1

NGUYN NGC IP

TM HIU V TRIN KHAI H THNG

CHNG THC KHA CNG KHAI S DNG GI PHN MM M
NGUN M EBJCA NG DNG TRONG CC GIAO DCH THNG
MI IN T.

Chuyn ngnh: TDL & MTT

M s: 60.48.15

TM TT LUN VN THC S

H Ni - 2012

Lun vn c hon thnh ti:

HC VIN CNG NGH BU CHNH VIN THNG
Lun vn c hon thnh ti:
HC VIN CNG NGH BU CHNH VIN THNG
Ngi hng dn khoa hc: T.S Phm Th Qu
Ngi hng dn khoa hc: TS. PHM TH QU
Phn bin 1:
Phn bin 1: TS.Bi Thu Lm
Phn bin 2: ..
Phn bin 2: PGS.TS. Trnh Nht Tin

Lun vn s c bo v trc Hi ng chm lun vn thc s ti Hc vin Cng ngh Bu

Lun vn s c bo v trc Hi ng chm lun vn thc s ti Hc vin Cng
chnh Vin thng
ngh Bu chnh Vin thng
Vo lc: ....... gi ....... ngy ....... thng ....... .. nm ...............
Vo lc: 9 gi 00. ngy 08 thng 09 nm 2012
C th tm hiu lun vn ti:
C th tm hiu lun vn ti:
- Th vin ca Hc vin Cng ngh Bu chnh Vin thng
- Th vin ca Hc vin Cng ngh Bu chnh Vin thng

LI NI U
Ngy ny, s pht trin ca cng ngh thng tin ngy cng chim mt v tr quan
trng trong mi lnh vc ca cuc sng. S bng n ca khoa hc cng ngh ni
chung v cng ngh thng tin ni ring em li rt nhiu li ch cho con ngi, rt
ngn khong cch v a l, tng hiu sut, tit kim thi gian v chi ph cho cng
vic
Vic giao dch in t nh trao i th tn, thng mi in t, dch v web,
mng ring o tr thnh mt phn tt yu ca cuc sng hin i. Nhu cu thc
t c t ra, l phi c mt c quan m bo chng thc in t cho cc giao
dch in t m bo yu cu xc thc, b mt, ton vn, chng chi b. Thc t l
hin nay c rt nhiu cng ngh v phng php xc thc danh tnh trong giao
dch in t. Nhng phng php s dng mt khu, s nh danh c nhn, chng
ch s s dng PKI, cc thit b bo mt vt l nh Smart Card,
ng trc nhu cu , rt nhiu cng ty bo mt phi hp cng cc ngn
hng, t chc ti chnh pht trin nhng gii php, sn phm bo v thng tin c
lin quan ti cc hot ng giao dch trc tuyn. Hin nay, trn th gii c rt nhiu
cch xy dng , trin khai mt h thng PKI . C th n c ra mt vi v d c th
nh: CA Microshoft, OpenCA Opensourc, Entrus. Trong ti thc tp ny, em
la chn gii php s dng EJBCA ca Primekey trn nn tng h iu hnh CentOS.
EJBCA l mt CA y chc nng c xy dng trn Java. Do c da trn
cng ngh J2EE, EJBCA to thnh mt CA mnh, hiu sut cao. Vi s mm do,
chy c lp khng ph thuc vo h iu hnh v phn cng, EJBCA c th c s
dng c lp hoc c tch hp trong cc ng dng J2EE.

Qua tm hiu v nghin cu em chn ti Tm hiu v trin khai h thng

chng thc kha cng khai s dng gi phn mm m ngun m EJBCA ng
dng trong cc giao dch thng mi in t. cho lun vn ca mnh .
ti tp trung gii quyt cc ni dung chnh gm 3 chng sau:
Chng 1: An ton thng tin trong cc giao dch thng mi in t
Nu ln tng quan cc yu cu chung ca h thng an ton thng tin trong
cc giao dch in t
Cc khi nim,thut ton c bn
Chng 2: C s tng kha cng khai
Nu ln tng qut v c s h tng kha cng khai PKI
Cc mc tiu, chc nng v u nhc im ca h thng
Chng 3 : B phn mm EBJCA trong h thng chng thc c s h tng kha cng
khai
Gii thiu chung v gi phn mm EJBCA
Cc kin trc ca h thng PKI s dng EJBCA
a ra m hnh trin khai
Cch ci t v cu hnh.
Kt Lun
Do ni dung lun vn bao gm nhiu kin thc mi, thi gian v kin thc cn
hn ch, vic nghin cu ch yu da trn l thuyt nn chc chn ti khng trnh
khi nhng thiu st. Em rt mong nhn c s ng gp kin ca thy c gio v
bn b ti ca em ngy mt hon thin hn.
Trong qu trnh thc hin ti, em xin c cm n s nhit tnh gip ca
TS.Phm Th Qu - Ging vin Hc vin cng ngh bu chnh vin thng, nhit
tnh hng dn gip em hon thnh ti ny.
Em xin chn thnh cm n !

