ĐẠI HỌC BÁCH KHOA HÀ NỘI ViỆN CÔNG NGHỆ THÔNG TIN VÀ TRUYỀN THÔNG. BÀI TẬP LỚN AN NINH MẠNG “Bảo mật trong Web Service” Giáo viên: PGS. TS.Nguyễn Linh Giang Sinh viên thực hiện : Nguyễn Hồng Phúc – 20072236 Vũ Thành Trung - 20073070 - PowerPoint PPT Presentation
Slide 1
I HC BCH KHOA H NIViN CNG NGH THNG TIN V TRUYN THNGBI TP LN AN
NINH MNG Bo mt trong Web Service
Gio vin: PGS.TS.Nguyn Linh Giang
Sinh vin thc hin : Nguyn Hng Phc 20072236 V Thnh Trung -
20073070Lp: : Truyn thng mng-K52
Mc lcTng quan v Web ServiceKhi nim c bnCc phng thc hot ngBo mt
trong Web ServiceTng quan v chnh sch bo mtMc tiu bo mtCc phng thc
tn cngCc gii php phng chngGii thiu chng ch bo mt X509Lp trnh kim
th
Tng quan v Web ServicePhng thc giao tip gia hai i tng trn
mngGiao din cc thnh phn kt ni thng qua WSDLSOAPXMLCc i tng tham
giaRequestersProviders
SOAPSOAP Simple Object Access ProtocolGiao thc thc hin trn HTTP
vi c trng giao tip thng qua cc thng ip (message)
XMLXML eXtended Markup Languagey l mt nh dng chun cho php lu cc
thng tin hng cu trc, c t chc di dng cc th (tag) tng ng.Vic lu tr v
thao tc i vi XML c n gin ha rt nhiu, thun tin cho vic trao i thng
tin thng qua giao thc HTTPVD:...
Web ServiceNh vy, Web Service c xy dng da trn phng thc giao tip
thng qua thng ip (message) ca SOAP v s dng XML thc hin vic lu tr,
trao i cc thng ip trn giao thc HTTP.Chun WSDL Web Service
Description Language: y l mt ti liu vit bng XML v c s dng m t cc
dch v Web. y l tng thc hin ca Web Service nh trn.Cc hnh thc tng tc
trong WSDL:
One-wayPhng thc c th nhn 1 thng ip nhng khng tr v mt
response.Request-responsePhng thc c th nhn 1 request v tr v mt
response.Solicit-responseGi 1 request v ch i reponseNotificationGi
1 thng ip nhng khng ch 1 reponseCc thnh phn c bn
Securityy l mt m hnh bo mt ton din trong Web ServiceMt s nh danh
trong Web Service Security:SOAP Message Security: cung cp chun cht
lng bo mt thng qua vic tch hp thng ip, bo mt gi/nhn thng ip v xc
thc thng ip trn mng. VD: chng ch X509, Kerberos...Web Service
Trust: xc nh thnh phn m rng c xy dng trn Web Security yu cu v xc
cung cp cc kha bo mt nhm qun l cc lin kt/quan h tin cy. VD:
https://Reliable MessagingCc thng ip c chuyn vn tin cy gia cc thnh
phn trong cc h thng, ng dng...Cc c ch chuyn vn thng ip tin
cySequences (tun t)Message Numbers (s lng thng ip)Acknowledgments
(phn hi kt qu)Message persistence (Durability)Transactionsy l khi
nim m t cc loi/hnh thc phi hp, iu phi trong vic thc hin cc tc v trn
Web Service.Phn loi:Atomic Transaction (AT)Business Activity (BA)Cc
m hnh hot ngRemote Procedure Calls ModelRepresentational State
Transfer (REST) ModelMessage Oriented ModelService Oriented
ModelResource Oriented ModelPolicy Model
Tng quan v bo mtBo mt ti nguyn trn mngBo mt vic thc hin trao i
thng tinCc c ch, chnh sch rng buc cc i tng v ti nguyn tham gia qu
trnh trao i thng tinCc chnh sch cho phpCc chnh sch bt bucMc tiu bo
mtC ch xc thc (Authentication Mechanisms)C ch phn quyn
(Authorization)Ton vn d liu v an ton d liu (Data Integrity and Data
Confidentiality)Ton vn giao dch v giao tip (Integrity of
Transaction and Communications)Loi b t chi (Non-Repudiation)An ton
vi thng ip (End-to-End Integrity and Confidentiality of
Messages)Kim sot vt giao dch (Audit Trails)Cc chnh sch bo mt cho cc
thc thi phn tn (Distributed Enforcement of Security Policies)Cc
phng thc tn cngMessage Alteration (Thay i ni dung thng
ip)Confidentiality (Bo mt gi)Man-in-the-middleSpoofing (Gi
mo)Denial of Service (T chi dch v)Replay Attacks (Tn cng pht
li)
Message AlterationHnh thc tn cng ny s chnh sa li ni dung mt s
phn hoc ton b thng ipS m phng qu trnh tn cng:
ConfidentialityVi hnh thc ny, nhng i tng khng c xc thc, khng c
phn quyn s mang trong mnh nhng thng tin xc thc gi mo nh la nhng ro
cn bo mt ca h thng.V d: gn km thng tin credit card trong thng ip gi
i gi mo mt ngi dng tin cy...
