an ninh mang minh 2015

AN NINH MNG THNG TIN

HC VIN CNG NGH BU CHNH VIN THNG

Ging vin: TS. Hong Trng Minh

Email: [email protected], Nguyn Thanh Tr, Dng Thanh T

H Ni, 2015

m

GII THIU MN HC

Tn hc phn

o An ninh mng thng tin

S n v hc trnh: 04

Mc tiu

o Cung cp cho sinh vin cc kin thc cn bn v an

ninh gm:

- an ninh thng tin ni chung,

- an ninh mng hu tuyn,

- an ninh truy nhp mng internet v truy nhp AAA v IMS,

- an ninh mng truy nhp v tuyn ca cc h thng thng

tin di ng t 2G n 4G

- an ninh mng WLAN, WiMAX

m

GII THIU MN HC

Cc ni dung chnh

o Tng quan an ninh trong cc h thng thng tin

o Cng ngh ni mng s liu v an ninh

o Cng ngh an ninh trong GSM v GPRS

o Cng ngh an ninh trong 3G UMTS

o Cng ngh an ninh trong MIP

o Cng ngh an ninh trong CDMA2000

m

GII THIU MN HC

Cc ni dung chnh

o An ninh trong chuyn mng 2G sang 3G, hin trng

an ninh 2G ti Vit Nam v th gii

o An ninh trong cc mng LAN v tuyn

o An ninh trong 4G LTE/SAE

o An ninh trong mng WiMAX

nh gi

o Tham gia hc tp trn lp : 10 %

o Thc hnh/Th nghim/Bi tp/Tho lun: 15 %

o Kim tra gia k : 15 %

o Kim tra cui k : 60%

m

TNG QUAN V AN NINH

Cc ni dung chnh trong chng 1

1.1. To lp mt mi trng an ninh

1.2. Cc e da an ninh

1.3. Cc cng ngh an ninh

1.4. Nhn thc v kim sot truy nhp

1.5. H tng kha cng khai

1.6. Cc giao thc hng u

1

m

TNG QUAN V AN NINH

Cc ni dung chnh trong chng 1

1.7. Cc bin php an ninh khc

1.8. An ninh giao thc v tuyn, WAP

1.9. An ninh mc ng dng

1.10. An ninh client thng minh

1.11. M hnh an ninh tng qut ca mt h thng

thng tin di ng

Tng kt v cu hi

1

m

TNG QUAN V AN NINH

Cc kha cnh chnh ca an ninh thng tin

o Nhn thc (Authentication)

o Cm t chi (Non repudiation)

o Chng pht li (Non-replay)

o Ton vn s liu (Integrity)

o M ha (Encryption)

o Trao quyn (Authorization)

(Tnh bo mt Confidentiality)

1

m

TNG QUAN V AN NINH


o Nhn thc

Xc nhn rng i tng (con ngi hay phn mm ) c

cp php truy cp vo h thng. (mt khu, sinh trc hc)

o Cm t chi Yu cu cc bn c trch nhim vi giao dch c tin

hnh v bao gm c nhn dng i tng tham gia nhm

trnh chi b.

o Trao quyn Xc nh quyn truy nhp c th cho i tng truy nhp

vo h thng. Quyn truy nhp c th gm nhiu mc, kiu

hoc hot ng v gn cht vi nhn thc.

1

m

TNG QUAN V AN NINH


o Ton vn s liu

m bo rng s liu truyn khng b thay i hay b ph

hoi trong qu trnh truyn dn t ni pht n ni thu.

o Mt m ha

m bo tnh ring t ca s liu chng li s nghe hoc

c trm s liu t nhng ngi khng c php.

o Chng pht li

Trnh cc bn tham gia pht li cc bn tin gy ra hin

tng t chi dch v ca bn nhn.

1

m

TNG QUAN V AN NINH

Cc nguy c e da an ninh

o Mo danh

K tn cng truy nhp vo h thng (ngun thng tin) bng

mt account hp l;

Cc bc tip theo l tm hiu v t nhp su hn vo h

thng;

K tn cng cng c th gi lm ngun thng tin ly thng

tin t ngi dng hp l;

Cc k thut nhn thc l gii php chng li cc nguy c

ny.

1

m

TNG QUAN V AN NINH


o Gim st

Nghe trm thng tin trn ng truyn (thc cht l nghe

trm in t);

D thc hin, kh pht hin;

Mt m ha l cng c chng li nguy c loi ny.

1

m

TNG QUAN V AN NINH


o Sa thng tin

ng vai tr trung gian nhm thay i ni dung thng tin;

Ph bin trong cc mi trng truyn dn m;

Vi phm tnh ton vn ca thng tin;

Mt m ha l cng c chng li nguy c loi ny.

1

m

TNG QUAN V AN NINH


o Lm gi thng tin

K tn cng lu thng tin hoc truyn thng tin nh bn gc

theo phng cch hp l;

Bn tin c th c pht li nhiu ln;

Cc chng thc bn tin vn c th hp l;

1

m

TNG QUAN V AN NINH

Cc gii php cng ngh m bo an ninh

o Mt m

Mt m hay m ha d liu (cryptography), l mt cng c

c bn thit yu ca bo mt thng tin.

Mt m p ng c cc nhu cu v tnh bo mt

(confidentiality), tnh chng thc (authentication) v tnh

khng t chi (non-repudiation) ca mt h truyn tin.

1

m

TNG QUAN V AN NINH


o Cc gii thut v giao thc

Cng ngh mt m hot ng nhiu mc

Mc thp: Gii thut mt m - Trnh by cc bc tnh ton

(i d liu t khun dng ny sang khun dng khc)

Giao thc c xy dng da trn gii thut

M t ton b qu trnh thc hin cc hot ng ca cng

ngh mt m; Gii thut chu trch nhim mt m ha d liu,

truyn d liu v trao i kha;

Gii thut mnh khng ng ngha vi giao thc mnh

1

m

TNG QUAN V AN NINH


o Mt m ha s liu

S liu gc (vn bn th) c bin i thnh dng khng

th hiu c (vn bn m ha);

m bo tnh ring t ca s liu ngay c khi b ri vo tay

bn th 3;

hiu c s liu, cn chuyn v dng gc: Gii mt m

Gii thut hin i s dng kha mt m ha v gii mt

m s liu;

Hai loi: i xng v bt i xng.

1

m

TNG QUAN V AN NINH

M ha i xng o Gii thut i xng

Cc gii thut i xng s dng mt kha duy nht mt m v gii mt m tt c cc bn tin;

Pha pht s dng kha mt m ha bn tin, sau gi n n pha thu ch nh;

Nhn c bn tin, pha thu s dng chnh kha ny gii mt m bn tin.

Gii thut ny lm vic tt khi c cch an ton trao i kha gia cc ngi s dng.

Mt m ha i xng cn c gi l mt m bng kha b mt.

Dng ph bin nht ca phng php ny l DES (Data Encryption Standard: Tiu chun mt m ha s liu) c pht trin vo nhng nm 1970.

1

m

TNG QUAN V AN NINH

M ha i xng c in

o M ha Ceasar

Th k th 3 trc cng nguyn, nh qun s ngi La

M Julius Ceasar ngh ra phng php m ha mt bn

tin nh sau: thay th mi ch trong bn tin bng ch ng

sau n k v tr trong bng ch ci. (v d k=3)

1

m

TNG QUAN V AN NINH

M ha i xng c in

o M hnh m ha i xng

1

Bn r P (plaintext)

Thut ton m ha E (encrypt algorithm)

Kha b mt K (secret key)

Bn m C (ciphertext)

Thut ton gii m D (decrypt algorithm)

Trong : C = E (P, K) P = D (C, K)

m

TNG QUAN V AN NINH

M ha i xng c in

o c tnh c bn ca m ha i xng

Mt c tnh quan trng ca m ha i xng l kha

phi c gi b mt gia ngi gi v ngi nhn, hay

ni cch khc kha phi c chuyn mt cch an ton t

ngi gi n ngi nhn. (knh an ton, dng nhiu ln);

c tnh quan trng th hai ca mt h m ha i xng l

tnh an ton ca h m. Mt bn m c th d dng suy ra

c bn r ban u m khng cn bit kha b mt

(Ceasar).

Do mt h m ha i xng c gi l an ton khi v

ch khi n khng th b ph m - khng cn kha (iu kin

l tng) hoc thi gian ph m l bt kh thi.

1

m

TNG QUAN V AN NINH

M ha i xng c in

o c tnh c bn ca m ha i xng

K ph m c th th c ht tt c cc trng hp ca

kha. Phng php tn cng ny c gi l phng php

vt cn kha (bruteforce attack);

Ch cn ni rng min gi tr ca kha th c th tng thi

gian ph m n mt mc c coi l bt kh thi.

1

m

TNG QUAN V AN NINH

M ha i xng c in

o M ha thay th n bng (Monoalphabetic

Substitution Cipher)

Phng php n bng tng qut ha phng php

Ceasar bng cch dng m ha khng phi l mt dch

chuyn k v tr ca cc ch ci A, B, C, na m l mt

hon v ca 26 ch ci ny (mi hon v c xem nh l

mt kha).

Tn cng ph m vt cn kha l bt kh thi;

Al-Kindi pht hin ra mt phng php ph m kh thi

da trn tn sut xut hin ca ch ci. Phng php m

ha n bng nh x mt ch ci trong bn r thnh mt

ch ci khc trong bn m. Do cc ch ci trong bn m

cng s tun theo lut phn b tn sut trn.

1

m

TNG QUAN V AN NINH

M ha i xng c in o M ha thay th a k t (Playfair)

M ha Playfair xem hai k t ng st nhau l mt n v m ha, hai k t ny c thay th cng lc bng hai k t khc.

Playfair dng mt ma trn 5x5 cc k t nh sau:

T kha c xp vo hng u;

K t cng hng th thay tip theo

hng v vng li;ar RM

K t cng ct th thay tip theo ct

v vng li; ov HO

Cn li, k t c thay bng v tr

Trn ng cho ca hnh ch nht.

hs BP, ea JM

1

m

TNG QUAN V AN NINH

M ha i xng c in

o M ha thay th a k t (Hill)

Trong m Hill, mi ch ci c gn cho mt con s nguyn

t 0 n 25;

M Hill thc hin m ha mt ln m k t bn r (k

hiu p1, p2,,pm), thay th thnh m k t trong bn m (k

hiu c1, c2,,cm).

Vic thay th ny c thc hin bng m phng trnh tuyn

tnh. Gi s m = 3

1

m

TNG QUAN V AN NINH

M ha i xng c in

o M ha thay th a k t (Hill)

Hay: C = KP mod 26 vi P v C l vector i din cho bn

r v bn m, cn K l ma trn dng lm kha.

Bng gii m l: K -1 C mod 26 = K -1KP mod 26 = P

(iu kin, tn ti ma trn nghch o ca K)

1

m

TNG QUAN V AN NINH

M ha i xng c in

o M hon v (Hill)

Xo trn th t ca cc ch ci trong bn r;

Mt cch thc hin n gin l ghi bn r theo tng hng,

sau kt xut bn m da trn cc ct;

Mt c ch phc tp hn l chng ta c th hon v cc ct

trc khi kt xut bn m. V d chn mt kha l

MONARCH, ta c th hon v cc ct;

1

attackpostponeduntilthisnoon

AODHTSUITTNSAPTNCOIOKNLOPETN

APTNKNLOPETNAODHTTNSTSUICOIO

m

TNG QUAN V AN NINH

M ha i xng hin i

o Khi nim c s

Bn tin: attack

M ASCII: 97 116 116 97 99 107

Biu din nh phn: 01100001 01110100 01110100

01100001 01100011 01101011;

bn tin nh phn cng tn ti mt s c tnh thng k no

m ngi ph m c th tn dng ph bn m;

M ha hin i quan tm n vn chng ph m trong

cc trng hp bit trc bn r (known-plaintext), hay

bn r c la chn (chosen-plaintext).

Gi s dng mt kha K gm 4 bt 0101 m ha bn r

trn bng php XOR

1

m

TNG QUAN V AN NINH

M ha i xng hin i

o M lung (stream cipher)

M lung c cc c tnh sau:

1

Qu trnh gii m c thc hin ngc li, bn m C c XOR

vi dy s ngu nhin S cho ra li bn r ban u

im quan trng nht ca cc m lung l b sinh s ngu nhin.

m

TNG QUAN V AN NINH

M ha i xng hin i

o M khi (stream cipher)

chng ph m trong trng hp known-plaintext hay

choosen-plaintext, ch c th l lm cho P v C khng c mi

lin h ton hc. iu ny ch c th thc hin c nu ta

lp mt bn tra cu ngu nhin gia bn r v bn m.

