Professional Documents
Culture Documents
Đồ Án Nghiên Cứu Xây Dựng Hệ Thống PKI Dựa Trên Bộ Phần Mềm Mã Nguồn Mở OpenCA - Luận Văn, Đồ Án, Đề Tài Tốt Nghiệp PDF
Đồ Án Nghiên Cứu Xây Dựng Hệ Thống PKI Dựa Trên Bộ Phần Mềm Mã Nguồn Mở OpenCA - Luận Văn, Đồ Án, Đề Tài Tốt Nghiệp PDF
Uploaded by
Lee Re0 ratings0% found this document useful (0 votes)
48 views85 pagesOriginal Title
Đồ án Nghiên cứu xây dựng hệ thống PKI dựa trên bộ phần mềm mã nguồn mở OpenCA - Luận văn, đồ án, đề tài tốt nghiệp.pdf
Copyright
© © All Rights Reserved
Available Formats
PDF or read online from Scribd
Share this document
Did you find this document useful?
Is this content inappropriate?
Report this DocumentCopyright:
© All Rights Reserved
Available Formats
Download as PDF or read online from Scribd
Download as pdf
0 ratings0% found this document useful (0 votes)
48 views85 pagesĐồ Án Nghiên Cứu Xây Dựng Hệ Thống PKI Dựa Trên Bộ Phần Mềm Mã Nguồn Mở OpenCA - Luận Văn, Đồ Án, Đề Tài Tốt Nghiệp PDF
Đồ Án Nghiên Cứu Xây Dựng Hệ Thống PKI Dựa Trên Bộ Phần Mềm Mã Nguồn Mở OpenCA - Luận Văn, Đồ Án, Đề Tài Tốt Nghiệp PDF
Uploaded by
Lee ReCopyright:
© All Rights Reserved
Available Formats
Download as PDF or read online from Scribd
Download as pdf
You are on page 1of 85
LOLCAM ON
Sau ba thang né Ive thye hign, dé an “ Nghién ettu xy dumg hé théng PKI
da trén bé phin mém ma nguén mé OpenCA” da phin nao hodn than.
Ngoai sy cd gang hét minh cita ban than, em da nhan duge su khich Ié rat
nhiéu tir phia nha truong, thiy ¢6, gia dinh, ban bé
Em xin giti Idi cam on chan thanh va su sic nhit t6i Ths Hoang Dire
Tho, ngudi thay da cho em nhimg dinh huéng va nhing y kién rat quy bau vé
PKI va OpenCA
Em ciing xin t long biét on sau
ic toi thay c6 trong khoa va ban bé cing
(St nhiing nam hoe tai Hoe Vign Ky Thugt
khoa da gitp do em tién b6 trong
Mat Ma.
‘Xin cdm on gia dinh va nhitng ngwoi than yéu da lun d6ng vién, khuyén
khich gitip 46 con trong mgi hoan canh khé khan:
Xin cdm on ban be da va dang dong vién, gitip d6 t6i trong qué trinh hoe
tap va hoan thanh dé an t6t nghigp nay
6 An tt nghigp ciia em duge hoan thanh trong mot thi gian eting tong
d6i ngin. Vi vay dé an nay chic chin sé con nhiéu khiém khuyét. Em xin cam
‘on nhiing thay c6, ban bé va ngubi than sé c6 nhitng gop ¥ chan thinh cho ndi
|, di sau nghién ctu va ap
dung cia dO an nay, dé em c6 thé tiép tye tim hic
dung trong thye tin
Ngo Thu Hing
MYC LYC
MC LUC, 2
DANH MUC CAC TU VIET TAT. 5
DANH MUC HINH VE... Pid sommes 8
LOI NOI DAU. 8
CHUONG I: CG SO MAT MA HOC.
1.1.Mat ma khos bi mat...
1.1-1.Gidi thigu vé mat ma khoa bi mat va ede khai nigm e6 lién quan. ul
1.1.2.M6t vai cdc thual ton sit dung trong mat ma khoa doi xing
TTDI DES oe
1.1.2.2.IDEA.
3. Triple DES.
1.2.Mét ma khod eéng Khai
1.2.1.Khai nigm
1.2.2, Cée thud toan sir dung trong mt ma khod e®ng khai
1.2.21. RSA
1.2.2.2 Phuong thite rao doi bid Diffie Hellman
13. CHEKY $8 so
1.3.1.Qué wink ky.
1.3.2.Qué tinh kiém tra chir ky 80
14. Him hash
14.1.Khai nigm ham hash...
1.42, Tom luge hong bio
CHUONG II: TONG QUAN VE PKI VACA
2.1. Lich sr phat trién PKI.
2.2.Tinh hinh PKI tai Vigt Nam
23. Cac dink nghia vé PKI va cde hi
nigm €6 liga quan
23.1, Cie dinh nghia v8 PKL 21
2.3.2. Cée khai nigm lign quan trong PKI 2
2.3.2.1 Ching chi 2
2.3.2.2. Kho ching chi 24
23.2.3.Hity bo chitag chi nen el ae tod
2.3.24. Sao lho vi de ping Kida 25
2.5.Cép nit Khoa te ding.
23.26 Lich se Khoa.
23.27.Chimg tac ch
23.28.11 mr ching chdi i
2329.Tem toi ian.
2°3.2.10.Phin mem phia Clem
2.4, Muc tig, chire nang.
24.1. Xée the
24,11.Dinh da thee 6.
2.4.1.1.1.Xée thye cue b6.
24.1.1.2.Xée thy tirxa
2.4.1.2. Dinh danh nguén ge dit lignes noe sone 29
2.4.2. Bi mat
2.4.3.Toin ven dir ligu
2.4.3.1.Chithy sd - oe
2.4.3.2. Ma xde duc thing bao 30
24.4.Ching chdi b.. seononnnnnnnanninnnnnn 30
2.5. Céie khia canb an toin eo ban ma PKI cung edip 31
2.5.1. Dang hap an toan.. : ce a col
2'5.2. Dang nip mt lin an tan. ce : cab
25:3. Trong suot v6i ngui ding cui 32
2.54, An ninh toin dign.... 33
HUONG III: CAC THANH PHAN, CO CHE LAM VIEC CUA PKI CAC MO HiNH
VA CAC KIBU KIEN TRUC CUA PKI. 33
3.1, Mo hinh PKI va eée think phan cia PKI... oe 33
BALLCA 34
BIQRA... oe en no
31.2.1 Chive nang, nh v4 eta RA. 34
3.1.2.2.Thanh plan cia RA 35
3.1.2.2.1,RA Console... oH : cot
3.1.2.2.2.RA Officer. : ee 35
3.1.2.2.3.RA Manager 35
3.1.3. Certificate-Enabled Client: Bén duge cp phat chting chi.......enenenn 36
3.1.4. Data Recipient: Bén nhan dt liga 36
3.15. Kho na trvthu hai chimg chi 36
3.1.6.Chudi chimg chi hoat dong nhu thé nao
3.2. Céich thie lim vige ciia PKI
3.2.1. Khéi go thyge the
3.2.2. Tao cép khoé cng khaikinoa risng,
3.23. Ap dung chy sb bah danh ng
3.24, Ma ha thong bi
3.2.5. Truyén khda déi ximg
3.2.6, Kiém (ra danh tinh ngudi gui thong qua mot CA... seieeeeere
3.2.7, Giti ma thong bio va kiém tra ngi dung thong bao, 40
3
3.3. Ce tin trinh trong PKI 41
3.3.1. Yeu edu chimng ci 41
4.3.1. Git yéu oa. Al
4.3.1.2. Cie chinh sich 41
3.3.2, Huy b9 chitng chiro Rae tetera!
3.4, Cie mé hinh PKI 2
3.4.1, M6 hinh phan cap CA chit che (strict hierarchy Of CAS) orscsnsnnnsnsncncn AZ
3.4.4. M6 hinh 4 bén (four-corner mode!)
3.4.5. M6 hinh Web (web model). —
3.4.6Mé hinh tin ciy Hy ngudi ding lam trang tim (user-centric trust. 47
3.5.2Kign tne kiéu CA don (Single CA)...
3.53. Kin tric CA phan cép
3.54. Kign tric kigu chimg thye chéo (Cross-certificate)
3.5.5. Kim nie Bridge CA(BCA).....
CHRUONG TV: XAY DUNG MO HINITPKI DUA 7 TREN MA NGUON MOOPENCA $4
4.1. Lich sir phat trién OpenCA 34
42.CA., nnn sn 35
4.2.1,Chite nang ciia CA 55
4.2.11. Cap phait ching Ct... vo sonnnnninennnnnnnnnsn 3S
4.2.1.2. Huy bo chig chi 56
4.2.1.3.Tao lap chink séich ching chi 36
142.14 Hiring dn tec hin ching chi sb (Centfiation Practice Statement)... ST
42.2Nhigm vu cia CA
4.2.3, Cf I0gi CA
42.3.1 Enterprise CA
42.3.2 Standalone CA
4.24.Cie cp CA...
4.2.4.1 Root CA(CA goe)
42.4.2 Subordinate CA(CA phu thude)
4.3. Thit chang cia CA
43.1 Phan cip eg ban
43.2.Cée giao dign
43.2I.Node sn
4322C4
AB2BRA ce
43.24. LDAP.
AB2S.Pub oor
4.4. Vong dai cua eae d
4'5. Cée luu 9 Khi thict
4.5.1, Che vin a pl
45.1LThai gion,
ASI2DI0 Whose
43.1.3. Theo doi phn cing.
45.2.Antoan vit ly
453.Cae van dé ve mang...
45.4.Vin d8 v8 ching oi.
4.8.5.CDPs (Cae diém phan phdi danh sich huy bo chimg chi (CDP)).
45.6.Cée vin d& cu the ve img dung,
4.5.6.1 Mail Server
4.5.6.2. Client Netscape
4.5.6,3.0penLDAP...
PHU LUC
1.M@i trung phat trig...
1.L.Apache
1.2. OpenSSL.
1.2.1.Cang eu dong énh trong openssl
1.2.1.1,Cée dong Ignh chuan
1.2.1.2.Cée dng lénh t6m luge thong bao.
1.2.1.3, Cf dong Ignh vé ma hod...
1.2.2.The sign SSL/TLS tong Opens.
1.2.2.1 Migu ta... -
1222. Ci nie dirtigu
1.2.2.3, Céc file header.
1.2.3. Thu vign mat mi trong OpenSSL
12.3.1, Migu ta
1.2.3.2.Téng quan sone.
1.2.4, BO cng cu OpenSSL.
1.3.1.Cée diém néi bat
1.3.2.Kién trie a6i mod ssl...
1.3.3.Gino thite SSL.
1.4. OpenLDAP.
1.5, Cée module per]
2.Céie chun mat ma
DANH MUC CAC TU VIET TAT.
AES Advanced Encryption Standard
Tigu chuan ma héa tién tién
APL Application Programming Interface
Giao dign lap trinh img dung
APXS Apache Extention (tool)
Cong eu mé rong Apache
cA Certificate Authority
Tham quyén ching the
cpp: CRL Distribution Point
RL
RR
cps
CSR
DES
DN
Dso
Email
FIP
HTTP
HTTPS:
IDEA
IKE:
IMAP
ITU:
Lpap:
Diém phan phéi CRL
Certificate Revocation List
Danh sach huy bo chitng chi
Certificate Revocation Request
Yéu cau huy bo ching chi
Certification Pratice Statement
Huéng dan thye hanh chitng chi
Certificate Signing Request
Yeu cau ky chimg chi
Data Eneryption Standard
Tigu chuan Ma hoa Dit
Distingished Name
Tén phan bigt
Dynamic Shared Object
Déi tugng chia sé dong
Electronice mail
Thur dign tir
File Transfer Protocol
Giao thie truyén tip tin
Hypertext Transfer Protocol
Giao thite truyén siéu van ban
Secure Hypertext Transfer Protocol
Giao thie truyén siéu van ban an toan
Intemational Data Encryption Algorithm-
Thuét toan ma hod dit ligu quéc té
Internet Key Exchange
Trao d6i khod Internet
Internet Message Access Protocol
Giao thie truy ep thong béo Internet
Intemet Telecommunication Union
Lign minh vién théng quéc té
Lightweight Directory Access Protocol
MAC
MD:
NCSA
ocsP
OSI
PEM:
PGP:
PKCS:
PKL
Pop:
RSA:
SCEP.
SHA:
S/MIME
SMTP
SPKC
SSH
‘TCP/IP
TLS
Giao thitc truy ep nhanh cdc thr mye
Message Authentication Code
Ma xée thye thong bao
Message Degist
‘Tom huge thing bao
Online Certificate Status Protocol
Giao thite trang thai chimg chi
Open System Interconnection
M6 hinh két néi cdc hé théng mo
Privaey Enhanced Mail
‘Thu riéng tu tang cudng
Pretty Good Privacy
Public Key CryptoGraphy Standards
Ch mat ma khod céng khai
Pulic Key Infrastructure
Co sé ha ting khéa céng khai
Post Office Protocol
Rivest Shamir Adleman
Simple Certificate Enrollment Protocol
Giao thie dang ky chimg chi don gian
Secure Hash Algorithm
Thuat toan bam
Secure Multipurpose Internet Mail Extensions
Simple Mail Transfer Protocol
Giao thite truyén thur don gian
Simple Public Key Certificate
Ching chi khod cong khai don gin
Secure Shell
Transmission Control Protocol /Internet Protocol
Giao thire digu khién truyén théng/giao thite Internet
Transport layer Security
7
Giao thite dim bao an toan Iép van chuyén
DANH MYC HiNH VE
ink 1: Mr ma kd bi ma.
Hin 2: Mat ma Bod ed Ka
Hinks 3: Qué tinh I $6. :
Hin 4: Qué erin Rig ta city 96
Hh $:Mé hinh PRE Vigt Nam hién nay
Hinh 6: Khwén dang ching chi X.509v3
Hinh 7: Tin rink dng nhp an tin
Hinh 8: Tién trinh ding nhép an todn mét lin
Hlnh 9: M3 inh cde tinh phn PRI
Hinh 10: Chudi ching chi
Hin 11> Ma hinh phan ep CA chat che
Hinks 12: Mé hinh kign trite tin cay phn tn.
inh 13° MB hinh Bon Bn.
Hink 14: Mé hinh Web
Fin 13 hin nc tag cil i tin
inh 16: Chuditn
Hinh 17: Kidn trie ku Web of Trust 50
Hinks 18: Kien trie CA dom 51
inh 19: Kicn tie CA phn cap 32
Hink 20: Kign tric Kieu ching thee chico, 3
Hin 21> Kien trie Bridge CA ss 34
Hinh 22: Sa min hoa ro0tCa ss SubCA 239
LOI NOI DAU
Trong mét vai nam Ii day, ha ting truyén thong céng nghé thong tin cing
ngay cing duge mé rong khi ma ngwdi sir dung da trén nén ting nay dé
truyén thong va giao dich voi cde ding nghigp, cde d6i téc kinh doanh cing
nhur vige khdch hang ding email trén eée mang cng eng. Hau hét cée thong
tin kinh doanh nhay cém va quan trong durge hru trir va trao di duéi hinh
ic hogt dong truyén thong doanh nghigp nay
dong nghia véi vige chiing ta phai c6 bign phip bao vé 16 chire, doanh nghigp
clia minh trude cde nguy co lita dao, can thigp, tin cdng, phd hoai hove vo
tinh tiét 16 cde thong tin 46,
thite dign tit, Sy thay d6i trong
Cu tric co sé ha tang ma héa khoa céng khai cing cdc tiéu chuan va cic
cong nghé ting dung ctia né e6 thé duge coi 1a mét gidi php ting hgp va doe
lap c6 thé durge sir dung dé giai quyét van dé nay.
PKI dang tro thanh mét phan trung tm ciia cde kién trie an toan danh cho
cae 16 chite kinh doanh, PKI duge xem fa mét diém trong tam trong nhiéu
Khia canh quan ly an toan, Hau hét cdc giao thire chuan dam bao an ton mail,
truy cip Web, mang riéng ao va hé thong xae thye ngudi ding ding nhp don
du sit dung chimng chi khéa cOng khai
PKI ban chat 14 mot hé théng céng nghé vita mang tinh tigu chudn, vira
mang tinh img dung duge sir dung dé khoi to, lau trit va quan ly ede chimg
thye dign tir cing nhwr cde ma khod cong Khai vi cd nhan, Séng kién PKI ra
oi nam 1995, khi ma céc t6 chite cng nghiép va cde chinh phit xay dug céc
tiéu chuan chung dya trén phuong phap ma hod dé hd tra mét ha ting bio mat
trén mang Internet. Tai thoi diém d6, myc tiéu durge dat ra la xAy dng mot bo
t tng hop cing cde céng cy va ly thuyét cho phép ngudi sit
dung eting nhur céc 16 chite (doanh nghiép hode phi Igi nhuan) e6 thé tao lp,
tigu chuin bao
luru trit va trao di cae théng tin mét cach an toan trong pham vi c4 nhin va
céng cong.
PKI ngay cang thé hign 16 vai tra ct
inh trong Tinh vite an toan théng
tin. Hign nay, &6 dung PKI. Mét trong nhiing cach
thire xdy dung PKI 6 la dura trén ma nguén mé OpenCA,
nhigu cach thite x:
‘Dé tdi “Nghién ciru x’y dung hé théng PKI dua trén ma nguén mo
OpenCA” duge thye hign véi mye dich tim hiéu, nghign ettu va xay dyg PKI
dya trén ma nguén mé OpenCA. Noi dung dé tai bao gdm céc khdi nim tong
quan vé mat ma, c4c khai nigm lién quan t6i PKI, cic m6 hinh va cic kiéu
kién tric cia PKL. Vé phan OpenCA, dé tai néu lén duge dac diém, chite nang
cua cée phiin mém ma mé dé xy dyng nén OpenCA nh Apache, OpenSSL,
mod _ssl , perl va cdc module perl
Voi gidi han vé cdc van dé tim hiéu va nghién citu, noi dung tim hiéu a8
tai cia em bao gm phan
Chuong I: Co sé mat ma khod cdng khai va khod bi mat,
Chuong I trinh bay vé mat ma Khoa bi mat vi mat ma khod c6ng khai
cing cdc thudt toan duge sir dung trong mat ma. Chuong I ciing néu ra khdi
nigm vé chit ky s6, ham bam va ban tém luge thong bio
‘Chuong II: Téng quan vé PKI
Chuong nay trinh bay vé cae khai nigm ctia PKI va cée khai nigm 6 lién
quan téi PKI. Chong nay néu én muc tiéu, chire nang co ban cia PKI,
nhimg khia canh an toan ma PKI cung cp. Myc dich cua chuong nay 1a thé
hign c4i nhin téng quan nhat vé PKI
Chwrong III: Céc thanh phan va céch thie im vige eta PKI, cde mé hinh
kién trie ciia PKI. Chuong I da néu len nhting edi nbin tong quan
nat ve PKI, con chuong III khai thac sau hon vé cac khia canh ky thugt duge
va ci ki
sit dung trong PKI, cach thirc lam viée cua PKI va cdc kiéu kién tric, cdc mo
hinh cia PKI
Chuong IV: Xay dung mé hinh PKI dua trén ma nguén mé OpenCA
CChurong nay trinh bay chi tiét vé CA: Bao gm chite nang, nhigm vy, cée
loai CA. Chong nay trinh bay th
dya trén nguén mo OpenCA
chung CA va lira y khi xéy dug PKI
CHUONG I: CO SO MAT MA HOC
Mat ma da duge sir dung tir rit lau di. Céc hinh thire mat ma sor khai da
duge tim thay tir khodng bén nghin nm truée trong nén van minh Ai Cap cd
dai, Mat ma da va dang tn tgi hang nghin nam lich str va hign van dang duge
sir dung rat rong rai dé gitt bi mét trong truyén tin dc bigt trong cde linh vite
h tri, an ninh va quée phong. Mat ma vé co ban duge chia thank
hai loai chinh 1a mat ma khéa bi mat (hay con goi Li mat ma déi ximg) va mat
quan su,
‘ma khéa céng khai (hay cdn goi li mgt ma phi déi ximng).
