an ninh mang minh 2015
DESCRIPTION
very interestingTRANSCRIPT
-
AN NINH MNG THNG TIN
HC VIN CNG NGH BU CHNH VIN THNG
Ging vin: TS. Hong Trng Minh
Email: [email protected], Nguyn Thanh Tr, Dng Thanh T
H Ni, 2015
-
m
GII THIU MN HC
Tn hc phn
o An ninh mng thng tin
S n v hc trnh: 04
Mc tiu
o Cung cp cho sinh vin cc kin thc cn bn v an
ninh gm:
- an ninh thng tin ni chung,
- an ninh mng hu tuyn,
- an ninh truy nhp mng internet v truy nhp AAA v IMS,
- an ninh mng truy nhp v tuyn ca cc h thng thng
tin di ng t 2G n 4G
- an ninh mng WLAN, WiMAX
-
m
GII THIU MN HC
Cc ni dung chnh
o Tng quan an ninh trong cc h thng thng tin
o Cng ngh ni mng s liu v an ninh
o Cng ngh an ninh trong GSM v GPRS
o Cng ngh an ninh trong 3G UMTS
o Cng ngh an ninh trong MIP
o Cng ngh an ninh trong CDMA2000
-
m
GII THIU MN HC
Cc ni dung chnh
o An ninh trong chuyn mng 2G sang 3G, hin trng
an ninh 2G ti Vit Nam v th gii
o An ninh trong cc mng LAN v tuyn
o An ninh trong 4G LTE/SAE
o An ninh trong mng WiMAX
nh gi
o Tham gia hc tp trn lp : 10 %
o Thc hnh/Th nghim/Bi tp/Tho lun: 15 %
o Kim tra gia k : 15 %
o Kim tra cui k : 60%
-
m
TNG QUAN V AN NINH
Cc ni dung chnh trong chng 1
1.1. To lp mt mi trng an ninh
1.2. Cc e da an ninh
1.3. Cc cng ngh an ninh
1.4. Nhn thc v kim sot truy nhp
1.5. H tng kha cng khai
1.6. Cc giao thc hng u
1
-
m
TNG QUAN V AN NINH
Cc ni dung chnh trong chng 1
1.7. Cc bin php an ninh khc
1.8. An ninh giao thc v tuyn, WAP
1.9. An ninh mc ng dng
1.10. An ninh client thng minh
1.11. M hnh an ninh tng qut ca mt h thng
thng tin di ng
Tng kt v cu hi
1
-
m
TNG QUAN V AN NINH
Cc kha cnh chnh ca an ninh thng tin
o Nhn thc (Authentication)
o Cm t chi (Non repudiation)
o Chng pht li (Non-replay)
o Ton vn s liu (Integrity)
o M ha (Encryption)
o Trao quyn (Authorization)
(Tnh bo mt Confidentiality)
1
-
m
TNG QUAN V AN NINH
Cc kha cnh chnh ca an ninh thng tin
o Nhn thc
Xc nhn rng i tng (con ngi hay phn mm ) c
cp php truy cp vo h thng. (mt khu, sinh trc hc)
o Cm t chi Yu cu cc bn c trch nhim vi giao dch c tin
hnh v bao gm c nhn dng i tng tham gia nhm
trnh chi b.
o Trao quyn Xc nh quyn truy nhp c th cho i tng truy nhp
vo h thng. Quyn truy nhp c th gm nhiu mc, kiu
hoc hot ng v gn cht vi nhn thc.
1
-
m
TNG QUAN V AN NINH
Cc kha cnh chnh ca an ninh thng tin
o Ton vn s liu
m bo rng s liu truyn khng b thay i hay b ph
hoi trong qu trnh truyn dn t ni pht n ni thu.
o Mt m ha
m bo tnh ring t ca s liu chng li s nghe hoc
c trm s liu t nhng ngi khng c php.
o Chng pht li
Trnh cc bn tham gia pht li cc bn tin gy ra hin
tng t chi dch v ca bn nhn.
1
-
m
TNG QUAN V AN NINH
Cc nguy c e da an ninh
o Mo danh
K tn cng truy nhp vo h thng (ngun thng tin) bng
mt account hp l;
Cc bc tip theo l tm hiu v t nhp su hn vo h
thng;
K tn cng cng c th gi lm ngun thng tin ly thng
tin t ngi dng hp l;
Cc k thut nhn thc l gii php chng li cc nguy c
ny.
1
-
m
TNG QUAN V AN NINH
Cc nguy c e da an ninh
o Gim st
Nghe trm thng tin trn ng truyn (thc cht l nghe
trm in t);
D thc hin, kh pht hin;
Mt m ha l cng c chng li nguy c loi ny.
1
-
m
TNG QUAN V AN NINH
Cc nguy c e da an ninh
o Sa thng tin
ng vai tr trung gian nhm thay i ni dung thng tin;
Ph bin trong cc mi trng truyn dn m;
Vi phm tnh ton vn ca thng tin;
Mt m ha l cng c chng li nguy c loi ny.
1
-
m
TNG QUAN V AN NINH
Cc nguy c e da an ninh
o Lm gi thng tin
K tn cng lu thng tin hoc truyn thng tin nh bn gc
theo phng cch hp l;
Bn tin c th c pht li nhiu ln;
Cc chng thc bn tin vn c th hp l;
1
-
m
TNG QUAN V AN NINH
Cc gii php cng ngh m bo an ninh
o Mt m
Mt m hay m ha d liu (cryptography), l mt cng c
c bn thit yu ca bo mt thng tin.
Mt m p ng c cc nhu cu v tnh bo mt
(confidentiality), tnh chng thc (authentication) v tnh
khng t chi (non-repudiation) ca mt h truyn tin.
1
-
m
TNG QUAN V AN NINH
Cc gii php cng ngh m bo an ninh
o Cc gii thut v giao thc
Cng ngh mt m hot ng nhiu mc
Mc thp: Gii thut mt m - Trnh by cc bc tnh ton
(i d liu t khun dng ny sang khun dng khc)
Giao thc c xy dng da trn gii thut
M t ton b qu trnh thc hin cc hot ng ca cng
ngh mt m; Gii thut chu trch nhim mt m ha d liu,
truyn d liu v trao i kha;
Gii thut mnh khng ng ngha vi giao thc mnh
1
-
m
TNG QUAN V AN NINH
Cc gii php cng ngh m bo an ninh
o Mt m ha s liu
S liu gc (vn bn th) c bin i thnh dng khng
th hiu c (vn bn m ha);
m bo tnh ring t ca s liu ngay c khi b ri vo tay
bn th 3;
hiu c s liu, cn chuyn v dng gc: Gii mt m
Gii thut hin i s dng kha mt m ha v gii mt
m s liu;
Hai loi: i xng v bt i xng.
1
-
m
TNG QUAN V AN NINH
M ha i xng o Gii thut i xng
Cc gii thut i xng s dng mt kha duy nht mt m v gii mt m tt c cc bn tin;
Pha pht s dng kha mt m ha bn tin, sau gi n n pha thu ch nh;
Nhn c bn tin, pha thu s dng chnh kha ny gii mt m bn tin.
Gii thut ny lm vic tt khi c cch an ton trao i kha gia cc ngi s dng.
Mt m ha i xng cn c gi l mt m bng kha b mt.
Dng ph bin nht ca phng php ny l DES (Data Encryption Standard: Tiu chun mt m ha s liu) c pht trin vo nhng nm 1970.
1
-
m
TNG QUAN V AN NINH
M ha i xng c in
o M ha Ceasar
Th k th 3 trc cng nguyn, nh qun s ngi La
M Julius Ceasar ngh ra phng php m ha mt bn
tin nh sau: thay th mi ch trong bn tin bng ch ng
sau n k v tr trong bng ch ci. (v d k=3)
1
-
m
TNG QUAN V AN NINH
M ha i xng c in
o M hnh m ha i xng
1
Bn r P (plaintext)
Thut ton m ha E (encrypt algorithm)
Kha b mt K (secret key)
Bn m C (ciphertext)
Thut ton gii m D (decrypt algorithm)
Trong : C = E (P, K) P = D (C, K)
-
m
TNG QUAN V AN NINH
M ha i xng c in
o c tnh c bn ca m ha i xng
Mt c tnh quan trng ca m ha i xng l kha
phi c gi b mt gia ngi gi v ngi nhn, hay
ni cch khc kha phi c chuyn mt cch an ton t
ngi gi n ngi nhn. (knh an ton, dng nhiu ln);
c tnh quan trng th hai ca mt h m ha i xng l
tnh an ton ca h m. Mt bn m c th d dng suy ra
c bn r ban u m khng cn bit kha b mt
(Ceasar).
Do mt h m ha i xng c gi l an ton khi v
ch khi n khng th b ph m - khng cn kha (iu kin
l tng) hoc thi gian ph m l bt kh thi.
1
-
m
TNG QUAN V AN NINH
M ha i xng c in
o c tnh c bn ca m ha i xng
K ph m c th th c ht tt c cc trng hp ca
kha. Phng php tn cng ny c gi l phng php
vt cn kha (bruteforce attack);
Ch cn ni rng min gi tr ca kha th c th tng thi
gian ph m n mt mc c coi l bt kh thi.
1
-
m
TNG QUAN V AN NINH
M ha i xng c in
o M ha thay th n bng (Monoalphabetic
Substitution Cipher)
Phng php n bng tng qut ha phng php
Ceasar bng cch dng m ha khng phi l mt dch
chuyn k v tr ca cc ch ci A, B, C, na m l mt
hon v ca 26 ch ci ny (mi hon v c xem nh l
mt kha).
Tn cng ph m vt cn kha l bt kh thi;
Al-Kindi pht hin ra mt phng php ph m kh thi
da trn tn sut xut hin ca ch ci. Phng php m
ha n bng nh x mt ch ci trong bn r thnh mt
ch ci khc trong bn m. Do cc ch ci trong bn m
cng s tun theo lut phn b tn sut trn.
1
-
m
TNG QUAN V AN NINH
M ha i xng c in o M ha thay th a k t (Playfair)
M ha Playfair xem hai k t ng st nhau l mt n v m ha, hai k t ny c thay th cng lc bng hai k t khc.
Playfair dng mt ma trn 5x5 cc k t nh sau:
T kha c xp vo hng u;
K t cng hng th thay tip theo
hng v vng li;ar RM
K t cng ct th thay tip theo ct
v vng li; ov HO
Cn li, k t c thay bng v tr
Trn ng cho ca hnh ch nht.
hs BP, ea JM
1
-
m
TNG QUAN V AN NINH
M ha i xng c in
o M ha thay th a k t (Hill)
Trong m Hill, mi ch ci c gn cho mt con s nguyn
t 0 n 25;
M Hill thc hin m ha mt ln m k t bn r (k
hiu p1, p2,,pm), thay th thnh m k t trong bn m (k
hiu c1, c2,,cm).
Vic thay th ny c thc hin bng m phng trnh tuyn
tnh. Gi s m = 3
1
-
m
TNG QUAN V AN NINH
M ha i xng c in
o M ha thay th a k t (Hill)
Hay: C = KP mod 26 vi P v C l vector i din cho bn
r v bn m, cn K l ma trn dng lm kha.
Bng gii m l: K -1 C mod 26 = K -1KP mod 26 = P
(iu kin, tn ti ma trn nghch o ca K)
1
-
m
TNG QUAN V AN NINH
M ha i xng c in
o M hon v (Hill)
Xo trn th t ca cc ch ci trong bn r;
Mt cch thc hin n gin l ghi bn r theo tng hng,
sau kt xut bn m da trn cc ct;
Mt c ch phc tp hn l chng ta c th hon v cc ct
trc khi kt xut bn m. V d chn mt kha l
MONARCH, ta c th hon v cc ct;
1
attackpostponeduntilthisnoon
AODHTSUITTNSAPTNCOIOKNLOPETN
APTNKNLOPETNAODHTTNSTSUICOIO
-
m
TNG QUAN V AN NINH
M ha i xng hin i
o Khi nim c s
Bn tin: attack
M ASCII: 97 116 116 97 99 107
Biu din nh phn: 01100001 01110100 01110100
01100001 01100011 01101011;
bn tin nh phn cng tn ti mt s c tnh thng k no
m ngi ph m c th tn dng ph bn m;
M ha hin i quan tm n vn chng ph m trong
cc trng hp bit trc bn r (known-plaintext), hay
bn r c la chn (chosen-plaintext).
Gi s dng mt kha K gm 4 bt 0101 m ha bn r
trn bng php XOR
1
-
m
TNG QUAN V AN NINH
M ha i xng hin i
o M lung (stream cipher)
M lung c cc c tnh sau:
1
Qu trnh gii m c thc hin ngc li, bn m C c XOR
vi dy s ngu nhin S cho ra li bn r ban u
im quan trng nht ca cc m lung l b sinh s ngu nhin.