Cc m ha n gin thng l php thay th

(substitution, S-box) v hon v (Permutation, P-box). Do

ngi ta hay gi m ha tng l Substitution-

Permutation Network (mng SPN).

1

m

TNG QUAN V AN NINH

M ha i xng hin i

o M khi (stream cipher)

Tnh khuch tn: mt bt ca bn r tc ng n tt c cc

bt ca bn m, hay ni cch khc, mt bt ca bn m chu

tc ng ca tt c cc bt trong bn r. Vic lm nh vy

nhm lm gim ti a mi lin quan gia bn r v bn m,

ngn chn vic suy ra li kha. Tnh cht ny c c da

vo s dng P-box kt hp S-box.

Tnh gy ln: lm phc tp ha mi lin quan gia bn m

v kha. Do cng ngn chn vic suy ra li kha. Tnh

cht ny c c da vo s dng S-box.

1

m

TNG QUAN V AN NINH

M ha i xng hin i o M hnh m Feistel

Trong h m Feistel, bn r s c bin i qua mt s vng cho ra bn m cui cng.

Trong bn r P v cc bn m Ci c chia thnh na tri v na phi: P = (L0, R0); Ci = (Li, Ri) i = 1, 2, n;

Quy tc bin i cc na tri phi ny qua cc vng c thc hin nh sau:

1

m

TNG QUAN V AN NINH

M ha i xng hin i

o M hnh m Feistel

1

Ki l mt kha con cho vng th i.

Kha con ny c sinh ra t kha

K ban u theo mt thut ton sinh

kha con (key schedule): K - K1 - K2 Kn . F l mt hm m ha dng chung

cho tt c cc vng (thay th); Bn m C c tnh t kt xut ca vng cui cng: C = Cn = (Ln, Rn)

m

TNG QUAN V AN NINH

M ha i xng hin i

o M ha DES (Data Encryption Standard)

L m thuc h m Feistel gm 16 vng, ngoi ra DES c

thm mt hon v khi to trc khi vo vng 1 v mt hon

v khi to sau vng 16;

Kch thc ca khi l 64 bt: v d bn tin

meetmeafterthetogaparty biu din theo m ASCII th m

DES s m ha lm 3 ln, mi ln 8 ch ci (64 bt):

meetmeaf - tertheto - gaparty;

Kch thc kha l 56 bt;

Mi vng ca DES dng kha con c kch thc 48 bt

c trch ra t kha chnh.

1

m

TNG QUAN V AN NINH

M ha i xng hin i


1

m

TNG QUAN V AN NINH

M ha i xng hin i


Ta nh s cc bt ca khi 64 bt theo th t t tri sang

phi l 0, 1, , 62, 63; b0, b1,..b63 .

Hon v khi to s hon i cc bt theo quy tc sau (1)

Hon v kt thc hon i cc bt theo quy tc sau (2)

Hon v kt thc chnh l hon v nghch o ca hon v

khi to,

1

m

TNG QUAN V AN NINH

M ha i xng hin i


1

m

TNG QUAN V AN NINH

M ha i xng hin i

o an ton ca DES

Tn cng vt cn kha (Brute Force Attack): chiu di kha

l 56 bit (tn cng kh thi, s dng tnh ton song song);

Ph m DES theo phng php vi sai (differential

cryptanalysis): Phng php vi sai tm kha t tn thi gian

hn brute-force. Tuy nhin phng php ph m ny li i

hi phi c 247 cp bn r - bn m c la chn (chosen-

plaintext). Bt kh thi.

Ph m DES theo phng php th tuyn tnh (linear

cryptanalysis): Matsui a ra phng php ph m tuyn

tnh. Trong phng php ny, cn phi bit trc 243 cp

bn r-bn m (known-plaintext). Kh thi

Thay th bng TripleDEC, AES

1

m

TNG QUAN V AN NINH

M ha i xng hin i o Tiu chun m ha tin tin AES

Thut ton c tn l Rijndael i tn thnh Andvanced Encryption Standard hay AES.

M ha AES vi kha c kch thc 256 bt (an ton);

Ging nh DES, m ha AES l mt m khi gm nhiu vng;

Khc vi DES, m ha AES khng phi l mt m ha Feistel;

Cho php la chn kch thc khi m ha l 128, 192 hay 256 bt.

Cho php la chn kch thc ca kha mt cch c lp vi kch thc khi: l 128, 192 hay 256 bt.

S lng vng c th thay i t 10 n 14 vng ty thuc vo kch thc kha.

1

m

TNG QUAN V AN NINH

M hnh ng dng ca m khi

o Bn tin di c chia thnh nhiu khi

o Electronic Codebook ECB

Mi khi c m ha mt cch ring r, dng chung mt

kha K;

Trong m ha ECB, nu Pi = Pj th Ci = Cj v ngc li.

1

m

TNG QUAN V AN NINH

M hnh ng dng ca m khi

o Cipher Block Chaining CBC

o Bn m ca mt ln m ha c s dng cho ln m ha tip

theo;

o m ha khi u tin, ngi ta dng mt khi d liu gi

c gi l vector khi to (initialization vector IV) v c

chn ngu nhin;

o gii m, tin hnh ngc li:

1

m

TNG QUAN V AN NINH

M ha kha cng khai

o M ha i xng d rng pht trin t c in

n hin i, vn tn ti hai im yu sau;

Vn trao i kha gia ngi gi v ngi nhn (knh an

ton l kh kh thi)

Tnh b mt ca kha: khng c c s quy trch nhim nu

kha b tit l.

o Whitfield Diffie v Martin Hellman tm ra phng

php m kha cng khai/ m kha bt i xng.

o C phng php no vic m ha v gii

m dng hai kha khc nhau? C ngha l C =

E(P, K1) v P = D(C, K2).

1

m

TNG QUAN V AN NINH

M ha kha cng khai o Ngi nhn gi b mt kha K2, cn kha K1 th cng khai cho tt

c. Ngi gi dng kha K1 m ha, ngi nhn dng K2 gii m. (m bo bo mt)

o Ngi gi gi b mt kha K1, cn kha K2 th cng khai cho tt c. Ngi gi dng kha K1 m ha, ngi nhn dng K2 gii m. (khng m bo bo mt nhng m bo tnh chng thc v tnh khng t chi)

o Kha ring (bi mt) l KR. Kha cng khai l KU, Bn r c k hiu l M, cn bn m l C;

o KR=fKU l cc hm mt chiu; cc phng php Knapsack, RSA, Elgaman, v phng php ng cong elliptic ECC

1

m

TNG QUAN V AN NINH

M ha kha cng khai

o Phng php RSA l mt phng php m ha kha

cng khai. RSA c xy dng bi cc tc gi Ron

Rivest, Adi Shamir v Len Adleman ti hc vin MIT

vo nm 1977;

o V mt tng qut RSA l mt phng php m ha

theo khi.

o Trong bn r M v bn m C l cc s nguyn t

0 n 2i vi i s bt ca khi.

o Kch thc thng dng ca i l 1024 bt. RSA s

dng hm mt chiu l phn tch mt s thnh tha

s nguyn t.

1

m

TNG QUAN V AN NINH

M ha kha cng khai

o Nguyn tc thc hin ca RSA:

o thc hin m ha v gii m, RSA dng php ly

tha modulo ca l thuyt s. 1) Chn hai s nguyn t ln p v q v tnh N = pq. Cn chn p v

q sao cho: M < 2i-1< N < 2i

Vi i = 1024 th N l mt s nguyn di khong 309 ch s.

2) Tnh n = (p - 1)(q - 1)

3) Tm mt s e sao cho e nguyn t cng nhau vi n

4) Tm mt s d sao cho (d l nghch o ca e trong

php modulo n)

5) Hy b n, p v q. Chn kha cng khai KU l cp (e, N),

kha ring KR l cp (d, N)

1

m

TNG QUAN V AN NINH

M ha kha cng khai

o Nguyn tc thc hin ca RSA:

1

m

TNG QUAN V AN NINH

M ha kha cng khai

o an ton ca RSA o Vt cn kha: cch tn cng ny th tt c cc kha d c th c tm

ra bn gii m c ngha, tng t nh cch th kha K ca m ha

i xng. Vi N ln, vic tn cng l bt kh thi;

o Phn tch N thnh tha s nguyn t N = pq: Chng ta ni rng vic

phn tch phi l bt kh thi th mi l hm mt chiu, l nguyn tc

hot ng ca RSA. (Thut ton mi, tc tnh ton: kh thi);

o o thi gian: y l mt phng php ph m khng da vo mt ton

hc ca thut ton RSA, m da vo mt hiu ng l sinh ra bi qu

trnh gii m RSA. Hiu ng l l thi gian thc hin gii m bng

thut ton bnh phng lin tip tm d.

1

m

TNG QUAN V AN NINH

M ha kha cng khai

o M hnh bo mt v khng chi t

1

m

TNG QUAN V AN NINH

M ha kha cng khai

o Kt hp bo mt, khng t chi v chng thc

1

m

TNG QUAN V AN NINH

M ha kha cng khai

o Trao i kha

Gim gnh nng cho tng c nhn, mt m hnh gi l

chng ch kha cng khai (public-key certificate) c s

dng. Trong m hnh ny c mt t chc lm nhim v cp

chng ch c gi l trung tm chng thc (Certificate

Authority CA).

1

m

TNG QUAN V AN NINH

M ha kha cng khai

o Cp chng ch

A gi nh danh IDA v kha cng khai KUA ca mnh n

trung tm chng thc.

2) Trung tm chng nhn kim tra tnh hp l ca A,

v d nu IDA l Microsoft, th Alice phi c bng

chng chng t mnh thc s l cng ty Microsoft.

3) Da trn c s , trung tm chng thc cp mt chng

ch CA xc nhn rng kha cng khai KUA l tng

ng vi IDA. Chng ch c k chng thc bng kha ring

ca trung tm m bo rng ni dung ca chng ch l

do trung tm ban hnh.

1

m

TNG QUAN V AN NINH

M ha kha cng khai

o Cp chng ch

4) A cng khai chng ch CA .

5) B mun trao i thng tin vi A th s gii m CA bng

kha cng khai ca trung tm chng thc c c kha

cng khai KUA ca A . Do nu B tin tng vo trung tm

chng thc th B s tin tng l KUA l tng ng vi IDA,

tc tng ng vi A .

1

m

TNG QUAN V AN NINH

M ha kha cng khai

o Phng php trao i kha Diffie Hellman

o Trao i kha Diffie-Hellman dng thit lp mt kha b mt

gia ngi gi v ngi nhn m khng cn dng n

m ha cng khai.

o Phng php ny dng hm mt chiu lm hm logarith ri rc.

Diffie-Hellman khng c ngha v mt m ha ging nh RSA.

o Trc tin A v B s thng nht s dng chung mt s

nguyn t p v mt s g nh hn p v l primitive root ca p

(ngha l php ton gx mod p kh nghch)

o Hai s p v g khng cn gi b mt. Sau A chn mt s a

v gi b mt s a ny. B cng chn mt s b v gi b mt s

b. Tip theo A tnh v gi ga mod p cho B, B tnh v gi gb mod

p cho A.

1

m

TNG QUAN V AN NINH

M ha kha cng khai

o Phng php trao i kha Diffie Hellman

o Trn c s A tnh

Trn c s B tnh

Do A v B c chung gi tr gab mod p. Gi tr ny c th dng

lm kha cho php m ha i xng.

Mun tnh c gab mod p, k ph m c th c c g, p, ga v gb

Tuy nhin, vic tnh a hay b theo cng thc: a = dlogg, p ga

hay b = dlogg, p gb l khng kh thi do tnh phc tp ca php

logarith ri rc.

Kha dng chung c trao i b mt gia A v B .

1

m

TNG QUAN V AN NINH

M ha kha cng khai

o c trng c bn ca trao i kha Diffie Hellman

Cc kha b mt ch c to khi cn thit. Khng cn phi

cha cc kha b mt trong mt khong thi gian di.

