TTLV (thesis summary) - Nông Thị Lâm

POSTS AND TELECOMMUNICATIONS INSTITUTE OF TECHNOLOGY
-------------------------------------------------

NÔNG THỊ LÂM

RESEARCH ON APPLYING OTP ON MOBILE DEVICES
Major: Data Transmission and Computer Networks
Code: 60.48.15

SUMMARY OF MASTER'S THESIS IN ENGINEERING

Scientific supervisor: Dr. PHẠM HOÀNG DUY

HÀ NỘI - 2011

INTRODUCTION
The rapid growth of online services has sharply increased the number of distinct digital credentials that each user has to manage. As a result users feel overloaded by these credentials, which makes it hard for them to manage them securely. Today the password is the most widely used form of authentication, yet weak passwords and bad habits are themselves security threats in online transactions. One solution proposed to help users create and manage passwords is to give each user a hardware device that generates a One-Time Password (OTP), a password that is used only once, for a single transaction session. Most of these solutions, however, are not scalable, are not convenient for the user, or are not secure. The alternative proposed here is to run trusted algorithms on the user's mobile phone to generate the OTP. I therefore chose the research topic "Research on applying OTP on mobile devices".
The research covers:
- The theory of OTP: concepts, generation models, hash functions (focusing on SHA), and the standard recommendations.
- Applying OTP to online transactions in a mobile environment.
- Building a simulation program.
The thesis is structured as follows:
Chapter 1: Theoretical foundations.
This chapter presents the basic concepts of OTP, the OTP generation models, hash functions, and the standard recommendations for generating and verifying OTP codes.
Chapter 2: Applying OTP to online transactions in a mobile environment.
This chapter studies the model for deploying OTP in a mobile environment and the use of OTP in online transactions.
Chapter 3: Building OTP application software for a mobile environment.
This chapter briefly presents the experimental program built in the thesis, focusing on the process of generating and verifying OTP codes.
Chapter 4: Remarks, evaluation and proposals.
This chapter reviews the system that was built and offers some remarks.
Conclusion: This part summarises the results achieved in the thesis and proposes directions for future research.
CHAPTER 1 THEORETICAL FOUNDATIONS
1.1. The OTP concept
An OTP is a password that is valid for only one login session. An OTP can be used once to authenticate the user, or by the user to authorise a single transaction. OTPs are commonly used in electronic transactions and in systems with strict authentication requirements.
1.2. Hash functions
1.2.1 The hash function concept
The main purpose of a hash function is to map messages of varying length to a digest of fixed size. The digest is usually much shorter than the original message.
A digest h produced by a hash function H has the form:
h = H(M), where M is a message of arbitrary length and h is the fixed-length hash value.
1.2.2 The Secure Hash Algorithm (SHA)
1.3 The Trusted Computing (TC) concept
1.4 OTP generation models
Two models are commonly used to generate OTP codes: time-based generation and event-based generation.
1.4.1 Time-based OTP generation
In this mechanism the user is issued a code-generating device called a token. The token contains three components: a seed code, a clock, and a one-way cryptographic algorithm.
- Seed code: a code installed in the token by the manufacturer. Each token has a different seed code, and the same seed code is also stored in the service provider's system, associated with the user's login name.
- Clock: the token's own clock, synchronised with the system clock before the token is handed to the user. Each time the user presses the generate button, the token reads the current time from this clock. The time is taken with a granularity of one minute, or of 30 seconds.
- Cryptographic algorithm: the SHA hash algorithm.

Figure 1.3 Model of the time-based code generation mechanism.
1.4.2 Event-based OTP generation
In this mechanism the user is also issued a token as above, but the token contains an event counter instead of a clock. The event in question is the user pressing the generate button on the token. Each token holds a finite, ordered and unchanging set of codes. The number of codes in this set is called the window; the larger the window, the more secure the solution. To make the mechanism clearer, consider an example in which the token's window size is 10, i.e. the token holds 10 fixed, ordered codes, as shown in Figure 1.4.

Figure 1.4 Model of the event-based code generation mechanism
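The event-based (counter) model above is standardised as HOTP in RFC 4226, which the thesis lists among its references. The following Python is an added example, not the thesis's code: it implements the RFC 4226 algorithm and a server-side check that accepts a code anywhere inside a look-ahead window and then resynchronises its counter, so a user who pressed the button a few times without logging in is not locked out, while a replayed code is refused. The key is the RFC 4226 test key; the `HotpServer` class and the window size are my own constructions.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HS = HMAC-SHA-1(K, C), dynamic truncation, then mod 10^digits."""
    msg = struct.pack(">Q", counter)                   # C as an 8-byte big-endian value
    hs = hmac.new(secret, msg, hashlib.sha1).digest()  # 20-byte HMAC
    offset = hs[19] & 0x0F                             # low 4 bits of the last byte
    # 31-bit big-endian integer taken at the offset (sign bit masked off)
    snum = struct.unpack(">I", hs[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(snum % 10 ** digits).zfill(digits)


class HotpServer:
    """Server-side verifier (my construction; RFC 4226 only describes the algorithm).

    Keeps the next counter value it expects for one user. A submitted code is
    accepted if it matches any counter in [expected, expected + window); the
    expected counter then jumps past the matched value, so the same code (or
    any earlier one) can never be accepted again.
    """

    def __init__(self, secret: bytes, window: int = 10) -> None:
        self.secret = secret
        self.expected = 0
        self.window = window

    def verify(self, code: str) -> bool:
        for c in range(self.expected, self.expected + self.window):
            # constant-time comparison avoids leaking how many digits matched
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.expected = c + 1
                return True
        return False


if __name__ == "__main__":
    key = b"12345678901234567890"               # RFC 4226 Appendix D test key
    print([hotp(key, c) for c in range(3)])     # ['755224', '287082', '359152']
    server = HotpServer(key, window=10)
    print(server.verify(hotp(key, 3)))          # True: inside the window, counter jumps to 4
    print(server.verify(hotp(key, 3)))          # False: replay of a consumed counter
```

The window is a trade-off: a larger window tolerates more missed button presses but gives an attacker more valid codes to guess against at any moment, so production servers also rate-limit failed attempts.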
1.5 Standard recommendations for OTP
Hash algorithm: the security of the OTP code depends on the security of the hash function. All systems using OTP must support MD5, should support SHA and may support MD4. The hash algorithms accept input of arbitrary length but produce output of fixed length.
Input format:
The structure of the challenge string is:
otp-<algorithm name> <integer sequence number> <seed>
Output format: the OTP produced by the procedure above is 64 bits long. Entering 64 bits by hand is difficult and error-prone for the user, so the OTP may be converted into a sequence of six short words (each of one to four characters) from the ISO-646 IVCS character set. Each word is chosen from a dictionary of 2048 words, so each word carries 11 bits and the six words encode the entire OTP (64 bits plus a two-bit checksum).
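The challenge format, the 64-bit output and the six-word encoding described in this section come from RFC 2289 (reference [10] below). The following Python is an added example, not the thesis's code: it parses an `otp-md5` challenge, computes the password for a given sequence number (initial step: hash of the lower-cased seed followed by the pass phrase, folded to 64 bits; compute step: one hash-and-fold per sequence step), prints the hex form, derives the six 11-bit dictionary indices with the two-bit checksum of RFC 2289 Appendix B (the 2048-word dictionary itself is not embedded, so indices are returned instead of words), and shows the server-side check in which the server stores only the last accepted password and verifies a new one by hashing it once. Only MD5, the algorithm every RFC 2289 implementation must support, is implemented. The pass phrase "This is a test.", the seed `TeSt` and the class `SkeyServer` are constructed for the demo.

```python
import hashlib
import re

CHALLENGE_RE = re.compile(r"^otp-(md5)\s+(\d+)\s+([A-Za-z0-9]{1,16})$")


def parse_challenge(challenge: str):
    """Return (algorithm, sequence, seed) from 'otp-md5 <n> <seed>'.

    RFC 2289 limits the seed to 1-16 alphanumeric characters and treats it
    case-insensitively, so it is lower-cased here before use.
    """
    m = CHALLENGE_RE.match(challenge.strip())
    if not m:
        raise ValueError(f"malformed challenge: {challenge!r}")
    return m.group(1), int(m.group(2)), m.group(3).lower()


def fold64(digest: bytes) -> bytes:
    """Reduce a 128-bit MD5 digest to 64 bits by XORing its two halves."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def next_password(pw: bytes) -> bytes:
    """One compute step: hash the 64-bit password and fold again."""
    return fold64(hashlib.md5(pw).digest())


def otp_md5(passphrase: str, seed: str, sequence: int) -> bytes:
    """One-time password number `sequence` for this seed and pass phrase."""
    if not 10 <= len(passphrase) <= 63:
        raise ValueError("RFC 2289 pass phrases are 10 to 63 characters")
    # initial step: H(seed || passphrase) folded to 64 bits
    pw = fold64(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(sequence):          # compute step, once per sequence number
        pw = next_password(pw)
    return pw


def to_hex(pw: bytes) -> str:
    """Hexadecimal display form: 16 hex digits in groups of four."""
    h = pw.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


def six_word_indices(pw: bytes) -> list:
    """Six 11-bit indices into the RFC 2289 dictionary (Appendix B).

    A 2-bit checksum (sum of the 32 bit-pairs of the password, mod 4) is
    appended to the 64 bits; the resulting 66 bits are split into six 11-bit
    words, so the checksum occupies the two low bits of the last word.
    """
    v = int.from_bytes(pw, "big")
    checksum = sum((v >> (2 * i)) & 3 for i in range(32)) & 3
    bits = (v << 2) | checksum
    return [(bits >> (11 * (5 - i))) & 0x7FF for i in range(6)]


class SkeyServer:
    """Verifier (my construction following RFC 2289 section 7).

    Stores the sequence number N and password N, never the pass phrase. The
    challenge asks for password N-1; the server hashes the answer once and
    compares it with the stored password N, then moves one step down.
    """

    def __init__(self, seed: str, sequence: int, last_password: bytes) -> None:
        self.seed = seed.lower()
        self.sequence = sequence
        self.last_password = last_password

    def challenge(self) -> str:
        return f"otp-md5 {self.sequence - 1} {self.seed}"

    def verify(self, answer: bytes) -> bool:
        if self.sequence <= 0:
            return False                   # sequence exhausted: re-initialise the user
        if next_password(answer) == self.last_password:
            self.last_password = answer    # accepted: answer becomes the new reference
            self.sequence -= 1
            return True
        return False


if __name__ == "__main__":
    phrase, seed, n = "This is a test.", "TeSt", 99          # constructed values
    server = SkeyServer(seed, n, otp_md5(phrase, seed, n))    # initialised with password 99
    alg, seq, sd = parse_challenge(server.challenge())        # ('md5', 98, 'test')
    answer = otp_md5(phrase, sd, seq)
    print(to_hex(answer), six_word_indices(answer))
    print(server.verify(answer), server.verify(answer))       # True False
```

Because each accepted password becomes the reference for the next check, a password that is observed on the wire is useless afterwards: recovering the previous one would require inverting the hash.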
CHAPTER 2 APPLYING OTP TO ONLINE TRANSACTIONS IN A MOBILE ENVIRONMENT
2.1 Model for deploying OTP in a mobile environment
2.2 Applying OTP to account authentication in online transactions
Within the scope of the thesis, I built a system that uses OTP to authenticate accounts in online transactions.
The system consists of: the customer, the web server, and the user's mobile device, which is used to generate the OTP code.
To perform two-factor authentication, the customer must register an account with the service provider (the server). The server gives the user the account information needed to authenticate on the system, and this information is stored in the database on the server. The software is then installed on the mobile device and the device's time is synchronised with the server.
Registration process:
Figure 2.1 Registration process (User to Server: register information (username, password, PIN, seedcode); Server: store Account(username, password, PIN, seedcode) in the database)
When users need to authenticate on the website, they run the application on their phone and then enter the information the program asks for in order to obtain the OTP code.
OTP generation process:

Figure 2.2 OTP generation process (User to Mobile: enter (PIN, seedcode); Mobile: generate OTP; Mobile to User: OTP code)
After obtaining the OTP code, the user enters it on the website together with the username and password registered with the service provider. Once the server receives the customer's authentication information, it checks its validity and returns the authentication result to the customer.
OTP verification:
Figure 2.3 OTP verification process (User to Web Server: enter (username, password, OTP); Web Server: authenticate account; Web Server to User: authentication result)
CHAPTER 3 BUILDING OTP APPLICATION SOFTWARE FOR A MOBILE ENVIRONMENT
3.1. Description of the system using OTP on mobile phones
The first variant is the disconnected (offline) authentication system, in which the OTP code is generated without a network connection.

Figure 3.1 Disconnected OTP generation process:
1. The user needs to log in, for example to a website that requires security.
2. The user starts the software on their mobile device.
3. The user enters the username and the PIN.
4. The user selects the program's OTP generation button.
5. The generated OTP code is valid for a defined period of time and corresponds to the information the user entered.
6. The user takes the newly generated OTP code to authenticate on the website.
The second variant is SMS-based OTP generation.

Figure 3.2 SMS-based OTP generation process:
1. The user needs to log in, for example to a website that requires security.
2. The user sends an encrypted SMS message to the server.
3. The server receives the SMS message.
4. The server decrypts the message and splits it into its fields: (1) the sender's phone number, (2) the username, (3) the PIN, (4) the IMEI number.
5. The server compares this information with the database to make sure the sender is a legitimate user of the system. If the check fails, the server ignores the SMS message.
6. If the check passes, the server generates a fresh password.
7. The password is encrypted with the unique symmetric key shared between the server and the user.
8. The server sends the OTP code to the user in an SMS message.

3.2. Building the application
To simulate the use of OTP for account authentication in online transactions, the thesis focuses on building the application with the disconnected method. The application has two parts: the first is the verification program on the server side, and the second is the program that runs on the mobile device to generate the OTP code. Figure 3.3 below describes the OTP usage workflow in the thesis.


Figure 3.3 Model of using OTP in account authentication (participants: Customer, Browser, Web Server, Mobile Phone. Start: the customer requests a payment; the mobile phone generates the OTP code; the customer sends the account information (username, password, OTP code) to the server through the browser; the server receives the information and checks the account; OK: the transaction is performed and success is reported; Not OK: a transaction failure is reported. End.)
- Prerequisites:
  o The customer must have registered account information with the server and installed the OTP generation software on their mobile device.
- Notes:
  o The check is OK when the customer enters the correct authentication information: username, password and OTP code.
The server-side software is built as a web server. Based on the account information and the OTP code supplied by the user, the server decides whether to allow the payment or reject the request. This software interacts with the database that stores the customers' information and their accounts. The database used in this application is MySQL.
The client side runs an application that generates the OTP code for the customer. This application is written in Java and runs on the Android operating system. Android is a mobile operating system developed by Google, based on Linux and using Java libraries (some of which Google developed for Android). The development environment is Eclipse (Eclipse IDE for Java Developers) with the Android plugin ADT (Android Development Tools) and the Android SDK (Software Development Kit). The Android SDK is built and released by Google for developing applications for Android; it provides a rich set of tools including a debugger, libraries, a handset emulator, documentation, sample code and tutorials.
3.2.1 Server-side interface

Figure 3.5 Home page interface

Figure 3.6 Account authentication interface

3.2.2 Client-side interface

Figure 3.7 OTP generation interface on the Android emulator
CHAPTER 4 REMARKS, EVALUATION AND PROPOSALS
The thesis built a simulation program that uses OTP authentication for an online payment, based on the time-based generation model. The system has two parts: the verification software on the server and the OTP generation software on the mobile device.
Both the mobile device and the server use the SHA1 secure hash function to generate and verify the OTP code.
On the mobile device, the OTP code is generated from the parameters: the current time, the seed, and each user's PIN. The PIN is not stored on the mobile device and is used to ensure that the user is legitimate. The PIN is 8 characters long.
The server performs the same hash with the current time, the seed and the user's PIN as input, and compares the result with the OTP code the user entered in order to make its decision.
The system's input parameters for generating the OTP code:
- Seed: 20 characters.
- PIN: 8 characters long, stored on the server as a hash to keep the system secure.
- Current time: year, month, day, hour and minute (only the first digit of the minutes).
These parameters are concatenated and passed through the SHA1 hash function. The output of the hash algorithm is represented as 40 hexadecimal characters (160 bits). The output is then converted into a form readable by the user: 3 words, 12 characters in total.
An OTP that is valid only for a short time (the summary speaks of one minute, although the time string above keeps only the first digit of the minutes, which gives a ten-minute slot) reduces the risk of attack while remaining convenient for the user, who needs some time to read and enter the OTP code.
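The time-based construction described in section 1.4.1 and detailed in the paragraphs above (SHA1 over the concatenation of seed, PIN and the time string year-month-day-hour plus the first digit of the minute) can be written out as follows. This is an added example, not the thesis's Android or server code. Two points are my assumptions: the "readable form" is taken to be the first 12 hex digits of the SHA1 output split into 3 groups of 4 (the summary does not say which 12 characters are used), and the verifier is given the PIN value directly, since it must recompute exactly the same hash as the phone. The verifier also accepts the previous slot to tolerate clock drift, and records codes already accepted within a slot, because a scheme with no counter would otherwise let a code captured in transit be replayed for the rest of its slot. Seed, PIN and timestamps are constructed.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

SLOT_MINUTES = 10   # the time string keeps only the first digit of the minute


def time_string(t: datetime) -> str:
    """Year, month, day, hour and the first (tens) digit of the minute, e.g. 20110615103."""
    return t.strftime("%Y%m%d%H") + str(t.minute // 10)


def generate_otp(seed: str, pin: str, t: datetime) -> str:
    """Phone side: SHA1(seed || PIN || time) as 40 hex chars, shortened for display."""
    if len(seed) != 20:
        raise ValueError("seed must be 20 characters")
    if len(pin) != 8 or not pin.isdigit():
        raise ValueError("PIN must be 8 digits")
    digest = hashlib.sha1((seed + pin + time_string(t)).encode()).hexdigest()
    short = digest[:12].upper()                              # assumption: first 12 hex digits
    return " ".join(short[i:i + 4] for i in range(0, 12, 4))  # 3 words of 4 characters


class TimeOtpVerifier:
    """Server side for one account (my construction).

    Recomputes the code for the current slot and up to `skew_slots` earlier
    slots, and refuses a code that has already been accepted in its slot.
    """

    def __init__(self, seed: str, pin: str, skew_slots: int = 1) -> None:
        self.seed, self.pin, self.skew_slots = seed, pin, skew_slots
        self.accepted = set()   # (time string, code) pairs already consumed

    def verify(self, submitted: str, now: datetime) -> bool:
        for k in range(self.skew_slots + 1):
            t = now - timedelta(minutes=SLOT_MINUTES * k)
            expected = generate_otp(self.seed, self.pin, t)
            if hmac.compare_digest(expected, submitted):     # constant-time compare
                key = (time_string(t), submitted)
                if key in self.accepted:
                    return False                            # replay inside the same slot
                self.accepted.add(key)
                return True
        return False


if __name__ == "__main__":
    seed, pin = "ABCDEFGHIJKLMNOPQRST", "12345678"   # constructed 20-char seed, 8-digit PIN
    phone_time = datetime(2011, 6, 15, 10, 34, tzinfo=timezone.utc)
    code = generate_otp(seed, pin, phone_time)
    v = TimeOtpVerifier(seed, pin)
    print(code, v.verify(code, phone_time + timedelta(minutes=1)))   # True
    print(v.verify(code, phone_time + timedelta(minutes=3)))         # False: replay
```

Note that the server can only recompute this hash if it holds the PIN (or whatever PIN-derived value the phone actually hashes); storing the PIN only as a digest, as the summary states, works only if that same digest is what both sides feed into the hash.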
The 8-character PIN consists of digits only, with no spaces, which the thesis considers hard to guess or brute-force. Note that eight digits give only 10^8 possibilities, so this holds only against online guessing where the server limits failed attempts. The PIN is not stored on the user's mobile phone, so it stays protected if the customer loses the phone.
The security of the system depends on the security of the hash function. For a generic brute-force attack, finding a collision for the 160-bit SHA1 digest costs about 2^80 operations (the birthday bound), while finding a message for a given digest costs about 2^160; the dedicated SHA1 collision attacks published from 2005 onward bring the collision cost below the generic bound.
Comparison of the system with the requirements of the recommendation:
- Algorithm: the thesis uses the same SHA1 hash algorithm on both client and server; SHA1 is one of the hash algorithms given in the recommendation.
- Input format:
  Seed: the thesis regards the 20-character seed as meeting the recommended length (16 characters or more); RFC 2289 in fact limits the seed to 1 to 16 alphanumeric characters. The seed is also not yet stripped of spaces and converted to lower case before processing, as the recommendation requires.
  Challenge string: the structure of the challenge string follows the syntax in the recommendation; however, to increase the security of the OTP code, the thesis adds the PIN to the challenge string.
- Output format: the output is given in hexadecimal, in accordance with the recommendation, but the thesis has not yet converted the output into the standard six-word form. The recommendation uses a 64-bit output, whereas the output of SHA1 is 160 bits.
- Changing the pass phrase: the system that was built does not support the user changing the pass phrase remotely.
CONCLUSION

With the rapid growth of the internet, the demand for online transactions is rising quickly, and so secure systems must be built. Two-factor authentication systems using OTP are currently used to add security to a system while remaining convenient for the user. Starting from this requirement, the thesis studied and presented the following:
- The importance and the basic theory of OTP generation.
- The OTP generation models.
- The application of OTP to online payments.
- An experimental program that uses a mobile phone for OTP authentication in online payments.
- An evaluation of the system that was built.
Issues for further research and proposals:
- Extend the authentication function: in addition to verifying the account, also determine the rights of the credential holder, such as the right to access a particular resource.
- Build a model for using OTP with automatic activation that is transparent to the user.
REFERENCES

English-language references
[1] F. Aloul, S. Zahidi, W. El-Hajj (2009), Multi Factor Authentication Using Mobile Phones.
[2] Mohammed Alzomai, Audun Jøsang (2010), The Mobile Phone as a Multi OTP Device Using Trusted Computing.
[3] Chao-Wen Chan, Chih-Hao Lin (2008), A New Credit Card Payment Scheme Using Mobile Phones Based on Visual Cryptography.
[4] Josh Benaloh, Trevor William Freeman, K. John Biccum, Ttul Kumar Shal (14 October 2010), One time password key ring for mobile computing device.
[5] Jan-Erik Ekberg, Markku Kylänpää (14 November 2007), Mobile Trusted Module (MTM) - an introduction.
[6] Kjell Jørgen Hole, Lars Hopland Nestås, Håvard Raddum (January 2010), Security Analysis of Mobile Phones Used as OTP Generators.
[7] Junrusu, Xiaomin Zhu, Xiaopu Shang, Chuanchen Wang (November 2010), Study on an OTP Identity Authentication Scheme in Mobile Commerce.
[8] Nicolai Kuntze, Günther Diederich, Karsten Sohr, Kai-Oliver Detken, Secure mobile business information processing.
[9] FIPS 180-2 (1 August 2002), Secure Hash Standard.
[10] Network Working Group (February 1998), RFC 2289: A One-Time Password System.
[11] Network Working Group (December 2005), RFC 4226: HOTP: An HMAC-Based One-Time Password Algorithm.
Websites
[12] http://www.androidpit.com
[13] http://csrc.nist.gov
[14] http://motp.sourceforge.net/
[15] http://www.trustedcomputinggroup.org/