HC VIN CNG NGH BU CHNH VIN THNG C S TP.

H CH MINH

BI GING

BO MT H THNG THNG TIN

DNH CHO H O TO T XA Bin son: L Phc

Thng 7/2007

M U
Ti liu ny c xy dng vi mc ch gip sinh vin h o to t xa nghin cu cc vn v bo mt h thng thng tin. Bo mt h thng thng tin l tp cc k thut, dch v, c ch v ng dng ph tr gip trin khai cc h thng thng tin vi an ton cao nht, m c th l bo v ba c trng c bn ca mt h thng an ton l tnh B mt, tnh Ton vn v tnh Kh dng ca thng tin. Tnh bo mt ca h thng l vn c cn nhc ngay khi thit k h thng v c thc hin xuyn sut trong qu trnh thi cng, vn hnh v bo dng h thng. Trong thi im m vic kt ni vo mng Internet, ni cha rt nhiu nguy c tn cng tim n, tr thnh mt nhu cu sng cn ca cc h thng thng tin th vn bo mt cng cn phi c quan tm v u t ng mc. Ti liu ny nhm n i tng sinh vin l nhng ngi va hc va lm, do cc vn bo mt thc t trn mng c quan tm nhiu hn l cc c s l thuyt. Cc chuyn v mt m cng c trnh by n gin theo cch nhn ca ngi s dng, khng qu chuyn su v c s ton hc, do , nu c nhu cu tm hiu su hn hoc chng minh cc thut ton, sinh vin cn phi c thm cc ti liu v l thuyt s. Ni dung ti liu c chia thnh 3 chng: -Chng 1:Tng quan v bo mt h thng thng tin, trnh by cc vn chung v bo mt v an ton h thng, cc nguy c v cc phng thc tn cng vo h thng thng tin, cc ng dng bo v h thng thng tin ang c s dng nh Firewall v IDS -Chng 2: Mt m v xc thc thng tin, trnh by cc c ch mt m v xc thc nhm m bo tnh B mt v Ton vn ca thng tin. Phn ny m t nguyn l ca cc thut ton mt m thng dng, hm bm, ch k s v cc vn qun l kho. -Chng 3: Cc ng dng bo mt trong h thng thng tin, trnh by cc ng dng thc t nh cc giao thc xc thc, bo mt trong kt ni mng vi IPSec, bo mt trong ng dng Internet vi SSL v SET. Cui mi chng u c phn tm tt, cc cu hi trc nghim v bi tp, gip sinh vin h thng ho li kin thc hc. c bit, cc bi tp thc hnh v lp trnh s gip sinh vin nm r hn phn l thuyt, nn c gng thc hin cc bi tp ny mt cch chu o. Hy vng ti liu ny s t nhiu gip ch cho vic nghin cu chuyn an ton h thng thng tin ca cc bn sinh vin. Thng 7/2007. Tc gi.

CHNG I TNG QUAN V BO MT H THNG THNG TIN

Gii thiu: Chng ny gip hc vin nm c cc khi nim thng dng trong bo mt v an ton h thng, nguyn tc xy dng mt h thng thng tin bo mt, nhn din v phn tch cc nguy c v ri ro i vi h thng thng tin, t c k hoch nng cp v bo v h thng. Ni dung chng ny gm cc phn nh sau: -Cc c trng ca mt h thng bo mt. -Nguy c v ri ro i vi h thng thng tin. -Cc khi nim dng trong bo mt h thng -Chin lc bo mt h thng AAA. -Mt s hnh thc xm nhp h thng. -K thut ngn chn v pht hin xm nhp.

I.1 TNG QUAN

Vn bo m an ton cho cc h thng thng tin l mt trong nhng vn quan trng cn cn nhc trong sut qu trnh thit k, thi cng, vn hnh v bo dng h thng thng tin. Cng nh tt c cc hot ng khc trong i sng x hi, t khi con ngi c nhu cu lu tr v x l thng tin, c bit l t khi thng tin c xem nh mt b phn ca t liu sn xut, th nhu cu bo v thng tin cng tr nn bc thit. Bo v thng tin l bo v tnh b mt ca thng tin v tnh ton vn ca thng tin. Mt s loi thng tin ch cn ngha khi chng c gi kn hoc gii hn trong mt s cc i tng no , v d nh thng tin v chin lc qun s chng hn. y l tnh b mt ca thng tin. Hn na, thng tin khng phi lun c con ngi ghi nh do s hu hn ca b c, nn cn phi c thit b lu tr thng tin. Nu thit b lu tr hot ng khng an ton, thng tin lu tr trn b mt i hoc sai lch ton b hay mt phn, khi tnh ton vn ca thng tin khng cn c bo m. Khi my tnh c s dng x l thng tin, hiu qu x l thng tin c nng cao ln, khi lng thng tin c x l cng ngy cng ln ln, v ko theo n, tm quan trng ca thng tin trong i sng x hi cng tng ln. Nu nh trc y, vic bo v thng tin ch ch trng vo vn dng cc c ch v phng tin vt l bo v thng tin theo ng ngha en ca t ny, th cng v sau, vn bo v thng tin tr nn a dng hn v phc tp hn. C th k ra hai iu thay i ln sau y i vi vn bo v thng tin: 1-S ng dng ca my tnh trong vic x l thng tin lm thay i dng lu tr ca thng tin v phng thc x l thng tin. Cn thit phi xy dng cc c ch bo v thng tin theo c th hot ng ca my tnh. T y xut hin yu cu bo v s an ton hot ng ca my tnh (Computer Security) tn ti song song vi yu cu bo v s an ton ca thng tin (Information Security). 2-S pht trin mnh m ca mng my tnh v cc h thng phn tn lm thay i phm vi t chc x l thng tin. Thng tin c trao i gia cc thit b x l thng qua mt khong cch vt l rt ln, gn nh khng gii hn, lm xut hin thm nhiu nguy c hn i vi s an ton ca thng tin. T xut hin yu cu bo v s an ton ca h thng mng (Network 2

Security), gm cc c ch v k thut ph hp vi vic bo v s an ton ca thng tin khi chng c trao i gia cc thit b trn mng. Cng vi vic nhn din hai iu thay i ln i vi vn bo m an ton thng tin, hin nay, khi nim bo m thng tin (Information Assurance) c xut nh mt gii php ton din hn cho bo mt thng tin. Theo , vn an ton ca thng tin khng cn ch gii hn trong vic m bo tnh b mt v tnh ton vn ca thng tin, phm vi bo v khng cn gii hn trong cc h thng my tnh lm chc nng x l thng tin na, m din ra trong tt c cc h thng t ng (automated systems). Yu cu bo v khng cn ch tp trung vn an ton ng (Security) na m bao gm c vn an ton tnh (Safety) v vn tin cy ca h thng (Reliability). Trong phm vi ti liu ny, vn Bo mt h thng thng tin (Information System Security) l vn trng tm nht. Ton b ti liu s tp trung vo vic m t, phn tch cc c ch v k thut nhm cung cp s bo mt cho cc h thng thng tin. Mt h thng thng tin, theo cch hiu ngm nh trong ti liu ny, l h thng x l thng tin bng cng c my tnh, c t chc tp trung hoc phn tn. Do vy, ni dung ca ti liu s va cp n vn bo mt my tnh (Computer Security) v bo mt mng (Network Security). Tuy vy, cc k thut bo mt mng ch c cp mt cch gin lc, dnh phn cho mt ti liu khc thuc chuyn ngnh Mng my tnh v truyn thng, l ti liu Bo mt mng.

I.2 CC C TRNG CA MT H THNG THNG TIN BO MT

Mt h thng thng tin bo mt (Secure Information System) l mt h thng m thng tin c x l trn n phi m bo c 3 c trng sau y: -Tnh b mt ca thng tin (Confidentiality) -Tnh ton vn ca thng tin (Integrity) -Tnh kh dng ca thng tin (Availability).

Confidentiality

Secure Integrity Availability

Hnh 1.1: M hnh CIA Ba c trng ny c lin kt li v xem nh l m hnh tiu chun ca cc h thng thng tin bo mt, hay ni cch khc, y l 3 thnh phn ct yu ca mt h thng thng tin Bo mt. M hnh ny c s dng rng ri trong nhiu ng cnh v nhiu ti liu khc nhau, v 3

c gi tt l m hnh CIA (ch phn bit vi thut ng CIA vi ngha Confidentiality, Itegrity, Authentication trong mt s ti liu khc). Phn sau y s trnh by chi tit v tng c trng ny.

I.2.1

Tnh b mt:

Mt s loi thng tin ch c gi tr i vi mt i tng xc nh khi chng khng ph bin cho cc i tng khc. Tnh b mt ca thng tin l tnh gii hn v i tng c quyn truy xut n thng tin. i tng truy xut c th l con ngi, l my tnh hoc phn mm, k c phn mm ph hoi nh virus, worm, spyware, Tu theo tnh cht ca thng tin m mc b mt ca chng c khc nhau. V d: cc thng tin v chnh tr v qun s lun c xem l cc thng tin nhy cm nht i vi cc quc gia v c x l mc bo mt cao nht. Cc thng tin khc nh thng tin v hot ng v chin lc kinh doanh ca doanh nghip, thng tin c nhn, c bit ca nhng ngi ni ting, thng tin cu hnh h thng ca cc mng cung cp dch v, v.v u c nhu cu c gi b mt tng mc . m bo tnh b mt ca thng tin, ngoi cc c ch v phng tin vt l nh nh xng, thit b lu tr, dch v bo v, th k thut mt m ho (Cryptography) c xem l cng c bo mt thng tin hu hiu nht trong mi trng my tnh. Cc k thut mt m ho s c trnh by c th chng II. Ngoi ra, k thut qun l truy xut (Access Control) cng c thit lp bo m ch c nhng i tng c cho php mi c th truy xut thng tin. Access control s c trnh by phn 3 ca chng ny. S b mt ca thng tin phi c xem xt di dng 2 yu t tch ri: s tn ti ca thng tin v ni dung ca thng tin . i khi, tit l s tn ti ca thng tin c ngha cao hn tit l ni dung ca n. V d: chin lc kinh doanh b mt mang tnh sng cn ca mt cng ty b tit l cho mt cng ty i th khc. Vic nhn thc c rng c iu tn ti s quan trng hn nhiu so vi vic bit c th v ni dung thng tin, chng hn nh ai tit l, tit l cho i th no v tit l nhng thng tin g, Cng v l do ny, trong mt s h thng xc thc ngi dng (user authentication) v d nh ng nhp vo h iu hnh Netware hay ng nhp vo hp th in t hoc cc dch v khc trn mng, khi ngi s dng cung cp mt tn ngi dng (user-name) sai, thay v thng bo rng user-name ny khng tn ti, th mt s h thng s thng bo rng mt khu (password) sai, mt s h thng khc ch thng bo chung chung l Invalid user name/password (ngi dng hoc mt khu khng hp l). Dng ng sau cu thng bo khng r rng ny l vic t chi xc nhn vic tn ti hay khng tn ti mt user-name nh th trong h thng. iu ny lm tng s kh khn cho nhng ngi mun ng nhp vo h thng mt cch bt hp php bng cch th ngu nhin.

I.2.2

Tnh ton vn:

c trng ny m bo s tn ti nguyn vn ca thng tin, loi tr mi s thay i thng tin c ch ch hoc h hng, mt mt thng tin do s c thit b hoc phn mm. Tnh ton vn c xt trn 2 kha cnh: -Tnh nguyn vn ca ni dung thng tin. -Tnh xc thc ca ngun gc ca thng tin. 4

Ni mt cch khc, tnh ton vn ca thng tin phi c nh gi trn hai mt: ton vn v ni dung v ton vn v ngun gc. V d: mt ngn hng nhn c lnh thanh ton ca mt ngi t xng l ch ti khon vi y nhng thng tin cn thit. Ni dung thng tin c bo ton v ngn hng nhn c mt cch chnh xc yu cu ca khch hng (ng nh ngi xng l ch ti khon gi i). Tuy nhin, nu lnh thanh ton ny khng phi cho chnh ch ti khon a ra m do mt ngi no khc nh bit c thng tin b mt v ti khon mo danh ch ti khon a ra, ta ni ngun gc ca thng tin khng c bo ton. Mt v d khc, mt t bo a tin v mt s kin va xy ra ti mt c quan quan trng ca chnh ph, c ghi ch rng ngun tin t ngi pht ngn ca c quan . Tuy nhin, nu tin tht s khng phi do ngi pht ngn cng b m c ly t mt knh thng tin khc, khng xt n vic ni dung thng tin c ng hay khng, ta ni rng ngun gc thng tin khng c bo ton. S tan vn v ngun gc thng tin trong mt s ng cnh c ngha tng ng vi s m bo tnh khng th chi ci (non-repudiation) ca h thng thng tin. Cc c ch m bo s ton vn ca thng tin c chia thnh 2 loi: cc c ch ngn chn (Prevention mechanisms) v cc c ch pht hin (Detection mechanisms). C ch ngn chn c chc nng ngn cn cc hnh vi tri php lm thay i ni dung v ngun gc ca thng tin. Cc hnh vi ny bao gm 2 nhm: hnh vi c gng thay i thng tin khi khng c php truy xut n thng tin v hnh vi thay i thng tin theo cch khc vi cch c cho php. V d: mt ngi ngoi cng ty c gng truy xut n c s d liu k ton ca mt cng ty v thay i d liu trong . y l hnh vi thuc nhm th nht. Trng hp mt nhn vin k ton c trao quyn qun l c s d liu k ton ca cng ty, v dng quyn truy xut ca mnh thay i thng tin nhm bin th ngn qu, y l hnh vi thuc nhm th hai. Nhm cc c ch pht hin ch thc hin chc nng gim st v thng bo khi c cc thay i din ra trn thng tin bng cch phn tch cc s kin din ra trn h thng m khng thc hin chc nng ngn chn cc hnh vi truy xut tri php n thng tin. Nu nh tnh b mt ca thng tin ch quan tm n vic thng tin c b tit l hay khng, th tnh ton vn ca thng tin va quan tm ti tnh chnh xc ca thng tin v c mc tin cy ca thng tin. Cc yu t nh ngun gc thng tin, cch thc bo v thng tin trong qu kh cng nh trong hin ti u l nhng yu t quyt nh tin cy ca thng tin v do nh hng n tnh ton vn ca thng tin. Ni chung, vic nh gi tnh ton vn ca mt h thng thng tin l mt cng vic phc tp.

I.2.3
l.

Tnh kh dng:
Tnh kh dng ca thng tin l tnh sn sng ca thng tin cho cc nhu cu truy xut hp

V d: cc thng tin v qun l nhn s ca mt cng ty c lu trn my tnh, c bo v mt cch chc chn bng nhiu c ch m bo thng tin khng b tit l hay thay i. Tuy nhin, khi ngi qun l cn nhng thng tin ny th li khng truy xut c v li h thng. Khi , thng tin hon ton khng s dng c v ta ni tnh kh dng ca thng tin khng c m bo.

Tnh kh dng l mt yu cu rt quan trng ca h thng, bi v mt h thng tn ti nhng khng sn sng cho s dng th cng ging nh khng tn ti mt h thng thng tin no. Mt h thng kh dng l mt h thng lm vic tri chy v hiu qu, c kh nng phc hi nhanh chng nu c s c xy ra. Trong thc t, tnh kh dng c xem l nn tng ca mt h thng bo mt, bi v khi h thng khng sn sng th vic m bo 2 c trng cn li (b mt v ton vn) s tr nn v ngha. Hin nay, cc hnh thc tn cng t chi dch v DoS (Denial of Service) v DDoS (Distributed Denial of Service) c nh gi l cc nguy c ln nht i vi s an ton ca cc h thng thng tin, gy ra nhng thit hi ln v c bit l cha c gii php ngn chn hu hiu. Cc hnh thc tn cng ny u nhm vo tnh kh dng ca h thng. Mt s hng nghin cu ang a ra cc m hnh mi cho vic m t cc h thng an ton. Theo , m hnh CIA khng m t c y cc yu cu an ton ca h thng m cn phi nh ngha li mt m hnh khc vi cc c tnh ca thng tin cn c m bo nh: -Tnh kh dng (Availability) -Tnh tin ch (Utility) -Tnh ton vn (Integrity) -Tnh xc thc (Authenticity) -Tnh bo mt (Confidentiality) -Tnh s hu (Possession)

I.3 CC NGUY C V RI RO I VI H THNG THNG TIN

I.3.1 Nguy c:
Nguy c (threat) l nhng s kin c kh nng nh hng n an ton ca h thng. V d: tn cng t chi dch v (DoS v DDoS) l mt nguy c i vi h thng cc my ch cung cp dch v trn mng. Khi ni n nguy c, ngha l s kin cha xy ra, nhng c kh nng xy ra v c kh nng gy hi cho h thng. C nhng s kin c kh nng gy hi, nhng khng c kh nng xy ra i vi h thng th khng c xem l nguy c. V d: tn cng ca su Nimda (nm 2001) c kh nng gy t lit ton b h thng mng ni b. Tuy nhin, su Nimda ch khai thc c li bo mt ca phn mm IIS (Internet Information Service) trn Windows (NT v 2000) v do ch c kh nng xy ra trn mng c my ci t h iu hnh Windows. Nu mt mng my tnh ch gm ton cc my ci h iu hnh Unix hoc Linux th su Nimda hon ton khng c kh nng tn ti, v do vy, su Nimda khng phi l mt nguy c trong trng hp ny. C th chia cc nguy c thnh 4 nhm sau y: -Tit l thng tin / truy xut thng tin tri php -Pht thng tin sai / chp nhn thng tin sai -Ph hoi / ngn chn hot ng ca h thng -Chim quyn iu khin tng phn hoc ton b h thng y l cch phn chia rt khi qut. Mi nhm s bao gm nhiu nguy c khc nhau. 6

Nghe ln, hay c ln (gi chung l snooping) l mt trong nhng phng thc truy xut thng tin tri php. Cc hnh vi thuc phng thc ny c th n gin nh vic nghe ln mt cuc m thoi, m mt tp tin trn my ca ngi khc, hoc phc tp hn nh xen vo mt kt ni mng (wire-tapping) n cp d liu, hoc ci cc chng trnh ghi bn phm (key-logger) ghi li nhng thng tin quan trng c nhp t bn phm. Nhm nguy c pht thng tin sai / chp nhn thng tin sai bao gm nhng hnh vi tng t nh nhm trn nhng mang tnh ch ng, tc l c thay i thng tin gc. Nu thng tin b thay i l thng tin iu khin h thng th mc thit hi s nghim trng hn nhiu bi v khi , hnh vi ny khng ch gy ra sai d liu m cn c th lm thay i cc chnh sch an ton ca h thng hoc ngn chn hot ng bnh thng ca h thng. Trong thc t, hnh thc tn cng xen gia Man-in-the-middle (MITM) l mt dng ca phng thc pht thng tin sai / chp nhn thng tin sai. Hot ng ca hnh thc tn cng ny l xen vo mt kt ni mng, c ln thng tin v thay i thng tin trc khi gi n cho ni nhn. Gi danh (spoofing) cng l mt dng hnh vi thuc nhm nguy c pht thng tin sai / chp nhn thng tin sai. Hnh vi ny thc hin vic trao i thng tin vi mt i tc bng cch gi danh mt thc th khc. Ph nhn hnh vi (repudiation) cng l mt phng thc gy sai lch thng tin. Bng phng thc ny, mt thc th thc hin hnh vi pht ra thng tin, nhng sau li chi b hnh vi ny, tc khng cng nhn ngun gc ca thng tin, v do vi phm yu cu v tnh ton vn ca thng tin. V d: mt ngi ch ti khon yu cu ngn hng thanh ton t ti khon ca mnh. Mi thng tin u chnh xc v ngn hng thc hin lnh. Tuy nhin sau ngi ch ti khon li ph nhn vic mnh a ra lnh thanh ton. Khi , thng tin b sai lch do ngun gc ca thng tin khng cn xc nh.

Nhm nguy c th 3 bao gm cc hnh vi c mc ch ngn chn hot ng bnh thng ca h thng bng cch lm chm hoc gin on dch v ca h thng. Tn cng t chi dch v hoc virus l nhng nguy c thuc nhm ny. Chim quyn iu khin h thng gy ra nhiu mc thit hi khc nhau, t vic ly cp v thay i d liu trn h thng, n vic thay i cc chnh sch bo mt v v hiu ho cc c ch bo mt c thit lp. V d in hnh cho nhm nguy c ny l cc phng thc tn cng nhm chim quyn root trn cc my tnh chy Unix hoc Linux bng cch khai thc cc li phn mm hoc li cu hnh h thng. Tn cng trn b m (buffer overflow) l cch thng dng nht chim quyn root trn cc h thng Linux vn c xy dng trn nn tng ca ngn ng lp trnh C.

I.3.2

Ri ro v qun l ri ro:
Ri ro (risk) l xc sut xy ra thit hi i vi h thng.

Ri ro bao gm 2 yu t: Kh nng xy ra ri ro v thit hi do ri ro gy ra. C nhng ri ro c kh nng xy ra rt cao nhng mc thit hi th thp v ngc li.

V d: ri ro mt thng tin trn h thng khng c c ch bo v tp tin, chng hn nh Windows 98. Windows 98 khng c c ch xc thc ngi s dng nn bt c ai cng c th s dng my vi quyn cao nht. Nu trn ch c cha cc tp tin vn bn khng c tnh b mt th vic mt mt tp tin th thit hi gy ra ch l mt cng sc nh my vn bn . y l dng ri ro c xc sut xy ra cao nhng thit hi thp. Mt v d khc: trn my ch cung cp dch v c mt phn mm c li trn b m, v nu khai thc c li ny th k tn cng c th chim c quyn iu khin ton b h thng. Tuy nhin, y l phn mm khng ph bin v khai thc c li ny, k tn cng phi c nhng k nng cao cp. Ri ro h thng b chim quyn iu khin c nh gi l c kh nng xy ra thp, nhng nu c xy ra, th thit hi s rt cao. Cn ch phn bit gia nguy c v ri ro. Nguy c l nhng hnh vi, nhng s kin hoc i tng c kh nng gy hi cho h thng. Ri ro l nhng thit hi c kh nng xy ra i vi h thng. V d: Tn cng t chi dch v l mt nguy c (threat). y l mt s kin c kh nng xy ra i vi bt k h thng cung cp dch v no. Thit hi do tn cng ny gy ra l h thng b gin on hot ng, y mi l ri ro (risk). Tuy nhin, khng phi bt k tn cng t chi dch v no xy ra cng u lm cho h thng ngng hot ng, v hn na, tn cng t chi dch v khng phi l ngun gc duy nht gy ra gin on h thng; nhng nguy c khc nh li h thng (do vn hnh sai), li phn mm (do lp trnh), li phn cng (h hng thit b, mt in, ) cng u c kh nng dn n gin on h thng. Mt v d khc, xt trng hp lu tr tp tin trn mt my tnh chy h iu hnh Windows 98 ni trn. Nguy c i vi h thng l cc hnh vi sa hoc xo tp tin trn my ngi khc. Nhng ngi hay s dng my tnh ca ngi khc cng c xem l nguy c i vi h thng. Ri ro i vi h thng trong trng hp ny l vic tp tin b mt hoc b sa. Trong thc t, vic ra chnh sch bo mt cho mt h thng thng tin phi m bo c s cn bng gia li ch ca vic bo m an ton h thng v chi ph thit k, ci t v vn hnh cc c ch bo v chnh sch . Cng vic qun l ri ro trn mt h thng l quy trnh cn thit nhn din tt c nhng ri ro i vi h thng, nhng nguy c c th dn n ri ro v phn tch li ch / chi ph ca gii php ngn chn ri ro. Quy trnh phn tch ri ro bao gm cc bc: -Nhn dng cc ri ro i vi h thng -Chn la v thc hin cc gii php gim bt ri ro. -Theo di v nh gi thit hi ca nhng ri ro xy ra, lm c s cho vic iu chnh li hai bc u.

I.3.3

Vn con ngi trong bo mt h thng:

Con ngi lun l trung tm ca tt c cc h thng bo mt, bi v tt c cc c ch, cc k thut c p dng bo m an ton h thng u c th d dng b v hiu ho bi con ngi trong chnh h thng . V d: h thng xc thc ngi s dng yu cu mi ngi trong h thng khi mun thao tc trn h thng u phi cung cp tn ngi dng v mt khu. Tuy nhin, nu ngi c cp mt khu khng bo qun k thng tin ny, hoc thm ch em tit l cho ngi khc bit, th kh nng xy ra cc vi phm i vi chnh sch an ton l rt cao v h thng xc thc b v hiu ho. 8

Nhng ngi c ch mun ph v chnh sch bo mt ca h thng c gi chung l nhng ngi xm nhp (intruder hoc attacker) v theo cch ngh thng thng th y phi l nhng ngi bn ngoi h thng. Tuy nhin, thc t chng minh c rng chnh nhng ngi bn trong h thng, nhng ngi c iu kin tip cn vi h thng li l nhng ngi c kh nng tn cng h thng cao nht. c th l mt nhn vin ang bt mn v mun ph hoi, hoc ch l mt ngi thch khm ph v chng t mnh. Cc tn cng gy ra bi cc i tng ny thng kh pht hin v gy thit hi nhiu hn cc tn cng t bn ngoi. Nhng ngi khng c hun luyn v an ton h thng cng l ni tim n cc nguy c do nhng hnh vi v ca h nh thao tc sai, b qua cc khu kim tra an ton, khng tun th chnh sch bo mt thng tin nh lu tp tin bn ngoi th mc an ton, ghi mt khu ln bn lm vic,

I.4 NGUYN TC XY DNG MT H THNG BO MT

I.4.1 Chnh sch v c ch:
Hai khi nim quan trng thng c cp khi xy dng mt h thng bo mt: -Chnh sch bo mt (Security policy) -C ch bo mt (Security mechanism) Chnh sch bo mt l h thng cc quy nh nhm m bo s an ton ca h thng. C ch bo mt l h thng cc phng php, cng c, th tc, dng thc thi cc quy nh ca chnh sch bo mt. Chnh sch bo mt c th c biu din bng ngn ng t nhin hoc ngn ng ton hc. V d: trong mt h thng, bo m an ton cho mt ti nguyn (resource) c th, chnh sch an ton quy nh rng ch c ngi dng no thuc nhm qun tr h thng (Administrators) mi c quyn truy xut, cn nhng ngi dng khc th khng. y l cch biu din bng ngn ng t nhin. C th biu din quy nh ny bng ngn ng ton hc nh sau: Gi: U l tp hp cc ngi dng trong h thng. A l tp hp cc ngi dng thuc nhm qun tr. O l tp hp cc i tng (ti nguyn) trong h thng Thao tc Access(u, o) cho gi tr TRUE nu ngi dng u c quyn truy xut n i tng o, ngc li, cho gi tr FALSE. Quy nh p trong chnh sch an ton c pht biu nh sau:

u U, o O: Access(u, o) = TRUE u A
Ma trn cng thng c dng biu din mt chnh sch bo mt. V d: mt h thng vi cc tp ngi dng U = {u1, u2, u3, u4} v tp i tng O = {o1, o2, o3, o4}. Cc thao tc m mt ngi dng u c th thc hin c trn mt i tng o bao gm c (r), ghi (w) v thc thi (x). Quy nh v kh nng truy xut ca tng ngi dng n tng i tng trong h thng c biu din bng ma trn nh sau:

u1 o1 o2 o3 o4 x x w w

u2 x r

U3 R R R R

u4

Quan st ma trn, ta bit rng ngi dng u3 c quyn c trn tt c cc i tng t o1 n o4, trong khi ngi dng u4 th khng c quyn truy xut n bt k i tng no. C ch bo mt thng thng l cc bin php k thut. V d: xy dng bc tng la (firewall), xc thc ngi dng, dng c ch bo v tp tin ca h thng qun l tp tin NTFS phn quyn truy xut i vi tng tp tin / th mc trn a cng, dng k thut mt m ho che giu thng tin, v.v Tuy nhin, i khi c ch ch l nhng th tc (procedure) m khi thc hin n th chnh sch c bo ton. V d: phng thc hnh my tnh ca trng i hc quy nh: sinh vin khng c sao chp bi tp ca sinh vin khc c lu trn my ch. y l mt quy nh ca chnh sch bo mt. thc hin quy nh ny, cc c ch c p dng bao gm: to th mc ring trn my ch cho tng sinh vin, phn quyn truy xut cho tng sinh vin n cc th mc ny v yu cu sinh vin phi lu bi tp trong th mc ring, mi khi ri khi my tnh phi thc hin thao tc logout khi h thng. Trong c ch ny, cc bin php nh to th mc ring, gn quyn truy xut, l cc bin php k thut. Bin php yu cu sinh vin that khi h thng (logout) khi ri khi my l mt bin php th tc. Nu sinh vin ra v m khng that ra khi h thng, mt sinh vin khc c th s dng phin lm vic ang m ca sinh vin ny sao chp bi tp. Khi , r rng chnh sch bo mt b vi phm. Cho trc mt chnh sch bo mt, c ch bo mt phi m bo thc hin c 3 yu cu sau y: -Ngn chn cc nguy c gy ra vi phm chnh sch -Pht hin cc hnh vi vi phm chnh sch -Khc phc hu qu ca ri ro khi c vi phm xy ra. Thng thng, vic xy dng mt h thng bo mt phi da trn 2 gi thit sau y: 1-Chnh sch bo mt phn chia mt cch r rng cc trng thi ca h thng thnh 2 nhm: an ton v khng an ton. 2-C ch bo mt c kh nng ngn chn h thng tin vo cc trng thi khng an ton. Ch cn mt trong hai gi thit ny khng m bo th h thng s khng an ton. Tng c ch ring l c thit k bo v mt hoc mt s cc quy nh trong chnh sch. Tp hp tt c cc c ch trin khai trn h thng phi m bo thc thi tt c cc quy nh trong chnh sch. Hai nguy c c th xy ra khi thit k h thng bo mt do khng m bo 2 gi thit trn: 1-Chnh sch khng lit k c tt c cc trng thi khng an ton ca h thng, hay ni cch khc, chnh sch khng m t c mt h thng bo mt tht s. 10

2-C ch khng thc hin c tt c cc quy nh trong chnh sch, c th do gii hn v k thut, rng buc v chi ph, Da trn nhng nhn thc ny, c th nh gi mc an ton ca mt c ch nh sau: Gi P l tp hp tt c cc trng thi ca h thng, Q l tp hp cc trng thi an ton theo nh ngha ca chnh sch bo mt, gi s c ch ang p dng c kh nng gii hn cc trng thi ca h thng trong tp R. Ta c cc nh ngha nh sau: -Nu R Q: c ch c nh gi l an ton (secure mechanism). -Nu R = Q: c ch c nh gi l chnh xc (precise mechanism). -Nu tn ti trng thi r R sao cho r Q: c ch c nh gi l lng lo (broad mechanism).

I.4.2

Cc mc tiu ca bo mt h thng:

Mt h thng bo mt, nh trnh by phn 2 ca chng ny, l h thng tho mn 3 yu cu c bn l tnh b mt, tnh ton vn v tnh kh dng, gi tt l CIA. thc hin m hnh CIA, ngi qun tr h thng cn nh ngha cc trng thi an ton ca h thng thng qua chnh sch bo mt, sau thit lp cc c ch bo mt bo v chnh sch . Mt h thng l tng l h thng: -C chnh sch xc nh mt cch chnh xc v y cc trng thi an ton ca h thng; -C c ch thc thi y v hiu qu cc quy nh trong chnh sch. Tuy nhin trong thc t, rt kh xy dng nhng h thng nh vy do c nhng hn ch v k thut, v con ngi hoc do chi ph thit lp c ch cao hn li ch m h thng an ton em li. Do vy, khi xy dng mt h thng bo mt, th mc tiu t ra cho c ch c p dng phi bao gm 3 phn nh sau: Ngn chn (prevention): mc tiu thit k l ngn chn cc vi phm i vi chnh sch. C nhiu s kin, hnh vi dn n vi phm chnh sch. C nhng s kin c nhn din l nguy c ca h thng nhng c nhng s kin cha c ghi nhn l nguy c. Hnh vi vi phm c th n gin nh vic l mt khu, qun that khi h thng khi ri khi my tnh, hoc c nhng hnh vi phc tp v c ch ch nh c gng tn cng vo h thng t bn ngoi. Cc c ch an ton (secure mechanism) hoc c ch chnh xc (precise mechanism) theo nh ngha trn l cc c ch c thit k vi mc tiu ngn chn. Tuy nhin, khi vic xy dng cc c ch an ton hoc chnh xc l khng kh thi th cn phi quan tm n 2 mc tiu sau y khi thit lp cc c ch bo mt: Pht hin (detection): mc tiu thit k tp trung vo cc s kin vi phm chnh sch v ang xy ra trn h thng. Thc hin cc c ch pht hin ni chung rt phc tp, phi da trn nhiu k thut v nhiu ngun thng tin khc nhau. V c bn, cc c ch pht hin xm nhp ch yu da vo vic theo di v phn tch cc thng tin trong nht k h thng (system log) v d liu ang lu thng trn mng (network traffic) tm ra cc du hiu ca vi phm. Cc du hiu vi phm ny (gi l signature) thng phi c nhn din trc v m t trong mt c s d liu ca h thng (gi l signature database). V d: khi my tnh b nhim virus. a s cc trng hp ngi s dng pht hin ra virus khi n thc hin ph hoi trn my tnh. Tuy nhin c nhiu virus vn ang dng tim n ch 11

cha thi hnh, khi dng chng trnh qut virus s c th pht hin ra. chng trnh qut virus lm vic c hiu qu th cn thit phi cp nht thng xuyn danh sch virus. Qu trnh cp nht l qu trnh a thm cc m t v du hiu nhn bit cc loi virus mi vo c s d liu (virus database hoc virus list). Phc hi (recovery): mc tiu thit k bao gm cc c ch nhm chn ng cc vi phm ang din ra (response) hoc khc phc hu qu ca vi phm mt cch nhanh chng nht vi mc thit hi thp nht (recovery). Ty theo mc nghim trng ca s c m c cc c ch phc hi khc nhau. C nhng s c n gin v vic phc hi c th hon ton c thc hin t ng m khng cn s can thip ca con ngi, ngc li c nhng s c phc tp v nghim trng yu cu phi p dng nhng bin php b sung phc hi. Mt phn quan trng trong cc c ch phc hi l vic nhn din s h ca h thng v iu chnh nhng s h . Ngun gc ca s h c th do chnh sch an ton cha cht ch hoc do li k thut ca c ch.

I.5 CHIN LC BO MT H THNG AAA

AAA (Access control, Authentication, Auditing) c xem l bc tip cn c bn nht v l chin lc nn tng nht thc thi cc chnh sch bo mt trn mt h thng c m t theo m hnh CIA. C s ca chin lc ny nh sau: 1-Quyn truy xut n tt c cc ti nguyn trong h thng c xc nh mt cch tng minh v gn cho cc i tng xc nh trong h thng. 2-Mi khi mt i tng mun vo h thng truy xut cc ti nguyn, n phi c xc thc bi h thng chc chn rng y l mt i tng c quyn truy xut. 3-Sau khi c xc thc, tt c cc thao tc ca i ng u phi c theo di m bo i tng khng thc hin qun quyn hn ca mnh. Cn phn bit vi AAA trong ng cnh qun l mng truy nhp vi ngha Authentication, Authorization, Accounting l dch v trn cc my ch truy nhp t xa (remote access server) thc hin qun l truy nhp mng ca ngi s dng, theo di lu lng s dng v tnh cc truy nhp. AAA trong trng hp ny thng trin khai cng vi cc dch v nh RADIUS, TACACS+, AAA gm 3 lnh vc tch ri nhng hot ng song song vi nhau nhm to ra cc c ch bo v s an ton ca h thng. Phn sau y trnh by chi tit v 3 lnh vc ca AAA.