Vic tha thun da trn cc tham s chung.

o Nhc im bo mt trao i kha Diffie Hellman

N khng cung cp thng tin bt k v cc nh danh ca

cc bn.

N an ton i vi vic tn cng th ng ngha l mt

ngi th ba bit a, b s khng tnh c K. Tuy nhin giao

thc l khng an ton i vi vic tn cng ch ng bng

cch nh tro gia ng hay cn gi l kiu tn cng

Man in the Midle".

1

m

TNG QUAN V AN NINH

Vn xc thc o Cc tn cng

Ci trang (Massquerade) : chn cc bn tin vo mng t mt ngun la o. Ci trang bao gm c vic to ra cc bn tin bi k tn cng nhng li c v nh n t ngi u nhim.

Sa i ni dung (Content modification) : thay i ni dung ca bn tin bao gm cc thao tc chn, xa, chuyn v hay sa i.

Sa i th t (Sequence modification) : sa i dy bn tin gia cc bn bao gm thao tc chn, xa, v thay i th t cc thng bo trong dy.

Sa i thi gian (Timing modification) : lm tr hoc dng li bn tin.

o Xc thc:

m bo bn tin xut pht ng t ngi gi

m bo bn tin khng b thay i, gi mo.

1

m

TNG QUAN V AN NINH

Vn xc thc

o Cc hm xc thc c chia thnh ba lp nh sau :

Lp m bn tin (Message encryption) : bn m ca thng

bo l bng chng xc thc.

Tng kim tra mt m (Cryptographic checksum): Mt hm

chung ca bn tin v mt kho b mt to thnh mt gi tr

di c nh lm bng chng xc thc

Hm bm (Hash funtions) : Mt hm chung nh x mt bn

tin c di bt k thnh mt gi tr Hash lm bng

chng xc thc.

1

m

TNG QUAN V AN NINH

Vn xc thc

o Checksum

Internet checksum c mt s c tnh ging nh hm bm

hash:

To ra cc tm tt di c nh (16-bit sum);

nh x many-to-one.

Khng an ton: C th d dng to ra 2 bn tin khc nhau c

cng checksum.

1

m

TNG QUAN V AN NINH

Vn xc thc

o Hm bm

Hm Hash nhn bn tin R c kch c bin i lm u vo

v sinh ra m Hash c kch c c nh H(R), gi l gi tr tm

lc u ra.

M Hash l hm ca tt c cc bt ca bn tin v cung cp

cung cp kh nng pht hin sai.

S thay i i vi bt bt k hoc cc lot bt trong bn tin

s sinh ra s thay i trong m Hash.

1

m

TNG QUAN V AN NINH

Vn xc thc

o Hm bm (cc yu cu)

H c th thao tc vi khi d liu kch thc bt k.

H to ra u ra di c nh.

H(x) c tnh d dng vi x bt k.

Vi gi tr m bt k ca hm Hash, khng th tm ra x H(x)

= m.

Vi khi x bt k, khng th tm y # x H(y) = H(x).

Khng th tm ra cp (x,y) tho mn H(x) = H(y).

MD5 hash function (RFC 1321) - 128-bit.

SHA-1 - US standard [NIST, FIPS PUB 180-1], 160-bit.

1

m

TNG QUAN V AN NINH

Vn xc thc

o Hm bm (s dng)

1

Ngi s dng A Ngi s dng B

To ra 124 bit Digest (t bn tin gc)

Mt m (Digest) bng kha ring ca A

Gi (bn tin gc, Digest c mt m)

Gii mt m (Digest) bng kha

cng khai ca A

To ra 128 bit Digest (t

bn tin gc)

So snh Digest

m

TNG QUAN V AN NINH

Vn xc thc

o M xc thc bn tin MAC (Message Authentication

Code)

Xc thc bn tin bng hm hash

A m bn tin m v hm bm H(m).

A gi m v H(m) cho B.

B nhn c bn tin v bm, tnh ton bm v so snh hm

bm H(m) nhn c xc thc.

Ngi gi mo gi bn tin m,H(m) v gi cho B bn tin

m,H(m)???

M xc thc bn tin MAC.

1

m

TNG QUAN V AN NINH

Vn xc thc

o Hm bm (lu thc hin)

1

S liu

Gii thut

MAC

S liu

MAC

S liu

MAC

Gii thut

MAC

MAC=?

Kho b mt

chia s

Kha b mt

chia s

m

TNG QUAN V AN NINH

Vn xc thc

o Hm bm (lu thc hin)

1

m

TNG QUAN V AN NINH

Vn xc thc

o Kin trc CMAC Cipher based MAC

1

m

TNG QUAN V AN NINH

Ch k in t

1

Nu ch dng m xc thc:

1. Gi mo ni dung thng bo

2. T chi trch nhim

Ch k in t:

N c kh nng kim tra ngi k

v thi gian k.

N xc thc c ni dung thng

tin ti thi im k.

Ch k phi c kim tra bi cc

bn th ba gii quyt tranh

chp.

Ngi gi k ti liu, thit lp ch quyn cho ti liu

Ngi nhn chng minh c cho mi ngi chnh ngi gi k ti

liu.

m

TNG QUAN V AN NINH

Ch k in t

o Yu cu ca ch k s

Yu cu 1 : Ch k s phi l mt mu bt nh phn ph

thuc vo bn tin c k.

Yu cu 2: Ch k s phi dng thng tin ch c i vi

ngi gi trnh c gi mo v t chi trch nhim.

Yu cu 3 : Ch k s phi tng i d c to ra.

Yu cu 4 : Ch k s phi d c nhn ra v kim tra.

Yu cu 5 : Ch k s phi khng th gi mo c v mt

tnh ton hoc bng cch to bn tin mi t ch k s c

hoc to ch k s gi mo cho mt bn tin c th.

Yu cu 6 : Trong ci t, ch k s phi d dng c tch

ra v lu tr.

1

m

TNG QUAN V AN NINH

Ch k in t

o Kiu n gin

S dng m ha kha cng khai: B gi bn tin m v ch k

m ha bng kha ring KRB(m)

A nhn c bn tin m v ch k KRB(m)

A xc minh m k bi B bng public key KUB:

KUB(KRB(m) )=m.

Nu KUB(KRB(m)) = m, ngi k m phi s dng kha ring

ca B.

1

m

TNG QUAN V AN NINH

Ch k in t

o Kiu xc minh

A xc minh c:

B k bn tin m.

Khng c ai khc k m.

B k chnh bn tin m ch khng phi m.

Chng chi b:

A c th dng m, v ch k KRB(m) chng minh B k m.

1

m

TNG QUAN V AN NINH

Ch k in t

o Kiu da trn MAC

1

large message m

H: hash

function H(m)

digital

signature

(encrypt)

Bobs

private

key K B

-

+

Bob gi bn tin k s Alice xc minh ch k v hon

nguyn bn tin

KB(H(m)) -

encrypted

msg digest

KB(H(m)) -

encrypted

msg digest

large message m

H: hash

function

H(m)

digital

signature

(decrypt)

H(m)

Bobs

public

key K B

+

m

TNG QUAN V AN NINH

Ch k in t

o M t chu trnh to ch k

1

m

TNG QUAN V AN NINH

Chng ch s ca kha cng khai

o Cc c im c bn

Vn ca kha cng khai:

Khi A nhn c kha cng khai ca B (t Web site, e-mail,

); Lm th no bit l kha cng khai ca B, ch

khng phi ca ngi mo danh?

Gii php:

Thm quyn chng ch tin cy (trusted certification authority -

CA).

1

m

TNG QUAN V AN NINH


o Cc yu t chnh

Chng ch s Certification Authority (CA): lin kt kha cng

khai vi thc th c th E.

E ng k kha cng khai vi CA.

E cung cp bng chng nh danh (proof of identity) cho CA.

CA m chng ch (certificate) rng buc E vi kha cng khai

ca n.

Chng ch cha kha cng khai ca E c k s bi CA: CA

thng bo y chnh l kha cng khai ca E.

1

m

TNG QUAN V AN NINH


o C ch ly kha

Khi A mun kha cng khai ca B:

Ly chng ch s ca B (t B hoc t u ).

p dng kha cng khai ca CA cho chng ch ca B, gii m

ly kha cng khai ca B.

1

Bobs public

key K B +

digital signature (decrypt)

CA public

key K CA

+

K B +

- K CA (K ) B

+

m

TNG QUAN V AN NINH


o C ch ly kha

1

m

TNG QUAN V AN NINH


o M hnh quy

1

m

TNG QUAN V AN NINH


o Chng ch s X.509 v.1 v v.2

1

m

TNG QUAN V AN NINH


o Chng ch s X.509 v.3

i tng c th c cc chng ch khc nhau vi cc kha

cng khai khc nhau v gi thit rng cc cp kha cn c

cp nht nh k, do vy cn phi c cch phn bit cc

chng ch khc nhau ca i tng ny mt cch d dng.

Mt tn i tng tr thnh tn duy nht nhng n khng c

thng tin cho nhng ngi s dng chng ch khc nhn

dng i tng, do cn c thm thng tin nhn dng i

tng.

Mt s cc ng dng cn nhn dng nhng ngi s dng

thng qua cc dng tn xc nh ng dng. V d: trong an

ton th tn in t; trong vic gn kt mt kha cng khai vi

mt a ch th tn in t.

1

m

TNG QUAN V AN NINH


o Chng ch s X.509 v.3

1

m

TNG QUAN V AN NINH


o Thu hi chng ch s

1

m

TNG QUAN V AN NINH


o Thu hi chng ch s X.509 v.3

1

m

TNG QUAN V AN NINH

Cc loi chng ch s

o Chng ch SSL cho my khch

S dng chng thc my khch vi my dch v bng giao

thc bo mt SSL. Bnh thng, nh danh ca mt my khch

c th c tha nhn vi nh danh ca mt ngi, v d

nhn vin ca mt cng ty, mt cng dn.

o Chng ch SSL cho my dch v

S dng chng thc my dch v vi my khch bng giao

thc SSL. Chng thc my dch v l mt iu kin cn thit

cho mt phin lm vic trong giao thc bo mt SSL.

1

m

TNG QUAN V AN NINH

Cc loi chng ch s o Chng th S/MIME (S/MIME certificates)

Dng k v m ha th in t. Vi mt chng th SSL cho my khch nh danh ca my khch c tha nhn nh nh danh ca mt ngi. Mt chng ch n cng c th c s dng chung cho hai loi chng th S/MIME v chng th SSL cho my khch (Client SSL certificate)..

o Chng th k cho i tng Dng chng thc nhng ngi k cho Java code,

Javascipt, hoc nhng file v phn mm cn c k.

o Chng th cho CA S dng chng thc cho cc CA. Phn mm my khch

v my dch v s dng chng th ca CA xc nh cc chng th khc c tin tng c khng.

1

m

TNG QUAN V AN NINH

H tng kha cng cng PKI

o Chu trnh xy dng PKI

1

m

TNG QUAN V AN NINH


o Cc thnh phn

T chc pht hnh chng ch (Certificate Authority - CA):

L mt bn th ba c tin cy c trch nhim to, qun l,

phn phi, lu tr v thu hi cc chng ch s. CA s nhn cc

yu cu cp chng ch s v ch cp cho nhng ai xc minh

c nhn dng ca h.

T chc ng k (Registration Authority - RA):

ng vai tr trung gian gia CA v ngi dng. Khi ngi

dng cn chng ch s mi, h gi yu cu ti RA v RA s

xc nhn tt c cc thng tin nhn dng cn thit trc khi

chuyn tip yu cu ti CA CA thc hin to v k s ln

chng ch ri gi v cho RA hoc gi trc tip cho ngi dng.

1

m

TNG QUAN V AN NINH


o Cc thnh phn

Kho v lu tr chng th (Certificate Repository v

Archive - CRA) :

u tin l kho lu tr cng khai v phn phi cc chng th

v CRL (cha danh sch cc chng th khng cn hiu lc).

Kho th hai l mt c s d liu c CA dng sao lu cc

kha hin ang s dng v lu tr cc kha ht hn, kho ny

cn c bo v an ton nh chnh CA.

My ch bo mt (Security Server - SS):

L mt my ch cung cp cc dch v qun l tp trung tt c

cc ti khon ngi dng, cc chnh sch bo mt chng th

s, cc mi quan h tin cy (trusted relationship) gia cc CA

trong PKI, lp bo co v nhiu dch v khc.

