Anninhmang K13 MTT

I HC QUC GIA H NI
TRNG I HC CNG NGH
AN NINH MNG
TS. Nguyn i Th
B mn Mng & Truyn thng My tnh
Khoa Cng ngh Thng tin

thond_cn@vnu.edu.vn
Nm hc 2007-2008
Nguyn i Th
An ninh Mng
Chng 1
Gii thiu
Nguyn i Th
An ninh Mng
Bi cnh
Nhu cu m bo an ninh thng tin c nhng
bin i ln
Trc y
Ch cn cc phng tin vt l v hnh chnh
T khi c my tnh
Cn cc cng c t ng bo v tp tin v cc thng tin khc
lu tr trong my tnh
T khi c cc phng tin truyn thng v mng

Cn cc bin php bo v d liu truyn trn mng
Nguyn i Th
An ninh Mng
Cc khi nim
An ninh thng tin
Lin quan n cc yu t ti nguyn, nguy c, hnh
ng tn cng, yu im, v iu khin
An ninh my tnh
Cc cng c bo v d liu v phng chng tin tc
An ninh mng
Cc bin php bo v d liu truyn trn mng
An ninh lin mng

Cc bin php bo v d liu truyn trn mt tp hp
cc mng kt ni vi nhau
Nguyn i Th
An ninh Mng
Mc tiu mn hc
Ch trng an ninh lin mng
Nghin cu cc bin php ngn cn, phng
chng, pht hin v khc phc cc vi phm an
ninh lin quan n truyn ti thng tin
Nguyn i Th
An ninh Mng
m bo an ninh thng tin

thc hin c hiu qu cn ra mt phng
thc chung cho vic xc nh cc nhu cu v an
ninh thng tin
Phng thc a ra s xt theo 3 mt
Hnh ng tn cng
C ch an ninh
Dch v an ninh
Nguyn i Th
An ninh Mng
Dch v an ninh
L mt dch v nng cao an ninh ca cc h
thng x l thng tin v cc cuc truyn d liu
trong mt t chc
Nhm phng chng cc hnh ng tn cng
S dng mt hay nhiu c ch an ninh
C cc chc nng tng t nh m bo an
ninh ti liu vt l
Mt s c trng ca ti liu in t khin vic
cung cp cc chc nng m bo an ninh kh
khn hn
Nguyn i Th
An ninh Mng
C ch an ninh
L c ch nh ra pht hin, ngn nga v
khc phc mt hnh ng tn cng
Khng mt c ch n l no c th h tr tt c
cc chc nng m bo an ninh thng tin
C mt yu t c bit hu thun nhiu c ch
an ninh s dng hin nay l cc k thut mt m
Mn hc s ch trng lnh vc mt m
Nguyn i Th
An ninh Mng
Hnh ng tn cng
L hnh ng ph hoi an ninh thng tin ca
mt t chc
An ninh thng tin l nhng cch thc ngn nga
cc hnh ng tn cng, nu khng c th
pht hin v khc phc hu qu
Cc hnh ng tn cng c nhiu v a dng
Ch cn tp trung vo nhng th loi chung nht
Lu : nguy c tn cng v hnh ng tn cng
thng c dng ng ngha vi nhau
Nguyn i Th
An ninh Mng
Kin trc an ninh OSI

Kin trc an ninh cho OSI theo khuyn ngh
X.800 ca ITU-T
nh ra mt phng thc chung cho vic xc
nh cc nhu cu v an ninh thng tin
Cung cp mt ci nhn tng quan v cc khi
nim mn hc s cp n
Ch trng n cc dch v an ninh, cc c ch
an ninh v cc hnh ng tn cng
Nguyn i Th
An ninh Mng
10
Cc dch v an ninh
Theo X.800
Dch v an ninh l dch v cung cp bi mt tng giao
thc ca cc h thng m kt ni nhm m bo an
ninh cho cc h thng v cc cuc truyn d liu
C 5 loi hnh
Theo RFC 2828

Dch v an ninh l dch v x l hoc truyn thng
cung cp bi mt h thng bo v ti nguyn theo
mt cch thc nht nh
Nguyn i Th
An ninh Mng
11
Cc dch v an ninh X.800

Xc thc
m bo thc th truyn thng ng l n
iu khin truy nhp

Ngn khng cho s dng tri php ti nguyn
Bo mt d liu
Bo v d liu khi b tit l tri php
Ton vn d liu
m bo nhn d liu ng nh khi gi
Chng chi b
Ngn khng cho bn lin quan ph nhn hnh ng
Nguyn i Th
An ninh Mng
12
Cc c ch an ninh X.800
Cc c ch an ninh chuyn dng
M ha, ch k s, iu khin truy nhp, ton vn d
liu, trao i xc thc, n tin truyn, iu khin nh
tuyn, cng chng
Cc c ch an ninh ph qut
Tnh nng ng tin, nhn an ninh, pht hin s kin,
du vt kim tra an ninh, khi phc an ninh
Nguyn i Th
An ninh Mng
13
Cc hnh ng tn cng
Cc hnh ng tn cng th ng
Nghe trm ni dung thng tin truyn ti
Gim st v phn tch lung thng tin lu chuyn
Cc hnh ng tn cng ch ng
Gi danh mt thc th khc

Pht li cc thng bo trc
Sa i cc thng bo ang lu chuyn
T chi dch v
Nguyn i Th
An ninh Mng
14
M hnh an ninh mng

Bn th ba ng tin
Thng tin
b mt
Chuyn i
lin quan
n an ninh
Thng bo
Knh
thng tin
Thng bo an ton
Chuyn i
lin quan
n an ninh
Bn nhn
Thng bo an ton
Thng bo
Bn gi
Thng tin
b mt
i th
Nguyn i Th
An ninh Mng
15
M hnh an ninh mng

Yu cu
Thit k mt gii thut thch hp cho vic chuyn i
lin quan n an ninh
To ra thng tin b mt (kha) i km vi gii thut
Pht trin cc phng php phn b v chia s thng
tin b mt
c t mt giao thc s dng bi hai bn gi v nhn
da trn gii thut an ninh v thng tin b mt, lm c
s cho mt dch v an ninh
Nguyn i Th
An ninh Mng
16
M hnh an ninh truy nhp mng

Cc ti nguyn tnh
ton (b x l, b nh,
ngoi vi)
i th
- Con ngi
Knh truy nhp
D liu
Cc tin trnh
- Phn mm
Chc nng
gc cng
Nguyn i Th
Phn mm
Cc iu khin an ninh
bn trong
An ninh Mng
17
M hnh an ninh truy nhp mng

Yu cu
La chn cc chc nng gc cng thch hp nh
danh ngi dng
Ci t cc iu khin an ninh m bo ch nhng
ngi dng c php mi c th truy nhp c
vo cc thng tin v ti nguyn tng ng
Cc h thng my tnh ng tin cy c th dng

ci t m hinh ny
Nguyn i Th
An ninh Mng
18
Chng 2
M HA I XNG
Nguyn i Th
An ninh Mng
19
Hai k thut m ha ch yu
M ha i xng
Bn gi v bn nhn s dng chung mt kha
Cn gi l
M ha truyn thng
M ha kha ring / kha n / kha b mt
L k thut m ha duy nht trc nhng nm 70

Hin vn cn c dng rt ph bin
M ha kha cng khai (bt i xng)

Mi bn s dng mt cp kha
Mt kha cng khai + Mt kha ring
Cng b chnh thc nm 1976

Nguyn i Th
An ninh Mng
20
Mt s cch phn loi khc

Theo phng thc x l
M ha khi
Mi ln x l mt khi nguyn bn v to ra khi bn m tng
ng (chng hn 64 hay 128 bit)
M ha lung
X l d liu u vo lin tc (chng hn mi ln 1 bit)
Theo phng thc chuyn i

M ha thay th
Chuyn i mi phn t nguyn bn thnh mt phn t bn
m tng ng
M ha hon v
B tr li v tr cc phn t trong nguyn bn
Nguyn i Th
An ninh Mng
21
M hnh h m ha i xng
Kha b mt dng chung
bi bn gi v bn nhn
Kha b mt dng chung

bi bn gi v bn nhn
Bn m
truyn i
Nguyn bn
u vo
Gii thut m ha
Gii thut gii m
M ha
Gii m
Y = EK(X)
X = DK(Y)
Nguyn i Th
An ninh Mng
Nguyn bn
u ra
22
M hnh h m ha i xng
Gm c 5 thnh phn
Nguyn bn
Gii thut m ha
Kha b mt
Bn m
Gii thut gii m
An ninh ph thuc vo s b mt ca kha,

khng ph thuc vo s b mt ca gii thut
Nguyn i Th
An ninh Mng
23
Ph m
L n lc gii m vn bn c m ha
khng bit trc kha b mt
C hai phng php ph m
Vt cn
Th tt c cc kha c th
Thm m
Khai thc nhng nhc im ca gii thut
Da trn nhng c trng chung ca nguyn bn hoc mt
s cp nguyn bn - bn m mu
Nguyn i Th
An ninh Mng
24
Phng php ph m vt cn
V l thuyt c th th tt c cc gi tr kha cho
n khi tm thy nguyn bn t bn m
Da trn gi thit c th nhn bit c nguyn
bn cn tm
Tnh trung bnh cn th mt na tng s cc
trng hp c th
Thc t khng kh khi nu di kha ln
Nguyn i Th
An ninh Mng
25
Thi gian tm kim trung bnh

Kch thc
kha (bit)
S lng kha
Thi gian cn thit

(1 gii m/s)
32
56
128
168
26 k t
(hon v)
232 = 4,3 x 109

256 = 7,2 x 1016
2128 = 3,4 x 1038
2168 = 3,7 x 1050
26! = 4 x 1026
231 s = 35,8 pht

255 s = 1142 nm
2127 s = 5,4 x 1024 nm
2167 s = 5,9 x 1036 nm
2 x 1026 s =
6,4 x 1012 nm
Kha DES di 56 bit

Kha AES di 128+ bit
Kha 3DES di 168 bit
Nguyn i Th
Thi gian cn thit

(106 gii m/s)
2,15 ms
10,01 gi
5,4 x 1018 nm
5,9 x 1030 nm
6,4 x 106 nm
Tui v tr : ~ 1010 nm
An ninh Mng
26
Cc k thut thm m
Ch c bn m
Ch bit gii thut m ha v bn m hin c
Bit nguyn bn
Bit thm mt s cp nguyn bn - bn m
Chn nguyn bn
Chn 1 nguyn bn, bit bn m tng ng
Chn bn m
Chn 1 bn m, bit nguyn bn tng ng
Chn vn bn
Kt hp chn nguyn bn v chn bn m
Nguyn i Th
An ninh Mng
27
An ninh h m ha
An ninh v iu kin
Bn m khng cha thng tin xc nh duy nht
nguyn bn tng ng, bt k vi s lng bao nhiu
v tc my tnh th no
Ch h m ha n mt ln l an ninh v iu kin
An ninh tnh ton