I.5.1

iu khin truy xut:

iu khin truy xut (Access control) c nh ngha l mt quy trnh c thc hin bi mt thit b phn cng hay mt module phn mm, c tc dng chp thun hay t chi mt s truy xut c th n mt ti nguyn c th. iu khin truy xut c thc hin ti nhiu v tr khc nhau ca h thng, chng hn nh ti thit b truy nhp mng (nh remote access server-RAS hoc wireless access point WAP), ti h thng qun l tp tin ca mt h iu hnh v d NTFS trn Windows hoc trn cc h thng Active Directory Service trong Netware 4.x hay Windows 2000 server, Trong thc t, iu khin truy xut c thc hin theo 3 m hnh sau y: 12

-M hnh iu khin truy xut bt buc (Mandatory Access Control_MAC): l m hnh iu khin truy xut c p dng bt buc i vi ton h thng. Trong mi trng my tnh, c ch iu khin truy xut bt buc c tch hp sn trong h iu hnh, v c tc dng i vi tt c cc ti nguyn v i tng trong h thng, ngi s dng khng th thay i c. V d: trong h thng an ton nhiu cp (multilevel security), mi i tng (subject) hoc ti nguyn (object) c gn mt mc bo mt xc nh. Trong h thng ny, cc i tng c mc bo mt thp khng c c thng tin t cc ti nguyn c mc bo mt cao, ngc li cc i tng mc bo mt cao th khng c ghi thng tin vo cc ti nguyn c mc bo mt thp. M hnh ny c bit hu dng trong cc h thng bo v b mt qun s (m hnh BellLaPadula, 1973). Nhng c im phn bit ca m hnh iu khin truy xut bt buc: -c thit lp c nh mc h thng, ngi s dng (bao gm c ngi to ra ti nguyn) khng thay i c. -Ngi dng v ti nguyn trong h thng c chia thnh nhiu mc bo mt khc nhau, phn nh mc quan trng ca ti nguyn v ngi dng. -Khi m hnh iu khin bt buc c thit lp, n c tc dng i vi tt c ngi dng v ti nguyn trn h thng. -M hnh iu khin truy xut t do (Discretionary Access Control_DAC): l m hnh iu khin truy xut trong vic xc lp quyn truy xut i vi tng ti nguyn c th do ngi ch s hu ca ti nguyn quyt nh. y l m hnh c s dng ph bin nht, xut hin trong hu ht cc h iu hnh my tnh. V d: trong h thng qun l tp tin NTFS trn Windows XP, ch s hu ca mt th mc c ton quyn truy xut i vi th mc, c quyn cho php hoc khng cho php ngi dng khc truy xut n th mc, c th cho php ngi dng khc thay i cc xc lp v quyn truy xut i vi th mc.
Xem v thay i quyn truy xut DAC trn mt th mc trong Windows XP: -Khi ng Windows Explorer bng cch click phi vo biu tng My Computer v chn Explorer. -Mc nh, Windows XP khng th hin cc thng tin chi tit v quyn truy xut i vi th mc. Mun th hin cc thng tin ny, vo menu Tools, chn Folder Options, click vo tab View, trong ca s Advanced settings, tm dng Use simple file sharing (Recommended) cui danh sch v b tu chn ny (uncheck), chn OK. -Click phi vo mt th mc tu trong ca s Windows Explorer, chn Properties, click vo tab Security (Hnh 1.2). -Ca s Group or User names lit k cc ngi dng v nhm ngi dng hin c trong h thng. Ca s Permissions for lit k cc quyn c gn cho nhm hoc ngi dng tng ng. -Th cho php hoc xo b cc quyn mc nh ca mt ngi dng bt k.

Hnh 1.2: iu khin truy xut t do trong Windows XP

c im phn bit ca m hnh iu khin truy xut t do: 13

-Khng c p dng mc nh trn h thng -Ngi ch s hu ca ti nguyn (owner), thng l ngi to ra ti nguyn hoc ngi c gn quyn s hu, c ton quyn iu khin vic truy xut n ti nguyn. -Quyn iu khin truy xut trn mt ti nguyn c th c chuyn t i tng (user) ny sang i tng (user) khc. -M hnh iu khin truy xut theo chc nng (Role Based Access Control_RBAC): y l m hnh iu khin truy xut da trn vai tr ca tng ngi dng trong h thng (user roles). V d: mt ngi qun l ti chnh cho cng ty (financial manager) th c quyn truy xut n tt c cc d liu lin quan n ti chnh ca cng ty, c thc hin cc thao tc sa, xa, cp nht trn c s s liu. Trong khi , mt nhn vin k ton bnh thng th ch c truy xut n mt b phn no ca c s d liu ti chnh v ch c thc hin cc thao tc c gii hn i vi c s d liu. Vn quan trng trong m hnh iu khin truy xut theo chc nng l nh ngha cc quyn truy xut cho tng nhm i tng ty theo chc nng ca cc i tng . Vic ny c nh ngha mc h thng v p dng chung cho tt c cc i tng. C ch qun l theo nhm (account group) ca Windows NT chnh l s m phng ca m hnh RBAC. Trong c ch ny, ngi s dng c gn lm thnh vin ca mt hoc nhiu nhm trong h thng, vic phn quyn truy xut n cc ti nguyn c thc hin i vi cc nhm ch khng phi i vi tng ngi dng, khi cc ngi dng thnh vin trong nhm s nhn c quyn truy xut tng ng mt cch mc nh. Vic thay i quyn truy xut i vi tng ngi dng ring bit c thc hin bng cch chuyn ngi dng sang nhm khc c quyn truy xut thch hp. c im phn bit ca m hnh iu khin truy xut theo chc nng: -Quyn truy xut c cp da trn cng vic ca ngi dng trong h thng (users role) -Linh ng hn m hnh iu khin truy xut bt buc, ngi qun tr h thng c th cu hnh li quyn truy xut cho tng nhm chc nng hoc thay i thnh vin trong cc nhm. -Thc hin n gin hn m hnh iu khin truy xut t do, khng cn phi gn quyn truy xut trc tip cho tng ngi dng. ng dng cc m hnh iu khin truy xut trong thc t: Trong thc t, m hnh iu khin truy xut t do (DAC) c ng dng rng ri nht do tnh n gin ca n i vi ngi dng. Tuy nhin, DAC khng m bo c cc yu cu c bit v an ton h thng. Do vy, mt m hnh thch hp nht l phi hp c 3 m hnh: m hnh iu khin truy xut bt buc, m hnh iu khin truy xut t do v m hnh iu khin truy xut theo chc nng. Ngoi m hnh DAC c tch hp trong hu ht cc h iu hnh; m hnh RBAC c ng dng trong dch v Active Directory ca Netware 4.11 v Windows 2000 tr v sau; m hnh MAC c a vo trong cc h iu hnh nh Windows Vista (di dng c ch Mandatory Integrity Control), SELinux (k c Red Hat Enterprise Linux version 4), Trusted Solaris v Apple Computer (MAC OS X version 10.5 Leopard).

I.5.2

Xc thc:

14

Xc thc (Authentication) l mt th tc c chc nng xc minh nhn dng (identity) ca mt i tng trc khi trao quyn truy xut cho i tng ny n mt ti nguyn no . Xc thc c thc hin da trn 3 c s: -What you know (iu m i tng bit), v d mt khu. -What you have (ci m i tng c), v d th thng minh Smartcard. -What you are (c trng ca i tng): cc c im nhn dng sinh trc hc nh du vn tay, vng mc, Trong mi trng my tnh, xc thc c dng nhiu ng cnh khc nhau, v d: xc thc tn ng nhp v mt khu ca ngi s dng (hnh 1.3) trc khi cho php ngi s dng thao tc trn h thng my tnh (xc thc ca h iu hnh), xc thc tn ng nhp v mt khu trc khi cho php ngi dng kim tra hp th in t (xc thc ca Mail server); trong giao dch ngn hng, th tc xc thc dng xc nh ngi ang ra lnh thanh ton c phi l ch ti khon hay khng; trong trao i thng tin, th tc xc thc dng xc nh chnh xc ngun gc ca thng tin.

Trm lm vic (workstation)

My ch (server)

Hnh 1.3: Xc thc bng tn ng nhp v mt khu Nhiu k thut khc nhau c p dng thc thi c ch xc thc. C ch xc thc dng tn ng nhp v mt khu l c ch truyn thng v vn cn c s dng rng ri hin nay. Khi vic xc thc c thc hin thng qua mng, mt s h thng thc hin vic mt m ho tn ng nhp v mt khu trc khi truyn i trnh b tit l, nhng cng c nhiu h thng gi trc tip nhng thng tin nhy cm ny trn mng (v d nh cc dch v FTP, Telnet, ) gi l cleartext authentication. Mt s k thut tin tin hn c dng trong xc thc nh th thng minh (Smartcard), chng thc s (digital certificate), cc thit b nhn dng sinh trc hc (biometric devices), tng tin cy ca c ch xc thc, nhiu k thut c s dng phi hp nhau gi l multi-factor authentication. V d: xc thc dng th thng minh km vi mt khu, ngha l ngi s dng va c th va phi bit mt khu th mi ng nhp c, trnh trng hp ly cp th ca ngi khc ng nhp.

15

Trong thc t tn ti hai phng thc xc thc: xc thc mt chiu (one way authentication) v xc thc hai chiu (mutual authentication). Phng thc xc thc mt chiu ch cung cp c ch mt i tng (thng l my ch) kim tra nhn dng ca i tng kia (ngi dng) m khng cung cp c ch kim tra ngc li (tc khng cho php ngi dng kim tra nhn dng ca my ch). Xt trng hp mt ngi s dng ng nhp vo mt hp th in t xa thng qua dch v web (web mail). Ngi s dng d nhin phi cung cp tn ng nhp v mt khu ng th mi c php truy xut hp th. nh cp mt khu ca ngi dng, k tn cng c th xy dng mt trang web han tan ging vi giao din ca my ch cung cp dch v th in t (mail server) v nh la ngi s dng kt ni n trang web ny. Do khng c c ch xc thc my ch, ngi s dng khng th nhn bit y l mt my ch gi mo nn yn tm cung cp tn ng nhp v mt khu. Phng thc kim tra hai chiu cho php hai i tng tham gia giao tc xc thc ln nhau, do tnh chnh xc ca qu trnh xc thc c m bo. Giao thc bo mt SSL (Secure Sockets Layer) dng trong dch v web (c trnh by chng III) cung cp c ch xc thc hai chiu dng chng thc s. C nhiu gii thut xc thc khc nhau. Gii thut n gin nht ch cn so snh tn ng nhp v mt khu m ngi s dng cung cp vi tn ng nhp v mt khu c lu trong h thng, nu ging nhau ngha l th tc xc thc thnh cng (PAP). Gii thut phc tp hn nh CHAP th thc hin vic mt m ha thng tin trn mt gi tr ngu nhin no do my ch a ra (gi l challenge) trnh trng hp mt khu b c ln trn mng v cc hnh thc tn cng pht li (replay attack). Mt gii thut phc tp khc l Kerberos thc hin th tc xc thc theo mt qu trnh phc tp gm nhiu bc nhm m bo hn ch tt c cc nguy c gy nn xc thc sai. Cc gii thut xc thc c trnh by cho tit phn I ca chng III.

I.5.3

Kim tra:

Kim tra (Auditing) l c ch theo di hot ng ca h thng, ghi nhn cc hnh vi din ra trn h thng v lin kt cc hnh vi ny vi cc tc nhn gy ra hnh vi. V d: ci t c ch kim tra cho mt th mc trong h thng tp tin NTFS s cho php ngi qun tr theo di cc hot ng din ra trn th mc nh: thao tc no c thc hin, ngy gi thc hin, ngi s dng no thc hin, Cc mc tiu ca kim tra: -Cung cp cc thng tin cn thit cho vic phc hi h thng khi c s c -nh gi mc an ton ca h thng c k hoch nng cp kp thi -Cung cp cc thng tin lm chng c cho vic pht hin cc hnh vi truy xut tri php trn h thng. Trong mt h thng tin cy (reliable system) th vic kim tra cng l mt yu cu quan trng bi v n m bo rng cc hnh vi ca bt k ngi dng no trong h thng (k c nhng ngi dng hp h c xc thc authenticated user) cng u c theo di chc chn rng nhng hnh vi din ra ng theo cc chnh sch an ton c nh ngha trn h thng. Nguyn tc chung khi xy dng cc h thng an tan l chia nh cc th tc thnh nhiu cng on c thc hin bi nhiu tc nhn khc nhau, v do vic thc hin hon chnh mt th tc yu cu phi c s tham gia ca nhiu tc nhn. y l c s thc thi cc c ch kim tra.

16

V d: cng vic gi kho hng v cng vic qun l s sch phi c thc hin bi hai nhn vin khc nhau trnh trng hp mt nhn vin va c th ly hng ra ngoi va c th thay i thng tin trong s qun l. Nguyn tc ny c p dng trit trong c ch kim tra trn h thng nhm phn bit r rng gia chc nng kim tra vi cc hot ng c kim tra. Thng thng, mt i tng c kim tra s khng c quyn thay i cc thng tin m c ch kim tra ghi li. Cc thnh phn ca h thng kim tra: -Logger: Ghi li thng tin gim st trn h thng -Analyzer: Phn tch kt qu kim tra -Notifier: Cnh bo v tnh an ton ca h thng da trn kt qu phn tch. Song song vi c ch kim tra thng trc trn h thng (auditing), vic kim tra h thng nh k (system scanning) c chc nng kim tra v pht hin cc s h k thut nh hng n s an ton ca h thng. Cc chc nng c th thc hin bi cc chng trnh kim tra h thng trn my tnh thng gp: -Kim tra vic tun th chnh sch an ton v mt khu (password policy), v d: ngi dng c i mt khu thng xuyn khng, di mt khu, phc tp ca mt khu, -nh gi kh nng xm nhp h thng t bn ngoi. -Kim tra phn ng ca h thng i vi cc du hiu c th dn n tn cng t chi dch v hoc s c h thng (system crash). Lu rng, cc cng c kim tra h thng cng ng thi l cc cng c m nhng k tn cng (attacker) s dng pht hin cc l hng bo mt trn h thng, t thc hin cc thao tc tn cng khc. C nhiu phn mm qut h thng, in hnh nh SATAN (System Administrator Tool for Analyzing Network), Nessus, Nmap,
Ci t chc nng Audit ca h iu hnh Windows XP ln mt th mc trn mt phn vng NTFS: -Mc nh, Windows XP khng p dng c ch kim tra, do cn phi kch hot c ch kim tra ca Windows XP dng Local Security Policy nh sau: Vo Control Panel, chn Administrative Tools, chn Local Security Policy, trong khung Security Settings bn tri ca s, double-click vo mc Local Policy, sau click vo mc Audit Policy. Khi , khung bn phi ca s lit k cc chc nng kim tra ca Windows XP. kch hot c ch kim tra trn th mc, tm dng Audit object access, double-click vo dng ny v chn c hai mc Success v Failure trong ca s mi m. Click OK v ng tt c cc ca s li. - p dng c ch kim tra trn mt th mc no : khi ng Windows explorer, tm mt th mc mun kim tra v click phi vo th mc ny, chn Properties, click vo tab Security, click vo nt Advanced, sau click vo tab Auditing. Trong ca s Auditing entries lit k cc mc kim tra ci t. to mt mc mi, click vo nt Add, chn tn ngi dng hoc nhm cn kim tra trong ca s Select User or Group va xut hin, click OK. Ca s Aditing Entry for xut hin, chn cc thao tc mun kim tra, v d Delete Subfolders and Files theo di cc hnh vi xo tp tin v th mc con trong mc ny. Cn chn c hai loi s kin l Successful v Failed. Click OK v ng tt c cc ca s li. -Bt u t y, tt c cc thao tc xo cc tp tin v th mc con trong th mc chn c thc hin bi ngi dng hoc nhm ch nh trn u c theo di v ghi li trong nht k h thng. Mun xem cc thng tin ny th vo Control Panel, chn Administrative Tools, chn Event Viewer v chn mc Security.

17

Hnh 1.4: Ci t Auditing trn th mc NTFS Tm li, AAA l phng php tip cn c bn nht thc hin mt h thng bo mt theo m hnh CIA. Phng php ny gm 3 phn tch ri: -Thit lp cc c ch iu khin truy xut cho tng i tng (Access control) -Xc thc cc i tng trc khi cho php thao tc trn h thng (Authentication) -Theo di cc thao tc ca i tng trn h thng (Auditing)

I.6 CC HNH THC XM NHP H THNG

Thut ng xm nhp (intrusion) v tn cng (attack) c s dng vi ngha gn ging nhau trong ng cnh bo mt h thng. Xm nhp mang ngha ph qut hn, ch bt k mt s kin no c xm hi n s an ton ca h thng, mt cch ch ng hoc th ng. Tn cng thng c dng ch cc hnh vi xm nhp ch ng, c thc hin bi con ngi nhm vo mt h thng vi mc ch khai thc hoc ph hoi. Mc tiu ca xm nhp l tc ng vo 3 thuc tnh CIA ca h thng. Mt cch tng qut, s an ton ca mt h thng thng tin c th b xm phm bng nhng cch sau y: -Interruption: lm gin on hot ng ca h thng thng tin, v d nh ph hoi phn cng, ngt kt ni, ph hoi phn mm, Hnh thc xm nhp ny tc ng vo c tnh Kh dng ca thng tin. -Interception: truy xut tri php vo h thng thng tin. Tc nhn ca cc hnh vi xm nhp kiu Interception c th l mt ngi, mt phn mm hay mt my tnh lm vic bng cch quan st dng thng tin (monitor) nhng khng lm thay i thng tin gc. Hnh thc xm nhp ny tc ng vo c tnh B mt ca thng tin.

18

-Modification: truy xut tri php vo h thng thng tin, ng thi lm thay i ni dung thng tin, v d xm nhp vo my tnh v lm thay i ni dung mt tp tin, thay i mt chng trnh lm cho chng trnh lm vic sai, thay i ni dung mt thng bo ang gi i trn mng, v.v Hnh thc xm nhp ny tc ng vo tnh Ton vn ca thng tin. -Ngoi ra, mt hnh thc xm nhp th t l hnh thc xm nhp bng thng tin gi danh (Farbrication), v d, gi danh mt ngi no gi mail n mt ngi khc, gi mo a ch IP ca mt my no kt ni vi mt my khc, Hnh thc xm nhp ny lm thay i ngun gc thng tin, tc cng l tc ng vo c tnh Ton vn ca thng tin.

i tng xm nhp

Mng Ngi dng My ch

Hnh 1.5: Xm nhp kiu Interruption

i tng xm nhp

Mng Ngi dng Ngi dng

Hnh 1.6: Xm nhp kiu Interception

Trong thc t, vic xm nhp h thng c thc hin bi rt nhiu phng thc, cng c v k thut khc nhau, thm vo , vic pht hin ra cc phng thc xm nhp mi l vic xy ra rt thng xuyn, nn vn nhn dng v phn loi cc xm nhp mt cch c h thng l kh khn v khng chnh xc. C th phn loi xm nhp theo cc tiu ch sau y: 19

-Phn loi theo mc tiu xm nhp (xm nhp mng, xm nhp ng dng, xm nhp hn hp) -Phn loi theo tnh cht xm nhp (xm nhp ch ng, xm nhp th ng) -Phn loi theo k thut xm nhp (d mt khu, phn mm khai thc, ) Trong ti liu ny, vi mc tiu l gip ngi c nhn din c nhng phng thc xm nhp h thng c bn v ph bin c ghi nhn v phn tch, nn cc hnh thc xm nhp c trnh by theo hai nhm nh sau: 1-Cc phng thc tn cng (attacks) 2-Cc phng thc xm nhp h thng bng phn mm ph hoi (malicious codes)

i tng xm nhp

Mng Ngi dng Ngi dng

Hnh 1.7: Xm nhp kiu Modification

i tng xm nhp

Mng Ngi dng Ngi dng

Hnh 1.8: Xm nhp kiu Farbrication

I.6.1

Cc phng thc tn cng:

-Tn cng t chi dch v DoS (Denial of Service):

Dng tn cng ny khng xm nhp vo h thng ly cp hay thay i thng tin m ch nhm vo mc ch ngn chn hot ng bnh thng ca h thng, c bit i vi cc h thng phc v trn mng cng cng nh Web server, Mail server, 20

V d: k tn cng dng phn mm t ng lin tc gi d liu n mt my ch trn mng, gy qu ti cho my ch, lm cho my ch khng cn kh nng cung cp dch v mt cch bnh thng. Cc tn cng t chi dch v thng rt d nhn ra do tc ng c th ca n i vi h thng. Mc tiu tn cng ca t chi dch v c th l mt my ch hoc mt mng con (bao gm c thit b mng nh router v kt ni mng). C s ca tn cng t chi dch v l cc s h v bo mt trong cu hnh h thng (cu hnh firewall), s h trong giao thc kt ni mng (TCP/IP) v cc l hng bo mt ca phn mm, hoc n gin l s hn ch ca ti nguyn nh bng thng kt ni (connection bandwidth), nng lc ca my ch (CPU, RAM, a cng, ). Tn cng t chi dch v thng c thc hin thng qua mng Intrenet, nhng cng c th xut pht t trong ni b h thng di dng tc ng ca cc phn mm c nh worm hoc trojan. Hai k thut thng dng gy ra cc tn cng t chi dch v truyn thng tng ng vi hai mc tiu tn cng l Ping of Death v buffer-overflow. Ping of Death tn cng vo kt ni mng (bao gm c router) bng cch gi lin tc v vi s lng ln cc gi d liu ICMP (Internet Control Message Protocol) n mt mng con no , chim ton b bng thng kt ni v do gy ra tc nghn mng. Buffer-overflow (c m t phn software exploitation attacks) tn cng vo cc my ch bng cch np d liu vt qu gii hn ca b m (buffer) trn my ch, gy ra li h thng. Cc tn cng t chi dch v ni ting trong lch s bo mt my tnh nh Code Red, Slapper, Slammer, l cc tn cng s dng k thut buffer-overflow.

Tn cng t chi dch v thng khng gy tit l thng tin hay mt mt d liu m ch nhm vo tnh kh dng ca h thng. Tuy nhin, do tnh ph bin ca t chi dch v v c bit l hin nay cha c mt gii php hu hiu cho vic ngn chn cc tn cng loi ny nn t chi dch v c xem l mt nguy c rt ln i vi s an ton ca cc h thng thng tin. -Tn cng t chi dch v phn tn (Distributed DoS hay DDoS): L phng thc tn cng da trn nguyn tc ca t chi dch v nhng c mc nguy him cao hn do huy ng cng lc nhiu my tnh cng tn cng vo mt h thng duy nht. Tn cng t chi dch v phn tn c thc hin qua 2 giai on: 1-K tn cng huy ng nhiu my tnh trn mng tham gia t chi dch v phn tn bng cch ci t cc phn mm iu khin t xa trn cc my tnh ny. Cc my tnh c ci t phn mm iu khin ny c gi l cc zoombie. thc hin bc ny, k tn cng d tm trn mng nhng my c nhiu s h tn cng v ci t cc phn mm iu khin t xa ln m ngi qun l khng hay bit. Nhng phn mm ny c gi chung l backdoor. 2-K tn cng iu khin cc zoombie ng lot thc hin tn cng vo mc tiu. M hnh mt chui tn cng chi dch v phn tn in hnh c m t hnh 1.9. Cc thnh phn tham gia trong chi dch v phn tn bao gm: -Client: phn mm iu khin t xa c k tn cng s dng iu khin cc my khc tham gia tn cng. My tnh chy phn mm ny c gi l master. 21

-Deamon: phn mm chy trn cc zoombie, thc hin yu cu ca master v l ni trc tip thc hin tn cng chi dch v (DoS) n my nn nhn.
Master (client)

Zoombie (Deamon)

Mc tiu

Hnh 1.9: Tn cng t chi dch v phn tn (DDoS) -Tn cng gi danh (Spoofing attack): y l dng tn cng bng cch gi danh mt i tng khc (mt ngi s dng, mt my tnh vi mt a ch IP xc nh hoc mt phn mm no ) thc hin mt hnh vi. V d 1: mt ngi c th gi danh a ch e-mail ca mt ngi khc gi th n mt ngi th ba, y l trng hp i tng b gi danh l mt ngi s dng. V d 2: mt my tnh trn mng c th to ra cc gi d liu mang a ch IP ngun (source IP address) khng phi l a ch ca mnh gi cho my khc (gi l IP spoofing), y l trng hp i tng b gi danh l mt my tnh. V d 3: trng hp th ba l trng hp m i tng b gi danh l mt phn mm, v d chng trnh xc thc ngi s dng (user logon) trn h iu hnh Windows. Bng cch to ra mt chng trnh c giao din ging nh ca s logon ca Windows v cho thc hin khi Windows khi ng. Ngi s dng khng phn bit c y l ca s gi nn nhp tn ng nhp v mt khu cho chng trnh ny v hu qu l nhng thng tin ny b tit l. Tn cng gi danh nh cp trn l hnh thc in hnh nht ca spoofing attack, tn ti song song vi nhng khim khuyt v k thut ca b giao thc TCP/IP. Ngy nay, Tn cng gi danh pht trin thm mt hng mi da trn s ph bin ca mng Internet, l Phishing. Phishing hot ng bng cch gi danh cc a ch e-mail hoc a ch trang web nh la ngi s dng. -Tn cng xen gia (Man-in-the-middle attack): y l phng thc tn cng bng cch xen vo gia mt th tc ang din ra, thng xy ra trn mng IP, nhng cng c th xy ra trong ni b mt my tnh. Trn mng, k tn cng bng mt cch no xen vo mt kt ni, c bit giai on thit lp kt ni gia ngi dng vi my ch, v thng qua nhn c nhng thng tin quan 22

trng ca ngi dng. Tn cng xen gia c bit ph bin trn mng khng dy (wireless network) do c tnh d xm nhp ca mi trng khng dy. Do vy, vic p dng cc k thut m ho (nh WEP, WPA, ) l iu rt quan trng m bo an ton cho mng khng dy. Cn trn mt my tnh, tn cng dng ny c th c thc hin di dng mt chng trnh thu thp thng tin n (key-logger), chng trnh ny s m thm chn bt tt c nhng thng tin m ngi dng nhp vo t bn phm, trong c th s c nhiu thng tin quan trng.

I.1.1

Cli

K tn cng xen vo gia mt th tc bt tay ly thng tin.

I.1.2

Se

Hnh 1.10: Tn cng xen gia (Man-in-the-middle) -Tn cng pht li (Replay attack): Trong phng thc tn cng ny, cc gi d liu lu thng trn mng c chn bt v sau pht li (replay). Trong mi trng mng, thng tin xc thc gia ngi dng v my ch c truyn i trn mng. y l ngun thng tin thng b tn cng nht. Nu khi pht li, my ch chp nhn thng tin ny th my tn cng c kh nng truy xut vo my ch vi quyn ca ngi dng trc .
Thng tin xc thc gi cho server

Client

Thng tin xc thc b chn bt

Server Thng tin xc thc c pht li

K tn cng

Hnh 1.11: Tn cng pht li (Replay)

-Nghe ln (Sniffing attack): y l hnh thc ly cp d liu bng cch c ln trn mng. Hu ht cc card mng iu c kh nng chn bt (capture) tt c cc gi d liu lu thng trn mng, mc d gi d liu khng c gi n cho mnh. Nhng card mng c kh nng nh th c gi l ang ch promiscuous. C rt nhiu phn mm cho php thc hin chn bt d liu t mt my ang kt ni vo mng, v d Ethereal, Common view hoc Network monitor c sn trn Windows server (2000

23

hoc 2003 server). Bng vic c v phn tch cc gi d liu bt c, k tn cng c th tm thy nhiu thng tin quan trng tin hnh cc hnh thc tn cng khc. -Tn cng mt khu (Password attack): L hnh thc truy xut tri php vo h thng bng cch d mt khu. C hai k thut d mt khu ph bin: -D tun t (Brute force attack): D mt khu bng cch th ln lt cc t hp k t, thng thng vic ny c thc hin t ng bng phn mm. Mt khu cng di th s ln th cng ln v do kh b pht hin hn. Mt s h thng quy nh chiu di ti thiu ca mt khu. Ngoi ra ngn chn vic th mt khu nhiu ln, mt s h thng ngt kt ni nu lin tip nhn c mt khu sai sau mt s ln no . -D theo t in (Dictionary attack): th ln lt cc mt khu m ngi s dng thng dng. cho dn gin, ngi s dng thng c thi quen nguy him l dng nhng thng tin d nh lm mt khu, v d nh tn mnh, ngy sinh, s in thoi, Mt s h thng hn ch nguy c ny bng cch nh ra cc chnh sch v mt khu (password policy), quy nh kh ti thiu ca mt khu, v d mt khu phi khc vi nhng thng tin lin quan n c nhn ngi s dng, phi bao gm c ch hoa v ch thng, ch ci v cc mu t khc ch ci, Mt s k thut tn cng da trn giao thc TCP/IP: Giao thc TCP/IP l giao thc chun c s dng trong hu ht cc mng my tnh, v l giao thc bt buc trn mng Internet. Nhng khng may, TCP/IP cha trong n nhiu s h v bo mt dn n nhng tn cng da trn nguyn l ca TCP/IP nh sau: -Lm trn kt ni TCP (TCP SYN/ACK flooding attack): y l tn cng khai thc th tc bt tay ba chiu (three-way handshake) ca TCP. Mc ch ca tn cng l gy ra qu ti kt ni trn my ch v dn ti t chi dch v (DoS). Hnh 1.12 m t th tc bt tay ba chiu trong tnh hung bnh thng. Khi mt my (client) mun kt ni mt my khc (server) qua mt dch v no , n bt u bng cch gi bn tin SYN ti server trn cng (port) tng ng ca dch v . Ngay sau , server dnh ring mt kt ni cho client ny v tr li bng mt bn tin SYN/ACK cho client. hon thnh kt ni, client phi mt ln na tr li bng mt bn tin ACK gi n server. Trong trng hp khng
SYN message SYN/ACK message ACK message

Hnh 1.12: Th tc bt tay ba chiu ca TCP/IP nhn c bn tin ACK tr li t pha client th server phi ch cho n khi ht thi hiu (timeout) ri mi gii to kt ni ny. Vi s h ny, nu mt k tn cng c tnh to ra cc bn ACK lin tip gi n server nhng khng hi p (tc khng gi li bn tin ACK cho server), th n mt thi im no , tt c cc kt ni c th c ca server u dnh ht cho vic ch i ny v do khng c kh nng phc v cho cc kt ni khc. Hnh 1.13 trnh by phng thc tn cng dng SYN/ACK flooding. 24

ACK message ACK message ACK message ACK message K tn cng ACK message ACK message My ch

Hnh 1.13: Tn cng TCP SYN/ACK flooding

-Tn cng da vo s th t ca TCP (TCP sequence number attack): Trong qu trnh truyn d liu gia cc my s dng giao thc TCP, s th t (sequence number) l mt thng tin quan trng gip xc nh th t cc gi d liu v xc nhn cc gi c nhn thnh cng. S th t c nh theo tng byte d liu v c duy tr mt cch ng b gia bn gi v bn nhn. Nu mt my th ba, bng cch no , chn bt c cc gi d liu ang c trao i v on c s th t ca qu trnh truyn nhn d liu, n s c kh nng xen vo kt ni, lm ngt kt ni ca mt u v nhy vo thay th (hijacking). Hnh 1.14 m t phng thc hot ng ca tn cng ny.

Server K tn cng S th t

My b tn cng

Hnh 1.14: Tn cng da vo s th t TCP (TCP sequence number attack) -Chim kt ni TCP (TCP Hijacking): Ging nh phng thc tn cng trn (sequence number attack), nhng sau khi on c s th t, my tn cng s c gng chim ly mt u ca kt ni hin hu m u kia khng hay bit tip tc truyn nhn d liu, khi thng tin trao i gia hai my ban u b chuyn sang mt my th ba. Hnh 1.15 trnh by hot ng ca phng thc tn cng ny. -Tn cng dng giao thc ICMP (ICMP attack): ICMP (Internet Control Message Protocol) l mt giao thc iu khin dng trong mng IP. Giao thc ny thng c s dng thc hin cc th tc iu khin trn mng IP nh

25

kim tra cc kt ni (v d khi thc hin cc lnh Ping, Tracert, ). Hai phng thc tn cng ph bin da trn ICMP bao gm:

Ngt kt ni ca client n server

Chim kt ni hin ti ca client

Server

Client

My tn cng

Hnh 1.15: Chim kt ni TCP (TCP connection hijacking) -Smurf attack: (cn c gi la Ping of Death). Nguyn l hot ng ca ICMP l hi p li (reply) khi nhn c cc yu cu (echo request) t cc my khc, do chc nng ca ICMP l kim tra cc kt ni IP. Da vo nguyn l ny, mt k tn cng c th gi danh mt a ch IP no (IP spoofing) v gi mt yn cu (echo request) n tt c cc my trong mng ni b (bng cch s dng a ch qung b broadcast). Ngay lp tc, tt c cc my ny u ng lot tr li cho my c a ch IP b gi danh, dn n my ny b tc nghn khng cn kh nng hot ng bnh thng. Mc tiu ca tn cng smurf l lm t lit mt my no bng cc gi ICMP. Hnh 1.16 m t hot ng ca phng thc tn cng smurf.
Cc my trong nhm qung b

My tn cng Thc hin lnh Ping n a ch qung b ca mng t a ch gi danh

Tt c cc my trong nhm qung b ng lot gi tr li v my c a ch IP b gi danh, gy tc nghn My b tn cng

Hnh 1.16: Tn cng Ping of Death 26

-ICMP tunneling: Do gi d liu ICMP thng c chp nhn bi nhiu my trn mng, nn k tn cng c th li dng iu ny chuyn cc thng tin khng hp l thng qua cc gi d liu ICMP. ngn chn cc tn cng ny, cch tt nht l t chi tt c cc gi d liu ICMP. -Tn cng khai thc phn mm (Software exploitation): y l tn gi chung ca tt c cc hnh thc tn cng nhm vo mt chng trnh ng dng hoc mt dch v no lp ng dng. Bng cch khai thc cc s h v cc li k thut trn cc phn mm v dch v ny, k tn cng c th xm nhp h thng hoc lm gin on hot ng bnh thng ca h thng. Tn cng trn b m (buffer overflow attack): l phng thc tn cng vo cc li lp trnh ca s phn mm. Li ny c th do lp trnh vin, do bn cht ca ngn ng hoc do trnh bin dch. Ngn ng C l ngn ng c nhiu kh nng gy ra cc li trn b m nht, v khng may, y l ngn ng vn c dng rng ri nht trong cc h iu hnh, cc chng trnh h thng, c bit trong mi trng Unix v Linux.
a s cc trnh bin dch C khng kim tra gii hn vng nh cp pht cho cc bin, do , khi d liu lu vo vng nh vt qua gii hn cp pht, n s ghi chng qua nhng vng nh k cn v gy ra li. V d: khi lp trnh, mt khu m ngi dng nhp vo thng c x l di dng mt chui (string), v c khai bo vi chiu di xc nh, v d 32 k t. Tuy nhin, nu trong chng trnh khng thc hin vic kim tra chiu di mt khu trc khi x l v trnh bin dch cng thng t ng thc hin vic ny th khi ngi s dng nhp mt khu c chiu di ln hn 32 k t, ton b chui k t ny s trn vng nh cp pht v c th gy ra li trn b m.

Ngoi tn cng trn b m, cc phng thc tn cng khc nhm vo vic khai thc cc s h ca phn mm v dch v bao gm: khai thc c s d liu (database exploitation), khai thc ng dng (application exploitation) v d nh cc loi macro virus, khai thc cc phn mm gi th in t (e-mail exploitation), -Cc k thut nh la (Social enginerring): y l phng thc tn cng khng s dng k thut hay my tnh xm nhp h thng m bng cc k xo gian ln tm kim cc thng tin quan trng, ri thng qua m xm nhp h thng. V d, mt k tn cng gi danh l mt nhn vin h tr k thut gi in thoi n mt ngi trong h thng trao i cng vic, thng qua cuc trao i ny khai thc cc thng tin cn thit thc hin hnh vi xm nhp h thng. R rng, phng thc ny khng s dng cc k thut tn cng, nn c gi l social engineering. y cng l mt trong nhng loi tn cng ph bin, v i tng m n nhm n l vn con ngi trong h thng.

I.6.2

Cc phng thc xm nhp h thng bng phn mm ph hoi

K thut v hnh thc tn cng mi thng xuyn c pht hin v nng cp. trn ch gii thiu cc hnh thc tn cng ph bin c pht hin v phn tch. Ngoi cc hnh thc tn cng nh trn, cc h thng thng tin cn phi i mt vi mt nguy c xm nhp rt ln l cc phn mm virus, worm, spyware, gi chung l cc phn mm ph hoi hay phn mm c (malicious code). Sau y s tp trung trnh by cc hnh thc xm nhp ny. Cc phn mm c c chia thnh cc nhm sau y: Virus, worm, Trojan horse v logic bomb.

27

-Virus: L phn mm n, kch thc nh v c gn vo mt tp tin ch no , thng thng l cc tp tin thc thi c, nh virus mi c kh nng ph hoi v lan truyn sang cc my khc. Mt s loi virus li gn vi cc tp tin ti liu (v d nh word, excel, ) v c gi l cc virus macro. Virus lan truyn gia cc my tnh thng qua vic sao chp cc tp tin c nhim virus t a mm, a CD, a flash, hoc thng qua cc tp tin gi km theo e-mail. Phm vi ph hoi ca virus l rt ln. Thng thng nht, cc virus thng gy ra mt mt d liu, h hng phn mm v h hng c h iu hnh. Nu trn my cha ci t sn cc chng trnh qut virus th du hiu thng thng nht nhn bit c virus trn my tnh l: -Xut hin cc thng bo l trn mn hnh -My tnh lm vic chm i ng k, c bit khi khi ng chng trnh. -Mt t ngt mt hoc nhiu tp tin trn a. -Li phn mm khng r l do. -Kch thc mt s tp tin, c bit l cc tp tin thc thi, tng ln bt thng. -My tnh t khi ng li khi ang lm vic - Hnh 1.17 m t vic ly lan ca virus thng qua ng sao chp tp tin (bng a hoc qua cc tp tin dng chung trn mng). Hnh 1.18 m t qu trnh pht tn virus thng qua email. C th thy mc pht tn ca virus thng qua e-mail nghim trng hn nhiu, bi v i vi hnh thc ly lan qua ng sao chp tp tin th ch c cc my tnh ch ng sao chp tp tin mi b nhim virus; ngc li trong phng thc pht tn bng e-mail, nhng my khng ch ng sao chp tp tin cng c kh nng b ly nhim nu v m nhng tp tin nhim virus c gi km theo e-mail.

