CHNG III CC NG DNG BO MT TRONG H THNG THNG TIN

Gii thiu: Cc c ch mt m v xc thc thng tin l c s cho vic xy dng cc ng dng bo mt trong h thng, c bit trong mi trng mng. Chng ny s trnh by mt s ng dng ca k thut mt m v xc thc thng tin trong vic xy dng cc giao thc (protocol) v dch v (service) trn mng nhm m bo an tan h thng. Cc ng dng c trnh by trong chng ny bao gm: -Giao thc xc thc (Authentication protocol) -IPSec (Internet Protocol Security) -SSL (Secure Sockets Layer) -SET (Secure Electronic Transaction)

III.1 GIAO THC XC THC

III.1.1 Mt khu:
Trong s cc c ch xc thc, c ch xc thc da trn thng tin m thc th truy xut bit (what you know) l c ch n gin nht v c s dng nhiu nht. Thng tin ny thng l mt khu (password), c lin kt vi mt thc th dng xc thc thc th . Mt khu thng l mt chui k t. Khng gian mt khu (password space) l tp hp tt c cc chui k t c th xut hin trong mt khu. Mi h thng xc thc c mt khng gian mt khu khc nhau. Khng gian mt khu cng ln th kh nng b tn cng mt khu theo phng thc brute force cng thp. Mt khu c gi l phc tp nu n kh b pht hin bng phng php d mt khu theo t in (dictionary attack). Theo kho st, nhng lai mt khu c dng ph bin nht hin nay bao gm: -Dng tn ca ngi s dng (user-name hoc account-name) lm mt khu hoc thm mt vi ch s (v d ngy sinh, s in thai, ) lm mt khu. -Dng tn ng nhp (logon-name) lm mt khu. -Dng tn my tnh (computer name) lm mt khu. -Mt khu ch bao gm cc k t s (ly t s in thai, ngy sinh, ). -Mt khu l nhng t kha c bit nh computer, hacker, -Ly mt t c ngha trong t in lm mt khu. -Ly tn mt ngi khc lm mt khu (thng l ngi c quan h mt thit) Nhng mt khu nh trn u c phc tp rt thp v do d dng b tit l. Cc h thng xc thc thng a ra cc chnh sch v mt khu (password policy) i vi ngi s dng. Cc chnh sch ny thng quy nh nhng rng buc sau y: -Chiu di ti thiu v kh ca mt khu, mt khu khng c cha user-name hoc logon-name (password complexity).

84

-Thi gian s dng ti a ca mt khu (password age). -Khng c php dng li mt khu c (password history). V pha ngi s dng, nhng nguyn tc chung tng an tan cho vic xc thc dng mt khu bao gm: -S dng nhiu lai k t khc nhau lm mt khu, mc ch l m rng khng gian mt khu (dng ch ci, ch s, cc k hiu c bit, dng phi hp gia ch hoa v ch thng, ) -Khng s dng cc mt khu qu ngn. -Khng s dng nhng t kha hoc t c ngha trong mt khu. -Thng xuyn thay i mt khu. -Khng ghi chp mt khu ln bt k v tr no. -Khng tit l mt khu cho ngi khc, ngay c nhng tnh hung an tan nht. Trn cc my ch xc thc, mt khu ca ngi s dng thng khng c lu tr mt cch trc tip di dng k t gc (cleartext) m phi c m ho di mt dng no m bo an ton. Ngoi ra, mt khu khng b nh cp khi truyn i trn mng, nhiu th tc xc thc phc tp c xy dng m bo rng mt khu khng c truyn i trc tip (cleartext) trn mng.

III.1.2 Xc thc trong m hnh im-im:

Mt thc th bn ngai h thng thng tin mun truy xut h thng nh mt ch th ca th thng th phi cung cp cc thng tin h thng xc thc nhn dng ca ch th. Cc thng tin ny thng l mt khu, th xc thc, du vn tay, Qu trnh xc thc mt thc th bao gm vic ly thng tin m thc th cung cp, phn tch v xc nh xem thng tin c lin kt vi thc th hay khng. Hai m hnh thc t ca mt h thng xc thc l xc thc ti ch (local authentication) hoc xc thc t xa (remote authentication) thng qua mi trng mng. M hnh th nht c s dng khi ngi s dng ng nhp trc tip vo mt thng ni b (local logon), thng tin xc thc (tn ngi dng v mt khu) c cung cp trc tip cho h thng xc thc (server). Trong m hnh th hai, ngi s dng ng nhp vo mt h thng xa. Tnh hung ny bt buc cc thng tin xc thc phi c gi i trn mng v do , nguy c b nghe ln thng tin l rt cao. Cc giao thc xc thc c thit k gim thiu cc nguy c ny. Trong cc h thng c in, kt ni t xa thng c thc hin thng qua cc giao thc im im nh SLIP (Serial Line Internet Protocol) hoc PPP (Point to Point Protocol). Cc th tc xc thc u l mt chiu, tc l ch c my ch xc thc ngi s dng ch khng c th tc ngc li. Hai giao thc xc thc thng c dng trong cc h thng ny l PAP (Password Authentication Protocol) v CHAP (Challenge-Handshake Authentication Protocol). -PAP l giao thc xc thc n gin nht v do km an tan nht. xc thc vi mt h thng server xa, ngi s dng ch cn gi tn ng nhp v mt khu ca mnh mt cch trc tip (clear text) cho server di dng mt gi yu cu xc thc (authenticate request packet). Server s kim tra thng tin xc thc cha trong gi d liu ny, nu trng vi thng tin lu tr trc th s tr li bng mt gi xc nhn (authenticate ack packet) v qu trnh xc thc xem nh thnh cng. Ngc li, nu thng tin xc thc khng ng, server s tr li bng gi t chi (Authenticate nak packet).

85

Ngi s dng

Authenticate request (User-name + Password) Server Authenticate ack hoc Authenticate nak

Hnh 3.1: Giao thc xc thc PAP

-CHAP l giao thc xc thc phc tp hn, c dng trong giao thc kt ni PPP v mt s h thng khc. CHAP c u im hn PAP v phng din bo mt l c dng cc hm bm mt chiu v thng tin xc thc khng c gi i trc tip trn mng. Qu trnh xc thc bng giao thc CHAP gm cc bc sau y (gi l qu trnh challenge-response): Sau khi thit lp xong kt ni PPP, xc nh xem ngi s dng c quyn truy xut hay khng, server s gi cho ngi s dng mt khi d liu thch thc (challenge), trong c cha mt gi tr ngu nhin do server to ra. Ngi s dng sau khi nhn c khi challenge s gn thm tn ng nhp v mt khu ca mnh vo , sau thc hin mt hm bm mt chiu (v d MD5) ln khi thng tin v gi m bm li cho server. Pha server cng thc hin mt qu trnh tng t v so snh vi kt qu nhn c t ngi s dng xc nh qu trnh xc thc c thnh cng hay khng.

Mt c im na ca giao thc ny lm tng tnh an tan ca kt ni l qu trnh challenge-response c lp li nhiu ln trong sut thi gian duy tr kt ni. Nu gi tin tr li ca ngi dng khng hp l, kt ni s b gii ta tc thi.

Challenge

Ngi s dng

User-name + H(user-name + password + challenge)

Server

Success / Failure

Hnh 3.2: Giao thc xc thc CHAP

III.1.3 Xc thc trong cc h thng phn tn: 86

Trong cc h thng phn tn, nhiu my ch cung cp dch v c qun l bi mt trung tm xc thc duy nht. Giao thc xc thc trong cc h thng ny phi m bo c 2 yu cu c bn: m bo an tan i vi thng tin xc thc (tn ng nhp v mt khu khng c truyn i trc tip trn mng). Ngi dng ch cn ng nhp mt ln cho phin lm vic nhng c kh nng s dng tt c cc dch v c trong h thng.

V d: Mt h thng mng Windows c cu hnh theo m hnh Domain. Trong Domain ny c nhiu my ch cung cp dch v khc nhau, gm dch v in n (print server), dch v lu tr d liu (file server), dng chung kt ni Internet (qua proxy server), Khi ngi s dng ng nhp vo h thng t mt my thnh vin ca Domain, ngi s dng ny phi c kh nng truy xut n tt c cc dch v trong Domain (ty theo quyn c cp) m khng phi nhp li tn ng nhp v mt khu cho tng dch v. C ch qun l tp trung ny cung cp s tin li cho c ngi s dng ln h thng. Mt th tc xc thc in hnh trong cc h thng ny bao gm cc bc nh sau: Mt ngi dng ng nhp t mt my con (C ) trong h thng v yu cu truy xut n my ch V. My con C yu cu ngi dng cung cp tn ng nhp v mt khu ri sau chuyn thng tin ny cho trung tm xc thc AS (Authentication Server). My ch AS kim tra xem tn ng nhp v mt khu c hp l hay khng, ng thi kim tra xem ngi dng ny c c php truy xut cc dch v trn my ch V hay khng. Nu c hai vic kim tra trn u thnh cng th ngi dng c php truy xut dch v trn my ch V. lm c vic , AS to ra mt th truy xut (ticket) cha cc thng tin bao gm nhn dng ca ngi dng, a ch mng ca my con v nhn dng ca my ch V. Th truy xut ny c m ha bng kha b mt dng chung gia AS v V. Th truy xut cng c gi cho C. Bt u t , C c th yu cu cc dch v ca V bng cch gi cc bn tin c gn km th truy xut va to ra cho V. My ch V s gii m th truy xut v chp nhn cho C truy xut cc dch v ca mnh. C AS: AS C: C V: Trong : C: My con AS: my ch xc thc (Authentication server). V: my ch cung cp dch v. IDC: Nhn dng (tn ng nhp) ca ngi dng. IDV: Nhn dng ca my ch V. IDC + PC + IDV Ticket IDC + Ticket

