Escolar Documentos
Profissional Documentos
Cultura Documentos
C S TP. H CH MINH
BI GING
Thng 7/2007
M U
Ti liu ny c xy dng vi mc ch gip sinh vin h o to t xa nghin cu cc
vn v bo mt h thng thng tin. Bo mt h thng thng tin l tp cc k thut, dch v, c
ch v ng dng ph tr gip trin khai cc h thng thng tin vi an ton cao nht, m c th
l bo v ba c trng c bn ca mt h thng an ton l tnh B mt, tnh Ton vn v tnh
Kh dng ca thng tin.
Tnh bo mt ca h thng l vn c cn nhc ngay khi thit k h thng v c
thc hin xuyn sut trong qu trnh thi cng, vn hnh v bo dng h thng. Trong thi im
m vic kt ni vo mng Internet, ni cha rt nhiu nguy c tn cng tim n, tr thnh mt
nhu cu sng cn ca cc h thng thng tin th vn bo mt cng cn phi c quan tm v
u t ng mc.
Ti liu ny nhm n i tng sinh vin l nhng ngi va hc va lm, do cc vn
bo mt thc t trn mng c quan tm nhiu hn l cc c s l thuyt. Cc chuyn v
mt m cng c trnh by n gin theo cch nhn ca ngi s dng, khng qu chuyn su v
c s ton hc, do , nu c nhu cu tm hiu su hn hoc chng minh cc thut ton, sinh vin
cn phi c thm cc ti liu v l thuyt s.
Ni dung ti liu c chia thnh 3 chng:
-Chng 1:Tng quan v bo mt h thng thng tin, trnh by cc vn chung v bo
mt v an ton h thng, cc nguy c v cc phng thc tn cng vo h thng thng tin, cc
ng dng bo v h thng thng tin ang c s dng nh Firewall v IDS
-Chng 2: Mt m v xc thc thng tin, trnh by cc c ch mt m v xc thc nhm
m bo tnh B mt v Ton vn ca thng tin. Phn ny m t nguyn l ca cc thut ton mt
m thng dng, hm bm, ch k s v cc vn qun l kho.
-Chng 3: Cc ng dng bo mt trong h thng thng tin, trnh by cc ng dng thc
t nh cc giao thc xc thc, bo mt trong kt ni mng vi IPSec, bo mt trong ng dng
Internet vi SSL v SET.
Cui mi chng u c phn tm tt, cc cu hi trc nghim v bi tp, gip sinh vin
h thng ho li kin thc hc. c bit, cc bi tp thc hnh v lp trnh s gip sinh vin
nm r hn phn l thuyt, nn c gng thc hin cc bi tp ny mt cch chu o.
Hy vng ti liu ny s t nhiu gip ch cho vic nghin cu chuyn an ton h thng
thng tin ca cc bn sinh vin.
Thng 7/2007.
Tc gi.
CHNG I
TNG QUAN V BO MT H THNG THNG TIN
Gii thiu:
Chng ny gip hc vin nm c cc khi nim thng dng trong bo mt v an
ton h thng, nguyn tc xy dng mt h thng thng tin bo mt, nhn din v phn tch cc
nguy c v ri ro i vi h thng thng tin, t c k hoch nng cp v bo v h thng.
Ni dung chng ny gm cc phn nh sau:
-Cc c trng ca mt h thng bo mt.
-Nguy c v ri ro i vi h thng thng tin.
-Cc khi nim dng trong bo mt h thng
-Chin lc bo mt h thng AAA.
-Mt s hnh thc xm nhp h thng.
-K thut ngn chn v pht hin xm nhp.
Confidentiality
Secure
Integrity
Availability
I.2.1
Tnh b mt:
I.2.2
Ni mt cch khc, tnh ton vn ca thng tin phi c nh gi trn hai mt: ton vn
v ni dung v ton vn v ngun gc.
V d: mt ngn hng nhn c lnh thanh ton ca mt ngi t xng l ch ti khon
vi y nhng thng tin cn thit. Ni dung thng tin c bo ton v ngn hng nhn
c mt cch chnh xc yu cu ca khch hng (ng nh ngi xng l ch ti khon gi i).
Tuy nhin, nu lnh thanh ton ny khng phi cho chnh ch ti khon a ra m do mt ngi
no khc nh bit c thng tin b mt v ti khon mo danh ch ti khon a ra, ta ni
ngun gc ca thng tin khng c bo ton.
Mt v d khc, mt t bo a tin v mt s kin va xy ra ti mt c quan quan trng
ca chnh ph, c ghi ch rng ngun tin t ngi pht ngn ca c quan . Tuy nhin, nu tin
tht s khng phi do ngi pht ngn cng b m c ly t mt knh thng tin khc, khng
xt n vic ni dung thng tin c ng hay khng, ta ni rng ngun gc thng tin khng
c bo ton.
S ton vn v ngun gc thng tin trong mt s ng cnh c ngha tng ng vi s
m bo tnh khng th chi ci (non-repudiation) ca h thng thng tin.
Cc c ch m bo s ton vn ca thng tin c chia thnh 2 loi: cc c ch ngn
chn (Prevention mechanisms) v cc c ch pht hin (Detection mechanisms).
C ch ngn chn c chc nng ngn cn cc hnh vi tri php lm thay i ni dung v
ngun gc ca thng tin. Cc hnh vi ny bao gm 2 nhm: hnh vi c gng thay i thng tin khi
khng c php truy xut n thng tin v hnh vi thay i thng tin theo cch khc vi cch
c cho php.
V d: mt ngi ngoi cng ty c gng truy xut n c s d liu k ton ca mt cng
ty v thay i d liu trong . y l hnh vi thuc nhm th nht. Trng hp mt nhn vin
k ton c trao quyn qun l c s d liu k ton ca cng ty, v dng quyn truy xut ca
mnh thay i thng tin nhm bin th ngn qu, y l hnh vi thuc nhm th hai.
Nhm cc c ch pht hin ch thc hin chc nng gim st v thng bo khi c cc thay
i din ra trn thng tin bng cch phn tch cc s kin din ra trn h thng m khng thc
hin chc nng ngn chn cc hnh vi truy xut tri php n thng tin.
Nu nh tnh b mt ca thng tin ch quan tm n vic thng tin c b tit l hay khng,
th tnh ton vn ca thng tin va quan tm ti tnh chnh xc ca thng tin v c mc tin cy
ca thng tin. Cc yu t nh ngun gc thng tin, cch thc bo v thng tin trong qu kh cng
nh trong hin ti u l nhng yu t quyt nh tin cy ca thng tin v do nh hng n
tnh ton vn ca thng tin. Ni chung, vic nh gi tnh ton vn ca mt h thng thng tin l
mt cng vic phc tp.
I.2.3
Tnh kh dng:
Tnh kh dng ca thng tin l tnh sn sng ca thng tin cho cc nhu cu truy xut hp
l.
V d: cc thng tin v qun l nhn s ca mt cng ty c lu trn my tnh, c bo
v mt cch chc chn bng nhiu c ch m bo thng tin khng b tit l hay thay i. Tuy
nhin, khi ngi qun l cn nhng thng tin ny th li khng truy xut c v li h thng. Khi
, thng tin hon ton khng s dng c v ta ni tnh kh dng ca thng tin khng c
m bo.
Nguy c:
Nguy c (threat) l nhng s kin c kh nng nh hng n an ton ca h thng.
Nghe ln, hay c ln (gi chung l snooping) l mt trong nhng phng thc
truy xut thng tin tri php. Cc hnh vi thuc phng thc ny c th n gin
nh vic nghe ln mt cuc m thoi, m mt tp tin trn my ca ngi khc,
hoc phc tp hn nh xen vo mt kt ni mng (wire-tapping) n cp d
liu, hoc ci cc chng trnh ghi bn phm (key-logger) ghi li nhng thng
tin quan trng c nhp t bn phm.
Nhm nguy c pht thng tin sai / chp nhn thng tin sai bao gm nhng hnh
vi tng t nh nhm trn nhng mang tnh ch ng, tc l c thay i thng
tin gc. Nu thng tin b thay i l thng tin iu khin h thng th mc thit
hi s nghim trng hn nhiu bi v khi , hnh vi ny khng ch gy ra sai d
liu m cn c th lm thay i cc chnh sch an ton ca h thng hoc ngn
chn hot ng bnh thng ca h thng.
Trong thc t, hnh thc tn cng xen gia Man-in-the-middle (MITM) l mt
dng ca phng thc pht thng tin sai / chp nhn thng tin sai. Hot ng ca
hnh thc tn cng ny l xen vo mt kt ni mng, c ln thng tin v thay i
thng tin trc khi gi n cho ni nhn.
Gi danh (spoofing) cng l mt dng hnh vi thuc nhm nguy c pht thng tin
sai / chp nhn thng tin sai. Hnh vi ny thc hin vic trao i thng tin vi
mt i tc bng cch gi danh mt thc th khc.
Ph nhn hnh vi (repudiation) cng l mt phng thc gy sai lch thng tin.
Bng phng thc ny, mt thc th thc hin hnh vi pht ra thng tin, nhng
sau li chi b hnh vi ny, tc khng cng nhn ngun gc ca thng tin, v
do vi phm yu cu v tnh ton vn ca thng tin.
V d: mt ngi ch ti khon yu cu ngn hng thanh ton t ti khon ca
mnh. Mi thng tin u chnh xc v ngn hng thc hin lnh. Tuy nhin sau
ngi ch ti khon li ph nhn vic mnh a ra lnh thanh ton. Khi ,
thng tin b sai lch do ngun gc ca thng tin khng cn xc nh.
I.3.2
Ri ro v qun l ri ro:
Ri ro (risk) l xc sut xy ra thit hi i vi h thng.
I.3.3
u U, o O: Access(u, o) = TRUE u A
Ma trn cng thng c dng biu din mt chnh sch bo mt.
V d: mt h thng vi cc tp ngi dng U = {u 1, u2, u3, u4} v tp i tng O = {o1,
o2, o3, o4}. Cc thao tc m mt ngi dng u c th thc hin c trn mt i tng o bao gm
c (r), ghi (w) v thc thi (x). Quy nh v kh nng truy xut ca tng ngi dng n tng i
tng trong h thng c biu din bng ma trn nh sau:
u1
u2
U3
o1
o2
o3
o4
u4
I.4.2
Cc mc tiu ca bo mt h thng:
cha thi hnh, khi dng chng trnh qut virus s c th pht hin ra. chng trnh qut
virus lm vic c hiu qu th cn thit phi cp nht thng xuyn danh sch virus. Qu trnh
cp nht l qu trnh a thm cc m t v du hiu nhn bit cc loi virus mi vo c s d
liu (virus database hoc virus list).
Phc hi (recovery): mc tiu thit k bao gm cc c ch nhm chn ng cc vi phm
ang din ra (response) hoc khc phc hu qu ca vi phm mt cch nhanh chng nht vi mc
thit hi thp nht (recovery).
Ty theo mc nghim trng ca s c m c cc c ch phc hi khc nhau. C nhng
s c n gin v vic phc hi c th hon ton c thc hin t ng m khng cn s can
thip ca con ngi, ngc li c nhng s c phc tp v nghim trng yu cu phi p dng
nhng bin php b sung phc hi.
Mt phn quan trng trong cc c ch phc hi l vic nhn din s h ca h thng v
iu chnh nhng s h . Ngun gc ca s h c th do chnh sch an ton cha cht ch hoc
do li k thut ca c ch.
I.5.1
iu khin truy xut (Access control) c nh ngha l mt quy trnh c thc hin
bi mt thit b phn cng hay mt module phn mm, c tc dng chp thun hay t chi mt s
truy xut c th n mt ti nguyn c th.
iu khin truy xut c thc hin ti nhiu v tr khc nhau ca h thng, chng hn
nh ti thit b truy nhp mng (nh remote access server-RAS hoc wireless access point WAP), ti h thng qun l tp tin ca mt h iu hnh v d NTFS trn Windows hoc trn cc
h thng Active Directory Service trong Netware 4.x hay Windows 2000 server,
Trong thc t, iu khin truy xut c thc hin theo 3 m hnh sau y:
12
I.5.2
Xc thc:
14
Trm lm vic
(workstation)
My ch
(server)
15
Trong thc t tn ti hai phng thc xc thc: xc thc mt chiu (one way
authentication) v xc thc hai chiu (mutual authentication).
Phng thc xc thc mt chiu ch cung cp c ch mt i tng (thng l my
ch) kim tra nhn dng ca i tng kia (ngi dng) m khng cung cp c ch kim tra
ngc li (tc khng cho php ngi dng kim tra nhn dng ca my ch). Xt trng hp mt
ngi s dng ng nhp vo mt hp th in t xa thng qua dch v web (web mail). Ngi
s dng d nhin phi cung cp tn ng nhp v mt khu ng th mi c php truy xut hp
th. nh cp mt khu ca ngi dng, k tn cng c th xy dng mt trang web han tan
ging vi giao din ca my ch cung cp dch v th in t (mail server) v nh la ngi s
dng kt ni n trang web ny. Do khng c c ch xc thc my ch, ngi s dng khng th
nhn bit y l mt my ch gi mo nn yn tm cung cp tn ng nhp v mt khu.
Phng thc kim tra hai chiu cho php hai i tng tham gia giao tc xc thc ln
nhau, do tnh chnh xc ca qu trnh xc thc c m bo. Giao thc bo mt SSL (Secure
Sockets Layer) dng trong dch v web (c trnh by chng III) cung cp c ch xc thc
hai chiu dng chng thc s.