Tha mn mt trong hai iu kin
Chi ph ph m vt qu gi tr thng tin
Thi gian ph m vt qu tui th thng tin
Thc t tha mn hai iu kin

Khng c nhc im
Kha c qu nhiu gi tr khng th th ht
Nguyn i Th
An ninh Mng
28
M ha thay th c in
Cc ch ci ca nguyn bn c thay th bi
cc ch ci khc, hoc cc s, hoc cc k hiu
Nu nguyn bn c coi nh mt chui bit th
thay th cc mu bit trong nguyn bn bng cc
mu bit ca bn m
Nguyn i Th
An ninh Mng
29
H m ha Caesar
L h m ha thay th xut hin sm nht v n
gin nht
S dng u tin bi Julius Caesar vo mc ch
qun s
Dch chuyn xoay vng theo th t ch ci
Kha k l s bc dch chuyn
Vi mi ch ci ca vn bn
t p = 0 nu ch ci l a, p = 1 nu ch ci l b,...
M ha : C = E(p) = (p + k) mod 26
Gii m : p = D(C) = (C - k) mod 26
V d : M ha "meet me after class" vi k = 3

Nguyn i Th
An ninh Mng
30
Ph m h m ha Caesar
Phng php vt cn
Kha ch l mt ch ci (hay mt s gia 1 v 25)
Th tt c 25 kha c th
D dng thc hin
Ba yu t quan trng
Bit trc cc gii thut m ha v gii m
Ch c 25 kha th
Bit v c th d dng nhn ra c ngn ng ca
nguyn bn
V d : Ph m "GCUA VQ DTGCM"
Nguyn i Th
An ninh Mng
31
H m ha n bng
Thay mt ch ci ny bng mt ch ci khc
theo trt t bt k sao cho mi ch ci ch c mt
thay th duy nht v ngc li
Kha di 26 ch ci
V d
Kha
a b cd e fg h i j k l mnopqr st u vw x y z
M N B V C X ZAS D F G H J K LP O I U YT R E W Q
Nguyn bn
i love you
Nguyn i Th
An ninh Mng
32
Ph m h m ha n bng
Phng php vt cn
Kha di 26 k t
S lng kha c th = 26! = 4 x 1026
Rt kh thc hin

Bit r tn s cc ch ci ting Anh
C th suy ra cc cp ch ci nguyn bn - ch ci bn m
V d : ch ci xut hin nhiu nht c th tng ng vi 'e'
C th nhn ra cc b i v b ba ch ci
V d b i : 'th', 'an', 'ed'
V d b ba : 'ing', 'the', 'est'
Nguyn i Th
An ninh Mng
33
Tn s tng i (%)
Cc tn s ch ci ting Anh
Nguyn i Th
An ninh Mng
34
V d ph m h n bng
Cho bn m
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ
VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX
EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
Tnh tn s ch ci tng i
on P l e, Z l t
on ZW l th v ZWP l the
Tip tc on v th, cui cng c
it was disclosed yesterday that several informal but
direct contacts have been made with political
representatives of the viet cong in moscow
Nguyn i Th
An ninh Mng
35
H m ha Playfair (1)
L mt h m ha nhiu ch
Gim bt tng quan cu trc gia bn m v nguyn
bn bng cch m ha ng thi nhiu ch ci ca
nguyn bn
Pht minh bi Charles Wheatstone vo nm

1854, ly tn ngi bn Baron Playfair
S dng 1 ma trn ch ci 5x5 xy dng trn c
s 1 t kha
in cc ch ci ca t kha (b cc ch trng)
in nt ma trn vi cc ch khc ca bng ch ci
I v J chim cng mt ca ma trn
Nguyn i Th
An ninh Mng
36
H m ha Playfair (2)
V d ma trn vi t kha MONARCHY
M
C
E
L
U
O N
H Y
F G
P Q
V W
A
B
I/J
S
X
R
D
K
T
Z
M ha 2 ch ci mt lc
Nu 2 ch ging nhau, tch ra bi 1 ch in thm

Nu 2 ch nm cng hng, thay bi cc ch bn phi
Nu 2 ch nm cng ct, thay bi cc ch bn di
Cc trng hp khc, mi ch ci c thay bi ch
ci khc cng hng, trn ct ch ci cng cp
Nguyn i Th
An ninh Mng
37
Ph m h m ha Playfair
An ninh m bo hn nhiu h m ha n ch
C 26 x 26 = 676 cp ch ci
Vic gii m tng cp kh khn hn
Cn phn tch 676 tn s xut hin thay v 26
Tng c qun i Anh, M s dng rng ri

Bn m vn cn lu li nhiu cu trc ca
nguyn bn
Vn c th ph m c v ch c vi trm cp
ch ci cn gii m
Nguyn i Th
An ninh Mng
38
H m ha Vigenre
L mt h m ha a bng
S dng nhiu bng m ha
Kha gip chn bng tng ng vi mi ch ci
Kt hp 26 h Ceasar (bc dch chuyn 0 - 25)

Kha K = k1k2...kd gm d ch ci s dng lp i lp li
vi cc ch ci ca vn bn
Ch ci th i tng ng vi h Ceasar bc chuyn i
V d
Kha :
deceptivedeceptivedeceptive
Nguyn bn : wearediscoveredsaveyourself
Bn m :
ZICVTWQNGRZGVTWAVZHCQYGLMGJ
Nguyn i Th
An ninh Mng
39
Ph m h m ha Vigenre
Phng php vt cn
Kh thc hin, nht l nu kha gm nhiu ch ci

Cu trc ca nguyn bn c che y tt hn h
Playfair nhng khng hon ton bin mt
Ch vic tm di kha sau ph m tng h Ceasar
Cch tm di kha
Nu di kha nh so vi di vn bn, c th pht hin 1
dy vn bn lp li nhiu ln
Khong cch gia 2 dy vn bn lp l 1 bi s ca di kha
T suy ra di kha
Nguyn i Th
An ninh Mng
40
H m ha kha t ng
Vigenre xut t kha khng lp li m c
gn vo u nguyn bn
Nu bit t kha s gii m c cc ch ci u tin
S dng cc ch ci ny lm kha gii m cc ch
cc tip theo,...
V d :
Kha :
deceptivewearediscoveredsav
nguyn bn : wearediscoveredsaveyourself
M ha :
ZICVTWQNGKZEIIGASXSTSLVVWLA
Vn c th s dng k thut thng k ph m

Kha v nguyn bn c cng tn s cc ch ci
Nguyn i Th
An ninh Mng
41
n mt ln
L h m ha thay th khng th ph c
xut bi Joseph Mauborgne
Kha ngu nhin, di bng di vn bn,
ch s dng mt ln
Gia nguyn bn v bn m khng c bt k
quan h no v thng k
Vi bt k nguyn bn v bn m no cng tn
ti mt kha tng ng
Kh khn vic to kha v m bo phn phi
kha an ninh
Nguyn i Th
An ninh Mng
42
M ha hon v c in
Che y ni dung vn bn bng cch sp xp li
trt t cc ch ci
Khng thay i cc ch ci ca nguyn bn
Bn m c tn s xut hin cc ch ci ging nh
nguyn bn
Nguyn i Th
An ninh Mng
43
H m ha hng ro
Vit cc ch ci theo ng cho trn mt s
hng nht nh
Sau c theo tng hng mt
V d
Nguyn bn : attack at midnight
M ha vi cao hng ro l 2
a t c a m d
i
h
t a k t
i
n g
t
Bn m : ATCAMDIHTAKTINGT
Nguyn i Th
An ninh Mng
44
H m ha hng
Vit cc ch ci theo hng vo 1 s ct nht nh

Sau hon v cc ct trc khi c theo ct
Kha l th t c cc ct
V d
Kha :
4 3 1 2 5 6 7
Nguyn bn : a t t a c k p
o s t p o n e
d u n t i l t
w o a m x y z
Bn m :
TTNAAPTMTSUOAODWCOIXKNLYPETZ
Nguyn i Th
An ninh Mng
45
M ha tch hp
Cc h m ha thay th v hon v khng an ton
v nhng c im ca ngn ng
Kt hp s dng nhiu h m ha s khin vic
ph m kh hn
Hai thay th to nn mt thay th phc tp hn
Hai hon v to nn mt hon v phc tp hn
Mt thay th vi mt hon v to nn mt h m ha
phc tp hn nhiu
L cu ni t cc h m ha c in n cc h
m ha hin i
Nguyn i Th
An ninh Mng
46
M ha khi
So vi m ha lung
M ha khi x l thng bo theo tng khi
M ha lung x l thng bo 1 bit hoc 1 byte mi ln
Ging nh thay th cc k t rt ln ( 64 bit)

Bng m ha gm 2n u vo (n l di khi)
Mi khi u vo ng vi mt khi m ha duy nht
Tnh thun nghch
di kha l n x 2n bit qu ln
Xy dng t cc khi nh hn
Hu ht cc h m ha khi i xng da trn cu
trc h m ha Feistel
Nguyn i Th
An ninh Mng
47
Mng S-P
Mng thay th (S) - hon v (P) xut bi Claude
Shannon vo nm 1949
L c s ca cc h m ha khi hin i
Da trn 2 php m ha c in
Php thay th : Hp S
Php hon v : Hp P
an xen cc chc nng

Khuch tn : Hp P (kt hp vi hp S)
Pht ta cu trc thng k ca nguyn bn khp bn m
Gy ln : Hp S
Lm phc tp ha mi quan h gia bn m v kha
Nguyn i Th
An ninh Mng
48
Hp S
u vo
3 bit
0
1
0
0
1
2
3
4
5
6
7
0
1
2
3
4
5
6
7
u ra
3 bit
1
1
0
Lu : Hp S c tnh thun nghch

Nguyn i Th
An ninh Mng
49
Hp P
u vo
4 bit
1
0
1
0
Lu : Hp P c tnh thun nghch

Nguyn i Th
An ninh Mng
50
M ha Feistel
xut bi Horst Feistel da trn khi nim h
m ha tch hp thun nghch ca Shannon
Phn mi khi di 2w bit thnh 2 na L0 v R0
X l qua n vng
Chia kha K thnh n kha con K1, K2,..., Kn
Ti mi vng i
Thc hin thay th na bn tri Li-1 bng cch XOR
n vi F(Ki, Ri-1)
F thng gi l hm chuyn i hay hm vng
Hon v hai na Li v Ri
Nguyn i Th
An ninh Mng
51
Nguyn bn (2w bit)

w bit
L0
+
Vng 1
. . .
L1
R0
K1
. . .
+
Vng n
w bit
R1
Kn
Ln
Rn
Ln+1
Rn+1
Bn m (2w bit)
Nguyn i Th
An ninh Mng
52
Cc c trng h Feistel
di khi
Khi cng ln cng an ninh (thng 64 bit)
di kha
Kha cng di cng an ninh (thng 128 bit)
S vng
Cng nhiu vng cng an ninh (thng 16 vng)
Gii thut sinh m con