Qu trnh c biu din nh sau:

Ticket = E([IDC + ADC + IDV], KV)

87

PC: Mt khu ca ngi dng. ADC: a ch mng ca my con. KV: Kha b mt ca my ch cung cp dch v V. Th tc xc thc nh trn gii quyt c vn bo mt bng cch a ra khi nim th truy xut (ticket), trong cc thng tin b mt c m ha trong mt bn tin c bit trc khi lun chuyn trn mng. Tuy nhin, vn cn hai vn cha c gii quyt: 1-Nu ngi dng c nhu cu s dng dch v nhiu ln, hoc s dng nhiu dch v khc nhau trn cc my ch khc nhau, vy ngi dng phi thc hin th tc xc thc nhiu ln, tc l phi nhp mt khu nhiu ln? 2-Th tc xc thc vn cn mt bc (bc u tin) trong thng tin xc thc (mt khu) c gi i trc tip trn mng m khng m ha. Th tc sau y s gii quyt hai vn trn: Khi ngi dng ng nhp h thng: (1) C AS: IDC + IDtgs (2) AS C: E(Tickettgs, Kc) Khi ngi dng truy xut mt loi dch v (per service type): (3) C TGS: IDC + IDV + Tickettgs (4) TGS C: Ticketv Khi ngi dng truy xut mt phin giao dch c th (per service session): (5) C V: IDC + Ticketv Trong : Tickettgs = E([IDC + ADC + IDtgs + TS1 + Lifetime1], Ktgs) Ticketv = E([IDC + ADC + IDv + TS2 + Lifetime2], Kv) Trong th tc trn, mt thnh phn mi c thm vo h thng xc thc l my ch cp th TGS (Ticket-Granting server). Khi ngi dng xc thc thnh cng vi AS, thay v cp th s dng dch v trc tip cho ngi dng, AS ch cp cho ngi dng th truy xut ca TGS, c tc dng nh mt xc nhn y l mt ngi dng hp h. K t v sau, mi khi ngi dng cn truy xut dch v no th ch cn gi th truy xut v yu cu ca mnh n TGS c cp th truy xut dch v. Nh vy, AS ch cn cp th cho ngi dng mt ln, hay ni cch khc, th c th dng li, c trong trng hp ngi dng s dng dch v nhiu ln hoc s dng nhiu dch v khc nhau m khng cn phi nhp li mt khu. Th tc ny c m t chi tit nh sau: My con C yu cu mt th xc nhn ngi dng hp l (Ticket Granting Ticket) bng cch gi nhn dng ca ngi dng cho AS, trong c nhn dng ca TGS. AS gi li th xc nhn ngi dng hp l cho my con nhng c m ha vi kha l mt khu ca ngi dng (KC). Do , nu ngi dng cung cp ng mt khu th th ny c gii m thnh cng, ngc li, vic xc thc xem nh kt thc khng thnh cng.

88

Nh vy, mt khu ca ngi dng khng c gi i trc tip trn mng. Do th ny c kh nng dng li, nn qun l vic tn ti ca n, trong th c gn thm mt nhn thi gian quy nh thi gian tn ti hp l ca th. trnh trng hp thay i v gi mo th, th c m ha mt ln na bng kha b mt ca AS v TGS. Sau khi c th xc nhn ngi dng hp l, my con c th yu cu dch v trn my ch V bng cch yu cu th s dng dch v (Service-granting Ticket) t TGS. Thng tin gi n cho TGS bao gm nhn dng ca my ch V, th xc nhn ngi dng hp l v tn ng nhp ca ngi dng. TGS gii m th xc nhn ngi dng hp l kim tra, nu hp l th cp th truy xut dch v cho ngi dng. Th ny c m ha bng kha b mt ca V v TGS. Sau khi c th truy xut dch v, ngi dng c th s dng dch v trn my ch V.

Nh vy, th tc trn gii quyt c 2 vn : dng li th v khng gi mt khu trc tip trn mng. Tuy nhin, li thm 2 vn khc ny sinh: -Th nht, nu thi gian tn ti ca cc ticket qu ngn, ngi dng c th phi nhp li mt khu to th mi. Nu thi gian ny qu di, nguy c b ly cp th tng ln. Do , khi xc nhn mt th, my ch (TGS hoc V) phi bit chc rng mnh ang lm vic vi ng ngi dng c tn ng nhp cha trong th. -Th hai, song song vi vic ngi dng xc thc vi my ch, th cng cn phi c thao tc xc thc ngc li t my ch n ngi dng lai tr trng hp chnh my ch b gi mo. y chnh l tn ti c gii quyt bi giao thc xc thc Kerberos.

III.1.4 Giao thc xc thc Kerberos:

Kerberos l mt th tc c xy dng nng cao an tan khi xc thc trong mi trng mng phn tn. Kerberos da trn k thut mt m i xng (DES). C th tm lc th tc xc thc ca Kerberos version 4 nh sau (hnh 3. 3): 1- My con yu cu AS cung cp th xc nhn ngi dng : C AS: IDc + IDtgs + TS1 2- AS cung cp th xc nhn ngi dng cho my con: AS C: E([Kc,tgs + IDtgs + TS2 + Lifetime2 + Tickettgs], Kc) Vi Tickettgs = E([Kc,tgs + IDc + ADc + IDtgs + TS2 + Lifetime2], Ktgs) 3- My con yu cu TS cung cp th truy xut dch v: C TGS: IDv + Tickettgs + Authenticatorc 4- TGS cung cp th truy xut dch v cho my con: TGS C: E([Kc,v + IDv + TS4 + Ticketv], Kc,tgs) Vi Tickettgs = E([Kc,tgs + IDC +ADC + IDtgs + TS2 + Lifetime2], Ktgs) Ticketv = E([Kc,v + IDC + ADC + IDv + TS4 + Lifetime4], Kv)

89

Authenticatorc = E([IDC + ADC + TS3], Kc,tgs) 5- My con yu cu dch v: C V: Ticketv + Authenticatorc Vi Authenticatorc = E([IDc + ADC + TS5], Kc,v) 6- Server xc thc vi my con (khng bt buc): V C: E([TS5 + 1], Kc,v) Vi: Ticketv = E([Kc,v + IDc + ADc + IDv + TS4 + Lifetime4], Kv)

My con (C) Ticket granting Ticket Request Ticket + session key My ch xc thc (AS)

Kerberos

Service granting Ticket Request Ticket + session key

My ch cp th (TGS)

My ch (V) Yu cu dch v Cung cp dch v

Hnh 3.3: Th tc xc thc Kerberos 4 Cc thnh phn trong cc bn tin ca Kerberos: -Bn tin (1): My con yu cu cp th xc nhn ngi dng (Ticket-granting-Ticket): IDC: Nhn din ca ngi dng (do my con gi n cho AS, da trn thng tin ng nhp ca ngi dng). IDtgs: Nhn din ca TGS, mc ch cho AS bit rng my con ang mun truy xut n TGS. TS1: Nhn thi gian, mc ch ng b thi gian gia AS v my con. Kc: Dng chnh mt khu ca ngi dng lm kho mt m, va c mc ch bo v thng tin va cho php AS xc thc mt khu ca ngi dng. Nu my con khng c mt khu ng th s khng gii m c bn tin ny.

-Bn tin (2): AS cung cp th xc nhn ngi dng cho my con:

90

Kc, tgs: kho b mt c dng gia my con v TGS do AS to ra. Kha ny ch c tc dng trong mt phin lm vic (session key). IDtgs: Nhn din ca TGS, dng xc nhn rng th ny c tc dng cho php my con truy xut n TGS. TS2: Nhn thi gian, cho bit thi im th c to ra. Lifetime2 : Cho my con bit thi gian tn ti ca th. Tickettgs: My con dng th ny truy xut TGS. IDV: Nhn dng ca my ch V, dng thng bo cho TGS l my con mun truy xut n dch v ca my ch V. Tickettgs: Th c cp cho my con bi AS Authenticatorc: mt gi tr c to ra bi my con xc minh th. Kc, tgs: Kho b mt dng chung gia my con v TGS bo v ni dung ca bn tin (4) Kc, v: Kho b mt c dng gia my con v my ch V do TGS to ra. Kho ny ch c gi tr trong tng phin lm vic (session key). IDv: nhn din ca my ch V, c chc nng xc nhn th ca my ch V TS4: nhn thi gian cho bit thi im th c to ra. Ticketv: Th c my con dng truy xut my ch V. Tickettgs: Th ny c dng li ngi dng khng phi nhp li mt khu khi mun truy xut dch v khc. Ktgs: Kha b mt dng chung gia AS v TGS. Kc, tgs: Session key c TGS dng gii m authenticator. Kho ny c dng chung gia my con v TGS. IDC: Nhn din my con, cho bit y l ch s hu ca th. ADC: a ch mng ca my con, dng ngn chn trng hp mt my khc ly cp th yu cu dch v. IDtgs: nhn din ca TGS, xc nhn th c gii m thnh cng. TS2: nhn thi gian cho bit thi im to ra th. Lifetime2 : Thi gian tn ti ca th, nhm ngn chn vic s dng li th (replay). Authenticatorc: Thng tin xc thc ca my con. Kc, tgs: Kho b mt dng chung gia my con v TGS, dng m ho thng tin xc thc ca my con. IDc: nhn dng my con, phi trng vi ID trong th. ADc: a ch mng ca my con, phi trng vi a ch trong th. TS3: Nhn thi gian, cho bit thi im m authenticator c to ra.