1

m

TNG QUAN V AN NINH


o Cc thnh phn

Cc ng dng cho php PKI v nhng ngi s dng PKI

(PKI-enabled applications v PKI users):

Bao gm ngi dng s dng cc dch v ca PKI v cc

phn mm c h tr ci t v s dng cc chng th s nh

cc trnh duyt web, cc ng dng email pha my khch.

o Cc m hnh

PKI phn cp;

PKI dng li;

CA n l - Single CA.

1

m

TNG QUAN V AN NINH


o Cc m hnh (biu din)

1

m

TNG QUAN V AN NINH


o M hnh ti Vit Nam

1

m

CC GIAO THC AN NINH

Nguy c tn cng truyn thng

o Tn cng pht li (replay Attacts, Playback) tc

ng ti m ha i xng v cng khai

Gii php:

1. Dng s nh danh: trong mi bn tin gi, bn gi nhng s

nh danh S cho bn tin. Mi bn tin ng vi s nh danh khc

nhau. C=E(P//S, KAB). (ch dng cho mt phin)

2. Dng Timestamp: Bn gi s dng tem thi gian gn vi

bn tin, bn nhn kim tra thi im nhn c vi thng tin

trn tem. (kh khn tr truyn bin ng v cn ng b)

3. C ch Challenge/Response: Bn B gi mt s ngu nhin

N ti A (nounce), A m ha v gi km bn tin v B, B gii m

xc minh N.

2

m

CC GIAO THC AN NINH

Giao thc an ninh (bo mt)

o Thng nht phng thc m bo an ninh

(phng php m ha, kha) cho hai thc th

truyn thng.

L cc quy nh cho cc thc th tham gia truyn thng

bo mt. Thng nhm xc nh cc yu t sau:

1, nh danh cc thc th tham gia truyn thng

2, Trao i kha phin b mt m ha d liu. (Thc hin

m ha i xng thng nhanh hn m ha cng khai- c

im ton hc)

2

m

CC GIAO THC AN NINH

nh danh v trao i kha phin dng KDC

2

1) A gi yu cu mun trao i d liu vi B cho KDC. 2) KDC to mt kha b mt KAB v m ha thnh hai bn m. Mt bn m c m ha bng kha b mt ca A: E(KAB, KA) v mt bn m c m ha bng kha b mt ca B: E(KAB, KB). 3) A gii m E(KAB, KA) c KAB 4) A gi E(KAB, KB) cho B, B gii m c c KAB 5) A v B trao i d liu qua kha b mt KAB

M hnh ny c th b tn cng replay

attack. V d, K tn cng c th

replay bc 4 m B vn ngh l A gi

v B tip tc dng KAB ny lm kha

phin. Da trn c s K tn cng

tip tc replay bc 5.

Gii php: KDC gn tem thi gian khi cp kha

m

CC GIAO THC AN NINH

Needham and Schroeder xut sa i

m hnh trn nh sau

2

1) 1) A -> KDC: IDA||IDB||N1 2) KDC -> A: E(KS||IDB||N1||E(KS||IDA, KB), KA) KS l kha phin, IDB A bit

kha phin ny dng vi B

3) A gii m c c KS v E(KS||IDA, KB)

4) A -> B: E(KS||IDA, KB) // IDA B bit kha phin ny dng vi A

5) B -> A: E(N2, KS)

6) A -> B: E(f(N2), KS) // f l hm bt k

7) A -> B: E(P, KS)

m

CC GIAO THC AN NINH

Hoc

2

1. AKDC: IDa || IDb || N1

2. KDC A: EKa[Ks || IDb || N1 || EKb[Ks || IDa]]

3. A B: EKb[Ks || IDa]

4. B A: EKs[N2]

5. A B: EKs[f(N2)]

1. AKDC : IDa || IDb

2. KDC A : EKa[Ks || IDb || T || EKb[Ks || IDa || T]]

3. A B : EKb[Ks || IDa || T]

4. B A : EKs[N2]

5. A B : EKs[f(N2)]

m

CC GIAO THC AN NINH

Ci thin l hng khi Attacker bit KS v

E(KS||IDA, KB), replay ti bc 4 v phn hi

N2 cho B-> s dng kha phin bit. o 1) A -> B: IDA ||NA

o 2) B -> KDC: IDB||NB||E(IDA||NA, KB)

o 3) KDC -> A: E(IDB||NA||KS, KA)|| E(IDA|| KS, KB)|| NB

o 4) A -> B: E(IDA||KS, KB)|| E(NB, KS)

o 5) A -> B: E(P, KS)

2

m

CC GIAO THC AN NINH

nh danh v trao i kha phin bng kha

cng khai

2

A to mt kha phin KS , m ha bng kha ring ca A sau m ha bng

kha cng khai ca B.

B gii m KS dng kha ring ca B v kha cng khai ca A.

Nh tnh bo mt, A bit chc rng ngoi A ch c B mi bit c KS.

Nh tnh khng t chi, B bit rng ngoi B ch c A mi bit c KS v

A dng kha ring m ha KS.

Trong m hnh trn, Trudy c th replay bc 3 m B vn ngh l A gi v B tip tc dng KS ny lm kha phin. Da trn c s Trudy tip tc replay bc 4.

m

CC GIAO THC AN NINH

C ch challenge/response chng replay

2

- Bc 1: A gi chng ch CA cho B.

- Bc 2: B gi chng ch CB v nounce NB cho A.

- Bc 3: A chn mt tin kha phin S v tnh c kha phin KS = H(S||NB). A

gi chng thc v bo mt S cho B. B cng tnh kha phin KS.

- Bc 4: A gi gi tr hash H(KS) cho B, B kim tra gi tr hash ny vi gi tr hash

do B t tnh. Nu khp, B bit c rng bc 3 khng th b replay attack.

Gi s Trudy replay bc 3 nhng khng bit S, vy Trudy khng tnh c

KS tng ng vi NB mi ca Bob, t Trudy cng khng th tnh c H(KS). Do

Trudy khng th replay bc 4 m khng b Bob pht hin.

- Bc 5: A v B tin hnh trao i d liu.

m

CC GIAO THC AN NINH

Giao thc WooLam

2

1. A KDC : IDa || IDb

2. KDC A : EKRauth[IDb || KUb]

3. A B : EKUb[Na || IDa]

4. B KDC : IDb || IDa || EKUauth[Na]

5. KDC B : EKRauth[IDa || KUa] || EKUb[EKRauth[Na || Ks || IDb]]

6. B A : EKUa[EKRauth[Na || Ks || IDb ] || Nb]

7. A B : EKs[Nb] tng cng tnh an ton ca giao thc trn, mt ci tin c xut l b xung

nh danh IDa ca A vo cc thng bo trong bc 5 v 6 m bo rng cp

{IDa,Na} nhn dng duy nht i hi kt ni ca A.

m

CC GIAO THC AN NINH

Cc giao thc ng dng c th trong IP

2

m

CC GIAO THC AN NINH

Secured e-mail

2

KS( ) .

KB( ) . + + -

KS(m )

KB(KS ) +

m

KS

KS

KB +

Internet

KS( ) .

KB( ) . - KB -

KS

m KS(m )

KB(KS ) +

Ngi gi:

to kha ring (kha i xng), KS.

m ha bn tin bng KS

m ha kha KS bng kha cng khai ngi nhn.

gi KS(m) v KB(KS) cho ngi nhn.

m bo tnh b mt e-mail, m.

m

CC GIAO THC AN NINH

Secured e-mail

2

KS( ) .

KB( ) . +

+ -

KS(m )

KB(KS ) +

m

KS

KS

KB +

Internet

KS( ) .

KB( ) . -

KB -

KS

m KS(m )

KB(KS ) +

Ngi nhn:

s dng kha ring gii m v ly KS s dng kha KS gii m KS(m) nhn bn tin m

m bo tnh b mt e-mail.

m

CC GIAO THC AN NINH

Secured e-mail

2

m bo tnh xc thc, tnh ton vn.

H( ) . KA( ) . -

+ -

H(m ) KA(H(m)) -

m

KA -

Internet

m

KA( ) . +

KA +

KA(H(m)) -

m H( ) .

H(m )

compare

Ngi gi k s vo bn tin.

Gi c bn tin nguyn thy v ch k s.

m

CC GIAO THC AN NINH

Secured e-mail

2

m bo tnh b mt, tnh xc thc, tnh ton vn.

H( ) . KA( ) . -

+

KA(H(m)) -

m

KA -

m

KS( ) .

KB( ) . +

+

KB(KS ) +

KS

KB +

Internet

KS

Ngi gi s dng ba loi kha: kha ring ca ngi gi, kha cng

khai ca ngi nhn, to kha i xng (kha b mt) mi.

m

CC GIAO THC AN NINH

Secured e-mail

2

Cu trc m ha e-mail

Internet, tr thnh tiu

chun.

S dng m ha kha i

xng, m ha kha cng

khai, hm bm, v ch k

s.

Cung cp tnh b mt, xc

thc ngi gi, tnh ton

vn.

Ngi pht minh Phil

Zimmerman.

---BEGIN PGP SIGNED MESSAGE---

Hash: SHA1

Bob:My husband is out of town

tonight.Passionately yours, Alice

---BEGIN PGP SIGNATURE---

Version: PGP 5.0

Charset: noconv

yhHJRHhGJGhgg/12EpJ+lo8gE4vB3mqJhFEvZP

9t6n7G6m5Gw2

---END PGP SIGNATURE---

Bn tin c k s PGP:

m

CC GIAO THC AN NINH

Giao thc bo mt web Secure Socket Layer

2

TCP

IP

TCP enhanced with SSL

TCP

socket

Application

TCP

IP

TCP API

SSL sublayer

Application

SSL

socket

Cung cp an ton lp giao vn cho tt c cc ng dng trn TCP s dng dch v SSL m bo tnh b mt, tnh ton vn, tnh xc thc

Giao thc SSL bo mt d

liu trao i qua socket. V

vy nn c tn gi l Secure

Socket Layer (URL bt u bng https://). y l giao thc bo mt kt

hp m ha kha cng khai v kha i xng

m

CC GIAO THC AN NINH


2

Chng thc hai pha:

Chng thc mt pha (website)

Trao i kha phin yu cu ngi duyt web v website u c cp kha ring v kha cng khai

Ch c website bit c kha phin Website chng thc ngi s dng qua password

m

CC GIAO THC AN NINH


2

Phng php Diffie-Hellman

o Fixed Diffie-Hellman: l phng php trao i kha Diffie-Hellman m trong

cc yu t cng khai (g, t) c chng thc ging nh chng thc kha

cng khai ca RSA. iu ny gip ngn chn hnh thc tn cng k-ng-

gia.

o Ephemeral Diffie-Hellman: l phng php trao i kha Diffie-

Hellman c bo v bng m ha kha cng khai RSA. y l hnh thc Diffie-Hellman an ton nht.

o Anonymous Diffie-Hellman: Diffie-Hellman thng, do c th b tn cng theo hnh thc k-ng-gia.

Cc phng php m ha i xng m SSL c th thc hin l RC4, RC2, DES, 3DES, IDEA, AES

m

CC GIAO THC AN NINH


2

Cc giai on thc hin ca SSL

1. Bt tay: xc thc, tha thun gii thut kha m ha d liu, m ha

MAC.

2. Trao i kha: to kha, gi kha cho nhau chun b cho phin

truyn d liu.

3. Trao i s liu ng dng: s liu c m ha v truyn gia client

v server.

m

CC GIAO THC AN NINH


2

Giao thc bt tay SSL

Chng thc website v chng thc ngi duyt web; Trao i kha phin v thng nht cc thut ton m ha c s dng)

m

CC GIAO THC AN NINH


2

Giao thc bt tay SSL

Pha 1: (Tha thun v phng php m ha c s dng ) Bn tin client-hello gm:

Version: phin bn SSL cao nht m client s dng

Random: l mt cu trc ngu nhin gm 32 byte

SessionID: nu bng 0 c ngha l client mun thit lp mt session mi

hon ton.