Cng phc tp cng kh ph m
Hm vng
Cng phc tp cng kh ph m
nh hng n ci t v phn tch

Nguyn i Th
An ninh Mng
53
Gii m Feistel
Ging gii thut m ha, ch khc
Bn m l d liu u vo
Cc kha con c dng theo th t ngc li
Ti mi vng kt qu u ra chnh l cc d liu

u vo ca qu trnh m ha
i vi qu trnh m ha
Li = Ri-1
Ri = Li-1 F(Ri-1, Ki)
i vi qu trnh gii m
Ri-1 = Li
Li-1 = Ri F(Li, Ki)
Nguyn i Th
An ninh Mng
54
Chun m ha d liu
DES (Data Encryption Standard) c cng nhn
chun nm 1977
Phng thc m ha c s dng rng ri nht
Tn gii thut l DEA (Data Encryption Algorithm)
L mt bin th ca h m ha Feistel, b xung
thm cc hon v u v cui
Kch thc khi : 64 bit
Kch thc kha : 56 bit
S vng : 16
Tng gy nhiu tranh ci v an ninh
Nguyn i Th
An ninh Mng
55
Gii thut m ha DES

Kha 56 bit
Nguyn bn (64 bit)
giao hon
giao hon thun

vng 1
vng 2
K1
giao hon
dch vng tri
K2
giao hon
dch vng tri
giao hon
dch vng tri
. . .
vng n
Kn
. . .
hon i 32 bit
giao hon nghch
Bn m (64 bit)
Nguyn i Th
An ninh Mng
56
Mt vng DES
<-----32 bit------>
Li-1
<-----32 bit------>
Ri-1
m rng g/hon
--- 48 bit
Ki
--- 48 bit
hp S
--- 32 bit
giao hon
x
Li
Nguyn i Th
--- 32 bit
Ri
An ninh Mng
57
Ph m DES
Kha 56 bit c 256 = 7,2 x 1016 gi tr c th
Phng php vt cn t ra khng thc t
Tc tnh ton cao c th ph c kha
1997 : 70000 my tnh ph m DES trong 96 ngy
1998 : Electronic Frontier Foundation (EFF) ph m
DES bng my chuyn dng (250000$) trong < 3 ngy
1999 : 100000 my tnh ph m trong 22 gi
Vn cn phi nhn bit c nguyn bn

Thc t DES vn c s dng khng c vn
Nu cn an ninh hn : 3DES hay chun mi AES
Nguyn i Th
An ninh Mng
58
H m ha 3DES
S dng 3 kha v chy 3 ln gii thut DES
M ha : C = EK3[DK2[EK1[p]]]
Gii m : p = DK1[EK2[DK3[C]]]
di kha thc t l 168 bit

Khng tn ti K4 = 56 sao cho C = EK4(p)
V sao 3 ln : trnh tn cng "gp nhau gia"

C = EK2(EK1(p)) X = EK1(p) = DK2(C)
Nu bit mt cp (p, C)
M ha p vi 256 kha v gii m C vi 256 kha
So snh tm ra K1 v K2 tng ng
Kim tra li vi 1 cp (p, C) mi; nu OK th K 1 v K2 l kha
Nguyn i Th
An ninh Mng
59
Chun m ha tin tin

AES (Advanced Encryption Standard) c cng
nhn chun mi nm 2001
Tn gii thut l Rijndael (Rijmen + Daemen)
An ninh hn v nhanh hn 3DES
Kch thc khi : 128 bit
Kch thc kha : 128/192/256 bit
S vng : 10/12/14
Cu trc mng S-P, nhng khng theo h Feistel
Khng chia mi khi lm i
Nguyn i Th
An ninh Mng
60
Cc h m ha khi khc (1)

IDEA (International Data Encryption Algorithm)
Khi 64 bit, kha 128 bit, 8 vng
Theo cu trc mng S-P, nhng khng theo h Feistel
Mi khi chia lm 4
Rt an ninh
Bn quyn bi Ascom nhng dng min ph
Blowfish
Khi 64 bit, kha 32-448 bit (ngm nh 128 bit), 16 vng

Theo cu trc h Feistel
An ninh, kh nhanh v gn nh
T do s dng
Nguyn i Th
An ninh Mng
61
Cc h m ha khi khc (2)

RC5
Pht trin bi Ron Rivest

Khi 32/64/128 bit, kha 0-2040 bit, 0-255 vng
n gin, thch hp cc b x l c rng khc nhau
CAST-128
Pht trin bi Carlisle Adams v Stafford Tavares

Khi 64 bit, kha 40-128 bit, 12/16 vng
C 3 loi hm vng dng xen k
Bn quyn bi Entrust nhng dng min ph
Nguyn i Th
An ninh Mng
62
Cc phng thc m ha khi

ECB (Electronic Codebook)
M ha tng khi ring r
CBC (Cipher Block Chaining)

Khi nguyn bn hin thi c XOR vi khi bn m
trc
CFB (Cipher Feedback)

M phng m ha lung (n v s bit)
s bit m ha trc c a vo thanh ghi u vo hin thi
OFB (Output Feeback)

s bit tri u ra trc c a vo thanh ghi u vo hin thi
CTR (Counter)
XOR mi khi nguyn bn vi 1 gi tr thanh m m ha
Nguyn i Th
An ninh Mng
63
Phng thc ECB

p1
K
M ha
p2
K
C1
M ha
pN
...
C2
M ha
CN
M ha
C1
K
Gii m
p1
C2
K
Gii m
CN
...
p2
Gii m
pN
Gii m
Nguyn i Th
An ninh Mng
64
nh gi ECB
Nhng khi lp li trong nguyn bn c th thy
c trong bn m
Nu thng bo di, c th
Gip phn tch ph m
To c hi thay th hoc b tr li cc khi
Nhc im do cc khi c m ha c lp
Ch yu dng gi thng bo c t khi
V d gi kha
Nguyn i Th
An ninh Mng
65
Phng thc CBC

IV
M ha
p2
p1
C1
Gii m
M ha
...
CN-1
K
C2
M ha
CN
M ha
C2
C1
K
pN
Gii m
...
CN
K
Gii m
CN-1
IV
p1
p2
pN
Gii m
Nguyn i Th
An ninh Mng
66
nh gi CBC
Mi khi m ha ph thuc vo tt c cc khi
nguyn bn trc
S lp li cc khi nguyn bn khng th hin trong bn
m ha
Thay i trong mi khi nguyn bn nh hng n tt
c cc khi bn m v sau
Cn 1 gi tr u IV bn gi v bn nhn u bit
Cn c m ha ging kha
Nn khc nhau i vi cc thng bo khc nhau
Cn x l c bit khi nguyn bn khng y

cui cng
Dng m ha d liu ln, xc thc
Nguyn i Th
An ninh Mng
67
M ha CFB
CM-1
IV
Thanh ghi dch
64-s bit | s bit
Thanh ghi dch

64-s bit | s bit
64
M ha
64
M ha
64
p1
Chn
s bit
B i
64-s bit
Thanh ghi dch

64-s bit | s bit
...
64
M ha
64
Chn
s bit
p2
s
B i
64-s bit
64
Chn
s bit
pM
s
B i
64-s bit
s
C1
Nguyn i Th
C2
CM
An ninh Mng
68
Gii m CFB
CM-1
IV
Thanh ghi dch
64-s bit | s bit
Thanh ghi dch

64-s bit | s bit
64
M ha
64
Chn
s bit
64
p1
Nguyn i Th
...
64
M ha
64
s
Chn
s bit
B i
64-s bit
M ha
Thanh ghi dch

64-s bit | s bit
s
C1
64
Chn
s bit
B i
64-s bit
B i
64-s bit
s s
C2
CM
pM
p2
An ninh Mng
69
nh gi CFB
Thch hp khi d liu nhn c theo tng n
v bit hay byte
Khng cn n thng bo lm trn khi
Cho php s lng bit bt k
K hiu CFB-1, CFB-8, CFB-64,...
L phng thc lung ph bin nht

Dng gii thut m ha ngay c khi gii m
Li xy ra khi truyn 1 khi m ha s lan rng
sang cc khi tip sau
Nguyn i Th
An ninh Mng
70
M ha OFB
OM-1
IV
Thanh ghi dch
64-s bit | s bit
Thanh ghi dch

64-s bit | s bit
64
M ha
64
M ha
64
Chn
s bit
p1
s
Chn
s bit
p2
s
C1
Nguyn i Th
...
64
M ha
64
B i
64-s bit
Thanh ghi dch

64-s bit | s bit
64
Chn
s bit
B i
64-s bit
pM
B i
64-s bit
s
s
C2
CM
An ninh Mng
71
Gii m OFB
OM-1
IV
Thanh ghi dch
64-s bit | s bit
Thanh ghi dch

64-s bit | s bit
64
64
M ha
64
Chn
s bit
...
M ha
64
M ha
64
B i
64-s bit
Thanh ghi dch

64-s bit | s bit
Chn
s bit
64
B i
64-s bit
Chn
s bit
B i
64-s bit
s
s
C1
p1
Nguyn i Th
C2
p2
CM
pM
An ninh Mng
72
nh gi OFB
Tng t CFB ch khc l phn hi ly t u ra
gii thut m ha, c lp vi thng bo
Khng bao gi s dng li cng kha v IV
Li truyn 1 khi m ha khng nh hng n
cc khi khc
Thng bo d b sa i ni dung
Ch nn dng OFB-64
C th tit kim thi gian bng cch thc hin
gii thut m ha trc khi nhn c d liu
Nguyn i Th
An ninh Mng
73
Phng thc CTR

Bin m
M ha
Bin m + 1
M ha
C1
M ha
pN
C2
M ha
Bin m + 1
Bin m
M ha
CN
...
C2
C1
p1
M ha
p2
p1
...
Bin m + N - 1
Bin m + N - 1
M ha
K
CN
p2
pN
Gii m
Nguyn i Th
An ninh Mng
74
nh gi CTR
Hiu qu cao
C th thc hin m ha (hoc gii m) song song
C th thc hin gii thut m ha trc nu cn
C th x l bt k khi no trc cc khi khc

An ninh khng km g cc phng thc khc
n gin, ch cn ci t gii thut m ha,
khng cn n gii thut gii m
Khng bao gi s dng li cng gi tr kha v
bin m (tng t OFB)
Nguyn i Th
An ninh Mng
75
B tr cng c m ha
Gii php hu hiu v ph bin nht chng li cc
mi e da n an ninh mng l m ha
thc hin m ha, cn xc nh
M ha nhng g
Thc hin m ha u
C 2 phng n c bn
M ha lin kt
M ha u cui
Nguyn i Th
An ninh Mng
76
M ha lin kt
Cng c m ha c sp t 2 u ca mi
lin kt c nguy c b tn cng
m bo an ninh vic lu chuyn thng tin trn
tt c cc lin kt mng
Cc mng ln cn n rt nhiu cng c m ha
Cn cung cp rt nhiu kha
Nguy c b tn cng ti mi chuyn mch
Cc gi tin cn c m ha mi khi i vo mt
chuyn mch gi c c a ch phn u
Thc hin tng vt l hoc tng lin kt