C nhiu gii thut xc thc khc nhau. Gii thut n gin nht ch cn so snh tn ng
nhp v mt khu m ngi s dng cung cp vi tn ng nhp v mt khu c lu trong
h thng, nu ging nhau ngha l th tc xc thc thnh cng (PAP). Gii thut phc tp hn nh
CHAP th thc hin vic mt m ha thng tin trn mt gi tr ngu nhin no do my ch a
ra (gi l challenge) trnh trng hp mt khu b c ln trn mng v cc hnh thc tn cng
pht li (replay attack). Mt gii thut phc tp khc l Kerberos thc hin th tc xc thc theo
mt qu trnh phc tp gm nhiu bc nhm m bo hn ch tt c cc nguy c gy nn xc
thc sai. Cc gii thut xc thc c trnh by cho tit phn I ca chng III.
I.5.3
Kim tra:
Kim tra (Auditing) l c ch theo di hot ng ca h thng, ghi nhn cc hnh vi din
ra trn h thng v lin kt cc hnh vi ny vi cc tc nhn gy ra hnh vi.
V d: ci t c ch kim tra cho mt th mc trong h thng tp tin NTFS s cho php
ngi qun tr theo di cc hot ng din ra trn th mc nh: thao tc no c thc hin,
ngy gi thc hin, ngi s dng no thc hin,
Cc mc tiu ca kim tra:
-Cung cp cc thng tin cn thit cho vic phc hi h thng khi c s c
-nh gi mc an ton ca h thng c k hoch nng cp kp thi
-Cung cp cc thng tin lm chng c cho vic pht hin cc hnh vi truy xut tri php
trn h thng.
Trong mt h thng tin cy (reliable system) th vic kim tra cng l mt yu cu quan
trng bi v n m bo rng cc hnh vi ca bt k ngi dng no trong h thng (k c nhng
ngi dng hp h c xc thc authenticated user) cng u c theo di chc chn
rng nhng hnh vi din ra ng theo cc chnh sch an ton c nh ngha trn h thng.
Nguyn tc chung khi xy dng cc h thng an tan l chia nh cc th tc thnh nhiu
cng on c thc hin bi nhiu tc nhn khc nhau, v do vic thc hin hon chnh mt
th tc yu cu phi c s tham gia ca nhiu tc nhn. y l c s thc thi cc c ch kim
tra.
16
V d: cng vic gi kho hng v cng vic qun l s sch phi c thc hin bi hai
nhn vin khc nhau trnh trng hp mt nhn vin va c th ly hng ra ngoi va c th
thay i thng tin trong s qun l. Nguyn tc ny c p dng trit trong c ch kim tra
trn h thng nhm phn bit r rng gia chc nng kim tra vi cc hot ng c kim tra.
Thng thng, mt i tng c kim tra s khng c quyn thay i cc thng tin m c ch
kim tra ghi li.
Cc thnh phn ca h thng kim tra:
-Logger: Ghi li thng tin gim st trn h thng
-Analyzer: Phn tch kt qu kim tra
-Notifier: Cnh bo v tnh an ton ca h thng da trn kt qu phn tch.
Song song vi c ch kim tra thng trc trn h thng (auditing), vic kim tra h
thng nh k (system scanning) c chc nng kim tra v pht hin cc s h k thut nh hng
n s an ton ca h thng. Cc chc nng c th thc hin bi cc chng trnh kim tra h
thng trn my tnh thng gp:
-Kim tra vic tun th chnh sch an ton v mt khu (password policy), v d: ngi
dng c i mt khu thng xuyn khng, di mt khu, phc tp ca mt khu,
-nh gi kh nng xm nhp h thng t bn ngoi.
-Kim tra phn ng ca h thng i vi cc du hiu c th dn n tn cng t chi dch
v hoc s c h thng (system crash).
Lu rng, cc cng c kim tra h thng cng ng thi l cc cng c m nhng k tn
cng (attacker) s dng pht hin cc l hng bo mt trn h thng, t thc hin cc thao
tc tn cng khc. C nhiu phn mm qut h thng, in hnh nh SATAN (System
Administrator Tool for Analyzing Network), Nessus, Nmap,
Ci t chc nng Audit ca h iu hnh Windows XP ln mt th mc trn mt phn
vng NTFS:
-Mc nh, Windows XP khng p dng c ch kim tra, do cn phi kch hot c ch
kim tra ca Windows XP dng Local Security Policy nh sau: Vo Control Panel, chn
Administrative Tools, chn Local Security Policy, trong khung Security Settings bn tri ca
s, double-click vo mc Local Policy, sau click vo mc Audit Policy. Khi , khung bn
phi ca s lit k cc chc nng kim tra ca Windows XP. kch hot c ch kim tra trn th
mc, tm dng Audit object access, double-click vo dng ny v chn c hai mc Success v
Failure trong ca s mi m. Click OK v ng tt c cc ca s li.
- p dng c ch kim tra trn mt th mc no : khi ng Windows explorer, tm
mt th mc mun kim tra v click phi vo th mc ny, chn Properties, click vo tab
Security, click vo nt Advanced, sau click vo tab Auditing. Trong ca s Auditing entries
lit k cc mc kim tra ci t. to mt mc mi, click vo nt Add, chn tn ngi dng
hoc nhm cn kim tra trong ca s Select User or Group va xut hin, click OK. Ca s
Aditing Entry for xut hin, chn cc thao tc mun kim tra, v d Delete Subfolders and
Files theo di cc hnh vi xo tp tin v th mc con trong mc ny. Cn chn c hai loi s
kin l Successful v Failed. Click OK v ng tt c cc ca s li.
-Bt u t y, tt c cc thao tc xo cc tp tin v th mc con trong th mc chn
c thc hin bi ngi dng hoc nhm ch nh trn u c theo di v ghi li trong
nht k h thng. Mun xem cc thng tin ny th vo Control Panel, chn Administrative Tools,
chn Event Viewer v chn mc Security.
17
18
-Modification: truy xut tri php vo h thng thng tin, ng thi lm thay i ni dung
thng tin, v d xm nhp vo my tnh v lm thay i ni dung mt tp tin, thay i mt chng
trnh lm cho chng trnh lm vic sai, thay i ni dung mt thng bo ang gi i trn mng,
v.v Hnh thc xm nhp ny tc ng vo tnh Ton vn ca thng tin.
-Ngoi ra, mt hnh thc xm nhp th t l hnh thc xm nhp bng thng tin gi danh
(Farbrication), v d, gi danh mt ngi no gi mail n mt ngi khc, gi mo a ch
IP ca mt my no kt ni vi mt my khc, Hnh thc xm nhp ny lm thay i
ngun gc thng tin, tc cng l tc ng vo c tnh Ton vn ca thng tin.
i tng
xm nhp
Mng
Ngi dng
My ch
i tng
xm nhp
Mng
Ngi dng
Ngi dng
Trong thc t, vic xm nhp h thng c thc hin bi rt nhiu phng thc, cng c
v k thut khc nhau, thm vo , vic pht hin ra cc phng thc xm nhp mi l vic xy
ra rt thng xuyn, nn vn nhn dng v phn loi cc xm nhp mt cch c h thng l
kh khn v khng chnh xc. C th phn loi xm nhp theo cc tiu ch sau y:
19
-Phn loi theo mc tiu xm nhp (xm nhp mng, xm nhp ng dng, xm nhp hn
hp)
-Phn loi theo tnh cht xm nhp (xm nhp ch ng, xm nhp th ng)
-Phn loi theo k thut xm nhp (d mt khu, phn mm khai thc, )
Trong ti liu ny, vi mc tiu l gip ngi c nhn din c nhng phng thc
xm nhp h thng c bn v ph bin c ghi nhn v phn tch, nn cc hnh thc xm
nhp c trnh by theo hai nhm nh sau:
1-Cc phng thc tn cng (attacks)
2-Cc phng thc xm nhp h thng bng phn mm ph hoi (malicious codes)
i tng
xm nhp
Mng
Ngi dng
Ngi dng
i tng
xm nhp
Mng
Ngi dng
Ngi dng
I.6.1
Tn cng t chi dch v thng khng gy tit l thng tin hay mt mt d liu m ch
nhm vo tnh kh dng ca h thng. Tuy nhin, do tnh ph bin ca t chi dch v v c bit
l hin nay cha c mt gii php hu hiu cho vic ngn chn cc tn cng loi ny nn t chi
dch v c xem l mt nguy c rt ln i vi s an ton ca cc h thng thng tin.
-Tn cng t chi dch v phn tn (Distributed DoS hay DDoS):
L phng thc tn cng da trn nguyn tc ca t chi dch v nhng c mc nguy
him cao hn do huy ng cng lc nhiu my tnh cng tn cng vo mt h thng duy nht.
Tn cng t chi dch v phn tn c thc hin qua 2 giai on:
1-K tn cng huy ng nhiu my tnh trn mng tham gia t chi dch v phn tn bng
cch ci t cc phn mm iu khin t xa trn cc my tnh ny.
Cc my tnh c ci t phn mm iu khin ny c gi l cc zoombie. thc
hin bc ny, k tn cng d tm trn mng nhng my c nhiu s h tn cng v ci t cc
phn mm iu khin t xa ln m ngi qun l khng hay bit. Nhng phn mm ny c
gi chung l backdoor.
2-K tn cng iu khin cc zoombie ng lot thc hin tn cng vo mc tiu.
M hnh mt chui tn cng chi dch v phn tn in hnh c m t hnh 1.9.
Cc thnh phn tham gia trong chi dch v phn tn bao gm:
-Client: phn mm iu khin t xa c k tn cng s dng iu khin cc my khc
tham gia tn cng. My tnh chy phn mm ny c gi l master.
21
Zoombie
(Deamon)
Mc tiu
trng ca ngi dng. Tn cng xen gia c bit ph bin trn mng khng dy (wireless
network) do c tnh d xm nhp ca mi trng khng dy. Do vy, vic p dng cc k thut
m ho (nh WEP, WPA, ) l iu rt quan trng m bo an ton cho mng khng dy.
Cn trn mt my tnh, tn cng dng ny c th c thc hin di dng mt chng
trnh thu thp thng tin n (key-logger), chng trnh ny s m thm chn bt tt c nhng thng
tin m ngi dng nhp vo t bn phm, trong c th s c nhiu thng tin quan trng.
I.1.2
ent
Cli
I.1.1
rver
Se
Client
Server
Thng tin xc thc
c pht li
K tn cng
23
CHNG IV S
SYN/ACK message
YN
CHNG
message III S
ACK message
YN/ACK
CHNG II A
message
CHNG VI M CK
CHNG V M
yHnh 1.12: Th tc message
bt tay ba chiu ca TCP/IP y
A
B
ACK tr li t pha client th server phi ch cho n khi ht thi hiu
nhn c bn tin
(timeout) ri mi gii to kt ni ny. Vi s h ny, nu mt k tn cng c tnh to ra cc bn
ACK lin tip gi n server nhng khng hi p (tc khng gi li bn tin ACK cho server), th
n mt thi im no , tt c cc kt ni c th c ca server u dnh ht cho vic ch i
ny v do khng c kh nng phc v cho cc kt ni khc. Hnh 1.13 trnh by phng thc tn
cng dng SYN/ACK flooding.
24
ACK message
ACK message
ACK message
ACK message
K tn cng
My ch
ACK message
ACK message
Server
K tn cng
S th t
My b tn cng
25
kim tra cc kt ni (v d khi thc hin cc lnh Ping, Tracert, ). Hai phng thc tn cng
ph bin da trn ICMP bao gm:
Chim kt ni hin
ti ca client
Server
My tn cng
Client
My tn cng
Thc hin lnh Ping n a
ch qung b ca mng t a
ch gi danh
Tt c cc my trong nhm
qung b ng lot gi tr li
v my c a ch IP b gi
danh, gy tc nghn
My b tn cng
-ICMP tunneling: Do gi d liu ICMP thng c chp nhn bi nhiu my trn mng,
nn k tn cng c th li dng iu ny chuyn cc thng tin khng hp l thng qua cc gi
d liu ICMP. ngn chn cc tn cng ny, cch tt nht l t chi tt c cc gi d liu
ICMP.
-Tn cng khai thc phn mm (Software exploitation):
y l tn gi chung ca tt c cc hnh thc tn cng nhm vo mt chng trnh ng
dng hoc mt dch v no lp ng dng. Bng cch khai thc cc s h v cc li k thut
trn cc phn mm v dch v ny, k tn cng c th xm nhp h thng hoc lm gin on hot
ng bnh thng ca h thng.
Tn cng trn b m (buffer overflow attack): l phng thc tn cng vo cc li lp
trnh ca s phn mm. Li ny c th do lp trnh vin, do bn cht ca ngn ng hoc do trnh
bin dch. Ngn ng C l ngn ng c nhiu kh nng gy ra cc li trn b m nht, v khng
may, y l ngn ng vn c dng rng ri nht trong cc h iu hnh, cc chng trnh h
thng, c bit trong mi trng Unix v Linux.
a s cc trnh bin dch C khng kim tra gii hn vng nh cp pht cho cc bin,
do , khi d liu lu vo vng nh vt qua gii hn cp pht, n s ghi chng qua nhng
vng nh k cn v gy ra li. V d: khi lp trnh, mt khu m ngi dng nhp vo thng c
x l di dng mt chui (string), v c khai bo vi chiu di xc nh, v d 32 k t. Tuy
nhin, nu trong chng trnh khng thc hin vic kim tra chiu di mt khu trc khi x l v
trnh bin dch cng thng t ng thc hin vic ny th khi ngi s dng nhp mt khu c
chiu di ln hn 32 k t, ton b chui k t ny s trn vng nh cp pht v c th gy ra
li trn b m.
