Introduction: Cryptographic and message-authentication mechanisms are the foundation for building secure applications in a system, particularly in a networked environment. This chapter presents several applications of cryptography and message authentication in building network protocols and services that keep a system secure. The applications covered in this chapter are:
- Authentication protocols
- IPSec (Internet Protocol Security)
- SSL (Secure Sockets Layer)
- SET (Secure Electronic Transaction)
- Maximum lifetime of a password (password age).
- Old passwords may not be reused (password history).
On the user's side, the general rules that make password authentication safer are:
- Use many different kinds of characters in the password, so as to enlarge the password space (letters, digits, special symbols, a mix of upper- and lower-case, ...).
- Do not use passwords that are too short.
- Do not use keywords or meaningful words as the password.
- Change the password regularly. (Current guidance, NIST SP 800-63B, advises against forcing periodic changes when no compromise is suspected, because users respond with predictable variants; a password should be changed promptly whenever it may have been exposed.)
- Never write the password down anywhere.
- Never disclose the password to anyone, even in situations that appear completely safe.
On authentication servers, user passwords are normally not stored directly in their original form (cleartext) but in a transformed form that is safe to store, in practice a salted one-way hash, so that an attacker who obtains the password database still has to guess each password. In addition, so that a password cannot be stolen while in transit, many more elaborate authentication procedures have been built to guarantee that the password itself is never sent in cleartext over the network.
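As an added example (not part of the original text), the following Python code shows what "not stored in cleartext" and "password history" look like on a verifier: only a random salt and PBKDF2-HMAC-SHA256(password, salt) are stored, verification re-derives and compares in constant time, and reuse is detected against the stored hashes rather than against any cleartext. The policy rules, user names and the tiny deny-list are constructed for the example.

```python
import hashlib
import hmac
import os
import re

# Added example (not from the textbook): how a verifier stores and checks
# passwords without keeping cleartext. Only a random salt and
# PBKDF2-HMAC-SHA256(password, salt) are stored; "password history" is
# enforced against the stored hashes. Names and the deny-list are constructed.

PBKDF2_ITERATIONS = 100_000
HISTORY_DEPTH = 5          # reject the last 5 passwords (password history)
MIN_LENGTH = 12
DENY_LIST = {"password", "qwerty", "letmein"}   # constructed; real lists are far larger

def derive(password, salt, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated one-way transform of the password (never stored in cleartext)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def check_policy(password):
    """Return the list of rules the candidate password violates (empty means OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("needs at least three character classes")
    if password.lower() in DENY_LIST:
        problems.append("dictionary word")
    return problems

class PasswordStore:
    def __init__(self):
        # user -> {"salt": bytes, "hash": bytes, "history": [(salt, hash), ...]}
        self._records = {}

    def set_password(self, user, password):
        problems = check_policy(password)
        if problems:
            raise ValueError("policy: " + ", ".join(problems))
        rec = self._records.get(user)
        previous = ([(rec["salt"], rec["hash"])] + rec["history"]) if rec else []
        # history check: re-derive with each old salt; no cleartext is ever kept
        for old_salt, old_hash in previous:
            if hmac.compare_digest(derive(password, old_salt), old_hash):
                raise ValueError("policy: password was used recently")
        salt = os.urandom(16)
        self._records[user] = {"salt": salt, "hash": derive(password, salt),
                               "history": previous[:HISTORY_DEPTH]}

    def verify(self, user, password):
        rec = self._records.get(user)
        if rec is None:
            derive(password, bytes(16))   # burn the same time for unknown users
            return False
        return hmac.compare_digest(derive(password, rec["salt"]), rec["hash"])
```

The unknown-user branch still runs one derivation so that response time does not reveal which user names exist; the history check costs one derivation per remembered password, which is why HISTORY_DEPTH is kept small.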
Figure: PAP exchange. User -> Server: Authenticate request (user-name + password); Server -> User: Authenticate ack or Authenticate nak.
- CHAP is a more elaborate authentication protocol, used in the PPP link protocol and in several other systems. Its security advantage over PAP is that it uses a one-way hash function, so the authentication secret is never sent directly over the network. Authentication with CHAP proceeds in the following steps (a challenge-response process): after the PPP link is established, to decide whether the user is allowed access, the server sends the user a challenge block containing a random value generated by the server. On receiving the challenge, the user computes a one-way hash (MD5 in RFC 1994) over the CHAP identifier byte, its own secret (password) and the challenge value, and returns the digest to the server together with its user name. The server performs the same computation and compares the result with the one received to decide whether authentication has succeeded. Two consequences are worth noting: the server must hold each user's secret in a recoverable form (it cannot verify against a one-way hash of the secret), and an eavesdropper who captures a challenge and its response can test candidate passwords offline, so the secret must still be strong.
A further feature of this protocol that increases the safety of the link is that the challenge-response process is repeated many times during the lifetime of the connection. If a user's reply is invalid, the connection is torn down immediately.
Figure: CHAP exchange. Server -> User: Challenge; User -> Server: Response; Server -> User: Success / Failure.
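The challenge-response exchange just described, as an added example with both sides implemented (not code from the original text). The response is MD5(identifier || secret || challenge) as in RFC 1994; the authenticator keeps every challenge usable exactly once, which is what defeats replay of a captured response. The `offline_guess` function shows the caveat above: one captured exchange lets an eavesdropper test guesses offline. User names and secrets are constructed.

```python
import hashlib
import hmac
import os

# Added example (not from the textbook): a CHAP exchange in the style of
# RFC 1994, both sides. The response is MD5(identifier || secret || challenge);
# the user name travels alongside it, and the secret never leaves either host.
# User names and secrets below are constructed.

def chap_response(identifier, secret, challenge):
    """The one-way function both sides compute (RFC 1994, section 4.1)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapAuthenticator:
    """Server side: issues challenges, checks responses, rejects replays."""
    def __init__(self, secrets):
        self._secrets = dict(secrets)   # name -> secret; CHAP forces the server to keep it recoverable
        self._pending = {}              # identifier -> outstanding challenge
        self._next_id = 0

    def challenge(self):
        ident = self._next_id & 0xFF    # the 8-bit Identifier field
        self._next_id += 1
        chal = os.urandom(16)           # fresh, unpredictable challenge value
        self._pending[ident] = chal
        return ident, chal

    def verify(self, ident, name, response):
        chal = self._pending.pop(ident, None)   # a challenge is valid exactly once
        secret = self._secrets.get(name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, chal), response)

class ChapPeer:
    """Client side: holds its secret and answers challenges."""
    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, ident, challenge):
        return self.name, chap_response(ident, self.secret, challenge)

def run_exchange(authenticator, peer):
    """Challenge -> Response -> Success/Failure, as in the figure above."""
    ident, chal = authenticator.challenge()
    name, resp = peer.respond(ident, chal)
    return authenticator.verify(ident, name, resp)

def offline_guess(ident, challenge, response, candidates):
    """What an eavesdropper can do with one captured exchange: test guesses offline."""
    for guess in candidates:
        if chap_response(ident, guess, challenge) == response:
            return guess
    return None
```

Note that `ChapAuthenticator` holds the secret itself, not a hash of it: this is inherent to CHAP, so the secrets file on a CHAP server must be protected as carefully as the cleartext passwords it contains.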
In distributed systems, many servers providing services are managed by a single authentication centre. The authentication protocol in such a system must satisfy two basic requirements: the authentication information must be protected (the user name and password are never sent directly over the network), and the user logs in only once per session yet can use every service available in the system.
Example: a Windows network configured as a Domain. The domain contains several servers providing different services: a print server, a file server, shared Internet access (through a proxy server), and so on. When a user logs in from a member machine of the domain, that user must be able to reach every service in the domain (according to the rights granted) without re-entering the user name and password for each service. This centralised management is convenient for both users and the system. A typical authentication procedure in such a system consists of the following steps. A user logs in from a workstation (C) in the system and requests access to server V. Workstation C asks the user for a user name and password and forwards them to the authentication centre AS (Authentication Server). The AS checks whether the user name and password are valid, and also whether this user is allowed to use the services of server V. If both checks succeed, the user is allowed to access the services of V. To make that possible, the AS creates a ticket containing the identity of the user, the network address of the workstation and the identity of server V. The ticket is encrypted with the secret key shared between the AS and V, and is sent to C. From then on C can request services from V by sending messages with the ticket attached. Server V decrypts the ticket and grants C access to its services.
(1) C → AS: IDC + PC + IDV
(2) AS → C: Ticket
(3) C → V: IDC + Ticket
that is, Ticket = E([IDC + ADC + IDV], KV), where:
C: the workstation (client).
AS: the authentication server.
V: the server providing the service.
IDC: identity (login name) of the user.
IDV: identity of server V.
PC: the user's password.
ADC: the network address of the workstation.
KV: the secret key of server V.
This procedure solves the confidentiality problem by introducing the ticket, in which the sensitive information is encrypted into a special message before it travels over the network. Two problems, however, remain unsolved:
1. If the user needs a service many times, or several services on different servers, must the user run the authentication procedure, and therefore type the password, each time?
2. The procedure still contains one step (the first) in which the authentication information (the password) is sent over the network unencrypted.
The following procedure solves both problems:
When the user logs in:
(1) C → AS: IDC + IDtgs
(2) AS → C: E(Tickettgs, KC)
When the user accesses a type of service (per service type):
(3) C → TGS: IDC + IDV + Tickettgs
(4) TGS → C: TicketV
When the user accesses a particular service session (per service session):
(5) C → V: IDC + TicketV
where
Tickettgs = E([IDC + ADC + IDtgs + TS1 + Lifetime1], Ktgs)
TicketV = E([IDC + ADC + IDV + TS2 + Lifetime2], KV)
In this procedure a new component is added to the authentication system: the ticket-granting server (TGS). When the user authenticates successfully with the AS, instead of issuing a service ticket directly, the AS issues the user a ticket for the TGS, which acts as confirmation that this is a valid user. From then on, whenever the user needs a service, the user only has to send that ticket together with the request to the TGS in order to be issued a service ticket. The AS therefore issues a ticket to the user only once; in other words the ticket is reusable, both when the user uses one service many times and when the user uses several different services, without re-entering the password. In detail: workstation C requests a ticket confirming that the user is valid (a Ticket-Granting Ticket) by sending the user's identity to the AS, together with the identity of the TGS. The AS returns that ticket to the workstation encrypted with a key derived from the user's password (KC). Hence, if the user supplies the correct password the ticket is decrypted successfully; otherwise the authentication is considered to have failed.
Thus the user's password is never sent directly over the network. Because this ticket is reusable, its period of validity has to be managed: a timestamp is attached to it that fixes how long the ticket remains valid. To prevent the ticket from being altered or forged, it is encrypted once more with the secret key shared between the AS and the TGS. After obtaining the ticket confirming that the user is valid, the workstation can request a service on server V by requesting a Service-Granting Ticket from the TGS. The information sent to the TGS consists of the identity of server V, the ticket confirming that the user is valid, and the user's login name. The TGS decrypts that ticket to check it and, if it is valid, issues the service ticket to the user. This ticket is encrypted with the secret key shared between V and the TGS. With the service ticket, the user can then use the service on server V.
This procedure therefore solves the two problems: tickets are reusable and the password is not sent directly over the network. However, two further problems arise:
- First, if the lifetime of the tickets is too short, the user may have to re-enter the password to obtain new ones; if it is too long, the risk of a ticket being stolen grows. Therefore, when accepting a ticket, the server (TGS or V) must be sure that it is really dealing with the user whose login name is contained in the ticket.
- Second, alongside the user authenticating to the server, the server must also authenticate itself to the user, to rule out the case where the server itself is an impostor.
These are precisely the remaining issues solved by the Kerberos authentication protocol.
 Authenticatorc = E([IDC + ADC + TS3], Kc,tgs)
5. The client requests the service:
 C → V: TicketV + Authenticatorc
 with Authenticatorc = E([IDC + ADC + TS5], Kc,v)
6. The server authenticates itself to the client (optional):
 V → C: E([TS5 + 1], Kc,v)
 with TicketV = E([Kc,v + IDC + ADC + IDV + TS4 + Lifetime4], KV)
Figure 3.3: Kerberos 4 authentication procedure (client C, authentication server AS, ticket-granting server TGS; ticket-granting-ticket request, ticket + session key).
The fields of the Kerberos messages:
- Message (1): the client requests a ticket confirming the user (Ticket-Granting Ticket):
  IDC: identity of the user (sent by the client to the AS, based on the user's login information).
  IDtgs: identity of the TGS, telling the AS that the client wants to reach the TGS.
  TS1: timestamp, used to synchronise the clocks of the AS and the client.
- Message (2): the AS returns the ticket-granting ticket:
  KC: the user's password itself serves as the encryption key; this both protects the message and lets the AS verify the user's password, since a client without the correct password cannot decrypt the message.
  Kc,tgs: secret key shared between the client and the TGS, generated by the AS. It is valid only for one session (session key).
  IDtgs: identity of the TGS, confirming that this ticket lets the client reach the TGS.
  TS2: timestamp giving the time the ticket was created.
  Lifetime2: tells the client how long the ticket is valid.
  Tickettgs: the ticket the client uses to reach the TGS.
- Message (3): the client requests a service ticket (Service-Granting Ticket):
  IDV: identity of server V, telling the TGS which server's service the client wants.
  Tickettgs: the ticket issued to the client by the AS.
  Authenticatorc: a value generated by the client to prove that it owns the ticket.
- Message (4): the TGS returns the service-granting ticket:
  Kc,tgs: key shared between the client and the TGS, protecting the contents of message (4).
  Kc,v: secret key shared between the client and server V, generated by the TGS;  valid only for one session (session key).
  IDv: identity of server V, confirming which server the ticket is for.
  TS4: timestamp giving the time the ticket was created.
  TicketV: the ticket the client uses to reach server V.
- Contents of Tickettgs:
  Tickettgs: this ticket is reused so that the user need not re-enter the password when accessing another service.
  Ktgs: secret key shared between the AS and the TGS.
  Kc,tgs: the session key the TGS uses to decrypt the authenticator; shared between the client and the TGS.
  IDC: identity of the client, i.e. the owner of the ticket.
  ADC: network address of the client, to stop another machine that steals the ticket from using it to request services.
  IDtgs: identity of the TGS, confirming that the ticket was decrypted correctly.
  TS2: timestamp giving the time the ticket was created.
  Lifetime2: lifetime of the ticket, limiting its reuse (replay).
- Contents of Authenticatorc in message (3):
  Kc,tgs: key shared between the client and the TGS, used to encrypt the authenticator.
  IDc: identity of the client; must match the ID in the ticket.
  ADc: network address of the client; must match the address in the ticket.
  TS3: timestamp giving the time the authenticator was created.
- Message (5): the client requests the service:
  TicketV: shows that the client was authenticated (the ticket was issued through the AS).
  Authenticatorc: the client's authenticator for this ticket.
- Message (6): the server authenticates itself to the client:
  Kc,v: key shared between the client and server V.
  TS5 + 1: the timestamp incremented by one, so that the reply cannot be a replay.
- Contents of TicketV:
  TicketV: can be reused when the client again requests services from the same server V, without requesting a new ticket.
  KV: key shared between the TGS and server V.
  Kc,v: key shared between the client and V, used by V to decrypt the authenticator.
  IDc: identity of the client. ADc: network address of the client. IDv: identity of server V.
  TS4: time the ticket was created. Lifetime4: lifetime of the ticket.
- Contents of Authenticatorc in message (5):
  Kc,v: key shared between the client and server V, used to encrypt the authenticator.
  IDc: identity of the client; must equal IDc in the ticket. ADc: network address of the client; must equal the address in the ticket.
  TS5: time the authenticator was created.
- Combining several Kerberos systems: a complete environment using Kerberos authentication consists of a Kerberos server, application servers and the clients that use the services, where:
- The Kerberos server must hold the list of all user names and the hashed passwords of these users. All clients must be registered with the Kerberos server.
- The Kerberos server shares a secret key with each of the other servers. All servers must be registered with the Kerberos server.
An environment satisfying these conditions is called a Kerberos realm. Servers and clients belonging to different administrative units therefore belong to different Kerberos realms. The Kerberos protocol also includes procedures that allow Kerberos realms to be combined so that services are provided uniformly. Figure 3.4 shows the operation of this procedure. The sequence of the inter-realm procedure is summarised as follows:
(1) C → AS: IDc + IDtgs + TS1
(2) AS → C: E([Kc,tgs + IDtgs + TS2 + Lifetime2 + Tickettgs], Kc)
(3) C → TGS: IDtgsrem + Tickettgs + Authenticatorc
(4) TGS → C: E([Kc,tgsrem + IDtgsrem + TS4 + Tickettgsrem], Kc,tgs)
(5) C → TGSrem: IDvrem + Tickettgsrem + Authenticatorc
(6) TGSrem → C: E([Kc,vrem + IDvrem + TS6 + Ticketvrem], Kc,tgsrem)
(7) C → Vrem: Ticketvrem + Authenticatorc
Figure 3.4: Authentication across two Kerberos realms (realm A with its AS and TGS; the remote realm's Kerberos TGS and server; service request and service delivery).
- Kerberos 5: an upgraded version of Kerberos 4 with the following differences:
Kerberos 4 depends tightly on the DES symmetric encryption algorithm, whereas Kerberos 5 can work with any encryption algorithm. Kerberos 4 depends on IP addresses for authentication; Kerberos 5 can use any network address type. Kerberos 4 uses an extra byte in its messages to indicate the byte order of the message; Kerberos 5 uses ASN.1 (Abstract Syntax Notation One) syntax with BER (Basic Encoding Rules) to define the byte ordering of messages unambiguously. The ticket lifetime in Kerberos 4 is held in an 8-bit field in units of 5 minutes, so the maximum lifetime of a ticket is 5 × 2^8 = 1280 minutes (about 21 hours). In Kerberos 5 the lifetime is expressed as a start time and an end time, so it can be arbitrarily long. Kerberos 4 does not support authentication forwarding, the mechanism by which a client accesses a server and asks that server to access the service of another server under the client's identity; Kerberos 5 provides this capability. With N realms inter-operating, Kerberos 4 requires on the order of N^2 relationships between realms; Kerberos 5 requires far fewer.
The Kerberos 5 authentication procedure is summarised as follows:
(1) C → AS: Options + IDc + Realmc + IDtgs + Times + Nonce1
(2) AS → C: Realmc + IDc + Tickettgs + E([Kc,tgs + Times + Nonce1 + Realmtgs + IDtgs], Kc)
 with Tickettgs = E([Flags + Kc,tgs + Realmc + IDc + ADc + Times], Ktgs)
(3) C → TGS: Options + IDv + Times + Nonce2 + Tickettgs + Authenticatorc
(4) TGS → C: Realmc + IDc + Ticketv + E([Kc,v + Times + Nonce2 + Realmv + IDv], Kc,tgs)
 with Tickettgs = E([Flags + Kc,tgs + Realmc + IDc + ADc + Times], Ktgs)
  Ticketv = E([Flags + Kc,v + Realmc + IDc + ADc + Times], Kv)
  Authenticatorc = E([IDc + Realmc + TS1], Kc,tgs)
(5) C → V: Options + Ticketv + Authenticatorc
(6) V → C: E([TS2 + Subkey + Seq#], Kc,v)
 with Ticketv = E([Flags + Kc,v + Realmc + IDc + ADc + Times], Kv)
  Authenticatorc = E([IDc + Realmc + TS2 + Subkey + Seq#], Kc,v)
Besides the components already present in Kerberos 4, this procedure adds the following new ones:
- Realm: the realm of the user.
- Options: flags used to request that additional information be placed in the ticket.
- Times: used by the client to request the time parameters of the ticket: from, till, rtime.
- Nonce: a random value generated in the request to guarantee that the reply is a genuine answer to it rather than a replayed message.
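The Kerberos 4-style exchange of messages (1) to (6), including the ticket-granting server introduced for the Windows-domain example and the checks that answer the two remaining problems (is this really the ticket's owner, and is the server genuine), as an added example that is not the textbook's code. The AS, TGS, server V and client are Python objects; "E(data, K)" from the text is a stand-in cipher built from HMAC-SHA256 (keystream plus tag) so that decryption with a wrong key or a tampered ticket fails loudly, where real Kerberos 4 used DES. Principal names, addresses, lifetimes and the clock-skew tolerance are constructed for the example.

```python
import hashlib
import hmac
import json
import os

# Added example (not the textbook's code): Kerberos 4-style messages (1)-(6).
# E/D are a toy encrypt-then-MAC stand-in for DES so the example runs offline.
# Principals, addresses and lifetimes are constructed.

SKEW = 300   # seconds of clock difference tolerated on authenticator timestamps

def E(key, obj):
    """Encrypt-then-MAC a JSON-serialisable object; returns hex."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(12)
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(pt) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return (nonce + ct + tag).hex()

def D(key, blob):
    """Inverse of E; raises ValueError if the key is wrong or the data was altered."""
    raw = bytes.fromhex(blob)
    nonce, ct, tag = raw[:12], raw[12:-16], raw[-16:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16], tag):
        raise ValueError("wrong key or tampered message")
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

def password_key(password):            # Kc: derived from the user's password
    return hashlib.sha256(b"krb-demo|" + password.encode()).digest()

def new_session_key():
    return os.urandom(32).hex()        # session keys travel inside JSON as hex

def check_ticket(server_key, ticket, authenticator, my_id, src_addr, now, seen):
    """Shared by TGS and V: decrypt the ticket, check its lifetime, match the authenticator."""
    t = D(server_key, ticket)
    if t["IDsrv"] != my_id or not t["TS"] <= now < t["TS"] + t["Life"]:
        raise PermissionError("ticket is for another server or has expired")
    a = D(bytes.fromhex(t["K"]), authenticator)          # only the ticket owner knows K
    if a["IDc"] != t["IDc"] or a["ADc"] != t["ADc"] or src_addr != t["ADc"]:
        raise PermissionError("authenticator does not match ticket or source address")
    if abs(a["TS"] - now) > SKEW or (a["IDc"], a["TS"]) in seen:
        raise PermissionError("stale or replayed authenticator")
    seen.add((a["IDc"], a["TS"]))
    return t, a

class AS:
    def __init__(self, users, ktgs, lifetime=8 * 3600):
        self.users, self.ktgs, self.lifetime = users, ktgs, lifetime   # users: IDc -> Kc
    def handle(self, idc, idtgs, ts1, src_addr, now):                  # message (1) -> (2)
        k = new_session_key()
        tgt = E(self.ktgs, {"K": k, "IDc": idc, "ADc": src_addr, "IDsrv": idtgs,
                            "TS": now, "Life": self.lifetime})
        return E(self.users[idc], {"K": k, "IDtgs": idtgs, "TS2": now,
                                   "Life": self.lifetime, "Ticket": tgt})

class TGS:
    def __init__(self, ktgs, servers, lifetime=3600):
        self.ktgs, self.servers, self.lifetime, self.seen = ktgs, servers, lifetime, set()
    def handle(self, idv, tgt, auth, src_addr, now):                   # message (3) -> (4)
        t, _ = check_ticket(self.ktgs, tgt, auth, "tgs", src_addr, now, self.seen)
        k = new_session_key()
        tv = E(self.servers[idv], {"K": k, "IDc": t["IDc"], "ADc": t["ADc"],
                                   "IDsrv": idv, "TS": now, "Life": self.lifetime})
        return E(bytes.fromhex(t["K"]), {"K": k, "IDv": idv, "TS4": now, "Ticket": tv})

class Server:
    def __init__(self, idv, kv):
        self.idv, self.kv, self.seen = idv, kv, set()
    def handle(self, ticket, auth, src_addr, now):                     # message (5) -> (6)
        t, a = check_ticket(self.kv, ticket, auth, self.idv, src_addr, now, self.seen)
        return E(bytes.fromhex(t["K"]), {"TS5+1": a["TS"] + 1})       # proves V knows Kc,v

class Client:
    def __init__(self, idc, password, addr):
        self.idc, self.kc, self.addr = idc, password_key(password), addr
    def login(self, as_, now):
        reply = D(self.kc, as_.handle(self.idc, "tgs", now, self.addr, now))  # wrong password -> ValueError
        self.kc_tgs, self.tgt = bytes.fromhex(reply["K"]), reply["Ticket"]
    def get_service_ticket(self, tgs, idv, now):
        auth = E(self.kc_tgs, {"IDc": self.idc, "ADc": self.addr, "TS": now})
        reply = D(self.kc_tgs, tgs.handle(idv, self.tgt, auth, self.addr, now))
        return bytes.fromhex(reply["K"]), reply["Ticket"]
    def use_service(self, server, kc_v, ticket, now):
        auth = E(kc_v, {"IDc": self.idc, "ADc": self.addr, "TS": now})
        reply = D(kc_v, server.handle(ticket, auth, self.addr, now))
        return reply["TS5+1"] == now + 1                               # mutual authentication
```

The `seen` set plays the role of a replay cache: the timestamp alone does not stop an attacker from re-sending an authenticator within the skew window, so the server remembers (IDc, TS) pairs it has accepted. The address check (ADc in the ticket against the observed source) is the Kerberos 4 defence against a stolen ticket being used from another host.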
III.2 IP SECURITY
III.2.1 Applications and characteristics of IPSec:
IP security (IPSec) provides a means of secure communication within a LAN, between LANs connected to each other through a WAN, and between different networks on the Internet. IPSec is an extension of the IP protocol, implemented uniformly in both versions of IP, IPv4 and IPv6.
- Typical applications of IPSec include:
Connecting the branches of an organisation across the Internet, by building virtual private networks (VPN) over a public WAN or the Internet. An organisation can connect the subnets of its branches into one private network at low cost while still keeping it secure.
Remote access over the Internet: to reach a service remotely, a user traditionally had to dial up to the server providing it. With IPSec, the user only needs to connect to the nearest Internet service provider (ISP) and can then reach the remote server securely through IPSec, without paying for a long-distance call.
Improving the security of commercial transactions on the Internet, as applied to web shops and Internet payment services.
Figure: components of an IPSec-protected packet: IP header, IPSec header, IP payload.
- Advantages of IPSec:
- When IPSec is deployed on the firewall or router of a private network, its protection can be applied to all traffic entering and leaving the private network, and no other component needs to do additional security work.
- IPSec is implemented below TCP and UDP and operates transparently to them, so no software change or service reconfiguration is needed when IPSec is deployed.
- IPSec can be configured to be transparent to end-user applications, hiding the complex configuration details that a user would otherwise have to handle when connecting to an internal network remotely over the Internet.
Figure 3.6: IPSec document structure (architecture; ESP protocol; AH protocol; encryption algorithms; authentication algorithms; key management; domain of interpretation).
Each of these is defined in its own document (Figure 3.6):
- Architecture: specifies the structure, concepts and requirements of IPSec.
- ESP protocol: describes ESP, the protocol that provides encryption and message authentication in IPSec.
- AH protocol: defines another protocol whose functions are close to those of ESP. When deploying IPSec, the user can therefore choose ESP or AH. Each protocol has its own advantages and drawbacks, presented in this section.
- Encryption algorithms: define the encryption and decryption algorithms used in IPSec. IPSec relies mainly on symmetric encryption algorithms.
- Authentication algorithms: define the message authentication algorithms used in AH and ESP.
- Key management: describes the key management and distribution mechanisms of IPSec.
- Domain of Interpretation (DOI): defines the environment in which IPSec operates. As presented above, IPSec is not a single technology but a combination of many mechanisms, protocols and techniques, each with several modes of operation. Determining the set of modes needed to deploy IPSec in a particular situation is the function of the domain of interpretation.
Transport mode and tunnel mode are presented separately for each of the AH and ESP protocols. The encryption/decryption and message authentication algorithms were presented in chapter 2, so this section concentrates on the operation of the AH and ESP protocols and then introduces the key management mechanisms of IPSec.
III.2.5 AH:
AH (Authentication Header) is the authentication protocol of IPSec; its function is to guarantee the integrity of data carried over an IP network. AH allows a system to authenticate the user or application at the other end and to filter packets accordingly. AH also limits spoofing attacks and replay attacks. AH is based on a message authentication code (MAC), so both ends of the SA must share a secret key in order to run AH. The AH header (Figure 3.7) has the following layout:
Figure 3.7: AH header layout (bit positions 0, 8, 16, 31):
 Next Header (8 bits) | Payload Length (8 bits) | Reserved (16 bits)
 Security Parameters Index (32 bits)
 Sequence Number (32 bits)
 Authentication Data (variable, a multiple of 32 bits)
- Next Header (8 bits): identifies the type of header that immediately follows the AH header.
- Payload Length (8 bits): the length of the AH header in 32-bit words, minus 2. For example, with 96 bits (= 3 × 32 bits) of authentication data plus the fixed part of the AH header, another 3 × 32 bits, the total is 6 × 32 bits, and the Payload Length field is then 4.
- Reserved (16 bits): reserved, not yet used.
- Security Parameters Index (SPI, 32 bits): identifies the SA, as presented above.
- Sequence Number (32 bits): the sequence number.
- Authentication Data: the authentication data; variable length, but always a multiple of 32 bits. This field holds the Integrity Check Value (ICV), i.e. the MAC (Message Authentication Code), of the whole packet.
- Anti-replay service: a service that blocks replay attacks, as presented in chapter 1. The Sequence Number field of the AH header is used to
mark the order of packets sent on one SA. The counter starts at 0 when the SA is created and is incremented before each packet is sent, so the first packet carries sequence number 1. To guarantee that no number is ever repeated, when the counter reaches its maximum (2^32 - 1) it does not wrap around to 0; instead a new SA is established to continue transmission. On the receiving side, packets are processed with the sliding-window mechanism shown in Figure 3.8; the default window size is 64. It works as follows: if the received packet falls within the valid range of the window and is a new packet rather than a retransmission, its MAC is checked; if the MAC is correct (the packet is authenticated), the corresponding slot in the window is marked.
Figure 3.8: The sliding window in AH: a window of fixed size W, advanced to the right whenever a valid packet beyond its right edge is received.
If the received packet lies to the right of the window and is new, its MAC is checked; if it is correct, the window is advanced to the right so that the new packet becomes its right edge, and the corresponding slot is marked. If the received packet lies to the left of the window, or its MAC is invalid, it is discarded.
- Message authentication: the authentication code (the Authentication Data field) is generated in one of two ways:
- HMAC-MD5-96: the HMAC construction with MD5, truncated to the first 96 bits.
- HMAC-SHA-1-96: the HMAC construction with SHA-1, truncated to the first 96 bits.
The MAC algorithm is applied over the following parts:
The fields of the IP header that are not modified while the packet is forwarded, or whose value on arrival at the end of the SA is predictable. The remaining (mutable) fields of the IP header are replaced by zero bits for the computation.
The fields of the AH header except Authentication Data; that field is replaced by zero bits for the computation.
The entire upper-layer packet (the payload of the IP packet).
- Transport mode and tunnel mode: Figure 3.9 shows two different authentication cases:
- End-to-end authentication: authentication directly between two end systems (a server and a workstation, or two workstations). It may take place on the same internal network or between two different networks; the only requirement is that the two ends share the secret key. This case uses the transport mode of AH.
- End-to-intermediate authentication: authentication between an end system and an intermediate device (a router or firewall). This case uses the tunnel mode of AH.
Figure 3.9: The two authentication modes of AH (end-to-end between server and workstation across the internal network; end-to-intermediate between a workstation and a router/firewall).
Figure 3.10 shows the extent of the protection AH applies to the packet in the two modes.
Figure 3.10: Scope of AH protection. a) Original IP packet: IP | TCP | Data; b) and c) the same packet in transport mode (AH inserted after the IP header) and in tunnel mode (a new outer IP header added in front of AH).
III.2.6 ESP:
ESP (Encapsulating Security Payload) is the other option for implementing IPsec, alongside the message-authentication protocol AH. The main function of ESP is to provide confidentiality for data carried over an IP network by means of encryption. ESP also offers an option to guarantee data integrity through an authentication mechanism. Thus, when using ESP, the user may or may not select the authentication function, while encryption is the default function of ESP.
Figure 3.11: ESP packet layout (bit positions 0, 8, 16, 24, 31):
 Security Parameters Index (SPI) (32 bits)
 Sequence Number (32 bits)
 Payload Data (variable)
 Padding (0-255 bytes) | Pad Length (8 bits) | Next Header (8 bits)
 Authentication Data (variable)
An ESP packet consists of the following parts (Figure 3.11):
- Security Parameters Index (SPI, 32 bits): identifies the SA, as in the AH protocol.
- Sequence Number (32 bits): the sequence number, with the same function as in AH.
- Payload Data: the data protected by encryption; variable length. In transport mode this is the whole layer-4 segment (TCP or UDP); in tunnel mode it is the whole IP packet. Standard ESP uses the symmetric cipher DES, but other ciphers may be used: 3DES (three keys), RC5, IDEA, triple IDEA (three keys), CAST, Blowfish. (DES itself is no longer considered secure; current IPSec deployments use AES.)
- Padding (0-255 bytes): some ciphers require the plaintext length to be a multiple of a fixed block size, so filler bytes are added to reach that length. In addition, ESP requires the Pad Length and Next Header fields to be right-aligned within a 32-bit word, so the padding must make the whole encrypted region a multiple of 32 bits.
- Pad Length (8 bits): the number of bytes in the padding.
- Next Header (8 bits): identifies the type of data carried in the payload data field.
- Authentication Data: holds the authentication value; variable length, but a multiple of 32 bits. It is computed over the whole ESP packet except the Authentication Data field itself.
- Transport mode and tunnel mode: Transport mode: encryption and authentication are applied to the payload of the IP packet (the whole data unit of the layer above IP). Tunnel mode: the whole IP packet is encrypted and authenticated. The difference between the two modes is shown in Figure 3.12.
Figure 3.12: ESP in its two modes.
a) Original IP packet: IP | TCP | Data
b) Transport mode: IP | ESP header | TCP | Data | ESP trailer | ESP auth
 encrypted: TCP, Data, ESP trailer; authenticated: ESP header through ESP trailer
c) Tunnel mode: IP (new) | ESP header | IP (old) | TCP | Data | ESP trailer | ESP auth
 encrypted: old IP header, TCP, Data, ESP trailer; authenticated: ESP header through ESP trailer
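The ESP packet layout of Figures 3.11 and 3.12, as an added example that is not the textbook's code: it pads the payload so that Pad Length and Next Header end on a 32-bit boundary (and on the pretend 8-byte block size of DES), computes the ICV over SPI, sequence number and ciphertext but not over the ICV itself, and on receipt checks the ICV before decrypting. The cipher is a keystream placeholder derived with SHA-256 so that the example runs offline; real ESP uses DES/3DES/AES. Keys, SPI and payloads are constructed; Next Header 6 marks a TCP segment (transport mode) and 4 an encapsulated IP packet (tunnel mode).

```python
import hashlib
import hmac
import struct

# Added example (not from the textbook): ESP encapsulation/decapsulation with
# the trailer layout of Figure 3.11. The cipher is a toy keystream
# (SHA-256 of key || SPI || seq || counter) standing in for DES/3DES/AES.
# Integrity: HMAC-SHA-1-96 over SPI || seq || ciphertext. Keys are constructed.

BLOCK = 8        # pretend cipher block size (DES/3DES); padding aligns to it
ICV_LEN = 12     # 96-bit ICV

def keystream(key, spi, seq, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack("!IIQ", spi, seq, ctr)).digest()
        ctr += 1
    return out[:n]

def esp_encapsulate(enc_key, auth_key, spi, seq, next_hdr, payload):
    # Pad so that payload + padding + Pad Length(1) + Next Header(1) is a multiple of BLOCK;
    # BLOCK is a multiple of 4, so the two trailer bytes also end on a 32-bit boundary.
    pad_len = (-(len(payload) + 2)) % BLOCK
    padding = bytes(range(1, pad_len + 1))            # RFC 2406 default: 1, 2, 3, ...
    plaintext = payload + padding + bytes([pad_len, next_hdr])
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, spi, seq, len(plaintext))))
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, header + ct, hashlib.sha1).digest()[:ICV_LEN]
    return header + ct + icv

def esp_decapsulate(enc_key, auth_key, pkt):
    """Returns (spi, seq, next_hdr, payload); raises ValueError on ICV or padding failure."""
    header, ct, icv = pkt[:8], pkt[8:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(auth_key, header + ct, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ESP ICV check failed")     # checked BEFORE any decryption
    spi, seq = struct.unpack("!II", header)
    pt = bytes(a ^ b for a, b in zip(ct, keystream(enc_key, spi, seq, len(ct))))
    pad_len, next_hdr = pt[-2], pt[-1]
    if pad_len > len(pt) - 2 or pt[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad padding")
    return spi, seq, next_hdr, pt[:-2 - pad_len]

def transport_mode(enc_key, auth_key, spi, seq, tcp_segment):
    """ESP header goes between the IP header and the TCP segment; Next Header = 6 (TCP)."""
    return esp_encapsulate(enc_key, auth_key, spi, seq, 6, tcp_segment)

def tunnel_mode(enc_key, auth_key, spi, seq, inner_ip_packet):
    """The whole original IP packet is the payload; Next Header = 4 (IP-in-IP)."""
    return esp_encapsulate(enc_key, auth_key, spi, seq, 4, inner_ip_packet)
```

Verifying the ICV before decrypting is what turns a padding error into a non-event: a forged packet never reaches the padding check, so the receiver gives an attacker no oracle on the plaintext. The receiver's anti-replay window is the same as for AH and is not repeated here.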
Figure: the position of SSL in the protocol stack (HTTP above it; TCP and IP below it).
Two basic concepts used in SSL are the connection and the session.
- A connection is a (temporary) link between one end point and another that provides a suitable kind of service. Every connection is associated with a session.
- A session is an association between a client and a server, created by the SSL Handshake protocol. A session defines the security parameters that are shared by several connections. The state of a session is defined by the following parameters:
Session identifier: a random byte string chosen by the server to identify a session state.
Peer certificate: the X.509v3 public-key certificate of the peer entity. This element may be absent.
Compression method: the algorithm used to compress data before encryption.
Cipher spec: specifies the encryption algorithm and the hash function used in the session.
Master secret: the 48-byte secret shared between the client and the server.
Is resumable: indicates whether this session can be used to initiate new connections.
Server and client random: byte strings chosen at random by the server and the client, used to distinguish connections from each other.
Server write MAC secret: the secret key used to compute the MAC on data sent by the server.
Client write MAC secret: the secret key used to compute the MAC on data sent by the client.
Server write key: the secret key used to encrypt data sent by the server.
Client write key: the secret key used to encrypt data sent by the client.
Initialization vectors: the initialisation vector (IV) used in CBC (Cipher Block Chaining) mode. This value is initialised by the SSL record protocol.
Sequence numbers: the sequence numbers of the messages sent and received on the connection.
Figure 3.14: Operation of the SSL record protocol (original data; fragmentation; compression; MAC; encryption; record header).
The SSL record protocol provides two basic services for SSL connections: confidentiality and data integrity.
Figure 3.14 shows the operation of the SSL record protocol. The operations SSL performs on the data are: fragmentation, compression, authentication (MAC), encryption, adding the necessary header, and finally sending the whole unit inside a TCP segment. On the receiving side the process is performed in reverse.
Figure 3.15: SSL record layout: Content Type | Major Version | Minor Version | Compressed Length, followed by the (optionally compressed) plaintext and the MAC.
An SSL record consists of the following parts (Figure 3.15):
- Content Type (8 bits): the upper-layer protocol that will process the data in this record.
- Major Version (8 bits): the major SSL version; 3 for SSLv3.
- Minor Version (8 bits): the minor SSL version; 0 for SSLv3.
- Compressed Length (16 bits): the length in bytes of the data (plaintext).
- Plaintext: the upper-layer data carried in the SSL record, possibly compressed.
- MAC: the message authentication code; 0 bytes long if the authentication function is not used.
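The framing and MAC steps of Figures 3.14 and 3.15 as an added example (not code from the original text), with a null cipher so it runs offline. Each direction has its own write MAC secret and its own sequence number, and the MAC covers the sequence number, content type, version, length and fragment; that is what lets the reader reject a tampered record, a replayed record and a record sent with the other direction's key, all with the same `bad_record_mac` alert. HMAC-SHA-1 is used as a stand-in for SSLv3's own hash-with-padding MAC construction (the structure shown is the same; TLS 1.0 switched to HMAC). Keys are constructed.

```python
import hashlib
import hmac
import struct

# Added example (not from the textbook): SSL record framing and MAC with a
# null cipher. HMAC-SHA-1 stands in for SSLv3's MAC construction; keys are
# constructed. Compression is omitted (the "null" compression method).

MAX_FRAGMENT = 2 ** 14          # 16 KiB upper bound on a record fragment
CT_ALERT, CT_HANDSHAKE, CT_APPDATA = 21, 22, 23
VERSION = (3, 0)                # SSLv3: major 3, minor 0
MAC_LEN = 20

def record_mac(key, seq, content_type, fragment):
    header = struct.pack("!QBBBH", seq, content_type, VERSION[0], VERSION[1], len(fragment))
    return hmac.new(key, header + fragment, hashlib.sha1).digest()

class RecordWriter:
    """Sending side of one connection: fragments data, appends the MAC, prepends the header."""
    def __init__(self, write_mac_secret):
        self.key, self.seq = write_mac_secret, 0
    def write(self, content_type, data):
        records = []
        for off in range(0, len(data), MAX_FRAGMENT):
            frag = data[off:off + MAX_FRAGMENT]
            mac = record_mac(self.key, self.seq, content_type, frag)
            body = frag + mac                     # encryption of (frag + mac) would happen here
            records.append(struct.pack("!BBBH", content_type, VERSION[0], VERSION[1], len(body)) + body)
            self.seq += 1                         # one sequence number per record, per direction
        return records

class RecordReader:
    """Receiving side: parses the header and checks the MAC with the peer's write MAC secret.
    Returns (content_type, fragment) on success or (alert_name, None) on failure."""
    def __init__(self, peer_write_mac_secret):
        self.key, self.seq = peer_write_mac_secret, 0
    def read(self, record):
        if len(record) < 5:
            return "unexpected_message", None
        ct, major, minor, length = struct.unpack("!BBBH", record[:5])
        body = record[5:5 + length]
        if (major, minor) != VERSION or len(body) != length or length < MAC_LEN:
            return "illegal_parameter", None
        frag, mac = body[:-MAC_LEN], body[-MAC_LEN:]
        if not hmac.compare_digest(record_mac(self.key, self.seq, ct, frag), mac):
            return "bad_record_mac", None        # covers tampering, replay and reordering alike
        self.seq += 1
        return ct, frag
```

A reader whose sequence number has moved on rejects a replayed record even though its MAC was once valid, which is why the sequence number is never carried in the record: both sides count independently.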
... the current SSL connection; other connections in the same session may continue, but the session may not establish any new connection. The SSL alert messages are:
- unexpected_message: an inappropriate message was received.
- bad_record_mac: the record just received has an invalid MAC.
- decompression_failure: the decompression operation failed.
- handshake_failure: the sender was unable to negotiate an acceptable set of security parameters.
- illegal_parameter: a field in a handshake message is invalid.
- close_notify: notifies that the connection is being closed.
- no_certificate: sent in reply to a certificate request when no suitable certificate is available.
- bad_certificate: the certificate is invalid (its signature does not verify).
- unsupported_certificate: the certificate type is not supported.
- certificate_revoked: the certificate has been revoked.
- certificate_expired: the certificate has expired.
- certificate_unknown: the certificate could not be processed for a reason other than those above.
SSL, by contrast, sits at user level and must be built into each particular application (mail, web, ...) without involving the operating system. Because of these differences, SSL is usually used to protect the connections of a specific application, especially web and e-mail, whereas IPSec is usually used to build virtual private networks (VPN) on which the application services are then deployed.
Figure: the SSL handshake between client and server (time runs downwards; exchanges drawn with dotted lines are optional, present or absent depending on how SSL is being used).
Phase 1: establish the security parameters: protocol version, session identifier, cipher suite, compression method and the initial random values.
Phase 2: the server may send its public-key certificate and its key exchange message (server key), and may request the client's certificate; it ends the phase with server_hello_done.
Phase 3: the client sends its certificate if the server requested one and performs the key exchange with the server (client key); it may also send certificate_verify to prove possession of the private key belonging to its certificate.
Phase 4: each side sends change cipher spec followed by finished, completing the handshake.
Note that SET works by accessing the TCP/IP layer directly, without using other application-layer protocols. Nevertheless, the operation of SET does not interfere with other security mechanisms such as IPSec or SSL.
- Components of SET:
- Cardholder: the credit-card holder who performs payment transactions on the Internet (the buyer).
- Merchant: an individual or organisation selling goods or services online (through the web or e-mail). The merchant must be able to accept card payments and must have a relationship with a financial institution (the acquirer).
- Issuer: the financial institution (usually a bank) that issues the credit card. It is responsible for payment on behalf of the cardholder.
- Acquirer: another financial institution, which has a relationship with the merchant and performs authorisation of the buyer's account and payment. The acquirer checks the buyer's account and tells the merchant whether the balance is sufficient for the transaction to go ahead. After the purchase has been made, the acquirer transfers funds from the buyer's account to the merchant's account and presents the payment request to the issuing bank (issuer).
- Payment gateway: the component responsible for processing payment messages; it is operated by the acquirer or by a designated third party. The payment gateway is the interface between SET and the bank's payment system, used for authorisation and payment. The merchant thus actually exchanges messages with the payment gateway over the Internet, and the payment gateway then connects to the acquirer's financial processing system.
- Certification authority (CA): the component that creates certificates according to the X.509v3 standard and distributes them to cardholders, merchants and payment gateways. The success of SET depends on the existence of CAs. Usually the CAs are organised in a hierarchy of several related CAs.
Figure: the SET participants (merchant and the other parties) connected over the Internet.
- Performing a transaction with SET: a typical SET transaction consists of the following steps:
1. The customer opens an account at a bank that offers online payment (MasterCard, Visa, ...) and becomes a cardholder.
2. The customer receives an X.509v3 certificate, digitally signed by the bank, containing the customer's RSA public key and its expiry date.
3. The merchant obtains certificates: a merchant must have two different certificates holding public keys for two purposes, message signing and key exchange. The merchant also holds a copy of the payment gateway's certificate.
4. The customer places an order, through the merchant's website or by e-mail.
5. The merchant is verified: the merchant sends its certificate to the buyer to prove its ownership of a particular shop.
6. The order and payment instructions are sent: the buyer sends the order instruction and the payment instruction to the merchant together with the buyer's certificate. The payment information (the card number) is encrypted so that the merchant cannot read it but can still verify its validity.
7. The merchant requests payment authorisation through the payment gateway.
8. The merchant confirms the order by sending a notice to the buyer.
9. The merchant ships the goods (or begins providing the service) to the buyer.
10. The merchant requests payment through the payment gateway.
Figure: constructing the dual signature:
 PIMD = H(PI), OIMD = H(OI), POMD = H(PIMD || OIMD), dual signature = E(POMD, PRc)
 PI: Payment Information; OI: Order Information; H: hash function (SHA-1); ||: concatenation of two blocks; PIMD: PI message digest; OIMD: OI message digest; POMD: Payment Order message digest; E: encryption algorithm (RSA); PRc: the buyer's private key.
... completed, the customer or the merchant is notified.
- Purchase inquiry: the buyer checks the status of an order after confirming the order with the merchant.
- Authorization reversal: the merchant corrects a previous authorisation request. If the order cannot be fulfilled at all, the whole previous authorisation is reversed; if the order is only partly fulfilled (the buyer cancels part of it), the merchant reverses only the corresponding part of the authorisation.
- The merchant corrects the payment-request information previously sent to the payment gateway.
- Credit: the merchant returns money to the buyer's account when goods are returned for any reason (damaged, wrong specification, ...).
- The merchant corrects the preceding Credit transaction, i.e. the refund to the buyer's account.
- Payment gateway certificate request: the merchant requests a copy of the payment gateway's certificate.
- Batch administration: the merchant informs the payment gateway about shipping batches.
- Error message: reports an error that occurred in the transaction.
- Purchase request: only after the buyer has finished choosing goods and placing the order online does the purchase-request procedure begin. Note that choosing goods and placing the order are done over ordinary connections (e-mail or web) without any involvement of SET. The purchase-request process consists of four messages: Initiate Request, Initiate Response, Purchase Request and Purchase Response. To be able to send SET messages to the merchant, the buyer needs a copy of the certificates of the merchant and of the payment gateway. The Initiate Request message asks the merchant to supply the certificates the buyer needs. The merchant answers with an Initiate Response message containing the random value (nonce) previously generated by the buyer, another random value generated by the merchant, the identifier of the current transaction, and the certificates of the merchant itself and of the payment gateway. All of this is authenticated by the merchant's signature. The buyer verifies the certificates received, then creates the order information (OI) and the payment information (PI), both containing the transaction identifier the merchant has just generated. The buyer then prepares the Purchase Request message, which contains:
Payment-related information: PI, the dual signature, OIMD and a digital envelope. This information is encrypted with a secret key Ks generated by the buyer for each transaction.
Order-related information: OI, the dual signature and PIMD. Note that OI is sent directly, without encryption.
Chng thc ca ngi mua hng. Xc minh chng thc ca ngi mua hng. Kim chng ch k song song ca ngi mua hng. X l n t hng v chuyn thng tin thanh ton cho Payment Gateway kim tra. Gi bn tin Purchase Response cho ngi mua hng.
Khi ngi bn hng nhn c Purchase Request, h s thc hin cc thao tc sau y:
Bn tin Purchase Response cha cc thng tin chp nhn n t hng v cc tham chiu n s nhn din giao tc tng ng. Thng tin ny c k bi ngi bn hng v gi cho ngi mua hng cng vi chng thc ca ngi bn. Ngi mua hng khi nhn c bn tin Purchase Response s tin hnh kim tra ch k v chng thc ca ngi bn hng.
Figure 3.18: Verification of the purchase request (Purchase Request) at the Merchant. [figure; labels recovered from the page: Purchase Request message, PIMD, H, OI, POMD, OIMD, compare, PUc]
Figure 3.19: Construction of the Purchase Request message by the cardholder. [figure; labels recovered from the page: Purchase Request message, PI, Dual Signature, Ks, Digital envelope, OI, PUb, Dual Signature, Cardholder certificate]
-Payment authorization: This is the procedure by which the merchant verifies the validity of the cardholder through the Payment Gateway. The authorization process ensures that the transaction is approved by the card-issuing bank (Issuer), and therefore that the merchant is guaranteed payment. The process is carried out through two messages: Authorization Request and Authorization Response. The Authorization Request message sent by the merchant to the Payment Gateway consists of the following:
Purchase-related information, comprising: PI, the dual signature, OIMD and the digital envelope.
Authorization-related information, comprising: the transaction ID, encrypted with a secret key generated by the merchant, and a digital envelope, encrypted with the Payment gateway's public key.
The certificates of the cardholder and of the merchant.
On receiving the Authorization Request, the Payment Gateway performs the following steps:
Verify all certificates.
Decrypt the digital envelope of the purchase information block.
Verify the merchant's signature.
Decrypt the digital envelope of the authorization block.
Verify the dual signature.
Verify the transaction ID.
Request authorization from the card-issuing bank.
If it receives a successful authorization from the card-issuing bank, the Payment Gateway replies with an Authorization Response message containing the following information:
Authorization-related information, comprising: the authorization block signed by the Payment Gateway and encrypted with a secret key generated by the Payment Gateway, plus a digital envelope.
Capture-related information (the information needed to carry out the payment).
The Payment gateway's certificate.
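The purchase request and payment authorization flow above, worked through as an added example; this is not code from the chapter or from the SET specification. It assumes textbook RSA over hard-coded Mersenne primes in place of the padded RSA SET used, a SHA-256 counter keystream in place of DES, and SHA-256 truncated to 128 bits as the digest H so that digests fit below the RSA modulus; the function names (dual_signature, cardholder_purchase_request, merchant_verify, gateway_open), the wire layout of the sealed payment block and the sample PI/OI strings are all constructed for the illustration. It shows the merchant verifying the dual signature from OI and PIMD alone (Figure 3.18), the Payment gateway opening the envelope and checking the same signature over PI and OIMD, and an altered OI failing the merchant's check.

```python
"""SET purchase request: dual signature plus digital envelope (added illustration).
Toy primitives, labelled as such: textbook RSA, SHA-256 keystream, 128-bit H."""
import hashlib
import os

E = 65537
# Known Mersenne primes; adequate only to make the arithmetic run, never for real use.
CARDHOLDER_PRIMES = (2**61 - 1, 2**89 - 1)
GATEWAY_PRIMES = (2**107 - 1, 2**127 - 1)

def make_keypair(p, q):
    """Return (public, private) = ((n, e), (n, d)) for the toy RSA scheme."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def h(data: bytes) -> bytes:
    """Digest H: PIMD = H(PI), OIMD = H(OI), POMD = H(PIMD || OIMD)."""
    return hashlib.sha256(data).digest()[:16]

def rsa_sign(priv, digest: bytes) -> int:
    n, d = priv
    return pow(int.from_bytes(digest, "big"), d, n)

def rsa_verify(pub, digest: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(digest, "big")

def rsa_wrap(pub, key: bytes) -> int:
    """Digital envelope: the session key Ks encrypted with the gateway's PUb."""
    n, e = pub
    return pow(int.from_bytes(key, "big"), e, n)

def rsa_unwrap(priv, env: int, length: int) -> bytes:
    n, d = priv
    return pow(env, d, n).to_bytes(length, "big")

def sym_crypt(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream (self-inverse)."""
    out = bytearray()
    for i, off in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def dual_signature(priv_c, pi: bytes, oi: bytes):
    """DS = Sign(PRc, H(H(PI) || H(OI))): binds PI and OI without revealing either."""
    pimd, oimd = h(pi), h(oi)
    return rsa_sign(priv_c, h(pimd + oimd)), pimd, oimd

def cardholder_purchase_request(priv_c, pub_b, pi: bytes, oi: bytes) -> dict:
    """Figure 3.19: payment part sealed for the gateway, order part in clear for the merchant."""
    ds, pimd, oimd = dual_signature(priv_c, pi, oi)
    ks = os.urandom(16)                       # per-transaction session key Ks
    # Constructed layout: PI | '|' | OIMD(16) | '|' | DS(20 bytes, big-endian)
    sealed = sym_crypt(ks, pi + b"|" + oimd + b"|" + ds.to_bytes(20, "big"))
    return {"payment": sealed, "envelope": rsa_wrap(pub_b, ks),   # for the Payment gateway
            "oi": oi, "pimd": pimd, "ds": ds}                     # for the merchant

def merchant_verify(pub_c, req: dict) -> bool:
    """Figure 3.18: the merchant never sees PI; it recomputes POMD from PIMD and H(OI)."""
    return rsa_verify(pub_c, h(req["pimd"] + h(req["oi"])), req["ds"])

def gateway_open(priv_b, pub_c, req: dict):
    """Payment gateway: open the envelope, recover PI, verify the dual signature.
    Returns (signature_ok, pi)."""
    ks = rsa_unwrap(priv_b, req["envelope"], 16)
    blob = sym_crypt(ks, req["payment"])
    ds, oimd, pi = int.from_bytes(blob[-20:], "big"), blob[-37:-21], blob[:-38]
    return rsa_verify(pub_c, h(h(pi) + oimd), ds), pi

def demo() -> dict:
    pub_c, priv_c = make_keypair(*CARDHOLDER_PRIMES)   # cardholder
    pub_b, priv_b = make_keypair(*GATEWAY_PRIMES)      # Payment gateway
    pi = b"card=4111-xxxx exp=12/29 amount=49.90 txid=T001"   # constructed sample PI
    oi = b"item=book qty=1 txid=T001"                          # constructed sample OI
    req = cardholder_purchase_request(priv_c, pub_b, pi, oi)
    tampered = dict(req, oi=b"item=book qty=10 txid=T001")    # order altered in transit
    gw_ok, pi_seen = gateway_open(priv_b, pub_c, req)
    return {"merchant_ok": merchant_verify(pub_c, req),
            "tampered_ok": merchant_verify(pub_c, tampered),
            "gateway_ok": gw_ok, "pi_recovered": pi_seen == pi,
            "pi_hidden": pi not in req["oi"] and pi not in req["payment"]}

if __name__ == "__main__":
    print(demo())
```

The two verifiers compute the same POMD from different halves of the data: the merchant from OI and the PIMD it was handed, the gateway from the PI it decrypted and the OIMD inside the envelope. Either party can confirm that PI and OI were signed together by the cardholder while seeing only the half it is entitled to, which is the property the dual signature exists to provide.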
With this authorization, the merchant can begin shipping the goods or providing the service to the cardholder.
-Payment capture: To carry out the payment, the merchant performs a transaction with the Payment Gateway called the Capture transaction, which consists of two messages: Capture Request and Capture Response. In the Capture Request message the merchant generates the capture request information, including the payment amount and the transaction ID, together with the authorization information previously received from the Payment Gateway and the merchant's signature and certificate. The Payment Gateway receives this message, decrypts it and performs the necessary checks before requesting the card-issuing bank to transfer the funds to the merchant. Finally, the Payment Gateway notifies the merchant with a Capture Response message.
Chapter summary:
-Security applications are built on the basic techniques presented in Chapter 2: symmetric encryption, asymmetric encryption, hash functions, digital signatures, public-key certificates, ...
-Authentication is considered the most basic technique for access control. The password is the simplest and most effective means of authentication to date. However, because passwords are managed and used by people, appropriate policies are needed to ensure that passwords are not disclosed.
-In point-to-point communication, the two commonly used authentication protocols are PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol); of these, CHAP has more advantages and is more secure because it does not send the password directly over the network.
-In the distributed model, an authentication protocol must satisfy two requirements: ensure that the authentication information cannot be stolen, and let the user authenticate only once for all services in the distributed system. Kerberos is an authentication protocol that meets both requirements.
-The IP Security protocol (IPSec) is an extension of the IP protocol that lets the network layer provide confidentiality and integrity for data transmitted over the network. IPSec is a complex standard that incorporates the specifications of many other standards; it is deployed on two basic encapsulation protocols, ESP and AH. IPSec operates in two modes: transport mode and tunnel mode. The operation of IPSec is transparent to application-layer protocols.
-The SSL (Secure Sockets Layer) protocol is an add-on protocol operating on top of TCP. SSL provides two basic services, encryption and data authentication / endpoint authentication, for Internet applications such as the web, e-mail, ... SSL is very widely used on the Internet today, especially in procedures that exchange confidential information between client and server, such as logging in to an e-mail mailbox or entering a credit card number when shopping, ...
-SET (Secure Electronic Transaction) is a security application for online payment systems. SET accesses the TCP layer directly (that is, not through application protocols such as mail or the web, ...). SET defines a complex model comprising many entities such as the cardholder, the merchant, the card-issuing bank, the arbitrator, the payment gateway, ... SET was developed by reputable financial organizations such as MasterCard and VISA and by technology companies such as Microsoft, IBM, RSA, Verisign, ...
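The PAP/CHAP point in the summary, the password never crossing the wire, shown as an added example rather than code from the chapter. The message layout follows the chapter's own description of CHAP (the client hashes the challenge together with its user name and password with MD5); RFC 1994 hashes identifier || secret || challenge instead, but the property demonstrated is the same. The credential store, the user name and the function names (chap_response, server_verify, run_exchange, password_on_wire, replay_fails) are constructed for the illustration.

```python
"""CHAP challenge-response exchange as described in the chapter (added illustration)."""
import hashlib
import hmac
import os

# Constructed sample credential store.  CHAP needs the cleartext secret on the
# server to recompute the response, which is why the chapter stresses protecting it.
SERVER_SECRETS = {"alice": b"correct horse battery staple"}

def server_challenge() -> bytes:
    """Server side: a fresh random challenge for every authentication attempt."""
    return os.urandom(16)

def chap_response(challenge: bytes, user: str, password: bytes) -> bytes:
    """Client side: one-way hash over challenge || user name || password (MD5 per the chapter)."""
    return hashlib.md5(challenge + user.encode() + password).digest()

def server_verify(challenge: bytes, user: str, response: bytes) -> bool:
    """Server side: recompute the same hash from the stored secret and compare in constant time."""
    secret = SERVER_SECRETS.get(user)
    if secret is None:
        return False
    expected = hashlib.md5(challenge + user.encode() + secret).digest()
    return hmac.compare_digest(expected, response)

def run_exchange(user: str, password: bytes, transcript: list) -> bool:
    """One PPP CHAP exchange; `transcript` records everything that crosses the link."""
    challenge = server_challenge()
    transcript.append(("server->client", "Challenge", challenge))
    response = chap_response(challenge, user, password)
    transcript.append(("client->server", "Response", user.encode(), response))
    ok = server_verify(challenge, user, response)
    transcript.append(("server->client", "Success" if ok else "Failure"))
    return ok

def password_on_wire(transcript: list, password: bytes) -> bool:
    """Does the password appear verbatim in anything that crossed the link?"""
    return any(password in field for msg in transcript
               for field in msg if isinstance(field, bytes))

def replay_fails(user: str, password: bytes) -> bool:
    """A response captured from one exchange is useless against a fresh challenge."""
    transcript = []
    run_exchange(user, password, transcript)
    old_response = transcript[1][3]
    return not server_verify(server_challenge(), user, old_response)

if __name__ == "__main__":
    log = []
    print("authenticated:", run_exchange("alice", b"correct horse battery staple", log))
    print("password visible on wire:", password_on_wire(log, b"correct horse battery staple"))
    print("old response rejected on new challenge:", replay_fails("alice", b"correct horse battery staple"))
```

Contrast this with PAP from the first part of the chapter, where the Authenticate request itself carries the user name and password: with CHAP a listener on the link sees only the random challenge and a digest, and the fresh challenge per attempt is what stops a captured digest from being reused.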