-Bn tin (3): My con yu cu th truy xut dch v (Service Granting Ticket):

-Bn in (4): TGS cung cp th truy xut dch v cho my con::

-Bn tin (5): My con yu cu truy xut dch v:

91

Ticketv: Th cho bit mycon c xc thc bi AS. Authenticatorc: Thng tin xc thc th ca my con. Kc, v: Kho b mt dng chung gia my con v my ch V. TS5 + 1: Nhn thi gian, dng trnh trng hp thng tin xc thc c c dng li. Ticketv: Th truy xut my ch V. Th ny c th dng li khi my con truy xut dch v n chnh my ch V m khng cn yu cu cp th mi. Kv: Kho b mt dng chung gia TGS v my ch V. Kc, v: Kho b mt dng chung gia my con v my ch V, dng gii m thng tin xc thc. IDc: Nhn dng ca my con. ADc: a ch mng ca my con. IDv: Nhn dng ca my ch V. TS4: Nhn thi gian cho bit thi im th c to. Lifetime4 : Thi gian tn ti ca th. Authenticatorc: Thng tin xc thc ca my con. Kc, v: Kho b mt, dng chung gia my con v my ch V m ho thng tin xc thc. IDc: Nhn din my con, phi ging vi IDc trong th ADc: a ch mng ca my con, phi ging vi a ch trong th. TS5: Thi im thng tin xc thc c to ra.

-Bn tin (6): My ch V xc thc vi my con:

-Kt hp gia nhiu h thng Kerberos: Mt mi trng s dng h thng xc thc Kerberos y bao gm my ch Kerbe ros (Kerberos server), cc my ch dch v (application server) v cc my con s dng dch v (client), trong : -My ch Kerberos phi c danh sch tt c cc tn ng nhp v mt khu c m ha ca cc ngi dng ny. Tt c cc my con u phi ng k vi my ch Kerberos. -My ch Kerberos s dng mt kha b mt chung vi cc my ch cn li. Tt c cc my ch u phi ng k vi my ch Kerberos. Mt mi trng tha mn cc iu kin nh vy c gi l mt lnh a Kerberos (Kerberos realm). Nh vy, cc my ch v my con thuc cc n v qun l khc nhau s thuc v cc lnh a Kerberos khc nhau. Giao thc xc thc Kerberos cng bao gm cc th tc cho php kt hp cc lnh a Kerberos li cung cp dch v mt cch ng nht. Hnh 3.4 m t hat ng ca th tc ny. Trnh t ca th tc kt hp lnh a Kerberos c tm tt nh sau: (1) C AS: IDc + IDtgs + TS1

92

(2) AS C: E([Kc,tgs + IDtgs + TS2 + Lifetime2 + Tickettgs], Kc) (3) C TGS: IDtgsrem + Tickettgs + Authenticatorc (4) TGS C: E([Kc,tgsrem + IDtgsrem + TS4 + Tickettgsrem], Kc,tgs) (5) C TGSrem: IDvrem + Tickettgsrem + Authenticatorc (6) TGSrem C: E([Kc,vrem + IDvrem + TS6 + Ticketvrem], Kc,tgsrem) (7) C Vrem: Ticketvrem + Authenticatorc

Lnh a A

Kerberos My con Ticket-granting-Ticket Request Ticket-granting-Ticket AS

Service-granting-Ticket Request for realm B Service-granting-Ticket TGS

Cung cp dch v

Yu cu dch v

Lnh a B Service Granting Ticket Request Service Granting Ticket

Kerberos TGS

AS

My ch

Hnh 3.4: Xc thc gia hai lnh a Kerberos -Kerberos 5: l mt phin bn nng cp ca Kerberos 4 vi nhng im khc bit nh sau:

93

Kerberos 4 ph thuc cht ch vo gii thut m ha i xng DES, trong khi Kerberos 5 th tng thch vi bt k mt gii thut m ha no. Kerberos 4 ph thuc vo a ch IP xc thc ngi dng, Kerberos 5 c th s dng bt k a ch no (v d MAC address). Kerberos 4 s dng thm 1 byte trong cc bn tin cho bit th t byte trong bn tin. Kerberos 5 dng c php ANS.1 (Abstract Syntax Notation One) v lut m ha c bn BER (Basic Coding Rules) to ra c ch xp th t byte trong bn tin mt cch r rng. Thi gian tn ti ca th trong Kerberos 4 c cha trong mt trng di 8 bit, tnh theo n v 5 pht, nh vy, thi gian sng ti a ca th l 5 * 28 = 1280 pht (khang 21 gi). Trong Kerberos 5, thi gian tn ti c biu th bng thi im bt u v thi im kt thc, cho php thi gian ny c bin thin khng gii hn. Kerberos 4 khng cho php c ch chuyn tip xc thc, tc l c ch mt my con truy xut n mt my ch, v yu cu my ch ny truy xut n dch v ca mt my ch khc thng qua nhn dng ca my con. Kerberos 5 cung cp kh nng ny. Kerberos 4 yu cu N2 quan h gia cc lnh a Kerberos trong trng hp lin kt hat ng gia N lnh a. Kerberos 5 yu cu s quan h t hn nhiu.

Th tc xc thc dng Kerberos 5 c tm tt nh sau: (1) C AS: Options + IDc + Realmc + IDtgs + Times + Nonce1 (2) AS C:Realmc +IDC +Tickettgs +E([Kc,tgs +Times +Nonce1 +Realmtgs +IDtgs], Kc) Vi Tickettgs = E([Flags + Kc,tgs + Realm c + IDc + ADc + Times], Ktgs) (3) C TGS: Options + IDv + Times + Nonce2 + Tickettgs + Authenticatorc (4) TGS C: Realmc +IDc +Ticketv +E([Kc,v +Times +Nonce2 +Realmv +IDv], Kc,tgs) Vi Tickettgs = E([Flags + KC,tgs + Realm c + IDC + ADC + Times], Ktgs) Ticketv = E([Flags + Kc,v + Realmc + IDC + ADc + Times], Kv) Authenticatorc = E([IDC + Realm c + TS1], Kc,tgs) (5) C V: Options + Ticketv + Authenticatorc (6) V C: E([TS2 + Subkey + Seq#], Kc,v) Vi Ticketv = E([Flags + Kc,v + Realm c + IDC + ADC + Times], Kv) Authenticatorc = E([IDC + Realm c + TS2 + Subkey + Seq#], Kc,v) Trong th tc trn, ngoi nhng thnh phn xut hin trong Kerberos 4 cn c thm cc thnh phn mi sau y: -Realm: Biu th lnh a ca ngi dng. -Options: Cc tu chn, dng yu cu cc thng tin cng thm xut hin trong th. -Times: Dng my con yu cu cc thng s thi gian trong th nh from, till, rtime.

94

-Nonce: Gi tr ngu nhin c to ra trong bn tin m bo rng bn tin tr li l bn tin hp l ch khng phi bn tin c dng li.

III.2 IP SECURITY
III.2.1 Cc ng dng v c im ca IPSec:
IP security (IPSec) cung cp mt phng tin truyn thng an tan trn mng LAN, gia cc mng LAN ni vi nhau thng qua mng WAN v gia cc mng khc nhau trn mng Internet. IPSec l phn m rng ca giao thc IP, c thc hin thng nht trong c hai phin bn ca IP v IPv4 v IPv6. -Cc ng dng in hnh ca IPSec bao gm: Kt ni gia cc chi nhnh ca mt t chc thng qua mng Internet: bng cch xy dng cc mng ring o VPN (Virtual Private Network) trn nn ca mng WAN cng cng hoc mng Internet. Cc t chc c th kt ni cc mng con cc chi nhnh ca mnh li thnh mt mng ring vi chi ph thp nhng vn m bo c an tan. Truy xut t xa thng qua mng Internet: truy xut t xa n mt dch v no , thng thng ngi dng phi thc hin kt ni bng ng dy in thai (dial-up) n my ch cung cp dch v. Vi IPSec, ngi dng ch cn kt ni n mt nh cung cp dch v Internet gn nht (ISP) v sau thc hin kt ni n my ch xa thng qua IPSec mt cch an tan m khng phi tn chi ph in thai ng di. Nng cao tnh an tan ca cc giao dch thng mi trn mng Internet, p dng

Thit b u cui c h tr IPSec

Mng WAN / Internet

Thit b mng c h tr IPSec Thit b mng c h tr IPSec

Mng LAN / intranet

Mng LAN / intranet

Cc thnh phn ca gi d liu: Tiu IP (IP header) Tiu IPSec (IPSec header) D liu ca gi IP 95 (IP Payload)

Hnh 3.5: ng dng ca IPSec

cho cc website bn hng qua mng hoc cc dch v thanh tan qua Internet. -Cc u im ca IPSec: -Khi IPSec c trin khai trn bc tng la hoc b nh tuyn ca mt mng ring, th tnh nng an tan ca IPSec c th p dng cho tan b lu lng vo ra mng ring m cc thnh phn khc khng cn phi x l thm cc cng vic lin quan n bo mt. -IPSec c thc hin bn di ca lp TCP v UDP, ng thi n hat ng mt cch trong sut vi cc lp ny. Do vy, khng cn phi thay i phn mm hay cu hnh li cc dch v khi IPSec c trin khai. -IPSec c th c cu hnh hat ng mt cch trong sut i vi cc ng dng u cui, iu ny gip che giu nhng chi tit cu hnh phc tp m ngi dng phi thc hin khi kt ni n mng ni b t xa thng qua mng Internet.

