Slide An Ninh Mang Chuong 4

16/01/2014

1

Cn bn v mt m

Khi nim

Cc gii thut

ng dng ca mt m

H tng kha cng khai (PKI)

Qun l kha v chng ch s

Chng 4

16/01/2014 1B mn HTMT&TT 16/01/2014B mn HTMT&TT 2

Mc tiu

Cung cp cho ngi hc mt ci nhn tng quan v mt

m v ng dng ca mt m trong an ninh mng.

Sau khi hon tt chng, sinh vin c nhng kh nng:

Trnh by c khi nim v mt m.

Phn bit c cc gii thut dng trong mt m nh gii thut

bm, i xng v bt i xng.

Trnh by c ng dng ca mt m trong an ninh mng.

Hiu c khi nim c s h tng kha cng khai (PKI).

Trnh by c khi nim ch k s, chng ch s v vic qun l

ch k in t v chng ch s.

16/01/2014B mn HTMT&TT 3

Khi nim v mt m

Mt m (cryptography)

u vo l d liu gc (plaintext) u ra l d

liu m ha (ciphertext)

Mt m s dng cc gii thut : Bm (hashing) M ha i xng (symmetric) M ha bt i xng (Asymmetric)

Mt m l 1 ngh thut lm bin i

d liu gc v sau s khi phc

li s dng trong tng lai.

Kha (di nhiu dng khc nhau) lun c yu cu

16/01/2014B mn HTMT&TT 4

Cc gii thut trong mt m

Gii thut bm (hashing)

Bm dng to ra du vn tay

(MAC-message authentication code

hay message digest) ca d liu.

Gi tr ny c gi km vi d

liu ni nhn kim tra tnh ton

vn d liu.

Bm (hashing) cng dng khngphi l m ha (encryption)

Cc gii thut bm: Message-Digest 5(MD5) Secure Hash Algorithm 1 (SHA-1)

16/01/2014

2

16/01/2014B mn HTMT&TT 5


Gii thut bm MD5

c pht minh bi Ron Rivest

ca RSA Security.

M t trong RFC-1321

MD5 thng dng kim tra phn checksum ca nhng phn mm cho php download t Internet nhm m bo khng phi l phn mm gi mo.

u ra ca MD5 lun l 1 digest c gi tr 128 bits hay 32 k t Hex. Khng th dch ngc li c d liu gc t digest ca MD5.

16/01/2014B mn HTMT&TT 6


Gii thut bm SHA-1

c to ra bi chnh ph M

(NIST v NSA).

M t trong RFC-3174

Khc phc im yu trong MD5.

SHA-1 thng thng c s dng trong vic ci t IPSec.

u ra ca SHA lun l 1 digest c gi tr 160 bits. Bo mt hn MD5

16/01/2014B mn HTMT&TT 7


Gii thut bm HMAC

Cc gii thut bm c im

yu khi gp dng tn cng

K ng gia (Man-in-the-

middle): gi mo d liu v

c digest gi km.

HMACs a vo thm 1 kha b mt trc khi dng gii thut bm:

Data + key => Digest

C ch dng thm kha b mt gi l Message Authentication Codes (MAC). Kha b mt ch c bit bi ngi gi v ngi nhn. Dng HMAC vi 2 gii thut bm chnh:

o HMAC + MD5 = HMAC-MD5 s dng kha 128 bitso HMAC + SHA-1 = HMAC-SHA-1 s dng kha 160 bits

16/01/2014B mn HTMT&TT 8


Gii thut m ha (encryption algorithms)

M ha l 1 hnh thc ca mt m

M ha to ra s b mt (bo mt)

cho d liu khi lu tr hay truyn i

trn mng.

M ha s dng nhng gii thut

bin i d liu gc (plaintext) sang dng

d liu khng th hiu c (ciphertext).

Cc gii thut m ha dng kha (key)

m ha v gii m.

Kha cng di => bo mt cng cao.

C 2 dng m ha:

i xng (symmetric key encryption):

s dng chung 1 kha cho m ha v

gii m.