-
m
TNG QUAN V AN NINH
M ha i xng hin i
o M khi (stream cipher)
chng ph m trong trng hp known-plaintext hay
choosen-plaintext, ch c th l lm cho P v C khng c mi
lin h ton hc. iu ny ch c th thc hin c nu ta
lp mt bn tra cu ngu nhin gia bn r v bn m.
Cc m ha n gin thng l php thay th
(substitution, S-box) v hon v (Permutation, P-box). Do
ngi ta hay gi m ha tng l Substitution-
Permutation Network (mng SPN).
1
-
m
TNG QUAN V AN NINH
M ha i xng hin i
o M khi (stream cipher)
Tnh khuch tn: mt bt ca bn r tc ng n tt c cc
bt ca bn m, hay ni cch khc, mt bt ca bn m chu
tc ng ca tt c cc bt trong bn r. Vic lm nh vy
nhm lm gim ti a mi lin quan gia bn r v bn m,
ngn chn vic suy ra li kha. Tnh cht ny c c da
vo s dng P-box kt hp S-box.
Tnh gy ln: lm phc tp ha mi lin quan gia bn m
v kha. Do cng ngn chn vic suy ra li kha. Tnh
cht ny c c da vo s dng S-box.
1
-
m
TNG QUAN V AN NINH
M ha i xng hin i o M hnh m Feistel
Trong h m Feistel, bn r s c bin i qua mt s vng cho ra bn m cui cng.
Trong bn r P v cc bn m Ci c chia thnh na tri v na phi: P = (L0, R0); Ci = (Li, Ri) i = 1, 2, n;
Quy tc bin i cc na tri phi ny qua cc vng c thc hin nh sau:
1
-
m
TNG QUAN V AN NINH
M ha i xng hin i
o M hnh m Feistel
1
Ki l mt kha con cho vng th i.
Kha con ny c sinh ra t kha
K ban u theo mt thut ton sinh
kha con (key schedule): K - K1 - K2 Kn . F l mt hm m ha dng chung
cho tt c cc vng (thay th); Bn m C c tnh t kt xut ca vng cui cng: C = Cn = (Ln, Rn)
-
m
TNG QUAN V AN NINH
M ha i xng hin i
o M ha DES (Data Encryption Standard)
L m thuc h m Feistel gm 16 vng, ngoi ra DES c
thm mt hon v khi to trc khi vo vng 1 v mt hon
v khi to sau vng 16;
Kch thc ca khi l 64 bt: v d bn tin
meetmeafterthetogaparty biu din theo m ASCII th m
DES s m ha lm 3 ln, mi ln 8 ch ci (64 bt):
meetmeaf - tertheto - gaparty;
Kch thc kha l 56 bt;
Mi vng ca DES dng kha con c kch thc 48 bt
c trch ra t kha chnh.
1
-
m
TNG QUAN V AN NINH
M ha i xng hin i
o M ha DES (Data Encryption Standard)
1
-
m
TNG QUAN V AN NINH
M ha i xng hin i
o M ha DES (Data Encryption Standard)
Ta nh s cc bt ca khi 64 bt theo th t t tri sang
phi l 0, 1, , 62, 63; b0, b1,..b63 .
Hon v khi to s hon i cc bt theo quy tc sau (1)
Hon v kt thc hon i cc bt theo quy tc sau (2)
Hon v kt thc chnh l hon v nghch o ca hon v
khi to,
1
-
m
TNG QUAN V AN NINH
M ha i xng hin i
o M ha DES (Data Encryption Standard)
1
-
m
TNG QUAN V AN NINH
M ha i xng hin i
o an ton ca DES
Tn cng vt cn kha (Brute Force Attack): chiu di kha
l 56 bit (tn cng kh thi, s dng tnh ton song song);
Ph m DES theo phng php vi sai (differential
cryptanalysis): Phng php vi sai tm kha t tn thi gian
hn brute-force. Tuy nhin phng php ph m ny li i
hi phi c 247 cp bn r - bn m c la chn (chosen-
plaintext). Bt kh thi.
Ph m DES theo phng php th tuyn tnh (linear
cryptanalysis): Matsui a ra phng php ph m tuyn
tnh. Trong phng php ny, cn phi bit trc 243 cp
bn r-bn m (known-plaintext). Kh thi
Thay th bng TripleDEC, AES
1
-
m
TNG QUAN V AN NINH
M ha i xng hin i o Tiu chun m ha tin tin AES
Thut ton c tn l Rijndael i tn thnh Andvanced Encryption Standard hay AES.
M ha AES vi kha c kch thc 256 bt (an ton);
Ging nh DES, m ha AES l mt m khi gm nhiu vng;
Khc vi DES, m ha AES khng phi l mt m ha Feistel;
Cho php la chn kch thc khi m ha l 128, 192 hay 256 bt.
Cho php la chn kch thc ca kha mt cch c lp vi kch thc khi: l 128, 192 hay 256 bt.
S lng vng c th thay i t 10 n 14 vng ty thuc vo kch thc kha.
1
-
m
TNG QUAN V AN NINH
M hnh ng dng ca m khi
o Bn tin di c chia thnh nhiu khi
o Electronic Codebook ECB
Mi khi c m ha mt cch ring r, dng chung mt
kha K;
Trong m ha ECB, nu Pi = Pj th Ci = Cj v ngc li.
1
-
m
TNG QUAN V AN NINH
M hnh ng dng ca m khi
o Cipher Block Chaining CBC
o Bn m ca mt ln m ha c s dng cho ln m ha tip
theo;
o m ha khi u tin, ngi ta dng mt khi d liu gi
c gi l vector khi to (initialization vector IV) v c
chn ngu nhin;
o gii m, tin hnh ngc li:
1
-
m
TNG QUAN V AN NINH
M ha kha cng khai
o M ha i xng d rng pht trin t c in
n hin i, vn tn ti hai im yu sau;
Vn trao i kha gia ngi gi v ngi nhn (knh an
ton l kh kh thi)
Tnh b mt ca kha: khng c c s quy trch nhim nu
kha b tit l.
o Whitfield Diffie v Martin Hellman tm ra phng
php m kha cng khai/ m kha bt i xng.
o C phng php no vic m ha v gii
m dng hai kha khc nhau? C ngha l C =
E(P, K1) v P = D(C, K2).
1
-
m
TNG QUAN V AN NINH
M ha kha cng khai o Ngi nhn gi b mt kha K2, cn kha K1 th cng khai cho tt
c. Ngi gi dng kha K1 m ha, ngi nhn dng K2 gii m. (m bo bo mt)
o Ngi gi gi b mt kha K1, cn kha K2 th cng khai cho tt c. Ngi gi dng kha K1 m ha, ngi nhn dng K2 gii m. (khng m bo bo mt nhng m bo tnh chng thc v tnh khng t chi)
o Kha ring (bi mt) l KR. Kha cng khai l KU, Bn r c k hiu l M, cn bn m l C;
o KR=fKU l cc hm mt chiu; cc phng php Knapsack, RSA, Elgaman, v phng php ng cong elliptic ECC
1
-
m
TNG QUAN V AN NINH
M ha kha cng khai
o Phng php RSA l mt phng php m ha kha
cng khai. RSA c xy dng bi cc tc gi Ron
Rivest, Adi Shamir v Len Adleman ti hc vin MIT
vo nm 1977;
o V mt tng qut RSA l mt phng php m ha
theo khi.
o Trong bn r M v bn m C l cc s nguyn t
0 n 2i vi i s bt ca khi.
o Kch thc thng dng ca i l 1024 bt. RSA s
dng hm mt chiu l phn tch mt s thnh tha
s nguyn t.
1
-
m
TNG QUAN V AN NINH
M ha kha cng khai
o Nguyn tc thc hin ca RSA:
o thc hin m ha v gii m, RSA dng php ly
tha modulo ca l thuyt s. 1) Chn hai s nguyn t ln p v q v tnh N = pq. Cn chn p v
q sao cho: M < 2i-1< N < 2i
Vi i = 1024 th N l mt s nguyn di khong 309 ch s.
2) Tnh n = (p - 1)(q - 1)
3) Tm mt s e sao cho e nguyn t cng nhau vi n
4) Tm mt s d sao cho (d l nghch o ca e trong
php modulo n)
5) Hy b n, p v q. Chn kha cng khai KU l cp (e, N),
kha ring KR l cp (d, N)
1
-
m
TNG QUAN V AN NINH
M ha kha cng khai
o Nguyn tc thc hin ca RSA:
1
-
m
TNG QUAN V AN NINH
M ha kha cng khai
o an ton ca RSA o Vt cn kha: cch tn cng ny th tt c cc kha d c th c tm
ra bn gii m c ngha, tng t nh cch th kha K ca m ha
i xng. Vi N ln, vic tn cng l bt kh thi;
o Phn tch N thnh tha s nguyn t N = pq: Chng ta ni rng vic
phn tch phi l bt kh thi th mi l hm mt chiu, l nguyn tc
hot ng ca RSA. (Thut ton mi, tc tnh ton: kh thi);
o o thi gian: y l mt phng php ph m khng da vo mt ton
hc ca thut ton RSA, m da vo mt hiu ng l sinh ra bi qu
trnh gii m RSA. Hiu ng l l thi gian thc hin gii m bng
thut ton bnh phng lin tip tm d.
1
-
m
TNG QUAN V AN NINH
M ha kha cng khai
o M hnh bo mt v khng chi t
1
-
m
TNG QUAN V AN NINH
M ha kha cng khai
o Kt hp bo mt, khng t chi v chng thc
1
-
m
TNG QUAN V AN NINH
M ha kha cng khai
o Trao i kha
Gim gnh nng cho tng c nhn, mt m hnh gi l
chng ch kha cng khai (public-key certificate) c s
dng. Trong m hnh ny c mt t chc lm nhim v cp
chng ch c gi l trung tm chng thc (Certificate
Authority CA).
1
-
m
TNG QUAN V AN NINH
M ha kha cng khai
o Cp chng ch
A gi nh danh IDA v kha cng khai KUA ca mnh n
trung tm chng thc.
2) Trung tm chng nhn kim tra tnh hp l ca A,
v d nu IDA l Microsoft, th Alice phi c bng
chng chng t mnh thc s l cng ty Microsoft.
3) Da trn c s , trung tm chng thc cp mt chng
ch CA xc nhn rng kha cng khai KUA l tng
ng vi IDA. Chng ch c k chng thc bng kha ring
ca trung tm m bo rng ni dung ca chng ch l
do trung tm ban hnh.
1
-
m
TNG QUAN V AN NINH
M ha kha cng khai
o Cp chng ch
4) A cng khai chng ch CA .
5) B mun trao i thng tin vi A th s gii m CA bng
kha cng khai ca trung tm chng thc c c kha
cng khai KUA ca A . Do nu B tin tng vo trung tm
chng thc th B s tin tng l KUA l tng ng vi IDA,
tc tng ng vi A .
1
-
m
TNG QUAN V AN NINH
M ha kha cng khai
o Phng php trao i kha Diffie Hellman
o Trao i kha Diffie-Hellman dng thit lp mt kha b mt
gia ngi gi v ngi nhn m khng cn dng n
m ha cng khai.
o Phng php ny dng hm mt chiu lm hm logarith ri rc.
Diffie-Hellman khng c ngha v mt m ha ging nh RSA.
o Trc tin A v B s thng nht s dng chung mt s
nguyn t p v mt s g nh hn p v l primitive root ca p
(ngha l php ton gx mod p kh nghch)
o Hai s p v g khng cn gi b mt. Sau A chn mt s a
v gi b mt s a ny. B cng chn mt s b v gi b mt s
b. Tip theo A tnh v gi ga mod p cho B, B tnh v gi gb mod
p cho A.
1
-
m
TNG QUAN V AN NINH
M ha kha cng khai
o Phng php trao i kha Diffie Hellman
o Trn c s A tnh
Trn c s B tnh
Do A v B c chung gi tr gab mod p. Gi tr ny c th dng
lm kha cho php m ha i xng.
Mun tnh c gab mod p, k ph m c th c c g, p, ga v gb
Tuy nhin, vic tnh a hay b theo cng thc: a = dlogg, p ga
hay b = dlogg, p gb l khng kh thi do tnh phc tp ca php
logarith ri rc.
Kha dng chung c trao i b mt gia A v B .
1
-
m
TNG QUAN V AN NINH
M ha kha cng khai
o c trng c bn ca trao i kha Diffie Hellman
Cc kha b mt ch c to khi cn thit. Khng cn phi
cha cc kha b mt trong mt khong thi gian di.
Vic tha thun da trn cc tham s chung.
o Nhc im bo mt trao i kha Diffie Hellman
N khng cung cp thng tin bt k v cc nh danh ca
cc bn.