Nguyn i Th
An ninh Mng
77
M ha u cui
Qu trnh m ha c thc hin 2 h thng
u cui
m bo an ninh d liu ngi dng
Ch cn mt kha cho 2 u cui
m bo xc thc mc nht nh
Mu lu chuyn thng tin khng c bo v
Cc phn u gi tin cn c truyn ti tng minh
Thc hin tng mng tr ln

Cng ln cao cng t thng tin cn m ha v cng an
ninh nhng cng phc tp vi nhiu thc th v kha
Nguyn i Th
An ninh Mng
78
Kt hp cc phng n m ha
Cng c m ha u cui
Cng c m ha lin kt
Nguyn i Th
PSN : Packet-switching node

An ninh Mng
79
Qun l kha b mt
Vn i vi m ha i xng l lm sao phn
phi kha an ninh n cc bn truyn tin
Thng h thng mt an ninh l do khng qun l tt
vic phn phi kha b mt
Phn cp kha
Kha phin (tm thi)
Dng m ha d liu trong mt phin kt ni
Hy b khi ht phin
Kha ch (lu di)

Dng m ha cc kha phin, m bo phn phi chng
mt cch an ninh
Nguyn i Th
An ninh Mng
80
Cc cch phn phi kha

Kha c th c chn bi bn A v gi theo
ng vt l n bn B
Kha c th c chn bi mt bn th ba, sau
gi theo ng vt l n A v B
Nu A v B c mt kha dng chung th mt
bn c th gi kha mi n bn kia, s dng
kha c m ha kha mi
Nu mi bn A v B u c mt knh m ha
n mt bn th ba C th C c th gi kha theo
cc knh m ha n A v B
Nguyn i Th
An ninh Mng
81
Phn phi kha t ng

1.
2.
3.
4.
Host gi gi tin yu cu kt ni
FEP m gi tin; hi KDC kha phin
KDC phn phi kha phin n 2 host
Gi tin m c truyn i
FEP = Front End Processor

KDC = Key Distribution Center
Nguyn i Th
An ninh Mng
82
Chng 3
MT M KHA CNG KHAI
Nguyn i Th
An ninh Mng
83
Gii thiu
Nhng hn ch ca mt m i xng
Vn phn phi kha
Kh m bo chia s m khng lm l kha b mt
Trung tm phn phi kha c th b tn cng
Khng thch hp cho ch k s

Bn nhn c th lm gi thng bo ni nhn c t bn gi
Mt m kha cng khai xut bi Whitfield

Diffie v Martin Hellman vo nm 1976
Khc phc nhng hn ch ca mt m i xng
C th coi l bc t ph quan trng nht trong lch
s ca ngnh mt m
B xung ch khng thay th mt m i xng
Nguyn i Th
An ninh Mng
84
c im mt m kha cng
khai
Cn gi l mt m hai kha hay bt i xng

Cc gii thut kha cng khai s dng 2 kha
Mt kha cng khai
Ai cng c th bit
Dng m ha thng bo v thm tra ch k
Mt kha ring
Ch ni gi c bit
Dng gii m thng bo v k (to ra) ch k
C tnh bt i xng
Bn m ha khng th gii m thng bo
Bn thm tra khng th to ch k
Nguyn i Th
An ninh Mng
85
M ha kha cng khai

Cc kha cng khai
Ted
Joy
Mike
Alice
Kha cng khai
ca Alice
Bn m
truyn i
Nguyn bn
u vo
Gii thut
m ha
Nguyn i Th
Kha ring
ca Alice
Gii thut
gii m
An ninh Mng
Nguyn bn
u ra
86
Xc thc
Cc kha cng khai
Ted
Joy
Mike
Bob
Kha cng khai
ca Bob
Kha ring
ca Bob
Bn m
truyn i
Nguyn bn
u vo
Gii thut
m ha
Nguyn i Th
Gii thut
gii m
An ninh Mng
Nguyn bn
u ra
87
ng dng mt m kha cng khai

C th phn ra 3 loi ng dng
M ha/gii m
m bo s b mt ca thng tin
Ch k s
H tr xc thc vn bn
Trao i kha
Cho php chia s kha phin trong m ha i xng
Mt s gii thut kha cng khai thch hp cho

c 3 loi ng dng; mt s khc ch c th dng
cho 1 hay 2 loi
Nguyn i Th
An ninh Mng
88
M hnh m bo b mt
K
ph m
ch B
Ngun A
Ngun
th. bo
Gii thut
m ha
Gii thut
gii m
ch
th. bo
Ngun
cp kha
Nguyn i Th
An ninh Mng
89
M hnh xc thc
K
ph m
ch B
Ngun A
Ngun
th. bo
Gii thut
m ha
Gii thut
gii m
ch
th. bo
Ngun
cp kha
Nguyn i Th
An ninh Mng
90
M hnh kt hp
ch B
Ngun A
Ngun
th. bo
G. thut
m ha
G. thut
m ha
G. thut
gii m
G. thut
gii m
ch
th. bo
Ngun
cp kha
Ngun
cp kha
Nguyn i Th
An ninh Mng
91
Trao i kha
Kha ngu nhin
Kha ngu nhin
Alice
Bob
M ha
Gii m
Kha cng khai ca Bob
Kha ring ca Bob
Nguyn i Th
An ninh Mng
92
Cc iu kin cn thit
Bn B d dng to ra c cp (KUb, KRb)
Bn A d dng to ra c C = EKUb(M)
Bn B d dng gii m M = DKRb(C)
i th khng th xc nh c KRb khi bit KUb
i th khng th xc nh c M khi bit KUb v
C
Mt trong hai kha c th dng m ha trong khi
kha kia c th dng gii m
M = DKRb(EKUb(M)) = DKUb(EKRb(M))
Khng thc s cn thit
Nguyn i Th
An ninh Mng
93
H m ha RSA
xut bi Ron Rivest, Adi Shamir v Len
Adleman (MIT) vo nm 1977
H m ha kha cng khai ph dng nht
M ha khi vi mi khi l mt s nguyn < n
Thng kch c n l 1024 bit 309 ch s thp phn
ng k bn quyn nm 1983, ht hn nm 2000

An ninh v chi ph phn tch tha s ca mt s
nguyn ln l rt ln
Nguyn i Th
An ninh Mng
94
To kha RSA
Mi bn t to ra mt cp kha cng khai - kha
ring theo cc bc sau :
Chn ngu nhin 2 s nguyn t ln p q
Tnh n = pq
Tnh (n) = (p-1)(q-1)
Chn ngu nhin kha m ha e sao cho 1 < e < (n)
v gcd(e, (n)) = 1
Tm kha gii m d n tha mn e.d 1 mod (n)
Cng b kha m ha cng khai KU = {e, n}

Gi b mt kha gii m ring KR = {d, n}
Cc gi tr b mt p v q b hy b
Nguyn i Th
An ninh Mng
95
Thc hin RSA

m ha 1 thng bo nguyn bn M, bn gi
thc hin
Ly kha cng khai ca bn nhn KU = {e, n}
Tnh C = Me mod n
gii m bn m C nhn c, bn nhn thc

hin
S dng kha ring KR = {d, n}
Tnh M = Cd mod n
Lu l thng bo M phi nh hn n
Phn thnh nhiu khi nu cn
Nguyn i Th
An ninh Mng
96
V sao RSA kh thi

Theo nh l Euler
a, n : gcd(a, n) = 1 a(n) mod n = 1
(n) l s cc s nguyn dng nh hn n v nguyn
t cng nhau vi n
i vi RSA c
n = pq vi p v q l cc s nguyn t
(n) = (p - 1)(q - 1)
ed 1 mod (n) s nguyn k : ed = k(n) + 1
M<n
C th suy ra
Cd mod n = Med mod n = Mk(n) + 1 mod n = M mod n = M
Nguyn i Th
An ninh Mng
97
V d to kha RSA
Chn 2 s nguyn t p = 17 v q = 11
Tnh n = pq = 17 11 = 187
Tnh (n) = (p - 1)(q - 1) = 16 10 = 160
Chn e : gcd(e, 160) = 1 v 1 < e < 160; ly e = 7
Xc nh d : de 1 mod 160 v d 187
Gi tr d = 23 v 23 7 = 161 = 1 160 + 1
Cng b kha cng khai KU = {7, 187}
Gi b mt kha ring KR = {23, 187}
Hy b cc gi tr b mt p = 17 v q = 11
Nguyn i Th
An ninh Mng
98
V d thc hin RSA

M ha
Nguyn
bn
Nguyn i Th
Gii m
Bn
m
An ninh Mng
Nguyn
bn
99
Chn tham s RSA

Cn chn p v q ln
Thng chn e nh
Thng c th chn cng gi tr ca e cho tt c
ngi dng
Trc y khuyn ngh gi tr ca e l 3, nhng
hin nay c coi l qu nh
Thng chn e = 216 - 1 = 65535
Gi tr ca d s ln v kh on
Nguyn i Th
An ninh Mng
100
An ninh ca RSA
Kha 128 bit l mt s gia 1 v mt s rt ln
340.282.366.920.938.000.000.000.000.000.000.000.000
C bao nhiu s nguyn t gia 1 v s ny

n / ln(n) = 2128 / ln(2128)
3.835.341.275.459.350.000.000.000.000.000.000.000
Cn bao nhiu thi gian nu mi giy c th tnh

c 1012 s
Hn 121,617,874,031,562,000 nm (khong 10 triu ln
tui ca v tr)
An ninh nhng cn phng nhng im yu

Nguyn i Th
An ninh Mng
101
Ph m RSA
Phng php vt cn
Th tt c cc kha ring c th
Ph thuc vo di kha
Phng php phn tch ton hc

Phn n thnh tch 2 s nguyn t p v q
Xc nh trc tip (n) khng thng qua p v q
Xc nh trc tip d khng thng qua (n)
Phng php phn tch thi gian

Da trn vic o thi gian gii m
C th ngn nga bng cch lm nhiu
Nguyn i Th
An ninh Mng
102
Phn tch tha s RSA

An ninh ca RSA da trn phc tp ca vic
phn tch tha s n
Thi gian cn thit phn tch tha s mt s
ln tng theo hm m vi s bit ca s
Mt nhiu nm khi s ch s thp phn ca n vt
qu 100 (gi s lm 1 php tnh nh phn mt 1 s)
Kch thc kha ln m bo an ninh cho RSA

T 1024 bit tr ln
Gn y nht nm 1999 ph m c 512 bit
(155 ch s thp phn)
Nguyn i Th
An ninh Mng
103
H trao i kha Diffie-Hellman

