NGUYỄN NGỌC ĐIỆP
MASTER'S THESIS SUMMARY
Hà Nội - 2012
INTRODUCTION
Today, the development of information technology occupies an increasingly important place in every area of life. The explosion of science and technology in general, and of information technology in particular, brings people many benefits: it shortens geographical distances, raises productivity, and saves time and cost at work.
Electronic transactions such as exchanging correspondence, e-commerce, web services and virtual private networks have become an essential part of modern life. A practical need has arisen for a body that provides electronic certification for electronic transactions, guaranteeing authentication, confidentiality, integrity and non-repudiation. There are now many technologies and methods for verifying identity in electronic transactions: methods based on passwords, personal identification numbers, digital certificates issued through a PKI, physical security devices such as smart cards, and so on.
In response to this need, many security companies have worked with banks and financial institutions to develop solutions and products that protect the information involved in online transactions. There are now many ways to build and deploy a PKI system; specific examples include Microsoft CA, the open-source OpenCA, and Entrust. In this project I chose a solution based on PrimeKey's EJBCA running on the CentOS operating system.
EJBCA is a fully featured CA built on Java. Because it is based on J2EE technology, EJBCA forms a robust, high-performance CA. Flexible and independent of the underlying operating system and hardware, EJBCA can be used on its own or integrated into J2EE applications.
Chapter I
INFORMATION SECURITY IN ELECTRONIC COMMERCE TRANSACTIONS
1.1. General requirements for information security in electronic transactions
On the Internet the threats typically include:
- Network monitoring (sniffing)
- Intercepting connections
- Routing spoofing
- DNS spoofing
- Decryption of traffic
DES modes of operation
Triple DES:
Applications of DES
Conclusion
It cannot be denied that the DES algorithm has many applications in telecommunications and information technology; mastering these algorithms and implementing them in hardware is highly significant for the security of online transactions. In general, for Vietnam, mastering the technology for hardware implementation of DES is very meaningful for securing online transactions and for securing communications of Vietnam's cipher units. We are currently implementing DES in hardware using modern digital design technologies.
Properties of hash functions
Hash algorithms
+ The MD5 algorithm
+ The SHA algorithm
- Comparison of the security of MD5 and SHA
1.5.2 Digital signature creation process
1.5.3 Digital signature verification process
Chapter II
PUBLIC KEY INFRASTRUCTURE (PKI)
2.1. Concepts in public key infrastructure (PKI)
2.1.1 The PKI concept
Public Key Infrastructure (PKI) is a mechanism by which a third party (usually a digital certification provider) supplies and verifies the identities of the parties taking part in an exchange of information. The mechanism also allows each user in the system to be assigned a public/private key pair. These processes are usually carried out by software located at a central site together with other software at the users' locations. Public keys are usually distributed in public key certificates (PKI).
The term public key infrastructure (PKI) is often used to refer to the whole system, including the certification authority (CA) and the related mechanisms, together with every use of public key encryption algorithms in information exchange. Including the latter is not entirely accurate, however, because the mechanisms in a PKI do not necessarily use public key encryption algorithms.
PKI allows electronic transactions to take place with confidentiality, integrity and mutual authentication, without the parties having to exchange secret information beforehand.
The main goal of a PKI is to supply public keys and to establish the link between a key and a user's identity. This lets users employ it in applications such as:
- Encrypting email or authenticating the sender of an email.
- Encrypting or signing documents.
- Authenticating application users.
- Secure communication protocols that use a bootstrapping technique (IKE, SSL): exchange with asymmetric keys, encrypt with symmetric keys.
The publication by Diffie, Hellman, Rivest, Shamir and Adleman of their research on secure key exchange and public key encryption algorithms in 1976 completely changed the way secret information is exchanged. With the growth of high-speed electronic communication systems (the Internet and the systems that preceded it), the need to exchange confidential information became urgent. A further requirement also arose: establishing the identity of the participants in a communication. The idea of binding a user's identity to a certificate protected by cryptographic techniques therefore developed strongly.
2.1.2. Certificates
2.1.3. Certificate repository
2.1.4 Certificate revocation
2.1.5. Publishing and sending certificate revocation notices
2.1.6. Key backup and recovery
2.1.7 Automatic key update
2.1.8 Key history
2.1.9. Cross-certification
2.1.10 Non-repudiation support
2.1.11 Time stamps
2.1.12 Client-side software
2.1.13 Certificate policy
2.2 Functions of a PKI
2.2.1. Certification
2.2.2. Validation
2.3. Main components of a PKI
* Advantages:
- Compatible with the hierarchical structure of management systems in organizations.
- Close to the hierarchy of a directory organization, so it is easy to become familiar with.
- A certification path is found in a single fixed direction with no looping, so path discovery is simple and fast.
* Disadvantages:
- Over a wide scope, a single CA cannot take on all of the certification work.
- Business and commercial relationships are not always hierarchical.
- If the root CA's private key is compromised, the whole system is endangered.
* Advantages:
- This is a flexible model, suited to the real-world mutual trust relationships found in business.
- CAs can certify each other directly as peers; this is especially beneficial when the users of those CAs work with each other frequently, since it reduces traffic and processing.
- When a CA's key is compromised, only the certificates of that CA need to be reissued to the parties that have established a trust relationship with it.
* Disadvantages:
- Because the structure of the network can be complex, locating entities can be difficult.
- An entity cannot produce a single certification path that guarantees every entity in the system can be trusted.
* Advantages:
- Simple architecture, easy to deploy.
- Users have full control over the list of CAs they trust.
- Entities work directly with the CAs in their list of trusted CAs.
* Disadvantages:
- Managing an organization's list of trusted CAs is difficult.