Bt i xng (Asymmetric key

encryption ): s dng 2 kha

- 1 kha cho m ha

- 1 kha cho gii m

16/01/2014

3

16/01/2014B mn HTMT&TT 9


Gii thut m ha i xng (Symmetric)

Cn gi l m ha vi

kha b mt hay m

ha vi kha chia s

C th b cc tn cng vt cn

tm ra kha.

C tc nhanh v ci t n gin

hn so vi m ha bt i xng.

SSL s dng m ha i xng.

Mt s gii thut m ha i xng:

Data Encryption Standard (DES)

Triple Data Encryption Standard (3DES)

Advanced Encryption Standard (AES)

International Data Encryption Algorithm (IDEA)

Twofish

Carlisle Adams/Stafford Tavares (CAST)

16/01/2014B mn HTMT&TT 10


Gii thut m ha DES

Pht trin t thut ton Lucifer

ca Horst Feistel (IBM).

c chun ha nm 1976.

M ha tng khi d liu 64 bits.

di kha 64 bits: 56 bits cho

kha v 8 bits cho kim tra (parity).

D liu c chia lm 2 (32 bits) x

l qua 16 chu trnh (mng Feistel).

Mi hm Feistel thc thi s s dng

1 kha con 48 bits (tnh ra t kha

chnh 56 bits).

Gii thut c s dng rng ri v tc

m ha nhanh,

Hin nay, DES c xem l khng

an ton v di kha ngn (56bits)

=> chuyn qua dng 3DES

16/01/2014B mn HTMT&TT 11


Gii thut m ha 3DES

Thay th dn cho DES

v an ton hn

Dng 3 ln lin tip thut ton DES vi 3 kha khc nhau K1, K2 v K3.

Kha s dng = 3 x 56 bits = 168 bits

Gn nh khng th d tm c kha bng phng php vt cn.

Phin bn khc l 2TDES c kha l 112 bits v s dng kha K1=K3.

Tc thc thi chm nn c thay th dn bi thut ton AES.

16/01/2014B mn HTMT&TT 12


Gii thut m ha AES

c pht trin bi 2 nh mt m ngi

B Joan Daemen v Vincent Rijmen, ly tn

l thut ton Rijndael.

Tm dch l Tiu chun m ha tin tin

S dng thut ton thay th hon v.

Khi d liu 128 bits.

Kha 128, 192 hoc 256 bits.

S chu trnh thc hin l 10, 12 hoc

14 ty theo di kha.

c s dng ph bin v d thc hin,

tc cao v t tn b nh.

c M p dng lm tiu chun m ha

vo thng 5 nm 2002.

16/01/2014

4

16/01/2014B mn HTMT&TT 13


Gii thut m ha bt i xng (Asymmetric)

Cn gi l m ha vi

kha cng khai

Dng kha cng khai m ha v

dng kha b mt gii m li.

Kha b mt c lu gi cn thn,

kha cng khai cng b cho mi ngi.

Gii thut thc thi chm.

Mt s gii thut m ha bt i xng:

RSA (Rivest Shamir Adleman)

DSA (Digital Signature Algorithm)

DH (Diffie-Hellman)

ECC (Error Correcting Code)

El Gamal

16/01/2014B mn HTMT&TT 14


Gii thut m ha RSA

c pht minh vo nm 1977 bi

Rivest, Shamir v Adleman ti MIT.

M ha d liu: dng kha chung

(public key) m ha, kha ring

(private key) gii m.

To ch k s: kha ring m

ha, kha chung gii m.

Kha c di t 1024-2048 bits.

Gii thut rt phc tp, s dng nhiu

cng thc ton hc.

Gn nh khng c mt phng php

no tm ngc li c kha ring t

d liu c m ha v kha chung.

RSA c s dng trong IPSec.

Tc thc thi chm hn DES v

cc gii thut m ha i xng khc.

16/01/2014B mn HTMT&TT 15


Gii thut m ha DSA

c to ra bi NIST vo nm 1994.

L chun ca chnh ph M trong

vic to ra ch k in t.

S dng SHA-1 cho gii thut bm

Kha c di t 512 1024 bits

Hin nay, c khuyn co nn

dng 2048 bits cho kha.