CompressionMethod: phng php nn d liu s dng

CipherSuite: Cc phng php m ha kha cng khai dng trao i

kha phin nh RSA, Fixed Diffie-Hellman,ng vi mi phng php

trao i kha l danh sch cc loi m ha i xng c s dng gm:

CipherAlgorithm; Hash Algorithm (MD5 hay SHA-1); CipherType;

KeyMaterial (mt chui byte c dng sinh kha); IV Size: kch thc

dng trong m hnh CBC ca m khi.

m

CC GIAO THC AN NINH


2

Giao thc bt tay SSL

Pha 2: Chng thc server v trao i kha ca m ha cng khai

o Bn tin certificate: server cung cp certificate ca mnh cho

client (di dng chng ch X.509) .

o Bn tin certificate_request: trong trng hp server cn chng

thc ngi s dng, server s gi bn tin ny yu cu client

cung cp chng ch.

o Bn tin server_hello_done: bo hiu server hon tt pha 2.

m

CC GIAO THC AN NINH


2

Giao thc bt tay SSL

Pha 3: Chng thc client v trao i kha ca m ha i xng

Bn tin certificate: nu server yu cu certificate, client cung cp

certificate ca mnh cho server.

Bn tin client_key_exchange: trong bc ny client gi cc thng s cn thit

cho server to kha b mt.

Bn tin certificate_verify: l ch k ca client trong trng hp server cn

chng thc client. Client phi dng kha ring k ch k, do server c

th m bo c l khng ai khc dng certificate ca client gi mo.

.

m

CC GIAO THC AN NINH


2

Giao thc bt tay SSL

Pha 4: (Hon tt qu trnh bt tay )

o Trong pha ny client v server gi thng ip finished thng bo hon tt

qu trnh bt tay ln nhau.

o Tham s ca thng ip ny l mt gi tr hash hai bn c th kim tra

ln nhau.

Vic dng cc gi tr ClientHello.random v ServerHello.random s lm

phc tp vic ph m hn. n y client v server hon tt qu trnh

bt tay trao i kha, sn sng truyn s liu theo giao thc truyn s

liu.

m

CC GIAO THC AN NINH


2

Giao thc truyn d liu

Kim tra tnh ton vn ca lung d liu: chia thnh cc khi nh (record) Khng yu cu bt buc c th tc nn d liu

Kim tra ton vn ca ton b cc khi: B sung s th t vo cc record

m

CC GIAO THC AN NINH


2

Giao thc truyn d liu

Sau khi tnh MAC xong, khi d liu cng vi gi tr MAC c m ha bng mt thut ton m khi c la chn trong giao thc bt tay.

H( ) . MB

b1b2b3 bn

d

d H(d)

d H(d)

H( ) . EB

TCP byte stream

block n bytes together compute

MAC

SSL

seq. #

d H(d) Type Ver

Len

SSL record

format

unencrypted

m

CC GIAO THC AN NINH


2

Giao thc truyn d liu (mi lin h gia cc th tc con)

trnh vic mi ln kt ni vi server l client phi tin hnh giao thc bt tay li t u, SSL a ra khi nim Session v Connection.

SSL ch cn thc hin giao thc bt tay khi to session, cn khi to mi connection,

SSL s gi nguyn tt c cc phng php m ha c chn,

gi nguyn gi tr pre-master secret; ch tnh li ClientHello.Random v

ServerHello.Random, kha MAC, kha m ha

m

CC GIAO THC AN NINH

Giao thc bo mt mng cc b Keberos

2

Giao thc Keberos l mt giao thc chng thc s dng

trong mi trng LAN

Keberos l giao thc chng thc da trn khi nim trung

tm phn phi kha KDC;

Keberos ch da trn m ha

i xng (Giao thc ny do

MIT chun ha).

Mc ch ca Keberos l

trao i kha phin, thng qua

m bo tnh bo mt v

tnh chng thc.

m

CC GIAO THC AN NINH

Giao thc bo mt lp mng

2

Giao thc IPsec v VPN

Bo mt(m ha)- Confidentiality: Ngi gi c th m ha d liu trc khi truyn chng qua mng. Nu giao tip b ngn chn, d liu khng th c c.

Ton vn d liu- Data integrity: Ngi nhn c th xc minh cc d liu c truyn

qua mng Internet m khng b thay i. IPSec m bo ton vn d liu bng cch s

dng checksums (gi tr bm).

Xc thc- Authentication: Xc thc m bo kt ni c thc hin v cc ng i

tng. Ngi nhn c th xc thc ngun gc ca gi tin, bo m, xc thc ngun gc

ca thng tin.

Antireplay protection: xc nhn mi gi tin l duy nht v khng trng lp.

IPSec l mt tp cc chun m, c pht trin bi IETF.

m

CC GIAO THC AN NINH


2

Lin kt an ninh SA (Security Associations): L mt kt ni

logic gia hai thc th s dng IPsec; n hng)

Bn tin

Cc giao thc xc nhn, cc kha, v cc thut ton.

Phng thc v cc kha cho cc thut ton xc nhn c dng bi cc giao thc Authentication

Header (AH) hay Encapsulation Security Payload (ESP) ca b IP Sec.

Thut ton m ha v gii m v cc kha.

Thng tin lin quan kha, nh khong thi gian thay i hay khong thi gian lm ti ca cc kha.

Thng tin lin quan n chnh bn thn SA bao gm a ch ngun SA v khong thi gian lm ti.

Cch dng v kch thc ca bt k s ng b m ha dng, nu c.

m

CC GIAO THC AN NINH


2

Lin kt an ninh SA (Security Associations): L mt kt ni

logic gia hai thc th s dng IPsec; n hng)

IP Sec SA gm c 3 trng:

SPI Security Parameter Index : y l mt trng 32 bit dng nhn dng

giao thc bo mt, c nh ngha bi trng Security protocol, trong b IP Sec

ang dng. SPI c mang theo nh l mt phn u ca giao thc bo mt v

thng c chn bi h thng ch trong sut qu trnh tha thun ca SA.

Destination IP address : y l a ch IP ca nt ch. Mc d n c th l a

ch broadcast, unicast, hay multicast, nhng c ch qun l hin ti ca SA ch

c nh ngha cho h thng unicast.

Security protocol : Phn ny m t giao thc bo mt IP Sec, c th l AH hoc

ESP.

m

CC GIAO THC AN NINH


2

C s d liu SA (SAD):H tr nhiu lin kt an ninh

Mt IP Sec SA dng 2 c s d liu. Security Association Database (SAD) nm

gi thng tin lin quan n mi SA. Thng tin ny bao gm thut ton kha,

thi gian sng ca SA, v chui s tun t.

C s d liu c th c coi nh l mt bng hai chiu vi mi hng xc nh

mt SA duy nht. Thng thng, c hai SAD l inbound (trong) v outbound

(ngoi);

Mi mc trong mt SAD trong c la chn bng cch s dng ba ch s:

Ch s tham s bo mt (mt s 32 bit nh ngha SA ti im n),

a ch ch;

Giao thc (AH hoc ESP).

m

CC GIAO THC AN NINH


2

C s d liu SA (SAD):H tr nhiu lin kt an ninh

m

CC GIAO THC AN NINH


2

C s d liu chnh sch bo mt: SDP

Nm gi thng tin v cc dch v bo mt km theo vi mt danh sch th t chnh sch cc im vo v ra; nh ngha lu lng no c x l v lu

lng no b t chi theo tng chun ca IP Sec.

Mi host ang s dng giao thc IPSec cn phi lu mt c s d liu chnh

sch bo mt SPD (SPD inbound v SPD outbound). Mi mc trong SPD c

th c truy cp bng cch s dng mt ch s nhm gm: a ch ngun, a

ch ch, tn, giao thc, cng ngun v cng ch.

m

CC GIAO THC AN NINH


2

B giao thc Ipsec (IKE, AH v ESP)

IKE gm 3 giao thc con ISAKMP/Oakley/SKEME: ISAKMP: Internet Security Association and Key Management Protocol; Oalkey:

to kha v SKEME: trao i kha. (Diffie-Hellman)

IKE gip cc bn giao tip ha hp cc tham s bo mt v kha xc nhn trc

khi mt phin bo mt IP Sec c trin khai;

Sa i nhng tham s khi cn thit trong sut phin lm vic;

IKE cng m nhim vic xo b nhng SAs v cc kha sau khi mt phin giao

dch hon thnh;

H tr cc thit b tham gia trao i vi nhau v thng tin an ninh (phng php

m ha, thut ton, chu k m ha.

m

CC GIAO THC AN NINH


2

B giao thc Ipsec (IKE, AH v EPS)

Cung cp xc thc ngun, ton vn d liu, khng bo mt.

AH header c chn vo gia mo

u gi IP (IP header), v trng d

liu.

Protocol field: 51

Cc router trung gian x l gi tin

nh thng thng.

AH header bao gm:

nh danh kt ni

D liu xc thc: tm tt bn tin

ngun c tnh t IP datagram

ngun.

Trng mo u tip sau (next

header field): xc nh dng ca

d liu (e.g., TCP, UDP, ICMP)

IP header data (e.g., TCP, UDP segment) AH header

m

CC GIAO THC AN NINH


2


Ch AH trong IPSec

S liu c s dng tnh ton MAC cho nhn thc

(tr cc trng trong tiu IP thay i trong truyn dn)

Tiu IP AH n thm Tiu

IP gcTiu

TCP/UDPS liu

8 bit 8 bit 16 bit

Tiu

tip theo

di

ti tinD tr

Ch s thng s an ninh (SPI)

S trnh t

S liu nhn thc (MAC hay Digest)

( di kh bin)

m

CC GIAO THC AN NINH


2


C tc dng xc thc (Authentication), m ha (Encrytion) v m bo tnh trn vn

d liu (Securing of data ). y l giao thc c dng ph bin trong vic thit lp IP

Sec.

ESP thm mt tiu v phn ui (trailer). D liu xc thc ca ESP c thm

vo cui ca gi tin, lm cho tnh ton d dng hn.

m

CC GIAO THC AN NINH


2


Th tc ca EPS gm:

1. Trailer ESP c thm vo payload.

2. Payload v trailer c m ha.

3. Tiu ESP c thm vo.

4. Tiu ESP, payload, v trailer ESP c s dng to ra d liu xc thc.

5. D liu xc thc c thm vo cui ca trailer ESP.

6. IP header c thm vo sau khi thay i gi tr giao thc thnh 50.

m

CC GIAO THC AN NINH

Ch truyn ti Ipsec (transport v tunnel)

2

C AH v EPS u hot ng trn c hai ch hot ng

m

CC GIAO THC AN NINH


2

Transport mode bo v giao thc tng trn v cc ng dng. Trong Transport mode,

phn IP Sec header c chn vo gia phn IP header v phn header ca giao thc

tng trn:

Transport mode thiu mt qu trnh x l phn u, do n nhanh hn. Tuy nhin, n khng hiu qu trong trng hp ESP khng xc nhn m cng khng m ha phn u IP. - D liu (Layer4 Payload) c m ha s nm trong ESP eader v ESP s chn vo gia Layer 2 header v layer 3 header

m

CC GIAO THC AN NINH


2

Tunnel mode bo v ton b gi d liu. Ton b gi d liu IP c ng gi trong

mt gi d liu IP khc v mt IP Sec header c chn vo gia phn u nguyn

bn v phn u mi ca IP.

m

CC GIAO THC AN NINH


2

D liu s c m ha v ng gi thnh 1 IP Header mi vi source v des IP

mi.

IP Sec c nhng phng php m ha nh DES (Data Encrution Standard), 3DES,

AES (Advance Encrytion Standar).

IP Sec c nhng phng php xc thc nh HMAC, MD5, SHA-1.

m

CC GIAO THC AN NINH


2

Trong ch truyn ti, IPSec nm gia tng giao vn v tng mng.

Trong ch ng hm, lu lng l t tng mng n IPSec v sau tr

li tng mng mt ln na.

m

CC GIAO THC AN NINH

Bo mt lp lin kt d liu

2

Thc hin bi c ch ng hm (tunnel) cng vi th tc ng gi bo v

(encapsulation) d liu cc d liu c x l theo mt tp quy tc ch c

nhn dang bi u cui ng hm.

Tunnel

Mt chng

Kt ni vt l

Internet

Mng ring

A

C

Y

Z

Mng ring Mng ringInternet

a ch ring a ch ringa ch cng cng

Bo v tnh ton vn s liu u cui-u cui v tnh b mt

m

CC GIAO THC AN NINH


2

ng hm lp 2:

L2TP (L2 Tunneling Protocol);

PPTP (Point-to-Point Tunneling Protocol);

L2F S dng ng bao cc khung lin kt (PPP);

LAC LNS

LAC client

PPP

L2TP Tunnel

Mng

chuyn

PPP

L2TP

Tun

nel

Mng ng-i

s dng

Mng truy nhp

LAC (LT2TP Access Concentrator: b

tp trung truy nhp L2TP) c t

ti im kt cui giao thc mng truy

nhp v n c th thit lp tunnel n

cc LNS (L2TP Network Server).

