nguyen-linh
BKHN
Cryptography basics
Concepts
Algorithms
Applications of cryptography
Public key infrastructure (PKI)
Key and digital certificate management
Chapter 4
HTMT&TT Department, 16/01/2014
Objectives
Give learners an overview of cryptography and of its applications in network security.
After completing the chapter, students will be able to:
Explain the concept of cryptography.
Distinguish the algorithms used in cryptography: hashing, symmetric and asymmetric algorithms.
Explain the applications of cryptography in network security.
Understand the concept of public key infrastructure (PKI).
Explain the concepts of digital signature and digital certificate, and the management of electronic signatures and digital certificates.
The concept of cryptography
Cryptography
The input is the original data (plaintext); the output is the encrypted data (ciphertext).
Cryptography uses these algorithms: hashing, symmetric encryption, asymmetric encryption.
Cryptography is the art of transforming the original data and later recovering it for future use.
A key (in one of many different forms) is always required.
Algorithms in cryptography
Hash algorithms (hashing)
Hashing is used to create a fingerprint (MAC, message authentication code, or message digest) of the data.
This value is sent along with the data so that the receiver can check the integrity of the data.
The purpose of hashing is not encryption.
Hash algorithms: Message-Digest 5 (MD5), Secure Hash Algorithm 1 (SHA-1)
Algorithms in cryptography
The MD5 hash algorithm
Invented by Ron Rivest of RSA Security.
Described in RFC-1321.
MD5 is commonly used to check the checksum of software offered for download from the Internet, to make sure it is not counterfeit software.
The output of MD5 is always a digest of 128 bits, or 32 hex characters. The original data cannot be recovered from an MD5 digest.
Algorithms in cryptography
The SHA-1 hash algorithm
Created by the US government (NIST and NSA).
Described in RFC-3174.
Addresses weaknesses in MD5.
SHA-1 is commonly used in IPSec implementations.
The output of SHA is always a digest of 160 bits. More secure than MD5.
Algorithms in cryptography
The HMAC hash algorithm
Hash algorithms are weak against man-in-the-middle attacks: both the data and the digest sent with it can be forged.
HMACs add a secret key before applying the hash algorithm:
Data + key => Digest
The mechanism of adding a secret key is called Message Authentication Codes (MAC). The secret key is known only to the sender and the receiver. HMAC is used with 2 main hash algorithms:
- HMAC + MD5 = HMAC-MD5, using a 128-bit key
- HMAC + SHA-1 = HMAC-SHA-1, using a 160-bit key
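The difference between a bare digest and an HMAC, as an added Python example that is not part of the original slides: the receiver's check is run on untouched data and on data replaced in transit. The key and messages are constructed sample values, and the function names are assumptions of this example.

```python
import hashlib
import hmac

# Constructed sample values for this example (not from the slides).
SHARED_KEY = b"constructed-demo-key-sender-and-receiver-only"
MESSAGE = b"pay 100 to account 42"
TAMPERED = b"pay 900 to account 66"


def plain_digest(data: bytes) -> str:
    """Unkeyed SHA-1 digest: whoever can change the data can recompute it."""
    return hashlib.sha1(data).hexdigest()


def hmac_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA-1: the digest depends on the secret key as well as the data."""
    return hmac.new(key, data, hashlib.sha1).hexdigest()


def accepts_plain(data: bytes, digest: str) -> bool:
    """Receiver check when only a bare digest travels with the data."""
    return hmac.compare_digest(plain_digest(data), digest)


def accepts_hmac(key: bytes, data: bytes, tag: str) -> bool:
    """Receiver check with HMAC; compare_digest avoids timing leaks."""
    return hmac.compare_digest(hmac_tag(key, data), tag)


def run_cases() -> dict:
    """Data altered in transit, as the receiver sees it in each scheme."""
    genuine_tag = hmac_tag(SHARED_KEY, MESSAGE)
    return {
        "plain, untouched": accepts_plain(MESSAGE, plain_digest(MESSAGE)),
        # Data and digest both replaced: the bare digest still matches.
        "plain, data+digest replaced": accepts_plain(TAMPERED, plain_digest(TAMPERED)),
        "hmac, untouched": accepts_hmac(SHARED_KEY, MESSAGE, genuine_tag),
        # Data replaced, original tag kept: rejected.
        "hmac, data replaced": accepts_hmac(SHARED_KEY, TAMPERED, genuine_tag),
        # Tag recomputed without the shared key: rejected.
        "hmac, tag made with wrong key": accepts_hmac(
            SHARED_KEY, TAMPERED, hmac_tag(b"not-the-shared-key", TAMPERED)),
    }


if __name__ == "__main__":
    for case, accepted in run_cases().items():
        print(f"{case:32} accepted={accepted}")
```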
Algorithms in cryptography
Encryption algorithms
Encryption is one form of cryptography.
Encryption provides secrecy (confidentiality) for data when it is stored or transmitted over the network.
Encryption uses algorithms to transform the original data (plaintext) into data that cannot be understood (ciphertext).
Encryption algorithms use a key to encrypt and decrypt.
The longer the key => the higher the security.
There are 2 forms of encryption:
Symmetric (symmetric key encryption): uses the same single key for encryption and decryption.
Asymmetric (asymmetric key encryption): uses 2 keys
- 1 key for encryption
- 1 key for decryption
Algorithms in cryptography
Symmetric encryption algorithms
Also called secret-key encryption or shared-key encryption.
Can be subjected to brute-force attacks to find the key.
Faster and simpler to implement than asymmetric encryption.
SSL uses symmetric encryption.
Some symmetric encryption algorithms:
Data Encryption Standard (DES)
Triple Data Encryption Standard (3DES)
Advanced Encryption Standard (AES)
International Data Encryption Algorithm (IDEA)
Twofish
Carlisle Adams/Stafford Tavares (CAST)
Algorithms in cryptography
The DES encryption algorithm
Developed from the Lucifer algorithm of Horst Feistel (IBM).
Standardized in 1976.
Encrypts data in 64-bit blocks.
Key length is 64 bits: 56 bits for the key and 8 bits for checking (parity).
The data is split into 2 halves (32 bits each) and processed through 16 rounds (a Feistel network).
Each execution of the Feistel function uses a 48-bit subkey (derived from the 56-bit main key).
The algorithm was widely used because of its fast encryption speed.
Today DES is considered insecure because of its short key length (56 bits) => move to 3DES.
Algorithms in cryptography
The 3DES encryption algorithm
Gradually replacing DES because it is more secure.
Applies the DES algorithm 3 times in succession with 3 different keys K1, K2 and K3.
Key used = 3 x 56 bits = 168 bits
Finding the key by brute force is nearly impossible.
Another version is 2TDES, which has a 112-bit key and uses K1=K3.
Execution is slow, so it is gradually being replaced by the AES algorithm.
Algorithms in cryptography
The AES encryption algorithm
Developed by 2 Belgian cryptographers, Joan Daemen and Vincent Rijmen, under the name Rijndael.
The name translates as "advanced encryption standard".
Uses a substitution-permutation algorithm.
128-bit data blocks.
Keys of 128, 192 or 256 bits.
The number of rounds is 10, 12 or 14 depending on the key length.
Widely used because it is easy to implement, fast and uses little memory.
Adopted by the US as an encryption standard in May 2002.
Algorithms in cryptography
Asymmetric encryption algorithms
Also called public-key encryption.
The public key is used to encrypt and the private key is used to decrypt.
The private key is kept carefully; the public key is published to everyone.
The algorithms execute slowly.
Some asymmetric encryption algorithms:
RSA (Rivest Shamir Adleman)
DSA (Digital Signature Algorithm)
DH (Diffie-Hellman)
ECC (Error Correcting Code)
El Gamal
Algorithms in cryptography
The RSA encryption algorithm
Invented in 1977 by Rivest, Shamir and Adleman at MIT.
Encrypting data: the public key is used to encrypt, the private key to decrypt.
Creating a digital signature: the private key is used to encrypt, the public key to decrypt.
Keys are 1024-2048 bits long.
The algorithm is very complex and uses many mathematical formulas.
There is almost no method for recovering the private key from the encrypted data and the public key.
RSA is used in IPSec.
Execution is slower than DES and the other symmetric encryption algorithms.
Algorithms in cryptography
The DSA encryption algorithm
Created by NIST in 1994.
The US government standard for creating electronic signatures.
Uses SHA-1 as the hash algorithm.
Keys are 512-1024 bits long.
Today, 2048-bit keys are recommended.
Speed is comparable to RSA when creating a digital signature.
10-40 times slower when verifying a digital signature.
Algorithms in cryptography
The DH (Diffie-Hellman) encryption algorithm
The DH algorithm is used to create a shared secret key (used for symmetric encryption) between 2 hosts over an insecure channel.
Created in 1976 by Whitfield Diffie and Martin Hellman.
DH is weak against man-in-the-middle attacks.
DH provides a confidentiality mechanism, but does not provide an authentication service.
Algorithms in cryptography
The DH (Diffie-Hellman) encryption algorithm
[Figure: Diffie-Hellman exchange between Alice and Bob]
Applications of cryptography
Applications of cryptography in network security
Cryptography can be used in many security services to provide capabilities such as:
Confidentiality
Integrity
Authentication
Nonrepudiation
Applications of cryptography
In the confidentiality service
A mechanism that protects data from unauthorized access.
Confidentiality is achieved through encryption.
Encryption uses the public key of the receiver.
Applications of cryptography
In the integrity service
A mechanism for checking whether the data has been altered.
Uses the MD5 or SHA-1 hash algorithm.
Applications of cryptography
In the endpoint authentication service
Authentication is carried out through acceptance of the key of the DH algorithm.
There are 3 ways to authenticate:
+ Using a shared secret key
+ Using a digital signature
+ Using an encrypted random number
Authentication encrypts using the private key of the sender.
Applications of cryptography
In the nonrepudiation service
Proves that an entity has done something and has signed the document. Afterwards, the entity cannot deny having done it.
Nonrepudiation is achieved through digital signatures.
A digital signature is unique and confirms that it really is that individual or entity.
Applications of cryptography
Digital signature
A digital signature is information that accompanies data (text, images, video...) in order to identify the owner of that data.
A digital signature works by using a hash algorithm and 1 of 2 forms: symmetric encryption or asymmetric encryption.
Digital signatures are a subset of electronic signatures.
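Applications of cryptography
Digital signature
Using a digital signature involves 2 processes: creating the signature and verifying the signature.
Creating the signature:
1. The sender creates the document.
2. Hash the document => produces the Digest.
3. Use the private key to encrypt the digest.
4. Attach the encrypted Digest (the digital signature) to the document.
5. Send it to the receiver.
Verifying the signature:
1. The receiver separates the document and the digital signature.
2. Use the public key to decrypt the digital signature into Digest1.
3. Hash the document => produces Digest2.
4. Compare Digest1 and Digest2:
+ If they match: the sender is confirmed.
+ If they differ: it is not the sender.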
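The two processes above, carried through in Python as an added example that is not part of the original slides. It assumes a toy RSA key built from two small Mersenne primes and unpadded ("textbook") RSA, which makes the steps visible but is far too weak for real use; SHA-256 stands in for the MD5/SHA-1 named on the slides, and the function names are assumptions of this example.

```python
import hashlib

# Toy RSA key (constructed for this example): two Mersenne primes.
# Too small and unpadded for real use; it only makes the steps visible.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+)


def digest_as_int(document: bytes) -> int:
    """Hash the document; reduced mod N only because the toy modulus is small."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N


def sign(document: bytes) -> int:
    """Sender steps 2-3: hash, then transform the digest with the private key."""
    return pow(digest_as_int(document), D, N)


def verify(document: bytes, signature: int) -> bool:
    """Receiver steps 2-4: recover Digest1, recompute Digest2, compare."""
    if not 0 <= signature < N:
        return False                      # malformed signature value
    digest1 = pow(signature, E, N)        # "decrypt" with the public key
    digest2 = digest_as_int(document)     # hash the received document
    return digest1 == digest2


def run_cases() -> dict:
    document = b"constructed sample contract, version 1"
    signature = sign(document)
    return {
        "original document": verify(document, signature),
        "document altered": verify(document + b" (edited)", signature),
        "signature altered": verify(document, (signature + 1) % N),
    }


if __name__ == "__main__":
    for case, ok in run_cases().items():
        print(f"{case:20} valid={ok}")
```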
Applications of cryptography
Digital signature
Information in a digital signature:
The signer
The hash algorithm
The signature encryption algorithm
Information from an accompanying digital certificate
Public key infrastructure (PKI)
Concept
A mechanism that lets a third party (usually the digital certificate provider, the CA) issue and authenticate the identities of the parties taking part in an information exchange.
Each participant is given a key pair, a public key and a private key:
Encryption: encrypt with the public key, decrypt with the private key.
Electronic signature: encrypt with the private key, decrypt with the public key.
Applications of PKI:
Open PGP: encrypting email and authenticating the email sender.
Encrypting and authenticating documents.
Authenticating application users: smartcard login, in SSL.
In secure communication protocols.
Public key infrastructure (PKI)
Digital certificate
CA: the digital certificate provider
Jeff can verify that a message from Mike with an attached digital certificate is valid if Jeff trusts the digital certificate provider.
Article 4 of Vietnam's law on electronic transactions:
An electronic certificate is a data message issued by an organization providing electronic signature certification services in order to confirm that the certified agency, organization or individual is the signer of the electronic signature.
Public key infrastructure (PKI)
The digital certificate provider (CA)
Certificate Authority:
A trusted third party.
Issues and signs digital certificates.
The user fills in a form with information such as: name, organization, public key, the algorithm used to generate the public key.
The form is encrypted and sent to the digital certificate provider.
Public-key cryptography standard (PKCS#10)
The CA receives the form, verifies the user's information, creates the digital certificate and sends it back to the user.
Digital certificates are created according to the X.509 version 3 standard.
Public key infrastructure (PKI)
Digital certificate
Public key infrastructure (PKI)
Trust models
(Leaf CA)
The hierarchical model is the most widely used.
Public key infrastructure (PKI)
Revocation
A digital certificate can be revoked (before it expires) when the private key is exposed or the information about the certificate owner changes.
Every digital certificate has a serial number.
Revoking a digital certificate means putting its serial number on a CRL (Certificate Revocation List).
When authenticating, the host checks the CRL; if the certificate's serial number is on the list, it drops the connection.
Registration
Authority
Public key infrastructure (PKI)
Certificate policy
The CA must define its security policies and mechanisms well, to ensure that the service it provides is truly trustworthy.
The certificate policy is defined in X.509 and described in RFC-3647.
A certificate policy is the set of general rules on how digital certificates are used, managed and deployed in the organization.
It must be clear and concise.
Limited to 2 pages.
Approved by senior management.
Written as bullet points.
Public key infrastructure (PKI)
Certificate practice statements (CPS)
The CPS is usually drafted and maintained by the operations department (related to IT).
It is more technical than the certificate policy.
The CPS describes in detail how the certificate policy (CP) is carried out in the context of the organization's system architecture and operating procedures.
The CP states what is to be done (what).
The CPS states how it is done (how).
Key and digital certificate management
Concept
The key is a component inside the digital certificate.
The digital certificate serves to transport the key.
Keys must be looked after like the keys to a house.
Like passwords and codes, keys must be generated, distributed and changed in accordance with security mechanisms.
Keys must be managed securely throughout their life cycle.
There are 2 common methods for storing and distributing keys:
Key Distribution Center (KDC)
Key Exchange Algorithm (KEA)
Key and digital certificate management
Centralized or decentralized
Centralized key generation, management and distribution. Large enterprises use this model.
Advantages:
Keys are easy to manage, create and recover.
Keys are generated in a secure environment.
Disadvantages:
If the CA has a problem, it affects the operation of all users.
As the number of users and the key length grow => more processing => the performance of the whole system is affected.
It becomes a prime target for hacker attacks.
Decentralized key generation, management and distribution. Verisign uses this model.
Advantages:
Users generate and manage their own private keys.
Keys are generated faster by the user and only need to be sent to the RA (Registration Authority). The RA passes them up to the CA to create the digital certificate.
Disadvantages:
Difficulties arise when a key is lost or needs to be recovered.
Encrypted data may be lost when the key is damaged or lost.
Key and digital certificate management
Key storage and distribution
Keys are stored, managed and distributed by the key distribution center (KDC) through the key exchange algorithm (KEA). When a key needs to be verified, the client sends a request to the KDC. If authentication fails, the client is rejected.
There are 2 ways to store keys:
In software:
+ Flexible
+ Less secure
In hardware: card, flash disk
+ Not flexible
+ More secure and more reliable
Key and digital certificate management
Escrow
Escrow is where copies of private keys are stored in a centralized key management system.
A user who loses or damages a key can recover the private key from Escrow. Users can keep several copies at several Escrow companies. However, an administrator inside the company or a hacker can attack the Escrow store to obtain users' keys.
Key and digital certificate management
Expiration, revocation and suspension
Keys and digital certificates (like credit cards) have an expiry date. When they expire, the key and the digital certificate are revoked.
When a key is found to be exposed or lost, the user can request revocation of the digital certificate. The CA puts the certificate's serial number on a blacklist. The blacklist is called the CRL, and the CA must publish it.
To stop using a key or certificate temporarily, the user can request suspension. A suspended key and certificate can be restored later.
Key and digital certificate management
Renewal
Before a key or digital certificate expires, the user can send a request to renew the key and the certificate. Using the old key would violate the security policy => it is a risk => be careful and weigh the decision when renewing.
Key and digital certificate management
Destruction
When keys and certificates are no longer in use, the information about them must be removed from the software, or the hardware storing this information must be destroyed, to prevent misuse by malicious parties.
Key and digital certificate management
Key usage
Key usage strategy:
How the key will be used must be determined. Symmetric or asymmetric keys? One key, or are additional keys needed? Besides keys, are other levels of security needed?
Keys are widely used in:
VPNs such as IPSec.
The SSL and TLS protocols.
SSL in HTTP: HTTPS
Secure HTTP: Secure HTTP (SHTTP)
Secure remote access: SSH
Email security: PGP, S/MIME