Denial of ServiceT chi dch v l c ch tn cng rt ph bin, nhm cn tr
vic truy cp dch v hp php ca ngi s dng (khng cho php vic s dng dch
v).S m phng qu trnh tn cng:
Cc gii php bo mtAuthentication (C ch xc thc)Thut ton Kerberos s
dng tng DES 56 bitEncryption (M ha d liu)Digital Signature (Ch k
s)AuthenticationMi mt thnh vin my khch a ra cc yu cu SOAP thng bo
cho my ch server bit v thng tin cn thit, t a ra cc giao thc xc thc
tng ng.p dng giao thc mt m xc thc cc my tnh hot ng trong mng c ng
truyn khng an ton, l: KerberosM t giao thc Kerberos: Theo h thng k
hiu giao thc mt m, Kerberos c m t nh sau (trong Alice (A) s dng my
ch (S) nhn thc vi Bob (B)):
19AuthenticationVi c ch truyn d liu s dng SOAP v XML cng khng
trnh khi tnh trng truy xut d liu tri phpM ha cc tp tin gi trn mng
nhm m bo d liu v cu trc thng ip gi i c bo v tt nht.C ch khng cho
php vic truyn d liu trc tip trn Web Service m i hi phi m ha trc khi
truyn, ng thi bn pha ngi nhn s phi thit lp cc knh bo mt ring m ha v
gii m tng ng.Cc thut ton m ha c chia lm hai loi chnh l i xng
(shared-secret) v bt i xng (public-key)20Digital SignatureCh k in t
l thng tin i km theo d liu (vn bn, hnh nh, video...) nhm mc ch xc
nh ngi ch ca d liu .Ch k s kha cng khai(hayh tng kha cng khai) l m
hnh s dng cc k thutmt m gn vi mi ngi s dng mt cp kha cng khai - b
mt v qua c th k cc vn bnin tcng nh trao i cc thng tin mt.Qu trnh s
dng ch k s bao gm 2 qu trnh: to ch k v kim tra ch k.
21u im ca Ch k sKh nng xc nh ngun gcCc h thng mt m ha kha cng
khai cho php mt m ha vn bn vi kha b mt m ch c ngi ch ca kha bit.
Tnh ton vnC hai bn tham gia vo qu trnh thng tin u c th tin tng l vn
bn khng b sa i trong khi truyn v nu vn bn b thay i th hm bm cng s
thay i v lp tc b pht hin.Tnh khng th ph nhnKhi c tranh chp, bn nhn
s dng ch k ny nh mt chng c bn th ba gii quyt.
22Gii thiu v chng ch X509
Gii thiu v chng ch X509
Lp trnh kim tht vn Mc tiuThc nghimPhn tch yu cuMi trng ci tChc
nngCc yu cu v bo mtCc hnh thc p dngKch bn bo mtTrin khainh gi v kt
lun25t vn Cc giao dch c thc hin thng xuyn gia cc bn thng qua cc dch
v m giao thc HTTP cung cp (ch yu). Bi tiu lun ny tp trung nghin cu
Web Service c thc thi trn giao thc HTTP, t chc theo m hnh SOAP
(Simple Object Access Protocol).C rt nhiu hnh thc tn cng ca cc
hacker nhm ly trm thng tin trong cc thng ip cho cc mc ch xu nh:
message alteration, man-in-the-middle, replay attacks... Mong mun
lp trnh kim th mt trong nhng gii php trn cng c vng chc kin thc v bo
mt trong Web Service. 26Mc tiuHiu r cc thnh phn, t chc ca Web
Service s dng trong giao thc HTTP v cc vn lin quanNm c c ch bo mt
trong Web service (Security in Web Service)Cp nht thng tin v cc hnh
thc tn cng hng vo thng ip ngi dngHiu r v cc gii php chng tn cng hiu
quHiu r v cc thut ton c s dng trong cc gii php a ra c nh gi v cc
gii php c th
27Phn tch yu cuCung cp danh sch v thng tin chi tit v i ng nhn
vin ca cng ty.i vi mi i tng nhn vin s c nhng quyn hn c th i vi h
thng.Bng phn quyn ngi dng ca h thngBan qun trQun l t vnT vn vin
28Mi trngMy ch windows server 2008Web server: internet
information services 7.0Nn tng ng dng: .NET framework 4.0
29Chc nngXem danh sch nhn vinTm kim nhn vin + Xem thng tin chi
tit ca mt nhn vin c thSa i thng tin ca mt nhn vinXa mt nhn vin khi
danh schChnh sa quyn hn ca mt nhn vin
30Yu cu v bo mtm bo chnh xc quyn hn vi cc nhn vinChng cc hnh thc
tn cng gi mo, chn gi thng tin, sa i thng tinChng tn cng th ng
31Cc hnh thc p dngXc thc i vi ngi dng.Bo mt knh truyn bng Secure
Socket Layer (SSL) v M ha bn tin bng chng ch X509.
32Kch bn bo mt
33Trin khaiXy dng v trin khai ng dng cung cp web services vi cc
chc nng tng ng, ng dng c tn SecurceContact, chy trn IIS 7.0Cu hnh
ng dng s dng SSLXy dng ng dng pha client.
34nh gi v kt lunKt qu ca qu trnh thc nghim thnh cng v p ng c cc
yu cu t raVic xc thc vi mi i tng ngi dng c m bo trong qu trnh tng
tc ca ngi dng vi h thngVic p dng trin khai phng thc xc thc
(Authentication) v m ha bo mt (Encryption) trn web hon ton kh
thi.Hiu qu ca vic s dng cc phng thc m bo an ninh ny rt cao.
35Chng em xin chn thnh cm n!