é c6 thé truyén tin str dung mt ma thi hai bén truyén tin phai e6 khéa
‘MOt khéa ma héa 1a m6t mau théng tin dac bigt duge két hop voi mot
thud
cde van ban ma héa khée nhau, va néu ta khong chon ding khéa thi khong thé
todn dé thi hanh ma hoa va gidi ma. Mdi khéa khée nhau cé thé tao ra
no mé duge dir ligu d ma héa , cho dit biét duge ma héa van ban ding thuat
todn gi. Sir dung kh6a cing phite tap, ma héa cdng manh,
Vige chuyén di tir ban tin ban dau thanh ban tin ma hod duge goi la sw
ma hod, su chuyén d6i nguge lai tir ban tin ma hoa thanh ban tin ban dau duge
oi la gidi ma.
Ban tin ban dau duge goi la ban 10, ban tin ban diu duge ma hod
thanh ban ma, Toan b6 co ché bi mat dé duge goi la mat ma.
xiimg cae bén tham gia lién lac sir dung cing mot khéa
8 ma héa va gidi ma. Trrée khi truyén tin, hai thye thé A va B cing thoa
thugn voi nhau m6t khéa ding chung (K). Thyc thé A ding khoa do dé ma
hhéa ban tin (eq) sau d6 giti cho thye thé B. Thye thé B ding kha K, thye
hign phép giai ma (dx) dé giai ma ma nhan duge
Khéa bi mat phai duge dit bi mat
1.1.2.M6t vi
cée thudt todn sir dung trong mét ma khoa déi ximg
1.1.2.1.DES
Hé mat DES duge xay dung tai MY trong nhiing nim 70 theo yéu cdu cla
‘Van phong Quée Gia vé chuan va duge sy thim dinh eiia an ninh quéc gia,
DES két hgp ca hai phuong phap thay thé va chuyén dich
DES la mt mat ma khéi. D6 dai cua mdi khdi 1a 64 bit
Khod ding trong DES c6 d6 dai téng thé 18 64 bit, tuy nhién chi e6 56 bit
thye sy duge ding, 8 bit cdn lai ding cho vige kiém tra
Day da timg la thuat ton mat ma duge sit dung rong rai nhat .
1.1.221DEA
IDEA Ii mét thust toan ma hod khéi
IDEA tao thae trén timg khéi 64 bit, ma khéi 64bit plaintext thanh khdi
64bit ciphertext
D6 dai khoa khod ding trong thudt toan IDEA Li 128 bit,
1.1.23. Triple DES
3DES (Triple DES), la thuat toan ma héa khdi trong 46. khdi théng tin 64
bit sé duge Kin Iugt ma héa 3 Lin bang thugt toan ma hoa DES voi 3 khod
Kha nhau, Do a6, chiéu dai khéa mé
véi DES do 3DES ding 3 khéa khéc nhau dé ma héa dit Higu. BO xir Ly thye
hign céc burée sau :
Khoa diu tién ding dé ma héa dit ligu. Sau d6, khéa thir hai sé ding 48
giai ma dit ligu vira duge ma héa. Cudi cing, khéa thir ba sé ma héa lan thir
hai. Toan b6 qua trinh xir ly ciia 3DES tao thinh m6t thudt giai c6 d@ an toan
J6n hon va d@ an ton s® cao hon so
cao, Nhung béi vi day 18 mt thudt giai phi tap nén théi gian thye hign sé
lau hon, gap 3 Lin so véi phuong phap DES.
1.1.2.4.CAST-128
La mot thuat toan mat ma durge dat
‘Adams va Stafford Tavares
Chiéu dai khod 1A 128 bit
ngudi phat trién lé Carlisle
1.1.2.5.4ES
AES 14 mét thudt ton ma hoa khdi
AES lim vige voi khéi dit ligu 128 bit va khéa 06 d6 dai 128, 192 hoae
256 bit
SENDER RECIPIENT
nano, =a SI emcc
“a ae y a yg
eee =e ==
Hinh I: M@t ma khod bi mat
1.2.M§t ma khod cng khai
1.2.1.Khai nigm
Mat ma khéa cOng khai la mt dang mat ma cho phép ngudi
Gi cée thing tin mat ma khong cn phai trac ddi cée khéa bi mat trade dé.
‘Trong mat ma khéa cong Khai sir dung mot cJp khéa 1a khéa cong khai/khéa
ig diing dé gidi ma
dung tra
rigng, Khéa dng khai ding dé ma hoa cdn khéa
Diéu quan trong déi véi hé théng la khong thé tim ra khéa bi mat néu chi
biét khéa cong khai
Public Key Encryption
2 2
"? key private key
i
= =|
a ocel ae =
fatered
=
Piaintext Praintext
Hinh 2: Mat ma khod cong khai
1
2. Céc thuat toan sit dung trong mat ma khoa céng Khai
1.2.2.1. RSA
Thuat toan RSA duge Ron Rivest, Adi Shamir va Len Adleman mé ta lin
dau tién vio ndim 1977 tai Hoe vign Cong nghé Massachusetts (MIT).
RSA 1a mot thugt toan_ma ha khéa c6ng kha.
‘Thuat todn dau tién phd hgp véi viée tgo ra chit ky dign ti déng thoi voi
vige ma ha, No danh dau mot sy tién b6 vugt bic cita fink vue mgt ma trong
iéc sir dung khoa cong khai. RSA dang duge sir dung pho bién trong thuong
mai dign tt va durge cho 1 dam bao an toin v6i didu kién d6 dai khéa du lon,
DG an tolin cua hé thong RSA dya trén 2 vi
phan tich ra thira sé nguyén t6 cae s6 nguyén lon va bai toan RSA
8 cia todin hoc: bai ton
RSA cé téc d6 thye hign cham hon dang ké so voi DES va cac thuat toan
ma héa déi xing khdc. Trén thye 12, ngudi ta sir dung mot thuat tosn ma hoa
d6i ximg nao d6 dé ma héa van ban cin giti va chi sir dung RSA dé ma hoa
so voi van ban).
khéa dé giai ma (thong thuéng khéa ngin hon ni
1.2.2.2.Phirong thie trao déi khod Diffie Hellman
Phuong thite nay durge phat minh boi Whitfield Diffie va Matty Hellman 6
Stand ford,
Day la so dé khod céng khai dau tién. Tuy nhién, d6 khéng phai 1 mot so
46 ma hoa khoa céng khai thye su, ma chi ding cho trao déi khéa.
Cée khod bi mat duge trao déi bang cach str dung céc tram trung gian
ring tin cay. Phuong phap nay cho phép cdc khod bi mat duge truyén an toan
thong qua cde moi trudng khong bao mat.
Trao déi khod Diffie-Hemall dya trén tinh higu qua cia bai todn logarit roi
modulo etia mot s6 nguyén 16 1 kh
kho
1.3. Chit ky sé
‘MOt trong nhiing tng dung cia mat ma khéa cng khai li chit ky sé.
Chit ky 86 li m6t phan dit ligu durge dinh kem véi ban tin, ding dé nhan
dang va xéc the ngudi giti va dit Higu cua ban tin, sir dung ma hod khod cong
khai, Nguoi giti sir dung ham hash mot chiéu dé tao ra mét ban ma hash c6 dd
dai 32 bit tir dir ligu cia ban tin. Sau dé
d6(hash-code) bing khod rigng cia nguéi gir. Nguoi nhdn sé tinh toan Igi ma
hash d6 tir dir ligu d6 va giai ma ban ma hash d6 bang khod cong Khai cua
, ngueri gil sé ma hod ban ma hash
ngwoi giri. Néu hai ma hash d6 giéng nhau, thi ngudi nhan ¢6 thé chdc chin
ring di ligu dé khong bj sira di va dir ligu d6 ding 1 cia ngudi
1.3.1.Qué trinh ky
‘au tién, théng bdo duge tinh toan bai ham bam mot chiéu , ham nay se
tinh toan théng béo va tra vé mét ban tém luge théng bdo (message digest),
ham bam mét chiéu dim bao ring bin tm luge thong béo nay la duy nhdt va
bat ky mot stta doi dt nho nhat trén thong bao cling sé gay ra thay doi cho ban
t6m tit nay, Sau d6 ngudi gi st ding khod riéng cla minh ma hod ban tm
tit nay, NOi ding sau khi duge ma hod chinh la chi ky s6 (digital signature)
cia théng bio d6 durge ky bi nguisi giti. Chir ky s6 nay s€ durge giti téi cho
ngudi nhin kém véi thong bio
Cee es
pec
Hinh 3: Qué trinh ky sé
1.3.2.Qua trinh kiém tra chit ky sé
Khi nguéi nhan nhan duge théng bao, dé kiém tra tinh hop Ié ciia nd, dau
tién nguéi nhin s? ding khod cong khai cha ngudi gui dé giai ma chit ky sé.
Két qua cita qué trinh giai ma chit ky sé 1a ban tom luge thong bao ctia ngudi
gui tgo ra, Sau dé, ngudi nhan ding him bam mét chiéu dé tinh toan ban tom
tat qua ndi dung cua théng bao mét lan nita roi lay két qua dem so sénh voi
ban tém luge théng bao vira duoc giai ma 6 trén, néu két qua giéng nhau thi
qué trinh kiém tra thanh céng. Ngwoc lai c6 thé két Iudn day la mét thong bio
a bj gid mao hoje thong tin da bj thay di trén qua trinh gir di.
16
Verifying a digital signature
oc
Crenee it
ce)
fc
eal rn
Wun
Cray
omen
Poa siL
cs
cd
Hinh 4: Qud trinh kiém tra chit ky sé
1.4, Ham hash
1.4.1.Khdi niém ham hash
Ham hash (hash function) la ham mot chiéu ma khi ta dra mgt khdi dit
igu co dG dai bat ky qua ham nay thi sé tao ra mGt chudi bit co do dai c6 dinh
6 dau ra. Két qua 6 dau ra goi [a ban tém luge théng bao (message digest)
Hash c6 thé dam bao tinh toan vgn va xe thye
‘Thuat ton hash khéng thé duge dich nguge trv lai dit ligu ban dau vi vay
duge goi a thuat toan ma hod mot chigu
1.4.2. Tém luge théng bio
Ban t6m huge thong bio duge coi Li mot “dau van tay”
t6m luge thong béo durge tgo ra tir ham hash trén dd ligu eta ban tin,
‘Thuat toan tom luge théng bao c6 hai dac diém quan trong
Dau vio nhu mhau thi lun ludn tao ra dau ra nh nhau nhung du vio
hae nhau thi c6 thé khong bao gid tao ra dau ra nhw nhaw
Khong thé xc dinh durge ban tin thgt su tir ban t6m luge thong bio
Ban t6m luge thong béo duge sit dung dé dim bao ring div ligu ban tin
khéng bj thay ddi trong suét qua trinh truyén
‘ia ban tin, Ban
”
Ban tém luge théng béo duge ma hoa bing khod riéng cia ngudi giti dé
tao nén chit ky
(CHUONG II: TONG QUAN VE PKI VA CA
+h sir phat trién PKI
Diffie, Hellman, Rivest, Shamir, va Adleman céng bé céng trinh
nghién ciru vé trao d6i khéa an ton va thudt todn mat ma hoa kha cong khai
vao nim 1976 da lam thay déi hoin toin céch thite trao d6i théng tin mat
Ciing v6i sy phat trién cua cdc hé théng truyén thong dién tir tc do cao
(Intemet va cae hé théng trrdc n6), nhu cau vé trao déi théng tin bi mat tro
nén cap thiét, Thém vio 46 mét yéu cau nifa phat sinh la vige xde dinh dinh
Vi
y tong ve
2 cdc ky thuat
dang
‘ge gin dinh dang ngudi ding vai chimg thyc durge bio ve
mat ma da duge phat trién mét céch manh mé.
nhting ngudi tham gia vio qué trinh thong
Nhiéu giao thite sit dung cde k¥ thuat mat ma méi da duge phat trién va
phan tich. Ciing voi sy ra doi va pho bién cia World Wide Web, nhing nhu
cdu vé théng tin an toan va xée thye ngudi sir dung cang te nén ep thiét, Chi
tinh riéng cde nhu céu img dung cho thueng mai (nhur giao dich dign tir hay
truy cap nhiing co sé dir ligu bang trinh duyét web) ciing da da hip din céc
nha phat trién linh vue niy. Taher ElGamal va céc cOng sur tai Netscape da
phat trién giao thite SSL trong dé bao gdm thiét lap khéa, xe thre may ht
Sau d6, cdc thiét ché PKI duge tao ra dé phyc vu nhu cau truyén thong an
toan,
Cée nha doanh nghigp ky vong vio mot thi trudng ita hen moi da thanh
lap nhimng céng ty hoac du an mdi vé PKI va bat dau van déng cac chinh phit
dé hinh thanh nén khung phap ly vé linh ve nay. Mgt dy én ca American
Bar Association da xudt ban m6t nghién citu téng quat vé nhing van dé phép
ly c6 thé nay sinh khi vn hanh PKI .Khéng lau sau a6, mot vai tiéu bang ctia
Hoa ky ma di ddu la Utah (nam 1995) da thong qua nhing dir uit va quy dinh
dau tién
‘ée nhom bao vé quyén loi ngudi tiéu ding thi dat ra cde vin dé vé
riéng tw va eae trich nhigm phap ly.
bao vé qu;
Tuy nhién, céc luat va quy dinh da duge théng qua lai khong théng nat
trén thé gidi, Thém vao dé 1a nhiing kh khan vé ky thudt va van hanh khién
cho vige thye hign PKI kho khan hon rat nhieu so véi ky vong ban dau,
Tai thoi diém dau thé ky 21, ngudi ta nhan ra ring cc ky thugt mat ma
ciing nhu cac quy trinh/giao thite rat khé duge thyre
chuan hign tai chua dap ting duge cac yéu cau dé ra,
‘Thj trong PKI thyc sy da ton tai va phat trién nhung khéng phai véi quy
mo da duge ky vong tir nhimg nam gitta cia thap ky 1990. PKI chwa gidi
quyét duge mdt s6 van dé ma né duge ky vong. Nhing PKI thanh céng nhat
ign chinh xée va céc tiéu
{Gi nay 1a cée phién ban do cae chinh phir thye hign
Toi nay, nhimg né lye hoan thign PKI van dang duge diu wr va thie day.
ién thue hoa ¥ tuéng tuyét voi nay, cc tiéu chudn can ph
nghién eiru phat trién 6 cée mite d6 khae nhau bao gdm: ma hod, tru
duge
thong
/a lién két, xdc thyc, cap phép va quan ly. Tuy nhién, hau hét cde cong nghé
hinh thanh tir ¥ twéng nay dA tré nén chin mudi va mot sé da bude vao giai
doan "lio hod". Nhiéu chuan bao mét trén mang Internet, ching han Secure
Sockets Layer/Transport Layer Security (SSL/TLS) va Virtual Private
Network (VPN), chinh la két qua ciia sing kién PKI
Qua trinh nghién ctu va phat trién PKI 1a mét qué trinh lau dai va cing
véi nd, mic dé chap nhan cita ngubi ding cing ting 1én mot cdch kha cham
chap. Ciing gidng nhu voi nhieu tiéu chun céng cong khic, ty 1é ngudi ding
chap nhan sé tang Ién chi khi ede chudn dé tra nén hon thign, chimg minh
duge kha nang thye sir cha n6, va kha nang img dyng va hign thyre hod ciia né
la kha thi (ca vé khia anh chi phi lan thye hign),
2a
inh hinh PKI tai Vigt Nam
Trude nhu cdu sir dung PKI, & Vit nam, e6 mot s
hoat dong cung cap dich vu chimg thy trong linh vue nay. Trong khu vue
Nha nude Ban Co Yéu chinh phi da xy dyng va thir nghiém tai ha tang
16 chite da trién khai
Trung Tam cia mot s6 BO, nganh & quy m6 nho , ding théi sir dung trong
mOt sé dich vy bao mat va an toan . Ngan hang Nha nude, BO Cong Thuong
cing da t6 chite thir nghigm cac CA chuyén ding dap img hoat déng nghiép
vu ndi bd
Khu vy ngoai nha nude nhu cae to chire VASC, VDC da cung cap ching
thyc dign tir cho mot sé té chite va ed nhan, Nhin chung, nhu cdu sir dung PKI
6 Vigt Nam ngay cang tang , tuy nhién vige trién khai thye té hign tgi chur
nhiéu
6 Vigt Nam, nim 2007 Ban Co Yéu Chinh phi thanh tip Trung tim
Chimg thye dign tir chuyén diing vai cae chire ning cung cp , quan ly chimg
thu 6 va cdc dich vu chimg thyc chit ky sé cho cae co quan thugc hé théng
Chinh tri
Nam 2008, BO Thong tin- Truyén thong da thanh lap Trung tim ching
thyc chit ky sé quéc gia va giao Cyc tmg dung Céng nghé théng tin t6 chitc,
quan ly, cdp phép va cung cdp dich vy chimg thy s6 cho Khu vite cng eéng,
Hinh 5:Mo hinh PKI Viét Nam hién nay
Nhin chung vige trién khai dich vu chimg thye chit ky s6 6 nude ta edn
chim, chura theo kip téc d6 phat trién mang CNTT va cde dich vu giao dich
ign tir trén thé gidi
Co so ha ting khod céng khai (PKI) 1a mot trong nhing nhu cau thiét yéu
ca tong lai, Nhung van dé 1a hu hét cdc tng dung cé thé duge dam bao an
at PKI, Iy dé la
phan mém trung tam tin cay cé tinh linh hoat thi lai rit dat. Day 1a diém khoi
toan bang chimg chi va khod nhung Iai rat khé va dit dé c:
20
dau ctia OpenCA. Myc dich la san phim cia hé théng trung tam tin cay nguén
mo dé hé tro céng déng véi cae giai phap tét, ré (chi phi hgp ly) va mang tinh
xu huéng trong tuong lai
Dy 4n OpenCA duge bat dau vio nim 1998, Y tung OpenCA ban dau
duoc phat trién béi Massimiliano Pala. Ma nguén ban dau cia dy an duge
dogn script rat dai. Khi phién ban dau tién cua phan mém duge xay
vidt v«
dung, thi dy an OpenSSL van cé tén ld SSLeay . Rat nhiéu chire nang van con
16i va nbidu thé khéc nita déu dang bi bo qua
cai dt phdn mém ban dau rit don gian va chi cé m6t vai doan script
kha tao CA. Dé cai dt nhanh chéng phn mém, ban chi cn giai nén g6i dé,
ding Iénh ed dé chuyén vao géi vita gidi nén dé va sir dung lénh “make
install”, doan script sau 46 sé chay va tién hanh cai dat phin mém CA don
gian va tao ra chimng chi CA
‘MOt loat céc doan script duge cung cap sé giup cho vié
hinh cho hau hét cée phn cia dy én, Mac dit don gin nhur vay, nhung giai
phap nay gay ra rat nhiéu van dé voi cong déng nguéi ding béi vi céc van dé
cai dat va edu
nay sinh tir viée nhu cdu can phai tao ra mét goi day dit va tét hon. Phién ban
dau tién cia OpenCA rat don gin, nhiéu chite nang duge xay dung chi yéu
chi duge ding dé cép phat chimg chi, CRL va cée phurong thire cai dat thi kha
don so, khéng cé tinh tign dung cho bat ky du hinh nao , dogn script
chi c6 thé tuong thich véi bash
‘Cac phién ban tiép theo duge bé sung thém nhieu tinh nang hon cho dir an
va do d6 phién bin 0.109 43 bao gém giao dign cho server cla CA, RA va
Pub. Tir Iic bat dau dy an va tir phat hanh phién ban dau tién, da c6 mot
lugng Ion sy tham gia cia cong déng Internet déng gop vao sy phat t
dy an
cia
2.3. Cée dinh nghia vé PKI va ede khai nigm c6 tién quan
2.3.1, Cée dinh nghia vé PKI
PKI cé rat nhiéu dinh nghia. Dé hiéu sau va rd vé PKI, em xin phép duge
dua ra cde dinh nghia vé PKI
Dinh nghia |
PKI la co s6 ca m6t ha tang an ninh rong khap, cdc dich vy cia PKI duge
cai dat va thye hign bing céch sir dung cde khai nigm va ky thudt cia mgt ma
khod cong khai
h nghia 2
PKI [a mot tép hgp phan ctmg, phan mém, con ngudi, cae chinh séch va
cae thi: tue ean thiét dé tao, quan ly, lu trir, phan phéi va thu hdi cdc ching
chi khod cong khai dya trén mat ma khod céng khai
inh nghia 3
‘Trong mt ma khod cong khai, co sé ha ting khéa cong Khai la mot co ché
dé cho mot bén thir 3 (CA) cung cp vi xée thye dinh danh cae bén tham gia
vao qui trinh trao ddi thing tin, Co ché nay eting cho phép gén cho mdi ngudi
sit dung trong hé théng mét cap khéa céng khai/khéa riéng. Cae qua trinh nay
thuéng duge thuc hign boi mét phan mém dat tai trung tam va cdc phi
phdi hp Khe tgi cdc dia diém cita nguoi ding. Khéa cong khai thudmg duge
pan phéi trong ching chi khod céng khai
Khai nigm ha ting khéa cdng khai thurdng duge ding dé chi toan bo hé
mém
théng bao gém tham quyén chtmg thue cing cae co ché lién quan déng thoi
‘vGi toan bé vide sit dung cac thudt toan mat ma héa khéa céng khai trong trao
di thong tin
2.3.2. Céie khdi nigm lién quan trong PKI
2.3.2.1. Ching chi
Chimg chi 1 mt tai 1igu sir dung char ky s6 két hop khod cng khai véi
‘mot dinh danh thyc thé (nhur ngutri, mét t6 chire hoe mot may chii)
‘Chimng chi khong chita bat ky mot théng tin bi mat nao. Vé co ban, n6 bao
gdm cae thnh phan sau
Chimg chi chira nhimg thong tin edn thiét nhur khod cong khai, chit thé
(nguoi sé hiu) , bén cdp chimg chi va mdt sé thong tin khdc. Tinh hgp Ié cita
cdc théng tin duge dam bao bing chit ky sé ctia bén cdp chimg chi. Ngudi
ding muén sir dung chiing chi trrée hét s® kiém tra chit ky s6 trong ching
chi, Néu chit ky d6 hgp Ig thi c6 thé sir dung chimg chi dé
Mot vai logi ching chi
Chiimg chi khod cong khai X.509
‘Ching chi khod cng khai don giin (Simple Public Key Certificate -
SPKC)
Ching chi Pretty Good Privacy (PGP)
Ching chi thude tinh (Attribute Certificate -AC)
Tat ca cée logi chimg chi nay déu 6 céu inte dang riéng bigt. Hign nay
chimg chi khoa céng khai X.509 duge sir dung phé bién trong hau hét cdc hé
théng PKL.
