Exploring VPN Technology and Deploying a Virtual Private Network (VPN) Demo


EXPLORING THE TECHNOLOGY AND DEPLOYING A DEMO OF VIRTUAL PRIVATE NETWORKS (VPN), 2010

Student (SVTH): L NGC DUY

Table of Contents

Table of Contents (p. 1)
List of Abbreviations & Terms (p. 4)
List of Tables (p. 6)
List of Figures & Diagrams (p. 7)
Introduction (p. 8)
Chapter 1. OVERVIEW OF VPN ISSUES (p. 9)
1.1. Traffic issues (p. 9)
1.1.1. Eavesdropping attacks (p. 9)
1.1.2. Masquerading attacks (p. 11)
1.1.3. Man-in-the-middle attacks (p. 12)
1.2. VPN definition (p. 16)
1.2.1. VPN description (p. 16)
1.2.2. VPN connection modes (p. 17)
1.2.3. VPN types (p. 21)
1.2.4. VPN categories (p. 25)
Chapter 2. TECHNIQUES USED IN VPNs (p. 27)
2.1. Keys (p. 27)
2.1.1. Key usage (p. 27)
2.1.2. Symmetric keys (p. 28)
2.1.3. Asymmetric keys (p. 28)
2.2. Encryption (p. 32)
2.2.1. The encryption process (p. 32)
2.2.2. Encryption algorithms (p. 33)


2.2.3. The DES and 3DES algorithms (p. 34)
2.2.4. The AES algorithm (p. 35)
2.3. Packet authentication (p. 36)
2.3.1. Implementing packet authentication (p. 36)
2.3.2. Using packet authentication (p. 38)
2.3.3. Packet authentication issues (p. 40)
2.4. Key exchange (p. 42)
2.4.1. The key-sharing dilemma (p. 42)
2.4.2. The Diffie-Hellman algorithm (p. 44)
2.4.3. Key refreshing (p. 47)
2.4.4. Limitations of key exchange methods (p. 48)
2.5. Authentication methods (p. 48)
2.5.1. Man-in-the-middle attacks (p. 49)
2.5.2. Authentication solutions (p. 50)
2.5.3. Device authentication (p. 50)
2.5.4. User authentication (p. 70)
Chapter 3: IPSEC (p. 73)
3.1. IPSec standards (p. 73)
3.1.1. The IETF RFCs (p. 74)
3.1.2. IPSec connections (p. 80)
3.1.3. Basic process for building connections (p. 82)
3.2. ISAKMP/IKE Phase 1 (p. 84)
3.2.1. The management connection (p. 85)
3.2.2. Key exchange protocol: Diffie-Hellman (p. 88)
3.2.3. Device authentication (p. 89)
3.2.4. Additional steps for remote access (p. 90)
3.3. ISAKMP/IKE Phase 2 (p. 102)
3.3.1. ISAKMP/IKE Phase 2 components (p. 103)


3.3.2. Phase 2 security protocols (p. 104)
3.3.3. Phase 2 connection modes (p. 108)
3.3.4. Phase 2 transforms (p. 108)
3.3.5. Data connections (p. 109)
3.4. IPSec traffic and the network (p. 111)
3.4.1. IPSec and address translation (p. 111)
3.4.2. IPSec and firewalls (p. 114)
3.4.3. Other IPSec usage issues (p. 116)
Chapter 4: DEMO DEPLOYMENT (p. 117)
4.1. Main features of the SSTP protocol (p. 117)
4.2. Deploying the demo with the SSTP protocol (p. 118)
4.2.1. Description (p. 118)
4.2.2. Implementation steps (p. 118)
CONCLUSION (p. 119)
References (p. 120)


List of Abbreviations & Terms

No.  Abbreviation / term: full form, meaning
1  Payload: the actual user data carried inside a packet
2  VPN: Virtual Private Network
3  Remote Access: access from a remote location
4  Telecommuter: a person working from home on a computer connected to the organization's office
5  Symmetric Key
6  Asymmetric Key
7  Authentication
8  Encryption
9  Public Key
10  Private Key
11  AH: Authentication Header
12  ESP: Encapsulating Security Payload
13  MD5: Message Digest 5
14  SHA-1: Secure Hashing Algorithm 1
15  HMAC: Hashing Message Authentication Code
16  PKCS: Public Key Cryptography Standard
17  DH: Diffie-Hellman
18  Digital Certificate
19  Digital Signature
20  Pre-shared symmetric key
21  Pre-shared asymmetric key
22  CA: Certificate Authority
23  CRL: Certificate Revocation List, the list of revoked certificates
24  Identity Certificate
25  Root Certificate
26  SCEP: Simple Certificate Enrollment Protocol
27  IPSec: IP Security
28  Management Connection
29  Data Connection
30  ISAKMP: Internet Security Association and Key Management Protocol
31  SA: Security Association
32  IKE: Internet Key Exchange
33  Clear-text: ordinary, unencrypted text
34  Credential: material that establishes a user's identity
35  SOHO: Small Office Home Office


List of Tables

No.  Table name (page)
Table 2-1  DH key groups (p. 48)
Table 3-1  Comparison of AH and ESP (p. 105)
Table 3-2  Address translation solutions (p. 114)


List of Figures & Diagrams

No.  Figure name (page)
Figure 1-1  Session replay attack (p. 14)
Figure 1-2  Session hijacking attack (p. 15)
Figure 1-3  VPN types and categories (p. 19)
Figure 1-4  Transport mode encapsulation (p. 20)
Figure 1-5  Tunnel mode encapsulation (p. 21)
Figure 1-6  Remote access example (p. 24)
Figure 2-1  Asymmetric keys and authentication (p. 31)
Figure 2-2  Creating and verifying an HMAC signature (p. 38)
Figure 2-3  Protection steps (p. 41)
Figure 2-4  The Diffie-Hellman process (p. 47)
Figure 2-5  Man-in-the-middle attack example (p. 50)
Figure 2-6  Creating a certificate signature (p. 60)
Figure 2-7  Validating a certificate signature (p. 61)
Figure 3-1  ISAKMP/IKE transform negotiation (p. 89)
Figure 3-2  Remote-access client addressing (p. 95)
Figure 3-3  Cisco remote-access connection types (p. 96)
Figure 3-4  Split-DNS example (p. 100)
Figure 3-5  Remote access and routing issues (p. 102)
Figure 3-6  AH encapsulation process (p. 106)
Figure 3-7  ESP encapsulation process (p. 108)
Figure 3-8  ESP address translation solution (p. 113)


Introduction

Today, network security is no longer a new issue. Wherever a network is present, the question of network security is present too. However, the number of people who understand the importance of network security is not large. The reason may be that the assets such people keep on the network are not worth much, so they do not care about securing them. But for large organizations, for example multinational corporations, the network is the lifeline of information exchange; that information is usually extremely valuable, even priceless. It is priceless because if it leaks out it can lead to unforeseeable negative consequences. Therefore, securing the information that moves across the network is one of an organization's top priorities, especially when many people are looking for every way to exploit that information.

The reality is that more and more people are engaging in activities that compromise network information security. They use many different methods to exploit the weak points and vulnerabilities of network systems. This places the data on the network at great risk. A question arises: is there a comprehensive solution capable of coping with every form of network attack and ensuring that data is always truly safe? The answer is yes, and it is the Virtual Private Network (VPN).

As a networks and systems student, I am aware of the role and the importance of securing network information. That is the main reason I chose VPN as the topic of my graduation thesis.

The graduation thesis carries out two tasks. The first is to present in-depth theory on VPNs. The second is to deploy a trial (demo) VPN. By completing both tasks well, I believe I will accumulate a great deal of foundational knowledge in the field of information security, which will be a real support for my future work.

Through this thesis, I would like to thank everyone in my family, my friends, and my teacher Nguyn H Dng for helping me throughout this period.

Hanoi, 16 June 2010


PART I: VIRTUAL PRIVATE NETWORK THEORY

Chapter 1. OVERVIEW OF VPN ISSUES

This chapter introduces the idea of the Virtual Private Network (VPN) and why it is used. We will look at the problems of sending traffic across a public network and at how a VPN can protect that traffic. The chapter covers the most general VPN topics; later chapters build on what is introduced here.

1.1. Traffic issues

VPNs were originally developed to deal with the security problems of transmitting clear-text data across a network. Clear-text data is information that can be inspected and understood by anyone, including the source, the destination, and anyone sitting between the source and the destination. Examples of applications that send traffic in clear text are Telnet, file transfer over FTP or TFTP, e-mail using the Post Office Protocol (POP) or the Simple Mail Transfer Protocol (SMTP), and many others. Unethical individuals, such as hackers, can take advantage of applications that send clear-text data to carry out the following kinds of attacks:

Eavesdropping

Masquerading

Man-in-the-middle

Each of these attacks puts your company's data and assets at considerable risk. The next three sections discuss these attacks in more depth.

1.1.1. Eavesdropping attacks

The most common kind of clear-text data attack is eavesdropping. In this attack, the attacker inspects the contents of the packets transmitted between two endpoints. Many applications and protocols are vulnerable to eavesdropping, including Telnet, POP, HTTP, TFTP, FTP, and the Simple Network Management Protocol (SNMP).


With all of these applications and protocols, authentication information such as the username and password is transmitted in clear text between the two endpoints. An attacker can use this information to carry out an access attack or other kinds of attacks.

Note:

Although some protocols send information in clear text, in many cases they have an authentication method to establish a specific identity before allowing a person access to a resource. For example, applications such as Telnet, POP, and SMTP support authentication, even though the authentication information is sent in clear text. Typically these protocols were not originally designed with security in mind but to solve specific connectivity problems. However, much has changed since these applications were developed in the 1970s, 1980s, and early 1990s, especially with the explosion of Internet use.

1.1.1.1. Eavesdropping tools

In general, a protocol analyzer is used to inspect packets. The analyzer can be a hardware solution or a PC with one or more network interface cards (NICs) and the accompanying software. For this attack to work, the attacker must gain access to the connection between the source and destination devices.

There are two classes of protocol analyzer: general and attack. A general protocol analyzer captures every packet it sees and is basically used as a diagnostic tool for troubleshooting problems. Quite a few free protocol analyzers perform this function.

An attack protocol analyzer is an advanced form of the general protocol analyzer. It searches any protocol or application for information related to authentication, finance, and security. The attacker then uses the information collected to carry out other kinds of attacks.

1.1.1.2. Solutions against eavesdropping

Sensitive information includes credit card information, personal information, social security numbers, phone numbers and addresses, usernames, passwords, and other important data. Because many protocols and applications are not secure when transmitting sensitive information (they send it in clear text), protection is essential. One solution that has been proposed is to use one-time passwords with a token card. This prevents someone from carrying out an access attack after using a protocol analyzer to capture password information. However, this solution only protects against attacks aimed at passwords; other attacks that target information transmitted in clear text are not addressed.

One of the most common solutions for companies that want to protect credit card information in an e-commerce environment is to use HTTP with SSL (HTTPS) to encrypt the user's sensitive information. Another solution is to use a VPN with encryption. Encryption scrambles clear-text information so that it looks like a string of random characters; only the destination can decrypt that information. Encryption can be deployed using one of two methods:

Link encryption: the entire frame (for example a PPP or HDLC frame) is encrypted between the two endpoints; this is used on point-to-point connections between directly connected devices.

Packet payload encryption: only the payload of the packet is encrypted, which allows this form of encryption to be routed across the Internet.

Encryption is commonly used on external connections that cross a public network, but for sensitive data you may also want to encrypt it when it crosses the intranet. Of the two methods above, packet payload encryption is the most widely used in VPN solutions. It is the most common because in many cases data must traverse many hops, and packet payload encryption is scalable: only the two devices that control the encryption/decryption process are involved, while the intermediate devices simply route the encrypted packets.

1.1.2. Masquerading attacks

A masquerading attack is one in which individuals hide their identity, or even assume the identity of someone else. In a networking environment this is done by changing the source address information in a packet. In the TCP/IP world this attack is commonly called spoofing. Attackers often use spoofing in combination with denial-of-service (DoS) attacks.

1.1.2.1. Masquerading tools

Unlike eavesdropping, there are many kinds of tools that can be used in a masquerading attack. Changing the source IP address in a packet requires a specialized packet-generation program. This lets the attacker set the source address to use, instead of the IP address associated with the NIC of the attacker's own computer.

The attacker uses a trusted external source IP address to bypass packet filters. Of course, all return traffic goes back to the real trusted external address rather than to the attacker's computer. To see the return traffic, the attacker has to combine this with a routing attack, which redirects the return traffic to the attacker. To carry out a simple DoS attack, the attacker tries to use an internal source address that the packet filter allows through the firewall.

Note:

At Layer 2, an attacker can use ARP spoofing to redirect the traffic between two endpoints to the attacker's device.

1.1.2.2. Solutions against masquerading

Of course, using a firewall system to restrict certain kinds of packets from entering your network is necessary. However, the firewall will still allow traffic from trusted external systems. Therefore, some form of packet authentication check is required. For example, you need to determine whether a packet came from a legitimate source or from an attacker performing a masquerade.

The most commonly used solution is an integrated packet verification system implemented with a hashing function. The hashing function lets the source of a packet be verified. It uses a one-way hash with a shared key, so only the devices that hold the key can generate and verify the hash value. With VPNs, the most common hashing functions used are MD5 and SHA.

1.1.3. Man-in-the-middle attacks

Man-in-the-middle attacks can take place in many ways; the two most common forms are as follows:

Session replay attack

Session hijacking attack

In a session replay attack, the attacker sits between the two endpoints and captures packets from their sessions. The attacker later reuses the packets captured earlier by resending them. The attacker's goal is to gain access to the remote system with those same packets. In some variants, the attacker modifies the contents of the packets to support this process.

The diagram in Figure 1-1 illustrates an example. In step 1, the user sends traffic to the real server. In step 2, the attacker intercepts the traffic from the user to the server (assume it is a web session). Generally the attacker does this by spoofing DNS replies that carry his own address instead of the real destination address, together with spoofed packets, in combination with a rerouting attack. Of course, if the attacker has access to a link between the source and destination, he can easily use a protocol analyzer to examine the packets. In this example, assume the attacker uses a redirection attack and all of the traffic is being sent to him. The attacker pretends to be the server and sends replies back to the user, possibly even including malicious code to extract sensitive information. In this variant, the attacker forwards the original traffic and the user's replies to the real destination, as in step 3.

Figure 1-1. Session replay attack

In a session hijacking attack, the attacker tries to insert himself into an ongoing connection and then take over the connection between the two endpoints. Figure 1-2 illustrates a session hijacking attack.


Figure 1-2. Session hijacking attack

To carry out this attack, the attacker must perform masquerading, pretending to be both the source and the destination. In addition, the attacker must have access to the packet flow between the source and the destination. Physically, this looks like the top part of Figure 1-2.

From another angle, the bottom part of the diagram in Figure 1-2 describes in more detail how the session hijacking attack takes place. In this example, when DeviceA sends traffic to DeviceB, the attacker intercepts the traffic and pretends to be DeviceB. The attacker replies to DeviceA with the same kind of information DeviceB would send. The attacker uses the same process when interacting with DeviceB. With data flowing back and forth between DeviceA and DeviceB, the attacker manipulates the data, altering it between the two endpoints to prolong the current hijacked session. The attacker uses this process to learn more about the two end devices, including their weaknesses.

With protocols such as UDP and ICMP, carrying out a session hijacking attack is a simple process because nothing defines how a connection is maintained.


With TCP it is harder, particularly because of TCP's sequencing process. The sequence number is random, which makes it harder for an attacker to guess the sequence number of the next segment. For that reason, hijacking a TCP session is really difficult. However, not all TCP implementations use random sequence numbers. In many cases it is fairly easy to guess the sequence number from the previous number in the existing connection. A skilled attacker can insert himself into an existing TCP connection. Of course this is not a simple matter. The attacker needs to carry out a number of steps and use some specialized tools to sustain this attack.

1.1.3.1. Man-in-the-middle tools

The attacker generally uses a protocol analyzer to capture packets for the two kinds of attack described. For the session replay attack, the hacker may even use Java or ActiveX scripts to capture packets from a web-server session. For session hijacking, the attacker needs some kind of program that can predict TCP sequence numbers in order to insert into and successfully take over an existing TCP connection.

Note:

The TCP sequence number is 32 bits long, providing over 2 billion possible combinations; randomizing the sequence number makes guessing the next sequence number in a transmission impossible.

1.1.3.2. Solutions against man-in-the-middle attacks

The best solution for this kind of problem is to use a VPN. A VPN provides three tools for fighting man-in-the-middle attacks:

Device authentication

Packet integrity checking

Encryption

With device authentication, you can be assured that the device sending traffic to you is an authenticated device rather than a spoofed one. With packet integrity checking, you can be assured that a packet arriving at your destination comes from an authenticated source and has not been altered or tampered with. And with encryption, you can be assured that a man-in-the-middle device cannot eavesdrop on the actual data the two devices are sharing. These topics are discussed in more detail in a later section.


1.2. VPN definition

As noted in several of the earlier sections, a VPN can be used to cope with any of these kinds of attack. So the question is: what is a Virtual Private Network (VPN)? There are several explanations of what a VPN is:

It is an encrypted tunnel.

It uses IPSec, GRE, PPTP, SSL, L2TP, or MPLS.

It encrypts data.

It protects traffic across the Internet.

It protects data from hackers and attacks.

As you can see, many people have different views or perceptions of what a VPN is.

1.2.1. VPN description

In its simplest form, a VPN is a connection, typically a protected one, between two entities that are not necessarily directly connected to each other. The two entities could be directly connected over a point-to-point link, but in general they are separated by more than one hop or network. The term entity can refer either to a device or to a network (many devices). The connection, in many cases, crosses a public network; however, a VPN can just as easily be used for internal purposes. The word "protected" is the key to understanding VPNs. Most people assume this means encryption (protecting traffic from eavesdropping) or that packets cannot be altered (by a man-in-the-middle attack). These assumptions are basically correct; however, a good VPN solution deals with most, if not all, of the following issues:

Protecting data from eavesdropping by using encryption techniques such as RC4, DES, 3DES, and AES

Protecting packets from tampering by using packet integrity hashing functions such as MD5 and SHA

Protecting against man-in-the-middle attacks by using identity authentication mechanisms such as pre-shared keys or digital certificates

Protecting against replay attacks by using sequence numbers when transmitting protected data

Defining the mechanisms for how data is encapsulated and protected, and how traffic is transmitted between the two devices

Defining which traffic actually needs to be protected
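As an added example (not code from the thesis), the following Python models two of the protections listed above and in section 1.1.2.2: the sender tags each packet with a keyed one-way hash (HMAC-SHA256 over a sequence number plus the payload), and the receiver rejects forged or altered packets and then rejects replays using a sliding window of sequence numbers, the same idea IPSec uses. The shared key, window size and syslog lines are constructed values.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Constructed values (not from the thesis): the key both VPN peers share and
# the size of the anti-replay window.
SHARED_KEY = b"example-pre-shared-key"
WINDOW_SIZE = 32
SEQ = struct.Struct("!I")                 # 32-bit sequence number, network byte order
TAG_LEN = hashlib.sha256().digest_size    # 32-byte HMAC tag


def protect(seq: int, payload: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Sender: seq || payload || HMAC-SHA256(key, seq || payload).
    Only a holder of `key` can produce a tag that verifies."""
    body = SEQ.pack(seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Receiver: verify origin and integrity with the keyed hash, then reject
    sequence numbers already accepted (replay) or older than the window."""

    def __init__(self, key: bytes = SHARED_KEY, window: int = WINDOW_SIZE):
        self.key = key
        self.window = window
        self.highest = 0       # highest sequence number accepted so far
        self.seen = set()      # accepted sequence numbers inside the window

    def accept(self, packet: bytes) -> Tuple[str, Optional[bytes]]:
        if len(packet) < SEQ.size + TAG_LEN:
            return "malformed", None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # constant-time compare; a forged or altered packet fails here
        if not hmac.compare_digest(tag, expected):
            return "bad_hmac", None
        (seq,) = SEQ.unpack_from(body)
        if seq == 0:
            return "replay", None          # 0 is never a valid sequence number
        if seq > self.highest:
            # slide the window forward and forget entries that fell out of it
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.window}
        elif seq <= self.highest - self.window:
            return "too_old", None
        elif seq in self.seen:
            return "replay", None
        self.seen.add(seq)
        return "ok", body[SEQ.size:]


def demo() -> list:
    """Walk through the cases in the text; returns the receiver's verdicts."""
    rx = Receiver()
    p1 = protect(1, b"<34>pix: user admin logged in")   # constructed syslog text
    p2 = protect(2, b"<34>pix: configuration saved")
    altered = bytearray(p2)
    altered[SEQ.size] ^= 0x01                # flip one payload bit: tag no longer matches
    forged = SEQ.pack(3) + b"spoofed" + bytes(TAG_LEN)   # no key, so the tag is just zeros
    return [
        rx.accept(p1)[0],               # ok
        rx.accept(p2)[0],               # ok
        rx.accept(p1)[0],               # replay: seq 1 was already accepted
        rx.accept(bytes(altered))[0],   # bad_hmac
        rx.accept(forged)[0],           # bad_hmac
    ]
```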


As you will see, VPNs take on all of these functions.

Note:

Of course, not every VPN implementation includes all of the components above. How connections are established, protected, maintained, and torn down differs from one VPN solution to another. It is therefore important to use your organization's security policy to determine which VPN technology is best in a given situation. In some cases, more than one VPN solution is deployed on the same network.

1.2.2. VPN connection modes

Before discussing the four VPN types and the three VPN categories, we first look at the two basic connection modes used to move data between devices:

Tunnel mode

Transport mode

If you have worked with IPSec (Internet Protocol Security) before, you are probably familiar with these two terms. VPN technologies other than IPSec may use different terms to describe these two connection modes; here we use IPSec's terminology when discussing VPN issues.

Both modes define the basic encapsulation process used to move data between two entities. People commonly use the word "tunnel" to describe this process; however, we will not use the word tunnel because it has other meanings in VPNs. Instead we use the term "encapsulation" to describe how data is moved between two VPN entities. The next two sections discuss these two connection modes.

1.2.2.1. Transport mode

A transport-mode connection is used between the actual source and destination IP addresses of the devices. Figure 1-3 illustrates the use of transport mode. In this example, the network administrator is concerned about sending syslog messages from the PIX security appliance to the internal syslog server. The administrator decides to use a VPN to protect the syslog messages.


Figure 1-3. VPN types and categories

Because this is a VPN connection between the actual devices exchanging data, transport mode is used. In transport mode, the user data (the UDP segment containing the syslog information) is encapsulated in a VPN packet.

Figure 1-4 shows an example of the encapsulation process used in transport mode. In this example, the PIX creates a UDP segment with the syslog data. The PIX encapsulates the UDP segment in a VPN packet. The VPN encapsulation includes information that helps the destination validate the protection information (and decrypt it, if encryption is used). The VPN information is then encapsulated in an IP packet whose source address is the PIX and whose destination address is the syslog server.

Figure 1-4. Transport mode encapsulation

Note:

With transport mode, if the VPN-protected packet is inspected in an eavesdropping attack, the attacker learns the actual source and destination devices taking part in the communication; of course, if you use encryption as one of the VPN protection methods, the attacker cannot decrypt the actual payload being carried between the VPN devices (in this case, the syslog data).

1.2.2.2. Tunnel mode

The limitation of transport mode is that it does not scale well, because protection is done on a device-by-device basis. Figure 1-3 illustrates a situation in which transport mode would not be a good VPN connection method. In this example, assume that 10 devices at the regional office need to communicate with 10 devices at the corporate office, and assume further that all 10 devices on one side need to communicate with all 10 devices on the far side. Under these assumptions you would need to create nine VPN connections on each device, and with 10 devices on each side, that is 180 connections in total! In other words, you would be working very hard to set up this scenario.

Therefore, if you have many devices at two separate locations that need to talk to each other securely, you would use tunnel mode instead of transport mode. In tunnel mode, the actual source and destination devices generally do not protect the traffic. Instead, some intermediate device is used to protect it. In the earlier example, where the devices at the corporate office and the regional office require protection, the two routers at each location could take on the VPN protection. The devices that provide VPN protection on behalf of each side are commonly called VPN gateways.

Let us look at an example of how tunnel mode works. In this example, an internal device creates a normal IP packet and forwards it to the internal VPN gateway. Assume that the PIX at the regional site (shown in Figure 1-3 earlier) needs to send syslog messages to the syslog server at the corporate site, and that the perimeter routers at the two sites perform the VPN gateway function.

Figure 1-5 shows an example of the encapsulation process used. In the figure, the regional PIX generates a syslog message and encapsulates it in a UDP segment and then in an IP packet, with the PIX's internal address as the source address and the IP address of the corporate syslog server as the destination. When the regional router/VPN gateway receives the syslog IP packet from the regional PIX, the VPN gateway encapsulates the packet with VPN protection information, possibly even encrypting the entire original PIX packet. Next, the VPN gateway places this information in another IP packet, whose source address is the regional office router and whose destination address is the corporate office VPN gateway (in this example, the perimeter router). When the corporate office router receives the protected packet, it verifies the protection and removes it (if you used encryption to protect the packet, the corporate office VPN gateway decrypts it). The syslog server then receives the original IP packet, without knowing (or caring) that the packet was protected for part of its path from the regional PIX appliance to the syslog server.

Figure 1-5. Tunnel mode encapsulation


Tunnel mode offers the following advantages over transport mode:

Scalability: you can choose more suitable devices to perform the protection process, offloading the CPU-intensive protection work.

Flexibility: in general you do not have to change the VPN configuration when you add a new device behind the VPN gateway and want its traffic protected.

Hiding of communications: an attacker eavesdropping on the network between the two VPN gateways knows that traffic is protected between the two gateways, but has no way of knowing whether the VPN gateways are the actual source and destination of the transmission or whether the data is being sent by some other devices.

Use of private addresses: the actual source and destination devices can use public or private addresses, because these are encapsulated in another packet by the VPN gateways.

Use of existing security policies: because the devices use their real IP addresses when communicating with each other, you generally do not have to change any internal security policies you have defined on your firewall and packet-filtering devices.
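To make the transport/tunnel distinction concrete, here is an added Python model (not from the thesis) of the two encapsulations described in sections 1.2.2.1 and 1.2.2.2: the PIX-to-syslog-server packet is built in transport mode, then the same packet is wrapped in tunnel mode by the regional and corporate gateways; an eavesdropper function shows which addresses each mode exposes on the public link, and the gateway side restores the original packet. The addresses, the 4-byte "VPN header" and the XOR stand-in for encryption are constructed simplifications.

```python
import socket
import struct

# Constructed, simplified header layouts (not a real VPN protocol).
IP_HDR = struct.Struct("!BBHHHBBH4s4s")   # minimal IPv4 header, 20 bytes
UDP_HDR = struct.Struct("!HHHH")          # UDP header, 8 bytes
VPN_HDR = struct.Struct("!I")             # stand-in VPN header: one 32-bit tag
PROTO_UDP = 17
PROTO_VPN = 253                            # IANA experimental protocol number
MASK = 0x5A                                # toy XOR stand-in for DES/3DES/AES


def ip_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build an IPv4 packet (checksum left at 0; enough for this model)."""
    total = IP_HDR.size + len(payload)
    hdr = IP_HDR.pack(0x45, 0, total, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def udp_segment(sport: int, dport: int, data: bytes) -> bytes:
    return UDP_HDR.pack(sport, dport, UDP_HDR.size + len(data), 0) + data


def vpn_wrap(inner: bytes) -> bytes:
    """Protection step: VPN header followed by the 'encrypted' inner bytes."""
    return VPN_HDR.pack(1) + bytes(b ^ MASK for b in inner)


def vpn_unwrap(blob: bytes) -> bytes:
    """Reverse of vpn_wrap; a real gateway would also verify a keyed hash here."""
    return bytes(b ^ MASK for b in blob[VPN_HDR.size:])


def transport_mode(src: str, dst: str, segment: bytes) -> bytes:
    """Endpoints protect only the transport segment; their real IP header stays outside."""
    return ip_packet(src, dst, PROTO_VPN, vpn_wrap(segment))


def tunnel_mode(gw_src: str, gw_dst: str, inner_packet: bytes) -> bytes:
    """A gateway protects the whole original IP packet and adds a new outer IP header."""
    return ip_packet(gw_src, gw_dst, PROTO_VPN, vpn_wrap(inner_packet))


def eavesdropper_view(packet: bytes) -> dict:
    """What a sniffer on the public link can read: the outer header only."""
    f = IP_HDR.unpack_from(packet)
    return {"src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]), "proto": f[6]}


def gateway_decapsulate(packet: bytes) -> bytes:
    """Corporate gateway: strip the outer header, remove protection, forward the inner packet."""
    return vpn_unwrap(packet[IP_HDR.size:])


def demo() -> dict:
    syslog = b"<34>Jun 16 2010 pix: user login"      # constructed syslog line
    seg = udp_segment(514, 514, syslog)
    pix, server = "10.1.1.5", "10.0.0.20"              # constructed internal addresses
    regional_gw, corporate_gw = "203.0.113.1", "198.51.100.1"  # constructed public addresses

    # Transport mode: PIX and syslog server protect the UDP segment themselves.
    t = transport_mode(pix, server, seg)
    # Tunnel mode: the PIX sends a plain IP packet; the regional router wraps it.
    inner = ip_packet(pix, server, PROTO_UDP, seg)
    u = tunnel_mode(regional_gw, corporate_gw, inner)
    return {
        "transport_seen": eavesdropper_view(t),   # real hosts exposed
        "tunnel_seen": eavesdropper_view(u),      # only the gateways exposed
        "tunnel_restored": gateway_decapsulate(u) == inner,
        "transport_restored": vpn_unwrap(t[IP_HDR.size:]) == seg,
        "plaintext_leaked": syslog in t or syslog in u,
    }
```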

1.2.3. VPN types

The VPN type describes the kinds of entities that take part in the VPN connection. There are four general VPN types:

Site-to-site VPN

Remote-access VPN

Firewall VPN

User-to-user VPN

Figure 1-3 is used in the following sections to illustrate the four VPN types.

1.2.3.1. Site-to-site VPN

A site-to-site VPN uses tunnel-mode connections between gateways to protect traffic between two or more sites or locations. Site-to-site connections are commonly called LAN-to-LAN (L2L) connections. With an L2L VPN, a central device at each location provides the service of protecting traffic between the sites. This protection process is transparent to the end devices at the two sites.

    Vi Cisco, mt s thit b ng vai tr ca VPN-gateway l:

    VPN 3000 Series Concentrators

  • TM HIU CNG NGH V TRIN KHAI DEMO MNG RING O VPN NM 2010

    SVTH: L NGC DUY 22

    Cc Router IOS-based vi phn mm VPN

    PIX and ASA security appliances

    In Figure 1-3, to set up a protected connection between the regional office and the corporate office, you could use the following configuration:

    At the corporate office, the VPN gateway could be the perimeter router, the PIX, or the VPN Concentrator.

    At the regional office, the VPN gateway could be either the perimeter router or the PIX.

    Note:

    Cisco recommends using routers for L2L VPN solutions; however, this is a very general statement, and many factors need to be weighed before making a decision. As you will see, each type of device has its advantages and disadvantages. For example, here are some basic advantages of one Cisco product line over the others:

    IOS routers have advanced QoS, GRE tunneling, routing, and scalable, advanced L2L VPN features.

    Cisco VPN 3000 Concentrators are easy to set up and troubleshoot.

    PIX Security Appliance firewalls have advanced firewall and security features, including stateful filtering, application filtering, and advanced address translation.

    1.2.3.2. Remote Access VPN

    Remote-access VPNs are generally used for low-bandwidth connections, or for connections between a single user device, such as a PC or a small-office/home-office (SOHO) hardware client (a Cisco VPN 3000 hardware client, a low-end PIX appliance, or a low-end IOS-based router), and a VPN gateway. Remote-access VPNs generally use tunnel mode for their connections. At first this may seem odd, given that one device is a VPN gateway and the other is not. However, if you think about how a transport-mode connection works, where the protected data travels between the real source and destination devices, a remote-access connection does not fit that model. With remote access, traffic needs to be protected from the source to some intermediate device, which verifies the protected information (and decrypts it if it was encrypted). The real destination receives the information unprotected. To accomplish this, tunnel mode is used.


    With remote access, the VPN endpoint, or client, connecting to the VPN gateway needs two IP addresses: one for its NIC and one internal address; the internal address is sometimes called a virtual, logical, or assigned IP address.

    Figure 1-6 shows an example of a remote-access connection. In this example, a home user is using a PC to connect to the corporate office through a VPN gateway, which is a VPN 3000 Concentrator. The ISP uses DHCP to assign an IP address to the NIC on the user's PC. The second address is needed for communicating with devices at the corporate office and must be protected; this is the internal address, which is sometimes assigned manually by the user or, more commonly, obtained from the VPN gateway during VPN session setup. Typically the IP address comes from a central-site DHCP server or from a locally defined address pool. When the remote-access client wants to send information to a device behind the VPN gateway at the corporate office, such as a web server, the client creates an IP packet whose source IP address is the internal IP address and whose destination IP address is the device on the corporate-office network. This packet is then encapsulated and protected with VPN information, and an outer IP header is added. In the outer IP header, the source address is the ISP-assigned NIC address of the remote-access user and the destination address is the VPN gateway. The VPN gateway, on receiving the protected packet, verifies the protection, decrypts the encapsulated packet (if necessary), and forwards the encapsulated IP packet to the internal device in the organization.

    Figure 1-6. Remote access example


    Because the internal address is protected (and you are using tunnel mode), you can easily make the remote-access client appear to be an extension of the corporate office network. For example, if the corporate office is using the address space 172.16.0.0/16, as shown in Figure 1-6, you can have the client use an internal address from the pool 172.16.254.0/24, making it appear to the client as though it is connected to the 172.16.0.0/16 network. From the perspective of devices at the corporate office, the remote-access client appears to be directly attached to the 172.16.0.0/16 network; in reality, however, the client may be many hops away from the corporate office, as illustrated in Figure 1-6.

    Note:

    Cisco recommends that you use the Cisco VPN 3000 Series Concentrator as the VPN gateway for remote-access connections. When comparing the 3000 Series Concentrators with Cisco routers or PIX or ASA Security Appliances as a remote-access VPN gateway solution, it is much easier to set up and troubleshoot remote-access connections on the Concentrators. However, if only a small number of users need remote-access connections, a PIX or ASA appliance or an IOS router should be used. When the number of users grows large, a Concentrator should be used. And if advanced QoS features are needed, a router should be used, because the Concentrator lacks these features.

    1.2.3.3. Firewall VPN

    A firewall VPN is generally an L2L or remote-access VPN enhanced with added security and firewall functions. Firewall VPNs are basically used when one side of the VPN connection needs enhanced security and firewall functions based on its organization's security policy.

    Some of the security or firewall functions performed by a firewall VPN include the following:

    Stateful filtering

    Application-layer filtering

    Advanced address translation policies

    Addressing issues with problematic protocols such as multimedia and voice

    Apart from the functions listed above, a firewall VPN is essentially the same as an L2L or remote-access VPN. If you are using Cisco equipment to deploy a firewall VPN, the VPN gateway will basically be a PIX or ASA security appliance.


    1.2.3.4. User-to-User VPN

    A user-to-user VPN is generally a transport-mode VPN connection between two devices. The two devices might be a PIX and a syslog server, a router and a TFTP server, a user using Telnet to access a Cisco router, or many other pairs.

    Note:

    Cisco does not officially regard user-to-user as a VPN type.

    1.2.4. VPN Classes

    There are three basic VPN classes, which describe where the VPN is used:

    Intranet

    Extranet

    Internet

    Figure 1-3 illustrates what these terms describe when used in conjunction with VPNs.

    1.2.4.1. Intranet

    An intranet VPN connects resources of the same organization across that organization's own infrastructure. Here are some simple examples of intranet VPN connections:

    A transport-mode connection within the organization's infrastructure, such as a VPN between two devices (a router sending traffic to a syslog server, a PIX backing up its configuration file to a TFTP server, or a user using Telnet to a Catalyst 3550 switch)

    A tunnel-mode connection between two different locations within the company's infrastructure, such as a VPN between two offices across a private Frame Relay or private ATM network

    1.2.4.2. Extranet

    An extranet VPN connects resources of one organization to another organization, such as a business partner. Extranet VPNs are basically L2L connections, but they can be other connection types as well. An example of an extranet is a company that has an outside branch performing office functions and sets up a VPN to provide a secure connection from the company office to that outside branch.

    1.2.4.3. Internet

    An Internet VPN uses a public network as the backbone to carry VPN traffic between devices. For example, you could use the Internet to connect two sites together (an L2L connection), or have telecommuters use their ISPs to set up VPN connections to the organization's network (remote-access connections).

    Note:

    Remember that all four VPN types are supported by the three VPN classes. Which one to use depends on your needs and your organization's security policy.


    Chapter 2. TECHNIQUES USED IN VPNs

    Before discussing IPSec, we first need to understand the techniques that VPNs use to provide traffic protection. Terms such as key, DES, 3DES, MD5, and pre-shared key are used very often in VPNs. A thorough understanding of these protocols, algorithms, functions, and processes helps identify the pros and cons of each VPN technique. This information (pros and cons) is used to choose the optimal VPN option based on the techniques used to protect traffic.

    This chapter clarifies these matters in turn through the following sections: Keys, Encryption, Packet Authentication, Key Exchange, and Authentication Methods.

    2.1. Keys

    The term key is used very often in everyday life. A key is defined as a tool that opens a locked door behind which things are kept secret from those who do not have the key. In the data world, the term key has a similar meaning. Keys are used to protect information in many different ways. For instance, a data key performs a function like a password protecting a user account, or a Personal Identification Number (PIN) used with an ATM card to access a bank account. Usually, the longer the key, the safer the protection; however, this is not entirely true. The following three sections discuss how keys are used and the two kinds of keying algorithms: symmetric and asymmetric.

    2.1.1. Using Keys

    In network security, keys serve a multi-function process. For example, keys are used for the following three VPN functions:

    Encryption

    Packet integrity checking

    Authentication

    There are two basic kinds of keys:

    Symmetric

    Asymmetric

    The following sections say more about these two kinds of keys.


    2.1.2. Symmetric Keys

    Symmetric keying uses the same single key to provide the security function that protects the information. For example, a symmetric-key encryption algorithm uses the same key to encrypt and decrypt information. Because the same key is used to create and verify the protection, the algorithm used is quite simple and therefore very efficient. Symmetric algorithms, such as symmetric encryption algorithms, therefore usually work very quickly.

    Because symmetric keys are very efficient and fast, they are commonly used for encryption and packet integrity checking. Some algorithms and standards that use symmetric keys are DES, 3DES, CAST, IDEA, RC-4, RC-6, Skipjack, and AES. MD5 and SHA are examples of hashing functions that use symmetric keys.

    There is a problem, however: with symmetric keys, the two parties that protect data in some way must both have the same key value. For example, if two devices, RouterA and RouterB, both perform DES encryption, and RouterA generates the symmetric key for DES, RouterB needs that same key value to decrypt the information RouterA sends it. There are two basic ways to do this:

    Pre-sharing the key: The key can be shared out-of-band beforehand between the devices of the two parties.

    Using a secure connection: You can either use an existing protected connection to send the key, or create a new protected connection to send the key.

    The second method runs into a catch-22: to have a secure connection, we need a key; and to share the key, we need a secure connection. Pre-sharing keys does not scale well. The Key Exchange section discusses how to share keys dynamically and securely between two devices without resorting to manual pre-sharing.

    2.1.3. Asymmetric Keys

    Unlike symmetric keying, which uses the same key to create and verify the protection of information, asymmetric keying uses two keys:

    Private key

    Public key

    The private key is kept secret by the originating party and is never shared. The public key, by contrast, is shared with other parties. The values of the two keys cannot be chosen at random; instead, a special algorithm is used to generate the keys, because they need a symbiotic relationship to provide the protection.

    Asymmetric keys are used for the following two basic security functions:

    Encryption

    Authentication

    The next two sections discuss each of these functions, the advantages and disadvantages of asymmetric keys, and examples of the use of asymmetric keys.

    2.1.3.1. Asymmetric Keys and Encryption

    Asymmetric keys can be used to encrypt data. In many cases, the first device creates a public/private key combination. That device, call it RouterA, then sends the public key to the remote end, RouterB. RouterB uses the public key to encrypt any data it needs to send to RouterA. With asymmetric keys, only the private key that has the symbiotic relationship with the public key can decrypt the information; therefore, RouterA uses its private key to decrypt the information.

    Likewise, for RouterA to send data to RouterB, RouterB generates another public/private key pair and shares its public key with RouterA. RouterA then uses this second public key to encrypt the data it sends to RouterB, and RouterB uses its private key to decrypt the data.

    As you can see in this example, even if an attacker eavesdrops on the data and sees the public key, he still cannot read the data, because he does not have the private key needed to decrypt it, and the private key is never shared between the two parties (RouterA and RouterB).

    2.1.3.2. Asymmetric Keys and Authentication

    Besides encryption, asymmetric keys can also be used for the authentication function. Figure 2-1 illustrates the use of asymmetric keys for authentication, where RouterA needs to prove its identity to RouterB.


    Figure 2-1. Asymmetric keys and authentication

    The following happens in the figure:

    Step 1. RouterA generates a public/private key combination.

    Step 2. RouterA shares its public key with RouterB.

    Step 3. RouterA takes identity information about itself (its name) and encrypts it with its private key.

    Step 4. RouterA sends both the clear-text identity information and the encrypted identity information to RouterB.

    Step 5. RouterB decrypts the encrypted identity information and compares it with the clear-text identity information RouterA sent.

    Step 6. If RouterB's comparison of the clear-text identity information and the decrypted information is a match, RouterB can be sure that RouterA performed the encryption.


    In the Figure 2-1 example, the private key used for the encryption is never shared (it is kept secret). The public key is shared and is used to verify the encrypted identity information, commonly called a digital signature, which was created with the related private key.

    One issue with this authentication method is the man-in-the-middle attack, where someone other than RouterA generates the public/private key pair and masquerades as RouterA. This can be overcome by pre-sharing RouterA's public key (out-of-band) with RouterB. This is discussed further in the Digital Certificates section.
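    The exchange of Figure 2-1, as an added example that is not part of the original text: RouterA signs its identity with its private key, sends the clear-text and encrypted identity, and RouterB checks them against RouterA's public key, which it received out-of-band beforehand. The RSA arithmetic, the two fixed primes, and the names RouterA/impostor are my own constructed assumptions; the key sizes are tiny and for illustration only.

```python
"""Added example (not from the original document): the asymmetric-key
authentication steps of Figure 2-1, modelled with textbook RSA.

Assumptions (mine): the primes below are constructed for illustration and
are far too small for real use; RouterB holds RouterA's public key from an
out-of-band pre-share, which is what defeats the man-in-the-middle case.
"""
from math import gcd

# Constructed parameters: two primes and the usual public exponent.
P = 1_000_000_007
Q = 1_000_000_009
E = 65537


def generate_keypair(p=P, q=Q, e=E):
    """Step 1: build a public/private key combination.

    The private exponent d is derived from p and q, which is the
    'symbiotic relationship' between the two keys described in the text.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)        # (public key, private key)


def sign_identity(identity: bytes, private_key) -> int:
    """Step 3: encrypt the identity with the private key; this value is
    the digital signature. The identity must be shorter than the modulus."""
    n, d = private_key
    m = int.from_bytes(identity, "big")
    if m >= n:
        raise ValueError("identity too long for this toy modulus")
    return pow(m, d, n)


def verify_identity(identity: bytes, signature: int, public_key) -> bool:
    """Steps 5-6: decrypt the signature with the public key and compare
    the result with the clear-text identity sent alongside it."""
    n, e = public_key
    recovered = pow(signature, e, n)
    return recovered == int.from_bytes(identity, "big")


def router_b_authenticates(pre_shared_public_key, message) -> bool:
    """RouterB's side: 'message' is the (clear-text identity, signature)
    pair from Step 4; the public key came from the out-of-band pre-share."""
    identity, signature = message
    return verify_identity(identity, signature, pre_shared_public_key)


def demo():
    """Return (genuine_accepted, impostor_accepted) for the two cases."""
    # Step 2: RouterA's public key is given to RouterB out-of-band.
    pub_a, priv_a = generate_keypair()
    # Steps 3-4: RouterA sends clear-text identity plus its signature.
    msg_from_a = (b"RouterA", sign_identity(b"RouterA", priv_a))
    genuine = router_b_authenticates(pub_a, msg_from_a)

    # Man-in-the-middle case from the text: an impostor with its own key
    # pair claims to be RouterA. RouterB checks against the pre-shared
    # public key, so the impostor's signature does not decrypt to the
    # claimed identity and is rejected.
    pub_x, priv_x = generate_keypair(p=998_244_353, q=1_000_000_007)
    msg_from_x = (b"RouterA", sign_identity(b"RouterA", priv_x))
    impostor = router_b_authenticates(pub_a, msg_from_x)
    return genuine, impostor
```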

    2.1.3.3. Advantages and Disadvantages of Asymmetric Keys

    Asymmetric keys have several advantages over symmetric keys. First, by using large prime numbers, the protection process is more secure than with symmetric keys. A prime number is an integer that is not divisible by any integer other than 1 and itself. Two large prime numbers are multiplied together, with one further input, to generate the public and private keys.

    Today no known method can work out the exact number needed to break the encryption in a reasonable amount of time, unlike with symmetric keys. For example, if you multiply two large numbers such as 34,555 and 88,333, you can easily produce the result 3,052,346,815. However, given only the product 3,052,346,815, you could spend your whole life trying to work out which two numbers produced it (the exact public and private keys) and still not succeed. That is the beauty of asymmetric keys, and it explains two things: first, most asymmetric-key algorithms rely on this computational process; second, an attacker would need to know both the private key and the public key to break the security, but the private key is never shared with any party.

    In practice, most algorithms could use asymmetric keys for their security functions. The catch is that asymmetric keying is much slower than symmetric keying at performing security functions, by a factor of about 1,500! For this reason, symmetric keys are preferred for encrypting data, while asymmetric keys tend to be used for authentication or for sharing keys (for example, symmetric keys) across an unprotected network.

    2.1.3.4. Examples of Asymmetric Keys

    Here are some examples of standards and algorithms that use asymmetric keys:

    RSA public keying: used for the authentication function, generating digital signatures, and for encryption. RSA stands for Rivest, Shamir, and Adleman (Ronald Rivest, Adi Shamir, and Len Adleman), the professors of the Massachusetts Institute of Technology who developed this process. RSA keys are commonly used with the digital signatures in certificates. RSA supports key lengths of 512, 768, and 1,024 bits, and even larger.

    Digital Signature Algorithm (DSA): Like RSA, DSA is used to generate signatures for the authentication function, for example in certificates; it is generally not used for the encryption function.

    Diffie-Hellman (DH): used by the Internet Key Exchange (IKE) protocol in IPSec to exchange keying information securely between IPSec devices. DH is discussed further in the Diffie-Hellman section.

    Key Exchange Algorithm (KEA): an enhanced version of DH.

    2.2. Encryption

    Encryption is the process of transforming data into a form that cannot be deciphered without knowledge of the key or keys used to encrypt the data. Depending on the encryption algorithm, symmetric or asymmetric keys are used.

    This section covers the following topics:

    Encryption process

    Encryption algorithms

    2.2.1. Encryption Process

    The kind of key used affects how encryption is performed. For example, if a symmetric-key algorithm is used, the data is encrypted and decrypted with the same key. On the other hand, with an asymmetric-key algorithm, the public key is used to encrypt the data and the corresponding private key is used to decrypt it. We already know the advantage of asymmetric-key encryption: the public key can easily be shared across the network so that a remote device can use it to encrypt data for us. Even if an attacker sees the public key, it does him no good, because only the corresponding private key can decrypt the data.

    However, because the complexity of the encryption/decryption algorithm makes encryption with asymmetric keys very slow, asymmetric keys are basically reserved for identity authentication and key sharing, while symmetric keys are used for data encryption. For this reason, the following sections focus only on encryption algorithms that use symmetric keys.

    Note:

    VPN devices, especially VPN gateways, commonly offload the encryption processes to a hardware module to speed up encryption and decryption of packets.

    One main problem with symmetric encryption algorithms is that the same key must be used at both the source and the destination. Sharing the key can be problematic. If you send the key across the network to the other side, an eavesdropping attacker can see the key and can therefore decrypt the messages. You could pre-share the key, but managing when to change keys to strengthen security causes many headaches. The Key Exchange section examines this problem in more depth.

    2.2.2. Encryption Algorithms

    Many algorithms have been developed that use symmetric keys. These algorithms include the following:

    Data Encryption Standard (DES): DES was developed by NIST (National Institute of Standards and Technology). DES uses a 56-bit key structure; it is quite popular, but weak compared with today's symmetric-key standards.

    Triple DES (3DES): 3DES is an enhancement of DES that basically applies DES three times, with three different keys, to the data to be protected. Because 3DES uses a 56-bit key three times, it is usually considered to have a 168-bit key structure. 3DES is much stronger than DES, but slower.

    Advanced Encryption Standard (AES): AES was designed to replace 3DES, providing faster and more secure encryption.

    CAST: similar to DES, using a 128- or 256-bit key structure. It is less secure than 3DES but faster.

    International Data Encryption Algorithm (IDEA): developed at the Swiss Institute of Technology. It uses a 128-bit key structure; its security level lies between CAST and 3DES, but like those two algorithms it is not the fastest.

    RC-6 and RC-4: RC-6 was developed by RSA Laboratories. It offers variable key lengths of up to 2,040 bits (RC-6). One of the popular RC algorithms is RC-4, which offers 40-bit and 128-bit keys. Some VPN technologies, such as PPTP, support it, as do web browsers using SSL. RC-4 encryption/decryption is usually faster than 3DES in both hardware and software, but less secure.

    Skipjack: developed by the National Security Agency (NSA). It uses an 80-bit key structure.


    The following sections discuss some of the algorithms commonly used in VPN deployments.

    2.2.3. DES and 3DES Algorithms

    DES and 3DES are very well-known algorithms used in VPN deployments. DES, originally named Lucifer, was developed at IBM in the early 1970s. The NSA and NIST modified Lucifer, producing DES, a federal standard defined in FIPS 46-3 and ANSI X9.32.

    DES is a block cipher: it takes a fixed-length block of data and transforms it into an encrypted block of the same fixed length using a symmetric key. The key length is 64 bits, but because 8 bits are used for parity, the effective key length is 56 bits. Decryption applies the reverse process to the encrypted block with the same symmetric key, producing the original clear-text block.

    No easy method of breaking DES has been found to date; however, with a brute-force approach, the key can be guessed by trying 2^55 possible key values. There are other ways of breaking DES encryption, but brute force has proven to be the best choice. For example, DES was broken in 1998 by a supercomputer in 56 hours, and broken again in 1999 in 22 hours by a distributed network of computers. On top of this, specialized hardware devices can be built to break DES even faster, in under 1 hour.

    Because computers became more powerful during the 1980s and 1990s, and because DES was shown to be breakable in a reasonable amount of time, NIST created 3DES in 1999. 3DES is basically an enhanced version of DES. 3DES applies DES three times and is more secure. DES is applied three times with three different 56-bit keys, producing an effective key length of 168 bits. Given that no successful attack has yet broken 3DES, 3DES is adequate for most applications. No computer today has broken 3DES by brute force.

    Note:

    3DES is generally 168-bit, although it can be used more efficiently with the same 112-bit key applied twice. Some vendors do not use a unique third key, yet still call their implementation 3DES. 3DES is slow in software, but there is a clear difference in speed when it is implemented in hardware.


    DES and 3DES have the following advantages:

    Both use symmetric keys, making them much faster at encryption than asymmetric-key encryption algorithms.

    Both are easy to implement in both hardware and software compared with other encryption algorithms.

    DES and 3DES have the following disadvantages:

    Because both use symmetric keys, sharing the key is a problem when the two devices are separated by a public network. Asymmetric encryption algorithms do not have this problem.

    Newer encryption algorithms, some still under development, are faster and more secure than 3DES, for example AES, RC-6, and Blowfish.

    2.2.4. AES Algorithm

    Recognizing that computing power would eventually catch up with 3DES and make breaking it feasible, NIST replaced DES and 3DES with AES (Advanced Encryption Standard) in 2002. AES is more secure than 3DES and is expected to remain useful for roughly 10 to 20 years, based on the historical growth of computing power.

    There was a contest over which encryption algorithm would replace 3DES: Twofish or Rijndael. Twofish is an enhanced version of the Blowfish algorithm. It can use keys of up to 448 bits, uses very little memory, and is very fast; however, its cipher structure is very complex, making it difficult to analyze and to determine how hard or easy it is to break. Rijndael uses key lengths of 128, 192, and 256 bits, and block sizes of 128, 192, and 256 bits. It is very flexible and easy to implement. Rijndael won the contest and is now known as AES.

    AES is a symmetric block cipher supporting key lengths of 128, 192, and 256 bits. It consists of four stages in one round, and the round is repeated 10 times for a 128-bit key, 12 times for a 192-bit key, and 14 times for a 256-bit key. At first you might think this would be a much more complex process compared with 3DES, but because AES is written efficiently, it consumes less CPU. In addition, when larger key sizes are used, the number of rounds increases by only 2 for each step up in key size. Therefore, there is no linear relationship between the key size and the CPU cycles needed to perform encryption. In practice, processing cycles grow only slowly as the key size grows, achieving better security without sacrificing performance. Many VPN deployments, such as IPSec, are moving toward using AES to provide data encryption.

    2.3. Packet Authentication

    Packet authentication is used for the following two purposes:

    Providing authentication of the packet's origin

    Detecting forged packets

    The following sections discuss how authentication works (implementation), examples of the functions used in authentication, how authentication is used, and the issues with authentication.

    2.3.1. Implementing Packet Authentication

    A hashing function is used to create a digital signature by taking variable-length input, such as user data or a packet, together with a key, and feeding it into the hashing function. The output is a fixed-length result. If the same input is given to the hashing function, it always produces the same output.

    Hashed Message Authentication Codes (HMAC) are a subset of hashing functions. HMAC functions were developed specifically to deal with data and packet authentication problems. HMAC uses a shared secret symmetric key to create a fixed-length output, called a digital signature or fingerprint. Plain hashing functions have one limitation: if an eavesdropping attacker can intercept the data being sent, he can easily generate a signature for his own data and send the doctored information to you. HMAC overcomes this limitation by using the shared secret key to create the digital signature; therefore, only parties that know the key can create and verify a signature for the data being sent.

    Note:

    With an HMAC function, if the same data and the same secret key are used to generate a signature, they always produce the same signature; if either the data or the key value changes, the resulting signature changes.

    Two examples of HMAC functions are MD5 and SHA, discussed further in the next two sections. The basic characteristics of HMAC functions are shown in Figure 2-2. The steps in Figure 2-2 are explained as follows:

    Step 1. The source takes the data to be protected and a key, which is shared with the destination, and runs them through an HMAC function.

    Step 2. The output of the HMAC function is a digital signature or fingerprint. In IPSec VPNs this is also called the Integrity Checksum Value (ICV).

    Step 3. The source then takes the data originally fed into the HMAC function and sends it, together with the digital signature, to the destination.

    Step 4. The destination uses the same process to verify the signature: it takes the data sent by the source, together with the shared key, as input to the same HMAC function, producing a second signature.

    Step 5. The destination then compares the signature sent by the source with the signature it just computed. If they match, the destination accepts that the data came from the source. An HMAC function is a one-way process: the process cannot be reverse-engineered. If, on the other hand, the two signatures differ, the destination concludes that the data was tampered with (either by an attacker or by accident) and discards it.

    Figure 2-2. Creating and verifying an HMAC signature


    Many VPN implementations use HMAC functions to verify that packet contents have not been tampered with, for example the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols of IPSec. The next two sections discuss the most common HMAC functions: MD5 and SHA.

    2.3.1.1. MD5 HMAC Function

    Message Digest 5 (MD5) was developed by Ronald Rivest in 1994. The theory behind MD5 is in IETF RFC 1321. MD5 produces a 128-bit (16-byte) signature. It is fast but less secure than SHA. MD5 is the most popular HMAC function used in the security market today. You can see MD5 in use in CHAP (PPP's Challenge Handshake Authentication Protocol) and in routing protocol authentication for protocols such as BGP (Border Gateway Protocol), EIGRP (Enhanced Interior Gateway Routing Protocol), IS-IS (Intermediate System-to-Intermediate System), OSPF (Open Shortest Path First), and RIP version 2 (Routing Information Protocol).

    2.3.1.2. SHA HMAC Function

    The Secure Hash Algorithm (SHA) was developed by NIST and standardized in SHS FIPS 180. SHA-1 was released in 1994. It is described in detail in the ANSI X9.30 standard. The use of SHA-1 in IPSec VPNs is described in RFC 2404. SHA-1 produces a 160-bit (20-byte) signature. SHA-1 is slower than MD5 but more secure; because its signature is larger, it is more robust against brute-force attacks, the kind of attack aimed at discovering the shared secret key.

    Note:

    In early 2005, a group of researchers showed that it is possible to produce the same MD5 signature from different inputs; they created what is called a collision. This raises security concerns, because it is now entirely possible, with MD5, to produce false signatures in a very small proportion of cases. For this reason most vendors use SHA. However, there are reports showing that the current version of SHA also suffers from the problem described above. VPN implementations are not much affected, but applications are another matter. Because of this security problem, SHA-256 and SHA-512 were developed, producing longer signatures (256-bit and 512-bit) than MD5 and SHA.

    2.3.2. Using Packet Authentication

    As a destination device, how can you verify that the packets sent to you come from a trusted, verified source rather than from an attacker? HMAC functions can be used for this verification process. We use packet authentication, through HMAC functions such as MD5 and SHA, to verify that a packet was sent by a trusted source and that it was not altered in transit.

    As a simple example of using these functions for the authentication process, consider authentication with a routing protocol. A router administrator uses a dynamic routing protocol and receives routing updates from a legitimate source. You do not want an attacker to alter your routing table by sending your router false routing information.

    With HMAC functions, you can provide both verification and authentication. With a routing protocol, the router can take the routing information it wants to send to a neighboring router, together with the HMAC symmetric key, and run it through an HMAC function, producing a packet signature. The original routing information and the packet signature are sent to the neighboring router. The neighboring router then takes the routing information it was sent and the shared HMAC key and runs them through the same HMAC function. If the computed packet signature matches the one the source sent, the neighboring router accepts one thing: since the same key was used to create and verify the signature, the routing update must have come from a trusted source. HMAC functions provide the same benefit to VPN implementations and other applications as they do to routing protocol authentication.

    One question that arises is: why is packet authentication needed if encryption is used? For example, it is clear that the data can only be decrypted successfully if the destination has the key that was used to set up the encryption. But even if that is true, two problems remain. First, after decrypting the information, we still need to verify whether the information is forged. Second, a hacker can exploit this process by using bogus packets to trick the device into wasting CPU on the decryption process.

    Hashing functions consume very few CPU resources to create and verify digital signatures (hash output). They are therefore more efficient. The following are the steps that take place in protecting information between source and destination in a VPN deployment, as shown in Figure 2-3.

    Step 1. The source encrypts the data with the encryption key and an encryption algorithm.

    Step 2. The source takes the encrypted data and the hashing key and feeds them to the HMAC function, producing the packet signature.

    Step 3. The source sends the encrypted data and the packet signature to the destination.

    Step 4. The destination takes the received encrypted data, together with the hashing key, and runs them through the same HMAC function as the source.


    Step 5. The destination compares the computed signature with the received signature.

    Step 6. If the computed signature matches the signature received from the source, the packet was not tampered with, so the destination decrypts the encrypted data using the encryption key; otherwise the destination concludes that the packet was tampered with and discards the data.

    Figure 2-3. Protection steps

    2.3.3. Packet Authentication Issues

    There are three main issues in using HMAC functions:

    How the shared secret key is shared between the two ends

    The effect of address translation devices on the data signature created by the HMAC function

    How VPNs implement HMAC functions

    The following three sections discuss these issues in more detail.

    2.3.3.1. Sharing the HMAC Secret Key

    HMAC functions have more than one problem, and this is one of them: both devices sharing and protecting data need the same key. Somehow the symmetric key for the HMAC function the two devices are using must be shared between them. Of course, if you send the shared key across a public network, the key is exposed to eavesdropping attacks.

    One option is to hard-code the key on both devices; however, this option does not scale well in large networks where the security policy dictates that keys be changed periodically. Another option is to use an existing encrypted connection to share the key. This option assumes that an encrypted connection already exists between the two ends. The Key Exchange section explores this issue in more depth.

    2.3.3.2. Sending Data and HMAC Signatures Through Translation Devices

    Another problem with HMAC functions and digital signatures is that your signature can be invalidated by intermediate devices. For example, an address translation device performing network address translation (NAT) or port address translation (PAT) changes the header of the IP packet or the TCP/UDP segment. If those fields are part of the data fed into the HMAC function, and they are changed by the translation device, the original digital signature no longer matches, and the destination will assume that the packet was tampered with. Further, intermediate devices may change the quality of service (QoS) information in the packet header.

    One solution is not to include every field of the packet when computing the digital signature with the HMAC function; for example, include only the user data, or only those packet or segment header fields that you know will not be changed by intermediate devices. Basically, you must exclude every field that might be changed. These fields include the IP address fields, the time-to-live (TTL) field, the type of service (TOS) field, the TCP or UDP port number fields, and some other specific fields.

    2.3.3.3. Using HMAC Functions in VPN Implementations

    Although HMAC functions are commonly used for authentication and integrity checking, an issue arises when they are deployed in VPNs. We will use IPSec as an example, with one of its security protocols: AH (Authentication Header). AH supports two HMAC functions: MD5 and SHA-1.

    Suppose AH needs to protect 200 bytes of data with SHA-1. SHA-1 produces a 160-bit signature, which is 20 bytes. The added signature increases the transmitted data by 10%, assuming an average packet size of 200 bytes. AH can use either MD5 or SHA-1, which would make the AH packet length variable, since MD5 adds 16 bytes and SHA-1 adds 20 bytes. IPSec's answer is a fixed 12-byte signature field, meaning that AH and ESP use only the first 12 bytes of the signature regardless of whether MD5 or SHA-1 is used.

    This is a problem because if only part of the hash output is used as the signature, an attacker has many more opportunities to find data that produces the same partial signature. For example, with a 16-byte MD5 signature there are 2^128 different possibilities when searching for a message that produces the same signature (a collision). If you decided to use only the first 8 bytes of the MD5 signature to reduce its effective size, there would be 2^64 possibilities. Because IPsec's AH and ESP use 12 bytes for the signature, an attacker would have to try 2^96 possibilities to find such a message.

    Furthermore, because IPsec does not use all the bits of the signature, there is a small but real chance that corrupted data is not detected. In addition, when you receive the data, all you can do is accept the signature and assume that the (possibly corrupted) data is valid.

    Warning:

    Just because a VPN is said to support a security feature, for example AH and ESP offering MD5 and SHA, or 3DES using three different keys, does not mean that it implements the feature the way you expect. In the case of AH and ESP, they truncate the MD5 and SHA-1 signatures to a fixed 12 bytes, reducing the inherent security of MD5 and SHA-1.
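    As an added example (not code from the thesis), the following Python shows both points of 2.3.3.2 and 2.3.3.3 together: an AH-style HMAC that blanks the header fields the text lists as changeable in transit, so that the tag survives a NAT rewrite and TTL decrements but still catches a change to the payload, truncated to the 12 bytes AH and ESP keep. The IPv4 header layout is the real one; the key, the addresses, the 200-byte payload and the NAT/TTL changes are constructed, and blanking the addresses follows the text's suggestion rather than AH itself (AH covers the addresses, which is why AH does not survive NAT).

```python
import hmac
import struct

# Added example, not the thesis's code. Header layout is real IPv4; the key, the
# addresses, the 200-byte payload and the NAT/TTL changes are constructed.
ICV_LEN = 12  # AH and ESP keep only the first 96 bits (12 bytes) of the HMAC output

def build_ipv4_header(src, dst, ttl=64, tos=0, total_len=244):
    """20-byte IPv4 header without options; checksum left at zero. Protocol 51 = AH.
    total_len 244 = 20 (IP) + 24 (AH with 12-byte ICV) + 200 (payload)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0x1234, 0,
                       ttl, 51, 0, src, dst)

def zero_mutable_fields(ip_header):
    """Blank every field the text lists as changeable in transit: TOS, flags and
    fragment offset, TTL, header checksum and both addresses (NAT). Real AH
    covers the addresses, which is exactly why AH does not survive NAT."""
    h = bytearray(ip_header)
    h[1] = 0                  # TOS
    h[6:8] = bytes(2)         # flags / fragment offset
    h[8] = 0                  # TTL
    h[10:12] = bytes(2)       # header checksum
    h[12:20] = bytes(8)       # source and destination address
    return bytes(h)

def compute_icv(key, ip_header, payload, algo):
    """HMAC over the immutable header fields plus payload, truncated like AH/ESP."""
    full = hmac.new(key, zero_mutable_fields(ip_header) + payload, algo).digest()
    return full[:ICV_LEN], len(full)

def verify_icv(key, ip_header, payload, icv, algo):
    expected, _ = compute_icv(key, ip_header, payload, algo)
    return hmac.compare_digest(expected, icv)   # constant-time compare of the tags

def demo(algo="sha1"):
    key = b"constructed pre-shared HMAC key"
    payload = bytes(range(200))                   # the 200-byte packet from the text
    src, dst = bytes([10, 1, 1, 5]), bytes([192, 0, 2, 10])
    sent = build_ipv4_header(src, dst, ttl=64)
    icv, full_len = compute_icv(key, sent, payload, algo)
    # On the path a NAT rewrites the source address and three hops decrement the TTL.
    arrived = build_ipv4_header(bytes([203, 0, 113, 7]), dst, ttl=61)
    ok_after_nat = verify_icv(key, arrived, payload, icv, algo)
    # A change to the protected payload must still be detected.
    tampered = payload[:-1] + bytes([payload[-1] ^ 0x01])
    ok_tampered = verify_icv(key, arrived, tampered, icv, algo)
    return {"algo": algo, "full_digest_bytes": full_len, "icv_bytes": len(icv),
            "overhead_pct": 100 * full_len / len(payload),
            "verified_after_nat": ok_after_nat, "tampered_detected": not ok_tampered}
```

    Running demo("sha1") and demo("md5") reproduces the 20-byte (10%) and 16-byte full digests from the text, both cut to the same 12-byte ICV on the wire.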

    2.4. Key exchange

    This section explores the key-sharing process and the possible solutions:

    The key-sharing dilemma

    Diffie-Hellman

    Key refreshing

    Limitations of key exchange methods

    2.4.1. The key-sharing dilemma

    Here is a simple example that illustrates the key-sharing problem of symmetric key algorithms and functions. Suppose you want to protect financial data between two devices, PeerA and PeerB, and you want to encrypt this information with a particular symmetric encryption algorithm. PeerA decides that the encryption key will be "If you can guess this key, you win a lollipop!". The problem now is getting this key to PeerB so that it can successfully decrypt the financial data.


    2.4.1.1. Pre-sharing the key

    One solution is to take the key from PeerA and share it out-of-band with PeerB. For example, you could copy the key to a floppy disk, or write it on a piece of paper, and mail it to PeerB. Or you could call PeerB and tell him the key over the phone. Both cases count as out-of-band sharing, meaning that the key is not shared directly across the data network.

    The downside of pre-sharing keys is that it does not scale well. For example, if you have 100 peers and need to share keys with them, the job takes a great deal of time. At a minimum, you will want to change the key whenever an employee who knows the pre-shared key leaves the company. Moreover, you will want to change the key periodically to make your encryption more secure, reducing the chance that your encryption key is compromised. If your security policy requires you to change the encryption key every hour, this solution is not feasible because of the delay of out-of-band key delivery between the two peers.

    2.4.1.2. Using a truly encrypted connection

    If you share the encryption key in-band with PeerB, for example by using Telnet to access PeerB, the key is vulnerable to eavesdropping. One solution is to use a truly encrypted connection. You could use a secure program such as SSH to do this; however, you first need another secure connection to share the SSH key (in order to build the secure SSH channel). This is called a catch-22.

    2.4.1.3. Encrypting the key with an asymmetric key algorithm

    The way to solve the symmetric key-sharing problem is to use asymmetric encryption. As noted in the Asymmetric keys section, it uses two keys: a public key and a private key. The two keys are mathematically related because a special algorithm generates them together. When used for encryption, each peer generates a public/private key pair. Each peer then shares its public key with the other. When PeerA wants to send traffic to PeerB, PeerA uses PeerB's public key to encrypt the data and then sends it to PeerB. When PeerB receives PeerA's data, it uses its own private key to decrypt it.

    In the financial-data example, suppose that each side transmits 100 MB every 15 or 20 minutes. That is a large amount of data; asymmetric encryption algorithms are very slow and process-intensive, so they are not expected to be used when large amounts of data must be transmitted.


    However, instead of using the asymmetric key to encrypt the financial data, we can use the asymmetric key to encrypt the symmetric key. This lets us share the symmetric key across an insecure network in encrypted form.

    In the financial-data example, PeerA has the encryption key; therefore PeerB generates a public/private key pair and sends its public key to PeerA. PeerA then takes the symmetric key and encrypts it with PeerB's public key. PeerA sends the encrypted symmetric key, "If you can guess this key, you win a lollipop!", to PeerB, where it is decrypted with PeerB's private key. From then on, whenever PeerB receives encrypted financial data from PeerA, it can successfully decrypt that data with the shared symmetric key. The advantage of this approach is that the asymmetric encryption process is applied only to the symmetric key: the financial data itself is encrypted with the symmetric algorithm and the shared symmetric key.

    Most VPN implementations use public/private key algorithms in this way to share symmetric keys. The next section discusses the public/private key implementation used in VPNs today.

    2.4.2. The Diffie-Hellman algorithm

    The public/private key cryptographic process was developed by Whitfield Diffie, Martin Hellman, and Ralph Merkle in 1976. Their ideas were protected by U.S. patent 4,200,770, which expired in 1994. The process is commonly referred to as Diffie-Hellman (DH).

    However, it turns out that these three were not the first to discover the public/private key process; rather, one of two government agencies, in Britain or the U.S. (the National Security Agency), developed a similar process, completely independently, 10 years before Diffie, Hellman, and Merkle. Those processes were kept secret, however; and while that information was never published, the three men who arrived at the same solution did publish it for widespread use.

    Today we do not care who discovered the process; what matters is how to share symmetric keys across an insecure network. Most network vendors look to Public Key Cryptography Standard #3 (PKCS #3) to implement DH.

    DH is basically not used to encrypt data; in many cases, though, it is used by VPNs to share keying information securely, for example for DES, 3DES, AES, SHA, MD5, and other symmetric keys, across an insecure public network such as the Internet. DH uses public key cryptography (asymmetric keys) to accomplish this. Therefore, it is commonly referred to as a public key exchange method.

    Many VPN implementations, such as IPsec, use DH to share symmetric encryption keys securely. In particular, IPsec's RFCs 2401, 2408, and 2412 rely on DH to share keying information for HMAC functions such as MD5 and SHA, and for encryption algorithms such as DES, 3DES, and AES.

    Figure 2-4 explains how DH works. DH uses six steps to share a symmetric key across an insecure network.

    Step 1. Each peer shares information that helps them create their own public/private key pair; this is necessary because DH supports several key sizes, called key groups. Key groups are discussed in more detail after the steps. Knowing the key size, the two peers create their public/private key pairs. Typically, each side creates its private key first and uses a derivation process to produce the public key from the private key.

    Step 2. Each peer shares its public key with the remote peer.

    Step 3. Each peer takes its own private key and the remote peer's public key and runs them through the DH algorithm.

    Step 4. The remarkable property of the DH algorithm is that although different inputs are fed into the algorithm on each side, it produces the same result on both sides: Diffie, Hellman, and Merkle showed that if you have one pair of related values and another pair of related values, and you swap one value of this pair for one value of the other pair, the values are still related.

    Step 5. Since PeerA created the symmetric encryption key for the financial data, PeerA encrypts that key with the key output by the DH algorithm, Secret_Key_X, and sends the encrypted symmetric key to PeerB across the network.

    Step 6. When PeerB receives the encrypted key, PeerB uses the same key it obtained from the DH algorithm, Secret_Key_X, to decrypt the symmetric key, which yields "If you can guess this key, you win a lollipop!"; therefore, when PeerA sends financial data to PeerB, PeerB can successfully decrypt it with the symmetric encryption key.
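    As an added example (not the thesis's code), the six steps above, together with the "encrypt the symmetric key, not the data" idea of 2.4.1.3, in Python. The modulus is a toy 64-bit safe prime generated at run time and is not one of the IKE groups of Table 2-1; the key wrapping of Steps 5 and 6 uses a one-time HMAC-SHA256 keystream keyed by Secret_Key_X, a simplification of what IKE actually does.

```python
import hashlib
import hmac
import secrets

# Added example, not the thesis's code. Toy 64-bit safe prime (not an IKE group);
# the key wrapping is a simplification, keyed once by Secret_Key_X.
SYMMETRIC_KEY = b"If you can guess this key, you win a lollipop!"  # PeerA's key in the text

def is_probable_prime(n, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits=64):
    """Step 1, group agreement: p = 2q + 1 so that generator 2 has a large order."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, 2

def keypair(p, g):
    """Step 1, per peer: choose the private key, derive the public key from it."""
    priv = secrets.randbelow(p - 3) + 2
    return priv, pow(g, priv, p)

def shared_secret(p, own_priv, peer_pub):
    """Steps 3-4: own private key + peer's public key -> Secret_Key_X, equal on both sides."""
    z = pow(peer_pub, own_priv, p)
    return hashlib.sha256(z.to_bytes((p.bit_length() + 7) // 8, "big")).digest()

def wrap(secret_x, data):
    """Steps 5-6: XOR with a one-time HMAC-SHA256 keystream keyed by Secret_Key_X."""
    stream = b"".join(hmac.new(secret_x, i.to_bytes(4, "big"), "sha256").digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def exchange():
    p, g = make_group()
    a_priv, a_pub = keypair(p, g)                 # PeerA, Step 1
    b_priv, b_pub = keypair(p, g)                 # PeerB, Step 1
    secret_a = shared_secret(p, a_priv, b_pub)    # Step 2 delivered b_pub to PeerA
    secret_b = shared_secret(p, b_priv, a_pub)    # Step 2 delivered a_pub to PeerB
    wire = wrap(secret_a, SYMMETRIC_KEY)          # Step 5: PeerA sends the wrapped key
    recovered = wrap(secret_b, wire)              # Step 6: PeerB unwraps with its copy
    return secret_a == secret_b, recovered, SYMMETRIC_KEY in wire
```

    Only a_pub, b_pub and the wrapped key would cross the network; an eavesdropper who records all three still lacks either private key, which is the point made in 2.4.4.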


    Figure 2-4. The Diffie-Hellman process

    DH uses key groups to define how the shared secret key is generated. A key group defines the length of the public and private keys and the DH algorithm used to generate the shared secret key.

    Table 2-1 briefly describes the DH key groups. In this table, the first column gives the key group name, which is a number. Next comes the key length, and the last column is the type of algorithm used to create the shared secret key. DH key groups are usually referred to by their number, as in DH group 1.


    Key Group   Key Length   Algorithm
    1           768-bit      Straight algorithm
    2           1,024-bit    Straight algorithm
    3           155-bit      Elliptic curve algorithm
    4           185-bit      Elliptic curve algorithm
    5           1,536-bit    Straight algorithm (most secure key group supported by Cisco)
    7           163-bit      Elliptic curve algorithm
    14          2,048-bit    Straight algorithm
    15          3,072-bit    Straight algorithm (most secure key group, but Cisco doesn't support it)

    Table 2-1. DH key groups

    The straight algorithm uses a normal computational process, like an equation, to generate a secure key. The more bits used in the straight algorithm, the stronger the resulting secret key. But long keys and long bit lengths in the straight algorithm make the computation very demanding. For example, a Cisco 7200 router with a VAM card has no problem processing the straight algorithm with DH group 15; a PDA (Personal Digital Assistant), however, does not have that capability.

    To help devices with limited processing capability, elliptic curve algorithms are used; they use shorter key sizes but can produce more secure results than the straight algorithm with the same key size. Because they require complex processing, the key sizes are kept short so that devices with limited processing capability can still use them.

    Note:

    Remember that a VPN implementation that uses DH does not have to support every DH group. For example, when a Cisco router uses IPsec, it supports only DH groups 1, 2, and 5, whereas the Cisco VPN 3000 Series Concentrators support DH groups 1, 2, 5, and 7 for IPsec. This also depends on the individual vendor.

    2.4.3. Key refreshing

    There is another problem that falls under key management. Periodically, you will probably want to change the symmetric keys used in your encryption algorithms and HMAC functions to stay secure. For example, if you have 100 sets of keys, and your security policy recommends changing keys once an hour, you will not want to do this manually, because it would take a great deal of time and effort from many people.


    Therefore, an important feature a VPN implementation should support is key management: the ability to refresh keys periodically in a dynamic, secure, in-band fashion, within a short period of time. DH itself, for example, does not specify how key management is handled; VPN implementations, typically IPsec, have other components that control this process.

    2.4.4. Limitations of key exchange methods

    The strength of asymmetric key algorithms is that the private key, which is used to decrypt information, is never sent across the network. With DH, the derived shared secret key is likewise never sent. Therefore, even if an attacker eavesdrops on the public key exchange and sees the exchanged public keys, he cannot use them to decrypt any of the transmitted information. In a plain asymmetric algorithm implementation, the eavesdropping attacker would have to know the private key to decrypt the information; in the case of DH, the attacker must know one of the two private keys to decrypt the information.

    DH does, however, have one fundamental weakness: it is vulnerable to man-in-the-middle attacks. Take the PeerA-to-PeerB example. PeerA needs to encrypt financial data for PeerB. In this example, assume that DH is used to share the key. PeerA sets up a connection to PeerB; suppose that instead of the real PeerB responding, a man-in-the-middle attack takes place and the attacker's device responds. DH simply assumes that the two devices trust each other. In the PeerA-to-PeerB example, especially when they are separated by a public network, neither side has any idea whether it is talking to the other peer or to some device masquerading as one of the two.

    In other words, key exchange protocols such as DH deal with only one thing: exchanging keys. They do not provide authentication. Some other component is needed to verify the identities of the two devices, to make sure PeerA does not send its critical financial data to a man-in-the-middle attacker by mistake.

    2.5. Authentication methods

    Authentication is implemented with digital signatures. A digital signature is usually created by taking some message, such as unique information about a person or device, together with a key, and running them through a hash function. A digital signature is like a fingerprint: it is something of yours that no one else has. Digital signatures are used to implement non-repudiation in VPNs: proving the identity of a device.

    The last part of this chapter covers authentication methods: how two peers can recognize each other when they establish a connection, so that they are really connected to each other and no one is impersonating the other side. This part explores in more depth how a man-in-the-middle attack takes place and the kinds of authentication that can be used to detect and prevent it.

    2.5.1. Man-in-the-middle attacks

    Figure 2-5 illustrates how a man-in-the-middle attack takes place. In the example, PeerA wants to send data to PeerB. PeerA performs a DNS lookup for PeerB's address, shown in Step 1. However, the attacker also sees the DNS request and sends a reply to PeerA before the DNS server has the chance, as shown in Steps 2 and 3. The IP address the attacker sends is his own. PeerA, knowing nothing of this, assumes it is the IP address returned by DNS and sends its traffic to PeerB; as shown in Step 4, the traffic actually goes to the attacker.

    Figure 2-5. Example of a man-in-the-middle attack

    This is a simple example of DNS reply spoofing. If the DNS server's reply arrives before the attacker's reply, PeerA connects to PeerB; a cunning attacker, however, could use a session hijacking/rerouting attack to redirect the traffic sent from PeerA to PeerB to himself, which is still a man-in-the-middle attack. Given this security problem, some form of authentication is needed to let PeerA and PeerB verify each other's identity when they communicate. The next section discusses the kinds of authentication that can solve this problem.

    2.5.2. Authentication solutions

    With VPN implementations, two types of authentication can be used to verify the identity of a peer:

    Device authentication

    User authentication

    Device authentication is used in both types of VPN, site-to-site and remote-access. With device authentication, either pre-shared keying information supports the identification process, or keying information is requested and verified, through digital certificates, when the devices need to communicate. Pre-shared authentication can use either symmetric or asymmetric keys, whereas in-band authentication uses asymmetric keys together with digital certificates.

    User authentication is used only with remote-access VPNs. With device authentication, the keying information is generally stored on the device. It can be compromised if the device is compromised from within or stolen, which happens easily with laptops or PCs. User authentication typically uses a pre-shared key (a static password) or token card services (one-time passwords). The following sections discuss these methods in more detail.

    2.5.3. Device authentication

    A VPN implementation is considered secure only if it supports at least device authentication. Device authentication takes place between the devices as they set up a protected connection; it does not, however, authenticate the user of the VPN connection. Therefore, device authentication is commonly used in site-to-site VPNs, and is the first authentication method used in remote-access VPNs.

    Device authentication typically uses one of the following methods:

    Pre-shared symmetric keys

    Pre-shared asymmetric keys

    Digital certificates

    The following sections discuss these three methods.


    2.5.3.1. Pre-shared symmetric keys

    The most common method of device authentication is with pre-shared keys. Of the three methods listed in the previous section, pre-shared symmetric keys are the simplest to configure.

    With pre-shared symmetric key authentication, a single key is used to perform the authentication. The key is shared between the two peers out-of-band, before they need to establish a secure connection, and is stored locally on the devices. The authentication process uses either an encryption algorithm or an HMAC function to perform the authentication.

    In the case of encryption, each peer takes some identity information about itself, for example its IP address, host name, serial number, or a combination of these, together with the pre-shared symmetric key, and runs them through an encryption algorithm. Both sides then send the original identity information, along with the output of the encryption algorithm, to the other peer. Each peer then takes the encrypted identity information it received and decrypts it with the pre-shared symmetric key. If the clear-text identity information received matches the decrypted identity information, both peers can be reasonably sure that the device is who it claims to be, because the encrypted information could only have been created with the pre-shared key.

    Now consider using an HMAC function and the pre-shared symmetric key for identity authentication. Each peer takes its identity information, such as its IP address, host name, serial number, or a combination of these, together with the pre-shared symmetric key, and runs them through the HMAC function. The output is called a digital signature. The signature, together with the identity information used as input, is sent to the remote peer. The remote peer takes the identity information, together with the pre-shared key, and runs them through the same HMAC function. If the signature it computes matches the one the other peer sent, it can assume that the same key was used to create the signature, and therefore that the peer initiating the connection is who it claims to be, and not an impostor.

    Encryption is rarely used for identity authentication. Encryption means that one device encrypts and the other decrypts. Because you have to send the identity information along with its encrypted form, an eavesdropping attacker sees one of the two inputs to the encryption algorithm, which can make it easier to determine what the encryption key is. HMAC functions, on the other hand, are one-way; so even if the attacker sees one of the two inputs to the HMAC function, such as the identity information, it does not help him reverse the signature to determine the symmetric key used to create it and thereby spoof the identity.
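    As an added example (not the thesis's code), the HMAC-based pre-shared-key check described in this section in Python, exercised against the man-in-the-middle case of 2.5.1: an impostor that copies PeerB's clear-text identity but lacks the pre-shared key is rejected. The identities and key are constructed; the responder challenge (a fresh nonce mixed into the signed data) goes beyond the text and is what prevents a captured signature from being replayed, which the text's identity-plus-signature exchange alone does not.

```python
import hmac
import secrets

# Added example, not the thesis's code. Identities and key are constructed; the
# challenge nonce is an addition beyond the text (replay protection).
def sign_identity(psk, identity, challenge):
    """Digital signature = HMAC-SHA256(psk, identity || challenge), 96 bits kept."""
    return hmac.new(psk, identity + b"\x00" + challenge, "sha256").digest()[:12]

def verify_identity(psk, identity, challenge, signature):
    expected = sign_identity(psk, identity, challenge)
    return hmac.compare_digest(expected, signature)   # constant-time comparison

class Peer:
    def __init__(self, identity, psk):
        self.identity = identity      # e.g. host name + IP address, sent in clear text
        self.psk = psk                # shared out-of-band, stored locally

    def authenticate_to(self, responder, challenge):
        """Send identity and signature; the responder recomputes and compares."""
        signature = sign_identity(self.psk, self.identity, challenge)
        return responder.accept(self.identity, signature, challenge)

    def accept(self, identity, signature, challenge):
        return verify_identity(self.psk, identity, challenge, signature)

def demo():
    psk = b"constructed pre-shared key"
    peer_a = Peer(b"PeerA/10.1.1.5", psk)
    peer_b = Peer(b"PeerB/192.0.2.10", psk)
    # A man-in-the-middle can copy PeerB's clear-text identity but not the key.
    impostor = Peer(peer_b.identity, b"some other key")
    chal_1, chal_2 = secrets.token_bytes(16), secrets.token_bytes(16)
    genuine = peer_b.authenticate_to(peer_a, chal_1)
    spoofed = impostor.authenticate_to(peer_a, chal_1)
    # Replaying the genuine signature under a fresh challenge also fails.
    old_sig = sign_identity(psk, peer_b.identity, chal_1)
    replayed = peer_a.accept(peer_b.identity, old_sig, chal_2)
    return {"genuine": genuine, "spoofed_rejected": not spoofed,
            "replay_rejected": not replayed}
```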


    2.5.3.2. Pre-shared asymmetric keys

    With symmetric keys, the same key is used on both sides for identity authentication, which is generally less secure than the two-key process of asymmetric keys. With asymmetric keys, each side creates a public and private key combination. Each peer then shares its public key with the other out-of-band; the shared public key