Gii thut mt m kha cng khai u tin
xut bi Whitfield Diffie v Martin Hellman
vo nm 1976
Malcolm Williamson (GCHQ - Anh) pht hin trc
my nm nhng n nm 1997 mi cng b
Ch dng trao i kha b mt mt cch an

ninh trn cc kch thng tin khng an ninh
Kha b mt c tnh ton bi c hai bn
An ninh ph thuc vo phc tp ca vic tnh
log ri rc
Nguyn i Th
An ninh Mng
104
Thit lp Diffie-Hellman
Cc bn thng nht vi nhau cc tham s chung
q l mt s nguyn t ln
l mt nguyn cn ca q
mod q, 2 mod q,..., q-1 mod q l cc s nguyn giao hon
ca cc s t 1 n q - 1
Bn A
Chn ngu nhin lm kha ring XA < q
Tnh kha cng khai YA = XA mod q
Bn B
Chn ngu nhin lm kha ring XB < q
Tnh kha cng khai YB = XB mod q
Nguyn i Th
An ninh Mng
105
Trao i kha Diffie-Hellman

Tnh ton kha b mt
Bn A bit kha ring XA v kha cng khai YB
K = YBXA mod q
Bn B bit kha ring XB v kha cng khai YA
K = YAXB mod q
Chng minh
YAXB mod q = (XA mod q)XB mod q
= XAXB mod q
= XBXA mod q
= (XB mod q)XA mod q
= YBXA mod q
Nguyn i Th
An ninh Mng
106
V d Diffie-Hellman
Alice v Bob mun trao i kha b mt
Cng chn q = 353 v = 3
Chn ngu nhin cc kha ring
Alice chn XA = 97, Bob chn XB = 233
Tnh ton cc kha cng khai

YA = 397 mod 353 = 40
YB = 3233 mod 353 = 248
(Alice)
(Bob)
Tnh ton kha b mt chung

K = YBXA mod 353 = 24897 mod 353 = 160
K = YAXB mod 353 = 40233 mod 353 = 160
Nguyn i Th
An ninh Mng
(Alice)
(Bob)
107
Hn ch ca kha cng khai

Tc x l
Cc gii thut kha cng khai ch yu dng cc php
nhn chm hn nhiu so vi cc gii thut i xng
Khng thch hp cho m ha thng thng
Thng dng trao i kha b mt u phin truyn tin
Tnh xc thc ca kha cng khai

Bt c ai cng c th to ra mt kha cng b l
ca mt ngi khc
Chng no vic gi mo cha b pht hin c th c
c ni dung cc thng bo gi cho ngi kia
Cn m bo nhng ngi ng k kha l ng tin
Nguyn i Th
An ninh Mng
108
Chng 4
XC THC & CH K S
Nguyn i Th
An ninh Mng
109
Vn xc thc
Cc tiu chun cn xc minh
Thng bo c ngun gc r rng chnh xc
Ni dung thng bo ton vn khng b thay i
Thng bo c gi ng trnh t v thi im
Mc ch chng li hnh thc tn cng ch

ng (xuyn tc d liu v giao tc)
Cc phng php xc thc thng bo
M ha thng bo
S dng m xc thc thng bo (MAC)
S dng hm bm
Nguyn i Th
An ninh Mng
110
Xc thc bng cch m ha

S dng m ha i xng
Thng bo gi t ng ngun v ch c ngi gi
mi bit kha b mt dng chung
Ni dung khng th b thay i v nguyn bn c cu
trc nht nh
Cc gi tin c nh s th t v m ha nn
khng th thay i trnh t v thi im nhn c
S dng m ha kha cng khai

Khng ch xc thc thng bo m cn to ch k s
Phc tp v mt thi gian hn m ha i xng
Nguyn i Th
An ninh Mng
111
M xc thc thng bo (MAC)

Khi kch thc nh c nh gn vo thng bo to
ra t thng bo v kha b mt chung
Bn nhn thc hin cng gii thut trn thng bo
v kha so xem MAC c chnh xc khng
Gii thut to MAC ging nh gii thut m ha
nhng khng cn nghch c
C th nhiu thng bo cng c chung MAC
Nhng nu bit mt thng bo v MAC ca n, rt kh
tm ra mt thng bo khc c cng MAC
Cc thng bo c cng xc sut to ra MAC
p ng 3 tiu chun xc thc

Nguyn i Th
An ninh Mng
112
ch B
Ngun A
So snh
a) Xc thc thng bo
So snh
b) Xc thc thng bo v bo mt; MAC gn vo nguyn bn
So snh
c) Xc thc thng bo v bo mt; MAC gn vo bn m
Nguyn i Th
An ninh Mng
113
V sao dng MAC

Nhiu trng hp ch cn xc thc, khng cn
m ha tn thi gian v ti nguyn
Thng bo h thng
Chng trnh my tnh
Tch ring cc chc nng bo mt v xc thc

s khin vic t chc linh hot hn
Chng hn mi chc nng thc hin mt tng ring
Cn m bo tnh ton vn ca thng bo trong

sut thi gian tn ti khng ch khi lu chuyn
V thng bo c th b thay i sau khi gii m
Nguyn i Th
An ninh Mng
114
MAC da trn DES (DAC)
M ha
M ha
M ha
M ha
(16 - 64 bits)
Nguyn i Th
An ninh Mng
115
Hm bm
To ra mt gi tr bm c kch thc c nh t
thng bo u vo (khng dng kha)
h = H(M)
Hm bm khng cn gi b mt
Gi tr bm gn km vi thng bo dng
kim tra tnh ton vn ca thng bo
Bt k s thay i M no d nh cng to ra mt
gi tr h khc
Nguyn i Th
An ninh Mng
116
Ngun A
ch B
So snh
a) Xc thc thng bo v bo mt; m bm gn vo nguyn bn
So snh
b) Xc thc thng bo; m bm c m ha s dng phng php i xng
So snh
c) Xc thc thng bo; m bm c m ha s dng phng php kha cng khai
Nguyn i Th
An ninh Mng
117
Ngun A
ch B
So snh
d) Xc thc bng m ha kha cng khai v bo mt bng m ha i xng
So snh
e) Xc thc khng cn m ha nh hai bn chia s mt gi tr b mt chung
So snh
f) Xc thc nh mt gi tr b mt chung; bo mt bng phng php i xng
Nguyn i Th
An ninh Mng
118
Yu cu i vi hm bm
C th p dng vi thng bo M c di bt k
To ra gi tr bm h c di c nh
H(M) d dng tnh c vi bt k M no
T h rt kh tm c M sao cho H(M) = h
Tnh mt chiu
T M1 rt kh tm c M2 sao cho H(M2) = H(M1)

Tnh chng xung t yu
Rt kh tm c (M1, M2) sao cho H(M1) = H(M2)

Tnh chng xung t mnh
Nguyn i Th
An ninh Mng
119
Cc hm bm n gin
16 bit
XOR dch vng tri 1 bit XOR mi khi 16 bit

Nguyn i Th
An ninh Mng
120
Kiu tn cng ngy sinh

Nghch l ngy sinh
Trong 23 ngi, xc sut tm ra 1 ngi khc c cng
ngy sinh vi A l 6%
Xc sut 2 trong 23 ngi c cng ngy sinh l 50%
Cch thc tn cng m bm m bit

To ra 2m/2 bin th ng ngha ca thng bo hp l
To ra 2m/2 bin th ca thng bo gi mo
So snh 2 tp thng bo vi nhau tm ra 1 cp c cng
m bm (xc sut > 0,5 theo nghch l ngy sinh)
ngi gi k bin th hp l, ri dng ch k gn
vo bin th gi mo
Nguyn i Th
An ninh Mng
121
An ninh hm bm v MAC
Kiu tn cng vt cn
Vi hm bm, n lc ph thuc di m ca m bm
phc tp ca tnh mt chiu v tnh chng xung t yu
l 2m; ca tnh chng xung t mnh l 2m/2
128 bit c th ph c, thng dng 160 bit
Vi MAC, n lc ph thuc vo di k ca kha v

di n ca MAC
phc tp l min(2k, 2n)
t nht phi l 128 bit
Kiu thm m
Hm bm thng gm nhiu vng nh m ha khi
nn c th tp trung khai thc im yu hm vng
Nguyn i Th
An ninh Mng
122
Ch k s
Xc thc thng bo khng c tc dng khi bn
gi v bn nhn mun gy hi cho nhau
Bn nhn gi mo thng bo ca bn gi
Bn gi chi l gi thng bo n bn nhn
Ch k s khng nhng gip xc thc thng bo

m cn bo v mi bn khi bn kia
Chc nng ch k s
Xc minh tc gi v thi im k thng bo
Xc thc ni dung thng bo
L cn c gii quyt tranh chp
Nguyn i Th
An ninh Mng
123
Yu cu i vi ch k s
Ph thuc vo thng bo c k
C s dng thng tin ring ca ngi gi
trnh gi mo v chi b
Tng i d to ra
Tng i d nhn bit v kim tra
Rt kh gi mo
Bng cch to thng bo khc c cng ch k s
Bng cch to ch k s theo mun cho thng bo
Thun tin trong vic lu tr

Nguyn i Th
An ninh Mng
124
Ch k s trc tip
Ch lin quan n bn gi v bn nhn
Vi mt m kha cng khai
Dng kha ring k ton b thng bo hoc gi tr bm
C th m ha s dng kha cng khai ca bn nhn
Quan trng l k trc m ha sau
Ch c tc dng khi kha ring ca bn gi c

m bo an ninh
Bn gi c th gi v mt kha ring
Cn b xung thng tin thi gian v bo mt kha kp thi
Kha ring c th b mt tht

K cp c th gi thng bo vi thng tin thi gian sai lch
Nguyn i Th
An ninh Mng
125
Ch k s gin tip
C s tham gia ca mt bn trng ti
Nhn thng bo c ch k s t bn gi, kim tra tnh
hp l ca n
B xung thng tin thi gian v gi n bn nhn
An ninh ph thuc ch yu vo bn trng ti

Cn c bn gi v bn nhn tin tng
C th ci t vi m ha i xng hoc m ha
kha cng khai
Bn trng ti c th c php nhn thy hoc
khng ni dung thng bo
Nguyn i Th
An ninh Mng
126
Cc k thut ch k s gin tip

(a) M ha i xng, trng ti thy thng bo
(1) X A : M EKXA[IDX H(M)]
(2) A Y : EKAY[IDX M EKXA[IDX H(M)] T]
(b) M ha i xng, trng ti khng thy thng bo

(1) X A : IDX EKXY[M] EKXA[IDX H(EKXY[M])]
(2) A Y : EKAY[IDX EKXY[M] EKXA[IDX H(EKXY[M])] T]
(c) M ha kha cng khai, trng ti khng thy thng bo