Chitng chi X.509
Ching chi X.509 duge Hiép hdi vin thong quéc té (ITU) dua ra lin dau
tign nam 1998
‘Ching chi nay gém 2 phan, Phin dau la nhimg truéng co ban
phai c6 trong chimg chi, phan thir hai la phan chita mét s6 cae trrang phu,
hay c6n goi la trong mé rong. Cac trrong mé rong thong duge ding dé xac
dinh va dap img nhitng yéu cau bé sung cua hé thong
Version: Phién ban cia chitng chi
Serial Number: Sé serial clia chiing chi, ld dinh danh duy nhat etia chimg.
fin thiét
chi, ¢6 gid tri nguyén
Signature Algorithm: Thugt toin ctia chit ky : Chi ra thuat toan CA sit
dung dé ky chimg chi
Issuer: Tén chit thé phat hinh chimng chi
Valid from — Valid to: Thai han cia chitng chi
Subject: Tén chi thé cia ching chi
Public Key: Khod cong khai ciia chu s6 hitu ching chi
X509 Public Key Certificate
vate
‘3
3564 386400 18d 1b 7305.
shanks
Thawte SCC CA, Thawte Cos.
2. kvdina 2008 18:02:55
2 kt 2009 18:02:55
wv. goage.com, Google Ine.
sa (i024 Bt)
Server Authenteation (1.3.6
{HJCRL Distrouton Pont: Ost...
authority information Access [1JAuthority Info Access: Acc.
ies constants Subject TypeEnd Entty, Pat.
[thumbprint aor she
[thumbprint 89.2098 710 72582 35...
Psonature 31 0a 6c a2 Se e9 54
Hinh 6: Khudn dang ching chi X.509v3
2.3.2.2.Kho chiing chi
Chimg chi duge cip boi CA két hyp khoa céng khai véi nhén dang cia
thyc thé B. Tuy nhién néu thyc thé A khong cé kha nang xac dinh vj tri chimg
chi nay m6t cdch dé dang thi anh ta cing khong co higu qua gi hon so véi vige
ching chi nay chura dirge tao ra
Do dé, phai cé m6t kho chimg chi tryc tuyén (online repository), quy mé
Jén va mém déo va phai duge dat & vi tri ma A cé thé xac dinh vi tri chimg
chi ma anh ta can dé trayén théng an toan
Mot PKI quy m6 lin s@ tro: nén vo ich néu khong e6 kho chimg chi
2.3.2.3. Hiiy bo ching chi
CA ky chimg chi gan két khéa cOng khai voi nhan dang ngudi dung. Tuy
nhién trong mdi trudng thyc té, cdc sy kign sé c6 lie ddi hoi phai phd bO sr
gin két nay. Sy pha bé gin két cAp khoa céng khai véi nhan dang cia mot
thu thé ¢6 thé 1a do
Sy thay déi nhén dang
Khoa bi mat bj hacker kham pha ra
24
Do 6 cin phai c6 mét céch thite dé théng bao cho nhitng ngudi ding con
lai ring khod céng khai ctia dinh danh nay khéng con durge chp nhén nita,
Co ché canh bao nay trong PKI duge goi 18 huy bo chimg chi (Certificate
Revocation)
2.3.2.4. Sao leu vir due phong khéa
Trong bat ky mOt méi trudng PKI dang hoat déng , mot ti 1g ngudi ding
sit dung khoa bi mat ciia minh theo mét thei han 6 dinh
1u mdi thang hodc méi nam ). Nguyén nhan cé thé la do
Quén mat khdu: Khoa bi mat ea ngudi ding van con vé mat vat ly nhung
khong thé truy cp duge
Phuong tign bj hong hoe: Vi dy nhur dia cimg bj hong hoe thé théng minh
bi gay
Su thay thé cata phyong tin: Hé diéu hanh duoc tai lai (ghi dé lén cac gidy
te uy nhigm cyc b6) hoge mot m6 hinh may tinh ci hon duge thay thé bing
mot m6 hinh may tinh méi hon va céc gidy ta uy nhigm khong duge ehuyén
rude Khi dia ei bj format lai
Giai phap: Thue hign sao hiru va dy phong khod bi mat dé giai ma. Vige
sao luu va dy phdng khoa la mang tinh can thiét, né tao nén mét phan mo
rOng trong dinh nghia PKI
2.3.2.5.Cap nhdt khéa tee ding
‘MOt chitng chi thi 6 thoi gian sng hau han. Khi ching ch
duge thay thé bling mOt ching chi mdi. Thi tuc nay duge goi
hay cp nhat chimg chi
Vain dé dat ra la: Ngudi ding PKI sé thuéng cam thay bat tign khi phai cap
nhat khoa tha cng va théng thong thi ho sé khéng nhé théi han hét han cia
ching chi hoe khi thye hign cp nhgt khod khi da hét han thuéng gap phai
nhiéu thi: tue phite tap hon
Gidi phép: Xay dung PKI theo céch ma toin bd khod hode ching chi s®
duge cap nhét hoan toan ty dong ma khdng cin e6 sy can thigp ndo cia ngudi
ét han s&
hat khost
ding
MGi khi chimg chi cia ngudi sir dung duge ding dén cho mot mye dich
bat ky, thé gian hop Ig ciia né s@ durge kiém tra. Khi sp hét han thi hoat dong
25
lam méi chimg chi sé dign ra, chimg chi méi sé duge tao ra va sé duge sue
dung dé thay thé chimg chi ci va giao dich cia duge yéu céu cua ngudi ding
s@ tigp tue dign ra
Boi vi qué trinh cp nh§t khod ty dong 1 nhan 16 séng cdn déi voi PKI
hoe dng trong nhiéu méi trang, do 6, né tao nén mot phin dink nghia eva
PKI
2.3.2.6 Lich si khéa
Trong suét qué trinh sir dung PKI, mét nguai ding c6 thé c6 nhiéu chimg
chi cf va e6 it nhét mot chimg chi hign tai. T§p hgp ede chtmg chi nay véi ede
khod bi mat tuong ing duge goi 4 lich sir khod (key history) hay cdn goi li
lichsir khoa va chitng chi
iéc duy tri. toan bé lich sir khoa nay rat quan trong bei vi néu gia sir thc
thé A ma hod ban tin cho thye thé B trong khoang thoi gian 1a 5 nam thi thuc
thé B khong thé giai ma bang khod bi mat hign tai clla minh
ang giéng nhu sy c4p nhat khod, quan ly lich str khod phai durge thre
hign va duy ti tr dong trong PKI. PKI can phai nim git duge tit ed cde khod
trong lich stt, thye hign sao hu va dy phong tai vi tri thich hyp
Duy tri lich sir khoa rat quan trong béi vi né tao ra mét phan mo réng,
trong PKI duge dinh nghia
2.3.2.7. Ching thye chéo
Bat van dé
‘Trong mdi trudng thy té, khong phai chi
hoat dong ma thy té 6 rat nhiéu PKI duge trién khai va hoat déng, phye vu
trong cde moi trudng va cong déng ngudi ding khae nhaw
“6 mot PKI ton cuc duy nhat
Khi céc PKI hoat déng phéi hop, lién két voi nhau, sé nay sinh van dé 1a
lam thé nao dé dam bao an toan truyén théng gitta cdc céng déng ngudi ding
trong cae PKI?
Giai phap
Khai nigm chimg the chéo da nay sinh trong méi trong PKI dé gidi
quyét nhu cu nay nhim tao ra méi quan hé tin twong giita cac PKI khong c6
quan hé véi nhau tre dé
‘Chimg thyc chéo 1a co ché cho phép ngudi ding cia mot céng déng PKI
nay xée nhén tinh hop Ié chimg chi ctia ngudi ding khéc trong mot cng déng
PKI khée
2.3.2.8.H6 tro chéng chéi bo
Trong méi trung hoat dng ciia PKI, mdi hanh dong cia ngudi ding ludn
gan véi dinh danh cia ho, Néu mOt ngudi ding ky sé van ban cia minh, thi
cé nghia ngudi ding dé khang dinh ring van ban dé xuat phat tir pl
PKI cn phai dam bao ring ngwai ding d6 khéng thé chéi bo trach nhigm
‘ma minh da thye hign. Co ché nay durge goi la co ché hé try chong chéi bo
Dé thyc hién dirge co ché hd try chéng chéi bo, PKI cdn phai cung cap
minh
thye nguén géc dir
ligu va chimg thyc thoi gian ma dit ligu duge ky. Do d6, hd tra chéng chéi bo
tao nén mét phan cia dinh nghia PKI mé rong.
Ot vai cdc bing chimg ky thudt duge yéu edu, nhur lax
2.3.2.9.Tem thoi gian
‘MOt nhan té quan trong trong vige hé trg cae dich vy chéng chdi bo 1a sir
dyng tem thé gian an ton (secure time stamping) trong PKI. Nghia 18 nguén
thoi gian phai durge tin cy va gid tr} thoi
ian phai duge truyén di m@t cach
an toan. Do dé can phai cé mét nguén théi gian cé thé tin tuéng durge cho tat
ca ngudi diing trong PKL
2.3.2.10.Phén mém phia Client
Trong m6 hinh PKI, kien tric may chi-may khach (server-software) thi
cde server sé thie hién nhing nhié
CA sé cung cép cée dich vy chimg chi
Kho chimg chi sé lwu giit céc théng tin chimg chi va huy bé ching chi
May chii sao liu va dyt phong sé quan Iy lich str khod mét ech phi hyp
May chi tem thoi gian sé két hop cc théng tin thoi gian cé thé tin tueng
duge vai cic
vusau
su van ban,
Tuy nhién, server khong thé thyc hién bat ky diéu gi cho cdc may khach
néu nhu may khach khéng dua ra eae yéu edu dich vy. Do d6 nhigm vu clia
may khaich sé 1a
May khdch phai dura ra yéu edu e:
© dich vy chimg thre
ce
May khach phai yéu ciu ching chi va xir ly cde thng tin huy bd ching
chi e6 lién quan
May khach phai biét lich sir khoa va phai biét khi nao can yéu cau cap
mh§t khéa hoe huy bo khod
May khach phai biét khi nao né can phai yéu cdu tem thoi gian trén van
ban
éu cia PKI tich hgp day dit
dich vy duge cung cép bai
client 1a mét thanh phan thié
6 phin mém nay, rit ni
tinh nang. Néu kh
PKI gan nhu khong cé higu qua
2.4, Mue tidu, chite ning
PKI cho phép nhiing ngudi tham gia xée thye lin nhau va sir dung thong
tin tir cde chitng chi khéa cong khai dé ma héa va gidi ma théng tin trong qua
trinh trao d6i. PKI cho phép cae giao dich dign tr durge dign ra dim bao tinh
bi mat, toan ven xac thye lin nhau va chéng chéi bo ma khéng cn phai trao
cc thong tin mat tir truée.
Xe thye: Chiing minh dink danh thyc thé
Bi mat: Dam bao ring khéng ai cé thé doc durgc théng béo ngoai trit nguti
nhan
Toan ven: Bam béo rang ngudi nhin sé nhan duge thong béo ma khong bi
thay d6i ndi dung ban dau
Tinh chéng chéi bo: Co ché nay sé chimg minh ring ngudi nban/giti da
thy su girinhén thong
PKL tan dung ca mat ma déi ximg va phi doi vimg dé dé dat durge nhing
tinh nang co ban trén
io
2.4.1. Xée thye
‘Vé co ban, tinh xée thye cung cap 2 kl
danh thute thé va dinh danh ngudn gée dir
canh ting dung chinh dé la dinh
u
2.4.1.1.Binh dan thue thé
Dinh danh thyc thé don gidn ding dé dinh danh thye thé xéc dinh ndo d6
6 lién quan, Do dé, trén thye t6, dinh danh thye thé thong thuéng s& tao ra
mét két qua cy thé ma sau 6 duge sit dung dé thyc hién cdc hoat déng khic
hode truyén thong khée
‘Dinh danh thye thé bao gdm : M6t nhan t6 va nhiéu nhan t6
C6 rét nhigu cach dé ching minh dinh dank. Ta c6 thé chia ra Kim bén logi
sau
Cai gi dé ngudi ding cé (vi dy thé thong minh hoae thiét bj phan cimg)
Cai gi d6 ngudi dung biét (Vi dy mat khdu hode PIN)
Cai gi dé 1a ngudi ding hoge gin véi ngudi ding (vi dy dau van tay hoae
vong mac mat)
CAi gi dé ngudi ding thye hign (vi du g6 cae ky ty nao d6)
Cé hai kigu xée thyre duge biét dén nhu la dinh danh thy thé, dé la xée
thyc cue bo va xae thy tirxa
24.11.1.Xéc thee cuc bé
‘Xée thye ban dau cua mot thye thé téi mdi trudng cuc b6 hau nhu lién
quan trye tiép t6i nguéi ding. Vi du nhu mat khdu hode sé dinh danh cé nhan
(PIN) phai duge nhap vio, sir dung déu van tay dé nhan dang.
24 11.2Xée thee tiexa
Xa thue cia mot thye thé t6i méi truimg G xa: Nghia la c6 thé hode
khéng can lién quan tryc tiép t6i ngudi ding. Trén thy té, hau hét cée he
théng xée thye tir xa phire tap khéng hodn ton lién quan t6i ngudi ding vi
khé dé bao vé hé théng xéc thye mA dura ra cdc thong tin xéc thye nhay cam,
i du nhu mat khdu hodc dau van tay, va trayén trén mot kénh khong an toan
2.4.1.2. Dinh danh nguén géc dit ligu
inh danh ngudn géc dit ligu sé dinh danh mét thye thé xac dinh nao 45
nhw nguén géc ctia dit ligu duoc dua ra, Hoat dng dinh danh nay khéng phai
la dinh danh cé lap, cing khéng phai hoan toan la dinh danh cho muc dich
thu hign cdc hoat déng khie
2.4.2, Bi mat
Dich vu bi mat dim bao tinh rigng tur ciia dir Higu. Khdng ai e6 thé doe
duge dit ligu ngoai trir thye thé nhan. Dich vy bi mat duge yéu cau khi di ligu
ki
‘Duoc hu trit trén phuong tién (nhur phan cimg may tinh) ma ngudi ding
khéng hgp phap c6 thé doc duge
‘Duge dy phdng trén thiét bi (vi dy bang tir) ma c6 thé bi roi vao tay ngudi
ding khéng hop phap
Dupe truyén trén mang khéng duge bao ve
Cae ky thuat mat ma dim bao tinh bi mat cn phai duge ap dung véi mei
loai dit ligu nhay cam
2.4.3.Toan ven dit ligu
‘Toan ven dir ligu dam bao ring dit ligu khéng bj thay déi. Sy dam bao nay
la mét phan thiét yéu trong bat ky mdi truéng thuong mai dign ttt hoc logi
hinh kinh doanh nao
Mite dé toan ven dit ligu c6 thé dat durge bing cic co ché chin lé iia cde
bit va ma kiém tra dich vong (Cyclic Redundancy Codes -CRCs)
‘Dé bao vé dit ligu khdi tin cOng nhim phd vo tinh toan ven dit ligu, cic ky
thugt mat ma duge sit dung. Do d6, khod va cae thugt ton phai duge trién
khai va phai durge biét giita cdc thyc thé muén cung cap tinh toan ven dit ligu
vi thyc thé muén duge dam bao tinh toan ven ca dit ligu
Dich vu toan ven ca PKI c6 thé duge xay dug dua trén hai ky thuat
2.4.3.1.Chit hy sd
Mac dit né duge diing cho myc dich cung cp sir xée thye, nhung né cing
duge str dung dé cung cdp tinh toan ven cho dit ligu durge ky-Néu cé sy thay
déi bat ky true va sau khi ky thi char ky s6 s® bi loai bd khi kiém tra , vi vay
viée mit tinh toan ven cla dit ligu s& dé dang bi phat hién
(2.4.3.2. Ma xde thie théng bdo
Ky thuat nay théng thudng sir dung mot ma khéi déi xing (vi dy DES,
DES-CBC-MAC) hoac mét ham bam mat ma (HMAC-SHA-1)
2.4.4.Chéng choi bd
Dich vu chéng chéi bo 1a dich vu dam bao ring thyc thé khéng thé chi bd
Ong cla minh. Céc bién thé thudng duge nhic téi nhiéu nhat 1a chong,
hanh
chéi bo ngudn gée (ngudi ding khéng thé chéi bo ring da giri mot tai Tigu
30
hoc mét van bin) hodc chéi bo sy tiép nhdn (nguoi ding khéng thé chéi bo
ring di nhan duge van ban hode tai ligu).
Ot vai cde bién thé khde cia tinh chong chdi bo ld : Choi bo da tao ra,
chéi bé 4a chuyén, chéi b6 vige tin thanh
2.5. Cée khia canh an toin co ban ma PKI cung cip
‘Theo nhu dinh nghia trén, PKI cung cap mt co so ha tang an ninh rong
khap. Co so ha ting danh cho céc myc dich an ninh phai chip nhén mét
nguyén tic nhat quan va phai cung cép cde Igi ich co ban nhw nhau. Co so ha
tang an ninh rng khip dam bao an toan cho toain b@ t6 chire va tat cd cde dbi
tuong, img dung trong t6 chite. Cc khia canh an toan ma PKI cung céip bao
gdm
2.
1, Ding nh§p an toan
ién trinh dang nhap lién quan ti ngudi ding nhép dinh danh cia minh,
(ID ctia user hode username), xac thc théng tin (password hodc gia tri bi mat
nao d6).