- The certificate structure gives little support for discovering certification paths.
- There is no direct support for peer certificate pairs, which limits a CA's ability to manage its trust in other CAs.
- Many applications do not support automatically retrieving certificate status or revocation information.
Field name: Example
Version: Version 3
Serial number: 70:58:E1:B7:54:C6:B4:5B
Not Before: 6/4/2011 22:38:34 PM
Not After: 6/1/2021 16:17:55 PM
Subject
Subject Public Key Information
Extensions:
Authority Key Identifier: 1d 43 ad da 32 10 43 6b 6a 50 de 08 ab a1 35 1c
Subject Key Identifier: 1a 5c d7 b5 ea 9b 93 dd dd fe 13 e1 8a 20 52 95
Key Usage
Subject Alternative Names: DNS Name: http://localhost:8080/ejbca
CA Signature
Standard: Name
PKCS#1: RSA cryptography standard
PKCS#2
PKCS#3
PKCS#4
PKCS#5
PKCS#6
PKCS#7: Cryptographic message syntax standard
PKCS#8
PKCS#9
PKCS#10: Certification request syntax standard
PKCS#11
PKCS#12
PKCS#13
PKCS#14
PKCS#15
- Support both two-party and three-party transactions. The protocol should be designed to be convenient to use, and to be simple for end entities whether they are interacting with a CA or with an RA.
- The protocols should be algorithm-independent. Since organizations may need to use different algorithms for their key pairs, the protocols should be able to recognize the algorithm types in use. Some algorithms used in cryptography are MD5, RSA and DSA.
- PKI management protocols must support several different transport mechanisms, such as HTTP, FTP and TCP/IP.
Chapter III
Feature: EJBCA / OpenCA
Configuration difficulty: very complex / complex
Confidentiality: yes (uses encryption) / yes (uses encryption)
Integrity: yes (uses encryption) / (cell not recovered)
Authentication: yes (uses digital signatures) / (cell not recovered)
CRL update, smart card support, cost, extensions, platform environment, database, LDAP support: cells not recovered (the values surviving on the page for these rows are "no", "manual", "automatic" and "free")
Implementation technology: EJB / Perl
Extensibility: well designed and extensible / hard to extend because complexity grows considerably
Independent components: many / (cell not recovered)
+ DB2
* Disadvantages:
- Installation and configuration are more complex than in other systems.
In the hierarchical PKI model of figure 2.3, each CA has its administrators divided into 4 groups:
+ CA administrator
+ RA administrator
+ Super administrator
The names of the CAs and of the entities that are issued certificates all follow the X.509 distinguished name standard.
Deployment steps:
Issue certificates to the CA administrators, RA administrators, supervisors and super administrators so that they can log in to the CA administration system through a web browser such as Firefox or IE.
CONCLUSION
PKI is a relatively large and complex system, and mastering and studying it thoroughly takes much time and effort. The project presented above gives an overview of the PKI infrastructure and of the system's goals and functions. It also presents the basics of installing and configuring the EJBCA software package, one way of building and deploying a public key system. EJBCA is a well-known open-source package with which a complete, fully featured PKI can be deployed. To take advantage of this package's strengths while keeping control over the system's development and its security, the project studied and analysed it.
The direction for future work is to apply the deployment model more widely in practice rather than stopping at a theoretical demo. We can pilot a centralized certification system built on a simple hierarchical PKI architecture that can be used directly in practice. Such a deployment provides all the properties needed to establish a secure, trusted communication environment: confidentiality, integrity, authentication and non-repudiation. Moreover, the system can be extended and integrated with other systems easily. The deployed system can be used in practice immediately and is highly general (several kinds of CA: a root CA, first-level sub-CAs and sub-CAs at other levels), so it can be applied in any organization with a similar hierarchical model.
TABLE OF CONTENTS
LIST OF ABBREVIATIONS
LIST OF TABLES
LIST OF FIGURES
INTRODUCTION
Chapter I
INFORMATION SECURITY IN ELECTRONIC COMMERCE TRANSACTIONS
1.1. General requirements for information security in electronic transactions
1.2 Secret-key cryptography
1.3 Public key cryptography
1.4 Hash functions
1.5. Digital signatures
1.5.1 Concept
1.5.2 Digital signature creation process
1.5.3 Digital signature verification process
Chapter II
PUBLIC KEY INFRASTRUCTURE (PKI)
2.1. Concepts in public key infrastructure (PKI)
2.1.1 The PKI concept
2.1.2. Certificates
2.1.3. Certificate repository
2.1.4 Certificate revocation
2.1.5. Publishing and sending certificate revocation notices
2.1.6. Key backup and recovery
2.1.7 Automatic key update
2.1.8 Key history
2.1.9. Cross-certification
2.1.10 Non-repudiation support
2.1.11 Time stamps
2.1.12 Client-side software
2.1.13 Certificate policy
2.2 Functions of a PKI
3.1. Introduction to EJBCA (Enterprise Java Bean Certificate Authority)
3.1.1. Concept
3.1.2. Development stages of EJBCA
3.1.3. Comparison with other software packages
3.2. Model of the EJBCA PKI system
3.2.1. Overview diagram of the EJBCA PKI system
3.2.2. Internal architecture of EJBCA
3.2.3. Operation of the RA server in the EJBCA system
3.2.4. Architecture and operation of external OCSP responders
3.3. Features of EJBCA
3.4. Applications of EJBCA
3.5. Some advantages and disadvantages of EJBCA
3.6 Deploying a PKI system with the EJBCA software
3.6.1 Deployment model
3.6.2 Installation and configuration
CONCLUSION
REFERENCES