III.2.2 Cu trc IPSec:

IPSec c xy dng da trn cc thnh phn bo mt c bn sau y, mi thnh phn
Cu trc IPSec

Giao thc ESP

Giao thc AH

Thut tan mt m

Thut tan xc thc

Min thc thi

Qun l kha

Hnh 3.6: Cu trc IPSec c nh ngha trong mt ti liu ring tng ng (hnh 3.6): -Cu trc (Architecture): Quy nh cu trc, cc khi nim v yu cu ca IPSec. -Giao thc ESP: M t giao thc ESP, l mt giao thc mt m v xc thc thng tin trong IPSec.

96

-Giao thc AH: nh ngha mt giao thc khc vi chc nng gn ging ESP. Nhng vy, khi trin khai IPSec, ngi s dng c th chn dng ESP hoc AH. Mi giao thc c u v nhc im ring, s c trnh by trong phn ny. -Thut tan mt m: nh ngha cc thut tan m ha v gii m s dng trong IPSec. IPSec da ch yu vo cc gii thut m ha i xng. -Thut tan xc thc: nh ngha cc thut tan xc thc thng tin s dng trong AH v ESP. -Qun l kha: M t cc c ch qun l v phn phi kha trong IPSec. -Min thc thi (Domain of Interpretation_DOI): nh ngha mi trng thc thi IPSec. Nh trnh by, IPSec khng phi l mt cng ngh ring bit m s t hp ca nhiu c ch, giao thc v k thut khc nhau, trong mi c ch, giao thc u c nhiu ch hat ng khc nhau. Vic xc nh mt tp cc ch cn thit trin khai IPSec trong mt tnh hung c th l chc nng ca min thc thi.

III.2.3 Quan h bo mt:

Mc tiu ca IPSec l cung cp mt c ch truyn an tan m bo tnh tan vn v xc thc ca d liu. Trong mi trng IPSec, mt khi nim quan trng c dng din t mt quan h truyn thng bo mt gia mt u gi v mt u nhn l quan h bo mt (SA_Security Association). Mi SA c xem nh mt lin kt mt chiu gia hai thc th, do , mt kt ni hai chiu thng thy s bao gm 2 SA. Mi SA s dng mt giao thc xc thc nht nh (AH hoc ESP) ch khng th s dng ng thi c hai. Mi SA c nhn dng bi 3 thng s sau y: -Security Parameters Index (SPI): l mt chui bit c gn cho SA, ch c gi tr ni b. SPI c t trong tiu ca AH v ESP, cho php pha nhn (receiving system) chn mt SA c th x l cc gi d liu nhn c. -IP Destination Address: y l a ch u cui ca SA, a ch ny l a ch ca thit b m SA kt thc ti , c th l a ch ca mt h thng u cui hoc ca mt thit b mng (router, firewall) -Security Protocol Identifier: Cho bit SA s dng giao thc xc thc no (AH hay ESP). Nh vy, trong mi gi IP ca IPSec, SA c nhn dng bng t hp gm a ch ch (destination address) v SPI trong tiu m rng (AH hoc ESP).

III.2.4 Ch vn chuyn v ch ng hm:

IPSec (c AH v ESP) cung cp hai ch lm vic khc nhau: -Ch vn chuyn (transport mode): cung cp c ch bo v cho d liu ca cc lp cao hn (TCP, UDP hoc ICMP). c ch ny, phn d liu (payload) ca gi IP c p dng cc c ch bo v (mt m hoc xc thc). Ch ny thng dng cho cc kt ni t u cui n u cui, v d t trm lm vic n my ch hoc gia hai trm lm vic vi nhau. -Ch ng hm (tunnel mode): cung cp c ch bo v lp IP, ngha l gi IP cng vi cc tiu ca AH hoc ESP c gi thm mt ln na bng cc tiu mi. Khi , cc gi IP gc c xem nh di chuyn trong mt ng hm (tunnel) t u ny n u kia ca mng m cc nt trung gian khng xen vo c. Ch ny thng c dng trong cc SA ni gia hai gateway ca hai mng.

97

Ch vn chuyn v ch ng hm s c trnh by ring trong tng giao thc AH v ESP. Cc thut ton m ha / gii m v cc thut ton xc thc thng tin c trnh by chng 2, nn trong phn ny ch tp trung m t hat ng ca hai giao thc AH v ESP, sau gii thiu cc c ch qun l kha ca IPSec.

III.2.5 AH:
AH (Authentication Header) l mt giao thc xc thc dng trong IPSec, c chc nng m bo tnh tan vn ca d liu chuyn i trn mng IP. AH cho php xc thc ngi dng, xc thc ng dng v thc hin cc c ch lc gi tng ng. Ngai ra, AH cn c kh nng hn ch cc tn cng gi danh (spoofing) v tn cng pht li (replay). C ch hat ng ca AH da trn m xc thc MAC (Message Authetication Code), do , thc thi AH th hai u cui ca SA phi dng chung mt kha b mt. Cu trc tiu ca gi AH (hnh 3.7) bao gm cc phn sau:
Bit 0 Tiu k tip 8 16 Kch thc d liu Dnh ring 31

Security Parameters Index (SPI) S th t gi M xc thc (Kch thc thay i)

Hnh 3.7: Cu trc gi AH

-Tiu k tip (Next Header - 8 bits): Nhn dng kiu tiu i lin sau tiu ca AH. -Kch thc d liu (Payload Length -8 bits): Chiu di ca gi AH, tnh bng n v 32 bit tr i 2. V d, chiu di phn d liu xc thc l 96 bit (= 3 * 32 bit), cng vi chiu di phn tiu AH (c nh) l 3 * 32 bit na thnh 6 * 32 bit, khi gi tr ca trng kch thc d liu l 4. -Dnh ring (Reserved -16 bits): Phn dnh ring, cha dng. -Security Parameters Index (SPI - 32 bits): Nhn dng SA nh trnh by trn. -S th t gi (Sequence Number - 32 bits): S th t. -M xc thc (Authentication Data): d liu xc thc, c chiu di thay i nhng phi l bi s ca 32 bit. Trng ny cha gi tr kim tra ICV (Integrity Check Value) hoc MAC (Message Authentication Code) cho tan b gi *-Anti-replay service: dch v cho php ngn chn cc hnh vi tn cng pht li (replay) nh trnh by chng 1. Trng s th t (Sequence number) trong tiu AH c dng

98

nh du th t cc gi c gi i trn mt SA. Ban u, gi tr ny c khi to bng 0 v tng dn sau mi gi c gi. m bo khng c gi lp li, khi s th t t gi tr cc i (232-1), n s khng c quay li gi tr 0 m thay vo , mt SA mi c thit lp tip tc vic truyn d liu. pha nhn, qu trnh x l cc gi nhn c thc hin theo c ch dch ca s nh m t hnh 3.8. Kch thc mc nh ca ca s l 64. C ch thc hin nh sau: Nu gi nhn c nm trong vng hp l ca ca s v l mt gi mi ch khng phi gi truyn li th gi tr MAC ca gi s c kim tra. Nu chnh
Dch ca s qua bn phi nu nhn c mt gi hp l. Ca s vi kch thc c nh W

N-W c nh du biu th mt gi hp l va c nhn

N+1 khng nh du cho bit gi d liu v tr cha c nhn

Hnh 3.8: C ch dch ca s trong AH xc (tc gi c xc thc) th khe tng ng trong ca s c nh du. Nu gi nhn c nm bn phi ca ca s v l gi mi, gi tr MAC ca gi c kim tra. Nu ng th ca s c dch mt khe sang bn phi, ng thi khe tng ng trong ca s c nh du. Nu gi nhn c nm bn tri ca s hoc gi tr MAC khng hp h th b hy b.

-Xc thc thng tin: M xc thc (trng Authentication Data) c to ra dng mt trong 2 cch: -HMAC-MD5-96: dng phng php HMAC, thut ton MD5, ct ly 96 bit u tin. -HMAC-SHA-1-96: dng phng php HMAC, thut ton SHA-1, ct ly 96 bit u tin. Thut ton MAC c p dng trn cc phn thng tin sau y: Cc trng khng b thay i trong tiu gi IP khi c chuyn tip trn mng hoc c th d an c ti u cui ca SA. Nhng trng cn li trong tiu gi IP c thay bng cc bit 0 khi tnh tan. Cc trng trong tiu AH ngai tr trng Authentication Data. Trng ny c thay bng cc bit 0 khi tnh. Tan b gi d liu ca lp trn (tc phn payload ca gi IP).