My b nhim virus

My cha b nhim virus

Hnh 1.17: Virus ly lan t my ny sang my khc qua phng tin lu tr (a) hoc qua th mc dng chung trn mng

28

Hnh 1.18: Virus pht tn qua e-mail -Worm: L loi phn mm c c c ch hot ng v tm ph hoi gn ging nh virus. im khc nhau c bn gia worm v virus l worm c kh nng t sao chp thng qua mng (trong khi virus phi nh vo thao tc sao chp ca ngi s dng) v t tn ti nh mt chng trnh c lp (trong khi virus phi gn vo mt tp tin khc). c trng c bn nht ca worm l tnh pht tn nhanh trn phm vi rng bng nhiu phng tin khc nhau, nh s dng trc tip giao thc TCP/IP, s dng cc dch v mng lp ng dng, pht tn qua e-mail v nhiu phng tin khc. Worm Nimda xut hin nm 2001 l mt worm in hnh vi tc pht tn cc nhanh v mc nguy him ln, c th gy t lit cc h thng mng ln s dng h iu hnh Windows trong nhiu gi. -Trojan horse: Mt dng phn mm c hot ng np di danh ngha mt phn mm hu ch khc, v s thc hin cc hnh vi ph hoi h thng khi chng trnh gi danh c kch hot bi ngi s dng. Trojan khng c kh nng t sao chp nh worm (m phi gi dng thnh mt phn mm c ch hoc c gn vo mt phn mm thc thi khc c ci t vo my), khng c kh nng t thc thi nh virus (m ch thc hin khi ngi s dng khi ng chng trnh). Mc ph hoi ca Trojan cng rt a dng, trong quan trong nht l thc thi nh mt phn mm gin ip (back-door) gip cho nhng k tn cng t xa c th d dng xm nhp h thng. Spyware l mt v d ca Trojan, y l cc phn mm c t ng ci vo my khi ngi s dng ti cc phn mm trn Internet v ci trn my ca mnh. Spyware c th t ng gi e-mail, t ng m cc trang web hoc thc hin cc hnh vi khc gy nh hng n hot ng bnh thng ca my tnh b nhim. 29

-Logic bomb: L cc phn mm nm n trn my tnh v ch thc hin khi c mt s kin no xy ra, v d khi ngi qun tr mng ng nhp vo h thng, khi mt ng dng no c chy hoc n mt ngy gi nh trc no . Thng thng, khi c thc hin, logic bomb gi mt thng bo v mt my trung tm nh trc no thng bo s kin xy ra. Nhn c thng bo ny, k tn cng t my tnh trung tm s thc hin tip cc th thut tn cng vo h thng, v d khi ng mt cuc tn cng t chi dch v (DoS hoc DDoS). Trn y l cc phng thc xm nhp vo h thng s dng cc phn mm ph hoi. Mc d s xm nhp vo mt h thng c th no ca cc phn mm ny c th khng do ch ch ca mt c nhn no, nhng thit hi do cc hnh thc xm nhp ny gy ra l rt ln, do tnh ph bin ca n. Bt k my no cng c th b nhim phn mm c, c bit khi kt ni n mng Internet. Cc nguyn tc chung trnh s xm nhp ca cc phn mm c vo my tnh ni ring v vo mt h thng thng tin ni chung bao gm: -Khng sao chp d liu t cc ngun khng tin cy (t a hay qua mng). -Khng ci t cc phn mm khng r ngun gc, c bit l cc phn mm download t Internet. -Thng xuyn cp nht cc bn sa li (Hotfixes hoc service pack) cho h thng (c h iu hnh v chng trnh ng dng). -Ci t cc chng trnh Antivirus, Antispyware v cp nht thng xuyn cho cc chng trnh ny. -Theo di cc thng tin v cc loi virus mi, phng thc hot ng v cch thc ngn chn trn cc trang web chuyn v bo mt (v d trang CERT ti a ch http://www.cert.org).

I.7 K THUT NGN CHN V PHT HIN XM NHP

Sau khi nhn din cc nguy c v ri ro i vi h thng, phn tch cc phng thc v k thut tn cng c kh nng nh hng n s an ton ca h thng, cc h thng thng tin thng trin khai cc bin php k thut cn thit ngn chn v pht hin xm nhp. Phn ny gii thiu v tng la (Firewall) v h thng pht hin xm nhp (IDS), l hai ng dng bo mt in hnh nht hin nay.

I.7.1

Tng la:

Tng la hay firewall l k thut ngn chn cc tn cng xm nhp t bn ngoi (mng Internet) vo h thng bn trong (mng LAN v server). Hnh 1.19 m t mt cu trc mng in hnh trong firewall c lp t trc router, vi vai tr bo v cho ton b h thng mng bn trong. Nguyn tc chung ca cc bc tng la l iu khin truy xut mng bng cch gim st tt c cc gi d liu c gi thng qua tng la, v tu vo cc ci t trong chnh sch bo mt m cho php hoc khng cho php chuyn tip cc gi ny n ch. Hnh 1.20 m t hot ng in hnh ca mt bac tng la, trong , lu lng HTTP (TCP port 80) c php i qua tng la, cn lu lng NetBIOS (TCP port 445) th b chn li.

30

Internet Firewall Router

Web server

Mail server Cc my tnh khc trong mng ni b

Hnh 1.19: Bc tng la t trc Router bo v ton b mng bn trong Chc nng ca tng la trn mng l qun l lu lng vo/ra trn kt ni Internet v ghi li cc s kin din ra trn kt ni ny phc v cho cc mc ch an ton mng. Tuy nhin, do bn cht ca tng la l gim st lu lng lun chuyn thng qua mt kt ni gia mng ni b v mng cng cng bn ngoi, cho nn tng la khng c kh nng gim st v ngn chn cc tn cng xut pht t bn trong mng ni b. C th tm tt chc nng ch yu ca tng la nh sau: -Separator: Tch ri gia mng ni b v mng cng cng, rng buc tt c cc kt ni t trong ra ngoi hoc t ngoi vo trong phi i qua tng la nh mt ng i duy nht. -Restricter: Ch cho php mt s lng gii hn cc loi lu lng c php xuyn qua tng la, nh ngi qun tr c th thc thi chnh sch bo mt bng cch thit lp cc quy tc lc gi tng ng gi l cc access rules. -Analyzer: Theo di (tracking) lu lng lun chuyn qua tng la, ghi li cc thng tin ny li (logging) theo yu cu ca ngi qun tr phc v cho cc phn tch nh gi mc an ton ca h thng. Ngoi cc chc nng c bn trn, mt s bc tng la cn c chc nng xc thc (authentication) i vi ngi s dng trc khi chp nhn kt ni.
HTTP (port 80)

Mng ni b
NetBios (port 445)

Internet

Firewall

Hnh 1.20: Hot ng c bn ca bc tng la *-Phn loi tng la theo c tnh k thut: Tng la c th l mt phn mm chy trn mt my tnh no vi t nht l hai giao tip mng (dual-home host), khi n c gi l firewall mm. Cc firewall mm thng dng hin nay gm: SunScreen, ISA server, Check point, Gauntlet, IPTables,

31

Ngc li, chc nng tng la cng c th c thc hin trong mt khi phn cng ring bit v c gi l firewall cng. Cc sn phm firewall cng in hnh hin nay bao gm: Cisco PIX, NetScreen firewalls, SonicWall appliances, WatchGuard Fireboxes, Nokia firewalls, *-Phn loi firewall theo phm vi bo v: Cn c vo phm vi m tng la bo v, c th chia tng la thnh 2 nhm ring bit: tng la dnh cho my tnh c nhn (personal firewalls) v tng la dnh cho mng (network firewalls). -Personal firewall thng thng l cc firewall mm, c ci t trn my c nhn bo v cho my c nhn. H iu hnh Windows (2000 v XP) c tch hp sn personal firewall. Ngoi ra, cc phn mm antivirus chuyn nghip cng c chc nng ca personal firewall nh Norton Antivirus, McAfee, -Network firewall c th l firewall mm hoc firewall cng, thng c lp t trc hoc sau b nh tuyn (router) nhm mc ch bo v cho ton h thng mng. *-Phn loi firewall theo c ch lm vic: Da trn c ch lm vic, firewall c chia thnh 3 loi nh sau: -Tng la lc gi (packet filtering firewall hay stateless firewall) Nguyn l ca cc bc tng la lc gi l c tt c cc thng tin trong tiu ca cc gi d liu IP lun chuyn qua bc tng la, v da trn cc thng tin ny quyt nh chp nhn (accept) hay loi b gi d liu (drop). Nh vy, khi thit lp cc quy tc lc gi ca tng la, ngi qun tr mng phi cn c trn cc thng tin sau y: -a ch IP, bao gm a ch IP ca my gi v a ch IP ca my nhn (source IP address v destination IP address). -S cng kt ni (port number), bao gm c cng ca my gi v cng ca my nhn (source port v destination port) -Giao thc kt ni (protocol), v d TCP, UDP hay ICMP. Packet filtering firewall ch phn tch tiu ca gi IP, khng phn tch ni dung gi v do khng c kh nng ngn chn truy xut theo ni dung d liu. Packet filtering firewall hu ch trong cc trng hp mun ngn chn mt hoc mt s cng xc nh no , t chi mt hoc mt s a ch IP xc nh hoc mt giao thc xc nh no (v d ICMP). Trong thc t, cc tn cng xm nhp thng c thc hin thng qua cc cng khc vi cc cng dch v ph bin. Bng 1.1 lit k danh sch mt s dch v thng dng trn Internet v s cng tng ng. -Tng la lp ng dng (Application Layer gateway): Hot ng ca tng la lp ng dng tng t nh tng la lc gi, tc l cng da trn vic phn tch cc gi d liu IP quyt nh c cho php i xuyn qua bc tng la hay khng. im khc ca tng la lp ng dng l n c kh nng phn tch c ni dung ca gi d liu IP (phn data payload), v do cho php thit lp cc quy tc lc gi phc tp hn. V d, c th chp nhn lu lng HTTP i qua bc tng la, tuy nhin vi nhng gi no c cha ni dung trng vi mu nh trc th chn li. Do c tnh ca tng la lp ng dng can thip trc tip vo tt c cc gi d liu i qua n, nn nhn di gc truy xut mng, bc tng la lp ng dng trc tip thc hin cc 32

giao dch vi mng bn ngai thay cho cc my tnh bn trong. Do vy, tng la lp ng dng cng cn c gi l cc phn mm Proxy. K thut ny c ch trong cc trng hp cn qun l ni dung truy cp ca ngi s dng hoc nhn dng du hiu ca mt s loi phn mm c (virus, worm, trojan, ), v d ngn chn ngi s dng ti cc tp tin hnh nh hoc phim vi kch thc ln. Do phi phn tch ton b cu trc gi d liu ly thng tin nn nhc im ca tng la lp ng dng l yu cu nng lc x l mnh, v l ni c th xy ra tc nghn tim nng ca mng. -Tng la kim sot trng thi (stateful inspection firewall): L loi tng la kt hp c hai nguyn l lm vic ca tng la lc gi v tng la lp ng dng. Tng la kim sat trng thi cho php thit lp cc quy tc lc gi phc tp hn so vi tng la lc gi, tuy nhin khng mt qu nhiu thi gian cho vic phn tch ni dung ca tt c cc gi d liu nh trng hp tng la lp ng dng. Tng la kim sat trng thi theo di trng thi ca tt c cc kt ni i qua n v cc gi d liu lin quan n tng kt ni. Theo , ch cc cc gi d liu thuc v cc kt ni hp l mi c chp nhn chuyn tip qua tng la, cc gi khc u b loi b ti y. Tng la kim sat trng thi phc tp hn do phi tch hp chc nng ca c 2 loi tng la trn. Tuy nhin, c ch thc hin ca tng la ny chng t c tnh hiu qu ca n v trong thc t, cc sn phm tng la mi u h tr k thut ny. Bng 1.1: Mt s dch v ph bin trn TCP Cng 20 21 22 23 25 80 110 143 443 FTP, knh d liu (Data port) Secure Shell (SSH) Telnet Simple Mail Transfer Protocol (SMTP) HyperText Transfer Protocol (HTTP) Post Office Protocol, version 3 (POP3) Internet Message Access Protocol Secure Sockets Layer (SSL) Dch v FTP, knh iu khin (Control port)

I.7.2

H thng pht hin xm nhp:

H thng pht hin xm nhp IDS (Intrusion Detection System) l h thng pht hin cc du hiu ca tn cng xm nhp. Khc vi bc tng la, IDS khng thc hin cc thao tc ngn chn truy xut m ch theo di cc hot ng trn mng tm ra cc du hiu ca tn cng v cnh bo cho ngi qun tr mng. IDS khng thc hin chc nng phn tch gia mng ni b v mng cng cng nh bc tng la nn khng gnh ton b lu lng qua n v do khng c nguy c lm tc nghn mng. 33

Intrusion (xm nhp) c nh ngha l bt k mt s kin hay hnh vi no tc ng vo 3 thnh phn c bn ca mt h thng an tan l tnh Bo mt, tnh Tan vn v tnh Kh dng. IDS pht hin du vt ca tn cng bng cch phn tch hai ngun thng tin ch yu sau y: 1-Thng tin v cc thao tc thc hin trn my ch c lu trong nht k h thng (system log) 2-Lu lng ang lu thng trn mng. Chc nng ban u ca IDS ch l pht hin cc du hin xm nhp, do IDS ch c th to ra cc cnh bo tn cng khi tn cng ang din ra hoc thm ch sau khi tn cng hon tt. Cng v sau, nhiu k thut mi c tch hp vo IDS, gip n c kh nng d an c tn cng (prediction) v thm ch phn ng li cc tn cng ang din ra (Active response). Hai thnh phn quan trng nht cu to nn h thng IDS l sensor (b cm nhn) c chc nng chn bt v phn tch lu lng trn mng v cc ngun thng tin khc pht hin du hiu xm nhp; signature database l c s d liu cha du hiu (signature) ca cc tn cng c pht hin v phn tch. C ch lm vic ca signature database ging nh virus database trong cc chung trnh antivirus, do vy, vic duy tr mt h thng IDS hiu qu phi bao gm vic cp nhn thng xuyn c s d liu ny. *-Phn loi IDS theo phm vi gim st: Da trn phm vi gim st, IDS c chia thnh 2 lai: -Networ- based IDS (NIDS): L nhng IDS gim st trn tan b mng. Ngun thng tin ch yu ca NIDS l cc gi d liu ang lu thng trn mng. NIDS thng c lp t ti ng vo ca mng, c th ng trc hoc sau bc tng la. Hnh 1.21 m t mt NIDS in hnh. -Host-based IDS (HIDS): L nhng IDS gim st hat ng ca tng my tnh ring bit. Do vy, ngun thng tin ch yu ca HIDS ngai lu lng d liu n v i t my ch cn c h thng d liu nht k h thng (system log) v kim tra h thng (system audit). Hnh 1.22 trnh by cu trc ca HIDS. IDS c thit k phi hp vi h iu hnh x l cc thng tin gim st h thng. Dch v nht k h thng (logging) ghi li cc s kin v trng thi ca h thng vo mt c s d liu (Event database). Ngoi ra, kt qu gim st trn mng ca IDS cng c ghi vo Event Database. pht hin xm nhp, IDS duy tr mt c s d liu (IDS database) cha cc m t v tng loi tn cng. *-Phn loi IDS theo k thut thc hin: Da trn k thut thc hin, IDS cng c chia thnh 2 loi: -Signature-based IDS: Signature-based IDS pht hin xm nhp da trn du hiu ca hnh vi xm nhp, thng qua phn tch lu lng mng v nht k h thng. K thut ny i hi phi duy tr mt c s d liu v cc du hiu xm nhp (signature database), v c s d liu ny phi c cp nht thng xuyn mi khi c mt hnh thc hoc k thut xm nhp mi. -Anomaly-based IDS: pht hin xm nhp bng cch so snh (mang tnh thng k) cc hnh vi hin ti vi hat ng bnh thng ca h thng pht hin cc bt thng (anomaly) c th l du hiu ca xm nhp. V d, trong iu kin bnh thng, lu lng trn mt giao tip 34

mng ca server l vo khang 25% bng thng cc i ca giao tip. Nu ti mt thi im no , lu lng ny t ngt tng ln n 50% hoc hn na, th c th gi nh rng server ang b tn cng DoS.

Router

Firewall

IDS

Signature database

Qun tr h thng

Hnh 1.21: Network-based IDS (NIDS)

Network Host H iu hnh

Logging

Hnh 1.22: Host-based IDS (HIDS) hat ng chnh xc, cc IDS lai ny phi thc hin mt qu trnh hc, tc l gim st hat ng ca h thng trong iu kin bnh thng ghi nhn cc thng s hat ng, y l c s pht hin cc bt thng v sau. Trong thc t, IDS l mt k thut mi so vi firewall, tuy nhin, cho n thi im ny, vi s pht trin kh mnh m ca k thut tn cng th IDS vn cha tht s chng t c tnh hiu qu ca n trong vic m bo an tan cho cc h thng mng. Mt trong nhng phn mm IDS ph bin hin nay l Snort. y l mt sn phm NIDS m ngun m vi h thng signature database (c gi l rule database) c cp nht thng xuyn bi nhiu thnh vin trong cng ng Internet.

35

Tm tt chng: -Mt h thng thng tin an tan l h thng m bo c 3 c trng c bn: -Tnh Bo mt (Confidentiality) -Tnh Tan vn (Integrity) -Tnh Kh dng (Availability) Ba c trng ny c gi tt l CIA. -Chin lc c bn nht m bo tnh bo mt ca mt h thng thng tin: -Access Control -Authentication -Auditing K thut ny gi tt l AAA. -Nguy c (threat) ca mt h thng thng tin l cc s kin, hnh vi c kh nng nh hng n 3 c trng CIA ca h thng. Ri ro i vi h thng thng tin l xc sut xy ra cc thit hi i vi h thng. -Chnh sch bo mt (security policy) nh ngha cc trng thi an tan ca h thng, cc hnh vi m ngi s dng c php hoc khng c php thc thi. C ch bo mt (security mechianism) l cc bin php k thut (technical) hoc th tc (procedure) nhm m bo chnh sch. Nguyn tc xy dng mt h thng thng tin an ton bao gm xy dng chnh sch bo mt nh ngha mt cch chnh xc v y cc trng thi an ton ca h thng, sau thit lp cc c ch m bo thc thi chnh sch. -C nhiu hnh thc xm nhp / tn cng khc nhau trn h thng. Cc tn cng ny da trn cc s h v an tan ca giao thc (TCP/IP), ca h iu hnh (Windows, Linux, ) hoc ca cc chng trnh ng dng chy trn cc h iu hnh . K thut tt cng lun lun c pht trin v han thin, do cng ngh an ton mng cng phi c pht trin tng xng. -Hai gii php k thut gip pht hin v ngn chn cc tn cng trn mt h thng thng tin l IDS v Firewall. IDS gim st h thng pht hin cc du hiu tn cng v to ra cnh bo. Firewall ngn chn hoc cho php cc truy xut thng qua Firewall theo cc quy lut nh trc (access rules).

CU HI V BI TP.
A- Cu hi trc nghim Cu 1. Th no l tnh bo mt ca h thng thng tin? a- L c tnh ca h thng trong thng tin c gi b mt khng cho ai truy xut. b- L c tnh ca h thng trong tt c thng tin c lu tr di dng mt m. c- L c tnh ca h thng trong ch c nhng ngi dng c cho php mi c th truy xut c thng tin d- Tt c u ng Cu 2. Chn cu ng khi ni v tnh bo mt ca h thng thng tin: a- Mt h thng m bo tnh b mt (confidential) l mt h thng an ton (secure). b- Tnh b mt ca thng tin bao gm tnh b mt v s tn ti ca thng tin v tnh 36

b mt ni dung thng tin. c- Tnh b mt ca thng tin bao gm tnh b mt v ni dung thng tin v tnh b mt v ngun gc thng tin. d- Tt c u sai. Cu 3. Th no l tnh ton vn ca h thng thng tin? a- L c tnh ca h thng trong thng tin khng b sa i hoc xo b bi ngi s dng. b- L c tnh ca h thng trong thng tin khng b thay i theo thi gian c- L c tnh ca h thng trong thng tin khng b truy xut bi nhng ngi khng c php. d- L c tnh ca h thng trong thng tin khng b thay i, h hng hay mt mt. Cu 4. Chn cu ng khi ni v tnh ton vn ca thng tin: a- Mt h thng an ton l mt h thng m bo tnh ton vn ca thng tin. b- Tnh ton vn ca thng tin bao gm ton vn v ni dung v ton vn v ngun gc thng tin. c- Tnh ton vn ca thng tin bao gm ton vn v ni dung v s tn ti ca thng tin. d- Cu a v b. Cu 5. Cc c ch m bo tnh ton vn ca thng tin: a- Gm cc c ch ngn chn v c ch pht hin cc vi phm v ton vn thng tin. b- Mt m ho ton b thng tin trong h thng. c- Lu ton b thng tin trong h thng di dng nn. d- Tt c cc c ch trn. Cu 6. Hnh vi no sau y nh hng n tnh ton vn ca h thng thng tin: a- Mt sinh vin sao chp bi tp ca mt sinh vin khc. b- Virus xa mt cc tp tin trn a cng. c- Mt in thng xuyn lm h thng my tnh lm vic gin an. d- Tt c cc hnh vi trn. Cu 7. Hnh vi no sau y nh hng n tnh kh dng ca h thng thng tin: a- Mt sinh vin sao chp bi tp ca mt sinh vin khc. b- Virus xa mt cc tp tin trn a cng. c- Mt in thng xuyn lm h thng my tnh lm vic gin an. d- Tt c cc hnh vi trn. Cu 8. Hnh vi no sau y nh hng n tnh b mt ca h thng thng tin: a- Mt sinh vin sao chp bi tp ca mt sinh vin khc. b- Virus xa mt cc tp tin trn a cng. c- Mt in thng xuyn lm h thng my tnh lm vic gin an. d- Tt c cc hnh vi trn. Cu 9. Cc c ch bo v tnh b mt ca thng tin: 37

a- Mt m ho ton b thng tin trong h thng. b- Xy dng cc c ch iu khin truy xut (access control) ph hp. c- Lp t cc phng tin bo v h thng thng tin mc vt l. d- Tt c cc c ch trn. Cu 10. Th no l tnh kh dng ca h thng thng tin? a- L tnh sn sng ca thng tin trong h thng cho mi nhu cu truy xut. b- L tnh sn sng ca thng tin trong h thng cho cc nhu cu truy xut hp l. c- L tnh d s dng ca thng tin trong h thng. d- Tt c u sai. Cu 11. Th no l nguy c i vi h thng thng tin? a- L cc s kin, hnh vi nh hng n s an ton ca h thng thng tin. b- L cc thit hi xy ra i vi h thng thng tin c- L cc hnh vi v ca ngi s dng lm nh hng n tnh kh dng ca h thng thng tin. d- Tt c u ng. Cu 12. Cc nguy c no sau y c th nh hng n tnh kh dng ca h thng thng tin: a- Thit b khng an ton. b- Cc tn cng t chi dch v (DoS v DDoS). c- Virus v cc loi phn mm ph hoi khc trn my tnh. d- Tt c cc nguy c trn. Cu 13. Chn cu sai khi ni v cc nguy c i vi s an ton ca h thng thng tin: a- Nhng k tn cng h thng (attacker) c th l con ngi bn trong h thng. b- Ngi s dng khng c hun luyn v an ton h thng cng l mt nguy c i vi h thng. c- Mt h thng khng kt ni vo mng Internet th khng c cc nguy c tn cng. d- Xm nhp h thng (intrusion) c th l hnh vi xut pht t bn ngoi hoc t bn trong h thng. Cu 14. Chn cu ng khi ni v cc nguy c v ri ro i vi h thng thng tin: a- Tt c cc ri ro u c t nht mt nguy c i km vi n. b- C th ngn chn ri ro bng cch ngn chn cc nguy c tng ng. c- Mc tiu ca an ton h thng l ngn chn tt c cc ri ro xy ra trn h thng. d- Tt c cc cu trn. Cu 15. Nguyn tc xy dng mt h thng bo mt: a- p dng cc c ch an ton ph hp vi h thng. b- Xy dng cc chnh sch an ton cht ch. c- Xy dng chnh sch bo mt v trin khai cc c ch m bo chnh sch . d- Tt c u ng. Cu 16. Mc tiu ca chnh sch bo mt h thng: 38

a- Xc nh cc trng thi an ton m h thng cn m bo. b- Ngn chn cc nguy c i vi h thng. c- Hn ch cc ri ro i vi h thng. d- Tt c cc cu trn. Cu 17. Mc tiu ca an tan h thng theo th t u tin gim dn: a- Ngn chn, pht hin, phc hi. b- Pht hin, ngn chn, phc hi. c- Pht hin v ngn chn. d- Pht hin v phc hi. Cu 18. Chn cu ng khi ni v cc m hnh iu khin truy xut (access control): a- MAC l c ch iu khin bt buc c p dng cho ton h thng b- C ch qun l theo nhm trn Windows 2000 l mt dng thc thi tng ng vi c ch RBAC. c- a s cc h iu hnh u c thc hin m hnh DAC. d- Tt c u ng. Cu 19. Cc c ch xc thc thng dng trong h thng thng tin: a- Dng cc c ch qun l truy xut tp tin trn a cng. b- Dng c ch phn quyn cho ngi s dng. c- Dng user-name/password. d- Tt c u sai. Cu 20. Cc giao thc xc thc thng dng trong h thng thng tin: a- Kerberos b- CHAP c- C hai u sai d- C hai u ng.. Cu 21. Chc nng ca c ch kim tra (auditing) trn h thng: a- Ghi li (Logger), phn tch (Analyzer) v thng bo (Notifier). b- Theo di v ghi nhn cc s kin v hnh vi din ra trn h thng. c- Cung cp thng tin phc hi h thng khi c s c. d- Cung cp thng tin lm chng c cho cc hnh vi vi phm chnh sch an ton h thng. Cu 22. Chn cu ng: a- Tn cng kiu Interception tc ng vo c tnh ton vn ca h thng thng tin. b- Modification l kiu tn cng vo c tnh b mt ca h thng thng tin. c- Tn cng bng hnh thc gi danh (farbrication) tc ng n c tnh ton vn ca thng tin. d- Vn ph nhn hnh vi (repudiation) l mt hnh thc tn cng h thng kiu Interruption. Cu 23. Phng thc tn cng no ngn chn cc user hp l truy xut cc ti nguyn h thng? 39

a- Sniffing b- Spoofing c- DoS d- Man-In-The-Middle. Cu 24. Chn cu ng: a- C th ngn chn cc tn cng trn b m (buffer overflow) bng cc phn mm antivirus. b- C th ngn chn cc tn cng trn b m bng cch ci t firewall. c- Tt c cc phn mm vit bng ngn ng C u c cha li trn b m. d- Li trn b m ch xy ra trn cc phn mm c nhp liu t ngi dng. Cu 25. Mt my tnh nghe ln thng tin trn mng v dng cc thng tin ny xm nhp tri php vo mt h thng thng tin, y l phng thc tn cng no? a- Spoofing b- Replay c- Man-In-The-Middle d- Sniffing Cu 26. Phng thc tn cng no sau y khng da trn bn cht ca giao thc TCP/IP: a- SYN/ACK flooding b- TCP sequence number attack c- ICMP attack d- Software exploitation Cu 27. Chn cu ng khi ni v cc phng thc tn cng bng phn mm c (malicious code): a- Virus c th t sao chp v lan truyn thng qua mng my tnh. b- Worm l loi phn mm c hot ng da vo mt phn mm khc. c- Trojan horse l mt loi phn mm c nhng c tn ging nh cc tp tin bnh thng. d- Logic bomb khng th ph hoi h thng nu ng h h thng lun chm hn thi gian hin hnh. Cu 28. Chn cu ng khi ni v firewall: a- Firewall ch c th ngn chn cc tn cng t bn ngoi h thng. b- Tt c cc gi d liu i qua firewall u b c ton b ni dung, nh firewall mi c c s phn bit cc tn cng vi cc loi lu lng khc. c- Nu m tt c cc cng (port) trn firewall th firewall s hon ton b v hiu ho. d- Tt c u ng. Cu 29. ng dng no sau y c chc nng thay i a ch IP ca tt c cc gi d liu i qua n: a- IDS b- Proxy 40

c- NAT d- Khng c ng dng no nh vy Cu 30. Nguyn l hot ng ca IDS: a- Phn tch cc gi d liu lu thng trn mng tm du hin ca tn cng. b- Phn tch cc d liu trong nht k h thng (system log) pht hin du hiu ca tn cng. c- Duy tr mt c s d liu v cc du hiu tn cng (signature database). d- Tt c cc iu trn. Cu 31. Chn cu ng khi ni v IDS: a- IDS l mt ng dng c chc nng pht hin v ngn chn cc tn cng vo h thng thng tin. b- IDS ch c th pht hin c cc tn cng t bn ngoi vo h thng. c- Network-based IDS khng c kh nng pht hin tn cng vo mt my ch c th. d- Signature-based IDS khng c kh nng pht hin cc tn cng hon ton mi, cha tng c m t trong c s d liu. B- Bi tp Cu 32. Lit k v sp xp cc phng thc tn cng theo hai loi: tn cng ch ng (active attacks) v tn cng th ng (passive attacks). Cu 33. Lit k v sp xp cc phng thc tn cng theo hai loi: tn cng vo giao thc TCP/IP v tn cng vo phn mm (chng trnh ng dng v h iu hnh). Cu 34. Ci t v cu hnh phn mm IDS Snort trn H iu hnh Linux. Cu 35. Ci t v cu hnh ISA server 2004 trn Windows. ----------

41

CHNG II MT M V XC THC THNG TIN

Gii thiu: Chng ny trnh by c ch mt m v cc vn lin quan nh hm bm, ch k s, chng thc v c s h tng kho cng khai PKI. Mt m l c ch c bn nht nhm m bo tnh B mt ca thng tin. Cc c ch xc thc nh hm bm v ch k s c chc nng bo v tnh Ton vn ca thng tin. Cc ni dung cp trong chng ny bao gm: -Tng quan v k thut mt m. -K thut mt m i xng -K thut mt m bt i xng -Cc hm bm bo mt -Ch k s -Vn qun l kho v c s h tng kho cng khai

II.1 TNG QUAN V MT M:

II.1.1 Gii thiu:
Mt m (Encryption) l mt k thut c s quan trng trong bo mt thng tin. Nguyn tc ca mt m l bin i thng tin gc thnh dng thng tin b mt m ch c nhng thc th tham gia x l thng tin mt cch hp l mi hiu c. Mt thc th hp l c th l mt ngi, mt my tnh hay mt phn mm no c php nhn thng tin. c th gii m c thng tin mt, thc th cn phi bit cch gii m (tc l bit c thut tan gii m) v cc thng tin cng thm (kha b mt). Qu trnh chuyn thng tin gc thnh thng tin mt theo mt thut ton no c gi l qu trnh m ho (encryption). Qu trnh bin i thng tin mt v dng thng tin gc ban u gi l qu trnh gii m (decryption). y l hai qu trnh khng th tch ri ca mt k thut mt m bi v mt m (giu thng tin) ch c ngha khi ta c th gii m (phc hi li) c thng tin . Do vy, khi ch dng thut ng mt m th n c ngha bao hm c m ha v gii m. K thut m ho c chia thnh hai loi: m ho dng kho i xng (symmetric key encryption) v m ho dng kho bt i xng (asymmetric key encryption) nh s trnh by trong cc phn tip theo.

II.1.2 Cc thnh phn ca mt h thng m ho:

Hnh 2.1 m t nguyn tc chung ca mt h thng mt m quy c. Cc thnh phn trong mt h thng mt m in hnh bao gm: -Plaintext: l thng tin gc cn truyn i gia cc h thng thng tin -Encryption algorithm: thut tan m ha, y l cch thc to ra thng tin mt t thng tin gc. -Key: kha mt m, gi tt l kha. y l thng tin cng thm m thut tan m ha s dng trn vi thng tin gc to thnh thng tin mt. -Ciphertext: thng tin m ha (thng tin mt). y l kt qu ca thut ton m ha. 42

-Decryption algorithm: Thut tan gii m. u vo ca thut tan ny l thng tin m ha (ciphertext) cng vi kha mt m. u ra ca thut tan l thng tin gc (plaintext) ban u.
Kho mt m (Key) Kho mt m (Key)

Thng tin c m ho (ciphertext)

Thng tin gc (Plaintext)

Thut ton m ho (Encryption algorithm)

Thut ton gii m (Decryption algorithm)

Thng tin gc (Plaintext)

Hnh 2.1: Cu trc mt h thng mt m quy c

II.1.3 Cc tiu ch c trng ca mt h thng m ho:

Mt h thng m ha bt k c c trng bi 3 tiu ch sau y: -Phng php m (operation): c hai phng php mt m bao gm thay th (substitution) v chuyn v (transposition). Trong phng php m thay th, cc n v thng tin (bit, k t, byte hoc khi) trong thng tin gc c thay th bng cc n v thng tin khc theo mt quan h no . Trong phng php m chuyn v, cc n v thng tin trong thng gc c i ch cho nhau to thnh thng tin m ha. Cc h thng m ho hin i thng kt hp c hai phng php thay th v chuyn v. -S kha s dng (number of keys): nu pha m ha (pha gi) v pha gii m (pha nhn) s dng chung mt kha, ta c h thng m dng kho i xng (symmetric key) - gi tt l m i xng hay cn c cc tn gi khc nh m mt kha (single-key), m kha b mt (secret key) hoc m quy c (conventional cryptosystem). Nu pha m ha v pha gii m dng 2 kha khc nhau, h thng ny c gi l m bt i xng (asymmetric key), m hai kha (two key) hc m kha cng khai (public key). -Cch x l thng tin gc (mode of cipher): thng tin gc c th c x l lin tc theo tng phn t , khi ta c h thng m dng (stream cipher). Ngc li, nu thng tin gc c x l theo tng khi, ta c h thng m khi (block cipher). Cc h thng m dng thng phc tp v khng c ph bin cng khai, do ch c dng trong mt s ng dng nht nh (v d trong thng tin di ng GSM). Cc thut tan mt m c gii thiu trong ti liu ny ch tp trung vo c ch m khi.

II.1.4 Tn cng mt h thng mt m:

Tn cng (attack) hay b kho (crack) mt h thng mt m l qu trnh thc hin vic gii m thng tin mt mt cch tri php. Thut ng cryptanalysis c dng ch hnh vi b kho v ngi thc hin b kho c gi l cryptanalyst. Thng thng, y l hnh vi ca mt k tn cng khi mun xm nhp vo mt h thng c bo v bng mt m. Theo nguyn tc mt m, ly c thng tin gc, th tc nhn 43

gii m phi c c 3 thnh phn: thng tin mt (ciphertext), kha (secret key) v thut tan gii m (decryption algorithm). K tn cng thng khng c y 3 thng tin ny, do , thng c gng gii m thng tin bng hai phng php sau: -Phng php phn tch m (cryptanalysis): da vo bn cht ca thut tan m ha, cng vi mt an thng tin gc hoc thng tin mt c c, k tn cng tm cch phn tch tm ra tan b thng tin gc hoc tm ra kha, ri sau thc hin vic gii m ton b thng tin mt. -Phng php th tun t (brute-force): bng cch th tt c cc kha c th, k tn cng c kh nng tm c kha ng v do gii m c thng tin mt. Thng thng, tm c kha ng th cn phi th mt s lng kha bng khang mt na s kha c th c ca h thng m. V d, nu kho c chiu di l 8 bit th s c tt c 28 = 256 kho khc nhau. chn c kho ng th k tn cng phi th trung bnh khong 256 / 2 = 128 ln. Vic th ny thng c tr gip bi cc my tnh v phn mm chuyn nghip. Hai thnh phn m bo s an ton ca mt h thng mt m l thut ton m (bao gm thut ton m ho v thut ton gii m) v kho. Trong thc t, thut tan m khng c xem nh mt thng tin b mt, bi v mc ch xy dng mt thut tan m l ph bin cho nhiu ngi dng v cho nhiu ng dng khc nhau, hn na vic che giu chi tit ca mt thut tan ch c th tn ti trong mt thi gian ngn, s c mt lc no , thut tan ny s c tit l ra, khi tan b h thng m ha tr nn v dng. Do vy, tt c cc tnh hung u gi thit rng k tn cng bit trc thut tan m. Nh vy, thnh phn quan trng cui cng ca mt h thng m l kha ca h thng, kha ny phi c gi b mt gia cc thc th tham gia nn c gi l kha b mt. Mt cch tng qut, chiu di kha cng ln th thi gian cn thit d ra kha bng cch th cng ln, do vy kh nng pht hin kha cng thp. Bng sau y lit k mt s kha vi di khc nhau v thi gian cn thit d ra kha. Bng 2.1: Quan h gia di kho v thi gian d kho. Chiu di kho (bit) 32 56 128 168 26 k t (hon v) S kho ti a 232 = 4,3 * 109 256 = 7,2 * 1016 2128 = 3,4 * 1038 2168 = 3,7 * 1050 26! = 4 * 1026 Thi gian d kho vi tc th 1 kho /ms 231 ms = 35,8 pht 255 ms = 1.142 nm 2127 ms = 5,4 * 1024 nm 2167 ms = 5,9 * 1036 nm 2 * 1026 ms = 6,4 x 1012 nm Thi gian d kho vi tc th 106 kho /ms 2,15 milli giy 10,01 gi 5,4 * 1018 nm 5,9 * 1030 nm 6.4 * 106 nm

II.2 K THUT MT M I XNG:

K thut mt m i xng c c trng bi vic s dng mt kha duy nht cho c qu trnh m ha v gii m thng tin. Bng mt cch an tan no , kha chung ny phi c trao

44

i thng nht gia bn gi v bn nhn (tc bn m ha v bn gii m), ng thi c gi b mt trong sut thi gian s dng. K thut mt m i xng cn c gi l mt m quy c (conventional encryption) hoc mt m dng kha b mt (secret key encryption). Cu trc chung ca mt h thng mt m ha quy c nh trnh by hnh 2.2, trong , knh thng tin dng trao i kha b mt phi l mt knh an tan. C th thc hin vic trao i kha b mt gia hai thc th A v B theo nhng cch sau y: 1-A chn ra mt kha b mt v chuyn trc tip cho B (chuyn bng phng tin vt l nh ghi ln a, ni trc tip, ghi ra giy, ) 2-Mt thc th th 3 chn ra kha b mt v thng bo kha ny cho c A v B (bng phng tin vt l nh trn) 3-Nu A v B trc dng mt kha no thng tin vi nhau, th mt trong hai thc th s tip tc dng kha c gi thng bo v kha mi cho thc th kia. 4-Nu A v B c cc kt ni an tan n mt thc th th 3 l C, th C c th gi thng bo v kha cho c hai thc th A v B thng qua kt ni an tan ny.
Kho b mt (dng chung) Thng tin gc Thng tin mt Thng tin gc

Thut ton m ha

Thut ton gii m

Hnh 2.2: Trao i kho trong mt m i xng M ha i xng da ch yu trn hai thao tc: thay th v chuyn v. Thao tc thay th s thay tng t m bi mt t m khc theo mt quy c no , v quy c ny chnh l kha ca h thng m. V d: thay th tng k t trong mt thng ip bng mt k t ng cch n 3 v tr trong bng ch ci la tinh, thng ip HELLO WORLD s c m ha thnh KHOOR ZRUOG. Thao tc chuyn v thc hin vic thay th v tr ca cc t m trong thng tin gc theo mt quy c no v quy c ny cng tr thnh kha ca h thng. V d: dch tng k t trong mt thng ip qua phi mt v tr c xoay vng, thng ip HELLO WORLD s c m ha thnh DHELLO WORL.

