RESEARCH ON OTP APPLICATIONS ON MOBILE DEVICES
Major: Data Transmission and Computer Networks. Code: 60.48.15
SUMMARY OF MASTER OF ENGINEERING THESIS
Scientific supervisor: Dr. Phạm Hoàng Duy
Hanoi - 2011
INTRODUCTION

The rapid growth of online services has led to a rapid increase in the number of different credentials that each user has to manage. As a result, users feel overloaded by these credentials, which makes it hard for them to manage them securely. Today the password is the most widely used type of credential, but weak passwords and bad habits are precisely the security threats in online transactions. One solution proposed to help users create and manage passwords is to give the user a hardware device that generates an OTP (One-Time Password), a password that is used once for a single transaction session. However, most of these solutions are not scalable, not convenient for the user, or not secure. The proposed solution is to use trustworthy algorithms on the mobile phone to generate the OTP. For that reason I chose the research topic "Research on OTP applications on mobile devices".

The research covers:
- The theory of OTP: the concept, generation models, hash functions (focusing on SHA), and the standard recommendations.
- The application of OTP to online transactions in the mobile environment.
- Building a simulation program.

The thesis is structured as follows:
Chapter 1: Theoretical background. This chapter presents the basic concepts of OTP, the OTP generation models, hash functions, and the standard recommendations for generating and verifying OTP codes.
Chapter 2: Applying OTP to online transactions in the mobile environment. This chapter studies the model for deploying OTP in the mobile environment as well as the use of OTP in online transactions.
Chapter 3: Building OTP application software in the mobile environment. This chapter briefly presents the experimental program built in the thesis, focusing on the generation and verification process that uses OTP codes.
Chapter 4: Remarks, evaluation and proposals. This chapter reviews the system that was built and offers some remarks.
Conclusion: This part summarises the results achieved by the thesis and proposes research directions for the near future.

CHAPTER 1: THEORETICAL BACKGROUND

1.1 The OTP concept
An OTP is a password that is valid only for a single login session. An OTP can be used once to authenticate a user, or by the user to authenticate a transaction. OTPs are commonly used in electronic transactions and in systems with strict authentication.

1.2 The hash function concept

1.2.1 The hash function concept
The main function of a hash function is to map messages of different lengths to a hash of fixed size. The resulting hash is usually much smaller than the original message. A hash value h produced by the hash function H has the form h = H(M), where M is a message of arbitrary length and h is the fixed-length hash value.

1.2.2 The Secure Hash Algorithm (SHA)

1.3 The concept of trusted computing (TC)

1.4 OTP generation models
Two models are commonly used to generate OTP codes: time-based OTP generation and event-based OTP generation.

1.4.1 Time-based OTP generation
Under this mechanism the user is issued a code-generating device called a token. The token contains three components: a seedcode, a clock, and a one-way cryptographic algorithm.
- Seedcode: a code installed in the token by the manufacturer. Each token has a different seedcode, and the seedcode is also stored in the service provider's system against the user's login name.
- Clock: the token's own clock, synchronised with the system clock before the token is handed to the user. Each time the user presses the generate button, the token reads the time value from the clock, at a granularity of one minute or of 30 seconds.
- Cryptographic algorithm: the SHA hash algorithm.
Figure 1.3 Model of the time-based code generation mechanism.

1.4.2 Event-based OTP generation
In this mechanism the user is also issued a token as above, but inside the token there is an event counter instead of a clock. The event referred to here is the user pressing the generate button on the token. Each token holds a finite, ordered and unchanging set of codes. The number of these codes is called the window. The larger the window, the higher the security of the solution. To understand the mechanism better, consider an example in which the token uses a window size of 10, that is, the token holds 10 fixed codes in order, as shown in Figure 1.4.
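The event-based model above, as an added Python example that is not code from the thesis: the token and the server both derive the ordered codes from the seedcode with SHA-1, and the server accepts a submitted code only if it lies in the window of 10 codes after the last one it accepted, so each code is usable once and a token pressed without its code being submitted still resynchronises. The seedcode, the counter encoding and the reduction to 8 decimal digits are assumptions.

```python
import hashlib
import hmac

# Constructed sample seedcode (not a value from the thesis).
SEED = "example-seedcode-0001"
WINDOW = 10    # the thesis's example window: 10 ordered codes
DIGITS = 8


def event_otp(seed: str, counter: int, digits: int = DIGITS) -> str:
    """Code for the counter-th press of the token's button: SHA-1 over
    seed || counter (the concatenation format is an assumption), reduced
    to a fixed number of decimal digits so it can be typed."""
    digest = hashlib.sha1(f"{seed}|{counter:010d}".encode()).digest()
    return str(int.from_bytes(digest, "big") % 10 ** digits).zfill(digits)


class EventToken:
    """The user's token: its event counter advances on every button press."""

    def __init__(self, seed: str):
        self.seed = seed
        self.counter = -1

    def press(self) -> str:
        self.counter += 1
        return event_otp(self.seed, self.counter)


class EventTokenServer:
    """Server-side state for one user: the seed and the last accepted counter."""

    def __init__(self, seed: str, window: int = WINDOW):
        self.seed = seed
        self.window = window
        self.last_counter = -1   # nothing accepted yet

    def verify(self, code: str) -> bool:
        """Accept `code` only if it is one of the next `window` ordered codes.

        Codes at or before last_counter are never recomputed, so a code that
        was already used cannot be accepted again.  On success the server
        jumps to the matched position, which discards codes the user generated
        but never submitted.  A code further ahead than the window is rejected
        and the token must be resynchronised out of band."""
        first = self.last_counter + 1
        for c in range(first, first + self.window):
            if hmac.compare_digest(event_otp(self.seed, c), code):
                self.last_counter = c
                return True
        return False
```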
Figure 1.4 Model of the event-based code generation mechanism.

1.5 Standard recommendations for OTP
Hash algorithm: the security of the OTP code depends on the security of the hash function. All systems that use OTP must support MD5, should support SHA, and may support MD4. The hash algorithms accept input of arbitrary length but produce fixed-length output.
Input format: the structure of the challenge is: otp-<algorithm name> <sequence integer> <seed>.
Output format: the OTP produced by the above procedure is 64 bits long. Entering 64 bits by hand is difficult and error-prone for the user, so the OTP can be converted into a sequence of 6 short words (each word consisting of 4 characters) from the ISO-646 IVCS character set. Each word is chosen from a dictionary of 2048 words, 11 bits per word, so that the whole OTP can be encoded.

CHAPTER 2: APPLYING OTP TO ONLINE TRANSACTIONS IN THE MOBILE ENVIRONMENT

2.1 Model for deploying OTP in the mobile environment

2.2 Using OTP to authenticate accounts in online transactions
Within the scope of the thesis, I built a system that uses OTP to authenticate accounts in online transactions. The system consists of the customer, the web server, and the user's mobile device, which is used to generate the OTP code. To perform two-factor authentication the customer must register an account with the service provider (server). The server gives the user the account information used to authenticate on the system; this information is stored in the database on the server. The software is then installed on the mobile device and the device's time is synchronised with the server.

Registration process:
Figure 2.1 The registration process (the user registers username, password, PIN and seedcode with the server, and the server stores the account information in its database).
When users need to authenticate on the website, they run the application program on their phone and enter the information the program asks for in order to obtain the OTP code.

OTP generation process:
Figure 2.2 The OTP generation process (the user enters the PIN and seedcode into the mobile application, which generates the OTP code).
After obtaining the OTP code, the user enters it on the website together with the username and password registered with the service provider. When the server receives the customer's authentication information, it checks the validity of the information and returns the authentication result to the customer.

OTP verification:
Figure 2.3 The OTP verification process
In Figure 2.3 the user submits the username, password and OTP to the web server, which verifies the account.

CHAPTER 3: BUILDING OTP APPLICATION SOFTWARE IN THE MOBILE ENVIRONMENT

3.1 Description of the system using OTP on the mobile phone
The authentication system is disconnected (offline). The first mode is the disconnected OTP generation process.
Figure 3.1 The disconnected OTP generation process. The steps in the figure: the user needs to log in, for example to a website that requires security; the user starts the software on their mobile device; the user enters the username and the PIN; the user selects the program's generate-OTP button; the generated OTP code is valid for a defined period of time corresponding to what the user entered; the user takes the newly generated OTP code to authenticate on the website.
The second mode is the SMS-based OTP generation process.

Figure 3.2 The SMS-based OTP generation process. The steps in the figure: the user needs to log in, for example to a website that requires security; the user sends an encrypted SMS message to the server; the server receives the SMS message; the server decrypts the message and splits it into its parts: 1. the sender's phone number, 2. username, 3. PIN, 4. IMEI number; the server checks this information against its database to make sure the sender is a user of the system; if the check fails, the server ignores the SMS message; if it succeeds, the server generates a fresh password, encrypts it with the unique symmetric key shared between the server and the user, and sends the OTP code to the user by SMS.

3.2 Building the simulation application
To apply OTP to account authentication in online transactions, the thesis focuses on building the application using the disconnected method. The application has two parts: the first is the authentication program on the server side and the second is the program that runs on the mobile device to generate the OTP code. Figure 3.3 below describes the OTP usage workflow in the thesis.
Figure 3.3 Model of using OTP in account authentication (participants: customer, browser, web server, mobile phone; flow: the customer makes a payment request and generates the OTP code on the mobile phone, the browser sends the account information (name, password, OTP code) to the server, the server checks it and either performs the transaction and reports success, or reports that the transaction failed).
- Prerequisites:
  o The customer must have registered the account information with the server and installed the OTP generation software on their mobile device.
- Notes:
  o The check is OK when the customer enters the correct authentication information: username, password and OTP code.
The server-side software is built as a web server. Based on the account information and the OTP code supplied by the user, the server decides whether to allow the user to pay or to reject the request. This software interacts with the database that stores customer information as well as their accounts. The database used in this application is MySQL. The client side runs an application program that generates the OTP code for the customer. This application is written in the Java language and runs on the Android operating system. Android is a mobile phone operating system developed by Google on the Linux platform, using Java libraries (some of which were developed by Google for Android). The development environment is Eclipse (Eclipse IDE for Java Developers) with the Android plugin ADT (Android Development Tools) and the Android SDK (Software Development Kit) installed. The Google Android SDK is the tool built and released by Google itself for developing applications for the Android operating system. The Android SDK provides a rich set of tools, including a debugger, libraries, a handset emulator, documentation, sample code and tutorials.

3.2.1 Server-side interface
Figure 3.5 The home page interface
Figure 3.6 The account authentication interface
3.2.2 Client-side interface
Figure 3.7 The OTP generation interface on the Android emulator

CHAPTER 4: REMARKS, EVALUATION AND PROPOSALS

The thesis built a simulation program that uses OTP authentication for an online payment based on the time-based code generation model. The system consists of two parts: the software for the authentication server and the OTP generation software on the mobile device. The mobile device and the server both use the secure hash function SHA-1 to generate and verify the OTP code. On the mobile device the OTP code is generated from the parameters: real time, seed, and the PIN of each user. The PIN is not stored on the mobile device and is used to make sure the user is legitimate. The PIN is 8 characters long. The server side also performs the hash with real time, seed and the user's PIN as input, and compares the result with the OTP code entered by the user to make the decision.

The system's input parameters for generating the OTP code:
- Seed: 20 characters.
- PIN: 8 characters long, stored on the server as a hash to keep the system secure.
- Real time: year, month, day, hour and minute (the leading digit of the minute value).
These parameters are concatenated and passed through the SHA-1 hash function. The output of the hash algorithm is presented as a 40-character hexadecimal number (160 bits). The output is then converted into a form that is easy for the user to read: 3 words with 12 characters in total.

An OTP that is valid within each minute reduces the risk of attack while remaining convenient for the user, since the user needs some time to read and enter the OTP code. The 8-character PIN consists of digits with no spaces, which makes it hard to guess or to brute-force. The PIN is not stored on the user's mobile phone, which protects the customer if the phone is lost. The security of the system depends on the security of the hash function: for a brute-force attack, computing a message with a given 160-bit hash produced by SHA-1 requires 2^80 operations.

Comparison of the system with the requirements in the recommendation:
- Algorithm: the thesis uses the same SHA-1 hash algorithm on both client and server; SHA-1 is one of the hash algorithms given in the recommendation.
- Input format: Seed: meets the recommended length (16 characters or more), but does not yet meet the requirement to remove spaces and convert to lower case before processing. Challenge: the structure of the challenge follows the syntax in the recommendation, but to increase the security of the OTP code the thesis adds the PIN to the challenge.
- Output format: the output is produced in hexadecimal as in the recommendation, but the thesis does not yet convert the output to the standard 6-word form. The recommendation uses a 64-bit output, whereas the output of SHA-1 is 160 bits.
- Passphrase change: the system as built does not support the user changing the passphrase remotely.
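The time-based scheme of Chapter 4, as an added Python example that is not the thesis's own Java/Android code: SHA-1 over the minute, the seed and the PIN, a 12-character readable code in 3 groups, and a server check that also accepts the previous minute so that a code read near the end of a minute is not rejected while the user is still typing it. The concatenation order, the choice of the first 12 hex characters, the one-minute slot, the assumption that the server can reconstruct the same seed and PIN input, and the sample credentials are assumptions.

```python
import hashlib
import hmac
import re
from datetime import datetime, timedelta

# Constructed sample credentials for one user (not values from the thesis).
SEED = "k7Qe2pZ9vL4mX1nB8cR0"   # 20 characters, the length the thesis uses
PIN = "48213975"                # 8 digits, no spaces


def pin_is_valid(pin: str) -> bool:
    """The thesis's PIN rule: exactly 8 digits and no spaces."""
    return re.fullmatch(r"[0-9]{8}", pin) is not None


def time_slot(t: datetime) -> str:
    """Year, month, day, hour and minute: the code changes once a minute
    (one-minute granularity is an assumption)."""
    return t.strftime("%Y%m%d%H%M")


def generate_otp(seed: str, pin: str, t: datetime) -> str:
    """Mobile side: SHA-1 over slot || seed || PIN (assumed order), then the
    first 12 of the 40 hex characters shown as 3 groups of 4 for readability."""
    if not pin_is_valid(pin):
        raise ValueError("PIN must be exactly 8 digits with no spaces")
    digest = hashlib.sha1((time_slot(t) + seed + pin).encode()).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, 12, 4)).upper()


def verify_otp(seed: str, pin: str, submitted: str, now: datetime,
               skew_minutes: int = 1) -> bool:
    """Server side: recompute the code for the current minute and for up to
    skew_minutes earlier ones.  Without that tolerance a code read at second
    59 would already be stale by the time the user has typed it in.  The
    comparison is constant-time so the check does not leak how many
    characters matched."""
    cleaned = submitted.replace(" ", "").upper()
    for back in range(skew_minutes + 1):
        expected = generate_otp(seed, pin, now - timedelta(minutes=back))
        if hmac.compare_digest(expected.replace(" ", ""), cleaned):
            return True
    return False


def demo(seconds_later: int, server_pin: str = PIN) -> bool:
    """Generate a code at a fixed constructed time, then verify it
    seconds_later later with the PIN the server holds for the user."""
    t = datetime(2011, 6, 15, 10, 30, 45)
    code = generate_otp(SEED, PIN, t)
    return verify_otp(SEED, server_pin, code, t + timedelta(seconds=seconds_later))
```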
CONCLUSION
Today, with the rapid growth of the internet, the demand for online transactions is increasing rapidly, so there is a requirement to build systems that guarantee security. Two-factor authentication systems using OTP are currently used to add security to systems while remaining convenient for users. Starting from that requirement, the thesis studies and presents the following:
- The importance and basic theory of OTP code generation.
- The OTP generation models.
- The application of OTP to online payment.
- An experimental program that uses the mobile phone to provide OTP codes for authenticating online payments.
- An evaluation of the system that was built.

Some issues for further research and proposals:
- Extending the authentication function so that, beyond identifying the account, it also determines the rights of the credential holder, such as the right to access a given resource.
- Building a model in which OTP is used through an automatically triggered mechanism that is transparent to the user.