(1) X A : IDX EKRX[IDX EKUY[EKRX[M]]]
(2) A Y : EKRA[IDX EKUY[EKRX[M]] T]
K hiu :
X = Bn gi
M = Thng bo
Y = Bn nhn
T = Nhn thi gian
A = Trng ti
Nguyn i Th
An ninh Mng
127
Chng 5
CC NG DNG XC THC
Nguyn i Th
An ninh Mng
128
Gii thiu
Mc ch ca cc ng dng xc thc l h tr
xc thc v ch k s mc ng dng
Phn lm 2 loi chnh
Da trn m ha i xng
Dch v Kerberos
Giao thc Needham-Schroeder
Da trn kha cng khai c chng thc

Dch v X.509
H thng PGP
Nguyn i Th
An ninh Mng
129
Kerberos
H thng dch v xc thc pht trin bi MIT
Nhm i ph vi cc him ha sau
Ngi dng gi danh l ngi khc
Ngi dng thay i a ch mng ca client
Ngi dng xem trm thng tin trao i v thc hin
kiu tn cng lp li
Bao gm 1 server tp trung c chc nng xc

thc ngi dng v cc server dch v phn tn
Tin cy server tp trung thay v cc client
Gii phng chc nng xc thc khi cc server dch v
v cc client
Nguyn i Th
An ninh Mng
130
K hiu
C : Client
AS : Server xc thc
V : Server dch v
IDC : Danh tnh ngi dng trn C
IDV : Danh tnh ca V

PC : Mt khu ca ngi dng trn C
ADC : a ch mng ca C
KV : Kha b mt chia s bi AS v V
: Php ghp
TGS : Server cp th
TS : Nhn thi gian
Nguyn i Th
An ninh Mng
131
Mt hi thoi xc thc n gin

Giao thc
(1) C AS : IDC PC IDV
(2) AS C : Th
(3) C V : IDC Th
Th = EKV[IDC ADC IDV]
Hn ch
Mt khu truyn t C n AS khng c bo mt
Nu th ch s dng c mt ln th phi cp th
mi cho mi ln truy nhp cng mt dch v
Nu th s dng c nhiu ln th c th b ly cp
s dng trc khi ht hn
Cn th mi cho mi dch v khc nhau
Nguyn i Th
An ninh Mng
132
Hi thoi xc thc Kerberos 4

(a) Trao i vi dch v xc thc : c th cp th
(1) C AS : IDC IDtgs TS1
(2) AS C : EKC[KC,tgs IDtgs TS2 Hn2 Thtgs]
Thtgs = EKtgs[KC,tgs IDC ADC IDtgs TS2 Hn2]
(b) Trao i vi dch v cp th : c th dch v

(3) C TGS : IDV Thtgs DuC
(4) TGS C : EKC,tgs[KC,V IDV TS4 ThV]
ThV = EKV[KC,V IDC ADC IDV TS4 Hn4]
DuC = EKC,tgs[IDC ADC TS3]
(c) Trao i xc thc client/server : c dch v

(5) C V : ThV DuC
(6) V C : EKC,V[TS5 + 1]
DuC = EKC,V[IDC ADC TS5]
Nguyn i Th
An ninh Mng
133
M hnh tng quan Kerberos

Mi phin
ngi dng
mt ln
Client
c u
Yu p th
c
n
t h
phi
a
+ kh
h
T
v
dch
h
t
u
Yu c
phin
a
h
k
Th +
Y
u
TGS
Mi dch v
mt ln
c
ud
ch
G
i d
us
erv
Mi phin
er
dch v
mt ln
Nguyn i Th
AS
Server
dch v
An ninh Mng
134
Phn h Kerberos
Mt phn h Kerberos bao gm
Mt server Kerberos cha trong CSDL danh tnh v
mt khu bm ca cc thnh vin
Mt s ngi dng ng k lm thnh vin
Mt s server dch v, mi server c mt kha b mt
ring ch chia s vi server Kerberos
Mi phn h Kerberos thng tng ng vi

mt phm vi hnh chnh
Hai phn h c th tng tc vi nhau nu 2
server chia s 1 kha b mt v ng k vi nhau
iu kin l phi tin tng ln nhau
Nguyn i Th
An ninh Mng
135
Phn h A
1
3
1. Yu cu th cho TGS cc b
2. Th cho TGS cc b
3. Yu cu th cho TGS xa
4. Th cho TGS xa
5. Yu cu th cho server xa
6. Th cho server xa
7. Yu cu dch v xa
Phn h B
Nguyn i Th
An ninh Mng
136
Kerberos 5
Pht trin vo gia nhng nm 1990 (sau
Kerberos 4 vi nm) c t trong RFC 1510
C mt s ci tin so vi phin bn 4
Khc phc nhng khim khuyt ca mi trng
Ph thuc gii thut m ha, ph thuc giao thc mng, trt
t byte thng bo khng theo chun, gi tr hn dng th c
th qu nh, khng cho php y nhim truy nhp, tng tc
a phn h da trn qu nhiu quan h tay i
Khc phc nhng thiu st k thut

M ha hai ln c mt ln tha, phng thc m ha PCBC
m bo tnh ton vn khng chun d b tn cng, kha
phin s dng nhiu ln c th b khai thc tn cng lp
li, c th b tn cng mt khu
Nguyn i Th
An ninh Mng
137
Dch v xc thc X.509

Nm trong lot khuyn ngh X.500 ca ITU-T
nhm chun ha dch v th mc
Servers phn tn lu gi CSDL thng tin ngi dng
nh ra mt c cu cho dch v xc thc

Danh b cha cc chng thc kha cng khai
Mi chng thc bao gm kha cng khai ca ngi
dng k bi mt bn chuyn trch chng thc ng tin
nh ra cc giao thc xc thc

S dng mt m kha cng khai v ch k s
Khng chun ha gii thut nhng khuyn ngh RSA
Nguyn i Th
An ninh Mng
138
Khun dng X.509
Nguyn i Th
An ninh Mng
139
Nhn chng thc

C c kha cng khai ca CA (c quan chng
thc) l c th xc minh c chng thc
Ch CA mi c th thay i chng thc
Chng thc c th t trong mt th mc cng khai
Cu trc phn cp CA
Ngi dng c chng thc bi CA ng k
Mi CA c hai loi chng thc
Chng thc thun : Chng thc CA hin ti bi CA cp trn
Chng thc nghch : Chng thc CA cp trn bi CA hin ti
Cu trc phn cp CA cho php ngi dng xc

minh chng thc bi bt k CA no
Nguyn i Th
An ninh Mng
140
Phn cp X.509
Nguyn i Th
An ninh Mng
141
Thu hi chng thc

Mi chng thc c mt thi hn hp l
C th cn thu hi chng thc trc khi ht hn
Kha ring ca ngi dng b tit l
Ngi dng khng cn c CA chng thc
Chng thc ca CA b xm phm
Mi CA phi duy tr danh sch cc chng thc b

thu hi (CRL)
Khi nhn c chng thc, ngi dng phi
kim tra xem n c trong CRL khng
Nguyn i Th
An ninh Mng
142
Cc th tc xc thc
Nguyn i Th
An ninh Mng
143
Chng 6
AN TON TH IN T
Nguyn i Th
An ninh Mng
144
Gii thiu
Th in t l dch v mng ph dng nht
Hin nay cc thng bo khng c bo mt
C th c c ni dung trong qu trnh thng bo di
chuyn trn mng
Nhng ngi dng c quyn c th c c ni
dung thng bo trn my ch
Thng bo d dng b gi mo bi mt ngi khc
Tnh ton vn ca thng bo khng c m bo
Cc gii php xc thc v bo mt thng dng

PGP (Pretty Good Privacy)
S/MIME (Secure/Multipurpose Internet Mail Extensions)
Nguyn i Th
An ninh Mng
145
PGP
Do Phil Zimmermann pht trin vo nm 1991
Chng trnh min ph, chy trn nhiu mi
trng khc nhau (phn cng, h iu hnh)
C phin bn thng mi nu cn h tr k thut
Da trn cc gii thut mt m an ninh nht

Ch yu ng dng cho th in t v file
c lp vi cc t chc chnh ph
Bao gm 5 dch v : xc thc, bo mt, nn,
tng thch th in t, phn v ghp
Ba dch v sau trong sut i vi ngi dng
Nguyn i Th
An ninh Mng
146
Xc thc ca PGP
Ngun A
ch B
So snh
M = Thng bo gc
H = Hm bm
= Ghp
Z = Nn
Z-1 = Ci nn
Nguyn i Th
EP = M ha kha cng khai

DP = Gii m kha cng khai
KRa = Kha ring ca A
KUa = Kha cng khai ca A
An ninh Mng
147
Bo mt ca PGP
Ngun A
ch B
EC = M ha i xng
DC = Gii m i xng
Ks = Kha phin
Nguyn i Th
An ninh Mng
148
Xc thc v bo mt ca PGP
Ngun A
Nguyn i Th
ch B
An ninh Mng
149
Nn ca PGP
PGP nn thng bo s dng gii thut ZIP
K trc khi nn
Thun tin lu tr v kim tra, nu k sau khi nn th
Cn lu phin bn nn vi ch k, hoc
Cn nn li thng bo mi ln mun kim tra
Gii thut nn khng cho kt qu duy nht

Mi phin bn ci t c tc v t l nn khc nhau
Nu k sau khi nn th cc chng trnh PGP cn s dng
cng mt phin bn ca gii thut nn
M ha sau khi nn
t d liu s khin vic m ha nhanh hn
Thng bo nn kh ph m hn thng bo th
Nguyn i Th
An ninh Mng
150
Tng thch th in t ca PGP

PGP bao gi cng phi gi d liu nh phn
Nhiu h thng th in t ch chp nhn vn
bn ASCII (cc k t c c)
Th in t vn ch cha vn bn c c
PGP dng gii thut c s 64 chuyn i d liu

nh phn sang cc k t ASCII c c
Mi 3 byte nh phn chuyn thnh 4 k t c c
Hiu ng ph ca vic chuyn i l kch thc

thng bo tng ln 33%
Nhng c thao tc nn b li
Nguyn i Th
An ninh Mng
151
Bng chuyn i c s 64
Nguyn i Th
An ninh Mng
152
Phn v ghp ca PGP

Cc giao thc th in t thng hn ch
di ti a ca thng bo
V d thng l 50 KB
PGP phn thng bo qu ln thnh nhiu thng

bo nh
Vic phn on thng bo thc hin sau tt c
cc cng on khc
Bn nhn s ghp cc thng bo nh trc khi
thc hin cc cng on khc
Nguyn i Th
An ninh Mng
153
S x l PGP
Nguyn i Th
An ninh Mng
154
Kha phin PGP

Cn s dng mt kha phin cho mi thng bo
di 56 bit vi DES, 128 bit vi CAST-128 v IDEA,
168 bit vi 3DES
Cch thc sinh kha phin cho CAST-128