II.2.1 Cu trc m khi c bn Feistel:

Cu trc m khi c bn Feistel (Feistel Cipher Structure) c IBM a ra vo nm 1973, c xem nh l cu trc mt m c bn nht v c p dng trong nhiu thut ton mt m ph bin hin nay nh DES, Blowfish, IDEA, Cn ch rng Feistel cha phi l mt thut ton mt m, m ch l mt m hnh c xy dng ph hp cho vic thit k cc thit b mt m bng phn cng. Cc thut ton mt m phi thc hin hon chnh m hnh Feistel theo yu cu ca mnh, bao gm vic nh ngha cc hm F, S-Box v thut ton to kho ph (subkey generation algorithm). Cu trc Feistel c trnh by hnh 2.3. Nguyn l hot ng ca Feistel da trn vic hon v v thay th nhiu ln trn khi d liu gc, c th nh sau: 45

-Thng tin gc c ct thnh tng khi c kch thc 2w bit (tc l mt s bit chn). Mi khi bit c x l thnh 2 phn bng nhau: w bit bn tri (L) v w bit bn phi (R). -C hai phn bn tri v bn phi c a ln lt vo khi m ho gm n vng lin tip v ging nhau. Cc thao tc thc hin ti mi vng bao gm: hon v phn bn tri v phn bn phi, a phn bn phi vo mt hm x l F cng vi kho con Ki, ng ra s c XOR vi phn bn tri. Kt qu cui cng c hon v mt ln na trc khi xut ra.
Thng tin gc 2w bit

L0

w bit

w bit

R0 K1

L1

R1

Ki F

Li

Ri

Kn F

Ln

Rn

Ln+1

Rn+1

Thng tin mt 2w bit

Hnh 2.3: Cu trc m khi Feistel 46

Qu trnh gii m ca Feistel tng t nh qu trnh m ho, ch khc ch th t cc kho ph a vo ti mi vng b o ngc so vi qu trnh m ho, ngha l kho Kn s a vo vng th nht, kho K1 a vo vng cui cng. Cng v l do ny, tt cc cc thao tc trong cu trc Feistel, k c hm F, u khng cn phi c thao tc ngc. Qu trnh gii m c minh ho hnh 2.4, c th cho trng hp Feistel s dng 16 vng. Ta s chng minh c rng ng ra ca thut ton gii m chnh l thng tin gc ban u. T kt qu chng minh ny, ta c th p dng tng t cho thut ton Feistel bt k vi n vng.

Thng tin gc 2w bit LE0 K1 RE0

Thng tin mt 2w bit LD0=RE16 K16 RD0=LE16

LE1

K2

RE1

LD1=RE15

K15

RD1=LE15

LE15

K16

RE15

LD15=RE1

K1

RD15=LE1

LE16

RE16

LD16=RE0

RD16=LE0

LEout Thng tin mt 2w bit a-Qu trnh m ho

REout

LDout=LE0 Thng tin gc 2w bit b-Qu trnh gii m

RDout=RE0

Hnh 2.4: M ho v gii m dng cu trc Feistel phn bit gia qu trnh m ho v qu trnh gii m, ta k hiu cc khi thng tin ti tng vng nh sau: - LEi v REi: ng vo bn tri v bn phi ca thut tan m ha vng th i. 47

- LDi v RDi: ng vo bn tri v bn phi ca thut tan gii m vng th i. - F(REi, Ki): p dng hm F ln khi thng tin REi v kho Ki. Xt vng cui cng (vng 16) ca qu trnh m ho: LE16 = RE15 RE16 = LE15 F(RE15, K16) (1) Khi a ng ra ca qu trnh m ho vo ng vo ca qu trnh gii m, ch ln hon v sau cng ca qu trnh m ho, ta c: LD0 = LEout = RE16 RD0 = REout = LE16 Xt vng th nht ca qu trnh gii m, ta c: LD1 = RD0 RD1 = LD0 F(RD0, K16) Kt hp (1), (2) v (3) ta c: LD1 = RE15 RD1 = RE16 F(LE16, K16) = [LE15 F(RE15, K16)] F(RE15, K16) = LE15 Do vi php XOR, ta lun c: AA=0 (A B) C = A (B C). Mt cch tng qut, ti vng th i ca qu trnh m ho: LEi = REi-1 REi = LEi-1 F(REi-1, Ki) Hay c th vit: REi-1 = LEi LEi-1 = REi F(REi-1, Ki) = REi F(LEi, Ki) (4) Vi (4), ta hon ton c th kim chng c kt qu ca tng vng gii m nh hnh 2.4b. V d vng th 2: LD2 = RD1= LE15 = RE14 RD2 = LD1 F(RD1, K15) = RE15 F(LE15, K15) = LE14 vng th 16, ta c: LD16 = RD15 = LE1 = RE0 RD16 = LD15 F(RD15, K1) = RE1 F(LE1, K1) = LE0 Ln hon v sau cng cho ra: LDout = LE0 v RDout = RD0, y chnh l thng tin gc ban u. Cc thut ton mt m da trn cu trc Feistel phn bit vi nhau bi cc thng s sau y: 1-Kch thc khi d liu u vo (block size) 2-Chiu di kho (key size) 3-S vng lp (number of rounds) 48 (3) (2)

4-Thut ton sinh kho ph (subkey generation algorithm) 5-Hm F thc hin ti mi vng (round function) y l nhng thng s cha c xc nh trong cu trc Feistel. Ngoi ra, hai tiu ch khc cn quan tm khi thit k thut ton m da trn Feistel: t tc ti a khi ci t bng phn mm. D phn tch v thc hin.

II.2.2 Thut ton mt m DES:

DES (Data Encryption Standard) l mt thut tan m da trn cu trc Feistel c chun ha nm 1977 bi c quan chun ha Hoa k (NIST National Institute of Standards and Technology). C ch thc hin m ha DES c m t hnh 2.5.
Thng tin gc 64 bit Kho b mt 64 bit

IP 64 bit K1 48 bit Vng 1 64 bit K2 48 bit Vng 2 PC-2 56 bit PC-2 56 bit

PC-1 56 bit Dch tri 56 bit Dch tri

K16 48 bit Vng 16 64 bit 32 bit swap 64 bit IP-1 Ch thch: PC-2

56 bit Dch tri

IP (Initial Permutation): php hon v khi u IP-1 (Inverse Initial Permutation): php hon v ngc ca hon v khi u. PC-1 (Permuted Choice 1): php hon v 1 PC-2 (Permuted Choice 2): php hon v 2

Thng tin mt 64 bit

Hnh 2.5: Thut ton mt m DES 49

DES xc nh cc thng s ca cu trc Feistel nh sau: -Kch thc khi: 64 bit -Chiu di kho: 64 bit, thc ra l 56 bit nh s trnh by sau y -S vng lp: 16 vng -Thut ton sinh kho ph: kt hp php dch tri v hon v -Hm F: kt hp cc php XOR, hon v v thay th (S-box). Chi tit thc hin cc thng s ca DES c trnh by sau y: -Php hon v khi u (IP): c chc nng lm thay i v tr cc bit trong khi thng tin gc. y l phn thc hin khng c trong cu trc Feistel. phn cui ca qu trnh m ho, php hon v ngc s tr li cc bit v v tr ban u ca n. Php hon v IP v IP-1 thc hin da trn hai ma trn nh sau, vi cc gi tr trong ma trn cho bit s th t ca bit trong khi thng tin (t 1 n 64):

Hnh 2.6: Ma trn hon v khi u (IP)

Hnh 2.7: Ma trn ngc ca ma trn hon v khi u ( IP-1) 64 bit trong khi thng tin (M1, M2, , M64) c nh x vo cc v tr tng ng trong ma trn IP v IP-1, sau c c ra tun t theo tng dng t trn xung. 50

V d: i vi php hon v IP, bit M1 c ghi vo v tr ct 8 dng 5, bit M2 c ghi vo ct 8 dng 1 v tip tc nh th n bit M64 c ghi vo ct 1 dng 4. Sau , khi thng tin ny c c ra ln lt tng dng, khi 8 bit u tin tng ng vi dng u tin s l cc bit c th t l: 58, 50, 42, 34, 26, 18, 10, 2. Hay ni cch khc, chui bit: M1 M2 M3 M4 M5 M6 M7 M8

c hon v thnh chui bit: M58 M50 M42 M34 M26 M18 M10 M2 -Hm F: c chc nng trn gia kho ph Ki vi khi thng tin ti tng vng. Hm F trong DES gm c thao tc: hon v m rng (E table) chuyn t 32 bit thnh 48 bit, hm XOR cng 48 bit va to ra vi 48 bit ca kho ph Ki, khi thay th S-Box chuyn 48 bit thnh 32 bit, cui cng l khi hon v P. Hot ng ca hm F ti tng vng c m t hnh 2.8.
32 bit Li-1 32 bit Ri-1

E table 48 bit 48 bit Hm F 48 bit S-Box 32 bit Permutation (P) 32 bit Ki

Li 32 bit

Ri 32 bit

Hnh 2.8: Cu trc tng vng ca DES

51

E table (Expansion/Permutation) thc hin chc nng hon v cc bit trong khi thng tin, ng thi chuyn t 32 bit thnh 48 bit bng cch s dng ma trn E table (hnh 2.9). 32 bit thng tin theo th t c c vo 48 v tr (tng ng vi 6 ct v 8 dng) ca E table. Nh vy, s c mt s bit c lp li trong ma trn. S-Box (Substitution Box) thc hin thao tc thay th chui bit thnh mt chui bit khc, ng thi thc hin thao tc ngc li vi E table l chuyn khi thng tin t 48 bit thnh 32 bit. S-Box cng c thc hin thng qua cc ma trn S-Box (hnh 2.10). Nguyn tc hot ng ca S-box nh sau: 48 bit ng ra ca php XOR c chia thnh 8 phn, mi phn 6 bit. Tng phn 6 bit c x l ring bit bng mt ma trn S-Box khc nhau (c 8 SBox khc nhau). Ti mi S-Box, bit u v bit cui ca phn 6 bit thng tin c dng chn 1 trong 4 hng ca ma trn, 4 bit cn li c dng chn 1 trong 16 gi tr ca hng tng ng, gi tr c chn s chuyn thnh 4 bit nh phn.

V d, xt ma trn S1, vi chui bit l 101100: - bit u v bit cui l 10, c gi tr thp phn l 2, do hng c chn l hng s 2. - 4 bit cn li l 0110 nh phn, gi tr thp phn tng ng l 6, do gi tr ti ct 6 c chn. - Gi tr ti hng 2 ct 6 trong ma trn S1 l 2, gi tr xut ra l 0010.

Hnh 2.9: Ma trn E table

Php hon v P (Permuatation) c chc nng chuyn i v tr cc bit trong khi thng tin 32 bit xut ra t S-Box. Thao tc hon v P cng c thc hin da trn ma trn P gm 8 ct v 4 dng (hnh 2.11).

52

S1

S2

S3

S4

S5

S6

S7

S8

Hnh 2.10: Ma trn S-Box 53

Hnh 2.11: Ma trn hon v P

Ci-1

Di-1

Dch tri

Dch tri

PC-2 Ki

Ci

Di

Hnh 2.12: Thut ton sinh kho ph ca DES

Hnh 2.13: Ma trn hon v PC-1 -Thut ton sinh kho ph: Kho a vo cho thut ton DES l 64 bit, tuy nhin trong qu trnh thc hin, ch c 56 bit c s dng. Tt c cc bit cui cng ca byte (t bit 8, 16, 24, 32, 40, 48, 56 v 64) b loi b ngay t vng x l u tin. Hnh 1.12 m t thut ton sinh kho ph ca DES. 64 bit kho ban u c chn ly 56 bit theo quy tc ni trn, sau c a vo khi hon v PC-1. Mc ch ca khi hon v 54

PC-1 l thay i v tr cc bit ca 56 bit kho va to ra. Ch rng PC-1 ch c thc hin 1 ln duy nht trc khi bt u vng u tin. Trong tt c cc vng m ho, php hon v thc hin trn cc kho ph l php hon v PC-2. PC-1 v PC-2 c thc hin thng qua cc ma trn PC-1 v PC-2 hnh 2.13 v 2.14. Ng ra ca khi hon v PC-1 c chia thnh 2 phn, mi phn 28 bit (C v D). Ti mi vng m ho, hai phn ny c dch tri 1 hoc 2 bit trc khi i qua khi hon v PC-2 thnh 48 bit kho ph a vo hm XOR cng vi khi thng tin ca vng tng ng. S bit dch tri tng ng vi mi vng nh sau: Vng S bit dch 1 1 2 1 3 2 4 2 5 2 6 2 7 2 8 2 9 1 0 2 11 12 13 14 15 16 2 2 2 2 2 1

Hnh 2.14: Ma trn hon v PC-2 Nhn xt: -Thut tan mt m DES l mt thut tan da trn cu trc Feistel nhng c cch thc hin phc tp, c thit k da trn cc thao tc x l bit (bitwise operartions) nh php XOR, php dch, hon v, do thch hp vi cc thit b m ho bng phn cng. Thut ton DES khng d phn tch, v trong mt thi gian di c gi b mt. -Hai thng tin lin quan n mc an tan ca thut ton m DES l tnh phc tp ca gii thut v chiu di kha. n thi im hin nay, tc 30 nm k t khi DES c chp nhn nh mt thut ton mt m tiu chun, cha c mt pht hin no v im yu trong bn thn thut ton. Tuy nhin, vi chiu di kho l 56 bit, vic d kho bng phng php th ln lt l c th thc hin c vi cc my tnh a dng hin nay vi thi gian tm kim khong 10 gi. Do vy, nguy c tn cng mt m i vi cc h thng s dng DES l kh cao trong thi im hin nay. iu yu cu phi xy dng mt tiu chun mt m khc hoc ci tin DES tng mc an ton. Phn tip theo s trnh by c hai gii php ny.

II.2.3 Thut tan mt m Triple DES:

Tripple DES hay DES bi ba (vit tt l 3DES hoc TDES) l mt phin bn ci tin ca DES. Nguyn tc ca Triple DES l tng chiu di kho ca DES tng an ton, nhng vn gi tnh tng thch vi thut ton DES c. Gi P l thng tin gc, K l kha v C l thng tin mt m ha; E l thut tan m ha v D l thut tan gii m, qu trnh m ha v gii m dng thut tan DES n gin c biu din nh sau: 55

C = E(P, K) P = D(C, K)
K1 K2

a- M ho

K2

K1

b- Gii m

Hnh 2.15: DES bi hai (double DES) tng an tan ca gii thut mt m DES, tng c bn l thc hin DES nhiu ln i vi cng mt khi thng tin gc. Nu thc hin DES hai ln, ta c DES bi hai (double DES) (hnh 2.15) vi cng thc biu din nh sau: C = E (E(P, K1), K2) P = D (D (C, K2), K1) Tuy nhin, vi 112 bit kho, DES bi hai vn cha chng t c tnh an tan cao ca n, cc h thng dng DES bi hai vn c th b tn cng bng phng thc xen gia (Man-In-TheMiddle). Bng cch thc hin DES ba ln trn cng mt khi thng tin, trong c hai ln m ho v mt ln gii m (hnh 2.16), ta c Triple DES hay DES bi ba: C = E (D (E (P, K1), K2), K1) P = D (E ( D (C, K1), K2, K1)
K1 K2 K1

D a- M ho

K1

K2

K1

D b- Gii m

Hnh 2.16: DES bi ba (triple DES) dng 2 kho 56

Khi , chiu di kha ca thut tan ny vn l l K1 + K2 = 112 bit. Vic xen vo mt ln gii m gia trong thut ton Triple DES khng nhm mc ch tng thm an ton cho thut ton m ch gip to ra s tng thch gia Triple DES v thut ton DES c. Khi , thit b gii m Triple DES c th gii m c thng tin mt c m ho bng DES: C = E (D (E (P, K1), K2), K1) = E (P, K1). Triple DES vi hai kho l mt thut ton mt m an ton, trnh c cc tn cng xen gia v c s dng thay th DES trong nhiu ng dng (ANS X9.17, ISO 8732, ). Mt phin bn khc ca Triple DES l s dng c 3 kho khc nhau K1, K2, K3 vi cng cu trc nh trn. Khi chiu di kho ca thut ton l K1 + K2 + K3 = 168 bit. Khi cn thit phi m bo tnh tng thch vi cc ng dng DES c th t K1 = K2 hoc K3 = K2. Triple DES 3 kho cng c ng dng trong nhiu dch v, c bit l PGP, S/MIME .

II.2.4 Thut tan mt m AES:

Triple DES khc phc c cc im yu ca DES v hot ng n nh trong nhiu ng dng trn mng Internet. Tuy nhin, Triple DES vn cn cha nhng nhc im ca DES nh tnh kh phn tch, ch thch hp vi thc thi bng phn cng ch khng thch hp cho thc thi bng phn mm, kch thc khi c nh 64 bit, Do , cn thit phi xy dng mt chun mt m mi, da trn mt c s ton hc vng chc, c tnh linh ng c th iu chnh cho ph hp vi ng dng v c bit l phi thch hp vi vic thc thi c bng phn mm v phn cng. l nhng yu cu c bn i vi chun mt m cao cp AES (Advanced Encryption Standard). Thut ton mt m Rijndael c chn chun ho thnh AES nm 2002. Hin nay, AES vn cn trong giai on th nghim, cc ng dng da trn AES cha nhiu, nhng trong thi gian ngn sp ti, cc ng dng mt m dng kho i xng s chuyn dn sang AES. Cc thng s chnh ca AES c tm tt nh sau: Chiu di kho (bit) Kch thc khi (bit) S vng m (vng) Chiu di kho ph (bit) Chiu di kho m rng (byte) 128 128 10 128 176 192 128 12 128 208 256 128 14 128 240

Chiu di kho ca AES c th l 128, 192 hoc 256 bit. ng vi mi trng hp, cc thng s cn li c cho tng ng bng trn, trong , kch thc khi thng tin lun c nh l 128 bit. Mt lu quan trng l AES khng da trn cu trc Feistel. Tt c cc thao tc trong thut ton u c th c m t bng cng c ton hc, do AES c th thc hin bng phn cng hoc phn mm vi tc ti a. AES s dng hai thut ton khc nhau cho m ho v gii m, do vy tt c cc thao tc trong thut ton bt buc phi c thao tc ngc (ngoi tr php XOR). Hnh 2.17 m t thut ton AES trong trng hp n gin nht (128 bit kho). 57

Thng tin gc

Kho

Thng tin gc

Add round key

W[0,3]

Add round key

Substitute bytes

Expand key

Inverse sub bytes

Shift rows Vng 1

Inverse shift rows

Mix column

Inverse mix column

Add round key

W[4,7]

Add round key Vng 9 Inverse sub bytes

Substitute bytes

Inverse shift rows

Shift rows Vng 9

Mix column

Inverse mix column

Add round key

W[36,39]

Add round key Vng 1

Substitute bytes Vng 10

Inverse sub bytes

Shift rows

Inverse shift rows

Add round key

W[40,43]

Add round key

Thng tin mt a- M ho

Thng tin mt b- Gii m

Hnh 2.17: Thut ton m AES

Vng 10

58

Khi thng tin gc (128 bit) c x l nh mt mng 2 chiu kch thc 4 x 4 gi l mng trng thi (State array), mi phn t ca mng tng ng vi 8 bit ca khi thng tin. Mi vng m ho s lm thay i gi tr ca mng trng thi, v ng ra ca thut ton mt m chnh l gi tr cui cng ca mng trng thi (hnh 2.18).

VI.1.1 Thng

VI.1.2 Cc trng thi

VI.1.3 Thng

Hnh 2.18: Qu trnh bin i mng trng thi trong thut ton AES

Thut tan m AES thc hin da trn 4 thao tc sau y: -Thay th byte (Byte Substitution) -Dch dng (ShiftRows) -Trn ct (MixColumns) -Cng kha (AddRoundKey) Thut ton mt m AES dng kho 128 bit (c m ho v gii m) bt u bng mt thao tc cng kho, sau l 9 vng lin tip, mi vng gm 4 bc nh trn, v mt vng cui cng gm 3 bc (khng c thao tc trn ct). -Thao tc thay th byte: thao tc ny c chc nng thay th tng byte trong mng trng thi thnh mt byte khc s dng mt ma trn kch thc 16 x 16 (c gi l S-Box). Nguyn tc thay th dng ma trn S-Box nh sau: ng vi mi byte trong mng trng thi hin hnh, 4 bit bn tri c dng chn mt trong 16 dng, 4 bit bn phi c dng chn mt trong 16 ct. Gi tr ca tng ng vi dng v ct c chn s l gi tr thay th cho byte hin hnh. qu trnh gii m, thao tc ny cng c thc hin tng t nhng s dng mt ma trn khc, gi l ma trn S-Box ngc (hnh 2.19). V d: mng trng thi hin hnh c gi tr (Hex) nh sau: EA 83 5C F0 87 EC 4A 8C 04 45 33 2D F2 6E C3 D8 65 5D 98 AD 4D 4C 46 95 85 96 B0 C5 97 90 E7 A6 59

Sau khi qua thao tc thay th byte s dng ma trn S-Box hnh 2.19 s tr thnh:

a- Ma trn S-Box

b-Ma trn S-Box ngc

Hnh 2.19: Ma trn thay th byte (S-Box)

-Thao tc dch dng: Thao tc ny c mc ch hon v cc byte trong mng trng thi. Nguyn tc dch nh sau: dng u tin ca mng c gi nguyn, dng th hai c dch tri 1 byte, dng th ba c dch tri 2 byte v dng th t c dch tri 3 byte (hnh 2.20).

60

Thao tc ngc c thc tng t nhng vi php dch phi c dng thay cho php dch tri, ngha l dng u tin cng c gi nguyn, dng th hai c dch phi 1 byte, dng th ba c dch phi 2 byte v dngth t c dch phi 3 byte. -Thao tc trn ct: Thao tc ny c thc hin trn tng ct, c tc dng thay th tng

Hnh 2.20: Thao tc dch dng byte trong ct bng mt gi tr c to ra t gi tr ca tt c cc byte trong cng ct . Thao tc ny c biu din bng php nhn ma trn nh sau:

Vi php nhn ny, ta c: s0,j = 2s0,j 3s1,j s2,j s3,j s1,j = s0,j 2s1,j 3s2,j s3,j s2,j = s0,j s1,j 2s2,j 3s3,j s3,j = 3s0,j s1,j s2,j 2s3,j Php nhn ma trn c thc hin trong trng GF(28) (*). Thao tc ngc ca thao tc trn ct c thc hin tng t nhng vi php nhn ma trn sau:

Khi , gi tr ca mng trng thi c xc nh nh sau: s0,j = 14s0,j 11s1,j 13 s2,j 9 s3,j s1,j = 9s0,j 14s1,j 11s2,j 13s3,j s2,j = 13s0,j 9s1,j 14s2,j 11s3,j s3,j = 11s0,j 13s1,j 9s2,j 14s3,j V d: mng trng thi hin hnh c gi tr (Hex) nh sau:
(*)

Xem thm ti liu v cc php ton trong trng Galois, c bit l dng GF(2n)

61

87 6E 46 A6

F2 4C E7 8C

4D 90 4A D8

97 EC C3 95

Sau khi qua thao tc trn ct bng php nhn ma trn trn s tr thnh: 47 37 94 ED 40 D4 E4 A5 A3 70 3A A6 4C 9F 42 BC

-Thao tc cng kho: l thao tc n gin nht ca thut ton, c tc dng trn gi tr ca mng trng thi hin hnh vi kho ph ca vng tng ng. Thao tc trn c thc hin bng php XOR gia 128 bit ca mng trng thi hin hnh vi 128 bit ca kho ph. Thao tc cng kho khng c thao tc ngc, hay ni ng hn l thao tc ngc cng chnh l php XOR. -Thut ton sinh kho ph: 128 bit kho ban u c m rng (expand key) thnh 176 byte, c t chc thnh 44 t (word), mi t 4 byte, va to thnh 10 kho ph cho 10 vng m ho ca thut ton (mi kho ph gm 4 t) cng vi 1 kho ph cho thao tc cng kho ban u. Nh vy, thut ton sinh kho ph ca AES thc cht l thut ton m rng bn t kho (128 bit) ban u thnh 44 t kho. Thao tc m rng kho c thc hin nh sau: -Bn t kho gc c a trc tip vo php cng kho ban u, tc w[0,3] = key. -Cc t kho m rng tip theo (c th t khng l bi s ca 4) c to ra bng cch XOR gia t kho lin trc n vi t kho cch n 4 v tr, tc w[i] = w[i-1] w[i-4]. -i vi cc t kho m rng c th t l bi s ca 4 th cch to ra gm cc bc: Thc hin dch t kho lin trc n sang tri 1 byte, temp = leftshift(w[i1], 8 bit) Thay th cc byte trong t kho va to ra bng cc gi tr khc s dng ma trn S-Box hnh 2.19, temp = S-Box(temp) Gi tr to ra c XOR vi mt hng s xc nh cho tng vng m ho gi l Round Constant hay RC[j]. Gi tr RC[j] c nh ngha ring bit cho tng vng nh sau: Vng RC[j] 1 01 2 02 3 04 4 08 5 10 6 20 7 40 8 80 9 1B 10 36

Gi tr sau khi XOR vi RC[j] c XOR mt ln na vi t kho cch t kho hin hnh 4 v tr to thnh t kho mi. Hnh 2.21 trnh by thut ton m rng kho ca AES, trong hm g biu din mt php ton phc tp gm 4 thao tc va trnh by, p dng cho cc t kho c v tr l bi s ca 4. 62

Hnh 2.21: Thut ton m rng kho ca AES

II.2.5 Cc thut ton mt m i xng khc:

Ngai 2 thut ton mt m ha tiu chun trn (Triple DES c xem nh l mt phin bn nng cp ca DES ch khng phi mt thut ton c lp), c nhiu thut ton khc cng chng minh c tnh hiu qu ca n v c s dng trong mt s ng dng khc nhau: -IDEA (International Data Encryption Algorithm) l mt thut ton mt m i xng c pht trin Thy in nm 1991. IDEA da trn cu trc Feistel, s dng kha 128 bit v c nhiu im khc bit so vi DES. IDEA khng s dng S-box m da vo 3 php tan l XOR, php cng nh phn v php nhn nh phn trn cc thanh ghi 16 bit. IDEA s dng thut ton m ha gm 8 vng, kha ph ti mi vng c sinh ra t cc php dch phc tp. IDEA c s dng trong cc ng dng bo mt th in t (PGP). -Blowfish c pht trin nm 1993, bi mt ngi nghin cu mt m ha c lp (Bruce Schneier) v cng nhanh chng c s dng song song vi gii thut m ha DES. Blowfish c thit k n gin v tc thc thi nhanh. Gii thut ny s dng kha c chiu di thay i (c th ln n 448 bit) nhng thng s dng nht l kha 128 bit. Blowfish cng dng cu trc m khi Feistel, thc hin 16 vng m, s dng cc php tan S-box, XOR v php cng nh phn. -RC4 v RC5 l gii thut m ha i xng c thit k bi Ron Rivest (mt trong nhng ngi pht minh ra gii thut m ha bt i xng RSA) vo nm 1988 v 1994. RC4 l mt thut ton m dng (Stream cipher), c cu trc n gin, c ng dng trong bo mt Web (SSL/TSL) v trong mng khng dy (WEP). RC5 l thut ton m khi, c thit k vi cc c tnh nh: ph hp vi vic thc thi bng c phn cng v phn mm, tc cao, n gin, dng kha c chiu di thay i v s vng m ha cng c th thay i. 63

-CAST-128 l mt thut ton khc c thit k nm 1997 bi Carlisle Adams v Stafford Tavares. CAST-128 dng kha c di thay i, cng s dng S-box nhng vi kch thc ln hn so vi DES, v iu c bit l cc vng m ha khng han tan ging nhau. Bng 2.1 tm tt cc thut ton mt m khi dng kho i xng hin c trong thc t v cc ng dng ca chng. Bng 2.1: Cc thut ton mt m i xng Thut ton DES 3DES Chiu di kha 56 bit 112 hoc 168 bit S vng m ha 16 48 Php tan s dng XOR, S-box XOR, S-box ng dng SET, Kerberos PGP, S/MIME, cc ng dng qun l kha SSL

AES IDEA Blowfish RC5 CAST-128

128, 192 hoc 256 bit 128 bit Thay i, ti a 448 bit Thay i, ti a 2048 bit 40 n 128 bit

10, 12 hoc 14 8 16 Thay i, ti a 255 vng 16

XOR, dch, S-box

XOR, cng nh phn, PGP nhn nh phn XOR, S-box, cng nh Cc cng c phn mt m. Cng nh phn, tr nh Cc cng c phn, XOR, php quay mt m. Cng, tr nh phn, PGP XOR, quay, S-box

II.3 K THUT MT M BT I XNG

II.3.1 Cu trc h thng mt m bt i xng:
c trng ca k thut mt m bt i xng l dng 2 kha ring bit cho hai qu trnh m ha v gii m, trong c mt kha c ph bin cng khai (public key hay PU) v kha cn li c gi b mt (private key hay PR). C hai kho u c th c dng m ho hoc gii m. Vic chn kho cng khai hay kho b mt cho qu trnh m ho s to ra hai ng dng khc nhau ca k thut mt m bt i xng: Nu dng kho cng khai m ho v kho b mt gii m, ta c ng dng bo mt trn thng tin (confidentiality). Nu dng kho b mt m ho v kho cng khai gii m, ta c ng dng xc thc ni dung v ngun gc thng tin (authentication).

Thut ton mt m bt i xng da ch yu trn cc hm ton hc hn l da vo cc thao tc trn chui bit. Mt m ha bt i xng cn c gi bng mt tn thng dng hn l mt m ha dng kha cng khai (public key encryption). Ni chung, mt m ha bt i xng khng phi l mt k thut mt m an tan hn so vi mt m i xng, m an tan ca mt thut ton m ni chung ph thuc vo 2 yu t: di ca kha v mc phc tp khi thc hin thut tan (trn my tnh). Hn na, mc d c 64

ra i sau nhng khng c ngha rng mt m bt i xng han tan u im hn v s c s dng thay th cho mt m i xng. Mi k thut m c mt th mnh ring v mt m i xng vn rt thch hp cho cc h thng nh v n gin. Ngoi ra, vn phn phi kha trong mt m bt i xng cng c nh gi l mt trong nhng vn phc tp khi trin khai k thut mt m ny trong thc t.

Tp kho cng khai User E User C

User D User B Kho cng khai ca user B Thng tin mt Kho b mt ca user B

Thng tin gc

Thut ton m ho (thc hin bi user A)

Thut ton gii m (thc hin bi user B)

Thng tin gc

a- ng dng bo mt thng tin

Tp kho cng khai User E User C Kho b mt ca user A Thng tin mt

User D User A Kho cng khai ca user A

Thng tin gc

Thut ton m ho (thc hin bi user A)

Thut ton gii m (thc hin bi user B)

Thng tin gc

b- ng dng xc thc thng tin

Hnh 2.22: Cu trc h thng mt m bt i xng Cu trc mt h thng mt m bt i xng c trnh by trong hnh 2.22. Cc bc c bn ca mt h thng mt m dng kha cng khai bao gm: 65

Mi thc th thng tin (user) to ra mt cp kha (public/private) dng cho vic m ha v gii m. Mi user thng bo mt trong hai kho ca mnh cho cc user khc bit, kha ny c gi l kha cng khai (public key). Kha cn li c gi b mt, v gi l kha ring (private key). Nu mt user A mun gi thng tin cho user B, user A s thc hin m ha thng tin cn gi bng kha cng khai ca user B. Khi nhn c thng tin m ha t user A, user B thc hin gii m thng tin bng kha ring ca mnh. Do kha ring khng ph bin cng khai nn ch c mt mnh user B c kh nng gii m c.

Mt m ha bt i xng c s dng trong cc ng dng: che giu thng tin, to ch k s (digital signature) v trao i kha trong cc thut tan mt m i xng (key exchange).

II.3.2 Thut ton mt m RSA:

RSA l thut ton mt m bt i xng c xy dng bi Ron Rivest, Adi Shamir v Len Adleman ti vin cng ngh Massachusetts (MIT), do c t tn l Rivest Shamir Adleman hay RSA. Thut ton ny ra i nm 1977 v cho n nay c ng dng trong nhiu lnh vc. Cng nh cc thut ton mt m bt i xng khc, nguyn l ca RSA da ch yu trn l thuyt s ch khng da trn cc thao tc x l bit. Trong phm vi ti liu ny, thut tan m RSA c m t khi qut gip ngi c nm c nguyn l ca thut tan m ch khng ch trng n vn phn tch v chng minh cc c s l thuyt ca thut tan. RSA l mt thut ton mt m khi, kch thc khi thng thng l 1024 hoc 2048 bit. Thng tin gc ca RSA c x l nh cc s nguyn. V d, khi chn kch thc khi ca thut ton l 1024 bit th s nguyn ny c gi tr t 0 n 21024 1, tng ng vi s thp phn c 309 ch s. Ch rng y l nhng s nguyn cc ln, khng th x l c bng cch s dng cc cu trc d liu c sn ca cc ngn ng lp trnh ph bin. Thut ton RSA c m t nh sau: 1- to ra mt cp kha RSA, trc ht, chn hai s nguyn t ln p v q. Gi N l tch ca p v q (N = pq). 2-Tip theo, chn mt s e sao cho e v (p-1)(q-1) l hai s nguyn t cng nhau. Sau tm s d sao cho ed = 1 mod (p-1)(q-1). K hiu mod m biu din php modulo trn c s m. 3-By gi, b qua vai tr ca p v q. Vi 3 thnh phn cn li l N, e v d, ta : -Kha cng khai (public key) l t hp (N, e) -Kha b mt (private) l t hp (N, d). 4-Vic m ha mt khi thng tin gc M c thc hin theo cng thc: C = Me mod N M = Cd mod N
C s l thuyt ca thut ton RSA da trn l thuyt v s nguyn t, php ton modulo v nh l Euler nh sau:

(vi M l s nguyn nh hn N)

5-V qu trnh gii m C c thc hin theo cng thc:

66

Hm Euler: Cho mt s nguyn dng n, nh ngha (n) l s cc s nguyn dng nh hn n v l s nguyn t cng nhau vi n. V d: cho n = 8, cc s nguyn dng nh hn 8 v l s nguyn t cng nhau vi 8 l cc s 1, 3, 5, 7, do (8) = 4. (n) c gi l hm Euler ca n. -Quy c (1) = 1. -Nu n l s nguyn t th tt c cc s nguyn dng nh hn n u l s nguyn t cng nhau vi n, khi (n) = n -1. -Nu p v q l hai s nguyn t v N = pq. Khi (N) = (p) . (q). Tht vy, trong N-1 hay (pq-1) s nguyn dng nh hn N: cc s p, 2p, , (q-1)p v cc s q, 2q, , (p-1)q l cc s khng phi nguyn t cng nhau vi N. Nh vy: (N) = (pq 1) [(p 1 ) + (q 1)] = pq (p + q) + 1 = (p 1) (q 1) = (p) . (q) nh l Euler: cho a v n l hai s nguyn t cng nhau, ta c a(n) = 1 mod n Ta chp nhn nh l ny m khng phi chng minh. Vi nhng c s ny, ta c th kim chng thut ton RSA nh sau: Cho trc khi thng tin mt C = Me mod N, cn kim chng rng M = Cd mod N. Ta c: Cd mod N = (Me)d mod N = Med mod N Xt qu trnh to cp kho ca RSA, ta c: ed = 1 mod (p 1) (q 1) Hn na, N = pq nn (N) = (p 1) (q 1) vi p, q l cc s nguyn t. Nh vy: ed 1 = k (N) vi mt s nguyn k no . V: Cd mod N = Med mod N = M(ed 1) + 1 mod N = M . Med 1 mod N = M . M k(N) mod N = M . 1k mod N = M.

