
Building a single sign-on infrastructure for web applications and web services

Abstract. This paper addresses the security problem of real-world heterogeneous distributed systems and arrives at a solution: building a single sign-on infrastructure for the applications in such a system. The approach is to deploy the Kerberos security protocol, carried over standard Internet protocols such as GSS-API and SPNEGO, together with the Microsoft Active Directory technology. The paper then describes the single sign-on system as first built for web applications and web services, which serves as the groundwork for handling other transport protocols. In short, the paper presents a security model for distributed systems together with a base library aimed at three goals: letting application developers program without having to deal with the workings of the security layer; simplifying the administrator's work; and making the distributed system convenient for its users.

I. GENERAL INTRODUCTION

Today ever more important information is stored on networks and is routinely accessed from other computers on the network. This has brought, and continues to bring, great benefits for resource sharing and connectivity in enterprises and organisations. However, because such an environment has many users and is geographically distributed, protecting resources from loss or compromise (accidental or deliberate) is far more complex than on a single computer with a single user. Security for distributed systems is therefore usually complex and is becoming ever more important.

The topic of this paper arose from the requirement to build a security infrastructure for the services of a heterogeneous distributed system. In this system, users can access services spread across the network and running on different operating systems (UNIX, Windows). We want these servers to be able to restrict access to authorised users and to perform authentication for their services. However, the applications and services in the system grow quickly as needs arise, which is inconvenient for users who must re-enter their credentials every time they access a service. This matters in particular when the applications providing services are fairly complex and the system's requirements for security and information safety keep rising. The system consists of many interacting components running on different operating systems. Each module is not necessarily installed on one machine but may run on many networked computers. For example, in a workflow, the web services executing within the workflow need the user's authentication information from the services that originated the request; in a grid computing system, protecting the information about jobs sent for execution on personal computers on the network is also essential. A consistent mechanism is therefore needed to guarantee authentication and confidentiality for the communication between the modules and services of the distributed system.

A single sign-on (SSO) system lets a user declare themselves to the system once to have their identity verified, and then access many different resources and services in the distributed system without being interrupted by repeated registration prompts.

Kerberos is an authentication protocol developed in MIT's Project Athena. Over its development it has become mature and stable; version 5 of the Kerberos protocol is implemented on almost every platform and used in a great many applications. Using Kerberos to build the system guarantees SSO as well as the security of the system. Today there are several Kerberos KDC implementations, such as Heimdal, the MIT KDC and Microsoft Active Directory. Active Directory stands out for its completeness, being fully compatible with RFC 1510. We therefore want to integrate with the Active Directory Kerberos implementation to create a transparent security platform spanning UNIX and Windows. This is achieved by implementing standard Internet protocols in the system: web services, SPNEGO/HTTP, GSS-API/Kerberos and LDAP.

II. THE KERBEROS PROTOCOL

Kerberos is a network authentication protocol developed in Project Athena at the Massachusetts Institute of Technology (MIT). It is a strong authentication mechanism for client/server applications in a distributed network environment: it lets communicating entities authenticate each other securely, resisting eavesdropping and replay attacks on the network. It also provides integrity and confidentiality for the data transmitted, using secret-key encryption such as DES and triple DES.

2.1. How the protocol works

Kerberos does not build a complex authentication protocol into each server; instead it relies on a centralised authentication server, the KDC (Key Distribution Centre). The KDC issues tickets for authenticating users and for securing communication with the session key carried in the ticket. The KDC consists of:

- the Authentication Server (AS), which knows the secret keys of all users, kept in a centralised database;
- the Ticket Granting Server (TGS), which issues service tickets that let users access servers on the network.

The Kerberos protocol is fairly involved; essentially it runs in three stages, or phases. In the scenario below, user C logs in at a client workstation and requests access to server V.

Figure 1: The Kerberos protocol

Phase one: contact the AS to obtain the ticket for accessing the TGS, the ticket-granting ticket (TGT). Communication with the AS is normally the first step of a login session; its purpose is to obtain the authentication ticket (TGT) for the TGS, which is then used to obtain tickets for other servers without re-entering the client's secret key. The client's secret key is used for both encryption and decryption.

a. User C logs in to the system, entering an identity and a password. The client converts the password into C's secret key, held in a program variable. The client then requests a TGT from the AS with a Kerberos Authentication Service Request (KRB_AS_REQ) message of two parts: the user's identity and the identity of the TGS (designating the TGS service), in clear text; and pre-authentication data proving that the user has the right password, encrypted with the key derived from the user's password.

b. The AS looks up C's secret key in its database, decrypts the pre-authentication data and checks whether it is valid. If so, the AS can be sure that the pre-authentication data was encrypted with C's secret key and is not a replay.

c. Having verified C's identity, the AS replies with a Kerberos Authentication Service Response (KRB_AS_REP) message that contains the TGT, consisting of:

- a session key SK1, used for communication between the client and the TGS in phase two, encrypted with C's secret key so that only C can decrypt it;
- a copy of SK1 encrypted with the TGS's secret key so that only the TGS can read it.

Phase two: contact the ticket-granting server TGS to obtain a service ticket for server V.

a. Holding the TGT and the session key SK1, C is ready to contact the TGS. First C sends the TGS a Kerberos Ticket Granting Service Request (KRB_TGS_REQ) message containing:

- the TGT and the identity of the requested service V;
- a block of authentication data called the authenticator, encrypted with SK1, containing C's identity, the client's IP address and a timestamp. An authenticator is used only once and is valid only for a very short time.

b. The TGS decrypts the TGT with its own secret key, extracts SK1, decrypts the authenticator and checks its validity. If it is valid, the TGS is assured that the sender of the ticket is its true owner. The TGS then generates a new session key SK2 shared by the client and server V. Two copies of this session key are returned to C in a Kerberos Ticket Granting Service Response (KRB_TGS_REP) message:

- one copy of SK2 encrypted with C's session key SK1;
- the other encrypted with V's secret key so that only V can open it (the service ticket).

Phase three: client/server authentication and data exchange.

a. The client is now ready to authenticate to server V. It sends V a Kerberos Application Request (KRB_AP_REQ) message containing:

- an authenticator encrypted with the session key SK2;
- the service ticket encrypted with V's secret key;
- a flag indicating whether the client requests mutual authentication.

b. V decrypts the service ticket, extracts SK2, decrypts the authenticator and verifies it. If it is valid, V examines the mutual-authentication flag. If the flag is set, V uses SK2 to encrypt the timestamp from the authenticator and returns it to C in a KRB_AP_REP message.

c. C decrypts the message with the session key it shares with V and verifies that the timestamp is the one it sent. If so, the connection proceeds.

Thus the session key is delivered securely to both server V and the client and is used to secure the subsequent communication between them. Moreover, client and server have authenticated each other, so neither party to the communication can be impersonated.

2.2. Evaluation of the Kerberos protocol

Over its development Kerberos has become mature and stable; Kerberos v5 is implemented on almost every platform and used in a great many applications. Building the system on Kerberos guarantees it the following properties.

Enhanced security. When a communication session is established, the session key is delivered securely to the communicating parties. This gives the system the following security properties:

Authenticity: nobody can send a false message. Since only the client and the service server can know the session key, no third party can impersonate either participant in the session. Here Kerberos guarantees mutual authentication.

Privacy and integrity: before transmission each message is encrypted and signed with the session key, so nobody else can read or alter the content of a transmitted message.
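The three exchanges of Section 2.1 run end to end, as an added example that is not code from the paper or from JAAM: a Python model in which the KDC, server V and the client are objects in one process, a toy HMAC-based cipher (constructed, standing in for DES/3DES) provides the encryption, and the principal names, password and client address are made up. It shows pre-authentication failing for a wrong password, the single-use check on authenticators, and the timestamp echo of KRB_AP_REP that gives mutual authentication.

```python
import hashlib
import hmac
import json
import os
import time

def string_to_key(password):  # toy stand-in for Kerberos string2key: C's secret key derived from the password
    return hashlib.sha256(password.encode()).digest()

def _keystream(key, nonce, length):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(length // 32 + 1))[:length]

def seal(key, obj):  # toy authenticated encryption standing in for DES/3DES: nonce || ciphertext || HMAC tag
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):  # inverse of seal(): a wrong key or a modified blob fails the tag check, never yields garbage
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def authenticator(session_key, cname, ctime):  # phases 2 and 3: client name, address and timestamp under the session key
    return seal(session_key, {"cname": cname, "addr": "10.0.0.7", "ctime": ctime})

def check_authenticator(session_key, blob, expected_cname, replay_cache):  # shared by the TGS and by V
    auth = unseal(session_key, blob)  # only the ticket's owner knows the session key sealed inside the ticket
    if auth["cname"] != expected_cname or abs(time.time() - auth["ctime"]) > 300:
        raise PermissionError("authenticator does not match ticket or is too old")
    if (auth["cname"], auth["ctime"]) in replay_cache:  # an authenticator may be presented only once
        raise PermissionError("replayed authenticator")
    replay_cache.add((auth["cname"], auth["ctime"]))
    return auth

class KDC:  # AS and TGS in one process over the centralised principal database (name -> secret key)
    def __init__(self, principals, tgs_key):
        self.db, self.tgs_key, self.replay_cache = principals, tgs_key, set()
    def as_exchange(self, req):  # phase 1: KRB_AS_REQ -> KRB_AS_REP
        ckey = self.db[req["cname"]]
        unseal(ckey, req["padata"])  # pre-authentication: fails when C derived its key from the wrong password
        sk1 = os.urandom(32)
        tgt = seal(self.tgs_key, {"cname": req["cname"], "key": sk1.hex()})  # the copy of SK1 only the TGS can read
        return {"enc_part": seal(ckey, {"key": sk1.hex(), "sname": "krbtgt"}), "tgt": tgt}
    def tgs_exchange(self, req):  # phase 2: KRB_TGS_REQ -> KRB_TGS_REP
        tgt = unseal(self.tgs_key, req["tgt"])
        sk1 = bytes.fromhex(tgt["key"])
        check_authenticator(sk1, req["authenticator"], tgt["cname"], self.replay_cache)
        sk2 = os.urandom(32)
        ticket = seal(self.db[req["sname"]], {"cname": tgt["cname"], "key": sk2.hex()})  # service ticket for V
        return {"enc_part": seal(sk1, {"key": sk2.hex(), "sname": req["sname"]}), "ticket": ticket}

class Server:  # application server V: holds only its own secret key and a replay cache
    def __init__(self, name, key):
        self.name, self.key, self.replay_cache = name, key, set()
    def ap_exchange(self, req):  # phase 3: KRB_AP_REQ -> (client name, KRB_AP_REP or None)
        ticket = unseal(self.key, req["ticket"])
        sk2 = bytes.fromhex(ticket["key"])
        auth = check_authenticator(sk2, req["authenticator"], ticket["cname"], self.replay_cache)
        # Mutual authentication: echoing the authenticator's timestamp under SK2 proves V could open the ticket.
        return ticket["cname"], (seal(sk2, {"ctime": auth["ctime"]}) if req["mutual"] else None)

def client_login(kdc, server, cname, password):  # client side of all three phases
    ckey = string_to_key(password)
    as_rep = kdc.as_exchange({"cname": cname, "sname": "krbtgt", "padata": seal(ckey, {"timestamp": time.time()})})
    sk1 = bytes.fromhex(unseal(ckey, as_rep["enc_part"])["key"])
    tgs_rep = kdc.tgs_exchange({"tgt": as_rep["tgt"], "sname": server.name, "authenticator": authenticator(sk1, cname, time.time())})
    sk2 = bytes.fromhex(unseal(sk1, tgs_rep["enc_part"])["key"])
    ctime = time.time()
    who, ap_rep = server.ap_exchange({"ticket": tgs_rep["ticket"], "authenticator": authenticator(sk2, cname, ctime), "mutual": True})
    if unseal(sk2, ap_rep)["ctime"] != ctime:
        raise PermissionError("server failed mutual authentication")
    return {"principal": who, "session_key": sk2, "ticket": tgs_rep["ticket"]}

def outcome(action):  # run one step and report "accepted" or the message of the check that refused it
    try: action(); return "accepted"
    except (ValueError, PermissionError) as err: return str(err)

def demo():  # constructed scenario: one user, one service, then a wrong password and a replayed KRB_AP_REQ
    kdc = KDC({"alice": string_to_key("correct horse"), "fileserver": os.urandom(32)}, tgs_key=os.urandom(32))
    v = Server("fileserver", kdc.db["fileserver"])
    sess = client_login(kdc, v, "alice", "correct horse")
    wrong = outcome(lambda: client_login(kdc, v, "alice", "wrong password"))
    replayed = {"ticket": sess["ticket"], "authenticator": authenticator(sess["session_key"], "alice", time.time()), "mutual": False}
    v.ap_exchange(replayed)  # the first presentation is accepted; the identical one below is not
    return {"principal": sess["principal"], "wrong_password": wrong, "replay": outcome(lambda: v.ap_exchange(replayed))}
```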

Thus, with the Kerberos protocol we have guaranteed the authenticity, privacy and integrity of the transmitted messages. These are exactly the necessary and sufficient requirements for a secure communication session. Beyond this, Kerberos provides the following important capabilities.

Delegation support. In multi-tier applications, a user requests a service at the user-interface tier, which sends the request to the middle tier to perform the system's functions, which in turn issues query transactions to the data tier to retrieve the user's information. Typically the tiers are distributed across servers on the network, so each has its own independent security mechanism.

Figure 2: Delegation support in Kerberos

Because a Kerberos ticket can be forwarded, the tiers can use the ticket to act on the user's behalf when performing permitted functions. Each process at each tier can therefore determine exactly which user it is serving, and from that apply appropriate authorisation and auditing. With Kerberos delegation, security services such as auditing and authorisation are implemented easily.

Strong authentication. Each time the user logs in to the system (logs in to the KDC), the user receives a TGT with which to request service tickets for subsequent accesses to the service servers in the system. That is, with a TGT the user never has to enter an identity and password again; for this reason Kerberos is also called a single sign-on protocol. We evaluate the advantages of SSO from all three viewpoints: the user's, the administrator's and the system developer's. On this view, Kerberos:

Increases convenience for users: users do not have to log in repeatedly while using the system, nor remember many passwords for its services. A single account serves every service in the system.

Supports system developers: SSO provides a common authentication framework for developers, so they no longer need to deal with authentication when building a system and can treat requests arriving at the system as already authenticated. Developers can thus be confident in the security of the systems they build while being spared the heavy work of building security into each new system.

Simplifies administration: traditionally each application has its own user database serving its own independent authentication mechanism, so as systems join the network the number of user records grows rapidly and overloads administration. With SSO every system uses the same central user database, so administration is centralised and the number of user records drops considerably.

Enhances security: an SSO system has a secure authentication mechanism as well as secure communication over the network. Reducing the number of password entries also raises the system's security, because with many passwords users tend to write them down nearby, where they are easily disclosed.

However, no security system can withstand every kind of attack, and Kerberos has certain weaknesses of its own:

Hard to integrate with legacy systems: existing systems on the network usually have their own authentication mechanisms and their own user databases. Bringing a legacy system into the SSO system therefore unavoidably requires modifying its code as well as migrating or changing its user database.

Desktop attacks: precisely because of SSO, an adversary may gain access to resources when a user walks away from a logged-in machine without locking it. An SSO system protects only the data in transit, not data before it is transmitted, so a user's password can well be stolen by programs such as trojans, which then gain access to the system.

A weak point in the network: with single sign-on, the authentication service is used by every application in the network, so it is an attractive target for a DoS attack, which would paralyse the whole system.

We thus see that the Kerberos protocol suits the securing of a distributed system. The next section presents our study of the technologies, protocols and solutions used to implement the Kerberos protocol in the system.

III. KEY PROTOCOLS

This section focuses on the technologies and protocols that serve to integrate the Kerberos security environment. Integration involves the following aspects: requesting and generating Kerberos security tokens; attaching a Kerberos token to a transmitted message; creating a security context; signing and encrypting messages under the security context.

Figure 3: GSS-API layer

GSS-API is the communication method that solves the above problem: the two parties communicate securely with each other within a security context established under the Kerberos protocol. The first part of this section therefore examines GSS-API, its advantages, the security services it provides and also its limitations.

3.1. The GSS-API protocol

GSS-API (Generic Security Service Application Programming Interface) was researched and drafted by the IETF to provide a common solution model for authentication, authorisation, protection of data in transit, replay protection and delegation of credentials (RFC 2743). GSS-API is specified independently of the language that implements it. It describes only the programming interface on top; the details of the underlying mechanism that protects the information are left to the chosen implementation.

An important feature of GSS-API is that it is based on tokens, which are used to perform authentication and to carry the necessary information in encrypted form. In short, GSS-API performs two basic tasks:

creating a security context that allows data exchange between two communicating parties. A security context can be understood as trust between the two parties: applications running within the same context can identify the other party and can therefore send data to each other while the context exists;

applying one or more kinds of protection (security services) to the data transmitted.

Application portability with GSS-API

GSS-API supports application portability as follows:

Independence from security mechanisms: GSS-API provides a common security interface. By specifying the default security mechanism, an application is secured without having to deal with the mechanism running underneath or any of its details.

Independence from transport protocols: GSS-API is independent of the transport protocol, so it can be used by applications built on sockets, RPC or TCP/IP.

Platform independence: GSS-API is supported on most platforms, so it applies to applications running on any operating system.

QoP (Quality of Protection) independence: QoP refers to the kind of encryption algorithm that generates the cryptographic tokens. GSS-API lets the programmer ignore QoP by using the default value, and specify it only when necessary.

Security services in GSS

GSS-API provides three security services:

Authentication: the basic service of GSS-API.

Integrity: integrity is the verification that data is correct. Even when the data was sent by a legitimate user, it must not have been altered or tampered with. Integrity guarantees that the data is intact as originally sent, with nothing added or removed. GSS-API ensures data integrity by appending a cryptographic token, the MIC (Message Integrity Code), which proves that the data received is identical to the data sent.

Confidentiality: GSS-API ensures the confidentiality of data because the underlying security mechanisms can encrypt it, so no third party can read the data in transit.

Mechanisms in GSS-API

GSS-API is designed so that one implementation can support several security mechanisms at once, including the two standard mechanisms defined by the IETF, Kerberos and SPKM (Simple Public Key Mechanism).

Figure 4: The GSS-API model

Each security mechanism is identified by a fixed number (an OID, Object Identifier) registered in advance with IANA. The Kerberos V5 mechanism is identified by the OID {iso(1) member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) krb5(2)} = 1.2.840.113554.1.2.2. To use the Kerberos authentication protocol underneath, an application therefore only needs to name the mechanism OID 1.2.840.113554.1.2.2.

Limitations of GSS-API

GSS-API creates a common interface over different authentication mechanisms, so if the communicating parties hold GSS-API credentials for the same authentication mechanism, a security context of that mechanism is created for the communication between them. However, GSS-API does not specify how the two parties establish that they share a security mechanism. The IETF therefore introduced the SPNEGO protocol for negotiating which underlying authentication mechanism to use.

3.2. The SPNEGO protocol

The Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) is defined as a pseudo-mechanism, identified by the OID (object identifier) iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2), that lets two communicating parties determine which security mechanism to use when they have GSS-API mechanisms in common, and that invokes the establishment of the security context for the chosen mechanism. This is very useful for applications built on GSS-API implementations that support several different security mechanisms. SPNEGO allows negotiation of different security mechanisms, of different options within one mechanism, or across mechanisms. Once a common security mechanism has been chosen, that mechanism can negotiate its own options while its security context is being established; this happens inside the mechanism's tokens and is independent of the SPNEGO protocol.

SPNEGO is built on the following negotiation model: the initiator proposes one security mechanism or an ordered list of security mechanisms; the second party accepts the proposed mechanism, picks one from the proposed list, or rejects all of the proposals, and informs the initiator of its decision. In its basic form SPNEGO requires one extra round trip. Connection setup, however, is a critical performance characteristic of any network infrastructure, and an additional round trip over WAN or radio links would noticeably reduce network performance. To avoid the extra round trip, the first token of the mechanism preferred by the initiator is embedded in the first SPNEGO token; if the second party agrees, no further round trip is needed for the negotiation. SPNEGO uses the concepts of the GSS-API specification: the negotiation data is encapsulated in context-level tokens, so callers need not know about the existence of the negotiation tokens or about the pseudo-mechanism. A failure in the negotiation phase returns the code GSS_S_BAD_MECH.

Each OID identifies a GSS-API mechanism or one of its variants. When the initiator proposes a single security mechanism, it represents the only mechanism the initiator supports or selects; when several are proposed, they represent the set of mechanisms the initiator supports or selects.

The first SPNEGO token (NegTokenInit), sent by the initiator, contains a list of security mechanisms, a set of options (deleg, replay, conf flags) that the proposed mechanism must support, and the security token of the mechanism the initiator proposes. The reply negotiation token (NegTokenTarg), sent by the receiver, contains the negotiation result (ACCEPT_COMPLETED, ACCEPT_INCOMPLETE, REJECT) and, in the case of acceptance, the agreed mechanism. It may also contain the reply to the initiator's first token when the first proposed mechanism was accepted; otherwise the responseToken is simply omitted from the first reply.

Negotiation procedure

The negotiation proceeds as follows:

(a) The initiator calls GSS_Init_sec_context as usual, but with the SPNEGO request parameters.

(b) The initiator emits a negotiation token containing the list of security mechanisms supported by the credentials used for the context establishment and (optionally) the token of the mechanism proposed from that list, indicating the status GSS_S_CONTINUE_NEEDED.

(c) The initiator sends the token to the receiver.

(d) The receiver passes this token to its call of GSS_Accept_sec_context. The receiving side emits a token of the mechanism from the proposal that it supports.

Figure 5: The SPNEGO protocol

Description of the negotiation

If the mechanism chosen by the receiver is the one preferred by the initiator, the negotiation token may already contain a token of that mechanism. If the mechanism preferred by the initiator is accepted by the receiver, GSS_Accept_sec_context() indicates GSS_S_CONTINUE_NEEDED when mutual or one-way authentication is performed, and a token is included in each direction of transmission.
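The negotiation model of Section 3.2, as an added example that is not part of the paper: a Python state machine with NegTokenInit and NegTokenTarg as plain dataclasses, the mechanism tokens replaced by constructed byte strings, and the acceptor's rule (take the first mechanism in the initiator's list that it supports, and reject when it cannot honour a required flag) being this example's own assumption. The SPKM-1 OID is the one assigned in RFC 2025. It shows the optimistic token saving a round trip, the extra round trip when the acceptor picks a different mechanism, and GSS_S_BAD_MECH when nothing is in common.

```python
from dataclasses import dataclass

KRB5_OID = "1.2.840.113554.1.2.2"  # Kerberos V5 GSS-API mechanism (Section 3.1)
SPKM1_OID = "1.3.6.1.5.5.1.1"      # SPKM-1, the other IETF-defined GSS mechanism (RFC 2025)

ACCEPT_COMPLETED, ACCEPT_INCOMPLETE, REJECT = "accept_completed", "accept_incomplete", "reject"
GSS_S_COMPLETE, GSS_S_CONTINUE_NEEDED, GSS_S_BAD_MECH = "GSS_S_COMPLETE", "GSS_S_CONTINUE_NEEDED", "GSS_S_BAD_MECH"


@dataclass
class NegTokenInit:            # first SPNEGO token, sent by the initiator
    mech_types: list           # mechanism OIDs in the initiator's order of preference
    req_flags: frozenset       # deleg, mutual, replay, conf ... that the chosen mechanism must support
    mech_token: bytes = b""    # optimistic first token of mech_types[0]; saves a round trip if accepted


@dataclass
class NegTokenTarg:            # reply token, sent by the acceptor
    neg_result: str
    supported_mech: str = ""
    response_token: bytes = b""


# Each underlying mechanism is modelled as one initiator token answered by one acceptor token
# (a constructed stand-in for e.g. a Kerberos KRB_AP_REQ / KRB_AP_REP carried inside the mechanism token).
def mech_init_token(mech):
    return f"{mech}:init".encode()


def mech_accept_token(mech, token):
    if token != mech_init_token(mech):
        raise ValueError("mechanism token does not belong to " + mech)
    return f"{mech}:accept".encode()


class Acceptor:
    def __init__(self, supported, flags=frozenset({"mutual", "replay", "conf"})):
        self.supported, self.flags = list(supported), frozenset(flags)

    def accept_sec_context(self, init):
        """GSS_Accept_sec_context under the SPNEGO pseudo-mechanism: returns (NegTokenTarg, GSS status)."""
        common = [m for m in init.mech_types if m in self.supported]
        if not common or not init.req_flags <= self.flags:
            return NegTokenTarg(REJECT), GSS_S_BAD_MECH
        chosen = common[0]  # first mechanism in the initiator's preference order that we also support
        if chosen == init.mech_types[0] and init.mech_token:
            # The optimistic token was for the mechanism we chose: process it now, no extra round trip.
            return NegTokenTarg(ACCEPT_COMPLETED, chosen, mech_accept_token(chosen, init.mech_token)), GSS_S_COMPLETE
        return NegTokenTarg(ACCEPT_INCOMPLETE, chosen), GSS_S_CONTINUE_NEEDED

    def continue_sec_context(self, mech, token):
        """Second round, needed only when the optimistic mechanism was not the one chosen."""
        return NegTokenTarg(ACCEPT_COMPLETED, mech, mech_accept_token(mech, token)), GSS_S_COMPLETE


class Initiator:
    def __init__(self, mechs, flags=frozenset({"mutual", "replay", "conf"})):
        self.mechs, self.flags = list(mechs), frozenset(flags)

    def init_sec_context(self, acceptor):
        """Drive the negotiation to completion; returns (agreed mechanism OID, GSS status, round trips used)."""
        init = NegTokenInit(self.mechs, self.flags, mech_init_token(self.mechs[0]))
        targ, status = acceptor.accept_sec_context(init)  # round trip 1 carries the NegTokenInit
        round_trips = 1
        if targ.neg_result == REJECT:
            return None, GSS_S_BAD_MECH, round_trips
        if targ.neg_result == ACCEPT_INCOMPLETE:  # the acceptor picked another mechanism from our list
            targ, status = acceptor.continue_sec_context(targ.supported_mech, mech_init_token(targ.supported_mech))
            round_trips += 1
        if targ.response_token != f"{targ.supported_mech}:accept".encode():
            raise ValueError("acceptor's mechanism token failed verification")
        return targ.supported_mech, status, round_trips


def scenarios():
    """Four constructed negotiations between initiators and acceptors with different mechanism sets and flags."""
    return {
        "both_prefer_krb5": Initiator([KRB5_OID, SPKM1_OID]).init_sec_context(Acceptor([KRB5_OID])),
        "acceptor_lacks_first": Initiator([SPKM1_OID, KRB5_OID]).init_sec_context(Acceptor([KRB5_OID])),
        "nothing_in_common": Initiator([SPKM1_OID]).init_sec_context(Acceptor([KRB5_OID])),
        "flag_not_supported": Initiator([KRB5_OID], {"deleg", "mutual"}).init_sec_context(Acceptor([KRB5_OID])),
    }
```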

3.3. Conclusion

The combination of the two protocols GSS-API and SPNEGO for implementing Kerberos thus gives the system an open security platform that fully conforms to the IETF's Internet standards. A further reason is that the Kerberos protocol keeps changing as new versions mature (currently version 5); GSS-API, as the standard framework for running Kerberos between different systems, overcomes this drawback.

IV. THE SINGLE SIGN-ON SOLUTION

Based on the study above, we built a common security library, JAAM (Java Authentication and Authorization Module), which implements authentication, authorisation and confidentiality by implementing the SPNEGO and GSS-API (Kerberos) protocols and an authorisation policy. The single sign-on system thereby enforces security at the message level, avoiding dependence on the communication protocol: the communication protocol only has to transport the tokens, so the approach applies to every application in the system, whatever communication protocol it uses.

Figure 6: Model of using the JAAM library

Applications use the functional blocks that JAAM provides by calling JAAM through the JAAM API programming interface. The JAAM library is implemented in Java on J2SDK 1.4.2 so that it can be used by applications on Windows, Unix and Linux. The JAAM architecture basically comprises four base modules that together implement four basic functions: authentication, authorisation, delegation, and encryption and signing.

Nego module: implements the SPNEGO protocol to negotiate the selection of Kerberos as the GSS-API mechanism.

Auth module: uses the JGSS-API library of J2SDK 1.4.2 to perform authentication and delegation under the Kerberos protocol via GSS-API.

Policy module: performs user authorisation by decoding the PAC information (Active Directory only) and matching it against the system's configured authorisation policy.

Crypto module: provides message encryption and signing based on the user's secret key.

Figure 7: JAAM architecture

From the JAAM library we derive operating models for the web and for web services, the two protocols that matter most for solving the underlying problem. The JAAM implementation for these two protocols must satisfy two requirements:

Independence from the application. Application independence makes it easier for developers to create applications and gives them more confidence in the system's security.

Easy integration into existing systems. This is an important property when the system is deployed on top of legacy systems; easy integration increases compatibility and the reuse of existing services.

4.1. Implementing JAAM for the web

The SPNEGO protocol is supported by all the popular browsers, such as Firefox, Microsoft Internet Explorer and Mozilla, so our work is only to implement JAAM for web applications on the server side. The servlet 2.3 specification introduced a very flexible filtering mechanism that processes filters as a chain: the filters only have to be declared in web.xml, with no change to the web application's source code. Requests for servlets, JSP pages or HTML pages must pass through the filters, here the preinstalled authentication and authorisation modules, before reaching the requested resource. Thanks to these properties we can implement a module that performs authentication and authorisation for all requests completely independently of the web applications. From this we propose the following security model for web applications:

Figure 8: Model of the JAAM implementation for the web

At the web server, an incoming request is redirected by the servlet filter to JAAM (Java Authentication and Authorization Module). In JAAM, the authentication step reads the request header, authenticates under the SPNEGO/Kerberos protocol and at the same time performs auditing (logging). If this succeeds, JAAM takes the authorisation information from the Kerberos ticket and matches it against the system's policy. When JAAM succeeds, the request is passed on to the requested web page.

4.2. Implementing JAAM for web services

Starting from the idea of the web service architecture, where installing a web service requires registering it with a UDDI server, our system guarantees independence from the application by taking over the management of the web service connection between client and server. On the client side, when an application needs to use a service on the server, it passes the parameters, such as the service name and its arguments, to WSClient. WSClient packs the information received into an XML packet of the format designed in advance for the server; naturally the packet also carries the Kerberos authentication information for the server.

Figure 9: Model of the JAAM implementation for web services

The XML request is caught by the WSListener in JAAM on the server side, which unpacks and parses the information. WSListener then authenticates the client under the Kerberos protocol. If authentication succeeds, WSListener creates an instance of the class providing the requested service to perform the requested function; this is done by looking up the configured ServiceMap.xml file. The result is packed into XML in the system's standard form and returned to the client. WSClient receives the reply, unpacks and parses it, and returns the result to the application.

Remark: the ServiceMap.xml file makes the execution of services on the Web Service server precise and independent; when a new service is needed, instead of installing the web service step by step we only have to declare it in ServiceMap.xml. All of the communication, authentication and authorisation in the system is handled by WSListener and WSClient.

4.3. Experimental implementation

Suppose our network has two applications that provide services to users through a web interface.

The first application, the simple web application: a servlet that displays the authentication and authorisation information of the user accessing it, and provides links to services in the system, specifically the second service here.

The second application, the hello web application: a multi-tier web application that, depending on whether the user has the Student or the Professor role, responds with the corresponding greeting ("Hello, student" or "Hello, professor"). This web application does not produce the greetings itself but obtains them by querying two other services on the network through web services:

The Student web service: allows only users with the Student role to access it through the web service, returning "Hello, student " + the student's name.

The Professor web service: allows only users with the Professor role to access it through the web service, returning "Hello, professor " + the professor's name.

Figure 10: Model of the experimental implementation

Thus the hello web application must use the user's own identity, whether in the Student or the Professor group, to access the corresponding web service. The web application cannot use its own identity to gain access, since obviously it has no such permission!

V. CONCLUSION

Security in distributed systems receives ever more attention as the networks of agencies and organisations grow and deploy many complex applications. This paper has presented a fairly complete security solution based on the Kerberos protocol, which is supported by a great many major systems today. The current system meets the requirements for safety and security; however, to develop a complete security system that is better applicable in practice, further directions remain: building an identity management system, and bringing the system onto the Internet. We will continue to refine it in the coming time.
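The filter-chain model of Section 4.1 combined with the Student/Professor policy of Section 4.3, as an added example written here in Python (JAAM itself is Java; this is not its code): the SPNEGO/Kerberos token is replaced by a constructed HMAC-signed JSON body under an assumed server key, the paths and principal names are made up, and the challenge/response header exchange follows the Negotiate scheme of RFC 4559. The application behind the filter never authenticates anyone itself, which is the independence property the paper asks for.

```python
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"constructed web-server key"  # stands in for the key held by the web server's Kerberos principal


def make_negotiate_token(principal, groups, key=SERVER_KEY):
    """Constructed stand-in for the SPNEGO/Kerberos token a browser puts in 'Authorization: Negotiate ...'.
    Real tokens are DER-encoded Kerberos AP-REQs; here the body is JSON plus an HMAC under the server key."""
    body = json.dumps({"principal": principal, "groups": sorted(groups)}).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return base64.b64encode(body + b"." + tag).decode()


def verify_negotiate_token(token, key=SERVER_KEY):
    """Stand-in for JAAM's Auth module (accepting the GSS context) plus the Policy module's PAC decoding.
    Returns the identity carried by the token, or None when it was not issued under the server key."""
    try:
        body, _, tag = base64.b64decode(token, validate=True).rpartition(b".")
    except ValueError:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return json.loads(body) if hmac.compare_digest(expected, tag) else None


# Authorisation policy of the 4.3 experiment: which groups may reach which URL path (paths are made up).
POLICY = {"/hello": {"Student", "Professor"}, "/ws/student": {"Student"}, "/ws/professor": {"Professor"}}


class JaamFilter:
    """Servlet-filter style gate in front of the application (Figure 8): the application never sees an
    unauthenticated request and never performs authentication itself."""

    def __init__(self, policy, app):
        self.policy, self.app, self.audit = policy, app, []

    def do_filter(self, request):
        header = request["headers"].get("Authorization", "")
        if not header.startswith("Negotiate "):
            # No credentials yet: challenge the browser, which answers with a SPNEGO token (RFC 4559).
            return 401, {"WWW-Authenticate": "Negotiate"}, b""
        identity = verify_negotiate_token(header[len("Negotiate "):])
        if identity is None:
            self.audit.append(f"DENY authentication path={request['path']}")
            return 401, {"WWW-Authenticate": "Negotiate"}, b""
        self.audit.append(f"AUTH {identity['principal']} groups={identity['groups']} path={request['path']}")
        if not self.policy.get(request["path"], set()) & set(identity["groups"]):
            self.audit.append(f"DENY policy {identity['principal']} path={request['path']}")
            return 403, {}, b"Forbidden"
        request["user"] = identity  # the application trusts the filter's result, as in Section 4.1
        return self.app(request)


def hello_app(request):
    """The 'hello' application of 4.3, reduced to the greeting chosen by the user's role."""
    role = "student" if "Student" in request["user"]["groups"] else "professor"
    return 200, {"Content-Type": "text/plain"}, f"Hello, {role} {request['user']['principal']}".encode()


def demo():
    """Constructed requests: no credentials, a Student reaching /hello, the same Student at the professor
    service, and a token signed under a key that is not the server's."""
    gate = JaamFilter(POLICY, hello_app)
    token = make_negotiate_token("alice", ["Student"])
    first = gate.do_filter({"path": "/hello", "headers": {}})
    ok = gate.do_filter({"path": "/hello", "headers": {"Authorization": "Negotiate " + token}})
    wrong_role = gate.do_filter({"path": "/ws/professor", "headers": {"Authorization": "Negotiate " + token}})
    bad = make_negotiate_token("alice", ["Professor"], key=b"some other key")
    tampered = gate.do_filter({"path": "/ws/professor", "headers": {"Authorization": "Negotiate " + bad}})
    return {"challenge": (first[0], first[1]["WWW-Authenticate"]), "hello": ok[2].decode(),
            "wrong_role": wrong_role[0], "tampered": tampered[0], "audit": gate.audit}
```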