Chng I
AN TON THNG TIN TRONG CC GIAO DCH THNG MI
IN T (TMT)
1.1. Yu cu chung cho an ton bo mt thng tin trong cc giao dch in
t
Trn mng Internet cc e da thng bao gm:
-

Quan st mng
Chn cc kt ni
Gi mo cc nh tuyn
Gi mo DNS

Tn cng t chi dch v

m bo an ton trn mng Internet cn quan tm x l cc vn sau:

Tnh xc thc (Authentication)
b) Tnh bo mt (privacy)
c) Tnh ton vn ca d liu (Integrity)
d) Tnh chng chi b (Non-repudiation)
Cc vn an ton trn mng c th c gii quyt da trn c s l thuyt
mt m.Mt m hc c ng dng xa xa t thi Ai cp c i v xuyn sut tin
trnh lch s truyn i cc thng tin qun s v ngoi giao b mt.Ngy nay vic
mt m ho (encryption) d liu l mt phng php mnh bo v nhng d
liu quan trng hoc ring t khng b xm phm bi s soi mi tc mch hay dng
tm c c .

1.2 Mt m kha b mt (secret -key cryptography)

H mt m kha b mt hay cn c gi l h mt m kha i xng.Trong mt
m i xng cc bn tham gia lin lc s dng cng mt kha m ha v gii m.
Trc khi truyn tin, hai thc th A v B cng tha thun vi nhau mt kha dng
chung (K). Thc th A dng kha m ha bn tin (ek ) sau gi cho thc th
B. Thc th B dng kha K, thc hin php gii m (dK ) gii m m nhn c.V

vy kha mt m chung phi c gi b mt ch ngi lp m v ngi nhn m

bit m thi.
C rt nhiu h kha b mt dng chung, in hnh nht l chun m ha d liu
Des (Data Encryptiol Standard).
-

Ngy 13/5/1973 y ban quc gia v tiu chun ca M cng b yu cu v h

mt m p dng cho ton quc. iu ny t nn mng cho chun m ha
d liu, hay l DES.
Lc u Des c cng ty IBM pht trin t h m Lucifer, cng b vo nm
1975. Sau Des c xem nh l chun m ha d liu cho cc ng dng.

Cu trc thut ton

M t thut ton

Gii m
Cc ch ca DES
Triple DES:
ng dng ca DES

Kt lun
Khng th ph nhn l thut ton DES c nhiu ng dng trong vin thng v cng
ngh thng tin, vic lm ch v cng ha cc thut ton rt c ngha i vi s an
ton trong cc giao dch trn mng. Nhn chung, i vi Vit Nam, vic lm ch cng
ngh cng ha thut ton DES rt c ngha trong vic m bo an ton giao dch
trn mng, m bo an ton trong truyn tin cho cc n v c yu ti Vit Nam. Hin
nay, chng ti ang trin khai cng ha thut ton DES nh cc cng ngh thit k s
hin i.

1.3 Mt m kha cng khai

Nhng hn ch ca mt m i xng
+ Vn phn phi kha
-

Kh m bo chia s m khng lm l kha b mt

Trung tm phn phi kha c th b tn cng

+ Khng thch hp cho ch k s

Bn nhn c th lm gi thng bo ni nhn c t bn gi.

Cc hn ch ca m mt m i xng s c gii quyt bng m ha kha cng

khai.Phng php m ha ny c xut bi Whitfield Diffie v Martin Hellman
vo nm 1976.C th coi l bc t ph quan trng nht trong lch s ngnh mt
m.N b xung nhng hn ch ca mt m i xng ch khng thay th.
- c im mt m kha cng khai
- ng dng mt m kha cng khai
- H m ha RSA
+ To kha
+ Thc hin RSA
+ V sao RSA kh thi ?
+ Hn ch ca kha cng khai

1.4 Hm Bm (Hash Function)

Hm bm (Hash Function) l hm chuyn i mt thng ip c di bt k
thnh mt dy bit c di c nh. Cc hm bm nhn mt chui bit c chiu di ty
(hu hn) lm d liu u vo v to ra mt chui bit mi c chiu di c nh n bit
(n > 0), c gi l gi tr bm hay m bm.
-

Tnh cht ca hm bm

Cc thut ton bm
+Gii thut MD5
+Gii thut SHA
- So snh tnh bo mt gia MD5 v SHA

1.5. Ch k in t (Digital Signature)

1.5.1 Khi nim

Ch k in t (Digital Signature) da trn k thut s dng m ha kha cng
khai. Trong , c ngi gi v ngi nhn, mi ngi c mt cp kha l kha b
mt,hay ring t (Private Key) v kha cng khai (Public Key).