Tc tng ng nh RSA

khi to ra ch k s.

Chm hn 10-40 ln khi kim

tra ch k s.

16/01/2014B mn HTMT&TT 16


Gii thut m ha DH (Diffie-Hellman)

Gii thut DH dng to ra Kha b mt chia s (s dng cho

m ha i xng) gia 2 host trn ng truyn khng an ton.

c to ra nm

1976 bi Whitfield

Diffie v Martin

Hellman.

DH c im yu vi

dng tn cng k ng

gia.

DH dng cung cp c

ch bo mt, nhng

khng cung cp dch

v chng thc.

16/01/2014

5

16/01/2014B mn HTMT&TT 17


Gii thut m ha DH (Diffie-Hellman)

Alice Bob

16/01/2014B mn HTMT&TT 18

ng dng ca mt m

ng dng ca mt m trong an ninh mng

Mt m c th c s dng trong nhiu dch v an ninh cung

cp cc kh nng nh:

Tnh bo mt (confidentiality)

Tnh ton vn (integrity)

Chng thc (authentication)

Tnh khng th ph nhn (nonrepudiation)

16/01/2014B mn HTMT&TT 19

ng dng ca mt m

Trong dch v bo mt

C ch bo v d liu

khi s truy cp tri php.

S bo mt c thc

hin thng qua m ha.

M ha dng kha cng khai

(public key ) ca bn nhn

16/01/2014B mn HTMT&TT 20

ng dng ca mt m

Trong dch v ton vn

C ch c th kim tra c d liu c b

bin i hay khng.

S dng gii thut bm MD5 hay SHA-1.

16/01/2014

6

16/01/2014B mn HTMT&TT 21

ng dng ca mt m

Trong dch v chng thc ti cc im cui

Chng thc c thc hin

thng qua vic chp nhn kha

ca thut ton DH.

C 3 cch chng thc:

+ S dng kha b mt chia s

+ S dng ch k s

+ S dng s ngu nhin c

m ha

Chng thc s m ha dng

kha b mt (private key ) ca

bn gi

16/01/2014B mn HTMT&TT 22

ng dng ca mt m

Trong dch v khng th ph nhn (nonrepudiation)

Chng t rng mt thc th lm 1 vic g v c k nhn vo

ti liu. Sau ny, thc th khng th chi b c vic lm .

Tnh khng th ph nhn c thc hin qua ch k s.

Ch k s l duy nht, xc nhn ng l c nhn hay thc th .

16/01/2014B mn HTMT&TT 23

ng dng ca mt m

Ch k s (Digital signature)

Ch k s l thng tin i km theo d liu (vn bn, hnh nh, video...)

nhm mc ch xc nh ngi ch ca d liu .

Ch k s hot ng bng cch s dng gii thut bm v 1 trong 2 dng: M ha i xng M ha bt i xng.

Ch k s l 1 tp con ca ch k in t (electronic signature).

16/01/2014B mn HTMT&TT 24

ng dng ca mt m

Ch k s

1. Ngi gi to ti liu2. Bm ti liu => to ra Digest3. S dng kha b mt m ha

s digest .4. Gn s Digest c m ha

(ch k s) vo ti liu5. Gi qua ngi nhn

1. Ngi nhn tch ti liu v ch k s ra2. S dng kha cng khai gii m ch k

s thnh s Digest1.3. Bm ti liu => to ra s Digest24. So snh 2 s Digest1 v Digest2:

+ Nu trng: xc nhn ng ngi gi+ Nu sai: khng phi

Qu trnh s dng ch k s bao gm 2 qu trnh: to ch k v kim tra ch k

16/01/2014

7

16/01/2014B mn HTMT&TT 25 16/01/2014B mn HTMT&TT 26

16/01/2014B mn HTMT&TT 27

ng dng ca mt m

Ch k s

Thng tin ca 1 ch k s

Ngi k

Gii thut bm

Gii thut m ha ch k s

Thng tin ca 1 chng ch s i km

16/01/2014B mn HTMT&TT 28


Khi nim

L c ch cho mt bn th 3 (thng l

nh cung cp chng ch s - CA) cung cp

v chng thc nh danh cc bn tham gia

vo qu trnh trao i thng tin.