N an ton i vi vic tn cng th ng ngha l mt
ngi th ba bit a, b s khng tnh c K. Tuy nhin giao
thc l khng an ton i vi vic tn cng ch ng bng
cch nh tro gia ng hay cn gi l kiu tn cng
Man in the Midle".
1
-
m
TNG QUAN V AN NINH
Vn xc thc o Cc tn cng
Ci trang (Massquerade) : chn cc bn tin vo mng t mt ngun la o. Ci trang bao gm c vic to ra cc bn tin bi k tn cng nhng li c v nh n t ngi u nhim.
Sa i ni dung (Content modification) : thay i ni dung ca bn tin bao gm cc thao tc chn, xa, chuyn v hay sa i.
Sa i th t (Sequence modification) : sa i dy bn tin gia cc bn bao gm thao tc chn, xa, v thay i th t cc thng bo trong dy.
Sa i thi gian (Timing modification) : lm tr hoc dng li bn tin.
o Xc thc:
m bo bn tin xut pht ng t ngi gi
m bo bn tin khng b thay i, gi mo.
1
-
m
TNG QUAN V AN NINH
Vn xc thc
o Cc hm xc thc c chia thnh ba lp nh sau :
Lp m bn tin (Message encryption) : bn m ca thng
bo l bng chng xc thc.
Tng kim tra mt m (Cryptographic checksum): Mt hm
chung ca bn tin v mt kho b mt to thnh mt gi tr
di c nh lm bng chng xc thc
Hm bm (Hash funtions) : Mt hm chung nh x mt bn
tin c di bt k thnh mt gi tr Hash lm bng
chng xc thc.
1
-
m
TNG QUAN V AN NINH
Vn xc thc
o Checksum
Internet checksum c mt s c tnh ging nh hm bm
hash:
To ra cc tm tt di c nh (16-bit sum);
nh x many-to-one.
Khng an ton: C th d dng to ra 2 bn tin khc nhau c
cng checksum.
1
-
m
TNG QUAN V AN NINH
Vn xc thc
o Hm bm
Hm Hash nhn bn tin R c kch c bin i lm u vo
v sinh ra m Hash c kch c c nh H(R), gi l gi tr tm
lc u ra.
M Hash l hm ca tt c cc bt ca bn tin v cung cp
cung cp kh nng pht hin sai.
S thay i i vi bt bt k hoc cc lot bt trong bn tin
s sinh ra s thay i trong m Hash.
1
-
m
TNG QUAN V AN NINH
Vn xc thc
o Hm bm (cc yu cu)
H c th thao tc vi khi d liu kch thc bt k.
H to ra u ra di c nh.
H(x) c tnh d dng vi x bt k.
Vi gi tr m bt k ca hm Hash, khng th tm ra x H(x)
= m.
Vi khi x bt k, khng th tm y # x H(y) = H(x).
Khng th tm ra cp (x,y) tho mn H(x) = H(y).
MD5 hash function (RFC 1321) - 128-bit.
SHA-1 - US standard [NIST, FIPS PUB 180-1], 160-bit.
1
-
m
TNG QUAN V AN NINH
Vn xc thc
o Hm bm (s dng)
1
Ngi s dng A Ngi s dng B
To ra 124 bit Digest (t bn tin gc)
Mt m (Digest) bng kha ring ca A
Gi (bn tin gc, Digest c mt m)
Gii mt m (Digest) bng kha
cng khai ca A
To ra 128 bit Digest (t
bn tin gc)
So snh Digest
-
m
TNG QUAN V AN NINH
Vn xc thc
o M xc thc bn tin MAC (Message Authentication
Code)
Xc thc bn tin bng hm hash
A m bn tin m v hm bm H(m).
A gi m v H(m) cho B.
B nhn c bn tin v bm, tnh ton bm v so snh hm
bm H(m) nhn c xc thc.
Ngi gi mo gi bn tin m,H(m) v gi cho B bn tin
m,H(m)???
M xc thc bn tin MAC.
1
-
m
TNG QUAN V AN NINH
Vn xc thc
o Hm bm (lu thc hin)
1
S liu
Gii thut
MAC
S liu
MAC
S liu
MAC
Gii thut
MAC
MAC=?
Kho b mt
chia s
Kha b mt
chia s
-
m
TNG QUAN V AN NINH
Vn xc thc
o Hm bm (lu thc hin)
1
-
m
TNG QUAN V AN NINH
Vn xc thc
o Hm bm (lu thc hin)
1
-
m
TNG QUAN V AN NINH
Vn xc thc
o Kin trc CMAC Cipher based MAC
1
-
m
TNG QUAN V AN NINH
Ch k in t
1
Nu ch dng m xc thc:
1. Gi mo ni dung thng bo
2. T chi trch nhim
Ch k in t:
N c kh nng kim tra ngi k
v thi gian k.
N xc thc c ni dung thng
tin ti thi im k.
Ch k phi c kim tra bi cc
bn th ba gii quyt tranh
chp.
Ngi gi k ti liu, thit lp ch quyn cho ti liu
Ngi nhn chng minh c cho mi ngi chnh ngi gi k ti
liu.
-
m
TNG QUAN V AN NINH
Ch k in t
o Yu cu ca ch k s
Yu cu 1 : Ch k s phi l mt mu bt nh phn ph
thuc vo bn tin c k.
Yu cu 2: Ch k s phi dng thng tin ch c i vi
ngi gi trnh c gi mo v t chi trch nhim.
Yu cu 3 : Ch k s phi tng i d c to ra.
Yu cu 4 : Ch k s phi d c nhn ra v kim tra.
Yu cu 5 : Ch k s phi khng th gi mo c v mt
tnh ton hoc bng cch to bn tin mi t ch k s c
hoc to ch k s gi mo cho mt bn tin c th.
Yu cu 6 : Trong ci t, ch k s phi d dng c tch
ra v lu tr.
1
-
m
TNG QUAN V AN NINH
Ch k in t
o Kiu n gin
S dng m ha kha cng khai: B gi bn tin m v ch k
m ha bng kha ring KRB(m)
A nhn c bn tin m v ch k KRB(m)
A xc minh m k bi B bng public key KUB:
KUB(KRB(m) )=m.
Nu KUB(KRB(m)) = m, ngi k m phi s dng kha ring
ca B.
1
-
m
TNG QUAN V AN NINH
Ch k in t
o Kiu xc minh
A xc minh c:
B k bn tin m.
Khng c ai khc k m.
B k chnh bn tin m ch khng phi m.
Chng chi b:
A c th dng m, v ch k KRB(m) chng minh B k m.
1
-
m
TNG QUAN V AN NINH
Ch k in t
o Kiu da trn MAC
1
large message m
H: hash
function H(m)
digital
signature
(encrypt)
Bobs
private
key K B
-
+
Bob gi bn tin k s Alice xc minh ch k v hon
nguyn bn tin
KB(H(m)) -
encrypted
msg digest
KB(H(m)) -
encrypted
msg digest
large message m
H: hash
function
H(m)
digital
signature
(decrypt)
H(m)
Bobs
public
key K B
+
-
m
TNG QUAN V AN NINH
Ch k in t
o M t chu trnh to ch k
1
-
m
TNG QUAN V AN NINH
Chng ch s ca kha cng khai
o Cc c im c bn
Vn ca kha cng khai:
Khi A nhn c kha cng khai ca B (t Web site, e-mail,
); Lm th no bit l kha cng khai ca B, ch
khng phi ca ngi mo danh?
Gii php:
Thm quyn chng ch tin cy (trusted certification authority -
CA).
1
-
m
TNG QUAN V AN NINH
Chng ch s ca kha cng khai
o Cc yu t chnh
Chng ch s Certification Authority (CA): lin kt kha cng
khai vi thc th c th E.
E ng k kha cng khai vi CA.
E cung cp bng chng nh danh (proof of identity) cho CA.
CA m chng ch (certificate) rng buc E vi kha cng khai
ca n.
Chng ch cha kha cng khai ca E c k s bi CA: CA
thng bo y chnh l kha cng khai ca E.
1
-
m
TNG QUAN V AN NINH
Chng ch s ca kha cng khai
o C ch ly kha
Khi A mun kha cng khai ca B:
Ly chng ch s ca B (t B hoc t u ).
p dng kha cng khai ca CA cho chng ch ca B, gii m
ly kha cng khai ca B.
1
Bobs public
key K B +
digital signature (decrypt)
CA public
key K CA
+
K B +
- K CA (K ) B
+
-
m
TNG QUAN V AN NINH
Chng ch s ca kha cng khai
o C ch ly kha
1
-
m
TNG QUAN V AN NINH
Chng ch s ca kha cng khai
o M hnh quy
1
-
m
TNG QUAN V AN NINH
Chng ch s ca kha cng khai
o Chng ch s X.509 v.1 v v.2
1
-
m
TNG QUAN V AN NINH
Chng ch s ca kha cng khai
o Chng ch s X.509 v.3
i tng c th c cc chng ch khc nhau vi cc kha
cng khai khc nhau v gi thit rng cc cp kha cn c
cp nht nh k, do vy cn phi c cch phn bit cc
chng ch khc nhau ca i tng ny mt cch d dng.
Mt tn i tng tr thnh tn duy nht nhng n khng c
thng tin cho nhng ngi s dng chng ch khc nhn
dng i tng, do cn c thm thng tin nhn dng i
tng.
Mt s cc ng dng cn nhn dng nhng ngi s dng
thng qua cc dng tn xc nh ng dng. V d: trong an
ton th tn in t; trong vic gn kt mt kha cng khai vi
mt a ch th tn in t.
1
-
m
TNG QUAN V AN NINH
Chng ch s ca kha cng khai
o Chng ch s X.509 v.3
1
-
m
TNG QUAN V AN NINH
Chng ch s ca kha cng khai
o Thu hi chng ch s
1
-
m
TNG QUAN V AN NINH
Chng ch s ca kha cng khai
o Thu hi chng ch s X.509 v.3
1
-
m
TNG QUAN V AN NINH
Cc loi chng ch s
o Chng ch SSL cho my khch
S dng chng thc my khch vi my dch v bng giao
thc bo mt SSL. Bnh thng, nh danh ca mt my khch
c th c tha nhn vi nh danh ca mt ngi, v d
nhn vin ca mt cng ty, mt cng dn.
o Chng ch SSL cho my dch v
S dng chng thc my dch v vi my khch bng giao
thc SSL. Chng thc my dch v l mt iu kin cn thit
cho mt phin lm vic trong giao thc bo mt SSL.
1
-
m
TNG QUAN V AN NINH
Cc loi chng ch s o Chng th S/MIME (S/MIME certificates)
Dng k v m ha th in t. Vi mt chng th SSL cho my khch nh danh ca my khch c tha nhn nh nh danh ca mt ngi. Mt chng ch n cng c th c s dng chung cho hai loi chng th S/MIME v chng th SSL cho my khch (Client SSL certificate)..
o Chng th k cho i tng Dng chng thc nhng ngi k cho Java code,
Javascipt, hoc nhng file v phn mm cn c k.
o Chng th cho CA S dng chng thc cho cc CA. Phn mm my khch
v my dch v s dng chng th ca CA xc nh cc chng th khc c tin tng c khng.
1
-
m
TNG QUAN V AN NINH
H tng kha cng cng PKI
o Chu trnh xy dng PKI
1
-
m
TNG QUAN V AN NINH
H tng kha cng cng PKI
o Cc thnh phn
T chc pht hnh chng ch (Certificate Authority - CA):
L mt bn th ba c tin cy c trch nhim to, qun l,
phn phi, lu tr v thu hi cc chng ch s. CA s nhn cc
yu cu cp chng ch s v ch cp cho nhng ai xc minh
c nhn dng ca h.
T chc ng k (Registration Authority - RA):
ng vai tr trung gian gia CA v ngi dng. Khi ngi
dng cn chng ch s mi, h gi yu cu ti RA v RA s
xc nhn tt c cc thng tin nhn dng cn thit trc khi
chuyn tip yu cu ti CA CA thc hin to v k s ln
chng ch ri gi v cho RA hoc gi trc tip cho ngi dng.
1
-
m
TNG QUAN V AN NINH
H tng kha cng cng PKI
o Cc thnh phn
Kho v lu tr chng th (Certificate Repository v
Archive - CRA) :
u tin l kho lu tr cng khai v phn phi cc chng th
v CRL (cha danh sch cc chng th khng cn hiu lc).
Kho th hai l mt c s d liu c CA dng sao lu cc
kha hin ang s dng v lu tr cc kha ht hn, kho ny
cn c bo v an ton nh chnh CA.