Ch k in t hot ng khi mt ngi gi mt thng ip, ngi dng

kha ring ca mnh m ha thng ip sang mt dng kh nhn dng. Ngi nhn
dng kha cng khai ca ngi gi m ha thng ip. Tuy nhin, an ton tht
s phi c cc bc b sung. Do , thut ton bm MD5 v thut ton m ha RSA
c th c p dng xy dng ng dng ch k in t.

1.5.2 Qu trnh to ch k in t
1.5.3 Qu trnh kim tra ch k in t

Chng II
C S H TNG KHA CNG KHAI (PKI)
2.1.Cc khi nim trong c s h tng kha cng khai (PKI)
2.1.1 Khi nim PKI
Public Key Infrastructure (PKI) l mt c ch cho mt bn th ba (thng l
nh cung cp chng thc s ) cung cp v xc thc nh danh cc bn tham gia vo
qu trnh trao i thng tin. C ch ny cng cho php gn cho mi ngi s dng
trong h thng mt cp public/private. Cc qu trnh ny thng c thc hin bi
mt phn mm t ti trung tm v cc phn mm khc ti cc a im ca ngi
dng. Kho cng khai thng c phn phi trong chng thc kha cng khai (PKI)
Khi nim h tng kho cng khai (PKI) thng c dng ch ton b h thng
bao gm c nh cung cp chng thc s (CA) cng cc c ch lin quan ng thi vi
ton b vic s dng cc thut ton m ho cng khai trong trao i thng tin. Tuy
nhin phn sau c bao gm khng hon ton chnh xc bi v cc c ch trong PKI
khng nht thit s dng cc thut ton m ho cng khai.
PKI cho php cc giao dch in t c din ra m bo tnh b mt, ton vn v
xc thc ln nhau m khng cn trao i cc thng tin bo mt t trc.
Mc tiu chnh ca PKI l cung cp kho cng khai v xc nh mi lin h gia kho
v nh dng ngi dng. Nh vy, ngi dng c th s dng trong mt s ng dng
nh :
-M ho Email hoc xc thc ngi gi Email.
-M ho hoc chng thc vn bn.
-Xc thc ngi dng ng dng.
-Cc giao thc truyn thng an ton dng k thut Bootstrapping (IKE, SSL):trao
i bng kho bt i xng, m ho bng kho i xng
Vic Diffie, Hellman, Rivest, Shamir, v Adleman cng b cng trnh nghin cu
v trao i kha an ton v thut ton mt m ha kha cng khai vo nm 1976
lm thay i hon ton cch thc trao i thng tin mt. Cng vi s pht trin ca
cc h thng truyn thng in t tc cao (Internet v cc h thng trc n), nhu
cu v trao i thng tin b mt tr nn cp thit. Thm vo mt yu cu na pht
sinh l vic xc nh nh dng ca nhng ngi tham gia vo qu trnh thng tin. V
vy tng v vic gn nh dng ngi dng vi chng thc c bo v bng cc
k thut mt m c pht trin mt cch mnh m.

10

Th trng PKI thc s tn ti v pht trin nhng khng phi vi quy m

c k vng t nhng nm gia ca thp k 1990. PKI cha gii quyt c mt s
vn m n c k vng. Nhng PKI thnh cng nht ti nay l cc phin bn do
cc chnh ph thc hin.

2.1.2. Chng ch
2.1.3. Kho chng ch
2.1.4 Thu hi chng ch
2.1.5. Cng b v gi thng bo thu hi chng ch
2.1.6. Sao lu v d phng kha
2.1.7 Cp nht kha t ng
2.1.8 Lch s kha
2.1.9. Chng thc cho
2.1.10 H tr chng chi b
2.1.11 Tem thi gian
2.1.12 Phn mm pha ngi dng
2.1.13 Chnh sch ca chng ch
2.2 Chc nng ca PKI
2.2.1. Chng thc (certification)
2.2.2. Thm tra (validation)
2.3. Cc thnh phn chnh ca PKI

11

2.3.1. C quan cp chng ch (CA).

2.3.2 C quan ng k.
2.3.3 Ni lu tr chng ch (certificate directory).
2.3.4. My ch khi phc kha.
2.3.5. Danh sch thu hi chng ch (CRL).
2.3.6. C quan to tem thi gian (TSA)
2.3.7. Phn mm pha client( Client Software).
2.4 Kin trc ca h thng PKI
Hin nay PKI c trin khai trong nhiu t chc nh l mt cng c m bo
nhng ngun ti nguyn nhy cm an ton. Tuy nhin, vi nhiu mc ch khc nhau,
tin trnh khc nhau nn kh c th a ra mt tiu chun thit k chung. V c bn
c cc m hnh kin trc PKI c da trn cc m hnh chnh: m hnh phn cp, m
hnh mng li, m hnh danh sch tin cy.