Ngoi tn cng trn b m, cc phng thc tn cng khc nhm vo vic khai thc cc
s h ca phn mm v dch v bao gm: khai thc c s d liu (database exploitation), khai
thc ng dng (application exploitation) v d nh cc loi macro virus, khai thc cc phn mm
gi th in t (e-mail exploitation),
-Cc k thut nh la (Social enginerring):
y l phng thc tn cng khng s dng k thut hay my tnh xm nhp h thng
m bng cc k xo gian ln tm kim cc thng tin quan trng, ri thng qua m xm nhp
h thng.
V d, mt k tn cng gi danh l mt nhn vin h tr k thut gi in thoi n mt
ngi trong h thng trao i cng vic, thng qua cuc trao i ny khai thc cc thng tin
cn thit thc hin hnh vi xm nhp h thng. R rng, phng thc ny khng s dng cc
k thut tn cng, nn c gi l social engineering. y cng l mt trong nhng loi tn
cng ph bin, v i tng m n nhm n l vn con ngi trong h thng.
I.6.2
K thut v hnh thc tn cng mi thng xuyn c pht hin v nng cp. trn ch
gii thiu cc hnh thc tn cng ph bin c pht hin v phn tch. Ngoi cc hnh thc tn
cng nh trn, cc h thng thng tin cn phi i mt vi mt nguy c xm nhp rt ln l
cc phn mm virus, worm, spyware, gi chung l cc phn mm ph hoi hay phn mm c
(malicious code). Sau y s tp trung trnh by cc hnh thc xm nhp ny.
Cc phn mm c c chia thnh cc nhm sau y: Virus, worm, Trojan horse v
logic bomb.
27
-Virus:
L phn mm n, kch thc nh v c gn vo mt tp tin ch no , thng thng l
cc tp tin thc thi c, nh virus mi c kh nng ph hoi v lan truyn sang cc my khc.
Mt s loi virus li gn vi cc tp tin ti liu (v d nh word, excel, ) v c gi l cc
virus macro.
Virus lan truyn gia cc my tnh thng qua vic sao chp cc tp tin c nhim virus t
a mm, a CD, a flash, hoc thng qua cc tp tin gi km theo e-mail. Phm vi ph hoi ca
virus l rt ln. Thng thng nht, cc virus thng gy ra mt mt d liu, h hng phn mm
v h hng c h iu hnh.
Nu trn my cha ci t sn cc chng trnh qut virus th du hiu thng thng nht
nhn bit c virus trn my tnh l:
-Xut hin cc thng bo l trn mn hnh
-My tnh lm vic chm i ng k, c bit khi khi ng chng trnh.
-Mt t ngt mt hoc nhiu tp tin trn a.
-Li phn mm khng r l do.
-Kch thc mt s tp tin, c bit l cc tp tin thc thi, tng ln bt thng.
-My tnh t khi ng li khi ang lm vic
-
Hnh 1.17 m t vic ly lan ca virus thng qua ng sao chp tp tin (bng a hoc
qua cc tp tin dng chung trn mng). Hnh 1.18 m t qu trnh pht tn virus thng qua email.
C th thy mc pht tn ca virus thng qua e-mail nghim trng hn nhiu, bi v
i vi hnh thc ly lan qua ng sao chp tp tin th ch c cc my tnh ch ng sao chp tp
tin mi b nhim virus; ngc li trong phng thc pht tn bng e-mail, nhng my khng ch
ng sao chp tp tin cng c kh nng b ly nhim nu v m nhng tp tin nhim virus c
gi km theo e-mail.
My b nhim virus
Hnh 1.17: Virus ly lan t my ny sang my khc qua phng tin lu tr (a) hoc qua th
mc dng chung trn mng
28
-Logic bomb:
L cc phn mm nm n trn my tnh v ch thc hin khi c mt s kin no xy ra,
v d khi ngi qun tr mng ng nhp vo h thng, khi mt ng dng no c chy hoc
n mt ngy gi nh trc no .
Thng thng, khi c thc hin, logic bomb gi mt thng bo v mt my trung tm
nh trc no thng bo s kin xy ra. Nhn c thng bo ny, k tn cng t my tnh
trung tm s thc hin tip cc th thut tn cng vo h thng, v d khi ng mt cuc tn
cng t chi dch v (DoS hoc DDoS).
Trn y l cc phng thc xm nhp vo h thng s dng cc phn mm ph hoi.
Mc d s xm nhp vo mt h thng c th no ca cc phn mm ny c th khng do ch
ch ca mt c nhn no, nhng thit hi do cc hnh thc xm nhp ny gy ra l rt ln, do tnh
ph bin ca n. Bt k my no cng c th b nhim phn mm c, c bit khi kt ni n
mng Internet. Cc nguyn tc chung trnh s xm nhp ca cc phn mm c vo my tnh
ni ring v vo mt h thng thng tin ni chung bao gm:
-Khng sao chp d liu t cc ngun khng tin cy (t a hay qua mng).
-Khng ci t cc phn mm khng r ngun gc, c bit l cc phn mm download t
Internet.
-Thng xuyn cp nht cc bn sa li (Hotfixes hoc service pack) cho h thng (c h
iu hnh v chng trnh ng dng).
-Ci t cc chng trnh Antivirus, Antispyware v cp nht thng xuyn cho cc
chng trnh ny.
-Theo di cc thng tin v cc loi virus mi, phng thc hot ng v cch thc ngn
chn trn cc trang web chuyn v bo mt (v d trang CERT ti a ch http://www.cert.org).
I.7.1
Tng la:
Tng la hay firewall l k thut ngn chn cc tn cng xm nhp t bn ngoi (mng
Internet) vo h thng bn trong (mng LAN v server). Hnh 1.19 m t mt cu trc mng in
hnh trong firewall c lp t trc router, vi vai tr bo v cho ton b h thng mng bn
trong.
Nguyn tc chung ca cc bc tng la l iu khin truy xut mng bng cch gim st
tt c cc gi d liu c gi thng qua tng la, v tu vo cc ci t trong chnh sch bo
mt m cho php hoc khng cho php chuyn tip cc gi ny n ch. Hnh 1.20 m t hot
ng in hnh ca mt bac tng la, trong , lu lng HTTP (TCP port 80) c php i
qua tng la, cn lu lng NetBIOS (TCP port 445) th b chn li.
30
Internet
Firewall
Router
Web server
Mail server
Cc my tnh khc trong mng ni b
Mng ni b
Internet
NetBios (port 445)
Firewall
31
Ngc li, chc nng tng la cng c th c thc hin trong mt khi phn cng
ring bit v c gi l firewall cng. Cc sn phm firewall cng in hnh hin nay bao gm:
Cisco PIX, NetScreen firewalls, SonicWall appliances, WatchGuard Fireboxes, Nokia firewalls,
giao dch vi mng bn ngai thay cho cc my tnh bn trong. Do vy, tng la lp ng dng
cng cn c gi l cc phn mm Proxy.
K thut ny c ch trong cc trng hp cn qun l ni dung truy cp ca ngi s dng
hoc nhn dng du hiu ca mt s loi phn mm c (virus, worm, trojan, ), v d ngn
chn ngi s dng ti cc tp tin hnh nh hoc phim vi kch thc ln.
Do phi phn tch ton b cu trc gi d liu ly thng tin nn nhc im ca tng
la lp ng dng l yu cu nng lc x l mnh, v l ni c th xy ra tc nghn tim nng ca
mng.
-Tng la kim sot trng thi (stateful inspection firewall):
L loi tng la kt hp c hai nguyn l lm vic ca tng la lc gi v tng la lp
ng dng.
Tng la kim sat trng thi cho php thit lp cc quy tc lc gi phc tp hn so vi
tng la lc gi, tuy nhin khng mt qu nhiu thi gian cho vic phn tch ni dung ca tt c
cc gi d liu nh trng hp tng la lp ng dng. Tng la kim sat trng thi theo di
trng thi ca tt c cc kt ni i qua n v cc gi d liu lin quan n tng kt ni. Theo ,
ch cc cc gi d liu thuc v cc kt ni hp l mi c chp nhn chuyn tip qua tng la,
cc gi khc u b loi b ti y.
Tng la kim sat trng thi phc tp hn do phi tch hp chc nng ca c 2 loi
tng la trn. Tuy nhin, c ch thc hin ca tng la ny chng t c tnh hiu qu
ca n v trong thc t, cc sn phm tng la mi u h tr k thut ny.
Bng 1.1: Mt s dch v ph bin trn TCP
Cng
I.7.2
Dch v
20
21
22
23
Telnet
25
80
110
143
443
H thng pht hin xm nhp IDS (Intrusion Detection System) l h thng pht hin cc
du hiu ca tn cng xm nhp. Khc vi bc tng la, IDS khng thc hin cc thao tc ngn
chn truy xut m ch theo di cc hot ng trn mng tm ra cc du hiu ca tn cng v
cnh bo cho ngi qun tr mng.
IDS khng thc hin chc nng phn tch gia mng ni b v mng cng cng nh bc
tng la nn khng gnh ton b lu lng qua n v do khng c nguy c lm tc nghn
mng.
33
Router
Firewall
IDS
Qun tr
h thng
Signature
database
Network
Host
H iu hnh
Logging
35
Tm tt chng:
-Mt h thng thng tin an tan l h thng m bo c 3 c trng c bn:
-Tnh Bo mt (Confidentiality)
-Tnh Tan vn (Integrity)
-Tnh Kh dng (Availability)
Ba c trng ny c gi tt l CIA.
-Chin lc c bn nht m bo tnh bo mt ca mt h thng thng tin:
-Access Control
-Authentication
-Auditing
K thut ny gi tt l AAA.
-Nguy c (threat) ca mt h thng thng tin l cc s kin, hnh vi c kh nng nh
hng n 3 c trng CIA ca h thng. Ri ro i vi h thng thng tin l xc sut xy ra cc
thit hi i vi h thng.
-Chnh sch bo mt (security policy) nh ngha cc trng thi an tan ca h thng, cc
hnh vi m ngi s dng c php hoc khng c php thc thi. C ch bo mt (security
mechianism) l cc bin php k thut (technical) hoc th tc (procedure) nhm m bo chnh
sch. Nguyn tc xy dng mt h thng thng tin an ton bao gm xy dng chnh sch bo mt
nh ngha mt cch chnh xc v y cc trng thi an ton ca h thng, sau thit lp
cc c ch m bo thc thi chnh sch.
-C nhiu hnh thc xm nhp / tn cng khc nhau trn h thng. Cc tn cng ny da
trn cc s h v an tan ca giao thc (TCP/IP), ca h iu hnh (Windows, Linux, ) hoc
ca cc chng trnh ng dng chy trn cc h iu hnh . K thut tt cng lun lun c
pht trin v han thin, do cng ngh an ton mng cng phi c pht trin tng xng.
-Hai gii php k thut gip pht hin v ngn chn cc tn cng trn mt h thng thng
tin l IDS v Firewall. IDS gim st h thng pht hin cc du hiu tn cng v to ra cnh
bo. Firewall ngn chn hoc cho php cc truy xut thng qua Firewall theo cc quy lut nh
trc (access rules).
CU HI V BI TP.
A- Cu hi trc nghim
Cu 1. Th no l tnh bo mt ca h thng thng tin?
a- L c tnh ca h thng trong thng tin c gi b mt khng cho ai truy
xut.
b- L c tnh ca h thng trong tt c thng tin c lu tr di dng mt m.
c- L c tnh ca h thng trong ch c nhng ngi dng c cho php mi
c th truy xut c thng tin
d- Tt c u ng
Cu 2. Chn cu ng khi ni v tnh bo mt ca h thng thng tin:
a- Mt h thng m bo tnh b mt (confidential) l mt h thng an ton (secure).
b- Tnh b mt ca thng tin bao gm tnh b mt v s tn ti ca thng tin v tnh
36
a- Sniffing
b- Spoofing
c- DoS
d- Man-In-The-Middle.
Cu 24. Chn cu ng:
a- C th ngn chn cc tn cng trn b m (buffer overflow) bng cc phn mm
antivirus.
b- C th ngn chn cc tn cng trn b m bng cch ci t firewall.
c- Tt c cc phn mm vit bng ngn ng C u c cha li trn b m.
d- Li trn b m ch xy ra trn cc phn mm c nhp liu t ngi dng.
Cu 25. Mt my tnh nghe ln thng tin trn mng v dng cc thng tin ny xm nhp tri
php vo mt h thng thng tin, y l phng thc tn cng no?
a- Spoofing
b- Replay
c- Man-In-The-Middle
d- Sniffing
Cu 26. Phng thc tn cng no sau y khng da trn bn cht ca giao thc TCP/IP:
a- SYN/ACK flooding
b- TCP sequence number attack
c- ICMP attack
d- Software exploitation
Cu 27. Chn cu ng khi ni v cc phng thc tn cng bng phn mm c (malicious
code):
a- Virus c th t sao chp v lan truyn thng qua mng my tnh.
b- Worm l loi phn mm c hot ng da vo mt phn mm khc.
c- Trojan horse l mt loi phn mm c nhng c tn ging nh cc tp tin bnh
thng.
d- Logic bomb khng th ph hoi h thng nu ng h h thng lun chm hn
thi gian hin hnh.