V d: Cp s nguyn t p = 11 v q = 3 c chn to ra cp kho RSA cho user A. Khi , N = pq = 3*11 = 33 (p-1) (q-1) = (11 1) (3 1) = 20 Tip theo, chn e = 3 tho iu kin 3 v 20 l cp s nguyn t cng nhau. Vi e = 3, ta xc nh c d = 7 v ed = 3*7 = 1 mod 20. Tht ra, c nhiu gi tr d tha mn yu cu ny, nhng cho n gin, ta chn gi tr nh nht. Khi , ta xc nh c cp kha nh sau: Kha cng khai: (N, e) = (33, 3) Kha b mt: (N, d) = (33, 7) Gi s, user B mun gi an thng tin M = 15 cho user A, da trn kha cng khai ca A, B thc hin nh sau: C = Me mod N = 153 mod 33 = 3375 mod 33 = 9 mod 33. 67

Khi , thng tin mt gi cho A l C = 9. Khi nhn c thng tin ny, A gii m bng kha ring ca mnh (d = 7) nh sau: M = Cd mob N = 97 mod 33 = 4.782.969 mod 33 = 15 mod 33. Nh vy, thng tin gii m c l M = 15, ng vi thng tin gc ban u. Tm li, thut ton mt m RSA c thc hin gm 3 qu trnh tch ri: to kho, m ho v gii m c tm tt nh sau: 1-To kho: Chn p, q Tnh N = p.q Tnh (N) = (p 1) (q 1) Chn e sao c s chung ln nht ca e v (N) l 1 Chn d sao cho e.d mod (N) = 1 Cp kho RSA c to ra l PU = (N, e), PR = (N, d) C = Me mod N M = Cd mod N (M l s nguyn nh hn N) (p v q l s nguyn t, p q)

2- M ho: 3- Gii m:

Trong thc t, t c an tan cao, cp kha phi c chn trn cc s p v q ln (N nh nht phi l 1024 bit), do vy, vn thc thi RSA bao gm cc php tan ly tha trn cc s rt ln. Vn gim chi ph tnh tan v tng tc thc hin thut tan RSA l mt trong nhng vn quan trng cn phi gii quyt. Trn cc h thng my tnh hin nay, hiu sut thc hin gii thut RSA l chp nhn c. - an ton ca RSA: Theo l thuyt, h thng RSA c th b tn cng bng nhng phng thc sau y: Brute-force attack: tm ln lt kho ring PR Mathematical attack: xc nh p v q bng cch phn tch N thnh tch ca cc tha s nguyn t ri t xc nh e v d. Timing attack: da trn thi gian thc thi ca thut ton gii m. Chosen ciphertext attack: s dng cc an thng tin mt (ciphertext) c bit khi phc thng tin gc.

Tuy nhin trong thc t, nguy c tn cng cc h thng mt m RSA l rt thp, do RSA l mt thut ton linh ng, kch thc khi d liu gc v chiu di kho d dng c thay i m khng nh hng n thut ton m.

II.3.3 Thut ton trao i kho Diffie-Hellman:

Diffie-Hellman l mt thut ton dng trao i kha (key exchange) ch khng dng mt m ha (che giu) d liu. Tuy nhin, Deffie-Hellman li c ch trong giai an trao i kha b mt ca cc thut ton mt m i xng. Nh trong phn u ca chng ny trnh 68

by, mt trong nhng vn quan trng lin quan trc tip n tnh an ton ca cc thut ton mt m i xng l vn thng nht kho b mt gia cc thc th thng tin. Thut ton trao i kho Diffie-Hellman da trn php logarit ri rc (discrete log). Cho trc mt s g v x = gk , tm k, ta n gin thc hin php logarit: k = logg(x). Tuy nhin, nu cho trc g, p v (gk mod p), th qu trnh xc nh k c thc hin theo cch khc vi cch trn v c gi l logarit ri rc. Vic tnh logarit ri rc ni chung rt phc tp nhng vn c th thc hin c. Thut tan Diffie-Hellman kh n gin nh sau:
User A Chn s b mt Xa < p User B Chn s b mt Xb < p

Tnh Ya = (gXa mod p) v gi cho B

Tnh Yb = (gXb mod p) v gi cho A

Tnh K = (Yb)Xa mod p

Tnh K = (Ya)Xb mod p

Hnh 2.23: Thut ton trao i kho Diffie-Hellman -Gi p l mt s nguyn t v g l mt c s sinh (generator) tho iu kin vi mi x {1, 2, , p-1}, ta lun tm c s n sao cho x = gn mod p. -Gi tr p v g c ph bin cng khai gia cc thc th trao i kho. Sau user A to ra mt s b mt Xa < p, tnh gi tr Ya = (gXa mod p) v gi cho B. Tng t, user B cng to ra mt s b mt Xb < p, tnh gi tr Yb = (gb mod p) v gi li cho A. -Da trn thng tin nhn c t A, user B xc nh c kho b mt dng cho phin lm vic bng cch tnh gi tr (gXa mod p)Xb = (gXaXb mod p). Bng cch tng t, user A cng xc nh c kho b mt ny bng cch tnh gi tr (gXb mod p)Xa = (gXaXb mod p). -Gi s trong qu trnh trao i cc gi tr (gXa mod p) v (gXb mod p), mt ngi th 3 no n bt c thng tin ny th cng rt kh xc nh c a v b v phc tp ca php tan logarit ri rc l rt cao. V d: Cho p = 353 v g = 3. C th kim chng c rng vi mt s nguyn n bt k sao cho 0 < n < 353, ta lun xc nh c mt s nguyn i tho 3i = n. Gi s, user A chn gi tr b mt Xa = 97 v user B chn gi tr b mt Xb = 233. User A tnh c Ya = (397 mod 353) = 40 v gi cho B. User B tnh c Yb = (3233 mod 353) = 248 v gi cho A. User A tnh c kho b mt K = (Yb)Xa mod 353 = 24897 mod 353 = 160 User B tnh c kho b mt K = (Ya)Xb mod 353 = 4097 mod 353 = 160 -Mc an ton ca thut ton trao i kho Diffie-Hellman: Tnh an ton ca Diffie-Hellman da trn phc tp ca php ton logarit ri rc. Ni chung, vic xc nh cc gi tr Xa, Xb t cc gi tr p, g, Ya v Yb l khng th thc hin c 69

trn cc s nguyn ln. Tuy nhin, thut ton ny khng ngn chn c cc tn cng theo phng thc xen gia Man-In-The-Middle (MITM) nh sau: thc hin tn cng MITM trn kt ni gia user A v user B, user C cng chn cho mnh hai s nguyn XC1 v XC2 tho iu kin XC1 < p v XC2 < p, sau cng tnh hai gi tr tng ng YC1 = (gXc1 mod p) v YC2 = (gXc2 mod p). Khi user A gi Ya cho user B, user C s chn ly thng tin ny, ng thi mo danh A gi cho B gi tr YC1. User B xc nh kho K1 da trn YC1, v gi li cho A gi tr Yb. User C li chn ly gi tr ny v mo danh B gi cho A gi tr YC2. User A xc nh kho K2 da trn YC2. Bt u t y, cc thng tin trao i gia A v B u c C chn bt v thay i bng cch s dng cp kho K1 v K2.

Thut ton Diffie-Hellman khng gii quyt c vn ny do khng c c ch xc thc gia cc thc th trao i kho. im yu ny c khc phc bng cch s dng kt hp vi cc thut ton xc thc nh s trnh by phn k tip. Ngoi hai thut ton RSA v Diffie-Hellman, mt s thut ton khc cng c pht trin da trn nguyn l s dng mt cp kho cng khai v b mt. Elliptic-Curve Cryptography (ECC) l mt gii thut mi ang c th nghim v ha hn nhiu u im so vi RSA nh phc tp tnh ton gim trong khi tnh an tan vn c m bo. ECC thch hp vi cc ng dng chy trn cc thit b c nng lc x l hn ch chn hn nh cc thit b nhng (embded devices).

II.3.4 nh gi k thut mt m bt i xng:

K thut mt m bt i xng han tan c th p ng c nhng yu cu v bo mt h thng nh trong k thut mt m i xng, mc d tc thc thi ca m bt i xng thng thp hn do bn cht thut ton da trn cc thao tc s hc ch khng da trn cc thao tc x l bit. Hn na, m bt i xng ch ph hp vi vic thc thi bng phn mm. Mt m bt i xng m bo c 2 yu cu c bn ca thng tin l tnh b mt v tnh ton vn. K thut mt m bt i xng c 2 u im so vi m i xng: 1-Hai thc th thng tin khng cn thc hin th tc trao i kha trc khi bt u lm vic. 2-Bn cnh cng dng m bo tnh tan vn ca d liu, mt m bt i xng (khi c s dng cho mc ch xc thc) cn m bo c tnh khng th ph nhn (non-repudiation) ca thng tin.

II.4 CC HM BM
II.4.1 Xc thc thng tin:
Xc thc thng tin (message authentication) l mt c ch c ng dng trong x l thng tin vi mc ch: m bo ni dung thng tin trao i gia cc thc th l chnh xc, khng b thm, sa, xa hay pht li (m bo tnh tan vn v ni dung). m bo i tng to ra thng tin (ngun gc thng tin) ng l i tng hp l c khai bo (m bo tnh tan vn v ngun gc thng tin).

thc hin xc thc thng tin, v nguyn tc c 3 phng php sau y: 70

1-Dng cc thut tan mt m (i xng v bt i xng) xc thc thng tin. Nguyn tc ca mt m l ch c nhng i tng hp l mi khi phc c thng tin gc t thng tin mt. Ta c th s dng nguyn tc ny xc thc thng tin nh sau (hnh 2.24):
Ni gi thng tin Ni nhn thng tin

a- Dng mt m i xng

b- Dng mt m bt i xng
M: thng tin gc C: Thng tin mt PRa: Kha b mt ca bn gi. E: thut tan mt m D: Thut tan gii m K: Kha b mt dng chung gia bn gi v bn nhn PUa: Kha cng khai ca bn gi

Hnh 2.24: Xc thc thng tin dng mt m Trng hp th nht: dng mt m i xng. Theo quy c, ch c ni gi thng tin v ni nhn thng tin hp l mi c kha b mt K, do ch c thc th gi thng tin hp l mi c kh nng to ra khi thng tin mt hp l t khi thng tin gc M. Tng t, ch c thc th nhn thng tin hp l mi c kh nng gii m c thng tin mt khi phc ng thng tin gc M. Tt c cc c gng khc u cho ra kt qu sai. Trng hp th hai: dng mt m bt i xng. Thc th gi thng tin thc hin m ha dng kha b mt (PR) thay v dng kha cng khai. Khi thng tin mt to ra c th c gii m bi bt k i tng no bit kha cng khai ca thc th gi. Tuy nhin, nu qu trnh gii m thnh cng, i tng nhn thng tin c th chc chn rng thng tin nhn c l ng v chnh i tng gi hp l gi thng tin ny, bi v ch c i tng mi c kha ring PR. Phng php xc thc dng mt m da han tan vo tin cy ca kha b mt. 2-Dng m xc thc MAC (Message Authentication Code). M xc thc MAC c sinh ra t t hp gm mt khi thng tin gc c di bt k v mt kha b mt. Kch thc ca MAC l c nh, khng ph thuc vo kch thc ca khi d liu gc v thng nh hn d liu gc. i tng gi s gi km gi tr MAC i cng vi thng tin gc. Pha nhn sau khi nhn 71

c thng tin gc cng vi gi tr MAC gi km s thc hin thao tc to ra gi tr MAC mi t thng tin gc cng vi kha b mt thng nht gia hai bn. Nu gi tr MAC va to ra ging vi gi tr MAC nhn c t pha gi, pha nhn c th chc chn rng thng tin gc khng b thay i trong qu trnh truyn (hnh 2.25).
Ni gi thng tin Ni nhn thng tin

So snh M xc thc (MAC)

M: thng tin gc C: Hm to m xc thc K: Kha b mt dng chung gia bn gi v bn nhn | |: Ni m xc thc vo thng tin gc

Hnh 2.25: Xc thc thng tin dng MAC Vic dng MAC xc thc thng tin da vo hai c s: ng vi mt khi thng tin gc M v mt kha b mt K, hm C ch to ra duy nht mt m xc thc MAC. Ch c pha gi v pha nhn hp l mi c bit kha K.

C hai k thut to ra m xc thc MAC: k thut th nht dng c ch mt m khi (Cipher Block Chaining) v c gi l CMAC hay CBC-MAC. K thut th hai da trn cc hm bm bo mt v c gi l HMAC. M xc thc MAC c ng dng trong cc trng hp thng tin ch yu cu m bo tnh xc thc m khng cn m bo tnh b mt. 3-Dng cc hm bm bo mt (secure hash function). Ging nh m xc thc MAC, hm bm cng to ra mt khi thng tin ngn c di xc nh gi l m bm (hash code) t mt khi thng tin gc c di bt k. Tuy nhin, khc vi MAC, hm bm ch da vo thng tin gc to ra m bm m khng dng thm bt k kha b mt no. Do vy, c th s dng nh mt c ch xc thc thng tin, hm bm phi c dng km vi mt thut tan mt m no (i xng hoc bt i xng). Hnh 2.26 trnh by mt ng dng in hnh ca hm bm trong xc thc thng tin. Theo c ch ny, m bm sau khi c to ra s c m ha bng mt thut tan mt m i xng vi kha b mt K ch c bn gi v bn nhn bit. an m bm c mt m ha c gi i km vi thng tin gc v qu trnh kim tra pha nhn cng c tin hnh theo trnh t ngc li, tc l gii m an m bm bng kha b mt, sau to ra m bm mi t thng tin gc v so snh hai an m bm.

72

C nhiu cch p dng cc thu tan mt m vo hm bm xc thc thng tin: dng m i xng hoc bt i xng, ch m ha m bm hoc m ha c thng tin gc v m bm, thm ch c th t hp nhiu cch trn li vi nhau.

Ni gi thng tin

Ni nhn thng tin

So snh M bm c m ha

M: thng tin gc H: hm bm E: thut tan m ha D: thut tan gii m K: kha b mt dng chung gia pha gi v pha nhn. | |: ni m bm c m ha vo thng tin gc

Hnh 2.26: Xc thc thng tin dng hm bm Ngai ng dng xc thc thng tin, hm bm cn c dng trong nhiu ng dng khc. Phn tip theo trnh by chi tit hn v cc hm bm bo mt.

II.4.2 Cc hm bm bo mt:
Cc hm bm bo mt (secure hash functions) hay gi tt l hm bm l mt trong nhng k thut c bn thc hin cc c ch xc thc thng tin (message authentication). Ngoi ra, hm bm cng cn c s dng trong nhiu thut ton mt m, trong ch k s (digital signature) v nhiu ng dng khc. Nguyn tc ca hm bm l bin i khi thng tin gc c di bt k thnh mt on thng tin ngn hn c di c nh gi l m bm (hash code hay message digest). M bm c dng kim tra tnh chnh xc ca thng tin nhn c. Thng thng, m bm c gi km vi thng tin gc. pha nhn, hm bm li c p dng i vi thng tin gc tm ra m bm mi, gi tr ny c so snh vi m bm i km vi thng tin gc. Nu hai m bm ging nhau, ngha l thng tin gi i khng b thay i. Ch c th dng hm bm tnh m bm t thng tin gc ch khng th tnh c thng tin gc t m bm. Do c tnh ny, cc hm bm bo mt cng cn c gi l hm bm mt chiu (one way hash fntion). Hnh 2.27 m t nguyn l hot ng ca mt gii thut xc thc thng tin s dng hm bm n gin. Cc yu cu ca mt hm bm bo mt H: H c th c p dng cho khi thng tin vi chiu di bt k. Kt qu ca hm H lun c chiu di c nh. Vic tnh gi tr ca H(x) vi mt gi tr x cho trc phi n gin, c th thc hin c bng c phn cng hoc phn mm.

73

Cho trc mt gi tr h, khng th tm c mt gi tr x sao cho H(x) = h, y c gi l thuc tnh mt chiu ca hm bm (one-way property). Cho trc khi thng tin x, khng th tm c mt khi thng tin y khc x sao cho H(y) = H(x). Thuc tnh ny c gi l weak collision resistance. Khng th tm c hai khi thng tin x v y khc nhau sao cho H(x) = H(y). Thuc tnh ny c gi l strong collision resistance.

Thng tin gc

Thng tin gc

Thng tin gc

So snh H : M bm H : Hm bm

Hnh 2.27: Mt ng dng in hnh ca hm bm -Tn cng trn cc hm bm: Nguyn l lm vic ca hm bm l biu din mt khi thng tin c kch thc ln bi mt on thng tin c kch thc nh hn nhiu gi l m bm, v trong trng hp l tng nht th cc biu din ny l cc nh x 1:1, tc s khng xy ra tnh hung 2 khi thng tin khc nhau cng cho ra mt m bm. Trng hp c 2 khi thng tin khc nhau cng cho ra mt m bm, ta ni thut tan bm b ng (collision). Mc tiu tn cng vo mt hm bm bo mt l to ra cc tnh hung ng ny. Xc sut hai khi thng tin c cng m bm ph thuc vo kch thc ca m bm, tc ph thuc vo s lng m bm c th c. Kch thc ny cng nh th kh nng xy ra cng ln, v do xc sut tn cng thnh cng cng ln. Bi ton ngy sinh (Birthday problem)(*) ch ra rng: vi kch thc m bm l n bit, xc sut xy ra ng l 50% th cn c khong 2n/2 khi thng tin c x l. Ngi ta thng dng nguyn l ny tn cng vo cc ng dng c s dng hm bm, cc tn cng ny c gi l Birthday attack. Ni chung, an ton ca mt hm bm ph thuc vo kch thc ng ra ca n. Phn sau y s gii thiu mt s thut ton bm thng dng thng c s dng trong xc thc thng tin.

II.4.3 Thut ton bm SHA:

(*) Bi ton ngy sinh: trong mt cn phng c n ngi, n ti thiu phi bng bao nhiu c t nht 2 ngi c cng ngy sinh (trong nm). L thuyt xc sut xc nh n = 23. Bi ton ny c m rng cho hm bm.

74

SHA (Secure Hash Function) c chun ho nm 1993, sau c chnh sa nm 1995 v t tn l SHA-1, t phin bn c c gi l SHA-0. SHA-1 to ra m bm c chiu di c nh l 160 bit. V sau, c nhiu nng cp i vi SHA, ch yu l tng chiu di m bm, t xut hin cc phin bn khc nhau ca SHA, bao gm: SHA-256 (m bm di 256 bit), SHA-384 (m bm di 385 bit) v SHA-512 (m bm di 512 bit). Bng 2.2 tm tt cc thng s ca cc phin bn SHA. Bng 2.2: Cc phin bn SHA Thng s Kch thc m bm (bit) Kch thc thng tin gc (bit) Kch thc khi (bit) di t (bit) S bc thc hin (bc) SHA-1 160 <2
64

SHA-256 256 <2

64

SHA-384 384 <2

128

SHA-512 512 <2128 1024 64 80

512 32 80

512 32 64

1024 64 80

Phn ny ch m t thut ton bm SHA-1, cc phin bn khc ca SHA cng c thit k theo nguyn l tng t. SHA-1 chp nhn cc khi thng tin c kch thc ti a l 264 bit to ra m bm vi di c nh 160 bit. Tan b khi thng tin c x l theo tng khi 512 bit, qua 5 cng on nh sau: 1- Gn bit m Append padding bit: thng tin gc c gn thm cc bit tha c chiu di (448 modulo 512) bit, tc l tt c cc khi trc c chiu di bng nhau l 512 bit, ring khi cui cng l 448 bit. Ch rng vic chn thm bit vo khi thng tin c thc hin i vi tt c cc khi thng tin gc, k c khi khi thng tin gc c s bit chnh xc bng 448 mod 512 (khi chui bit chn vo s c chiu di l 512 bit). 2- Gn chiu di Append length: mt chui 64 bit c gn thm vo khi thng tin. 64 bit ny c x l nh mt s nguyn khng du, cho bit chiu di ca khi thng tin gc (tc chiu di tht s khi cha thc hin cng on 1). Sau cng on ny, khi thng tin nhn c c chiu di l bi s ca 512 bit, c chia thnh cc nhm, mi nhm tng ng vi 16 thanh ghi 32 bit (16*32 = 512 bit). 3- Khi to b m MD Initialize MD buffer: b m MD (message digest) l b nh c dung lng 160 bit dng cha cc kt qu trung gian v kt qu cui cng ca m bm. B nh ny c t chc thnh 5 thanh ghi 32 bit v c khi to cc gi tr ban u nh sau (Hex): A = 67452301 B = EFCDAB89 C = 98BADCFE D = 10325476 E = C3D2E1F0

75

4- X l thng tin theo tng khi 512 bit Process message: y l cng an trung tm qu hm bm, cn c gi l hm nn (compress function), bao gm 4 vng, mi vng 20 bc. Hnh 2.28 trnh trnh by s khi ca bc 4. C 4 vng c cu trc tng t nhau, nhng mi vng s dng mt hm lun l khc nhau l f1, f2, f3 v f4. Ng vo ca mi vng l khi bit Y (512 bit) ang x l cng vi gi tr ca b m MD. Mi vng s dng mt bin cng Kt khc nhau, vi 0 t 79 biu din cho 80 bc ca 4 vng. Tuy nhin, thc t ch c 4 gi tr K khc nhau nh sau:
Yq 512 A B C D CVq 160 32 E

f1, K, W[019] 20 vng

f2, K, W[2039] 20 vng

f3, K, W[4059] 20 vng

f4, K, W[6079] 20 vng

160 CVq+1

Hnh 2.28: X l thng tin trong SHA-1 Bc 0 t 19 20 t 39 Gi tr K (Hexa) Kt = 5A827999 Kt = 6ED9EBA11 76

40 t 59 60 t 79

Kt = 8F1BBCDC Kt = CA62C1D6

Ng ra ca vng th t (tc bc 80) c cng vi ng vo ca vng u tin to ra CVq+1. Thao tc cng c thc hin mt cch c lp, ng vi tng thanh ghi trong b m MD vi mt t tng ng trong CVq, s dng php cng modulo 232. 5- Xut kt qu - Output: Sau khi tt c cc khi 512 bit c x l, ng ra ca bc cui cng chnh l gi tr ca m bm. Mt thuc tnh quan trng ca gii thut bm SHA-1 l mi bit trong m bm u c quan h vi tt c cc bit trong thng tin gc. Vic lp li cc hm f mt cch phc tp nh vy nhm mc ch m bo rng d liu c trn mt cch k lng v do rt kh tm c 2 khi thng tin gc khc nhau c th to ra cng mt m bm.

II.4.4 Thut ton bm MD5:

MD5 l mt gii thut xc thc thng tin c s dng ph bin trong thi gian qua trong cng ng Internet, c bit dng kim tra tnh chnh xc ca cc phn mm m ngun m pht hnh trn mng. Gii thut ny c xy dng bi Ron Rivest, v c chun ha bng RFC 1321. MD5 c th x l cc khi thng tin c di khng gii hn to ra m bm di 128 bit. Thng tin gc cng c x l theo tng an 512 bit. Bng 2.3 so snh cc thng s gia SHA-1 v MD5. Bng 2.3: So snh MD5 v SHA-1 Thng s so snh Kch thc m bm (bit) Kch thc khi (bit) S bc Kch thc thng tin gc (bit) S lng hm lun l MD5 128 512 64 Khng gii hn 4 SHA-1 160 512 80 < 264 4

Vi 128 bit m bm, vic tm ra hai khi thng tin c cng mt gi m bm khng cn l iu bt kh thi i vi nng lc ca cc b x l hin nay. Do , an tan ca MD5 ang b e da nghim trng, v trong thi gian ngn sp ti, mc ph bin ca MD5 c th s gim i v c thay th bng mt gii thut xc thc khc.

II.5 CH K S
II.5.1 Nguyn l hot ng ca ch k s:
Ch k s l mt c ch xc thc cho php ngi to ra thng tin (message creator) gn thm mt an m c bit vo thng tin c tc dng nh mt ch k. Ch k c to ra bng cch p dng mt hm bm ln thng gc, sau m ha thng tin gc dng kha ring ca ngi gi. Ch k s c mc ch m bo tnh tan vn v ngun gc v ni dung ca thng tin. Ti sao phi dng ch k s trong khi cc c ch xc thc thng tin (message authentication) thc hin chc nng xc thc ngun gc thng tin? Cc c ch xc thc thng tin s dng cc hm bm mt chiu c tc dng bo v thng tin trao i gia hai thc th thng 77

tin khi s xm phm ca mt thc th th 3, tuy nhin n khng c tc dng ngn chn c s xm phm ca chnh hai thc th. V d: Thc th A gi mt bn tin X cho thc th B s dng mt c ch xc thc no , c ch ny m bo ch c A v B dng chung mt kho b mt K to ra cc m xc thc t thng tin gc. Tuy nhin, thc th B c th i bn tin X thnh mt bn tin Y, v vi kha b mt K, thc th B han tan c th to ra thng tin xc thc mi gn vo Y, lm cho n tr thnh mt bn tin hp l mc d thc cht y khng phi l bn tin do thc th A to ra. Mt v d khc, thc th A c th t chi xc nhn vic mnh gi bn tin X cho thc th B, v vi cc c ch xc thc nh trn, thc th B hon ton c kh nng gi mo thng tin a ra t thc th A. Ging nh mt ch k thng thng (ch k bng tay), mt ch k s phi c y cc thuc tnh sau y: Phi xc nhn chnh xc ngi k v ngy gi pht sinh ch k. Phi xc thc ni dung thng tin ngay ti thi im pht sinh ch k. Phi c kh nng cho php kim chng bi mt ngi th 3 gii quyt cc tranh chp nu c.

Nh vy, chc nng ca ch k s bao gm chc nng ca xc thc thng tin. Cc yu cu i vi ch k s: L mt chui bit pht sinh t khi thng tin cn c xc nhn (thng tin gc). Ch k phi cha thng tin nhn dng ring ca ngi k trnh gi mo v trnh ph nhn. Quy trnh to ra ch k cng nh xc minh ch k phi n gin, nhanh chng Ch k thng th b gi mo bng bt c cch no. C th sao chp mt bn sao ca ch k dnh cho mc ch lu tr.

-Phn loi ch k s: C nhiu thut ton pht sinh ch k s khc nhau. C th phn loi cc thut ton ny theo cc cch nh sau: Ch k c nh v ch k ngu nhin: thut ton to ch k c nh (deterministic) to ra mt ch k duy nht ng vi mt khi thng tin gc xc nh, ngha l nu thc hin nhiu ln thut ton to ch k trn mt bn tin th vn cho ra mt kt qu duy nht. Ngc li, ch k ngu nhin (probabilistic) to ra nhng ch k khc nhau i vi cng mt bn tin. Ch k phc hi c v ch k khng phc hi c: c ch to ch k phc hi c (reversible signature) cho php ngi nhn phc hi li thng tin gc t ch k, iu ny cng c ngha l ch k phi c cha thng tin gc trong n di mt dng m ho no , v kt qu l ch k s s c kch thc ln hn thng tin gc. Khi , ngi gi ch cn gi i ch k l . Do vy, c ch to ch k ny cng cn c gi l ch k khi phc bn tin (signature with message recovery). Ngc li, c ch to ch k khng phc hi c (non-reversible signature) khng cho php phc hi thng tin gc t ch k, do vy, ch k ch l mt khi thng tin cng thm c kch thc nh hn thng tin gc. Ngi gi cn phi gi ch k i km vi thng tin gc nh mt dng ph lc, do c ch to ch k ny cng cn c gi l ch k vi ph lc (signature with appendix). 78

-Cc phng php thc hin ch k s: C hai phng php thc hin ch k s l k trc tip (direct signature) v k thng qua trng ti (arbitrated signature). K trc tip (direct signature): phng php ny, gi thit rng pha nhn bit c kha cng khai ca pha gi. Do , ch k c th c to ra bng cch m ha tan b bn tin bng kha ring ca ngi to ra thng tin, hoc l ch m ha phn m bm (kt qu to ta t hm bm i vi thng tin gc) dng kha ring ca ngi to thng tin.
Pha nhn thng tin

Pha to ra thng tin

E(M, PRa)

a- To ch k trc tip bng cch m ha tan b thng tin gc

Pha to ra thng tin

Pha nhn thng tin

So snh E(H(M), PRa) b- To ch k trc tip bng cch m ha phn m bm ca thng tin gc
M: thng tin gc H: Hm bm PRa: Kha b mt ca ngi k E: Thut tan m ha D: Thut tan gii m | |: Ni m bm vo thng tin gc PUa: Kha cng khai ca ngi k

Hnh 2.29: Ch k trc tip

t c tnh bo mt ca thng tin th thng tin gc cng vi ch k va c to ra s c m ha s dng kha cng khai ca thc th nhn ch k (trong trng hp dng mt m bt i xng) hoc dng kha b mt (trong trng hp dng mt m i xng). Mt nhc im rt d thy ca phng thc k trc tip l an tan ca ch k ph thuc cao vo kha ring ca ngi to ra ch k. Do vy, nu kha ring ny b mt hoc b tit l th ngha ca ch k s s khng cn.

79

K thng qua trng ti (arbitrated signature): y l mt gii php c xy dng khc phc nhc im ca ch k trc tip. Khi thc th A mun gi mt bn tin cho thc th B, qu trnh to ra mt ch k c thc hin bnh thng nh i vi ch k trc tip. Tuy nhin, trc khi bn tin ny c gi n B, n phi c gi n mt thc th th 3 gi l trng ti (arbiter). Trng ti thc hin vic kim tra, xc nhn tnh chnh xc ca thng tin v ch k, sau ghi li ngy gi ri mi gi cho thc th B, km theo thng tin xc nhn ca trng ti. S xut hin ca trng ti trong quy trnh m bo c thc th A s khng ph nhn c thng tin mnh gi.

Nu gi X l thc th to ra thng tin, Y l thc th nhn thng tin, A l trng ti, H l hm bm bo mt v E l thut ton mt m, qu trnh to ch k thng qua trng ti c thc hin nh sau: -Trng hp th nht: s dng k thut mt m i xng v trng ti c th c ni dung thng tin m X gi cho Y: Bc 1: Bc 2: X A: M + E([IDX + H(M)], Kxa) A Y: E([IDX + M + E([IDX + H(M)], Kxa) + T], Kay)

Vi M l thng tin gc m X gi cho Y, Kxa l kho b mt dng chung gia X v A, Kay l kho b mt dng chung gia Y v A, IDX l thng tin nhn dng ca thc th X v T l thi im ch k c to ra. -Trng hp th 2: s dng k thut mt m i xng v trng ti khng c c ni dung thng tin X gi cho Y: Bc 1: Bc 2: X A: IDX + E(M, Kxy) + E([IDX + H(E(M, Kxy))], Kxa) A Y: E([IDX + E(M, Kxy)], Kay) + E([IDX + H(E(M, Kxy)) + T], Kxa)

Vi Kxy l kho b mt dng chung gia X v Y. -Trng hp th 3: s dng k thut mt m bt i xng, trng ti khng c c ni dung thng tin X gi cho Y: Bc 1: Bc 2: X A: IDX + E([IDX + E(E(M, PRx), PUy)], PRx) A Y: E([IDX + E(E(M, PRx), PUy) + T], PRa)

Vi PRx l kho ring ca X, PUy l kho cng khai ca Y, PRa l kho ring ca A

II.5.2 Chun ch k DSS:

DSS (Digital Signature Standard) l mt chun v ch k s, c chun ha nm 1991, sa i nm 1993 v 1996, sau m rng vo nm 2000. DSS s dng hm bm SHA v thut ton to ch k DSA (Digital Signature Algorithm). DSS thuc loi ch k ngu nhin v khng phc hi c. Hnh 2.30 so snh cu trc DSS so vi phng thc xc thc thng tin s dng mt m bt i xng RSA. Trong thut ton xc thc thng tin dng mt m RSA, thng tin gc c a vo hm bm SHA to ra m bm (tc message digest) c kch thc c nh. M bm ny sau c m ha (bng thut ton RSA) dng kha ring ca thc th to thng tin (pha gi). Kt qu ca php m ha c gn vo thng tin gc v gi i. Pha thu nhn c thng tin, tch phn m bm ra khi thng tin gc v gii m n bng kha cng khai ca pha gi. Ch rng kha cng 80

khai l thng tin c cng b rng ri cho bt k thc th no c quan tm. ng thi, thng tin gc cng c a vo hm bm tnh m bm, sau em so snh vi m bm va nhn c. Nu hai m ny ging nhau th thng tin va nhn c chp nhn nh l thng tin hp l. Hat ng ca DSS cng bao gm vic a thng tin gc vo hm bm to ra m bm c kch thc c nh. Tuy nhin, m bm ny s khng c m ha trc tip bng mt gii thut m ha m c s dng lm ng vo ca mt hm to ch k S (Signature function). Cc thng tin a vo hm to ch k bao gm: M bm ca thng tin gc Mt s ngu nhin k Kha ring ca ngi k (PRa) Kha cng khai ca nhm cc thc th lin quan n giao dch ch k (PUG)

M PRa H E

H PUa D So snh

a- Xc thc thng tin dng mt m RSA

M PRa PUG H k S

H PUa PUG V So snh

s r

s r

a- Dng ch k s DSS

Hnh 2.30: Xc thc thng tin dng mt m RSA v dng ch k s DSS Kt qu ca hm sinh ch k gm hai thnh phn, t tn l r v s. C hai c gi km vi thng tin gc. pha nhn thu, thng tin gc c tch ring a vo hm bm. Sau , m bm c a vo hm kim chng V (Verification function) cng vi kha cng khai ca nhm (PUG) v kha cng khai ca pha gi (PRA). Nu kt qu ca hm kim chng bng vi thnh phn r ca ch k th thng tin c xem l xc thc. Hnh 2.31 m t qu trnh to ch k v kim chng ch k dng DSS. Ch rng thnh phn r ca ch k khng ph thuc vo thng tin gc m ch ph thuc vo s ngu nhin k v 3 thnh phn ca kha cng khai ca nhm (PUG) l p, q v g. Do vy,

81

gim chi ph tnh tan mi khi to ra ch k, ngi s dng c th to ra gi tr r mt ln, v dng gi tr cho nhiu ch k ng vi nhiu khi thng tin gc khc nhau.
p q g

f2

r M H

q s

q f4 v f3

M H

r f1 s

So snh a- To ch k b- Kim chng ch k

Hnh 2.31: To v kim chng ch k vi DSS

-Thut ton to ch k DSA (Digital Signature Algorithm): DSA l thnh phn trng tm ca ch k s DSS, c chc nng to ra ch k t cc thng tin nh m bm ca thng tin gc, kho ring ca ngi k, kho cng khai ca nhm v mt s ngu nhin k. DSA c xy dng da trn php ton logarit ri rc, c tm tt nh sau: -To cc thnh phn kho cng khai (public key components): p: mt s nguyn t tho 2L-1 < p < 2L vi 512 < L < 1024 v L l bi s ca 64. q: mt s nguyn t chia ht (p 1) tha iu kin 2159 < q < 2160 (q di 160 bit) g: mt s nguyn c gi tr = (h(p -1)/q mod p), trong h l mt s nguyn tho iu kin 1 < h < p 1 v (h(p-1)/q mod p) > 1 -To kho ring ca ngi dng: x: mt s nguyn ngu nhin ln hn 0 v nh hn q -To kho cng khai ca ngi dng: y: l mt s nguyn c gi tr = (gx mod p) -To s b mt cho tng bn tin: k: mt s nguyn c chn ngu nhin ln vi 0 < k < q -To ch k: r = (gk mod p) mod q s = [k-1 (H(M) + xr)] mod q -Kim chng ch k: 82

w = (s)-1 mod q u1 = [H(M')w] mod q u2 = (r')w mod q v = [(gu1 yu2) mod p] mod q Lu : s, r, M tng ng vi cc phn s, r v M ti pha thu. Vi phc tp ca php tan logarit ri rc, rt kh c th xc nh c k khi bit r hoc xc nh c x khi bit s.