2.4.1. M hnh phn cp.

Hnh 2.3: M hnh phn cp.

* u im:
- Tng thch vi cu trc phn cp ca h thng qun l trong cc t chc
- Gn ging vi hnh thc phn cp trong t chc th mc nn d lm quen.
- Cch thc tm ra mt nhnh xc thc theo mt hng nht nh, khng c hin
tng vng lp-> n gin, nhanh.

12

* Nhc im:
- Trong mt phm vi rng, mt CA duy nht khng th m nhn c tt c qu
trnh xc thc.
- Cc quan h kinh doanh thng mi khng phi bao gi cng c dng phn cp.
- Kha ring ca RootCA b l th ton b h thng s b nguy him.

2.4.2. M hnh mng li.

Hnh 2.4: M hnh mng li.

* u im:
- y l m hnh linh ng, thch hp vi cc mi lin h- quan h tin cy ln
nhau trong thc t v cng vic kinh doanh.
- Cho php cc CA xc thc ngang hng trc tip : iu ny c bit c li khi
cc i tng s dng ca cc CA lm vic vi nhau thng xuyn-> gim ti lng
ng truyn v thao tc x l
- Khi mt CA b l kha ch cn cp pht chng ch ca CA ti cc i tng c
thit lp quan h tin cy vi CA ny.
* Nhc im:
- Do cu trc ca mng c th phc tp nn vic tm kim cc i tng c th
kh khn.
- Mt i tng khng th a ra mt nhnh xc thc duy nht c th m bo
rng tt c cc i tng trong h thng c th tin cy c.

13

2.4.3. M hnh danh sch tin cy

Hnh 2.5: M hnh danh sch tin cy.

* u im:
- Kin trc n gin, d trin khai.
- Cc i tng s dng c ton quyn vi danh sch cc CA m mnh tin cy.
- Cc i tng lm vic trc tip vi CA trong danh sch cc CA c tin cy.
* Nhc im:
- Vic qun l danh sch cc CA tin cy ca mt t chc l kh khn.
- Cu trc chng ch khng c nhiu h tr cho vic tm ra cc nhnh xc nhn.
- Khng c nhng h tr trc tip i vi cc cp chng ch ngang hng do vy
hn ch ca CA trong vic qun l s tin cy ca mnh vi cc CA khc.
- Nhiu ng dng khng h tr tnh nng t ng ly thng tin trng thi hoc hy
b ca chng ch.

2.4.4 Hot ng ca h thng PKI

2.4.5. Cc loi chng ch v giao thc trong PKI
a) Cu trc chng ch X.509
Bng 2.1: Chng ch X.509 phin bn 3.

Tn Trng

V D

Version

Version 3

Serial number

70:58:E1:B7:54:C6:B4:5B

14

CA Signature Algorithm PKCS #1 SHA-256 With RSA Encryption

Identifier
Issuer
Validity
period

C = IN,O = NGOCDIEP,CN = DIEPCA

Not Before

6/4/2011 22:38:34 PM

Not After

6/1/2021 16:17:55 PM

Subject

C = IN,O = NGOCDIEP,CN = SSLDIEPCA

Subject Public
Information

Key PKCS #1 RSA Encryption

Certificate AuthorityK 1d 43 ad da 32 10 43 6b 6a 50 de 08 ab a1 35 1c
Extension eyIdentifier
s
Subject
1a 5c d7 b5 ea 9b 93 dd dd fe 13 e1 8a 20 52 95
Key
Identifier
Key Usage

Critical Signing Key Encipherment

Subject
DNS Name: http://localhost:8080/ejbca
Altermative
names

CA
Signature

51 16 84 a0 14 32 bd 0b 9d 96 09 b3 9a d0 42 08
7d 8e 45 5a a5 cb 09 48 6b 81 d3 42 6a ab 50 aa
f4 0a 6a 12 dc d1 b7 c0 11 51 05 fe 53 8f b8 ae
e4 a8 17 c9 39 fe d1 11 90 02 f4 8d d9 30 08 b6
88 cb 33 43 f0 77 64 f3 69 1b 20 99 71 2b 54 6d
34 01 3a d5 8a fc e3 31 65 3a 0c 70 90 fc 5a 30
44 e1 74 f0 12 6c 91 dd 36 b3 84 5d 06 bc ca 61
..