Local sro09 =
component || Auhentcaton —_TRemate component of
secu secu etasctre
irasttine
Loca
Environment
Hinh 7: Tién trinh dang nhép an toan
2.5.2. Dang nhap mét lan an toan
Dang nh{p an toan mot Lin 1a sy mo rng cita dang nhp an toan. Sy dang
nhap nay c6 thé ket néi ti rat nhiéu cac thiét bj 6 xa, do dé sé loai bo duge
31
yéu té cén phai dang nhp nhiéu lan . So dé hinh.. minh hga co ché ding nhap
mot lin an todn
Fononnicson’ | [enon iam
[=]
Toa sero
mo ao
4)! | an secy nae
1)
{I
Wu
Local
|
Hinh 8: Tién trinh dng nhdp an toan moe lan
Dang nhgp an toan mot Lan cling di dé truy c4p tei cde thiét bi, mién, may.
chu, cde hé théng va cde img dung. Tuy nhién, ching ta can cha ¥ ring, sy
kign dang nhap an toan van c6 thé dugc két hop véi cdc co ché kiém soat truy
cap khac. Do dé, ding trén quan diém vé tinh tign dung thi su kign dang nhap
an todn mét Kin 1a digu rat duge mong muén boi vi ngudi ding thuéng chi
phai nhé mt vai mat khdu va chi edn phai biét thi tue mt lan dé truy cp t6i
nhiéu hé théng. Ding trén quan diém vé an ninh thi day ciing 1a diéu cing rat
duge mong muén béi vi céc mat khdu duge trayén qua mang véi tin sudt it
hon
Lgi ich an toan quan trong trong dé 1a mét co sé ha tang duge thiét k
c6 thé dam bao rang ngudi ding chi cin dang nhap téi may cuc b6 ma ho
dang kim vige. Do d6, mat khau s® khong phai chuyén qua ving mang d@ bi
khai thac, giam duge nhitng rai ro lén nhu cae ri ro bi danh cip mat khau
2.5.3. Trong suét véi nguai ding cudi
‘MOt dic tinh rit quan trong cla co sé ha ting rong khip dé 1a tinh trong
suét voi ngudi ding cudi. Nghia lA ngudi diing khéng can biét vé phan header
cia géi tin IP hoge cae g6i Ethemet. Céic dich vu cia co so ha ting sé duge
chuyén t6i ngudi ding trong car sé ha ting théng qua mét “hop den” hoan
32
toan. Ngudi ding khéng cdn phai biét tit cd vé van dé an ninh va khdng cin
phai can thigp thi cOng. Ngudi ding cing khong cdn phai biét vé ede thudt
toan va khod
Ngudi ding citing khong can phai biét vé co ché co so ha ting dam bao an
ninh ra sao, Swan toan kh6ng nén gay khé khin cho ngudi ding dé can tre ho
thyc téc vy cia minh. An toan khéng can yéu cau ngudi ding phai co
hiéu biét dac biét, khong yéu cau ngwoi ding phai c6 nhiing thu tue dic biét .
2.5.4. An ninh toan dign
Loi ich quan trong nhat cua ha tang an ninh rng khap la : N6 dam bao
ring mt cOng nghé an toan tin ey, nhur cong nghé Khod cong khai i
sing trong méi trang. $6 lugng cdc img dung, thiét bj va eée may chi e6 thé
hoat dng lién tue cing nhau dé dim bao an toin trong khi truyén, laru trit va
truy xudt di ligu, cae qua trinh giao dich, va truy cap may chi. Cée ting dung
thu dign ti, trinh duygt Web, tug lita va ede thiét bi truy cp tir xa, edie may
chu img dung, cae may chi file, co sé dit ligu...tét cd déu phai hiéu duge va
tn dung duge ha ting an ninh theo mt cach théng shat. Nhimg méi trudng
nhu vay sé giam luge duge rat lin ca cde van dé giao tiép cua ngudi ding voi
rat nhiéu cac thiét bi va cdc tmg dung va cdc céng viée quan tri phite tap céc
thiét bi va cdc img dung nay
‘M6t trong nhitng co ché chu yéu dé dat durge an ninh toan dign trong co so
ha ting 1a kha nang dim bao khod duge str dung, durge hiéu va duge xir
theo m@t céch chat ché théng qua mdt pham vi rng lén cia cde thye thé va
thiet bj trong té chitc.
CHUONG I: CAC THANH PHAN, CO CHE LAM VIEC
CUA PKI. CAC MO HiNH VA CAC KIEU KIEN TRUC CUA
PKI
3.1. M6 hinh PKI va cac thinh phan cia PKI
3
CA (Roop
Building A PKI
Sims
Subordinate Cons
Repostry for
pay CA Ghordinat Cars, CLs
" fs m Directory
Define Patios Pubtsh Ser
onfigure with
Ritter Revoke > ES) —Via toa —
Copy of Cer»
heen
sot
Mtoe
£ 2
cn nt hn ona
(eg VPN Client, Browser) (eg Web Server, VPN Gateway)
Signs, Encrypts Veifies, Decrypts
Hinh 9: Mé hinh céc thanh phan PKI
BLL CA,
Trong PKI, CA Li m@t thy thé PKI ¢6 trich nhigm cép chimg chi cho cae
thyc thé khac trong hé thong
Té chite chimg thye ~ CA duge goi li bén thit ba tin cdy béi vi nguii
dang cuéi tin tong vao chit ky sé cia CA trén chimg chi trong khi thye hién
nhing hoat dng ma hod khod céng khai ean thiét,
CA thye hign xée thye bang céch cap ching chi cho cde CA khdc va cho
thy thé cudi trong hé théng. Néu CA nim o dinh cia mé hinh phan cap PKI
‘va chi cp chimg chi cho nhimg CA 6 mite thap hon thi CA nay duge goi la
root CA.
3.L2RA
3.1.2.1.Chite nang, nhiém vu ctia RA
Chite nang quan tri cé thé duge phan phdi cho RA. RA déng vai tro tung
gian lam nhiém vy tuong tic gitta CA va client.
34
RA c6 thé chiu trich nhigm cho viée gan tén, tao cp Khoa, xée thye thc
thé cudi trong sudt qua trinh ding ky
RA lam nhigm vu nhan cae yéu cau cua thye thé, xac minh ching sau d6
ti yeu clu cho CA.V RA efing nhan cae ching chi tir CA, sau d6 gti chimg
chi cho thye thé
‘Thiét lap va xée nhan danh tinh cua thye thé trong giai doan khdi tao
Phan phéi céc bi mat ding chung t6i nguoi sir dung cudi dé xéc the tuan
tur trong suét giai doan khdi tao try tuyén
Khoi to qué trinh chimg thye v6i CA dai dign cho ngudi ding cudi
Thue hign chite nang quan ly vong déi ciia khod/chimg chi, chit ¥ ring RA
khéng bao gié duge phép cap chimg chi hoc thu héi chimg chi. Chire ning
nay chi c6 6 CA
3.1.2.2. Thanh phan cia RA
RA bao gdm 3 thanh pha
sau
3.1.2.2..RA Console
RA console 14 mot ma
chu (server) duge cai dat cho RA officer dé dua
‘ac yéu cau ching chi. Né cé thé két ndi veri CA. Server nay xir ly cdc yéu
cau ching chi s6 trong qua trinh chimg thyc
3.1.2.2.2.RA Officer
RA Officer lé mt ed nhan thyc hign cdc tée vu nhur ding ky chimg chi sé,
lam méi hoge thu hdi chting chi. Sau khi RA Officer xe minh va cl
yéu cau, né sé chuyén trye tiép cde yéu cu nay Ién CA server. Sau khi CA
server xtr ly yéu clu va cp chimg chi, RA Officer s@ phan phéi ching chi
thuan
3.1.2.2.3.RA Manager
RA Manager la mt cd nan lim nhigm vy quan ly RA Officer va dim bio
ring toan bd tha tuc img dung chimg thye duge the hign ma khOng c6 sv lira
dao cua con nguéi. RA Manager sé cin phai chap thuan tat ca cde yéu cau
duoc xir ly boi RA Officer trude khi dura cc tng dung chirg thu téi cho CA
3.1.3. Certificate-Enabled Client: Bén durge cap phat chimg chi
Bén durge cip phat chiing chi (hay cdn goi la PKI client) thuéng yéu chu
CA hoic RA cip phat ching chi, Dé e6 duge chiing chi tir CA, PKI client
thyc hign céc burée sau
Giri yéu cdu tao cp khod cng khai/khéa riéng. CA hode client ¢6 thé
thyc hign nhiém vu nay. Cap khéa chira chi tid
Sau khi cap khod duge tgo ra, client giti yéu ciu cho CA yéu cau chimg
tia client
chi.
Sau khi client nhén duge chimg chi tir CA, n6 c6 thé sir dung chimg chi dé
chimg minh danh tinh cia chink né va duge xem nhu mét ngudi sé hi
chimg chi da duge xae the
cae két ndi gi
client va CA déu duge gitt an toan, Hon nita, client
chju trach nhigm dam bao an toan cho khoa riéng
‘Vi du VPN Client, trinh duyét
Lam nhigm vy ky va ma hod
3.1.4. Data Recipient : Bén nhan dit ligu
Vi dy Web Server, VPN Gateway
Lam nhigm vu xd minh va gi
ma
3.1.5. Kho luu trivthu hoi ching chi
é lim thudn tign qué trinh phan phdi, chitng chi c6 thé duge cong bé
trong kho chitng chi
Kho chitng chi phin phdi ching chi tdi ngudi diing va ede té chite . Kho
chiing chi ¢6 chita chimg chi, danh sich huy bé chimg chi, danh sich huy bo
tham quyén va mot sé thir khée c6 lién quan t6i d6i tong , vi du nhwr chinh
+h ca cdc di tuong,
Chimg chi c6 thé duge phan phéi béi chinh ngudi ding hoge duge phan
phéi bang mét may chi thu muc ma sir dung LDAP dé truy van théng tin
ngudi ding. Hg théng phan phdi chimg chi duge sir dung dé thye hign cde
nhigm vy sau
Tao va cdp phat cp khod
Ching thye tinh hgp Ig cita khod céng khai bing eich ky vao khoa céng
khai
36
Thu hoi cate khod da hét han
Cong b6 khod cong khai trong may chi dich vy thur mye
3.1.6.Chudi chimg chi hoat d6ng nhu thé nao
Khi ta nhan duge chiig chi tir m6t thy thé khée, ta sé
n phai sit dung
chudi chimg chi dé thu durge chimg chi ciia root CA. Chudi chimg chi, hay
con duge goi la duimg din ching chi, f& mOt danh sich cée chimg chi duge
sit dung dé xc thu thu thé. Chudi ching chi sé bat dau vai chimg chi cia
thye thé d6, va méi chimg chi trong chudi sé duge ky boi thye thé di durge
xde dinh boi chimg chi ké tiép trong chudi. Chimng chi két thic 1a chimg chi
ca rootCA. Chimg chi ca root CA ludn ludn duge ky bai chinh nd. Chit ky
cia tat ea cée chimg chi trong chudi phai durge xée minh cho ti chimg el
cia root CA. So dé sau minh hoa dudng dan chimg chi tir ngudi sé hitw
chimg chi téi rootCA, noi chudi tin cay bat dau
(Oumers DN
Owner's public key
Tssuers (CA) ON on enti
issuers (CA) DN
Issuer's (Root CA) DN
Root CA's DN
Verily signature
Root CA's signature
Hinh 10: Chudi ching ehi
3.2. Cach thire lam viée cia PKI
‘Cac hoat dong cla PKI bao gom
37
= Khéi tao thu thé cudi
- Tao ep khoa
- Ap dung chit ky s6 dé xe dinh danh tinh nguoi giti
~ Mi hod thong béo
= Truyén khoa déi ximg
~ Kiém tra dinh danh nguoi giti thong qua mot CA
- Giai ma thong béo va kiém tra ni dung cia n6
3.2.1, Khdi tao thye thé cudi
‘Trude hi cée thye thé cudi 6 thé tham gia va cde dich vu duge hé tro béi
PKI, cde thye thé nay can phai durge khdi tgo trong PKL.
Dang ky thy thé cudi 14 mOt qua trinh ma trong dé danh tinh cia ed nhan
duge xéc minh, Qua trinh ding ky thye thé cudi duge thyc hign true tuyén.
Qua trinh dang ky truc tuyén can phai duge xac thuc va duge bao ve
3.2.2. Tao cp khod cong khai/khod riéng
Negudi ding mudn ma hod va giri thong bao dau tién phai tao ra mot cap
khod cong khai/khod riéng, Cap khod nay la duy nbat déi véi mdi ngudi ding
trong PKI
‘Trong mé hinh PKI toan dign, o6 thé to khod trong hé théng may tram
ciia ngudi ding cudi hode trong hé théng ciia CA. Vi tri tao cap khod duge
xem Ta quan trong. Cae nhan t6 ©6 tae dng t6i vi tri tg0 cap khod bao gdm
kha nang, higu suat, tinh dim bao, sir phan nhdnh hgp php va eéch sir dung
khod theo chi dinh
Cho di la vi tri tao khoa 6 dau thi trich nhigm déi véi viée tao ching chi
chi dya vio CA duge cdp quyén. Néu khod cng khai duge tao bai thye thé,
thi khoa cng khai d6 phai durge chuyén toi CA mét cach an toan
‘Mot khi khod va ching chi cé lién quan duge tao ra, ching phai duoc
phan phéi mét cdch thich hop. Vigc phan phéi chimg chi va khoa yéu
trén mét vai nhdn t6, bao gom ca vj tri tao khoa, myc dich sir dung va céc moi
quan tam khac nhu la nhiing ring bude vé chite nding, chinh sich. Ching chi
duge tao ra c6 thé duge phan phéi tryc tiép téi ngudi sé hitu, hode téi kho
chiing chi 6 xa hoe ca hai. igu nay sé phy thude vao mue dich sir dung khoa
‘va cdc méi quan tim vé chite nang. Néu khoa duge tao 6 hé théng may khach,
38
thi khod riéng da duge hru trit boi ngudsi sé hitu khod riéng, va khong cin 6
yéu cau phan phéi khoa (khéng 4p dung véi dy phong khod). Tuy nhién, néu
Khoa duge tgo ra 6 mot noi khée, thi khod riéng phai duge phin phdi mgt eich
an todn (61 ngudi sé hitu khod 46. C6 rit nhigu co ché e6 thé duge sir dung dé
thye hign diéu nay. Cing can phai chi ¥ ring, néu khoa duge tao ra duge
ding cho muc dich chéng chéi bé thi khoa dé can duge tao tai vi tri may
Khach cia thy thé
3.2.3. Ap dung chit ky sé dé dinh danh ngudi giti.
Mot chit ky sé duye dinh kém véi thong béo dé xde dinh danh tinh,
ngudi giti thong bio dé. Dé tao ra mét chit ky sé va dinh kém no dén thong
béo cn thye hign nhur sau:
1. Bién déi thong bao ban dau thanh mét chudi c6 46 dai cé dinh bing
cach ap dung him bam trén thong bio. Qué trinh nay c6 thé goi la bam thong
bao, chudi 06 dé dai cé dinh duge xem goi Ia ban tom lige thong bao.
2. Ma héa ban tm luge théng bao bing khéa riéng cua ngwoi giri. Két
qua cia tém Inge théng bao di ma héa 1d chit ky sé
3. Dinh kém chit ky sé voi thong bao ban dau
3.2.4. Ma héa thong bao
Sau khi ap dung chit ky s6 Ién théng bio ban dau, dé bao vg nd ta st
ma héa. Dé ma héa thong bio va chir ky s6, si dung mat ma khéa déi xing.
Khéa déi xing nay duge thoa thuin tude gitta ngudi gui va nguoi nhan
théng béo va chi duge sir dung m6t lan cho vid
3.2.5. Truyén khéa déi ximng.
Sau khi ma héa thong bao va chit ky sé, khéa déi ximg ma duge sir
dung dé ma héa cin truyen dén ngudi nhan. Ban thin khéa déi xting cing
duoc ma héa vi ly do an toan, néu bi 16 thi bit ky ngudi nao ciing c6 thé gidi
ma théng bao. Do d6, khod déi ximg sé durge ma hod bang khod céng khai cia
ngudi nhan. Chi cé ngué 6 thé gidi ma duge khéa déi ximg bing
vige sir dung khéa riéng twong ting. Sau khi da duge ma héa, khéa phién va
thong bao sé duge chuyén dén nguddi nhn thong bio.
than mi
39
3.2.6. Kiém tra danh tinh ngwai giri thong qua mét CA.
CA déng vai trd 18 mot bén thir 3 tin e4y dé xe minh danh tinh cua ede
thyc thé dang tham gia trong qué trinh giao dich, Khi ngudi nhgn nhiin mot
iém tra chit ky s6 dinh kem theo
ban ma, ngudi mhdn c6 thé yeu cau CA
théng bio dé. Dua trén yéu cdu 46, CA kiém tra chit ky
théng bao.
cia ngudi git
3.2.7. Giaii ma théng bao va kiém tra noi dung théng bio.
Sau khi nhgn théng béo da dirge ma hod, nguoi nhan can giai ma, Ban ma
chi c6 thé duge giai ma bing khéa déi ximg da duge ma hoa. Vi vay, truéc
khi giai ma théng bdo, khéa doi ximg phai duge gidi ma bang kha riéng cla
nguoi nhan. Sau khi da gidi ma khoa déi xing, khod d6i xing sé durge ding
dé gidi ma thong bao.Chit ky sé dinh kém véi thong bao duge giai ma bing
khéa cOng khai cia ngudi giri va ban tém hrge théng bao duge béc tach ra tir
né. Ngudi nhan sau dé sé tao ra mot ban tom luge thong bao thir hai. Ca hai
théng bao bam sau dé duge so sanh dé kiém tra xem cd bat ky sy gid mao cia
thong béo xay ra trong qua trinh truyén tin khéng. Néu hai théng béo bam
tring khit nhau chtmg to théng bao khéng bj gia mao trong khi truyén,
ic tiéu chi co ban ciia m6t giao dich dign tit:
Chéng chéi bo: Tat ca céc thye thé lién quan trong giao dich khéng thé
tir chéi minh la m6t phan ciia giao dich dé,
Truyén tin an toan: Day la mot co ehé dung din dé dam bao an toan
thong bdo trong truyén tin, Bat ky sy gia mao hodc thay d6i duge lam trén
thong bao phai duge phat hign dé ding.
Tinh riéng tr: Bat ky sw truy nhap bat hop php dén théng bao déu bj
tir chéi.
‘Su xac thc: Dé dinh danh cac thu thé dang la mét phan lién lac trong
qua trinh giao dich thi can phai biét dén ca hai thye thé
Tinh ring bude: Giao dich nén duge kiém tra va duge ky béi cde bén
ign quan,
PKI dam bao ring tat ca cdc giao dich c6 thé dap tmg céc yéu cau hop
phap bing cdch cung cap co so ha ting va méi truéng can thiét
40
3.3. Cac tién trinh trong PKI
Cée ting dung e6 thé dat duge eée chite ning an toan khi sir dung PKI.
Cée chite ning an toan a6 Ia tinh bi mat, tinh toan ven, tinh xde thyre vA tinh
chéng chéi bo
Mi m6t tién trinh trong PKI sé thuc hign cac yéu cdu an toan da duoc 48
cap 6 trén.
3.3.1, Yéu cau chimg chi
Dé c6 duge chimg chi s6 tir CA, ngud
C6 rit nhiéu chudn dé giri yéu cau chimg chi va chudn phd bién nhat dé 1a
ding can giti yéu ciu chimg chi.
PKCS#10. Yéu cdu chimg chi chia cde trudmg sau
‘Tén phan biét ciia CA,
Khoa céng khai ciia nguei ding
Ten thugt toan
Chit ky sé cia ngudi ding
Nguoi ding giti yéu cu chitng chi PKCS t6i cho CA thong qua mot kénh,
an toan, Néu kénh nay khéng duge dim bao an toan, thi ngudi ding tai khoa
Ong khai cua CA va ma hoa yéu cau nay bing khoa cong khai cua CA.
3.3.1.1. Giti yéu can
‘Yéu cau ching chi duge giri cho téi CA bang m6t thy dién tir, sir dung
PEM (Privacy). Yéu céu chimng chi phai durge gui trong djnh dang PEM boi vi
yéu cau ban dau duge tao ra bang ma nhj phan. Ma nhj phan nay khong thé
dug truyén bing email,
| CA c6 thé chée chin ring nguéi
Voi chit ky sé trong yéu cau chime
gti cé mét khoa rigng tuong img v6i khod céng khai. Do do, ngudi giti duge
chimg minh sé hire
Client cing cé thé dua ra yéu cau khod théng qua trinh duyét Web. Trong
tring hop nay, PKCS#10 duge sir dung cing véi SSL. Client the hign mét
két néi SSL voi may chi chitng chi va sau dé truyén yéu cau ching chi thong
qua mOt kénh an toan
3.3.1.2. Céke chinh sich
Chinh séch an toan dinh nghia m6t hudng dan cho 16 chite dé dim bao an
toan théng tin, cac trinh va cdc nguyén tic str dung m§t ma. Chinh sch
4
dink nghia t6 chite dé quin ly khod cong khai, khod riéng va cdc thong tin
khée nhu mic kiém soat duge yéu cdu dé quan ly cdc nhan t6 gay mt an toan
nhu thé nao
MOt vai hé théng PKI duge van hanh béi bén thir ba tin e4y duge goi ki
thm quyén chimg thye thuong mai (Commercial Certificate Authorites) va
do dé sé yéu cu mgt CPS (Certification Pratice Statement). CPS dinh nghia
cde chinh sich sé duge trién khai va hé tro nhu thé nao, ching chi sé duge
cp phat, duge chip nhgn va bi thu hdi nhur thé nao va khod cdng khai sé duge
tao, duge ding ky va duge chimg thye nh thé ndo. CPS eting dinh ngl
tri ctia nhiing khod nay
3.3.2. Huy bo chimg chi
MGi ching chi déu o6 mét giai doan hgp 1é. Giai doan hgp Ié cia chimg
chi duge tinh tir thoi gian chiig chi duge cp phat ti khi ching chi hét han.