S dng chnh CAST-128 theo phng thc CBC
T mt kha 128 bit v 2 khi nguyn bn 64 bit sinh
ra 2 khi bn m 64 bit to thnh kha phin 128 bit
Hai khi nguyn bn u vo c sinh ngu nhin
da vo chui cc phm g t ngi dng
Kha u vo c sinh t cc khi nguyn bn u
vo v kha phin u ra trc
Nguyn i Th
An ninh Mng
155
Kha cng khai/kha ring PGP

Ngi dng c th c nhiu cp kha cng
khai/kha ring
Nhu cu thay i cp kha hin thi
Giao tip vi nhiu nhm i tc khc nhau
Hn ch lng thng tin m ha vi mi kha nng
cao an ton
Cn ch ra kha cng khai no c s dng

m ha kha phin
Cn ch ra ch k ca bn gi tng ng vi
kha cng khai no
Nguyn i Th
An ninh Mng
156
nh danh kha cng khai PGP

ch ra m cng khai no c s dng c
th truyn kha cng khai cng vi thng bo
Khng hiu qu
Kha cng khai RSA c th di hng trm ch s thp phn
nh danh gn vi mi kha cng khai l 64 bit

trng s nh nht ca n
ID ca KUa = KUa mod 264
Xc sut cao l mi kha cng khai c mt nh danh
duy nht
Nguyn i Th
An ninh Mng
157
Khun dng thng bo PGP
Nguyn i Th
An ninh Mng
158
Vng kha PGP

Mi ngi dng PGP c hai vng kha
Vng kha ring cha cc cp kha cng khai/kha
ring ca ngi dng hin thi
C th c ch mc bi nh danh kha cng khai (Key ID)
hoc nh danh ngi dng (User ID)
Kha ring c m ha s dng kha l gi tr bm ca mt
khu nhp trc tip t ngi dng
Vng kha cng khai cha cc kha cng khai ca

nhng ngi dng quen bit vi ngi dng hin thi
C th c ch mc bi nh danh kha cng khai hoc nh
danh ngi dng
Nguyn i Th
An ninh Mng
159
Cu trc cc vng kha PGP
Nguyn i Th
An ninh Mng
160
S to thng bo PGP
Nguyn i Th
An ninh Mng
161
S nhn thng bo PGP
Nguyn i Th
An ninh Mng
162
Qun l kha PGP

Thay v da trn cc CA (c quan chng thc),
i vi PGP mi ngi dng l mt CA
C th k cho nhng ngi dng quen bit trc tip
To nn mt mng li tin cy
Tin cc kha c chnh bn thn k
C th tin cc kha nhng ngi dng khc k nu
c mt chui cc ch k ti chng
Mi kha c mt ch s tin cy
Cc ngi dng c th thu hi kha ca h
Nguyn i Th
An ninh Mng
163
M hnh tin cy PGP (1)

Vi mi kha cng khai ngi dng n nh
tin cy vo ch nhn ca n trong trng
Owner trust
Gi tr ultimate trust c t ng gn nu kha cng
khai c trong vng kha ring
Gi tr ngi dng c th gn l unknown, untrusted,
marginally trusted, hay completely trusted
Gi tr cc trng Signature trust c sao

chp t cc trng Owner trust tng ng
Nu khng c th c gn gi tr unknown user
Nguyn i Th
An ninh Mng
164
M hnh tin cy PGP (2)

Xc nh gi tr ca trng Key legitimacy
Nu kha cng khai c t nht mt ch k vi gi tr
Signature trust l ultimate th Key legitimacy l
ultimate
Nu khng, Key legitimacy c tnh bng tng c
trng s cc gi tr Signature trust
Cc ch k completely trusted c trng s l 1/X

Cc ch k marginally trusted c trng s l 1/Y
X v Y l cc tham s do ngi dng xc nh
Nu tng s t hoc vt ngng 1 th Key legitimacy
c gn gi tr complete
Nguyn i Th
An ninh Mng
165
V d m hnh tin cy PGP
Nguyn i Th
An ninh Mng
166
Thu hi kha cng khai

L do thu hi kha cng khai
ch th bit nguyn bn kha ring
ch th bit bn m kha ring v mt khu
Trnh s dng cng mt kha trong mt thi gian di
Quy trnh thu hi kha cng khai

Ch s hu pht hnh chng thc thu hi kha
Cng khun dng nh chng thc bnh thng nhng bao
gm ch du thu hi kha cng khai
Chng thc c k vi kha ring tng ng kha cng
khai cn thu hi
Mau chng pht tn chng thc mt cch rng ri

cc i tc kp thi cp nht vng kha cng khai
Nguyn i Th
An ninh Mng
167
S/MIME
Nng cp t chun khun dng th in t MIME
c thm tnh nng an ninh thng tin
MIME khc phc nhng hn ch ca SMTP
(Simple Mail Transfer Protocol)
Khng truyn c file nh phn (chng trnh, nh,...)

Ch gi c cc k t ASCII 7 bit
Khng nhn thng bo vt qu kch thc cho php
...
S/MIME c xu hng tr thnh chun cng

nghip s dng trong thng mi v hnh chnh
PGP dng cho c nhn
Nguyn i Th
An ninh Mng
168
Cc chc nng ca S/MIME

Bao bc d liu
M ha ni dung thng bo v cc kha lin quan
K d liu
Ch k s to thnh nh m ha thng tin tng hp
thng bo s dng kha ring ca ngi k
Thng bo v ch k s c chuyn i c s 64
K v nguyn d liu
Ch ch k s c chuyn i c s 64
K v bao bc d liu
Kt hp k v bao bc d liu
Nguyn i Th
An ninh Mng
169
X l chng thc S/MIME

S/MIME s dng cc chng thc kha cng
khai theo X.509 v3
Phng thc qun l kha lai ghp gia cu
trc phn cp CA theo ng X.509 v mng li
tin cy ca PGP
Mi ngi dng c mt danh sch cc kha ca
bn thn, danh sch cc kha tin cy v danh
sch thu hi chng thc
Chng thc phi c k bi CA tin cy
Nguyn i Th
An ninh Mng
170
Chng 7
AN TON IP
Nguyn i Th
An ninh Mng
171
Gii thiu
L do cn IPSec
C nhng vn an ninh cn gii quyt mc thp
hn tng ng dng
c bit cc hnh thc tn cng tng IP rt ph bin nh gi
mo IP, xem trm gi tin
An ninh mc IP s m bo an ninh cho tt c cc

ng dng
Bao gm nhiu ng dng cha c tnh nng an ninh
Cc c ch an ninh ca IPSec
Xc thc
Bo mt
Qun l kha
Nguyn i Th
An ninh Mng
172
Cc ng dng ca IPSec
Xy dng mng ring o an ton trn Internet
Tit kim chi ph thit lp v qun l mng ring
Truy nhp t xa an ton thng qua Internet

Tit kim chi ph i li
Giao tip an ton vi cc i tc

m bo xc thc, bo mt v cung cp c ch trao
i kha
Tng cng an ninh thng mi in t

H tr thm cho cc giao thc an ninh c sn ca
cc ng dng Web v thng mi in t
Nguyn i Th
An ninh Mng
173
Minh ha ng dng IPSec
Nguyn i Th
An ninh Mng
174
ch li ca IPSec
Ti tng la hoc b nh tuyn, IPSec m
bo an ninh cho mi lung thng tin vt bin
Ti tng la, IPSec ngn chn thm nhp tri
php t Internet vo
IPSec nm di tng giao vn, do vy trong
sut vi cc ng dng
IPSec c th trong sut vi ngi dng cui
IPSec c th p dng cho ngi dng n l
IPSec bo v an ninh kin trc nh tuyn
Nguyn i Th
An ninh Mng
175
Kin trc an ninh IP

c t IPSec kh phc tp
nh ngha trong nhiu ti liu
Bao gm RFC 2401 (tng quan kin trc), RFC 2402
(m t m rng xc thc), RFC 2406 (m t m rng
m ha), RFC 2408 (c t kh nng trao i kha)
Cc ti liu khc c chia thnh 7 nhm
Vic h tr IPSec l bt buc i vi IPv6, ty

chn i vi IPv4
IPSec c ci t nh cc phn u m rng
sau phn u IP
Phn u m rng cho xc thc l AH
Phn u m rng cho m ha l ESP
Nguyn i Th
An ninh Mng
176
Tng quan ti liu IPSec
Nguyn i Th
An ninh Mng
177
Cc dch v IPSec
Bao gm
iu khin truy nhp

Ton vn phi kt ni
Xc thc ngun gc d liu
T chi cc gi tin lp
Mt hnh thc ca ton vn th t b phn
Bo mt (m ha)
Bo mt lung tin hu hn
S dng mt trong hai giao thc

Giao thc xc thc (ng vi AH)
Giao thc xc thc/m ha (ng vi ESP)
Nguyn i Th
An ninh Mng
178
Quan h giao thc dch v IPSec
Nguyn i Th
An ninh Mng
179
Cc lin kt an ninh
Khi nim lin kt an ninh (SA)
Quan h mt chiu t bn gi n bn nhn, cho bit
cc dch v an ninh p dng cho thng tin lu chuyn
Mi SA c xc nh duy nht bi 3 tham s

Ch mc cc tham s an ninh (SPI)
Ch c ngha cc b
Cho php bn nhn chn SA tng ng x l gi tin
a ch IP ch
Hin ch cho php a ch n pht
nh danh giao thc an ninh

Ch ra y l AH hay ESP
Nguyn i Th
An ninh Mng
180
Cc tham s SA
IPSec c ci t km theo CSDL lin kt an
ninh (SAD)
Cc tham s lin kt an ninh
B m s th t
C trn s th t
Ca s chng lp li
Thng tin AH
Thng tin ESP
Tui th lin kt an ninh
Ch giao thc IPSec
MTU ng dn
Nguyn i Th
An ninh Mng
181
Cc chn lc SA
IPSec cho php mt lung IP gi i phi p dng
nhiu SA kt hp hoc min tr
Cch thc gn kt lung IP vi cc SA c nh
ngha trong CSDL chnh sch an ninh (SPD)
Nhiu mc SPD c th gn vi cng mt SA
Mt mc SPD c th gn vi nhiu SA
Mi mc SPD c cc chn lc lung IP nh sau
a ch IP ch
a ch IP ngun
nh danh ngi dng
Mc nhy cm d liu
Giao thc tng giao vn
Cc cng ngun v ch
Nguyn i Th
An ninh Mng
182
Phn u xc thc
m bo ton vn v xc thc cc gi IP
Cho php mt h thng u cui hay mt thit b
mng xc thc ngi dng hoc ng dng
Trnh gi mo a ch
Chng li hnh thc tn cng lp li
S dng m xc thc thng bo