LNS (L2 Network Server) kt cui

cc tunnel t cc LAC v cng cung

cp cc dch v truy nhp mng nh

nhn thc ngi s dng v n nh

a ch.

m

CC GIAO THC AN NINH


2

ng hm lp 2: Thit lp L2TP

L2TP nh ngha mt knh iu khin tin cy. Trn knh ny c th thit lp mt tunnel

gia LAC v LNS.

Giai on thit lp tunnel thng gm nhn thc bng cch trao i b mt gia LAC

v LNS ( dng L2TP tunnel; mt khu).

Khi thit lp mt tunnel gia LAC v LNS, mng c th thit lp hoc xo phin

PPP v gi i cc khung lin quan n hai nt s dng khun dng ng bao L2TP trn

knh s liu L2TP.

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9

0 1 2

0 1

3

T L x x S x O P x x x Verx Length (opt)

Tunnel ID Session ID

Ns (opt) Nr (opt)

Offset Size (opt) Offset Pad (opt)

m

CC GIAO THC AN NINH

NHN THC, TRAO QUYN V TI KHON

2

AAA: Authentication, Authorization and Accounting

Authentication: cung cp vic xc thc ngi dng nhm bo m c th nhn dng

ng ngi dng.

Authorization: Mt khi nhn dng ngi dng, ta c th gii hn thm quyn m

ngi dng c th lm.

Accounting: Khi ngi dng s dng mng, ta cng c th gim st tt c nhng g

m h lm.

C hai giao thc bo mt dng trong dch v AAA l

TACACS (Terminal Access Controller Access Control System)

RADIUS (Remote Authentication Dial-In User Service).

m

CC GIAO THC AN NINH

TACACS v RADIUS

2

TACACS v RADIUS c dng t mt thit b nh l server truy cp mng (NAS)

n AAA server.

- Ngi dng gi t PC n NAS. NAS s hi thng tin xc thc ngi dng. T PC n

NAS, giao thc s dng l PPP, v mt giao thc nh l CHAP hay PAP c dng truyn

thng tin xc thc.

- NAS s truyn thng tin n AAA Server xc thc. N c mang bi giao thc TACACS

hoc RADIUS.

m

CC GIAO THC AN NINH

TACACS v RADIUS

2

TACACS l giao thc s dng giao thc hng kt ni (connection-oriented)

l TCP trn port 49.

TACACS c cc u im sau:

Vi kh nng nhn gi reset (RST) trong TCP, mt thit b c th lp tc bo cho

u cui khc bit rng c li trong qu trnh truyn.

TCP l giao thc m rng v c kh nng xy dng c ch phc hi li.

Ton b payload c m ha vi TACACS+ bng cch s dng mt kha b mt

chung (shared secret key). TACACS+ m ha ton b gi bng vic s dng kha

b mt chung.

TACACS+ c chia lm ba phn: xc thc (authentication), cp quyn

(authorization) v tnh cc (accounting). Vi cch tip cn theo module, c th s

dng cc dng khc ca xc thc v vn s dng TACACS+ cp quyn v

tnh cc. V d, xc thc Kerberos v cp quyn v tnh cc bng TACACS+.

m

CC GIAO THC AN NINH

TACACS v RADIUS

2

RADIUS l giao thc da theo m hnh client-server.

N dng giao thc UDP. RADIUS server thng chy trn my tnh.

Client l cc dng thit b c th truyn thng tin n RADIUS server c ch nh

trc v sau ng vai tr phc p m n tr v.

Giao tip gia client v RADIUS server c xc thc thng qua vic s dng kha

b mt chung khng c truyn qua mng.

- Mt s u im ca RADIUS l:

RADIUS c phn overhead t hn so vi TACACS v n s dng UDP, trong phn

overhead khng c a ch ch, port ch.

Vi cch thc phn phi dng source code, RADIUS l dng giao thc hon ton m

rng. Ngi dng c th thay i n lm vic vi bt k h thng bo mt hin c.

RADIUS yu cu chc nng tnh cc (accounting) m rng.

m

CC GIAO THC AN NINH

TACACS v RADIUS

2

ng dng:

RADIUS thng c dng tnh cc da trn ti nguyn s dng.

V d nh ISP s tnh cc cho ngi dng v chi ph kt ni. Ta c th ci t RADIUS

Accounting m khng cn s dng RADIUS xc thc v cp quyn. Vi chc nng

accounting m rng, RADIUS cho php ta theo di vic s dng ti nguyn (thi gian, s

lng cc gi tin, s lng byte,...) trong sut phin lm vic.

m

CC GIAO THC AN NINH

Phng php nhn thc PAP

2

PAP (Password Authetication Protocol: giao thc nhn thc mt khu) c trnh

by trong [RFC1334] l mt giao thc n gin cho php mt u cui PPP (thng

l my trm) truyn tn ngi s dng v mt khu trong ch vn bn r rng

n ng cp (thng l NAS:Network Access Server: server truy nhp mng)

ngi s dng c th kim tra s hp l v cho php hoc t chi tip tc phin PPP

v truy nhp mng tip theo.

Giao thc ny c mt yu im l mt k tn cng c th lu gi gi tr ca ngi s

dng v mt khu c pht cng khai bng cch s dng PAP v t chc cc tn

cng NAS da trn pht li.

m

CC GIAO THC AN NINH

Phng php nhn thc CHAP

2

IETF nh ngha cch bo v qu trnh nhn thc khi b tn da trn pht li qua

giao thc bt tay ba pha CHAP (Challenge Handshake Authetication Protocol)

c m t trong [RFC1994].

Trong giao thc ny, mt im cui PPP c th nh k hi khu lnh mt ng cp

bng cch s dng mt xu bit gi tr ngu nhin c gi l khu lnh (Challenge)

v im ng cp phi tr li bng cu tr li da trn mt b mt dng chung vi

u cui hi khu lnh (Challenger Endpoint).

B mt ny c ngu nhin ha bng cch s dng gi tr khu lnh theo mt hm

tm tt bn tin MD-5 [RFC1321]. im cui sau kim tra gi tr ca tm tt bn

tin MD-5 c cha trong tr li trong tr li so vi gi tr k vng v n bit c

b mt ny. Nu cc kt qa ph hp, th phin PPP c th tip tc, tri li lin kt

b d b.

m

CC GIAO THC AN NINH

Phng php nhn thc EAP

2

EAP (Extensible Authentication Protocol: giao thc nhn thc m rng) trong

[RFC2284] c nh ngha sao cho c th tr hon vic chn giao thc cho n giai

on nhn thc v c th s dng server tip sau thc hin cc gii thut nhn

thc thay v phi yu cu cc u cui thc hin chng.

Trong thc t mt im u cui PPP c th khng bit c ch nhn thc v ch n

thun trao i cc bn tin EAP n cc server nhn thc ngoi lm nhim v thc

thi cc c ch nhn thc. iu ny cho php ta cp nht cc client nhn thc cho

cc my trm ca khch hng v cc server trong cc mng khch hng m khng

nh hng n h tng.

C th cho php chuyn t truy nhp da trn mt khu sang truy nhp da trn

card thng minh sun s hn v khng cc cn cp nht cng chuyn tt c cc

nt. Chng hn mt NAS c th nh tuyn cc khung EAP n cc server nhn

thc khc nhau ph thuc vo gi tr ca giao thc nhn thc c chn.

m

CC GIAO THC AN NINH

Phng php nhn thc 3 yu t

2

Phng php nhn thc da trn tn ngi s dng v mt khu, (cn c gi l

cc phng php nhn thc hai yu t) khng cn ph bin i vi cc nh qun

l mng v duy tr mt khu gy kh khn nht nh i cn b h tr.

V th cc phng php nhn thc ba yu t tr nn ngy cng ph bin hn, v

chng khng cn ngi s dng qun l mt khu. Trong thc t, ngi s dng s

buc phi lun nh nhn dng ca mnh (tn ngi s dng) v mt PIN b mt

khng cn thay i. Sau ngi s dng c mt s ch s t mt th an ninh v

nhp n vo mt vng tng ng trn ca s ng k hay mt b c chipcard gn

t ng cc ch s ny cho php to ra mt khu mt ln.

m

CC GIAO THC AN NINH

Phng php nhn thc 3 yu t

2

M hnh i din

BTS

BSC

PDSN/FA HA

Mng IP Mng nh

M hnh mi gii

BTS

Mng IPMng nh

BSC

PDSN/FA HA

AAA server

mng khch

AAA server

mng nh

AAA server

mi gii

AAA server

mng khch

AAA server

mng nh

Kin trc AAA i din v mi gii

m

CC GIAO THC AN NINH

Giao thc Diameter

2

DIAMETER c chn gii quyt vn lin quan n RADIUS (RADIUS l mt

giao thc da trn client/server) bng cch nh ngha quan h ng cp gia cc thc th

ng cp DIAMETER. iu ny cho php thc hin cc vn nh cc th tc c

khi xng bi AAA server.

N cng tng cng thng tin server n server cho php hiu nng tt hn trong cc

thc hin da trn i din, trong thng tin server n server c th dn n cc yu

cu h tr hng nghn giao dch trn mt giy.

m

CC GIAO THC AN NINH

Giao thc Diameter

2

Cc tng cng ny m rng mc truyn ti bng vic a ra SCTP (Stream Control

Transmission Protocol: giao thc truyn dn iu khin lung, [RFC2960]); mc m hnh

s liu vi cc m hnh s liu nh hng theo i tng c phn cp, i nghch vi

m hnh khng phn cp, phng ca RADIUS v mc an ninh vi b sung kim tra tnh

ton vn gii quyt cc la o gy ra do cc thay i s liu AAA c dng xu hay

v tnh bi cc i tc trung gian ng vai tr mi gii hay i din trong mt chui i

din.

Ngoi ra DIAMETER cn cho php cc AAA broker (mi gii) hot ng nh cc tc

nhn chuyn hng, v th cho php thc hin thng tin trc tip gia AAA server mng

khch v AAA server mng nh v gim bt kh nng tn cng ca mt k trung gian.

m

CC GIAO THC AN NINH

Thu thp thng tin thanh ton

2

Cch th nht l lu s liu a phng ti nt phc v, nh NAS, hay mt my trm ng

dng. Nhc im cu cch ny l cc vn v an ninh, ri ro (c ngha l nt b s c

th s liu c th b mt) v thng cn mt th tc qu phc tp thu thp s liu nu

ngi s dng l di ng v c th truy nhp n nhiu nt phc v.

Phng php th hai c a dng hn v cng ngy cng nhiu c p dng vo cng

nghip l phng php da trn pht s liu thanh tan n mt cng hay mt chc nng

server (nh k hay theo s kin) v sau o cho h thng tnh cc truy nhp mt im

tip xc trung tm nhn thng tin thanh ton.

m

CC GIAO THC AN NINH

Thu thp thng tin thanh ton

2

UMTS/GSM

NB/BTS

RNC/BSC

SGSN GGSN

Mng IPMng

khch hng

H thng tnh cc

Cng tnh ccServer thanh

ton RADIUS

GTP

FTP

GTP

Cdma2000/

WiMAX

BTS

Mng IPMng

khch hngBSCPDSN/

FAHA

Thanh ton RADIUS Server thanh

tan RADIUS

Server thanh

tan RADIUSFTP

H thng tnh cc

V d kin trc thu thp s liu thanh ton

m

An ninh mng WLAN

Cng ngh Tn s (GHz) S liu (Mbps) ng dng Quc gia

Bluetooth 2,4 0,8 Thoi di ng Ton cu

OpenAir 2,4 1,6 Gia nh Ton cu

HomeRF 2,4 10 Gia nh Ton cu

802.11b 2,4 11 Cng s Bc M

802.11a 5 54 Cng s Bc M

HiperLAN1 5 18 Cng s Chyu u

HiperLAN2 5 54 Cng s Chu u

Mt s cng ngh s dng cho WLAN in hnh

Cc chun 802.11a, 802.11b, 802.11g, 802.11n. 802.11e QoS

c lin minh WiFi t tn l Wireless MultiMedia (WMM) 802.11i

Thm thut ton m ha AES i hi b x l tc cao, (TKIP l gii php tm thi).

m

Cu trc WLAN

My ch

H thng phn phi (DP)

Ethernet, TokenRing,...

