
Research and construction of a PKI system and application of digital signatures in enterprises

Lê Quang Minh, Academy of Cryptography Techniques

TABLE OF CONTENTS

Table of contents (p. 1)
List of abbreviations (p. 4)
List of figures (p. 5)
Preface (p. 8)
Chapter I: Public-key cryptography and digital signatures (p. 10)
  1. Public-key cryptography (p. 10)
    1.1 Concept (p. 10)
    1.2 Algorithms used in public-key cryptography (p. 11)
      1.2.1 The RSA algorithm (p. 11)
      1.2.2 The Diffie-Hellman key agreement algorithm (p. 11)
  2. The RSA algorithm (p. 11)
    2.1 Operation (p. 11)
    2.2 Creating a digital signature for a document (p. 13)
    2.3 Issues arising in practice (p. 13)
      2.3.1 Security (p. 13)
      2.3.2 The key generation process (p. 13)
      2.3.3 Speed (p. 14)
      2.3.4 Key distribution (p. 14)
  3. Digital signatures (p. 14)
    3.1 Definition (p. 14)
    3.2 Advantages of digital signatures (p. 15)
      3.2.1 Ability to determine origin (p. 15)
      3.2.2 Integrity (p. 15)
      3.2.3 Non-repudiation (p. 15)
    3.3 The digital signature process (p. 16)
Chapter II: Overview of the public key infrastructure PKI (p. 17)
  1. Concept (p. 17)
  2. Concepts in PKI (p. 20)
    2.1 Digital certificates (p. 20)
      2.1.1 Basic fields of an X.509 certificate (p. 21)
      2.1.2 Extension fields of an X.509 certificate (p. 22)
    2.2 Certificate repository (p. 25)
    2.3 Certificate revocation (p. 25)
    2.4 Publishing and sending certificate revocation notices (p. 28)
    2.5 Backup (p. 29)
    2.6 Automatic key update (p. 29)
    2.7 Key history (p. 30)
    2.8 Cross-certificates (p. 30)
    2.9 Non-repudiation support (p. 31)
    2.10 Timestamps (p. 31)
    2.11 Client-side software (p. 31)
    2.12 Policies (p. 32)
  3. Components of a PKI system (p. 33)
    3.1 Certification Authority (p. 34)
    3.2 Registration Authorities (p. 35)
    3.3 End Entity (p. 36)
    3.4 Certificate Repository (p. 36)
    3.5 Certificate Policy (p. 37)
    3.6 Certificate Practices Statement (p. 38)
    3.7 Hardware Security Module (p. 38)
  4. Functions of a PKI system (p. 38)
    4.1 Certification (p. 38)
    4.2 Validation (p. 39)
    4.3 Other functions (p. 39)
  5. Objectives of a PKI system (p. 43)
Chapter III: Building a PKI system with OpenCA (p. 46)
  1. Introduction to the OpenCA project (p. 46)
  2. The PKI system model (p. 47)
  3. Installation and configuration steps (p. 49)
    3.1 Installing and configuring the RootCA (p. 49)
      3.1.1 Installation (p. 49)
      3.1.2 Configuration (p. 50)
        3.1.2.1 Initializing the CA (p. 52)
        3.1.2.2 Creating the administrator's certificate (p. 57)
        3.1.2.3 Creating the RA Server's certificate (p. 61)
    3.2 Installing and configuring the SubCA (p. 64)
      3.2.1 Installation (p. 64)
      3.2.2 Configuration (p. 64)
    3.3 Installing and configuring the RA (p. 65)
      3.3.1 Installation (p. 65)
      3.3.2 Configuration (p. 65)
Chapter IV: Applications of digital signatures (p. 67)
  1. Applications of digital signatures (p. 67)
  2. The current state of digital signature adoption in Vietnam (p. 79)
References (p. 84)

LIST OF ABBREVIATIONS

AC: Attribute Certificate
CA: Certification Authority
CP: Certificate Policy
CPS: Certificate Practices Statement
CR: Certificate Repository
CRL: Certificate Revocation List
HSM: Hardware Security Module
PKC: Public Key Certificate
PKI: Public Key Infrastructure
PGP: Pretty Good Privacy
RA: Registration Authority
VPN: Virtual Private Network


LIST OF FIGURES

Figure 1: Diagram of digital signature creation and verification (p. 16)
Figure 2: Contents of an X.509 certificate (p. 21)
Figure 3: CRL information (p. 27)
Figure 4: A revoked certificate (p. 27)
Figure 5: Certificate policies (p. 33)
Figure 6: Components of a PKI (p. 34)
Figure 7: Cross-certificate path (p. 43)
Figure 8: PKI architecture (p. 47)
Figure 9: RootCA management and configuration interface (p. 51)
Figure 10: The three steps to set up the CA (p. 51)
Figure 11: Initializing the database, generating keys, creating certificates, etc. (p. 52)
Figure 12: Generating the CA's private key (p. 53)
Figure 13: The CA's private key (p. 53)
Figure 14: Creating the CA certificate request (p. 54)
Figure 15: Contents of the certificate request (p. 54)
Figure 16: Selecting Self Signed CA Certificate (p. 55)
Figure 17: The CA's certificate (p. 56)
Figure 18: Rebuilding the CA certificate chain (p. 56)
Figure 19: Creating the administrator's certificate (p. 57)
Figure 20: Entering basic information (p. 57)
Figure 21: Certificate request details (p. 58)
Figure 22: Entering the PIN (p. 58)
Figure 23: User agreement (p. 59)
Figure 24: Creating the request (p. 59)
Figure 25: Issuing the certificate (p. 60)
Figure 26: The administrator's certificate (p. 60)
Figure 27: Downloading the certificate to the machine (p. 61)
Figure 28: Creating the certificate for the RA server (p. 61)
Figure 29: Filling in basic information (p. 62)
Figure 30: Certificate request details (p. 62)
Figure 31: Entering the PIN (p. 63)
Figure 32: Certificate request for the RA server (p. 63)
Figure 33: Issuing the certificate for the RA server (p. 64)
Figure 34: Install Certificate (p. 69)
Figure 35: A user requesting a certificate (p. 69)
Figure 36: Selecting Browser Certificate Request (p. 69)
Figure 37: Entering basic information (p. 70)
Figure 38: Selecting the certificate type, security level, etc. (p. 71)
Figure 39: Selecting signing and entering the PIN (p. 71)
Figure 40: Generating the user's private key (p. 72)
Figure 41: The user's certificate request (p. 72)
Figure 42: The RA signs the user's request (p. 73)
Figure 43: The request has been signed (p. 73)
Figure 44: The CA receives the user's request from the RA (p. 73)
Figure 45: The CA approves issuing the certificate to the user (p. 74)
Figure 46: The user's certificate has been issued (p. 74)
Figure 47: List of issued certificates (p. 75)
Figure 48: The user's certificate information (p. 75)
Figure 49: The user downloads the certificate (p. 76)
Figure 50: Using the certificate to protect email (p. 77)
Figure 51: Sending an email with a digital signature (p. 77)
Figure 52: The user's private key (p. 78)
Figure 53: The email is encrypted when it reaches the recipient (p. 79)
Figure 54: The decrypted email contents (p. 79)

PREFACE

Today, communication over the Internet is becoming an urgent need. All kinds of information are transmitted over the Internet: electronic mail, visits to websites, connections between offices, contact with customers, use of banking services and electronic transactions, and so on. The information sent over the network is highly important, such as account numbers and confidential data. However, with increasingly sophisticated techniques, the risk of information being stolen over the network is also growing. At present, communication over the Internet still relies mainly on the TCP/IP protocol. This protocol allows information to be sent from one computer to another through a series of intermediate machines or separate networks, and it is precisely this that gives high-tech thieves the opportunity to carry out illegal actions. Information sent over the network can be eavesdropped on (Eavesdropping), altered (Tampering), or sent under a false identity (Impersonation). The lack of security for information in transit makes many people hesitant to use the Internet for financial applications, banking transactions, buying and selling, and the transmission of economic and political information. Current security measures such as passwords offer no guarantee, because they can be eavesdropped on or guessed quickly. The measures proposed to protect information all aim to meet three requirements: confidentiality, authentication and integrity of information. For confidentiality, information sent over the Internet now tends to be encrypted. Before sending it over the Internet, the sender encrypts the information, so that even if it is intercepted in transit a thief cannot read it because it is encrypted. On arrival, the recipient uses a special tool to decrypt it. The safe and reliable method today is to sign the data that is sent. The signature used here is not an ordinary handwritten signature but a digital signature. With digital signatures, users can encrypt data, prevent forgery, authenticate, and prevent repudiation of the origin of data. Digital signatures use cryptographic techniques to bind each user to a public-private key pair, through which electronic documents can be signed.

To use digital signatures, there must be an organization that issues and manages the cryptographic key pairs, and an infrastructure must be built to distribute these keys. Today the public key infrastructure (Public Key Infrastructure, abbreviated PKI), together with its standards and application technologies, can be regarded as a comprehensive and independent solution for ensuring that information exchange over public networks is secure. Because of limits of time and knowledge, this thesis only goes into digital signatures, digital certificates and PKI systems, and on that basis builds a sample PKI system model with all the functional components. Finally, it applies digital signatures to the operations of an enterprise. In carrying out this thesis I received dedicated guidance from the teachers of the Faculty of Information Security, especially MSc. Nguyễn Thanh Sơn of the Faculty of Cryptography. However, since this was my first such undertaking and I lack practical experience, mistakes are unavoidable. I therefore hope to receive the teachers' comments so that the graduation thesis can be completed well. My sincere thanks!

Hanoi, 9 June 2011. Student: Lê Quang Minh

Chapter I: PUBLIC-KEY CRYPTOGRAPHY AND DIGITAL SIGNATURES

1. Public-key cryptography

1.1 Concept
Public-key cryptography is a form of cryptography that allows users to exchange confidential information without having to exchange a shared secret key beforehand. This is done by using a pair of mathematically related keys called the public key and the private key (or the shared key and the personal key). The main problem of symmetric-key cryptosystems is key management, and public-key cryptosystems were proposed as the solution to this problem. In public-key cryptography the private key must be kept secret while the public key is distributed openly. Of the two keys, one is used for encryption and the other for decryption. What matters for the system is that the private key cannot be derived from knowledge of the public key alone. A public-key cryptosystem can be used for the following purposes:
- Encryption: keeping information secret so that only the holder of the private key can decrypt it.
- Digital signatures: allowing verification of whether a document was created with a particular private key.
- Key agreement: allowing the establishment of a key for exchanging confidential information between two parties.
Public-key techniques generally require more computation than symmetric-key techniques, but the benefits they bring have led to public-key cryptography being adopted in many applications.

1.2 Algorithms used in public-key cryptography
1.2.1 The RSA algorithm
In cryptography, RSA is a public-key encryption algorithm. It was the first algorithm suitable for both creating electronic signatures and performing encryption, and it marked a major advance in the use of public keys in the field of cryptography. RSA is widely used in electronic commerce and is considered secure provided the key length is sufficiently large. However, RSA is considerably slower than DES and other symmetric encryption algorithms. In practice, a symmetric algorithm is used to encrypt the document to be sent, and RSA is used only to encrypt the decryption key.
1.2.2 The Diffie-Hellman key agreement algorithm
This was the first public-key scheme. However, it is not a true public-key encryption scheme but is used only for key exchange. Secret keys are exchanged using trusted private intermediate stations. The method allows secret keys to be transmitted securely through insecure environments. The security of Diffie-Hellman key exchange rests on the fact that modular exponentiation modulo a prime is easy to compute, while the discrete logarithm is very hard.
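As an added illustration of the Diffie-Hellman exchange just described (example code written for this page, not code from the thesis), the following Python runs both sides of the exchange: each party publishes g^x mod p, raises the other party's value to its own secret exponent, and hashes the resulting shared value into a symmetric key. The prime P and generator G are toy values chosen here for readability, and SHA-256 is an assumed choice of key-derivation hash; real deployments use standardized groups of at least 2048 bits.

```python
import hashlib
import secrets

# Toy group parameters chosen for this example (P = 2^31 - 1 is prime).
# Real deployments use standardized groups of 2048 bits or more.
P = 2147483647
G = 7


def dh_public(private: int, p: int = P, g: int = G) -> int:
    """The easy direction: modular exponentiation g^private mod p."""
    return pow(g, private, p)


def dh_shared(their_public: int, my_private: int, p: int = P) -> int:
    """Raise the peer's public value to my private exponent.

    Values 0, 1 and p-1 are rejected: a peer sending them would force the
    shared secret into a trivial set regardless of my private exponent.
    """
    if not 1 < their_public < p - 1:
        raise ValueError("invalid peer public value")
    return pow(their_public, my_private, p)


def derive_key(shared: int) -> bytes:
    """Hash the raw shared secret into a fixed-size symmetric key."""
    width = (shared.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(width, "big")).digest()


def dh_exchange(alice_private: int, bob_private: int) -> tuple:
    """Run both sides of the exchange and return the two derived keys."""
    alice_public = dh_public(alice_private)   # sent to Bob over the open channel
    bob_public = dh_public(bob_private)       # sent to Alice over the open channel
    key_alice = derive_key(dh_shared(bob_public, alice_private))
    key_bob = derive_key(dh_shared(alice_public, bob_private))
    return key_alice, key_bob


if __name__ == "__main__":
    a = secrets.randbelow(P - 3) + 2
    b = secrets.randbelow(P - 3) + 2
    ka, kb = dh_exchange(a, b)
    print("shared keys match:", ka == kb)
```

Only the two public values cross the channel; the keys agree because (g^b)^a and (g^a)^b are the same element mod p. Note that nothing in this exchange tells Alice who sent her the value she received, which is the man-in-the-middle problem that the certificate machinery in section 2.3.4 and Chapter II exists to solve.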

2. The RSA algorithm

2.1 Operation
The RSA algorithm has two keys: a public key and a private key. Each key is a fixed set of numbers used in the encryption and decryption processes. The public key is published openly for everyone and is used for encryption. Information encrypted with the public key can only be decrypted with the corresponding private key. In other words, anyone can encrypt, but only the holder of the private key can decrypt.


Suppose Alice and Bob need to exchange secret information over an insecure channel such as the Internet. With RSA, Alice first has to create a public-private key pair for herself by the following steps:
1. Choose two large primes p and q, with p ≠ q, chosen randomly and independently.
2. Compute n = p·q.
3. Compute the value of Euler's function […]
4. Choose a natural number e such that […] is coprime with […]
5. Compute d such that […]
The public key then consists of n (the modulus) and e (the public exponent). The private key consists of n (the modulus) and d (the private exponent). Alice sends the public key to Bob and keeps the private key for herself. Suppose Bob wants to send a message M to Alice. First Bob converts M into a number m < n by a reversible function agreed in advance (so that M can be recovered from m). Bob now has m and knows n and e (sent by Alice). Bob computes c, the ciphertext of m, by the formula […]. Finally Bob sends c to Alice. Alice receives c from Bob and knows her private key d. Alice can recover m from c by the following formula: […]. Knowing m, Alice recovers M by the method agreed in advance. Decryption works because we have […]. Since ed ≡ 1 (mod p − 1) and ed ≡ 1 (mod q − 1), […], and […] and […] are integers.

Since p and q are coprime, […]

or […]


2.2 Creating a digital signature for a document
The RSA algorithm is also used to create digital signatures for documents. Suppose Alice wants to send Bob a document bearing her signature. To do this, Alice computes a hash value of the document to be signed and raises it to the power d mod n (just as when Alice decrypts). The resulting value is the digital signature of the document. This signature is sent along with the document. When Bob receives the document together with the electronic signature, Bob raises the signature to the power e mod n and at the same time computes the hash of the document. If the two values match, Bob knows that whoever created the signature knew Alice's private key and that the document was not altered after signing.
2.3 Issues arising in practice
2.3.1 Security
The security of RSA rests on two mathematical problems: the problem of factoring large integers into primes and the RSA problem. If both problems are hard (no efficient algorithm is found to solve them), a total break of RSA is impossible. Partial breaks must be prevented by secure plaintext transformation methods. The RSA problem is the problem of computing e-th roots mod n (with n composite): find the number m such that […], where (e, n) is the public key and c is the ciphertext. Currently the most promising approach to this problem is to factor n into primes. Once this is done, the attacker obtains the private exponent d from the public key and can decrypt following the algorithm's own procedure. If the attacker finds the two primes p and q with n = p·q, the value (p − 1)(q − 1) is easily computed and from it d is determined from e.
2.3.2 The key generation process
Finding the two large primes p and q is usually done by probabilistically testing random numbers of suitable size. p and q must also be chosen not too close to each other, to guard against factoring n by Fermat's factorization method. In addition, if p − 1 or q − 1 has small prime factors then n can also be factored easily, so p and q must be tested to avoid this possibility as well. Besides this, one must avoid random number generation methods that an attacker could exploit to learn more about the choices made. The requirement here is that the chosen numbers be both random and unpredictable. One more point to emphasize is that the private key d must be sufficiently large.
2.3.3 Speed
RSA is considerably slower than DES and other symmetric encryption algorithms. In practice, Bob uses some symmetric algorithm to encrypt the document to be sent and uses RSA only to encrypt the key needed for decryption (the key is usually much shorter than the document). This approach also creates new security problems. One example is the need to generate a truly random symmetric key; otherwise, the attacker will bypass RSA and concentrate on guessing the symmetric key.
2.3.4 Key distribution
As with other encryption algorithms, the way public keys are distributed is one of the decisive factors for the security of RSA. The key distribution process must withstand man-in-the-middle attacks. The methods for countering this kind of attack usually rely on digital certificates or on components of a public key infrastructure.
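The following Python is an added worked example (not code from the thesis) that carries steps 1 to 5 of section 2.1 through in code, together with the hash-then-sign scheme of section 2.2 and the key-generation checks of section 2.3.2. The primality test is Miller-Rabin, the hash is SHA-256, the public exponent is 65537 and the key size is 512 bits; all of these are choices made for this example, and the 512-bit size is for illustration only. It follows the text in using raw (unpadded) exponentiation for both encryption and signing; production code adds a padding scheme such as OAEP or PSS on top.

```python
import hashlib
import secrets
from math import gcd

# Textbook RSA following steps 1-5 of section 2.1, with the key-generation
# checks of section 2.3.2. Raw (unpadded) encryption and signing mirror the
# text; production code adds OAEP/PSS padding on top.


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin probabilistic primality test (the 'probabilistic trial')."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:          # write n-1 = 2^r * d with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False        # a is a witness that n is composite
    return True


def random_prime(bits: int) -> int:
    """Draw odd candidates of exactly `bits` bits until one passes the test."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512, e: int = 65537):
    """Return ((e, n), (d, n)). Keys this small are for illustration only."""
    half = bits // 2
    while True:
        p, q = random_prime(half), random_prime(half)
        if p == q:
            continue
        # p and q must not be too close, or n falls to Fermat factorisation.
        if abs(p - q).bit_length() < half // 2:
            continue
        phi = (p - 1) * (q - 1)                 # Euler's totient of n
        if gcd(e, phi) != 1:                    # e must be coprime with phi
            continue
        d = pow(e, -1, phi)                     # d = e^-1 mod phi (Python 3.8+)
        if d.bit_length() < bits // 4:          # the text's "d must be large"
            continue
        return (e, p * q), (d, p * q)


def encrypt(m: int, pub) -> int:
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than n")
    return pow(m, e, n)                         # c = m^e mod n


def decrypt(c: int, priv) -> int:
    d, n = priv
    return pow(c, d, n)                         # m = c^d mod n


def hash_to_int(message: bytes, n: int) -> int:
    """Hash the document and reduce into the RSA range (section 2.2)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, priv) -> int:
    d, n = priv
    return pow(hash_to_int(message, n), d, n)   # h^d mod n, as when decrypting


def verify(message: bytes, sig: int, pub) -> bool:
    e, n = pub
    return pow(sig, e, n) == hash_to_int(message, n)   # compare h with sig^e mod n


if __name__ == "__main__":
    public, private = generate_keypair(512)
    m = int.from_bytes(b"hello Alice", "big")   # reversible encoding of M as m < n
    print("round trip ok  :", decrypt(encrypt(m, public), private) == m)
    s = sign(b"contract text", private)
    print("signature valid:", verify(b"contract text", s, public))
    print("tampered valid :", verify(b"contract text.", s, public))
```

The closeness check rejects pairs whose difference has fewer than a quarter of the modulus bits; with independently drawn primes this almost never triggers, which is the point: the check costs nothing and documents the requirement. The `d.bit_length()` check is likewise a cheap guard for the text's remark that a small private exponent is unsafe.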

3. Digital signatures
3.1 Definition
A digital signature is a subset of electronic signatures. The definition of an electronic signature can be applied to digital signatures as follows: an electronic signature is information that accompanies data (documents, images, video, and so on) for the purpose of identifying the owner of the data and ensuring its integrity. The public-key digital signature (or public key infrastructure) is a model that uses cryptographic techniques to bind each user to a public-private key pair, through which electronic documents can be signed and confidential information exchanged. The public key is usually distributed through a public key certificate. Using a digital signature involves two processes: creating the signature and verifying the signature. Although the term electronic signature is often used as a synonym for digital signature, it actually has a broader meaning: an electronic signature refers to any method (not necessarily cryptographic) for identifying the owner of an electronic document.
3.2 Advantages of digital signatures
3.2.1 Ability to determine origin
Public-key cryptosystems allow a document to be encrypted with a private key known only to the owner of the key. To use a digital signature, the document must first be processed with a hash function (the document is "hashed" into a string, usually of fixed length and shorter than the document); this value is then encrypted with the key owner's private key, giving the digital signature. To verify, the recipient decrypts with the public key to recover the original string (produced by the hash function) and compares it with the hash of the received document. If the two values match, the recipient can trust that the data came from the holder of the private key.
3.2.2 Integrity
Both parties to the communication can trust that the document was not modified in transit, because if the document were altered its hash would change and this would be detected immediately. Encryption hides the content of a message from third parties but does not prevent its content from being altered.
3.2.3 Non-repudiation
In a transaction, one party may deny having sent a particular document. To prevent this, the recipient can require the sender to attach a digital signature to the document. In case of dispute, the recipient uses this signature as evidence for a third party to settle the matter. However, the private key can still be leaked, so non-repudiation cannot be achieved completely.

3.3 The digital signature process
Digital signatures are based on public-key cryptography. To exchange information in this setting, each user has a key pair: a public key and a private key. The public key is published widely, while the private key must be kept secret, and the private key cannot be derived from the public key alone. The whole process consists of three algorithms:
- the key generation algorithm,
- the signing algorithm,
- the signature verification algorithm.

Figure 1: Diagram of digital signature creation and verification


Chapter II: OVERVIEW OF THE PUBLIC KEY INFRASTRUCTURE PKI

1. Concept
In the last few years, IT communication infrastructure has expanded steadily as users rely on it to communicate with colleagues and business partners and as customers use email over public networks. Most sensitive and important business information is stored and exchanged in electronic form. This change in enterprise communication means that administrators must take measures to protect their organizations and enterprises against fraud, interference, attack, sabotage, or the accidental disclosure of that information. The PKI infrastructure, together with its standards and application technologies, can be regarded as a comprehensive and independent solution that can be used to address these problems.
- Secure: meets the international security standard EAL4+ and supports most HSM and smart card devices.
- Scalable: based on a modern PKI architecture, designed for high availability, and able to scale easily to issue large numbers of digital certificates.
- Available: all policies, logs, certificate data and CRLs are stored in a reliable and secure database, for example Oracle, the largest and most trusted database system in the world.
- Open: designed to comply with international open standards such as X.509, PKIX, LDAP, and so on.
- Policy driven: the system can apply different policies to the registration of different types of digital certificate.
- Flexible: supports many different certificate registration methods: web, email, face-to-face, CMP, SCEP, and so on.
In cryptography, a public key infrastructure (Public Key Infrastructure, PKI) is a system that is both a standard and a technology, allowing users of an insecure public network such as the Internet to exchange information securely using a public-private key pair certified by a trusted certificate provider, the CA. A PKI is the set of hardware, software, people and procedures needed to create, store, distribute and revoke keys (certificates) based on public-key cryptography. The term public key infrastructure (PKI) is usually used for the whole system, comprising the certificate provider (Certificate Authority, CA) with its associated mechanisms, together with all use of public-key algorithms in exchanging information. The need for such a public key infrastructure dates from the late 1990s, when industry organizations and governments built common standards based on cryptographic methods to support a security infrastructure on the Internet. The goal set at that time was to build a comprehensive set of security standards, together with tools and theory, allowing users as well as organizations (businesses or non-profits) to create, store and exchange information securely in both private and public settings. Another option for distributing public key certificates within a system without a third party is the approach taken in the PGP (Pretty Good Privacy) system of NAI (Network Associates, Inc). Every member of such a system can play the role of a CA by creating and signing the public key certificate of another member they know, so no central infrastructure needs to be developed. This model works very well for a small group of people who already have relationships with one another, but it does not scale well to larger groups or to environments that demand rigor (for instance a required level of authentication before a certificate is issued). This thesis therefore focuses only on PKI architectures that use a CA for issuing, managing, revoking, etc., certificates. To this day, efforts to perfect PKI continue to be invested in and promoted. To realize this idea, standards must be researched and developed at various levels including: encryption, communication and interconnection, authentication, authorization and management. Many security standards on the Internet, such as Secure Sockets Layer/Transport Layer Security (SSL/TLS) and Virtual Private Network (VPN), are the result of the PKI initiative. The research and development of PKI is a long process, and with it user acceptance has grown rather slowly. PKI can provide a secure and comprehensive mechanism for storing and sharing intellectual assets both inside and outside the company. However, its cost and complexity can pose certain barriers to adoption. Most of an enterprise's traditional transactions with customers, government and other partners are now conducted electronically. Today, no comprehensive security solution that competes with PKI has really been found; from the standpoint of a technology solution, this makes the choice simpler. Many other vendors also provide PKI solutions, and these features, together with PKI management and interconnection capabilities, have been integrated into operating systems and related applications. PKI is the first and most complete authentication technology using encryption based on public and private keys. However, PKI also encompasses the broad application of other security services, including trusted data services, data integrity overall, and key management.


2. Concepts in PKI

2.1 Digital certificates
A digital certificate is a document that uses a digital signature to bind a public key to the identity of an entity (a person, organization, server, service, and so on). A public key certificate (Public Key Certificate, PKC) signed by its issuer with a valid signature gives full assurance of the binding between the public key, the entity that owns the key, and the set of other attributes written in the certificate. A PKC is also called a digital certificate, or simply a certificate. A certificate contains no secret information. Essentially, a certificate contains the necessary information such as the public key, the subject (the owner), the issuing party and some other information. The validity of this information is guaranteed by the issuer's digital signature. A user who wants to use a certificate first verifies the digital signature in it; if the signature is valid, the certificate can be used. There are several kinds of certificate:
- X.509 public key certificates;
- Simple Public Key Certificates;
- Pretty Good Privacy (PGP) certificates;
- Attribute Certificates (AC).
Each of these kinds of certificate has its own format. Today the X.509 public key certificate is used in most PKI systems. The X.509 certificate was first issued by the International Telecommunication Union (ITU) in 1998. It consists of two parts: the first is the basic fields that must be present in the certificate, the second contains a number of additional fields, also called extension fields. The extension fields are usually used to specify and meet additional requirements of the system.

Structure of an X.509 certificate

Figure 2: Contents of an X.509 certificate
2.1.1 Basic fields of an X.509 certificate
An X.509 certificate includes the following basic fields:
- Version: identifies the version number of the certificate.
- Certificate Serial Number: assigned by the CA; the unique identifier of the certificate.
- Signature Algorithm ID: identifies the algorithm the CA used to sign the certificate, which may be RSA or DSA.
- Issuer: identifies the CA that issued and signed the certificate.
- Validity Period: the period during which the certificate is valid. This field specifies when the certificate starts being valid and when it expires.
- Subject: identifies the entity whose public key is being certified. The subject name must be unique for each entity certified by the CA.
- Subject Public Key Information: contains the public key and related parameters; identifies the algorithm (RSA or DSA) used with the key.
- Issuer Unique ID (Optional): this optional field allows an issuer name to be reused. It is rarely used in practical deployments.
- Subject Unique ID (Optional): this optional field allows a subject name to be reused after expiry. It is also seldom used.
- Extensions (Optional): extensions, present only in version 3 certificates.
- Certification Authority's Digital Signature: the CA's digital signature, computed over the information in the certificate with the CA's private key and the signature algorithm indicated in the certificate's Signature Algorithm Identifier field.
The integrity of the certificate is guaranteed by the CA's digital signature on it. The CA's public key is distributed to certificate users through some secure mechanism before any PKI operations are performed. Users check the validity of an issued certificate using the CA's digital signature and the CA's public key.
2.1.2 Extension fields of an X.509 certificate
The extensions carry information about attributes that are needed in order to bind those attributes to a user or a public key. The information in the extensions is usually used to manage hierarchical certification, certificate policies, information on revoked certificates, and so on. Extensions can also be used to define private extensions holding information specific to a particular community. Each extension field in a certificate is marked either critical or non-critical.
- Authority Key Identifier: contains the ID of the CA's public key. This ID is unique and is used to verify the digital signature on the certificate. It is also used to distinguish between the key pairs used by a single CA (if the CA has more than one public key). This field is used for all self-signed certificates.
- Subject Key Identifier: contains the ID of the public key in the certificate and is used to distinguish between keys if several keys are bound to the same user certificate (if the subject has more than one public key).
- Key Usage: contains a bit string used to specify (or restrict) the functions or services supported through the use of the public key in the certificate.
- Extended Key Usage: contains one or more OIDs (Object Identifiers) that specify precisely how the public key in the certificate may be used. Possible values include: (1) TLS server authentication, (2) TLS client authentication, (3) code signing, (4) email protection, (5) timestamping.
- CRL Distribution Point: indicates the location of the CRL, where certificate revocation information can currently be found. It may be a URI (Uniform Resource Identifier), an X.509 address, or an LDAP server.
- Private Key Usage Period: indicates the period of use of the private key associated with the public key in the certificate.
- Certificate Policies: indicates the sequence of policy OIDs associated with the issuance and use of the certificate.
- Policy Mappings: indicates equivalent certification policies between two CA domains. It is used in establishing cross-certification and in certificate path checking. This field is present only in CA certificates.
- Subject Alternative Name: indicates alternative name forms associated with the certificate owner. Possible values are: email addresses, IP addresses, URIs.
- Issuer Alternative Name: indicates alternative name forms associated with the certificate issuer.
- Subject Directory Attributes: indicates a sequence of attributes associated with the certificate owner. This extension is not widely used; it is used to hold privilege-related information.
- Basic Constraints: indicates whether this is a CA certificate, by setting a boolean value. This field is present only in CA certificates. A CA certificate serves a number of functions and can take one of two forms. If a CA creates a certificate for its own use, it is called a self-signed CA certificate: when a new CA is set up, it creates a self-signed CA certificate with which to sign the certificates of the end users in the system. In the second form, the CA issues certificates to other CAs in the system.
- Path Length Constraint: indicates the maximum length of certificate path that may be established. A value of zero indicates that the CA may issue certificates only to end entities, not to other CAs. This field is present only in CA certificates.
- Name Constraints: used to include or exclude branches of different domains when establishing trust between PKI domains.

- Policy Constraints: used to include or exclude certain certificate policies when a trust relationship is set up between PKI domains.

2.2 Certificate repository
A certificate issued by a CA binds a public key to the identity of entity B. If entity A cannot easily locate that certificate, however, A is no better off than if the certificate had never been created. There must therefore be a large and flexible online certificate repository, placed where A can find the certificate it needs in order to communicate securely.

2.3 Certificate revocation
In some situations, such as a compromised key or a change of the holder's position or organisation, a certificate that has been issued is no longer valid. A mechanism is therefore needed that lets certificate users check the revocation status of a certificate. X.509 allows the following cases to be distinguished:
- the certificate has not been revoked;
- the certificate has been revoked by the issuing CA;
- the certificate has been revoked by an authority to which the CA delegated responsibility for revocation.
The revocation mechanism defined by X.509 is the Certificate Revocation List (CRL). X.509 distinguishes between the date and time at which the CA revoked the certificate and the date and time at which the revoked status was first published. The actual revocation date is recorded with the certificate's entry in the CRL. The publication date is placed in the CRL header when the list is issued. The location of revocation information may differ from one CA to another. The certificate itself may contain a pointer to where the revocation information can be found. A certificate user may also learn the directory, repository or

mechanism for obtaining revocation information from configuration data set up during initialisation. To remain consistent and auditable, a CA is required to:
- maintain an audit record of revoked certificates;
- provide revocation status information;
- publish CRLs on schedule even when the list is empty.
Two states of a revoked certificate are described in RFC 3280 (since superseded by RFC 5280):
- Revoked: a revoked certificate cannot be restored. A CA revokes a certificate when it was issued incorrectly, when the private key has been compromised, or when the holder has violated the policies the CA has laid down. The most common reason is that the user no longer has sole possession of the private key (the key was lost or stolen).
- Hold: this state marks a certificate as temporarily invalid, for example when the user is not sure whether the private key has been lost. If the key is found again and nobody else could have had access to it, the certificate can be taken off hold and becomes valid once more.


Figure 3: CRL information

Figure 4: A revoked certificate
The revocation reasons defined in RFC 5280 are:
- unspecified (0)
- keyCompromise (1)
- cACompromise (2)
- affiliationChanged (3)
- superseded (4)
- cessationOfOperation (5)
- certificateHold (6)
- (value 7 is not used)
- removeFromCRL (8)
- privilegeWithdrawn (9)
- aACompromise (10)

2.4 Publishing and distributing revocation notices
A certificate revocation list contains the certificates that have been revoked before the end of their validity period; a certificate that has simply expired need not remain on the list. Every certificate has a limited validity period. This is a design rule, but it used to be hard to enforce, because renewing a certificate had to be announced to everyone who relied on it. Automatic renewal ensures that expiring certificates are renewed when their period ends. For certain reasons, however, a certificate must be revoked rather than simply left to expire. This is done through the certificate revocation list mechanism. The certification authorities (CAs) normally distribute these lists to users themselves, but they may also delegate the task to another body. Normally a certificate is valid throughout its validity period, but in some cases it becomes invalid before its expiry date, for example when:

- the subject's private key has been compromised;
- information contained in the certificate has changed;
- the private key of the issuing CA has been compromised.
In these cases other users must be notified. One way to inform users of the status of a certificate is to publish a CRL periodically or when needed. Another option is to answer status queries online with the Online Certificate Status Protocol (OCSP).

2.5 Key backup and recovery
In any operating PKI, the chance that users lose or damage their private keys is high, so there must be a mechanism for backing up and recovering keys. Without the private key, recovering encrypted documents is in practice impossible. Causes include:
- Forgotten password: the user's key store still exists physically but cannot be accessed.
- Damaged media: for example a broken hard disk or a cracked smart card.
- Replaced media: the operating system was reinstalled (overwriting the local credentials), or an old computer was replaced by a new one and the credentials were not transferred before the disk was formatted.
The solution is to back up the private key so that it can be recovered. Key backup and recovery is so necessary that it forms part of the definition of a PKI.

2.6 Automatic key update
A certificate has a finite lifetime. When it expires it is replaced by a new one. This procedure is called key update

or certificate update. The problem is that PKI users find manual key update inconvenient: they usually do not remember when the certificate expires, and updating a key after it has expired involves more procedures than doing so beforehand. The solution is to build the PKI so that keys and certificates are updated entirely automatically, without any user intervention. Each time a user's certificate is used for any purpose, its validity period is checked. When expiry is near, a renewal takes place: a new certificate is created to replace the old one and the transaction the user requested continues. Because automatic key update is vital for a PKI operating in many environments, it forms part of the definition of a PKI.

2.7 Key history
Over the lifetime of a PKI a user may have several old certificates and at least one current certificate. This set of certificates together with the corresponding private keys is called the key history (or key and certificate history). As with key update, management of the key history must be performed and maintained automatically by the PKI. The PKI must keep every key in the history and back it up at a suitable location.

2.8 Cross-certificates
In practice there is no single global PKI; many PKIs are deployed and operated for different environments and user communities. When these PKIs cooperate and link up, the question arises how to secure communication between the user communities of the different PKIs. The notion of a cross-certificate arose in the PKI environment to meet this need, by creating a trust relationship between PKIs that had no

relationship with each other before. A cross-certificate is the mechanism that lets a user of one PKI community validate the certificate of a user in another PKI community.

2.9 Non-repudiation support
In a PKI every action of a user is bound to the user's identity. When a user signs a document, the user asserts that the document originates from them. The PKI must ensure that users cannot deny responsibility for what they have done. This mechanism is called non-repudiation support. To provide it, the PKI must supply the required technical evidence, such as proof of data origin and a trustworthy record of the time at which the data was signed.

2.10 Time stamps
An important element in supporting non-repudiation services is secure time stamping in the PKI: the time source must be trusted and time values must be transmitted securely. A time source that all users of the PKI can trust is therefore required.

2.11 Client-side software
In the PKI model the servers perform the following tasks:
- the CA provides certificate services;
- the certificate repository stores certificate and revocation information;
- the backup and recovery server manages key histories appropriately;
- the time-stamp server binds trustworthy time information to documents.

A server can do nothing for a client unless the client requests the service. The client's tasks are therefore:
- the client requests certificate services;
- the client requests certificates and processes the related revocation information;
- the client must know its key history and when to request a key update or key revocation;
- the client must know when to request a time stamp on a document.
Client-side software is thus an essential component of a fully featured PKI.

2.12 Policies
A policy has a unique identifier (an Object Identifier, OID) that is registered so that certificate issuers and users can recognise it and refer to it. A certificate may be issued under several policies. Some policies are procedural and describe the level of assurance attached to the creation and management of certificates. Others are technical and describe the level of assurance attached to the security of the systems used to create certificates or to store keys. A certificate policy can also be read as a statement of the requirements and limitations that apply to certificates issued under it. Certificate Policies (CP) are carried in a standard extension of the X.509 certificate. By examining this extension, a system using the certificate can decide whether a given certificate is suitable for the intended purpose.


Figure 5: Certificate policies
In the certificate above, the certificate was issued under the policies 1.2.3.3.5, 1.2.3.3.6 and 1.2.3.3.7, and it may be used for remote computer access, e-mail protection and smart card use.
Another term, the Certification Practice Statement (CPS), describes in detail the internal operating procedures of the CA and of the PKI that issue certificates under a given certificate policy. Certificate policies matter in particular when deciding whether to cross-certify two different PKIs.

3. Components of a PKI system


A PKI is an organisational framework of people, processes, policies, protocols, hardware and software used to generate, manage, store, deploy and revoke public key certificates. A PKI basically consists of the following components:
- Certification Authorities (CA)
- Registration Authorities (RA)

- End Entities (EE)
- Certificate Repositories (CR)
- Certificate Policy (CP)
- Certification Practice Statement (CPS)
- Hardware Security Module (HSM)
The PKI components and the relationships between them are shown in the figure below, which is the PKI architecture model defined by PKIX:

Figure 6: Components of a PKI

3.1 Certification Authority
The Certification Authority (CA) is the single most important entity in a PKI and is trusted by its users. It is responsible for issuing, managing and revoking certificates. It consists of people and

highly secured computer systems (using firewalls in the network and so on) to resist threats from inside as well as outside. The CA is also called a trusted third party: end users trust the CA's digital signature on a certificate when they carry out the necessary public-key operations. The CA performs its certification function by issuing certificates to other CAs and to end entities (certificate holders) in the system. If a CA sits at the top of a hierarchical PKI and issues certificates only to lower-level CAs, its certificate is called the root certificate.

3.2 Registration Authority
Although the CA can perform the necessary registration functions, it is sometimes useful to have a separate entity do so. This entity is called a registration authority. It is optional but commonly present in a PKI. The RA is designed to take over part of the workload the CA would otherwise carry. For example, when the number of end entities in a PKI domain grows and they are spread over a wide geographic area, registration at a central CA becomes hard to manage; one or more RAs (local registration authorities) solve this. Importantly, the RA is delegated and authorised to carry out the tasks the CA permits, on the CA's behalf. An RA should serve only one CA, while a CA may be supported by several RAs. By sharing tasks with RAs, a CA can respond to end-entity requests faster. The main purpose of the RA is to verify the identity of end entities and decide whether an entity should be issued a public key certificate. The RA must follow the policies and procedures defined in the CP and CPS. The functions of an RA vary with the needs of the PKI deployment but typically include:
- authenticating the individual or subject registering for a certificate;
- checking the validity of the information supplied by the subject;

- confirming the subject's entitlement to the requested certificate attributes;
- checking that the subject actually holds the private key being registered, usually referred to as proof of possession (POP);
- generating the public/private key pair;
- distributing shared secrets to the end entity (for example the CA's public key);
- initiating the registration process with the CA on behalf of the end entity;
- storing private keys;
- initiating key recovery;
- distributing physical tokens (smart cards).

3.3 End Entity
An end entity in a PKI may be a person, a device or even a software program, but it is usually a user of the system. End entities normally must be able to generate a public/private key pair and have some means of storing and using the private key securely. End entities perform the cryptographic operations (encryption, decryption and digital signing) on data.

3.4 Certificate Repository
The certificate repository (CR) is the electronic store holding status information about the certificates issued by the CA; it may also hold the list of revoked certificates (CRL). The repository also holds electronic forms and tools for downloading and publishing the CP and CPS, updating information, answering queries and so on. The certificate repository must be a trusted and secure system. Certificates (public keys) and revocation

information must be distributed so that everyone who needs a certificate can reach and retrieve it. There are two distribution methods:
- Individual distribution: the most basic method, in which each individual hands their certificate directly to other users. This can be done in several ways: handing over a certificate stored on a floppy disk or another medium, or attaching the certificate to an e-mail. It works well in a small group of users but becomes a management problem as the number of users grows.
- Public distribution: a more common method is to publish certificates (and revocation information) widely, so that they can be used publicly and are placed where they are easy to reach. These locations are called databases. Examples of such repositories are:
  - X.500 Directory System Agents (DSAs)
  - Lightweight Directory Access Protocol (LDAP) servers
  - Online Certificate Status Protocol (OCSP) responders
  - Domain Name System (DNS) and web servers
  - File Transfer Protocol (FTP) servers and corporate databases

3.5 Certificate Policy
A certificate policy (CP) provides the overall guidelines from which an organisation can tell who may do what, and how, with its systems and data. A CP must also specify how control and management are exercised. Further, a CP defines a named set of rules that indicates the applicability of a public key certificate to a particular community or class of applications with common security requirements. For example, a particular CP might indicate the applicability of a type of public key certificate for authenticating electronic data interchange transactions in the trading of goods or monetary value,

3.6 Certification Practice Statement
The certification practice statement (CPS) is very similar to the certificate policy, except that it focuses on the security of the CA throughout its operations and the management of the certificates it issues. The CPS details every internal process behind the digital signature on a public key certificate: generation, issuance, management, storage, deployment and revocation. The CPS can be seen as an agreement between the certificate user and the company responsible for operating the CA. Unlike a certificate policy, the CPS is always publicly available, so that any certificate holder can consult it. Each certificate the CA issues carries a link to where the CPS is published.

3.7 Hardware Security Module
The hardware security module (HSM) is another key component of a CA. A CA must be trusted not only by its customers but also by everyone who relies on the certificates it issues. Because that trust rests on the confidentiality and integrity of the private key used to sign subscribers' public key certificates, the private key must be protected as well as possible, in dedicated hardware known as an HSM. Deploying and using a standards-compliant HSM is decisive for any CA and for the PKI it supports.
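As an added example (not code from the thesis or from OpenCA), the script below shows the registration checks of section 3.2 that an RA performs on an incoming PKCS#10 request before forwarding it to the CA: proof of possession (the request's self-signature must verify under the public key it carries), agreement of the subject with the identity verified out of band, a minimum key size, and refusal of an end-entity request that asks for CA rights. It uses the Python `cryptography` package; the subject names, the 2048-bit minimum and the helper names are constructed for the illustration.

```python
"""Added example: RA-side checks on a PKCS#10 request (section 3.2).
Not OpenCA code; names and the key-size policy are constructed."""
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

MIN_RSA_BITS = 2048  # assumed registration policy


def make_csr(key, common_name, request_ca=False):
    """A PKCS#10 request is signed by the private key whose public half it carries;
    that self-signature is the proof of possession (POP) the RA checks."""
    builder = x509.CertificateSigningRequestBuilder().subject_name(
        x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
    if request_ca:  # an end entity trying to obtain a CA certificate
        builder = builder.add_extension(
            x509.BasicConstraints(ca=True, path_length=None), critical=True)
    return builder.sign(key, hashes.SHA256())


def tamper_signature(csr):
    """Flip the last byte of the DER encoding (part of the signature) to simulate a
    request whose signature does not match the embedded public key."""
    der = csr.public_bytes(serialization.Encoding.DER)
    return x509.load_der_x509_csr(der[:-1] + bytes([der[-1] ^ 0x01]))


def ra_check(csr, expected_cn):
    """Return the reasons for rejecting the request; an empty list means forward it."""
    problems = []
    # proof of possession: the signature must verify under the key in the request
    if not csr.is_signature_valid:
        problems.append("pop-failed")
    # identity: the subject must match what the RA verified out of band
    cn = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    if not cn or cn[0].value != expected_cn:
        problems.append("subject-mismatch")
    # key quality: weak keys are rejected at registration, not after issuance
    pub = csr.public_key()
    if not isinstance(pub, rsa.RSAPublicKey) or pub.key_size < MIN_RSA_BITS:
        problems.append("weak-key")
    # privilege: an end-entity request must not ask for the CA flag
    try:
        if csr.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            problems.append("requests-ca-flag")
    except x509.ExtensionNotFound:
        pass
    return problems


def demo():
    good_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    weak_key = rsa.generate_private_key(public_exponent=65537, key_size=1024)
    alice = "alice@example.test"  # constructed identity verified out of band
    return {
        "good": ra_check(make_csr(good_key, alice), alice),
        "wrong-name": ra_check(make_csr(good_key, "bob@example.test"), alice),
        "weak": ra_check(make_csr(weak_key, alice), alice),
        "wants-ca": ra_check(make_csr(good_key, alice, request_ca=True), alice),
        "tampered": ra_check(tamper_signature(make_csr(good_key, alice)), alice),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, problems or "forward to CA")
```

Only the first request passes; the others are rejected for exactly one reason each. The POP check matters because a registrant who presents someone else's public key without holding the private key could otherwise obtain a certificate naming them as the owner of that key.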

4. Functions of a PKI system


Different PKI systems offer different functions, but in general there are two main functions: certification and validation.

4.1 Certification
Certification is the most important function of a PKI. It is the process of binding a public key to the identity of an entity. The CA is the PKI entity that performs certification. There are two certification methods:
- the certification authority (CA) generates the public/private key pair and creates a certificate for the public half of the pair;

- the user generates the key pair and presents the public key to the CA, which creates a certificate for it.
The certificate guarantees the integrity of the public key and of the information bound to it.

4.2 Validation
The process of determining whether a given certificate may be used for its intended purpose is called certificate validation. It consists of the following steps:
- checking that a trusted CA really signed the certificate (processing the certification path);
- verifying the CA's digital signature on the certificate, to check its integrity;
- determining whether the certificate is still within its validity period;
- determining whether the certificate has been revoked;
- determining whether the certificate is being used for the right purpose, under the right policies and restrictions (by checking specific extensions such as certificate policies or key usage).

4.3 Other functions
Besides certification and validation, a PKI performs a number of supporting functions. The following are functions and services provided by most PKI systems; further functions may be defined according to the particular requirements of a PKI.
- Registration: the process of approaching or contacting a trusted organisation or centre to register information and apply for a certificate. The RA and the CA are the entities involved. The registration process depends on the organisation's policy. If the certificate is intended for confidential operations, in-person registration is used. If the certificate is only

to be used for ordinary purposes, registration may be done through prepared or electronic applications.
- Initialisation: once the subject's system has received the information needed to contact the CA, initialisation begins. This information may be the CA's public key, the CA's certificate or the subject's public/private key pair. Some systems use a password-based mechanism at this stage: the end user contacts the CA after receiving a password and then sets up a secure channel over which the needed information is transferred. Initialisation is usually followed by certification.
- Key pair recovery: most PKIs create two key pairs for an end user, one for signing and one for encryption. The reason is key backup and recovery. Depending on the organisation's policy, the encryption key pair (for encryption and decryption) and the related key information must be backed up so that data can be recovered when a user loses the private key or leaves the organisation. The signing key serves personal purposes only and is not backed up. The CA's own private key is kept in backup for a long time, to resolve disputes that may arise later. The PKI has tools to perform key backup and recovery.
- Key generation: public/private key pairs can be generated in several places. They may be generated by client software and sent to the CA for certification. The CA may also generate the pair before certification; in that case the CA generates the pair and delivers the private key to the user in a secure manner. If a third party generates the keys, they must be vouched for by a trusted CA in the domain before use.
- Expiry and key update: one attribute of a certificate is its validity period. The validity period of each key pair is set by the usage policy. Users' key pairs should be updated when the expiry date is announced; the system announces it some time in advance. The issuer publishes the new certificate automatically after the expiry date.

- Key compromise: an abnormal case, but if it occurs a new key is published and all users in the system are made aware of it. Compromise of the CA's key is a special case: the CA then reissues all certificates under its new CA certificate.
- Revocation: a published certificate is used during its validity period. But if the key is compromised or the information in the certificate changes, a new certificate is published and the old one is revoked.
- Publishing and distributing revocation notices: a certificate issued to an end user is sent to the holder and to a publicly accessible repository. When a certificate is revoked for any reason, all users in the system are notified. The methods for publishing and distributing revocation notices were covered in the section on certificates above.
- Cross-certification: one of the most important features of a PKI, used to connect two different PKI domains. Cross-certification establishes a trust relationship between two CAs under specific conditions, set according to the users' requirements. Users in different domains can only communicate securely with each other after cross-certification between the CAs has succeeded. Cross-certification is established by creating CA certificates that certify each other. If CA-1 and CA-2 want to cross-certify, the following steps are needed:
  - CA-1 issues a CA certificate for CA-2;
  - CA-2 issues a CA certificate for CA-1;
  - CA-1 and CA-2 use the extensions defined in the certificate to place the necessary restrictions in the CA certificates.
  Cross-certification requires careful examination of the PKI policies. Only if both have the same or similar policies

does cross-certification make sense. Otherwise unwanted situations arise, in which the PKI policy of one domain becomes part of the other. The Policy Mappings, Name Constraints and Policy Constraints extensions of the standard X.509 certificate are used in cross-certification to set limits on the trust relationship.
- Subordinate authority: lets the root CA restrict the capabilities of subordinate CAs. This feature determines the kind of CA issued and the other services the CA can offer its customers. Once an organisational hierarchy is in place, identify the key business partners and begin building the security structure. Draw up internal security policies that define the assets to be protected and the methods and tools staff will use to protect them. Draft procedures that help users with certificate and key issuance, renewal and recovery, then assign responsibility for developing and maintaining the overall PKI to the relevant departments. A complete and well-matched PKI solution will ensure the highest level of security for the organisation's digital assets.
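As an added example (not code from the thesis or from OpenCA), the following Python script uses the `cryptography` package to build a small hierarchy that exercises the extensions of section 2.1 (Basic Constraints with a path length, Key Usage, Subject and Authority Key Identifier, Extended Key Usage, Subject Alternative Name, CRL Distribution Point), publishes a CRL carrying the reason codes of sections 2.3 and 2.4, and runs the five validation steps of section 4.2 in `verify()`. The CA name, the DNS names, the serial numbers and the CRL URL are constructed for the illustration, and a fixed date `NOW` stands in for the clock so that the results are reproducible.

```python
"""Added example: a tiny CA with the `cryptography` package, illustrating the X.509
extensions (2.1), CRL states and reason codes (2.3, 2.4) and the validation steps (4.2).
Not OpenCA code; every name, serial number and URL below is constructed."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

NOW = datetime.datetime(2024, 1, 1, 12, 0, 0)  # fixed "current time" (naive UTC)
DAY = datetime.timedelta(days=1)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _window(obj, start, end):
    """Validity bounds as naive UTC; cryptography >= 42 prefers the *_utc properties."""
    if hasattr(obj, start + "_utc"):
        lo, hi = getattr(obj, start + "_utc"), getattr(obj, end + "_utc")
        return lo.replace(tzinfo=None), hi.replace(tzinfo=None)
    return getattr(obj, start), getattr(obj, end)


def make_root_ca():
    """Self-signed root: cA=TRUE with path length 0 (may only issue end-entity
    certificates) and keyCertSign+cRLSign, both critical; SKI for AKI chaining."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ku = x509.KeyUsage(digital_signature=False, content_commitment=False,
                       key_encipherment=False, data_encipherment=False, key_agreement=False,
                       key_cert_sign=True, crl_sign=True, encipher_only=False, decipher_only=False)
    cert = (x509.CertificateBuilder()
            .subject_name(_name("Example Root CA")).issuer_name(_name("Example Root CA"))
            .public_key(key.public_key()).serial_number(1)
            .not_valid_before(NOW - DAY).not_valid_after(NOW + 730 * DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .add_extension(ku, critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_end_entity(ca_key, ca_cert, dns_name, serial, eku):
    """End-entity certificate: AKI pointing at the CA's SKI, one EKU purpose, a SAN and a CRL DP."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_ski = ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
    crl_dp = x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier("http://pki.example.test/root.crl")],
        relative_name=None, reasons=None, crl_issuer=None)
    cert = (x509.CertificateBuilder()
            .subject_name(_name(dns_name)).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW - DAY).not_valid_after(NOW + 365 * DAY)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ca_ski), critical=False)
            .add_extension(x509.ExtendedKeyUsage([eku]), critical=False)
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(dns_name)]), critical=False)
            .add_extension(x509.CRLDistributionPoints([crl_dp]), critical=False)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def build_crl(ca_key, ca_cert, revocations):
    """revocations maps serial -> ReasonFlags. certificate_hold is the temporary 'Hold'
    state of 2.3; remove_from_crl (8) only appears in delta CRLs to lift a hold."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(NOW - DAY).next_update(NOW + DAY))
    for serial, reason in revocations.items():
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW - DAY)
            .add_extension(x509.CRLReason(reason), critical=False).build())
    return builder.sign(ca_key, hashes.SHA256())


def verify(cert, issuer, crl, required_eku, now=NOW):
    """The five validation steps of 4.2; returns 'valid' or the first failure found."""
    # 1. path: the trusted issuer is a CA allowed to sign certificates and named as issuer
    bc = issuer.extensions.get_extension_for_class(x509.BasicConstraints).value
    ku = issuer.extensions.get_extension_for_class(x509.KeyUsage).value
    if not (bc.ca and ku.key_cert_sign) or cert.issuer != issuer.subject:
        return "issuer-not-trusted"
    # 2. integrity: the CA's signature over the to-be-signed part of the certificate
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return "bad-signature"
    # 3. validity period
    not_before, not_after = _window(cert, "not_valid_before", "not_valid_after")
    if not not_before <= now <= not_after:
        return "expired"
    # 4. revocation: only a fresh CRL signed by the same CA is consulted
    last, nxt = _window(crl, "last_update", "next_update")
    if (crl.issuer != issuer.subject or not crl.is_signature_valid(issuer.public_key())
            or not last <= now <= nxt):
        return "crl-unusable"
    entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    if entry is not None:
        reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
        return "on-hold" if reason == x509.ReasonFlags.certificate_hold else "revoked:" + reason.name
    # 5. purpose: the requested use must be listed in Extended Key Usage
    if required_eku not in cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value:
        return "wrong-purpose"
    return "valid"


def demo():
    ca_key, ca = make_root_ca()
    _, www = issue_end_entity(ca_key, ca, "www.example.test", 2, ExtendedKeyUsageOID.SERVER_AUTH)
    _, vpn = issue_end_entity(ca_key, ca, "vpn.example.test", 3, ExtendedKeyUsageOID.CLIENT_AUTH)
    _, mail = issue_end_entity(ca_key, ca, "mail.example.test", 4, ExtendedKeyUsageOID.EMAIL_PROTECTION)
    crl = build_crl(ca_key, ca, {3: x509.ReasonFlags.key_compromise, 4: x509.ReasonFlags.certificate_hold})
    return {
        "www": verify(www, ca, crl, ExtendedKeyUsageOID.SERVER_AUTH),
        "www-as-client": verify(www, ca, crl, ExtendedKeyUsageOID.CLIENT_AUTH),
        "vpn": verify(vpn, ca, crl, ExtendedKeyUsageOID.CLIENT_AUTH),
        "mail": verify(mail, ca, crl, ExtendedKeyUsageOID.EMAIL_PROTECTION),
        "www-later": verify(www, ca, crl, ExtendedKeyUsageOID.SERVER_AUTH, now=NOW + 400 * DAY),
        "root-critical": sorted(e.oid.dotted_string for e in ca.extensions if e.critical),
    }
```

`demo()` returns `valid` for the server certificate, `wrong-purpose` when the same certificate is offered for client authentication, `revoked:key_compromise` for serial 3, `on-hold` for serial 4 (the temporary state of section 2.3), and `expired` once the clock is moved past the validity period; the root's critical extensions are Key Usage (2.5.29.15) and Basic Constraints (2.5.29.19). Step 4 deliberately refuses a stale CRL whose `next_update` has passed: a relying party that keeps using an old list would never learn of a later revocation.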


Figure 7: Cross-certification path

5. Objectives of a PKI system


A PKI lets participants authenticate each other and use the information in public key certificates to encrypt and decrypt the information they exchange. A PKI typically comprises client software, server software, hardware (smart cards) and the related operating procedures. Users can also sign electronic documents with their private key, and anyone can verify the signature with that user's public key. A PKI allows electronic transactions to take place with confidentiality, integrity and mutual authentication without the parties having to exchange secret information in advance.
Confidentiality means keeping data secret. It is provided by cryptographic mechanisms, using both public-key and secret-key encryption. Because public-key encryption is far less efficient than secret-key encryption for large amounts of data, it is usually used

to encrypt relatively small data objects, such as the secret keys used by symmetric cipher systems.
Integrity means ensuring that data cannot be lost or modified and that transactions cannot be altered. Integrity can be provided within a PKI using both public-key and secret-key cryptography. In particular, public-key cryptography is used together with a hash algorithm to provide integrity; the thesis names SHA-1 and MD5, both of which are now considered broken for collision resistance, so a new system should use SHA-2 or SHA-3. A well-designed PKI uses protocols that require algorithms providing an effective integrity mechanism.
Authentication means that the identity of an entity is verified. Authentication in e-commerce environments is done very well by public-key cryptosystems, based on the mathematical relationship between public and private keys. A message signed by an entity can be verified by any interested entity, which can be confident that only the holder of the private key could have created it, because only that holder has the private key.
Non-repudiation means ensuring that data cannot be disowned and transactions cannot be denied. It is a key security service for any commercial application in which value is exchanged or legal obligations are entered into. Non-repudiation is provided through public-key cryptography by digital signatures: when data is cryptographically signed with the private key of a key pair, anyone with access to the public key can verify that only the holder of that key pair could have signed it.
A PKI serves not only commercial functions; it also provides a foundation for other security services. A PKI is the platform on which applications and other network security components are built. Systems that commonly require PKI-based security mechanisms include

electronic mail, smart card applications, electronic transactions (such as debit and credit cards), electronic banking and electronic postal systems.
The main objective of a PKI is to provide public keys and to establish the binding between a key and a user identity, so that the user can employ it in applications such as:
- encrypting e-mail or authenticating the sender of e-mail (OpenPGP or S/MIME);
- encrypting or authenticating documents;
- authenticating application users (smart card login, user authentication in SSL, ...);
- bootstrapping secure communication protocols (IKE, SSL): the key exchange uses asymmetric keys, while the data is encrypted with symmetric keys.
In addition, using PKI and public-key cryptography in e-commerce helps organisations reduce transaction processing costs, reduce risk and reduce the complexity of their security systems compared with symmetric methods.
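As an added example (not code from the thesis or from OpenCA), the script below puts the four services of this section into working code with the Python `cryptography` package: confidentiality by wrapping a one-time AES-256-GCM key with RSA-OAEP (only the small key goes through public-key encryption, the bulk data through the symmetric cipher), integrity and authentication by an RSA-PSS signature over SHA-256 of the message, and non-repudiation because only the holder of the signing private key can produce that signature. The names Alice, Bob and Mallory and the sample message are constructed.

```python
"""Added example: hybrid encryption plus digital signature (section 5).
Not OpenCA code; the parties and the message are constructed."""
import os

from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def generate_keypair():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def seal(sender_key, recipient_pub, plaintext):
    """Sign-then-encrypt. The signature travels inside the ciphertext so that an
    eavesdropper cannot use it to confirm a guess of the plaintext."""
    signature = sender_key.sign(plaintext, PSS, hashes.SHA256())
    session_key = AESGCM.generate_key(bit_length=256)  # fresh key per message
    nonce = os.urandom(12)  # GCM nonce; never reused because the key is single-use
    body = AESGCM(session_key).encrypt(nonce, signature + plaintext, None)
    return {"wrapped_key": recipient_pub.encrypt(session_key, OAEP), "nonce": nonce, "body": body}


def open_envelope(recipient_key, sender_pub, envelope):
    """Return the plaintext, or raise InvalidTag (ciphertext altered) or
    InvalidSignature (not signed by sender_pub)."""
    session_key = recipient_key.decrypt(envelope["wrapped_key"], OAEP)
    data = AESGCM(session_key).decrypt(envelope["nonce"], envelope["body"], None)
    sig_len = sender_pub.key_size // 8  # an RSA-PSS signature is as long as the modulus
    signature, plaintext = data[:sig_len], data[sig_len:]
    sender_pub.verify(signature, plaintext, PSS, hashes.SHA256())
    return plaintext


def demo():
    alice, bob, mallory = generate_keypair(), generate_keypair(), generate_keypair()
    message = b"Transfer 100 EUR to account 12345"  # constructed sample message
    env = seal(alice, bob.public_key(), message)
    result = {"recovered": open_envelope(bob, alice.public_key(), env),
              "wrapped_key_len": len(env["wrapped_key"]), "body_len": len(env["body"])}
    # integrity: one flipped ciphertext bit makes the GCM tag check fail
    tampered = dict(env, body=bytes([env["body"][0] ^ 0x01]) + env["body"][1:])
    try:
        open_envelope(bob, alice.public_key(), tampered)
        result["tamper_detected"] = False
    except InvalidTag:
        result["tamper_detected"] = True
    # authentication and non-repudiation: Mallory cannot produce Alice's signature
    forged = seal(mallory, bob.public_key(), message)
    try:
        open_envelope(bob, alice.public_key(), forged)
        result["forgery_detected"] = False
    except InvalidSignature:
        result["forgery_detected"] = True
    # confidentiality: without Bob's private key the session key cannot be unwrapped
    try:
        mallory.decrypt(env["wrapped_key"], OAEP)
        result["wrong_key_fails"] = False
    except ValueError:
        result["wrong_key_fails"] = True
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The wrapped key is 256 bytes (the RSA-2048 modulus size) regardless of message length, which is the point made above about public-key encryption being reserved for small objects; the body grows only by the 256-byte signature and the 16-byte GCM tag. In a real deployment the public keys would come from certificates validated as in section 4.2 rather than from in-memory objects.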


Chapter III: BUILDING A PKI SYSTEM WITH OPENCA
1. Introduction to the OpenCA project


A public key infrastructure is one of the essential needs of the future. The problem is that although most applications can be secured with certificates and keys, installing a PKI is hard and expensive, because flexible trust-centre software is rare. That was the starting point of the OpenCA project. Its aim is an open-source trust-centre system that gives the community good, affordable (reasonably priced) and future-oriented solutions. The OpenCA project started in 1998. The original idea was developed by Massimiliano Pala. The project's first source code was a single very long script. When the first version of the software was built, the OpenSSL project was still called SSLeay. Many functions were still missing and much else was left aside. The first version of OpenCA was very simple: it was built mainly to issue certificates and CRLs, the installation method was rudimentary, there was no convenience in any configuration utility, and the script was only compatible with bash. Later versions added many features, and from version 0.109 the project included interfaces for the CA, RA and Pub servers. Since the project began and the first version was released, a large part of the Internet community has contributed to its development. OpenCA has now reached OpenCA PKI v1.1.1 (codename Halloween), and the related LibPKI project has released LibPKI v0.6.4 (codename Broadway).


2. PKI system models


Today PKI is deployed by many organisations as a tool to protect sensitive shared resources. However, with different needs, processes and degrees of complexity in each line of work, a single standardised PKI model would not be flexible enough. For that reason there are several PKI architectures, so that each organisation can deploy the one that best fits its needs. Whichever architecture is deployed, the one thing at the core of every architecture is trust. The CA helps establish that the identities of the entities communicating with each other are correct. The CA certifies not only users but also other CAs, by issuing digital certificates to them. Those certified CAs may in turn certify other CAs, and the chain continues until the public key of an end entity can be certified. This chain is called the chain of trust or the certification path.

Figure 8: PKI architecture

Conversely, when an end entity authenticates itself to an electronic application (such as e-commerce or e-government), the application's cryptographic software verifies the signature on the end entity's certificate using the public key of the CA that created it. If that CA key is not a root key (the key of a root CA trusted by everyone), the certificate containing it is itself verified with the public key of the CA that signed it, and so on until a certificate in the chain of trust can be checked against a trusted root key. The validated chain then vouches for the authenticity of every certificate in it, including the end user's. Below are some common PKI architectures that can be used to build such chains of trust; each has arguments for and against it in practical deployment. They differ in the number of CAs, their arrangement and the relationships between them.
Simple PKI architectures:
- Single CA
- Basic Trust List
Enterprise PKI architectures:
- Hierarchical
- Mesh
Hybrid architectures:
- Extended Trust List
- Cross Certification
- Bridge CA
- Gateway CA


3. Installation and configuration steps
This section describes how to build a PKI with OpenCA in a hierarchical model. The system consists of a RootCA, a SubCA and an RA.

3.1 Installing and configuring the RootCA

3.1.1 Installation
The RootCA is built on CentOS 5.6 with the components it needs: apache, perl, openssl, mysql, openca-tools, openca-base and a number of libraries required for the build. When installing the openca-base package only the install-online and install-ca targets are run. The steps are as follows.

Install the required components (apache, mysql, db4, gcc, gcc-c++, ...):

    # yum install make unzip openssl-devel expat-devel httpd mod_ssl mysql-server mysql-devel db4 db4-devel gcc gcc-c++

Create a dedicated user and group for building and configuring OpenCA:

    # groupadd openca
    # useradd -g openca -u 1201 openca

Create the local database for OpenCA. The original grants the account privileges ON *.*; a grant limited to the OpenCA database is sufficient and keeps this application account from owning every other database on the host. Replace the password 'openca' with a real one:

    # mysql -u root -h localhost -p
    mysql> CREATE DATABASE dbrootca;
    mysql> GRANT ALL PRIVILEGES ON dbrootca.* TO 'openca'@'localhost' IDENTIFIED BY 'openca';
    mysql> EXIT;

Switch to the openca user to configure and build; root is needed only for the make install steps, which write under /opt/OpenCA:

    $ cd openca-tools-1.3.0

    $ ./configure --prefix=/opt/OpenCA/openca-tools --exec-prefix=/opt/OpenCA/openca-tools --with-openca-user=openca --with-openca-group=openca
    $ make
    # make install
    $ cd openca-base-1.1.1
    $ ./configure --prefix=/opt/OpenCA/openca-base --exec-prefix=/opt/OpenCA/openca-base --with-openca-tools-prefix=/opt/OpenCA/openca-tools --with-openca-user=openca --with-openca-group=openca --with-httpd-user=apache --with-httpd-group=apache --with-db-type=mysql --with-db-host=localhost --with-db-name=dbrootca --with-db-user=openca --with-db-passwd=openca
    $ make
    # make install-online && make install-ca

The configure options are written without spaces around '=' (the original printed '--prefix = /opt/...', which the shell would pass as three separate arguments), and --with-openca-group is the full option name. Note that --with-db-passwd puts the database password on the command line, where it is visible in the shell history and the process list; use a throwaway value there and change it afterwards.

After installation, settings can be adjusted in /opt/OpenCA/openca-base/etc/openca/config.xml. For changes to the configuration file to take effect, run /opt/OpenCA/openca-base/etc/openca/configure_etc.sh:

    # /opt/OpenCA/openca-base/etc/openca/configure_etc.sh

Start the openca service:

    # /etc/init.d/openca start

3.1.2 Configuration
Once the openca service is running, open the RootCA configuration and management web interface at https://rootca.actvn.net/pki/ca.

Figure 9: RootCA management and configuration interface
Under PKI Init & Config the RootCA is configured in three steps.

Figure 10: The three CA setup steps


3.1.2.1 Initialising the CA (Phase I: Initialise the Certification Authority)

Figure 11: Database initialisation, key generation, certificate creation
Database setup (DB Setup): this step creates the database from the parameters set during the OpenCA installation. If a database already exists, choose Upgrade Database to upgrade it or Re-init Database to reinitialise it (deleting the old database).
CA private key generation (Key pair Setup): this step generates the CA's private key. To do so, choose the key algorithm, the algorithm used to encrypt the key, and the key length.


Figure 12: Generating the CA private key
After the algorithms and the key length have been chosen, the system generates the CA's private key. The key is stored on the machine at /opt/OpenCA/openca-base/var/openca/crypto/keys/cakey.pem. For a production root CA this key would be generated inside an HSM (section 3.7) rather than written to a file; if it is kept on disk, the file must be readable only by the openca user and the RootCA machine kept offline.

Figure 13: The CA private key

Certificate request for the CA (Request Setup): with the private key in place, create a certificate request for the CA that uses that private key.

Figure 14: Creating the CA certificate request

Figure 15: Contents of the certificate request



Certificate creation (Certificate Setup): choose Self Signed CA Certificate to create the CA's certificate.

Figure 16: Choosing Self Signed CA Certificate
- Serial Number: the certificate's serial number. As this is the first certificate issued by the CA, the default value 00 is kept.
- Certificate Validity: the certificate's validity period, 730 days (2 years) by default. The value can be changed according to the needs of the system.
- Extensions: the extension profile; for a self-signed CA certificate choose Self Signed CA.
After these choices the system creates the certificate shown below. It can also be viewed at /opt/OpenCA/openca-base/var/openca/crypto/certs/00.pem


Figure 17: The CA's certificate

Final step (Final Setup): build the CA's certificate chain.

Figure 18: Rebuilding the CA certificate chain



3.1.2.2 Creating the administrator's certificate

Figure 19: Creating the administrator's certificate

Create a new request: the administrator fills in the basic information on the certificate request form.

Figure 20: Entering the basic information

Figure 21: Certificate request details

Choose the Users role and the CA Operator template, the security level, then the signature algorithm and a PIN. Each certificate has its own PIN.

Figure 22: Entering the PIN



Figure 23: User agreement

Figure 24: Creating the request

Once the administrator's certificate request has been created it is held in the system until it is approved or rejected. To approve it, choose Issue the certificate.

Figure 25: Issuing the certificate

After issuance is approved, the administrator can download the certificate by choosing Handle the certificate.

Figure 26: The administrator's certificate



Figure 27: Downloading the certificate

3.1.2.3 Creating the RA server certificate (Phase III: Create the initial RA certificate)

Figure 28: Creating the RA server certificate


Figure 29: Entering the basic information

Figure 30: Certificate request details

The RA server's certificate belongs to the Applications role and uses the Web Server template. Then choose the signature algorithm and a PIN.

Figure 31: Entering the PIN

Figure 32: Certificate request for the RA server

Once the request has been created, choose Issue the certificate to approve it and issue the RA server's certificate.


Figure 33: Issuing the RA server certificate

This completes the installation and configuration of the RootCA. The RootCA certificate can now be imported into end users' systems, after which they trust the RootCA and every certificate it issues. Because a root in the trust store is accepted for anything it signs, the certificate should be distributed through a channel the users already trust and its fingerprint checked before import.

3.2 Installing and configuring the SubCA

3.2.1 Installation

The SubCA is installed in the same way as the RootCA: install the required components, then create the OpenCA user and database. Note that during installation only the install-offline mode is selected.

3.2.2 Configuration

To create the SubCA's certificate we again initialize the database and generate the SubCA's private key, then create a certificate request. Because this is a subordinate CA, we cannot self-sign the request as the RootCA did. The request must be sent to the RootCA; only after the RootCA approves and issues the certificate can the SubCA use it to sign and issue certificates for users.

The SubCA's certificate request is passed to the RootCA as follows. On the SubCA, create the certificate request, then choose Export CA Certificate Request; this exports the request as a tar archive (saved by default at /tmp/openca_local). Unpacking openca_local yields careq.pem, the SubCA's certificate request in PEM (Privacy Enhanced Mail) format. This file is carried to the RootCA, where the administrator creates a certificate request from the SubCA's careq.pem and the RootCA signs and issues the SubCA certificate. Before signing, the RootCA operator should confirm that the subject and public key in the request are the ones the SubCA operator generated, since the RootCA is delegating issuance to whatever key that file contains. The administrator then downloads the SubCA certificate in PEM format (subcacert.pem) and returns it to the SubCA. On the SubCA, having received the certificate issued by the RootCA, we package the certificate into an archive again named openca_local, then choose Import CA certificate (approved by Root CA) to import the SubCA certificate into the system. Finally, run Rebuild CA Chain.

3.3 Installing and configuring the RA

3.3.1 Installation

The RA is installed in the same way as the RootCA and SubCA; the difference is that the openca-base package is installed in install-online mode.

3.3.2 Configuration

After the RA is installed, open https://subca.actvn.net/pki/ca to create the administrator's certificate and the RA server's certificate, following the same steps as on the RootCA. Dataexchange must also be configured so that the SubCA and RA can pass requests, certificates, CRLs and so on to each other.

Once the RA is installed and configured, users register for certificates directly on the RA, and the requests are passed to the SubCA for signing. Certificates signed by the SubCA are returned to the RA for users to download, and are also published in the repositories.
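The RootCA steps of 3.1.2.1, the SubCA request signed by the RootCA in 3.2.2, and the issuance of one user certificate by the SubCA that the RA flow above feeds, reproduced with the openssl command line as an added example. This is not OpenCA's code and not part of the thesis; OpenCA performs the same operations through the pages shown in the figures. Host names, distinguished names, validity periods, the extension profiles and the working directory are assumptions made for illustration:

```shell
#!/bin/sh
# Added example, not part of the thesis or of OpenCA: the openssl commands
# that correspond to what OpenCA's web interface drives in 3.1.2 (RootCA
# Phase I) and 3.2.2 (SubCA request signed by the RootCA, chain rebuilt),
# plus one end-entity certificate so the chain can be checked.
# Names, DNs, validity periods and profiles are assumptions for illustration.
set -eu
WORK=${WORK:-$(mktemp -d)}
cd "$WORK"

# Extension profiles (assumed). OpenCA applies equivalents from its own
# configuration; they are written out here so the example is self-contained.
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_sub ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_user ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

build_pki() {
    # Phase I, Key pair Setup + Certificate Setup: self-signed root with
    # serial 00 and 730 days, the OpenCA defaults quoted in the text.
    # OpenCA stores this key passphrase-encrypted (cakey.pem); adding
    # -aes256 to genpkey would do the same here.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out rootkey.pem 2>/dev/null
    openssl req -new -x509 -key rootkey.pem -out rootcert.pem -days 730 \
        -set_serial 0 -subj "/C=VN/O=ACTVN/CN=rootca.actvn.net" \
        -config pki.cnf -extensions v3_root

    # SubCA side: key and request (careq.pem), which cannot be self-signed.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out subkey.pem 2>/dev/null
    openssl req -new -key subkey.pem -out careq.pem \
        -subj "/C=VN/O=ACTVN/CN=subca.actvn.net" -config pki.cnf

    # RootCA side: sign careq.pem and hand back subcacert.pem.
    openssl x509 -req -in careq.pem -CA rootcert.pem -CAkey rootkey.pem \
        -set_serial 1 -days 365 -extfile pki.cnf -extensions v3_sub \
        -out subcacert.pem 2>/dev/null

    # SubCA side: "Rebuild CA Chain".
    cat subcacert.pem rootcert.pem > chain.pem

    # A user certificate issued by the SubCA (the flow the RA feeds).
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out userkey.pem 2>/dev/null
    openssl req -new -key userkey.pem -out user.csr \
        -subj "/C=VN/O=ACTVN/CN=Test User/emailAddress=user@actvn.net" \
        -config pki.cnf
    openssl x509 -req -in user.csr -CA subcacert.pem -CAkey subkey.pem \
        -set_serial 1 -days 365 -extfile pki.cnf -extensions v3_user \
        -out usercert.pem 2>/dev/null
}

root_serial() { openssl x509 -in rootcert.pem -noout -serial; }

# Correct validation: trust only the root; the SubCA certificate is supplied
# as untrusted and must chain up to the root.
verify_user() {
    openssl verify -CAfile rootcert.pem -untrusted subcacert.pem usercert.pem
}

# What a relying party sees when the SubCA certificate was never published.
verify_user_without_chain() {
    openssl verify -CAfile rootcert.pem usercert.pem
}

build_pki
root_serial                 # serial=00
verify_user                 # usercert.pem: OK
if verify_user_without_chain 2>/dev/null; then
    echo "unexpected: verified without the SubCA certificate"
else
    echo "as expected: fails without subcacert.pem in the chain"
fi
```

The last two functions show why Rebuild CA Chain and the Dataexchange of certificates matter: a relying party that trusts only the RootCA cannot validate a user certificate unless the SubCA certificate travels with it (in the S/MIME message, the TLS handshake, or the repository).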


Chapter IV. APPLICATIONS OF DIGITAL SIGNATURES

1. Applications of digital signatures


Some everyday applications of digital signatures are securing web servers (when transacting on reputable e-commerce sites, all sensitive information is encrypted and the address typically uses https), signing and encrypting email, and remote login over VPN or wireless, where the digital signature replaces less secure authentication such as username and password. Some transactions in banking and securities currently use OTP (One Time Password). This is a stopgap adopted while digital certificate services were not yet available, even though the Law on Electronic Transactions of 2005 already recognised the legal validity of digital certificates. It is therefore likely that Internet banking transactions will also adopt digital signatures. For banks already using OTP, the CAs recommend a migration roadmap, initially running both in parallel (for example OTP for low-value transactions and digital signatures for high-value ones). Fundamentally, a digital signature is a kind of electronic signature based on an asymmetric cryptosystem, bound to a certificate that carries identifying information about the signature's owner. The signing key and certificate can be held in several forms: as a file on a computer; on a dedicated storage device (USB token); on a smart card; or even on a phone SIM (SIM-based CA). Customers choose the form that suits them, but SIM-based CA is valued for mobility and convenience because it is tied to the mobile phone. SIM-based CA has been used worldwide since 2001-2002; the countries with many SIM-based CAs are Taiwan and South Korea. According to some domestic CAs, Vietnam has a large number of mobile phone users, so the market for SIM-based CA is promising. However,

offering a SIM-based CA service requires cooperation between the digital signature service provider and the telecom operator. For enterprises, digital signatures can be applied to most company activities: smart card logon, Windows security logon, exchanging sensitive documents, exchanging email, remote access over VPN, and so on. Deploying a PKI for a small enterprise is straightforward, and the benefits far outweigh the initial investment; issuing and using certificates is simple too. The following is an example of using digital certificates to exchange email in an enterprise. The process comprises: the user requests a certificate, the administrator issues it, and the user signs the emails sent to others, which carry the certificate. The example still uses the layered model of RootCA, SubCA and RA, but in practice, for simplicity and to suit small enterprises, a single CA can take on the roles of both RootCA and RA. First, the user must install the RootCA certificate on their computer.


Figure 34: Install Certificate

The user visits the RA's public page to create a certificate request.

Figure 35: User requesting a certificate

Figure 36: Choosing Browser Certificate Request

Fill in the basic information: first name, last name, email address and so on. These are the identifiers bound to the certificate holder.

Figure 37: Entering the basic information

Choose the certificate type User (an ordinary user).


Figure 38: Choosing the certificate type, security level and so on

Choose the signature algorithm, the key length and a PIN.

Figure 39: Choosing the signature algorithm and PIN

After accepting the user agreement set by the CA, the next step generates the user's private key in the browser.


Figure 40: Generating the user's private key

Once the user has created the certificate request, the administrator must visit https://ra.actvn.net/pki/ra to sign the user's request. The private key was generated in the user's browser and never reaches the RA or the CA; what the RA's signature attests is that the RA has checked the identity entered in the request.

Figure 41: The user's certificate request


Figure 42: The RA signing the user's request

Figure 43: The signed request

Once the RA has signed the request, the administrator forwards it to the CA, which issues the certificate.

Figure 44: The CA receiving the user's request from the RA

Figure 45: The CA approving issuance of the user's certificate

After the user's certificate has been issued, the administrator must transfer it back to the RA server to publish it to the user.

Figure 46: The user's certificate issued



The user then visits https://ra.actvn.net/pki/pub and sees the list of certificates the CA has issued (revoked certificates no longer appear in this list). Relying parties do not consult this page, however; they learn of revocation from the CRL the CA publishes through the Dataexchange configured earlier, so the CRL must be kept current as well.

Figure 47: List of issued certificates

Figure 48: The user's certificate details

The user selects their own certificate and downloads it. Each certificate has a different PIN, known only to the person who created the request. The certificate itself, however, is public and harmless in anyone's hands; what cannot be misused is the private key, which was generated in the user's browser and never left it, so someone who obtains another user's certificate still cannot sign or decrypt as that user.

Figure 49: The user downloading the certificate

This certificate is issued under the CA's policies: Policy 1.2.3.3.4, Policy 1.2.3.3.5, Policy 1.2.3.3.6 and Policy 1.2.3.3.7. With it the user can authenticate to websites that require TLS client authentication, protect email, or log on to Windows with a smart card. In this example we use Outlook Express to send mail carrying the user's digital signature. First install the user's certificate on the machine, then select it as the certificate for signing and encrypting email, as shown below.


Figure 50: Using the certificate to protect email

Send an email with a digital signature and with its content encrypted. The message shows two icons, one for the signature and one for encryption, as below.

Figure 51: Sending an email with a digital signature


The user is prompted to unlock the private key, which confirms that the certificate in use belongs to this user and not to someone else: signing needs the private key, and the certificate alone, being public, would not be enough.

Figure 52: The user's private key

The recipient receives an email whose content is encrypted.


Figure 53: The email encrypted on arrival

To read the message the recipient decrypts it with their own private key, which is why the sender had to hold the recipient's certificate (public key) before sending. To check the signature the recipient needs the sender's certificate, which travels with the signed message or can be fetched from the CA's repository.

Figure 54: The decrypted email content

The example shows that digital signatures are simple to use and effectively secure the information being sent.
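What Outlook Express does in Figures 50 to 54, as an added example with openssl cms (not from the thesis or from OpenCA): signing with the sender's private key, encrypting to the recipient's certificate, decrypting with the recipient's private key and verifying against the sender's certificate, plus the two failure cases a practitioner should confirm. The self-signed sender and recipient certificates, the names and the message text are assumptions made so the script runs on its own; in the deployment above these certificates would be issued by the SubCA.

```shell
#!/bin/sh
# Added example, not part of the thesis or of OpenCA: the S/MIME steps that
# Outlook Express performs in Figures 50-54, done with openssl cms so each
# key that is needed is visible. Sender and recipient certificates are
# self-signed here (assumption for a stand-alone script).
set -eu
WORK=${WORK:-$(mktemp -d)}
cd "$WORK"

# Assumed S/MIME profile: signing and key transport, email use only.
cat > smime.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_smime ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectKeyIdentifier = hash
EOF

make_user() {   # $1 = name, $2 = email: self-signed S/MIME certificate + key
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.pem" \
        -days 365 -subj "/CN=$1/emailAddress=$2" \
        -config smime.cnf -extensions v3_smime 2>/dev/null
}

make_user alice alice@actvn.net
make_user bob bob@actvn.net
# Constructed sample message.
printf 'Hello Bob, the contract is attached.\n' > msg.txt

# Sender: sign with Alice's private key (the step that asks the user to
# unlock the key in Figure 52), then encrypt to Bob's certificate. The
# sender needs Bob's certificate, not his key.
openssl cms -sign -in msg.txt -text -signer alice.pem -inkey alice.key \
    -out signed.eml
openssl cms -encrypt -in signed.eml -aes256 -out encrypted.eml bob.pem

# Recipient: decrypt with Bob's private key, then verify the signature with
# Alice's certificate as the trusted signer. Prints the recovered text.
decrypt_and_verify() {
    openssl cms -decrypt -in encrypted.eml -recip bob.pem -inkey bob.key \
        -out decrypted.eml
    openssl cms -verify -in decrypted.eml -text -CAfile alice.pem \
        -out body.txt 2>/dev/null
    cat body.txt
}

# Any change to the signed text breaks the digest: verification must fail.
verify_tampered() {
    sed 's/contract/invoice/' signed.eml > tampered.eml
    openssl cms -verify -in tampered.eml -text -CAfile alice.pem \
        -out /dev/null 2>/dev/null
}

# Only the recipient's private key can open the message: Alice's cannot.
decrypt_wrong_key() {
    openssl cms -decrypt -in encrypted.eml -recip alice.pem -inkey alice.key \
        -out /dev/null 2>/dev/null
}

decrypt_and_verify
if verify_tampered; then echo "unexpected"; else echo "tampered message rejected"; fi
if decrypt_wrong_key; then echo "unexpected"; else echo "wrong key cannot decrypt"; fi
```

The script makes the division of keys explicit: Alice's private key is used once, to sign; Bob's certificate is all Alice needs to encrypt; Bob's private key is used once, to decrypt; and Alice's certificate is what Bob verifies against. In the deployment described above, Bob would validate Alice's certificate up to the RootCA through the SubCA certificate rather than trusting it directly as this stand-alone example does.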

2. The state of digital signature use in Vietnam


Besides being an electronic instrument whose legal validity is recognised by law, a digital signature is a strong encryption and authentication technology. It can provide a high level of security for online transactions, especially those involving financial information. Currently in Vietnam digital signature technology can be used for online shopping, online securities trading, bank transfers and online payment. In addition, the Ministry of Finance applies digital signatures to online tax declaration and payment over the Internet and to electronic customs procedures such as online customs declaration and clearance, without

having to print the declarations, stamp them with the company seal and bring them to the tax office. In future, digital signatures in Vietnam could serve e-government applications: to complete an administrative procedure or obtain a confirmation from a state agency, a citizen would simply fill in the form at home, sign it digitally and send it.

Public certification services may be used only for electronic transactions involving individual users and organisations or enterprises, and for transactions between citizens or enterprises and state agencies. Transactions internal to state agencies, or between state agencies, are a special case that must use a dedicated system rather than the public one.

To use a digital signature, one must register for a certificate with a certification service provider and generate a private key, stored in a PKI token. Applications must support the signing function; using it is then quite simple: the signer plugs the token into a USB port, enters the PIN code protecting the token and chooses the sign command in the application. A digital signature differs from a handwritten one in that each signing uses the private key to compute a signature over the document, so the signature differs for every document signed. With the software tools provided, counterparties can check the certificate to validate the signature: the signature is verified with the signer's public key taken from their certificate, and that certificate is in turn validated up to the certificate of the root certification authority (Root Certification Authority, Root CA) that the verifier already trusts.

There are currently five public certification service providers in Vietnam: VNPT/VDC, Viettel, Bkis, Nacencomm and FPT. They offer a full range of digital signatures for online tax declaration, banking and securities transactions, electronic customs, signing and encrypting email and documents, and so on, for individuals, organisations, enterprises and websites.


The registration procedure is similar to that for telecoms services, but because a digital signature has the legal standing of a handwritten one, additional documents proving the identity of the enterprise or individual may be required (for example notarised copies of company documents). After registration, in addition to the certificate, the public certification service provider supplies software for creating digital signatures from the private key, protected by a password. For safety and to prevent copying of the private key, some providers store it in a dedicated hardware device, a USB token or smart card, with which the user can sign documents prepared in Word, Excel, PDF, email and so on. A USB token costs about 500,000 dong, and the annual service fee for online tax declaration, electronic customs and signing email and electronic documents is about 1,000,000 dong, or 4,000,000 dong per year with the additional features for electronic banking and securities.


CONCLUSION

Researching and building a PKI on the open-source OpenCA platform is still a new subject and one that is still being refined; the OpenCA project itself is being reworked around the new libpki library. Public-key cryptography and electronic certification services are today the solution adopted by many countries to secure electronic transactions. In Vietnam, the deployment of public key infrastructure (PKI) and certification authorities (CA) is judged to be on the right track and well organised, but progress remains slow. In practice, electronic certification has been deployed only at some state bodies and government agencies; enterprises use it too, but few do, and mostly by buying it from service providers. Deploying certification services requires long-term, serious investment before it yields the expected results, and the hardest part is organising the work and changing people's awareness. The legal standing of digital signatures and certification services is also an open issue. Vietnam has issued several laws in this area: the Law on Information Technology of 29/6/2006, the Law on Electronic Transactions of 29/11/2005, the regulation on digital signatures of 15/2/2007, and others. Organisations and individuals that provide and use certification services need to be regulated and given defined rights and obligations. Moreover, an infrastructure built on weak technology will not earn trust in the provider, and users' reservations are themselves an obstacle to a widely deployed security infrastructure.


With OpenCA, an open-source project, the cost of building a public key and certification infrastructure for an enterprise is very low and deployment is easy. However, if many enterprises each deploy their own, management becomes difficult and inconsistent between them, so a higher-level organisation is needed to oversee these enterprises and build a certification system between them that guarantees mutual trust.

Over the course of the thesis "Researching and building a PKI system and applying digital signatures in the enterprise", with the guidance of MSc Nguyễn Thanh Sơn, I have gained much useful knowledge and a clearer understanding of public key infrastructure, built a sample PKI with the necessary components and functions, and tested digital signatures for sending and receiving secure email. Owing to limited time and resources the research is only basic and will inevitably contain some shortcomings, so I welcome comments from the teachers and my fellow students. Once again I sincerely thank the teachers who taught me during my studies at the Academy of Cryptography Techniques, and the staff of the Government Specialized Certification Authority under the Government Cipher Committee, who helped and guided me during my graduation internship.