Tng bn tham gia s cung cp cp kha

cng khai v kha b mt:

M ha: m ha bng kha cng khai,

gii m bng kha b mt.

Ch k in t: m ha bng kha b

mt, gii m bng kha cng khai.

ng dng ca PKI:

Open PGP: m ha email v chng thc

ngi gi email.

M ha v xc thc vn bn.

Chng thc ngi dng ng dng: ng

nhp bng smartcard, trong SSL.

Trong cc giao thc truyn thng an ton.

16/01/2014

8

16/01/2014B mn HTMT&TT 29


Chng ch s (Digital certificate)

CA: nh cung cp

chng ch s

Jeff c th kim tra thng ip vi chng ch s

km theo t Mike l hp l nu Jeff tin tng

nh cung cp chng ch s

iu 4 ca lut giao dch in t Vit Nam:

Chng th in t l thng ip d liu do t chc

cung cp dch v chng thc ch k in t pht

hnh nhm xc nhn c quan, t chc, c nhn

c chng thc l ngi k ch k in t

16/01/2014B mn HTMT&TT 30


Nh cung cp chng ch s (CA)

Certificate Authority:

L i tc th 3 c

tin cy

Cung cp v k xc

nhn cc chng ch s

Ngi dng in 1 form vi cc thng tin: tn, t chc,

kha cng khai, gii thut dng to kha cng khai,

M ha form v gi cho nh cung cp chng ch s

Chun mt m kha cng khai

(PKCS#10)

CA nhn form, xc nhn thng tin ngi dng, to ra

chng ch s v gi chng ch s tr li cho ngi dng.

Chng ch s c to ra theo chun X.509 version 3.

16/01/2014B mn HTMT&TT 31


Chng ch s (Digital certificate)

16/01/2014B mn HTMT&TT 32


Cc m hnh tn nhim (trust models)

(Leaf CA)

M hnh phn cp c s dng nhiu nht

16/01/2014

9

16/01/2014B mn HTMT&TT 33


S hy b (Revocation)

Chng ch s (trc khi ht hn)

c th b hy b khi kha b mt

b l hay thng tin ca ngi ch

chng ch s c thay i.

Mi chng ch s u c 1 s serial number.

Hy b chng ch s l a s serial number

vo 1 danh sch CRL (Certificate Revocation List)

Khi chng thc, host s kim tra danh sch

CRL, nu chng ch s c serial number trong

danh sch th ngt ni kt.

Registration

Authority

16/01/2014B mn HTMT&TT 34


Chnh sch cho chng ch s (certificate policy)

CA phi nh ngha tt cc chnh

sch v c ch an ninh m

bo dch v m h cung cp phi

tht s tin cy.

Chnh sch cho chng ch s

c nh ngha trong X.509

v m t trong RFC-3647

Chnh sch cho chng ch s l tp

cc quy nh chung v vic chng

ch s c s dng, qun l v

trin khai trong t chc nh th no.

Phi r rng, sc tch.

Gii hn trong 2 trang

C xc nhn ca lnh o cp cao.

Vit theo dng gch u dng.

16/01/2014B mn HTMT&TT 35


Ch dn thc t cho chng ch s (certificate pratice statements CPS)

CPS thng do b phn iu

hnh (c lin quan n IT)

son tho v duy tr.

C tnh k thut hn so vi

chnh sch v chng ch s.

CPS m t chi tit vic thc hin

chnh sch v chng ch (CP)

trong ng cnh ca kin trc

h thng v quy trnh hot

ng ca t chc.

CP trnh by v vic g (what)

CPS trnh by v cch thc hin

nh th no (how)

16/01/2014B mn HTMT&TT 36


Khi nim

Kha l 1 thnh phn bn trong chng ch s.

Chng ch s thc thi vai tr vn chuyn kha.

Kha s phi c bo qun nh kha ca 1 cn nh.

Tng t nh mt khu v m, kha c to ra, phn

phi, thay i phi tun theo cc c ch bo mt.

Kha phi c qun l an ton sut dng i ca n.