Tuy nhién, e6 nhimg tring hgp, chiing chi bi mat tinh hp 1g truée Khoang
thdi gian hét han. Trong truéng hop nay, ching chi cing duge phép tiép tuc
sid
Tinh hudng nay nay sinh khi d9 an toan cia ching chi khong cdn (vi
dy nhur I khod). Khi chimg chi bj mat tinh hop Ié cia né trade thai han, thi
duoc goi li huy bé ching chi.
Chimg chi bj huy bo s® phai duge cng khai . Thong tin vé ching chi bj
huy bé s8 duge céng bé trén may chu chimg chi sao cho ngwai ding cé thé
durge ednh bao nhing chimg chi dé.
‘MOt cach théng thuong khac cing hay duge sir dung dé la sir dung danh
‘ich huy bé chimg chi.
3.4, Cée mé hinh PKI
3.4.1. M6 hinh phan cép CA chat ché (strict hierarchy of CAs)
Trong mé hinh nay, c6 1 CA déng vai tro 1a CA géc 6 trén cing, phia
du¢i la cae nhanh mé rng va cac 1a & cudi cing
(hay cdn goi 14 “ngudn tin cay”)
cho toain b6 mién cia cae thye thé PKI dudi nd. G dudi root CA cé thé khong
6 hode c6 mét vai lép intermediate CA (hay cn goi li subCA)
RootCA déng vai trd nh 1a gée tin
42
esses
Hinh 11: M6 hinh phén cdp CA chat ch
RootCA khéng don gidn la diém khoi dau cia mot mang, hay cde két ndi,
né cén Ia diém khoi dau cua sy tin cay. Tat ca cae thye thé trong mién déu
nm gitt khod cng khai cla CA
Trong mé hinh nay, tat ca cdc thyc thé trong ki
phan cp duge thiét lp nhu sau
RootCA duge xay dung, va tr cap chimg chi cho minh (hay ty ky cho
minh)
RootCA sé chiimg thye (tao va ky chitng chi) cho cae CA trye tigp dui nd
Méi mét CA nhw trén Iai chimg thye
chy rootCA. Sir
ho CA trye tiép dui né
Tai mite gin cudi cing, CA sé ching thc thyc thé cudi
Mai thu thé trong phan cap phai duoc cung cap ban sao khod céng khai
cba root CA. Qué trinh to khod céng khai nay 1a co sé cho qué trinh ching
thyc tit ca cée két ndi sau d6, do d6, qui trinh nay phai duge thye hién trén
mot céch an toan
Cha ¥ ring trong mé hinh phan cap chit ché da mite (multilevel strict
hierarchy), cac thye thé cudi duge chimg thuc (nghia la dugc cap ching chi)
bai CA truc tiép ngay trén né, nhung géc tin cay thi lai la rootCA.
3.4.2.M6 hinh phan cap CA khéng chat che (loose hierarchy of CAs)
Trong mé hinh phan cép CA khong chat ché cde bén duge chimng thye bai
cing mot CA dé giai quyét vin dé dudng din tin cay ma khéng lién quan téi
4B
bat ky CA mic cao hon, bao gm ca root CA. Nghia li néu hai thye thé (vi du
thyc thé A va thyc thé B) duge ching thye bai cing mét CA, thi thyc thé A
va thyc thé B cé thé kiém tra tinh hgp 1g cla nhau ma khOng can phai tao mot
duéng dan chimg thyc t6i root CA. Vé co ban, thye thé A va thye thé B cing
thuge vé phan cp chi thé tin cay iia ca hai. Tuy nhién, gid sir ring ¢6 mot
thyc thé C nao dé durge ching thyre boi mét CA khée (khéng phai CA chimg
thyc cho A va B) thi thyc thé A va B phai thye hign m6t dudng dan chimg
thyc hoan toan thong qua rootCA trudc khi tin ey ching chi cua C
3.4.3.M6 hinh kién tric tin cay phan tan (distributed trust architecture)
Kién tric tin cay phan tén s@ phan phéi sy tin cay gitta hai hay nhiéu CA.
Nehia la thye thé 1 06 thé gitt ban sao khod cng khai eda CA; nhur ngudn tin
cy ciia minh, thye thé 2 6 thé giit ban sao khod céng khai ciia CA2 nhir
nguén tin cay cia minh. Boi vi nhing khoa cng khai cia nhimg CA nay
dong vai trd nh ngudn tin cdy (CA1 1a géc(root) cia hé théng phan cap chira
thyc thé 1, CA2 18 géc cita hé théng phan cép c6 chita thye thé 2)
che, thi
Néu mdi kién tric phan cdp nay 1a kién trie phan cdp khong chit
cau hinh cua kién tric dé duge goi la kién trac duge chia diém (peered
architeture) boi vi tat ca cic CA déu la nhimg diém hoan toan déc lap (Khong
6 SubCA trong kién tric). Trai lai, néu kién tric dé la phan cap da mite, thi
kién trite 46 duge goi li kién tric hinh céy (treed architeture) (chi y ring céc
root CA Ia cae diém so v6i cde CA khde nhung mdi root lai déng vai trd nh
CA cp cao déi véi mgt hoge nhigu SubCA)
44
Poche
vine Ce
Excenten
Hinh 12: M6 hinh kién trite tin cdy phan tin
‘Thong thug thi kién tric duge chia diém thuong duge xy dung trong
mot min ciia mét t6 chite (vi dy trong mot céng ty), trai lai, kién tric hinh
cy va kién tric lai (hybrid architeture) duge hinh thanh tir ede mién cia cc
16 chite khdc nhau
Qua trinh ciia vige
cchimg thye chéo (cross-
3.4.4. Mé hinh 4 bén (four-comer model)
(CA domains interact,
méi root CA théng thudng duge goi li
tification)
a5 required to
valdatelautorice
tranesctons
Relying Panys|g@ "5 subscribers
cA. cA.
eiyng pay
Subserber uses
corttestes eaued
sutnoraaton to: byasca
ach taneacton
Relying Party ‘Subscriber
in elocvoni transactions
Hinh 13: M6 hinh bon bén
45
Trong mé hinh nay minh hoa bén géc cita m6 hinh tin cdy 1A ngudi thud
bao (subscriber), bén tin cay (relying party), thué bao tia CA (subscriber's
CA) va bén tin cy cia CA (relying party’s CA)
M6 hinh tin cay 4 bén nay throng duge trién khai trong cdc giao
thanh todn dign tir
‘Trong mé hinh nay , thué bao sir dung chimg chi durge cép bai CA cia nd
‘Thué bao va bén tin cay tuong tac va ring bude nhau trong ce giao dich
dign ti
Bén tin ey trong téc vi mién CA (CA domain) ctia né dé xe thye cho
mdi phién giao dich
Mien CA tong téc khi c6 yéu cdu xée minh tinh hop Ié/edp quyén phién
giao dich
3.4.5. Mé hinh Web (web model)
M6 hinh Web — diing nhw tén goi ciia né, phu thuge vao ede trinh duyét
‘Web phé bién nhu Netscape Navigator va Microsoft Internet Explorer. Trong
mé hinh nay, sé lugng khod cdng khai cia CA sé duge cai dat sin vao mot sé
cae trinh duyét. Cae khod nay sé dinh nghia tap hgp cée CA ma trinh ngudi
ding trinh duyét ban dau sé tin tuéng va xem nhur ec root cho vige xée minh
ching chi
‘ iN hh tahoe
Hinh 14: Mo hink Web
Mi nha cung e4p trinh duyét du e6 root ella riéng minh, va né sé ehimg
thy root CA ma duge nhiing trong trinh duyét
46
M6 hinh Web cé nhimg wu diém 13 rét dé thudn tign va don gin kha nang,
lign két. Tuy nhién, e6 mot vai sy vin dé an toin cin duge quan tam trong m6
hinh nay khi quyét dinh trién khai, Vi dy, boi vi ngudi ding trinh duyét ty
dong tin tung vio tap hgp cée khod a3 duge
toan sé c6 thé bj mat néu mOt trong sé cée rootCA dé “roi vao tinh trang nguy
higm”
in trong trinh duyét, nén an
M6t van dé an toan nita cing cn phai duge quan tim dé 1a trong m6 hinh
Web, khong ¢6 co ché thye thé nio c6 thé thu hdi bay ky khod ca root da
duge nhing trong trinh duyét. Néu ching ta phat hign ra mt trong nhting CA
“dang trong tinh trang nguy hiém” hoe khoa rigng tong ting véi bat ky khoa
cng khai cia root bj 16, thi hién nhién la khong thé tiép tue sir dung khod 6
trong hang trigu cc trinh duyét web trén thé giéi
3.4.6.M6 hinh tin c@y lay ngudi ding Lim trung tam (user-centric trust)
‘Trong mo hinh tin ey ly ngudi ding kim trung tim, mdi ngudi diing sé
phai chju tréch nhigm truc tiép va toan bé dé quyét dinh xem sé sir dung
chimg chi nao va tir chéi
chimg chi nao. Mai ngudi ding sé gitr mot vong
khoa va ving khod nay déng vai trd nhur CA ctia ho. Vong khos nay chia cée
Khoa cdng khai duge tin cdy cia nhing ngudi sir dung khic trong cdng dong
M6 hinh nay durge Zimmerman phat trién dé sit dung trong chuong trinh phat
n phan mém bao mat PGP
Quyét dinh nay c6 thé chju anh huéng cia mdt sé cdc nhan t6, mac di ban
dau tap hop cée khod duge tin cay théng thug bao gdm cae nhan té li ban
be, gia dinh, déng nehigp ...
47
Ace's
Monet
Catherine
Alce’s Sister)
Atos
Friend
Alice's
Co-worker
Hinh 15: M6 hinh tin cdy ldy nguoi ding lam trung tim
M6 hinh nay duge sir dung rong rai trong phan mém an ninh ndi tiéng 1a
Pretty Good Privacy (PGP) [Zimm95, Garf95]. Trong PGP, ngudi ding xay
dyng mang hr
in nhigm (web of trust) déng vai tro la CA (ky len khod cong
Khai cho cdc thyte thé khéc)
Do si tin nhigm cia ngudi ding trong cae hoat ding va cée quyét dinh,
y lay ngudi ding lim trung tam cé thé hoat dong duge
trong cOng ding ddi hoi ky thugt va sir quan tam cao dO, nhung n6 khong thye
nén mé hinh tin
16 doi voi cong dong chung (cong dong ma trong dé nhiéu nguisi ding chic
mt chat ho&c khéng co sw hiéu biét vé cdc khai nigém PKI hay khai nigm an
toan). Hon nita, mét mé hinh nhw vay théng thudng khéng phi hgp v6i cic
m6i trong cia céng ty, t6 chite tai chinh hoac chinh phit
3.5.Cac kiéu kién trie PKI
C6 mét vai kiéu kién tric ma PKI c6 thé trign khai dé cung cp “chudi tin
cy” tir mOt khod c6ng khai da biét nhdim xéc thye théng qua khod céng khai
cu thé ctia ngudi ding. Vi dy khi ngudi diing xée thye ho véi cée ting dung
ctia véi e-Government, thi phan mém img dung mat ma sé xéc minh chit ky
trong chimg chi cia ngudi ding bing cach sir dung khod cng khai cla CA
‘ma tgo ra chimg chi d6. Néu khod cia CA khong phai 14 khod ciia root, thi
chiing chi chita né cing s® phai duge xée minh tinh hgp 1 bing khod cong
Khai ma ky chimg chi d6. Va tiép tue dén khi nao chimg chi trong “chudi tin
48
é duge xc minh bing khéa cia root. Chudi xée minh tinh hop Ié cd.
nghia 1a sé xde thyc tit ca cdc chimg chi,bao gdm ca chimg chi cua ngudi
ding cudi
f | Stier's
' seers] “avert
+
eo car
(euro Pant)
Tey TOUS
Stared »
atematea pang
Prepootuned
Hinh 16: Chudi tin cay
3.5.1. Kién tric kiéu Web of Trust
49
SER B CERT
USER B
stone av
<
USER c CERT|
ae PUBLIC
0 /sioveo av
USER A USER B
[USER ACERT
ee
SIONED BY
USERE
Hinh 17: Kién trie kiéw Web of Trust
M6 hinh nay hoat d6ng rit higu qua déi voi té chite nho, c6 su ton tai méi
chite 1én hoe noi ma
du true khi ching chi
véi cic bén tin cay
quan hé truéc dé, nhung né khéng higu qua ddi vai t
in phai c6 sy dim bao (vi dy phai xéc thye durge yéu
chimg chi
dugc cap phat). Sy giao tiép cita trang th:
(vi du nhu chimg chi bj thu hoi) cling 1 rat kho voi mé hinh nay
3.5.2.Kién tric kiéu CA don (Single CA)
Dang kién trie don gin nhat la single CA. Kién tric nay ep chitng chi va
cung cp théng tin trang thai chimg chi cho méi ngudi ding. Khod céng khai
cia CA la diém tin cay co ban , hay con goi la ngudn tin cay, durge ding dé
dan gid kha nang chap nh§n chimg chi, Nguoi dling 66 mé
vai CA, vi vay ho biét nhing img dung nao ma chimg chi cin duge sir dung.
‘Trong m@t vai t6 chire chi yéu cau cae dich vu PKI co ban, Dién hinh, dé 1a
cae t6 chite v6i hon 3000 tai khoan cua user trong dich vy thu mye. Thay vi
trign khai CA nhigu mite, thi thong thudmg ngudsi ta sé trign khai mot CA,
duoc cdi dat va déng vai tro 1a enterprise root CA.Enterprise root CA khéng
méi quan hé tryc tigp
50
thé duge di chuyén trong mang, thay vao d6, s® cé mét may tinh 1a thanh vién
cia mién va luén luén sin sang cdp phat chimg chi déi véi cde yéu cdu cap
phat eta may tinh, ngurdi ding, eée dich vu va ede thiét bi mang
Kiéu kién tric single CA dé quan If béi vi né vige quan tri chi 1ién quan
t6i mOt CA root. Tuy nhién, néu CA bj Idi, thi dich vu chimg chi sé khéng sin
sing dé xir ly cde yéu cau chimg chi, cde yéu cdu lim méi chitng chi hay danh
sich thu héi ching chi cho t6i khi CA khoi phuc Iai duge dich vu
Kién tric phan cp single CA thong thudng chi duge sir dung Khi
quan tr 14 don gian, gia thanh thip
prac
’ eal
CERTIFICATION *
auTHORTY
‘ - 4 ‘
/ [USER A CER" JUSER BCERT| +
f eee ox 1
i a ca ;
i.
te PRIVATE aT —
— 2A PUBLIC
CA PUBLIC root iey
(ROOT KEY) USER A USER B
Hinh 18: Kién trie CA don
Dang mo rong cla kiéu kién tric CA nay la két ndi céie CA dé hd tro cate
cGng déng ngudi ding khie nhau. Cac t6 chite 66 thé
thanh cde PKI 1én sit dung méi quan hé diém -diém
31
3.5.3. Kién tric CA phan cap
Kién tric mé hinh CA phan cap bao gdm c6 mét root CA 6 trén dinh, phia
dui 14 mgt hay hai lp CA (khod cng khai cha cée CA nay duge ky boi root
CA) va sau dé Ia cée thud bao va cde RA & phia dudi. Méi khod durge tin
tuéng nhit cia ngwoi ding Li khoa cdng khai ciia root CA. Mé hinh nay cho
phép si thi hanh céc chinh sich va ce chuan thong qua hg ting, tao ra mite
dam bao ting thé cao hon ld cdc kién tric da CA khac.
{uu ERIN
; r
ee
Hinh 19: Kién trie CA phan edp
Trong mé hinh nay, root CA sé cap chimg chi cho cic sub CA nhung
khéng cap chimg chi cho nguéi ding. Cac subCA nay lai cdp chimg chi cho
ce subCA khic hode cho nguéi ding
3.5.4. Kién tric kiéu chimg thye chéo (Cross-certificate)
‘Trong mé hinh nay, mdi CA tao ra cde ching chi cho cde CA ma da xée
minh [a da “di manh” dé so hitu chimg chi. Trong mé hinh phan cp, méi
32
ngudi chi cé mt khod céng khai ciia root, nhumg trong mé hinh nay, khod dé
Iai 1a khod eta CA cuc bé cla ching chit khong phai la khod cia rootCA.
oa cert || cxzcenr
a
ERTIICATION
ATO ‘UAT
\
ISA
canal ane
so \ jad
Hinh 20: Kién tric kiéu chiing thee chéo
MO6t van dé ciia mé hinh nay 1a khé khan voi img dung ngwdi ding dé xac
dinh chudi chimg chi gitta nguéi ding sé hitu CA khong cé dudng lién két
ching thye chéo
M6 hinh nay phai
mat voi “ai ld root CA” (khdng ai/ hode la tit
ca cde CA), cho phép cée CA tro thanh cau trie diém thay vi phan cap, nhung
cing giéng nhu mé hinh Web of Trust, chtmg thye chéo sé tgo ra mite bio
dam déng nhit cho toan hé thing
3.
5. Kién tric Bridge CA(BCA)
Bridge CA duge thiét ké dé giai quyét cdc thiéu sét trong céc kién tric
PKI co ban va tao két ndi cde PKI khée nhau. Bridge CA khéng cp chimg
chi cho ngudi ding va ching khong phai ld ngudn tin cay. Thay vao d6,
Bridge CA sé thiét lap méi quan hé ti
33
déng nguéi ding khac nhau va lim giim nhe van dé cp phat chimg chi gitta
cdc t6 chite trong khi dé lai cho phép ngwdi ding giit duge nguén tin cay
kao i.
Hinh 21: Kién tric Bridge CA
Trong kiéu kién tric nay, Bridge CA sé cung cip mét cai cdu tin cay
(thong qua cap chimg thre chéo) gitta céc co sir ha ting khod cing khai_ phan
cap va co sé ha tang khod céng khai ching thye chéo. Dé phite tap cla mo
hinh nay kh cao va ¢6 thé phai digu chinh cde module PKI cha ngwdi ding
cudi.
mot méi quan hé tin cay Bridge CA duge thé hign bing mét cap
ching chi, mOt duge cp phat boi BCA
CHUONG Iv: XAY DUNG MO HINH PKI DUA TREN MA
NGUON MG OPENCA
4.1.Lich sir phat trién OpenCA
Co so ha ting khoa céng khai (PKI) 1a m6t trong nhimg nhu cau thiét yéu
cia tuong lai. Nhung van dé 1a hau hét cdc ing dyng cé thé durge dam bao an
toan bing chimg chi va khod nhung lai rit khé va dat dé cai dat PKI, ly dé la
phan mém trung tam tin cay c6 tinh linh hoat thi lai rit dt, Day 1a diém khoi
dau cia OpenCA, Muc dich la san pham ciia hé théng trung tam tin cay nguén
s4
mé dé hé try céng dong vai cdc gidi phap tot, ré(chi phi hyp ly) va mang tinh
xu huéng trong tong lai
Dy an OpenCA duge bat dau vao nim 1998, ¥ tuong OpenCA ban dau
dugc phat trién béi Massimiliano Pala, Ma nguén ban dau cia dy an duge
viet voi dogn script rat dai. Khi phién ban dau tién ciia phan mém duge xay
dyng, thi dyr an OpenSSL vin 6 tén la SSLeay . Rat nhigu chire ning van con
16i va nhié éu dang bi bd qua
Vige cai dat phin mém ban diu rit don gin va chi cé m@t vai dogn script
khoi tao CA. Dé cai dt nhanh chéng phan mém, ban chi can giai nén goi dd,
ding lgnh ed dé chuyén vio g6i via giai nén dé va sir dung Ienh “make
install”, doan script sau d6 sé chay va tién hanh cai dat phan mém CA don
ian va tao ra ching chi CA
M6t loat cée doan script duge cung cap sé giup cho viée cai dat va cdu
ih cho hau hét cde phan cua dy an. Mic di don gin nhu vay, nhung giai
uu vin dé véi cOng ding ngudsi ding bai vi cde vin dé
nay sinh tir vige nhu cau cin phai tao ra mot géi day di va tét hon. Phién ban
thir khie ntta
dau tién cia OpenCA rat don gian, nhiéu chite nang duge xay dung chi yéu
chi duge ding dé cép phat chimg chi, CRL va cde phuong thire edi dat thi kha
don so, khong cé tinh tign dung cho bit ky tign ich edu hinh nio , doan script
é tong thich véi bash
Cac phién ban tip theo duge bé sung thém nhiéu tinh nding hon cho dy én
chi c6 1
va do 6 phién bin 0.109 da bao gém giao dign cho server etia CA, RA va
Pub. Tu lic bat dau dy an va tir phat hanh phién ban dau tién, 43 cd mot
lugng Ién sy tham gia cla cong déng Internet déng gop vao sy phat trién cia
dy an
4.2.CA
Trong phan truéc, em da néu ra khdi nigm vé CA, trong phan nay, em xin
phép duge dé cap cw thé hon vé CA
4.2.1.Chite ning cla CA
4.2.1.1. Cap phat ching chi
CA xée thye nguéi ding bing céch cp phat chitng chi s6. Dé 6 thé e6
dug chimg chi sé cua CA, ngwi ding cn thye hign cac bude
35
Tao ra cp khoa rigng/khoa céng Khai cia minh,
Khi cp khod da duge tao, ngudi ding edn phai dang ky khoa céng khai
eta minh voi CA
Ngudi ding giri yéu clu cp chimg chi ti cho RA
RA s@ kiém tra danh tinh ngudi ding. Khi da kiém tra xong, RA sé
chuyén yéu cau 46 cho CA
CA ky chimg chi bing khoa rigng ctia minh va giri ching chi cho RA.