15

a) Cc giao thc qun l PKI

Bng 2.2: Danh sch cc tiu chun PKCS

K hiu chun

Tn chun

PKCS#1

Chun mt m RSA

PKCS#2

Chun ny c lin kt thnh chun PKCS#1

PKCS#3

Chun tha thun kha Diffie-Hellman

PKCS#4

Chun ny c lin kt thnh chun PKCS#1

PKCS#5

Chun mt m da trn mt khu

PKCS#6

Chun k t chng ch m rng

PKCS#7

Chun k t thng bo mt m

PKCS#8

Chun k t thng tin kha ring

PKCS#9

Cc kiu thuc tnh chn

PKCS#10

Chun k t yu cu chng ch

PKCS#11

Chun giao din th bi mt m

PKCS#12

Chun k t trao i thng tin c nhn

PKCS#13

Chun mt m ng cong Eliptic

PKCS#14

Chun b sinh s gi ngu nhin

PKCS#15

Chun mu thng tin th bi mt m

Tiu ch nh gi cho cc giao thc qun l PKI l:

- Cc giao thc phi h tr to v xut bn chng ch v danh sch thu hi chng
ch (CRL). Trong nhng trng hp khc n cng cho php cc thc th to ra cc
yu cu chng ch v yu cu thu hi chng ch.
- Cc giao thc nn m rng, c th s dng trn nhiu h thng tch bit.

16

- H tr giao dch hai bn v giao dch ba bn. S thit k giao thc nn tin li
s dng v mt giao thc n gin thng qua cc thc th d h ang tng tc vi
mt CA hay RA.
- Cc giao thc ny nn l c lp thut ton. K t khi t chc cn phi s dng
cc thut ton khc nhau cho cp kha ca h, cc giao thc ny nn c kh nng
cng nhn cc kiu thut ton c s dng . Mt vi thut ton c s dng trong
mt m nh MD5, RSA, DSA..
- Giao thc qun l PKI phi h tr nhiu c ch truyn ti khc nhau nh HTTP,
FTP, TCP/IP.

2.5. Cc vn an ton cho PKI

2.5.1. Vn an ton tin cy trong PKI
2.5.2. Vn s dng kha
2.5.3. Vn xc nh an ton ca my tnh
2.5.4. Vn xc nh nh danh ngi dng
2.5.5.Vn thm quyn CA
2.5.6. Vn ngi dng quan tm ti trong thit k bo mt
2.5.7. Vn kt hp CA vi RA
2.5.8. Vn nh danh ngi gi chng ch
2.5.9. Vn s dng chng ch
2.5.10. Vn ng dng CA
2.6. ng dng ca PKI
a) ng dng M Ha bo mt thng tin (Security).
b) ng dng to Ch K S kim tra tnh tan vn thng tin (Integrity).
+ To ch k s
+ ng dng kim tra tnh tan vn d liu

17

c) ng dng Trao i kha (Key Exchange).

2.7. u nhc im ca vic ng dng h thng PKI

2.7.1. u im khi s dng c s h tng kha cng khai
2.7.2. Mt s im yu ca c s h tng kha cng khai
Kt lun Chng II
Chng II trnh by nhng khi nim c bn, cc phng php, cng ngh
v k thut s dng m ha kha cng khai cung cp mt c s h tng bo mt.
Mt c s h tng kha cng khai cho php mt t chc tn dng tc ca mng
Internet trong khi vn bo v cc thng tin quan trng khi vic nghe trm, gi mo,
v truy cp tri php.

18

Chng III

H THNG CHUN QUN L H TNG KHA CNG

KHAI EJBCA
3.1. Gii thiu v EJBCA (Enterprise Java Bean Certificate Authority)
3.1.1. Khi nim
- EJBCA (Enterprise Java Bean Certificate Authority)l mt sn phm ca cng ty
PrimeKey
- EJBCA l mt CA v l mt h thng qun l PKI hon chnh c xy dng
trn nn tng cng ngh J2EE
- Kin trc Enterprise Java Beans (EJB) l mt c t c cng ty Sun
Microsystems pht trin.

3.1.2. Cc giai on pht trin ca EJBCA

3.1.3. So snh vi cc gi phn mm khc
Di y l bng so snh mt s c im gia hai gi phn mm ny :
Bng 3.1: So snh cc c im ca EJBCA v OpenCA.

c im

EJBCA

OpenCA

kh khi cu hnh

Rt phc tp

Phc tp

Tnh b mt

C (s dng m ha)

C (s dng m ha)

Tnh ton vn

C (s dng m ha)

Tnh xc thc

C (s dng ch k s)

Tnh chng chi b

Khng

Chn thut ton s C

dng OCSP

Khng

Kh nng chn CSP

Bng tay

Cp nht CRL

Khng

H tr th thng minh

T ng

Min ph

Cc m rng

19

Mi trng nn

Min ph

C s d liu

Java J2EE (c lp nn) MySQL

Hypersoniq,PostegreSQL,
MySQL, MS SQL, Oracle,

H tr LDAP

Mun

EJB

Perl

Kh nng m rng

c thit k tt v c th m M rng kh vi
rng
phc tp tng rt nhiu

Thnh phn c lp

PKI c th c qun tr hon Ch c mt cch quan

ton thng qua dng lnh
tr PKI l thng qua
giao din web

Cc trnh duyt c Nhiu

h tr

3.2. M hnh ca h thng PKI EJBCA

3.2.1. S tng qut h thng PKI EJBCA
3.2.2. Kin trc bn trong ca EJBCA.
Tng d liu (Data Tier
Thnh phn CA
Thnh phn RA
Tng Web

Perl CGI trn Unix

Nhiu

20

Trnh khch:

Hnh 3.2:Kin trc EJBCA

3.2.3. Hot ng ca RA Server trong h thng EJBCA

3.2.4. Kin trc v hot ng ca External OCSP responders
3.3. Cc tnh nng ca EJBCA
3.4. ng dng ca EJBCA
3.5. Mt s u nhc im ca EJBCA
* u im:
- EJBCA n gin nht s dng
- Mnh m
- Hiu sut cao, thnh phn da trn CA.
- Linh hot v nn tng c lp. EJBCA c th c s dng c lp hoc tch
hp trong bt k ng dng J2EE
- C th trin khai trn cc h iu hnh khc nhau nh Windows v Linux.
- C kh nng kt ni vi cc h qun tr c s d liu sau:
+ Hypersoniq (hsqldb) (mc nh trong JBoss)
+ PostegreSQL 7.2 v 8.x ,MySQL 4.x v 5.x
+ Oracle 8i, 9i v 10g (http://www.oracle.com/)
+ Sybase
+ MS-SQL2000 v 2003
+ Informix 9.2

21

+ DB2
* Nhc im:
- Ci t v cu hnh phc tp hn so vi cc h thng khc.

3.6 Trin khai h thng PKI s dng phn mm EJBCA

Mc tiu
Mi ngi s khng qu lo lng v bc th in t ca h b xem trm hay
khng?c l n khng thu ht s t m lm.Tuy nhin cc thng tin ni b gia cc
tng cng ty,tp on vi cc chi nhnh s thu ht s ch hn.Cc cng ty s lo
lng v cc thng tin kinh doanh ca mnh b lt vo tay i th cnh tranh v h s b
mt i li nhun v th trng.Trong thc t c nhng chuyn gia vi nghip v gii
sn sang can thip ly nhng thng tin ny v bn li cho nhng i th cnh tranh
ca cng ty b xem trm.Nhm hin thc ha cc kt qu bo mt thng tin nghin
cu,di y l m hnh trin khai th nghim mt h thng PKI theo kin trc phn
cp s dng gi phn mm m ngun m EBJCA.Mc tiu t ra l h thng sau khi
c trin khai c th s dng cung cp cc chng nhn cho ngi dng chng
thc ngi s dng web,k v m ha th in t,k vn bn.

3.6.1 M hnh trin khai

Yu cu cn thit:
+ H iu hnh trin khai l h iu hnh CentOS 5.5.
+ My ch EJBCA Server v Backup/Log
+ OCSP Responder ng vai tr tr li cc truy vn v thng tin chng ch,
CRLs c ci t phn mm MySQL, Jboss, LDAP.
+ RA Server ng vai tr nhn v x l cc truy vn xin cp chng ch ca Client
v ch CA x l cp pht. c ci t MySQL v JBOSS.
V khng iu kin nn em thc hin gp ba phn trn trn mt my nn my
ny s ng vai tr ca c ba phn trong m hnh trn. Cc phn mm ci t trn
my bao gm: ejbca_3_11_1, MySQL, JBOSS-4.2.2.GA, Apache-ant-1.8.2, JDK6u23-linux, JCE_policy-6, MySQL-connector-java-1.5.14, LDAP

22

Hnh 3.7: M hnh tng quan v h thng PKI s trin khai.

theo m PKI theo kin trc phn cp hnh 2.3 th mi CA s c cc qun tr vin
c chia thnh 4 nhm:
+ Qun tr vin CA (CA administrator)
+ Qun tr vin RA (RA administrator)
+ Siu qun tr vin (super administrator)
Tn cc CA,cc thc th c c pht hnh chng nhn u c t theo
tiu chun tn phn bit X.509.
Cc bc trin khai:
Cp chng nhn cho qun tr CA,RA,gim st vin v siu qun tr vin, c
th ng nhp vo h thng qun tr CA trn trnh duyt web nh fire fox,IE.

23

Hnh 3.8 : Giao din qun l ca ejbca .

M ca s Add End Entity v in cc nh dng cho chng ch ngi dng

Hnh 3.11 Kt qu to qun tr vin email-1CA v email-2CA

- Import chng ch dng P12 vo trong firefox

24

Vo Edit/Preferences/Advanced/Encryption/View Certfiticates/Your Certtificates/

Nhn vo Import file superadmin.p12 trong /opt/ejbca/P12/superadmin.p12

Hnh 3.12: Add chng ch vo trnh duyt.

Chi tit chng ch c cp cho user1 v user 2 vi y thng s.