My ch bo mt (Security Server - SS):
L mt my ch cung cp cc dch v qun l tp trung tt c
cc ti khon ngi dng, cc chnh sch bo mt chng th
s, cc mi quan h tin cy (trusted relationship) gia cc CA
trong PKI, lp bo co v nhiu dch v khc.
1
-
m
TNG QUAN V AN NINH
H tng kha cng cng PKI
o Cc thnh phn
Cc ng dng cho php PKI v nhng ngi s dng PKI
(PKI-enabled applications v PKI users):
Bao gm ngi dng s dng cc dch v ca PKI v cc
phn mm c h tr ci t v s dng cc chng th s nh
cc trnh duyt web, cc ng dng email pha my khch.
o Cc m hnh
PKI phn cp;
PKI dng li;
CA n l - Single CA.
1
-
m
TNG QUAN V AN NINH
H tng kha cng cng PKI
o Cc m hnh (biu din)
1
-
m
TNG QUAN V AN NINH
H tng kha cng cng PKI
o M hnh ti Vit Nam
1
-
m
CC GIAO THC AN NINH
Nguy c tn cng truyn thng
o Tn cng pht li (replay Attacts, Playback) tc
ng ti m ha i xng v cng khai
Gii php:
1. Dng s nh danh: trong mi bn tin gi, bn gi nhng s
nh danh S cho bn tin. Mi bn tin ng vi s nh danh khc
nhau. C=E(P//S, KAB). (ch dng cho mt phin)
2. Dng Timestamp: Bn gi s dng tem thi gian gn vi
bn tin, bn nhn kim tra thi im nhn c vi thng tin
trn tem. (kh khn tr truyn bin ng v cn ng b)
3. C ch Challenge/Response: Bn B gi mt s ngu nhin
N ti A (nounce), A m ha v gi km bn tin v B, B gii m
xc minh N.
2
-
m
CC GIAO THC AN NINH
Giao thc an ninh (bo mt)
o Thng nht phng thc m bo an ninh
(phng php m ha, kha) cho hai thc th
truyn thng.
L cc quy nh cho cc thc th tham gia truyn thng
bo mt. Thng nhm xc nh cc yu t sau:
1, nh danh cc thc th tham gia truyn thng
2, Trao i kha phin b mt m ha d liu. (Thc hin
m ha i xng thng nhanh hn m ha cng khai- c
im ton hc)
2
-
m
CC GIAO THC AN NINH
nh danh v trao i kha phin dng KDC
2
1) A gi yu cu mun trao i d liu vi B cho KDC. 2) KDC to mt kha b mt KAB v m ha thnh hai bn m. Mt bn m c m ha bng kha b mt ca A: E(KAB, KA) v mt bn m c m ha bng kha b mt ca B: E(KAB, KB). 3) A gii m E(KAB, KA) c KAB 4) A gi E(KAB, KB) cho B, B gii m c c KAB 5) A v B trao i d liu qua kha b mt KAB
M hnh ny c th b tn cng replay
attack. V d, K tn cng c th
replay bc 4 m B vn ngh l A gi
v B tip tc dng KAB ny lm kha
phin. Da trn c s K tn cng
tip tc replay bc 5.
Gii php: KDC gn tem thi gian khi cp kha
-
m
CC GIAO THC AN NINH
Needham and Schroeder xut sa i
m hnh trn nh sau
2
1) 1) A -> KDC: IDA||IDB||N1 2) KDC -> A: E(KS||IDB||N1||E(KS||IDA, KB), KA) KS l kha phin, IDB A bit
kha phin ny dng vi B
3) A gii m c c KS v E(KS||IDA, KB)
4) A -> B: E(KS||IDA, KB) // IDA B bit kha phin ny dng vi A
5) B -> A: E(N2, KS)
6) A -> B: E(f(N2), KS) // f l hm bt k
7) A -> B: E(P, KS)
-
m
CC GIAO THC AN NINH
Hoc
2
1. AKDC: IDa || IDb || N1
2. KDC A: EKa[Ks || IDb || N1 || EKb[Ks || IDa]]
3. A B: EKb[Ks || IDa]
4. B A: EKs[N2]
5. A B: EKs[f(N2)]
1. AKDC : IDa || IDb
2. KDC A : EKa[Ks || IDb || T || EKb[Ks || IDa || T]]
3. A B : EKb[Ks || IDa || T]
4. B A : EKs[N2]
5. A B : EKs[f(N2)]
-
m
CC GIAO THC AN NINH
Ci thin l hng khi Attacker bit KS v
E(KS||IDA, KB), replay ti bc 4 v phn hi
N2 cho B-> s dng kha phin bit. o 1) A -> B: IDA ||NA
o 2) B -> KDC: IDB||NB||E(IDA||NA, KB)
o 3) KDC -> A: E(IDB||NA||KS, KA)|| E(IDA|| KS, KB)|| NB
o 4) A -> B: E(IDA||KS, KB)|| E(NB, KS)
o 5) A -> B: E(P, KS)
2
-
m
CC GIAO THC AN NINH
nh danh v trao i kha phin bng kha
cng khai
2
A to mt kha phin KS , m ha bng kha ring ca A sau m ha bng
kha cng khai ca B.
B gii m KS dng kha ring ca B v kha cng khai ca A.
Nh tnh bo mt, A bit chc rng ngoi A ch c B mi bit c KS.
Nh tnh khng t chi, B bit rng ngoi B ch c A mi bit c KS v
A dng kha ring m ha KS.
Trong m hnh trn, Trudy c th replay bc 3 m B vn ngh l A gi v B tip tc dng KS ny lm kha phin. Da trn c s Trudy tip tc replay bc 4.
-
m
CC GIAO THC AN NINH
C ch challenge/response chng replay
2
- Bc 1: A gi chng ch CA cho B.
- Bc 2: B gi chng ch CB v nounce NB cho A.
- Bc 3: A chn mt tin kha phin S v tnh c kha phin KS = H(S||NB). A
gi chng thc v bo mt S cho B. B cng tnh kha phin KS.
- Bc 4: A gi gi tr hash H(KS) cho B, B kim tra gi tr hash ny vi gi tr hash
do B t tnh. Nu khp, B bit c rng bc 3 khng th b replay attack.
Gi s Trudy replay bc 3 nhng khng bit S, vy Trudy khng tnh c
KS tng ng vi NB mi ca Bob, t Trudy cng khng th tnh c H(KS). Do
Trudy khng th replay bc 4 m khng b Bob pht hin.
- Bc 5: A v B tin hnh trao i d liu.
-
m
CC GIAO THC AN NINH
Giao thc WooLam
2
1. A KDC : IDa || IDb
2. KDC A : EKRauth[IDb || KUb]
3. A B : EKUb[Na || IDa]
4. B KDC : IDb || IDa || EKUauth[Na]
5. KDC B : EKRauth[IDa || KUa] || EKUb[EKRauth[Na || Ks || IDb]]
6. B A : EKUa[EKRauth[Na || Ks || IDb ] || Nb]
7. A B : EKs[Nb] tng cng tnh an ton ca giao thc trn, mt ci tin c xut l b xung
nh danh IDa ca A vo cc thng bo trong bc 5 v 6 m bo rng cp
{IDa,Na} nhn dng duy nht i hi kt ni ca A.
-
m
CC GIAO THC AN NINH
Cc giao thc ng dng c th trong IP
2
-
m
CC GIAO THC AN NINH
Secured e-mail
2
KS( ) .
KB( ) . + + -
KS(m )
KB(KS ) +
m
KS
KS
KB +
Internet
KS( ) .
KB( ) . - KB -
KS
m KS(m )
KB(KS ) +
Ngi gi:
to kha ring (kha i xng), KS.
m ha bn tin bng KS
m ha kha KS bng kha cng khai ngi nhn.
gi KS(m) v KB(KS) cho ngi nhn.
m bo tnh b mt e-mail, m.
-
m
CC GIAO THC AN NINH
Secured e-mail
2
KS( ) .
KB( ) . +
+ -
KS(m )
KB(KS ) +
m
KS
KS
KB +
Internet
KS( ) .
KB( ) . -
KB -
KS
m KS(m )
KB(KS ) +
Ngi nhn:
s dng kha ring gii m v ly KS s dng kha KS gii m KS(m) nhn bn tin m
m bo tnh b mt e-mail.
-
m
CC GIAO THC AN NINH
Secured e-mail
2
m bo tnh xc thc, tnh ton vn.
H( ) . KA( ) . -
+ -
H(m ) KA(H(m)) -
m
KA -
Internet
m
KA( ) . +
KA +
KA(H(m)) -
m H( ) .
H(m )
compare
Ngi gi k s vo bn tin.
Gi c bn tin nguyn thy v ch k s.
-
m
CC GIAO THC AN NINH
Secured e-mail
2
m bo tnh b mt, tnh xc thc, tnh ton vn.
H( ) . KA( ) . -
+
KA(H(m)) -
m
KA -
m
KS( ) .
KB( ) . +
+
KB(KS ) +
KS
KB +
Internet
KS
Ngi gi s dng ba loi kha: kha ring ca ngi gi, kha cng
khai ca ngi nhn, to kha i xng (kha b mt) mi.
-
m
CC GIAO THC AN NINH
Secured e-mail
2
Cu trc m ha e-mail
Internet, tr thnh tiu
chun.
S dng m ha kha i
xng, m ha kha cng
khai, hm bm, v ch k
s.
Cung cp tnh b mt, xc
thc ngi gi, tnh ton
vn.
Ngi pht minh Phil
Zimmerman.
---BEGIN PGP SIGNED MESSAGE---
Hash: SHA1
Bob:My husband is out of town
tonight.Passionately yours, Alice
---BEGIN PGP SIGNATURE---
Version: PGP 5.0
Charset: noconv
yhHJRHhGJGhgg/12EpJ+lo8gE4vB3mqJhFEvZP
9t6n7G6m5Gw2
---END PGP SIGNATURE---
Bn tin c k s PGP:
-
m
CC GIAO THC AN NINH
Giao thc bo mt web Secure Socket Layer
2
TCP
IP
TCP enhanced with SSL
TCP
socket
Application
TCP
IP
TCP API
SSL sublayer
Application
SSL
socket
Cung cp an ton lp giao vn cho tt c cc ng dng trn TCP s dng dch v SSL m bo tnh b mt, tnh ton vn, tnh xc thc
Giao thc SSL bo mt d
liu trao i qua socket. V
vy nn c tn gi l Secure
Socket Layer (URL bt u bng https://). y l giao thc bo mt kt
hp m ha kha cng khai v kha i xng
-
m
CC GIAO THC AN NINH
Giao thc bo mt web Secure Socket Layer
2
Chng thc hai pha:
Chng thc mt pha (website)
Trao i kha phin yu cu ngi duyt web v website u c cp kha ring v kha cng khai
Ch c website bit c kha phin Website chng thc ngi s dng qua password
-
m
CC GIAO THC AN NINH
Giao thc bo mt web Secure Socket Layer
2
Phng php Diffie-Hellman
o Fixed Diffie-Hellman: l phng php trao i kha Diffie-Hellman m trong
cc yu t cng khai (g, t) c chng thc ging nh chng thc kha
cng khai ca RSA. iu ny gip ngn chn hnh thc tn cng k-ng-
gia.
o Ephemeral Diffie-Hellman: l phng php trao i kha Diffie-
Hellman c bo v bng m ha kha cng khai RSA. y l hnh thc Diffie-Hellman an ton nht.
o Anonymous Diffie-Hellman: Diffie-Hellman thng, do c th b tn cng theo hnh thc k-ng-gia.
Cc phng php m ha i xng m SSL c th thc hin l RC4, RC2, DES, 3DES, IDEA, AES
-
m
CC GIAO THC AN NINH
Giao thc bo mt web Secure Socket Layer
2
Cc giai on thc hin ca SSL
1. Bt tay: xc thc, tha thun gii thut kha m ha d liu, m ha
MAC.
2. Trao i kha: to kha, gi kha cho nhau chun b cho phin
truyn d liu.
3. Trao i s liu ng dng: s liu c m ha v truyn gia client
v server.
-
m
CC GIAO THC AN NINH
Giao thc bo mt web Secure Socket Layer
2
Giao thc bt tay SSL
Chng thc website v chng thc ngi duyt web; Trao i kha phin v thng nht cc thut ton m ha c s dng)
-
m
CC GIAO THC AN NINH
Giao thc bo mt web Secure Socket Layer
2
Giao thc bt tay SSL
Pha 1: (Tha thun v phng php m ha c s dng ) Bn tin client-hello gm:
Version: phin bn SSL cao nht m client s dng
Random: l mt cu trc ngu nhin gm 32 byte
SessionID: nu bng 0 c ngha l client mun thit lp mt session mi
hon ton.