RA sé chuyén chimg chi ma da nhan duge tir CA cho nguoi ding da dang
ky
4.2.1.2. Huy bé ching chi
MGi chitng chi déu c6 mét giai dogn hop Ig. Tuy nhién, trong mot s6
tring hop ma chimg chi cé thé khong hop 1é tude giai doan hop 1é la
Cé sy 16 khoa riéng cua thye the
C6 sy thay déi thong tin thuge tinh cua thye thé, vi dy nhur tén thyc thé
hoge méi quan hé ciia thy thé véi t6 chite
C6 sy I khéa cia CA
Do dé, can phai e¢ sy huy bd chimng chi
Mat vai cdc phuwong thtre ma CA cé thé sir dung dé huy bo chimg chi gm
Cae co ché
Ca ché cng bé dinh kj: Co ché nay sit dung danh sich huy bo ching chi.
Danh sich huy bd chting chi 1 mot danh sich
Co ché truy van online: Co ché truy van online bao gém ¢6 giao thite
trang thai chimg chi va giao thite xae djnh tinh hop Ig cua ede phién giao dich
true tuyén: OCSP duge sit dung dé dua ra cic thong tin thu hoi chimng chi.
Giao thite xée dinh tinh hgp 18 cia cae phién giao dich tre tuyén duge sit
dung dé xdc minh tinh hgp 1é tryc tuyén
4.2,1.3.Tao ldp chinh stich ching chi
Chinh séch ching chi la mt tap hgp céc luat hay con goi la cdc quy tic
duge tao lip boi CA dé chi ra kha nding img dung cua chimg chi déi voi mot
nhém ngudi cu thé hoa tap eae img dung
‘Mue dich chinh cita cde chinh sich chimg chi la dé xée dinh chinh séch an
toan ma mot t6 chtte phai tudn theo
56
4.2.1.4. Hwéng dain thwc hién chting chi sd (Certification Practice Statement)
Huéng dan thye hanh chimg chi s6 sé chi ra ching thyc s® duge thyre hign
nhur thé nao, Tai ligu ndy sé migu td cée thi tye, hoat dng ma d3 duge dinh
nghia trong chinh sich chimg chi sé duge trién khai, thy hién nhur thé nao
CPS sé chi ra céc chinh séch va cdc thi tue ma mét cdng ty , 18 chite phai
tuan theo dé cép phat va quan ly ching chi
CA c6 thé duge xem nhur bén thir ba tin cdy nh VeriSign hoge Thawte
hodc 6 thé li mot thye thé bén trong ctia mot t6 chite
4
Nhigm vy cia CA
Chap nhan cée yéu céu cip ching chi tir ngudi ding, may tinh , ing dung
hode thiét bi
Xe thye dinh danh ngudi ding, may tinh, dich vu yéu cau chimg chi
Tao chitng chi cho ngudi yéu
Ky sé chitng chi sir dung khod riéng cia minh
iu
4.2.3. Cie loai CA
Cé hai loai CA co ban . Cac logi CA duge phan biét bing vi tri ma ching
Iu trit ching chi
4.2.3.1 Enterprise CA
Enterprise CA lu trit ban sao cia chimg chi CA trong Active Directory.
Loai CA nay tan dung cée mau chimg chi dé céng bé chimg chi vi danh sich
thu hdi chimg chi, Enterprise CA sé héi dap ty dong t6i bat ky yéu cau chimg
chi nado. Diéu nay vé co ban cho phép cde client truy cap va liy duge ching
chi va lu gitt chimg chi trong kho chimg chi cuc b6 ciia minh, Chinh vi dic
diém nay, nén EnterpriseCA khong duge sit dung 4é cp phat chimg chi cho
cae client bén ngoai t6 chite
Enterprise CA duge cau hinh nhu Domain Controller
4.2.3.2.Standalone CA
Standalone CA liu gitt cue b6 thong tin trén ching chi , trong mot folder
chia sé mi ta c6 thé truy cp théng qua Web. Standalone CA phu thude vao
ngudi quan tri cé chap thudn hay tir chéi yéu cdu chimg chi. Standalone CA
duge sit dung dé cap phat chimg chi cho nguvri ding bén ngoai t6 chite
37
4.2.4.Céc cap CA
4.2.4.1.Root CA(CA géc)
Root CA li CA mite cao nhat duge xem nhur tha
quyén déi vi tit ca
cde CA phy thuge duge dit & dudi nd. RootCA lam nhigm vy edp chitng chi
cho tat ca cdc CA phy thudc.
RootCA khie véi ce CA khée I né ty tao ching chi cho chinh minh,
Trong mé hinh phan cp, khi m6t client tin tuéng root CA, thi né cing phai
tin tudng ede CA phu thude duge dat 6 duréi root CA
4.2.4.2. Subordinate CA(CA phi thuéc):
Subordinate CA (SubCA- CA con): la CA duge chimg thye bai CA cha.
CA cha ching thye CA con bing cach cap phat va ky chimg chi cho CA con.
Cé hai loai CA phy thue trong kién tric phan cp 1a Intermediate CA va
Issuing CA
Intermediate CA:
Intermediate CA li CA phy thuée duge dat giita root CA va cic CA phu
thuge khac. Chite ning cia Intermediate CA [i cp phat chimg chi cho CA
mite la
Issuing CA (CA mute 1d):
Issuing CA li CA 6 mite thdp nhdt, Chire nang cila Issuing CA 1a cp phat
ching chi cho ede may tinh khéc, ngudi ding, cée thiét bj mang, server va cée
dich vy yéu cau CA
Issuing CA luén luén 6 ché 46 online
38
I
Hinh 22: So do minh hoa rootCA va SubCA
4.3. Thiét ké chung cia CA
Y tuong dau tién ciia dy an bao gém ba phan chinh: Giao dign web bing
Perl, ma ngudn mo OpenSSL trong hoat dong mat ma va co sé dit ligu. Khai
nigm don gian nay cho dén nay van duge coi li khdu higu . Gan nhw tat ca cdc
hoat dong c6 thé duge thye hign thong qua giao dign web. Ching ta c6 sau
giao dign duge cdu hinh truée va cé rat nhiéu giao dign c6 thé tao duge tir
ching, ty thuge vao nhu
Hign nay OpenCA hé trg cdc nhan t6 sau
Giao dign Public (Public interface )
Giao digén LDAP (LDAP interface )
iao dién RA (RA interface )
Giao dign CA (CA interface )
scEP
ocsP
Loe IP déi vai cae giao dién :(IP-filters for interfaces)
‘Dang nhap dua vao cum mat khau : (Passphrase based login)
59
Ding nhdp dya trén ching chi (bao gém thé théng minh): ( Certificate
based login (including smarteards))
Huy b6 chiing chi dra trén s6 dinh danh e4 nhan : (PIN based revocation)
Huy bo chimg chi dya én chit ky sé : (Digital signature based
revocation)
RL issuing
OpenCA duge thiét ké cho co sé ha tang phin tan. N6 khong chi xir ly
mot CA offline va mot RA online, ma sir dyng n6, ching ta ¢6 thé xay dung
mt phan cap ting thé véi ba hoge nhiéu mite. OpenCA khong chi la mot gidi
phap nhé cho cée phurang tign nghién etru nhé va trung binh, Myc dich cia n6
1a hé trg tinh linh hoat In nhat 6 thé cho cae t6 chite Kin nh eée trudmg dai
hoe, cde cong ty da quée gia
4.3.1-Phan eép co ban
Y tuong co ban cla méi PKI X.509 1a mot t6 chitc phan cap 16 rét. Didu
nay sé hinh thanh nén mét cay co so dit ligu néu ching ta cé ging tao ra kién
tnic PKI phan tin
Figure 1.1, Database oriented view
Sales Development Division
Public US Public Germany
oo
Trao déi dit ligu gitta cac co sé dit ligu 06 lap nhu vay c6 thé duge thie
hign ty dong néu ta sir dung hé théng co so di ligu phan tin , nhung trong
OpenCA thi hé théng co sé dit ligu phan tin chi cé duy nhat mot co so dit ligu
trong cay . Néu ta thye sy e6 mOt co sé dit Ligu c6 Lip (vi dy mt CA offline)
thi ta phai c6 cdng nghé dé trao déi dir Tigu va quan ly cae node trong phan
cp. Chite nang quan ly nay duge géi gon trong giao dién duge goi la node
hay quan ly node. Do dé, thiét ké Open CA nhur sau
So do hinh 2
Offline |
Cede me)
Sales Development Division
Cet) Cad
Public US Public Germany
node. Code
‘Thong thudng thi mdi server trong co sé ha ting cua trung tim tin cay déu
c6 co sé dif ligu cia rigng nd nhim muc dich an ninh. Sw phan cdp nay la
phan cét Ii cia trung tam tin cdy
4.3.2.Cée giao dign
Sau khi ta biét duge ha ting co ban ctia OpenCA, ta ciing c6 thé mudr
CA, RA, LDAP va giao dign cng khai hay con goi la céng web Ia gi
OpenCA hé trg tat ca cdc thnh phan phan mém théng quan giao dign web
So dé hinh 1.3: Téng quan ky thuat hoan chinh,
6
OpenCA hé try tit ea cée giao dign sau
Node (for node management)
CA
RA
LDAP
Pub
SCEP
4.3.2.1.Node
Giao dign nay quan ly co sé dit ligu va xtr ly tat ca cae chite nang xuat va
hp. Co sé dit ligu c6 thé durge bat dau theo phurong thire ma OpenCA tao ra
tit cd cdc bang nhung ban than OpenCA thi lai khong thé tao ra co sé dit ligu
cho chinh né boi khée bigt eiia mai hang sin xuét.Vi véy chiing ta cin mot co
6i cde quyén truy cép day du vi mot co sé di ligu moi. Giao dién
nay bao gdm mot vai cée chic nang cho vige dir phong va phye hdi nhung
chting ta phai c6 mot hé théng dur phng riéng biét cho khod riéng va chimg
chi cia CA. Bay khong phai 1a er ché mac dinh trong OpenCA dé dy phong
khoa riéng. Ching ti khéng thyc hign né béi vi thir nhat ching t6i thay ring
a
day khong phai 1a cdch an toan thong thuéng dé dur phng khod ring va thit
hai la hau hét CA sir dung HSMs va do dé ban cn mét chién luge dy phong:
diing dn va khae bigt
Vige xudt va nhap cling c6 thé duge xir ly bang giao dign nay, Ban cé thé
cu hinh cae quy tie khéc nhau khong déng b@ véi cde node trén cic mire cao
hon hoge thap hon trong phan cap.
4.3.2.2.CA
Giao dign CA cé tat ca cae chite ning ma ban can c6 dé tao ra cae chtmg.
chi va danh séch huy b6 chting chi
CA ciing bao gdm tit ca cae chite nang ta cé thé sir dung dé thay déi ciu
hinh thong qua mét giao dign web. Nhung lai khong thé thay déi cdu hinh
thong qua giao dign web khae
CA cing la Lop ngoai cia b9 xirIy 18. OpenCA bao gdm eae DG xt IY 16
rt manh dé tgo ching chi, Nhiing b@ xir ly 16 nay ¢6 thé duge sir dung
ra chimg chi s6 tw dng tir hé théng ERP(Enterprise Resource Planning- Hé
théng hoach dinh ngudn tai nguyén) ( vi dy mhu SAP, HIS, NIS)
a0
4.3.2.3.RA
RA cita OpenCA e6 kha nang xir ly tat cd cdc logi yéu edu (request). Bao
26m cé chon Igc, chinh siza yéu cu, chap thud yéu cau, tao Khoa riéng voi
thé thong minh, xoa cdc yéu cau sai va giri thy dién tir cho ngudi ding
4.3.2.4, LDAP
Giao dign LDAP duge xiy dung dé phan tach hoan toan phin quan ly
LDAP. Digu nay 1a ‘ nang ma thye sy 1a riéng
bigt cho ngudi quan tri LDAP, chi vai mot vai ngudi str dung méi can thi
t6i chite nang nay
4.3.2.5.Pub
10 dign Public bao gém tat ca nhimg chi tiét ma ngudi ding cin. Bao
eu ca
Tao rae!
ky chimng chi cho Microsoft Internet Explorer
Tao ra cdc yéu cdu ky chimng chi cho Molilla 1.1 vi Netscape Communitor
va Navigato
Tao ra cdc yéu cdu dc lap cho cdc client va khod rigng ( vi du cho ngudi
quan tri server nguéi ma khéng biét lam thé nao dé tao ra yéu cau va khoa
rigng)
Nhan PEM-
h dang theo PKCS #10 tir server
Ky chiing chi
Ky vao CRLs
H6 trg hai phuong thiic thu hdi ehimg chi khée nhau
‘Tim kiém chitng chi
Kiém tra ching chi ngudi ding trong trinh duyét ( Microsoft Internet
Explorer va Netscape Communicator vi Navigator 4.7x)
4.4, Vong doi cia cae dbi tugng
Vong di cia cdc déi trong
Déi khi co sw nham ln vé trang thai ctia cae déi twong OpenCA. So dé
sau day sé giap ban cé thé kiém tra vong di cia tat ca cdc déi tugng
Openca,
So dd 1.4. Vong di cua cde chimg chi
64
ké PKI
it nhiéu léi goi ¥ ma ching ta nén luu tam néu ban
4.8. Cie lua ¥ khi thi
Chuong nay dua ra
thiét ké hg théng PKI lan dau tie
4.5.1. Cae van dé phan cig
4.5.1.1.Thoi gian
M6t trong nhitng van dé lon nhat cua hé théng PKI dé la thoi gian. Cé hai
logi_ may tinh khae nhau dé 18 online va offline, Theo logic etia nguéi quan tri
thong thuong Khi may tinh két ndi vao mang thi may tinh sé sir dung may chi
iu hoi dat ra Li tim
thoi gian (time server). Mot
khdng khéng? Timeserver c6 thé lam nay sinh ra hai van dé sau, Ther nhdt 1a
tem thoi gian thye sy tir timeserver va thir hai la ngudn thdi gian ctia
erver c6 ding tin tuémg
65
timeserver o¢ thye sy dang tin khong? Két néi téi timeserver c6 thé duge dam
bao an toan theo céng nghé duéng ham (tunnel) giéng nh IPSec nhung vin
dé thye sy la ngudn théi gian. Hau hét cdc timeserver déu sir dyng dong ho
séng radio, nhan tin higu thdi gian duge tir tram truyén séng radio, Tin higu
tay rat dé bj gia mgo bai vi né rit yéu. Do dé ngudn thoi gian ctia mang 1
thy sy khong durge an toin
ni
4.5.1.2.Dia
Cae phin hong hée vé phan cimg phé bién nhit throng lién quan téi bd
phan lam kim lanh va ede Ii dia, Ban nén dy phong tat ea ede dit Higu quan
trong, dae biét 18 cée chimg chi da duge cap phat ALL. Khong bao gids duge
danh mat ching chi hoje la ban phai thu hdi CA hoan toan,
4.5.1.3. Theo doi phan cing
‘Thong thuong ban c6 thé quan sat true quan néu laptop cia ban bi ngung
hoat dong. MOt may tinh offline bi ngung hoat dong ciing c6 thé duge phat
hign bang sy quan sat trye quan nhw vay. Tuy nhién, thanh phan online cua
PKI bj ngung hoat dng thi Iai 1 mot van dé boi vi cdc thong tin quan trong
Kthéng sn sang, nhw IA cdc chimg chi duge cp phat méi va danh sich huy bé
chimg chi. Nhimng tinh hudng nhw vay eting c6 thé lam gidm cée dich vu cia
ban nhu SCEP. Néu giao dign céng khai cia co sé ha ting an toan bj suy
giam, thi vat in cay cia ban sé bj giam déi véi ngwoi ding cia ban trong
trong lai.
4.5.2.An toan vat ly
Néu CA offline cia ban bao gdm mét may tinh xdc tay
4 ban muén dim
bao su kiém soat kép va khéng c6 mét diém Idi nao thi ban can phai tudn theo
phwong phap sau : Sir dung mét “két “ module IT va hai két dir ligu. Mot két
module IT ¢6 m6t UPC ma 6 cing mie bio vé vat ly nhur mOt két sit (ngan )
Keét nay duge sir dung dé cho phép may tinh xée tay d6 khong ngimg hogt
dong, do d6 giam duge thai gian dé vé tinh sin sang. Tat ca ba két do.
s@ c6 hai khod . Diéu nay dam bao ring kiém soat truy cap kép bing chia sé
Khoa. Vige eai dat cling s@ thye syr don gin va higu qua
66
Té chire ca cac két la thye sy dé dang. Ta cé thé phan tach passphrase
CA thanh hai phan 1a trude va sau, Té chire cia dit Ligu va may tinh © thé
hur sau
Két module IT bao gm may tinh xdch tay (véi khod riéng cia CA) va
phan truée cita passphrase (cum mat khau)
Két dit ligu dau tign bao gém céc phan dy phing (bao gém cae phan dr
phong khod rigng) va phan sau eita cum mat khdu
Ngan dit ligu thir hai bao gdm ca phan truéc va phan sau cla cum mat
khdu
Sy té chire nay dam bao rang néu mot ngan dit ligu bj phd thi cing
khong kim hur hai t6i co sé ha tang. Sy phan cp nhu vay eiing dim bio ring
néu mat mét ngan dit ligu thi cing sé khong kim ngimg hoat dng cia ban.
‘Chang ta can hai ngan tén tai va mat mét ngan thi cing cé thé chip nhan
duge it nhat trong mét théi gian ngiin
Can liu ly ring day 1a ¥ tuéng co ban déi véi nhitng CA
trung binh. Nhiing CA ¢6 mite ni ro cao nén sit dung nhiing luge dé phite tap
6 mite ri ro
hon dé c6 thé chp nhan duoc nhiéu hon mét ngn bi pha hong.