99

-Ch vn chuyn v ch ng hm: Hnh 3.9 m t hai trng hp xc thc khc nhau: -Xc thc t u cui n u cui (End-to-End Authentication): l trng hp xc thc trc tip gia hai h thng u cui (gia my ch vi trm lm vic hoc gia hai trm lm vic), vic xc thc ny c th din ra trn cng mng ni b hoc gia hai mng khc nhau, ch cn 2 u cui bit c kha b mt ca nhau. Trng hp ny s dng ch transport ca A H. -Xc thc t u cui n trung gian (End-to-Intermediate Authentication): l trng hp xc thc gia mt h thng u cui vi mt thit b trung gian (router hoc firewall). Trng
Server

Xc thc u cui n u cui Mng ni b Xc thc u cui n u cui Router/Firewall Xc thc u cui n trung gian

Mng cng cng

Hnh 3.9: Hai ch xc thc ca AH hp ny s dng ch tunnel ca AH. Hnh 3.10 m t phm vi p dng c ch bo v ca AH ln gi d liu trong hai ch khc nhau.

100

a- Gi IP gc

IP

TCP

Data

Phm vi thng tin c xc thc b- Gi IP ch transport IP AH TCP Data

Phm vi thng tin c xc thc b- Gi IP ch tunnel IP (mi) AH IP (c) TCP Data

Hnh 3.10: Phm vi p dng ca AH ln gi d liu hai ch transport v tunnel

III.2.6 ESP:

101

ESP (Encapsulating Security Payload) l mt la chn khc thc thi IPsec bn cnh giao thc xc thc thng tin AH. Chc nng chnh ca ESP l cung cp tnh bo mt cho d liu truyn trn mng IP bng cc k thut mt m. Tuy nhin, ESP cng cn c mt ty chn khc l cung cp c dch v bo m tnh tan vn ca d liu thng qua c ch xc thc. Nh vy, khi
Bit 0 8 16 Security Parameters Index (SPI) S th t gi 24 31

D liu (kch thc thay i)

D liu chn (0 255 byte) Kch thc chn M xc thc (kch thc thay i) Tiu k tip

Hnh 3. 11: Cu trc gi ESP dng ESP, ngi dng c th chn hoc khng chn chc nng xc thc, cn chc nng m ha l chc nng mc nh ca ESP. Gi d liu ESP gm cc thnh phn sau (hnh 3.11): -Security Parameters Index (SPI - 32 bits): Nhn dng SA nh trong giao thc AH. -S th t gi (Sequence Number - 32 bits): S th t, c chc nng nh s th t trong AH. -D liu (Payload Data): y l phn d liu c bo v bng mt m. Trng ny c di thay i. Trong ch vn chuyn, y l tan b gi d liu ca lp 4 (TCP hoc UDP). Cn trong ch ng hm, y l tan b gi IP. ESP chun s dng thut ton mt m i xng DES, tuy nhin, c th dng cc thut ton mt m khc nh 3DES (3 kha), RC5, IDEA, triple IDEA (3 kha), CAST, Blowfish. -D liu chn (Padding 0-255 bytes): Mt s thut ton mt m yu cu kch thc d liu gc phi c nh. Cc byte d liu gi c thm vo m bo di vng d liu. Tuy nhin, theo quy nh ca ESP, chiu di trng pad -length v trng next-header phi c nh l 32 bit tnh t bn phi, do vy, phn padding phi c kch thc sao cho tan b phn thng tin cn m ha l bi s ca 32 bit. - Kch thc chn (Pad Length - 8 bits): Cho bit s byte ca vng d liu chn (padding).

102

- Tiu k tip (Next Header - 8 bits): Nhn dng kiu d liu cha trong phn payload data. - M xc thc (Authentication Data): Cha thng tin xc thc, c chiu di thay i nhng phi l bi s ca 32 bit. Thng tin xc thc c tnh trn tan gi ESP ngai tr phn Authentication Data. -Ch vn chuyn v ch ng hm: Ch vn chuyn: chc nng m ha v xc thc thng tin c thc hin trn phn d liu (payload data) ca gi IP (tc tan b n v d liu ca lp trn IP). Ch ng hm: tan b gi IP c m ha v xc thc. S khc nhau gia hai ch hot ng c m t hnh 3.12.
a- Gi IP gc

IP

TCP

Data

Phm vi thng tin c xc thc Phm vi thng tin c m ho b- Gi IP ch transport IP ESP header TCP Data ESP trailer ESP auth

Phm vi thng tin c xc thc Phm vi thng tin c m ho b- Gi IP ch tunnel IP (mi) ESP header IP (c) TCP Data ESP trailer ESP auth

Hnh 3.12: Tc dng ca ESP ln gi IP hai ch transport v tunnel

III.2.7 Qun l kha trong IPSec:

IPSec da trn k thut xc thc HMAC (hashed based MAC) v cc phng php mt m i xng m c bn l DES. Do vy, vn qun l v phn phi cc kha b mt gia cc u cui SA l vn quan trng trong trin khai IPSec. C hai c ch qun l kha: -Qun l kha bng tay (manual): ngi qun tr mng to ra kha v ci t cho cc h thng u cui. C ch ny ch ph hp vi cc h thng c quy m nh. -Qun l kha t ng (automated): mt h thng t ng to ra v phn phi kha cho cc h thng u cui. IPSec s dng hai h thng qun l kha t ng l Oakley v ISAKMP. -Oakley Key Determination Protocol : y l giao thc trao i kha da trn gii thut Diffie-Hellman, c b sung thm cc chc nng bo mt. -Internet Security Association and Key Management Protocol (ISAKMP): cung cp mt m hnh chung cho vic qun l kha trn Internet, nh ngha cc th tc v khun dng ring.

103

III.3 SECURE SOCKETS LAYER

Secure Sockets layer hay SSL l mt giao thc bo mt c Netscape thit k nhm cung cp cc kt ni bo mt cho cc ng dng trn nn giao thc TCP/IP. SSL c chun ha v s dng rng ri trong nhiu ng dng trn mng Internet nh web, mail, Phin bn hin ti ca SSL l 3.0. Phin bn SSL c IEEE chun ha l c gi l TLS (Transport Layer Security), v c xem nh l SSL phin bn 3.1.

III.3.1 Cu trc SSL:

SSL thc ra bao gm hai lp giao thc nm pha trn TCP. Lp th nht l giao thc truyn d liu SSL (SSL record protocol) v lp th hai gm mt tp cc giao thc ph tr (hnh 3.13). Phn ny gii thiu khi qut cc thnh phn ca SSL.
Giao thc bt tay SSL Giao thc thay i thng s m Giao thc cnh bo

HTTP

Giao thc truyn d liu

TCP

IP

Hnh 3.13: Cu trc SSL

Hai khi nim c bn thng c dng trong SSL l kt ni (connection) v phin giao dch (session). -Kt ni l mt kt ni (tm thi) gia mt u cui ny vi mt u cui kia cung cp mt lai dch v thch hp. Mi kt ni lin kt vi mt phin giao dch (session). -Phin giao dch l mt lin kt gia mt my con v mt my ch, c to ra bi giao thc SSL Handshake protocol. Phin giao dch nh ngha cc tham s bo mt dng chung cho nhiu kt ni. Trng thi ca phin giao dch c nh ngha bi cc thng s sau y: Nhn dng phin (Session identifier): Mt chui byte ngu nhin c server chn nhn dng mt trng thi ca phin giao dch. Chng thc kha i phng (Peer certificate): Chng thc kha cng khai (X509.v3) ca thc th i phng. Thnh phn ny c th c hoc khng. Phng php nn (Compression method): Gii thut nn d liu trc khi m ha. Thut tan m (Cipher spec): Xc nh thut ton m ha v hm bm c s dng cho phin giao dch. Kha (Master secret): Kha b mt (48-byte) dng chung gia my con v server.

104

Kh nng phc hi (Is resumable): Cho bit phin giao dch ny c th khi to mt kt ni mi hay khng. S nhn dng ngu nhin (Server and client random): Chui byte chn ngu nhin bi server v client, c chc nng phn bit cc kt ni vi nhau. Kha xc thc ca my ch (Server write MAC secret): Kha b mt dng tnh gi tr xc thc MAC trn d liu gi i t server. Kha xc thc ca my con (Client write MAC secret): Kha b mt dng tnh gi tr xc thc MAC trn d liu gi i t my con. Kha mt m ca my ch (Server write key): Kha b mt dng mt m ha d liu gi i t server. Kha mt m ca my con (Client write key): Kha b mt dng mt m ha d liu gi i t client. Vc t khi to (Initialization vectors): vec-t khi to (IV) dng trong ch m ha CBC (Chaining Bock Cipher). Gi tr ny c khi to bi giao thc SSL record. S th t gi (Sequence numbers): S th t ca cc bn tin c gi i v nhn v trn kt ni.