CompressionMethod: phng php nn d liu s dng
CipherSuite: Cc phng php m ha kha cng khai dng trao i
kha phin nh RSA, Fixed Diffie-Hellman,ng vi mi phng php
trao i kha l danh sch cc loi m ha i xng c s dng gm:
CipherAlgorithm; Hash Algorithm (MD5 hay SHA-1); CipherType;
KeyMaterial (mt chui byte c dng sinh kha); IV Size: kch thc
dng trong m hnh CBC ca m khi.
-
m
CC GIAO THC AN NINH
Giao thc bo mt web Secure Socket Layer
2
Giao thc bt tay SSL
Pha 2: Chng thc server v trao i kha ca m ha cng khai
o Bn tin certificate: server cung cp certificate ca mnh cho
client (di dng chng ch X.509) .
o Bn tin certificate_request: trong trng hp server cn chng
thc ngi s dng, server s gi bn tin ny yu cu client
cung cp chng ch.
o Bn tin server_hello_done: bo hiu server hon tt pha 2.
-
m
CC GIAO THC AN NINH
Giao thc bo mt web Secure Socket Layer
2
Giao thc bt tay SSL
Pha 3: Chng thc client v trao i kha ca m ha i xng
Bn tin certificate: nu server yu cu certificate, client cung cp
certificate ca mnh cho server.
Bn tin client_key_exchange: trong bc ny client gi cc thng s cn thit
cho server to kha b mt.
Bn tin certificate_verify: l ch k ca client trong trng hp server cn
chng thc client. Client phi dng kha ring k ch k, do server c
th m bo c l khng ai khc dng certificate ca client gi mo.
.
-
m
CC GIAO THC AN NINH
Giao thc bo mt web Secure Socket Layer
2
Giao thc bt tay SSL
Pha 4: (Hon tt qu trnh bt tay )
o Trong pha ny client v server gi thng ip finished thng bo hon tt
qu trnh bt tay ln nhau.
o Tham s ca thng ip ny l mt gi tr hash hai bn c th kim tra
ln nhau.
Vic dng cc gi tr ClientHello.random v ServerHello.random s lm
phc tp vic ph m hn. n y client v server hon tt qu trnh
bt tay trao i kha, sn sng truyn s liu theo giao thc truyn s
liu.
-
m
CC GIAO THC AN NINH
Giao thc bo mt web Secure Socket Layer
2
Giao thc truyn d liu
Kim tra tnh ton vn ca lung d liu: chia thnh cc khi nh (record) Khng yu cu bt buc c th tc nn d liu
Kim tra ton vn ca ton b cc khi: B sung s th t vo cc record
-
m
CC GIAO THC AN NINH
Giao thc bo mt web Secure Socket Layer
2
Giao thc truyn d liu
Sau khi tnh MAC xong, khi d liu cng vi gi tr MAC c m ha bng mt thut ton m khi c la chn trong giao thc bt tay.
H( ) . MB
b1b2b3 bn
d
d H(d)
d H(d)
H( ) . EB
TCP byte stream
block n bytes together compute
MAC
SSL
seq. #
d H(d) Type Ver
Len
SSL record
format
unencrypted
-
m
CC GIAO THC AN NINH
Giao thc bo mt web Secure Socket Layer
2
Giao thc truyn d liu (mi lin h gia cc th tc con)
trnh vic mi ln kt ni vi server l client phi tin hnh giao thc bt tay li t u, SSL a ra khi nim Session v Connection.
SSL ch cn thc hin giao thc bt tay khi to session, cn khi to mi connection,
SSL s gi nguyn tt c cc phng php m ha c chn,
gi nguyn gi tr pre-master secret; ch tnh li ClientHello.Random v
ServerHello.Random, kha MAC, kha m ha
-
m
CC GIAO THC AN NINH
Giao thc bo mt mng cc b Keberos
2
Giao thc Keberos l mt giao thc chng thc s dng
trong mi trng LAN
Keberos l giao thc chng thc da trn khi nim trung
tm phn phi kha KDC;
Keberos ch da trn m ha
i xng (Giao thc ny do
MIT chun ha).
Mc ch ca Keberos l
trao i kha phin, thng qua
m bo tnh bo mt v
tnh chng thc.
-
m
CC GIAO THC AN NINH
Giao thc bo mt lp mng
2
Giao thc IPsec v VPN
Bo mt(m ha)- Confidentiality: Ngi gi c th m ha d liu trc khi truyn chng qua mng. Nu giao tip b ngn chn, d liu khng th c c.
Ton vn d liu- Data integrity: Ngi nhn c th xc minh cc d liu c truyn
qua mng Internet m khng b thay i. IPSec m bo ton vn d liu bng cch s
dng checksums (gi tr bm).
Xc thc- Authentication: Xc thc m bo kt ni c thc hin v cc ng i
tng. Ngi nhn c th xc thc ngun gc ca gi tin, bo m, xc thc ngun gc
ca thng tin.
Antireplay protection: xc nhn mi gi tin l duy nht v khng trng lp.
IPSec l mt tp cc chun m, c pht trin bi IETF.
-
m
CC GIAO THC AN NINH
Giao thc bo mt lp mng
2
Lin kt an ninh SA (Security Associations): L mt kt ni
logic gia hai thc th s dng IPsec; n hng)
Bn tin
Cc giao thc xc nhn, cc kha, v cc thut ton.
Phng thc v cc kha cho cc thut ton xc nhn c dng bi cc giao thc Authentication
Header (AH) hay Encapsulation Security Payload (ESP) ca b IP Sec.
Thut ton m ha v gii m v cc kha.
Thng tin lin quan kha, nh khong thi gian thay i hay khong thi gian lm ti ca cc kha.
Thng tin lin quan n chnh bn thn SA bao gm a ch ngun SA v khong thi gian lm ti.
Cch dng v kch thc ca bt k s ng b m ha dng, nu c.
-
m
CC GIAO THC AN NINH
Giao thc bo mt lp mng
2
Lin kt an ninh SA (Security Associations): L mt kt ni
logic gia hai thc th s dng IPsec; n hng)
IP Sec SA gm c 3 trng:
SPI Security Parameter Index : y l mt trng 32 bit dng nhn dng
giao thc bo mt, c nh ngha bi trng Security protocol, trong b IP Sec
ang dng. SPI c mang theo nh l mt phn u ca giao thc bo mt v
thng c chn bi h thng ch trong sut qu trnh tha thun ca SA.
Destination IP address : y l a ch IP ca nt ch. Mc d n c th l a
ch broadcast, unicast, hay multicast, nhng c ch qun l hin ti ca SA ch
c nh ngha cho h thng unicast.
Security protocol : Phn ny m t giao thc bo mt IP Sec, c th l AH hoc
ESP.
-
m
CC GIAO THC AN NINH
Giao thc bo mt lp mng
2
C s d liu SA (SAD):H tr nhiu lin kt an ninh
Mt IP Sec SA dng 2 c s d liu. Security Association Database (SAD) nm
gi thng tin lin quan n mi SA. Thng tin ny bao gm thut ton kha,
thi gian sng ca SA, v chui s tun t.
C s d liu c th c coi nh l mt bng hai chiu vi mi hng xc nh
mt SA duy nht. Thng thng, c hai SAD l inbound (trong) v outbound
(ngoi);
Mi mc trong mt SAD trong c la chn bng cch s dng ba ch s:
Ch s tham s bo mt (mt s 32 bit nh ngha SA ti im n),
a ch ch;
Giao thc (AH hoc ESP).
-
m
CC GIAO THC AN NINH
Giao thc bo mt lp mng
2
C s d liu SA (SAD):H tr nhiu lin kt an ninh
-
m
CC GIAO THC AN NINH
Giao thc bo mt lp mng
2
C s d liu chnh sch bo mt: SDP
Nm gi thng tin v cc dch v bo mt km theo vi mt danh sch th t chnh sch cc im vo v ra; nh ngha lu lng no c x l v lu
lng no b t chi theo tng chun ca IP Sec.
Mi host ang s dng giao thc IPSec cn phi lu mt c s d liu chnh
sch bo mt SPD (SPD inbound v SPD outbound). Mi mc trong SPD c
th c truy cp bng cch s dng mt ch s nhm gm: a ch ngun, a
ch ch, tn, giao thc, cng ngun v cng ch.
-
m
CC GIAO THC AN NINH
Giao thc bo mt lp mng
2
B giao thc Ipsec (IKE, AH v ESP)
IKE gm 3 giao thc con ISAKMP/Oakley/SKEME: ISAKMP: Internet Security Association and Key Management Protocol; Oalkey:
to kha v SKEME: trao i kha. (Diffie-Hellman)
IKE gip cc bn giao tip ha hp cc tham s bo mt v kha xc nhn trc
khi mt phin bo mt IP Sec c trin khai;
Sa i nhng tham s khi cn thit trong sut phin lm vic;
IKE cng m nhim vic xo b nhng SAs v cc kha sau khi mt phin giao
dch hon thnh;
H tr cc thit b tham gia trao i vi nhau v thng tin an ninh (phng php
m ha, thut ton, chu k m ha.
-
m
CC GIAO THC AN NINH
Giao thc bo mt lp mng
2
B giao thc Ipsec (IKE, AH v EPS)
Cung cp xc thc ngun, ton vn d liu, khng bo mt.
AH header c chn vo gia mo
u gi IP (IP header), v trng d
liu.
Protocol field: 51
Cc router trung gian x l gi tin
nh thng thng.
AH header bao gm:
nh danh kt ni
D liu xc thc: tm tt bn tin
ngun c tnh t IP datagram
ngun.
Trng mo u tip sau (next
header field): xc nh dng ca
d liu (e.g., TCP, UDP, ICMP)
IP header data (e.g., TCP, UDP segment) AH header
-
m
CC GIAO THC AN NINH
Giao thc bo mt lp mng
2
B giao thc Ipsec (IKE, AH v EPS)
Ch AH trong IPSec
S liu c s dng tnh ton MAC cho nhn thc
(tr cc trng trong tiu IP thay i trong truyn dn)
Tiu IP AH n thm Tiu
IP gcTiu
TCP/UDPS liu
8 bit 8 bit 16 bit
Tiu
tip theo
di
ti tinD tr
Ch s thng s an ninh (SPI)
S trnh t
S liu nhn thc (MAC hay Digest)
( di kh bin)
-
m
CC GIAO THC AN NINH
Giao thc bo mt lp mng
2
B giao thc Ipsec (IKE, AH v EPS)
C tc dng xc thc (Authentication), m ha (Encrytion) v m bo tnh trn vn
d liu (Securing of data ). y l giao thc c dng ph bin trong vic thit lp IP
Sec.
ESP thm mt tiu v phn ui (trailer). D liu xc thc ca ESP c thm
vo cui ca gi tin, lm cho tnh ton d dng hn.
-
m
CC GIAO THC AN NINH
Giao thc bo mt lp mng
2
B giao thc Ipsec (IKE, AH v EPS)
Th tc ca EPS gm:
1. Trailer ESP c thm vo payload.
2. Payload v trailer c m ha.
3. Tiu ESP c thm vo.
4. Tiu ESP, payload, v trailer ESP c s dng to ra d liu xc thc.
5. D liu xc thc c thm vo cui ca trailer ESP.
6. IP header c thm vo sau khi thay i gi tr giao thc thnh 50.
-
m
CC GIAO THC AN NINH
Ch truyn ti Ipsec (transport v tunnel)
2
C AH v EPS u hot ng trn c hai ch hot ng
-
m
CC GIAO THC AN NINH
Ch truyn ti Ipsec (transport v tunnel)
2
Transport mode bo v giao thc tng trn v cc ng dng. Trong Transport mode,
phn IP Sec header c chn vo gia phn IP header v phn header ca giao thc
tng trn:
Transport mode thiu mt qu trnh x l phn u, do n nhanh hn. Tuy nhin, n khng hiu qu trong trng hp ESP khng xc nhn m cng khng m ha phn u IP. - D liu (Layer4 Payload) c m ha s nm trong ESP eader v ESP s chn vo gia Layer 2 header v layer 3 header
-
m
CC GIAO THC AN NINH
Ch truyn ti Ipsec (transport v tunnel)
2
Tunnel mode bo v ton b gi d liu. Ton b gi d liu IP c ng gi trong
mt gi d liu IP khc v mt IP Sec header c chn vo gia phn u nguyn
bn v phn u mi ca IP.
-
m
CC GIAO THC AN NINH
Ch truyn ti Ipsec (transport v tunnel)
2
D liu s c m ha v ng gi thnh 1 IP Header mi vi source v des IP
mi.
IP Sec c nhng phng php m ha nh DES (Data Encrution Standard), 3DES,
AES (Advance Encrytion Standar).
IP Sec c nhng phng php xc thc nh HMAC, MD5, SHA-1.