Hnh 3.13: chng nhn cho ngi dng c tn user1 v user 2

25

K v m ha th in t :H thng c th cp chng nhn cho ngi dng

k v xc nhn ch k,m ha v gii m th in t trong ng dng th in t
Outlook Epress.Khi ngi dng user-2 gi th in t cho user-1,ng thi k v m
ha th in t .
User -1 nhn c th in t ca user-2,user -1 s khng c c th cng nh
xc thc c ngi gi nu khng c chng nhn ca ngi gi (khng c kha
khp vi kha ngi gi).

Hnh 3.15: Giao din user-1 nhn c th ca user-2 c k v m ha.

Khi c y cc chng nhn cn thit ngi nhn user-1 c th c c ni dung
th c k v m ha nh hnh di.

26

Hnh 3.16: Ngi nhn user-1 c c ni dung th c gi.

Tng t Chng nhn c cp cho ngi dng th nghim trn c th c dng

k v gi nhng file vn bn.
Kt lun chng III
EJBCA l mt gi phn mm m ngun m ni ting,c th trin khai mt h
thng PKI hon chnh,y chc nng.H thng trin khai ny mang li y cc
tnh cht cn thit nhm thit lp mt mi trng an ton,tin cy trong giao tip nh
tnh bo mt,ton vn,tnh xc thc v tnh chng chi b.Hn na h thng c kh
nng m rng tch hp vi cc h thng khc mt cch d dng.

27

KT LUN
PKI l mt h thng tng i ln v phc tp. Vic nm vng v nghin cu
k PKI i hi nhiu thi gian v cng sc.Qua ti em va trnh by trn a ra
mt ci nhn tng qut v h thng c s h tng PKI, cc mc tiu v chc nng ca
h thng. ng thi ti cng trnh by c nhng vn c bn, cch ci t v
cu hnh gi phn mm EJBCA - mt trong nhng cch xy dng, trin khai h thng
kha cng khai. EJBCA l mt gi phn mm m ngun m ni ting, c th trin
khai mt h thng PKI hon chnh, y chc nng. Nhm tn dng nhng c tnh
u vit ca gi phn mm ny ng thi c th qun l c qu trnh pht trin cng
nh an ton ca h thng, ti tin hnh tm hiu v phn tch.
Hng pht trin ca ti l c th p dng m hnh trin khai vo thc t
nhiu hn na ch ko phi ch dng mc l thuyt demo. Chng ta c th trin khai
th nghim mt h thng chng thc tp trung theo kin trc PKI phn cp n gin
c th s dng ngay trong thc t. H thng c trin khai ny mang li y cc
tnh cht cn thit nhm thit lp mt mi trng an ton, tin cy trong giao tip nh
tnh cn mt, tnh ton vn, tnh xc thc v tnh khng th chi t. Hn na, h
thng cn c kh nng m rng, tch hp vi cc h thng khc mt cch d dng.
H thng c trin khai c th s dng ngay trong thc t ng thi c tnh
tng qut cao (nhiu loi CA: CA gc, CA con cp mt v CA con cp khc mt), c
th ng dng trong bt k t chc no c m hnh phn cp tng t.

28

TI LIU THAM KHO

Ting Vit
[1].

Hc vin K thut Mt m (2006), "Gio trnh chng thc in t".

[2].

Trung tm ng dng cng ngh in t vin thng NACENCOMM Gii

php PKI.
Ting Anh

[3].

Andrew Nash, William Duane, Celia Joseph and Derek Brink (2001), "PKI:
Implementing and Managing E-security", RSA Press.

[4].

Suranjan Choudhury, Kartik Bhatnagar, and Wasim Haque (2001), "Public

Key Infrastructure Implementation and Design", M&T Books.

[5].

RFC 2560, RFC2459, RFC2119.

[6].

http://www.ejbca.org.

[7].

http://www.primekey.se

[8].

IETF

Public-Key

Infrastructure

X.509

(PKIX)

Working

Group,

http://www.ietf.org/html.charters/pkix-charter.html
[9].

Carlisle Adams, Steve Lloyd (November 06, 2002),

Understanding PKI: Concepts, Standards, and Deployment Considerations,
Second Edition