4.5.3.Cae van dé vé mang
‘Mot PKI mang day du chite nang néu nhu tat ca cde dich vy ma né cung
déu hoan toin hoat dong. Nghia li khong chi nhimng tht nh OCSP va
SCEP ma ca cdc gateway céng cOng cing nhu vay. Rat nhiéu ngudi nghi ring
sé du néu nh OCSP va mét CDP duy tri hoat dong nhung thye ra dé Ti
khong du. Ly do dau tién la hdu hét cae ting dung khéng hiéu OCSP. Van dé
thir hai la CDP dang hoat d6ng chi hd tro LDAP, bat luan trén thye té co rat
nhiéu img dung chi hd try HTTP. PKI sé khdng hoat déng day dit néu chi cd
CDP dang hoat dong. Khdng ai c6 thé tai_chimg chi méi hoe chimg chi tia
ngudi ding dang tén tai trong trang thdi nhw vay. PKI sé chi duge an toin,
nhung né khong hoat dong diy dit
4.5.4.Vin dé vé chimg chi
Phan nay bao gém hai nhém van dé lon 1a CDP va cac van dé cu thé vé
img dung. Tuy nhién thi cac van dé cy thé vé ting dung sé duge thao ludn
trong phan khdc trong huéng dan vé CA
a
4.5.5.CDPs (Cac diém phan phéi danh sich huy bé chimg chi (CDP)
Mot vai PKI true day khong c6 CDP hoge chi ed mot CDP. Cac tng
dyng an toan phai x4c minh trang thai chimg et
duge sir dung, Nhing tng
dyng nh thé s€ kiém tra truong CDP trong phan mé rong ca ching chi dé
tim ra ngudn xéc minh c6 thé ding duge. Ngay nay, digm phan phdi danh
sich huy bo ching chi khéng duge coi la mOt ngubn cho CRL. Né 6 thé
duoc xem Ia mot responder OCSP (bén hdi dip OCSP). CDP
nhiéu diém trang thai ching chi
‘Cau héi dau tién 1 ede giao thire nao can duge hé tr. Giao thir phé bién
nhat la LDAP va HTTP phai luén dug hé tro. HTTP durge hé tro bei gan nhur
t bi, nhung mot vai thiét bi chi hé tr LDAP thay vi HPPT, dae
bigt trong mot phap mang. Thém vio dé cn e6 OCSP va HTTPS.
OCSP 1a giao thite 48 xéc minh trang thai cia mOt chimg chi . Giao thite nay
6 higu suat tot hon rat nhiéu so véi cdc két néi mang chim néu ban c6 mot
én nay 1a
tat ca cde thi
lurgng lon cde cai dit véi nhiéu chimg chi (bj huy bo ). HTTPS chi di khi hd
trg ban vGi mét ngudn tin cay.
‘Cau hoi thir hai la cn bao nhiéu CDP vat ly ma ban can, Néu ban thiét ké
mot ha ting kha chuyén thi phai c6 kha nang chép nhgn s€ ngat mot vai dich
vu cia céc thanh phan nhw cable, router, switch, va server. Cach tét nhat 1a
nén 66 CDP cue b6 néu chi c6 m6t bé két ndi t6i mang trung tam. Tuy nhién,
kh6ng phai moi chi nhanh déu can CDP riéng, vi néu cic may tinh cua hg (he
théng mail, hé thdng file) la Offline khéng edn thiét phai c6 CDP online.
4,5.6.Cée vin dé cy thé vé ting dung
4.5.6.1.Mail Server
Néu bit dau nghi dén bio mat Mail thi diém bat dau 1a S/MIME hoae
PGP. Pau tién nhing nha quan tri chi sir dyng IMAPS va POPS. Sau dé ho
nghi vé cée may chit duge bio mit va ¢6 ging trién khai SMTP thong qua
TLS. Cac ching chi duge cp bei OpenCA c6 thé duge sir dung cho SMTP
qua TLS b6i vi cde chimg chi 6 thé déng vai trd nhu ching chi Client va
chiing chi Server. Mot SMTP Server c6 thé ding 2 giao thtte cho SMTP qua
TLS. NO e6 thé six dung mot ching chi don chita phan mé rng cho cde Client
6s
va Server TLS, hoa eiing c6 thé diing 2 chimg chi: mt cho Client, mét cho
Server.
4.5.6.2. Client Netscape
Cac Client Netscape ci khong tuan theo cde chuan RFC.
4.5.6.3.OpenLDAP
OpenLDAP 1 pl
khong phai 1a t6t nhdt. No sé khOng kiém tra tén tiép theo ctia cha thé ma nd
sé kiém tra tén chung cia chii thé ma phit hop véi tén DNS hode dia chi IP.
Diéu nay sé gay ra di néu chi thé ciia ching chi sir dung tén clients Netscape
0. OpenLDAP khong hé try nhing mo rng chung,
in mém ma nguén mé, nhung vie thye thi TLS ctia nd
Churong V: Banh gid va huréng phat trién
5.1. Banh gid
Két ludn, :
Nghién ciru va xdy dung hé théng PKI dya trén ma nguén OpenCA Ia mot
van dé con méi mé va ludn can duge hoan thign, Mé hinh PKI dy trén ma
nguon OpenCA duge xay dyng tir rit nhigu ma ngudn khac bao gom Apache,
OpenSSL, mod_ssl, perl va cdc module perl. Qué trinh nghién cru, xay dung
va phat trién hé théng PKI dua trén ma nguén OpenCA 1a mot qua trinh au
dai va cin phai c6 swt chdp nhan cia ngudi sir dung, Ty 18 ngudi ding sé durge
ting khi cdc chuan vé cong nghé tro nén hoan thign hon, ching minh duge
kha nang img dung va hign thyc hod 18 tinh kha thi
Hign nay, vige dp dung mat ma khod cng khai va dich vy ching thyre dign
tir dé dm bao an toan thong tin trong cic hoat dng giao dich dign tir 8 gid
phap duge nhiéu quéc gia trén thé gidi sir dung. G Viét Nam, vin
trén tuy
oo
a 06 sy tién trién, nhung con gap nhiéu khé khan. Mot
mot s6 don vi, co quan eng da c6 nhimng hoat déng ban dau nghién ciru cong
ngh@, xay dung hé théng ky thugt, phat trién cde ing dung va thir nghigm
(nim tre Iai day
cung cp dich vy chimg thye dign tir Vige trién Khai cée dich vu cung ep
ching thye dign tir yeu edu mot sy dau tu lau dai va nghiém tic méi mang lei
két qua nhu mong muén. Phan kho khan nhat trong trién khai dich vu nay lao
khau t6 chite thu hign va thay d6i nhdn thire ciia con ngudi. Tinh phép ly cia
chit ky sé va dich vu ching thye dign tir cing li mt van dé dang duge dat ra.
Hign nay, & Vigt Nam da ban hanh mot sé cdc diéu ludt trong Tinh vye nay
hur Lugt cong nghé thong tin ban hanh ngay 29/6/2006, Lust giao dich dign
tir ban hanh ngay 29/11/2005, Luét ndi dung chit ky s6 ban hanh ngay
15/2/2007..Céc t6 chite, e4 nhdn cung ep va sit dung dich vu chimg thye dign
tir can phai duge quan ly, dong thi cé quyén , nghia vy nhat dinh.
Ngoai ra néu mét co so ha ting c6 cong nghé
tudng va nha cung cép dich vu va nhiing e ngai vé tam ly cita ngudi ding nay
ciing ld cae tro ngai trong viée trién khai co sé ha tang an ninh rong khiip
réu thi s@ khong cé sy tin
PHY LUC
1.Méi trirdng phat trién
Phan mém ma nguén mo OpenCA khéng phai [4 mdt...Phan mém nguén
m6 OpenCA duge dya trén rat nhiéu phin mém nguén mé khac bao gdr
Apache, OpenSSL, mod_ss1, perl, OpenLDAP va céc module perl va. Phin
nay em xin phép duge trinh bay vé cdc phin mém nguén mé duge sir dung dé
xay dung nén OpenCA
1.LApache
Apache HTTP SERVER PROJECT.
Dy an Apache HTTP Server la mét sw nd lye dé phat trién va duy tri mot
ma nguén HTTP cho cac may chi hign dai danh cho cac hé die
nhw Unix va Window NT. Mye dich cia dy-én nay 1a cung cép mot may cha
hanh hign dai
‘mé rong, higu qua va an toan Lim nhiém vu cung cdp cdc dich vu http déng bé
véi ede tiéu chun HTTP hign nay
Dy én HTTP duge quan ly chung boi mgt nhém nhing ngudi tinh nguyén
trén khap thé gidi, nhitng ngwéi sir dyng Intemet va Web dé truyén thong, xay
dyng, phat trién may chit va cée ti ligu e6 fin quan, Nhiing ngudi tinh
nguygn nay dirge goi la nhém Apache (Apache Group). Hon nifa, 6 hang
tram ngudi sit dung cing déng gép ¥ twang, ma ngudn va tai ligu cho dur dn.
1.2. OpenSSL
OpenSSL 1a sy nd lye hyp tic nhim phat trién b¢ ma ngudn mé voi day
di tinh nang, duge trién khai trén giao thite SSL (version 2 va version 3) va
thite TSL(version 1) duge quan ly béi eGng dng nhiing ngudi tinh
nguyén trén toan thé gidi sir dung Internet dé két ndi va phat trién bO
OpenSSL va eée tai ligu e6 lién quan
Hau hét cac phin mém nhy IMAP&POP, Samba, OpenLDAP, FTP,
Apache va nhing phin mém khac déu yéu cdu céng viée kiém tra tinh xc
thyc ciia ngudi sir dung truée khi cho phép sir dung cde dich vy nay. Nhung
mac dinh vige truyén tai sy xée minh théng tin ngudi sit dung vi mat khau
(password) 6 dang van ban thuan tay nén 6 thé duge doc hode thay 461 bai
mot ngudi khdc. Ky thuat ma héa nhu SSL sé dim bao tinh an toan va nguyén
‘ven ctia dit ligu, v6i ky thuat nay théng tin truyén trén mang & dang diém néi
diém duge ma héa. MQt khi OpenSSL da duge cai dat trén Linux server
ching ta ¢6 thé sit dung né nhu mot
khée ding tinh nang SSL
OpenSSL la mot b céng cu mat ma trién khai trén giao thite mang SSL.
va TLS va céc chuin mat ma cé lién quan,
Chuong tinh OpenSSL 1 mot cdng cu dong tenh dé sir dung ¢:
nding mat ma cia cdc thir vign erypto cha OpenSSL tir nhan,
OpenSSL c6 cde thir vign cung cép cde chite nding mat ma cho cde img
yng cu thir ba cho pl
img dung
chite
dyng nhu an toan webserver
1.2.1.Céng cy dong Iénh trong opensst
1.2.1.1.Cée dong Ignh chuéin
ASN.1
- asnlparse: phan tich ch
1
~ ca: Quin ly CA
~ Ciphers: Migu ta bd ma hod
~ ems: tign tich (Cl php thong bio mat ma)
- erl: Quan Iy danh sch huy bd chimg chi (CRL)
- erl2pkes7: Chuyén doi CRL thinh PKCS37
- dgst: Tin toan ban tom luge thong béo
-dh: Quan ly cé tham sé Di
- dhparam: Tgo va quin ly céc tham s6 Diffie-Hellman
-dsa: Quan ly dat ligu DSA
-dasparam: Tao va quan ly tham sé DSA
: Xir ly khod (dug cong Elliptic)
-ecparam: Tao va thao tie tham s6 EC
enc: Ma hoa bang mat ma
-gendh: Tao cc tham sé Diffie-Hellman
-gendsa: Tao khod riéng tir cdc tham sé
-genpkey: Tao khoa riéng hoi cae tham sé
Hellman
-genrsa: Tao khoa riéng RSA
-ocsp: Tién ich giao thire trang thai chimg chi tre tuyén
-passwd: Tao cic password durge hash
-pkes12: Quan If dit ligu PKCS#12
-pkes7: Quan ly dit ligu PKCS#7
-pkey: Quain ly khod riéng vi khod cng khai
-pkeyparam: Quan ly tham s6 thugt toan khod céng khai
-pkeyutl: Tign ich hoat dong mat ma thudt todn khod cong khai
-rand: Tao cc bytes ngdu nhién
req: Quan ly yéu cdu ky chimg chi PKCS#10 X.509
-rsa: Quan ly khod RSA
-rsautl: Tign ich RSA cho vige ky, x4e minh, ma hod va giai ma
‘ime: May thoi gian két ndi SSL
-sess_id: Quan ly dit ligu phién SSL.
me: Xir ly mail S/MIME
-speed: Do tic d6 thuat toan
-spkac: Tign ich tgo va in SPKAC
n
-ts: Céng cu cp quyén tem thoi gian
ify: Xée minh chirng chi X.509
-version:Théng tin phién ban OpenSSL.
509: Quan ly dit ligu chimg chi X.509
1.2.1.2.Cée dong lgnh tim lurge thing bdo
= md2: tom Irge MD2
-md5:Tém luge MDS
-mde2: tom hrge MDC2
-rmd1160: t6m luge RMD-160
-sha: Tém luge SHA
-shal: Tom luge SHA-1
-sha224 :Tém luge SHA-224
-sha256 :Tém luge SHA-256
1a384 :Tém luge SHA-384
-sha312: Tém luge SHA-512
1.2.1.3. Cée dong Ienh vé ma hod
base64: mi hod Base 54
bf bf-cbe bf-cf bf-ecb bof : Ma Blowfish
cast cast-ebe : Ma CAST
cast5-cbe cast5-cfb cast5-ecb cast5-ofb Ma CASTS
des des-cbe des-efb des-ech des-ede des-ede-che des-ede-cfb des-ede-ofb
des-ofb :Ma DES
des} desx des-ede3 des-ede3-cbe des-ede3-cfb des-ede3-ofb :Ma 3DES
idea idea-cbe idea-cfb idea-ecb idea-ofb :Ma IDEA
12 re2-cbe re2-efb 12-ecb re2-ofb Ma RC2
re4 “Ma RC4
1€5 re5-ebe re5-efb re5-ecb reS-ofb Ma RCS
1.2.2. Thur vign SSL/TLS trong OpenSL.
1.2.2.1.Mibu ti
‘Thu vign ssl trong OpenSSL trién khai giao thite SSL va TLS.
‘au tién thu vign sé durge khoi tao
B
Sau do d6i tugng SSL_CTX duge tao ra nhu mét co cau thiét lip két ndi
TLS/SSL. Sé cé rit nhiéu tuy chon lién quan téi chimg chi, thudt todn c6 thé
duge cai dat trong déi tugng nay
Khi mot két néi mang duge tao ra, né cé thé duge gan cho déi trong SSL
Sau khi di tweng SSL duge tao ra tir SSL_new, SSL_set fd hoge
‘SSL_set_bio, nhiing thanh phan nay sé két hop mét két néi mang voi déi
tugng
Sau khi bat tay TLS/SSL duge thye hign nho SSL accept hoge
SSL_connect. SSL_read va SSL_write duge sit dung dé doe va ghi do ligu
trén két néi TLS/SSL. SSL_shutdow c6 thé duge sir dung dé két thitc két ndi
TLS/SSL
1.2.2.2. Cau trite dit ligu
Chite nang hién cé ciia thy vign ssl trong OpenSSL gidi quyét duge edu
tric dit ligu sau
SSL_METHOD
Day Li mét cdu trac migu ta chire ning/phuong thite thir vign ni ssl ni
b6. No duge siz dung dé tao SSL_CTX
SSL_CIPHER(SSL Cipher)
C4u tric nay nm gitt théng tin thuat todn cho phép ma hod dae bigt ma 1
phan Ii cia giao thie SSL/TLS. Cac phép ma hoa sin cé duge cau hinh trén
SSL_CTX
SSL_CTX (SSL Context)
Day La mot cau tric ngit cdnh todn cue duge tao bai server hod client
trong méi théi gian ton tai chuong trinh va né nim gitta chi yéu cac gid tri
mac dinh cia cdu tric SSL, cdc gid tri ma duge tao cho khi két ndi sau dé
SSL_SESSION (SSL Session)
Day 1a cau tric chita chi tiét phién TSL/SSL hign c6 cua két
SSL_CIPHER, chitng chi client va server, khoa
SSL (SSL Connection)
tnic SSL/TLS chinh , duge tao boi server hode client mdi
Day [a edu
két ndi duge thiét lap. Day thye sy 1a phan cau tric cét Ii trong SSL API.
Mi khi chay tng dung thuéng phan phdi cau trac nay téi cdc cdu trac khac
”
1.2.2.3. Cie fle header
Thur vign ssl trong OpenSSL cung cip nhiing file header C sau, ©6 chia
cdc mau cho cau tric di ligu va chire nang
ssL.h: Day li file header chung cho SSL/TLS API, né e6 chita phin e6t 1di
bén trong cua SSL API
Diy Id file header con el
ssI3.h: Day la file header con chi giao thire SSLv3
ss123.h: Day 1 file header con chi cé quan hé véi giao thite SSLv2 va
SSLv3
tsl.h: Day 1a file header con chi e6 quan hé véi giao thire TLSvI
ssl
1.2.3. Thu vign mat ma trong OpenSSL
‘The vign mat ma trong OpenSSL cung cép mét sé lrgng Ién cdc thuat
toan mat ma duge sir dung trong rét nhiéu chudn ciia Internet, Céc dich vu
duoc cung cap béi thir vign nay duge sir dung béi cde cong cu ciia SSL, TLS
S/MIME va ching ciing duge sir dung dé b6 sung cho SSH, OpenPGP va
cae chudin mat ma khée
1.2.3.2.Téng quan
‘Thu vign libcrypto bao gém m6t sé cac thu vign con bé sung cho céc thuat
todn rigng 18
Tinh nang niy bao gdm ma hod déi xting, mat ma khod cOng Khai va sir
thoa thugn khod, xtr ly ching chi, ham hash mat m va tao ra sé ngdu nhién
gia lap
1.2.4. BO cong cu OpenSSL
B6 céng cy OpenSSL bao gbm
bssl.a: Nay dung trén SSLv2 va SSLv3 va cdc code duge yéu ciu trén
ca SSLv2 vi SSLv3 va TLSv1 trong mét server va client
berypto.a : Thur vign ma héa chung. Trong thu vign nay thong thudng
bao gém
libdes: Thu vign ciia des. Bao gdm 15 ché d6/bién thé cia DES (cae phién
ban khéa 1,2 va 3 ctia cde ché d9 ecb, ege, cfb vi ofb)
Ma héa RC4
Ma héa RC2: Cé 4 ché do khée nhau 1a ecb, cbe, efb va ofb
Ma héa Blowfish: Cé 4 ché dg khac nhau la ech, che, cfb va ofb
Ma héa IDEA: Cé 4 ché dé khée nhau la ecb,cbe,ctb va ofb
Tom huge thong bio
Cae thugt ton tém luge thong bao MDS va MD2, SHA va thugt ton tom
luge thong bio SHA-I
‘Tom luge théng bio MDC2.
+ Khéa cdng khai
i héa/giai ma RSA
Khéng cé gic han sé lugng bit
Tao/giai ma/ma héa DSA
Taodn
Khdng cé gidi han sé lugng bit
Tao/trao d6i khéa Diffie-Hellman
Khéng cé gidi han vé sé long bit
+ Ching chi X.509v3
MA héa/gidi ma chimg chi X.509 thanh/tir ASNI nhj phan va PEM diya
trén ma héa_nhj phan ASCIT hd try ma héa bing mot khéa riéng. Chuong
chimg chi RSA va DSA va dé tao ra chimg chi
trinh dé tao ra cae yeu
RSA va DSA
1.3.Mod_ssl
Mod_ssI” két hp tinh linh hoatt cia Apache va tinh an toan ctia openssl
Mod_ssl cung cap tinh ning mat ma rat manh cho Apache 1.3 théng qua
hai giao thite SSL va TLS boi su gitp do cia b§ OpenSSL va nguén mo
SSL/TLS, dua trén SSLeay tir Eric A.Young vi Tim J.Hudson
G6i mod_ssl duge tgo ra vao thing 4/1998 boi Ralf S. Engelschall va. du
tién duge duge phat trién boi Ben Laurie dé sir dung trong dy én Apache-SSL_
HTTP server
1.Cae diém ndi bt
Cac die diém noi bat cua mod_ssl
16
La phan mém ma nguén mo
Cé thé sir dung durge cho ca mue dich throng mai va phi thuong mai
‘Tinh nang ma hod manh trén toan thé gigi
H6 trg cde giao thite SSLv2 va SSLv3 va TLSv1
H6 trg cho ca phép ma hoa RSA va Diffie-Hellman
H6 tro dy du DSO
Hé try cho OpenSSL vi RSArefUS
Nang cao kha nang xit Iy cum m@t khdu déi véi khod riéng
Chitng chi X.509 dya vao xéc thyte cho ca phia client va server
HG try danh sch thu hoi chimng chi X.509
chinh d6i véi méi URL cita cdc tham sé
Hi try kha ning tai di ft tay
SSL
Bé sung biéu thire Boolean diya trén phuong tién kiém soat truy cap
Cae tmg dung don gi Apache
ch hop diy di trong inh Apache 1.3
Bé sung sy tich hop trong giao dign kiéu tyr cdu hinh cia Apache
H6 trg sy tao chimg chi X.509v3 (ci RSA va DSA)
ic eo ché cd
1.3.2.Kién trite gi mod_ssl
G6i mod _ssl bao gém module SSL vi bG ngudn Apache c6 bé sung APT
mo rong (EAPI) -Day 1a digu kign tign quyét dé c6 thé sir dung mod_ssl. Hay
néi cach khdc, chiing ta chi c6 thé sir dung mod_ssl khi phan cét Idi cia
hing ta ap dung mod_ssl
Apache ¢6 chita API mo réng. Nhung boi vi khi
cho source Apache, phin API mo rong cling duge ty dong thém vio.