-
m
CC GIAO THC AN NINH
Ch truyn ti Ipsec (transport v tunnel)
2
Trong ch truyn ti, IPSec nm gia tng giao vn v tng mng.
Trong ch ng hm, lu lng l t tng mng n IPSec v sau tr
li tng mng mt ln na.
-
m
CC GIAO THC AN NINH
Bo mt lp lin kt d liu
2
Thc hin bi c ch ng hm (tunnel) cng vi th tc ng gi bo v
(encapsulation) d liu cc d liu c x l theo mt tp quy tc ch c
nhn dang bi u cui ng hm.
Tunnel
Mt chng
Kt ni vt l
Internet
Mng ring
A
C
Y
Z
Mng ring Mng ringInternet
a ch ring a ch ringa ch cng cng
Bo v tnh ton vn s liu u cui-u cui v tnh b mt
-
m
CC GIAO THC AN NINH
Bo mt lp lin kt d liu
2
ng hm lp 2:
L2TP (L2 Tunneling Protocol);
PPTP (Point-to-Point Tunneling Protocol);
L2F S dng ng bao cc khung lin kt (PPP);
LAC LNS
LAC client
PPP
L2TP Tunnel
Mng
chuyn
PPP
L2TP
Tun
nel
Mng ng-i
s dng
Mng truy nhp
LAC (LT2TP Access Concentrator: b
tp trung truy nhp L2TP) c t
ti im kt cui giao thc mng truy
nhp v n c th thit lp tunnel n
cc LNS (L2TP Network Server).
LNS (L2 Network Server) kt cui
cc tunnel t cc LAC v cng cung
cp cc dch v truy nhp mng nh
nhn thc ngi s dng v n nh
a ch.
-
m
CC GIAO THC AN NINH
Bo mt lp lin kt d liu
2
ng hm lp 2: Thit lp L2TP
L2TP nh ngha mt knh iu khin tin cy. Trn knh ny c th thit lp mt tunnel
gia LAC v LNS.
Giai on thit lp tunnel thng gm nhn thc bng cch trao i b mt gia LAC
v LNS ( dng L2TP tunnel; mt khu).
Khi thit lp mt tunnel gia LAC v LNS, mng c th thit lp hoc xo phin
PPP v gi i cc khung lin quan n hai nt s dng khun dng ng bao L2TP trn
knh s liu L2TP.
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9
0 1 2
0 1
3
T L x x S x O P x x x Verx Length (opt)
Tunnel ID Session ID
Ns (opt) Nr (opt)
Offset Size (opt) Offset Pad (opt)
-
m
CC GIAO THC AN NINH
NHN THC, TRAO QUYN V TI KHON
2
AAA: Authentication, Authorization and Accounting
Authentication: cung cp vic xc thc ngi dng nhm bo m c th nhn dng
ng ngi dng.
Authorization: Mt khi nhn dng ngi dng, ta c th gii hn thm quyn m
ngi dng c th lm.
Accounting: Khi ngi dng s dng mng, ta cng c th gim st tt c nhng g
m h lm.
C hai giao thc bo mt dng trong dch v AAA l
TACACS (Terminal Access Controller Access Control System)
RADIUS (Remote Authentication Dial-In User Service).
-
m
CC GIAO THC AN NINH
TACACS v RADIUS
2
TACACS v RADIUS c dng t mt thit b nh l server truy cp mng (NAS)
n AAA server.
- Ngi dng gi t PC n NAS. NAS s hi thng tin xc thc ngi dng. T PC n
NAS, giao thc s dng l PPP, v mt giao thc nh l CHAP hay PAP c dng truyn
thng tin xc thc.
- NAS s truyn thng tin n AAA Server xc thc. N c mang bi giao thc TACACS
hoc RADIUS.
-
m
CC GIAO THC AN NINH
TACACS v RADIUS
2
TACACS l giao thc s dng giao thc hng kt ni (connection-oriented)
l TCP trn port 49.
TACACS c cc u im sau:
Vi kh nng nhn gi reset (RST) trong TCP, mt thit b c th lp tc bo cho
u cui khc bit rng c li trong qu trnh truyn.
TCP l giao thc m rng v c kh nng xy dng c ch phc hi li.
Ton b payload c m ha vi TACACS+ bng cch s dng mt kha b mt
chung (shared secret key). TACACS+ m ha ton b gi bng vic s dng kha
b mt chung.
TACACS+ c chia lm ba phn: xc thc (authentication), cp quyn
(authorization) v tnh cc (accounting). Vi cch tip cn theo module, c th s
dng cc dng khc ca xc thc v vn s dng TACACS+ cp quyn v
tnh cc. V d, xc thc Kerberos v cp quyn v tnh cc bng TACACS+.
-
m
CC GIAO THC AN NINH
TACACS v RADIUS
2
RADIUS l giao thc da theo m hnh client-server.
N dng giao thc UDP. RADIUS server thng chy trn my tnh.
Client l cc dng thit b c th truyn thng tin n RADIUS server c ch nh
trc v sau ng vai tr phc p m n tr v.
Giao tip gia client v RADIUS server c xc thc thng qua vic s dng kha
b mt chung khng c truyn qua mng.
- Mt s u im ca RADIUS l:
RADIUS c phn overhead t hn so vi TACACS v n s dng UDP, trong phn
overhead khng c a ch ch, port ch.
Vi cch thc phn phi dng source code, RADIUS l dng giao thc hon ton m
rng. Ngi dng c th thay i n lm vic vi bt k h thng bo mt hin c.
RADIUS yu cu chc nng tnh cc (accounting) m rng.
-
m
CC GIAO THC AN NINH
TACACS v RADIUS
2
ng dng:
RADIUS thng c dng tnh cc da trn ti nguyn s dng.
V d nh ISP s tnh cc cho ngi dng v chi ph kt ni. Ta c th ci t RADIUS
Accounting m khng cn s dng RADIUS xc thc v cp quyn. Vi chc nng
accounting m rng, RADIUS cho php ta theo di vic s dng ti nguyn (thi gian, s
lng cc gi tin, s lng byte,...) trong sut phin lm vic.
-
m
CC GIAO THC AN NINH
Phng php nhn thc PAP
2
PAP (Password Authetication Protocol: giao thc nhn thc mt khu) c trnh
by trong [RFC1334] l mt giao thc n gin cho php mt u cui PPP (thng
l my trm) truyn tn ngi s dng v mt khu trong ch vn bn r rng
n ng cp (thng l NAS:Network Access Server: server truy nhp mng)
ngi s dng c th kim tra s hp l v cho php hoc t chi tip tc phin PPP
v truy nhp mng tip theo.
Giao thc ny c mt yu im l mt k tn cng c th lu gi gi tr ca ngi s
dng v mt khu c pht cng khai bng cch s dng PAP v t chc cc tn
cng NAS da trn pht li.
-
m
CC GIAO THC AN NINH
Phng php nhn thc CHAP
2
IETF nh ngha cch bo v qu trnh nhn thc khi b tn da trn pht li qua
giao thc bt tay ba pha CHAP (Challenge Handshake Authetication Protocol)
c m t trong [RFC1994].
Trong giao thc ny, mt im cui PPP c th nh k hi khu lnh mt ng cp
bng cch s dng mt xu bit gi tr ngu nhin c gi l khu lnh (Challenge)
v im ng cp phi tr li bng cu tr li da trn mt b mt dng chung vi
u cui hi khu lnh (Challenger Endpoint).
B mt ny c ngu nhin ha bng cch s dng gi tr khu lnh theo mt hm
tm tt bn tin MD-5 [RFC1321]. im cui sau kim tra gi tr ca tm tt bn
tin MD-5 c cha trong tr li trong tr li so vi gi tr k vng v n bit c
b mt ny. Nu cc kt qa ph hp, th phin PPP c th tip tc, tri li lin kt
b d b.
-
m
CC GIAO THC AN NINH
Phng php nhn thc EAP
2
EAP (Extensible Authentication Protocol: giao thc nhn thc m rng) trong
[RFC2284] c nh ngha sao cho c th tr hon vic chn giao thc cho n giai
on nhn thc v c th s dng server tip sau thc hin cc gii thut nhn
thc thay v phi yu cu cc u cui thc hin chng.
Trong thc t mt im u cui PPP c th khng bit c ch nhn thc v ch n
thun trao i cc bn tin EAP n cc server nhn thc ngoi lm nhim v thc
thi cc c ch nhn thc. iu ny cho php ta cp nht cc client nhn thc cho
cc my trm ca khch hng v cc server trong cc mng khch hng m khng
nh hng n h tng.
C th cho php chuyn t truy nhp da trn mt khu sang truy nhp da trn
card thng minh sun s hn v khng cc cn cp nht cng chuyn tt c cc
nt. Chng hn mt NAS c th nh tuyn cc khung EAP n cc server nhn
thc khc nhau ph thuc vo gi tr ca giao thc nhn thc c chn.
-
m
CC GIAO THC AN NINH
Phng php nhn thc 3 yu t
2
Phng php nhn thc da trn tn ngi s dng v mt khu, (cn c gi l
cc phng php nhn thc hai yu t) khng cn ph bin i vi cc nh qun
l mng v duy tr mt khu gy kh khn nht nh i cn b h tr.
V th cc phng php nhn thc ba yu t tr nn ngy cng ph bin hn, v
chng khng cn ngi s dng qun l mt khu. Trong thc t, ngi s dng s
buc phi lun nh nhn dng ca mnh (tn ngi s dng) v mt PIN b mt
khng cn thay i. Sau ngi s dng c mt s ch s t mt th an ninh v
nhp n vo mt vng tng ng trn ca s ng k hay mt b c chipcard gn
t ng cc ch s ny cho php to ra mt khu mt ln.
-
m
CC GIAO THC AN NINH
Phng php nhn thc 3 yu t
2
M hnh i din
BTS
BSC
PDSN/FA HA
Mng IP Mng nh
M hnh mi gii
BTS
Mng IPMng nh
BSC
PDSN/FA HA
AAA server
mng khch
AAA server
mng nh
AAA server
mi gii
AAA server
mng khch
AAA server
mng nh
Kin trc AAA i din v mi gii
-
m
CC GIAO THC AN NINH
Giao thc Diameter
2
DIAMETER c chn gii quyt vn lin quan n RADIUS (RADIUS l mt
giao thc da trn client/server) bng cch nh ngha quan h ng cp gia cc thc th
ng cp DIAMETER. iu ny cho php thc hin cc vn nh cc th tc c
khi xng bi AAA server.
N cng tng cng thng tin server n server cho php hiu nng tt hn trong cc
thc hin da trn i din, trong thng tin server n server c th dn n cc yu
cu h tr hng nghn giao dch trn mt giy.
-
m
CC GIAO THC AN NINH
Giao thc Diameter
2
Cc tng cng ny m rng mc truyn ti bng vic a ra SCTP (Stream Control
Transmission Protocol: giao thc truyn dn iu khin lung, [RFC2960]); mc m hnh
s liu vi cc m hnh s liu nh hng theo i tng c phn cp, i nghch vi
m hnh khng phn cp, phng ca RADIUS v mc an ninh vi b sung kim tra tnh
ton vn gii quyt cc la o gy ra do cc thay i s liu AAA c dng xu hay
v tnh bi cc i tc trung gian ng vai tr mi gii hay i din trong mt chui i
din.
Ngoi ra DIAMETER cn cho php cc AAA broker (mi gii) hot ng nh cc tc
nhn chuyn hng, v th cho php thc hin thng tin trc tip gia AAA server mng
khch v AAA server mng nh v gim bt kh nng tn cng ca mt k trung gian.
-
m
CC GIAO THC AN NINH
Thu thp thng tin thanh ton
2
Cch th nht l lu s liu a phng ti nt phc v, nh NAS, hay mt my trm ng
dng. Nhc im cu cch ny l cc vn v an ninh, ri ro (c ngha l nt b s c
th s liu c th b mt) v thng cn mt th tc qu phc tp thu thp s liu nu
ngi s dng l di ng v c th truy nhp n nhiu nt phc v.
Phng php th hai c a dng hn v cng ngy cng nhiu c p dng vo cng
nghip l phng php da trn pht s liu thanh tan n mt cng hay mt chc nng
server (nh k hay theo s kin) v sau o cho h thng tnh cc truy nhp mt im
tip xc trung tm nhn thng tin thanh ton.