Tng t, cc thng s nh ngha trng thi ca mt kt ni bao gm:

III.3.2 Giao thc truyn d liu SSL:

D liu gc

Phn on

Nn Gn thng tin xc thc (MAC)

Mt m ho

Gn tiu giao thc SSL record

Hnh 3.14: Hot ng ca giao thc truyn d liu SSL Giao thc truyn d liu SSL (SSL record protocol) cung cp 2 dch v c bn cho cc kt ni SSL l dch v bo mt v dch v tan vn d liu.

105

Hnh 3.14 m t hat ng ca giao thc truyn d liu SSL. Theo , cc thao tc m SSL thc hin trn d liu bao gm: phn an d liu (fragmentation), nn d liu (compression), xc thc d liu (MAC), m ha, thm cc tiu cn thit v cui cng gi tan b an thng tin trn trong mt segment TCP. pha nhn, qu trnh c thc hin ngc li.
Kiu d liu Phin bn chnh Phin bn ph Kch thc d liu

D liu Thng tin c m ho (c th nn hoc khng nn)

M xc thc (0, 16 hoc 20 byte)

Hnh 3.15: Cu trc gi SSL record Cu trc gi d liu SSL record gm cc thnh phn sau (hnh 3.15): -Kiu d liu (Content Type - 8 bits): Giao thc lp trn. Giao thc ny s x l thng tin trong gi d liu SSL. - Phin bn chnh (Major Version - 8 bits): Phin bn chnh ca SSL. i vi SSL v3, gi tr ny l 3. - Phin bn ph (Minor Version - 8 bits): Phin bn ph ca SSL. V d: i vi SSLv3 th gi tr trng ny l 0. - Kch thc d liu (Compressed Length -16 bits): Chiu di ca phn d liu (plaintext), tnh theo byte. -D liu (Plaintext): D liu ca lp trn c chuyn i trong gi SSL record. D liu ny c th c nn hoc khng. -M xc thc (MAC): M xc thc, c kch thc = 0 byte nu khng dng chc nng xc thc.

III.3.3 Giao thc thay i thng s m:

Giao thc thay i thng s m (Change cipher spec protoco l) l giao thc n gin nht trong cu trc SSL, dng thay i cc thng s m ha trn kt ni SSL. Giao thc ny ch gm c mt bn tin c kch thc 1 byte, mang gi tr 1. Chc nng ca bn tin ny l yu cu cp nht cc thng s m ho cho kt ni hin hnh.

III.3.4 Giao thc cnh bo:

Giao thc cnh bo (Alert protocol) dng trao i cc bn tin cnh bo gia hai u ca kt ni SSL. C hai mc cnh bo: warning (1) v fatal (2). Mc warning ch n gin dng thng bo cho u kia cc s kin bt thng ang din ra. Mc fatal yu cu kt thc kt

106

ni SSL hin hnh, cc kt ni khc trong cng phin giao dch c th vn c duy tr nhng phin giao dch khng c thit lp thm kt ni mi. Cc bn tin cnh bo ca SSL bao gm: -unexpected_message: Nhn c mt bn tin khng ph hp. -bad_record_mac: Bn tin va nhn c gi tr MAC khng hp l. -decompression_failure: Thao tc gii nn thc hin khng thnh cng.. -handshake_failure: Pha gi khng thng lng cc thng s bo mt. -illegal_parameter: Mt trng no trong bn tin bt tay (handshake message) khng hp l. -close_notify: Thng bo kt thc kt ni. -no_certificate: Khi nhn c yu cu cung cp chng thc kha (certificate), nhng nu khng c chng thc kha no thch hp th gi cnh bo ny. -bad_certificate: Chng thc kha khng hp l (ch k sai) -unsupported_certificate: Kiu chng thc khng c h tr. -certificate_revoked: Chng thc kha b thu hi. -certificate_expired: Chng thc kha ht hn s dng. -certificate_unknown: Khng x l c chng thc kha v cc l do khc vi cc l do trn.

III.3.5 Giao thc bt tay:

Giao thc bt tay (handshake protocol) giao thc phc tp nht ca SSL, c hai pha s dng xc thc ln nhau v thng lng thng nht cc thut ton xc thc MAC v m ha. Th tc ny cng c trao i cc kha b mt dng cho m ha v MAC. Th tc phi c thc hin trc khi d liu c truyn. Th tc bt tay gm 4 giai an c m t hnh 3.16.

III.3.6 So snh SSL v IPSec:

SSL v IPSec l hai giao thc tng ng vi nhau v chc nng. C hai u c thit k bo v d liu truyn trn cc kt ni bng cc c ch xc thc v m ha. Tuy nhin, hai k thut ny c nhng im khc bit nhau nh sau: SSL hat ng lp socket (hnh 3.13), do n c gn kt phn ngi s dng (user space) trong cc h thng u cui. IPSec hat ng lp mng (network layer), nn c tch hp vo trong chc nng ca h iu hnh. y chnh l s khc nhau c bn nht gia SSL v IPSec. C SSL v IPSec u cung cp chc nng m ha (Encryption), bo v d liu (Integrity) v xc thc thng tin (Authentication), tuy nhin SSL n gin ha cc k thut ny p dng trong m hnh ca n, trong khi IPSec bao gm mt cch y cc chi tit thit k ca tt c cc k thut to thnh, v do , khi t hp li s xut hin nhiu li tng thch trong ni b IPSec. IPSec l thnh phn ca h iu hnh, do , trin khai IPSec th phi thay i cu hnh h iu hnh m khng cn thay i cu hnh chng trnh ng dng.

107

Ngc li, SSL nm mc ngi dng nn phi ci t vi tng ng dng c th (v d mail, web, ) m khng cn khai bo vi h iu hnh, V nhng khc bit trn y, SSL thng c s dng bo v kt ni cho tng ng dng c th, c bit l Web, E-mail. Trong khi , IPSec thng c dng xy dng cc mng ring o (VPN) ri trn c s mi trin khai cc dch v ng dng.

108

Client client_hello server_hello

Server Giai on 1: Thit lp cc thng s bo mt nh phin bn ca giao thc, nhn dng phin giao dch, thut ton mt m, phng php nn v s ngu nhin ban u.

Chng thc kha server

Kha b mt ca server Giai on 2: Server c th gi chng thc kha cng khai, trao i kho v yu cu client cung cp chng thc kha.

Yu cu cung cp chng thc

Kt thc server_hello

Chng thc kha client Thi gian Giai on 3: Client gi chng thc kha khi c yu cu t pha server, trao i kha vi server. Client cng c th gi xc minh chng thc kha cng khai cho server (certificate_verify)

Kha b mt ca client

Xc minh chng thc kha

Thay i thng s m

Kt thc

Giai on 4: Thay i cc thng s ca thut ton mt m v kt thc giao thc bt tay.

Thay i thng s m

Ch : nhng giao tc biu din bng nt ri l nhng giao tc tu chn, c th c hoc khng, tu thuc vo tng tnh hung ng dng ca SSL.

Kt thc

Hnh 3.16: Th tc bt tay SSL

109

III.4 SECURE ELECTRONIC TRANSACTION

III.4.1 Tng quan v SET:
Secure Electronic Transaction hay SET l mt k thut c thit k bo v cc thng tin quan trng trao i trn mng (v d s th tn dng) dng trong cc giao dch thanh tan qua mng Internet. SET phin bn 1 c xut nm 1996 (MasterCard v Visa ch tr), sau c nhiu nh sn xut khc tham gia pht trin (nh Microsoft, IBM, Netscape, RSA, Terisa v Verisign). SET khng phi l mt h thng thanh tan, m ch l mt giao thc an tan cho php cc u cui trao i cc thng tin b mt, c bit l cc thng tin v ti khan ngn hng, thng qua cc mi trng cng cng v d nh Internet. -Cc tnh nng ca SET: Bo mt thng tin: c bit l thng tin v ti khan ngn hng khi nhng thng tin ny c trao i qua mng. SET cn c chc nng ngn chn ngi bn hng bit s th tn dng (credit card) ca ngi mua hng. K thut m ha quy c vi thut tan DES c dng cung cp chc nng ny. Bo tan d liu: cc thng tin v vic t hng, thanh tan, thng tin c nhn khi gi t mt ngi mua hng n ngi bn hng c m bo tan vn, khng b thay i. K thut ch k s DSA vi hm bm SHA-1 c dng bo m tnh nng ny (trong mt s bn tin ca SET, HMAC c dng thay cho DSA). Xc thc ti khan ca ngi s dng th: cho php ngi bn hng xc minh ngi dng th l ch nhn hp l ca ti khon ang cp. thc hin chc nng ny, SET dng chun xc thc X.509 version 3. Xc thc ngi bn hng: SET cho php ngi s dng th xc thc rng ngi bn hng c quan h vi mt t chc ti chnh c chp nhn thanh ton qua th. Chc nng ny cng c thc hin dng X.509 version 3.