. ~|3a| @
|} 8] &| % | opensst
z x a Zz
3/2) 2] 2
EL ELE
Apache API 3 -
Apache Core
1.3.3.Giao thite SSL
Giao thire SSL ban dau duge phat trién boi Netscape, SSL da durge chip
nhan rong rai trén toan thé gigi dé xéc thye va tao lap két néi ma héa giita
client va server
Giao thite SSL chay trén giao thife TCP/IP va duGi giao thie mite tng
dyng nh HTTP, IMAP . N6 cho phép mot may hii hd try SSL. xée thre
chinh né vai méy client hd try SSL, cho phép client xée the chinh né véi
may chu, va cho phép ca hai may thiét lap m6t két noi ma hoa
Giao thite SSL hé trg sir dung rat nhiéu cdc thuat toan mat ma khéc nhau,
dé sir dung trong cde hogt dong nhu x4c thyc server, xe thye client, trayén
ching chi va thiét lfp cae kha phién. Client va server 66 thé hé tre eée bo ma
héa khéc nhau, phy thuge vao cée nhin t6 nhu phién ban SSL ma ching hé
trg, chinh sich eng ty.
Cac thuat toan mat ma ma giao thire SSI hd trg bao gam
DES : Data Encryption Standard
DSA: Digital Signature Algorithm
KEA: Key Exchange Algorithm
MDS: Message Digest Algorithm
RC2 & RC4:Rivest encryption ciphers
RSA:
SIA-1:Secure Hash Algorithm
Triple-DES
Xe thye server
Giao thite SSL 1a giao thire duge dat giita giao thi tang mang hudng
huéng két néi (vi dy TCP/IP) véi giao thire ting img dyng (vi dy HTTP)
SSL cung cép tinh nang két néi an toan giita client va server bing cdc cho
phep xée thye lan nhau, str dung chit ky sé dé dim bao tinh toan ven, va ma
hod dé dim bao tinh bi mat
Giao thite nay duge thiét ké dé hé try cae thuat todn cy thé duge sir dung
cho mat ma, tom luge, va chit ky sé.
1.4, OpenLDAP
Hign nay, dé xay dyg cdc hé théng én, diéu t6i quan trong la phai Lam
cach nao c6 thé tich hgp dit ligu dé tir d6 c6 thé ding chung gitta cdc hé théng
khac nhau. Trong d6, tich hop tai khoan cia ngwoi sir dung 1a van dé can thiét
nhat trong nhing cai “tdi quan trong” trén
‘Mot hé théng véi khoang 5 - 6 module khac nhau, méi module Iai duoc
thiét ké trén mot nén ting khéc nhau ( c6 ngudi dingOracle + AS Portal, hoae
DB2 voi WebSphere, hoe MySQL véi phpnuke, hoe Window, Linux, }, do
6 can 6 mét hé théng ngudi ding khac nhau. Vay thi voi méi module,
ngudi sir dung cin phai e6 mot User Name, mét mat khiu khéic nhau, 46 1a
é é ién va kh khan
9
Lam cach nao dé c6 thé tich hgp duge nguéi ding giita cac hé théng trén?
Cau tr loi d6 1 LDAP
LDAP (Lightweight Directory Access Protocol )- giao thie try ¢4p nhanh
“ac dich vy thu myc
mét giao thitc tim, truy cp cdc théng tin dang thir myc trén server
-N6 la giao thite dang Client/Server ding dé truy nhap dich vu thu muc
-LDAP chay trén TCP/IP hoge cée dich vy huréng két ndi khde.
inh cau trie va dae diém ctia
-LA mOt md hinh théng tin cho phép xc
thong tin trong ther myc
-La m6t khong gian tén cho phép xée dinh céch céc théng tin durge tham
va t6 chite
-MOt mé hinh cde thao tic cho phép xc dinh cde tham chi
da ligu
ch
va phan bd
-LA mét giao thite mé rong
~ La mot mé hinh thong tin mé réng.
day ching ta can tranh hiéu nham tir "thu muc" nhur trén Windows la.
folder hay directory, dé 1a thu muc theo nghia hep dé quan ly hé théng tép tin.
Tir thu muc trong LDAP mang y nghia rong hon, né bao ham cac cau tric dit
cia dan thu vign
ligu dang ligt ké theo thr mye (hay muc Tuc) - mot "tir Khoa’
nhim dm chi cach thire sip xép dit ligu dé tién tray xuat nhat
Mét cach tng quit ma néi, LDAP thurig phin chia theo O (Organisation - t6
chire) va cde OU (Organisation Unit - phan bd). Trong cde OU 6 thé cd
nhimg OU con va trong cic OU e6 ede CN (Common Name), nhting nhém
n goi phan big),
MGi gid tri chita trong LDAP thude dang tén:gia tri, thug durge goi la
LDAP Attribute (vig
Object
LDAP cé tiéu chudn théng nhdt gitta cdc img dyng phat wién LDAP. Day
18 y do LDAP duge tra chung cho
Ban chat cita LDAP la mét phan cia dich vy thu myc X.500. LDAP thyc
chat durge thiét ké nhu mét giao thire nhe nhang, ding nhw gateway tra loi
gid tri nay thurémg duge goi la DN (Distinguished Name -
At la attr, mdi attr duge nhén dign nhu mét LDAP.
nhitng yéu cdu cua X.500 server
80
X.500 thye té ld mét tap cic chuan. X500 duge biét nhur li mot
heavyweight. No yéu cau client va server lién lac v6i nhau sir dung theo mo
hinh OSI, M6 hinh 7 tng ctia OSI 14 mot m6 hinh chun phit hgp trong thiét
ké véi giao thire mang, nhung khi so sénh véi chun TCP/IP thi né tro nén
khong edn hop ly
‘plat
(ipa [Tap
TP pa
sate
Lk
LDAP dong vai tro rat quan trong trong tmg dung truy nhap don. Cé nghia
1a mot ngudi ding nhgp vao mgt hé théng, ngudi dy 6 thé truy cap ti cde
may chit, dich vy, tdi nguyén ma khong cin phai xae thye lai, Ngodi ra,
LDAP duge tgo ra dic bigt cho hanh dong “doc”. Boi thé, xéc the ngudi
ding bing phuong tign “look up” LDAP nhanh, higu suat, it ton tai
nguyén,don gian hon la | tray van tai khodn nguoi ding trén co so dit ligu
Dy an OpenLDAP 1a m6t sy nd lye hyp tic nhim phat trién bO ma nguén
ma LDAP cia cae img dung va cae cong ey phat trién duge tich hop day dit
cae tinh nang va
Dur an durge quan ly bai cng déng nhiing ngudi tinh nguyén trén thé gid,
nhimg ngudi sir dung Internet dé truyén théng, phat trién bé ma ngt
LDAP
OpenLDAP 2.0
die dim néi bat sau
81
H6 try LDAPv3: OpenLDAP 2.0 ho try Iép an ton va xdc thye don
(Simple Authentication and Sercurity Layer-SASL), TSL va SSL
Hé trg IPv6: OpenLDAP hi trg thé hé tiép theo cia giao thite IPV6
LDAP trén IPC: OpenLDAP cé thé truyén tin trong hé théng sit dung IPC
(interprocess communication). Diéu nay s€ tim ting cudmg tinh ning an ton
ig cach ngan ngira cc yéu cau truyén théng thong qua mang
Cép nhat C API: Cai thign cich ngwai lap trinh c6 thé két né
cede may chu thi mye LDAP
Ciing 6 cho server Stand-alone LDAP: Bao Cp nhat hé théng kiém soat
truy clip
BG thur vign va cOng cy eita OpenLDAp duge chia thinh cée g6i sau
+openldap- Chire céc thu vign can thiét 4é vén hanh may chi openLDAp
va cde ing dung client
va sir dung
ih dé xem xét va diéu chinh
+openlda-clients: Chite cée eéng cy dong Ié
thur mye trong LDAP server
+openidap-servers: Chita cde tign ich can thiét dé cau hinh va van hanh
may chi LDAP
4.5. Céc module perl
Table 3.1. External Perl modules
Module Version Comment
Duge yéu cau bai Net::LDAP dé xac thye SASL,
Authen::SASL 2.04 authentication -Néu ban khéng sir dung SASL thi
ban khong cin t6i nd
CGE:Session [3.95 Burge yéu cau dé xir ly phién lam vige
Convert:ASN1 [0.18 22?
Digest:HMAC [1.01 Due yéu cau boi_Authen::SASL
2.24 La thanh phan ca Perl
Digest:SHAI 2.02 Due yéu ciu boi chinh OpenCA
Encode::Unigode 297 D¥gE yeu edu boi OpenCA danh cho ngudi dung:
inurée ngodi
TOxSocket:SSL_ 0.9227?
10::stringy 2.108
MIME::Base64 2.20 Burge yéu cau cho ma hod va gaii ma Base64
82
Module ‘Version Comment
MIME::Lite 3.01 Durge yéu cau dé xir ly mail OpenCA
MIME-tools SAL1 _ Duge yéu cau dé xir ly mail OpenCA
MailTools 1.58 Duge yéu edu dé xir ly mail OpenCA
Net Server lo.g6 Purge, yeu clu cho OpenCA daemon- Phién ban’
nay rit quan trong
Parse:RecDescent|1.94 urge yéu cu boi_X500::DN
URI 123 pe
(Ching toi sit dung phién ban duge chinh sta 6
day
Burge sir dung cho XML Parsing
X300::DN 0.28
3.09
1.10 Day Ia giao dign cho nhan vign 118n
Perl-Idap (0.28 Giao dign LDAP ciia Perl
2.Cac chuan mat ma
PKCS 1a chudn mat ma khod cong khai do phdng thi nghigm RSA phat
trién, Chuan PKCS cung cp nhiing dinh nghia co ban vé dinh dang dit ligu va
thuat ton nén tang dé trién khai PKI
PKCS#1(Encryption Standard) : Chuan mat ma RSA
PKCS#2: Chuan nay duge lién ket thanh chuan PKCS#I
PKCS#3 (Diffie-Hellman Key Agreement Standard): Chuan trao déi khéa
Diffic-Hellman, Migu ta phurong phap thy hign trao di khod Diffie-Hellman
PKCS#4: Chuan nay duge lién ét thinh chuan PKCS#1
PKCS#5 (Password-based Encryption Standard): Chuan ma hoa dit ligu
dya vao password. Chuan nay mé ta phuong phap ma dang xu bat phan sir
dung khoa bi mat duge tinh tir password dé sinh ra x4u bat phan duge ma hoa.
PKCS#5 c6 thé durge sir dung dé ma hod khod rigng trong vige truyén khod bi
mat
PKCS#6 (Extended Certificate Syntax Standard): Chuan eit phap chimg
chi mé rng. Chuan nay dinh nghia ei phap chiing chi X.509 mo rong,
PKCS#7 (Cryptographic Message Syntax Standard): Chuin ef phap thong
bao mat ma. Chuan nay xée dinh cu phdp tng thé dt Tigu duge ma hod vi du
3
nhu chit ky sé. PKCS#7 cung edip mt sé Iya chon dink dang théng bio nhu
thdng bao khéng ma hod hodc ky s6, thong bio duge ma hod, théng bio duge
ky 86 va thong bio c6 ea ky s6 va ma hod
PKCS#8 (Private Key Information Syntax Standard): Chuin et phap
thong tin rigng. Chuén nay dinh nghia ci phép thong tin khod rigng va ef
phap khod riéng durge ma héa
PKCS#9 (Selected Attribute Types):Nhiing loai thuge tinh duge tyra chon.
Chuan nay dink nghia nhung Jogi thude tinh duge Iya chon sir dung trong
chimg chi mé rong PKCS#6, thong digp ky sé PKCS#7, thong tin khod rigng
PKCS#8 vi yéu cau chimg chi PKCS#10, Nhiing thuge tinh ching chi duge
chi rd & day gdm c6 dia chi thir loai néi dung, bin t6m lrge théng béo, the
gian ky, mat khau yéu cau va nhimng thude tinh chimg chi mé rong
PKCS#10 (Certification Request Syntax Standard): Chun cit phap yéu
cau ching chi. PKCS#10 dinh nghia ca phap yéu cau chimg chi. Yéu ciu
ching chi gém c6 tén phan biét, khod céng Khai va tip céc thude tinh my
chon, chit ky cia thye thé yéu cdu chimg chi
PKCS#11 (Cryptographic Token Interface Standard): Chuan giao dign thé
bai mat ma. Chuan nay xie dinh giao dign lip trinh ting dung (API) cho thig
bj ngudi ding chita thong tin ma hod va thu hign chute nang ma hoa.
PKCS#12 (Personal Information Exchange Syntax Standard): Chuan cit
phap trao d6i théng tin c4 nan, Chuan nay dinh nghia dang théng tin nhén
dign cé nhin bao gdm khod ring, ching chi, bi mat dac tinh khéc nhau va mo
rong. Chuan PKCS#12 lam cho vige truyén chimg chi va khéa bi mat gin
kém duge thudn tign, gitip ngudi sir dung c6 thé chuyén théng tin nhén dign
ca nhan tir thiét bj nay sang thiét bj khac
PKCS#13 (Elliptic Curve Cryptography Standard): Ch
Elliptic. PKCS#13 bao gdm vige tao tham s6 duemg cong Elliptic va kiém tra
higu lye, tgo khod va cong nhin gid tri, chit ky s6 va ma hod khod cong khai
ma dung cong
cing nhur thoa thugn khod
PKCS#14 (Pscudo-Random Number Generation Standard): Chuan tgo s6
gia ngdu nhién. Nhiéu ham mat ma co ban duge sir dung trong PKI nhu tao
khod va thoa thudn khod bi mat Diffie-Hellman sir dung dit tigu ngdu nhién,
Tuy nhién, néu dit ligu ngdu nhién lai khong ngdu nhién ma duge chon tir tap
84
gid tri c6 thé tién doan duge thi ham mat ma khéng bao mt duge day di. Do
6 tgo s6 gid ngdu nbién an toan la diéu t6i quan trong trong bao mat PKI
PKCS#15: Chuan mau thong tin the bai mgt ma
You might also like
- The Subtle Art of Not Giving a F*ck: A Counterintuitive Approach to Living a Good LifeFrom EverandThe Subtle Art of Not Giving a F*ck: A Counterintuitive Approach to Living a Good LifeRating: 4 out of 5 stars4/5 (5823)
- The Gifts of Imperfection: Let Go of Who You Think You're Supposed to Be and Embrace Who You AreFrom EverandThe Gifts of Imperfection: Let Go of Who You Think You're Supposed to Be and Embrace Who You AreRating: 4 out of 5 stars4/5 (1093)
- Never Split the Difference: Negotiating As If Your Life Depended On ItFrom EverandNever Split the Difference: Negotiating As If Your Life Depended On ItRating: 4.5 out of 5 stars4.5/5 (852)
- Grit: The Power of Passion and PerseveranceFrom EverandGrit: The Power of Passion and PerseveranceRating: 4 out of 5 stars4/5 (590)
- Hidden Figures: The American Dream and the Untold Story of the Black Women Mathematicians Who Helped Win the Space RaceFrom EverandHidden Figures: The American Dream and the Untold Story of the Black Women Mathematicians Who Helped Win the Space RaceRating: 4 out of 5 stars4/5 (898)
- Shoe Dog: A Memoir by the Creator of NikeFrom EverandShoe Dog: A Memoir by the Creator of NikeRating: 4.5 out of 5 stars4.5/5 (541)
- The Hard Thing About Hard Things: Building a Business When There Are No Easy AnswersFrom EverandThe Hard Thing About Hard Things: Building a Business When There Are No Easy AnswersRating: 4.5 out of 5 stars4.5/5 (349)
- Elon Musk: Tesla, SpaceX, and the Quest for a Fantastic FutureFrom EverandElon Musk: Tesla, SpaceX, and the Quest for a Fantastic FutureRating: 4.5 out of 5 stars4.5/5 (474)
- Her Body and Other Parties: StoriesFrom EverandHer Body and Other Parties: StoriesRating: 4 out of 5 stars4/5 (823)
- The Sympathizer: A Novel (Pulitzer Prize for Fiction)From EverandThe Sympathizer: A Novel (Pulitzer Prize for Fiction)Rating: 4.5 out of 5 stars4.5/5 (122)
- The Emperor of All Maladies: A Biography of CancerFrom EverandThe Emperor of All Maladies: A Biography of CancerRating: 4.5 out of 5 stars4.5/5 (271)
- The Little Book of Hygge: Danish Secrets to Happy LivingFrom EverandThe Little Book of Hygge: Danish Secrets to Happy LivingRating: 3.5 out of 5 stars3.5/5 (403)
- The World Is Flat 3.0: A Brief History of the Twenty-first CenturyFrom EverandThe World Is Flat 3.0: A Brief History of the Twenty-first CenturyRating: 3.5 out of 5 stars3.5/5 (2259)
- The Yellow House: A Memoir (2019 National Book Award Winner)From EverandThe Yellow House: A Memoir (2019 National Book Award Winner)Rating: 4 out of 5 stars4/5 (98)
- Devil in the Grove: Thurgood Marshall, the Groveland Boys, and the Dawn of a New AmericaFrom EverandDevil in the Grove: Thurgood Marshall, the Groveland Boys, and the Dawn of a New AmericaRating: 4.5 out of 5 stars4.5/5 (266)
- A Heartbreaking Work Of Staggering Genius: A Memoir Based on a True StoryFrom EverandA Heartbreaking Work Of Staggering Genius: A Memoir Based on a True StoryRating: 3.5 out of 5 stars3.5/5 (231)
- Team of Rivals: The Political Genius of Abraham LincolnFrom EverandTeam of Rivals: The Political Genius of Abraham LincolnRating: 4.5 out of 5 stars4.5/5 (234)
- On Fire: The (Burning) Case for a Green New DealFrom EverandOn Fire: The (Burning) Case for a Green New DealRating: 4 out of 5 stars4/5 (74)
- The Unwinding: An Inner History of the New AmericaFrom EverandThe Unwinding: An Inner History of the New AmericaRating: 4 out of 5 stars4/5 (45)
- HDSD Netty v1.0Document18 pagesHDSD Netty v1.0Lee ReNo ratings yet
- Lap Trinh SwiftDocument27 pagesLap Trinh SwiftLee ReNo ratings yet
- Đồ Án Nghiên Cứu Xây Dựng Hệ Thống PKI Dựa Trên Bộ Phần Mềm Mã Nguồn Mở OpenCA - Luận Văn, Đồ Án, Đề Tài Tốt Nghiệp PDFDocument85 pagesĐồ Án Nghiên Cứu Xây Dựng Hệ Thống PKI Dựa Trên Bộ Phần Mềm Mã Nguồn Mở OpenCA - Luận Văn, Đồ Án, Đề Tài Tốt Nghiệp PDFLee ReNo ratings yet
- Chuyen de 1-Ngon NguDocument58 pagesChuyen de 1-Ngon NguLee ReNo ratings yet
- Đề Tài Đề Cương Công Nghệ Bảo Mật Và Chữ Ký Điện Tử - Luận Văn, Đồ Án, Đề Tài Tốt Nghiệp PDFDocument15 pagesĐề Tài Đề Cương Công Nghệ Bảo Mật Và Chữ Ký Điện Tử - Luận Văn, Đồ Án, Đề Tài Tốt Nghiệp PDFLee ReNo ratings yet
- Huong Dan Ma Hoa PGPDocument46 pagesHuong Dan Ma Hoa PGPtai_visaothe2000No ratings yet
- B-I 2 L?P TR-NH Game 2D V?i Unity - T?o D? - N Game 2D, Sprite V - GameObjectDocument12 pagesB-I 2 L?P TR-NH Game 2D V?i Unity - T?o D? - N Game 2D, Sprite V - GameObjectLee ReNo ratings yet