-
m
CC GIAO THC AN NINH
Thu thp thng tin thanh ton
2
UMTS/GSM
NB/BTS
RNC/BSC
SGSN GGSN
Mng IPMng
khch hng
H thng tnh cc
Cng tnh ccServer thanh
ton RADIUS
GTP
FTP
GTP
Cdma2000/
WiMAX
BTS
Mng IPMng
khch hngBSCPDSN/
FAHA
Thanh ton RADIUS Server thanh
tan RADIUS
Server thanh
tan RADIUSFTP
H thng tnh cc
V d kin trc thu thp s liu thanh ton
-
m
An ninh mng WLAN
Cng ngh Tn s (GHz) S liu (Mbps) ng dng Quc gia
Bluetooth 2,4 0,8 Thoi di ng Ton cu
OpenAir 2,4 1,6 Gia nh Ton cu
HomeRF 2,4 10 Gia nh Ton cu
802.11b 2,4 11 Cng s Bc M
802.11a 5 54 Cng s Bc M
HiperLAN1 5 18 Cng s Chyu u
HiperLAN2 5 54 Cng s Chu u
Mt s cng ngh s dng cho WLAN in hnh
Cc chun 802.11a, 802.11b, 802.11g, 802.11n. 802.11e QoS
c lin minh WiFi t tn l Wireless MultiMedia (WMM) 802.11i
Thm thut ton m ha AES i hi b x l tc cao, (TKIP l gii php tm thi).
-
m
Cu trc WLAN
My ch
H thng phn phi (DP)
Ethernet, TokenRing,...
Phn mm truyn tin / ghp ni
V d
TCP/IP, Cissco Aironet Client Drivers,...
Token Ring
Ethernet
im truy nhp (AP)
v Anten
An ninh mng WLAN
WLAN dng mi trng khng kh nh l
phng tin truyn thng cho vic gi v nhn
thng tin.
Tn hiu c th thu c khi trong phm vi hot
ng.
WLAN c mt s l hng v bo mt m khng
tn ti trong mng cc b c dy.
Mtt s mi e da
War driver: K tn cng mun truy cp Internet min ph nn c gng tm v tn
cng cc im truy cp WLAN khng c an ninh hay an ninh yu.
Tin tc: S dng mng khng dy nh mt cch truy cp vo mng doanh
nghip m khng cn phi i qua cc kt ni Internet do c bc tng la.
Nhn vin: Nhn vin v tnh c th gip tin tc truy cp vo mng doanh nghip
bng nhiu cch.
im truy cp gi mo: k tn cng thit lp AP ca ring mnh, vi cc thit lp
tng t cc AP hin c. Khi ngi dng s dng cc AP gi mo ny s b l thng
tin.
-
m
Mng WLAN 802-11 BSS/ESS
H thng phn phi - DS
(Trong trng hp ny l Ethernet)
a
im truy
nhp (AP)
Cc
my
v
tuyn
im truy
nhp (AP)
An ninh mng WLAN
-
m
Nhn thc, lin kt ca 802.11
AP1 AP2
Trm
1. Yu cu nhn thc
uc gi ti AP1.
2. Lnh nhn thc t AP1
ti my trm
3. Tr li lnh nhn thc
trm ti AP1
4. Xc nhn.
5. Lin kt.
1. Yu cu nhn thc
uc gi ti AP2.
2. Lnh nhn thc t
AP2 ti trm
3. Tr ki lnh nhn
thc t trm ti AP2
4. Xc nhn.
5. Lin kti.
Khi trm ri khi vng ph ca
AP1, cc buc sau y s xy ra:
1. Cc tn hiu n hiu trm ch th
yu ca tn hiu ti AP1. Xy ra
vic tm kim mt AP mi trn cng
knh hoc cc knh khc. Tm
uc AP2 .
2. Yu cu lin kt li uc trm
gi n AP2. AP2 chp nhn yu
cu.
3. AP2 gi thng tin cp nht lp
MAC cho trm n AP1 qua mng
hu tuyn.
4. Cng nhn hu lin kt v nhn
nhn thc uc AP1 gi n AP2.
An ninh mng WLAN
Cc hnh thc gim nguy c Xc thc ln nhau M ha d liu Pht hin thm nhp bt hp php
-
m
Lch s pht trin An ninh trong 802.11
1997, chun 802.11 ch cung cp SSID (Service Set Identifier) Lc trn a ch MAC WEP (Wired Equivalent Privacy)
2001 Fluhrer, Mantin v Shamir ch ra mt s im yu trong WEP IEEE bt u khi ng nhm i (802.11i)
2003 Wi-Fi Protected Access(WPA) c gii thiu L mt gii php tm thi cho WEP Mt phn ca IEEE 802.11i
2004 WPA2 c gii thiu N da trn chun IEEE 802.11i c ph chun vo 25/06/2004
An ninh mng WLAN
-
m
An ninh trong 802.11
S nhn dng tp dch v (SSID: service set identifier) c s dng iu khin truy
nhp n AP: SSID l mt s nhn dng duy nht bao gm nhiu k t (cao nht 32 k t)
c gn km vi s liu trn ng truyn v tuyn. SSID ng vai tr nh mt khu trong
qu trnh thit b WLAN truy nhp AP.
Ngi dng c yu cu phi cung cp SSID khi kt ni n cc Access Point.
Khi thay i SSID cn phi thng bo n mi ngi.
SSID c cc my trm gi dng bn r nn d dng b nh cp.
Lc a ch MAC
Kim sot truy cp bng cch ch cho php cc my tnh c cc a ch MAC khai bo
trc c kt ni n mng.
a ch MAC c th b gi mo.
Phi duy tr v phn phi mt danh sch cc a ch MAC n tt c cc Access Point.
Khng phi l gii php kh thi cho cc ng dng cng cng.
Giao thc bo mt tng ng hu tuyn (WEP: Wired Equivalent Privacy) bo
mt tn hiu trn ng truyn v tuyn: bo mt, nhn thc, ton vn.
An ninh mng WLAN
-
m
Cc tnh nng An ninh c bn trong 802.11
Xc thc ngi dng (C hai loi xc thc ngi dng) 1, Xc thc h thng m
Xc thc bt c ai yu cu xc thc; Cung cp dng xc thc NULL
2, Xc thc dng kha chung
D dng sniff kha chung
An ninh mng WLAN
Initiator Authentication request
Responder
Authentication response
-
m
Mt m WEP
WEP
PRNG
Gii thut ton vn
IV
Vn bn
mt m
Bn tin
Vect khi
u IV
Kha b mt
Vn bn th
Gi tr kim tra
ton vn (ICV)
Chui kha Ht
ging
An ninh mng WLAN
Chun 802.11x nh ngha WEP(Wired Equivalent Privacy) kim sot
truy cp v bo v thng tin khi n i qua mng cc b khng dy.
Dch v xc thc c dng xc thc cc my trm khi kt ni n cc Access Point Trong h thng xc thc m, my trm c xc thc nu n p ng mt a ch MAC khi trao i ban u vi Access Point -> khng cung cp danh tnh ca my trm. WEP cng s dng mt c ch xc thc da trn mt m. C ch ny da trn mt kha b mt dng chung v thut ton m ha RC4. Trao i xc thc dng mt h thng challenge response.
-
m
Mt m WEP
An ninh mng WLAN
Chun 802.11x nh ngha WEP(Wired Equivalent Privacy) kim sot
truy cp v bo v thng tin khi n i qua mng cc b khng dy.
Dch v xc thc
c dng xc thc cc my trm khi kt ni n cc Access Point
Trong h thng xc thc m, my trm c xc thc nu n p ng mt a ch MAC
khi trao i ban u vi Access Point -> khng cung cp danh tnh ca my trm.
WEP cng s dng mt c ch xc thc da trn mt m. C ch ny da trn mt kha
b mt dng chung v thut ton m ha RC4.
Trao i xc thc dng mt h thng challenge response.
-
m
An ninh mng WLAN
Dch v xc thc
B thch ng
802.11 WLAN
im truy
nhp 802.11
WLAN
1. Khung nhn thc: yu cu nhn thc
2. Khung nhn thc: h lnh WEP 128 byte
3. Khung nhn thc: h lnh c
mt m bng kha chia s
4. Kt qu nhn thc: thnh cng nu gi
m thnh cng tri li tht bi
Kha chia s c t trong c s d liu v thng tin qun l ca tng trm di ng.
Tiu chun 802.11 khng nh nghi cch phn phi kha cho tng trm m ch cung
cp hai s qun l cc kha WEP trong mt WLAN:
Mt tp bn kha chia s chung cho tt c cc trm bao gm c cc client khng
dy v cc im truy nhp ca chng
Mt client thit lp mt quan h chuyn i vi mt trm khc.
-
m
Mt m WEP
An ninh mng WLAN
Dch v b mt
Cng da trn RC4.
To ra dng kha gi ngu nhin m ha d liu.
Tuy nhin WEP khng ch nh mt c ch qun l kha.
iu ny c ngha l WEP da trn cc kha tnh. Trong thc t, cc
kha tng t c s dng cho tt c cc my trm trn mng.
Kha b mt k l WEP key
Tnh ton CRC32
CRC+data
Chn IV ngu nhin, ni vi kha k:
(k+IV)
To kha gi ngu nhin
Gi IV n bn nhn bng cch t n pha
trc bn m C:
C=(data+CRC) xor RC4(k+IV))
-
m
Mt m WEP
An ninh mng WLAN
RC4 trong WEP
o M ha dng dng kha i xng
o M ha v gii m nhanh(10 ln nhan hn so vi DES)
o Kha b mt k
G bng tay
40bits/128bits
o Vector khi to IV
Dng PRG to ra s ngu nhin kch thc 24bits
Gi trong phn r trc bn m: (IV+C)
o Kha m ha RC4 c lp vi bn r
-
m
Mt m WEP
An ninh mng WLAN
Dch v b mt
o Vector khi to(IV) c gi trong phn r ca gi tin
o V vy khi nm bt c vector khi to v mt s lng gi tin, k tn cng c th
xc nh c kha m ha
o http://sourceforge.net/projects/wepcrack/
o Tm li RC4 khng phi l thut ton yu nhng vic s dng RC4 trong WEP l
thiu st v m dn n b tha hip.
http://sourceforge.net/projects/wepcrack/ -
m
Mt m ha WEP RC4
Kim tra tnh ton vn - CRC
IV
(per frame)
KS: 40-bit
secret
symmetric
key k1
IV k2
IV k3
IV kN
IV kN+1
IV kN+1
IV
d1 d2 d3 dN
CRC1 CRC4
c1 c2 c3 cN
cN+1 cN+4
plaintext
frame data
plus CRC
key sequence generator
( for given KS, IV)
802.11
header IV
WEP-encrypted data
plus CRC
Figure 7.8-new1: 802.11 WEP protocol
An ninh mng WLAN
Dch v ton vn
o Kim tra tnh ton vn trn mi gi tin.
o Dng CRC(cyclic redundancy check) ca 32 bits.
o CRC c tnh ton trn mi gi tin trc khi gi tin c m ha.
o D liu v CRC c m ha v gi n ch.
o CRC khng phi mt m an ton tuy nhin n c bo v bng m ha.
o Do khi hin thc m ha, WEP c mt s thiu st dn n s ton vn ca
cc gi tin cng d b tha hip.
-
m
An ninh mng WLAN
Cc im yu ca WEP
o Qun l kha
o Xung t
o ng gi nhn thc
o Tn cng tn bo: chn bt mt gi mt m v sau p dng mt khi lng rt
ln tnh ton.
o Tn cng FMS (Fluhrer, Mantin and Shamir): Tn cng FMS da trn vic chn
bt khi lng ln lu lng mt m sau s dng mt my tnh cng sut tnh
ton nh cho mt gii thut ph kha.
-
m
An ninh mng WLAN
Cc im yu ca WEP Tn cng vo kha
o Vy l cch no phn phi kha gia cc ngi s dng? v iu g s xy ra
khi s ngi s dng qu ln.
o Mi ngi s dng phi bit kha v gi n b mt. iu g s xy ra khi mt ngi
qun my tnh ti cng s hoc b nh cp: ngi ny phi c cp kha mi
v phi nhp n v cu hnh cu client.
o Ngoi ra k tn cng c th ly cp kha ny t mt phin v s dng n gii
m cc phin khc v mi ngi u s dng cng mt kha.
-
m
An ninh mng WLAN
Cc im yu ca WEP- tn cng xung t
o Nu ta chn IV mt cch ngu nhin (s IV 224-1) th sau vi gi IV s lp. Khi
mt IV c s dng li, ta gi y l mt xung t.
o Khi xy ra mt xung t, t hp gia kha b mt v IV c s dng lp s to ra
mt lung kho c s dng trc y. V IV c pht i dng vn bn th
mt k tn cng c th theo di tt c lu lng v xc nh thi im xy ra xung
t thc hin tn cng lung kho.
o Tn cng lung kha l mt phng php rt ra lung kha bng cch phn tch hai
gi c rt ra t cng mt IV. Tn cng ny da trn nguyn tc sau: tng modul
2 ca hai vn bn mt m bng tng modul 2 ca hai vn bn th. V th nu k
tn cng bit c hai vn bn mt m (t theo di lu lng ) v mt vn bn th
th hn c th bit c vn bn th th hai.