Mt iu cn ch l SET hat ng bng cch truy xut trc tip n lp TCP/IP m khng dng cc giao thc lp ng dng khc. Tuy vy hat ng ca SET cng khng nh hng n cc c ch bo mt khc nh IPSec hoc SSL. -Cc thnh phn ca SET: -Ngi dng th (Cardholder): Ngi dng th tn dng thc hin cc giao dch thanh tan trn Internet (ngi mua hng). -Ngi bn hng (Merchant): Mt c nhn hay t chc bn hng hoc dch v trn mng (thng qua web hoc email). Ngi bn hng phi c kh nng chp nhn thanh tan bng th, v phi c quan h vi mt t chc ti chnh no (Accquirer). -T chc pht hnh th (Issuer): y l t chc ti chnh (thng l ngn h ng) pht hnh th tn dng. T chc ny c trch nhim thanh tan theo yu cu ca ngi s dng th. -Trng ti (Acquirer): Mt t chc ti chnh khc c quan h vi ngi bn hng, thc hin vic xc thc ti khan ca ngi mua hng v thanh tan. Trng ti s kim tra ti khan ca ngi mua hng thng bo cho ngi bn hng bit s d trong ti khan ca ngi mua c thc hin giao dch hay khng. Sau khi giao dch mua hng c thc hin, trng ti thc hin vic chuyn tin t ti khan ca ngi mua hng sang ti tan khan ca ngi bn hng, ng thi ra yu cu thanh tan i vi ngn hng pht hnh th (Issuer).

110

-Ca thanh tan (Payment gateway): y l thnh phn chu trch nhim x l cc bn tin thanh tan (payment message) c iu hnh bi trng ti hoc mt t chc th 3 c ch nh. Payment gateway giao tip gia SET v h thng thanh tan ca ngn hng thc hin cc thao tc xc thc v thanh tan. Nh vy, ngi bn hng tht ra trao i cc thng bo vi ca ng thanh tan thng qua mng Internet, sau , Payment gateway mi lin kt n h thng x l ti chnh ca Acquirer. -T chc chng thc (Certification authority _ CA): L thnh phn c chc nng to ra cc chng thc (certificate) theo chun X.509v3 v phn phi c ho Cardholder, Merchant v Payment Gateway. S thnh cng ca SET ph thuc vo s tn ti ca CA. Thng thng, CA c t chc theo mt m hnh phn cp vi nhiu CA lin h vi nhau.
Ngi bn hng (Merchant)

Ngi dng th (Cardholder)

Intenet

T chc chng thc (CA)

T chc pht hnh th (Issuer)

Mng thanh tan Trng ti (Acquirer) Ca thanh tan (Payment gateway)

Hnh 3.17: Cc thnh phn ca SET

-Thc hin giao dch vi SET: Mt giao dch SET in hnh gm cc bc sau y: 1. Khch hng m ti khan ti mt ngn hng c dch v thanh tan qua mng (v d MasterCard, Visa card, ) v tr thnh Cardholder. 2. Khch hng nhn c mt chng thc X.509v3, c k bi ngn hng bng ch k s (digital signature), trong cha kha cng khai RSA ca khch hng v ngy ht hn. 3. Ngi bn hng nhn chng thc: Ngi bn hng phi c 2 chng thc khc nhau cha kha cng khai cho hai mc ch: k nhn cc thng bo (message signing) v trao i kha (key exchange). Ngai ra, ngi bn hng cng c mt bn sao chng thc ca Payment gateway.

111

4. Khch hng t hng: thao tc ny c thc hin thng qua website ca ngi bn hng hoc qua email. 5. Xc nhn ngi bn hng: ngi bn hng gi chng thc ca mnh cho ngi mua hng chng minh tnh s hu ca mnh i vi mt kho hng no . 6. Lnh t hng v thanh ton c thc hin: ngi mua hng gi lnh t hng v lnh thanh tan cho ngi bn hng cng vi chng thc ca mnh. Thng tin thanh ton (s th tn dng) c m ho sao cho ngi bn hng khng th thy c nhng c th kim tra tnh hp l ca n. 7. Ngi bn hng yu cu xc thc vic thanh tan thng qua Payment gateway. 8. Ngi bn hng xc nhn n t hng bng cch gi thng bo cho ngi mua hng. 9. Ngi bn hng giao hng (hoc bt u cung cp dch v) cho ngi mua hng. 10. Ngi bn hng yu cu thanh tan thng qua Payment gateway.

III.4.2 Ch k song song:

Ch k song song (dual signature) l mt thut ng c dng trong SET din t mt lin kt gia hai bn tin c gi i bi cng mt ngi gi nhng cho hai ngi nhn khc nhau. Khi mua hng qua mng, khch hng gi thng tin t hng OI (Order information) vi ch k ca mnh cho ngi bn hng, ng thi gi thng tin thanh tan PI (Payment information) cho ngn hng cng vi ch k ca mnh. V nguyn tc, ngn hng khng cn bit cc chi tit v t hng, v ngi bn hng cng khng cn bit cc chi tit v thanh tan. Ch k song song c s dng trong trng hp ny trnh cc tranh chp xy ra khi thng tin t hng v thng tin thanh tan khng khp nhau. Hnh 3.18 m t hat ng ca ch k song song. -Ngi mua hng p dng hm bm ln PI v OI (dng SHA-1), sau hai gi tr bm c ni vi nhau v p dng hm bm mt ln na vi kha ring ca chnh ngi mua hng to thnh ch k song song: DS = E([H(H(PI) + H(OI)], PRc) Trong PRc l kha ring ca ngi mua hng. -Ngi bn hng xc nhn ch k ca ngi mua hng bng cch tnh hai gi tr: H(PIMS + H[OI]) v D(DS, PUc) Trong PIMD l m bm ca PI, PUc l kha cng khai ca khch hng, DS l ch k song song nhn c trn n t hng. Nu hai gi tr trn bng nhau, th ch k xem nh chnh xc v n t hng c chp nhn. -Song song , ngn hng cng xc thc ch k song song bng cch so snh hai gi tr sau y: H(H[OI] + OIMD) v D(DS, PUc) Trong OIDM l message digest ca OI. Nu hai gi tr va tnh c l bng nhau th xem nh ch k l chnh xc v lnh thanh tan c chp nhn.

112

PI PIMD PRc H Ch k song song E

POMD H OI OIMD H

PI: Payment Information OI: Order Information H: Hash function (SHA-1) | | : Ni hai khi thng tin

PIMD: PI message digest OIMD: OI message digest POMD: Payment Order message digest E: Thut tan mt m (RSA) PRc: Kho ring ca ngi mua hng

Hnh 3.18: Ch k song song (dual signature)

III.4.3 Thc hin thanh ton trong SET:

X l thanh ton (Payment processing) l cng on quan trng nht trong giao dch SET. Qu trnh x l thanh ton gm 3 cng vic nh sau: Yu cu mua hng (Purchase Request). Xc thc thanh ton (Payment Authorization). Thc hin thanh ton (Payment Capture). Bng 3.1: Cc giao tc ca SET Tn giao tc Cardholder registration Merchant registration Purchase request Payment authorization Payment capture Certificate and status ngha Ngi mua hng ng k vi CA trc khi thc hin cc giao dch SET khc vi ngi bn hng. Ngi bn hng ng k vi CA trc khi gi cc thng bo SET vi khc hng v vi Payment gateway. Thng bo c ngi mua hng gi i, trong cha lnh t hng (OI) cho ngi bn hng v lnh thanh tan (PI) cho ngn hng. Trao i gia ngi bn hng v Payment gateway kim tra s d trong ti khan ca ngi mua hng. Ngi bn hng gi yu cu thanh tan n Payment gateway. inquiry Trong trng hp CA khng x l c yu cu cung cp chng thc tc thi, n s tr li cho ngi mua hng v ngi bn hng v vic tr han ny. Sau , ngi mua hng hoc ngi bn hng c th dng giao dch ny kim tra trng thi ca chng thc. Nu chng thc c x l

113

xong th khch hng hoc ngi bn hng s c nhn. Purchase inquiry Authorization reversal Ngi mua hng kim tra trng thi ca n t hng sau khi xc nhn n t hng vi ngi bn hng. Ngi bn hng hiu chnh yu cu xc thc trc . Nu n t hng khng thc hin c th tan b vic xc thc trc c hi li (reverse). Nu n t hng ch c thc hin mt phn (ngi mua hng hi li mt phn) th ngi bn hng ch hi li phn xc thc tng ng. Ngi bn hng hiu chnh cc thng tin yu cu thanh tan gi cho Payment gateway. Ngi bn hng tr li tin vo ti khan ca ngi mua hng khi hng c tr li v l do no (h hng, sai quy cch, ). Ngi bn hng hiu chnh li yu cu tr li tin vo ti khan ca ngi mua hng (giao tc Credit) va ri.

Capture reversal Credit Credit reversal

Payment gateway Ngi bn hng yu cu bn sao chng thc ca Payment gateway. certificate request Batch administration Error message Ngi bn hng thng bo cho Payment gateway v cc t giao hng. Thng bo li xy ra trong giao dch.