29

MC LC
DANH MC CC T VIT TT...............................................................i
DANH MC CC BNG..............................................................................ii
DANH MC CC HNH V........................................................................iv
LI NI U ............................................................................................. 1
Chng I ...................................................................................................... 5
AN TON THNG TIN TRONG CC GIAO DCH THNG MI
IN T (TMT) ...................................................................................... 5
1.1. Yu cu chung cho an ton bo mt thng tin trong cc giao dch in t 5
1.2 Mt m kha b mt (secret -key cryptography) ....................................... 5
1.3 Mt m kha cng khai ........................................................................... 6
1.4 Hm Bm (Hash Function) ...................................................................... 7
1.5. Ch k in t (Digital Signature) ......................................................... 7
1.5.1 Khi nim ............................................................................................. 7
1.5.2 Qu trnh to ch k in t ................................................................. 8
1.5.3 Qu trnh kim tra ch k in t ......................................................... 8
Chng II .................................................................................................... 9
C S H TNG KHA CNG KHAI (PKI) ........................................ 9
2.1. Khi nim trong c s h tng kha cng khai (PKI) ............................. 9
2.1.1 khi nim PKI ....................................................................................... 9
2.1.2. Chng ch .......................................................................................... 10
2.1.3. Kho chng ch ................................................................................... 10
2.1.4 Thu hi chng ch ............................................................................... 10
2.1.5. Cng b v gi thng bo thu hi chng ch ...................................... 10
2.1.6. Sao lu v d phng kha ................................................................. 10
2.1.7 Cp nht kha t ng ........................................................................ 10
2.1.8 Lch s kha ....................................................................................... 10
2.1.9. Chng thc cho ................................................................................ 10
2.1.10 H tr chng chi b ........................................................................ 10
2.1.11 Tem thi gian ................................................................................... 10
2.1.12 Phn mm pha ngi dng .............................................................. 10
2.1.13 Chnh sch ca chng ch ................................................................. 10
2.2 Chc nng ca PKI ................................................................................ 10

30

2.2.1. Chng thc (certification) .................................................................. 10

2.2.2. Thm tra (validation) ......................................................................... 10
2.3. Cc thnh phn chnh ca PKI .............................................................. 10
2.3.1. C quan cp chng ch (CA). ............................................................ 11
2.3.2 C quan ng k. ................................................................................ 11
2.3.3 Ni lu tr chng ch (certificate directory). ...................................... 11
2.3.4. My ch khi phc kha. ................................................................... 11
2.3.5. Danh sch thu hi chng ch (CRL). .................................................. 11
2.3.6. C quan to tem thi gian (TSA) ....................................................... 11
2.3.7. Phn mm pha client( Client Software). ........................................... 11
2.4 Kin trc ca h thng PKI ................................................................... 11
2.4.1. M hnh phn cp. ............................................................................. 11
2.4.2. M hnh mng li. ........................................................................... 12
2.4.3. M hnh danh sch tin cy ................................................................. 13
2.4.4 Hot ng ca h thng PKI ............................................................... 13
2.4.5. Cc loi chng ch v giao thc trong PKI ........................................ 13
2.5. Cc vn an ton cho PKI .................................................................. 16
2.5.1. Vn an ton tin cy trong PKI ....................................................... 16
2.5.2. Vn s dng kha ......................................................................... 16
2.5.3. Vn xc nh an ton ca my tnh ........................................... 16
2.5.4. Vn xc nh nh danh ngi dng .............................................. 16
2.5.5.Vn thm quyn CA ...................................................................... 16
2.5.6. Vn ngi dng quan tm ti trong thit k bo mt ..................... 16
2.5.7. Vn kt hp CA vi RA ................................................................ 16
2.5.8. Vn nh danh ngi gi chng ch .............................................. 16
2.5.9. Vn s dng chng ch ................................................................. 16
2.5.10. Vn ng dng CA ....................................................................... 16
2.6. ng dng ca PKI ................................................................................ 16
2.7. u nhc im ca vic ng dng h thng PKI ................................. 17
2.7.1. u im khi s dng c s h tng kha cng khai ........................... 17
2.7.2. Mt s im yu ca c s h tng kha cng khai ........................... 17
Chng III ................................................................................................. 18
H THNG CHUN QUN L H TNG KHA CNG KHAI EJBCA....18

31

3.1. Gii thiu v EJBCA (Enterprise Java Bean Certificate Authority) ........18
3.1.1. Khi nim .......................................................................................... 18
3.1.2. Cc giai on pht trin ca EJBCA .................................................. 18
3.1.3. So snh vi cc gi phn mm khc .................................................. 18
3.2. M hnh ca h thng PKI EJBCA ....................................................... 19
3.2.1. S tng qut h thng PKI EJBCA ............................................... 19
3.2.2. Kin trc bn trong ca EJBCA. ........................................................ 19
3.2.3. Hot ng ca RA Server trong h thng EJBCA .............................. 20
3.2.4. Kin trc v hot ng ca External OCSP responders ...................... 20
3.3. Cc tnh nng ca EJBCA ................................................................... 20
3.4. ng dng ca EJBCA .......................................................................... 20
3.5. Mt s u nhc im ca EJBCA ....................................................... 20
3.6 Trin khai h thng PKI s dng phn mm EJBCA ........................... 21
3.6.1 M hnh trin khai .............................................................................. 21
3.6.2 Ci t cu hnh .................................... Error! Bookmark not defined.
KT LUN ................................................................................................ 27
TI LIU THAM KHO ......................................................................... 28