Cu 28. Chn cu ng khi ni v firewall:
a- Firewall ch c th ngn chn cc tn cng t bn ngoi h thng.
b- Tt c cc gi d liu i qua firewall u b c ton b ni dung, nh firewall
mi c c s phn bit cc tn cng vi cc loi lu lng khc.
c- Nu m tt c cc cng (port) trn firewall th firewall s hon ton b v hiu
ho.
d- Tt c u ng.
Cu 29. ng dng no sau y c chc nng thay i a ch IP ca tt c cc gi d liu i qua
n:
a- IDS
b- Proxy
40
c- NAT
d- Khng c ng dng no nh vy
Cu 30. Nguyn l hot ng ca IDS:
a- Phn tch cc gi d liu lu thng trn mng tm du hin ca tn cng.
b- Phn tch cc d liu trong nht k h thng (system log) pht hin du hiu
ca tn cng.
c- Duy tr mt c s d liu v cc du hiu tn cng (signature database).
d- Tt c cc iu trn.
Cu 31. Chn cu ng khi ni v IDS:
a- IDS l mt ng dng c chc nng pht hin v ngn chn cc tn cng vo h
thng thng tin.
b- IDS ch c th pht hin c cc tn cng t bn ngoi vo h thng.
c- Network-based IDS khng c kh nng pht hin tn cng vo mt my ch c
th.
d- Signature-based IDS khng c kh nng pht hin cc tn cng hon ton mi,
cha tng c m t trong c s d liu.
B- Bi tp
Cu 32. Lit k v sp xp cc phng thc tn cng theo hai loi: tn cng ch ng (active
attacks) v tn cng th ng (passive attacks).
Cu 33. Lit k v sp xp cc phng thc tn cng theo hai loi: tn cng vo giao thc TCP/IP
v tn cng vo phn mm (chng trnh ng dng v h iu hnh).
Cu 34. Ci t v cu hnh phn mm IDS Snort trn H iu hnh Linux.
Cu 35. Ci t v cu hnh ISA server 2004 trn Windows.
----------
41
CHNG II
MT M V XC THC THNG TIN
Gii thiu:
Chng ny trnh by c ch mt m v cc vn lin quan nh hm bm, ch k s,
chng thc v c s h tng kho cng khai PKI. Mt m l c ch c bn nht nhm m bo
tnh B mt ca thng tin. Cc c ch xc thc nh hm bm v ch k s c chc nng bo v
tnh Ton vn ca thng tin. Cc ni dung cp trong chng ny bao gm:
-Tng quan v k thut mt m.
-K thut mt m i xng
-K thut mt m bt i xng
-Cc hm bm bo mt
-Ch k s
-Vn qun l kho v c s h tng kho cng khai
Kho mt m
(Key)
Thng tin c m
ho (ciphertext)
Thng tin gc
(Plaintext)
Thut ton m ho
(Encryption
algorithm)
Thng tin gc
(Plaintext)
gii m phi c c 3 thnh phn: thng tin mt (ciphertext), kha (secret key) v thut tan gii
m (decryption algorithm). K tn cng thng khng c y 3 thng tin ny, do , thng
c gng gii m thng tin bng hai phng php sau:
-Phng php phn tch m (cryptanalysis): da vo bn cht ca thut tan m ha,
cng vi mt an thng tin gc hoc thng tin mt c c, k tn cng tm cch phn tch
tm ra tan b thng tin gc hoc tm ra kha, ri sau thc hin vic gii m ton b thng tin
mt.
-Phng php th tun t (brute-force): bng cch th tt c cc kha c th, k tn
cng c kh nng tm c kha ng v do gii m c thng tin mt.
Thng thng, tm c kha ng th cn phi th mt s lng kha bng khang
mt na s kha c th c ca h thng m. V d, nu kho c chiu di l 8 bit th s c tt c 2 8
= 256 kho khc nhau. chn c kho ng th k tn cng phi th trung bnh khong 256 /
2 = 128 ln. Vic th ny thng c tr gip bi cc my tnh v phn mm chuyn nghip.
Hai thnh phn m bo s an ton ca mt h thng mt m l thut ton m (bao gm
thut ton m ho v thut ton gii m) v kho.
Trong thc t, thut tan m khng c xem nh mt thng tin b mt, bi v mc ch
xy dng mt thut tan m l ph bin cho nhiu ngi dng v cho nhiu ng dng khc
nhau, hn na vic che giu chi tit ca mt thut tan ch c th tn ti trong mt thi gian ngn,
s c mt lc no , thut tan ny s c tit l ra, khi tan b h thng m ha tr nn v
dng. Do vy, tt c cc tnh hung u gi thit rng k tn cng bit trc thut tan m.
Nh vy, thnh phn quan trng cui cng ca mt h thng m l kha ca h thng,
kha ny phi c gi b mt gia cc thc th tham gia nn c gi l kha b mt.
Mt cch tng qut, chiu di kha cng ln th thi gian cn thit d ra kha bng
cch th cng ln, do vy kh nng pht hin kha cng thp. Bng sau y lit k mt s kha
vi di khc nhau v thi gian cn thit d ra kha.
Bng 2.1: Quan h gia di kho v thi gian d kho.
Chiu di
kho (bit)
S kho ti a
32
56
255 ms = 1.142 nm
10,01 gi
128
5,4 * 1018 nm
168
5,9 * 1030 nm
26! = 4 * 1026
6.4 * 106 nm
26 k t
(hon v)
44
Thut ton
m ha
Thng tin mt
Thut ton
gii m
Thng tin gc
-Thng tin gc c ct thnh tng khi c kch thc 2w bit (tc l mt s bit chn).
Mi khi bit c x l thnh 2 phn bng nhau: w bit bn tri (L) v w bit bn phi (R).
-C hai phn bn tri v bn phi c a ln lt vo khi m ho gm n vng lin tip
v ging nhau. Cc thao tc thc hin ti mi vng bao gm: hon v phn bn tri v phn bn
phi, a phn bn phi vo mt hm x l F cng vi kho con K i, ng ra s c XOR vi phn
bn tri. Kt qu cui cng c hon v mt ln na trc khi xut ra.
Thng tin gc
2w bit
L0
w bit
w bit
R0
K1
L1
R1
Ki
F
Ri
Li
Kn
F
Ln
Rn
Ln+1
Rn+1
Thng tin mt
2w bit
Thng tin gc
2w bit
K1
LE0
Thng tin mt
2w bit
RE0
LD0=RE16
RE1
LD1=RE15
LE15
RD0=LE16
K2
LE1
K16
K15
RD1=LE15
K16
RE15
LD15=RE1
K1
RD15=LE1
LE16
RE16
LEout
REout
Thng tin mt
2w bit
a-Qu trnh m ho
LD16=RE0
LDout=LE0
RD16=LE0
RDout=RE0
Thng tin gc
2w bit
b-Qu trnh gii m
(1)
(2)
(3)
(4)
Kho b mt
64 bit
IP
PC-1
64 bit
56 bit
56 bit
K1 48 bit
Vng 1
Dch tri
PC-2
64 bit
56 bit
56 bit
K2 48 bit
Vng 2
Dch tri
PC-2
56 bit
K16 48 bit
Vng 16
PC-2
Dch tri
64 bit
32 bit swap
Ch thch:
IP (Initial Permutation): php hon v khi u
64 bit
IP-1
Thng tin mt
64 bit
M2
M3
M4
M5
M6
M7
M8
32 bit
Li-1
Ri-1
E table
48 bit
48 bit
Ki
Hm F
48 bit
S-Box
32 bit
Permutation (P)
32 bit
Li
32 bit
Ri
32 bit
51
E table (Expansion/Permutation) thc hin chc nng hon v cc bit trong khi thng tin,
ng thi chuyn t 32 bit thnh 48 bit bng cch s dng ma trn E table (hnh 2.9). 32 bit thng
tin theo th t c c vo 48 v tr (tng ng vi 6 ct v 8 dng) ca E table. Nh vy, s c
mt s bit c lp li trong ma trn.
S-Box (Substitution Box) thc hin thao tc thay th chui bit thnh mt chui bit khc,
ng thi thc hin thao tc ngc li vi E table l chuyn khi thng tin t 48 bit thnh 32 bit.
S-Box cng c thc hin thng qua cc ma trn S-Box (hnh 2.10).
Nguyn tc hot ng ca S-box nh sau:
Tng phn 6 bit c x l ring bit bng mt ma trn S-Box khc nhau (c 8 SBox khc nhau).
Ti mi S-Box, bit u v bit cui ca phn 6 bit thng tin c dng chn 1
trong 4 hng ca ma trn, 4 bit cn li c dng chn 1 trong 16 gi tr ca
hng tng ng, gi tr c chn s chuyn thnh 4 bit nh phn.
Php hon v P (Permuatation) c chc nng chuyn i v tr cc bit trong khi thng tin
32 bit xut ra t S-Box. Thao tc hon v P cng c thc hin da trn ma trn P gm 8 ct v 4
dng (hnh 2.11).
52
S1
S2
S3
S4
S5
S6
S7
S8
Ci-1
Di-1
Dch tri
Dch tri
PC-2
Ki
Ci
Di
PC-1 l thay i v tr cc bit ca 56 bit kho va to ra. Ch rng PC-1 ch c thc hin 1 ln
duy nht trc khi bt u vng u tin. Trong tt c cc vng m ho, php hon v thc hin
trn cc kho ph l php hon v PC-2. PC-1 v PC-2 c thc hin thng qua cc ma trn
PC-1 v PC-2 hnh 2.13 v 2.14. Ng ra ca khi hon v PC-1 c chia thnh 2 phn, mi
phn 28 bit (C v D). Ti mi vng m ho, hai phn ny c dch tri 1 hoc 2 bit trc khi i
qua khi hon v PC-2 thnh 48 bit kho ph a vo hm XOR cng vi khi thng tin ca
vng tng ng. S bit dch tri tng ng vi mi vng nh sau:
Vng
11 12 13 14 15 16
S bit dch
C = E(P, K)
P = D(C, K)
K1
K2
a- M ho
K2
K1
b- Gii m
K2
K1
a- M ho
K1
K2
K1
b- Gii m
128
192
256
128
128
128
S vng m (vng)
10
12
14
128
128
128
176
208
240
Chiu di kho ca AES c th l 128, 192 hoc 256 bit. ng vi mi trng hp, cc
thng s cn li c cho tng ng bng trn, trong , kch thc khi thng tin lun c nh
l 128 bit.
Mt lu quan trng l AES khng da trn cu trc Feistel. Tt c cc thao tc trong
thut ton u c th c m t bng cng c ton hc, do AES c th thc hin bng phn
cng hoc phn mm vi tc ti a. AES s dng hai thut ton khc nhau cho m ho v gii
m, do vy tt c cc thao tc trong thut ton bt buc phi c thao tc ngc (ngoi tr php
XOR).
Hnh 2.17 m t thut ton AES trong trng hp n gin nht (128 bit kho).
57
Kho
Thng tin gc
W[0,3]
Substitute bytes
Expand key
Mix column
Vng 1
Shift rows
Vng 10
Thng tin gc
W[4,7]
Substitute bytes
Vng 9
Shift rows
Mix column
W[36,39]
Vng 10
Vng 1
Substitute bytes
Shift rows
W[40,43]
Thng tin mt
Thng tin mt
a- M ho
b- Gii m
58
VI.1.3 Thng
VI.1.2 Cc trng thi
VI.1.1 Thng
tin ng vo
trung gian
tin ng ra
Hnh 2.18: Qu trnh bin i mng trng thi trong thut ton AES
04
65
85
83
45
5D
96
5C
33
98
B0
F0
2D
AD
C5
Sau khi qua thao tc thay th byte s dng ma trn S-Box hnh 2.19 s tr thnh:
87
F2
4D
97
EC
6E
4C
90
4A
C3
46
E7
8C
D8
95
A6
59
a- Ma trn S-Box
-Thao tc dch dng: Thao tc ny c mc ch hon v cc byte trong mng trng thi.
Nguyn tc dch nh sau: dng u tin ca mng c gi nguyn, dng th hai c dch tri 1
byte, dng th ba c dch tri 2 byte v dng th t c dch tri 3 byte (hnh 2.20).
60
Thao tc ngc c thc tng t nhng vi php dch phi c dng thay cho php
dch tri, ngha l dng u tin cng c gi nguyn, dng th hai c dch phi 1 byte, dng
th ba c dch phi 2 byte v dngth t c dch phi 3 byte.
-Thao tc trn ct: Thao tc ny c thc hin trn tng ct, c tc dng thay th tng
Xem thm ti liu v cc php ton trong trng Galois, c bit l dng GF(2 n)
61
87
F2
4D
97
6E
4C
90
EC
46
E7
4A
C3
A6
8C
D8
95
Sau khi qua thao tc trn ct bng php nhn ma trn trn s tr thnh:
47
40
A3
4C
37
D4
70
9F
94
E4
3A
42
ED
A5
A6
BC
-Thao tc cng kho: l thao tc n gin nht ca thut ton, c tc dng trn gi tr ca
mng trng thi hin hnh vi kho ph ca vng tng ng. Thao tc trn c thc hin bng
php XOR gia 128 bit ca mng trng thi hin hnh vi 128 bit ca kho ph. Thao tc cng
kho khng c thao tc ngc, hay ni ng hn l thao tc ngc cng chnh l php XOR.