-Yu cu mua hng: Sau khi ngi mua hng hon tt cc cng vic chn hng v t mua trn mng, th tc yu cu mua hng mi c bt u. Ch rng thao tc chn hng v t mua c thc hin trn cc kt ni bnh thng (nh e-mail hay web) m khng cn c s tham gia ca SET. Qu trnh yu cu mua hng bao gm 4 giao tc: Initiate Request, Initiate Response, Purchase Request, v Purchase Response. gi c cc bn tin SET n ngi bn hng, ngi mua hng cn c mt bn sao cc chng thc ca Merchant v Payment gateway. Bn tin Initiate Request c s dng yu cu ngi bn hng cung cp cc chng thc cn thit cho ngi mua hng. Ngi bn hng s tr li bn tin Initiate Request bng mt bn tin hi p Initiate Response trong c cha gi tr ngu nhin (nonce) c to ra trc bi ngi mua hng, mt gi tr ngu nhin khc do ngi bn hng to ra, nhn din ca giao tc hin hnh, cng vi cc chng thc ca chnh ngi bn hng v Payment gateway. Tt c cc thng tin ny c xc thc bi ch k ca ngi bn hng. Ngi mua hng xc minh cc chng thc nhn c, sau to ra thng tin t hng (OI) v thng tin thanh tan (PI), trong c cha nhn din giao tc m ngi bn hng va to ra trc . Ngi mua hng chun b bn tin Purchase Request. Bn tin ny cha cc thng tin sau y: Cc thng tin lin quan n vic thanh ton bao gm: PI, ch k song song, OIMD v mt phong b s (digital envelope). Cc thng tin ny c m ho bng kho b mt K s do ngi mua hng to ra cho tng phin giao dch. Cc thng tin lin quan n n t hng bao gm OI, ch k song song, PIMD. Ch rng OI c gi i trc tip m khng cn m ho. 114

Chng thc ca ngi mua hng. Xc minh chng thc ca ngi mua hng. Kim chng ch k song song ca ngi mua hng. X l n t hng v chuyn thng tin thanh ton cho Payment Gateway kim tra. Gi bn tin Purchase Response cho ngi mua hng.

Khi ngi bn hng nhn c Purchase Request, h s thc hin cc thao tc sau y:

Bn tin Purchase Response cha cc thng tin chp nhn n t hng v cc tham chiu n s nhn din giao tc tng ng. Thng tin ny c k bi ngi bn hng v gi cho ngi mua hng cng vi chng thc ca ngi bn. Ngi mua hng khi nhn c bn tin Purchase Response s tin hnh kim tra ch k v chng thc ca ngi bn hng.
Bn tin Purchase Request PI

Dual Signature

Ks
Digital envelope

Phn thng tin c ngi bn hng chuyn cho Payment Gateway

OIMD PIMD Phn thng tin nhn c bi ngi bn hng

OI PUb

Dual Signature

Cardholder cerificate

Hnh 3.19: Qu trnh to bn tin Purchase request ca ngi mua hng -Xc thc thanh ton: y l th tc m ngi bn hng xc thc tnh hp l ca ngi mua hng thng qua Payment Gateway. Qu trnh xc thc nhm bo m rng giao dch ny c chp thun bi

115

ngn hng pht hnh th (Issuer), v do ngi bn hng s c m bo thanh ton. Qu trnh
Bn tin Purchase Request

Thng tin c Merchant chuyn cho Payment Gateway Digital envelope

PIMD H OI

POMD

H OIMD

So snh

Dual signature D POMD Cardholder certificate

PUc

Hnh 3.18: Qu trnh xc minh yu cu mua hng (Purchase Request) ti Merchant ny c thc hin thng qua hai bn tin: Authorization Request v Authorization response. Bn tin Authorization Request c ngi bn hng gi n Payment Gateway bao gm cc thng tin sau: Thng tin lin quan n vic mua hng, bao gm: PI, ch k song song, OIMD v phong b s (digital envelope). Thng tin lin quan n xc thc bao gm: nhn din giao tc, c m ho bng kho b mt do ngi bn hng to ra v phong b s, c m ho bng kho cng khai ca Payment gateway. Cc chng thc ca ngi mua hng v ngi bn hng.

116

Khi nhn c Authorization Request, Payment Gateway thc hin cc thao tc sau: Xc minh tt c cc chng thc. Gii m phong b s ca khi thng tin mua hng. Xc minh ch k ca ngi bn hng. Gii m phong b s ca khi thng tin xc thc. Xc minh ch k song song. Xc minh nhn din giao tc (transaction ID). Yu cu xc thc t ngn hng pht hnh th.

Nu nhn c thng tin xc thc thnh cng t ngn hng pht hnh th, Payment Gateway s hi p bng bn tin Authorization Response trong cha cc thng tin sau: Thng tin lin quan n xc thc bao gm: khi thng tin xc thc c k bi Payment Gateway v m ho bng kho b mt do Payment Gateway to ra, ngoi ra cn c phong b s. Thng tin lin quan n thc hin thanh ton. Chng thc ca Payment gateway.

Vi thng tin xc thc ny, ngi bn hng c th bt u giao hng hoc cung cp dch v cho ngi mua hng. -Thc hin thanh ton: thc hin thanh ton, ngi bn hng thc hin mt giao tc vi Payment Gateway gi l Capture transaction, giao tc ny c thc hin qua hai bn tin: Capture Request v Capture Response. Trong bn tin Capture Request, ngi bn hng to ra thng tin yu cu thanh ton, trong c khi lng thanh ton v nhn din giao tc (transaction ID), cng vi thng tin xc thc nhn c trc t Payment Gateway, ch k v chng thc ca ngi bn hng. Payment Gateway nhn c bn tin ny, gii m v thc hin cc bc kim tra cn thit trc khi yu cu ngn hng pht hnh th chuyn tin cho ngi bn hng. Cui cng, Payment Gateway s thng bo cho ngi bn hng bng bn tin Capture Response. Tm tt chng: -Cc ng dng bo mt (security application) c xy dng da trn cc k thut c s trnh by chng 2 bao gm: mt m i xng, mt m bt i xng, hm bm, ch k s, chng thc kha cng khai, -K thut xc thc c xem l k thut c bn nht qun l truy xut. Mt khu l phng tin xc thc n gin nht v hiu qu nht t trc n nay. Tuy nhin, mt khu c qun l v s dng bi con ngi, nn cn phi c cc chnh sch hp l m bo mt khu khng b tit l. -Trong m hnh thng tin im im, hai giao thc xc thc thng c dng l PAP (Password Authentication Protocol) v CHAP (Challenge Handshake Authentication Protocol) trong , giao thc CHAP c nhiu u im hn v an tan hn do khng gi mt khu i trc tip trn mng.

117

Confidential M Pha M Pha SYN/ACK Trm Ni Ni ACK xc SYN bm nhn to t nhn gi lm o thc ra So snh Availability Integrity Secure (2)C (1)C F babaTo Dng 2.24 ch : Hnh Hnh E(H(M), 2.13: 2.14: 2.29: 1.2: B A E(M, So snh PRa) C M: thng tin Hnh 2.26 : 2.25: vic c (MAC) m ha message thng ity tin Ch mt k iu Xc Ma trc m k trn khin thc trc tip i bt PRa) gc Xc thc (workstation hon truy bng thng xut v cch tin PC t i xng tip xng thng ) tin

H: E: dng m do ha mt 1 2 dng hm dng MAC Thut thut hm C: tan bm phn tan trong mm b bm mt Hm m ha m to m Windows thng bm ca tin xc thc E: D: thng gc XP tin T thut Thut hut tan K: Kha gc b m gii ha m mt dng C: thut chung D: H: Thng Hm gia bm tan tin mt m bn gii gi v bn nhn K: Kha kha b b |: | |: Ni| mt m dng Ni m chung bm xc thc vo gia vo thng pha bn gi tin thng tin gc v pha gc bn nhn nhn. | |: ni PRa: Kham b bm ca mt c bn ca gi. ha vo m ngi k thng tinPUa gc : Kha cng khai ca bn ca gi k ngi

-Trong m hnh phn tn, giao thc xc thc cn phi p ng c hai yu: m bo thng tin xc thc khng b nh cp v ngi s dng ch cn xc thc mt ln cho tt c cc dch v trong h thng phn tn. Kerberos l mt giao thc xc thc p ng c 2 yu cu ny. -Giao thc bo mt IP Security (IPSec) l mt s m rng ca giao thc IP, cho php lp mng thc hin cc chc nng bo mt v tan vn cho d liu truyn i trn mng. IPSec l mt chun phc tp, bao gm c t ca nhiu chun khc, c trin hai da trn hai giao thc ng gi c bn l ESP v AH. IPSec hat ng hai ch l ch vn chuyn (transport) v ch ng hm (tunnel). Hat ng ca IPSec l trong sut i vi cc giao thc lp ng dng. -Giao thc bo mt SSL (Secure Sockets Layer) l mt giao thc cng thm hat ng bn trn giao thc TCP. SSL cung cp hai dch v c bn l mt m ha v xc thc d liu / xc thc u cui cho cc ng dng Internet nh web, e-mail, . SSL c s dng rt ph bin hin nay trn mng Internet, t bigt trong cc th tc trao i thng tin b mt gia client v server nh ng nhp vo hp th in t, nhp s th tn dng khi mua hng, -SET (Secure Electronic Transaction) l mt ng dng bo mt trong cc h thng thanh tan qua mng. SET l mt ng dng truy xut trc tip n lp TCP (tc khng thng qua cc giao thc ng dng nh mail hay web, ). SET nh ngha mt m hnh phc tp bao gm nhiu thc th nh ngi mua hng, ngi bn hng, ngn hng pht hnh th, trng ti, ca thanh tan, SET c pht trin bi cc t chc ti chnh c uy tn nh MasterCard, VISA, cc t chc cng ngh nh Microsoft, IBM, RSA, Verisign,

118