HA can then also evaluate the validity of the FA's digital signature on message M1, retrieving the public key KUFA from the FA's certificate.
registration, the IP address of the FA, the IP address of the HA, the home address of the MH, a nonce created by the HA, and the nonce previously created by the MH. A digital signature created with the secret key shared by the HA and the MH is appended to string M4, and the nonce sent by the FA is then appended to this string, forming message M3. The HA in turn signs M3 using the private key of its private/public key pair.
validity of its nonce NFA received from the HA; (2) evaluates the validity of the digital signature on message M3 using the HA's public key; and (3) creates a log entry with this message, which later serves as evidence that it provided service to the MH. The FA also extracts message M4, as described in step 5 above, from the complete transmission it received from the HA. The FA then forwards message M4 to the MH over the wireless link.
(This makes the Sufatrio/Lam protocol a hybrid private-key and public-key design.) The three entities HA, FA and MH are now authenticated to one another and can proceed with their communication session. The operation of the Sufatrio/Lam protocol is shown in Figure 4.3. In fact, the MH does not authenticate the FA directly, but it can be assured that the HA has done so when it receives message M4 and validates the signature on that message. This signature is derived from a secret that only this MH shares with the HA. Under the Sufatrio/Lam protocol the MH does not have to perform certificate evaluation or check revocation lists, which reduces the processing and communication burden on the mobile unit.
such a PKI for mobile computing is a difficult obstacle to overcome. However, research by John Zao and colleagues at BBN Technology and cooperating organizations on the design and implementation of the MoIPS (Mobile IP Security) system provides a model architecture for such an infrastructure and a sketch of how Mobile IP security might be implemented in the future.
[Figure 4.3 content: Mobile Host, Foreign Host, Home Agent.
Agent advertisement (FA to MH): M1 = Advert, FAID, HAID, MHHM, MHCOA || Sig(KRFA, M1) || CertFA
Mobile IP registration (MH to FA to HA): M2 = Request, FAID, HAID, MHHM, MHCOA, NHA, NMH, agent advertisement message || Sig(KSMH-HA, M2)
HA: confirm FAID in agent advertisement = FAID in M2; validate CertFA; validate signature on M1 using the FA's public key
Reply (HA to FA): M3 = Reply, Result, HAID, FAID, MHHM, TMH or THA || MAC(KSMH-HA, M3)
FA: validate NFA; validate CertHA; validate signature on M3 using the HA's public key; log message; forward [M4]
MH: validate using KSMH-HA]
Figure 4.3: Diagram illustrating the operation of the Sufatrio/Lam protocol for authentication in the Mobile IP environment. [From Sufatrio and Lam]
resources in the visited network, and (3) providing secure tunnels for redirected IP packets.
Authentication during location updates: MoIPS supports both basic Mobile IP and what is called route-optimized Mobile IP. Under route-optimized Mobile IP, CHs that provide mobility support can be informed of the current location of the MH they wish to communicate with, thereby eliminating the detour of triangular routing through the home network. The security risk is the remote traffic-redirection attack, in which an impersonator instructs the CH to forward packets to a location other than the one where the MH currently resides. Under MoIPS, every Mobile IP registration and binding update (the location-change message delivered to the CH) includes a 64-bit identification tag to prevent such attacks, and one or more authentication extensions providing data integrity and origin authentication through the use of a MAC created by a hash function. MoIPS also provides cryptographic key pairs for use between MH and FA, between FA and HA, and between MH and Corresponding Agent.
Access control for Mobile Hosts: Under the MoIPS architecture, both the end nodes (such as MH and CH) and the mobility support agents (HA and FA) hold X.509 certificates containing public-key parameters as well as information on the identity and affiliation of the entities. Certificates are issued through CA hierarchies in the manner prescribed by the X.509 standard. An FA can use an MH's certificate to authenticate the MH, and success of the authentication process is implied when the FA forwards a registration request from the MH to the HA. Authorization to use network resources, however, involves checks of the MH's status that take place as part of the authentication process (for example, checking whether the MH's owner is paying his bills). Only the HA performs this status check. A successful check, and hence authorization to use the requested network resources, is indicated when the HA returns a reply to the FA.
Secure Tunneling of IP Packets: In the Mobile IP world, data packets travelling between Mobile Nodes, FAs, HAs and CHs (which, as we have seen, may themselves be MHs) traverse the wide and unprotected Internet, and at least part of their journey passes over a wireless link. Steps must be taken to protect the packets against eavesdropping and modification. The MoIPS system architecture specifies that the HA and FA are responsible for ensuring that all communication with the MH uses secure tunnels providing data integrity, origin authentication and, where required, data confidentiality. MoIPS specifies the use of tunnel-mode IPSec ESP (Encapsulating Security Payload) as the method of achieving these security goals. The communicating parties negotiate the confidentiality and cryptographic mechanisms used within the ESP framework, but all packets are encapsulated in an IPSec header and an outer IP header that identifies the endpoints of the tunnel. To accomplish this, MoIPS includes a system module supporting IPSec and ISAKMP (Internet Security Association and Key Management Protocol). Compared with the authentication protocols for digital cellular networks studied in earlier chapters, MoIPS clearly has its origins in the world of Internet protocols rather than in the proprietary protocols of cellular communication networks. Also clearer is its dependence on public-key cryptography and on the elements of a PKI, including digital certificates and a set of interrelated CAs.
with Version 2 Certificate Revocation Lists (CRL). For the certificate repository the MoIPS designers used the standard Internet Domain Name System (DNS). According to the authors, this approach has several advantages: (1) using the well-known and widely deployed DNS helps solve the server-discovery problem; (2) public certificates remove the requirement for real-time transmission of keys, and the need for a Key Distribution Center (KDC) infrastructure such as Kerberos would require; and (3) it meets the requirement for a highly scalable approach: a technology is needed that can establish shared secrets among a large number of nodes spread across many Internet domains.
3. The CA hierarchy under MoIPS assumes a multi-tree architecture. Each tree in the structure has a Top-Level CA (TLCA), zero or more Middle-Level CAs (MLCA), and a layer of lower-level CAs. Each lower-level CA is responsible for a block of contiguous addresses and issues MoIPS certificates to the Mobile IP entities whose IP addresses fall within that range (for example, all nodes on a given network would likely be served by the same CA). Cross-certification is permitted among the TLCAs and the MLCAs.
4. Participation in MoIPS requires possession of a certificate. Every entity wishing to take part in communication sessions in the MoIPS environment, whether MH, FA, HA or mobility-aware CH, must obtain an X.509 V3 certificate with a specific profile defined for MoIPS. Certificates for CHs are required only when MoIPS supports secure route-optimized Mobile IP.
5. In MoIPS certificates, the entity's IP address is used as the certificate subject name for MHs, FAs, HAs and CHs. While this means that a certificate must be reissued whenever an entity changes its IP address, it allows a single computer system to operate, for instance, as both HA and FA on different interfaces. In the case of a CA, by contrast, the domain name in its standard form is used as the subject name on the certificate, eliminating the need for a domain-name lookup in that case.
6. MoIPS uses the SHA-1 hash algorithm to create the digital signatures on X.509 certificates. MoIPS uses a Diffie-Hellman (DH)-like technique to create cryptographic keys, such as session keys. Each MoIPS certificate contains the DH public values needed to support the Diffie-Hellman key exchange. The Diffie-Hellman secret and the anti-replay identification value are fed into the HMAC function (MoIPS uses HMAC-MD5) as the key and message components respectively. The output is then used in authenticating Mobile IP control messages by passing the output string and the control message through the HMAC function.
7. MoIPS uses the RSA CryptoKi CAPI (Cryptographic Application Program Interface) as the mechanism for accessing cryptographic engines. Also supported is the PF_Key CAPI for managing short-term keys (such as session keys) and security associations. The MoIPS designers created a third API, called Cert_API, to provide a path between the key management modules and the system's certificate validators.
8. MoIPS uses key-policy extension fields in certificates to convey the information needed for access control under Mobile IP.
9. Under Mobile IP, secure IPSec tunnels can be established from MH to FA, from MH to HA, and from FA to HA. In addition, outside the scope of MoIPS/Mobile IP, a secure tunnel can be established between MH and CH to provide end-to-end encryption and communication security. Mobile IP entities operating in the MoIPS environment can request the establishment of IPSec tunnels by adding an IPSec tunnel-option extension field to the standard Mobile IP Agent Solicitation, Agent Advertisement and Registration Request messages. The details of the tunnel to be established are then negotiated between the entities through ISAKMP.
An initial prototype of the MoIPS environment, developed by the BBN researchers reusing system modules developed earlier at CMU and Portland State University, was completed in 1997. Its key features are: (1) the ability to retrieve X.509 certificates and revocation lists from DNS servers as X.509 certificate/CRL resource records; (2) the ability to validate X.509 certificates and CRLs by traversing the multi-tree CA hierarchy; (3) the ability to authenticate Mobile IP registration messages constructed according to the IETF specification using session keys created by the public-key algorithm described above; and (4) the integration of MH-to-CH IPSec tunnels with the redirection of Mobile IP packets. A block diagram of the system modules of the MoIPS prototype is shown in Figure 4.4.
[Figure 4.4 modules: Key Management Module (Portland State); Zero-Message Key Management Module; PF-Key API; Internet Security Association and Key Management Protocol Module; Cert API; CryptoKi CAPI; IPSec Module (Portland State); Certificate Discovery Protocol Module]
Figure 4.4: Block diagram of the MoIPS environment prototype. (From Zao et al.)
Target applications for enhanced versions of MoIPS include implementing extended IPSec support and route-optimized Mobile IP for virtual private networks containing MHs. The authors identify a need to investigate fast location management and more sophisticated management of security associations.
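The key derivation and control-message authentication of item 6, together with the 64-bit identification tag from the location-update paragraph, as an added example that is not MoIPS code; the Diffie-Hellman group is a deliberately tiny constructed toy, and the binding-update message and care-of addresses are sample values.

```python
import hashlib
import hmac
import secrets

# Added example (not MoIPS code): the item 6 key derivation and control-message
# authentication, plus the 64-bit identification tag used against replayed
# location updates.  The Diffie-Hellman group is a deliberately tiny constructed
# toy (never deploy such parameters); the message and addresses are samples.

P = 0xFFFFFFFFFFFFFFC5   # 2**64 - 59, a 64-bit prime: toy group, illustration only
G = 2

def dh_keypair():
    """Private exponent and the DH public value a MoIPS certificate would carry."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def dh_shared_secret(own_private: int, peer_public: int) -> bytes:
    """The Diffie-Hellman secret, serialised as the 8-byte key component for HMAC-MD5."""
    return pow(peer_public, own_private, P).to_bytes(8, "big")

def derive_session_key(dh_secret: bytes, ident_tag: int) -> bytes:
    """HMAC-MD5 with the DH secret as key and the identification tag as message."""
    return hmac.new(dh_secret, ident_tag.to_bytes(8, "big"), hashlib.md5).digest()

def authenticate_control_message(session_key: bytes, message: bytes) -> bytes:
    """The first HMAC output becomes the key for HMAC-MD5 over the control message."""
    return hmac.new(session_key, message, hashlib.md5).digest()

class BindingUpdateReceiver:
    """A CH checking binding updates: the MAC must verify and the tag must be fresh."""
    def __init__(self, dh_secret: bytes):
        self.dh_secret = dh_secret
        self.highest_tag = -1                 # highest identification tag accepted so far

    def verify(self, ident_tag: int, message: bytes, tag: bytes) -> str:
        key = derive_session_key(self.dh_secret, ident_tag)
        if not hmac.compare_digest(authenticate_control_message(key, message), tag):
            return "bad_mac"                  # redirection attempt lacking the DH secret
        if ident_tag <= self.highest_tag:
            return "replayed"                 # a correctly keyed but old update
        self.highest_tag = ident_tag
        return "accepted"

def demo_round_trip(ident_tag=1, message=b"binding-update coa=10.0.1.25"):
    """MH and CH agree a DH secret; the MH authenticates an update; the CH verifies it."""
    x, gx = dh_keypair()
    y, gy = dh_keypair()
    mh_secret, ch_secret = dh_shared_secret(x, gy), dh_shared_secret(y, gx)
    assert mh_secret == ch_secret             # both sides derive the same DH secret
    tag = authenticate_control_message(derive_session_key(mh_secret, ident_tag), message)
    receiver = BindingUpdateReceiver(ch_secret)
    first = receiver.verify(ident_tag, message, tag)
    replay = receiver.verify(ident_tag, message, tag)
    forged = receiver.verify(ident_tag + 1, b"binding-update coa=192.0.2.9", tag)
    return first, replay, forged
```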
CONCLUSION
This thesis is chiefly a review of the literature and a survey of the key current trends under study in subscriber authentication for digital cellular networks and the wireless Internet. It identifies key implementations and several leading studies in this field in order to give an outline of current work, attempting to highlight the most important problems and trends and to offer projections for future investment. It is important, however, to recognize that the whole field of authentication and security for the wireless internetworking environment is a work in progress. Many questions, such as the ongoing competition between public-key and private-key cryptographic technology, remain unresolved, while the underlying computing and communication platforms keep evolving. Security technology for wireless communications will continue to change rapidly over the coming decade as both the potential for implementing the technology and the nature of the threats to security evolve over time. From a study such as this thesis some elements of the development roadmap can be predicted. The remaining elements will surely stay hidden. The unexpected has frequently driven course corrections throughout the history of the Internet, and it will probably continue to do so with increasing frequency as the history of the wireless Internet unfolds.
Dung
2. Textbook on Third-Generation Mobile Communications. Compiled by Dr. Nguyen Pham Anh Dung.
3. 3G Wireless Networks. Clint Smith, Daniel Collins and others. McGraw-Hill, 2002.
4. Subscriber Authentication and Security in Digital Cellular Network.