-Thut ton sinh kho ph: 128 bit kho ban u c m rng (expand key) thnh 176
byte, c t chc thnh 44 t (word), mi t 4 byte, va to thnh 10 kho ph cho 10
vng m ho ca thut ton (mi kho ph gm 4 t) cng vi 1 kho ph cho thao tc cng kho
ban u. Nh vy, thut ton sinh kho ph ca AES thc cht l thut ton m rng bn t kho
(128 bit) ban u thnh 44 t kho. Thao tc m rng kho c thc hin nh sau:
-Bn t kho gc c a trc tip vo php cng kho ban u, tc w[0,3] = key.
-Cc t kho m rng tip theo (c th t khng l bi s ca 4) c to ra bng cch
XOR gia t kho lin trc n vi t kho cch n 4 v tr, tc w[i] = w[i-1] w[i-4].
-i vi cc t kho m rng c th t l bi s ca 4 th cch to ra gm cc bc:
Thc hin dch t kho lin trc n sang tri 1 byte, temp = leftshift(w[i1], 8 bit)
Thay th cc byte trong t kho va to ra bng cc gi tr khc s dng
ma trn S-Box hnh 2.19, temp = S-Box(temp)
Gi tr to ra c XOR vi mt hng s xc nh cho tng vng m ho
gi l Round Constant hay RC[j]. Gi tr RC[j] c nh ngha ring bit
cho tng vng nh sau:
Vng
10
RC[j]
01
02
04
08
10
20
40
80
1B
36
Chiu di kha
S vng m ha
ng dng
DES
56 bit
16
XOR, S-box
SET,
Kerberos
3DES
48
XOR, S-box
PGP,
S/MIME, cc
ng
dng
qun l kha
AES
10, 12 hoc 14
SSL
IDEA
128 bit
Blowfish
Thay i, ti a
448 bit
16
RC5
Thay i, ti a
2048 bit
Thay i, ti a
255 vng
CAST-128
40 n 128 bit
16
Tp kho
cng khai
User E
User D
User C
User B
Kho b mt ca
user B
Thng
tin gc
Thut ton m ho
(thc hin bi user A)
Thng
tin gc
Tp kho
cng khai
User E
User D
User C
Kho b mt
ca user A
User A
Kho cng khai
ca user A
Thng tin mt
Thng
tin gc
Thut ton m ho
(thc hin bi user A)
Thng
tin gc
Mi user thng bo mt trong hai kho ca mnh cho cc user khc bit, kha ny
c gi l kha cng khai (public key). Kha cn li c gi b mt, v gi l
kha ring (private key).
Nu mt user A mun gi thng tin cho user B, user A s thc hin m ha thng
tin cn gi bng kha cng khai ca user B.
Khi nhn c thng tin m ha t user A, user B thc hin gii m thng tin
bng kha ring ca mnh. Do kha ring khng ph bin cng khai nn ch c
mt mnh user B c kh nng gii m c.
(vi M l s nguyn nh hn N)
66
= Med mod N
= M(ed 1) + 1 mod N
= M . Med 1 mod N
= M . M k(N) mod N
= M . 1k mod N
= M.
Chn p, q
Tnh N = p.q
Tnh (N) = (p 1) (q 1)
2- M ho:
C = Me mod N
(M l s nguyn nh hn N)
3- Gii m:
M = Cd mod N
Timing attack: da trn thi gian thc thi ca thut ton gii m.
Tuy nhin trong thc t, nguy c tn cng cc h thng mt m RSA l rt thp, do RSA
l mt thut ton linh ng, kch thc khi d liu gc v chiu di kho d dng c thay i
m khng nh hng n thut ton m.
by, mt trong nhng vn quan trng lin quan trc tip n tnh an ton ca cc thut ton
mt m i xng l vn thng nht kho b mt gia cc thc th thng tin.
Thut ton trao i kho Diffie-Hellman da trn php logarit ri rc (discrete log). Cho
trc mt s g v x = gk , tm k, ta n gin thc hin php logarit: k = log g(x). Tuy nhin, nu
cho trc g, p v (gk mod p), th qu trnh xc nh k c thc hin theo cch khc vi cch
trn v c gi l logarit ri rc. Vic tnh logarit ri rc ni chung rt phc tp nhng vn c
th thc hin c.
Thut tan Diffie-Hellman kh n gin nh sau:
User A
User B
Chn s b mt Xa < p
Chn s b mt Xb < p
trn cc s nguyn ln. Tuy nhin, thut ton ny khng ngn chn c cc tn cng theo
phng thc xen gia Man-In-The-Middle (MITM) nh sau:
thc hin tn cng MITM trn kt ni gia user A v user B, user C cng chn
cho mnh hai s nguyn XC1 v XC2 tho iu kin XC1 < p v XC2 < p, sau
cng tnh hai gi tr tng ng YC1 = (gXc1 mod p) v YC2 = (gXc2 mod p).
Khi user A gi Ya cho user B, user C s chn ly thng tin ny, ng thi mo
danh A gi cho B gi tr YC1. User B xc nh kho K1 da trn YC1, v gi li
cho A gi tr Yb. User C li chn ly gi tr ny v mo danh B gi cho A gi tr
YC2.
II.4 CC HM BM
II.4.1 Xc thc thng tin:
Xc thc thng tin (message authentication) l mt c ch c ng dng trong x l
thng tin vi mc ch:
a- Dng mt m i xng
b- Dng mt m bt i xng
M: thng tin gc
C: Thng tin mt
PRa: Kha b mt ca bn gi.
E: thut tan mt m
D: Thut tan gii m
K: Kha b mt dng chung gia bn gi v bn nhn
PUa: Kha cng khai ca bn gi
So snh
M xc thc (MAC)
M: thng tin gc
C: Hm to m xc thc
K: Kha b mt dng chung gia bn gi v bn nhn
| |: Ni m xc thc vo thng tin gc
72
Ni gi thng tin
So snh
M bm c m ha
M: thng tin gc
D: thut tan gii m
H: hm bm
E: thut tan m ha
K: kha b mt dng chung gia pha gi v pha nhn.
| |: ni m bm c m ha vo thng tin gc
II.4.2 Cc hm bm bo mt:
Cc hm bm bo mt (secure hash functions) hay gi tt l hm bm l mt trong nhng
k thut c bn thc hin cc c ch xc thc thng tin (message authentication). Ngoi ra,
hm bm cng cn c s dng trong nhiu thut ton mt m, trong ch k s (digital
signature) v nhiu ng dng khc.
Nguyn tc ca hm bm l bin i khi thng tin gc c di bt k thnh mt on
thng tin ngn hn c di c nh gi l m bm (hash code hay message digest). M bm
c dng kim tra tnh chnh xc ca thng tin nhn c. Thng thng, m bm c gi
km vi thng tin gc. pha nhn, hm bm li c p dng i vi thng tin gc tm ra m
bm mi, gi tr ny c so snh vi m bm i km vi thng tin gc. Nu hai m bm ging
nhau, ngha l thng tin gi i khng b thay i.
Ch c th dng hm bm tnh m bm t thng tin gc ch khng th tnh c thng
tin gc t m bm. Do c tnh ny, cc hm bm bo mt cng cn c gi l hm bm mt
chiu (one way hash fntion).
Hnh 2.27 m t nguyn l hot ng ca mt gii thut xc thc thng tin s dng hm
bm n gin.
Cc yu cu ca mt hm bm bo mt H:
73
Cho trc khi thng tin x, khng th tm c mt khi thng tin y khc x sao
cho H(y) = H(x). Thuc tnh ny c gi l weak collision resistance.
Khng th tm c hai khi thng tin x v y khc nhau sao cho H(x) = H(y).
Thuc tnh ny c gi l strong collision resistance.
Thng tin gc
Thng tin gc
Thng tin gc
So snh
H
: M bm
H
: Hm bm
(*)
Bi ton ngy sinh: trong mt cn phng c n ngi, n ti thiu phi bng bao nhiu c t nht 2 ngi c
cng ngy sinh (trong nm). L thuyt xc sut xc nh n = 23. Bi ton ny c m rng cho hm bm.
74
SHA-1
SHA-256
SHA-384
SHA-512
160
256
384
512
<2
<2
<2
<2128
512
512
1024
1024
di t (bit)
32
32
64
64
80
64
80
80
64
64
128
75
4- X l thng tin theo tng khi 512 bit Process message: y l cng an trung tm
qu hm bm, cn c gi l hm nn (compress function), bao gm 4 vng, mi vng 20 bc.
Hnh 2.28 trnh trnh by s khi ca bc 4.
C 4 vng c cu trc tng t nhau, nhng mi vng s dng mt hm lun l khc nhau
l f1, f2, f3 v f4.
Ng vo ca mi vng l khi bit Y (512 bit) ang x l cng vi gi tr ca b m MD.
Mi vng s dng mt bin cng Kt khc nhau, vi 0 t 79 biu din cho 80 bc ca 4 vng.
Tuy nhin, thc t ch c 4 gi tr K khc nhau nh sau:
Yq
CVq
160
512
32
A
f1, K, W[019]
20 vng
f2, K, W[2039]
20 vng
f3, K, W[4059]
20 vng
f4, K, W[6079]
20 vng
160
CVq+1
Gi tr K (Hexa)
0 t 19
Kt = 5A827999
20 t 39
Kt = 6ED9EBA11
76
40 t 59
Kt = 8F1BBCDC
60 t 79
Kt = CA62C1D6
MD5
SHA-1
128
160
512
512
S bc
64
80
Khng gii hn
< 264
Vi 128 bit m bm, vic tm ra hai khi thng tin c cng mt gi m bm khng cn
l iu bt kh thi i vi nng lc ca cc b x l hin nay. Do , an tan ca MD5 ang b
e da nghim trng, v trong thi gian ngn sp ti, mc ph bin ca MD5 c th s gim
i v c thay th bng mt gii thut xc thc khc.
II.5 CH K S
II.5.1 Nguyn l hot ng ca ch k s:
Ch k s l mt c ch xc thc cho php ngi to ra thng tin (message creator) gn
thm mt an m c bit vo thng tin c tc dng nh mt ch k. Ch k c to ra bng
cch p dng mt hm bm ln thng gc, sau m ha thng tin gc dng kha ring ca
ngi gi. Ch k s c mc ch m bo tnh tan vn v ngun gc v ni dung ca thng tin.
Ti sao phi dng ch k s trong khi cc c ch xc thc thng tin (message
authentication) thc hin chc nng xc thc ngun gc thng tin? Cc c ch xc thc thng
tin s dng cc hm bm mt chiu c tc dng bo v thng tin trao i gia hai thc th thng
77
tin khi s xm phm ca mt thc th th 3, tuy nhin n khng c tc dng ngn chn c s
xm phm ca chnh hai thc th. V d:
Thc th A gi mt bn tin X cho thc th B s dng mt c ch xc thc no , c ch
ny m bo ch c A v B dng chung mt kho b mt K to ra cc m xc thc t thng tin
gc. Tuy nhin, thc th B c th i bn tin X thnh mt bn tin Y, v vi kha b mt K, thc
th B han tan c th to ra thng tin xc thc mi gn vo Y, lm cho n tr thnh mt bn
tin hp l mc d thc cht y khng phi l bn tin do thc th A to ra.
Mt v d khc, thc th A c th t chi xc nhn vic mnh gi bn tin X cho thc
th B, v vi cc c ch xc thc nh trn, thc th B hon ton c kh nng gi mo thng tin
a ra t thc th A.
Ging nh mt ch k thng thng (ch k bng tay), mt ch k s phi c y cc
thuc tnh sau y:
L mt chui bit pht sinh t khi thng tin cn c xc nhn (thng tin gc).
-Phn loi ch k s: C nhiu thut ton pht sinh ch k s khc nhau. C th phn
loi cc thut ton ny theo cc cch nh sau:
-Cc phng php thc hin ch k s: C hai phng php thc hin ch k s l k
trc tip (direct signature) v k thng qua trng ti (arbitrated signature).
K trc tip (direct signature): phng php ny, gi thit rng pha nhn bit
c kha cng khai ca pha gi. Do , ch k c th c to ra bng cch m
ha tan b bn tin bng kha ring ca ngi to ra thng tin, hoc l ch m ha
phn m bm (kt qu to ta t hm bm i vi thng tin gc) dng kha ring
ca ngi to thng tin.
E(M, PRa)
So snh
E(H(M), PRa)
b- To ch k trc tip bng cch m ha phn m bm ca thng tin gc
M: thng tin gc
H: Hm bm
PRa: Kha b mt ca ngi k
E: Thut tan m ha
D: Thut tan gii m
| |: Ni m bm vo thng tin gc
PUa: Kha cng khai ca ngi k
79
Bc 2:
Bc 2:
Bc 2:
Vi PRx l kho ring ca X, PUy l kho cng khai ca Y, PRa l kho ring ca A
khai l thng tin c cng b rng ri cho bt k thc th no c quan tm. ng thi, thng tin
gc cng c a vo hm bm tnh m bm, sau em so snh vi m bm va nhn c.
Nu hai m ny ging nhau th thng tin va nhn c chp nhn nh l thng tin hp l.