-
m
An ninh mng WLAN
Cc im yu ca WEP- tn cng ph kha
o Ngi tn cng yu cu ngi s dng m ha bn plaintext bit d1 d2
d3 d4
o Ngi tn cng thu c: ci = di XOR kiIV
o Ngi tn cng bit ci di, c th tnh kiIV
o Ngi tn cng bit kha m k1IV k2
IV k3IV
o Nu ln sau s dng li IV, ngi tn cng c th gii m!
-
m
An ninh mng WLAN
Cc im yu ca WEP- gi mo nhn thc
o K tn cng quan st qu trnh m phn nhn thc, n s bit c vn bn th v
vn bn mt m lin quan (tr li h lnh).
o S dng phng php lm gi bn tin, k tn cng c th rt ra c kho lung v
yu cu nhn thc t AP sau s dng kha lung ny cng vi vn bn h lnh
to ra tr li hp l.
o Khi ny k tn cng s c AP nhn thc ngay c khi k ny khng bit c
kha WEP.
Cc im yu ca WEP- tn cng tn bo
o Kha b mt 40 bit -> ph kha trong vng 1 pht.
o Gii php: Tng di kha ln 104 bit.
-
m
An ninh mng WLAN
Cc im yu ca WEP- tn cng FMS
WLAN client AP dng WEP
K tn cng
Yu cu ARP (c mt m bng WEP)
Tr li ARP (c mt m bng WEP)
a) K tn cng chn bt yu cu ARP da trn kch thc gi 28 byte bit trc
WLAN client AP dng WEP
K tn cng
Tr li ARP (c mt m bng WEP)
Yu cu
ARP
c tim v
o (c
mt
m bng
WEP)
Tr li A
RP (
c mt m
bng WE
P)
b) k tn cng pht li yu cu ARP nhiu ln nhn c lu lng cho tn cng FMS
-
m
An ninh mng WLAN
Chi tit cc im yu
o 10/2000: Jesse Walker ca Intel cng b Unsafe at any keysize; An analysis of
the WEP encapsulation
o 03/2001: Scott Fluhrer, Itsik Mantin, Adi Shamir cng b "Attacks on RC4 and
WEP, Weaknesses in the Key Scheduling Algorithm of RC4.
Wi-Fi Protected Access (WPA)
o Gii quyt hu ht cc im yu ca WEP
o L mt tp con ca 802.11i, tng thch 802.11i
o Mc tiu l ci thin vn m ha v xc thc ngi dng
o Gm 2 ch hot ng
WPA doanh nghip: TKIP/MIC ; 802.1X/EAP
WPA c nhn: TKIP/MIC; PSK
-
m
An ninh mng WLAN
Hot ng IEEE 802.11i
o
AP: access point AS: Authentication
server
wired
network
STA:
client station
1 Discovery of
security capabilities
3
STA and AS mutually authenticate, together
generate Master Key (MK). AP servers as pass through
2
3 STA derives
Pairwise Master
Key (PMK)
AS derives
same PMK,
sends to AP
-
m
An ninh mng WLAN
Cc bc vn hnh IEEE 802.11i
o Pht hin: AP thng bo dng xc thc v m ha. Client yu cu xc thc v m
ha.
o Xc thc ln nhau v to kha ch MK: xc thc gia client v server nhn thc
(EAP, EAPoL, RADIUS).
o To PMK (Pairewise Master Key): gi cho AP.
o To TK (Temporal Key): m ha d liu mc Link.
wired network
EAP TLS
EAP
EAP over LAN (EAPoL)
IEEE 802.11
RADIUS
UDP/IP
-
m
An ninh mng WLAN
Temporal Key Identity Protocol - TKIP
o Tn cng pht li: c th s dng cc IV khng theo th t.
o Cc tn cng gi mo: ICV s dng 32 bit CRC l tuyn tnh v c th iu khin.
o Cc tn cng xung t kha: cc xung t IV
o Cc tn cng kha yu: b mt m lung RC4 b xm phm do cc tn cng FMS
(AirSnort, WEPCrack)
Kha tm thi (128 bit)
Trn kha pha 1
a ch MAC ca ngi gi
Trn kha pha 2
B m trnh t truyn
(cc s trnh t)
Kha WEP 128 bit.
(c hin th
dng 24 bit IV v 104
bit b mt chia s)
Kha MIC
a ch MAC ca ngi gi
a ch MAC ca ngi nhn
Vn bn th
MICVn bn
thMIC
WEPVn bn
mt m
-
m
An ninh mng WLAN
Trn kha WEP - TKIP
IV Kha b mt
Vn bn th
+ ICV
XOR
Lung khaRC4
Vn bn
mt m
Pha1:Kha gc MAC
Pha 2:
Kha trung
gian (hash
bng s
trnh t)
Kha cho
mt gi
RC4
Vn bn
th+MIC
XOR
Lung
kha
Vn bn
mt m
WEP TKIP
o Kha mt m: 128 bit. o M ton vn bn tin MIC (message integrity
code): Kha ton vn s liu 64 bit, s dng hm hash.
o Loi b xung t: IV tng t 24 bit ln 48 bit; B m trnh t truyn.
Ci tin WEP - TKIP
-
m
An ninh mng WLAN
EAP Extensible Authentication Protocol
o Giao thc linh hot c s dng mang thng tin nhn thc ty , c nh ngha
trong RFC2284 (Sa i mi cho EAP: RFC 3579).
o EAP c hai tnh nng:Trc ht n tch trao i bn tin ra khi qu trnh nhn thc
bng cch cung cp mt lp trao i c lp. Nh vy n t c c tnh th hai:
tnh kh m rng trc giao, ngha l cc qu trnh nhn thc c th m rng hat ng
bng cch tip nhn mt c ch mi hn v khng cn thit phi thay i lp EAP.
di (tng
di gi)
0 1 2 4
M
1 byte
S liu (ph
thuc vo
phng
php)
1 = Request
2 = Response
3 = Success
4 = Failure
1 byte
S nhn dng (
khp Yu cu- Tr li
-
m
An ninh mng WLAN
Trao i bn tin EAP
Ngi
cung cpB nhn
thcServer nhn
thc
Ty chnYu cu nhn dng
Tr li nhn thc
Chui bn tin nhn thc ph
thuc vo qu trnh nhn thc
Thit lp lin kt
s liu
Cc h thng cho nhn thc RADIUS, cc
Server nhn dng ca hng v.v. S dng
cc giao thc v phng php khc nhau
Trao i cc bn
tin c th qu
trnh nhn thc
0
Thnh
cng ?
YesBn tin thnh cng
Bn tin tht biNo
OR
1
1-a
2
2-a
3
-
m
An ninh mng WLAN
IEEE 802.1x
o 802.1x l mt giao thc cho php nhn dng theo ca (ca y c ngha l ca
lp 1: ca vt l).
o 802.1x cho php ng tt ca i vi mi lu lng chng no client khng c
nhn thc thng qua cc chng nhn c lu trong server (thng l RADIUS
server).
o 802.1x n gin l mt giao thc trao i (EAP: Extensible Authentication
Protocol) trn cc mng khng dy v hu tuyn.
IEEE 802.1x gii quyt mt s vn nhn thc
o Thiu qun l kha
o Khng h tr cc phng php nhn thc tng cng (cc th thng minh, cc
chng nhn, sinh hc, cc mt khu ch dng mt ln)
o Khng nhn thc v nhn dng ngi s dng
o Khng tp trung nhn thc v trao quyn
-
m
An ninh mng WLAN
M hnh IEEE 802.1x
Lc nhn thc 802.1x
My tnh
Xch tay
Ngi cung cp
(client)
AP
802.1x
EAP
EAP
Ngi nhn thc
(im truy nhp)
My tnh
Server nhn thc
(RADIUS)Ethernet hu
tuyn
Ngi cung cp Ngi nhn thc Server nhn thc
EAP Start
(EAP khi u)
EAP Request/Identity
(EAP yu cu/nhn dng)
(EAP tr li/nhn dng)
EAP Response/Identity
Forward
(Chuyn tip)
EAP Request (Challenge)
EAP yu cu (h lnh)Forward
(Chuyn tip)
Challenge Response
(Tr li h lnh)Forward
(Chuyn tip)
-
m
An ninh mng WLAN
Cc phng php nhn thc 802.11i
EAP-FAST EAP-TTLS EAP-TTLS UN/PW
LEAP TLS PEAP CHAP
Qu trnh nhn thc
Truyn ti nhn thcEAPOP, RADIUS, DIAMETER
EAP, 802.1x Truyn ti nhn thc
802.5
Token Ring
802.3
Ethernet802.11
Serial Link
Cc phng php truy
nhp/ Lp phng tin
Server nhn
thc
B nhn thc
Ngi cung
cp/ ng cp
1
2
3
4
Cc lp Cc thc th
-
m
An ninh mng WLAN
EAP-MD5 (CHAP)
B xin truy
nhpB nhn thc Server nhn
thc
Yu cu nhn dng (tn
ngi s dng)
Thnh
cng ?
Yes
No
Thit lp lin kt
s liu
Lu gi ban u kha chia s
Tr li nhn dng (tn
ngi s dng)Nhn dng (tn ngi s dng)
H lnh H lnh
Tnh ton h lnh
Hash s dng mt khu
Tr li Tr li
Bn tin thnh cng
Bn tin s c
Nhn thc - Chp nhn
Nhn thc - T chiHoc Hoc
Knh khng c mt m (nu
thnh cng)
Kim tra hash tr
li bng cch s
dng kha chia s
(thng l mt
khu c kha
bi tn ngi s
dng/nhn dng
v c lu
Trao i
PPP-CHAP
1
2
3
3-a
3-b
4-a
4-c 4-d
4-b
5
6
4
4-e
4-f
-
m
An ninh mng WLAN
EAP-TLS (RFC 2716)
CA (thm quyn
nhn thc)
Pht hnh
chng nhn
Thit lp lt n (TCP chng hn)
Client Server
Client Hello
Server Hello
Chng nhnTrao i kha Server
Yu cu Server
Hon thnh Server Hello
Chng nhn
Trao i kha Client
Kim tra chng nhn
Kt thc
Thay i c t mt m (ChangeCipherSpec)
Thay i c t mt m (ChangeCipherSpec)
Rt ra cc kha
phin, khi u
ng cnh
Trao i s liu s dng kha c rt ra t kha phin
Rt ra cc
kha phin,
Khi u ng
cnh
1
2
3
4
5
6
7
PKI x
nghip
Yu cu nhn dng
Tr li nhn dng
Khi u EAP-TLS
Kt thc
3-a
-
m
An ninh mng WLAN
PEAP Protected EAP
o AP c nhn thc bi TLS cn ngi s dng c nhn thc bi mt giao thc
tunnel khc: TLS c s dng thit lp mt knh an ninh (s dng chng
nhn pha server), sau m phn EAP c thit lp trn knh an ninh ny
nhn thc ngi s dng.
o PEAP l EAP trn TLS cho lnh vc v tuyn. PEAP h tr c nhn thc hai
chiu ln lm li kha WEP ng v i hi cc chng nhn t pha server.
o S dng chng nhn server nhn thc server, sau cm vo mt kiu nhn
thc khc EAP nhn thc client.
-
m
An ninh mng WLAN
PEAP Protected EAP
o
CA (thm quyn
nhn thc)
1
3-a
4
5
6
7
8
9
10
11
12
2
Pht hnh
nhn thc
ClientServer NAS
nhn thc Server
PKI x nghip
Thit lp kt ni
(chng hn, TCP) Thit lp knh an ninh
Yu cu nhn dng
Tr li nhn dng Tr li nhn dng
Bt u EAP-TLS
Client Hello
Server Hello
Chng nhn, trao i kha Server, yu cu nhn thc
Hon thnh Server Hello
Rt ra kha
MSK (Master
Sesion Key)
Chng nhn, trao i kha Client, Kim tra chng nhn, thay i c t an ninh
Kt thc
Hay i c t an ninh
EAP thnh cng
Giai on
PEAP 1
EAP-Yu cu /EAP-TLV[EAP-ti tin-TLV[EAP-Request/nhn dng]]
Tr li nhn dng trong tunnel
EAP-Yu cu /EAP-TLV[EAP-ti tin-TLV[EAP-yu cu/nhn dng-kiu=X]]
Tr li trong tunnel cho kiu EAP X
Trao i kiu EAP X
Yu cu EAP/EAP-TLV[Kt qu-TLV[rng buc mt m...]]
Tr li kt qu TLV
Rt ra CKS (Compound
Session Key) Rt ra CKS
CKS
EAP thnh cng
Trao i s liu s dng kha datrn CSK
Giai
on
PEAP 2
-
m
An ninh mng WLAN
LEAP