Bn gi v bn nhn phi c mt kha b mt
dng chung
Nguyn i Th
An ninh Mng
183
Khun dng AH
Nguyn i Th
An ninh Mng
184
Dch v chng lp li
Bn gi
Khi to b m s th t gi tr 0
Mi ln gi mt gi tin mi tng b m ln 1 v t
gi tr b m vo trng s th t ca gi tin
Nu b m t ti 232 1 th kt thc SA hin thi
Bn nhn
Ci t mt ca s chng lp li di W, vi tn
cng bn phi l s th t N ln nht nhn c
Nu gi tin nm trong ca s, mi, v MAC hp l th
tng ng c nh du
Nu gi tin nm bn phi ca s, mi, v MAC hp l th
dch ca s v tn cng bn phi mi v nh du
Nguyn i Th
An ninh Mng
185
Minh ha chng lp li
Nguyn i Th
An ninh Mng
186
Ch giao vn v ng hm
Nguyn i Th
An ninh Mng
187
Phn u ESP
m bo bo mt ni dung v bo mt lung tin
hu hn
C th cung cp cc dch v xc thc ging nh
vi AH
Cho php s dng nhiu gii thut m ha,
phng thc m ha, v cch n khc nhau
DES, 3DES, RC5, IDEA, CAST,...
CBC,...
n cho trn kch thc khi, kch thc trng, che
du lu lng lung tin
Nguyn i Th
An ninh Mng
188
Khun dng ESP
Nguyn i Th
An ninh Mng
189
Giao vn v ng hm ESP
Ch giao vn ESP dng m ha v c th
c thm chc nng xc thc d liu IP
Ch m ha d liu khng m ha phn u
D b phn tch lu lng
p dng cho truyn ti gia hai im cui
Ch ng hm m ha ton b gi tin IP
Phi b xung phn u mi cho mi bc chuyn
p dng cho cc mng ring o, truyn ti thng qua
cu ni
Nguyn i Th
An ninh Mng
190
Kt hp cc lin kt an ninh
Mi SA ch c th ci t mt trong hai giao thc
AH v ESP
ci t c hai cn kt hp cc SA vi nhau
To thnh mt gi lin kt an ninh
C th kt thc ti cc im cui khc nhau hoc
ging nhau
Kt hp theo 2 cch
Gn vi giao vn
To ng hm theo nhiu bc
Cn xem xt th t xc thc v m ha
Nguyn i Th
An ninh Mng
191
V d kt hp cc SA
Nguyn i Th
An ninh Mng
192
Qun l kha
C chc nng sn sinh v phn phi kha
Hai bn giao tip vi nhau ni chung cn 4 kha
Mi chiu cn 2 kha: 1 cho AH, 1 cho ESP
Hai ch qun l kha

Th cng
Qun tr h thng khai bo cc kha khi thit lp cu hnh
Thch hp vi cc mi trng nh v tng i tnh
T ng
Cho php to kha theo yu cu cho cc SA
Thch hp vi cc h phn tn ln c cu hnh lun thay i
Gm cc thnh phn Oakley v ISAKMP
Nguyn i Th
An ninh Mng
193
Oakley
L mt giao thc trao i kha da trn gii
thut Diffie-Hellman
Bao gm mt s ci tin quan trng
S dng cookie ngn tn cng gy qu ti
Cookie cn ph thuc vo cc bn giao tip, khng th sinh
ra bi mt bn khc vi bn sinh cookie, c th sinh v kim
tra mt cch nhanh chng
H tr vic s dng cc nhm vi cc tham s DiffieHellman khc nhau

S dng cc gi tr nonce chng tn cng lp li
Xc thc cc trao i Diffie-Hellman chng tn
cng ngi gia
Nguyn i Th
An ninh Mng
194
ISAKMP
Vit tt ca Internet Security Association and
Key Management Protocol
Cung cp mt c cu cho vic qun l kha
nh ngha cc th tc v cc khun dng thng
bo cho vic thit lp, tha thun, sa i, v
hy b cc lin kt an ninh
c lp vi giao thc trao i kha, gii thut
m ha, v phng php xc thc
Nguyn i Th
An ninh Mng
195
Cc khun dng ISAKMP
Nguyn i Th
An ninh Mng
196
Chng 8
AN TON WEB
Nguyn i Th
An ninh Mng
197
Vn an ninh Web (1)

Web c s dng rng ri bi cc cng ty, t
chc, v cc c nhn
Cc vn c trng i vi an ninh Web
Web d b tn cng theo c hai chiu
Tn cng Web server s gy tn hi n danh ting
v tin bc ca cng ty
Cc phn mm Web thng cha nhiu li an ninh
Web server c th b khai thc lm cn c tn
cng vo h thng my tnh ca mt t chc
Ngi dng thiu cng c v kin thc i ph vi
cc him ha an ninh
Nguyn i Th
An ninh Mng
198
Vn an ninh Web (2)

Cc him ha i vi an ninh Web
Tnh ton vn
Tnh bo mt
T chi dch v
Xc thc
Cc bin php an ninh Web
Nguyn i Th
An ninh Mng
199
SSL
L mt dch v an ninh tng giao vn
Do Netscape khi xng
Phin bn 3 c cng b di dng bn tho
Internet
Tr thnh chun TLS
Phin bn u tin ca TLS SSLv3.1 tng thch
ngc vi SSLv3
S dng TCP cung cp dch v an ninh t

u cui ti u cui
Gm 2 tng giao thc
Nguyn i Th
An ninh Mng
200
M hnh phn tng SSL
Nguyn i Th
An ninh Mng
201
Kin trc SSL (1)

Kt ni SSL
Lin kt giao tip t im nt ti im nt

Mang tnh nht thi
Gn vi mt phin giao tc
Cc tham s xc nh trng thi kt ni
Cc s ngu nhin chn bi server v client

Kha MAC ca server
Kha MAC ca client
Kha m ha ca server
Kha m ha client
Cc vector khi to
Cc s th t
Nguyn i Th
An ninh Mng
202
Kin trc SSL (2)

Phin SSL
Lin kt gia client v server

To lp nh giao thc bt tay
C th bao gm nhiu kt ni
Xc lp mt tp cc tham s an ninh s dng bi tt
c cc kt ni trong phin giao tc
nh danh phin
Chng thc im nt
Phng php nn
c t m ha
Kha b mt ch
C c th tip tc hay khng
Nguyn i Th
An ninh Mng
203
Giao thc bn ghi SSL

Cung cp cc dch v bo mt v xc thc
Kha b mt chung do giao thc bt tay xc lp
Nguyn i Th
An ninh Mng
204
Khun dng bn ghi SSL
Nguyn i Th
An ninh Mng
205
Giao thc i c t m ha SSL

Mt trong ba giao thc chuyn dng SSL s
dng giao thc bn ghi SSL
Ch gm mt thng bo cha mt byte d liu
c gi tr l 1
Khin cho trng thi treo tr thnh trng thi
hin thi
Cp nht c t m ha cho kt ni
Nguyn i Th
An ninh Mng
206
Giao thc bo ng SSL

Dng chuyn ti cc bo ng lin quan n
SSL ti cc thc th im nt
Mi thng bo gm 2 byte
Byte th nht ch mc nghim trng
Cnh bo : c gi tr l 1
Tai ha : c gi tr l 2
Byte th hai ch ni dung bo ng

Tai ha : unexpected_message, bad_record_mac,
decompression_failure, handshake_failure, illegal_parameter
Cnh bo : close_notify, no_certificate, bad_certificate,
unsupported_certificate, certificate_revoked,
certificate_expired, certificate_unknown
Nguyn i Th
An ninh Mng
207
Giao thc bt tay SSL

Cho php server v client
Xc thc ln nhau
Tha thun cc gii thut m ha v MAC
Tha thun cc kha mt m s c s dng
Gm mt chui cc thng bo trao i gia

client v server
Mi thng bo gm 3 trng
Kiu (1 byte)
di (3 byte)
Ni dung ( 0 byte)
Nguyn i Th
An ninh Mng
208
TLS
L phin bn chun Internet ca SSL
M t trong RFC 2246 rt ging vi SSLv3
Mt s khc bit nh so vi SSLv3
S phin bn trong khun dng bn ghi SSL
S dng HMAC tnh MAC
S dng hm gi ngu nhin khai trin cc gi
tr b mt
C thm mt s m bo ng
Khng h tr Fortezza
Thay i trong trao i chng thc
Thay i trong vic s dng d liu m
Nguyn i Th
An ninh Mng
209

Anninhmang K13 MTT

Enviado por

Dados do documento

Título original

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

Anninhmang K13 MTT

Enviado por

Direitos autorais:

Formatos disponíveis

I HC QUC GIA H NI

TRNG I HC CNG NGH

Khoa Cng ngh Thng tin

T khi c cc phng tin truyn thng v mng

An ninh lin mng

m bo an ninh thng tin

Kin trc an ninh OSI

Theo RFC 2828

Cc dch v an ninh X.800

iu khin truy nhp

Gi danh mt thc th khc

M hnh an ninh mng

M hnh an ninh mng

M hnh an ninh truy nhp mng

Knh truy nhp

M hnh an ninh truy nhp mng

Cc h thng my tnh ng tin cy c th dng

L k thut m ha duy nht trc nhng nm 70

M ha kha cng khai (bt i xng)

Cng b chnh thc nm 1976

Mt s cch phn loi khc

Theo phng thc chuyn i

Kha b mt dng chung

Gii thut gii m

An ninh ph thuc vo s b mt ca kha,

Thi gian tm kim trung bnh

Thi gian cn thit

232 = 4,3 x 109

231 s = 35,8 pht

Kha DES di 56 bit

Thi gian cn thit

An ninh tnh ton

Thc t tha mn hai iu kin

V d : M ha "meet me after class" vi k = 3

Khai thc nhng nhc im ca gii thut

Pht minh bi Charles Wheatstone vo nm

Nu 2 ch ging nhau, tch ra bi 1 ch in thm

Tng c qun i Anh, M s dng rng ri

Kt hp 26 h Ceasar (bc dch chuyn 0 - 25)

Khai thc nhng nhc im ca gii thut

Vn c th s dng k thut thng k ph m

Vit cc ch ci theo hng vo 1 s ct nht nh

Ging nh thay th cc k t rt ln ( 64 bit)

an xen cc chc nng

Lu : Hp S c tnh thun nghch

Lu : Hp P c tnh thun nghch

Nguyn bn (2w bit)

Gii thut sinh m con

nh hng n ci t v phn tch

Ti mi vng kt qu u ra chnh l cc d liu

Gii thut m ha DES

Nguyn bn (64 bit)

giao hon thun

dch vng tri

dch vng tri

dch vng tri

Vn cn phi nhn bit c nguyn bn

di kha thc t l 168 bit

V sao 3 ln : trnh tn cng "gp nhau gia"

Chun m ha tin tin

Cc h m ha khi khc (1)

Khi 64 bit, kha 32-448 bit (ngm nh 128 bit), 16 vng

Cc h m ha khi khc (2)