Hat ng ca DSS cng bao gm vic a thng tin gc vo hm bm to ra m bm
c kch thc c nh. Tuy nhin, m bm ny s khng c m ha trc tip bng mt gii
thut m ha m c s dng lm ng vo ca mt hm to ch k S (Signature function). Cc
thng tin a vo hm to ch k bao gm:
M bm ca thng tin gc
Mt s ngu nhin k
Kha cng khai ca nhm cc thc th lin quan n giao dch ch k (PUG)
H
M
PRa
PUa
So snh
H
M
PUa
PUG
PRa PUG
H
V
So snh
k
a- Dng ch k s DSS
81
f2
r
M
x
q
s
f4
v
f1
f3
H
So snh
a- To ch k
b- Kim chng ch k
w = (s)-1 mod q
u1 = [H(M')w] mod q
u2 = (r')w mod q
v = [(gu1 yu2) mod p] mod q
Lu : s, r, M tng ng vi cc phn s, r v M ti pha thu.
Vi phc tp ca php tan logarit ri rc, rt kh c th xc nh c k khi bit r
hoc xc nh c x khi bit s.
83
Qu trnh to ra v phn phi chng thc kha din ra nh sau (hnh 2.32):
- to chng thc kha cho mnh, thc th A gi yu cu n c quan chng thc CA
(Certificate Authority), trong yu cu c cha kho cng khai ca A (PUA). trnh cc tnh
hung gi mo CA, yu cu cung cp chng thc gi t cc thc th u cui phi c gi n
CA bng mt knh bo mt, trn c p dng cc c ch xc thc cht ch.
-CA to ra chng thc kha cho A bng cch m ho khi thng tin bao gm: nhn dng
ca thc th A (IDA), kho cng khai ca A (PUA) v thi im thc hin vic cp chng thc,
bng kho ring ca CA (PRCA).
PUA
Knh thng tin
bo mt
PUB
CA = E([Time + ID A + PUA],PRCA)
(1)CA
(2)CB
Hnh 2.32: Qun l kho cng khai dng chng thc kha (Certificate)
Nh vy, thc th A to c chng thc kha cho mnh (CA).
Tng t nh vy, thc th B cng yu cu CA cung cp chng thc kha cho n (CB).
bt u trao i thng tin vi nhau s dng mt m bt i xng, hai thc th A v B
trao i chng thc kha cho nhau thc th ny nhn c kho cng khai ca thc th kia.
Vi vic nh mt thc th tin cy th 3 lm trung gian to ra chng thc kha, kho
cng khai c th c phn phi mt cch an ton m khng b gi mo.
Mt trong nhng c ch c s dng rng ri to ra cc chng thc kha cng khai l
chun X.509. Chun ny c dng trong nhiu dch v v giao thc bo mt nh IPSec, SSL,
S/MIME, SET,
84
Trong k thut mt m i xng, c hai thc th thng tin phi dng chung mt kha b
mt. Vn l lm th no trao i kha b mt gia hai thc th ny?
Thut ton trao i kha Diffie-Hellman c trnh by trong phn m ha bt i xng
l mt thut ton an tan, cho php hai thc th trao i kha b mt m mt thc th th 3 khng
ly cp c. Tuy nhin, hn ch ca Diffie-Hellman l khng c tnh xc thc, ngha l mt thc
th s khng th bit chc chn rng kha mnh nhn c ng l kha ca thc th m mnh
ang mun trao i thng tin hay khng. Do vy, trong thc t, Diffie-Hellman thng c dng
phi hp vi mt c ch xc thc u cui (peer authentication).
(1) E([N1 + IDA], PUB)
(2) E([N1 + N2], PUA)
85
C s h tng kha cng khai PKI (Public Key Infrastructure) l mt h thng h tng bao
gm cc thit b phn cng, chng trnh phn mm, cc chnh sch, th tc v con ngi cn
thit to ra, qun l, lu tr v phn phi cc chng thc kha phc v cho mc ch ph bin
kha cng khai ca cc thc th thng tin.
Vai tr ca PKI trong h thng l qun l cc chng thc kha mt cch an tan v cung
PKI users
Kho lu tr Certificate/CRL
End Entity
Phn phi
Certificate
RA
Phn phi
Certificate/CRL
-ng k
-Khi to
-Chng thc
-Phc hi kho
-Cp nht kho
-Yu cu thu hi
CA-2
Chng thc
cho
Phn
phi
kho
ra
ngoi
h
thng
CA-1
PKI management
Repository: Kho lu tr chng thc kha v cung cp chng thc kha cho cc
thc th u cui khi c yu cu. C nhiu cch thc th u cui truy xut cc
86
chng thc kha ti PKI: thng qua dch v th mc LDAP (X.500), thng qua
FTP hoc HTTP,
Tm tt chng:
-Mt m l mt c ch c bn nht c dng bo m an tan cho thng tin khi trao
i gia cc h thng thng tin (thng thng qua mng my tnh). K thut mt m bo v c
2 c trng ca m hnh CIA l tnh B mt v tnh Ton vn ca thng tin.
-K thut mt m hin i c chia thnh 2 lai: Mt m i xng (symmetric key
encryption) v mt m bt i xng (asymmetric key encryption).
-Mt m i xng (hay cn gi l mt m quy c) s dng 1 kha duy nht cho vic m
ha v gii m, kha ny c gi b mt, ch c cc thc th tham gia vic truyn nhn thng tin
mi bit c. K thut mt m quy c da ch yu trn cc thao tc x l bit (nh dch, xoay
vng, XOR, ) do thch hp vi phn vic thc thi bng phn cng, tc m ho cao. Cc
thut ton mt m i xng thng dng bao gm DES, Blowfish, IDEA, AES,
-Mt m bt i xng (hay cn gi mt m dng kha cng khai) s dng 2 kha khc
nhau cho qu trnh m ha v gii m. Mt trong hai kha l kha cng cng (public key), c
ph bin cng khai cho bt k mt thc th no cng c th truy xut c; v kha cn li l
kha ring (private key) c gi b mt, ch c ch th ca kha bit. M ha kha cng khai
da ch yu trn cc hm ton hc, do thch hp vi thc thi bng phn mm v tc m
ho thp. RSA l thut ton mt m bt i xng ph bin nht hin nay.
-Mt m dng kha cng khai c nhiu ng dng khc nhau nh: mt m d liu, to ch
k s, trao i kha b mt ca mt m i xng,
-Hm bm bo mt (secure hash function) l c ch dng trong xc thc thng tin
(message authentication). Nguyn l ca hm bm l bin i khi thng tin gc thnh mt gi tr
kim tra c kch thc c nh gi l m bm, gi tr ny c gi i km vi thng tin gc.
u thu, thng tin nhn c cng c a vo hm bm to ra gi tr kim tra. Nu gi tr
kim tra va c to ra bng vi gi tr gi km ca pha gi th thng tin c xem l xc thc.
Hm bm c dng trong cc thut ton xc thc thng tin (message authentication), to ch k
s v l thnh phn ca mt s thut ton mt m.
-Ch k s (digital signature) l k thut dng nhn dng mt thc th thng tin cng
vi thng tin do thc th ny to ra. ng dng c bn nht ca ch k s l chng thc v
m bo thnh khng th ph nhn (non-repudiation) ca thng tin. C nhiu cch phn loi cc
thut ton to ch k: ch k phc hi c v khng phc hi c, ch k c nh v ch k
ngu nhin. Hai phng php thc hin ch k s l k trc tip v k thng qua trng ti. Chun
ch k s DSS s dng thut ton DSA, to ra ch k s da trn cc hm bm bo mt (SHA) v
k thut mt m kha cng khai (RSA).
-Mt m ha dng kha cng khai ch c u im khi n c mt c ch phn phi kha
cng khai mt cch an tan v hiu qu cho cc thc th trong h thng. Chng thc kha cng
khai (Certificate) m mt c ch hiu qu thc hin vn ny. Mi chng thc kha bao gm
nhn dng thc th u cui, kha cng khai ca thc th u cui v xc nhn (bng ch k s)
ca mt thc th th 3. Mt h thng cung cp c ch to ra v qun l chng thc kha c
gi l c s h tng kha cng khai PKI.
88
CU HI V BI TP.
A- Cu hi trc nghim.
Cu 1. Chc nng ca mt m thng tin:
a- Bo v tnh ton vn ca thng tin.
b- Bo v tnh b mt ca thng tin.
c- Bo v tnh kh dng ca thng tin .
d- Bo v tnh khng th ph nhn ca thng tin.
Cu 2. Cc nguy c ca mt h thng mt m:
a- Tn cng bng cch d kho b mt (brute force attack).
b- Tn cng bng phng php phn tch m (crypanalysis).
c- Tn cng t chi dch v
d- Cu a v b.
Cu 3. Mt h thng m ho quy c dng kho di 128 bit. Nu dng phng php tn cng
brute force th phi th trung bnh bao nhiu ln v thi gian cn thit thc hin nu
tc x l l mt t ln trong mt giy?
a- Phi th 2128 ln, thi gian th l 5,4 * 1018 nm.
b- Phi th 264 ln, thi gian th l 5,4 * 1018 nm.
c- Phi th 2127 ln, thi gian th l 5,4 * 1018 nm.
d- Phi th 2128 ln, thi gian th l 18 nm.
Cu 4. C ch trao i kho b mt trong m ho i xng?
a- A v B trao i kho vi nhau bng e-mail.
b- A v B trao i kho vi nhau bng mt phng tin vt l.
c- A gi kho b mt cho mt thc th th 3 bng e-mail, th cth th 3 ny s gi
li kho ny cho B cng bng e-mail.
d- Mt trong 3 cch trn u c.
Cu 5. Chn cu ng khi ni v cu trc mt m Feistel:
a- Tt c cc thao tc trong cu trc u c thao tc ngc tng ng.
b- Cu trc Feistel da trn cc thao tc x l bit vi cc php hon v v thay th
lp li nhiu ln.
c- Kch thc khi d liu (block size) l bt k.
d- Mch m ho v mch gii m c cu trc khc nhau.
Cu 6. Chn cu ng khi ni v thut ton mt m DES:
a- Mch m ho v mch gii m l ging nhau.
b- S-box l mt hm hon v, cho kt qu ngc li vi php hon v IP.
c- Th t sinh kho ph qu trnh m ho v gii m l ging nhau.
d- Thao tc hon v PC-1 c thc hin 16 ln trong qu trnh m ho v gii m.
Cu 7. Chn cu ng v an ton ca DES:
a- Ch c th tn cng h thng mt m DES bng phng php brute force.
b- Kho a vo thut ton l 64 bit, nhng thc cht ch s dng 56 bit.
89
Cu 21. Xc nh cc bit 1, 16, 33 v 48 ti ng ra vng th nht ca thut ton gii m DES, bit
rng ciphertext cha ton bit 1 v kho ban u cng l chui bit 1.
Cu 22. Chng minh rng mch m ho ca DES cng ng thi l mch gii m ca DES.
Cu 23. So snh ma trn IP v ma trn PC-1 ca DES. Rt ra kt lun g t s so snh ny?
Cu 24. Tnh 8 word u tin ca kho m rng trong thut ton m AES nu bit kho ban u
l chui 128 bit 0.
Cu 25. Thc hin m ho v gii m dng thut ton RSA vi cc d liu sau y:
a- p = 3; q = 11, e = 7; M = 5
b- p = 5; q = 11, e = 3; M = 9
c- p = 7; q = 11, e = 17; M = 8
d- p = 11; q = 13, e = 11; M = 7
e- p = 17; q = 31, e = 7; M = 2
Cu 26. User A v B trao i kho dng Diffie-Hellman vi p = 71 v g = 7.
a- Nu A chn Xa = 5, tnh Ya?
b- Nu B chn Xb = 12, tnh Yb?
c- Kho b mt dng chung gia A v B?
Cu 27. Ci t thut ton mt m DES bng C.
Cu 28. Ci t thut ton mt m RSA bng C.
----------
92
CHNG III
CC NG DNG BO MT TRONG H THNG THNG TIN
Gii thiu:
Cc c ch mt m v xc thc thng tin l c s cho vic xy dng cc ng dng bo
mt trong h thng, c bit trong mi trng mng. Chng ny s trnh by mt s ng dng
ca k thut mt m v xc thc thng tin trong vic xy dng cc giao thc (protocol) v dch v
(service) trn mng nhm m bo an tan h thng. Cc ng dng c trnh by trong chng
ny bao gm:
-Giao thc xc thc (Authentication protocol)
-IPSec (Internet Protocol Security)
-SSL (Secure Sockets Layer)
-SET (Secure Electronic Transaction)
94
Authenticate request
(User-name + Password)
Ngi
s
dng
Server
Authenticate ack
hoc Authenticate nak
-CHAP l giao thc xc thc phc tp hn, c dng trong giao thc kt ni PPP v mt
s h thng khc. CHAP c u im hn PAP v phng din bo mt l c dng cc hm bm
mt chiu v thng tin xc thc khng c gi i trc tip trn mng. Qu trnh xc thc bng
giao thc CHAP gm cc bc sau y (gi l qu trnh challenge-response):
Sau khi thit lp xong kt ni PPP, xc nh xem ngi s dng c quyn truy
xut hay khng, server s gi cho ngi s dng mt khi d liu thch thc
(challenge), trong c cha mt gi tr ngu nhin do server to ra.