II.6 QUN L KHO

II.6.1 Qun l kho cng khai trong mt m bt i xng:
Trong k thut mt m bt i xng, kho ring ca mi thc th c chnh thc th qun l m khng cn phi chia s cho ai, tuy nhin c ch no c dng ph bin kha cng khai mt cch an ton v hiu qu? Cc c ch khc nhau c th dng ph bin kha cng khai bao gm: -Ph bin cng khai trn cc din n cng cng: ngi s dng thc hin vic ny bng cch gi cc thng bo km theo kha cng khai ca mnh n cc website hoc din n cng cng trn mng Internet. Phng php ny n gin nhng c nhc im l kha d b gi mo. Mt ngi A c th a kha cng khai ca mnh ln mng nhng thng bo rng l kha ca ngi B, bng cch , A c th c c nhng thng tin b mt m ngi khc gi cho B. -S dng danh b kha cng khai (public key directory): vi danh b ny, nhng ngi dng no mun ph bin kha ca mnh th phi ng k vi nh xut bn, v trnh vic gi mo, nh xut bn phi p dng mt c ch kim duyt an tan no i vi ngi ng k. Phng php ny an tan hn cch m mi c nhn t ph bit kha ca mnh. Tuy nhin, n cng c kh nng b gi mo khi kha b mt ca nh xut bn b l, k tn cng c th thay i cc thng tin m ngi s dng ng k ln . -Chng thc kha cng khai (public-key certificate): Phng php s dng danh b cng cng c mt im yu khc l mi ngi dng mun lin lc vi mt ngi khc cn n kho cng khai th phi lin lc vi nh xut bn c cung cp, iu ny t nh xut bn vo trng thi c nguy c qu ti bt c lc no, hn na y chnh l im tht c chai ca cc giao dch trn mng. Khi nim chng thc kha cng khai (public key certificate hay gi tt l certificate hay chng thc kha) l mt c ch ph bin kha cng khai trong mi thc th t ph bin kha ca mnh bng bt c phng tin g nhng vn m bo c tnh xc thc ca kha. Chng thc kha cng khai l mt t hp gm c kha cng khai ca mt thc th, nhn dng ca thc th v ch k s (digital signature) xc nhn ca mt thc th th 3, thc th th 3 ny l mt t chc c tin tng trong cng ng (v d nh c quan nh nc hoc cc t chc ti chnh). Cc c trng ca c ch ny bao gm: Mi thc th u c th c cc chng thc kha bit c kha cng khai cng nh nhn din ch s hu ca kha . Mi thc th u c th xc thc thng tin trong chng thc kha l chnh xc nh vo ch k ca mt thc th c tin cy th 3.

83

Ch c ngi chng thc (Certificate Authority hay CA) mi c quyn to ra v cp nht cc chng thc kha.

Qu trnh to ra v phn phi chng thc kha din ra nh sau (hnh 2.32): - to chng thc kha cho mnh, thc th A gi yu cu n c quan chng thc CA (Certificate Authority), trong yu cu c cha kho cng khai ca A (PUA). trnh cc tnh hung gi mo CA, yu cu cung cp chng thc gi t cc thc th u cui phi c gi n CA bng mt knh bo mt, trn c p dng cc c ch xc thc cht ch. -CA to ra chng thc kha cho A bng cch m ho khi thng tin bao gm: nhn dng ca thc th A (IDA), kho cng khai ca A (PUA) v thi im thc hin vic cp chng thc, bng kho ring ca CA (PRCA).

PUA Knh thng tin bo mt CA = E([Time + IDA + PUA],PRCA)

PUB Knh thng tin bo mt

CB = E([Time + IDB + PUB],PRCA)

(1)CA

(2)CB

CA: Chng thc kha ca thc th A CB: Chng thc kha ca thc th B PUA: Kho cng khai ca thc th A PUB: Kho cng khai ca thc th B

IDA: Thng tin nhn dng ca thc th A IDB: Thng tin nhn dng ca thc th B PRCA: Kho ring ca CA Time: Thi im to ra chng thc kha

Hnh 2.32: Qun l kho cng khai dng chng thc kha (Certificate) Nh vy, thc th A to c chng thc kha cho mnh (CA). Tng t nh vy, thc th B cng yu cu CA cung cp chng thc kha cho n (CB). bt u trao i thng tin vi nhau s dng mt m bt i xng, hai thc th A v B trao i chng thc kha cho nhau thc th ny nhn c kho cng khai ca thc th kia. Vi vic nh mt thc th tin cy th 3 lm trung gian to ra chng thc kha, kho cng khai c th c phn phi mt cch an ton m khng b gi mo. Mt trong nhng c ch c s dng rng ri to ra cc chng thc kha cng khai l chun X.509. Chun ny c dng trong nhiu dch v v giao thc bo mt nh IPSec, SSL, S/MIME, SET,

II.6.2 S dng mt m bt i xng trao i kha b mt:

84

Trong k thut mt m i xng, c hai thc th thng tin phi dng chung mt kha b mt. Vn l lm th no trao i kha b mt gia hai thc th ny? Thut ton trao i kha Diffie-Hellman c trnh by trong phn m ha bt i xng l mt thut ton an tan, cho php hai thc th trao i kha b mt m mt thc th th 3 khng ly cp c. Tuy nhin, hn ch ca Diffie-Hellman l khng c tnh xc thc, ngha l mt thc th s khng th bit chc chn rng kha mnh nhn c ng l kha ca thc th m mnh ang mun trao i thng tin hay khng. Do vy, trong thc t, Diffie-Hellman thng c dng phi hp vi mt c ch xc thc u cui (peer authentication).
(1) E([N1 + IDA], PUB) (2) E([N1 + N2], PUA)

(3) E(N2, PUB) (4) E(E(K, PRA), PUB)

Hnh 2.33: Dng mt m bt i xng trao i kho Dng kha cng khai trao i kha b mt ca m ha i xng l mt cch hiu qu c th gii quyt c vn trn y. Mt thc th A (thc th khi to Initiator) mun trao i kha b mt vi mt th B (thc th p ng - responder) c th thc hin th tc trao i kho nh sau: (1)-A dng kho cng khai ca B (PUB) m ho mt bn tin, bn tin ny cha nhn dng ca A (IDA) v mt gi tr ngu nhin N1 (nonce) nhn din giao tc ang thc hin. A B: E([N1 + IDA], PUB) (2)-B gi li cho A mt bn tin cha gi tr ngu nhin N2 do B to ra, cng vi s N1 nhn c t A. Ton b bn tin c m ho s dng kho cng khai ca A (PUA). B A: E([N1 + N2], PUA) (3)-Mt ln na, A gi li cho B mt bn tin cha gi tr N2 c m ho bng kho cng khai ca A (PUA). A B: E(N2, PUB) (4)-A chn kho b mt K cho thut ton m ho i xng sp din ra, sau m ho n bng chnh kho ring ca A (PRA), ri m ho mt ln na bng kho cng khai ca B (PUB) ri gi cho B. n bc ny, B nhn c kho b mt m A to ra mt cch an ton. A B: E(E(K, PRA), PUB)

II.6.3 C s h tng kha cng khai:

85

C s h tng kha cng khai PKI (Public Key Infrastructure) l mt h thng h tng bao gm cc thit b phn cng, chng trnh phn mm, cc chnh sch, th tc v con ngi cn thit to ra, qun l, lu tr v phn phi cc chng thc kha phc v cho mc ch ph bin kha cng khai ca cc thc th thng tin. Vai tr ca PKI trong h thng l qun l cc chng thc kha mt cch an tan v cung

Truy xut Certificate/CRL End Entity Kho lu tr Certificate/CRL

PKI users

Phn phi Certificate

RA

-ng k -Khi to -Chng thc -Phc hi kho -Cp nht kho -Yu cu thu hi

Phn phi Certificate/CRL Phn phi CRL CRL Issuer

CA-2

Chng thc cho CA-1

Phn phi kho ra ngoi h thng

PKI management

Hnh 2.34: Cu trc PKI cp n cho user mt cch hiu qu nht. Mc tiu ca PKI l cung cp mt mi trng lm vic phi hp, trong , thit b, phn mm ca nhiu nh sn xut khc nhau c th cng s dng chung mt cu trc chng thc kha. -Cc thnh phn ca PKI: End Entity (thc th u cui): l ngi s dng, mt phn mm hoc mt thit b tham gia vo qu trnh trao i thng tin s dng m ha kha cng khai. Cc thc th c mt cp kha ca mnh, trong kha cng khai c ph bin bi PKI di dng cc chng thc kha, cn kha b mt do chnh thc th qun l. Certificate Authority (CA): l thc th to ra cc chng thc kha. CA to ra chng thc kha t cc kha cng khai m cc thc th u cui y quyn cho n ph bin cng vi ch k s ca chnh CA . Do vy, CA phi l mt thc th c tin cy, nu khng, ch k ca CA s khng c ngha g. Registration Authority (RA): l mt thnh phn ty chn ca PKI, c chc nng x l mt s cng vic qun l nhm gim ti cho CA, chng hn nh ng k thc th u cui, kim chng cc thc th u cui, to ra cc cp kha publicprivate, Repository: Kho lu tr chng thc kha v cung cp chng thc kha cho cc thc th u cui khi c yu cu. C nhiu cch thc th u cui truy xut cc

86

chng thc kha ti PKI: thng qua dch v th mc LDAP (X.500), thng qua FTP hoc HTTP, Certificate revocation list (CRL) Issuer: Mt chng thc kha khi c to ra v ph bin th khng c ngha l n s c tn ti vnh vin. Sau mt khang thi gian nht nh hoc theo yu cu ca thc th u cui, chng thc kha c th b thu hi. CRL l danh sch cc chng thc kha b thu hi, c to ra bi CA hoc y quyn cho CRL issuer. Nh vy, CRL issuer cng l mt thnh phn ty chn ca PKI. ng k (Registration): l th tc m thc th u cui phi thc hin tham gia vo PKI ln u tin. Khi to (Initialization): Khi to cc thng tin ca thc th u cui ti CA, to ra cp kha public-private cho thc th u cui. Chng thc (Certification): CA to ra chng thc kha cho thc th u cui, ng vi kha cng khai va c to ra giai an khi to hoc do thc th u cui cung cp. Phc hi kha (Key-pair recovery): cho php phc hi mt kha c trc . Th tc ny thng c dng trong trng hp kha mt m v mt l do no khng truy xut c. khi phc d liu b mt m ho, cn phi c th tc ny ly li kho. Cp nht kha (Key-pair update): Mi chng thc kha c to ra vi mt khang thi gian tn ti nht nh, sau khong thi gian ny, chng thc kha s b thu hi (revoke). Th tc key-pair update c tc dng gia hn tn ti ca chng thc kha, cho php mt chng thc kha tip tc tn ti sau khi ht thi gian hiu lc. Yu cu thu hi chng thc kha (Revocation request): Yu cu thu hi mt chng thc kha v mt l do no , nh kha ring b l chng hn. Th tc ny cho php mt thc th u cui yu cu thu hi mt chng thc kha cha ht hiu lc.

-Cc chc nng qun l ca PKI:

C th tm tt cc bc in hnh ca mt quy trnh khi mt thc th A mun gi mt bn tin n mt thc th B trong mi trng PKI nh sau: -Thc th A thc hin hm bm trn bn tin to ra m bm. Sau m bm c m ha bng kha ring PRA ca thc th A to ra mt ch k ca thc th A. -S dng kha cng khai ca CA, thc th A yu cu CA cung cp kha cng khai ca thc th B (PUB). -Thc th A m ha bn tin bng kha cng khai PUB ca thc th B va nhn c t CA, sau gn ch k ca mnh vo bn tin m ha v gi cho B. -Thc th B gii m thng tin nhn c bng kha ring ca chnh n (PRB), sau p dng hm bm ln bn tin ny to ra m bm. -Thc th B gii m ch k ca thc th A bng kha cng khai ca thc th A (PUA), sau so snh vi m bm va to ra bc trn. Nu hai thng tin ny ging nhau, th bn tin nhn c xem nh hp l. 87

Tm tt chng: -Mt m l mt c ch c bn nht c dng bo m an tan cho thng tin khi trao i gia cc h thng thng tin (thng thng qua mng my tnh). K thut mt m bo v c 2 c trng ca m hnh CIA l tnh B mt v tnh Ton vn ca thng tin. -K thut mt m hin i c chia thnh 2 lai: Mt m i xng (symmetric key encryption) v mt m bt i xng (asymmetric key encryption). -Mt m i xng (hay cn gi l mt m quy c) s dng 1 kha duy nht cho vic m ha v gii m, kha ny c gi b mt, ch c cc thc th tham gia vic truyn nhn thng tin mi bit c. K thut mt m quy c da ch yu trn cc thao tc x l bit (nh dch, xoay vng, XOR, ) do thch hp vi phn vic thc thi bng phn cng, tc m ho cao. Cc thut ton mt m i xng thng dng bao gm DES, Blowfish, IDEA, AES, -Mt m bt i xng (hay cn gi mt m dng kha cng khai) s dng 2 kha khc nhau cho qu trnh m ha v gii m. Mt trong hai kha l kha cng cng (public key), c ph bin cng khai cho bt k mt thc th no cng c th truy xut c; v kha cn li l kha ring (private key) c gi b mt, ch c ch th ca kha bit. M ha kha cng khai da ch yu trn cc hm ton hc, do thch hp vi thc thi bng phn mm v tc m ho thp. RSA l thut ton mt m bt i xng ph bin nht hin nay. -Mt m dng kha cng khai c nhiu ng dng khc nhau nh: mt m d liu, to ch k s, trao i kha b mt ca mt m i xng, -Hm bm bo mt (secure hash function) l c ch dng trong xc thc thng tin (message authentication). Nguyn l ca hm bm l bin i khi thng tin gc thnh mt gi tr kim tra c kch thc c nh gi l m bm, gi tr ny c gi i km vi thng tin gc. u thu, thng tin nhn c cng c a vo hm bm to ra gi tr kim tra. Nu gi tr kim tra va c to ra bng vi gi tr gi km ca pha gi th thng tin c xem l xc thc. Hm bm c dng trong cc thut ton xc thc thng tin (message authentication), to ch k s v l thnh phn ca mt s thut ton mt m. -Ch k s (digital signature) l k thut dng nhn dng mt thc th thng tin cng vi thng tin do thc th ny to ra. ng dng c bn nht ca ch k s l chng thc v m bo thnh khng th ph nhn (non-repudiation) ca thng tin. C nhiu cch phn loi cc thut ton to ch k: ch k phc hi c v khng phc hi c, ch k c nh v ch k ngu nhin. Hai phng php thc hin ch k s l k trc tip v k thng qua trng ti. Chun ch k s DSS s dng thut ton DSA, to ra ch k s da trn cc hm bm bo mt (SHA) v k thut mt m kha cng khai (RSA). -Mt m ha dng kha cng khai ch c u im khi n c mt c ch phn phi kha cng khai mt cch an tan v hiu qu cho cc thc th trong h thng. Chng thc kha cng khai (Certificate) m mt c ch hiu qu thc hin vn ny. Mi chng thc kha bao gm nhn dng thc th u cui, kha cng khai ca thc th u cui v xc nhn (bng ch k s) ca mt thc th th 3. Mt h thng cung cp c ch to ra v qun l chng thc kha c gi l c s h tng kha cng khai PKI.

88

CU HI V BI TP.
A- Cu hi trc nghim. Cu 1. Chc nng ca mt m thng tin: a- Bo v tnh ton vn ca thng tin. b- Bo v tnh b mt ca thng tin. c- Bo v tnh kh dng ca thng tin . d- Bo v tnh khng th ph nhn ca thng tin. Cu 2. Cc nguy c ca mt h thng mt m: a- Tn cng bng cch d kho b mt (brute force attack). b- Tn cng bng phng php phn tch m (crypanalysis). c- Tn cng t chi dch v d- Cu a v b. Cu 3. Mt h thng m ho quy c dng kho di 128 bit. Nu dng phng php tn cng brute force th phi th trung bnh bao nhiu ln v thi gian cn thit thc hin nu tc x l l mt t ln trong mt giy? a- Phi th 2128 ln, thi gian th l 5,4 * 1018 nm. b- Phi th 264 ln, thi gian th l 5,4 * 1018 nm. c- Phi th 2127 ln, thi gian th l 5,4 * 1018 nm. d- Phi th 2128 ln, thi gian th l 18 nm. Cu 4. C ch trao i kho b mt trong m ho i xng? a- A v B trao i kho vi nhau bng e-mail. b- A v B trao i kho vi nhau bng mt phng tin vt l. c- A gi kho b mt cho mt thc th th 3 bng e-mail, th cth th 3 ny s gi li kho ny cho B cng bng e-mail. d- Mt trong 3 cch trn u c. Cu 5. Chn cu ng khi ni v cu trc mt m Feistel: a- Tt c cc thao tc trong cu trc u c thao tc ngc tng ng. b- Cu trc Feistel da trn cc thao tc x l bit vi cc php hon v v thay th lp li nhiu ln. c- Kch thc khi d liu (block size) l bt k. d- Mch m ho v mch gii m c cu trc khc nhau. Cu 6. Chn cu ng khi ni v thut ton mt m DES: a- Mch m ho v mch gii m l ging nhau. b- S-box l mt hm hon v, cho kt qu ngc li vi php hon v IP. c- Th t sinh kho ph qu trnh m ho v gii m l ging nhau. d- Thao tc hon v PC-1 c thc hin 16 ln trong qu trnh m ho v gii m. Cu 7. Chn cu ng v an ton ca DES: a- Ch c th tn cng h thng mt m DES bng phng php brute force. b- Kho a vo thut ton l 64 bit, nhng thc cht ch s dng 56 bit. 89

c- Mch gii m TDES khng th gii m c thng tin m ho bi DES. d- Tt c u ng. Cu 8. Chn cu ng khi ni v chun mt m AES: a- L chun mt m c thit k lm vic song song vi DES. b- Kch thc khi v chiu di kho c th thay i c. c- Mch m ho v mch gii m hon ton ging nhau. d- Tt c u ng. Cu 9. Chn pht biu sai khi ni v chun mt m AES: a- Th t sinh kho ph trong qu trnh m ho v gii m hon ton ging nhau. b- Tt c cc thao tc trong thut ton u c thao tc ngc. c- AES khng da trn cu trc m khi Feistel. d- Thut ton m Rijndael chnh l AES. Cu 10. Mt h thng gm 10 thit b u cui lin lc vi nhau s dng mt m i xng. Mi u cui s dng cc kho b mt khc nhau khi kt ni vi mi u cui khc. C bao nhiu kho b mt trong ton b h thng? a- 10 kho b- 20 kho c- 45 kho d- 90 kho Cu 11. Thut ton mt m no c dng trong giao thc xc thc Kerberos 4? a- Blowfish b- CAST-128 c- TDES d- DES Cu 12. ng dng ca mt m bt i xng: a- Bo mt thng tin b- Xc thc thng tin c- Bo v tnh kh dng ca h thng d- Cu a v b Cu 13. Chn cu ng v thut ton m RSA: a- Thut ton RSA thch hp cho thc thi bng phn cng. b- RSA dng kho v khi d liu c kch thc c nh. c- Mi khi thng tin n bit a vo thut ton RSA c x l nh mt s nguyn c gi tr t 0 n 2n 1. d- Ch c th dng kho cng khai m ho thng tin, khng th m ho thng tin bng kho b mt. Cu 14. So snh RSA v DES: a- RSA c tc thc thi bng phn mm cao hn DES. b- RSA an ton hn DES. 90

c- RSA da trn cc hm ton hc, cn DES da trn cc thao tc x l bit. d- Bng cch phn tch kho cng khai th c th tm ra kho b mt ca RSA, trong khi i vi DES, cch duy nht tm kho l th ln lt. Cu 15. Thut ton trao i kho Diffie-Hellman: a- L mt dng ca mt m ho bt i xng. b- Diffie-Hellman khng c chc nng bo mt d liu m ch dng trao i kho b mt. c- Diffie-Hellman c th b tn cng Man-In-The-Middle. d- Tt c u ng. Cu 16. Chc nng ca cc hm bm (hash function)? a- To ra mt khi thng tin ngn c nh t mt khi thng tin gc ln hn. b- Mt m ho thng tin. c- Xc thc ngun gc thng tin d- Ngn chn vic ph nhn hnh vi ca ch th thng tin Cu 17. Cc thuc tnh ca mt gii thut ch k s: a- Phi xc nhn chnh xc ngi k v ngy gi pht sinh ch k. b- Phi xc thc ni dung thng tin ngay ti thi im pht sinh ch k c- Phi c kh nng cho php kim chng bi mt ngi th 3 gii quyt cc tranh chp nu c. d- Tt c cc cu trn. Cu 18. Cc thng tin cn thit to ra ch l s: a- M bm ca thng tin cn chng thc. b- Kho b mt ca ngi k. c- Kho cng khai ca nhm d- Tt c cc thng tin trn Cu 19. Chng thc kha (certificate) l g? a- L mt s chng thc ca mt thc th c tin cy v s rng buc gia mt thc th thng tin v kho cng khai ca thc th . b- Chng thc kha l mt dng ca ch k s. c- Chng thc kha l mt ng dng phn phi kho b mt trong mt m i xng. d- Tt c u ng. Cu 20. Chn cu ng khi ni v PKI: a- PKI to ra v qun l cc chng thc kha. b- Chng thc kha sau khi to ra c th b hu b theo yu cu ca ch s hu. c- CA l thnh phn ca PKI c chc nng to ra chng thc kha theo yu cu ca ngi s dng. d- Tt c u ng. B- Bi tp. 91

Cu 21. Xc nh cc bit 1, 16, 33 v 48 ti ng ra vng th nht ca thut ton gii m DES, bit rng ciphertext cha ton bit 1 v kho ban u cng l chui bit 1. Cu 22. Chng minh rng mch m ho ca DES cng ng thi l mch gii m ca DES. Cu 23. So snh ma trn IP v ma trn PC-1 ca DES. Rt ra kt lun g t s so snh ny? Cu 24. Tnh 8 word u tin ca kho m rng trong thut ton m AES nu bit kho ban u l chui 128 bit 0. Cu 25. Thc hin m ho v gii m dng thut ton RSA vi cc d liu sau y: a- p = 3; q = 11, e = 7; M = 5 b- p = 5; q = 11, e = 3; M = 9 c- p = 7; q = 11, e = 17; M = 8 d- p = 11; q = 13, e = 11; M = 7 e- p = 17; q = 31, e = 7; M = 2 Cu 26. User A v B trao i kho dng Diffie-Hellman vi p = 71 v g = 7. a- Nu A chn Xa = 5, tnh Ya? b- Nu B chn Xb = 12, tnh Yb? c- Kho b mt dng chung gia A v B? Cu 27. Ci t thut ton mt m DES bng C. Cu 28. Ci t thut ton mt m RSA bng C. ----------

92

CHNG III CC NG DNG BO MT TRONG H THNG THNG TIN

Gii thiu: Cc c ch mt m v xc thc thng tin l c s cho vic xy dng cc ng dng bo mt trong h thng, c bit trong mi trng mng. Chng ny s trnh by mt s ng dng ca k thut mt m v xc thc thng tin trong vic xy dng cc giao thc (protocol) v dch v (service) trn mng nhm m bo an tan h thng. Cc ng dng c trnh by trong chng ny bao gm: -Giao thc xc thc (Authentication protocol) -IPSec (Internet Protocol Security) -SSL (Secure Sockets Layer) -SET (Secure Electronic Transaction)

III.1 GIAO THC XC THC

III.1.1 Mt khu:
Trong s cc c ch xc thc, c ch xc thc da trn thng tin m thc th truy xut bit (what you know) l c ch n gin nht v c s dng nhiu nht. Thng tin ny thng l mt khu (password), c lin kt vi mt thc th dng xc thc thc th . Mt khu thng l mt chui k t. Khng gian mt khu (password space) l tp hp tt c cc chui k t c th xut hin trong mt khu. Mi h thng xc thc c mt khng gian mt khu khc nhau. Khng gian mt khu cng ln th kh nng b tn cng mt khu theo phng thc brute force cng thp. Mt khu c gi l phc tp nu n kh b pht hin bng phng php d mt khu theo t in (dictionary attack). Theo kho st, nhng lai mt khu c dng ph bin nht hin nay bao gm: -Dng tn ca ngi s dng (user-name hoc account-name) lm mt khu hoc thm mt vi ch s (v d ngy sinh, s in thai, ) lm mt khu. -Dng tn ng nhp (logon-name) lm mt khu. -Dng tn my tnh (computer name) lm mt khu. -Mt khu ch bao gm cc k t s (ly t s in thai, ngy sinh, ). -Mt khu l nhng t kha c bit nh computer, hacker, -Ly mt t c ngha trong t in lm mt khu. -Ly tn mt ngi khc lm mt khu (thng l ngi c quan h mt thit) Nhng mt khu nh trn u c phc tp rt thp v do d dng b tit l. Cc h thng xc thc thng a ra cc chnh sch v mt khu (password policy) i vi ngi s dng. Cc chnh sch ny thng quy nh nhng rng buc sau y: -Chiu di ti thiu v kh ca mt khu, mt khu khng c cha user-name hoc logon-name (password complexity). -Thi gian s dng ti a ca mt khu (password age). 93

-Khng c php dng li mt khu c (password history). V pha ngi s dng, nhng nguyn tc chung tng an tan cho vic xc thc dng mt khu bao gm: -S dng nhiu lai k t khc nhau lm mt khu, mc ch l m rng khng gian mt khu (dng ch ci, ch s, cc k hiu c bit, dng phi hp gia ch hoa v ch thng, ) -Khng s dng cc mt khu qu ngn. -Khng s dng nhng t kha hoc t c ngha trong mt khu. -Thng xuyn thay i mt khu. -Khng ghi chp mt khu ln bt k v tr no. -Khng tit l mt khu cho ngi khc, ngay c nhng tnh hung an tan nht. Trn cc my ch xc thc, mt khu ca ngi s dng thng khng c lu tr mt cch trc tip di dng k t gc (cleartext) m phi c m ho di mt dng no m bo an ton. Ngoi ra, mt khu khng b nh cp khi truyn i trn mng, nhiu th tc xc thc phc tp c xy dng m bo rng mt khu khng c truyn i trc tip (cleartext) trn mng.

III.1.2 Xc thc trong m hnh im-im:

Mt thc th bn ngai h thng thng tin mun truy xut h thng nh mt ch th ca th thng th phi cung cp cc thng tin h thng xc thc nhn dng ca ch th. Cc thng tin ny thng l mt khu, th xc thc, du vn tay, Qu trnh xc thc mt thc th bao gm vic ly thng tin m thc th cung cp, phn tch v xc nh xem thng tin c lin kt vi thc th hay khng. Hai m hnh thc t ca mt h thng xc thc l xc thc ti ch (local authentication) hoc xc thc t xa (remote authentication) thng qua mi trng mng. M hnh th nht c s dng khi ngi s dng ng nhp trc tip vo mt thng ni b (local logon), thng tin xc thc (tn ngi dng v mt khu) c cung cp trc tip cho h thng xc thc (server). Trong m hnh th hai, ngi s dng ng nhp vo mt h thng xa. Tnh hung ny bt buc cc thng tin xc thc phi c gi i trn mng v do , nguy c b nghe ln thng tin l rt cao. Cc giao thc xc thc c thit k gim thiu cc nguy c ny. Trong cc h thng c in, kt ni t xa thng c thc hin thng qua cc giao thc im im nh SLIP (Serial Line Internet Protocol) hoc PPP (Point to Point Protocol). Cc th tc xc thc u l mt chiu, tc l ch c my ch xc thc ngi s dng ch khng c th tc ngc li. Hai giao thc xc thc thng c dng trong cc h thng ny l PAP (Password Authentication Protocol) v CHAP (Challenge-Handshake Authentication Protocol). -PAP l giao thc xc thc n gin nht v do km an tan nht. xc thc vi mt h thng server xa, ngi s dng ch cn gi tn ng nhp v mt khu ca mnh mt cch trc tip (clear text) cho server di dng mt gi yu cu xc thc (authenticate request packet). Server s kim tra thng tin xc thc cha trong gi d liu ny, nu trng vi thng tin lu tr trc th s tr li bng mt gi xc nhn (authenticate ack packet) v qu trnh xc thc xem nh thnh cng. Ngc li, nu thng tin xc thc khng ng, server s tr li bng gi t chi (Authenticate nak packet).

94

Ngi s dng

Authenticate request (User-name + Password) Authenticate ack hoc Authenticate nak Server

Hnh 3.1: Giao thc xc thc PAP

-CHAP l giao thc xc thc phc tp hn, c dng trong giao thc kt ni PPP v mt s h thng khc. CHAP c u im hn PAP v phng din bo mt l c dng cc hm bm mt chiu v thng tin xc thc khng c gi i trc tip trn mng. Qu trnh xc thc bng giao thc CHAP gm cc bc sau y (gi l qu trnh challenge-response): Sau khi thit lp xong kt ni PPP, xc nh xem ngi s dng c quyn truy xut hay khng, server s gi cho ngi s dng mt khi d liu thch thc (challenge), trong c cha mt gi tr ngu nhin do server to ra. Ngi s dng sau khi nhn c khi challenge s gn thm tn ng nhp v mt khu ca mnh vo , sau thc hin mt hm bm mt chiu (v d MD5) ln khi thng tin v gi m bm li cho server. Pha server cng thc hin mt qu trnh tng t v so snh vi kt qu nhn c t ngi s dng xc nh qu trnh xc thc c thnh cng hay khng.

Mt c im na ca giao thc ny lm tng tnh an tan ca kt ni l qu trnh challenge-response c lp li nhiu ln trong sut thi gian duy tr kt ni. Nu gi tin tr li ca ngi dng khng hp l, kt ni s b gii ta tc thi.

Challenge

Ngi s dng

User-name + H(user-name + password + challenge)

Server

Success / Failure

Hnh 3.2: Giao thc xc thc CHAP

III.1.3 Xc thc trong cc h thng phn tn:

95

Trong cc h thng phn tn, nhiu my ch cung cp dch v c qun l bi mt trung tm xc thc duy nht. Giao thc xc thc trong cc h thng ny phi m bo c 2 yu cu c bn: m bo an tan i vi thng tin xc thc (tn ng nhp v mt khu khng c truyn i trc tip trn mng). Ngi dng ch cn ng nhp mt ln cho phin lm vic nhng c kh nng s dng tt c cc dch v c trong h thng.

V d: Mt h thng mng Windows c cu hnh theo m hnh Domain. Trong Domain ny c nhiu my ch cung cp dch v khc nhau, gm dch v in n (print server), dch v lu tr d liu (file server), dng chung kt ni Internet (qua proxy server), Khi ngi s dng ng nhp vo h thng t mt my thnh vin ca Domain, ngi s dng ny phi c kh nng truy xut n tt c cc dch v trong Domain (ty theo quyn c cp) m khng phi nhp li tn ng nhp v mt khu cho tng dch v. C ch qun l tp trung ny cung cp s tin li cho c ngi s dng ln h thng. Mt th tc xc thc in hnh trong cc h thng ny bao gm cc bc nh sau: Mt ngi dng ng nhp t mt my con (C ) trong h thng v yu cu truy xut n my ch V. My con C yu cu ngi dng cung cp tn ng nhp v mt khu ri sau chuyn thng tin ny cho trung tm xc thc AS (Authentication Server). My ch AS kim tra xem tn ng nhp v mt khu c hp l hay khng, ng thi kim tra xem ngi dng ny c c php truy xut cc dch v trn my ch V hay khng. Nu c hai vic kim tra trn u thnh cng th ngi dng c php truy xut dch v trn my ch V. lm c vic , AS to ra mt th truy xut (ticket) cha cc thng tin bao gm nhn dng ca ngi dng, a ch mng ca my con v nhn dng ca my ch V. Th truy xut ny c m ha bng kha b mt dng chung gia AS v V. Th truy xut cng c gi cho C. Bt u t , C c th yu cu cc dch v ca V bng cch gi cc bn tin c gn km th truy xut va to ra cho V. My ch V s gii m th truy xut v chp nhn cho C truy xut cc dch v ca mnh. C AS: AS C: C V: Trong : C: My con AS: my ch xc thc (Authentication server). V: my ch cung cp dch v. IDC: Nhn dng (tn ng nhp) ca ngi dng. IDV: Nhn dng ca my ch V. 96 IDC + PC + IDV Ticket IDC + Ticket

Qu trnh c biu din nh sau:

Ticket = E([IDC + ADC + IDV], KV)

PC: Mt khu ca ngi dng. ADC: a ch mng ca my con. KV: Kha b mt ca my ch cung cp dch v V. Th tc xc thc nh trn gii quyt c vn bo mt bng cch a ra khi nim th truy xut (ticket), trong cc thng tin b mt c m ha trong mt bn tin c bit trc khi lun chuyn trn mng. Tuy nhin, vn cn hai vn cha c gii quyt: 1-Nu ngi dng c nhu cu s dng dch v nhiu ln, hoc s dng nhiu dch v khc nhau trn cc my ch khc nhau, vy ngi dng phi thc hin th tc xc thc nhiu ln, tc l phi nhp mt khu nhiu ln? 2-Th tc xc thc vn cn mt bc (bc u tin) trong thng tin xc thc (mt khu) c gi i trc tip trn mng m khng m ha. Th tc sau y s gii quyt hai vn trn: Khi ngi dng ng nhp h thng: (1) C AS: IDC + IDtgs (2) AS C: E(Tickettgs, Kc) Khi ngi dng truy xut mt loi dch v (per service type): (3) C TGS: IDC + IDV + Tickettgs (4) TGS C: Ticketv Khi ngi dng truy xut mt phin giao dch c th (per service session): (5) C V: IDC + Ticketv Trong : Tickettgs = E([IDC + ADC + IDtgs + TS1 + Lifetime1], Ktgs) Ticketv = E([IDC + ADC + IDv + TS2 + Lifetime2], Kv) Trong th tc trn, mt thnh phn mi c thm vo h thng xc thc l my ch cp th TGS (Ticket-Granting server). Khi ngi dng xc thc thnh cng vi AS, thay v cp th s dng dch v trc tip cho ngi dng, AS ch cp cho ngi dng th truy xut ca TGS, c tc dng nh mt xc nhn y l mt ngi dng hp h. K t v sau, mi khi ngi dng cn truy xut dch v no th ch cn gi th truy xut v yu cu ca mnh n TGS c cp th truy xut dch v. Nh vy, AS ch cn cp th cho ngi dng mt ln, hay ni cch khc, th c th dng li, c trong trng hp ngi dng s dng dch v nhiu ln hoc s dng nhiu dch v khc nhau m khng cn phi nhp li mt khu. Th tc ny c m t chi tit nh sau: My con C yu cu mt th xc nhn ngi dng hp l (Ticket Granting Ticket) bng cch gi nhn dng ca ngi dng cho AS, trong c nhn dng ca TGS. AS gi li th xc nhn ngi dng hp l cho my con nhng c m ha vi kha l mt khu ca ngi dng (KC). Do , nu ngi dng cung cp ng mt khu th th ny c gii m thnh cng, ngc li, vic xc thc xem nh kt thc khng thnh cng. 97

Nh vy, mt khu ca ngi dng khng c gi i trc tip trn mng. Do th ny c kh nng dng li, nn qun l vic tn ti ca n, trong th c gn thm mt nhn thi gian quy nh thi gian tn ti hp l ca th. trnh trng hp thay i v gi mo th, th c m ha mt ln na bng kha b mt ca AS v TGS. Sau khi c th xc nhn ngi dng hp l, my con c th yu cu dch v trn my ch V bng cch yu cu th s dng dch v (Service-granting Ticket) t TGS. Thng tin gi n cho TGS bao gm nhn dng ca my ch V, th xc nhn ngi dng hp l v tn ng nhp ca ngi dng. TGS gii m th xc nhn ngi dng hp l kim tra, nu hp l th cp th truy xut dch v cho ngi dng. Th ny c m ha bng kha b mt ca V v TGS. Sau khi c th truy xut dch v, ngi dng c th s dng dch v trn my ch V.

Nh vy, th tc trn gii quyt c 2 vn : dng li th v khng gi mt khu trc tip trn mng. Tuy nhin, li thm 2 vn khc ny sinh: -Th nht, nu thi gian tn ti ca cc ticket qu ngn, ngi dng c th phi nhp li mt khu to th mi. Nu thi gian ny qu di, nguy c b ly cp th tng ln. Do , khi xc nhn mt th, my ch (TGS hoc V) phi bit chc rng mnh ang lm vic vi ng ngi dng c tn ng nhp cha trong th. -Th hai, song song vi vic ngi dng xc thc vi my ch, th cng cn phi c thao tc xc thc ngc li t my ch n ngi dng lai tr trng hp chnh my ch b gi mo. y chnh l tn ti c gii quyt bi giao thc xc thc Kerberos.