Phn mm truyn tin / ghp ni

V d

TCP/IP, Cissco Aironet Client Drivers,...

Token Ring

Ethernet

im truy nhp (AP)

v Anten

An ninh mng WLAN

WLAN dng mi trng khng kh nh l

phng tin truyn thng cho vic gi v nhn

thng tin.

Tn hiu c th thu c khi trong phm vi hot

ng.

WLAN c mt s l hng v bo mt m khng

tn ti trong mng cc b c dy.

Mtt s mi e da

War driver: K tn cng mun truy cp Internet min ph nn c gng tm v tn

cng cc im truy cp WLAN khng c an ninh hay an ninh yu.

Tin tc: S dng mng khng dy nh mt cch truy cp vo mng doanh

nghip m khng cn phi i qua cc kt ni Internet do c bc tng la.

Nhn vin: Nhn vin v tnh c th gip tin tc truy cp vo mng doanh nghip

bng nhiu cch.

im truy cp gi mo: k tn cng thit lp AP ca ring mnh, vi cc thit lp

tng t cc AP hin c. Khi ngi dng s dng cc AP gi mo ny s b l thng

tin.

m

Mng WLAN 802-11 BSS/ESS

H thng phn phi - DS

(Trong trng hp ny l Ethernet)

a

im truy

nhp (AP)

Cc

my

v

tuyn

im truy

nhp (AP)

An ninh mng WLAN

m

Nhn thc, lin kt ca 802.11

AP1 AP2

Trm

1. Yu cu nhn thc

uc gi ti AP1.

2. Lnh nhn thc t AP1

ti my trm

3. Tr li lnh nhn thc

trm ti AP1

4. Xc nhn.

5. Lin kt.

1. Yu cu nhn thc

uc gi ti AP2.

2. Lnh nhn thc t

AP2 ti trm

3. Tr ki lnh nhn

thc t trm ti AP2

4. Xc nhn.

5. Lin kti.

Khi trm ri khi vng ph ca

AP1, cc buc sau y s xy ra:

1. Cc tn hiu n hiu trm ch th

yu ca tn hiu ti AP1. Xy ra

vic tm kim mt AP mi trn cng

knh hoc cc knh khc. Tm

uc AP2 .

2. Yu cu lin kt li uc trm

gi n AP2. AP2 chp nhn yu

cu.

3. AP2 gi thng tin cp nht lp

MAC cho trm n AP1 qua mng

hu tuyn.

4. Cng nhn hu lin kt v nhn

nhn thc uc AP1 gi n AP2.

An ninh mng WLAN

Cc hnh thc gim nguy c Xc thc ln nhau M ha d liu Pht hin thm nhp bt hp php

m

Lch s pht trin An ninh trong 802.11

1997, chun 802.11 ch cung cp SSID (Service Set Identifier) Lc trn a ch MAC WEP (Wired Equivalent Privacy)

2001 Fluhrer, Mantin v Shamir ch ra mt s im yu trong WEP IEEE bt u khi ng nhm i (802.11i)

2003 Wi-Fi Protected Access(WPA) c gii thiu L mt gii php tm thi cho WEP Mt phn ca IEEE 802.11i

2004 WPA2 c gii thiu N da trn chun IEEE 802.11i c ph chun vo 25/06/2004

An ninh mng WLAN

m

An ninh trong 802.11

S nhn dng tp dch v (SSID: service set identifier) c s dng iu khin truy

nhp n AP: SSID l mt s nhn dng duy nht bao gm nhiu k t (cao nht 32 k t)

c gn km vi s liu trn ng truyn v tuyn. SSID ng vai tr nh mt khu trong

qu trnh thit b WLAN truy nhp AP.

Ngi dng c yu cu phi cung cp SSID khi kt ni n cc Access Point.

Khi thay i SSID cn phi thng bo n mi ngi.

SSID c cc my trm gi dng bn r nn d dng b nh cp.

Lc a ch MAC

Kim sot truy cp bng cch ch cho php cc my tnh c cc a ch MAC khai bo

trc c kt ni n mng.

a ch MAC c th b gi mo.

Phi duy tr v phn phi mt danh sch cc a ch MAC n tt c cc Access Point.

Khng phi l gii php kh thi cho cc ng dng cng cng.

Giao thc bo mt tng ng hu tuyn (WEP: Wired Equivalent Privacy) bo

mt tn hiu trn ng truyn v tuyn: bo mt, nhn thc, ton vn.

An ninh mng WLAN

m

Cc tnh nng An ninh c bn trong 802.11

Xc thc ngi dng (C hai loi xc thc ngi dng) 1, Xc thc h thng m

Xc thc bt c ai yu cu xc thc; Cung cp dng xc thc NULL

2, Xc thc dng kha chung

D dng sniff kha chung

An ninh mng WLAN

Initiator Authentication request

Responder

Authentication response

m

Mt m WEP

WEP

PRNG

Gii thut ton vn

IV

Vn bn

mt m

Bn tin

Vect khi

u IV

Kha b mt

Vn bn th

Gi tr kim tra

ton vn (ICV)

Chui kha Ht

ging

An ninh mng WLAN

Chun 802.11x nh ngha WEP(Wired Equivalent Privacy) kim sot

truy cp v bo v thng tin khi n i qua mng cc b khng dy.

Dch v xc thc c dng xc thc cc my trm khi kt ni n cc Access Point Trong h thng xc thc m, my trm c xc thc nu n p ng mt a ch MAC khi trao i ban u vi Access Point -> khng cung cp danh tnh ca my trm. WEP cng s dng mt c ch xc thc da trn mt m. C ch ny da trn mt kha b mt dng chung v thut ton m ha RC4. Trao i xc thc dng mt h thng challenge response.

m

Mt m WEP

An ninh mng WLAN

Chun 802.11x nh ngha WEP(Wired Equivalent Privacy) kim sot

truy cp v bo v thng tin khi n i qua mng cc b khng dy.

Dch v xc thc

c dng xc thc cc my trm khi kt ni n cc Access Point

Trong h thng xc thc m, my trm c xc thc nu n p ng mt a ch MAC

khi trao i ban u vi Access Point -> khng cung cp danh tnh ca my trm.

WEP cng s dng mt c ch xc thc da trn mt m. C ch ny da trn mt kha

b mt dng chung v thut ton m ha RC4.

Trao i xc thc dng mt h thng challenge response.

m

An ninh mng WLAN

Dch v xc thc

B thch ng

802.11 WLAN

im truy

nhp 802.11

WLAN

1. Khung nhn thc: yu cu nhn thc

2. Khung nhn thc: h lnh WEP 128 byte

3. Khung nhn thc: h lnh c

mt m bng kha chia s

4. Kt qu nhn thc: thnh cng nu gi

m thnh cng tri li tht bi

Kha chia s c t trong c s d liu v thng tin qun l ca tng trm di ng.

Tiu chun 802.11 khng nh nghi cch phn phi kha cho tng trm m ch cung

cp hai s qun l cc kha WEP trong mt WLAN:

Mt tp bn kha chia s chung cho tt c cc trm bao gm c cc client khng

dy v cc im truy nhp ca chng

Mt client thit lp mt quan h chuyn i vi mt trm khc.

m

Mt m WEP

An ninh mng WLAN

Dch v b mt

Cng da trn RC4.

To ra dng kha gi ngu nhin m ha d liu.

Tuy nhin WEP khng ch nh mt c ch qun l kha.

iu ny c ngha l WEP da trn cc kha tnh. Trong thc t, cc

kha tng t c s dng cho tt c cc my trm trn mng.

Kha b mt k l WEP key

Tnh ton CRC32

CRC+data

Chn IV ngu nhin, ni vi kha k:

(k+IV)

To kha gi ngu nhin

Gi IV n bn nhn bng cch t n pha

trc bn m C:

C=(data+CRC) xor RC4(k+IV))

m

Mt m WEP

An ninh mng WLAN

RC4 trong WEP

o M ha dng dng kha i xng

o M ha v gii m nhanh(10 ln nhan hn so vi DES)

o Kha b mt k

G bng tay

40bits/128bits

o Vector khi to IV

Dng PRG to ra s ngu nhin kch thc 24bits

Gi trong phn r trc bn m: (IV+C)

o Kha m ha RC4 c lp vi bn r

m

Mt m WEP

An ninh mng WLAN

Dch v b mt

o Vector khi to(IV) c gi trong phn r ca gi tin

o V vy khi nm bt c vector khi to v mt s lng gi tin, k tn cng c th

xc nh c kha m ha

o http://sourceforge.net/projects/wepcrack/

o Tm li RC4 khng phi l thut ton yu nhng vic s dng RC4 trong WEP l

thiu st v m dn n b tha hip.
http://sourceforge.net/projects/wepcrack/

m

Mt m ha WEP RC4

Kim tra tnh ton vn - CRC

IV

(per frame)

KS: 40-bit

secret

symmetric

key k1

IV k2

IV k3

IV kN

IV kN+1

IV kN+1

IV

d1 d2 d3 dN

CRC1 CRC4

c1 c2 c3 cN

cN+1 cN+4

plaintext

frame data

plus CRC

key sequence generator

( for given KS, IV)

802.11

header IV

WEP-encrypted data

plus CRC

Figure 7.8-new1: 802.11 WEP protocol

An ninh mng WLAN

Dch v ton vn

o Kim tra tnh ton vn trn mi gi tin.

o Dng CRC(cyclic redundancy check) ca 32 bits.

o CRC c tnh ton trn mi gi tin trc khi gi tin c m ha.

o D liu v CRC c m ha v gi n ch.

o CRC khng phi mt m an ton tuy nhin n c bo v bng m ha.

o Do khi hin thc m ha, WEP c mt s thiu st dn n s ton vn ca

cc gi tin cng d b tha hip.

m

An ninh mng WLAN

Cc im yu ca WEP

o Qun l kha

o Xung t

o ng gi nhn thc

o Tn cng tn bo: chn bt mt gi mt m v sau p dng mt khi lng rt

ln tnh ton.

o Tn cng FMS (Fluhrer, Mantin and Shamir): Tn cng FMS da trn vic chn

bt khi lng ln lu lng mt m sau s dng mt my tnh cng sut tnh

ton nh cho mt gii thut ph kha.

m

An ninh mng WLAN

Cc im yu ca WEP Tn cng vo kha

o Vy l cch no phn phi kha gia cc ngi s dng? v iu g s xy ra

khi s ngi s dng qu ln.

o Mi ngi s dng phi bit kha v gi n b mt. iu g s xy ra khi mt ngi

qun my tnh ti cng s hoc b nh cp: ngi ny phi c cp kha mi

v phi nhp n v cu hnh cu client.

o Ngoi ra k tn cng c th ly cp kha ny t mt phin v s dng n gii

m cc phin khc v mi ngi u s dng cng mt kha.

m

An ninh mng WLAN

Cc im yu ca WEP- tn cng xung t

o Nu ta chn IV mt cch ngu nhin (s IV 224-1) th sau vi gi IV s lp. Khi

mt IV c s dng li, ta gi y l mt xung t.

o Khi xy ra mt xung t, t hp gia kha b mt v IV c s dng lp s to ra

mt lung kho c s dng trc y. V IV c pht i dng vn bn th

mt k tn cng c th theo di tt c lu lng v xc nh thi im xy ra xung

t thc hin tn cng lung kho.

o Tn cng lung kha l mt phng php rt ra lung kha bng cch phn tch hai

gi c rt ra t cng mt IV. Tn cng ny da trn nguyn tc sau: tng modul

2 ca hai vn bn mt m bng tng modul 2 ca hai vn bn th. V th nu k

tn cng bit c hai vn bn mt m (t theo di lu lng ) v mt vn bn th

th hn c th bit c vn bn th th hai.

m

An ninh mng WLAN

Cc im yu ca WEP- tn cng ph kha

o Ngi tn cng yu cu ngi s dng m ha bn plaintext bit d1 d2

d3 d4

o Ngi tn cng thu c: ci = di XOR kiIV

o Ngi tn cng bit ci di, c th tnh kiIV

o Ngi tn cng bit kha m k1IV k2

IV k3IV

o Nu ln sau s dng li IV, ngi tn cng c th gii m!

m

An ninh mng WLAN

Cc im yu ca WEP- gi mo nhn thc

o K tn cng quan st qu trnh m phn nhn thc, n s bit c vn bn th v

vn bn mt m lin quan (tr li h lnh).

o S dng phng php lm gi bn tin, k tn cng c th rt ra c kho lung v

yu cu nhn thc t AP sau s dng kha lung ny cng vi vn bn h lnh

to ra tr li hp l.

o Khi ny k tn cng s c AP nhn thc ngay c khi k ny khng bit c

kha WEP.