Challenge
Ngi
s dng
User-name + H(user-name +
password + challenge)
Server
Success / Failure
95
Nu c hai vic kim tra trn u thnh cng th ngi dng c php truy xut
dch v trn my ch V. lm c vic , AS to ra mt th truy xut (ticket)
cha cc thng tin bao gm nhn dng ca ngi dng, a ch mng ca my con
v nhn dng ca my ch V. Th truy xut ny c m ha bng kha b mt
dng chung gia AS v V. Th truy xut cng c gi cho C.
IDC + PC + IDV
AS C:
Ticket
C V:
IDC + Ticket
Khi ngi dng truy xut mt loi dch v (per service type):
(3) C TGS: IDC + IDV + Tickettgs
(4) TGS C: Ticketv
Khi ngi dng truy xut mt phin giao dch c th (per service session):
(5) C V: IDC + Ticketv
Trong :
Tickettgs = E([IDC + ADC + IDtgs + TS1 + Lifetime1], Ktgs)
Ticketv = E([IDC + ADC + IDv + TS2 + Lifetime2], Kv)
Trong th tc trn, mt thnh phn mi c thm vo h thng xc thc l my ch cp
th TGS (Ticket-Granting server).
Khi ngi dng xc thc thnh cng vi AS, thay v cp th s dng dch v trc tip cho
ngi dng, AS ch cp cho ngi dng th truy xut ca TGS, c tc dng nh mt xc nhn y
l mt ngi dng hp h. K t v sau, mi khi ngi dng cn truy xut dch v no th ch
cn gi th truy xut v yu cu ca mnh n TGS c cp th truy xut dch v.
Nh vy, AS ch cn cp th cho ngi dng mt ln, hay ni cch khc, th c th dng
li, c trong trng hp ngi dng s dng dch v nhiu ln hoc s dng nhiu dch v khc
nhau m khng cn phi nhp li mt khu.
Th tc ny c m t chi tit nh sau:
Sau khi c th truy xut dch v, ngi dng c th s dng dch v trn my ch
V.
Kerberos
My con (C)
Ticket granting Ticket Request
Ticket + session key
My ch xc
thc (AS)
My ch cp th
(TGS)
My ch (V)
Yu cu dch v
Cung cp dch v
IDC: Nhn din ca ngi dng (do my con gi n cho AS, da trn thng tin
ng nhp ca ngi dng).
IDtgs: Nhn din ca TGS, mc ch cho AS bit rng my con ang mun truy
xut n TGS.
IDtgs: Nhn din ca TGS, dng xc nhn rng th ny c tc dng cho php
my con truy xut n TGS.
-Bn tin (3): My con yu cu th truy xut dch v (Service Granting Ticket):
Kc, tgs: Session key c TGS dng gii m authenticator. Kho ny c dng
chung gia my con v TGS.
Lifetime2 : Thi gian tn ti ca th, nhm ngn chn vic s dng li th (replay).
Kc, tgs: Kho b mt dng chung gia my con v TGS, dng m ho thng tin
xc thc ca my con.
TS5 + 1: Nhn thi gian, dng trnh trng hp thng tin xc thc c c
dng li.
Lnh a A
Kerberos
My con
Ticket-granting-Ticket Request
AS
Ticket-granting-Ticket
Service-granting-Ticket Request
for realm B
TGS
Yu cu dch v
Cung cp dch v
Service-granting-Ticket
Lnh a B
Kerberos
TGS
AS
My ch
102
Kerberos 4 s dng thm 1 byte trong cc bn tin cho bit th t byte trong bn
tin. Kerberos 5 dng c php ANS.1 (Abstract Syntax Notation One) v lut m
ha c bn BER (Basic Coding Rules) to ra c ch xp th t byte trong bn
tin mt cch r rng.
Trong th tc trn, ngoi nhng thnh phn xut hin trong Kerberos 4 cn c thm cc
thnh phn mi sau y:
-Realm: Biu th lnh a ca ngi dng.
-Options: Cc tu chn, dng yu cu cc thng tin cng thm xut hin trong th.
-Times: Dng my con yu cu cc thng s thi gian trong th nh from, till, rtime.
-Nonce: Gi tr ngu nhin c to ra trong bn tin m bo rng bn tin tr li l bn
tin hp l ch khng phi bn tin c dng li.
103
III.2 IP SECURITY
III.2.1 Cc ng dng v c im ca IPSec:
IP security (IPSec) cung cp mt phng tin truyn thng an tan trn mng LAN, gia
cc mng LAN ni vi nhau thng qua mng WAN v gia cc mng khc nhau trn mng
Internet. IPSec l phn m rng ca giao thc IP, c thc hin thng nht trong c hai phin
bn ca IP v IPv4 v IPv6.
-Cc ng dng in hnh ca IPSec bao gm:
Kt ni gia cc chi nhnh ca mt t chc thng qua mng Internet: bng cch
xy dng cc mng ring o VPN (Virtual Private Network) trn nn ca mng
WAN cng cng hoc mng Internet. Cc t chc c th kt ni cc mng con
cc chi nhnh ca mnh li thnh mt mng ring vi chi ph thp nhng vn m
bo c an tan.
Nng cao tnh an tan ca cc giao dch thng mi trn mng Internet, p dng
cho cc website bn hng qua mng hoc cc dch v thanh tan qua Internet.
Thit b u cui
c h tr IPSec
Mng WAN /
Internet
Thit b mng
c h tr IPSec
Thit b mng
c h tr IPSec
Tiu IPSec
(IPSec header)
D liu ca gi IP
(IP Payload)
104
-Cc u im ca IPSec:
-Khi IPSec c trin khai trn bc tng la hoc b nh tuyn ca mt mng ring, th
tnh nng an tan ca IPSec c th p dng cho tan b lu lng vo ra mng ring m cc
thnh phn khc khng cn phi x l thm cc cng vic lin quan n bo mt.
-IPSec c thc hin bn di ca lp TCP v UDP, ng thi n hat ng mt cch
trong sut vi cc lp ny. Do vy, khng cn phi thay i phn mm hay cu hnh li cc dch
v khi IPSec c trin khai.
-IPSec c th c cu hnh hat ng mt cch trong sut i vi cc ng dng u
cui, iu ny gip che giu nhng chi tit cu hnh phc tp m ngi dng phi thc hin khi
kt ni n mng ni b t xa thng qua mng Internet.
Cu trc IPSec
Giao thc AH
Thut tan mt m
Qun l kha
105
-Giao thc AH: nh ngha mt giao thc khc vi chc nng gn ging ESP. Nhng vy,
khi trin khai IPSec, ngi s dng c th chn dng ESP hoc AH. Mi giao thc c u v
nhc im ring, s c trnh by trong phn ny.
-Thut tan mt m: nh ngha cc thut tan m ha v gii m s dng trong IPSec.
IPSec da ch yu vo cc gii thut m ha i xng.
-Thut tan xc thc: nh ngha cc thut tan xc thc thng tin s dng trong AH v
ESP.
-Qun l kha: M t cc c ch qun l v phn phi kha trong IPSec.
-Min thc thi (Domain of Interpretation_DOI): nh ngha mi trng thc thi IPSec.
Nh trnh by, IPSec khng phi l mt cng ngh ring bit m s t hp ca nhiu c ch,
giao thc v k thut khc nhau, trong mi c ch, giao thc u c nhiu ch hat ng
khc nhau. Vic xc nh mt tp cc ch cn thit trin khai IPSec trong mt tnh hung c
th l chc nng ca min thc thi.
106
III.2.5 AH:
AH (Authentication Header) l mt giao thc xc thc dng trong IPSec, c chc nng
m bo tnh tan vn ca d liu chuyn i trn mng IP. AH cho php xc thc ngi dng, xc
thc ng dng v thc hin cc c ch lc gi tng ng. Ngai ra, AH cn c kh nng hn ch
cc tn cng gi danh (spoofing) v tn cng pht li (replay).
C ch hat ng ca AH da trn m xc thc MAC (Message Authetication Code), do
, thc thi AH th hai u cui ca SA phi dng chung mt kha b mt.
Cu trc tiu ca gi AH (hnh 3.7) bao gm cc phn sau:
Bit 0
8
Tiu k tip
16
Kch thc d liu
31
Dnh ring
-Tiu k tip (Next Header - 8 bits): Nhn dng kiu tiu i lin sau tiu ca AH.
-Kch thc d liu (Payload Length -8 bits): Chiu di ca gi AH, tnh bng n v 32
bit tr i 2. V d, chiu di phn d liu xc thc l 96 bit (= 3 * 32 bit), cng vi chiu di phn
tiu AH (c nh) l 3 * 32 bit na thnh 6 * 32 bit, khi gi tr ca trng kch thc d liu
l 4.
-Dnh ring (Reserved -16 bits): Phn dnh ring, cha dng.
-Security Parameters Index (SPI - 32 bits): Nhn dng SA nh trnh by trn.
-S th t gi (Sequence Number - 32 bits): S th t.
-M xc thc (Authentication Data): d liu xc thc, c chiu di thay i nhng phi l
bi s ca 32 bit. Trng ny cha gi tr kim tra ICV (Integrity Check Value) hoc MAC
(Message Authentication Code) cho tan b gi
*-Anti-replay service: dch v cho php ngn chn cc hnh vi tn cng pht li (replay)
nh trnh by chng 1. Trng s th t (Sequence number) trong tiu AH c dng
107
N-W
N+1
c nh du
biu th mt gi hp
l va c nhn
Cc trng khng b thay i trong tiu gi IP khi c chuyn tip trn mng
hoc c th d an c ti u cui ca SA. Nhng trng cn li trong tiu
gi IP c thay bng cc bit 0 khi tnh tan.
Xc thc u cui
n u cui
Mng ni b
Xc thc u
cui n u cui
Mng cng
cng
Router/Firewall
Xc thc u cui n
trung gian
109
a- Gi IP gc
IP
TCP
Data
IP
AH
TCP
Data
IP
(mi)
IP
(c)
AH
TCP
Data
III.2.6 ESP:
ESP (Encapsulating Security Payload) l mt la chn khc thc thi IPsec bn cnh
giao thc xc thc thng tin AH. Chc nng chnh ca ESP l cung cp tnh bo mt cho d liu
truyn trn mng IP bng cc k thut mt m. Tuy nhin, ESP cng cn c mt ty chn khc l
cung cp c dch v bo m tnh tan vn ca d liu thng qua c ch xc thc. Nh vy, khi
Bit 0
16
24
31
D liu
(kch thc thay i)
Tiu k tip
M xc thc
(kch thc thay i)
IP
TCP
Data
IP
ESP
header
TCP
Data
ESP
trailer
ESP
auth
IP
(mi)
ESP
header
IP
(c)
TCP
Data
ESP
trailer
ESP
auth
Giao thc
thay i
thng s m
Giao thc
cnh bo
HTTP
TCP
IP
Hai khi nim c bn thng c dng trong SSL l kt ni (connection) v phin giao
dch (session).
112
Nhn dng phin (Session identifier): Mt chui byte ngu nhin c server
chn nhn dng mt trng thi ca phin giao dch.
Chng thc kha i phng (Peer certificate): Chng thc kha cng khai
(X509.v3) ca thc th i phng. Thnh phn ny c th c hoc khng.
Phng php nn (Compression method): Gii thut nn d liu trc khi m ha.
Kha (Master secret): Kha b mt (48-byte) dng chung gia my con v server.
Kh nng phc hi (Is resumable): Cho bit phin giao dch ny c th khi to
mt kt ni mi hay khng.
S nhn dng ngu nhin (Server and client random): Chui byte chn ngu
nhin bi server v client, c chc nng phn bit cc kt ni vi nhau.
Kha xc thc ca my con (Client write MAC secret): Kha b mt dng tnh
gi tr xc thc MAC trn d liu gi i t my con.
113
D liu gc
Phn on
Nn
Gn thng tin
xc thc (MAC)
Mt m ho
Gn tiu giao
thc SSL record
Phin bn
chnh
Phin bn
ph
Kch thc
d liu
D liu
Thng tin
c m
ho
116
Client
Server
client_hello
server_hello
Giai on 1:
Thit lp cc thng s bo mt nh phin
bn ca giao thc, nhn dng phin giao
dch, thut ton mt m, phng php nn
v s ngu nhin ban u.
Kha b mt ca server
Giai on 2:
Server c th gi chng thc kha cng khai,
trao i kho v yu cu client cung cp
chng thc kha.
Kt thc server_hello
Thi gian
Kha b mt ca client
Giai on 3:
Client gi chng thc kha khi c yu cu
t pha server, trao i kha vi server. Client
cng c th gi xc minh chng thc kha
cng khai cho server (certificate_verify)
Thay i thng s m
Kt thc
Giai on 4:
Thay i cc thng s ca thut ton mt m
v kt thc giao thc bt tay.
Thay i thng s m
Kt thc
Bo tan d liu: cc thng tin v vic t hng, thanh tan, thng tin c nhn khi
gi t mt ngi mua hng n ngi bn hng c m bo tan vn, khng b
thay i. K thut ch k s DSA vi hm bm SHA-1 c dng bo m
tnh nng ny (trong mt s bn tin ca SET, HMAC c dng thay cho DSA).
Xc thc ti khan ca ngi s dng th: cho php ngi bn hng xc minh
ngi dng th l ch nhn hp l ca ti khon ang cp. thc hin chc
nng ny, SET dng chun xc thc X.509 version 3.