III.1.4 Giao thc xc thc Kerberos:

Kerberos l mt th tc c xy dng nng cao an tan khi xc thc trong mi trng mng phn tn. Kerberos da trn k thut mt m i xng (DES). C th tm lc th tc xc thc ca Kerberos version 4 nh sau (hnh 3.3): 1- My con yu cu AS cung cp th xc nhn ngi dng: C AS: IDc + IDtgs + TS1 2- AS cung cp th xc nhn ngi dng cho my con: AS C: E([Kc,tgs + IDtgs + TS2 + Lifetime2 + Tickettgs], Kc) Vi Tickettgs = E([Kc,tgs + IDc + ADc + IDtgs + TS2 + Lifetime2], Ktgs) 3- My con yu cu TS cung cp th truy xut dch v: C TGS: IDv + Tickettgs + Authenticatorc 4- TGS cung cp th truy xut dch v cho my con: TGS C: E([Kc,v + IDv + TS4 + Ticketv], Kc,tgs) Vi Tickettgs = E([Kc,tgs + IDC +ADC + IDtgs + TS2 + Lifetime2], Ktgs) Ticketv = E([Kc,v + IDC + ADC + IDv + TS4 + Lifetime4], Kv) 98

Authenticatorc = E([IDC + ADC + TS3], Kc,tgs) 5- My con yu cu dch v: C V: Ticketv + Authenticatorc Vi Authenticatorc = E([IDc + ADC + TS5], Kc,v) 6- Server xc thc vi my con (khng bt buc): V C: E([TS5 + 1], Kc,v) Vi: Ticketv = E([Kc,v + IDc + ADc + IDv + TS4 + Lifetime4], Kv)
Kerberos Ticket granting Ticket Request Ticket + session key My ch xc thc (AS)

My con (C)

Service granting Ticket Request Ticket + session key

My ch cp th (TGS)

My ch (V) Yu cu dch v Cung cp dch v

Hnh 3.3: Th tc xc thc Kerberos 4 Cc thnh phn trong cc bn tin ca Kerberos: -Bn tin (1): My con yu cu cp th xc nhn ngi dng (Ticket-granting-Ticket): IDC: Nhn din ca ngi dng (do my con gi n cho AS, da trn thng tin ng nhp ca ngi dng). IDtgs: Nhn din ca TGS, mc ch cho AS bit rng my con ang mun truy xut n TGS. TS1: Nhn thi gian, mc ch ng b thi gian gia AS v my con. Kc: Dng chnh mt khu ca ngi dng lm kho mt m, va c mc ch bo v thng tin va cho php AS xc thc mt khu ca ngi dng. Nu my con khng c mt khu ng th s khng gii m c bn tin ny. 99

-Bn tin (2): AS cung cp th xc nhn ngi dng cho my con:

Kc, tgs: kho b mt c dng gia my con v TGS do AS to ra. Kha ny ch c tc dng trong mt phin lm vic (session key). IDtgs: Nhn din ca TGS, dng xc nhn rng th ny c tc dng cho php my con truy xut n TGS. TS2: Nhn thi gian, cho bit thi im th c to ra. Lifetime2: Cho my con bit thi gian tn ti ca th. Tickettgs: My con dng th ny truy xut TGS. IDV: Nhn dng ca my ch V, dng thng bo cho TGS l my con mun truy xut n dch v ca my ch V. Tickettgs: Th c cp cho my con bi AS Authenticatorc: mt gi tr c to ra bi my con xc minh th. Kc, tgs: Kho b mt dng chung gia my con v TGS bo v ni dung ca bn tin (4) Kc, v: Kho b mt c dng gia my con v my ch V do TGS to ra. Kho ny ch c gi tr trong tng phin lm vic (session key). IDv: nhn din ca my ch V, c chc nng xc nhn th ca my ch V TS4: nhn thi gian cho bit thi im th c to ra. Ticketv: Th c my con dng truy xut my ch V. Tickettgs: Th ny c dng li ngi dng khng phi nhp li mt khu khi mun truy xut dch v khc. Ktgs: Kha b mt dng chung gia AS v TGS. Kc, tgs: Session key c TGS dng gii m authenticator. Kho ny c dng chung gia my con v TGS. IDC: Nhn din my con, cho bit y l ch s hu ca th. ADC: a ch mng ca my con, dng ngn chn trng hp mt my khc ly cp th yu cu dch v. IDtgs: nhn din ca TGS, xc nhn th c gii m thnh cng. TS2: nhn thi gian cho bit thi im to ra th. Lifetime2: Thi gian tn ti ca th, nhm ngn chn vic s dng li th (replay). Authenticatorc: Thng tin xc thc ca my con. Kc, tgs: Kho b mt dng chung gia my con v TGS, dng m ho thng tin xc thc ca my con. IDc: nhn dng my con, phi trng vi ID trong th. ADc: a ch mng ca my con, phi trng vi a ch trong th. TS3: Nhn thi gian, cho bit thi im m authenticator c to ra. Ticketv: Th cho bit mycon c xc thc bi AS. 100

-Bn tin (3): My con yu cu th truy xut dch v (Service Granting Ticket):

-Bn in (4): TGS cung cp th truy xut dch v cho my con::

-Bn tin (5): My con yu cu truy xut dch v:

Authenticatorc: Thng tin xc thc th ca my con. Kc, v: Kho b mt dng chung gia my con v my ch V. TS5 + 1: Nhn thi gian, dng trnh trng hp thng tin xc thc c c dng li. Ticketv: Th truy xut my ch V. Th ny c th dng li khi my con truy xut dch v n chnh my ch V m khng cn yu cu cp th mi. Kv: Kho b mt dng chung gia TGS v my ch V. Kc, v: Kho b mt dng chung gia my con v my ch V, dng gii m thng tin xc thc. IDc: Nhn dng ca my con. ADc: a ch mng ca my con. IDv: Nhn dng ca my ch V. TS4: Nhn thi gian cho bit thi im th c to. Lifetime4: Thi gian tn ti ca th. Authenticatorc: Thng tin xc thc ca my con. Kc, v: Kho b mt, dng chung gia my con v my ch V m ho thng tin xc thc. IDc: Nhn din my con, phi ging vi IDc trong th ADc: a ch mng ca my con, phi ging vi a ch trong th. TS5: Thi im thng tin xc thc c to ra.

-Bn tin (6): My ch V xc thc vi my con:

-Kt hp gia nhiu h thng Kerberos: Mt mi trng s dng h thng xc thc Kerberos y bao gm my ch Kerberos (Kerberos server), cc my ch dch v (application server) v cc my con s dng dch v (client), trong : -My ch Kerberos phi c danh sch tt c cc tn ng nhp v mt khu c m ha ca cc ngi dng ny. Tt c cc my con u phi ng k vi my ch Kerberos. -My ch Kerberos s dng mt kha b mt chung vi cc my ch cn li. Tt c cc my ch u phi ng k vi my ch Kerberos. Mt mi trng tha mn cc iu kin nh vy c gi l mt lnh a Kerberos (Kerberos realm). Nh vy, cc my ch v my con thuc cc n v qun l khc nhau s thuc v cc lnh a Kerberos khc nhau. Giao thc xc thc Kerberos cng bao gm cc th tc cho php kt hp cc lnh a Kerberos li cung cp dch v mt cch ng nht. Hnh 3.4 m t hat ng ca th tc ny. Trnh t ca th tc kt hp lnh a Kerberos c tm tt nh sau: (1) C AS: IDc + IDtgs + TS1 (2) AS C: E([Kc,tgs + IDtgs + TS2 + Lifetime2 + Tickettgs], Kc) 101

(3) C TGS: IDtgsrem + Tickettgs + Authenticatorc (4) TGS C: E([Kc,tgsrem + IDtgsrem + TS4 + Tickettgsrem], Kc,tgs) (5) C TGSrem: IDvrem + Tickettgsrem + Authenticatorc (6) TGSrem C: E([Kc,vrem + IDvrem + TS6 + Ticketvrem], Kc,tgsrem) (7) C Vrem: Ticketvrem + Authenticatorc

Lnh a A

My con

Kerberos Ticket-granting-Ticket Request Ticket-granting-Ticket AS

Service-granting-Ticket Request for realm B Service-granting-Ticket TGS

Cung cp dch v

Yu cu dch v

Lnh a B Service Granting Ticket Request Service Granting Ticket

Kerberos TGS

AS

My ch

Hnh 3.4: Xc thc gia hai lnh a Kerberos -Kerberos 5: l mt phin bn nng cp ca Kerberos 4 vi nhng im khc bit nh sau: Kerberos 4 ph thuc cht ch vo gii thut m ha i xng DES, trong khi Kerberos 5 th tng thch vi bt k mt gii thut m ha no.

102

Kerberos 4 ph thuc vo a ch IP xc thc ngi dng, Kerberos 5 c th s dng bt k a ch no (v d MAC address). Kerberos 4 s dng thm 1 byte trong cc bn tin cho bit th t byte trong bn tin. Kerberos 5 dng c php ANS.1 (Abstract Syntax Notation One) v lut m ha c bn BER (Basic Coding Rules) to ra c ch xp th t byte trong bn tin mt cch r rng. Thi gian tn ti ca th trong Kerberos 4 c cha trong mt trng di 8 bit, tnh theo n v 5 pht, nh vy, thi gian sng ti a ca th l 5 * 28 = 1280 pht (khang 21 gi). Trong Kerberos 5, thi gian tn ti c biu th bng thi im bt u v thi im kt thc, cho php thi gian ny c bin thin khng gii hn. Kerberos 4 khng cho php c ch chuyn tip xc thc, tc l c ch mt my con truy xut n mt my ch, v yu cu my ch ny truy xut n dch v ca mt my ch khc thng qua nhn dng ca my con. Kerberos 5 cung cp kh nng ny. Kerberos 4 yu cu N2 quan h gia cc lnh a Kerberos trong trng hp lin kt hat ng gia N lnh a. Kerberos 5 yu cu s quan h t hn nhiu.

Th tc xc thc dng Kerberos 5 c tm tt nh sau: (1) C AS: Options + IDc + Realmc + IDtgs + Times + Nonce1 (2) AS C:Realmc +IDC +Tickettgs +E([Kc,tgs +Times +Nonce1 +Realmtgs +IDtgs], Kc) Vi Tickettgs = E([Flags + Kc,tgs + Realmc + IDc + ADc + Times], Ktgs) (3) C TGS: Options + IDv + Times + Nonce2 + Tickettgs + Authenticatorc (4) TGS C: Realmc +IDc +Ticketv +E([Kc,v +Times +Nonce2 +Realmv +IDv], Kc,tgs) Vi Tickettgs = E([Flags + KC,tgs + Realmc + IDC + ADC + Times], Ktgs) Ticketv = E([Flags + Kc,v + Realmc + IDC + ADc + Times], Kv) Authenticatorc = E([IDC + Realmc + TS1], Kc,tgs) (5) C V: Options + Ticketv + Authenticatorc (6) V C: E([TS2 + Subkey + Seq#], Kc,v) Vi Ticketv = E([Flags + Kc,v + Realmc + IDC + ADC + Times], Kv) Authenticatorc = E([IDC + Realmc + TS2 + Subkey + Seq#], Kc,v) Trong th tc trn, ngoi nhng thnh phn xut hin trong Kerberos 4 cn c thm cc thnh phn mi sau y: -Realm: Biu th lnh a ca ngi dng. -Options: Cc tu chn, dng yu cu cc thng tin cng thm xut hin trong th. -Times: Dng my con yu cu cc thng s thi gian trong th nh from, till, rtime. -Nonce: Gi tr ngu nhin c to ra trong bn tin m bo rng bn tin tr li l bn tin hp l ch khng phi bn tin c dng li.

103

III.2 IP SECURITY
III.2.1 Cc ng dng v c im ca IPSec:
IP security (IPSec) cung cp mt phng tin truyn thng an tan trn mng LAN, gia cc mng LAN ni vi nhau thng qua mng WAN v gia cc mng khc nhau trn mng Internet. IPSec l phn m rng ca giao thc IP, c thc hin thng nht trong c hai phin bn ca IP v IPv4 v IPv6. -Cc ng dng in hnh ca IPSec bao gm: Kt ni gia cc chi nhnh ca mt t chc thng qua mng Internet: bng cch xy dng cc mng ring o VPN (Virtual Private Network) trn nn ca mng WAN cng cng hoc mng Internet. Cc t chc c th kt ni cc mng con cc chi nhnh ca mnh li thnh mt mng ring vi chi ph thp nhng vn m bo c an tan. Truy xut t xa thng qua mng Internet: truy xut t xa n mt dch v no , thng thng ngi dng phi thc hin kt ni bng ng dy in thai (dial-up) n my ch cung cp dch v. Vi IPSec, ngi dng ch cn kt ni n mt nh cung cp dch v Internet gn nht (ISP) v sau thc hin kt ni n my ch xa thng qua IPSec mt cch an tan m khng phi tn chi ph in thai ng di. Nng cao tnh an tan ca cc giao dch thng mi trn mng Internet, p dng cho cc website bn hng qua mng hoc cc dch v thanh tan qua Internet.

Thit b u cui c h tr IPSec

Mng WAN / Internet

Thit b mng c h tr IPSec Thit b mng c h tr IPSec

Mng LAN / intranet

Mng LAN / intranet

Cc thnh phn ca gi d liu: Tiu IP (IP header) Tiu IPSec (IPSec header) D liu ca gi IP (IP Payload)

Hnh 3.5: ng dng ca IPSec

104

-Cc u im ca IPSec: -Khi IPSec c trin khai trn bc tng la hoc b nh tuyn ca mt mng ring, th tnh nng an tan ca IPSec c th p dng cho tan b lu lng vo ra mng ring m cc thnh phn khc khng cn phi x l thm cc cng vic lin quan n bo mt. -IPSec c thc hin bn di ca lp TCP v UDP, ng thi n hat ng mt cch trong sut vi cc lp ny. Do vy, khng cn phi thay i phn mm hay cu hnh li cc dch v khi IPSec c trin khai. -IPSec c th c cu hnh hat ng mt cch trong sut i vi cc ng dng u cui, iu ny gip che giu nhng chi tit cu hnh phc tp m ngi dng phi thc hin khi kt ni n mng ni b t xa thng qua mng Internet.

III.2.2 Cu trc IPSec:

IPSec c xy dng da trn cc thnh phn bo mt c bn sau y, mi thnh phn
Cu trc IPSec

Giao thc ESP

Giao thc AH

Thut tan mt m

Thut tan xc thc

Min thc thi

Qun l kha

Hnh 3.6: Cu trc IPSec c nh ngha trong mt ti liu ring tng ng (hnh 3.6): -Cu trc (Architecture): Quy nh cu trc, cc khi nim v yu cu ca IPSec. -Giao thc ESP: M t giao thc ESP, l mt giao thc mt m v xc thc thng tin trong IPSec. -Giao thc AH: nh ngha mt giao thc khc vi chc nng gn ging ESP. Nhng vy, khi trin khai IPSec, ngi s dng c th chn dng ESP hoc AH. Mi giao thc c u v nhc im ring, s c trnh by trong phn ny. 105

-Thut tan mt m: nh ngha cc thut tan m ha v gii m s dng trong IPSec. IPSec da ch yu vo cc gii thut m ha i xng. -Thut tan xc thc: nh ngha cc thut tan xc thc thng tin s dng trong AH v ESP. -Qun l kha: M t cc c ch qun l v phn phi kha trong IPSec. -Min thc thi (Domain of Interpretation_DOI): nh ngha mi trng thc thi IPSec. Nh trnh by, IPSec khng phi l mt cng ngh ring bit m s t hp ca nhiu c ch, giao thc v k thut khc nhau, trong mi c ch, giao thc u c nhiu ch hat ng khc nhau. Vic xc nh mt tp cc ch cn thit trin khai IPSec trong mt tnh hung c th l chc nng ca min thc thi.

III.2.3 Quan h bo mt:

Mc tiu ca IPSec l cung cp mt c ch truyn an tan m bo tnh tan vn v xc thc ca d liu. Trong mi trng IPSec, mt khi nim quan trng c dng din t mt quan h truyn thng bo mt gia mt u gi v mt u nhn l quan h bo mt (SA_Security Association). Mi SA c xem nh mt lin kt mt chiu gia hai thc th, do , mt kt ni hai chiu thng thy s bao gm 2 SA. Mi SA s dng mt giao thc xc thc nht nh (AH hoc ESP) ch khng th s dng ng thi c hai. Mi SA c nhn dng bi 3 thng s sau y: -Security Parameters Index (SPI): l mt chui bit c gn cho SA, ch c gi tr ni b. SPI c t trong tiu ca AH v ESP, cho php pha nhn (receiving system) chn mt SA c th x l cc gi d liu nhn c. -IP Destination Address: y l a ch u cui ca SA, a ch ny l a ch ca thit b m SA kt thc ti , c th l a ch ca mt h thng u cui hoc ca mt thit b mng (router, firewall) -Security Protocol Identifier: Cho bit SA s dng giao thc xc thc no (AH hay ESP). Nh vy, trong mi gi IP ca IPSec, SA c nhn dng bng t hp gm a ch ch (destination address) v SPI trong tiu m rng (AH hoc ESP).

III.2.4 Ch vn chuyn v ch ng hm:

IPSec (c AH v ESP) cung cp hai ch lm vic khc nhau: -Ch vn chuyn (transport mode): cung cp c ch bo v cho d liu ca cc lp cao hn (TCP, UDP hoc ICMP). c ch ny, phn d liu (payload) ca gi IP c p dng cc c ch bo v (mt m hoc xc thc). Ch ny thng dng cho cc kt ni t u cui n u cui, v d t trm lm vic n my ch hoc gia hai trm lm vic vi nhau. -Ch ng hm (tunnel mode): cung cp c ch bo v lp IP, ngha l gi IP cng vi cc tiu ca AH hoc ESP c gi thm mt ln na bng cc tiu mi. Khi , cc gi IP gc c xem nh di chuyn trong mt ng hm (tunnel) t u ny n u kia ca mng m cc nt trung gian khng xen vo c. Ch ny thng c dng trong cc SA ni gia hai gateway ca hai mng. Ch vn chuyn v ch ng hm s c trnh by ring trong tng giao thc AH v ESP.

106

Cc thut ton m ha / gii m v cc thut ton xc thc thng tin c trnh by chng 2, nn trong phn ny ch tp trung m t hat ng ca hai giao thc AH v ESP, sau gii thiu cc c ch qun l kha ca IPSec.

III.2.5 AH:
AH (Authentication Header) l mt giao thc xc thc dng trong IPSec, c chc nng m bo tnh tan vn ca d liu chuyn i trn mng IP. AH cho php xc thc ngi dng, xc thc ng dng v thc hin cc c ch lc gi tng ng. Ngai ra, AH cn c kh nng hn ch cc tn cng gi danh (spoofing) v tn cng pht li (replay). C ch hat ng ca AH da trn m xc thc MAC (Message Authetication Code), do , thc thi AH th hai u cui ca SA phi dng chung mt kha b mt. Cu trc tiu ca gi AH (hnh 3.7) bao gm cc phn sau:
Bit 0 Tiu k tip 8 16 Kch thc d liu Dnh ring 31

Security Parameters Index (SPI) S th t gi M xc thc (Kch thc thay i)

Hnh 3.7: Cu trc gi AH

-Tiu k tip (Next Header - 8 bits): Nhn dng kiu tiu i lin sau tiu ca AH. -Kch thc d liu (Payload Length -8 bits): Chiu di ca gi AH, tnh bng n v 32 bit tr i 2. V d, chiu di phn d liu xc thc l 96 bit (= 3 * 32 bit), cng vi chiu di phn tiu AH (c nh) l 3 * 32 bit na thnh 6 * 32 bit, khi gi tr ca trng kch thc d liu l 4. -Dnh ring (Reserved -16 bits): Phn dnh ring, cha dng. -Security Parameters Index (SPI - 32 bits): Nhn dng SA nh trnh by trn. -S th t gi (Sequence Number - 32 bits): S th t. -M xc thc (Authentication Data): d liu xc thc, c chiu di thay i nhng phi l bi s ca 32 bit. Trng ny cha gi tr kim tra ICV (Integrity Check Value) hoc MAC (Message Authentication Code) cho tan b gi *-Anti-replay service: dch v cho php ngn chn cc hnh vi tn cng pht li (replay) nh trnh by chng 1. Trng s th t (Sequence number) trong tiu AH c dng nh du th t cc gi c gi i trn mt SA. Ban u, gi tr ny c khi to bng 0 v tng dn sau mi gi c gi. m bo khng c gi lp li, khi s th t t gi tr cc i 107

(232-1), n s khng c quay li gi tr 0 m thay vo , mt SA mi c thit lp tip tc vic truyn d liu. pha nhn, qu trnh x l cc gi nhn c thc hin theo c ch dch ca s nh m t hnh 3.8. Kch thc mc nh ca ca s l 64. C ch thc hin nh sau: Nu gi nhn c nm trong vng hp l ca ca s v l mt gi mi ch khng phi gi truyn li th gi tr MAC ca gi s c kim tra. Nu chnh
Dch ca s qua bn phi nu nhn c mt gi hp l. Ca s vi kch thc c nh W

N-W c nh du biu th mt gi hp l va c nhn

N+1 khng nh du cho bit gi d liu v tr cha c nhn

Hnh 3.8: C ch dch ca s trong AH xc (tc gi c xc thc) th khe tng ng trong ca s c nh du. Nu gi nhn c nm bn phi ca ca s v l gi mi, gi tr MAC ca gi c kim tra. Nu ng th ca s c dch mt khe sang bn phi, ng thi khe tng ng trong ca s c nh du. Nu gi nhn c nm bn tri ca s hoc gi tr MAC khng hp h th b hy b.

-Xc thc thng tin: M xc thc (trng Authentication Data) c to ra dng mt trong 2 cch: -HMAC-MD5-96: dng phng php HMAC, thut ton MD5, ct ly 96 bit u tin. -HMAC-SHA-1-96: dng phng php HMAC, thut ton SHA-1, ct ly 96 bit u tin. Thut ton MAC c p dng trn cc phn thng tin sau y: Cc trng khng b thay i trong tiu gi IP khi c chuyn tip trn mng hoc c th d an c ti u cui ca SA. Nhng trng cn li trong tiu gi IP c thay bng cc bit 0 khi tnh tan. Cc trng trong tiu AH ngai tr trng Authentication Data. Trng ny c thay bng cc bit 0 khi tnh. Tan b gi d liu ca lp trn (tc phn payload ca gi IP).

-Ch vn chuyn v ch ng hm: Hnh 3.9 m t hai trng hp xc thc khc nhau: 108

-Xc thc t u cui n u cui (End-to-End Authentication): l trng hp xc thc trc tip gia hai h thng u cui (gia my ch vi trm lm vic hoc gia hai trm lm vic), vic xc thc ny c th din ra trn cng mng ni b hoc gia hai mng khc nhau, ch cn 2 u cui bit c kha b mt ca nhau. Trng hp ny s dng ch transport ca AH. -Xc thc t u cui n trung gian (End-to-Intermediate Authentication): l trng hp xc thc gia mt h thng u cui vi mt thit b trung gian (router hoc firewall). Trng
Server

Xc thc u cui n u cui Mng ni b Xc thc u cui n u cui Router/Firewall Xc thc u cui n trung gian

Mng cng cng

Hnh 3.9: Hai ch xc thc ca AH hp ny s dng ch tunnel ca AH. Hnh 3.10 m t phm vi p dng c ch bo v ca AH ln gi d liu trong hai ch khc nhau.
a- Gi IP gc IP TCP Data

Phm vi thng tin c xc thc b- Gi IP ch transport IP AH TCP Data

Phm vi thng tin c xc thc b- Gi IP ch tunnel IP (mi) AH IP (c) TCP Data

Hnh 3.10: Phm vi p dng ca AH ln gi d liu hai ch transport v tunnel

109

III.2.6 ESP:
ESP (Encapsulating Security Payload) l mt la chn khc thc thi IPsec bn cnh giao thc xc thc thng tin AH. Chc nng chnh ca ESP l cung cp tnh bo mt cho d liu truyn trn mng IP bng cc k thut mt m. Tuy nhin, ESP cng cn c mt ty chn khc l cung cp c dch v bo m tnh tan vn ca d liu thng qua c ch xc thc. Nh vy, khi
Bit 0 8 16 Security Parameters Index (SPI) S th t gi 24 31

D liu (kch thc thay i)

D liu chn (0 255 byte) Kch thc chn M xc thc (kch thc thay i) Tiu k tip

Hnh 3. 11: Cu trc gi ESP dng ESP, ngi dng c th chn hoc khng chn chc nng xc thc, cn chc nng m ha l chc nng mc nh ca ESP. Gi d liu ESP gm cc thnh phn sau (hnh 3.11): -Security Parameters Index (SPI - 32 bits): Nhn dng SA nh trong giao thc AH. -S th t gi (Sequence Number - 32 bits): S th t, c chc nng nh s th t trong AH. -D liu (Payload Data): y l phn d liu c bo v bng mt m. Trng ny c di thay i. Trong ch vn chuyn, y l tan b gi d liu ca lp 4 (TCP hoc UDP). Cn trong ch ng hm, y l tan b gi IP. ESP chun s dng thut ton mt m i xng DES, tuy nhin, c th dng cc thut ton mt m khc nh 3DES (3 kha), RC5, IDEA, triple IDEA (3 kha), CAST, Blowfish. -D liu chn (Padding 0-255 bytes): Mt s thut ton mt m yu cu kch thc d liu gc phi c nh. Cc byte d liu gi c thm vo m bo di vng d liu. Tuy nhin, theo quy nh ca ESP, chiu di trng pad-length v trng next-header phi c nh l 32 bit tnh t bn phi, do vy, phn padding phi c kch thc sao cho tan b phn thng tin cn m ha l bi s ca 32 bit. - Kch thc chn (Pad Length - 8 bits): Cho bit s byte ca vng d liu chn (padding). 110

- Tiu k tip (Next Header - 8 bits): Nhn dng kiu d liu cha trong phn payload data. - M xc thc (Authentication Data): Cha thng tin xc thc, c chiu di thay i nhng phi l bi s ca 32 bit. Thng tin xc thc c tnh trn tan gi ESP ngai tr phn Authentication Data. -Ch vn chuyn v ch ng hm: Ch vn chuyn: chc nng m ha v xc thc thng tin c thc hin trn phn d liu (payload data) ca gi IP (tc tan b n v d liu ca lp trn IP). Ch ng hm: tan b gi IP c m ha v xc thc. S khc nhau gia hai ch hot ng c m t hnh 3.12.
a- Gi IP gc

IP

TCP

Data

Phm vi thng tin c xc thc Phm vi thng tin c m ho b- Gi IP ch transport IP ESP header TCP Data ESP trailer ESP auth

Phm vi thng tin c xc thc Phm vi thng tin c m ho b- Gi IP ch tunnel IP (mi) ESP header IP (c) TCP Data ESP trailer ESP auth

Hnh 3.12: Tc dng ca ESP ln gi IP hai ch transport v tunnel

III.2.7 Qun l kha trong IPSec:

IPSec da trn k thut xc thc HMAC (hashed based MAC) v cc phng php mt m i xng m c bn l DES. Do vy, vn qun l v phn phi cc kha b mt gia cc u cui SA l vn quan trng trong trin khai IPSec. C hai c ch qun l kha: -Qun l kha bng tay (manual): ngi qun tr mng to ra kha v ci t cho cc h thng u cui. C ch ny ch ph hp vi cc h thng c quy m nh. -Qun l kha t ng (automated): mt h thng t ng to ra v phn phi kha cho cc h thng u cui. IPSec s dng hai h thng qun l kha t ng l Oakley v ISAKMP. -Oakley Key Determination Protocol: y l giao thc trao i kha da trn gii thut Diffie-Hellman, c b sung thm cc chc nng bo mt. -Internet Security Association and Key Management Protocol (ISAKMP): cung cp mt m hnh chung cho vic qun l kha trn Internet, nh ngha cc th tc v khun dng ring.

111

III.3 SECURE SOCKETS LAYER

Secure Sockets layer hay SSL l mt giao thc bo mt c Netscape thit k nhm cung cp cc kt ni bo mt cho cc ng dng trn nn giao thc TCP/IP. SSL c chun ha v s dng rng ri trong nhiu ng dng trn mng Internet nh web, mail, Phin bn hin ti ca SSL l 3.0. Phin bn SSL c IEEE chun ha l c gi l TLS (Transport Layer Security), v c xem nh l SSL phin bn 3.1.

III.3.1 Cu trc SSL:

SSL thc ra bao gm hai lp giao thc nm pha trn TCP. Lp th nht l giao thc truyn d liu SSL (SSL record protocol) v lp th hai gm mt tp cc giao thc ph tr (hnh 3.13). Phn ny gii thiu khi qut cc thnh phn ca SSL.
Giao thc bt tay SSL Giao thc thay i thng s m Giao thc cnh bo

HTTP

Giao thc truyn d liu

TCP

IP

Hnh 3.13: Cu trc SSL

Hai khi nim c bn thng c dng trong SSL l kt ni (connection) v phin giao dch (session). -Kt ni l mt kt ni (tm thi) gia mt u cui ny vi mt u cui kia cung cp mt lai dch v thch hp. Mi kt ni lin kt vi mt phin giao dch (session). -Phin giao dch l mt lin kt gia mt my con v mt my ch, c to ra bi giao thc SSL Handshake protocol. Phin giao dch nh ngha cc tham s bo mt dng chung cho nhiu kt ni. Trng thi ca phin giao dch c nh ngha bi cc thng s sau y: Nhn dng phin (Session identifier): Mt chui byte ngu nhin c server chn nhn dng mt trng thi ca phin giao dch. Chng thc kha i phng (Peer certificate): Chng thc kha cng khai (X509.v3) ca thc th i phng. Thnh phn ny c th c hoc khng. Phng php nn (Compression method): Gii thut nn d liu trc khi m ha. Thut tan m (Cipher spec): Xc nh thut ton m ha v hm bm c s dng cho phin giao dch. Kha (Master secret): Kha b mt (48-byte) dng chung gia my con v server. 112

Kh nng phc hi (Is resumable): Cho bit phin giao dch ny c th khi to mt kt ni mi hay khng. S nhn dng ngu nhin (Server and client random): Chui byte chn ngu nhin bi server v client, c chc nng phn bit cc kt ni vi nhau. Kha xc thc ca my ch (Server write MAC secret): Kha b mt dng tnh gi tr xc thc MAC trn d liu gi i t server. Kha xc thc ca my con (Client write MAC secret): Kha b mt dng tnh gi tr xc thc MAC trn d liu gi i t my con. Kha mt m ca my ch (Server write key): Kha b mt dng mt m ha d liu gi i t server. Kha mt m ca my con (Client write key): Kha b mt dng mt m ha d liu gi i t client. Vc t khi to (Initialization vectors): vec-t khi to (IV) dng trong ch m ha CBC (Chaining Bock Cipher). Gi tr ny c khi to bi giao thc SSL record. S th t gi (Sequence numbers): S th t ca cc bn tin c gi i v nhn v trn kt ni.

Tng t, cc thng s nh ngha trng thi ca mt kt ni bao gm:

III.3.2 Giao thc truyn d liu SSL:

D liu gc

Phn on

Nn Gn thng tin xc thc (MAC)

Mt m ho

Gn tiu giao thc SSL record

Hnh 3.14: Hot ng ca giao thc truyn d liu SSL Giao thc truyn d liu SSL (SSL record protocol) cung cp 2 dch v c bn cho cc kt ni SSL l dch v bo mt v dch v tan vn d liu. Hnh 3.14 m t hat ng ca giao thc truyn d liu SSL. Theo , cc thao tc m SSL thc hin trn d liu bao gm: phn an d liu (fragmentation), nn d liu 113

(compression), xc thc d liu (MAC), m ha, thm cc tiu cn thit v cui cng gi tan b an thng tin trn trong mt segment TCP. pha nhn, qu trnh c thc hin ngc li.
Kiu d liu Phin bn chnh Phin bn ph Kch thc d liu

D liu Thng tin c m ho (c th nn hoc khng nn)

M xc thc (0, 16 hoc 20 byte)

Hnh 3.15: Cu trc gi SSL record Cu trc gi d liu SSL record gm cc thnh phn sau (hnh 3.15): -Kiu d liu (Content Type - 8 bits): Giao thc lp trn. Giao thc ny s x l thng tin trong gi d liu SSL. - Phin bn chnh (Major Version - 8 bits): Phin bn chnh ca SSL. i vi SSL v3, gi tr ny l 3. - Phin bn ph (Minor Version - 8 bits): Phin bn ph ca SSL. V d: i vi SSLv3 th gi tr trng ny l 0. - Kch thc d liu (Compressed Length -16 bits): Chiu di ca phn d liu (plaintext), tnh theo byte. -D liu (Plaintext): D liu ca lp trn c chuyn i trong gi SSL record. D liu ny c th c nn hoc khng. -M xc thc (MAC): M xc thc, c kch thc = 0 byte nu khng dng chc nng xc thc.

III.3.3 Giao thc thay i thng s m:

Giao thc thay i thng s m (Change cipher spec protocol) l giao thc n gin nht trong cu trc SSL, dng thay i cc thng s m ha trn kt ni SSL. Giao thc ny ch gm c mt bn tin c kch thc 1 byte, mang gi tr 1. Chc nng ca bn tin ny l yu cu cp nht cc thng s m ho cho kt ni hin hnh.

III.3.4 Giao thc cnh bo:

Giao thc cnh bo (Alert protocol) dng trao i cc bn tin cnh bo gia hai u ca kt ni SSL. C hai mc cnh bo: warning (1) v fatal (2). Mc warning ch n gin dng thng bo cho u kia cc s kin bt thng ang din ra. Mc fatal yu cu kt thc kt ni SSL hin hnh, cc kt ni khc trong cng phin giao dch c th vn c duy tr nhng phin giao dch khng c thit lp thm kt ni mi. 114

Cc bn tin cnh bo ca SSL bao gm: -unexpected_message: Nhn c mt bn tin khng ph hp. -bad_record_mac: Bn tin va nhn c gi tr MAC khng hp l. -decompression_failure: Thao tc gii nn thc hin khng thnh cng.. -handshake_failure: Pha gi khng thng lng cc thng s bo mt. -illegal_parameter: Mt trng no trong bn tin bt tay (handshake message) khng hp l. -close_notify: Thng bo kt thc kt ni. -no_certificate: Khi nhn c yu cu cung cp chng thc kha (certificate), nhng nu khng c chng thc kha no thch hp th gi cnh bo ny. -bad_certificate: Chng thc kha khng hp l (ch k sai) -unsupported_certificate: Kiu chng thc khng c h tr. -certificate_revoked: Chng thc kha b thu hi. -certificate_expired: Chng thc kha ht hn s dng. -certificate_unknown: Khng x l c chng thc kha v cc l do khc vi cc l do trn.

III.3.5 Giao thc bt tay:

Giao thc bt tay (handshake protocol) giao thc phc tp nht ca SSL, c hai pha s dng xc thc ln nhau v thng lng thng nht cc thut ton xc thc MAC v m ha. Th tc ny cng c trao i cc kha b mt dng cho m ha v MAC. Th tc phi c thc hin trc khi d liu c truyn. Th tc bt tay gm 4 giai an c m t hnh 3.16.

III.3.6 So snh SSL v IPSec:

SSL v IPSec l hai giao thc tng ng vi nhau v chc nng. C hai u c thit k bo v d liu truyn trn cc kt ni bng cc c ch xc thc v m ha. Tuy nhin, hai k thut ny c nhng im khc bit nhau nh sau: SSL hat ng lp socket (hnh 3.13), do n c gn kt phn ngi s dng (user space) trong cc h thng u cui. IPSec hat ng lp mng (network layer), nn c tch hp vo trong chc nng ca h iu hnh. y chnh l s khc nhau c bn nht gia SSL v IPSec. C SSL v IPSec u cung cp chc nng m ha (Encryption), bo v d liu (Integrity) v xc thc thng tin (Authentication), tuy nhin SSL n gin ha cc k thut ny p dng trong m hnh ca n, trong khi IPSec bao gm mt cch y cc chi tit thit k ca tt c cc k thut to thnh, v do , khi t hp li s xut hin nhiu li tng thch trong ni b IPSec. IPSec l thnh phn ca h iu hnh, do , trin khai IPSec th phi thay i cu hnh h iu hnh m khng cn thay i cu hnh chng trnh ng dng. Ngc li, SSL nm mc ngi dng nn phi ci t vi tng ng dng c th (v d mail, web, ) m khng cn khai bo vi h iu hnh,

115

V nhng khc bit trn y, SSL thng c s dng bo v kt ni cho tng ng dng c th, c bit l Web, E-mail. Trong khi , IPSec thng c dng xy dng cc mng ring o (VPN) ri trn c s mi trin khai cc dch v ng dng.

116

Client client_hello server_hello

Server Giai on 1: Thit lp cc thng s bo mt nh phin bn ca giao thc, nhn dng phin giao dch, thut ton mt m, phng php nn v s ngu nhin ban u.

Chng thc kha server

Kha b mt ca server Giai on 2: Server c th gi chng thc kha cng khai, trao i kho v yu cu client cung cp chng thc kha.

Yu cu cung cp chng thc

Kt thc server_hello

Thi gian

Chng thc kha client Giai on 3: Client gi chng thc kha khi c yu cu t pha server, trao i kha vi server. Client cng c th gi xc minh chng thc kha cng khai cho server (certificate_verify)

Kha b mt ca client

Xc minh chng thc kha

Thay i thng s m

Kt thc

Giai on 4: Thay i cc thng s ca thut ton mt m v kt thc giao thc bt tay.

Thay i thng s m

Ch : nhng giao tc biu din bng nt ri l nhng giao tc tu chn, c th c hoc khng, tu thuc vo tng tnh hung ng dng ca SSL.