C 2 phng php thng dng lu tr v phn phi kha l:

Trung tm phn phi kha (Key Distribution Center KDC)

Gii thut trao i kha (Key Exchange Algorithm KEA)

16/01/2014

10

16/01/2014B mn HTMT&TT 37


Tp trung hay khng tp trung

u im:

D qun l, to mi v phc hi kha.

Cc kha c to ra trong mi trng an ton.

Nhc im:

Nu CA c vn s nh hng n hot ng

ca ton th cc ngi dng.

S lng ngi dng gia tng v chiu di kha

tng => x l nhiu hn => nh hng n hiu

nng ca ton h thng.

Hnh thnh mc tiu chnh cho hacker tn cng.

To, qun l v phn phi kha tp trung. Doanh nghip ln s dng m hnh ny.

To, qun l v phn phi kha khng tp trung.

Verisign s dng m hnh ny.

u im:

Ngi dng t to v qun l kha b mt.

Kha c user to ra nhanh hn v ch cn gi

cho RA (Registration Authority). RA s chuyn ln

cho CA to ra chng ch s.

Nhc im:

Gp kh khn khi kha b tht lc hay mun khi

phc li kha.

C th s mt d liu m ha khi kha b

hng hay b mt.

16/01/2014B mn HTMT&TT 38


Lu tr v phn phi kha

Kha c lu tr, qun l v phn phi bi trung tm phn phi kha (KDC) thng qua gii thut trao i kha (KEA). Mt khi cn xc nhn kha, Client s gi 1 yu cu n KDC. Nu chng thc khng thnh cng, Client s b loi b.

C 2 cch lu tr kha: Bng phn mm:

+ Mm do+ Km an ton

Bng phn cng: card, flash disk+ Khng mm do+ An ton v tin cy cao hn

16/01/2014B mn HTMT&TT 39


Lu gi (Escrow)

Escrow l ni lu tr cc bn sao ca kha b mt trong h thng qun l kha tp trung.

Ngi dng nu b mt hay lm hng kha, c th phc hi li kha b mt ny t Escrow. Ngi dng c th lu nhiu bn sao ti nhiu cng ty Escrow. Tuy nhin, ngi qun tr trong cng ty hay hacker c th tn cng vo ni lu tr Escrow ly c kha ca ngi dng.

16/01/2014B mn HTMT&TT 40


Ht hn, hy b v tm dng

Kha v chng ch s (ging nh th tn dng) u c hn s dng . Khi ht hn s dng, kha v chng ch s b hy b.

Khi pht hin kha b l hay mt, ngi dng c th yu cu hy bchng ch s. CA s a s serial number ca chng ch vo danh sch en. Danh sch en gi l CRL v CA phi cng b danh sch .

Khi mun tm thi ngng s dng kha hay chng ch, ngi dng c th yu cu tm dng. Kha v chng ch khi tm dng c th c khi phc li sau ny.

16/01/2014

11

16/01/2014B mn HTMT&TT 41


Gia hn

Trc khi kha hay chng ch s ht hn, ngi dng c th gi yu cu c gia hn (lm mi) li kha v chng ch. Vic s dng kha c s vi phm chnh sch v bo mt => s l ri ro => cn thn v cn nhc khi gia hn.

16/01/2014B mn HTMT&TT 42


Tiu hy (destruction)

Khi cc kha v chng ch khng cn s dng na th cc thng tin v kha v chng ch phi c g b trong phn mm hoc phn cng lu tr thng tin ny phi b tiu hy trnh k xu li dng.

16/01/2014B mn HTMT&TT 43


S dng kha

Chin lc s dng kha:

Phi xc nh kha c s dng nh th no? S dng kha i xng hay bt i xng ? S dng 1 kha hay cn thm nhiu kha khc? Ngoi kha, c cn thm cc mc bo mt khc?

Kha c s dng rng ri trong:

VPN nh IPSec. Cc giao thc SSL v TSL SSL trong HTTP : HTTPS HTTP bo mt: Secure HTTP (SHTTP) Truy cp t xa an ton: SSH Bo mt Email: PGP, S/MIME

Documents

Slide An Ninh Mang Chuong 4