Cc im yu ca WEP- tn cng tn bo

o Kha b mt 40 bit -> ph kha trong vng 1 pht.

o Gii php: Tng di kha ln 104 bit.

m

An ninh mng WLAN

Cc im yu ca WEP- tn cng FMS

WLAN client AP dng WEP

K tn cng

Yu cu ARP (c mt m bng WEP)

Tr li ARP (c mt m bng WEP)

a) K tn cng chn bt yu cu ARP da trn kch thc gi 28 byte bit trc

WLAN client AP dng WEP

K tn cng

Tr li ARP (c mt m bng WEP)

Yu cu

ARP

c tim v

o (c

mt

m bng

WEP)

Tr li A

RP (

c mt m

bng WE

P)

b) k tn cng pht li yu cu ARP nhiu ln nhn c lu lng cho tn cng FMS

m

An ninh mng WLAN

Chi tit cc im yu

o 10/2000: Jesse Walker ca Intel cng b Unsafe at any keysize; An analysis of

the WEP encapsulation

o 03/2001: Scott Fluhrer, Itsik Mantin, Adi Shamir cng b "Attacks on RC4 and

WEP, Weaknesses in the Key Scheduling Algorithm of RC4.

Wi-Fi Protected Access (WPA)

o Gii quyt hu ht cc im yu ca WEP

o L mt tp con ca 802.11i, tng thch 802.11i

o Mc tiu l ci thin vn m ha v xc thc ngi dng

o Gm 2 ch hot ng

WPA doanh nghip: TKIP/MIC ; 802.1X/EAP

WPA c nhn: TKIP/MIC; PSK

m

An ninh mng WLAN

Hot ng IEEE 802.11i

o

AP: access point AS: Authentication

server

wired

network

STA:

client station

1 Discovery of

security capabilities

3

STA and AS mutually authenticate, together

generate Master Key (MK). AP servers as pass through

2

3 STA derives

Pairwise Master

Key (PMK)

AS derives

same PMK,

sends to AP

m

An ninh mng WLAN

Cc bc vn hnh IEEE 802.11i

o Pht hin: AP thng bo dng xc thc v m ha. Client yu cu xc thc v m

ha.

o Xc thc ln nhau v to kha ch MK: xc thc gia client v server nhn thc

(EAP, EAPoL, RADIUS).

o To PMK (Pairewise Master Key): gi cho AP.

o To TK (Temporal Key): m ha d liu mc Link.

wired network

EAP TLS

EAP

EAP over LAN (EAPoL)

IEEE 802.11

RADIUS

UDP/IP

m

An ninh mng WLAN

Temporal Key Identity Protocol - TKIP

o Tn cng pht li: c th s dng cc IV khng theo th t.

o Cc tn cng gi mo: ICV s dng 32 bit CRC l tuyn tnh v c th iu khin.

o Cc tn cng xung t kha: cc xung t IV

o Cc tn cng kha yu: b mt m lung RC4 b xm phm do cc tn cng FMS

(AirSnort, WEPCrack)

Kha tm thi (128 bit)

Trn kha pha 1

a ch MAC ca ngi gi

Trn kha pha 2

B m trnh t truyn

(cc s trnh t)

Kha WEP 128 bit.

(c hin th

dng 24 bit IV v 104

bit b mt chia s)

Kha MIC

a ch MAC ca ngi gi

a ch MAC ca ngi nhn

Vn bn th

MICVn bn

thMIC

WEPVn bn

mt m

m

An ninh mng WLAN

Trn kha WEP - TKIP

IV Kha b mt

Vn bn th

+ ICV

XOR

Lung khaRC4

Vn bn

mt m

Pha1:Kha gc MAC

Pha 2:

Kha trung

gian (hash

bng s

trnh t)

Kha cho

mt gi

RC4

Vn bn

th+MIC

XOR

Lung

kha

Vn bn

mt m

WEP TKIP

o Kha mt m: 128 bit. o M ton vn bn tin MIC (message integrity

code): Kha ton vn s liu 64 bit, s dng hm hash.

o Loi b xung t: IV tng t 24 bit ln 48 bit; B m trnh t truyn.

Ci tin WEP - TKIP

m

An ninh mng WLAN

EAP Extensible Authentication Protocol

o Giao thc linh hot c s dng mang thng tin nhn thc ty , c nh ngha

trong RFC2284 (Sa i mi cho EAP: RFC 3579).

o EAP c hai tnh nng:Trc ht n tch trao i bn tin ra khi qu trnh nhn thc

bng cch cung cp mt lp trao i c lp. Nh vy n t c c tnh th hai:

tnh kh m rng trc giao, ngha l cc qu trnh nhn thc c th m rng hat ng

bng cch tip nhn mt c ch mi hn v khng cn thit phi thay i lp EAP.

di (tng

di gi)

0 1 2 4

M

1 byte

S liu (ph

thuc vo

phng

php)

1 = Request

2 = Response

3 = Success

4 = Failure

1 byte

S nhn dng (

khp Yu cu- Tr li

m

An ninh mng WLAN

Trao i bn tin EAP

Ngi

cung cpB nhn

thcServer nhn

thc

Ty chnYu cu nhn dng

Tr li nhn thc

Chui bn tin nhn thc ph

thuc vo qu trnh nhn thc

Thit lp lin kt

s liu

Cc h thng cho nhn thc RADIUS, cc

Server nhn dng ca hng v.v. S dng

cc giao thc v phng php khc nhau

Trao i cc bn

tin c th qu

trnh nhn thc

0

Thnh

cng ?

YesBn tin thnh cng

Bn tin tht biNo

OR

1

1-a

2

2-a

3

m

An ninh mng WLAN

IEEE 802.1x

o 802.1x l mt giao thc cho php nhn dng theo ca (ca y c ngha l ca

lp 1: ca vt l).

o 802.1x cho php ng tt ca i vi mi lu lng chng no client khng c

nhn thc thng qua cc chng nhn c lu trong server (thng l RADIUS

server).

o 802.1x n gin l mt giao thc trao i (EAP: Extensible Authentication

Protocol) trn cc mng khng dy v hu tuyn.

IEEE 802.1x gii quyt mt s vn nhn thc

o Thiu qun l kha

o Khng h tr cc phng php nhn thc tng cng (cc th thng minh, cc

chng nhn, sinh hc, cc mt khu ch dng mt ln)

o Khng nhn thc v nhn dng ngi s dng

o Khng tp trung nhn thc v trao quyn

m

An ninh mng WLAN

M hnh IEEE 802.1x

Lc nhn thc 802.1x

My tnh

Xch tay

Ngi cung cp

(client)

AP

802.1x

EAP

EAP

Ngi nhn thc

(im truy nhp)

My tnh

Server nhn thc

(RADIUS)Ethernet hu

tuyn

Ngi cung cp Ngi nhn thc Server nhn thc

EAP Start

(EAP khi u)

EAP Request/Identity

(EAP yu cu/nhn dng)

(EAP tr li/nhn dng)

EAP Response/Identity

Forward

(Chuyn tip)

EAP Request (Challenge)

EAP yu cu (h lnh)Forward

(Chuyn tip)

Challenge Response

(Tr li h lnh)Forward

(Chuyn tip)

m

An ninh mng WLAN

Cc phng php nhn thc 802.11i

EAP-FAST EAP-TTLS EAP-TTLS UN/PW

LEAP TLS PEAP CHAP

Qu trnh nhn thc

Truyn ti nhn thcEAPOP, RADIUS, DIAMETER

EAP, 802.1x Truyn ti nhn thc

802.5

Token Ring

802.3

Ethernet802.11

Serial Link

Cc phng php truy

nhp/ Lp phng tin

Server nhn

thc

B nhn thc

Ngi cung

cp/ ng cp

1

2

3

4

Cc lp Cc thc th

m

An ninh mng WLAN

EAP-MD5 (CHAP)

B xin truy

nhpB nhn thc Server nhn

thc

Yu cu nhn dng (tn

ngi s dng)

Thnh

cng ?

Yes

No

Thit lp lin kt

s liu

Lu gi ban u kha chia s

Tr li nhn dng (tn

ngi s dng)Nhn dng (tn ngi s dng)

H lnh H lnh

Tnh ton h lnh

Hash s dng mt khu

Tr li Tr li

Bn tin thnh cng

Bn tin s c

Nhn thc - Chp nhn

Nhn thc - T chiHoc Hoc

Knh khng c mt m (nu

thnh cng)

Kim tra hash tr

li bng cch s

dng kha chia s

(thng l mt

khu c kha

bi tn ngi s

dng/nhn dng

v c lu

Trao i

PPP-CHAP

1

2

3

3-a

3-b

4-a

4-c 4-d

4-b

5

6

4

4-e

4-f

m

An ninh mng WLAN

EAP-TLS (RFC 2716)

CA (thm quyn

nhn thc)

Pht hnh

chng nhn

Thit lp lt n (TCP chng hn)

Client Server

Client Hello

Server Hello

Chng nhnTrao i kha Server

Yu cu Server

Hon thnh Server Hello

Chng nhn

Trao i kha Client

Kim tra chng nhn

Kt thc

Thay i c t mt m (ChangeCipherSpec)

Thay i c t mt m (ChangeCipherSpec)

Rt ra cc kha

phin, khi u

ng cnh

Trao i s liu s dng kha c rt ra t kha phin

Rt ra cc

kha phin,

Khi u ng

cnh

1

2

3

4

5

6

7

PKI x

nghip

Yu cu nhn dng

Tr li nhn dng

Khi u EAP-TLS

Kt thc

3-a

m

An ninh mng WLAN

PEAP Protected EAP

o AP c nhn thc bi TLS cn ngi s dng c nhn thc bi mt giao thc

tunnel khc: TLS c s dng thit lp mt knh an ninh (s dng chng

nhn pha server), sau m phn EAP c thit lp trn knh an ninh ny

nhn thc ngi s dng.

o PEAP l EAP trn TLS cho lnh vc v tuyn. PEAP h tr c nhn thc hai

chiu ln lm li kha WEP ng v i hi cc chng nhn t pha server.

o S dng chng nhn server nhn thc server, sau cm vo mt kiu nhn

thc khc EAP nhn thc client.

m

An ninh mng WLAN

PEAP Protected EAP

o

CA (thm quyn

nhn thc)

1

3-a

4

5

6

7

8

9

10

11

12

2

Pht hnh

nhn thc

ClientServer NAS

nhn thc Server

PKI x nghip

Thit lp kt ni

(chng hn, TCP) Thit lp knh an ninh

Yu cu nhn dng

Tr li nhn dng Tr li nhn dng

Bt u EAP-TLS

Client Hello

Server Hello

Chng nhn, trao i kha Server, yu cu nhn thc

Hon thnh Server Hello

Rt ra kha

MSK (Master

Sesion Key)

Chng nhn, trao i kha Client, Kim tra chng nhn, thay i c t an ninh

Kt thc

Hay i c t an ninh

EAP thnh cng

Giai on

PEAP 1

EAP-Yu cu /EAP-TLV[EAP-ti tin-TLV[EAP-Request/nhn dng]]

Tr li nhn dng trong tunnel

EAP-Yu cu /EAP-TLV[EAP-ti tin-TLV[EAP-yu cu/nhn dng-kiu=X]]

Tr li trong tunnel cho kiu EAP X

Trao i kiu EAP X

Yu cu EAP/EAP-TLV[Kt qu-TLV[rng buc mt m...]]

Tr li kt qu TLV

Rt ra CKS (Compound

Session Key) Rt ra CKS

CKS

EAP thnh cng

Trao i s liu s dng kha datrn CSK

Giai

on

PEAP 2

m

An ninh mng WLAN

LEAP

an ninh mang minh 2015

Documents