Xc thc ngi bn hng: SET cho php ngi s dng th xc thc rng ngi
bn hng c quan h vi mt t chc ti chnh c chp nhn thanh ton qua th.
Chc nng ny cng c thc hin dng X.509 version 3.
118
-Ca thanh tan (Payment gateway): y l thnh phn chu trch nhim x l cc bn
tin thanh tan (payment message) c iu hnh bi trng ti hoc mt t chc th 3 c ch
nh. Payment gateway giao tip gia SET v h thng thanh tan ca ngn hng thc hin cc
thao tc xc thc v thanh tan. Nh vy, ngi bn hng tht ra trao i cc thng bo vi ca
ng thanh tan thng qua mng Internet, sau , Payment gateway mi lin kt n h thng x
l ti chnh ca Acquirer.
-T chc chng thc (Certification authority _ CA): L thnh phn c chc nng to ra
cc chng thc (certificate) theo chun X.509v3 v phn phi cho Cardholder, Merchant v
Payment Gateway. S thnh cng ca SET ph thuc vo s tn ti ca CA. Thng thng, CA
c t chc theo mt m hnh phn cp vi nhiu CA lin h vi nhau.
Ngi bn hng
(Merchant)
Ngi dng th
(Cardholder)
Intenet
T chc
chng thc
(CA)
T chc pht
hnh th
(Issuer)
Mng thanh
tan
Trng ti
(Acquirer)
Ca thanh tan
(Payment gateway)
119
PI
PIMD
PRc
H
Ch k
song song
POMD
H
OI
OIMD
H
Tn giao tc
ngha
Cardholder
registration
Ngi mua hng ng k vi CA trc khi thc hin cc giao dch SET
khc vi ngi bn hng.
Merchant
registration
Purchase request
Payment
authorization
Payment capture
Certificate
and status
Ngi mua hng kim tra trng thi ca n t hng sau khi xc nhn
n t hng vi ngi bn hng.
Authorization
reversal
Capture reversal
Credit
Credit reversal
Payment
gateway Ngi bn hng yu cu bn sao chng thc ca Payment gateway.
certificate request
Batch administration
Error message
Cc thng tin lin quan n vic thanh ton bao gm: PI, ch k song song,
OIMD v mt phong b s (digital envelope). Cc thng tin ny c m ho bng
kho b mt K s do ngi mua hng to ra cho tng phin giao dch.
Cc thng tin lin quan n n t hng bao gm OI, ch k song song, PIMD.
Ch rng OI c gi i trc tip m khng cn m ho.
122
Khi ngi bn hng nhn c Purchase Request, h s thc hin cc thao tc sau y:
X l n t hng v chuyn thng tin thanh ton cho Payment Gateway kim
tra.
Bn tin Purchase Response cha cc thng tin chp nhn n t hng v cc tham
chiu n s nhn din giao tc tng ng. Thng tin ny c k bi ngi bn hng v gi cho
ngi mua hng cng vi chng thc ca ngi bn.
Ngi mua hng khi nhn c bn tin Purchase Response s tin hnh kim tra ch k
v chng thc ca ngi bn hng.
Bn tin Purchase Request
PI
Dual Signature
Ks
Digital envelope
OIMD
PIMD
OI
PUb
Dual Signature
Cardholder
cerificate
Thng tin c
Merchant chuyn
cho Payment
Gateway
Digital envelope
POMD
PIMD
H
OI
So snh
OIMD
Dual signature
D
POMD
Cardholder
certificate
PUc
Thng tin lin quan n vic mua hng, bao gm: PI, ch k song song, OIMD v
phong b s (digital envelope).
Thng tin lin quan n xc thc bao gm: nhn din giao tc, c m ho bng
kho b mt do ngi bn hng to ra v phong b s, c m ho bng kho
cng khai ca Payment gateway.
Khi nhn c Authorization Request, Payment Gateway thc hin cc thao tc sau:
Nu nhn c thng tin xc thc thnh cng t ngn hng pht hnh th, Payment
Gateway s hi p bng bn tin Authorization Response trong cha cc thng tin sau:
Thng tin lin quan n xc thc bao gm: khi thng tin xc thc c k bi
Payment Gateway v m ho bng kho b mt do Payment Gateway to ra, ngoi
ra cn c phong b s.
Vi thng tin xc thc ny, ngi bn hng c th bt u giao hng hoc cung cp
dch v cho ngi mua hng.
-Thc hin thanh ton:
thc hin thanh ton, ngi bn hng thc hin mt giao tc vi Payment Gateway gi
l Capture transaction, giao tc ny c thc hin qua hai bn tin: Capture Request v Capture
Response.
Trong bn tin Capture Request, ngi bn hng to ra thng tin yu cu thanh ton, trong
c khi lng thanh ton v nhn din giao tc (transaction ID), cng vi thng tin xc thc
nhn c trc t Payment Gateway, ch k v chng thc ca ngi bn hng.
Payment Gateway nhn c bn tin ny, gii m v thc hin cc bc kim tra cn thit
trc khi yu cu ngn hng pht hnh th chuyn tin cho ngi bn hng. Cui cng, Payment
Gateway s thng bo cho ngi bn hng bng bn tin Capture Response.
Tm tt chng:
-Cc ng dng bo mt (security application) c xy dng da trn cc k thut c s
trnh by chng 2 bao gm: mt m i xng, mt m bt i xng, hm bm, ch k s,
chng thc kha cng khai,
-K thut xc thc c xem l k thut c bn nht qun l truy xut. Mt khu l
phng tin xc thc n gin nht v hiu qu nht t trc n nay. Tuy nhin, mt khu c
qun l v s dng bi con ngi, nn cn phi c cc chnh sch hp l m bo mt khu
khng b tit l.
-Trong m hnh thng tin im im, hai giao thc xc thc thng c dng l PAP
(Password Authentication Protocol) v CHAP (Challenge Handshake Authentication Protocol)
trong , giao thc CHAP c nhiu u im hn v an tan hn do khng gi mt khu i trc
tip trn mng.
-Trong m hnh phn tn, giao thc xc thc cn phi p ng c hai yu: m bo
thng tin xc thc khng b nh cp v ngi s dng ch cn xc thc mt ln cho tt c cc
dch v trong h thng phn tn. Kerberos l mt giao thc xc thc p ng c 2 yu cu ny.
125
-Giao thc bo mt IP Security (IPSec) l mt s m rng ca giao thc IP, cho php lp
mng thc hin cc chc nng bo mt v tan vn cho d liu truyn i trn mng. IPSec l mt
chun phc tp, bao gm c t ca nhiu chun khc, c trin hai da trn hai giao thc
ng gi c bn l ESP v AH. IPSec hat ng hai ch l ch vn chuyn (transport) v
ch ng hm (tunnel). Hat ng ca IPSec l trong sut i vi cc giao thc lp ng
dng.
-Giao thc bo mt SSL (Secure Sockets Layer) l mt giao thc cng thm hat ng bn
trn giao thc TCP. SSL cung cp hai dch v c bn l mt m ha v xc thc d liu / xc thc
u cui cho cc ng dng Internet nh web, e-mail, . SSL c s dng rt ph bin hin nay
trn mng Internet, t bigt trong cc th tc trao i thng tin b mt gia client v server nh
ng nhp vo hp th in t, nhp s th tn dng khi mua hng,
-SET (Secure Electronic Transaction) l mt ng dng bo mt trong cc h thng thanh
tan qua mng. SET l mt ng dng truy xut trc tip n lp TCP (tc khng thng qua cc
giao thc ng dng nh mail hay web, ). SET nh ngha mt m hnh phc tp bao gm nhiu
thc th nh ngi mua hng, ngi bn hng, ngn hng pht hnh th, trng ti, ca thanh
tan, SET c pht trin bi cc t chc ti chnh c uy tn nh MasterCard, VISA, cc t
chc cng ngh nh Microsoft, IBM, RSA, Verisign,
CU HI V BI TP.
A- Cu hi trc nghim.
Cu 1. Nguyn tc m bo an ton cho mt khu i vi ngi s dng:
a- Quy nh thi gian s dng ti a ca mt khu.
b- Khng dng mt khu qu ngn, mt khu c cha tn ngi dng, mt khu l
nhng t c ngha trong t in.
c- M ho mt khu khi lu tr.
d- Tt c u ng.
Cu 2. Trong th tc xc thc mng n gin, c ch no m bo mi th (ticket) ch c s
dng bi mt my duy nht?
a- My con phi c xc thc bi Authentication Server (AS).
b- Trong th cp cho my con c cha a ch mng ca my my con (ADC).
c- Trong th c cha nhn dng ca my ch cung cp dch v (IDV).
d- Tt c u ng.
Cu 3. Mc ch ca TGS (Ticket Granting Server) trong th thc xc thc qua mng?
a- Cho php ngi dng ch ng nhp mt ln nhng s dng c nhiu dch v.
b- Gim ti x l cho AS
c- hn ch vic gi mt khu trc tip trn mng.
d- Tt c u sai.
Cu 4. Chn cu ng v giao thc xc thc Kerberos 4:
a- S dng thut ton m ho DES
b- s dng mt dch v no , client phi thc hin 2 thao tc: xc thc vi AS
c cp th Ticket-granting-Ticket, sau xc thc vi TGS nhn c
126
HNG DN TR LI CU HI V BI TP.
Chng I:
Cu 1.
Cu 9.
Cu 17.
Cu 25.
Cu 2.
Cu 10.
Cu 18.
Cu 26.
Cu 3.
Cu 11.
Cu 19.
Cu 27.
Cu 4.
Cu 12.
Cu 20.
Cu 28.
Cu 5.
Cu 13.
Cu 21.
Cu 29.
Cu 6.
Cu 14.
Cu 22.
Cu 30.
Cu 7.
Cu 15.
Cu 23.
Cu 31.
Cu 8.
Cu 16.
Cu 24.
Chng II:
Cu 1.
Cu 6.
Cu 11.
Cu 16.
Cu 2.
Cu 7.
Cu 12.
Cu 17.
Cu 3.
Cu 8.
Cu 13.
Cu 18.
Cu 4.
Cu 9.
Cu 14.
Cu 19.
Cu 5.
Cu 10.
Cu 15.
Cu 20.
Cu 21.
Cu 22.
Cu 23.
Cu 24.
Thc hin bng tay thao tc m rng kho (expand key) ca AES.
Cu 25.
Cu 26.
Chng III:
Cu 1.
Cu 7.
Cu 13.
Cu 19.
Cu 2.
Cu 8.
Cu 14.
Cu 20.
Cu 3.
Cu 9.
Cu 15.
Cu 21.
Cu 4.
Cu 10.
Cu 16.
Cu 5.
Cu 11.
Cu 17.
Cu 6.
Cu 12.
Cu 18.
130
AAA
AES
AH
Authentication Header
ANSI
AS
Authentication Server
CBC
CC
Common Criteria
CESG
CFB
Cipher Feedback
CHAP
CIA
CMAC
CRT
DAC
DDoS
DES
DoS
Denial of Service
DSA
DSS
ECB
Electronic Codebook
ESP
FIPS
HMAC
IAB
ICMP
IDS
IDEA
IETF
IP
Internet Protocol
IPSec
IP Security
ISAKMP
ISO
ITU
ITU-T
IV
Initialization Vector
131
KDC
LAN
MAC
MAC
MD5
MIC
MIME
MITM
Man-in-the-middle attack
MTU
NAT
NIST
NSA
NTFS
NT File System
OFB
Output Feedback
PAP
PCBC
PGP
PKI
PRNG
RBAC
RFC
RNG
SATAN
RSA
Rivest-Shamir-Adelman
SET
SHA
SHS
S/MIME
Secure MIME
SNMP
SNMPv3
SSL
TCP
TGS
Ticket-Granting Server
TLS
UDP
WAN
132
[2]
[3]
Mark Stamp, Information Security: Principles and Practices, John Wiley & Sons, 2006
[4]
Wenbo Mao, Modern Cryptography: Theory and Practice, Prentice Hall PTR, 2003
[5]
[6]
133
MC LC
CHNG I
I.1
I.2
I.2.1
I.2.2
I.2.3
I.3
I.3.1
Nguy c: ...................................................................................................................... 6
I.3.2
Ri ro v qun l ri ro:............................................................................................... 7
I.3.3
I.4
I.4.1
I.4.2
I.5
I.5.1
I.5.2
Xc thc:.................................................................................................................... 14
I.5.3
I.6
I.6.1
I.6.2
I.7
I.7.1
I.7.2
II.1.1
II.1.2
II.1.3
II.1.4
II.2
II.2.1
II.2.2
II.2.3
II.2.4
II.2.5
II.3
II.3.1
II.3.2
II.3.3
II.3.4
II.4
CC HM BM ........................................................................................................... 70
II.4.1
II.4.2
Cc hm bm bo mt: .......................................................................................... 73
II.4.3
II.4.4
II.5
CH K S .................................................................................................................. 77
II.5.1
II.5.2
II.6
II.6.1
II.6.2
II.6.3
III.1.1
Mt khu: ............................................................................................................... 93
III.1.2
III.1.3
III.1.4
III.2
III.2.1
III.2.2
III.2.3
III.2.4
III.2.5
III.2.6
III.2.7
III.3
III.3.1
III.3.2
III.3.3
III.3.4
III.3.5
III.3.6
III.4
III.4.1
III.4.2
III.4.3
136