Kt thc

Hnh 3.16: Th tc bt tay SSL 117

III.4 SECURE ELECTRONIC TRANSACTION

III.4.1 Tng quan v SET:
Secure Electronic Transaction hay SET l mt k thut c thit k bo v cc thng tin quan trng trao i trn mng (v d s th tn dng) dng trong cc giao dch thanh tan qua mng Internet. SET phin bn 1 c xut nm 1996 (MasterCard v Visa ch tr), sau c nhiu nh sn xut khc tham gia pht trin (nh Microsoft, IBM, Netscape, RSA, Terisa v Verisign). SET khng phi l mt h thng thanh tan, m ch l mt giao thc an tan cho php cc u cui trao i cc thng tin b mt, c bit l cc thng tin v ti khan ngn hng, thng qua cc mi trng cng cng v d nh Internet. -Cc tnh nng ca SET: Bo mt thng tin: c bit l thng tin v ti khan ngn hng khi nhng thng tin ny c trao i qua mng. SET cn c chc nng ngn chn ngi bn hng bit s th tn dng (credit card) ca ngi mua hng. K thut m ha quy c vi thut tan DES c dng cung cp chc nng ny. Bo tan d liu: cc thng tin v vic t hng, thanh tan, thng tin c nhn khi gi t mt ngi mua hng n ngi bn hng c m bo tan vn, khng b thay i. K thut ch k s DSA vi hm bm SHA-1 c dng bo m tnh nng ny (trong mt s bn tin ca SET, HMAC c dng thay cho DSA). Xc thc ti khan ca ngi s dng th: cho php ngi bn hng xc minh ngi dng th l ch nhn hp l ca ti khon ang cp. thc hin chc nng ny, SET dng chun xc thc X.509 version 3. Xc thc ngi bn hng: SET cho php ngi s dng th xc thc rng ngi bn hng c quan h vi mt t chc ti chnh c chp nhn thanh ton qua th. Chc nng ny cng c thc hin dng X.509 version 3.

Mt iu cn ch l SET hat ng bng cch truy xut trc tip n lp TCP/IP m khng dng cc giao thc lp ng dng khc. Tuy vy hat ng ca SET cng khng nh hng n cc c ch bo mt khc nh IPSec hoc SSL. -Cc thnh phn ca SET: -Ngi dng th (Cardholder): Ngi dng th tn dng thc hin cc giao dch thanh tan trn Internet (ngi mua hng). -Ngi bn hng (Merchant): Mt c nhn hay t chc bn hng hoc dch v trn mng (thng qua web hoc email). Ngi bn hng phi c kh nng chp nhn thanh tan bng th, v phi c quan h vi mt t chc ti chnh no (Accquirer). -T chc pht hnh th (Issuer): y l t chc ti chnh (thng l ngn hng) pht hnh th tn dng. T chc ny c trch nhim thanh tan theo yu cu ca ngi s dng th. -Trng ti (Acquirer): Mt t chc ti chnh khc c quan h vi ngi bn hng, thc hin vic xc thc ti khan ca ngi mua hng v thanh tan. Trng ti s kim tra ti khan ca ngi mua hng thng bo cho ngi bn hng bit s d trong ti khan ca ngi mua c thc hin giao dch hay khng. Sau khi giao dch mua hng c thc hin, trng ti thc hin vic chuyn tin t ti khan ca ngi mua hng sang ti tan khan ca ngi bn hng, ng thi ra yu cu thanh tan i vi ngn hng pht hnh th (Issuer). 118

-Ca thanh tan (Payment gateway): y l thnh phn chu trch nhim x l cc bn tin thanh tan (payment message) c iu hnh bi trng ti hoc mt t chc th 3 c ch nh. Payment gateway giao tip gia SET v h thng thanh tan ca ngn hng thc hin cc thao tc xc thc v thanh tan. Nh vy, ngi bn hng tht ra trao i cc thng bo vi ca ng thanh tan thng qua mng Internet, sau , Payment gateway mi lin kt n h thng x l ti chnh ca Acquirer. -T chc chng thc (Certification authority _ CA): L thnh phn c chc nng to ra cc chng thc (certificate) theo chun X.509v3 v phn phi cho Cardholder, Merchant v Payment Gateway. S thnh cng ca SET ph thuc vo s tn ti ca CA. Thng thng, CA c t chc theo mt m hnh phn cp vi nhiu CA lin h vi nhau.
Ngi bn hng (Merchant)

Ngi dng th (Cardholder)

Intenet

T chc chng thc (CA)

T chc pht hnh th (Issuer)

Mng thanh tan Trng ti (Acquirer) Ca thanh tan (Payment gateway)

Hnh 3.17: Cc thnh phn ca SET

-Thc hin giao dch vi SET: Mt giao dch SET in hnh gm cc bc sau y: 1. Khch hng m ti khan ti mt ngn hng c dch v thanh tan qua mng (v d MasterCard, Visa card, ) v tr thnh Cardholder. 2. Khch hng nhn c mt chng thc X.509v3, c k bi ngn hng bng ch k s (digital signature), trong cha kha cng khai RSA ca khch hng v ngy ht hn. 3. Ngi bn hng nhn chng thc: Ngi bn hng phi c 2 chng thc khc nhau cha kha cng khai cho hai mc ch: k nhn cc thng bo (message signing) v trao i kha (key exchange). Ngai ra, ngi bn hng cng c mt bn sao chng thc ca Payment gateway.

119

4. Khch hng t hng: thao tc ny c thc hin thng qua website ca ngi bn hng hoc qua email. 5. Xc nhn ngi bn hng: ngi bn hng gi chng thc ca mnh cho ngi mua hng chng minh tnh s hu ca mnh i vi mt kho hng no . 6. Lnh t hng v thanh ton c thc hin: ngi mua hng gi lnh t hng v lnh thanh tan cho ngi bn hng cng vi chng thc ca mnh. Thng tin thanh ton (s th tn dng) c m ho sao cho ngi bn hng khng th thy c nhng c th kim tra tnh hp l ca n. 7. Ngi bn hng yu cu xc thc vic thanh tan thng qua Payment gateway. 8. Ngi bn hng xc nhn n t hng bng cch gi thng bo cho ngi mua hng. 9. Ngi bn hng giao hng (hoc bt u cung cp dch v) cho ngi mua hng. 10. Ngi bn hng yu cu thanh tan thng qua Payment gateway.

III.4.2 Ch k song song:

Ch k song song (dual signature) l mt thut ng c dng trong SET din t mt lin kt gia hai bn tin c gi i bi cng mt ngi gi nhng cho hai ngi nhn khc nhau. Khi mua hng qua mng, khch hng gi thng tin t hng OI (Order information) vi ch k ca mnh cho ngi bn hng, ng thi gi thng tin thanh tan PI (Payment information) cho ngn hng cng vi ch k ca mnh. V nguyn tc, ngn hng khng cn bit cc chi tit v t hng, v ngi bn hng cng khng cn bit cc chi tit v thanh tan. Ch k song song c s dng trong trng hp ny trnh cc tranh chp xy ra khi thng tin t hng v thng tin thanh tan khng khp nhau. Hnh 3.18 m t hat ng ca ch k song song. -Ngi mua hng p dng hm bm ln PI v OI (dng SHA-1), sau hai gi tr bm c ni vi nhau v p dng hm bm mt ln na vi kha ring ca chnh ngi mua hng to thnh ch k song song: DS = E([H(H(PI) + H(OI)], PRc) Trong PRc l kha ring ca ngi mua hng. -Ngi bn hng xc nhn ch k ca ngi mua hng bng cch tnh hai gi tr: H(PIMS + H[OI]) v D(DS, PUc) Trong PIMD l m bm ca PI, PUc l kha cng khai ca khch hng, DS l ch k song song nhn c trn n t hng. Nu hai gi tr trn bng nhau, th ch k xem nh chnh xc v n t hng c chp nhn. -Song song , ngn hng cng xc thc ch k song song bng cch so snh hai gi tr sau y: H(H[OI] + OIMD) v D(DS, PUc) Trong OIDM l message digest ca OI. Nu hai gi tr va tnh c l bng nhau th xem nh ch k l chnh xc v lnh thanh tan c chp nhn. 120

PI PIMD H PRc Ch k song song E

POMD H OI OIMD H

PI: Payment Information OI: Order Information H: Hash function (SHA-1) | | : Ni hai khi thng tin

PIMD: PI message digest OIMD: OI message digest POMD: Payment Order message digest E: Thut tan mt m (RSA) PRc: Kho ring ca ngi mua hng

Hnh 3.18: Ch k song song (dual signature)

III.4.3 Thc hin thanh ton trong SET:

X l thanh ton (Payment processing) l cng on quan trng nht trong giao dch SET. Qu trnh x l thanh ton gm 3 cng vic nh sau: Yu cu mua hng (Purchase Request). Xc thc thanh ton (Payment Authorization). Thc hin thanh ton (Payment Capture). Bng 3.1: Cc giao tc ca SET Tn giao tc Cardholder registration Merchant registration Purchase request Payment authorization Payment capture Certificate and status ngha Ngi mua hng ng k vi CA trc khi thc hin cc giao dch SET khc vi ngi bn hng. Ngi bn hng ng k vi CA trc khi gi cc thng bo SET vi khc hng v vi Payment gateway. Thng bo c ngi mua hng gi i, trong cha lnh t hng (OI) cho ngi bn hng v lnh thanh tan (PI) cho ngn hng. Trao i gia ngi bn hng v Payment gateway kim tra s d trong ti khan ca ngi mua hng. Ngi bn hng gi yu cu thanh tan n Payment gateway. inquiry Trong trng hp CA khng x l c yu cu cung cp chng thc tc thi, n s tr li cho ngi mua hng v ngi bn hng v vic tr han ny. Sau , ngi mua hng hoc ngi bn hng c th dng giao dch ny kim tra trng thi ca chng thc. Nu chng thc c x l 121

xong th khch hng hoc ngi bn hng s c nhn. Purchase inquiry Authorization reversal Ngi mua hng kim tra trng thi ca n t hng sau khi xc nhn n t hng vi ngi bn hng. Ngi bn hng hiu chnh yu cu xc thc trc . Nu n t hng khng thc hin c th tan b vic xc thc trc c hi li (reverse). Nu n t hng ch c thc hin mt phn (ngi mua hng hi li mt phn) th ngi bn hng ch hi li phn xc thc tng ng. Ngi bn hng hiu chnh cc thng tin yu cu thanh tan gi cho Payment gateway. Ngi bn hng tr li tin vo ti khan ca ngi mua hng khi hng c tr li v l do no (h hng, sai quy cch, ). Ngi bn hng hiu chnh li yu cu tr li tin vo ti khan ca ngi mua hng (giao tc Credit) va ri.

Capture reversal Credit Credit reversal

Payment gateway Ngi bn hng yu cu bn sao chng thc ca Payment gateway. certificate request Batch administration Error message Ngi bn hng thng bo cho Payment gateway v cc t giao hng. Thng bo li xy ra trong giao dch.

-Yu cu mua hng: Sau khi ngi mua hng hon tt cc cng vic chn hng v t mua trn mng, th tc yu cu mua hng mi c bt u. Ch rng thao tc chn hng v t mua c thc hin trn cc kt ni bnh thng (nh e-mail hay web) m khng cn c s tham gia ca SET. Qu trnh yu cu mua hng bao gm 4 giao tc: Initiate Request, Initiate Response, Purchase Request, v Purchase Response. gi c cc bn tin SET n ngi bn hng, ngi mua hng cn c mt bn sao cc chng thc ca Merchant v Payment gateway. Bn tin Initiate Request c s dng yu cu ngi bn hng cung cp cc chng thc cn thit cho ngi mua hng. Ngi bn hng s tr li bn tin Initiate Request bng mt bn tin hi p Initiate Response trong c cha gi tr ngu nhin (nonce) c to ra trc bi ngi mua hng, mt gi tr ngu nhin khc do ngi bn hng to ra, nhn din ca giao tc hin hnh, cng vi cc chng thc ca chnh ngi bn hng v Payment gateway. Tt c cc thng tin ny c xc thc bi ch k ca ngi bn hng. Ngi mua hng xc minh cc chng thc nhn c, sau to ra thng tin t hng (OI) v thng tin thanh tan (PI), trong c cha nhn din giao tc m ngi bn hng va to ra trc . Ngi mua hng chun b bn tin Purchase Request. Bn tin ny cha cc thng tin sau y: Cc thng tin lin quan n vic thanh ton bao gm: PI, ch k song song, OIMD v mt phong b s (digital envelope). Cc thng tin ny c m ho bng kho b mt Ks do ngi mua hng to ra cho tng phin giao dch. Cc thng tin lin quan n n t hng bao gm OI, ch k song song, PIMD. Ch rng OI c gi i trc tip m khng cn m ho. 122

Chng thc ca ngi mua hng. Xc minh chng thc ca ngi mua hng. Kim chng ch k song song ca ngi mua hng. X l n t hng v chuyn thng tin thanh ton cho Payment Gateway kim tra. Gi bn tin Purchase Response cho ngi mua hng.

Khi ngi bn hng nhn c Purchase Request, h s thc hin cc thao tc sau y:

Bn tin Purchase Response cha cc thng tin chp nhn n t hng v cc tham chiu n s nhn din giao tc tng ng. Thng tin ny c k bi ngi bn hng v gi cho ngi mua hng cng vi chng thc ca ngi bn. Ngi mua hng khi nhn c bn tin Purchase Response s tin hnh kim tra ch k v chng thc ca ngi bn hng.
Bn tin Purchase Request PI

Dual Signature

Ks
Digital envelope

Phn thng tin c ngi bn hng chuyn cho Payment Gateway

OIMD PIMD Phn thng tin nhn c bi ngi bn hng

OI PUb

Dual Signature

Cardholder cerificate

Hnh 3.19: Qu trnh to bn tin Purchase request ca ngi mua hng -Xc thc thanh ton: y l th tc m ngi bn hng xc thc tnh hp l ca ngi mua hng thng qua Payment Gateway. Qu trnh xc thc nhm bo m rng giao dch ny c chp thun bi ngn hng pht hnh th (Issuer), v do ngi bn hng s c m bo thanh ton. Qu trnh ny c thc hin thng qua hai bn tin: Authorization Request v Authorization response. 123

Bn tin Purchase Request

Thng tin c Merchant chuyn cho Payment Gateway Digital envelope

PIMD H OI

POMD

H OIMD

So snh

Dual signature D POMD Cardholder certificate

PUc

Hnh 3.18: Qu trnh xc minh yu cu mua hng (Purchase Request) ti Merchant

Bn tin Authorization Request c ngi bn hng gi n Payment Gateway bao gm cc thng tin sau: Thng tin lin quan n vic mua hng, bao gm: PI, ch k song song, OIMD v phong b s (digital envelope). Thng tin lin quan n xc thc bao gm: nhn din giao tc, c m ho bng kho b mt do ngi bn hng to ra v phong b s, c m ho bng kho cng khai ca Payment gateway. Cc chng thc ca ngi mua hng v ngi bn hng. Xc minh tt c cc chng thc. Gii m phong b s ca khi thng tin mua hng. 124

Khi nhn c Authorization Request, Payment Gateway thc hin cc thao tc sau:

Xc minh ch k ca ngi bn hng. Gii m phong b s ca khi thng tin xc thc. Xc minh ch k song song. Xc minh nhn din giao tc (transaction ID). Yu cu xc thc t ngn hng pht hnh th.

Nu nhn c thng tin xc thc thnh cng t ngn hng pht hnh th, Payment Gateway s hi p bng bn tin Authorization Response trong cha cc thng tin sau: Thng tin lin quan n xc thc bao gm: khi thng tin xc thc c k bi Payment Gateway v m ho bng kho b mt do Payment Gateway to ra, ngoi ra cn c phong b s. Thng tin lin quan n thc hin thanh ton. Chng thc ca Payment gateway.

Vi thng tin xc thc ny, ngi bn hng c th bt u giao hng hoc cung cp dch v cho ngi mua hng. -Thc hin thanh ton: thc hin thanh ton, ngi bn hng thc hin mt giao tc vi Payment Gateway gi l Capture transaction, giao tc ny c thc hin qua hai bn tin: Capture Request v Capture Response. Trong bn tin Capture Request, ngi bn hng to ra thng tin yu cu thanh ton, trong c khi lng thanh ton v nhn din giao tc (transaction ID), cng vi thng tin xc thc nhn c trc t Payment Gateway, ch k v chng thc ca ngi bn hng. Payment Gateway nhn c bn tin ny, gii m v thc hin cc bc kim tra cn thit trc khi yu cu ngn hng pht hnh th chuyn tin cho ngi bn hng. Cui cng, Payment Gateway s thng bo cho ngi bn hng bng bn tin Capture Response. Tm tt chng: -Cc ng dng bo mt (security application) c xy dng da trn cc k thut c s trnh by chng 2 bao gm: mt m i xng, mt m bt i xng, hm bm, ch k s, chng thc kha cng khai, -K thut xc thc c xem l k thut c bn nht qun l truy xut. Mt khu l phng tin xc thc n gin nht v hiu qu nht t trc n nay. Tuy nhin, mt khu c qun l v s dng bi con ngi, nn cn phi c cc chnh sch hp l m bo mt khu khng b tit l. -Trong m hnh thng tin im im, hai giao thc xc thc thng c dng l PAP (Password Authentication Protocol) v CHAP (Challenge Handshake Authentication Protocol) trong , giao thc CHAP c nhiu u im hn v an tan hn do khng gi mt khu i trc tip trn mng. -Trong m hnh phn tn, giao thc xc thc cn phi p ng c hai yu: m bo thng tin xc thc khng b nh cp v ngi s dng ch cn xc thc mt ln cho tt c cc dch v trong h thng phn tn. Kerberos l mt giao thc xc thc p ng c 2 yu cu ny.

125

-Giao thc bo mt IP Security (IPSec) l mt s m rng ca giao thc IP, cho php lp mng thc hin cc chc nng bo mt v tan vn cho d liu truyn i trn mng. IPSec l mt chun phc tp, bao gm c t ca nhiu chun khc, c trin hai da trn hai giao thc ng gi c bn l ESP v AH. IPSec hat ng hai ch l ch vn chuyn (transport) v ch ng hm (tunnel). Hat ng ca IPSec l trong sut i vi cc giao thc lp ng dng. -Giao thc bo mt SSL (Secure Sockets Layer) l mt giao thc cng thm hat ng bn trn giao thc TCP. SSL cung cp hai dch v c bn l mt m ha v xc thc d liu / xc thc u cui cho cc ng dng Internet nh web, e-mail, . SSL c s dng rt ph bin hin nay trn mng Internet, t bigt trong cc th tc trao i thng tin b mt gia client v server nh ng nhp vo hp th in t, nhp s th tn dng khi mua hng, -SET (Secure Electronic Transaction) l mt ng dng bo mt trong cc h thng thanh tan qua mng. SET l mt ng dng truy xut trc tip n lp TCP (tc khng thng qua cc giao thc ng dng nh mail hay web, ). SET nh ngha mt m hnh phc tp bao gm nhiu thc th nh ngi mua hng, ngi bn hng, ngn hng pht hnh th, trng ti, ca thanh tan, SET c pht trin bi cc t chc ti chnh c uy tn nh MasterCard, VISA, cc t chc cng ngh nh Microsoft, IBM, RSA, Verisign,

CU HI V BI TP.
A- Cu hi trc nghim. Cu 1. Nguyn tc m bo an ton cho mt khu i vi ngi s dng: a- Quy nh thi gian s dng ti a ca mt khu. b- Khng dng mt khu qu ngn, mt khu c cha tn ngi dng, mt khu l nhng t c ngha trong t in. c- M ho mt khu khi lu tr. d- Tt c u ng. Cu 2. Trong th tc xc thc mng n gin, c ch no m bo mi th (ticket) ch c s dng bi mt my duy nht? a- My con phi c xc thc bi Authentication Server (AS). b- Trong th cp cho my con c cha a ch mng ca my my con (ADC). c- Trong th c cha nhn dng ca my ch cung cp dch v (IDV). d- Tt c u ng. Cu 3. Mc ch ca TGS (Ticket Granting Server) trong th thc xc thc qua mng? a- Cho php ngi dng ch ng nhp mt ln nhng s dng c nhiu dch v. b- Gim ti x l cho AS c- hn ch vic gi mt khu trc tip trn mng. d- Tt c u sai. Cu 4. Chn cu ng v giao thc xc thc Kerberos 4: a- S dng thut ton m ho DES b- s dng mt dch v no , client phi thc hin 2 thao tc: xc thc vi AS c cp th Ticket-granting-Ticket, sau xc thc vi TGS nhn c 126

th Service-granting-Ticket trc khi c th yu cu my ch cung cp dch v. c- Ngi dng ch cn nhp mt khu mt ln trong sut phin lm vic. d- Tt c u ng. Cu 5. Trong Kerberos 4, bn tin yu cu xc thc gi t my con n AS cha cc thng tin no? a- Nhn din ca ngi dng (IDC), nhn din ca TGS (IDtgs) v nhn thi gian ng b TS1. b- Tn ng nhp v mt khu. c- Tn ng nhp v a ch mng ca my con. d- Mt khu m ho v a ch mng ca my con. Cu 6. Trong Kerberos 4, bn tin yu cu dch v gi t my con n my ch dch v cha cc thng tin no? a- Cha th truy xut dch v c cp bi TGS. b- Cha th truy xut dch v c cp bi TGS v tn ng nhp. c- Cha th truy xut dch v cng vi Authenticator gm (IDc + ADC + TS5) gi trc tip. d- Cha th truy xut dch v cng vi Authenticator gm (IDc + ADC + TS5) c m ho bng kho b mt dng chung gia my con v my ch cung cp dch v. Cu 7. Th no l mt lnh a Kerberos (Kerberos Realm)? a- L h thng bao gm Kerberos server, cc my ch cung cp dch v v nhiu my con. b- L phm vi mng c qun l bi mt AS. c- L phm vi mng c qun l bi mt TGS. d- Tt c u sai. Cu 8. im khc nhau gia Krberos 4 v Kerberos 5: a- Kerberos 5 khng gii hn thi gian tn ti ca th, Kerberos 4 gii hn thi gian tn ti ca th l khong 21 gi. b- Kerberos 5 s dng mt m bt i xng, Kerberos 4 s dng mt m i xng. c- Kerberos 5 dng tn ng nhp v mt khu xc thc ngi dng, Kerberos 4 dng a ch IP xc thc. d- Tt c u ng. Cu 9. ng dng ca IPSec: a- Xy dng cc website an ton cho cc ng dng thng mi in t. b- Xy dng cc mng ring o VPN trn nn mng Internet cng cng. c- Cho php truy xut t xa mt cch an ton. d- Tt c cc ng dng trn. Cu 10. Chn cu ng v IPSec: a- Khi s dng IPSec, kch thc gi d liu IP tng ln, do hiu sut truyn gim xung. b- Khi ci t IPSec trn mt h thng th IPSec s c tc dng bo v cho tt c cc 127

dch v ng dng chy trn h thng . c- IPSec c th c thc hin nh mt phn mm ng dng. d- Cu a v b. Cu 11. SA l g? a- L mt kt ni dng IPSec gia hai my tnh bt k. b- L mt quan h truyn thng mt chiu gia hai thc th IPSec. c- L mt ng dng c chc nng phn tch v nh gi mc an ton ca h thng. d- Tt c u sai. Cu 12. c im ca AH: a- C kh nng mt m ton b d liu trao i gia cc thc th IPSec. b- Dng ch k s xc thc thng tin. c- Ch vn chuyn ch cho php xc thc d liu gia hai thit b mng (router) c h tr IPSec. d- Tt c u sai. Cu 13. Giao thc ESP: a- Cung cp c ch mt m v xc thc d liu. b- Tiu ca ESP gm hai phn, nm trc v nm sau gi IP gc. c- S dng k thut mt m i xng bo v d liu. d- Tt c u ng. Cu 14. Qun l kho trong IPSec: a- C chc nng to ra v phn phi kho cng khai ca cc u cui IPSec. b- C th s dng PKI cho mc nh qun l kho trong IPSec. c- Dng giao thc ISAKMP to v phn phi kho b mt gia cc u cui IPSec. d- Tt c u sai. Cu 15. c im ca SSL: a- L thnh phn ca H iu hnh. b- Cung cp kt ni an ton cho tt c cc dch v ng dng trn cng mt h thng. c- S dng mt m i xng m ho d liu. d- Tt c cc c im trn. Cu 16. Chc nng ca giao thc SSL record: a- Phn on d liu, nn, to m xc thc, mt m ho d liu. b- Cung cp c ch m bo tnh ton vn v tnh bo mt cho d liu. c- Nn d liu tng hiu sut truyn d- Tt c u sai. Cu 17. Th tc bt tay (handshake protocol) trong SSL thc hin cc chc nng no sau y: a- Thit lp cc thng s kt ni gia client v server. b- Trao i chng thc client nhn c kho cng khai ca server v ngc li, 128

cc kho ny dng mt m d liu trao i gia client v server. c- Thay i cc thng s v thut ton mt m. d- Cu a v c. Cu 18. Secure Electronic Transaction (SET): a- L mt ng dng thng mi in t trn nn ca IPSec. b- L mt giao thc an ton cho cc ng dng ton qua mng. c- Dng mt m bt i xng (RSA) mt m ha thng tin. d- Tt c u ng. Cu 19. Trong mt giao dch trn SET: a- Ngi mua hng (cardholder) phi c th tn dng do mt ngn hng c h tr dch v thanh ton qua mng pht hnh. b- Ngi bn hng (merchant) phi c quan h vi ngn hng pht hnh th. c- Vic chuyn tin t ti khon ca ngi mua hng sang ti khon ca ngi bn hng c thc hin theo yu cu ca ngi bn hng m khng cn mt thnh phn th 3 no. d- Vic chn la hng v quyt nh mua hng phi c thc hin thng qua giao dch SET th mi c ngha. Cu 20. Th no l ch k song song (dual signature)? a- L mt ch k duy nht nhng gm hai bn sao gi cho hai i tc cng lc. b- L mt ch k nhng gm hai thnh phn, c chc nng chng thc hai ni dung khc nhau vi hai i tc khc nhau. c- Gm hai ch k khc nhau nhng c ghp chung trong mt bn tin tit kim chi ph truyn trn mng. d- L mt ch k nhng c to ra bng vic p dng hm to ch k hai ln ln cng mt khi thng tin gc nhm m bo tnh an ton ca ch k. Cu 21. Th t thc hin cc giao tc trong SET: a- Xc thc thanh ton, yu cu mua hng, thc hin thanh ton. b- Yu cu mua hng, xc thc thanh ton, thc hin thanh ton. c- Yu cu mua hng, thc hin thanh ton, xc thc thanh ton. d- Tu tng trng hp m th t thc thi c th khc nhau. B- Bi tp Cu 22. Trong giao thc AH ca IPSec, thao tc to ra m xc thc (MAC) khng c thc hin trn ton b gi d liu IP m ch thc hin trn cc phn khng thay i trong qu trnh truyn (imutable) hoc nhng phn c thay i nhng c th on c. Hy ch ra trong gi IP (version 4), nhng phn no c thay i, khng thay i hoc thay i nhng on trc c trong qa trnh truyn? Cu 23. ch vn chuyn ca IPSec, mt lp tiu (header) khc ca gi IP c to ra song song vi tiu c. Nhng thnh phn no ca tiu mi ging vi tiu c? Cu 24. Thc hin cu hnh IPSec trn Windows 2003 server. Cu 25. Ci t v cu SSL cho Website trn Windows 2003 server. ---------129

HNG DN TR LI CU HI V BI TP.
Chng I: Cu 1. Cu 2. Cu 3. Cu 4. Cu 5. Cu 6. Cu 7. Cu 8. Cu 1. Cu 2. Cu 3. Cu 4. Cu 5. Cu 21. Cu 22. Cu 23. Cu 24. Cu 25. Cu 26. Cu 1. Cu 2. Cu 3. Cu 4. Cu 5. Cu 6. Thc hin bng tay thao tc m rng kho (expand key) ca AES. Thc hin thut ton RSA vi cc thng s tng ng. Thc hin thut ton Diffie-Hellman. b b a d a d Cu 7. Cu 8. Cu 9. Cu 10. Cu 11. Cu 12. a a d b d d Cu 13. Cu 14. Cu 15. Cu 16. Cu 17. Cu 18. d c c b d b Cu 19. Cu 20. Cu 21. a b b c b d d a b c a b d c b b Cu 9. Cu 10. Cu 11. Cu 12. Cu 13. Cu 14. Cu 15. Cu 16. Cu 6. Cu 7. Cu 8. Cu 9. Cu 10. d b a d c d c a a b b a c Cu 17. Cu 18. Cu 19. Cu 20. Cu 21. Cu 22. Cu 23. Cu 24. Cu 11. Cu 12. Cu 13. Cu 14. Cu 15. a d c d b c c d d d c c d Cu 16. Cu 17. Cu 18. Cu 19. Cu 20. a d d a D Cu 25. Cu 26. Cu 27. Cu 28. Cu 29. Cu 30. Cu 31. d d c a c d d

Chng II:

Thc hin thut ton DES bng tay. Ch kho ph l K16. Chng minh tng t i vi cu trc Feistel.

Chng III:

130

THUT NG VIT TT.

3DES AAA AES AH ANSI AS CBC CC CESG CFB CHAP CIA CMAC CRT DAC DDoS DES DoS DSA DSS ECB ESP FIPS HMAC IAB ICMP IDS IDEA IETF IP IPSec ISAKMP ISO ITU ITU-T IV Triple Data Encryption Standard Access Control, Authentication, Auditing Advanced Encryption Standard Authentication Header American National Standards Institute Authentication Server Cipher Block Chaining Common Criteria Communications-Electronics Security Group Cipher Feedback Challenge Handshake Authentication Protocol Confidentiality, Integrity, Availability Cipher-Based Message Authentication Code Chinese Remainder Theorem Discretionary Access Control Distributed Denial of Service Data Encryption Standard Denial of Service Digital Signature Algorithm Digital Signature Standard Electronic Codebook Encapsulating Security Payload Federal Information Processing Standard Hash-based Message Authentication Code Internet Architecture Board Internet Control Message Protocol Intrusion Detection System International Data Encryption Algorithm Internet Engineering Task Force Internet Protocol IP Security Internet Security Association and Key Management Protocol International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector Initialization Vector 131

KDC LAN MAC MAC MD5 MIC MIME MITM MTU NAT NIST NSA NTFS OFB PAP PCBC PGP PKI PRNG RBAC RFC RNG SATAN RSA SET SHA SHS S/MIME SNMP SNMPv3 SSL TCP TGS TLS UDP WAN

Key Distribution Center Local Area Network Message Authentication Code Mandatory Access Control Message Digest, Version 5 Message Integrity Code Multipurpose Internet Mail Extension Man-in-the-middle attack Maximum Transmission Unit Network Address Translation National Institute of Standards and Technology National Security Agency NT File System Output Feedback Password Authentication Protocol Propagating Cipher Block Chaining Pretty Good Privacy Public Key Infrastructure Pseudorandom Number Generator Role-based Access Control Request for Comments Random Number Generator System Administrator Tool for Analyzing Network Rivest-Shamir-Adelman Secure Electronic Transaction Secure Hash Algorithm Secure Hash Standard Secure MIME Simple Network Management Protocol Simple Network Management Protocol Version 3 Secure Sockets Layer Transmission Control Protocol Ticket-Granting Server Transport Layer Security User Datagram Protocol Wide Area Network.

132

TI LIU THAM KHO:

[1] [2] [3] [4] [5] [6] William Stallings, Cryptography and Network Security: Principles and Practices, 4th edition, Prentice Hall, 2005. Matt Bishop, Introduction to Computer Security, Prentice Hall PTR, 2004. Mark Stamp, Information Security: Principles and Practices, John Wiley & Sons, 2006 Wenbo Mao, Modern Cryptography: Theory and Practice, Prentice Hall PTR, 2003 Vesna Hasler, Security Fundamentals for E-Commerce, Artech House, 2001 Will Schmied, Security + Study guide, Syngress, 2003.

133

MC LC
CHNG I I.1 I.2 I.2.1 I.2.2 I.2.3 I.3 I.3.1 I.3.2 I.3.3 I.4 I.4.1 I.4.2 I.5 I.5.1 I.5.2 I.5.3 I.6 I.6.1 I.6.2 I.7 I.7.1 I.7.2 II.1 TNG QUAN V BO MT H THNG THNG TIN ............................... 2

TNG QUAN.................................................................................................................. 2 CC C TRNG CA MT H THNG THNG TIN BO MT ...................... 3 Tnh b mt: ................................................................................................................. 4 Tnh ton vn:.............................................................................................................. 4 Tnh kh dng:............................................................................................................. 5 CC NGUY C V RI RO I VI H THNG THNG TIN............................. 6 Nguy c: ...................................................................................................................... 6 Ri ro v qun l ri ro:............................................................................................... 7 Vn con ngi trong bo mt h thng: ................................................................. 8 NGUYN TC XY DNG MT H THNG BO MT....................................... 9 Chnh sch v c ch: .................................................................................................. 9 Cc mc tiu ca bo mt h thng:.......................................................................... 11 CHIN LC BO MT H THNG AAA............................................................. 12 iu khin truy xut: ................................................................................................. 12 Xc thc:.................................................................................................................... 14 Kim tra:.................................................................................................................... 16 CC HNH THC XM NHP H THNG............................................................. 18 Cc phng thc tn cng:........................................................................................ 20 Cc phng thc xm nhp h thng bng phn mm ph hoi ............................... 27 K THUT NGN CHN V PHT HIN XM NHP ....................................... 30 Tng la: ................................................................................................................. 30 H thng pht hin xm nhp:................................................................................... 33 TNG QUAN V MT M:....................................................................................... 42 Gii thiu:.............................................................................................................. 42 Cc thnh phn ca mt h thng m ho:............................................................ 42 Cc tiu ch c trng ca mt h thng m ho: ................................................. 43 Tn cng mt h thng mt m: ............................................................................ 43 Cu trc m khi c bn Feistel: ........................................................................... 45 Thut ton mt m DES: ....................................................................................... 49 Thut tan mt m Triple DES:............................................................................. 55 Thut tan mt m AES: ....................................................................................... 57 Cc thut ton mt m i xng khc: .................................................................. 63 134

CHNG II MT M V XC THC THNG TIN......................................................... 42 II.1.1 II.1.2 II.1.3 II.1.4 II.2 II.2.1 II.2.2 II.2.3 II.2.4 II.2.5

K THUT MT M I XNG:............................................................................ 44

II.3

K THUT MT M BT I XNG.................................................................... 64 Cu trc h thng mt m bt i xng: ............................................................... 64 Thut ton mt m RSA: ....................................................................................... 66 Thut ton trao i kho Diffie-Hellman: ............................................................. 68 nh gi k thut mt m bt i xng: ............................................................... 70 Xc thc thng tin: ................................................................................................ 70 Cc hm bm bo mt: .......................................................................................... 73 Thut ton bm SHA:............................................................................................ 74 Thut ton bm MD5: ........................................................................................... 77 Nguyn l hot ng ca ch k s: ..................................................................... 77 Chun ch k DSS: ............................................................................................... 80 Qun l kho cng khai trong mt m bt i xng: ............................................ 83 S dng mt m bt i xng trao i kha b mt:......................................... 84 C s h tng kha cng khai: .............................................................................. 85

II.3.1 II.3.2 II.3.3 II.3.4 II.4 II.4.1 II.4.2 II.4.3 II.4.4 II.5 II.5.1 II.5.2 II.6 II.6.1 II.6.2 II.6.3 III.1

CC HM BM........................................................................................................... 70

CH K S.................................................................................................................. 77

QUN L KHO......................................................................................................... 83

CHNG III CC NG DNG BO MT TRONG H THNG THNG TIN ............. 93 GIAO THC XC THC............................................................................................ 93 Mt khu:............................................................................................................... 93 Xc thc trong m hnh im-im: ..................................................................... 94 Xc thc trong cc h thng phn tn: .................................................................. 95 Giao thc xc thc Kerberos:................................................................................ 98 Cc ng dng v c im ca IPSec: ................................................................ 104 Cu trc IPSec: .................................................................................................... 105 Quan h bo mt:................................................................................................. 106 Ch vn chuyn v ch ng hm:.......................................................... 106 AH: ...................................................................................................................... 107 ESP: ..................................................................................................................... 110 Qun l kha trong IPSec:................................................................................... 111 Cu trc SSL: ...................................................................................................... 112 Giao thc truyn d liu SSL:............................................................................. 113 Giao thc thay i thng s m:.......................................................................... 114 Giao thc cnh bo:............................................................................................. 114 Giao thc bt tay: ................................................................................................ 115 So snh SSL v IPSec: ........................................................................................ 115 135 III.1.1 III.1.2 III.1.3 III.1.4 III.2 III.2.1 III.2.2 III.2.3 III.2.4 III.2.5 III.2.6 III.2.7 III.3 III.3.1 III.3.2 III.3.3 III.3.4 III.3.5 III.3.6

IP SECURITY ............................................................................................................. 104

SECURE SOCKETS LAYER..................................................................................... 112

III.4

SECURE ELECTRONIC TRANSACTION ............................................................... 118 Tng quan v SET:.............................................................................................. 118 Ch k song song: ............................................................................................... 120 Thc hin thanh ton trong SET: ........................................................................ 121

III.4.1 III.4.2 III.4.3

HNG DN TR LI CC CU HI V BI TP ....................................................... 130 THUT NG VIT TT........................................................................................................ 131 TI LIU THAM KHO........................................................................................................ 133 ----------

136