
POSTS AND TELECOMMUNICATIONS INSTITUTE OF TECHNOLOGY

HO CHI MINH CITY CAMPUS

LECTURE NOTES

INFORMATION SYSTEM SECURITY

FOR DISTANCE-LEARNING PROGRAMS
Compiled by: Lê Phúc

July 2007

PREFACE
These notes were written to help distance-learning students study information system security. Information system security is the set of techniques, services, mechanisms and supporting applications that help deploy information systems with the highest level of safety, specifically by protecting the three basic properties of a secure system: the Confidentiality, Integrity and Availability of information.
Security is considered from the moment a system is designed and is carried through its construction, operation and maintenance. Now that connecting to the Internet, which holds many latent attack threats, has become a vital need for information systems, security deserves proper attention and investment all the more.
These notes are aimed at students who study while working, so practical network security issues receive more attention than theoretical foundations. The cryptography topics are also presented simply, from a user's point of view, without going deep into the mathematics. Students who want to go further or to prove the algorithms should read additional material on number theory.
The notes are divided into 3 chapters:
- Chapter 1: Overview of information system security. Presents general security and safety issues, the threats to and methods of attack on information systems, and protection applications in current use such as firewalls and IDS.
- Chapter 2: Cryptography and information authentication. Presents the cryptographic and authentication mechanisms that ensure the Confidentiality and Integrity of information. This part describes the principles of common cryptographic algorithms, hash functions, digital signatures and key management.
- Chapter 3: Security applications in information systems. Presents practical applications such as authentication protocols, security for network connections with IPSec, and security for Internet applications with SSL and SET.
Each chapter ends with a summary, multiple-choice questions and exercises that help students consolidate what they have learned. The practical and programming exercises in particular help students grasp the theory, so they should be worked through carefully.
I hope these notes will be of some help to students studying information system security.
July 2007.
The author.

CHAPTER I
OVERVIEW OF INFORMATION SYSTEM SECURITY
Introduction:
This chapter introduces the common concepts of system security and safety and the principles for building a secure information system, and shows how to identify and analyze the threats and risks to an information system in order to plan its upgrade and protection.
The chapter covers the following topics:
- The properties of a secure system.
- Threats and risks to information systems.
- Concepts used in system security.
- The AAA system security strategy.
- Some forms of system intrusion.
- Intrusion prevention and detection techniques.

I.1 OVERVIEW

Keeping information systems safe is one of the important issues to weigh throughout the design, construction, operation and maintenance of an information system.
As with every other activity in society, ever since people have needed to store and process information, and especially since information came to be seen as part of the means of production, the need to protect information has become more pressing. Protecting information means protecting its confidentiality and its integrity. Some kinds of information are meaningful only while they are kept secret or restricted to certain parties, for example information about military strategy. This is the confidentiality of information. Furthermore, people cannot always remember information because the capacity of the brain is finite, so devices are needed to store it. If a storage device does not operate safely and the information stored on it is lost or corrupted, wholly or in part, the integrity of the information is no longer guaranteed.
When computers are used to process information, processing becomes more efficient, the volume of information processed keeps growing and, with it, so does the importance of information in society. Where information protection once concentrated on using physical mechanisms and means to protect information in the literal sense of the word, it has since become more varied and more complex. Two major changes to the problem of protecting information can be named:
1- The use of computers to process information changes the form in which information is stored and the way it is processed. Protection mechanisms have to be built around the way computers operate. From this comes the requirement to protect the safe operation of computers (Computer Security), which exists alongside the requirement to protect the safety of information (Information Security).
2- The strong growth of computer networks and distributed systems changes the scope over which information processing is organized. Information is exchanged between processing devices over very large, almost unlimited physical distances, which creates additional threats to the safety of information. From this comes the requirement to protect the safety of the network (Network Security), made up of mechanisms and techniques suited to protecting information as it is exchanged between devices on the network.
Along with the recognition of these two major changes, the concept of Information Assurance has been proposed as a more comprehensive approach to information security. Under it, the safety of information is no longer limited to ensuring confidentiality and integrity, and the scope of protection is no longer limited to the computer systems that process information but covers all automated systems. Protection requirements no longer concentrate only on dynamic safety (Security) but also include static safety (Safety) and the reliability of the system (Reliability).
Within these notes, Information System Security is the central topic. The notes concentrate on describing and analyzing the mechanisms and techniques that provide security for information systems. An information system, as implicitly understood here, is a system that processes information by means of computers and is organized centrally or in a distributed way. The notes therefore cover both Computer Security and Network Security. Network security techniques, however, are covered only briefly; they are left to another text in the Computer Networks and Communications specialty, the Network Security notes.

I.2 THE PROPERTIES OF A SECURE INFORMATION SYSTEM

A secure information system is a system in which the information processed must have the following 3 properties:
- Confidentiality of information
- Integrity of information
- Availability of information

Figure 1.1: The CIA model (Confidentiality, Integrity, Availability)

These three properties are tied together and treated as the standard model of secure information systems; in other words, they are the 3 essential components of a secure information system. The model is widely used in many contexts and in many texts, and is known for short as the CIA model (not to be confused with the term CIA meaning Confidentiality, Integrity, Authentication in some other texts).
The following sections present each property in detail.

I.2.1 Confidentiality:

Some kinds of information have value to a particular party only as long as they are not known to others. The confidentiality of information is the restriction on who is entitled to access it. The accessing party may be a person, a computer or a piece of software, including malicious software such as viruses, worms and spyware.
The degree of confidentiality depends on the nature of the information. For example, political and military information is always regarded as the most sensitive for a country and is handled at the highest security level. Other information, such as a company's operations and business strategy, personal information (especially that of famous people) and the system configuration of service-provider networks, also needs to be kept confidential to some degree.
To ensure the confidentiality of information, besides physical mechanisms and means such as buildings, storage devices and guard services, cryptography is regarded as the most effective tool for securing information in a computer environment. Cryptographic techniques are presented in detail in Chapter II. In addition, access control is put in place to ensure that only permitted parties can access information. Access control is presented in part 3 of this chapter.
The confidentiality of information has to be considered in terms of 2 separate elements: the existence of the information and the content of the information.
Sometimes revealing that information exists matters more than revealing its content. For example, a company's vital secret business strategy has been leaked to a competitor. Recognizing that this has happened is far more important than knowing the specifics, such as who leaked it, to which competitor and what was leaked.
For the same reason, in some user authentication systems, for example logging in to the Netware operating system, to an e-mail account or to other network services, when the user supplies a wrong user-name, some systems report that the password is wrong instead of reporting that the user-name does not exist, and others give only the general message "Invalid user name/password". The intent behind this vague message is to refuse to confirm whether such a user-name exists in the system. This makes things harder for anyone trying to log in illegitimately by random guessing.
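
The point about login messages, as an added example that is not part of the original lecture notes: a Python sketch contrasting a login routine whose error messages confirm which user-names exist with one that returns the same message and does the same hashing work for both kinds of failure. The account names, passwords and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # PBKDF2 work factor, illustrative value


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_db(accounts: dict) -> dict:
    """Build {user-name: (salt, password hash)} from sample accounts."""
    db = {}
    for name, password in accounts.items():
        salt = os.urandom(16)
        db[name] = (salt, hash_password(password, salt))
    return db


# Constructed sample accounts, not taken from the notes.
USERS = make_user_db({"alice": "correct horse", "bob": "hunter2!"})

# Dummy credential used when the user-name is unknown, so the same amount
# of hashing is done whether or not the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy-password", _DUMMY_SALT)

GENERIC_ERROR = "Invalid user name/password"


def login_leaky(username: str, password: str) -> str:
    """Distinct messages: tells the caller which user-names exist."""
    if username not in USERS:
        return "Unknown user name"
    salt, stored = USERS[username]
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return "Wrong password"
    return "OK"


def login_uniform(username: str, password: str) -> str:
    """One message and one code path for both kinds of failure."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(hash_password(password, salt), stored)
    # The membership test keeps the dummy credential from ever logging in.
    if username in USERS and matches:
        return "OK"
    return GENERIC_ERROR


def distinguishable(login, known_user: str, unknown_user: str) -> bool:
    """True if failed logins reveal whether a user-name exists."""
    return login(known_user, "x") != login(unknown_user, "x")
```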

I.2.2 Integrity:

This property ensures that information remains intact, ruling out any deliberate change to it as well as damage or loss caused by equipment or software failures. Integrity has 2 aspects:
- The intactness of the content of the information.
- The authenticity of the origin of the information.
In other words, the integrity of information has to be assessed on two sides: integrity of content and integrity of origin.
Example: a bank receives a payment order, with all the necessary details, from someone claiming to be the account holder. The content of the information is preserved, because the bank has received the customer's request accurately (exactly as the person claiming to be the account holder sent it). However, if the order was not issued by the account holder but by someone else who, knowing the secret account details, impersonated the account holder, we say the origin of the information has not been preserved.
Another example: a newspaper reports on an event that has just taken place at an important government agency and notes that the source is the agency's spokesperson. If the report did not in fact come from the spokesperson but from some other channel, then regardless of whether its content is correct, we say the origin of the information has not been preserved.
In some contexts, integrity of origin is equivalent to guaranteeing the non-repudiation property of the information system.
The mechanisms that ensure the integrity of information fall into 2 kinds: prevention mechanisms and detection mechanisms.
Prevention mechanisms block unauthorized actions that change the content or origin of information. These actions fall into 2 groups: attempts to change information by someone not permitted to access it, and changes to information made in a way other than the way that was permitted.
Example: a person outside a company tries to access the company's accounting database and change the data in it. This belongs to the first group. When an accounting employee who has been given the right to manage the company's accounting database uses that access to change information in order to embezzle funds, this belongs to the second group.
Detection mechanisms only monitor and report when information is changed, by analyzing the events that take place on the system; they do not block unauthorized access to the information.
While confidentiality is concerned only with whether information has been disclosed, integrity is concerned with both the correctness of the information and how far it can be trusted. Factors such as the origin of the information and the way it has been protected, in the past as well as now, all determine its trustworthiness and therefore affect its integrity. In general, assessing the integrity of an information system is a complex task.

I.2.3 Availability:
The availability of information is its readiness for legitimate access requests.
Example: a company's personnel records are stored on a computer and solidly protected by several mechanisms that ensure the information is not disclosed or altered. Yet when the manager needs this information, it cannot be accessed because of a system error. The information is then completely unusable, and we say its availability is not guaranteed.

Availability is a very important requirement, because a system that exists but is not ready for use is the same as having no information system at all. An available system is one that works smoothly and efficiently and can recover quickly if an incident occurs.
In practice, availability is regarded as the foundation of a secure system, because when the system is not ready, guaranteeing the other 2 properties (confidentiality and integrity) becomes meaningless.
At present, denial-of-service attacks, DoS (Denial of Service) and DDoS (Distributed Denial of Service), are rated as the greatest threats to the safety of information systems; they cause heavy damage and, notably, no effective way of preventing them exists yet. These attacks all target the availability of the system.
Some lines of research are putting forward new models for describing secure systems. According to them, the CIA model does not fully describe a system's security requirements, and a different model has to be defined with the following properties of information to be guaranteed:
- Availability
- Utility
- Integrity
- Authenticity
- Confidentiality
- Possession

I.3 THREATS AND RISKS TO INFORMATION SYSTEMS

I.3.1 Threats:
A threat is an event that is capable of affecting the safety of the system.

Example: a denial-of-service attack (DoS or DDoS) is a threat to a system of servers that provide services on the network.
Speaking of a threat means that the event has not yet happened but could happen and could harm the system. An event that could cause harm but cannot occur on the system in question is not considered a threat.
Example: an attack by the Nimda worm (2001) can paralyze an entire internal network. However, Nimda can only exploit a security flaw in the IIS (Internet Information Service) software on Windows (NT and 2000), so it can only occur on networks with machines running Windows. If a network consists entirely of machines running Unix or Linux, Nimda cannot exist there at all, and so Nimda is not a threat in that case.
Threats can be divided into the following 4 groups:
- Disclosure of information / unauthorized access to information
- Issuing false information / accepting false information
- Disruption / blocking of the system's operation
- Taking control of part or all of the system
This is a very broad division. Each group contains many different threats.

Eavesdropping, whether listening in or reading in secret (together called snooping), is one method of unauthorized access to information. It can be as simple as listening in on a conversation or opening a file on someone else's machine, or more complex, such as tapping into a network connection (wire-tapping) to steal data or installing a keystroke recorder (key-logger) to capture important information typed on the keyboard.

The group "issuing false information / accepting false information" consists of actions similar to those in the group above but active in nature, that is, the original information is changed. If the information changed is system control information, the damage is far more serious, because the action then not only corrupts data but can also change the system's security policies or block its normal operation.
In practice, the Man-in-the-middle (MITM) attack is one form of issuing false information / accepting false information. It works by inserting itself into a network connection, reading the information in secret and changing it before passing it on to the recipient.
Spoofing also belongs to the group of issuing false information / accepting false information. It consists of exchanging information with a party while posing as another entity.
Repudiation is another way of corrupting information. An entity issues information and afterwards denies having done so, that is, it does not acknowledge the origin of the information, and thereby violates the integrity requirement.
Example: an account holder asks the bank to make a payment from his or her account. All the details are correct and the bank carries out the order. Afterwards, however, the account holder denies having issued the payment order. The information has then been corrupted, because its origin can no longer be determined.

The 3rd group of threats consists of actions intended to block the normal operation of the system by slowing down or interrupting its services. Denial-of-service attacks and viruses are threats in this group.

Taking control of the system causes varying degrees of damage, from stealing and changing data on the system to changing security policies and disabling the security mechanisms that have been set up.
Typical examples of this group are attacks that aim to gain root on computers running Unix or Linux by exploiting software bugs or system configuration errors. Buffer overflow is the most common way of gaining root on Linux systems, which are built on the C programming language.

I.3.2 Risk and risk management:
Risk is the probability that damage occurs to the system.

Risk consists of 2 elements: the likelihood that it occurs and the damage it causes. Some risks are very likely to occur but cause little damage, and vice versa.

Example: the risk of losing information on a system with no file protection mechanism, such as Windows 98. Windows 98 has no user authentication mechanism, so anyone can use the machine with the highest privileges. If the machine holds only non-confidential text files, the damage from losing a file is only the effort of retyping the text. This is a risk with a high probability of occurring but low damage.
Another example: a server runs a piece of software with a buffer overflow bug, and an attacker who exploits it can take control of the whole system. However, the software is not widely used, and exploiting the bug requires advanced skills. The risk of the system being taken over is rated as unlikely to occur, but if it does, the damage will be very high.
Threat and risk must be distinguished. Threats are the actions, events or parties capable of harming the system. Risks are the damage that may occur to the system.
Example: a denial-of-service attack is a threat. It is an event that can happen to any system that provides a service. The damage it causes is that the system's operation is interrupted, and that is the risk. However, not every denial-of-service attack that occurs brings the system to a halt, and denial of service is not the only source of interruption: other threats such as system errors (caused by incorrect operation), software errors (caused by programming) and hardware faults (equipment failure, power loss, etc.) can all lead to interruption of the system as well.
As another example, take the case of storing files on a computer running Windows 98, mentioned above. The threats to the system are acts of modifying or deleting files on someone else's machine. People who often use other people's computers are also regarded as a threat to the system. The risk to the system in this case is that files are lost or modified.
In practice, setting a security policy for an information system has to balance the benefit of keeping the system safe against the cost of designing, installing and operating the mechanisms that protect that policy.
Risk management on a system is the process needed to identify all the risks to the system and the threats that can lead to them, and to analyze the benefit and cost of the solutions that prevent them. The risk analysis process consists of these steps:
- Identify the risks to the system.
- Choose and implement solutions to reduce the risks.
- Monitor and assess the damage from risks that have materialized, as a basis for adjusting the first two steps.

I.3.3 The human factor in system security:

People are always at the centre of every security system, because all the mechanisms and techniques applied to keep a system safe can easily be defeated by people inside that very system.
Example: a user authentication system requires everyone who wants to work on the system to supply a user name and password. However, if the person who was given the password does not look after it carefully, or even tells it to someone else, violations of the security policy become very likely, because the authentication system has been defeated.

People who deliberately set out to break a system's security policy are collectively called intruders or attackers, and the usual assumption is that they must be people outside the system.
In reality, however, it has been shown that people inside the system, who have the means to get close to it, are the ones most capable of attacking it. This may be a disgruntled employee who wants to do damage, or just someone who likes to explore and show off. Attacks by such people are usually harder to detect and cause more damage than attacks from outside.
People who have not been trained in system safety are also a latent source of threats through unintentional actions such as operating errors, skipping safety checks, or not complying with the information security policy, for example saving files outside the secure directory or writing passwords on the desk.

I.4 PRINCIPLES FOR BUILDING A SECURE SYSTEM

I.4.1 Policy and mechanism:

Two important concepts come up whenever a secure system is built:
- Security policy
- Security mechanism
A security policy is the set of rules intended to ensure the safety of the system.

A security mechanism is the set of methods, tools, procedures and so on used to enforce the rules of the security policy.
A security policy can be expressed in natural language or in mathematical language.
Example: in a system, to keep a particular resource safe, the security policy states that only users who belong to the system administrators group (Administrators) have the right to access it, and other users do not. This is the natural-language form.
The rule can be expressed in mathematical language as follows:
Let:

U be the set of users in the system.
A be the set of users in the administrators group.
O be the set of objects (resources) in the system.

The operation Access(u, o) returns TRUE if user u has the right to access object o, and FALSE otherwise.
Rule p of the security policy is stated as follows:

∀u ∈ U, ∀o ∈ O: Access(u, o) = TRUE ⇔ u ∈ A
A matrix is also commonly used to express a security policy.
Example: a system has the set of users U = {u1, u2, u3, u4} and the set of objects O = {o1, o2, o3, o4}. The operations a user u can perform on an object o are read (r), write (w) and execute (x). The rules on what each user may access on each object in the system are expressed by the following matrix:

(Access matrix with rows u1, u2, u3, u4 and columns o1, o2, o3, o4.)

From the matrix we see that user u3 has read permission on all objects from o1 to o4, whereas user u4 has no access to any object.
Security mechanisms are usually technical measures.
Example: building a firewall, authenticating users, using the file protection of the NTFS file system to assign access rights to each file and directory on the hard disk, using cryptography to hide information, and so on.
Sometimes, however, a mechanism is just a procedure which, when followed, keeps the policy intact.
Example: a university computer lab has the rule that students may not copy other students' assignments stored on the server. This is a rule of the security policy. To implement it, the mechanisms applied are: create a private directory on the server for each student, assign each student access rights to these directories, and require students to save assignments in their private directory and to log out of the system every time they leave the computer.
In this mechanism, measures such as creating private directories and assigning access rights are technical measures. Requiring students to log out when they leave the machine is a procedural measure. If a student leaves without logging out, another student can use the open session to copy the assignment. The security policy has then clearly been violated.
Given a security policy, the security mechanism must meet the following 3 requirements:
- Prevent the threats that cause policy violations.
- Detect actions that violate the policy.
- Repair the consequences of risks when a violation occurs.
Building a secure system normally rests on the following 2 assumptions:
1- The security policy clearly divides the states of the system into 2 groups: secure and non-secure.
2- The security mechanism is able to prevent the system from entering non-secure states.
If either assumption fails, the system will not be secure. Each individual mechanism is designed to protect one or a few of the rules in the policy. Taken together, all the mechanisms deployed on the system must enforce all the rules in the policy.
Two dangers can arise in the design of a secure system when the 2 assumptions above are not met:
1- The policy does not list all the non-secure states of the system; in other words, the policy does not describe a truly secure system.
2- The mechanism does not implement all the rules in the policy, possibly because of technical limits, cost constraints and so on.
On this basis, the security level of a mechanism can be assessed as follows:
Let P be the set of all states of the system and Q the set of secure states as defined by the security policy, and suppose the mechanism in use is able to confine the states of the system to the set R. We have the following definitions:
- If R ⊆ Q: the mechanism is rated secure (secure mechanism).
- If R = Q: the mechanism is rated precise (precise mechanism).
- If there is a state r ∈ R such that r ∉ Q: the mechanism is rated broad (broad mechanism).
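
An added example, not from the original notes, that applies the secure / precise / broad definitions to the computer-lab policy described earlier in this section. The state model (who is at the keyboard, whose session is open, whose directory is read), the student names and the third mechanism are assumptions made for illustration.

```python
from itertools import product

STUDENTS = ("an", "binh")  # hypothetical student accounts

# A state is (person_at_keyboard, session_owner, directory_owner).
# P: every state the system could be in.
P = set(product(STUDENTS, STUDENTS, STUDENTS))

# Q: states the policy calls secure. A student only ever reads his or
# her own assignment directory.
Q = {state for state in P if state[0] == state[2]}


def reachable(mechanism) -> set:
    """R: the states the mechanism still lets the system enter."""
    return {state for state in P if mechanism(*state)}


def acl_only(person, session, directory) -> bool:
    # Technical measure alone: directory permissions are checked against
    # the session owner. The OS cannot see who is sitting at the keyboard.
    return session == directory


def acl_plus_logout(person, session, directory) -> bool:
    # Technical measure plus the procedural one: everybody logs out, so
    # the person at the keyboard is always the session owner.
    return session == directory and person == session


def reauth_on_every_read(person, session, directory) -> bool:
    # Hypothetical mechanism: each read re-verifies the person at the
    # keyboard and allows exactly the reads of that person's directory.
    return person == directory


def classify(R: set, Q: set) -> str:
    """Most specific label under the definitions above."""
    if R == Q:
        return "precise"
    if R <= Q:
        return "secure"
    return "broad"  # some r in R is not in Q


def violations(R: set, Q: set) -> list:
    """Reachable states the policy forbids."""
    return sorted(R - Q)
```

With directory permissions alone, the two forbidden states left reachable are exactly the "student left without logging out" case from the text; adding the logout rule removes them but also rules out some harmless states, so that mechanism is secure without being precise.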

I.4.2 The goals of system security:

A secure system, as presented in part 2 of this chapter, is a system that satisfies the 3 basic requirements of confidentiality, integrity and availability, CIA for short.
To implement the CIA model, the system administrator needs to define the secure states of the system through a security policy and then set up security mechanisms to protect that policy.
An ideal system is one that:
- Has a policy that accurately and completely defines the secure states of the system;
- Has mechanisms that fully and effectively enforce the rules in the policy.
In practice, however, such systems are very hard to build because of technical and human limitations, or because the cost of setting up the mechanisms is higher than the benefit a secure system brings. So when a secure system is built, the goals set for the mechanisms applied must include the following 3 parts:
Prevention: the design goal is to prevent violations of the policy. Many events and actions lead to policy violations. Some events have already been identified as threats to the system, while others have not yet been recognized as threats. A violation can be as simple as exposing a password or forgetting to log out when leaving the computer, or it can be a complex and deliberate action such as trying to attack the system from outside.
Secure mechanisms and precise mechanisms, as defined above, are mechanisms designed with the goal of prevention.
However, when building secure or precise mechanisms is not feasible, the following 2 goals have to be considered when setting up security mechanisms:
Detection: the design goal concentrates on policy violations that have happened or are happening on the system.
Implementing detection mechanisms is in general very complex and has to draw on many techniques and many sources of information. Basically, intrusion detection mechanisms rely mainly on monitoring and analyzing the information in the system log and the data travelling on the network (network traffic) to find signs of violations. These signs (called signatures) usually have to be identified in advance and described in a database on the system (called the signature database).
Example: a computer is infected with a virus. In most cases the user discovers the virus when it does damage on the computer. Many viruses, however, lie dormant without executing, and a virus scanner can then detect them. For the virus scanner to work effectively, its virus list has to be updated regularly. Updating means adding descriptions of the identifying signs of new viruses to the database (virus database or virus list).
Recovery: the design goal includes mechanisms that stop violations in progress (response) or repair the consequences of a violation as quickly as possible with the least damage (recovery).
The recovery mechanisms differ according to the severity of the incident. Some incidents are simple and recovery can be fully automatic with no human intervention; others are complex and serious and require additional measures in order to recover.
An important part of recovery mechanisms is identifying the weaknesses of the system and correcting them. A weakness may come from a security policy that is not tight enough or from a technical fault in the mechanism.

I.5 THE AAA SYSTEM SECURITY STRATEGY

AAA (Access control, Authentication, Auditing) is regarded as the most basic approach and the most fundamental strategy for enforcing security policies on a system described by the CIA model.
The strategy rests on the following:
1- The right to access every resource in the system is defined explicitly and assigned to specific subjects in the system.
2- Whenever a subject wants to enter the system to access resources, it must be authenticated by the system to make sure that it is a subject with access rights.
3- After authentication, all of the subject's operations must be monitored to ensure it does not exceed its rights.
This is to be distinguished from AAA in the context of access network management, where it means Authentication, Authorization, Accounting: a service on remote access servers that manages users' network access, tracks usage and bills for access. AAA in that sense is usually deployed together with services such as RADIUS and TACACS+.
AAA consists of 3 areas that are separate but operate in parallel to create the mechanisms that protect the safety of the system. The following sections present the 3 areas of AAA in detail.

I.5.1 Access control:

Access control is defined as a process, carried out by a hardware device or a software module, that approves or denies a particular access to a particular resource.
Access control is carried out at many different places in a system, for example at network access devices (such as a remote access server, RAS, or a wireless access point, WAP), in the file system of an operating system, for example NTFS on Windows, or in Active Directory Service systems in Netware 4.x or Windows 2000 server.
In practice, access control follows one of the 3 models below:

- Mandatory Access Control (MAC): an access control model that is applied compulsorily to the whole system. In a computer environment, the mandatory access control mechanism is built into the operating system and applies to all resources and subjects in the system; users cannot change it.
Example: in a multilevel security system, each subject and each resource (object) is assigned a definite security level. In such a system, subjects with a low security level may not read information from resources with a high security level, and conversely subjects with a high security level may not write information into resources with a low security level. This model is particularly useful in systems that protect military secrets (the Bell-LaPadula model, 1973).
Distinguishing features of the mandatory access control model:
- It is fixed at system level; users (including the creator of a resource) cannot change it.
- Users and resources in the system are divided into several security levels that reflect the importance of the resources and users.
- Once the mandatory control model has been set up, it applies to all users and resources on the system.
- Discretionary Access Control (DAC): an access control model in which the access rights to each particular resource are set by the owner of that resource. This is the most widely used model and appears in most computer operating systems.
Example: in the NTFS file system on Windows XP, the owner of a directory has full access to the directory, has the right to allow or deny other users access to it, and can allow other users to change the access settings on it.
Viewing and changing DAC access rights on a directory in Windows XP:
- Start Windows Explorer by right-clicking the My Computer icon and choosing Explorer.
- By default, Windows XP does not show detailed information about access rights on directories. To show it, open the Tools menu, choose Folder Options, click the View tab, and in the Advanced settings pane find the line "Use simple file sharing (Recommended)" at the end of the list, uncheck this option and choose OK.
- Right-click any directory in the Windows Explorer window, choose Properties and click the Security tab (Figure 1.2).
- The Group or User names pane lists the users and user groups that exist in the system. The Permissions for pane lists the rights assigned to the corresponding group or user.
- Try allowing or removing the default rights of any user.

Figure 1.2: Discretionary access control in Windows XP

Distinguishing features of the discretionary access control model:
- It is not applied by default on the system.
- The owner of a resource, usually the person who created it or the person assigned ownership, has full control over access to the resource.
- Control over access to a resource can be transferred from one user to another.
- Role Based Access Control (RBAC): an access control model based on the role of each user in the system (user roles).
Example: a company's financial manager has the right to access all data related to the company's finances and may perform edit, delete and update operations on the database. An ordinary accounting employee, by contrast, may access only some part of the financial database and may perform only limited operations on it.
The important issue in the role based access control model is defining the access rights for each group of subjects according to their function. This is defined at system level and applies to all subjects.
The group management mechanism (account group) of Windows NT is an emulation of the RBAC model. In this mechanism, a user is made a member of one or more groups in the system, and access rights to resources are assigned to groups rather than to individual users; the member users of a group then receive the corresponding access rights by default. Changing the access rights of an individual user is done by moving that user to another group with suitable access rights.
Distinguishing features of the role based access control model:
- Access rights are granted according to the user's job in the system (the user's role).
- It is more flexible than mandatory access control: the system administrator can reconfigure the access rights of each functional group or change the membership of the groups.
- It is simpler to implement than discretionary access control: access rights do not have to be assigned directly to each user.
Applying the access control models in practice:
In practice, discretionary access control (DAC) is the most widely applied because of its simplicity for users. However, DAC does not meet special system safety requirements. The most suitable model is therefore a combination of all 3: mandatory access control, discretionary access control and role based access control.
Besides the DAC model, which is built into most operating systems, the RBAC model is applied in the Active Directory service of Netware 4.11 and of Windows 2000 and later, and the MAC model has been introduced in operating systems such as Windows Vista (in the form of the Mandatory Integrity Control mechanism), SELinux (including Red Hat Enterprise Linux version 4), Trusted Solaris and Apple Computer (MAC OS X version 10.5 Leopard).
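
The three models side by side, as an added Python example that is not part of the original notes: the multilevel rule from the MAC example, owner-managed permissions as in the NTFS example, and role membership as in the financial-manager example. Level names, user names and the rights attached to each role are constructed for illustration.

```python
from dataclasses import dataclass, field

# --- MAC: one fixed, system-wide rule over security levels ---
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}  # constructed


def mac_allows(subject_level: str, object_level: str, op: str) -> bool:
    """Multilevel rule from the text: no read up, no write down."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    return False


# --- DAC: the owner of each resource decides who may access it ---
@dataclass
class DacFolder:
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of rights

    def grant(self, granter: str, user: str, right: str) -> None:
        # The owner, or a user the owner allowed to change permissions,
        # may edit the access list; nobody else can.
        delegated = "change_permissions" in self.acl.get(granter, set())
        if granter != self.owner and not delegated:
            raise PermissionError(f"{granter} may not change permissions")
        self.acl.setdefault(user, set()).add(right)

    def allows(self, user: str, right: str) -> bool:
        return user == self.owner or right in self.acl.get(user, set())


# --- RBAC: rights belong to roles; users only hold role memberships ---
ROLE_RIGHTS = {  # constructed roles and rights
    "financial_manager": {"read", "update", "delete"},
    "accountant": {"read"},
}


class Rbac:
    def __init__(self) -> None:
        self.roles_of = {}  # user -> set of role names

    def assign(self, user: str, role: str) -> None:
        if role not in ROLE_RIGHTS:
            raise KeyError(f"unknown role: {role}")
        self.roles_of.setdefault(user, set()).add(role)

    def move(self, user: str, old_role: str, new_role: str) -> None:
        # A user's rights change by changing group membership, never by
        # editing per-user permissions.
        self.roles_of.get(user, set()).discard(old_role)
        self.assign(user, new_role)

    def allows(self, user: str, right: str) -> bool:
        roles = self.roles_of.get(user, ())
        return any(right in ROLE_RIGHTS[role] for role in roles)
```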

I.5.2 Authentication:

Authentication is a procedure that verifies the identity of a subject before the subject is granted access to a resource. Authentication is based on three factors:
-What you know (something the subject knows), for example a password.
-What you have (something the subject possesses), for example a smartcard.
-What you are (a characteristic of the subject): biometric identifiers such as fingerprints, the retina, etc.
In a computing environment, authentication is used in many different contexts, for example: verifying a user's login name and password (Figure 1.3) before allowing the user to work on a computer system (operating-system authentication); verifying the login name and password before allowing a user to check an electronic mailbox (mail-server authentication); in banking transactions, the authentication procedure is used to determine whether the person issuing a payment order is the account holder; in information exchange, the authentication procedure is used to determine precisely the origin of the information.

Figure 1.3: Authentication using a login name and password (diagram labels: workstation, server)


Many different techniques are used to implement authentication. Authentication by login name and password is the traditional mechanism and is still widely used today. When authentication takes place over a network, some systems encrypt the login name and password before transmission to prevent disclosure, but many systems send this sensitive information over the network as it is (for example the FTP and Telnet services, etc.); this is called cleartext authentication.
More advanced techniques used in authentication include smartcards, digital certificates, biometric devices, etc. To increase the reliability of authentication, several techniques are used in combination, which is called multi-factor authentication. Example: authentication with a smartcard together with a password, meaning that the user must both hold the card and know the password in order to log in, which guards against someone stealing another person's card to log in.

In practice there are two modes of authentication: one-way authentication and two-way (mutual) authentication.
One-way authentication only provides a mechanism for one party (usually the server) to check the identity of the other party (the user); it provides no mechanism for the reverse check (that is, the user cannot verify the identity of the server). Consider a user who logs in to a remote mailbox through a web service (web mail). The user must of course supply the correct login name and password to be allowed to access the mailbox. To steal the user's password, an attacker can build a web page that looks exactly like the interface of the mail server and trick the user into connecting to it. Because there is no mechanism for authenticating the server, the user cannot tell that this is a forged server and so confidently supplies the login name and password.
Two-way authentication lets the two parties to a transaction authenticate each other, so the correctness of the authentication process is assured. The SSL (Secure Sockets Layer) security protocol used for web services (presented in Chapter III) provides two-way authentication using digital certificates.
There are many different authentication algorithms. The simplest only compares the login name and password supplied by the user with the login name and password stored in the system; if they match, authentication succeeds (PAP). A more complex algorithm such as CHAP encrypts the information over a random value issued by the server (called the challenge), to guard against the password being read off the network and against replay attacks. Another complex algorithm, Kerberos, carries out authentication through an elaborate multi-step process intended to limit every risk of incorrect authentication. The authentication algorithms are presented in detail in Part I of Chapter III.
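The difference between the PAP-style comparison and the CHAP challenge described above can be seen by replaying a recorded login against each. This is an added example, not part of the original lecture notes; the response formula is the one CHAP defines in RFC 1994 (MD5 over identifier, secret and challenge), and the account data and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed account database: the user name and password are sample values.
SECRETS = {"alice": b"correct horse"}


def pap_verify(user, password):
    """PAP-style check: the password itself is what the client transmits."""
    stored = SECRETS.get(user)
    return stored is not None and hmac.compare_digest(stored, password)


def chap_response(ident, secret, challenge):
    """Client side of CHAP (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapServer:
    """Server side of CHAP: issue a fresh random challenge per attempt and
    accept a response only for the challenge that is currently outstanding."""

    def __init__(self):
        self.outstanding = {}   # user -> (identifier, challenge)
        self.counter = 0

    def new_challenge(self, user):
        ident = self.counter % 256
        self.counter += 1
        challenge = os.urandom(16)
        self.outstanding[user] = (ident, challenge)
        return ident, challenge

    def verify(self, user, ident, response):
        issued = self.outstanding.pop(user, None)   # a challenge is single-use
        secret = SECRETS.get(user)
        if issued is None or secret is None or issued[0] != ident:
            return False
        expected = chap_response(ident, secret, issued[1])
        return hmac.compare_digest(expected, response)


def demo():
    """Return what a recorded login is worth under each scheme."""
    results = {}

    # PAP: the recorded message is the credential, so replaying it logs in.
    captured = ("alice", b"correct horse")
    results["pap_login"] = pap_verify(*captured)
    results["pap_replay"] = pap_verify(*captured)

    # CHAP: the recorded message is bound to one challenge.
    server = ChapServer()
    ident, challenge = server.new_challenge("alice")
    response = chap_response(ident, SECRETS["alice"], challenge)
    results["chap_login"] = server.verify("alice", ident, response)
    results["password_on_wire"] = SECRETS["alice"] in response + challenge

    # Replay: every new attempt gets a new challenge, so the recorded
    # response no longer matches, whichever identifier accompanies it.
    new_ident, _ = server.new_challenge("alice")
    results["chap_replay"] = server.verify("alice", new_ident, response)
    # Re-sending with no challenge outstanding is rejected as well.
    results["chap_replay_no_challenge"] = server.verify("alice", ident, response)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The server in this sketch still stores the shared secret in a form it can feed into the hash, which is a property of CHAP itself rather than of this code.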

I.5.3 Auditing:

Auditing is the mechanism that monitors system activity, records the actions that take place on the system, and links those actions to the agents that caused them.
Example: enabling auditing on a directory in an NTFS file system lets the administrator track the activity on that directory, such as which operation was performed, the date and time it was performed, which user performed it, etc.
The goals of auditing:
-Provide the information needed to recover the system after an incident.
-Assess the security level of the system so that upgrades can be planned in time.
-Provide information that serves as evidence for detecting unauthorized access on the system.
In a reliable system, auditing is also an important requirement because it ensures that the actions of every user in the system (including legitimate, authenticated users) are monitored, to make sure that those actions conform to the security policies defined on the system.
A general principle in building secure systems is to split procedures into several stages carried out by different agents, so that completing a procedure requires the participation of several agents. This is the basis for implementing audit mechanisms.

Example: keeping the warehouse and keeping the books must be done by two different employees, to avoid the case in which one employee can both take goods out and alter the information in the ledger. This principle is applied rigorously in system audit mechanisms in order to separate clearly the auditing function from the activities being audited. Normally, a subject being audited has no right to modify the information recorded by the audit mechanism.
Components of an audit system:
-Logger: records monitoring information on the system.
-Analyzer: analyzes the audit results.
-Notifier: raises alerts about the security of the system based on the results of the analysis.
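The three components listed above can be wired together as a small pipeline over a handful of audit records. This is an added sketch, not code from the original lecture notes; the event fields, the two detection rules (a run of failed logons and a denied delete) and all sample users and paths are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditEvent:
    time: int       # seconds since the start of the sample
    user: str       # agent that caused the action
    action: str     # "logon" or "delete"
    target: str     # host or file the action was aimed at
    success: bool   # both outcomes are recorded, as with Success/Failure auditing


class Logger:
    """Records events. Audited subjects only ever call record(); nothing here
    lets them edit or remove an entry, and readers get an immutable copy."""

    def __init__(self):
        self._entries = []

    def record(self, event):
        self._entries.append(event)

    def entries(self):
        return tuple(self._entries)


class Analyzer:
    """Turns raw events into findings using two simple rules."""

    def __init__(self, max_failed_logons=3, window=60):
        self.max_failed_logons = max_failed_logons
        self.window = window

    def analyze(self, entries):
        findings = []
        failures = defaultdict(list)          # user -> times of recent failed logons
        for ev in sorted(entries, key=lambda e: e.time):
            if ev.action == "logon" and ev.success:
                failures[ev.user].clear()     # a good logon resets the streak
            elif ev.action == "logon":
                recent = [t for t in failures[ev.user] if ev.time - t < self.window]
                recent.append(ev.time)
                failures[ev.user] = recent
                if len(recent) == self.max_failed_logons:
                    findings.append(("repeated-failed-logon", ev.user, ev.time))
            elif ev.action == "delete" and not ev.success:
                findings.append(("denied-delete", ev.user, ev.time))
        return findings


class Notifier:
    """Formats findings as alerts for the administrator."""

    def __init__(self):
        self.alerts = []

    def notify(self, findings):
        for kind, user, time in findings:
            self.alerts.append(f"t={time}s {kind} user={user}")
        return list(self.alerts)


# Constructed sample events (users, paths and times are illustrative).
SAMPLE_EVENTS = [
    AuditEvent(0, "alice", "logon", "fileserver", True),
    AuditEvent(5, "bob", "logon", "fileserver", False),
    AuditEvent(12, "bob", "logon", "fileserver", False),
    AuditEvent(20, "bob", "logon", "fileserver", False),
    AuditEvent(30, "bob", "logon", "fileserver", True),
    AuditEvent(40, "carol", "delete", r"D:\Reports\q2.xls", False),
    AuditEvent(50, "alice", "delete", r"D:\Reports\old.tmp", True),
]


def run_pipeline(events=SAMPLE_EVENTS):
    """Logger -> Analyzer -> Notifier over the given events."""
    logger = Logger()
    for ev in events:
        logger.record(ev)
    findings = Analyzer().analyze(logger.entries())
    alerts = Notifier().notify(findings)
    return findings, alerts


if __name__ == "__main__":
    for line in run_pipeline()[1]:
        print(line)
```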
Alongside the auditing mechanism that runs permanently on the system, periodic system scanning checks for and detects technical weaknesses that affect the security of the system. Functions commonly performed by system scanning programs include:
-Checking compliance with the password policy, for example: whether users change their passwords regularly, password length, password complexity, etc.
-Assessing how the system could be penetrated from outside.
-Checking how the system reacts to signs that may lead to a denial-of-service attack or a system crash.
Note that system scanning tools are also the tools attackers use to find security holes in a system, from which they carry out further attacks. There are many system scanning programs, typical examples being SATAN (System Administrator Tool for Analyzing Network), Nessus, Nmap, etc.
Setting up the Audit feature of the Windows XP operating system on a directory on an NTFS partition:
-By default Windows XP does not apply auditing, so the Windows XP auditing mechanism must first be enabled through Local Security Policy as follows: open Control Panel, choose Administrative Tools, choose Local Security Policy; in the Security Settings pane on the left of the window, double-click Local Policy, then click Audit Policy. The right-hand pane then lists the auditing functions of Windows XP. To enable auditing on directories, find the line Audit object access, double-click it and select both Success and Failure in the window that opens. Click OK and close all the windows.
-To apply auditing to a particular directory: start Windows Explorer, find the directory to be audited and right-click it, choose Properties, click the Security tab, click the Advanced button, then click the Auditing tab. The Auditing entries window lists the audit entries already set up. To create a new entry, click the Add button, choose the user or group to be audited in the Select User or Group window that appears, and click OK. The Auditing Entry for window appears; select the operations to be audited, for example Delete Subfolders and Files to track the deletion of files and subdirectories in this directory. Both event types, Successful and Failed, should be selected. Click OK and close all the windows.
-From this point on, every deletion of files and subdirectories in the selected directory performed by the specified user or group is tracked and recorded in the system log. To view this information, open Control Panel, choose Administrative Tools, choose Event Viewer and select Security.

Figure 1.4: Setting up Auditing on an NTFS directory

In summary, AAA is the most basic approach to implementing a secure system according to the CIA model. It consists of three separate parts:
-Setting up access control mechanisms for each subject (Access control).
-Authenticating subjects before allowing them to operate on the system (Authentication).
-Monitoring the operations of subjects on the system (Auditing).

I.6 FORMS OF SYSTEM INTRUSION

The terms intrusion and attack are used with nearly the same meaning in the context of system security. Intrusion is the more general term, denoting any event that harms the security of the system, whether actively or passively. Attack usually refers to active intrusions carried out by people against a system for the purpose of exploitation or sabotage.
The goal of an intrusion is to affect the three CIA properties of the system.
In general, the security of an information system can be violated in the following ways:
-Interruption: disrupting the operation of the information system, for example by destroying hardware, cutting connections, damaging software, etc. This form of intrusion affects the Availability of information.
-Interception: unauthorized access to the information system. The agent of an Interception-type intrusion may be a person, a piece of software or a computer that works by observing (monitoring) the information flow without changing the original information. This form of intrusion affects the Confidentiality of information.
-Modification: unauthorized access to the information system that also changes the content of information, for example breaking into a computer and changing the content of a file, altering a program so that it works incorrectly, changing the content of a message in transit on the network, etc. This form of intrusion affects the Integrity of information.
-In addition, a fourth form of intrusion is intrusion using forged information (Fabrication), for example impersonating someone to send mail to another person, forging the IP address of one machine to connect to another machine, etc. This form of intrusion changes the origin of the information, which means it also affects the Integrity of information.

Figure 1.5: Interruption-type intrusion (diagram labels: intruder, network, user, server)

Figure 1.6: Interception-type intrusion (diagram labels: intruder, network, user, user)

In practice, system intrusion is carried out with a great many methods, tools and techniques; moreover, new intrusion methods are discovered very frequently, so identifying and classifying intrusions systematically is difficult and imprecise. Intrusions can be classified by the following criteria:
-By target (network intrusion, application intrusion, hybrid intrusion).
-By nature (active intrusion, passive intrusion).
-By technique (password guessing, exploitation software, etc.).
The aim of this document is to help the reader recognize the basic and common system intrusion methods that have been recorded and analyzed, so the forms of intrusion are presented in two groups:
1-Attack methods (attacks)
2-Methods of intruding into a system by means of malicious software (malicious codes)

Figure 1.7: Modification-type intrusion (diagram labels: intruder, network, user, user)

Figure 1.8: Fabrication-type intrusion (diagram labels: intruder, network, user, user)

I.6.1 Attack methods:

-Denial of Service (DoS) attack:
This type of attack does not break into the system to steal or alter information; it only aims to prevent the normal operation of the system, particularly systems that serve public networks such as Web servers, Mail servers, etc.
Example: an attacker uses automated software to send data continuously to a server on the network, overloading the server so that it can no longer provide service normally.
Denial-of-service attacks are usually very easy to recognize because of their specific effect on the system. The target of a denial-of-service attack may be a server or a subnet (including network devices such as routers and network links).
The basis of denial-of-service attacks is security weaknesses in system configuration (firewall configuration), weaknesses in the network protocol (TCP/IP) and software security holes, or simply the limits of resources such as connection bandwidth and server capacity (CPU, RAM, hard disk, etc.). Denial-of-service attacks are usually carried out over the Internet, but may also originate from inside the system as the effect of malicious software such as worms or trojans.
Two techniques commonly used to cause traditional denial-of-service attacks, corresponding to the two attack targets, are Ping of Death and buffer overflow.
-Ping of Death attacks network connections (including routers) by sending a large number of ICMP (Internet Control Message Protocol) packets continuously to a subnet, occupying the entire connection bandwidth and thereby congesting the network.
-Buffer overflow (described in the section on software exploitation attacks) attacks servers by loading data that exceeds the limit of a buffer on the server, causing a system fault. Well-known denial-of-service attacks in the history of computer security such as Code Red, Slapper, Slammer, etc. are attacks that use the buffer-overflow technique.
Denial-of-service attacks usually do not disclose information or lose data; they target only the availability of the system. However, because denial of service is so common, and particularly because there is as yet no effective solution for preventing attacks of this kind, denial of service is regarded as a very serious threat to the security of information systems.
-Distributed denial-of-service attack (Distributed DoS or DDoS):
This attack method is based on the principle of denial of service but is more dangerous because it mobilizes many computers at once to attack a single system.
A distributed denial-of-service attack is carried out in two stages:
1-The attacker enlists many computers on the network to take part in the distributed denial of service by installing remote-control software on them.
Computers on which this control software has been installed are called zombies. To carry out this step, the attacker searches the network for machines with many weaknesses, attacks them and installs remote-control software on them without the knowledge of their administrators. Such software is generally called a backdoor.
2-The attacker directs the zombies to attack the target simultaneously.
A typical distributed denial-of-service attack chain is depicted in Figure 1.9.
The components taking part in a distributed denial of service are:
-Client: the remote-control software the attacker uses to control the other machines taking part in the attack. The computer running this software is called the master.
-Daemon: the software running on the zombies, which carries out the master's requests and is where the denial-of-service (DoS) attack on the victim machine is actually carried out.

Figure 1.9: Distributed denial-of-service (DDoS) attack (diagram labels: master (client), zombie (daemon), target)


-Spoofing attack:
This is an attack in which an action is carried out under the assumed identity of another entity (a user, a computer with a given IP address, or some piece of software).
Example 1: a person can forge another person's e-mail address to send mail to a third person; here the impersonated entity is a user.
Example 2: a computer on the network can generate packets carrying a source IP address that is not its own and send them to another machine (called IP spoofing); here the impersonated entity is a computer.
Example 3: the third case is one in which the impersonated entity is a piece of software, for example the user logon program of the Windows operating system. A program is created with an interface identical to the Windows logon window and made to run when Windows starts. The user cannot tell that this is a fake window and so enters the login name and password into this program, with the result that this information is disclosed.
Spoofing as described above is the most typical form of spoofing attack, and exists alongside the technical shortcomings of the TCP/IP protocol suite. Today spoofing has developed in a new direction based on the spread of the Internet, namely phishing. Phishing works by forging e-mail addresses or web site addresses to deceive users.
-Man-in-the-middle attack:
This attack works by inserting oneself into a procedure that is in progress; it usually occurs on IP networks but can also occur inside a single computer.
On a network, the attacker by some means inserts himself into a connection, particularly during connection establishment between the user and the server, and through it obtains important information about the user. Man-in-the-middle attacks are especially common on wireless networks because the wireless medium is easy to penetrate. Applying encryption techniques (such as WEP, WPA, etc.) is therefore very important for securing wireless networks.
On a single computer, this kind of attack can take the form of a hidden information-gathering program (key-logger), which silently intercepts everything the user types at the keyboard, which may include a good deal of important information.

Figure 1.10: Man-in-the-middle attack (the attacker inserts itself into a handshake procedure between client and server to obtain information)


-Replay attack:
In this attack, packets travelling on the network are captured and later replayed. In a network environment, authentication information between the user and the server is transmitted over the network. This is the information most often attacked. If the server accepts this information when it is replayed, the attacking machine can access the server with the rights of the earlier user.

Figure 1.11: Replay attack (the authentication information the client sends to the server is captured by the attacker and later replayed to the server)

-Sniffing attack:
This is a form of data theft by eavesdropping on the network. Most network cards are able to capture all packets travelling on the network, even packets not addressed to them. A network card operating this way is said to be in promiscuous mode.
Many programs can capture data from a machine connected to the network, for example Ethereal, Common view or Network monitor, which is available on Windows server (2000 or 2003 server). By reading and analyzing the captured packets, an attacker can find a great deal of important information with which to carry out other attacks.
-Password attack:
This is unauthorized access to a system by guessing passwords. There are two common password-guessing techniques:
-Brute force attack: guessing the password by trying combinations of characters one after another, usually automatically by software. The longer the password, the greater the number of attempts and hence the harder it is to discover. Some systems prescribe a minimum password length. In addition, to prevent repeated password attempts, some systems drop the connection after receiving a wrong password a certain number of times in a row.
-Dictionary attack: trying in turn the passwords that users commonly use. For simplicity, users often have the dangerous habit of using easily remembered information as a password, for example their name, date of birth, telephone number, etc. Some systems limit this risk by setting a password policy that prescribes a minimum password difficulty, for example the password must differ from information related to the user personally, must contain both upper-case and lower-case letters, both letters and non-letter characters, etc.
Some attack techniques based on the TCP/IP protocol:
TCP/IP is the standard protocol used in most computer networks and is the mandatory protocol on the Internet. Unfortunately, TCP/IP contains many security weaknesses that lead to the following attacks based on the way TCP/IP works:
-TCP SYN/ACK flooding attack:
This attack exploits TCP's three-way handshake. Its purpose is to overload the connections on the server and lead to denial of service (DoS).
Figure 1.12 depicts the three-way handshake in the normal situation. When a machine (client) wants to connect to another machine (server) for some service, it begins by sending a SYN message to the server on the port corresponding to that service. The server immediately reserves a connection for this client and replies to the client with a SYN/ACK message. To complete the connection, the client must reply once more with an ACK message sent to the server. If it does not receive the ACK reply from the client, the server must wait until the timeout expires before releasing the connection. Given this weakness, if an attacker deliberately generates a continuous stream of ACK messages to the server but does not respond (that is, does not send the ACK message back to the server), then at some point all of the server's available connections are taken up by this waiting and the server can no longer serve other connections. Figure 1.13 shows the SYN/ACK flooding attack.

Figure 1.12: The TCP/IP three-way handshake (machine A sends a SYN message, machine B answers with a SYN/ACK message, machine A replies with an ACK message)

Figure 1.13: TCP SYN/ACK flooding attack (the attacker sends a stream of ACK messages to the server)
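The server-side effect described above, reserved connections that wait for a final ACK until the timeout expires, can be reproduced with a small model of the table of half-open connections. This is an added simulation, not code from the original lecture notes; no packets are sent, and the capacity, the timeout and all addresses are constructed values.

```python
class HalfOpenTable:
    """Connections for which the server has answered SYN with SYN/ACK and is
    still waiting for the client's final ACK."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity      # connections the server can hold in reserve
        self.timeout = timeout        # seconds to wait for the final ACK
        self.pending = {}             # (ip, port) -> time the SYN arrived
        self.established = set()
        self.refused = 0              # connection requests turned away

    def expire(self, now):
        """Release reservations whose final ACK did not arrive in time."""
        stale = [k for k, t in self.pending.items() if now - t >= self.timeout]
        for key in stale:
            del self.pending[key]
        return len(stale)

    def on_syn(self, now, peer):
        """Reserve a slot for a new connection request, if one is free."""
        self.expire(now)
        if peer in self.pending:
            return True               # retransmitted SYN, already reserved
        if len(self.pending) >= self.capacity:
            self.refused += 1
            return False
        self.pending[peer] = now
        return True

    def on_ack(self, now, peer):
        """Complete the handshake for a peer that has a reservation."""
        self.expire(now)
        if self.pending.pop(peer, None) is None:
            return False
        self.established.add(peer)
        return True

    def half_open_ratio(self):
        """Share of the table held by unfinished handshakes (a value to monitor)."""
        return len(self.pending) / self.capacity


def simulate():
    table = HalfOpenTable(capacity=5, timeout=30)
    out = {}

    # Normal client: SYN at t=0, final ACK at t=1.
    client = ("192.0.2.10", 40000)
    table.on_syn(0, client)
    out["normal_established"] = table.on_ack(1, client)

    # Five requests (constructed sources) whose final ACK never arrives.
    for i in range(5):
        table.on_syn(2 + i, ("198.51.100.%d" % (i + 1), 1024 + i))
    out["ratio_during_flood"] = table.half_open_ratio()

    # A legitimate client is turned away while the table is full ...
    late = ("192.0.2.11", 40001)
    out["accepted_during_flood"] = table.on_syn(10, late)
    # ... and is served again only once the reservations have timed out.
    out["accepted_after_timeout"] = table.on_syn(40, late)
    out["refused"] = table.refused
    return out


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```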

-TCP sequence number attack:
When data is transferred between machines using TCP, the sequence number is an important piece of information that determines the order of packets and acknowledges the packets received successfully. Sequence numbers are counted per byte of data and kept synchronized between sender and receiver. If a third machine somehow captures the packets being exchanged and guesses the sequence number of the transfer, it can insert itself into the connection, cut off one end and jump in to replace it (hijacking). Figure 1.14 depicts how this attack works.

Figure 1.14: TCP sequence number attack (diagram labels: server, attacker, sequence number, attacked machine)


-TCP hijacking:
This is like the attack above (sequence number attack), but after guessing the sequence number the attacking machine tries to take over one end of the existing connection, without the other end knowing, in order to continue sending and receiving data; the information exchanged between the two original machines is then diverted to a third machine. Figure 1.15 shows how this attack works.

Figure 1.15: TCP connection hijacking (the attacking machine cuts the client's connection to the server and takes over the client's current connection)

-ICMP attack:
ICMP (Internet Control Message Protocol) is a control protocol used in IP networks. It is commonly used to carry out control procedures on an IP network such as checking connections (for example when running the Ping, Tracert, etc. commands). The two common attack methods based on ICMP are:


-Smurf attack (also called Ping of Death): ICMP works by replying when it receives echo requests from other machines, since the function of ICMP is to check IP connections. Based on this, an attacker can forge some IP address (IP spoofing) and send an echo request to all machines in the local network (using the broadcast address). All of these machines immediately reply at once to the machine whose IP address was forged, with the result that it is congested and can no longer operate normally. The goal of a smurf attack is to paralyze a machine with ICMP packets. Figure 1.16 depicts how the smurf attack works.

Figure 1.16: Ping of Death attack (the attacking machine pings the broadcast address of the network from a forged address; all machines in the broadcast group reply at once to the machine whose IP address was forged, congesting it)

-ICMP tunneling: Because ICMP packets are accepted by many machines on the network, an attacker can take advantage of this to carry unauthorized information through ICMP packets. The best way to prevent these attacks is to reject all ICMP packets.
-Software exploitation attack:
This is the general name for all attacks aimed at an application program or an application-layer service. By exploiting weaknesses and technical errors in such software and services, an attacker can break into the system or disrupt its normal operation.
Buffer overflow attack: an attack on programming errors in software. The error may be due to the programmer, to the nature of the language, or to the compiler. C is the language most prone to buffer overflow errors and, unfortunately, it is also the language most widely used in operating systems and system programs, especially in Unix and Linux environments.
Most C compilers do not check the bounds of the memory allocated to variables, so when the data stored in a memory region exceeds the allocated limit it overwrites the adjacent memory regions and causes an error. Example: in a program, the password entered by the user is usually handled as a string declared with a fixed length, say 32 characters. If the program does not check the password length before processing it, and the compiler does not do so automatically either, then when a user enters a password longer than 32 characters the whole string overflows the allocated memory and may cause a buffer overflow error.

Besides buffer overflow, other attacks that exploit weaknesses in software and services include: database exploitation, application exploitation (for example macro viruses), e-mail exploitation, etc.
-Social engineering:
This attack method does not use technology or computers to break into the system; instead it uses deception to find important information and then uses that information to break in.
For example, an attacker posing as a technical support employee telephones someone in the system to discuss work, and through this conversation extracts the information needed to break into the system. Clearly this method uses no technical attack techniques, which is why it is called social engineering. It is also one of the most common kinds of attack, because what it targets is the human element of the system.

I.6.2 Methods of intruding into a system by means of malicious software

New attack techniques and forms are constantly being discovered and upgraded. The above only introduces the common forms of attack that have been discovered and analyzed. Apart from those forms of attack, information systems also face a very large intrusion risk from virus, worm, spyware, etc. software, collectively called destructive software or malicious software (malicious code). The following concentrates on these forms of intrusion.
Malicious software is divided into the following groups: virus, worm, Trojan horse and logic bomb.
-Virus:
A hidden, small piece of software attached to some host file, usually an executable file; through the host the virus is able to do damage and spread to other machines. Some viruses attach themselves to document files (for example Word, Excel, etc.) and are called macro viruses.
Viruses spread between computers through the copying of infected files from floppy disks, CDs, flash drives, or through files attached to e-mail. The scope of damage of viruses is very large. Most commonly, viruses cause data loss, software damage and damage to the operating system.
If no virus scanning program is installed on the machine, the most common signs of a virus on a computer are:
-Strange messages appear on the screen.
-The computer runs noticeably slower, especially when starting programs.
-One or more files on disk suddenly disappear.
-Software errors with no clear cause.
-The size of some files, especially executable files, grows abnormally.
-The computer restarts by itself while in use.
-...
Figure 1.17 depicts the spread of a virus through file copying (by disk or through shared files on the network). Figure 1.18 depicts the spread of a virus via e-mail.
The spread of viruses via e-mail is clearly much more serious: with spread through file copying, only computers that actively copy files are infected, whereas with spread by e-mail, machines that do not actively copy files can also be infected if they inadvertently open infected files attached to e-mail.

Figure 1.17: A virus spreading from one machine to another through storage media (disks) or through shared directories on the network (diagram labels: infected machine, machine not yet infected)

Figure 1.18: A virus spreading via e-mail


-Worm:
Malicious software whose mechanism and scale of damage are close to those of a virus. The basic differences between a worm and a virus are that a worm can copy itself over the network (whereas a virus relies on the user's copy operations) and exists as an independent program (whereas a virus must attach itself to another file).
The most basic characteristic of a worm is rapid spread over a wide area by many different means, such as using the TCP/IP protocol directly, using application-layer network services, spreading via e-mail and many others. The Nimda worm, which appeared in 2001, is a typical worm with extremely fast spread and a high level of danger, capable of paralyzing large networks running the Windows operating system for many hours.
-Trojan horse:
Malicious software that hides under the guise of some other, useful piece of software and carries out actions that damage the system when the disguised program is activated by the user.
A Trojan cannot copy itself as a worm does (it must masquerade as useful software or be attached to another executable that is installed on the machine), nor can it execute itself as a virus does (it runs only when the user starts the program).
The damage done by Trojans is also very varied; the most important is acting as spy software (back-door) that lets remote attackers break into the system easily. Spyware is one example of a Trojan: software installed automatically on a machine when the user downloads software from the Internet and installs it. Spyware can send e-mail automatically, open web pages automatically or perform other actions that affect the normal operation of the infected computer.
-Logic bomb:
Software that lies hidden on a computer and runs only when some event occurs, for example when the network administrator logs in to the system, when a certain application is run, or when a preset date and time arrives.
Usually, when it runs, a logic bomb sends a notification to a predetermined central machine to report that the event has occurred. On receiving this notification, the attacker at the central computer carries out further attacks on the system, for example launching a denial-of-service attack (DoS or DDoS).
The above are the methods of intruding into a system using malicious software. Although the intrusion of such software into a particular system may not be the deliberate intent of any individual, the damage caused by these forms of intrusion is very large because they are so widespread. Any machine can be infected by malicious software, especially when connected to the Internet. General principles for keeping malicious software out of a computer in particular and out of an information system in general include:
-Do not copy data from untrusted sources (from disks or over the network).
-Do not install software of unknown origin, especially software downloaded from the Internet.
-Regularly apply fixes (hotfixes or service packs) to the system (both the operating system and application programs).
-Install antivirus and antispyware programs and update them regularly.
-Follow information on new viruses, how they work and how to stop them on web sites specializing in security (for example the CERT site at http://www.cert.org).

I.7 INTRUSION PREVENTION AND DETECTION TECHNIQUES

After identifying the threats and risks to the system and analyzing the attack methods and techniques that could affect its security, information systems usually deploy the necessary technical measures to prevent and detect intrusion. This section introduces the firewall and the intrusion detection system (IDS), the two most typical security applications today.

I.7.1 Firewall:

A firewall is a technique for blocking intrusion attacks from outside (the Internet) into the internal system (LAN and servers). Figure 1.19 depicts a typical network structure in which the firewall is installed in front of the router, protecting the whole internal network.
The general principle of firewalls is to control network access by monitoring all packets sent through the firewall and, depending on the settings in the security policy, allowing or not allowing these packets to be forwarded to their destination. Figure 1.20 depicts the typical operation of a firewall, in which HTTP traffic (TCP port 80) is allowed through the firewall while NetBIOS traffic (TCP port 445) is blocked.

Figure 1.19: A firewall placed in front of the router to protect the whole internal network (diagram labels: Internet, firewall, router, web server, mail server, other computers in the internal network)


The function of a firewall on the network is to manage inbound and outbound traffic on the Internet connection and to record the events that occur on that connection for network security purposes. However, because a firewall by nature monitors the traffic passing through a connection between the internal network and the external public network, it cannot monitor or block attacks that originate inside the internal network. The main functions of a firewall can be summarized as follows:
-Separator: separates the internal network from the public network, forcing all connections from inside to outside or from outside to inside to pass through the firewall as the only path.
-Restricter: allows only a limited number of traffic types through the firewall, so the administrator can enforce the security policy by setting up the corresponding packet filtering rules, called access rules.
-Analyzer: tracks the traffic passing through the firewall and logs this information as required by the administrator, for analysis to assess the security level of the system.
Besides these basic functions, some firewalls also authenticate users before accepting a connection.

Figure 1.20: Basic operation of a firewall (HTTP traffic on port 80 passes between the Internet and the internal network; NetBIOS traffic on port 445 is blocked at the firewall)


*-Classification of firewalls by technical characteristics:
A firewall may be software running on a computer with at least two network interfaces (dual-home host), in which case it is called a software firewall. Common software firewalls today include SunScreen, ISA server, Check point, Gauntlet, IPTables, etc.
Conversely, the firewall function can also be implemented in a separate hardware unit, called a hardware firewall. Typical hardware firewall products today include Cisco PIX, NetScreen firewalls, SonicWall appliances, WatchGuard Fireboxes, Nokia firewalls, etc.
*-Classification of firewalls by scope of protection:
By the scope a firewall protects, firewalls can be divided into two distinct groups: personal firewalls and network firewalls.
-A personal firewall is normally a software firewall installed on a personal computer to protect that computer. The Windows operating system (2000 and XP) has a built-in personal firewall. In addition, professional antivirus software such as Norton Antivirus, McAfee, etc. also has personal firewall functions.
-A network firewall may be a software or a hardware firewall, and is usually installed in front of or behind the router in order to protect the whole network.
*-Classification of firewalls by working mechanism:
By working mechanism, firewalls are divided into 3 types:
-Packet filtering firewall (or stateless firewall):
The principle of packet filtering firewalls is to read all the information in the header of the IP packets passing through the firewall and, based on this information, decide to accept or drop the packet. Thus, when setting up the filtering rules of the firewall, the network administrator must work from the following information:
-IP addresses, both the IP address of the sending machine and the IP address of the receiving machine (source IP address and destination IP address).
-Port numbers, both the port of the sending machine and the port of the receiving machine (source port and destination port).
-Protocol, for example TCP, UDP or ICMP.
A packet filtering firewall analyzes only the header of the IP packet, not its content, and so cannot block access based on data content.
A packet filtering firewall is useful when one or more particular ports are to be blocked, or one or more particular IP addresses or a particular protocol (for example ICMP) refused. In practice, intrusion attacks are usually carried out through ports other than the ports of common services. Table 1.1 lists some commonly used Internet services and their port numbers.
-Application layer gateway:
An application layer firewall works like a packet filtering firewall, that is, it also decides on the basis of an analysis of IP packets whether to let them through the firewall. The difference is that an application layer firewall can analyze the content of the IP packet (the data payload), and so allows more complex filtering rules to be set up. For example, HTTP traffic can be accepted through the firewall while packets whose content matches a predefined pattern are blocked.
Do c tnh ca tng la lp ng dng can thip trc tip vo tt c cc gi d liu i
qua n, nn nhn di gc truy xut mng, bc tng la lp ng dng trc tip thc hin cc
32

giao dch vi mng bn ngai thay cho cc my tnh bn trong. Do vy, tng la lp ng dng
cng cn c gi l cc phn mm Proxy.
K thut ny c ch trong cc trng hp cn qun l ni dung truy cp ca ngi s dng
hoc nhn dng du hiu ca mt s loi phn mm c (virus, worm, trojan, ), v d ngn
chn ngi s dng ti cc tp tin hnh nh hoc phim vi kch thc ln.
Do phi phn tch ton b cu trc gi d liu ly thng tin nn nhc im ca tng
la lp ng dng l yu cu nng lc x l mnh, v l ni c th xy ra tc nghn tim nng ca
mng.
-Stateful inspection firewall:
This type of firewall combines the working principles of both the packet filtering firewall and the application-layer firewall.
A stateful inspection firewall allows more complex filtering rules than a packet filtering firewall, yet does not spend too much time analyzing the content of every packet as an application-layer firewall does. It tracks the state of all connections passing through it and the packets related to each connection. Accordingly, only packets that belong to valid connections are accepted and forwarded through the firewall; all other packets are dropped there.
A stateful inspection firewall is more complex because it has to integrate the functions of both firewall types above. However, its mechanism has proven effective, and in practice all new firewall products support this technique.
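The difference between a packet filtering firewall and a stateful inspection firewall can be seen by running the same packets through both. The following is an added example, not part of the original lecture notes; the addresses, rule sets and class names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                       # "TCP", "UDP" or "ICMP"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    flags: frozenset = frozenset()   # TCP flags such as {"SYN"}

@dataclass(frozen=True)
class Rule:
    action: str                      # "accept" or "drop"
    proto: Optional[str] = None      # None means "any"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # Only header fields are inspected: addresses, ports and protocol.
        return ((self.proto is None or self.proto == pkt.proto)
                and ip_address(pkt.src_ip) in ip_network(self.src_net)
                and ip_address(pkt.dst_ip) in ip_network(self.dst_net)
                and (self.src_port is None or self.src_port == pkt.src_port)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))

def stateless_decide(rules, pkt):
    """Packet filter: the first matching rule wins, unmatched packets are dropped."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "drop"

class StatefulFirewall:
    """Accepts a TCP packet only if it opens an allowed connection or belongs to one."""
    def __init__(self, rules):
        self.rules = rules
        self.connections = set()     # (client_ip, client_port, server_ip, server_port)

    def decide(self, pkt):
        if pkt.proto != "TCP":
            return stateless_decide(self.rules, pkt)
        forward = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        known = next((c for c in (forward, reverse) if c in self.connections), None)
        if known is not None:
            if pkt.flags & {"FIN", "RST"}:   # simplified teardown: forget the connection
                self.connections.discard(known)
            return "accept"
        if pkt.flags == {"SYN"} and stateless_decide(self.rules, pkt) == "accept":
            self.connections.add(forward)    # new connection allowed by the rules
            return "accept"
        return "drop"

INSIDE = "192.168.1.0/24"            # constructed internal network
OUTBOUND_RULES = [
    Rule("drop", proto="ICMP"),
    Rule("drop", proto="TCP", dst_port=23),                      # Telnet
    Rule("accept", proto="TCP", src_net=INSIDE, dst_port=80),    # HTTP from inside
]
# A stateless filter needs an extra rule so that HTTP replies can come back in.
STATELESS_RULES = OUTBOUND_RULES + [
    Rule("accept", proto="TCP", src_port=80, dst_net=INSIDE),
]

PACKETS = {   # constructed traffic
    "outbound HTTP SYN": Packet("192.168.1.10", "203.0.113.10", "TCP", 40000, 80, frozenset({"SYN"})),
    "HTTP reply": Packet("203.0.113.10", "192.168.1.10", "TCP", 80, 40000, frozenset({"SYN", "ACK"})),
    "unsolicited from port 80": Packet("198.51.100.7", "192.168.1.10", "TCP", 80, 3389, frozenset({"ACK"})),
    "inbound Telnet": Packet("198.51.100.7", "192.168.1.10", "TCP", 40001, 23, frozenset({"SYN"})),
    "inbound ICMP": Packet("198.51.100.7", "192.168.1.10", "ICMP"),
}

def run_demo():
    """Return {packet name: (stateless decision, stateful decision)}."""
    stateful = StatefulFirewall(OUTBOUND_RULES)
    return {name: (stateless_decide(STATELESS_RULES, pkt), stateful.decide(pkt))
            for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for name, decisions in run_demo().items():
        print(f"{name:26s} stateless={decisions[0]:6s} stateful={decisions[1]}")
```

The packet sent from source port 80 without a matching connection passes the stateless rule written for HTTP replies, while the stateful firewall drops it because no internal host opened that connection.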
Table 1.1: Some common services on TCP

Port    Service
20      FTP, control channel (Control port)
21      FTP, data channel (Data port)
22      Secure Shell (SSH)
23      Telnet
25      Simple Mail Transfer Protocol (SMTP)
80      HyperText Transfer Protocol (HTTP)
110     Post Office Protocol, version 3 (POP3)
143     Internet Message Access Protocol
443     Secure Sockets Layer (SSL)

I.7.2 Intrusion detection systems:

An intrusion detection system, IDS (Intrusion Detection System), is a system that detects the signs of intrusion attacks. Unlike a firewall, an IDS does not block access; it only monitors activity on the network to find signs of attack and alerts the network administrator.
An IDS does not separate the internal network from the public network the way a firewall does, so it does not carry all the traffic passing through and therefore poses no risk of congesting the network.
An intrusion is defined as any event or behavior that affects the 3 basic components of a secure system: Confidentiality, Integrity and Availability.
An IDS detects traces of an attack by analyzing the following two main sources of information:
1-Information about the operations performed on the host, as recorded in the system log
2-The traffic flowing on the network.
The original function of an IDS was only to detect signs of intrusion, so an IDS could only raise attack alerts while the attack was in progress or even after it had completed. Later, many new techniques were integrated into IDS, giving it the ability to predict attacks (prediction) and even to respond to attacks in progress (Active response).
The two most important components of an IDS are the sensor, which captures and analyzes network traffic and other information sources to detect signs of intrusion, and the signature database, which contains the signatures of attacks that have been detected and analyzed. The signature database works like the virus database in antivirus programs, so maintaining an effective IDS must include updating this database regularly.
*-Classification of IDS by monitoring scope:
Based on monitoring scope, IDS are divided into 2 types:
-Network-based IDS (NIDS):
These are IDS that monitor the whole network. The main information source of a NIDS is the packets flowing on the network. A NIDS is usually installed at the entry point of the network, either in front of or behind the firewall. Figure 1.21 shows a typical NIDS.
-Host-based IDS (HIDS):
These are IDS that monitor the activity of an individual computer. The main information sources of a HIDS are therefore, besides the data traffic to and from the host, the system log data and the system audit.
Figure 1.22 shows the structure of a HIDS. The IDS is designed to cooperate with the operating system in processing system monitoring information. The logging service records the events and states of the system in a database (Event database). The results of the IDS's network monitoring are also recorded in the Event Database. To detect intrusions, the IDS maintains a database (IDS database) containing descriptions of each type of attack.
*-Classification of IDS by implementation technique:
Based on implementation technique, IDS are also divided into 2 types:
-Signature-based IDS:
A signature-based IDS detects intrusions based on the signatures of intrusion behavior, through analysis of network traffic and system logs. This technique requires maintaining a database of intrusion signatures (signature database), and this database must be updated regularly whenever a new form or technique of intrusion appears.
-Anomaly-based IDS: detects intrusions by comparing (statistically) current behavior with the normal activity of the system, in order to find anomalies that may be signs of intrusion. For example, under normal conditions the traffic on a network interface of a server is about 25% of the maximum bandwidth of the interface. If at some point this traffic suddenly rises to 50% or more, it can be assumed that the server is under a DoS attack.

Figure 1.21: Network-based IDS (NIDS) (elements shown: Router, Firewall, IDS, system administrator, Signature database)

Figure 1.22: Host-based IDS (HIDS) (elements shown: Network, Host, operating system, Logging)


To operate accurately, IDS of this type must go through a "learning" process, that is, monitor the activity of the system under normal conditions and record its operating parameters; this is the basis for detecting anomalies later.
In practice, IDS is a new technique compared with the firewall; however, up to the present, given the rather strong development of attack techniques, IDS has not yet really proven its effectiveness in securing network systems. One of the popular IDS packages today is Snort. It is an open-source NIDS product whose signature database (called the rule database) is updated regularly by many members of the Internet community.
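The two detection techniques described above can be compared on small inputs. This is an added example, not part of the original lecture notes and not Snort's rule format: the signature entries, log lines and traffic figures are constructed, and the anomaly detector uses a simple mean plus three standard deviations threshold as an assumption.

```python
import re
import statistics

# Constructed signature database: (identifier, description, pattern).
SIGNATURES = [
    ("SIG-001", "failed root login over SSH",
     re.compile(r"sshd\[\d+\]: Failed password for root ")),
    ("SIG-002", "path traversal in HTTP request",
     re.compile(r"GET \S*\.\./\S*")),
]

# Constructed system-log lines (documentation address ranges).
SAMPLE_LOG = [
    "Jul 10 10:01:02 srv1 sshd[311]: Failed password for root from 203.0.113.5 port 4021 ssh2",
    "Jul 10 10:01:05 srv1 httpd[402]: 198.51.100.9 GET /index.html 200",
    "Jul 10 10:01:09 srv1 httpd[402]: 198.51.100.9 GET /cgi-bin/../../etc/passwd 404",
    "Jul 10 10:02:00 srv1 httpd[402]: 198.51.100.9 GET /admin.php?debug=1 404",
]

def signature_scan(lines, signatures=SIGNATURES):
    """Signature-based detection: return (line number, signature id) for every match."""
    alerts = []
    for number, line in enumerate(lines, start=1):
        for sig_id, _description, pattern in signatures:
            if pattern.search(line):
                alerts.append((number, sig_id))
    return alerts

class AnomalyDetector:
    """Anomaly-based detection on one metric, e.g. interface utilisation in percent."""

    def __init__(self, tolerance=3.0):
        self.tolerance = tolerance   # allowed deviation, in standard deviations
        self.mean = None
        self.stdev = None

    def learn(self, samples):
        """Learning phase: record the normal operating parameters."""
        if len(samples) < 2:
            raise ValueError("at least two baseline samples are required")
        self.mean = statistics.mean(samples)
        self.stdev = statistics.stdev(samples)

    @property
    def threshold(self):
        if self.mean is None:
            raise RuntimeError("learn() must be called before detection")
        return self.mean + self.tolerance * self.stdev

    def is_anomalous(self, value):
        return value > self.threshold

def anomalous_samples(detector, series):
    """Return (index, value) for every sample above the learned threshold."""
    return [(i, v) for i, v in enumerate(series) if detector.is_anomalous(v)]

# Constructed utilisation figures (% of maximum bandwidth): normal load is about 25%.
BASELINE = [24, 26, 25, 23, 27, 25, 26, 24]
LIVE = [25, 27, 26, 50, 62, 26]

if __name__ == "__main__":
    print("signature alerts:", signature_scan(SAMPLE_LOG))
    detector = AnomalyDetector()
    detector.learn(BASELINE)
    print("threshold: %.1f%%" % detector.threshold)
    print("anomalies:", anomalous_samples(detector, LIVE))
```

The fourth log line is a request that no signature describes, so the signature scan stays silent on it; only behaviour that deviates from the learned baseline is caught by the anomaly detector.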

Chapter summary:
-A secure information system is a system that ensures 3 basic characteristics:
-Confidentiality
-Integrity
-Availability
These three characteristics are abbreviated as CIA.
-The most basic strategies for ensuring the security of an information system:
-Access Control
-Authentication
-Auditing
This technique is abbreviated as AAA.
-A threat to an information system is any event or behavior capable of affecting the 3 CIA characteristics of the system. The risk to an information system is the probability that damage will occur to the system.
-A security policy defines the secure states of the system and the actions that users are or are not allowed to perform. Security mechanisms are technical measures or procedures intended to enforce the policy. The principle for building a secure information system is to build a security policy that defines the secure states of the system accurately and completely, and then to set up mechanisms that enforce the policy.
-There are many different forms of intrusion / attack on a system. These attacks rely on security holes in the protocols (TCP/IP), in the operating systems (Windows, Linux, ...) or in the application programs running on those operating systems. Attack techniques are also constantly developed and refined, so network security technology must develop accordingly.
-Two technical solutions that help detect and block attacks on an information system are IDS and Firewall. An IDS monitors the system to detect signs of attack and raise alerts. A Firewall blocks or permits access through the Firewall according to predefined rules (access rules).

QUESTIONS AND EXERCISES.
A- Multiple-choice questions
Question 1. What is the confidentiality of an information system?
a- It is the property of a system in which information is kept secret so that no one can access it.
b- It is the property of a system in which all information is stored in encrypted form.
c- It is the property of a system in which only authorized users can access the information.
d- All of the above are correct.
Question 2. Choose the correct statement about the confidentiality of an information system:
a- A system that ensures confidentiality (confidential) is a secure system (secure).
b- The confidentiality of information includes secrecy of the existence of the information and secrecy of the content of the information.
c- The confidentiality of information includes secrecy of the content of the information and secrecy of the origin of the information.
d- All of the above are wrong.
Question 3. What is the integrity of an information system?
a- It is the property of a system in which information is not modified or deleted by users.
b- It is the property of a system in which information does not change over time.
c- It is the property of a system in which information is not accessed by unauthorized people.
d- It is the property of a system in which information is not altered, damaged or lost.
Question 4. Choose the correct statement about the integrity of information:
a- A secure system is a system that ensures the integrity of information.
b- The integrity of information includes integrity of content and integrity of the origin of the information.
c- The integrity of information includes integrity of content and the existence of the information.
d- Statements a and b.
Question 5. The mechanisms that ensure the integrity of information:
a- Comprise mechanisms for preventing and mechanisms for detecting violations of information integrity.
b- Encrypting all the information in the system.
c- Storing all the information in the system in compressed form.
d- All of the mechanisms above.
Question 6. Which of the following affects the integrity of an information system:
a- A student copies another student's assignment.
b- A virus deletes files on the hard disk.
c- Frequent power outages interrupt the operation of the computer system.
d- All of the above.
Question 7. Which of the following affects the availability of an information system:
a- A student copies another student's assignment.
b- A virus deletes files on the hard disk.
c- Frequent power outages interrupt the operation of the computer system.
d- All of the above.
Question 8. Which of the following affects the confidentiality of an information system:
a- A student copies another student's assignment.
b- A virus deletes files on the hard disk.
c- Frequent power outages interrupt the operation of the computer system.
d- All of the above.
Question 9. The mechanisms that protect the confidentiality of information:
a- Encrypting all the information in the system.
b- Building appropriate access control mechanisms (access control).
c- Installing means of protecting the information system at the physical level.
d- All of the mechanisms above.
Question 10. What is the availability of an information system?
a- It is the readiness of the information in the system for every access request.
b- It is the readiness of the information in the system for legitimate access requests.
c- It is the ease of use of the information in the system.
d- All of the above are wrong.
Question 11. What is a threat to an information system?
a- Events and behaviors that affect the security of the information system.
b- The damage that occurs to the information system.
c- Unintentional actions of users that affect the availability of the information system.
d- All of the above are correct.
Question 12. Which of the following threats can affect the availability of an information system:
a- Insecure equipment.
b- Denial-of-service attacks (DoS and DDoS).
c- Viruses and other kinds of malicious software on computers.
d- All of the threats above.
Question 13. Choose the incorrect statement about threats to the security of an information system:
a- The people who attack a system (attacker) can be people inside the system.
b- Users who have not been trained in system security are also a threat to the system.
c- A system that is not connected to the Internet is not exposed to attack threats.
d- A system intrusion (intrusion) can originate from outside or from inside the system.
Question 14. Choose the correct statement about threats and risks to an information system:
a- Every risk has at least one threat associated with it.
b- Risks can be prevented by preventing the corresponding threats.
c- The goal of system security is to prevent all risks from occurring on the system.
d- All of the statements above.
Question 15. The principle for building a secure system:
a- Apply security mechanisms that suit the system.
b- Build strict security policies.
c- Build a security policy and deploy mechanisms that enforce that policy.
d- All of the above are correct.
Question 16. The goal of a system security policy:
a- To determine the secure states that the system must ensure.
b- To prevent threats to the system.
c- To limit the risks to the system.
d- All of the statements above.
Question 17. The goals of system security in decreasing order of priority:
a- Prevention, detection, recovery.
b- Detection, prevention, recovery.
c- Detection and prevention.
d- Detection and recovery.
Question 18. Choose the correct statement about access control models (access control):
a- MAC is a mandatory control mechanism applied to the whole system.
b- The group-based management mechanism in Windows 2000 is a form of implementation equivalent to the RBAC mechanism.
c- Most operating systems implement the DAC model.
d- All of the above are correct.
Question 19. The authentication mechanisms commonly used in information systems:
a- Using file access management mechanisms on the hard disk.
b- Using mechanisms for assigning permissions to users.
c- Using user-name/password.
d- All of the above are wrong.
Question 20. The authentication protocols commonly used in information systems:
a- Kerberos
b- CHAP
c- Both are wrong
d- Both are correct.
Question 21. The function of the auditing mechanism (auditing) on a system:
a- Logging (Logger), analysis (Analyzer) and notification (Notifier).
b- Monitoring and recording the events and behaviors taking place on the system.
c- Providing information for recovering the system after an incident.
d- Providing information as evidence of behavior that violates the system security policy.
Question 22. Choose the correct statement:
a- An Interception attack affects the integrity of the information system.
b- Modification is a type of attack on the confidentiality of the information system.
c- An attack by impersonation (fabrication) affects the integrity of the information.
d- Repudiation of an action (repudiation) is a form of Interruption attack on the system.
Question 23. Which attack method prevents legitimate users from accessing system resources?
a- Sniffing
b- Spoofing
c- DoS
d- Man-In-The-Middle.
Question 24. Choose the correct statement:
a- Buffer overflow attacks (buffer overflow) can be prevented with antivirus software.
b- Buffer overflow attacks can be prevented by installing a firewall.
c- All software written in the C language contains buffer overflow bugs.
d- Buffer overflow bugs occur only in software that takes input from the user.
Question 25. A computer eavesdrops on information on the network and uses this information to break into an information system illegally. Which attack method is this?
a- Spoofing
b- Replay
c- Man-In-The-Middle
d- Sniffing
Question 26. Which of the following attack methods is not based on the nature of the TCP/IP protocol:
a- SYN/ACK flooding
b- TCP sequence number attack
c- ICMP attack
d- Software exploitation
Question 27. Choose the correct statement about attack methods that use malicious software (malicious code):
a- A virus can replicate itself and spread through a computer network.
b- A worm is a type of malicious software that operates by relying on another piece of software.
c- A Trojan horse is a type of malicious software whose name resembles that of normal files.
d- A logic bomb cannot damage the system if the system clock always runs behind the current time.
Question 28. Choose the correct statement about firewalls:
a- A firewall can only block attacks from outside the system.
b- The full content of every packet passing through the firewall is read, which gives the firewall the basis for distinguishing attacks from other kinds of traffic.
c- If all ports (port) are opened on the firewall, the firewall is completely disabled.
d- All of the above are correct.
Question 29. Which of the following applications has the function of changing the IP address of all packets passing through it:
a- IDS
b- Proxy
c- NAT
d- There is no such application
Question 30. The working principle of an IDS:
a- Analyzing the packets flowing on the network to find signs of attack.
b- Analyzing the data in the system log to detect signs of attack.
c- Maintaining a database of attack signatures (signature database).
d- All of the above.
Question 31. Choose the correct statement about IDS:
a- An IDS is an application whose function is to detect and block attacks on an information system.
b- An IDS can only detect attacks coming from outside the system.
c- A network-based IDS cannot detect an attack on a specific host.
d- A signature-based IDS cannot detect completely new attacks that have never been described in its database.
B- Exercises
Question 32. List the attack methods and sort them into two types: active attacks and passive attacks.
Question 33. List the attack methods and sort them into two types: attacks on the TCP/IP protocol and attacks on software (application programs and operating systems).
Question 34. Install and configure the Snort IDS software on the Linux operating system.
Question 35. Install and configure ISA Server 2004 on Windows.
----------

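CHAPTER II
CRYPTOGRAPHY AND INFORMATION AUTHENTICATION
Introduction:
This chapter presents encryption mechanisms and related topics such as hash functions, digital signatures, certification and the public key infrastructure PKI. Encryption is the most basic mechanism for ensuring the Confidentiality of information. Authentication mechanisms such as hash functions and digital signatures protect the Integrity of information. The topics covered in this chapter are:
-Overview of cryptographic techniques.
-Symmetric cryptography
-Asymmetric cryptography
-Secure hash functions
-Digital signatures
-Key management and the public key infrastructure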

II.1 OVERVIEW OF CRYPTOGRAPHY:

II.1.1 Introduction:
Cryptography (Encryption) is an important foundational technique in information security. Its principle is to transform the original information into a secret form that only the entities legitimately taking part in processing the information can understand.
A legitimate entity can be a person, a computer or a piece of software that is permitted to receive the information. To be able to decrypt the secret information, the entity must know how to decrypt it (that is, know the decryption algorithm) and must have the additional information (the secret key).
The process of converting the original information into secret information according to some algorithm is called encryption. The process of transforming the secret information back into the original information is called decryption. These two processes are inseparable parts of a cryptographic technique, because encryption (hiding information) is only meaningful if the information can be decrypted (recovered). Therefore, when only the term cryptography is used, it covers both encryption and decryption.
Encryption techniques are divided into two types: symmetric key encryption and asymmetric key encryption, as presented in the following sections.

II.1.2 Components of an encryption system:

Figure 2.1 shows the general principle of a conventional cryptosystem. The components of a typical cryptosystem are:
-Plaintext: the original information to be transmitted between information systems.
-Encryption algorithm: the way in which the secret information is produced from the original information.
-Key: the cryptographic key, called the key for short. It is the additional information that the encryption algorithm mixes with the original information to produce the secret information.
-Ciphertext: the encrypted (secret) information. It is the output of the encryption algorithm.
-Decryption algorithm: the input of this algorithm is the encrypted information (ciphertext) together with the cryptographic key. The output of the algorithm is the original information (plaintext).

Figure 2.1: Structure of a conventional cryptosystem (elements shown: plaintext, encryption algorithm, key, ciphertext, decryption algorithm, key, plaintext)

II.1.3 Characteristic criteria of an encryption system:

Any encryption system is characterized by the following 3 criteria:
-Encryption method (operation): there are two methods, substitution and transposition. In substitution, the information units (bit, character, byte or block) of the original information are replaced by other information units according to some relation. In transposition, the information units of the original information change places with one another to form the encrypted information. Modern encryption systems usually combine both substitution and transposition.
-Number of keys used (number of keys): if the encrypting side (the sender) and the decrypting side (the receiver) share one key, we have a symmetric key system, called symmetric encryption for short and also known as single-key, secret key or conventional cryptosystem. If the encrypting side and the decrypting side use 2 different keys, the system is called asymmetric key, two key or public key encryption.
-Way of processing the original information (mode of cipher): the original information can be processed continuously, element by element, in which case we have a stream cipher. Conversely, if the original information is processed block by block, we have a block cipher. Stream cipher systems are usually complex and are not publicly disclosed, so they are used only in certain applications (for example in GSM mobile communications). The encryption algorithms introduced in this document focus only on block ciphers.

II.1.4 Attacking a cryptosystem:

Attacking (attack) or cracking (crack) a cryptosystem is the process of decrypting secret information illegally. The term cryptanalysis refers to the act of cracking, and the person who performs it is called a cryptanalyst.
Usually this is the act of an attacker who wants to break into a system protected by encryption. By the principles of cryptography, to obtain the original information the decrypting party must have 3 components: the secret information (ciphertext), the key (secret key) and the decryption algorithm. An attacker usually does not have all 3 of these, and therefore usually tries to decrypt the information by one of the following two methods:
-Cryptanalysis: based on the nature of the encryption algorithm, together with a piece of original information or secret information already obtained, the attacker tries to work out the whole of the original information or the key, and then decrypts all of the secret information.
-Exhaustive trial (brute-force): by trying all possible keys, the attacker can find the correct key and thus decrypt the secret information.
Usually, finding the correct key requires trying about half of all the possible keys of the cipher. For example, if the key is 8 bits long there are 2^8 = 256 different keys. To find the correct key the attacker must make on average about 256 / 2 = 128 attempts. These trials are usually assisted by computers and specialized software.
The two components that ensure the security of a cryptosystem are the algorithm (comprising the encryption algorithm and the decryption algorithm) and the key.
In practice the algorithm is not regarded as secret information, because the purpose of designing an encryption algorithm is to make it available to many users and many different applications; moreover, the details of an algorithm can be hidden only for a short time, and once the algorithm is revealed the whole encryption system becomes useless. Therefore all scenarios assume that the attacker knows the algorithm in advance.
Thus the last important component of an encryption system is its key; this key must be kept secret among the participating entities and is therefore called the secret key.
In general, the longer the key, the longer the time needed to find the key by trial, and hence the lower the chance that the key is discovered. The following table lists several key lengths and the time needed to find the key.
Table 2.1: Relationship between key length and key search time.

Key length (bits)             Maximum number of keys   Search time at 1 key/µs            Search time at 10^6 keys/µs
32                            2^32 = 4.3 * 10^9        2^31 µs = 35.8 minutes             2.15 milliseconds
56                            2^56 = 7.2 * 10^16       2^55 µs = 1,142 years              10.01 hours
128                           2^128 = 3.4 * 10^38      2^127 µs = 5.4 * 10^24 years       5.4 * 10^18 years
168                           2^168 = 3.7 * 10^50      2^167 µs = 5.9 * 10^36 years       5.9 * 10^30 years
26 characters (permutation)   26! = 4 * 10^26          2 * 10^26 µs = 6.4 * 10^12 years   6.4 * 10^6 years

II.2 SYMMETRIC CRYPTOGRAPHY:

Symmetric cryptography is characterized by the use of a single key for both encrypting and decrypting information. This shared key must be exchanged and agreed between the sender and the receiver (that is, the encrypting side and the decrypting side) in some secure way, and must be kept secret for as long as it is in use.
Symmetric cryptography is also called conventional encryption or secret key encryption.
The general structure of a conventional encryption system is shown in Figure 2.2, in which the channel used to exchange the secret key must be a secure channel. The secret key can be exchanged between two entities A and B in the following ways:
1-A chooses a secret key and delivers it directly to B (by physical means such as writing it to a disk, telling it in person, writing it on paper, ...)
2-A third entity chooses the secret key and tells it to both A and B (by physical means as above)
3-If A and B have previously used some key to communicate with each other, one of them keeps using the old key to send the other a notice of the new key.
4-If A and B both have secure connections to a third entity C, then C can send the key to both A and B over these secure connections.

Figure 2.2: Key exchange in symmetric cryptography (elements shown: shared secret key, plaintext, encryption algorithm, ciphertext, decryption algorithm, plaintext)

Symmetric encryption is based mainly on two operations: substitution and transposition.
Substitution replaces each code word with another code word according to some convention, and this convention is the key of the cipher. Example: replacing each character of a message with the character 3 positions further along in the Latin alphabet, the message HELLO WORLD is encrypted as KHOOR ZRUOG.
Transposition changes the positions of the code words in the original information according to some convention, and this convention also becomes the key of the system. Example: shifting each character of a message one position to the right with wrap-around, the message HELLO WORLD is encrypted as DHELLO WORL.
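The substitution and transposition examples above, together with the exhaustive key search described in section II.1.4, can be reproduced in a few lines. This is an added example, not part of the original lecture notes; the function names are chosen here, and the search-time helper takes the trial rate in keys per microsecond, the unit under which the figures 35.8 minutes (32 bits) and 10.01 hours (56 bits) work out.

```python
import string

ALPHABET = string.ascii_uppercase

def shift_encrypt(text, key):
    """Substitution: replace each letter with the one `key` positions further on."""
    out = []
    for ch in text:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % len(ALPHABET)])
        else:
            out.append(ch)          # spaces and other symbols are left unchanged
    return "".join(out)

def shift_decrypt(text, key):
    return shift_encrypt(text, -key)

def rotate_right(text, positions=1):
    """Transposition: move every character `positions` places right, with wrap-around."""
    if not text:
        return text
    positions %= len(text)
    return text[-positions:] + text[:-positions] if positions else text

def rotate_left(text, positions=1):
    return rotate_right(text, -positions)

def exhaustive_search(ciphertext, known_fragment, decrypt, keyspace):
    """Try every key in order; stop at the first candidate containing the known
    plaintext fragment. Returns (key, plaintext, number of keys tried) or None."""
    for tries, key in enumerate(keyspace, start=1):
        candidate = decrypt(ciphertext, key)
        if known_fragment in candidate:
            return key, candidate, tries
    return None

def average_tries(number_of_keys):
    """Mean number of trials when keys are tried in order and every key is
    equally likely to be the right one: (N + 1) / 2, about half the key space."""
    return sum(k + 1 for k in range(number_of_keys)) / number_of_keys

def search_time_seconds(key_bits, keys_per_microsecond):
    """Expected search time when half of the 2^key_bits keys must be tried."""
    microseconds = 2 ** (key_bits - 1) / keys_per_microsecond
    return microseconds / 1e6

if __name__ == "__main__":
    print(shift_encrypt("HELLO WORLD", 3))            # substitution example
    print(rotate_right("HELLO WORLD", 1))             # transposition example
    print(exhaustive_search("KHOOR ZRUOG", "WORLD", shift_decrypt, range(26)))
    print("8-bit key, average tries:", average_tries(256))
    print("32-bit key at 1 key/us: %.1f minutes" % (search_time_seconds(32, 1) / 60))
    print("56-bit key at 10^6 keys/us: %.2f hours" % (search_time_seconds(56, 1e6) / 3600))
```

With only 26 possible keys the shift cipher falls after a handful of trials, which is why the key length column of Table 2.1 matters far more than the secrecy of the method.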

II.2.1 The basic Feistel block cipher structure:

The Feistel cipher structure (Feistel Cipher Structure) was introduced by IBM in 1973. It is regarded as the most basic cipher structure and is used in many popular encryption algorithms today such as DES, Blowfish, IDEA, ... Note that Feistel is not itself an encryption algorithm, but only a model suited to the design of hardware encryption devices. Encryption algorithms have to complete the Feistel model according to their own requirements, which includes defining the function F, the S-Boxes and the subkey generation algorithm. The Feistel structure is shown in Figure 2.3.
The working principle of Feistel is based on permuting and substituting the original data block many times, as follows:
-The original information is cut into blocks of 2w bits (that is, an even number of bits). Each block is processed as 2 equal halves: the w left bits (L) and the w right bits (R).
-Both the left and the right halves are fed through an encryption block made up of n consecutive, identical rounds. The operations performed in each round are: swap the left half and the right half, and feed the right half into a processing function F together with the subkey K_i; the output is XORed with the left half. The final result is swapped once more before it is output.

Figure 2.3: The Feistel block cipher structure (elements shown: plaintext of 2w bits split into L_0 and R_0 of w bits each; rounds 1 to n with function F and subkeys K_1, ..., K_i, ..., K_n; outputs L_n, R_n, L_n+1, R_n+1; ciphertext of 2w bits)


The Feistel decryption process is similar to the encryption process; the only difference is that the order in which the subkeys are fed into the rounds is reversed with respect to encryption, that is, subkey K_n is fed into the first round and subkey K_1 into the last round. For this reason, none of the operations in the Feistel structure, including the function F, needs to have an inverse operation.
The decryption process is illustrated in Figure 2.4 for the specific case of a Feistel cipher with 16 rounds. We will prove that the output of the decryption algorithm is exactly the original information. The result of this proof can be applied in the same way to any Feistel algorithm with n rounds.

Figure 2.4: Encryption and decryption using the Feistel structure (a: encryption process; b: decryption process)


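To distinguish the encryption process from the decryption process, we denote the information blocks at each round as follows:
- $LE_i$ and $RE_i$: the left and right inputs of the encryption algorithm at round i.
- $LD_i$ and $RD_i$: the left and right inputs of the decryption algorithm at round i.
- $F(RE_i, K_i)$: the function F applied to the information block $RE_i$ and the key $K_i$.
Consider the last round (round 16) of the encryption process:
$$LE_{16} = RE_{15}$$
$$RE_{16} = LE_{15} \oplus F(RE_{15}, K_{16}) \tag{1}$$
When the output of the encryption process is fed into the input of the decryption process, taking into account the final swap of the encryption process, we have:
$$LD_0 = LE_{out} = RE_{16}$$
$$RD_0 = RE_{out} = LE_{16} \tag{2}$$
Consider the first round of the decryption process:
$$LD_1 = RD_0$$
$$RD_1 = LD_0 \oplus F(RD_0, K_{16}) \tag{3}$$
Combining (1), (2) and (3) we have:
$$LD_1 = RE_{15}$$
$$RD_1 = RE_{16} \oplus F(LE_{16}, K_{16}) = [LE_{15} \oplus F(RE_{15}, K_{16})] \oplus F(RE_{15}, K_{16}) = LE_{15}$$
because for the XOR operation we always have:
$$A \oplus A = 0$$
$$(A \oplus B) \oplus C = A \oplus (B \oplus C)$$
In general, at round i of the encryption process:
$$LE_i = RE_{i-1}$$
$$RE_i = LE_{i-1} \oplus F(RE_{i-1}, K_i)$$
which can also be written as:
$$RE_{i-1} = LE_i$$
$$LE_{i-1} = RE_i \oplus F(RE_{i-1}, K_i) = RE_i \oplus F(LE_i, K_i) \tag{4}$$
With (4) we can verify the result of every decryption round shown in Figure 2.4b. For example, at round 2:
$$LD_2 = RD_1 = LE_{15} = RE_{14}$$
$$RD_2 = LD_1 \oplus F(RD_1, K_{15}) = RE_{15} \oplus F(LE_{15}, K_{15}) = LE_{14}$$
At round 16 we have:
$$LD_{16} = RD_{15} = LE_1 = RE_0$$
$$RD_{16} = LD_{15} \oplus F(RD_{15}, K_1) = RE_1 \oplus F(LE_1, K_1) = LE_0$$
The final swap gives:
$LD_{out} = LE_0$ and $RD_{out} = RE_0$, which is exactly the original information.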
Encryption algorithms based on the Feistel structure differ from one another in the following parameters:
1-The size of the input data block (block size)
2-The key length (key size)
3-The number of rounds (number of rounds)
4-The subkey generation algorithm (subkey generation algorithm)
5-The function F performed in each round (round function)
These are the parameters that the Feistel structure leaves undefined.
In addition, there are two other criteria to consider when designing an encryption algorithm based on Feistel:
-Achieving maximum speed when implemented in software.
-Being easy to analyze and to implement.
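The proof above can be checked mechanically with a small Feistel network whose function F has no inverse. This is an added example, not part of the original lecture notes: the round function (a truncated SHA-256) and the key schedule are assumptions chosen for illustration and are not those of DES or any other standard cipher.

```python
import hashlib

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_function(right, subkey):
    """F(R, K): a truncated SHA-256, i.e. a function that cannot be inverted."""
    return hashlib.sha256(subkey + right).digest()[:len(right)]

def make_subkeys(key, rounds=16):
    """Hypothetical key schedule: K_i = SHA-256(key || i) for i = 1..rounds."""
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(1, rounds + 1)]

def feistel_trace(block, subkeys):
    """Run the rounds and return every (L_i, R_i) pair, starting with (L_0, R_0)."""
    if not block or len(block) % 2:
        raise ValueError("block must contain an even, non-zero number of bytes")
    w = len(block) // 2
    if w > 32:
        raise ValueError("this toy F produces at most 32 bytes per half")
    left, right = block[:w], block[w:]
    states = [(left, right)]
    for subkey in subkeys:
        # L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i)
        left, right = right, xor_bytes(left, round_function(right, subkey))
        states.append((left, right))
    return states

def feistel(block, subkeys):
    left, right = feistel_trace(block, subkeys)[-1]
    return right + left                      # final swap of the two halves

def encrypt(block, key, rounds=16):
    return feistel(block, make_subkeys(key, rounds))

def decrypt(block, key, rounds=16):
    # Same network, subkeys in reverse order: K_n first, K_1 last.
    return feistel(block, make_subkeys(key, rounds)[::-1])

def round_relation_holds(block, key, rounds=16):
    """Check LD_i = RE_(n-i) and RD_i = LE_(n-i) for every round i."""
    subkeys = make_subkeys(key, rounds)
    enc = feistel_trace(block, subkeys)
    dec = feistel_trace(feistel(block, subkeys), subkeys[::-1])
    return all(dec[i] == (enc[rounds - i][1], enc[rounds - i][0])
               for i in range(rounds + 1))

if __name__ == "__main__":
    key, plaintext = b"constructed key", b"FEISTEL!"   # constructed sample values
    ciphertext = encrypt(plaintext, key)
    print("ciphertext:", ciphertext.hex())
    print("decrypted :", decrypt(ciphertext, key))
    print("round relation holds:", round_relation_holds(plaintext, key))
```

Feeding the ciphertext through the network with the subkeys in their original order does not return the plaintext, which shows that the reversal of the key order is what makes decryption work.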

II.2.2 The DES encryption algorithm:

DES (Data Encryption Standard) is an encryption algorithm based on the Feistel structure, standardized in 1977 by the United States standards body (NIST, the National Institute of Standards and Technology).
The way DES encryption works is shown in Figure 2.5.

Figure 2.5: The DES encryption algorithm (elements shown: 64-bit plaintext, IP, rounds 1 to 16, 32-bit swap, IP-1, 64-bit ciphertext; 64-bit secret key, PC-1, left shifts, PC-2, 48-bit subkeys K1 to K16)
Legend:
IP (Initial Permutation): the initial permutation
IP-1 (Inverse Initial Permutation): the inverse of the initial permutation.
PC-1 (Permuted Choice 1): permutation 1
PC-2 (Permuted Choice 2): permutation 2


DES fixes the parameters of the Feistel structure as follows:
-Block size: 64 bits
-Key length: 64 bits, in fact 56 bits as explained below
-Number of rounds: 16 rounds
-Subkey generation algorithm: a combination of left shifts and permutations
-Function F: a combination of XOR, permutation and substitution (S-box).
The details of how DES implements these parameters are as follows:
-The initial permutation (IP): its function is to change the positions of the bits in the block of original information. This part is not found in the Feistel structure. At the end of the encryption process, the inverse permutation returns the bits to their original positions. The permutations IP and IP-1 are carried out using the following two matrices, in which each value gives the ordinal number of a bit in the information block (from 1 to 64):

Figure 2.6: The initial permutation matrix (IP)

Figure 2.7: The inverse of the initial permutation matrix (IP-1)

The 64 bits of the information block (M1, M2, ..., M64) are mapped to the corresponding positions in the matrices IP and IP-1, and are then read out in sequence, row by row from top to bottom.
Example: for the permutation IP, bit M1 is written into column 8 of row 5, bit M2 into column 8 of row 1, and so on until bit M64, which is written into column 1 of row 4. The block is then read out row by row, so the first 8 bits, corresponding to the first row, are the bits numbered 58, 50, 42, 34, 26, 18, 10, 2. In other words, the bit string:
M1 M2 M3 M4 M5 M6 M7 M8
is permuted into the bit string:
M58 M50 M42 M34 M26 M18 M10 M2
-The function F: its function is to mix the subkey K_i with the information block in each round. The function F in DES consists of the following operations: the expansion permutation (E table), which converts 32 bits into 48 bits; an XOR of the 48 bits just produced with the 48 bits of the subkey K_i; the S-Box substitution, which converts 48 bits into 32 bits; and finally the permutation P.
The operation of the function F in each round is shown in Figure 2.8.

Figure 2.8: Structure of each DES round (elements shown: L_i-1 and R_i-1 of 32 bits each; function F made up of the E table producing 48 bits, XOR with the 48-bit K_i, S-Box producing 32 bits, Permutation (P); outputs L_i and R_i of 32 bits each)

The E table (Expansion/Permutation) permutes the bits of the information block and at the same time converts it from 32 bits to 48 bits, using the E table matrix (Figure 2.9). The 32 bits of information are read, in order, into the 48 positions (corresponding to 6 columns and 8 rows) of the E table. Some bits are therefore repeated in the matrix.
The S-Box (Substitution Box) replaces one bit string with another and at the same time performs the reverse of the E table, converting the information block from 48 bits to 32 bits. The S-Box is also implemented through the S-Box matrices (Figure 2.10).
The working principle of the S-box is as follows:
-The 48-bit output of the XOR operation is divided into 8 parts of 6 bits each.
-Each 6-bit part is processed separately by a different S-Box matrix (there are 8 different S-Boxes).
-In each S-Box, the first bit and the last bit of the 6-bit part are used to select 1 of the 4 rows of the matrix, and the 4 remaining bits are used to select 1 of the 16 values in that row; the selected value is converted into 4 binary bits.
Example: consider the matrix S1 with the bit string 101100:
- The first bit and the last bit are 10, which is 2 in decimal, so row number 2 is selected.
- The 4 remaining bits are 0110 in binary, which is 6 in decimal, so the value in column 6 is selected.
- The value at row 2, column 6 of the matrix S1 is 2, so the output value is 0010.

Figure 2.9: The E table matrix

The permutation P (Permutation) changes the positions of the bits in the 32-bit information block output by the S-Box. The permutation P is also carried out using a matrix P of 8 columns and 4 rows (Figure 2.11).

Figure 2.10: The S-Box matrices (S1, S2, S3, S4, S5, S6, S7, S8)

Figure 2.11: The permutation matrix P

Figure 2.12: The DES subkey generation algorithm (elements shown: C_i-1 and D_i-1, left shift, PC-2, K_i, C_i and D_i)

Figure 2.13: The permutation matrix PC-1

-The subkey generation algorithm: the key supplied to the DES algorithm is 64 bits long, but only 56 bits are used during processing. The last bit of every byte (bits 8, 16, 24, 32, 40, 48, 56 and 64) is discarded right from the first processing round.
Figure 2.12 shows the subkey generation algorithm of DES. From the 64 bits of the initial key, 56 bits are selected according to the rule above and are then fed into the permutation block PC-1. The purpose of the permutation block PC-1 is to change the positions of the bits of the 56-bit key just produced. Note that PC-1 is performed only once, before the first round begins. In all the encryption rounds, the permutation applied to the subkeys is PC-2. PC-1 and PC-2 are carried out using the matrices PC-1 and PC-2 in Figures 2.13 and 2.14. The output of the permutation block PC-1 is divided into 2 parts of 28 bits each (C and D). In each encryption round, these two parts are shifted left by 1 or 2 bits before passing through the permutation block PC-2 to become the 48-bit subkey, which is fed into the XOR operation together with the information block of the corresponding round. The number of bits shifted left in each round is as follows:
Round                    11 12 13 14 15 16
Number of bits shifted

Figure 2.14: The permutation matrix PC-2
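The worked examples for IP and S1 above, and the rule that drops the last bit of every key byte, can be checked with the corresponding tables. This is an added example, not part of the original lecture notes: the IP table, the S1 table and the per-round shift schedule are taken from the published DES standard (FIPS 46), the inverse of IP is computed rather than typed in, and the two sample keys are constructed.

```python
# Initial permutation IP (DES standard): output position j takes input bit IP[j].
IP = [
    58, 50, 42, 34, 26, 18, 10, 2,
    60, 52, 44, 36, 28, 20, 12, 4,
    62, 54, 46, 38, 30, 22, 14, 6,
    64, 56, 48, 40, 32, 24, 16, 8,
    57, 49, 41, 33, 25, 17, 9, 1,
    59, 51, 43, 35, 27, 19, 11, 3,
    61, 53, 45, 37, 29, 21, 13, 5,
    63, 55, 47, 39, 31, 23, 15, 7,
]

# S-Box S1 (DES standard): 4 rows of 16 values, rows and columns numbered from 0.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

# Left-shift amounts for rounds 1..16 (DES standard).
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]

def invert(table):
    """Build the inverse permutation table (bit numbers start at 1)."""
    inverse = [0] * len(table)
    for out_pos, in_pos in enumerate(table, start=1):
        inverse[in_pos - 1] = out_pos
    return inverse

IP_INV = invert(IP)

def permute(bits, table):
    """Read the bits out in table order, row by row."""
    return [bits[pos - 1] for pos in table]

def sbox_lookup(sbox, six_bits):
    """First and last bit select the row, the 4 middle bits select the column."""
    if len(six_bits) != 6 or set(six_bits) - {"0", "1"}:
        raise ValueError("expected a string of exactly 6 binary digits")
    row = int(six_bits[0] + six_bits[5], 2)
    column = int(six_bits[1:5], 2)
    return format(sbox[row][column], "04b")

def to_bits(value, width=64):
    """Integer to bit list; bit 1 is the most significant bit."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]

def drop_parity_bits(key_bits):
    """Discard bits 8, 16, ..., 64 of a 64-bit key, leaving the 56 bits DES uses."""
    if len(key_bits) != 64:
        raise ValueError("a DES key has 64 bits")
    return [bit for number, bit in enumerate(key_bits, start=1) if number % 8]

def half_after_round(half, round_number):
    """State of a 28-bit key half (C or D) after the shifts of rounds 1..round_number."""
    total = sum(SHIFTS[:round_number]) % len(half)
    return half[total:] + half[:total]

if __name__ == "__main__":
    labels = ["M%d" % n for n in range(1, 65)]
    print("first row after IP:", " ".join(permute(labels, IP)[:8]))
    print("S1(101100) =", sbox_lookup(S1, "101100"))
    key_a, key_b = 0x133457799BBCDFF1, 0x123456789ABCDEF0   # differ only in bits 8, 16, ..., 64
    print("same effective key:",
          drop_parity_bits(to_bits(key_a)) == drop_parity_bits(to_bits(key_b)))
```

The shift amounts add up to 28, so after round 16 the two key halves C and D are back in the arrangement they had when they left PC-1.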


Remarks:
-The DES encryption algorithm is based on the Feistel structure but is complex to carry out; it is designed around bitwise operations such as XOR, shift, permutation, ... and is therefore well suited to hardware encryption devices. The DES algorithm is not easy to analyze, and for a long time it was kept secret.
-The two pieces of information that determine the security level of the DES algorithm are the complexity of the algorithm and the key length. Up to the present, that is, 30 years after DES was accepted as a standard encryption algorithm, no weakness has been found in the algorithm itself. However, with a key length of 56 bits, finding the key by trying every key in turn is feasible on today's general-purpose computers, with a search time of about 10 hours.
Therefore, the risk of cryptographic attack against systems that use DES is quite high at present. This calls for either building a different encryption standard or improving DES to raise its security level. The next section presents both solutions.

II.2.3 The Triple DES encryption algorithm:

Triple DES (abbreviated as 3DES or TDES) is an improved version of DES. The principle of Triple DES is to increase the key length of DES in order to increase security while keeping compatibility with the old DES algorithm.
Let P be the original information, K the key and C the encrypted information; let E be the encryption algorithm and D the decryption algorithm. Encryption and decryption with simple DES are then expressed as follows:
C = E(P, K)
P = D(C, K)

Figure 2.15: Double DES (a: encryption; b: decryption)

To increase the security of the DES algorithm, the basic idea is to apply DES several times to the same block of original information. If DES is applied twice, we have double DES (Figure 2.15), expressed by the formulas:
C = E(E(P, K1), K2)
P = D(D(C, K2), K1)
However, with a 112-bit key, double DES has not proven to be highly secure: systems that use double DES can still be attacked by the in-between method (Man-In-The-Middle). By applying DES three times to the same block of information, with two encryptions and one decryption (Figure 2.16), we obtain Triple DES:
C = E(D(E(P, K1), K2), K1)
P = D(E(D(C, K1), K2), K1)

Figure 2.16: Triple DES using 2 keys (a: encryption; b: decryption)

In this case the key length of the algorithm is still K1 + K2 = 112 bits.
The decryption step inserted in the middle of the Triple DES algorithm is not meant to add security; it only provides compatibility between Triple DES and the old DES algorithm. With K2 set equal to K1, a Triple DES decryption device can decrypt information that was encrypted with DES:
C = E(D(E(P, K1), K2), K1) = E(P, K1).
Triple DES with two keys is a secure encryption algorithm that avoids the in-between attacks and is used in place of DES in many applications (ANS X9.17, ISO 8732, ...).
Another version of Triple DES uses 3 different keys K1, K2, K3 with the same structure as above. The key length of the algorithm is then K1 + K2 + K3 = 168 bits. When compatibility with old DES applications is required, set K1 = K2 or K3 = K2. Triple DES with 3 keys is also used in many services, in particular PGP and S/MIME.
II.2.4 The AES encryption algorithm:

Triple DES overcomes the weaknesses of DES and works reliably in many Internet applications. However, Triple DES still carries the drawbacks of DES: it is hard to analyse, it is suited to hardware implementation rather than software implementation, and its block size is fixed at 64 bits. A new encryption standard was therefore needed, built on a solid mathematical foundation, flexible enough to be tuned to the application and, above all, suited to both software and hardware implementation. These are the basic requirements for the Advanced Encryption Standard (AES).
The Rijndael algorithm was chosen for standardization as AES in 2002. At present AES is still in a trial phase and few applications are based on it, but in the near future applications that use symmetric-key encryption will gradually move to AES.
The main parameters of AES are summarized as follows:

Key length (bits)             | 128 | 192 | 256
Block size (bits)             | 128 | 128 | 128
Number of rounds              | 10  | 12  | 14
Subkey length (bits)          | 128 | 128 | 128
Expanded key length (bytes)   | 176 | 208 | 240

The AES key length can be 128, 192 or 256 bits. For each case the remaining parameters are given in the table above; the block size is always fixed at 128 bits.
An important point is that AES is not based on the Feistel structure. All operations in the algorithm can be described mathematically, so AES can be implemented in hardware or software at maximum speed. AES uses two different algorithms for encryption and decryption, so every operation in the algorithm must have an inverse operation (except XOR).
Figure 2.17 describes the AES algorithm in the simplest case (128-bit key).
Figure 2.17: The AES encryption algorithm (a- encryption; b- decryption). The key is expanded (Expand key) into the words W[0,3], W[4,7], ..., W[36,39], W[40,43]. Encryption: Add round key with W[0,3]; rounds 1 to 9 each apply Substitute bytes, Shift rows, Mix column and Add round key; round 10 applies Substitute bytes, Shift rows and Add round key with W[40,43]. Decryption applies Add round key, Inverse shift rows, Inverse sub bytes and Inverse mix column, starting from W[40,43] and ending with W[0,3].

The plaintext block (128 bits) is processed as a two-dimensional 4 x 4 array called the State array; each element of the array corresponds to 8 bits of the block. Each encryption round changes the value of the state array, and the output of the algorithm is the final value of the state array (Figure 2.18).

Figure 2.18: Transformation of the state array in AES (input block, intermediate states, output block)

The AES algorithm is built on the following 4 operations:

-Byte substitution (Byte Substitution)
-Row shifting (ShiftRows)
-Column mixing (MixColumns)
-Key addition (AddRoundKey)
AES with a 128-bit key (both encryption and decryption) starts with a key addition, followed by 9 consecutive rounds of the 4 steps above, and a final round of 3 steps (without the column mixing operation).
-Byte substitution: this operation replaces each byte of the state array with another byte using a 16 x 16 matrix (called the S-Box). The substitution rule is: for each byte of the current state array, the 4 left bits select one of 16 rows and the 4 right bits select one of 16 columns. The value of the cell at the selected row and column is the replacement for the current byte. In decryption the operation is performed in the same way but with a different matrix, called the inverse S-Box (Figure 2.19).
Example: the current state array has the following values (hex):
EA 04 65 85
83 45 5D 96
5C 33 98 B0
F0 2D AD C5
After byte substitution with the S-Box of Figure 2.19 it becomes:
87 F2 4D 97
EC 6E 4C 90
4A C3 46 E7
8C D8 95 A6

Figure 2.19: Byte substitution matrix (S-Box) (a- S-Box; b- inverse S-Box)

-Row shifting: this operation permutes the bytes of the state array. The rule is: the first row of the array is left unchanged, the second row is shifted left by 1 byte, the third row is shifted left by 2 bytes and the fourth row is shifted left by 3 bytes (Figure 2.20).

Figure 2.20: The row shifting operation

The inverse operation is performed in the same way but with right shifts instead of left shifts: the first row is again left unchanged, the second row is shifted right by 1 byte, the third row by 2 bytes and the fourth row by 3 bytes.
-Column mixing: this operation is performed on each column and replaces each byte of the column with a value computed from all the bytes of that column. The operation is expressed as the following matrix multiplication:

With this multiplication, we have:

s'_{0,j} = (2 · s_{0,j}) ⊕ (3 · s_{1,j}) ⊕ s_{2,j} ⊕ s_{3,j}
s'_{1,j} = s_{0,j} ⊕ (2 · s_{1,j}) ⊕ (3 · s_{2,j}) ⊕ s_{3,j}
s'_{2,j} = s_{0,j} ⊕ s_{1,j} ⊕ (2 · s_{2,j}) ⊕ (3 · s_{3,j})
s'_{3,j} = (3 · s_{0,j}) ⊕ s_{1,j} ⊕ s_{2,j} ⊕ (2 · s_{3,j})
The matrix multiplication is carried out in the field GF(2^8) (*).
The inverse of the column mixing operation is performed in the same way but with the following matrix multiplication:

The value of the state array is then determined as follows:

s'_{0,j} = (14 · s_{0,j}) ⊕ (11 · s_{1,j}) ⊕ (13 · s_{2,j}) ⊕ (9 · s_{3,j})
s'_{1,j} = (9 · s_{0,j}) ⊕ (14 · s_{1,j}) ⊕ (11 · s_{2,j}) ⊕ (13 · s_{3,j})
s'_{2,j} = (13 · s_{0,j}) ⊕ (9 · s_{1,j}) ⊕ (14 · s_{2,j}) ⊕ (11 · s_{3,j})
s'_{3,j} = (11 · s_{0,j}) ⊕ (13 · s_{1,j}) ⊕ (9 · s_{2,j}) ⊕ (14 · s_{3,j})
(*) See further references on operations in Galois fields, in particular fields of the form GF(2^n).

Example: the current state array has the following values (hex):
87 F2 4D 97
6E 4C 90 EC
46 E7 4A C3
A6 8C D8 95
After column mixing with the matrix multiplication above it becomes:
47 40 A3 4C
37 D4 70 9F
94 E4 3A 42
ED A5 A6 BC

-Key addition: this is the simplest operation of the algorithm. It mixes the current state array with the subkey of the corresponding round. The mixing is done by XORing the 128 bits of the current state array with the 128 bits of the subkey. Key addition has no separate inverse operation, or more precisely, its inverse is the same XOR.
-Subkey generation: the initial 128-bit key is expanded (expand key) into 176 bytes, organized as 44 words of 4 bytes each, which is exactly enough for the 10 subkeys of the 10 encryption rounds (each subkey consists of 4 words) plus 1 subkey for the initial key addition. The AES subkey generation algorithm is therefore an algorithm that expands the four initial key words (128 bits) into 44 key words. The key expansion is performed as follows:
-The four original key words are used directly in the initial key addition, i.e. w[0,3] = key.
-The following expanded key words (those whose index is not a multiple of 4) are produced by XORing the immediately preceding key word with the key word 4 positions before it, i.e. w[i] = w[i-1] ⊕ w[i-4].
-For expanded key words whose index is a multiple of 4, the steps are:
Shift the immediately preceding key word left by 1 byte: temp = leftshift(w[i-1], 8 bit)
Replace the bytes of the resulting word with other values using the S-Box of Figure 2.19: temp = S-Box(temp)
XOR the resulting value with a constant defined for each encryption round, called the Round Constant or RC[j]. The value of RC[j] is defined separately for each round as follows:

Round j | 1  | 2  | 3  | 4  | 5  | 6  | 7  | 8  | 9  | 10
RC[j]   | 01 | 02 | 04 | 08 | 10 | 20 | 40 | 80 | 1B | 36

The value obtained after the XOR with RC[j] is XORed once more with the key word 4 positions before the current one to form the new key word.
Figure 2.21 shows the AES key expansion algorithm, in which the function g stands for a complex operation made up of the 4 operations just described, applied to the key words whose position is a multiple of 4.

Figure 2.21: The AES key expansion algorithm
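
The four operations and the key expansion described above, assembled into AES-128 encryption of one block. This is an added example, not code from the original notes; the function names are chosen here, and the S-Box is computed (inverse in GF(2^8) followed by the standard affine map) instead of being typed in from Figure 2.19.

```python
# Added example: AES-128 encryption built from SubBytes, ShiftRows,
# MixColumns, AddRoundKey and the key expansion.
# The state is state[row][column]; input bytes fill it column by column.

def xtime(a):
    """Multiply a byte by 2 in GF(2^8), reducing by x^8+x^4+x^3+x+1 (0x11B)."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def gmul(a, b):
    """Multiply two bytes in GF(2^8) by shift-and-add."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result

def build_sbox():
    """S-Box: multiplicative inverse in GF(2^8), then the affine map."""
    inverse = [0] * 256                      # 0 has no inverse and maps to 0
    for a in range(1, 256):
        inverse[a] = next(b for b in range(1, 256) if gmul(a, b) == 1)
    sbox = []
    for x in inverse:
        y = x
        for n in range(1, 5):                # XOR with x rotated left by 1..4 bits
            y ^= ((x << n) | (x >> (8 - n))) & 0xFF
        sbox.append(y ^ 0x63)
    return sbox

SBOX = build_sbox()
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]
RC = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def sub_bytes(state):
    """Replace every byte of the state through the S-Box."""
    return [[SBOX[b] for b in row] for row in state]

def shift_rows(state):
    """Row r is rotated left by r bytes (row 0 is unchanged)."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]

def mix_columns(state, matrix=MIX):
    """Multiply every column by the 4x4 matrix over GF(2^8); addition is XOR."""
    out = [[0] * 4 for _ in range(4)]
    for c in range(4):
        for r in range(4):
            for k in range(4):
                out[r][c] ^= gmul(matrix[r][k], state[k][c])
    return out

def add_round_key(state, words):
    """XOR the state with four key words; word c covers column c."""
    return [[state[r][c] ^ words[c][r] for c in range(4)] for r in range(4)]

def expand_key(key):
    """Expand a 16-byte key into the 44 words w[0..43]."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        temp = list(w[i - 1])
        if i % 4 == 0:
            temp = temp[1:] + temp[:1]       # circular left shift by 1 byte
            temp = [SBOX[b] for b in temp]   # S-Box on each byte
            temp[0] ^= RC[i // 4 - 1]        # round constant RC[j]
        w.append([t ^ p for t, p in zip(temp, w[i - 4])])
    return w

def encrypt_block(plaintext, key):
    """Encrypt one 16-byte block with a 16-byte key (AES-128)."""
    w = expand_key(key)
    state = [[plaintext[4 * c + r] for c in range(4)] for r in range(4)]
    state = add_round_key(state, w[0:4])                 # initial key addition
    for rnd in range(1, 10):                             # rounds 1..9
        state = mix_columns(shift_rows(sub_bytes(state)))
        state = add_round_key(state, w[4 * rnd:4 * rnd + 4])
    state = add_round_key(shift_rows(sub_bytes(state)), w[40:44])  # round 10
    return bytes(state[r][c] for c in range(4) for r in range(4))

def hex_state(rows):
    """Parse a state written as four rows of hex bytes, as in the notes."""
    return [[int(b, 16) for b in row.split()] for row in rows]

if __name__ == "__main__":
    # The worked state from the notes, taken through three operations.
    state = hex_state(["EA 04 65 85", "83 45 5D 96", "5C 33 98 B0", "F0 2D AD C5"])
    for name, step in (("SubBytes", sub_bytes), ("ShiftRows", shift_rows),
                       ("MixColumns", mix_columns)):
        state = step(state)
        print(name, [" ".join("%02X" % b for b in row) for row in state])
```

The table lookups here are not constant-time, so this code is for study; production systems should call a vetted AES implementation.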

II.2.5 Other symmetric encryption algorithms:

Besides the 2 standard encryption algorithms above (Triple DES is regarded as an upgraded version of DES rather than an independent algorithm), many other algorithms have also proven effective and are used in a number of different applications:
-IDEA (International Data Encryption Algorithm) is a symmetric encryption algorithm developed in Sweden in 1991. IDEA is based on the Feistel structure, uses a 128-bit key and differs from DES in many respects. IDEA does not use S-boxes but relies on 3 operations: XOR, binary addition and binary multiplication on 16-bit registers. IDEA uses an encryption algorithm of 8 rounds, and the subkey of each round is produced by complex shifts. IDEA is used in e-mail security applications (PGP).
-Blowfish was developed in 1993 by an independent cryptography researcher (Bruce Schneier) and quickly came into use alongside DES. Blowfish is designed to be simple and fast. The algorithm uses a variable-length key (up to 448 bits), although 128-bit keys are the most common. Blowfish also uses the Feistel block cipher structure, performs 16 rounds and uses S-box, XOR and binary addition operations.
-RC4 and RC5 are symmetric encryption algorithms designed by Ron Rivest (one of the inventors of the asymmetric algorithm RSA) in 1988 and 1994. RC4 is a stream cipher with a simple structure, used in Web security (SSL/TLS) and in wireless networks (WEP). RC5 is a block cipher designed with properties such as: suitability for both hardware and software implementation, high speed, simplicity, a variable key length and a variable number of rounds.
-CAST-128 is another algorithm, designed in 1997 by Carlisle Adams and Stafford Tavares. CAST-128 uses a variable-length key and also uses S-boxes, but larger ones than DES; notably, its encryption rounds are not entirely identical.
Table 2.1 summarizes the symmetric-key block ciphers in practical use and their applications.
Table 2.1: Symmetric encryption algorithms

Algorithm | Key length                 | Number of rounds          | Operations used                                  | Applications
DES       | 56 bits                    | 16                        | XOR, S-box                                       | SET, Kerberos
3DES      | 112 or 168 bits            | 48                        | XOR, S-box                                       | PGP, S/MIME, key management applications
AES       | 128, 192 or 256 bits       | 10, 12 or 14              | XOR, shift, S-box                                | SSL
IDEA      | 128 bits                   | 8                         | XOR, binary addition, binary multiplication      | PGP
Blowfish  | Variable, up to 448 bits   | 16                        | XOR, S-box, binary addition                      | Cryptographic tools
RC5       | Variable, up to 2048 bits  | Variable, up to 255 rounds | Binary addition, binary subtraction, XOR, rotation | Cryptographic tools
CAST-128  | 40 to 128 bits             | 16                        | Binary addition and subtraction, XOR, rotation, S-box | PGP

II.3 ASYMMETRIC ENCRYPTION TECHNIQUES

II.3.1 Structure of an asymmetric cryptosystem:
The defining feature of asymmetric encryption is the use of 2 separate keys for encryption and decryption: one key is published (public key, or PU) and the other is kept secret (private key, or PR). Either key can be used to encrypt or to decrypt. Choosing the public key or the private key for encryption gives two different applications of asymmetric encryption:

-If the public key is used to encrypt and the private key to decrypt, the application is confidentiality of information.
-If the private key is used to encrypt and the public key to decrypt, the application is authentication of the content and origin of information.

Asymmetric encryption algorithms rely mainly on mathematical functions rather than on operations on bit strings. Asymmetric encryption is more commonly known as public key encryption.
In general, asymmetric encryption is not a more secure technique than symmetric encryption; the security of an encryption algorithm generally depends on 2 factors: the key length and the computational complexity of carrying out the algorithm (on a computer). Moreover, although it appeared later, asymmetric encryption is not superior in every respect and will not be used to replace symmetric encryption. Each technique has its own strengths, and symmetric encryption remains well suited to small and simple systems. In addition, key distribution in asymmetric encryption is regarded as one of the complex problems when deploying this technique in practice.

Figure 2.22: Structure of an asymmetric cryptosystem
a- Confidentiality application: user A runs the encryption algorithm on the plaintext with user B's public key, taken from the set of public keys (users B, C, D, E); user B runs the decryption algorithm on the ciphertext with user B's private key and recovers the plaintext.
b- Authentication application: user A runs the encryption algorithm on the plaintext with user A's private key; user B runs the decryption algorithm on the ciphertext with user A's public key, taken from the set of public keys (users A, C, D, E), and recovers the plaintext.


The structure of an asymmetric cryptosystem is shown in Figure 2.22.
The basic steps of a public key cryptosystem are:

-Each entity (user) generates a key pair (public/private) used for encryption and decryption.
-Each user announces one of its two keys to the other users; this key is called the public key. The other key is kept secret and is called the private key.
-If user A wants to send information to user B, user A encrypts the information with user B's public key.
-On receiving the encrypted information from user A, user B decrypts it with its own private key. Since the private key is not published, only user B is able to decrypt it.

Asymmetric encryption is used in the following applications: hiding information, creating digital signatures and exchanging keys for symmetric encryption algorithms (key exchange).

II.3.2 The RSA encryption algorithm:

RSA is an asymmetric encryption algorithm built by Ron Rivest, Adi Shamir and Len Adleman at the Massachusetts Institute of Technology (MIT), hence the name Rivest-Shamir-Adleman or RSA. The algorithm appeared in 1977 and has since been applied in many fields. Like other asymmetric encryption algorithms, RSA relies mainly on number theory rather than on bit-level operations.
Within the scope of this document, RSA is described in outline so that the reader can grasp the principle of the algorithm; the analysis and proof of its theoretical basis are not the focus.
RSA is a block cipher, with a block size of typically 1024 or 2048 bits. The plaintext of RSA is treated as integers. For example, with a block size of 1024 bits the integer ranges from 0 to 2^1024 - 1, which corresponds to a decimal number of 309 digits. Note that these are extremely large integers, which cannot be handled with the built-in data structures of popular programming languages.
The RSA algorithm is described as follows:
1-To create an RSA key pair, first choose two large primes p and q. Let N be the product of p and q (N = pq).
2-Next, choose a number e such that e and (p-1)(q-1) are relatively prime. Then find the number d such that ed = 1 mod (p-1)(q-1). The notation mod m denotes the modulo operation with modulus m.
3-Now set aside p and q. With the 3 remaining components N, e and d, we have:
-The public key is the pair (N, e)
-The private key is the pair (N, d).
4-A plaintext block M is encrypted with the formula:
C = M^e mod N (where M is an integer less than N)

5-And the ciphertext C is decrypted with the formula:

M = C^d mod N
The theoretical basis of RSA rests on the theory of prime numbers, modular arithmetic and Euler's theorem, as follows:
Euler's function: for a positive integer n, define φ(n) as the number of positive integers that are less than n and relatively prime to n. Example: for n = 8, the positive integers less than 8 and relatively prime to 8 are 1, 3, 5, 7, so φ(8) = 4. φ(n) is called the Euler function of n.
-By convention φ(1) = 1.
-If n is prime, all positive integers less than n are relatively prime to n, so φ(n) = n - 1.
-If p and q are two primes and N = pq, then φ(N) = φ(p) · φ(q). Indeed, among the N - 1, i.e. (pq - 1), positive integers less than N, the numbers p, 2p, ..., (q-1)p and the numbers q, 2q, ..., (p-1)q are the ones that are not relatively prime to N. Therefore:
φ(N) = (pq - 1) - [(p - 1) + (q - 1)]
     = pq - (p + q) + 1
     = (p - 1)(q - 1)
     = φ(p) · φ(q)

Euler's theorem: if a and n are relatively prime, then a^φ(n) = 1 mod n

We accept this theorem without proof.
With these foundations, the RSA algorithm can be verified as follows:
Given the ciphertext block C = M^e mod N, we need to verify that M = C^d mod N.
We have:
C^d mod N = (M^e)^d mod N = M^(ed) mod N
From the RSA key generation process, we have:
ed = 1 mod (p - 1)(q - 1)
Moreover, N = pq, so φ(N) = (p - 1)(q - 1), with p, q prime.
Therefore:
ed - 1 = k · φ(N) for some integer k.
And:
C^d mod N = M^(ed) mod N
          = M^((ed - 1) + 1) mod N
          = M · M^(ed - 1) mod N
          = M · M^(k · φ(N)) mod N
          = M · 1^k mod N
          = M.

Example: the primes p = 11 and q = 3 are chosen to create an RSA key pair for user A.

Then N = pq = 3*11 = 33
(p-1)(q-1) = (11 - 1)(3 - 1) = 20
Next, choose e = 3, which satisfies the condition that 3 and 20 are relatively prime.
With e = 3, we find d = 7, since ed = 3*7 = 1 mod 20. In fact many values of d satisfy this requirement, but for simplicity we choose the smallest one.
The key pair is then:
Public key: (N, e) = (33, 3)
Private key: (N, d) = (33, 7)
Suppose user B wants to send the message M = 15 to user A. Using A's public key, B computes:
C = M^e mod N = 15^3 mod 33 = 3375 mod 33 = 9 mod 33.
The ciphertext sent to A is then C = 9.

On receiving this, A decrypts it with its private key (d = 7) as follows:
M = C^d mod N = 9^7 mod 33 = 4,782,969 mod 33 = 15 mod 33.
The decrypted information is therefore M = 15, which matches the original plaintext.
In summary, the RSA algorithm consists of 3 separate processes, key generation, encryption and decryption, summarized as follows:
1-Key generation:
Choose p, q (p and q are prime, p ≠ q)
Compute N = p.q
Compute φ(N) = (p - 1)(q - 1)
Choose e such that the greatest common divisor of e and φ(N) is 1
Choose d such that e.d mod φ(N) = 1
The RSA key pair produced is PU = (N, e), PR = (N, d)

2-Encryption:
C = M^e mod N (M is an integer less than N)

3-Decryption:
M = C^d mod N

In practice, to achieve a high level of security the key pair must be chosen from large numbers p and q (N must be at least 1024 bits), so an RSA implementation involves exponentiation on very large numbers. Reducing the computational cost and speeding up RSA is one of the important problems to be solved. On current computer systems, the performance of RSA is acceptable.
-Security of RSA:
In theory, an RSA system can be attacked by the following methods:

-Brute-force attack: trying the private key PR one value after another.
-Mathematical attack: determining p and q by factoring N into its prime factors, and from them determining e and d.
-Timing attack: based on the execution time of the decryption algorithm.
-Chosen ciphertext attack: using specially chosen ciphertexts to recover the plaintext.

In practice, however, the risk of attack on RSA cryptosystems is very low, because RSA is a flexible algorithm: the plaintext block size and the key length can easily be changed without affecting the encryption algorithm.
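
The key generation, encryption and decryption steps above, run on the p = 11, q = 3 example and then on a larger modulus. This is an added example, not code from the original notes; the function names and the choice of the two Mersenne primes 2^61 - 1 and 2^89 - 1 with e = 65537 are assumptions made here, and `recover_private_key` illustrates the mathematical attack listed above on a modulus small enough to factor by trial division.

```python
# Added example: textbook RSA exactly as described in the notes.
# No padding is applied, so this is for study only.
import math

def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def generate_keypair(p, q, e):
    """Return ((N, e), (N, d)) with d the smallest positive inverse of e."""
    if p == q:
        raise ValueError("p and q must be different primes")
    n, phi = p * q, (p - 1) * (q - 1)
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    return (n, e), (n, x % phi)

def mod_exp(base, exponent, modulus):
    """Square-and-multiply: the cost grows with the bit length of the exponent."""
    result = 1
    base %= modulus
    while exponent:
        if exponent & 1:
            result = result * base % modulus
        base = base * base % modulus
        exponent >>= 1
    return result

def encrypt(m, public_key):
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("M must be an integer less than N")
    return mod_exp(m, e, n)

def decrypt(c, private_key):
    n, d = private_key
    return mod_exp(c, d, n)

def recover_private_key(public_key):
    """Factor a toy N by trial division and rebuild d from p and q.

    The loop runs up to sqrt(N) steps, which is why N must be far too
    large to factor (at least 1024 bits according to the notes).
    """
    n, e = public_key
    p = next(f for f in range(2, math.isqrt(n) + 1) if n % f == 0)
    return generate_keypair(p, n // p, e)[1]

if __name__ == "__main__":
    public, private = generate_keypair(11, 3, 3)
    c = encrypt(15, public)
    print("keys:", public, private, "C =", c, "M =", decrypt(c, private))
    print("d recovered from the public key alone:", recover_private_key(public))

    # Python integers have arbitrary precision, so larger moduli need no
    # special data structure. Constructed parameters: two Mersenne primes.
    big_pub, big_priv = generate_keypair(2**61 - 1, 2**89 - 1, 65537)
    m = int.from_bytes(b"session key", "big")
    print("round trip on a 150-bit modulus:", decrypt(encrypt(m, big_pub), big_priv) == m)
```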

II.3.3 The Diffie-Hellman key exchange algorithm:

Diffie-Hellman is an algorithm for key exchange, not for encrypting (hiding) data. Nevertheless, Diffie-Hellman is useful in the secret-key exchange phase of symmetric encryption algorithms. As presented at the beginning of this chapter, one of the important issues directly tied to the security of symmetric encryption algorithms is how the communicating entities agree on a secret key.
The Diffie-Hellman key exchange algorithm is based on the discrete logarithm (discrete log). Given a number g and x = g^k, to find k we simply take the logarithm: k = log_g(x). However, given g, p and (g^k mod p), k is determined in a different way, called the discrete logarithm. Computing a discrete logarithm is in general very complex but can still be done.
The Diffie-Hellman algorithm is quite simple, as follows:

User A                                      | User B
Choose a secret number Xa < p               | Choose a secret number Xb < p
Compute Ya = (g^Xa mod p) and send it to B  | Compute Yb = (g^Xb mod p) and send it to A
Compute K = (Yb)^Xa mod p                   | Compute K = (Ya)^Xb mod p

Figure 2.23: The Diffie-Hellman key exchange algorithm


-Let p be a prime and g a generator satisfying the condition that for every x ∈ {1, 2, ..., p-1} there is always a number n such that x = g^n mod p.
-The values p and g are published among the entities that exchange keys. User A then generates a secret number Xa < p, computes the value Ya = (g^Xa mod p) and sends it to B. Similarly, user B generates a secret number Xb < p, computes the value Yb = (g^Xb mod p) and sends it back to A.
-From the information received from A, user B determines the secret key for the session by computing (g^Xa mod p)^Xb = (g^(Xa·Xb) mod p). In the same way, user A determines this secret key by computing (g^Xb mod p)^Xa = (g^(Xa·Xb) mod p).
-Suppose that while the values (g^Xa mod p) and (g^Xb mod p) are being exchanged, a third party captures them. It is still very hard for that party to determine Xa and Xb, because the complexity of the discrete logarithm is very high.
Example:
Let p = 353 and g = 3. It can be verified that for any integer n with 0 < n < 353, there is always an integer i such that 3^i = n mod 353.
Suppose user A chooses the secret value Xa = 97 and user B chooses the secret value Xb = 233.
User A computes Ya = (3^97 mod 353) = 40 and sends it to B.
User B computes Yb = (3^233 mod 353) = 248 and sends it to A.
User A computes the secret key K = (Yb)^Xa mod 353 = 248^97 mod 353 = 160
User B computes the secret key K = (Ya)^Xb mod 353 = 40^233 mod 353 = 160
-Security of the Diffie-Hellman key exchange algorithm:
The security of Diffie-Hellman rests on the complexity of the discrete logarithm. In general, determining the values Xa, Xb from the values p, g, Ya and Yb is infeasible for large integers. However, the algorithm does not prevent Man-In-The-Middle (MITM) attacks, which work as follows:

-To carry out an MITM attack on the connection between user A and user B, user C also chooses two integers XC1 and XC2 satisfying XC1 < p and XC2 < p, and then computes the two corresponding values YC1 = (g^XC1 mod p) and YC2 = (g^XC2 mod p).
-When user A sends Ya to user B, user C intercepts it and, impersonating A, sends B the value YC1. User B determines the key K1 from YC1 and sends the value Yb back to A. User C again intercepts this value and, impersonating B, sends A the value YC2.
-User A determines the key K2 from YC2. From this point on, the information exchanged between A and B is intercepted and altered by C using the key pair K1 and K2.

The Diffie-Hellman algorithm does not solve this problem because it has no mechanism for authentication between the entities that exchange keys. This weakness is overcome by combining it with authentication algorithms, as presented in the next section.
Besides RSA and Diffie-Hellman, several other algorithms have been developed on the principle of a public and private key pair. Elliptic-Curve Cryptography (ECC) is a new algorithm that is being trialled and promises many advantages over RSA, such as lower computational complexity while security is still assured. ECC is suited to applications running on devices with limited processing power, such as embedded devices.
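
The exchange with p = 353 and g = 3, the key split that the substitution described above produces, and a receiver-side check that rejects a substituted public value. This is an added example, not code from the original notes; the function names, the constructed secrets 12 and 57 for user C, and the use of an HMAC under a pre-shared authentication key as the authentication mechanism are assumptions made here.

```python
# Added example: Diffie-Hellman with the numbers from the notes, and why the
# public values must be authenticated.
import hashlib
import hmac

P, G = 353, 3          # public parameters from the example in the notes

def is_generator(g, p):
    """True if the powers of g cover every value 1..p-1 modulo p."""
    return len({pow(g, n, p) for n in range(1, p)}) == p - 1

def public_value(secret):
    """Y = g^X mod p."""
    return pow(G, secret, P)

def session_key(received_public, own_secret):
    """K = Y^X mod p, computed from the other side's public value."""
    return pow(received_public, own_secret, P)

def exchange(xa, xb, substitute=None):
    """Run one exchange and return the key each party ends up holding.

    substitute=(xc1, xc2) models the interception in the text: B receives
    YC1 in place of Ya and A receives YC2 in place of Yb.
    """
    ya, yb = public_value(xa), public_value(xb)
    if substitute is None:
        return {"A": session_key(yb, xa), "B": session_key(ya, xb)}
    xc1, xc2 = substitute
    yc1, yc2 = public_value(xc1), public_value(xc2)
    return {
        "A": session_key(yc2, xa),         # K2, computed by A
        "B": session_key(yc1, xb),         # K1, computed by B
        "C_with_A": session_key(ya, xc2),  # C holds K2 as well
        "C_with_B": session_key(yb, xc1),  # C holds K1 as well
    }

def tag_public_value(auth_key, sender, value):
    """Authenticate a public value with an HMAC over sender name and value."""
    message = sender.encode() + b"|" + str(value).encode()
    return hmac.new(auth_key, message, hashlib.sha256).digest()

def accept_public_value(auth_key, sender, value, tag):
    """Receiver-side check: reject a value whose tag does not verify."""
    expected = tag_public_value(auth_key, sender, value)
    return hmac.compare_digest(expected, tag)

if __name__ == "__main__":
    print("g is a generator:", is_generator(G, P))
    print("honest exchange:", exchange(97, 233))
    print("with substitution:", exchange(97, 233, substitute=(12, 57)))

    auth_key = b"constructed pre-shared authentication key"
    ya = public_value(97)
    tag = tag_public_value(auth_key, "A", ya)
    print("genuine Ya accepted:", accept_public_value(auth_key, "A", ya, tag))
    print("substituted value accepted:",
          accept_public_value(auth_key, "A", public_value(12), tag))
```

Without the check, neither A nor B can tell the two runs apart: both simply obtain a key. With it, B refuses the substituted value before deriving any key.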

II.3.4 Assessment of asymmetric encryption techniques:

Asymmetric encryption can fully meet the same system security requirements as symmetric encryption, although asymmetric encryption usually runs more slowly because the algorithms are based on arithmetic operations rather than bit-level operations. Moreover, asymmetric encryption is suited only to software implementation. Asymmetric encryption ensures 2 basic requirements of information: confidentiality and integrity.
Asymmetric encryption has 2 advantages over symmetric encryption:
1-The two communicating entities do not need to carry out a key exchange procedure before they start working.
2-Besides ensuring the integrity of data, asymmetric encryption (when used for authentication) also ensures the non-repudiation of information.

II.4 HASH FUNCTIONS
II.4.1 Message authentication:
Message authentication is a mechanism applied in information processing in order to:

-Ensure that the content exchanged between entities is accurate and has not been added to, modified, deleted or replayed (integrity of content).
-Ensure that the entity that created the information (the origin of the information) is the legitimate entity it is declared to be (integrity of origin).

In principle there are 3 methods of message authentication:

1-Using encryption algorithms (symmetric and asymmetric) to authenticate information. The principle of encryption is that only legitimate entities can recover the plaintext from the ciphertext. This principle can be used to authenticate information as follows (Figure 2.24):

Figure 2.24: Message authentication using encryption (sender on one side, receiver on the other; a- using symmetric encryption; b- using asymmetric encryption)
M: plaintext
C: ciphertext
E: encryption algorithm
D: decryption algorithm
K: secret key shared by the sender and the receiver
PRa: private key of the sender
PUa: public key of the sender


First case: symmetric encryption. By convention, only the legitimate sender and the legitimate receiver hold the secret key K, so only the legitimate sender is able to produce a valid ciphertext block from the plaintext block M. Likewise, only the legitimate receiver is able to decrypt the ciphertext and recover the correct plaintext M. Any other attempt gives a wrong result.
Second case: asymmetric encryption. The sender encrypts with its private key (PR) instead of the public key. The resulting ciphertext can be decrypted by anyone who knows the sender's public key. However, if decryption succeeds, the receiver can be certain that the information received is correct and that it was sent by the legitimate sender, because only that entity holds the private key PR.
Authentication by encryption relies entirely on the trustworthiness of the secret key.
2-Using a Message Authentication Code (MAC). The MAC is generated from the combination of a plaintext block of arbitrary length and a secret key. The size of the MAC is fixed, does not depend on the size of the original data and is usually smaller than the original data. The sender sends the MAC value along with the original information. The receiver, after receiving the original information together with the attached MAC value, computes a new MAC value from the original information and the secret key agreed between the two sides. If the newly computed MAC value is identical to the MAC value received from the sender, the receiver can be certain that the original information was not changed in transit (Figure 2.25).

Figure 2.25: Message authentication using a MAC (the sender appends the MAC to the message; the receiver recomputes the MAC and compares)
M: plaintext
C: MAC generation function
K: secret key shared by the sender and the receiver
| |: appending the MAC to the plaintext


The use of a MAC to authenticate information rests on two foundations:

-For a given plaintext block M and secret key K, the function C produces exactly one MAC.
-Only the legitimate sender and receiver know the key K.

There are two techniques for producing a MAC: the first uses a block cipher mechanism (Cipher Block Chaining) and is called CMAC or CBC-MAC. The second is based on secure hash functions and is called HMAC.
A MAC is used in cases where the information only needs authenticity and does not need confidentiality.
3-Using secure hash functions. Like a MAC, a hash function also produces a short block of fixed length, called the hash code, from a plaintext block of arbitrary length. Unlike a MAC, however, a hash function relies only on the plaintext to produce the hash code and uses no secret key. Therefore, to serve as a message authentication mechanism, a hash function must be used together with some encryption algorithm (symmetric or asymmetric).
Figure 2.26 shows a typical application of a hash function in message authentication. In this scheme, the hash code is encrypted with a symmetric encryption algorithm under a secret key K known only to the sender and the receiver. The encrypted hash code is sent along with the plaintext, and verification at the receiver proceeds in the reverse order: decrypt the hash code with the secret key, then compute a new hash code from the plaintext and compare the two hash codes.

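There are many ways of applying encryption algorithms to a hash function in order to authenticate information: using symmetric or asymmetric encryption, encrypting only the hash code or encrypting both the plaintext and the hash code, or even combining several of these approaches.

Figure 2.26: Message authentication using a hash function (the sender appends the encrypted hash code to the message; the receiver decrypts it, recomputes the hash code and compares)
M: plaintext
H: hash function
E: encryption algorithm
D: decryption algorithm
K: secret key shared by the sender and the receiver
| |: appending the encrypted hash code to the plaintext

Besides message authentication, hash functions are used in many other applications. The next section presents secure hash functions in more detail.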
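
The difference between methods 2 and 3 above, shown on a constructed message: an unkeyed hash code appended to the message versus a MAC computed with the shared key K. This is an added example, not code from the original notes; the function names and the sample message and key are constructed here, and HMAC-SHA-256 stands in for the function C of Figure 2.25.

```python
# Added example: why a hash code alone does not authenticate a message,
# and how a MAC under a shared key K does.
import hashlib
import hmac

CODE_LEN = hashlib.sha256().digest_size      # 32 bytes appended to the message

def protect_with_hash(message):
    """M || H(M): an unkeyed hash code appended to the message."""
    return message + hashlib.sha256(message).digest()

def protect_with_mac(message, key):
    """M || C(K, M): a MAC appended to the message, as in Figure 2.25."""
    return message + hmac.new(key, message, hashlib.sha256).digest()

def split(packet):
    """Separate the message from the fixed-length code at its end."""
    return packet[:-CODE_LEN], packet[-CODE_LEN:]

def verify_hash(packet):
    """Receiver recomputes H(M) and compares it with the attached hash code."""
    message, code = split(packet)
    return hmac.compare_digest(hashlib.sha256(message).digest(), code)

def verify_mac(packet, key):
    """Receiver recomputes the MAC with K and compares in constant time."""
    message, code = split(packet)
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, code)

def run_demo():
    key = b"constructed shared secret K"
    original = b"PAY 100 TO ACCOUNT 1111"     # constructed sample message
    altered = b"PAY 900 TO ACCOUNT 2222"

    results = {}
    # Genuine packets verify under both schemes.
    results["hash_genuine"] = verify_hash(protect_with_hash(original))
    results["mac_genuine"] = verify_mac(protect_with_mac(original, key), key)

    # A change in transit by a party that does not know K:
    # the unkeyed hash can simply be recomputed over the altered message ...
    results["hash_altered_recomputed"] = verify_hash(protect_with_hash(altered))
    # ... but neither the old MAC nor a recomputed unkeyed hash passes as a MAC.
    _, old_mac = split(protect_with_mac(original, key))
    results["mac_altered_old_code"] = verify_mac(altered + old_mac, key)
    results["mac_altered_hash_as_code"] = verify_mac(protect_with_hash(altered), key)
    return results

if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print("%-26s accepted=%s" % (name, accepted))
```

The altered message with a recomputed hash is accepted, which is why the notes require the hash code to be combined with a key or an encryption step.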

II.4.2 Secure hash functions:
Secure hash functions, or hash functions for short, are one of the basic techniques for implementing message authentication mechanisms. Hash functions are also used in many encryption algorithms, in digital signatures and in many other applications.
The principle of a hash function is to transform a plaintext block of arbitrary length into a shorter piece of information of fixed length, called the hash code (or message digest). The hash code is used to check the correctness of the information received. Normally the hash code is sent along with the plaintext. At the receiver, the hash function is applied again to the plaintext to obtain a new hash code, which is compared with the hash code that came with the plaintext. If the two hash codes are identical, the information sent was not changed.
A hash function can only be used to compute the hash code from the plaintext; the plaintext cannot be computed from the hash code. Because of this property, secure hash functions are also called one-way hash functions.
Figure 2.27 describes the operating principle of a message authentication scheme that uses a simple hash function.
The requirements for a secure hash function H are:

-H can be applied to a block of information of any length.
-The result of H always has a fixed length.
-Computing H(x) for a given x must be simple and feasible in both hardware and software.
-Given a block x, it is infeasible to find a block y different from x such that H(y) = H(x). This property is called weak collision resistance.
-It is infeasible to find two different blocks x and y such that H(x) = H(y). This property is called strong collision resistance.
-Given a value h, it is infeasible to find a value x such that H(x) = h. This is called the one-way property of the hash function.

Figure 2.27: A typical application of a hash function (the hash code H of the plaintext is sent with the plaintext; the receiver recomputes the hash code and compares)


-Attacks on hash functions: a hash function works by representing a large block of information by a much smaller piece of information called the hash code. In the ideal case these representations are 1:1 mappings, i.e. no two different blocks ever produce the same hash code. When 2 different blocks produce the same hash code, the hash algorithm is said to have a collision. The goal of an attack on a secure hash function is to create such collisions.
The probability that two blocks have the same hash code depends on the size of the hash code, i.e. on the number of possible hash codes. The smaller this size, the more likely a collision, and hence the higher the probability of a successful attack. The Birthday problem (*) shows that with a hash code of n bits, about 2^(n/2) blocks need to be processed for the probability of a collision to be 50%. This principle is commonly used to attack applications that use hash functions; such attacks are called Birthday attacks.
In general, the security of a hash function depends on the size of its output.
The following section introduces some common hash algorithms that are often used in message authentication.
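
The dependence of collision resistance on the output size, measured on SHA-256 truncated to n bits. This is an added example, not code from the original notes; the function names and the constructed input messages are assumptions made here.

```python
# Added example: the birthday bound on a deliberately shortened hash code.
import hashlib

def truncated_hash(data, bits):
    """The first `bits` bits of SHA-256(data), as an integer."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)

def find_collision(bits, limit=1 << 20):
    """Hash constructed messages until two share the same n-bit hash code.

    Returns (first_message, second_message, number_of_messages_hashed),
    or None if no collision shows up within `limit` messages.
    """
    seen = {}
    for counter in range(limit):
        message = b"message-%d" % counter
        code = truncated_hash(message, bits)
        if code in seen:
            return seen[code], message, counter + 1
        seen[code] = message
    return None

def collision_probability(outcomes, samples):
    """Exact probability that `samples` uniform draws from `outcomes`
    possible values contain at least one repeated value."""
    p_all_distinct = 1.0
    for i in range(samples):
        p_all_distinct *= 1 - i / outcomes
    return 1 - p_all_distinct

if __name__ == "__main__":
    # The classical birthday problem: 365 days, 23 people.
    print("23 people: %.4f" % collision_probability(365, 23))
    for bits in (16, 24, 32):
        first, second, hashed = find_collision(bits)
        print("n=%2d: collision after %6d messages (2^(n/2) = %d)"
              % (bits, hashed, 1 << (bits // 2)))
    # Probability at exactly 2^(n/2) samples is about 0.39; 50% is reached
    # near 1.18 * 2^(n/2), the same order of magnitude.
    print("n=24, 2^12 samples: %.3f" % collision_probability(2 ** 24, 2 ** 12))
```

Each extra bit of output multiplies the work by about 1.41, so a 160-bit hash code needs on the order of 2^80 messages where the 24-bit one needs a few thousand.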

(*) Birthday problem: in a room with n people, what is the smallest n for which at least 2 people share a birthday (within the year)? Probability theory gives n = 23. This problem is extended to hash functions.

II.4.3 The SHA hash algorithm:

SHA (Secure Hash Function) was standardized in 1993, then revised in 1995 and named SHA-1; from then on the old version was called SHA-0.
SHA-1 produces a hash code with a fixed length of 160 bits. Later there were several upgrades to SHA, mainly increasing the length of the hash code, which produced the different versions of SHA, including SHA-256 (256-bit hash code), SHA-384 (384-bit hash code) and SHA-512 (512-bit hash code).
Table 2.2 summarizes the parameters of the SHA versions.
Table 2.2: SHA versions

Parameter              | SHA-1  | SHA-256 | SHA-384 | SHA-512
Hash code size (bits)  | 160    | 256     | 384     | 512
Message size (bits)    | < 2^64 | < 2^64  | < 2^128 | < 2^128
Block size (bits)      | 512    | 512     | 1024    | 1024
Word length (bits)     | 32     | 32      | 64      | 64
Number of steps        | 80     | 64      | 80      | 80

This section describes only the SHA-1 hash algorithm; the other versions of SHA are designed on a similar principle.
SHA-1 accepts messages of at most 2^64 bits and produces a hash code with a fixed length of 160 bits. The whole message is processed in blocks of 512 bits, in 5 stages as follows:
1-Append padding bits: padding bits are appended to the message so that its length is (448 modulo 512) bits, i.e. all the preceding blocks have the same length of 512 bits and only the last block is 448 bits long. Note that padding bits are always added to the message, even when its length is already exactly 448 mod 512 (in that case the padding is 512 bits long).
2-Append length: a 64-bit string is appended to the message. These 64 bits are treated as an unsigned integer that gives the length of the original message (i.e. the true length before stage 1 was carried out).
After this stage, the message has a length that is a multiple of 512 bits and is divided into groups, each corresponding to 16 32-bit registers (16*32 = 512 bits).
3-Initialize MD buffer: the MD (message digest) buffer is a memory of 160 bits that holds the intermediate results and the final result of the hash code. It is organized as 5 32-bit registers, initialized with the following values (hex):
A = 67452301
B = EFCDAB89
C = 98BADCFE
D = 10325476
E = C3D2E1F0

4-Process message in 512-bit blocks: this is the central stage of the hash function, also called the compression function (compress function). It consists of 4 rounds of 20 steps each. Figure 2.28 shows the block diagram of stage 4.
The 4 rounds have a similar structure, but each round uses a different logical function: f1, f2, f3 and f4.
The input of each round is the block Y (512 bits) being processed, together with the value of the MD buffer. Each round uses a different additive constant Kt, where 0 ≤ t ≤ 79 denotes the 80 steps of the 4 rounds. In practice, however, there are only 4 different values of K, as follows:

Figure 2.28: Message processing in SHA-1 (the 512-bit block Yq and the 160-bit value CVq, held in 32-bit registers starting with A, pass through four rounds of 20 steps each: f1, K, W[0...19]; f2, K, W[20...39]; f3, K, W[40...59]; f4, K, W[60...79]; the result is the 160-bit value CVq+1)

Step     | Value of K (hex)
0 to 19  | Kt = 5A827999
20 to 39 | Kt = 6ED9EBA1
40 to 59 | Kt = 8F1BBCDC
60 to 79 | Kt = CA62C1D6

The output of the fourth round (i.e. step 80) is added to the input of the first round to produce CVq+1. The addition is performed independently for each register of the MD buffer with the corresponding word of CVq, using addition modulo 2^32.
5-Output: after all the 512-bit blocks have been processed, the output of the last step is the value of the hash code.
An important property of the SHA-1 hash algorithm is that every bit of the hash code depends on every bit of the message. Repeating the functions f in such a complex way is intended to ensure that the data is mixed thoroughly, so that it is very hard to find 2 different messages that produce the same hash code.
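
The five stages above as a working SHA-1, including the padding case where the message is already 448 bits long. This is an added example, not code from the original notes; the function names are chosen here, and the logical functions f1 to f4 and the expansion of each block into the words W[0..79] are taken from the SHA-1 standard, since the notes name them without defining them.

```python
# Added example: SHA-1 following the five stages in the notes.
import struct

H0 = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)  # A..E
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)   # one constant per round
MASK = 0xFFFFFFFF                                       # addition modulo 2^32

def rotl(x, n):
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK

def pad(message):
    """Stages 1 and 2: append padding bits, then the 64-bit message length."""
    bit_length = len(message) * 8
    padded = message + b"\x80"                           # a single 1 bit, then 0s
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)   # up to 448 mod 512 bits
    return padded + struct.pack(">Q", bit_length)        # unsigned 64-bit length

def compress(cv, block):
    """Stage 4: process one 512-bit block; returns the next chaining value."""
    w = list(struct.unpack(">16I", block))               # 16 words of 32 bits
    for t in range(16, 80):                              # expand to W[0..79]
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = cv
    for t in range(80):                                  # 4 rounds of 20 steps
        if t < 20:
            f = (b & c) | (~b & d)                       # f1
        elif t < 40:
            f = b ^ c ^ d                                # f2
        elif t < 60:
            f = (b & c) | (b & d) | (c & d)              # f3
        else:
            f = b ^ c ^ d                                # f4
        temp = (rotl(a, 5) + (f & MASK) + e + K[t // 20] + w[t]) & MASK
        a, b, c, d, e = temp, a, rotl(b, 30), c, d
    # Output of step 80 is added word by word to the input of the first round.
    return tuple((x + y) & MASK for x, y in zip(cv, (a, b, c, d, e)))

def sha1(message):
    """Stages 3 and 5: initialise the MD buffer, chain all blocks, output."""
    cv = H0
    padded = pad(message)
    for offset in range(0, len(padded), 64):
        cv = compress(cv, padded[offset:offset + 64])
    return "".join("%08x" % word for word in cv)

if __name__ == "__main__":
    print("sha1(abc) =", sha1(b"abc"))
    for length in (55, 56, 64):                          # 56 bytes = 448 bits
        print("message of %d bytes pads to %d bytes"
              % (length, len(pad(b"a" * length))))
```

A 56-byte message is already 448 bits long, so it receives a full 512 bits of padding and a second block, as stage 1 states.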

II.4.4 The MD5 hash algorithm:

MD5 is a message authentication algorithm that has been widely used in the Internet community, in particular to check the integrity of open-source software distributed over the network. It was designed by Ron Rivest and is standardized in RFC 1321. MD5 can process messages of unlimited length and produces a 128-bit hash. The original message is likewise processed in 512-bit blocks. Table 2.3 compares the parameters of SHA-1 and MD5.
Table 2.3: Comparison of MD5 and SHA-1

Parameter                            MD5          SHA-1
Hash size (bits)                     128          160
Block size (bits)                    512          512
Number of steps                      64           80
Original message size (bits)         Unlimited    < 2^64
Number of logical functions

With a 128-bit hash, finding two messages with the same hash value is no longer infeasible for today's processors. The security of MD5 is therefore seriously threatened, and in the near future its popularity is likely to decline as it is replaced by another authentication algorithm.

II.5 DIGITAL SIGNATURES
II.5.1 How digital signatures work:
A digital signature is an authentication mechanism that lets the creator of a message (message creator) attach a special code to the message that acts as a signature. The signature is created by applying a hash function to the original message and then encrypting the original message with the sender's private key. The purpose of a digital signature is to guarantee the integrity of both the origin and the content of the message.
Why use digital signatures when message authentication mechanisms already authenticate the origin of a message? Message authentication mechanisms that use one-way hash functions protect the information exchanged between two entities against interference by a third entity, but they do nothing to prevent interference by the two entities themselves. For example:
Entity A sends a message X to entity B using some authentication mechanism which guarantees that only A and B share a secret key K used to produce authentication codes from the original message. However, entity B can change message X into a message Y and, with the secret key K, B is fully able to produce new authentication data to attach to Y, making it a valid message even though it is not in fact a message created by entity A.
As another example, entity A can deny having sent message X to entity B, because with the authentication mechanisms above entity B is fully capable of forging information that appears to come from entity A.
Like an ordinary (handwritten) signature, a digital signature must have all of the following properties:

- It must accurately identify the signer and the date and time at which the signature was produced.
- It must authenticate the content of the message at the moment the signature was produced.
- It must be verifiable by a third party in order to resolve disputes, if any.

The function of a digital signature therefore includes the function of message authentication.

Requirements for a digital signature:
- It is a bit string derived from the message to be certified (the original message).
- The signature must contain information that uniquely identifies the signer, to prevent forgery and repudiation.
- The procedures for creating and for verifying the signature must be simple and fast.
- The signature must not be forgeable by any means.
- It must be possible to keep a copy of the signature for archival purposes.

-Classification of digital signatures: there are many different algorithms for generating digital signatures. They can be classified as follows:

- Deterministic and probabilistic signatures: a deterministic signature algorithm produces a single signature for a given original message, meaning that running the signing algorithm several times on the same message always gives the same result. A probabilistic signature, by contrast, produces different signatures for the same message.
- Reversible and non-reversible signatures: a reversible signature mechanism allows the receiver to recover the original message from the signature. This also means that the signature must contain the original message in some encrypted form, and as a result the digital signature is larger than the original message. In this case the sender only needs to send the signature. This mechanism is therefore also called a signature with message recovery. A non-reversible signature mechanism, by contrast, does not allow the original message to be recovered from the signature, so the signature is just an additional block of information that is smaller than the original message. The sender must send the signature together with the original message as a kind of appendix, so this mechanism is also called a signature with appendix.
-Methods of implementing digital signatures: there are two methods, direct signature and arbitrated signature.

- Direct signature: this method assumes that the receiver knows the sender's public key. The signature can then be created by encrypting the entire message with the private key of the message creator, or by encrypting only the hash (the result of applying the hash function to the original message) with the private key of the message creator.

[Diagram with two panels, each showing the message creator's side and the message receiver's side:
a- Direct signature created by encrypting the entire original message: E(M, PRa)
b- Direct signature created by encrypting the hash of the original message: E(H(M), PRa), with a comparison on the receiving side]
M: original message
H: hash function
PRa: secret key of the signer
E: encryption algorithm
D: decryption algorithm
||: concatenation of the hash with the original message
PUa: public key of the signer

Figure 2.29: Direct signature

To achieve confidentiality, the original message together with the signature just created is encrypted using the public key of the entity receiving the signature (when asymmetric cryptography is used) or using a secret key (when symmetric cryptography is used).
An obvious weakness of the direct signature method is that the security of the signature depends heavily on the private key of the signer. If this private key is lost or disclosed, the digital signature loses its meaning.

- Arbitrated signature: this solution was designed to overcome the weakness of the direct signature. When entity A wants to send a message to entity B, the signature is created as usual, in the same way as a direct signature. However, before the message is delivered to B, it must be sent to a third entity called the arbiter. The arbiter checks and confirms the correctness of the message and the signature, records the date and time, and only then sends it to entity B together with the arbiter's confirmation. The presence of the arbiter in the procedure guarantees that entity A cannot deny the message it sent.

Let X be the entity that creates the message, Y the entity that receives it, A the arbiter, H a secure hash function and E the encryption algorithm. The arbitrated signature is then created as follows:
-Case 1: symmetric cryptography is used and the arbiter can read the content of the message that X sends to Y:
Step 1:  X → A: M + E([IDX + H(M)], Kxa)
Step 2:  A → Y: E([IDX + M + E([IDX + H(M)], Kxa) + T], Kay)

where M is the original message that X sends to Y, Kxa is the secret key shared by X and A, Kay is the secret key shared by Y and A, IDX is the identifier of entity X and T is the time at which the signature is created.
-Case 2: symmetric cryptography is used and the arbiter cannot read the content of the message that X sends to Y:
Step 1:  X → A: IDX + E(M, Kxy) + E([IDX + H(E(M, Kxy))], Kxa)
Step 2:  A → Y: E([IDX + E(M, Kxy)], Kay) + E([IDX + H(E(M, Kxy)) + T], Kxa)

where Kxy is the secret key shared by X and Y.

-Case 3: asymmetric cryptography is used and the arbiter cannot read the content of the message that X sends to Y:
Step 1:  X → A: IDX + E([IDX + E(E(M, PRx), PUy)], PRx)
Step 2:  A → Y: E([IDX + E(E(M, PRx), PUy) + T], PRa)

where PRx is the private key of X, PUy is the public key of Y and PRa is the private key of A.

II.5.2 The DSS signature standard:

DSS (Digital Signature Standard) is a standard for digital signatures, standardized in 1991, revised in 1993 and 1996 and then extended in 2000. DSS uses the SHA hash function and the signature algorithm DSA (Digital Signature Algorithm). DSS is a probabilistic, non-reversible signature.
Figure 2.30 compares the structure of DSS with message authentication based on the RSA asymmetric cipher.
In message authentication with RSA, the original message is fed into the SHA hash function to produce a fixed-size hash (the message digest). This hash is then encrypted (with the RSA algorithm) using the private key of the entity that created the message (the sender). The result of the encryption is attached to the original message and sent. The receiver takes the received data, separates the hash from the original message and decrypts it with the sender's public key. Note that the public key is information published widely to any interested entity. At the same time, the original message is fed into the hash function to compute a hash, which is compared with the hash just recovered. If the two are identical, the received message is accepted as valid.
DSS also feeds the original message into a hash function to produce a fixed-size hash. However, this hash is not encrypted directly with an encryption algorithm; it is used as an input to a signature function S. The inputs to the signature function are:

- The hash of the original message
- A random number k
- The private key of the signer (PRa)
- The public key of the group of entities involved in the signature transaction (PUG)

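[Diagram with two panels:
a- Message authentication using RSA: blocks M, H, PRa on the sending side; H, PUa and a comparison on the receiving side
b- Using the DSS digital signature: blocks M, H, k, PRa, PUG on the sending side; H, PUa, PUG, the verification function V and a comparison on the receiving side]

Figure 2.30: Message authentication using RSA and using the DSS digital signature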


The result of the signature function consists of two components, named r and s. Both are sent together with the original message.
On the receiving side, the original message is separated out and fed into the hash function. The hash is then fed into the verification function V together with the public key of the group (PUG) and the public key of the sender (PUa). If the result of the verification function equals the component r of the signature, the message is considered authentic.
Figure 2.31 describes signature generation and signature verification with DSS.
Note that the component r of the signature does not depend on the original message; it depends only on the random number k and on the 3 components of the group public key (PUG), namely p, q and g. Therefore, to reduce the computational cost of each signature, the user can generate the value r once and use that value for multiple signatures on different original messages.
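[Diagram with two panels: a- Signature generation and b- Signature verification. Labelled blocks: f1, f2, f3, f4 and H; labelled signals: p, q, M, x, r, s, v; a comparison at the output of the verification side.]

Figure 2.31: Signature generation and verification with DSS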

-The signature algorithm DSA (Digital Signature Algorithm):

DSA is the core component of the DSS digital signature. It creates the signature from the hash of the original message, the private key of the signer, the public key of the group and a random number k. DSA is built on the discrete logarithm problem and is summarized as follows:
-Public key components:
p: a prime number satisfying 2^(L-1) < p < 2^L, with 512 < L < 1024 and L a multiple of 64.
q: a prime divisor of (p - 1) satisfying 2^159 < q < 2^160 (q is 160 bits long).
g: an integer with value g = h^((p-1)/q) mod p, where h is an integer satisfying 1 < h < p - 1 and h^((p-1)/q) mod p > 1.
-User's private key:
x: a random integer greater than 0 and less than q.
-User's public key:
y: an integer with value y = g^x mod p.
-Per-message secret number:
k: a randomly chosen integer with 0 < k < q.
-Signature generation:
r = (g^k mod p) mod q
s = [k^-1 (H(M) + xr)] mod q
-Signature verification:
w = (s')^-1 mod q
u1 = [H(M')w] mod q
u2 = (r')w mod q
v = [(g^u1 y^u2) mod p] mod q
Note: s', r', M' are the values of s, r and M as received at the receiving side.
Given the complexity of the discrete logarithm problem, it is very hard to determine k from r, or to determine x from s.
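The DSA steps listed above, written out as a runnable Python sketch. This is an added example, not code from the original notes; the helper names, the Miller-Rabin parameter search, the choice L = 576 and the sample messages are assumptions of the example. It separates the message-independent work (k, k^-1, r) from the message-dependent part (s), and it draws a fresh k for every signature, because two signatures made with the same k (and hence the same r) expose the private key x.

```python
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=40):
    """Miller-Rabin test (helper assumed by this example, not from the page)."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_group(L=576, N=160):
    """Public components: primes p and q with q | (p - 1), and g of order q.
    Sizes follow the ranges given above; they are far too small for current use."""
    while True:
        q = secrets.randbits(N) | (1 << (N - 1)) | 1          # 2^159 < q < 2^160
        if is_probable_prime(q):
            break
    while True:
        m = (secrets.randbits(L - N) | (1 << (L - N - 1))) & ~1   # even cofactor
        p = q * m + 1
        if p.bit_length() == L and is_probable_prime(p):      # 2^(L-1) < p < 2^L
            break
    while True:
        h = secrets.randbelow(p - 3) + 2                      # 1 < h < p - 1
        g = pow(h, (p - 1) // q, p)
        if g > 1:
            return p, q, g


def H(message):
    """H(M): SHA-1 digest read as an integer."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def keygen(p, q, g):
    x = secrets.randbelow(q - 1) + 1                          # private key, 0 < x < q
    return x, pow(g, x, p)                                    # public key y = g^x mod p


def precompute(p, q, g):
    """Message-independent work: pick a fresh k, return (k^-1 mod q, r)."""
    while True:
        k = secrets.randbelow(q - 1) + 1                      # 0 < k < q, used once
        r = pow(g, k, p) % q
        if r:
            return pow(k, -1, q), r


def sign(message, x, p, q, g, pre=None):
    """Return (r, s); 'pre' may carry one unused result of precompute()."""
    while True:
        k_inv, r = pre or precompute(p, q, g)
        s = (k_inv * (H(message) + x * r)) % q
        if s:
            return r, s
        pre = None                                            # s == 0: retry with a new k


def verify(message, signature, y, p, q, g):
    """Recompute v from the received M', r', s' and compare it with r'."""
    r, s = signature
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1 = (H(message) * w) % q
    u2 = (r * w) % q
    v = (pow(g, u1, p) * pow(y, u2, p)) % p % q
    return v == r


if __name__ == "__main__":
    p, q, g = generate_group()
    x, y = keygen(p, q, g)
    sig = sign(b"pay 100 to B", x, p, q, g)                   # constructed sample message
    print(verify(b"pay 100 to B", sig, y, p, q, g))
    print(verify(b"pay 900 to B", sig, y, p, q, g))
```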

II.6 KEY MANAGEMENT

II.6.1 Managing public keys in asymmetric cryptography:
In asymmetric cryptography, each entity manages its own private key and never needs to share it with anyone. But what mechanism should be used to distribute public keys securely and efficiently?
The mechanisms that can be used to distribute public keys include:
-Public announcement on public forums: users do this by posting announcements containing their public key to websites or public forums on the Internet. This method is simple, but its weakness is that keys are easily forged. A person A can publish his own public key while claiming that it is the key of person B; in this way A can read confidential information that others send to B.
-Public key directory: with such a directory, users who want to publish their key must register with the directory publisher, and to prevent forgery the publisher must apply some secure vetting mechanism to registrants.
This method is more secure than having each individual publish his own key. However, forgery is still possible if the publisher's secret key is disclosed: an attacker can then alter the information that users have registered in the directory.
-Public-key certificate: the public directory method has another weakness, namely that every user who needs the public key of someone he wants to communicate with must contact the publisher to obtain it. This puts the publisher at risk of overload at any time and, moreover, makes it the bottleneck of network transactions.
The public-key certificate (or simply certificate, or key certificate) is a mechanism for distributing public keys in which each entity distributes its own key by any means while the authenticity of the key is still guaranteed.
A public-key certificate is a combination of the public key of an entity, the identity of that entity and a confirming digital signature from a third entity. This third entity is an organization trusted by the community (for example a government agency or a financial institution). The characteristics of this mechanism are:

- Any entity can read a certificate to learn the public key and identify the owner of that key.
- Any entity can verify that the information in a certificate is correct, thanks to the signature of a trusted third entity.
- Only the certifier (Certificate Authority, or CA) has the right to create and update certificates.

Certificates are created and distributed as follows (Figure 2.32):
-To obtain a certificate for itself, entity A sends a request to the certificate authority (CA); the request contains A's public key (PUA). To prevent impersonation of the CA, certificate requests from end entities must be sent to the CA over a secure channel on which strict authentication mechanisms are applied.
-The CA creates the certificate for A by encrypting, with the CA's private key (PRCA), a block of information consisting of the identity of entity A (IDA), the public key of A (PUA) and the time at which the certificate is issued.

[Diagram: entity A sends PUA to the CA over a secure channel and receives C_A = E([Time + IDA + PUA], PRCA); entity B sends PUB to the CA over a secure channel and receives C_B = E([Time + IDB + PUB], PRCA); A and B then exchange (1) C_A and (2) C_B.]
C_A: certificate of entity A
C_B: certificate of entity B
PUA: public key of entity A
PUB: public key of entity B
IDA: identity of entity A
IDB: identity of entity B
PRCA: private key of the CA
Time: time at which the certificate is created

Figure 2.32: Public key management using certificates
Entity A has thus obtained a certificate for itself (C_A).
In the same way, entity B asks the CA to issue a certificate for it (C_B).
To start exchanging information using asymmetric cryptography, entities A and B exchange their certificates so that each obtains the public key of the other.
By relying on a trusted third entity as an intermediary to create certificates, public keys can be distributed securely without being forged.
One of the most widely used mechanisms for creating public-key certificates is the X.509 standard. It is used in many security services and protocols such as IPSec, SSL, S/MIME, SET, ...

II.6.2 Using asymmetric cryptography to exchange a secret key:

In symmetric cryptography, both communicating entities must share one secret key. The question is how to exchange this secret key between the two entities.
The Diffie-Hellman key exchange algorithm, presented in the section on asymmetric encryption, is a secure algorithm that allows two entities to exchange a secret key without a third entity being able to steal it. However, the limitation of Diffie-Hellman is that it provides no authentication: an entity cannot be certain that the key it received really belongs to the entity it intends to communicate with. In practice, therefore, Diffie-Hellman is usually combined with a peer authentication mechanism.
[Diagram: messages exchanged between initiator A and responder B:
(1) E([N1 + IDA], PUB)
(2) E([N1 + N2], PUA)
(3) E(N2, PUB)
(4) E(E(K, PRA), PUB)]

Figure 2.33: Using asymmetric cryptography to exchange a key


Using public keys to exchange the secret key of a symmetric cipher is an effective way to solve the problem above. An entity A (the initiator) that wants to exchange a secret key with an entity B (the responder) can carry out the following key exchange procedure:
(1)-A uses B's public key (PUB) to encrypt a message containing A's identity (IDA) and a random value N1 (nonce) that identifies the current transaction.
A → B: E([N1 + IDA], PUB)
(2)-B sends back to A a message containing a random value N2 generated by B, together with the number N1 received from A. The whole message is encrypted using A's public key (PUA).
B → A: E([N1 + N2], PUA)
(3)-A in turn sends back to B a message containing the value N2, encrypted with B's public key (PUB).
A → B: E(N2, PUB)
(4)-A chooses the secret key K for the symmetric encryption that is about to take place, encrypts it with A's own private key (PRA), encrypts it once more with B's public key (PUB) and sends it to B. At this point B has securely received the secret key that A generated.
A → B: E(E(K, PRA), PUB)

II.6.3 Public key infrastructure:

A public key infrastructure (PKI) is an infrastructure consisting of the hardware, software, policies, procedures and people needed to create, manage, store and distribute certificates for the purpose of distributing the public keys of communicating entities.
The role of the PKI in a system is to manage certificates securely and deliver them to users as efficiently as possible.

[Diagram: the "PKI users" area contains the End Entity; the "PKI management" area contains the RA, CA-1, CA-2 and the CRL Issuer; a Certificate/CRL repository sits between them. Labelled flows: certificate/CRL retrieval by the end entity; certificate distribution; certificate/CRL distribution; CRL distribution; registration, initialization, certification, key recovery, key update and revocation request between the end entity and the RA/CA; cross-certification between CA-1 and CA-2; out-of-band key distribution.]

Figure 2.34: PKI architecture

The goal of a PKI is to provide an interoperable working environment in which devices and software from many different vendors can share a common certificate structure.
-Components of a PKI:

- End Entity: a user, a piece of software or a device that takes part in exchanging information using public-key encryption. Each entity has its own key pair; the public key is distributed by the PKI in the form of certificates, while the secret key is managed by the entity itself.
- Certificate Authority (CA): the entity that creates certificates. The CA creates a certificate from the public key that an end entity has authorized it to distribute, together with the CA's own digital signature. The CA must therefore be a trusted entity; otherwise its signature would be meaningless.
- Registration Authority (RA): an optional component of the PKI that handles some management tasks in order to reduce the load on the CA, such as registering end entities, verifying end entities, generating public-private key pairs, ...
- Repository: the store that holds certificates and supplies them to end entities on request. End entities can retrieve certificates from the PKI in several ways: through the LDAP (X.500) directory service, through FTP or HTTP, ...
- Certificate revocation list (CRL) Issuer: once a certificate has been created and distributed, this does not mean that it exists forever. After a certain period of time, or at the request of the end entity, a certificate can be revoked. The CRL is the list of revoked certificates; it is created by the CA or delegated to a CRL issuer. The CRL issuer is therefore also an optional component of the PKI.

-Management functions of a PKI:

- Registration: the procedure an end entity must carry out to join the PKI for the first time.
- Initialization: initializing the end entity's information at the CA and generating the public-private key pair for the end entity.
- Certification: the CA creates a certificate for the end entity, corresponding to the public key generated in the initialization phase or supplied by the end entity.
- Key-pair recovery: allows a previous key to be recovered. This procedure is typically used when an encryption key has become inaccessible for some reason. To recover data that has been encrypted, this procedure is needed to get the key back.
- Key-pair update: every certificate is created with a fixed lifetime, after which the certificate is revoked. The key-pair update procedure extends the lifetime of a certificate, allowing it to continue to exist after its validity period ends.
- Revocation request: a request to revoke a certificate for some reason, for example because the private key has been disclosed. This procedure allows an end entity to request the revocation of a certificate that has not yet expired.

The typical steps taken when an entity A wants to send a message to an entity B in a PKI environment can be summarized as follows:
-Entity A applies the hash function to the message to produce a hash. The hash is then encrypted with the private key PRA of entity A to produce the signature of entity A.
-Using the public key of the CA, entity A asks the CA to supply the public key of entity B (PUB).
-Entity A encrypts the message with the public key PUB of entity B just obtained from the CA, attaches its signature to the encrypted message and sends it to B.
-Entity B decrypts the received information with its own private key (PRB) and applies the hash function to this message to produce a hash.
-Entity B decrypts the signature of entity A with the public key of entity A (PUA) and compares the result with the hash produced in the previous step. If the two are identical, the received message is considered valid.

Chapter summary:
-Cryptography is the most basic mechanism used to protect information exchanged between information systems (usually over a computer network). Cryptographic techniques protect 2 properties of the CIA model: the Confidentiality and the Integrity of information.
-Modern cryptography is divided into 2 types: symmetric key encryption and asymmetric key encryption.
-Symmetric cryptography (also called conventional cryptography) uses a single key for both encryption and decryption. This key is kept secret and is known only to the entities taking part in the communication. Conventional cryptography is based mainly on bit-level operations (such as shift, rotate, XOR, ...), so it is well suited to hardware implementation and encrypts at high speed. Common symmetric algorithms include DES, Blowfish, IDEA, AES, ...
-Asymmetric cryptography (also called public-key cryptography) uses 2 different keys for encryption and decryption. One of the two keys is the public key, which is published openly so that any entity can access it; the other is the private key, which is kept secret and known only to the owner of the key. Public-key encryption is based mainly on mathematical functions, so it is suited to software implementation and encrypts at low speed. RSA is the most popular asymmetric algorithm today.
-Public-key cryptography has many different applications, such as data encryption, digital signatures, exchange of secret keys for symmetric ciphers, ...
-A secure hash function is a mechanism used in message authentication. The principle of a hash function is to transform the original message into a fixed-size check value called the hash, which is sent together with the original message. At the receiving end, the received message is likewise fed into the hash function to produce a check value. If the check value just produced equals the value attached by the sender, the message is considered authentic. Hash functions are used in message authentication algorithms, in digital signatures and as components of some cryptographic algorithms.
-A digital signature is a technique used to identify an entity together with the information that entity created. The most basic application of digital signatures is to certify information and guarantee its non-repudiation. Signature algorithms can be classified in several ways: reversible and non-reversible signatures, deterministic and probabilistic signatures. The two methods of implementing digital signatures are direct signature and arbitrated signature. The DSS digital signature standard uses the DSA algorithm and creates digital signatures based on secure hash functions (SHA) and public-key cryptography (RSA).
-Public-key encryption is only advantageous when there is a mechanism for distributing public keys securely and efficiently to the entities in the system. The public-key certificate is an effective mechanism for doing this. Each certificate contains the identity of the end entity, the public key of the end entity and a confirmation (by digital signature) from a third entity. A system that provides the mechanisms to create and manage certificates is called a public key infrastructure (PKI).

QUESTIONS AND EXERCISES.
A- Multiple-choice questions.
Question 1. The function of encrypting information:
a- Protecting the integrity of information.
b- Protecting the confidentiality of information.
c- Protecting the availability of information.
d- Protecting the non-repudiation of information.
Question 2. The threats to a cryptographic system:
a- Attack by searching for the secret key (brute force attack).
b- Attack by cryptanalysis.
c- Denial-of-service attack.
d- Both a and b.
Question 3. A conventional encryption system uses a 128-bit key. With a brute force attack, how many attempts are needed on average, and how much time is required if the processing speed is one billion attempts per second?
a- 2^128 attempts; the time required is 5.4 * 10^18 years.
b- 2^64 attempts; the time required is 5.4 * 10^18 years.
c- 2^127 attempts; the time required is 5.4 * 10^18 years.
d- 2^128 attempts; the time required is 18 years.
Question 4. Mechanisms for exchanging the secret key in symmetric encryption?
a- A and B exchange the key by e-mail.
b- A and B exchange the key by a physical medium.
c- A sends the secret key to a third entity by e-mail, and this third entity forwards the key to B, also by e-mail.
d- Any one of the 3 ways above is acceptable.
Question 5. Choose the correct statement about the Feistel cipher structure:
a- Every operation in the structure has a corresponding inverse operation.
b- The Feistel structure is based on bit-level operations, with permutations and substitutions repeated many times.
c- The data block size is arbitrary.
d- The encryption circuit and the decryption circuit have different structures.
Question 6. Choose the correct statement about the DES algorithm:
a- The encryption circuit and the decryption circuit are the same.
b- The S-box is a permutation function that gives the inverse of the IP permutation.
c- The order in which subkeys are generated is the same for encryption and decryption.
d- The PC-1 permutation is performed 16 times during encryption and decryption.
Question 7. Choose the correct statement about the security of DES:
a- DES can only be attacked by brute force.
b- The key supplied to the algorithm is 64 bits, but only 56 bits are actually used.
c- A TDES decryption circuit cannot decrypt information encrypted with DES.
d- All of the above are correct.
Question 8. Choose the correct statement about the AES standard:
a- It is an encryption standard designed to work in parallel with DES.
b- The block size and the key length can be varied.
c- The encryption circuit and the decryption circuit are exactly the same.
d- All of the above are correct.
Question 9. Choose the incorrect statement about the AES standard:
a- The order in which subkeys are generated is exactly the same for encryption and decryption.
b- Every operation in the algorithm has an inverse operation.
c- AES is not based on the Feistel block cipher structure.
d- The Rijndael cipher is AES.
Question 10. A system consists of 10 terminals that communicate with each other using symmetric cryptography. Each terminal uses a different secret key for its connection to each other terminal. How many secret keys are there in the whole system?
a- 10 keys
b- 20 keys
c- 45 keys
d- 90 keys
Question 11. Which encryption algorithm is used in the Kerberos 4 authentication protocol?
a- Blowfish
b- CAST-128
c- TDES
d- DES
Question 12. Applications of asymmetric cryptography:
a- Confidentiality of information
b- Authentication of information
c- Protecting the availability of the system
d- Both a and b
Question 13. Choose the correct statement about the RSA algorithm:
a- RSA is well suited to hardware implementation.
b- RSA uses keys and data blocks of fixed size.
c- Each n-bit block of information fed into RSA is treated as an integer with a value from 0 to 2^n - 1.
d- Information can only be encrypted with the public key; it cannot be encrypted with the secret key.
Question 14. Compare RSA and DES:
a- RSA runs faster in software than DES.
b- RSA is more secure than DES.
c- RSA is based on mathematical functions, whereas DES is based on bit-level operations.
d- The secret key of RSA can be found by analysing the public key, whereas for DES the only way to find the key is to try keys one by one.
Question 15. The Diffie-Hellman key exchange algorithm:
a- Is a form of asymmetric cryptography.
b- Diffie-Hellman does not provide data confidentiality; it is only used to exchange a secret key.
c- Diffie-Hellman can be subjected to a Man-In-The-Middle attack.
d- All of the above are correct.
Question 16. The function of hash functions?
a- To produce a short, fixed-size block of information from a larger original message.
b- To encrypt information.
c- To authenticate the origin of information.
d- To prevent the owner of the information from denying his actions.
Question 17. The properties of a digital signature algorithm:
a- It must accurately identify the signer and the date and time at which the signature was produced.
b- It must authenticate the content of the message at the moment the signature was produced.
c- It must be verifiable by a third party in order to resolve disputes, if any.
d- All of the above.
Question 18. The information needed to create a digital signature:
a- The hash of the information to be certified.
b- The secret key of the signer.
c- The public key of the group.
d- All of the above.
Question 19. What is a certificate?
a- A certification by a trusted entity of the binding between an entity and that entity's public key.
b- A certificate is a form of digital signature.
c- A certificate is an application for distributing secret keys in symmetric cryptography.
d- All of the above are correct.
Question 20. Choose the correct statement about PKI:
a- A PKI creates and manages certificates.
b- Once created, a certificate can be revoked at the request of its owner.
c- The CA is the component of the PKI that creates certificates at the request of users.
d- All of the above are correct.
B- Exercises.
Question 21. Determine bits 1, 16, 33 and 48 at the output of the first round of the DES decryption algorithm, given that the ciphertext consists entirely of 1 bits and the initial key is also a string of 1 bits.
Question 22. Prove that the DES encryption circuit is also the DES decryption circuit.
Question 23. Compare the IP matrix and the PC-1 matrix of DES. What conclusion can be drawn from this comparison?
Question 24. Compute the first 8 words of the expanded key in the AES algorithm, given that the initial key is a string of 128 zero bits.
Question 25. Perform encryption and decryption with the RSA algorithm using the following data:
a- p = 3; q = 11, e = 7; M = 5
b- p = 5; q = 11, e = 3; M = 9
c- p = 7; q = 11, e = 17; M = 8
d- p = 11; q = 13, e = 11; M = 7
e- p = 17; q = 31, e = 7; M = 2
Question 26. Users A and B exchange a key using Diffie-Hellman with p = 71 and g = 7.
a- If A chooses Xa = 5, compute Ya.
b- If B chooses Xb = 12, compute Yb.
c- What is the secret key shared by A and B?
Question 27. Implement the DES encryption algorithm in C.
Question 28. Implement the RSA encryption algorithm in C.
----------

CHAPTER III
SECURITY APPLICATIONS IN INFORMATION SYSTEMS
Introduction:
Cryptographic and message authentication mechanisms are the foundation for building security applications in a system, especially in a network environment. This chapter presents some applications of cryptography and message authentication in building network protocols and services that keep the system secure. The applications presented in this chapter are:
-Authentication protocols
-IPSec (Internet Protocol Security)
-SSL (Secure Sockets Layer)
-SET (Secure Electronic Transaction)

III.1 AUTHENTICATION PROTOCOLS

III.1.1 Passwords:
Among authentication mechanisms, authentication based on something the accessing entity knows (what you know) is the simplest and the most widely used. This information is usually a password, which is associated with an entity and used to authenticate that entity.
A password is usually a string of characters. The password space is the set of all character strings that can occur as a password. Each authentication system has a different password space. The larger the password space, the lower the likelihood of a successful brute force attack on the password.
A password is called complex if it is hard to discover by a dictionary attack.
According to surveys, the most commonly used kinds of password today are:
-The user's name (user-name or account-name) used as the password, or with a few digits added (for example a date of birth, a phone number, ...).
-The logon name used as the password.
-The computer name used as the password.
-Passwords consisting only of digits (taken from a phone number, a date of birth, ...).
-Passwords that are special keywords such as computer, hacker, ...
-A meaningful dictionary word used as the password.
-The name of another person used as the password (usually someone close to the user).
Passwords like these all have very low complexity and are therefore easily disclosed. Authentication systems usually impose a password policy on users. Such policies typically specify the following constraints:
-The minimum length and difficulty of the password; the password must not contain the user-name or logon-name (password complexity).
-The maximum lifetime of a password (password age).
-Old passwords may not be reused (password history).

On the user's side, the general rules for making password authentication more secure are:
-Use many different kinds of characters in the password, in order to enlarge the password space (letters, digits, special symbols, a mix of upper and lower case, ...).
-Do not use passwords that are too short.
-Do not use keywords or meaningful words in the password.
-Change the password regularly.
-Do not write the password down anywhere.
-Do not disclose the password to anyone else, even in the seemingly safest situations.
On authentication servers, user passwords are usually not stored directly in their original form (cleartext) but must be encrypted in some form to keep them safe. In addition, so that passwords are not stolen in transit over the network, many elaborate authentication procedures have been built to ensure that the password is never transmitted directly (in cleartext) over the network.

III.1.2 Authentication in the point-to-point model:

An entity outside the information system that wants to access the system as a subject of the system must supply information that allows the system to authenticate the subject's identity. This information is usually a password, an authentication card, a fingerprint, ... Authenticating an entity consists of taking the information the entity supplies, analysing it and determining whether the information is associated with that entity.
The two practical models of an authentication system are local authentication and remote authentication over a network. The first model is used when the user logs on directly to a local system (local logon); the authentication information (user name and password) is supplied directly to the authentication system (server). In the second model, the user logs on to a remote system. In this situation the authentication information has to be sent over the network, so the risk of eavesdropping is very high. Authentication protocols are designed to reduce these risks.
In classical systems, remote connections are usually made over point-to-point protocols such as SLIP (Serial Line Internet Protocol) or PPP (Point to Point Protocol). The authentication procedures are all one-way, meaning that only the server authenticates the user and there is no procedure in the opposite direction. The two authentication protocols commonly used in these systems are PAP (Password Authentication Protocol) and CHAP (Challenge-Handshake Authentication Protocol).
-PAP is the simplest authentication protocol and therefore the least secure. To authenticate to a remote server, the user simply sends his logon name and password directly (in clear text) to the server in an authenticate request packet. The server checks the authentication information in this packet; if it matches the information stored beforehand, the server replies with an authenticate ack packet and the authentication is considered successful. Otherwise, if the authentication information is wrong, the server replies with an authenticate nak packet.

[Diagram: User → Server: Authenticate request (User-name + Password); Server → User: Authenticate ack or Authenticate nak]

Figure 3.1: The PAP authentication protocol

-CHAP is a more complex authentication protocol, used in the PPP connection protocol and in some other systems. Its security advantage over PAP is that it uses one-way hash functions and the authentication information is not sent directly over the network. Authentication with CHAP consists of the following steps (called the challenge-response process):

- After the PPP connection has been established, to determine whether the user has access rights, the server sends the user a challenge block containing a random value generated by the server.
- On receiving the challenge, the user appends his logon name and password to it, applies a one-way hash function (for example MD5) to the resulting block and sends the hash back to the server.
- The server carries out the same computation and compares the result with the value received from the user to decide whether the authentication succeeded.

Another feature of this protocol that increases the security of the connection is that the challenge-response process is repeated many times for as long as the connection is maintained. If the user's reply packet is invalid, the connection is torn down immediately.

Challenge

Ngi
s dng

User-name + H(user-name +
password + challenge)

Server

Success / Failure

Hnh 3.2: Giao thc xc thc CHAP
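
The challenge-response exchange above, as an added Python example that is not part of the original lecture notes. It computes H(user-name + password + challenge) with MD5 as the text describes (the field order, the 16-byte challenge and the sample account are assumptions) and shows that a captured response fails against the next challenge.

```python
import hashlib
import hmac
import os


def chap_response(username: str, password: str, challenge: bytes) -> bytes:
    """User side: H(user-name + password + challenge), with MD5 as H."""
    return hashlib.md5(username.encode() + password.encode() + challenge).digest()


class ChapServer:
    """Server side. `users` maps login name -> password (constructed sample data)."""

    def __init__(self, users):
        self.users = users
        self.pending = {}                      # login name -> outstanding challenge

    def new_challenge(self, username: str) -> bytes:
        challenge = os.urandom(16)             # fresh random value for every challenge
        self.pending[username] = challenge
        return challenge

    def verify(self, username: str, response: bytes) -> bool:
        challenge = self.pending.pop(username, None)   # a challenge is usable once
        password = self.users.get(username)
        if challenge is None or password is None:
            return False
        expected = chap_response(username, password, challenge)
        return hmac.compare_digest(expected, response)


def demo():
    server = ChapServer({"alice": "correct horse"})
    c1 = server.new_challenge("alice")
    r1 = chap_response("alice", "correct horse", c1)
    first = server.verify("alice", r1)                  # initial authentication
    server.new_challenge("alice")                       # periodic re-challenge
    replayed = server.verify("alice", r1)               # old response, new challenge
    c3 = server.new_challenge("alice")
    wrong = server.verify("alice", chap_response("alice", "guess", c3))
    unsolicited = server.verify("alice", r1)            # no challenge outstanding
    return first, replayed, wrong, unsolicited


if __name__ == "__main__":
    print(demo())
```

The password never crosses the wire, but the server has to hold it in a form from which the hash can be recomputed.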

III.1.3 Authentication in distributed systems:

In distributed systems, many service servers are managed by a single authentication center. The authentication protocol in these systems must satisfy two basic requirements:
  - Keep the authentication information secure (the login name and password are not transmitted directly over the network).
  - The user logs in only once per working session but is able to use all the services in the system.
Example: A Windows network is configured in the Domain model. The Domain contains many servers providing different services, including printing (print server), data storage (file server), shared Internet access (through a proxy server), and so on. When a user logs in from a member machine of the Domain, that user must be able to access all the services in the Domain (subject to the rights granted) without re-entering the login name and password for each service. This centralized management is convenient for both the user and the system.
A typical authentication procedure in these systems consists of the following steps:
  - A user logs in from a client machine (C) in the system and requests access to server V.
  - Client C asks the user for the login name and password and then passes this information to the authentication center AS (Authentication Server).
  - The AS checks whether the login name and password are valid, and also checks whether this user is allowed to access the services on server V.
  - If both checks succeed, the user is allowed to access the service on server V. To do this, the AS creates a ticket containing the user's identity, the network address of the client and the identity of server V. This ticket is encrypted with the secret key shared between the AS and V. The ticket is also sent to C.
  - From then on, C can request the services of V by sending messages with the newly created ticket attached. Server V decrypts the ticket and allows C to access its services.
The process is represented as follows:


C -> AS: ID_c + P_c + ID_v
AS -> C: Ticket
C -> V: ID_c + Ticket
Ticket = E([ID_c + AD_c + ID_v], K_v)

Where:
C: Client machine.
AS: Authentication server.
V: Service server.
ID_c: Identity (login name) of the user.
ID_v: Identity of server V.
P_c: Password of the user.
AD_c: Network address of the client.
K_v: Secret key of the service server V.
The authentication procedure above addresses the security problem by introducing the concept of a ticket, in which the secret information is encrypted in a special message before it travels over the network. However, two problems remain unsolved:
1-If the user needs to use a service many times, or to use different services on different servers, must the user carry out the authentication procedure many times, that is, enter the password many times?
2-The authentication procedure still has one step (the first step) in which the authentication information (the password) is sent directly over the network without encryption.
The following procedure resolves these two problems:

When the user logs in to the system:
(1) C -> AS: ID_c + ID_tgs
(2) AS -> C: E(Ticket_tgs, K_c)

When the user accesses a type of service (per service type):
(3) C -> TGS: ID_c + ID_v + Ticket_tgs
(4) TGS -> C: Ticket_v

When the user accesses a specific session (per service session):
(5) C -> V: ID_c + Ticket_v

Where:
Ticket_tgs = E([ID_c + AD_c + ID_tgs + TS_1 + Lifetime_1], K_tgs)
Ticket_v = E([ID_c + AD_c + ID_v + TS_2 + Lifetime_2], K_v)
In the procedure above, a new component is added to the authentication system: the ticket-granting server TGS (Ticket-Granting Server).
When the user authenticates successfully with the AS, instead of issuing a service ticket directly to the user, the AS issues only a ticket for the TGS, which serves as confirmation that this is a legitimate user. From then on, whenever the user needs to access a service, the user only has to send this ticket and the request to the TGS to be issued a service ticket.
Thus the AS needs to issue a ticket to the user only once; in other words, the ticket can be reused, even when the user uses a service many times or uses many different services, without re-entering the password.
This procedure is described in detail as follows:
  - Client C requests a ticket confirming a legitimate user (Ticket Granting Ticket) by sending the user's identity to the AS, together with the identity of the TGS.
  - The AS returns the ticket-granting ticket to the client, but encrypted with a key that is the user's password (K_c). Therefore, if the user supplies the correct password, the ticket is decrypted successfully; otherwise, authentication is considered to have failed.
Thus the user's password is not sent directly over the network.
Because this ticket can be reused, a timestamp specifying its valid lifetime is attached to the ticket in order to manage its existence.
To prevent the ticket from being altered or forged, the ticket is encrypted once more with the secret key of the AS and the TGS.
  - After obtaining the ticket-granting ticket, the client can request a service on server V by requesting a service-granting ticket from the TGS. The information sent to the TGS comprises the identity of server V, the ticket-granting ticket and the user's login name.
  - The TGS decrypts the ticket-granting ticket to check it; if it is valid, the TGS issues a service ticket to the user. This ticket is encrypted with the secret key of V and the TGS.
  - After obtaining the service ticket, the user can use the service on server V.
Thus the procedure above solves both problems: reusing the ticket and not sending the password directly over the network.
However, two further problems arise:
-First, if the lifetime of the tickets is too short, the user may have to re-enter the password to create a new ticket. If it is too long, the risk of ticket theft increases. Therefore, when validating a ticket, the server (TGS or V) must be certain that it is dealing with the very user whose login name is contained in the ticket.
-Second, alongside the user authenticating to the server, there also needs to be authentication in the reverse direction, from the server to the user, to rule out the case in which the server itself is spoofed.
These are the outstanding issues addressed by the Kerberos authentication protocol.

III.1.4 The Kerberos authentication protocol:

Kerberos is a procedure built to improve the security of authentication in a distributed network environment. Kerberos is based on symmetric cryptography (DES).
The authentication procedure of Kerberos version 4 can be summarized as follows (Figure 3.3):
1- The client asks the AS for a ticket-granting ticket:
C -> AS: ID_c + ID_tgs + TS_1
2- The AS provides the ticket-granting ticket to the client:
AS -> C: E([K_c,tgs + ID_tgs + TS_2 + Lifetime_2 + Ticket_tgs], K_c)
With Ticket_tgs = E([K_c,tgs + ID_c + AD_c + ID_tgs + TS_2 + Lifetime_2], K_tgs)
3- The client asks the TGS for a service-granting ticket:
C -> TGS: ID_v + Ticket_tgs + Authenticator_c
4- The TGS provides the service-granting ticket to the client:
TGS -> C: E([K_c,v + ID_v + TS_4 + Ticket_v], K_c,tgs)
With
Ticket_tgs = E([K_c,tgs + ID_c + AD_c + ID_tgs + TS_2 + Lifetime_2], K_tgs)
Ticket_v = E([K_c,v + ID_c + AD_c + ID_v + TS_4 + Lifetime_4], K_v)
Authenticator_c = E([ID_c + AD_c + TS_3], K_c,tgs)
5- The client requests the service:
C -> V: Ticket_v + Authenticator_c
With
Authenticator_c = E([ID_c + AD_c + TS_5], K_c,v)
6- The server authenticates itself to the client (optional):
V -> C: E([TS_5 + 1], K_c,v)
With:
Ticket_v = E([K_c,v + ID_c + AD_c + ID_v + TS_4 + Lifetime_4], K_v)

Figure 3.3: The Kerberos 4 authentication procedure (client C; Kerberos, made up of the authentication server AS and the ticket-granting server TGS; server V. Exchanges: ticket-granting ticket request / ticket + session key; service-granting ticket request / ticket + session key; service request / service provided)


Components of the Kerberos messages:
-Message (1): The client requests a ticket-granting ticket:
  - ID_c: Identity of the user (sent by the client to the AS, based on the user's login information).
  - ID_tgs: Identity of the TGS, telling the AS that the client wants to access the TGS.
  - TS_1: Timestamp, used to synchronize time between the AS and the client.
-Message (2): The AS provides the ticket-granting ticket to the client:
  - K_c: The user's own password is used as the encryption key, which both protects the information and lets the AS authenticate the user's password. If the client does not have the correct password, it cannot decrypt this message.
  - K_c,tgs: Secret key used between the client and the TGS, created by the AS. This key is valid only for one working session (session key).
  - ID_tgs: Identity of the TGS, confirming that this ticket allows the client to access the TGS.
  - TS_2: Timestamp, indicating when the ticket was created.
  - Lifetime_2: Tells the client the lifetime of the ticket.
  - Ticket_tgs: The client uses this ticket to access the TGS.
-Message (3): The client requests a service-granting ticket:
  - ID_v: Identity of server V, telling the TGS that the client wants to access the service of server V.
  - Ticket_tgs: The ticket issued to the client by the AS.
  - Authenticator_c: A value created by the client to validate the ticket.
-Message (4): The TGS provides the service-granting ticket to the client:
  - K_c,tgs: Secret key shared between the client and the TGS, protecting the content of message (4).
  - K_c,v: Secret key used between the client and server V, created by the TGS. This key is valid only for a single working session (session key).
  - ID_v: Identity of server V, confirming that the ticket is for server V.
  - TS_4: Timestamp indicating when the ticket was created.
  - Ticket_v: The ticket used by the client to access server V.
  - Ticket_tgs: This ticket is reused so that the user does not have to re-enter the password to access another service.
    - K_tgs: Secret key shared between the AS and the TGS.
    - K_c,tgs: Session key used by the TGS to decrypt the authenticator. This key is shared between the client and the TGS.
    - ID_c: Identity of the client, indicating the owner of the ticket.
    - AD_c: Network address of the client, used to prevent another machine that has stolen the ticket from requesting the service.
    - ID_tgs: Identity of the TGS, confirming that the ticket was decrypted successfully.
    - TS_2: Timestamp indicating when the ticket was created.
    - Lifetime_2: Lifetime of the ticket, intended to prevent reuse of the ticket (replay).
  - Authenticator_c: Authentication information of the client.
    - K_c,tgs: Secret key shared between the client and the TGS, used to encrypt the client's authentication information.
    - ID_c: Identity of the client, which must match the ID in the ticket.
    - AD_c: Network address of the client, which must match the address in the ticket.
    - TS_3: Timestamp, indicating when the authenticator was created.
-Message (5): The client requests access to the service:
  - Ticket_v: The ticket shows that the client has been authenticated by the AS.
  - Authenticator_c: Authentication information for the client's ticket.
-Message (6): Server V authenticates itself to the client:
  - K_c,v: Secret key shared between the client and server V.
  - TS_5 + 1: Timestamp, used to prevent old authentication information from being reused.
  - Ticket_v: Ticket for accessing server V. This ticket can be reused when the client accesses the service on the same server V, without requesting a new ticket.
    - K_v: Secret key shared between the TGS and server V.
    - K_c,v: Secret key shared between the client and server V, used to decrypt the authentication information.
    - ID_c: Identity of the client.
    - AD_c: Network address of the client.
    - ID_v: Identity of server V.
    - TS_4: Timestamp indicating when the ticket was created.
    - Lifetime_4: Lifetime of the ticket.
  - Authenticator_c: Authentication information of the client.
    - K_c,v: Secret key shared between the client and server V, used to encrypt the authentication information.
    - ID_c: Identity of the client, which must be the same as ID_c in the ticket.
    - AD_c: Network address of the client, which must be the same as the address in the ticket.
    - TS_5: Time at which the authentication information was created.
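
The six Kerberos 4 messages above as an added, runnable Python example (not code from the lecture notes or from any Kerberos implementation), showing the checks the TGS and V apply to Ticket + Authenticator. E() is a toy stand-in built from SHA-256 and HMAC instead of DES, and the JSON field names, the key derived from the password, the lifetimes and the 300-second clock skew are all assumptions.

```python
import hashlib
import hmac
import json
import os


def _stream(key, nonce, n):
    blocks = (hashlib.sha256(b"enc" + key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def E(fields, key):
    """Toy stand-in for the page's E(data, key): SHA-256 keystream + HMAC tag, not DES."""
    plain = json.dumps(fields).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plain, _stream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()


def D(blob, key):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or altered message")
    return json.loads(bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body)))))


def password_key(password):
    return hashlib.sha256(password.encode()).digest()        # K_c (assumed derivation)


def authenticator(id_c, ad_c, ts, session_key):
    return E({"id_c": id_c, "ad_c": ad_c, "ts": ts}, bytes.fromhex(session_key)).hex()


class Realm:
    """AS, TGS and server V of one realm, with their long-term keys (constructed)."""

    def __init__(self, users):
        self.k_c = {name: password_key(pw) for name, pw in users.items()}
        self.k_tgs, self.k_v = os.urandom(32), os.urandom(32)

    def _ticket(self, key, session_key, id_c, ad_c, server, ts, life):
        fields = {"k": session_key, "id_c": id_c, "ad_c": ad_c,
                  "id": server, "ts": ts, "life": life}
        return E(fields, key).hex()

    def _check(self, key, server, ticket, auth, peer, now, skew=300):
        t = D(bytes.fromhex(ticket), key)                  # only this server holds `key`
        a = D(bytes.fromhex(auth), bytes.fromhex(t["k"]))
        if t["id"] != server or now > t["ts"] + t["life"]:
            raise ValueError("ticket is for another server or has expired")
        if (a["id_c"], a["ad_c"]) != (t["id_c"], t["ad_c"]) or peer != t["ad_c"]:
            raise ValueError("authenticator or source address does not match ticket")
        if abs(now - a["ts"]) > skew:
            raise ValueError("stale authenticator")
        return t, a

    def as_exchange(self, id_c, ad_c, now, life=28800):                # messages (1)-(2)
        k = os.urandom(32).hex()                                       # K_c,tgs
        ticket = self._ticket(self.k_tgs, k, id_c, ad_c, "tgs", now, life)
        reply = {"k": k, "id": "tgs", "ts": now, "life": life, "ticket": ticket}
        return E(reply, self.k_c[id_c])

    def tgs_exchange(self, id_v, ticket, auth, peer, now, life=3600):  # messages (3)-(4)
        t, _ = self._check(self.k_tgs, "tgs", ticket, auth, peer, now)
        k = os.urandom(32).hex()                                       # K_c,v
        ticket_v = self._ticket(self.k_v, k, t["id_c"], t["ad_c"], id_v, now, life)
        return E({"k": k, "id": id_v, "ts": now, "ticket": ticket_v}, bytes.fromhex(t["k"]))

    def v_exchange(self, ticket, auth, peer, now):                     # messages (5)-(6)
        t, a = self._check(self.k_v, "v", ticket, auth, peer, now)
        return E({"ts": a["ts"] + 1}, bytes.fromhex(t["k"]))


def login_and_use(realm, id_c, password, ad_c, now, peer=None):
    """Client side of messages (1)-(6). True when V returns TS_5 + 1."""
    peer = peer or ad_c                      # source address the servers observe
    m2 = D(realm.as_exchange(id_c, ad_c, now), password_key(password))
    auth3 = authenticator(id_c, ad_c, now + 1, m2["k"])
    m4 = D(realm.tgs_exchange("v", m2["ticket"], auth3, peer, now + 1),
           bytes.fromhex(m2["k"]))
    ts5 = now + 2
    m6 = realm.v_exchange(m4["ticket"], authenticator(id_c, ad_c, ts5, m4["k"]), peer, ts5)
    return D(m6, bytes.fromhex(m4["k"]))["ts"] == ts5 + 1
```

A wrong password fails at message (2), because the reply cannot be decrypted; a ticket presented from another address, after its lifetime, or with an old authenticator is rejected by `_check`.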

-Combining multiple Kerberos systems:

A complete environment using the Kerberos authentication system consists of a Kerberos server, application servers and the client machines that use the services, in which:
-The Kerberos server must have a list of all the login names and encrypted passwords of these users. All clients must be registered with the Kerberos server.
-The Kerberos server shares a secret key with the other servers. All servers must be registered with the Kerberos server.
An environment that satisfies these conditions is called a Kerberos realm.
Thus servers and clients belonging to different administrative units belong to different Kerberos realms. The Kerberos authentication protocol also includes procedures that allow Kerberos realms to be combined so that services are provided uniformly. Figure 3.4 describes the operation of this procedure.
The sequence of the procedure for combining Kerberos realms is summarized as follows:
(1) C -> AS: ID_c + ID_tgs + TS_1
(2) AS -> C: E([K_c,tgs + ID_tgs + TS_2 + Lifetime_2 + Ticket_tgs], K_c)
(3) C -> TGS: ID_tgsrem + Ticket_tgs + Authenticator_c
(4) TGS -> C: E([K_c,tgsrem + ID_tgsrem + TS_4 + Ticket_tgsrem], K_c,tgs)
(5) C -> TGS_rem: ID_vrem + Ticket_tgsrem + Authenticator_c
(6) TGS_rem -> C: E([K_c,vrem + ID_vrem + TS_6 + Ticket_vrem], K_c,tgsrem)
(7) C -> V_rem: Ticket_vrem + Authenticator_c

Figure 3.4: Authentication between two Kerberos realms (Realm A: client, Kerberos with AS and TGS; Realm B: Kerberos with AS and TGS, server. Exchanges: ticket-granting ticket request / ticket-granting ticket; service-granting ticket request for realm B / service-granting ticket; service-granting ticket request / service-granting ticket; service request / service provided)


-Kerberos 5: an upgraded version of Kerberos 4, with the following differences:
  - Kerberos 4 depends closely on the DES symmetric encryption algorithm, whereas Kerberos 5 is compatible with any encryption algorithm.
  - Kerberos 4 depends on IP addresses to authenticate users; Kerberos 5 can use any kind of address (for example a MAC address).
  - Kerberos 4 uses an extra byte in its messages to indicate the byte order in the message. Kerberos 5 uses ASN.1 (Abstract Syntax Notation One) syntax and the BER (Basic Encoding Rules) to define the byte ordering in messages unambiguously.
  - The ticket lifetime in Kerberos 4 is held in an 8-bit field, in units of 5 minutes, so the maximum lifetime of a ticket is 5 * 2^8 = 1280 minutes (about 21 hours). In Kerberos 5, the lifetime is expressed by a start time and an end time, which allows the lifetime to vary without limit.
  - Kerberos 4 does not allow authentication forwarding, that is, a client accessing a server and asking that server to access the service of another server using the client's identity. Kerberos 5 provides this capability.
  - Kerberos 4 requires N^2 relationships among Kerberos realms when N realms interoperate. Kerberos 5 requires far fewer relationships.

The authentication procedure using Kerberos 5 is summarized as follows:
(1) C -> AS: Options + ID_c + Realm_c + ID_tgs + Times + Nonce_1
(2) AS -> C: Realm_c + ID_c + Ticket_tgs + E([K_c,tgs + Times + Nonce_1 + Realm_tgs + ID_tgs], K_c)
With Ticket_tgs = E([Flags + K_c,tgs + Realm_c + ID_c + AD_c + Times], K_tgs)
(3) C -> TGS: Options + ID_v + Times + Nonce_2 + Ticket_tgs + Authenticator_c
(4) TGS -> C: Realm_c + ID_c + Ticket_v + E([K_c,v + Times + Nonce_2 + Realm_v + ID_v], K_c,tgs)
With
Ticket_tgs = E([Flags + K_c,tgs + Realm_c + ID_c + AD_c + Times], K_tgs)
Ticket_v = E([Flags + K_c,v + Realm_c + ID_c + AD_c + Times], K_v)
Authenticator_c = E([ID_c + Realm_c + TS_1], K_c,tgs)
(5) C -> V: Options + Ticket_v + Authenticator_c
(6) V -> C: E([TS_2 + Subkey + Seq#], K_c,v)
With
Ticket_v = E([Flags + K_c,v + Realm_c + ID_c + AD_c + Times], K_v)
Authenticator_c = E([ID_c + Realm_c + TS_2 + Subkey + Seq#], K_c,v)

In the procedure above, in addition to the components that appear in Kerberos 4, there are the following new components:
-Realm: Indicates the realm of the user.
-Options: Options, used to request that additional information appear in the ticket.
-Times: Used by the client to request time parameters in the ticket such as from, till, rtime.
-Nonce: A random value generated in the message to ensure that the reply is a valid message and not a replayed one.

III.2 IP SECURITY
III.2.1 Applications and characteristics of IPSec:
IP security (IPSec) provides a means of secure communication across a LAN, between LANs connected through a WAN, and between different networks across the Internet. IPSec is an extension of the IP protocol, implemented consistently in both versions of IP, IPv4 and IPv6.
-Typical applications of IPSec include:
  - Connecting the branches of an organization over the Internet: by building virtual private networks, VPN (Virtual Private Network), on top of a public WAN or the Internet. Organizations can connect the subnets at their branches into one private network at low cost while still ensuring security.
  - Remote access over the Internet: to access a service remotely, the user normally has to connect over a telephone line (dial-up) to the server providing the service. With IPSec, the user only needs to connect to the nearest Internet service provider (ISP) and then connect to the remote server securely through IPSec, without paying long-distance telephone charges.
  - Improving the security of commercial transactions on the Internet, applied to online shopping websites or Internet payment services.

Figure 3.5: Applications of IPSec (IPSec-capable end devices and IPSec-capable network devices connecting LANs / intranets across a WAN / the Internet; packet components: IP header, IPSec header, IP payload)

-Advantages of IPSec:
-When IPSec is deployed on the firewall or router of a private network, the security features of IPSec can be applied to all traffic entering and leaving the private network, and the other components do not need to handle any additional security-related work.
-IPSec is implemented below the TCP and UDP layers and operates transparently to them. Therefore, there is no need to change software or reconfigure services when IPSec is deployed.
-IPSec can be configured to operate transparently to end applications, which helps hide the complex configuration details that users would otherwise have to carry out when connecting to the internal network remotely over the Internet.

III.2.2 IPSec architecture:

Figure 3.6: IPSec architecture (components: IPSec architecture, ESP protocol, AH protocol, encryption algorithms, authentication algorithms, domain of interpretation, key management)

IPSec is built on the following basic security components, each defined in its own corresponding document (Figure 3.6):
-Architecture: Specifies the structure, concepts and requirements of IPSec.
-ESP protocol: Describes ESP, a protocol for encrypting and authenticating information in IPSec.
-AH protocol: Defines another protocol with functionality close to that of ESP. Thus, when deploying IPSec, the user can choose ESP or AH. Each protocol has its own advantages and disadvantages, which are presented in this section.
-Encryption algorithms: Defines the encryption and decryption algorithms used in IPSec. IPSec relies mainly on symmetric encryption algorithms.
-Authentication algorithms: Defines the message authentication algorithms used in AH and ESP.
-Key management: Describes the key management and distribution mechanisms in IPSec.
-Domain of Interpretation (DOI): Defines the environment in which IPSec is implemented. As presented, IPSec is not a single technology but a combination of many different mechanisms, protocols and techniques, each of which has several modes of operation. Determining the set of modes needed to deploy IPSec in a particular situation is the function of the domain of interpretation.

III.2.3 Security associations:

The goal of IPSec is to provide a secure transmission mechanism that ensures the integrity and authenticity of data. In the IPSec environment, an important concept used to describe a secure communication relationship between a sender and a receiver is the security association (SA). Each SA is regarded as a one-way link between two entities, so a typical two-way connection consists of 2 SAs. Each SA uses one particular authentication protocol (AH or ESP) and cannot use both at the same time.
Each SA is identified by the following 3 parameters:
-Security Parameters Index (SPI): a bit string assigned to the SA, with local significance only. The SPI is placed in the AH and ESP headers and lets the receiving system select the SA under which received packets are processed.
-IP Destination Address: the address of the endpoint of the SA, that is, the address of the device at which the SA terminates; it may be the address of an end system or of a network device (router, firewall).
-Security Protocol Identifier: Indicates which authentication protocol the SA uses (AH or ESP).
Thus, in every IP packet of IPSec, the SA is identified by the combination of the destination address and the SPI in the extension header (AH or ESP).

III.2.4 Transport mode and tunnel mode:

IPSec (both AH and ESP) provides two different modes of operation:
-Transport mode: provides protection for the data of the upper layers (TCP, UDP or ICMP). In this mode, the protection mechanisms (encryption or authentication) are applied to the payload of the IP packet. This mode is typically used for end-to-end connections, for example from a workstation to a server or between two workstations.
-Tunnel mode: provides protection at the IP layer, meaning that the IP packet together with the AH or ESP headers is wrapped once more in new headers. The original IP packets are then regarded as traveling through a tunnel from one end of the network to the other, and intermediate nodes cannot interfere with them. This mode is typically used in SAs that connect two gateways of two networks.
Transport mode and tunnel mode are presented separately for each of the AH and ESP protocols.
The encryption / decryption algorithms and the message authentication algorithms were presented in chapter 2, so this section concentrates on describing the operation of the two protocols AH and ESP, and then introduces the key management mechanisms of IPSec.

III.2.5 AH:
AH (Authentication Header) is an authentication protocol used in IPSec whose function is to ensure the integrity of data carried over an IP network. AH allows user authentication, application authentication and the corresponding packet filtering. In addition, AH can limit spoofing attacks and replay attacks.
AH works on the basis of a message authentication code, MAC (Message Authentication Code); therefore, to run AH the two endpoints of the SA must share a secret key.
The AH header (Figure 3.7) consists of the following parts:

Bit 0            8                  16                         31
| Next header    | Payload length   | Reserved                  |
| Security Parameters Index (SPI)                               |
| Sequence number                                               |
| Authentication data (variable size)                           |

Figure 3.7: Structure of the AH packet

-Next Header (8 bits): Identifies the type of header that immediately follows the AH header.
-Payload Length (8 bits): Length of the AH packet, in 32-bit units, minus 2. For example, if the authentication data is 96 bits long (= 3 * 32 bits), together with the (fixed) AH header part of another 3 * 32 bits this makes 6 * 32 bits, so the value of the payload length field is 4.
-Reserved (16 bits): Reserved, not yet used.
-Security Parameters Index (SPI - 32 bits): Identifies the SA as described above.
-Sequence Number (32 bits): Sequence number.
-Authentication Data: authentication data, variable in length but always a multiple of 32 bits. This field contains the integrity check value ICV (Integrity Check Value) or MAC (Message Authentication Code) for the whole packet.
-Anti-replay service: a service that prevents replay attacks as presented in chapter 1. The Sequence Number field in the AH header is used to mark the order of the packets sent on an SA. Initially this value is set to 0, and it increases after each packet sent. To ensure that no packet is repeated, when the sequence number reaches its maximum value (2^32 - 1) it does not wrap around to 0; instead, a new SA is established to continue transmitting data.
At the receiver, received packets are processed by the sliding-window mechanism described in Figure 3.8. The default window size is 64. The mechanism works as follows:
  - If the received packet falls within the valid range of the window and is a new packet rather than a retransmitted one, the MAC value of the packet is checked. If it is correct (that is, the packet is authenticated), the corresponding slot in the window is marked.
  - If the received packet lies to the right of the window and is a new packet, the MAC value of the packet is checked. If it is correct, the window is shifted one slot to the right and the corresponding slot in the window is marked.
  - If the received packet lies to the left of the window, or its MAC value is invalid, it is discarded.

Figure 3.8: The sliding-window mechanism in AH (a window of fixed size W, with positions N-W and N+1 labeled; the window shifts to the right when a valid packet is received; a marked slot indicates a valid packet that has been received; an unmarked slot indicates that the packet at that position has not yet been received)

-Message authentication:

The authentication code (the Authentication Data field) is produced in one of 2 ways:
-HMAC-MD5-96: uses the HMAC method with the MD5 algorithm, keeping the first 96 bits.
-HMAC-SHA-1-96: uses the HMAC method with the SHA-1 algorithm, keeping the first 96 bits.
The MAC algorithm is applied to the following information:
  - The fields of the IP header that do not change while the packet is forwarded across the network, or that can be predicted at the endpoint of the SA. The remaining fields of the IP header are replaced by 0 bits for the computation.
  - The fields of the AH header except the Authentication Data field. This field is replaced by 0 bits for the computation.
  - The entire upper-layer data (that is, the payload of the IP packet).
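
An added Python example (not from the lecture notes) of the receiver-side processing described in the anti-replay and message-authentication passages above: it builds the AH header, computes HMAC-SHA-1-96 with the Authentication Data field zeroed, and applies the 64-slot window. Assumptions: the immutable IP header fields are left out of the MAC input, the first packet on an SA carries sequence number 1, and a packet to the right of the window moves the window's right edge to its sequence number (a one-slot shift when it is N+1); the key, SPI and payloads are constructed.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12      # 96 bits, as in HMAC-SHA-1-96
WINDOW = 64       # default window size given in the text


def build_ah(key, next_header, spi, seq, payload):
    """Return AH header + payload with the ICV filled in."""
    payload_len = (12 + ICV_LEN) // 4 - 2            # AH length in 32-bit words, minus 2
    fixed = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    # The Authentication Data field is all zero while the MAC is computed.
    mac = hmac.new(key, fixed + bytes(ICV_LEN) + payload, hashlib.sha1).digest()
    return fixed + mac[:ICV_LEN] + payload           # keep the first 96 bits


def parse_ah(packet):
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", packet[:12])
    ah_len = (payload_len + 2) * 4
    return {"next_header": next_header, "payload_len": payload_len, "spi": spi,
            "seq": seq, "fixed": packet[:12], "icv": packet[12:ah_len],
            "payload": packet[ah_len:]}


class AhReceiver:
    def __init__(self, key, spi, window=WINDOW):
        self.key, self.spi, self.window = key, spi, window
        self.top = 0       # N: highest sequence number authenticated so far
        self.seen = 0      # bit i set -> sequence number (top - i) was accepted

    def _mac_ok(self, p):
        data = p["fixed"] + bytes(len(p["icv"])) + p["payload"]
        good = hmac.new(self.key, data, hashlib.sha1).digest()[:ICV_LEN]
        return hmac.compare_digest(good, p["icv"])

    def receive(self, packet):
        if len(packet) < 12:
            return "drop: truncated"
        p = parse_ah(packet)
        seq = p["seq"]
        if p["spi"] != self.spi or seq == 0:
            return "drop: unknown SA or invalid sequence number"
        if seq + self.window <= self.top:
            return "drop: left of window"
        if seq <= self.top and (self.seen >> (self.top - seq)) & 1:
            return "drop: replay"
        if not self._mac_ok(p):
            return "drop: bad MAC"                    # window state is left untouched
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.window:
                self.seen = 1
            else:
                self.seen = ((self.seen << shift) | 1) & ((1 << self.window) - 1)
            self.top = seq
            return "accept: window advanced"
        self.seen |= 1 << (self.top - seq)
        return "accept: inside window"


def demo():
    key, spi = b"constructed-shared-key", 0x1001
    rx = AhReceiver(key, spi)
    pkt = {n: build_ah(key, 6, spi, n, b"data %d" % n) for n in (1, 2, 3, 7, 70, 71)}
    forged = pkt[71][:-1] + bytes([pkt[71][-1] ^ 1])   # one payload bit flipped
    order = [pkt[1], pkt[3], pkt[2], pkt[2], pkt[70], pkt[7], pkt[3], forged, pkt[71]]
    return [rx.receive(p) for p in order]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The MAC is checked before the window state changes, so a forged packet with a high sequence number cannot push the window forward.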

-Transport mode and tunnel mode:

Figure 3.9 describes two different authentication cases:
-End-to-End Authentication: authentication directly between two end systems (between a server and a workstation, or between two workstations). This authentication may take place on the same internal network or between two different networks, as long as the 2 endpoints know each other's secret key. This case uses the transport mode of AH.
-End-to-Intermediate Authentication: authentication between an end system and an intermediate device (router or firewall). This case uses the tunnel mode of AH.

Figure 3.9: The two authentication modes of AH (server and workstations on an internal network, public network, router/firewall; end-to-end authentication and end-to-intermediate authentication)

Figure 3.10 describes the scope of the protection that AH applies to the packet in the two modes.

Figure 3.10: Scope of AH on the packet in transport and tunnel modes (panels: a- original IP packet; b- IP packet in transport mode; c- IP packet in tunnel mode; each panel marks the scope of the authenticated information)

III.2.6 ESP:
ESP (Encapsulating Security Payload) is another option for implementing IPsec, alongside the AH authentication protocol. The main function of ESP is to provide confidentiality for data carried over IP networks by means of cryptographic techniques. However, ESP also has an option to provide a data integrity service through an authentication mechanism. Thus, when using ESP, the user may or may not select the authentication function, while encryption is the default function of ESP.

Bit 0                            16             24             31
| Security Parameters Index (SPI)                               |
| Sequence number                                               |
| Payload data (variable size)                                  |
| Padding (0-255 bytes)          | Pad length   | Next header   |
| Authentication data (variable size)                           |

Figure 3.11: Structure of the ESP packet

The ESP packet consists of the following components (Figure 3.11):
-Security Parameters Index (SPI - 32 bits): Identifies the SA as in the AH protocol.
-Sequence Number (32 bits): Sequence number, with the same function as the sequence number in AH.
-Payload Data: the part of the data that is protected by encryption. This field is variable in length. In transport mode, it is the entire layer-4 data unit (TCP or UDP). In tunnel mode, it is the entire IP packet. Standard ESP uses the symmetric cipher DES; however, other ciphers such as 3DES (3 keys), RC5, IDEA, triple IDEA (3 keys), CAST and Blowfish can be used.
-Padding (0-255 bytes): Some encryption algorithms require the original data to have a fixed size. Dummy bytes are added to guarantee the length of the data area. However, as ESP specifies, the pad-length and next-header fields must be fixed at the right-hand end of a 32-bit word, so the padding must be sized so that the whole of the information to be encrypted is a multiple of 32 bits.
- Pad Length (8 bits): Gives the number of bytes in the padding area.
- Next Header (8 bits): Identifies the type of data contained in the payload data.
- Authentication Data: Contains the authentication information, variable in length but always a multiple of 32 bits. The authentication information is computed over the whole ESP packet except the Authentication Data part.
-Transport mode and tunnel mode:
Transport mode: encryption and authentication are performed on the payload data of the IP packet (that is, the whole data unit of the layer above IP).
Tunnel mode: the whole IP packet is encrypted and authenticated.
The difference between the two modes of operation is described in Figure 3.12.

Figure 3.12: Effect of ESP on the IP packet in transport and tunnel modes (a- original IP packet: IP | TCP | Data; b- IP packet in transport mode: IP | ESP header | TCP | Data | ESP trailer | ESP auth; c- IP packet in tunnel mode: IP (new) | ESP header | IP (old) | TCP | Data | ESP trailer | ESP auth; each panel marks the scope of the authenticated information and the scope of the encrypted information)

III.2.7 Key management in IPSec:

IPSec relies on the HMAC (hash-based MAC) authentication technique and on symmetric ciphers, basically DES. Therefore, managing and distributing the secret keys between the endpoints of an SA is an important issue in deploying IPSec. There are two key management mechanisms:
-Manual key management: the network administrator generates the keys and installs them on the end systems. This mechanism is suitable only for small-scale systems.
-Automated key management: a system automatically generates keys and distributes them to the end systems.
IPSec uses two automated key management systems, Oakley and ISAKMP.
-Oakley Key Determination Protocol: a key exchange protocol based on the Diffie-Hellman algorithm, with additional security functions.
-Internet Security Association and Key Management Protocol (ISAKMP): provides a general framework for key management on the Internet, defining its own procedures and formats.

III.3 SECURE SOCKETS LAYER

Secure Sockets Layer, or SSL, is a security protocol designed by Netscape to provide secure connections for applications running over the TCP/IP protocols. SSL has been standardized and is widely used in many Internet applications such as web, mail, and so on. The current version of SSL is 3.0. The version of SSL standardized by the IEEE is called TLS (Transport Layer Security) and is regarded as SSL version 3.1.

III.3.1 SSL structure:

SSL actually consists of two protocol layers on top of TCP. The first layer is the SSL record protocol and the second layer consists of a set of auxiliary protocols (Figure 3.13). This section gives an overview of the components of SSL.

Figure 3.13: SSL structure (SSL handshake protocol, change cipher spec protocol, alert protocol and HTTP, above the record protocol, above TCP, above IP)

Two basic concepts commonly used in SSL are the connection and the session.
-A connection is a (temporary) connection between one endpoint and another that provides a suitable type of service. Each connection is associated with one session.
-A session is an association between a client and a server, created by the SSL Handshake protocol. The session defines the security parameters shared by multiple connections.
The state of a session is defined by the following parameters:
  - Session identifier: A random byte string chosen by the server to identify a session state.
  - Peer certificate: The public-key certificate (X509.v3) of the peer entity. This component may or may not be present.
  - Compression method: The algorithm used to compress data before encryption.
  - Cipher spec: Specifies the encryption algorithm and the hash function used for the session.
  - Master secret: A secret key (48-byte) shared between the client and the server.
  - Is resumable: Indicates whether this session can be used to initiate a new connection.
Similarly, the parameters that define the state of a connection are:
  - Server and client random: Byte strings chosen at random by the server and the client, serving to distinguish connections from one another.
  - Server write MAC secret: Secret key used to compute the MAC over data sent by the server.
  - Client write MAC secret: Secret key used to compute the MAC over data sent by the client.
  - Server write key: Secret key used to encrypt data sent by the server.
  - Client write key: Secret key used to encrypt data sent by the client.
  - Initialization vectors: The initialization vector (IV) used in the CBC (Cipher Block Chaining) encryption mode. This value is initialized by the SSL record protocol.
  - Sequence numbers: Sequence numbers of the messages sent and received on the connection.

III.3.2 The SSL record protocol:

Figure 3.14: Operation of the SSL record protocol (original data -> fragmentation -> compression -> add authentication information (MAC) -> encryption -> prepend the SSL record header)

The SSL record protocol provides 2 basic services for SSL connections: confidentiality and data integrity.
Figure 3.14 describes the operation of the SSL record protocol. The operations that SSL performs on the data are: fragmentation, compression, data authentication (MAC), encryption, adding the necessary headers and finally sending the whole resulting unit in a TCP segment. At the receiver, the process is carried out in reverse.

Figure 3.15: Structure of the SSL record (content type | major version | minor version | data length; the data (compressed or not) and the authentication code (0, 16 or 20 bytes) form the encrypted part)

The SSL record consists of the following components (Figure 3.15):
-Content Type (8 bits): The upper-layer protocol. This protocol will process the information in the SSL record.
- Major Version (8 bits): The major version of SSL. For SSL v3, this value is 3.
- Minor Version (8 bits): The minor version of SSL. For example, for SSLv3 the value of this field is 0.
- Compressed Length (16 bits): Length of the data (plaintext), in bytes.
-Plaintext: The upper-layer data carried in the SSL record. This data may or may not be compressed.
-MAC: Authentication code, with size = 0 bytes if the authentication function is not used.

III.3.3 The change cipher spec protocol:

The Change cipher spec protocol is the simplest protocol in the SSL structure, used to change the encryption parameters on an SSL connection. The protocol consists of a single message 1 byte in size, carrying the value 1. The function of this message is to request that the encryption parameters of the current connection be updated.

III.3.4 The alert protocol:

The Alert protocol is used to exchange alert messages between the two ends of an SSL connection. There are two alert levels: warning (1) and fatal (2). The warning level is simply used to notify the other end of abnormal events taking place. The fatal level requires the current SSL connection to be terminated; other connections in the same session may still be maintained, but the session may not establish any new connections.
The SSL alert messages include:
-unexpected_message: An inappropriate message was received.
-bad_record_mac: The message just received has an invalid MAC value.
-decompression_failure: The decompression operation failed.
-handshake_failure: The sender was unable to negotiate the security parameters.
-illegal_parameter: A field in a handshake message is invalid.
-close_notify: Notifies the end of the connection.
-no_certificate: Sent when a certificate is requested but no suitable certificate is available.
-bad_certificate: The certificate is invalid (bad signature).
-unsupported_certificate: The certificate type is not supported.
-certificate_revoked: The certificate has been revoked.
-certificate_expired: The certificate has expired.
-certificate_unknown: The certificate could not be processed for reasons other than those above.
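
An added Python example (not from the lecture notes) that parses the 5-byte SSL record header described in III.3.2 and decodes the change cipher spec and alert records of III.3.3 and III.3.4. The numeric content-type and alert codes and the fragment length limit come from the SSL 3.0 specification rather than from this page, and the sample byte string is constructed.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERTS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
          30: "decompression_failure", 40: "handshake_failure", 41: "no_certificate",
          42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
          45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter"}
MAX_FRAGMENT = 2 ** 14 + 2048        # largest ciphertext fragment SSL 3.0 allows

# Constructed sample: a handshake record, a change cipher spec record, a fatal
# bad_record_mac alert, and the header of a record whose body has not arrived yet.
SAMPLE = bytes.fromhex("16030000040e000000" "140300000101" "15030000020214" "1503000002")


def parse_records(stream: bytes):
    """Split a byte stream into SSL records; returns (records, leftover_bytes)."""
    records, pos = [], 0
    while len(stream) - pos >= 5:
        ctype, major, minor, length = struct.unpack("!BBBH", stream[pos:pos + 5])
        if ctype not in CONTENT_TYPES or major != 3:
            raise ValueError("not an SSL 3.x record at offset %d" % pos)
        if length > MAX_FRAGMENT:
            raise ValueError("record length %d exceeds the protocol limit" % length)
        if len(stream) - pos - 5 < length:
            break                                   # record not fully received yet
        body = stream[pos + 5:pos + 5 + length]
        records.append({"type": CONTENT_TYPES[ctype], "version": (major, minor),
                        "body": body})
        pos += 5 + length
    return records, stream[pos:]


def describe(record, encrypted=False):
    """Interpret change cipher spec and alert bodies that are still in the clear."""
    if encrypted:
        return record["type"] + ": encrypted"
    if record["type"] == "change_cipher_spec":
        ok = record["body"] == b"\x01"               # one byte carrying the value 1
        return "change_cipher_spec" if ok else "change_cipher_spec: malformed"
    if record["type"] == "alert" and len(record["body"]) == 2:
        level, code = record["body"]
        return "alert: %s %s" % (ALERT_LEVELS.get(level, "level %d" % level),
                                 ALERTS.get(code, "code %d" % code))
    return record["type"]


def must_close(record):
    """A fatal alert (level 2) means the current connection has to be terminated."""
    return record["type"] == "alert" and record["body"][:1] == b"\x02"


if __name__ == "__main__":
    recs, rest = parse_records(SAMPLE)
    for r in recs:
        print(r["version"], describe(r), "-> close" if must_close(r) else "")
    print("bytes waiting for more data:", rest.hex())
```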

III.3.5 The handshake protocol:

The handshake protocol is the most complex protocol of SSL; the two sides use it to authenticate each other and to negotiate and agree on the MAC and encryption algorithms. This procedure is also used to exchange the secret keys used for encryption and for the MAC. The procedure must be carried out before data is transmitted.
The handshake procedure consists of 4 phases, described in Figure 3.16.

III.3.6 Comparison of SSL and IPSec:

SSL and IPSec are two protocols that are equivalent in function. Both are designed to protect data carried over connections by means of authentication and encryption mechanisms. However, the two techniques differ as follows:
  - SSL operates at the socket layer (Figure 3.13), so it is attached to the user-space part of end systems. IPSec operates at the network layer, so it is integrated into the functions of the operating system. This is the most fundamental difference between SSL and IPSec.
  - Both SSL and IPSec provide encryption, data protection (Integrity) and authentication; however, SSL simplifies these techniques in order to apply them within its model, whereas IPSec includes the full design details of all its constituent techniques, and therefore, when they are combined, many compatibility errors appear within IPSec itself.
  - IPSec is a component of the operating system, so deploying IPSec requires changing the configuration of the operating system without changing the configuration of application programs. Conversely, SSL sits at user level, so it has to be installed with each specific application (for example mail, web, ...) without any declaration to the operating system.
Because of these differences, SSL is usually used to protect the connections of individual applications, especially Web and E-mail, whereas IPSec is usually used to build virtual private networks (VPN), on the basis of which application services are then deployed.

116

[Figure 3.16: SSL handshake procedure. Message flow between Client and Server along a time axis, in four phases.]
Phase 1 (client_hello, server_hello): Establish the security parameters such as the protocol version, the session identifier, the cipher algorithm, the compression method and the initial random numbers.
Phase 2 (server certificate, server secret key, certificate request, end of server_hello): The server may send its public-key certificate, exchange keys and request a certificate from the client.
Phase 3 (client certificate, client secret key, certificate verification): The client sends its certificate if the server requested one and exchanges keys with the server. The client may also send a verification of its public-key certificate to the server (certificate_verify).
Phase 4 (change cipher spec and finish, in each direction): Change the parameters of the cipher algorithm and finish the handshake protocol.
Note: the transactions drawn with dashed lines are optional; they may or may not be present, depending on the situation in which SSL is used.
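The four phases of Figure 3.16 can be turned into a receiver-side check that a sequence of handshake messages arrives in a legal order, which is the condition behind the unexpected_message alert. This is an added example, not code from the lecture notes; the message names are the standard SSL ones (the figure gives only descriptive labels) and both the function name and the traces are constructed for illustration.

```python
# Expected order of SSL handshake messages, following the four phases of
# Figure 3.16. Third field: True when the message is optional (dashed line).
# change_cipher_spec is listed because the figure includes it in phase 4.
SEQUENCE = [
    ("client", "client_hello", False),          # phase 1
    ("server", "server_hello", False),
    ("server", "certificate", True),            # phase 2
    ("server", "server_key_exchange", True),
    ("server", "certificate_request", True),
    ("server", "server_hello_done", False),
    ("client", "certificate", True),            # phase 3
    ("client", "client_key_exchange", False),
    ("client", "certificate_verify", True),
    ("client", "change_cipher_spec", False),    # phase 4
    ("client", "finished", False),
    ("server", "change_cipher_spec", False),
    ("server", "finished", False),
]


def check_handshake(trace):
    """Return None for a valid handshake, otherwise a description of the fault.

    trace is a list of (sender, message_name) tuples in arrival order.
    """
    pos = 0
    seen = set()
    for msg in trace:
        # Walk forward through the expected sequence, skipping optional
        # messages, until this message matches or a mandatory one is missing.
        while pos < len(SEQUENCE):
            sender, name, optional = SEQUENCE[pos]
            pos += 1
            if msg == (sender, name):
                break
            if not optional:
                return (f"unexpected_message: got {msg[0]} {msg[1]}, "
                        f"expected {sender} {name}")
        else:
            return f"unexpected_message: {msg[0]} {msg[1]} after end of handshake"

        # Phase 3 dependencies: the client certificate is sent only on request,
        # and certificate_verify only makes sense after a client certificate.
        if msg == ("client", "certificate") and \
                ("server", "certificate_request") not in seen:
            return "unexpected_message: client certificate was not requested"
        if msg == ("client", "certificate_verify") and \
                ("client", "certificate") not in seen:
            return "unexpected_message: certificate_verify without client certificate"
        seen.add(msg)

    missing = [f"{s} {n}" for s, n, opt in SEQUENCE[pos:] if not opt]
    if missing:
        return "incomplete handshake: missing " + ", ".join(missing)
    return None


# Constructed traces: server authentication only, then mutual authentication.
SERVER_AUTH_ONLY = [
    ("client", "client_hello"), ("server", "server_hello"),
    ("server", "certificate"), ("server", "server_hello_done"),
    ("client", "client_key_exchange"),
    ("client", "change_cipher_spec"), ("client", "finished"),
    ("server", "change_cipher_spec"), ("server", "finished"),
]
MUTUAL_AUTH = [(s, n) for s, n, _ in SEQUENCE]

if __name__ == "__main__":
    for label, trace in [("server auth", SERVER_AUTH_ONLY),
                         ("mutual auth", MUTUAL_AUTH),
                         ("truncated", SERVER_AUTH_ONLY[:2])]:
        print(label, "->", check_handshake(trace) or "ok")
```
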



III.4 SECURE ELECTRONIC TRANSACTION

III.4.1 Overview of SET:
Secure Electronic Transaction, or SET, is a technique designed to protect important information exchanged over the network (for example credit card numbers) in payment transactions carried out over the Internet.
SET version 1 was proposed in 1996 (led by MasterCard and Visa); many other vendors later joined its development (such as Microsoft, IBM, Netscape, RSA, Terisa and Verisign).
SET is not a payment system. It is only a security protocol that allows the endpoints to exchange confidential information, in particular bank account information, over public environments such as the Internet.
-Features of SET:
  -Confidentiality of information: in particular bank account information when it is exchanged over the network. SET also prevents the merchant from learning the buyer's credit card number. Conventional encryption with the DES algorithm is used to provide this function.

  -Data integrity: the order, payment and personal information sent from a buyer to a merchant is guaranteed to remain intact and unaltered. DSA digital signatures with the SHA-1 hash function are used to provide this feature (in some SET messages, HMAC is used instead of DSA).

  -Cardholder account authentication: allows the merchant to verify that the card user is the legitimate owner of the account in question. To do this, SET uses the X.509 version 3 authentication standard.

  -Merchant authentication: SET allows the cardholder to verify that the merchant has a relationship with a financial institution that accepts payment by card. This function is also implemented with X.509 version 3.

One point to note is that SET operates by accessing the TCP/IP layer directly, without using other application-layer protocols. Even so, the operation of SET does not affect other security mechanisms such as IPSec or SSL.
-Components of SET:
-Cardholder: The person who uses a credit card to carry out payment transactions on the Internet (the buyer).
-Merchant: An individual or organization that sells goods or services over the network (through the web or email). The merchant must be able to accept payment by card and must have a relationship with a financial institution (the Acquirer).
-Issuer: The financial institution (usually a bank) that issues the credit card. This institution is responsible for making payments at the request of the card user.
-Acquirer: Another financial institution that has a relationship with the merchant and carries out the authentication of the buyer's account and the payment. The acquirer checks the buyer's account in order to tell the merchant whether the balance in the buyer's account is sufficient to carry out the transaction. After the purchase has taken place, the acquirer transfers the money from the buyer's account to the merchant's account and at the same time issues a payment request to the bank that issued the card (the Issuer).
-Payment gateway: The component responsible for processing the payment messages, operated by the acquirer or by a designated third party. The payment gateway interfaces between SET and the bank's payment system to carry out the authorization and payment operations. The merchant therefore actually exchanges messages with the payment gateway over the Internet, and the payment gateway then links to the Acquirer's financial processing system.
-Certification authority (CA): The component that creates certificates according to the X.509v3 standard and distributes them to the Cardholder, the Merchant and the Payment Gateway. The success of SET depends on the existence of the CA. CAs are usually organized in a hierarchical model in which many CAs are related to one another.
[Figure 3.17: Components of SET. The Cardholder and the Merchant are connected through the Internet; the other components shown are the Certification authority (CA), the Issuer, the payment network, the Acquirer and the Payment gateway.]

-Carrying out a transaction with SET:

A typical SET transaction consists of the following steps:
1. The customer opens an account at a bank that offers payment over the network (for example MasterCard, Visa card, …) and becomes a Cardholder.
2. The customer receives an X.509v3 certificate, digitally signed by the bank, which contains the customer's RSA public key and the expiry date.
3. The merchant receives certificates: the merchant must have two different certificates containing public keys for two purposes, message signing and key exchange. In addition, the merchant also holds a copy of the Payment gateway's certificate.
4. The customer places an order: this is done through the merchant's website or by email.
5. The merchant is verified: the merchant sends its certificate to the buyer to prove its ownership of a given store.
6. The order and payment instructions are sent: the buyer sends the order and the payment instruction to the merchant together with the buyer's own certificate. The payment information (the credit card number) is encrypted so that the merchant cannot see it but can still check its validity.
7. The merchant requests authorization of the payment through the Payment gateway.
8. The merchant confirms the order by sending a notification to the buyer.
9. The merchant delivers the goods (or begins providing the service) to the buyer.
10. The merchant requests payment through the Payment gateway.

III.4.2 Dual signature:

Dual signature is a term used in SET to describe a link between two messages that are sent by the same sender but to two different recipients.
When buying over the network, the customer sends the order information OI (Order information) with his or her signature to the merchant, and at the same time sends the payment information PI (Payment information) to the bank, also with his or her signature. In principle, the bank does not need to know the details of the order, and the merchant does not need to know the details of the payment. The dual signature is used in this situation to avoid the disputes that arise when the order information and the payment information do not match. Figure 3.18 describes the operation of the dual signature.
-The buyer applies the hash function to PI and to OI (using SHA-1); the two hash values are then concatenated, the hash function is applied once more, and the result is encrypted with the buyer's own private key to form the dual signature:
DS = E([H(H(PI) + H(OI))], PRc)
where PRc is the buyer's private key.
-The merchant verifies the buyer's signature by computing two values:
H(PIMD + H[OI]) and D(DS, PUc)
where PIMD is the hash of PI, PUc is the customer's public key, and DS is the dual signature received with the order.
If the two values are equal, the signature is considered correct and the order is accepted.
-In parallel, the bank also verifies the dual signature by comparing the following two values:
H(H[PI] + OIMD) and D(DS, PUc)
where OIMD is the message digest of OI.
If the two computed values are equal, the signature is considered correct and the payment instruction is accepted.
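The dual-signature computation and the two verifications described above can be followed end to end in a few lines. This is an added example, not code from the lecture notes: it uses SHA-1 as the text specifies, but the RSA key is a toy textbook key built from two Mersenne primes, with no padding, chosen only so that the arithmetic runs with the standard library; the function names and the sample PI and OI strings are constructed.

```python
import hashlib

# Toy RSA key pair for the cardholder (assumption for illustration only).
# 2**89 - 1 and 2**107 - 1 are Mersenne primes, giving a ~196-bit modulus,
# just large enough to hold a 160-bit SHA-1 digest. Far too small and too
# structured for real use; real SET used proper RSA keys with padding.
P, Q = 2**89 - 1, 2**107 - 1
N = P * Q                              # modulus, part of PUc
E = 65537                              # public exponent, part of PUc
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, PRc


def H(data: bytes) -> bytes:
    """Hash function H of the text (SHA-1)."""
    return hashlib.sha1(data).digest()


def pomd(pimd: bytes, oimd: bytes) -> int:
    """POMD = H(PIMD + OIMD), returned as an integer for the RSA step."""
    return int.from_bytes(H(pimd + oimd), "big")


def sign_dual(pi: bytes, oi: bytes) -> int:
    """Cardholder: DS = E([H(H(PI) + H(OI))], PRc)."""
    return pow(pomd(H(pi), H(oi)), D, N)


def merchant_verify(oi: bytes, pimd: bytes, ds: int) -> bool:
    """Merchant sees OI and only the digest of PI: H(PIMD + H[OI]) == D(DS, PUc)."""
    return pomd(pimd, H(oi)) == pow(ds, E, N)


def bank_verify(pi: bytes, oimd: bytes, ds: int) -> bool:
    """Bank sees PI and only the digest of OI: H(H[PI] + OIMD) == D(DS, PUc)."""
    return pomd(H(pi), oimd) == pow(ds, E, N)


# Constructed sample data.
PI = b"card=0000-0000-0000-0000;amount=120.00;txid=42"
OI = b"order=2 books;total=120.00;txid=42"

if __name__ == "__main__":
    ds = sign_dual(PI, OI)
    print("merchant accepts:", merchant_verify(OI, H(PI), ds))
    print("bank accepts:    ", bank_verify(PI, H(OI), ds))
    # A merchant that swaps in a different order cannot reuse the signature,
    # and the bank detects a PI that is paired with another order's digest.
    print("altered OI:      ", merchant_verify(b"order=20 books", H(PI), ds))
    print("mismatched OIMD: ", bank_verify(PI, H(b"order=20 books"), ds))
```

The merchant never handles PI and the bank never handles OI, yet each can confirm that the half it received belongs to the same signed pair.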
[Figure 3.18: Dual signature. PI -> H -> PIMD; OI -> H -> OIMD; PIMD || OIMD -> H -> POMD; POMD encrypted with PRc -> dual signature.]
PI: Payment Information
OI: Order Information
H: Hash function (SHA-1)
||: Concatenation of two blocks of information
PIMD: PI message digest
OIMD: OI message digest
POMD: Payment Order message digest
E: Encryption algorithm (RSA)
PRc: The buyer's private key

III.4.3 Payment processing in SET:

Payment processing is the most important stage of a SET transaction. It consists of the following 3 tasks:
-Purchase Request.
-Payment Authorization.
-Payment Capture.


Table 3.1: SET transactions (transaction name: meaning)

-Cardholder registration: The buyer registers with the CA before carrying out other SET transactions with the merchant.
-Merchant registration: The merchant registers with the CA before exchanging SET messages with customers and with the Payment gateway.
-Purchase request: A message sent by the buyer, containing the order (OI) for the merchant and the payment instruction (PI) for the bank.
-Payment authorization: An exchange between the merchant and the Payment gateway to check the balance in the buyer's account.
-Payment capture: The merchant sends a payment request to the Payment gateway.
-Certificate inquiry and status: If the CA cannot process a certificate request immediately, it replies to the buyer and the merchant about this delay. The buyer or the merchant can then use this transaction to check the status of the certificate. If the certificate has been processed, the customer or the merchant receives it.
-Purchase inquiry: The buyer checks the status of the order after confirming the order with the merchant.
-Authorization reversal: The merchant corrects a previous authorization request. If the order cannot be fulfilled, the whole of the previous authorization is reversed. If the order is only partly fulfilled (the buyer returns part of it), the merchant reverses only the corresponding part of the authorization.
-Capture reversal: The merchant corrects the payment request information sent to the Payment gateway.
-Credit: The merchant returns money to the buyer's account when goods are returned for some reason (damaged, wrong specification, …).
-Credit reversal: The merchant corrects the preceding request to return money to the buyer's account (the Credit transaction).
-Payment gateway certificate request: The merchant requests a copy of the Payment gateway's certificate.
-Batch administration: The merchant informs the Payment gateway about delivery batches.
-Error message: Reports an error that occurred in the transaction.

-Purchase request:

The purchase request procedure starts only after the buyer has finished selecting goods and placing the order over the network. Note that selecting goods and ordering are carried out over ordinary connections (such as e-mail or web) without any involvement of SET.
The purchase request process consists of 4 transactions: Initiate Request, Initiate Response, Purchase Request and Purchase Response.
To send SET messages to the merchant, the buyer needs a copy of the certificates of the Merchant and of the Payment gateway. The Initiate Request message is used to ask the merchant to supply the necessary certificates to the buyer.
The merchant answers the Initiate Request with an Initiate Response message, which contains the random value (nonce) generated earlier by the buyer, another random value generated by the merchant, the identifier of the current transaction, and the certificates of the merchant itself and of the Payment gateway. All of this information is authenticated by the merchant's signature.
The buyer verifies the certificates received, then creates the order information (OI) and the payment information (PI), both of which contain the transaction identifier the merchant has just created. The buyer then prepares the Purchase Request message. This message contains the following information:

-The payment-related information, comprising PI, the dual signature, OIMD and a digital envelope. This information is encrypted with the secret key Ks, which the buyer generates for each session.

-The order-related information, comprising OI, the dual signature and PIMD. Note that OI is sent directly, without encryption.

-The buyer's certificate.

When the merchant receives the Purchase Request, it performs the following operations:

-Verify the buyer's certificate.

-Verify the buyer's dual signature.

-Process the order and forward the payment information to the Payment Gateway for checking.

-Send the Purchase Response message to the buyer.

The Purchase Response message contains the acknowledgment of the order and references to the corresponding transaction identifier. This information is signed by the merchant and sent to the buyer together with the merchant's certificate.
On receiving the Purchase Response message, the buyer checks the merchant's signature and certificate.
[Figure 3.19: Construction of the Purchase Request message by the buyer. Labels: the part of the information that the merchant forwards to the Payment Gateway (PI, Dual Signature, OIMD, Ks, Digital envelope, PUb); the part of the information received by the merchant (PIMD, OI, Dual Signature, Cardholder certificate).]


-Payment authorization:
This is the procedure by which the merchant verifies the validity of the buyer through the Payment Gateway. The authorization process ensures that the transaction is approved by the bank that issued the card (the Issuer), so that the merchant is guaranteed payment. It is carried out through two messages: Authorization Request and Authorization Response.

[Figure 3.18: Verification of the purchase request (Purchase Request) at the Merchant. Labels: Purchase Request message; information forwarded by the Merchant to the Payment Gateway; Digital envelope; PIMD; OI -> H -> OIMD; H -> POMD; Dual signature -> D (with PUc from the Cardholder certificate) -> POMD; Compare.]

The Authorization Request message that the merchant sends to the Payment Gateway contains the following information:

-The purchase-related information, comprising PI, the dual signature, OIMD and the digital envelope.

-The authorization-related information, comprising the transaction identifier, encrypted with a secret key generated by the merchant, and a digital envelope, encrypted with the public key of the Payment gateway.

-The certificates of the buyer and of the merchant.

On receiving the Authorization Request, the Payment Gateway performs the following operations:

-Verify all the certificates.

-Decrypt the digital envelope of the purchase information block.

-Verify the merchant's signature.

-Decrypt the digital envelope of the authorization information block.

-Verify the dual signature.

-Verify the transaction identifier (transaction ID).

-Request authorization from the bank that issued the card.

If it receives a successful authorization from the issuing bank, the Payment Gateway responds with an Authorization Response message containing the following information:

-The authorization-related information, comprising the authorization block, signed by the Payment Gateway and encrypted with a secret key generated by the Payment Gateway, together with a digital envelope.

-The information related to payment capture.

-The certificate of the Payment gateway.

With this authorization, the merchant can begin delivering the goods or providing the service to the buyer.
-Payment capture:
To obtain payment, the merchant carries out a transaction with the Payment Gateway called the Capture transaction, which is performed through two messages: Capture Request and Capture Response.
In the Capture Request message, the merchant creates the payment request information, which includes the payment amount and the transaction identifier (transaction ID), together with the authorization information received earlier from the Payment Gateway and the merchant's signature and certificate.
The Payment Gateway receives this message, decrypts it and performs the necessary checks before asking the issuing bank to transfer the money to the merchant. Finally, the Payment Gateway notifies the merchant with a Capture Response message.
Chapter summary:
-Security applications are built on the basic techniques presented in chapter 2, including symmetric cryptography, asymmetric cryptography, hash functions, digital signatures, public-key certificates, …
-Authentication is regarded as the most basic technique for managing access. The password is the simplest and most effective means of authentication to date. However, passwords are managed and used by people, so reasonable policies are needed to ensure that passwords are not disclosed.
-In the point-to-point communication model, the two authentication protocols commonly used are PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). Of the two, CHAP has more advantages and is more secure because it does not send the password directly over the network.
-In the distributed model, the authentication protocol must meet two requirements: the authentication information must not be stolen, and the user must need to authenticate only once for all the services in the distributed system. Kerberos is an authentication protocol that meets both requirements.
-The IP Security (IPSec) protocol is an extension of the IP protocol that allows the network layer to provide confidentiality and integrity for the data transmitted over the network. IPSec is a complex standard, comprising the specifications of many other standards, and is deployed on the basis of two basic encapsulation protocols, ESP and AH. IPSec operates in two modes, transport mode and tunnel mode. The operation of IPSec is transparent to application-layer protocols.
-The SSL (Secure Sockets Layer) protocol is an additional protocol that operates on top of TCP. SSL provides two basic services, encryption and data authentication / endpoint authentication, for Internet applications such as web, e-mail, … SSL is very widely used on the Internet today, especially in procedures that exchange confidential information between client and server, such as logging in to a mailbox or entering a credit card number when buying goods, …
-SET (Secure Electronic Transaction) is a security application for payment systems over the network. SET is an application that accesses the TCP layer directly (that is, not through application protocols such as mail or web, …). SET defines a complex model with many entities, such as the buyer, the merchant, the bank that issues the card, the acquirer, the payment gateway, … SET was developed by reputable financial organizations such as MasterCard and VISA and by technology organizations such as Microsoft, IBM, RSA, Verisign, …

QUESTIONS AND EXERCISES.
A- Multiple-choice questions.
Question 1. Principles for keeping passwords secure on the user side:
a- Set a maximum lifetime for the password.
b- Do not use passwords that are too short, passwords that contain the user name, or passwords that are dictionary words.
c- Encrypt passwords when they are stored.
d- All of the above are correct.
Question 2. In the simple network authentication procedure, which mechanism ensures that each ticket is used by only one machine?
a- The client must be authenticated by the Authentication Server (AS).
b- The ticket issued to the client contains the network address of the client (ADC).
c- The ticket contains the identity of the server providing the service (IDV).
d- All of the above are correct.
Question 3. What is the purpose of the TGS (Ticket Granting Server) in the network authentication procedure?
a- To allow the user to log in only once but use many services.
b- To reduce the processing load on the AS.
c- To limit the sending of passwords directly over the network.
d- All of the above are wrong.
Question 4. Choose the correct statement about the Kerberos 4 authentication protocol:
a- It uses the DES encryption algorithm.
b- To use a service, the client must perform 2 operations: authenticate to the AS to be issued a Ticket-granting-Ticket, then authenticate to the TGS to receive a Service-granting-Ticket before it can send a request to the server providing the service.
c- The user needs to enter the password only once during the whole working session.
d- All of the above are correct.
Question 5. In Kerberos 4, what information does the authentication request message sent from the client to the AS contain?
a- The identity of the user (IDC), the identity of the TGS (IDtgs) and the synchronization timestamp TS1.
b- The login name and the password.
c- The login name and the network address of the client.
d- The encrypted password and the network address of the client.
Question 6. In Kerberos 4, what information does the service request message sent from the client to the service server contain?
a- The service ticket issued by the TGS.
b- The service ticket issued by the TGS and the login name.
c- The service ticket together with the Authenticator (IDc + ADC + TS5), sent directly.
d- The service ticket together with the Authenticator (IDc + ADC + TS5), encrypted with the secret key shared between the client and the server providing the service.
Question 7. What is a Kerberos realm?
a- A system comprising the Kerberos server, the servers providing services and many clients.
b- The part of the network managed by one AS.
c- The part of the network managed by one TGS.
d- All of the above are wrong.
Question 8. Differences between Kerberos 4 and Kerberos 5:
a- Kerberos 5 does not limit the lifetime of a ticket; Kerberos 4 limits the lifetime of a ticket to about 21 hours.
b- Kerberos 5 uses asymmetric cryptography; Kerberos 4 uses symmetric cryptography.
c- Kerberos 5 uses the login name and password to authenticate the user; Kerberos 4 uses the IP address for authentication.
d- All of the above are correct.
Question 9. Applications of IPSec:
a- Building secure websites for e-commerce applications.
b- Building virtual private networks (VPN) over the public Internet.
c- Allowing secure remote access.
d- All of the above applications.
Question 10. Choose the correct statement about IPSec:
a- When IPSec is used, the size of IP packets increases, so transmission efficiency decreases.
b- When IPSec is installed on a system, it protects all the application services running on that system.
c- IPSec can be implemented as an application program.
d- Statements a and b.
Question 11. What is an SA?
a- An IPSec connection between any two computers.
b- A one-way communication relationship between two IPSec entities.
c- An application that analyses and assesses the security level of the system.
d- All of the above are wrong.
Question 12. Characteristics of AH:
a- It can encrypt all the data exchanged between IPSec entities.
b- It uses digital signatures to authenticate information.
c- Transport mode only allows data authentication between two network devices (routers) that support IPSec.
d- All of the above are wrong.
Question 13. The ESP protocol:
a- Provides encryption and data authentication mechanisms.
b- The ESP header consists of two parts, placed before and after the original IP packet.
c- Uses symmetric encryption to protect data.
d- All of the above are correct.
Question 14. Key management in IPSec:
a- Its function is to create and distribute the public keys of the IPSec endpoints.
b- PKI can be used for the purpose of key management in IPSec.
c- It uses the ISAKMP protocol to create and distribute secret keys between the IPSec endpoints.
d- All of the above are wrong.
Question 15. Characteristics of SSL:
a- It is a component of the operating system.
b- It provides secure connections for all application services on the same system.
c- It uses symmetric encryption to encrypt data.
d- All of the above characteristics.
Question 16. Functions of the SSL record protocol:
a- Fragmenting the data, compressing it, creating the authentication code and encrypting the data.
b- Providing mechanisms that ensure the integrity and confidentiality of data.
c- Compressing data to increase transmission efficiency.
d- All of the above are wrong.
Question 17. Which of the following functions does the handshake protocol in SSL perform:
a- Establishing the connection parameters between client and server.
b- Exchanging certificates so that the client obtains the server's public key and vice versa; these keys are used to encrypt the data exchanged between client and server.
c- Changing the parameters of the cipher algorithm.
d- Statements a and c.
Question 18. Secure Electronic Transaction (SET):
a- Is an e-commerce application built on IPSec.
b- Is a security protocol for payment applications over the network.
c- Uses asymmetric cryptography (RSA) to encrypt information.
d- All of the above are correct.
Question 19. In a SET transaction:
a- The buyer (cardholder) must have a credit card issued by a bank that supports payment over the network.
b- The merchant must have a relationship with the bank that issued the card.
c- The transfer of money from the buyer's account to the merchant's account is carried out at the merchant's request without any third party.
d- Selecting goods and deciding to buy must be done through a SET transaction in order to be valid.
Question 20. What is a dual signature?
a- A single signature of which two copies are sent to two parties at the same time.
b- A signature made up of two components, which authenticates two different contents to two different parties.
c- Two different signatures combined in one message to save transmission cost.
d- A signature created by applying the signing function twice to the same original block of information in order to ensure the security of the signature.
Question 21. The order in which the transactions in SET are carried out:
a- Payment authorization, purchase request, payment capture.
b- Purchase request, payment authorization, payment capture.
c- Purchase request, payment capture, payment authorization.
d- The order may differ from case to case.
B- Exercises
Question 22. In the AH protocol of IPSec, the authentication code (MAC) is not computed over the whole IP packet but only over the parts that do not change in transit (immutable) or the parts that change but can be predicted. Indicate which parts of an IP (version 4) packet change, do not change, or change in a predictable way in transit.
Question 23. In the transport mode of IPSec, another header of the IP packet is created alongside the old header. Which components of the new header are the same as in the old header?
Question 24. Configure IPSec on Windows 2003 server.
Question 25. Install and configure SSL for a Website on Windows 2003 server.

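GUIDE TO ANSWERING THE QUESTIONS AND EXERCISES.
Chapter I:
Question 1.    Question 9.    Question 17.    Question 25.
Question 2.    Question 10.    Question 18.    Question 26.
Question 3.    Question 11.    Question 19.    Question 27.
Question 4.    Question 12.    Question 20.    Question 28.
Question 5.    Question 13.    Question 21.    Question 29.
Question 6.    Question 14.    Question 22.    Question 30.
Question 7.    Question 15.    Question 23.    Question 31.
Question 8.    Question 16.    Question 24.

Chapter II:
Question 1.    Question 6.    Question 11.    Question 16.
Question 2.    Question 7.    Question 12.    Question 17.
Question 3.    Question 8.    Question 13.    Question 18.
Question 4.    Question 9.    Question 14.    Question 19.
Question 5.    Question 10.    Question 15.    Question 20.
Question 21. Carry out the DES algorithm by hand. Note that the subkey is K16.
Question 22. Prove it in the same way for the Feistel structure.
Question 23.
Question 24. Carry out the AES key expansion (expand key) operation by hand.
Question 25. Carry out the RSA algorithm with the corresponding parameters.
Question 26. Carry out the Diffie-Hellman algorithm.

Chapter III:
Question 1.    Question 7.    Question 13.    Question 19.
Question 2.    Question 8.    Question 14.    Question 20.
Question 3.    Question 9.    Question 15.    Question 21.
Question 4.    Question 10.    Question 16.
Question 5.    Question 11.    Question 17.
Question 6.    Question 12.    Question 18.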

ABBREVIATIONS.

3DES: Triple Data Encryption Standard
AAA: Access Control, Authentication, Auditing
AES: Advanced Encryption Standard
AH: Authentication Header
ANSI: American National Standards Institute
AS: Authentication Server
CBC: Cipher Block Chaining
CC: Common Criteria
CESG: Communications-Electronics Security Group
CFB: Cipher Feedback
CHAP: Challenge Handshake Authentication Protocol
CIA: Confidentiality, Integrity, Availability
CMAC: Cipher-Based Message Authentication Code
CRT: Chinese Remainder Theorem
DAC: Discretionary Access Control
DDoS: Distributed Denial of Service
DES: Data Encryption Standard
DoS: Denial of Service
DSA: Digital Signature Algorithm
DSS: Digital Signature Standard
ECB: Electronic Codebook
ESP: Encapsulating Security Payload
FIPS: Federal Information Processing Standard
HMAC: Hash-based Message Authentication Code
IAB: Internet Architecture Board
ICMP: Internet Control Message Protocol
IDS: Intrusion Detection System
IDEA: International Data Encryption Algorithm
IETF: Internet Engineering Task Force
IP: Internet Protocol
IPSec: IP Security
ISAKMP: Internet Security Association and Key Management Protocol
ISO: International Organization for Standardization
ITU: International Telecommunication Union
ITU-T: ITU Telecommunication Standardization Sector
IV: Initialization Vector
KDC: Key Distribution Center
LAN: Local Area Network
MAC: Message Authentication Code
MAC: Mandatory Access Control
MD5: Message Digest, Version 5
MIC: Message Integrity Code
MIME: Multipurpose Internet Mail Extension
MITM: Man-in-the-middle attack
MTU: Maximum Transmission Unit
NAT: Network Address Translation
NIST: National Institute of Standards and Technology
NSA: National Security Agency
NTFS: NT File System
OFB: Output Feedback
PAP: Password Authentication Protocol
PCBC: Propagating Cipher Block Chaining
PGP: Pretty Good Privacy
PKI: Public Key Infrastructure
PRNG: Pseudorandom Number Generator
RBAC: Role-based Access Control
RFC: Request for Comments
RNG: Random Number Generator
SATAN: System Administrator Tool for Analyzing Network
RSA: Rivest-Shamir-Adleman
SET: Secure Electronic Transaction
SHA: Secure Hash Algorithm
SHS: Secure Hash Standard
S/MIME: Secure MIME
SNMP: Simple Network Management Protocol
SNMPv3: Simple Network Management Protocol Version 3
SSL: Secure Sockets Layer
TCP: Transmission Control Protocol
TGS: Ticket-Granting Server
TLS: Transport Layer Security
UDP: User Datagram Protocol
WAN: Wide Area Network


MC LC
CHNG I

TNG QUAN V BO MT H THNG THNG TIN ............................... 2

I.1

TNG QUAN .................................................................................................................. 2

I.2

CC C TRNG CA MT H THNG THNG TIN BO MT ...................... 3

I.2.1

Tnh b mt: ................................................................................................................. 4

I.2.2

Tnh ton vn: .............................................................................................................. 4

I.2.3

Tnh kh dng: ............................................................................................................. 5

I.3

CC NGUY C V RI RO I VI H THNG THNG TIN ............................. 6

I.3.1

Nguy c: ...................................................................................................................... 6

I.3.2

Ri ro v qun l ri ro:............................................................................................... 7

I.3.3

Vn con ngi trong bo mt h thng:.................................................................. 8

I.4

NGUYN TC XY DNG MT H THNG BO MT ....................................... 9

I.4.1

Chnh sch v c ch: .................................................................................................. 9

I.4.2

Cc mc tiu ca bo mt h thng: .......................................................................... 11

I.5

CHIN LC BO MT H THNG AAA ............................................................. 12

I.5.1

iu khin truy xut: ................................................................................................. 12

I.5.2

Xc thc:.................................................................................................................... 14

I.5.3

Kim tra: .................................................................................................................... 16

I.6

CC HNH THC XM NHP H THNG............................................................. 18

I.6.1

Cc phng thc tn cng: ........................................................................................ 20

I.6.2

Cc phng thc xm nhp h thng bng phn mm ph hoi ............................... 27

I.7

K THUT NGN CHN V PHT HIN XM NHP ....................................... 30

I.7.1

Tng la: ................................................................................................................. 30

I.7.2

H thng pht hin xm nhp: ................................................................................... 33

CHNG II MT M V XC THC THNG TIN ......................................................... 42


II.1

TNG QUAN V MT M: ....................................................................................... 42

II.1.1

Gii thiu: .............................................................................................................. 42

II.1.2

Cc thnh phn ca mt h thng m ho: ............................................................ 42

II.1.3

Cc tiu ch c trng ca mt h thng m ho: ................................................. 43

II.1.4

Tn cng mt h thng mt m: ............................................................................ 43

II.2

K THUT MT M I XNG: ............................................................................ 44

II.2.1

Cu trc m khi c bn Feistel: ........................................................................... 45

II.2.2

Thut ton mt m DES: ....................................................................................... 49

II.2.3

Thut tan mt m Triple DES:............................................................................. 55

II.2.4

Thut tan mt m AES: ....................................................................................... 57

II.2.5

Cc thut ton mt m i xng khc: .................................................................. 63


134

II.3 ASYMMETRIC ENCRYPTION TECHNIQUES

II.3.1 Structure of an asymmetric cryptosystem

II.3.2 The RSA encryption algorithm

II.3.3 The Diffie-Hellman key exchange algorithm

II.3.4 Evaluation of asymmetric encryption techniques

II.4 HASH FUNCTIONS

II.4.1 Message authentication

II.4.2 Secure hash functions

II.4.3 The SHA hash algorithm

II.4.4 The MD5 hash algorithm

II.5 DIGITAL SIGNATURES

II.5.1 Operating principle of digital signatures

II.5.2 The DSS signature standard

II.6 KEY MANAGEMENT

II.6.1 Public-key management in asymmetric cryptography

II.6.2 Using asymmetric cryptography to exchange secret keys

II.6.3 Public key infrastructure

CHAPTER III SECURITY APPLICATIONS IN INFORMATION SYSTEMS

III.1 AUTHENTICATION PROTOCOLS

III.1.1 Passwords

III.1.2 Authentication in the point-to-point model

III.1.3 Authentication in distributed systems

III.1.4 The Kerberos authentication protocol

III.2 IP SECURITY

III.2.1 Applications and characteristics of IPSec

III.2.2 IPSec architecture

III.2.3 Security associations

III.2.4 Transport mode and tunnel mode

III.2.5 AH

III.2.6 ESP

III.2.7 Key management in IPSec

III.3 SECURE SOCKETS LAYER

III.3.1 SSL architecture

III.3.2 The SSL data transfer protocol

III.3.3 Change cipher spec protocol

III.3.4 Alert protocol

III.3.5 Handshake protocol

III.3.6 Comparison of SSL and IPSec



III.4 SECURE ELECTRONIC TRANSACTION

III.4.1 Overview of SET

III.4.2 Dual signatures

III.4.3 Payment processing in SET

ANSWER GUIDE FOR QUESTIONS AND EXERCISES

ABBREVIATIONS

REFERENCES