
Report: PKI - EJBCA


Preface

Public key infrastructure (PKI) is a foundational architecture comprising security policies, encryption mechanisms, applications, and key storage and management. It also provides procedures for distributing keys and certificates. The mechanisms for publishing public keys are one part of a public key infrastructure. PKI describes the policies, standards and software that govern certificates, public keys and private keys.

This research project consists of three parts:
Part 1: Overview of electronic certification and PKI.
Part 2: EJBCA technology
Part 3:

Throughout the research for this project, besides my own efforts, I received a great deal of encouragement from the school, from the teachers of the Faculty of Information Security and from my classmates. This gave me great motivation to complete this research project well.

I would like to thank the school in general and the Faculty of Information Security in particular for giving me invaluable knowledge so that I could complete this research project. Special thanks go to my teacher Hoàng Đức Thọ, who devotedly guided and helped me to complete it.

Because my knowledge is still limited, this research project certainly still contains many shortcomings. I hope the teachers will review and supplement it so that it can be improved.

Thank you sincerely!

Hanoi, March 2010

General Introduction

I. PROBLEM STATEMENT

1. Online identity authentication

In the current boom of Internet services, financial institutions, banks, securities firms and insurers offer an ever wider range of online products and services to large numbers of customers over the Internet. Alongside the benefits that online services bring, however, financial institutions struggle to find the best security solution at the most reasonable cost that still protects customers' registered information when they use online services. This is regarded as a legitimate right of customers and a responsibility that financial service providers cannot take lightly.

One of the most important pieces of customer information for accessing services and making financial transactions is the online identity. It is used to verify that a person really is the customer registered with the service provider before they can access and use any online product or service.

Because the online identity is so important, most attacks by hackers aim to steal or take over identities. Attacks take many forms, such as phishing (the hacker sends an e-mail impersonating the provider to lure the customer to a web site, where the customer discloses personal information by entering values such as user name/password, account number/password or credit card number), or other forms such as brute force and keyloggers (the hacker records everything the customer types on the keyboard and from that finds their passwords and account numbers). Experience shows that identity theft and online fraud genuinely worry customers and have more than once caused extremely serious losses and consequences for online financial service providers.

To date, most banks, financial institutions and securities firms with online services have deployed user authentication based on user name and password, known as single-factor authentication. They also quickly realized that single-factor authentication is no longer strong enough to protect customer information against increasingly sophisticated attacks. In addition, the regulators and supervisors of financial activity require them to detect and prevent online fraud in order to reduce the risk to both customers and providers.

In practice there are many technologies and methods for authenticating identity in electronic transactions: passwords, personal identification numbers, digital certificates using PKI, physical security devices such as smart cards, one-time passwords (OTP), USB devices, and biometric factors. The level of security depends on each group of technologies and on the subjects or specific transactions to be protected. The assurance of an authentication method rests on the following three basic factors:

1. Something a person knows: usually a PIN or a password

2. Something a person has: physical devices such as a smart card or a token

3. Something a person is: biometric characteristics such as a fingerprint or the iris

Multi-factor authentication is more secure against fraud than single-factor authentication. Using two or more factors is called strong authentication. The cost of investing in an authentication system rises with its level of security.

Even so, a successful authentication system depends not only on technology but also on many other components, such as security policies, guidelines for implementing information security, and the ability to manage and monitor the system. Above all, an effective system must be accepted by its users (ease of use/cost) and must provide good security, scalability and compatibility with present and future application systems.

2. Choosing a suitable authentication method

With the growing outbreak of fraud and the level of risk in online commercial transactions on the Internet, the Federal Financial Institutions Examination Council (FFIEC), with the support of a number of leading banks around the world, drafted a publication in 2001 entitled "Authentication in an electronic banking, securities and online insurance transaction environment". The aim of this publication is to guide financial institutions that take part in electronic services and transactions in implementing strong authentication policies. It covers the consequences of identity theft and gives guidance on choosing suitable strong authentication technology for a financial institution:

Fraudsters are exploiting customers' security weaknesses when customers place full trust in single-factor authentication to access online banking, securities, e-mail and electronic transaction websites. Financial institutions should consider each of the following to raise the assurance of online transactions against the risk of identity theft:

1. Upgrade single-factor, password-based authentication to two-factor authentication.

2. Use scanning programs to identify and stop phishing attacks that steal sensitive information such as passwords and credit card numbers.

3. Train customers so that they fully understand the importance and necessity of identity authentication in an electronic environment.

4. Emphasize the importance of information sharing and cooperation between the financial services industry, government and technology providers.

Of the four proposals above, if the first is carried out well, the amount of work required for the second and third is greatly reduced.

Following the FFIEC guidance, to raise security while keeping deployment feasible, two-factor authentication is the optimal choice for online transactions and access in the finance, banking, securities and insurance sectors.

3. Two-factor authentication

Two-factor authentication is an authentication method that requires two interdependent factors to prove that an identity is genuine. It combines something the user knows (PIN, password) with something the user has (smart card, USB device, token, grid card). With two factors combined, an attacker has great difficulty stealing all of this information. If one of the two factors is stolen, that alone is still not enough for the attacker to use. This method is far more secure than the traditional method based on a single factor, the password/PIN.

The benefits of moving from single-factor to two-factor authentication are described as follows:

It is rare in security that a single change can solve many problems related to security weaknesses. Moving to a two-factor authentication system can help you do that.

Phishing attacks have had some success in stealing customers' static passwords. With two-factor authentication, stealing a static password is pointless.

Identity theft in online transactions becomes harder when the identity is protected by two factors instead of one (password/PIN) as before. In online transactions, non-repudiation and confidentiality are among customers' essential requirements. Many financial institutions use digital signatures produced by a two-factor authentication system to secure transactions.

Single-factor authentication only provided authentication between the service provider and the customer, with no capability in the opposite direction. A two-factor authentication system makes authentication a two-way interaction, giving maximum security for online transactions.

Finally, consider freeing users from having to remember many passwords, having to remember to change them periodically, and the many troubles that arise when they are forgotten. Some forms of two-factor authentication can help achieve that.

In response to this need, many security companies have worked with banks and financial institutions to develop solutions and products that protect information related to online transactions.

II. Objectives

The project has two main objectives:
1. Study PKI.
2. Deploy EJBCA.

III. Approach

Today there are many ways around the world to build and deploy a PKI system. Some specific examples are:
+ Microsoft CA
+ OpenCA (open source)
+ Entrust

In this project I chose the EJBCA solution from PrimeKey on the Solaris 10 operating system. The reasons for building the PKI model from EJBCA and Solaris are:

For EJBCA: it runs independently of the operating system and hardware; it runs on Java (JDK); it is compatible with many kinds of database; it offers strong two-way authentication; and it can be used with many different certificate environments.

For Solaris: it is written by Sun and has strong support for Java, JBoss and the JDK, which gives the system stability...

IV. Project contents

Part I: Overview of PKI and digital certification
Part II: EJBCA technology

PART I: OVERVIEW OF PKI AND DIGITAL CERTIFICATION

Today, communicating over the Internet is becoming an urgent need. The information sent over the network is very important, such as account numbers and confidential information.

However, with increasingly sophisticated tricks, the risk of information being stolen over the network keeps growing. Internet communication today mainly uses TCP/IP, a protocol that lets information be sent from one computer to another through a series of intermediate machines or separate networks. This gives high-tech thieves the opportunity to act illegally. Information sent over the network can be eavesdropped on (eavesdropping), altered (tampering), sent under a false identity (impersonation), and so on. Current protections such as passwords offer no guarantee, because they can be overheard or quickly guessed.

For this reason, information sent over the Internet today tends to be encrypted. Before sending it over the Internet, the sender encrypts the information; in transit, even if it is intercepted, a thief cannot read it because it is encrypted. On arrival, the recipient uses a special tool to decrypt it. The most widespread encryption and security method in use around the world is the digital certificate. With a digital certificate, users can encrypt information effectively, prevent forgery (the recipient can check whether the information has been changed) and authenticate the identity of the sender. A digital certificate is also evidence that prevents the sender from denying the origin of a document they sent.

To address this problem, the term electronic certification is used:

Ensuring confidentiality: use encryption

Ensuring integrity: use hash functions and digital signatures

Ensuring authenticity: use digital signatures and digital certificates

Ensuring non-repudiation: use digital signatures and logs

Electronic certification is very important and indispensable in electronic transactions.

The foundation of electronic certification is public-key cryptography and digital signatures.

I. The concept of electronic certification

Electronic certification is the activity of certifying the identity of those who take part in sending and receiving information, while providing them with the tools and services needed to secure information and to certify the origin and content of information.

The technology infrastructure of electronic certification is the public key infrastructure (PKI), which is built on public-key cryptography and digital signatures.

A digital certificate is an electronic file used to verify the identity of an individual, a server or a company on the Internet. It is like a driver's license, a passport, an identity card or other personal identification documents.

II. PKI technology

1. How does PKI work?

Bob and Alice want to communicate over the Internet and use PKI to make sure that the information they exchange is protected. Bob already has a digital certificate, but Alice does not. To get one, she must prove to the certification authority that she really is Alice. Once Alice's identification details have been approved by the authority, it issues her a digital certificate. This electronic certificate has real value, like a passport: it represents Alice. It contains Alice's identification details, a copy of her public key, the validity period of the certificate and the digital signature of the certification authority. Alice also receives a private key that goes with the public key. The private key must be kept secret and not shared with anyone.

Now that Alice has a digital certificate, Bob can send her important information in digital form. Bob can confirm to her that the message came from him, and can be assured that the content of the message has not been changed and that no one other than Alice has read it.

In practice this takes far less time than the explanation above: the software on Bob's workstation creates a digital signature and encrypts the message containing that signature. The software uses Bob's private key to create the digital signature and Alice's public key to encrypt the message. When Alice receives the encrypted message with Bob's signature, her software uses her private key to decrypt it. Because only Alice's private key can decrypt a message encrypted with her public key, the confidentiality of the information is fully assured. The software then uses Bob's public key to verify the digital signature, confirming that Bob himself sent the message and that the information was not altered in transit.

The following table illustrates the digital signature process and the high level of confidentiality that meet Bob's and Alice's requirements for secure electronic transactions.

2. Definition and components of PKI

2.1 Definition

There are several different definitions of PKI:

- PKI is the foundation of a pervasive security infrastructure whose services are implemented and delivered using the concepts and techniques of public-key cryptography.

- PKI is the set of hardware, software, people, policies and procedures needed to create, manage, store, distribute and revoke public-key certificates based on public-key cryptography.

- Certificate: an electronic object that represents a user, computer, service or device on the network. It binds the identity of the key owner and usually includes: the certificate serial number, the expiry time, the signature of the certificate issuer, and the public key of the owner.

2.2 PKI components

2.2.1. Certification authority (CA)

In a PKI there are a number of authorities that are trusted by all other users.

Their main tasks are:

- Bind a public key pair to a given identity.

- Certify this binding by digitally signing a data structure that contains a representation of the identity (called a certificate).

2.2.2. Registration authority (RA)

A registration authority (RA) is a verifying body on a computer network that checks the requests of users who want a digital certificate and asks the CA to issue the result. The RA is one part of the public key infrastructure, a system that lets companies and users exchange information and carry out financial activities securely.

2.2.3. Certificate repository (CR)

- The CA issues a certificate, sends it to the user and stores it in the certificate repository.

- The CA makes the certificate repository publicly available.

- The certificate repository can be accessed over several protocols (HTTP, FTP).

2.2.4. Certificate revocation

In many cases the binding between a key pair and a user identity has to be revoked, for example because the identity changes, the private key is exposed, or the certificate reaches the end of its lifetime. The members must then be notified that this public key is no longer accepted for that identity.

2.2.5. Key backup and recovery

In many cases a user can lose the use of a private key, for example because of a forgotten password or because the storage medium is damaged or replaced. The protected data then cannot be read, so the private key must be backed up and restored when it is needed for decryption.

2.2.6. Automatic key update

A certificate is usually valid for a fixed period of time, because the level of cryptanalysis can change (it usually advances) and because of rules on the volume of data protected by one key (as the volume of data grows, the key must be replaced).

A certificate that has expired must be replaced by a new certificate. This procedure is called key update or certificate update.

Key update is performed automatically: this is convenient for the user and needs no additional out-of-band interaction.

2.2.7. Key history

Over the period in which a PKI is used, a user may have many old certificates and at least one current certificate.

The set of these certificates together with the corresponding private keys is called the key history.

Storing and managing the entire key history is extremely important. This process must be maintained completely and automatically by the PKI.

It must ensure that the user can easily find the right key for the protected data.

2.2.8. Cross-certification

In practice, many PKIs are installed and operated independently to serve different environments and user communities. Secure communication between these environments and communities is a definite need.

Trust relationships then have to be created between the corresponding PKIs: this is cross-certification.

Cross certificate: the process of linking peer CAs.

2.2.9. Support for non-repudiation

In a PKI environment, every action (such as sending information) is always tied to the identity of the user.

When A signs a document and sends it to B, A asserts that the document originates from A.

The PKI must ensure that A cannot deny responsibility for a document that A signed and sent to B.

2.2.10. Time stamping

Using a secure time stamp is especially important in supporting non-repudiation: the time source used in the PKI must be trusted, and the time value must be protected in transit.

2.2.11. Client software

This is the component that issues requests for certification services: requests for certificates and for processes related to revocation information, requests for key history information, knowing when to request a key update or key recovery, and requests for a time stamp on a document.

III. PKI architecture

PKI is now deployed in many organizations as a tool for keeping sensitive resources secure. However, because purposes and processes differ, it is hard to give a common design standard. Basically, PKI architectures are based on the following main models: the hierarchical model, the mesh model and the trust list model.

1. Hierarchical CA model

The hierarchical CA model has the shape of a tree consisting of:

- The RootCA at the top level, with branches extending downward.

- The RootCA is the single root of trust for all entities below it.

- Below the RootCA are entities or a number of intermediate CAs that form the interior nodes of the tree.

- The leaves of the tree are entities (usually end entities).

In this model the RootCA issues certificates to the CAs or entities directly below it.

Those CAs in turn issue certificates to the entities or further CAs directly below them. All parties must know the public key of the RootCA, and every certificate can be verified by checking the certificate's path to the RootCA.

Advantages:

+ Compatible with the hierarchical structure of management systems in organizations.

+ Similar to the hierarchical organization of directories, so it is easy to get used to.

+ An authentication path is found in one fixed direction with no loops, so it is simple and fast.

Disadvantages:

+ Over a wide scope, a single CA cannot handle the entire authentication process.

+ Commercial business relationships are not always hierarchical.

+ If the private key of the RootCA is exposed, the whole system is at risk.

2. Mesh model

In this model:

- Peer CAs authenticate each other, forming a mesh of mutual trust.

- Adjacent CAs issue certificates to each other.

- A can authenticate B along several different paths.

Advantages:

- This is a flexible model that suits the mutual trust relationships found in practice and in business.

- It allows CAs to authenticate each other directly as peers: this is especially useful when the users of those CAs work with each other frequently, because it reduces network traffic and processing.

- When a CA's key is exposed, the CA's certificate only needs to be reissued to the parties that have a trust relationship with that CA.

Disadvantages:

- Because the structure of the mesh can be complex, finding parties can be difficult.

- A party cannot present a single authentication path that guarantees all parties in the system can trust it.

3. Trust list model

In this model applications maintain a list of trusted RootCAs. This architecture is widely used for web services; browsers and servers are its most typical users.

Advantages:

- Simple architecture, easy to deploy.

- Users have full control over the list of CAs they trust.

- Users deal directly with the CAs in the trusted CA list.

Disadvantages:

- Managing an organization's list of trusted CAs is difficult.

- The certificate structure offers little support for finding certification paths.

- There is no direct support for peer certificate pairs, which limits a CA's ability to manage its trust in other CAs.

- Many applications do not support automatically retrieving the status or revocation information of a certificate.

IV. How PKI works

The different functions that a PKI must perform, in order, to provide security and trust for secure electronic transactions include:

- Generate public/private key pairs for creating and verifying digital signatures.

- Provide authentication to control access to the private key.

- Create and issue certificates to authenticate users.

- Register new users in order to authenticate them.

- Maintain the key history for future reference.

- Revoke certificates that are no longer valid.

- Update and recover keys if a key is exposed.

- Provide evidence of key validity.

All of the functions above are mandatory for a PKI system to ensure trust. PKI operations include:

1. Generating the key pair.

2. Applying a digital signature to identify the user.

3. Encrypting the message.

4. Transmitting the symmetric key.

5. Verifying the identity of the user through a CA.

6. Decrypting the message and checking its content.

1. Generating the key pair

This is the first step in PKI operation. A user who wants to send a message first generates a public/private key pair. This key pair is unique to each user in the PKI system. The private key is generated first, and then the corresponding public key is produced by applying a one-way hash function to the private key. The private key is used to sign data. The public key is used to verify the digital signature. When a user wants to encrypt a message, the user uses the public key. A message encrypted with the public key can only be decrypted with the corresponding private key.

2. Applying a digital signature to identify the sender

A digital signature is attached to the encrypted message to identify the sender of that message. A digital signature is a mathematical function derived from the sender's public key and the original message. To create a digital signature and attach it to a message, do the following:

1. Convert the original message into a fixed-length string by applying a hash function to the message. This process can be called hashing the message, and the fixed-length string is known as the message digest.

2. Encrypt the message digest with the sender's private key. The encrypted message digest is the digital signature.

3. Attach the digital signature to the original message.

3. Encrypting the message

After the digital signature has been applied to the original message, protect it by encrypting it. To encrypt the message and the attached digital signature, use symmetric-key cryptography. This key is agreed in advance between the sender and the recipient of the message and is used only once for encryption and decryption.

4. Transmitting the symmetric key

After the message and the digital signature have been encrypted, the symmetric key that was used for encryption must be sent to the recipient. The symmetric key itself is also encrypted for security, because if it were exposed anyone could decrypt the message. Only the recipient can decrypt the symmetric key, using the corresponding private key. After encryption, the session key and the message are sent to the recipient of the message.

5. Verifying the identity of the sender through a CA

The CA acts as a trusted third party that verifies the identity of the entities communicating with each other in the transaction. When the recipient receives an encrypted message (ciphertext), the recipient can ask the CA to check the digital signature attached to that message. On that request, the CA checks the digital signature of the sender of the message.

6. Decrypting the message and checking its content

After receiving the encrypted message, the recipient must decrypt it. The ciphertext can only be decrypted with the symmetric key that the sender used for encryption. So before decrypting, the symmetric key must itself be decrypted using the recipient's private key. The digital signature attached to the message is decrypted with the sender's public key, and the message digest is extracted from it. The decrypted message is then hashed again to obtain a second message digest. The two message digests are then compared to check for any interference with the message in transit. If the two message digests match exactly, the message was not interfered with in transit.
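The six steps above, run end to end as an added example that is not part of the original report. Textbook RSA and a hash-based keystream stand in for vetted primitives (an assumption made so the sketch runs on the Python standard library alone), and `send`, `receive` and the demo keys are hypothetical names and constructed values.

```python
# Added teaching sketch: textbook RSA (no padding) and a SHA-256 keystream stand
# in for vetted primitives so the flow runs with the standard library only.
# Keys and messages are constructed demo values; do not reuse this as real crypto.
import hashlib
import secrets

E = 65537


def make_keypair(p, q):
    """Step 1: derive a public/private key pair from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, phi)}


# Constructed demo keys built from well-known Mersenne primes.
ALICE_PUB, ALICE_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**127 - 1, 2**1279 - 1)


def digest_int(message):
    """Hash the message to a fixed-length digest, returned as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def keystream_xor(key, data):
    """Toy symmetric cipher: XOR data with SHA-256(key || offset) blocks."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], pad))
    return bytes(out)


def send(message, sender_priv, recipient_pub):
    # Step 2: sign = private-key operation on the message digest.
    signature = pow(digest_int(message), sender_priv["d"], sender_priv["n"])
    sig_bytes = signature.to_bytes((sender_priv["n"].bit_length() + 7) // 8, "big")
    # Step 3: encrypt message + signature under a one-time symmetric key.
    session_key = secrets.token_bytes(32)
    body = len(message).to_bytes(4, "big") + message + sig_bytes
    ciphertext = keystream_xor(session_key, body)
    # Step 4: wrap the symmetric key with the recipient's public key.
    wrapped = pow(int.from_bytes(session_key, "big"),
                  recipient_pub["e"], recipient_pub["n"])
    return {"wrapped_key": wrapped, "ciphertext": ciphertext}


def receive(envelope, recipient_priv, sender_pub):
    # Step 5 is assumed done: sender_pub came from a certificate the CA vouches for.
    # Step 6: unwrap the symmetric key with the recipient's private key...
    key_int = pow(envelope["wrapped_key"], recipient_priv["d"], recipient_priv["n"])
    if key_int >= 2**256:
        raise ValueError("wrapped key does not decrypt to a 32-byte key")
    body = keystream_xor(key_int.to_bytes(32, "big"), envelope["ciphertext"])
    length = int.from_bytes(body[:4], "big")
    message, sig_bytes = body[4:4 + length], body[4 + length:]
    # ...then recover the first digest from the signature with the sender's
    # public key, recompute the second digest, and compare the two.
    recovered = pow(int.from_bytes(sig_bytes, "big"), sender_pub["e"], sender_pub["n"])
    if recovered != digest_int(message):
        raise ValueError("digest mismatch: message altered or wrong sender key")
    return message


def demo():
    """Return [delivered message, tampered result, wrong-sender-key result]."""
    original = b"transfer 100 to account 42"   # constructed sample message
    envelope = send(original, BOB_PRIV, ALICE_PUB)
    results = [receive(envelope, ALICE_PRIV, BOB_PUB)]
    flipped = bytearray(envelope["ciphertext"])
    flipped[10] ^= 0x01                        # one bit changed in transit
    for env, pub in ((dict(envelope, ciphertext=bytes(flipped)), BOB_PUB),
                     (envelope, ALICE_PUB)):
        try:
            receive(env, ALICE_PRIV, pub)
            results.append("accepted")
        except ValueError:
            results.append("rejected")
    return results


if __name__ == "__main__":
    print(demo())
```

A single flipped ciphertext bit and a signature checked against the wrong public key both end in a digest mismatch, which is the comparison step 6 relies on.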

Criteria for an electronic transaction:

- Non-repudiation: none of the entities involved in the transaction can deny being a part of that transaction.

- Secure transmission: a proper mechanism to keep the message secure in transit. Any interruption of or change to the message should be easy to detect.

- Privacy: any unauthorized access to the message is denied.

- Authentication: the identity of each entity taking part in the communication during the transaction should be known to both entities.

- Binding: the transaction should be checked and signed by the parties involved.

PKI ensures that all transactions meet these legitimate requirements by providing the necessary resources and infrastructure.

V. PKI processes

Applications can achieve the four security principles required in a PKI system: confidentiality, integrity, authentication and non-repudiation.

1. Certificate request

To obtain a certificate from a CA, a user must send a certificate request message. There are several standards for sending certificate request messages; the most common is PKCS#10. Under this standard, a certificate request message contains the following components:

+ the distinguished name (DN) of a CA

+ the public key of the user

+ the ID of the algorithm used in the certification process

+ the digital signature of the user.

The digital signature is created with the user's private key. It serves as proof of possession of the private key. The user sends the PKCS certificate request to a CA over a confidential channel. If the channel is not secure, the user downloads the CA's public key and encrypts the certificate with the CA's public key to create a secure certificate.

2. Sending certificate requests

The certificate request is sent to the CA as an e-mail in PEM (Privacy Enhanced Mail) format. It has to be sent in PEM format because the request is originally created in binary form, and binary data cannot be carried by e-mail. The binary message is therefore converted to PEM format, which is based on ASCII characters. This removes the problem of sending a certificate request by e-mail.

With the digital signature in the certificate request, the CA can be sure that the sender holds the private key associated with the public key. The sender therefore has proof of possession.

A client can also send a key request message through a web server. In this case PKCS#10 is used with SSL. The client opens an SSL connection to the certification server and then transfers the certificate request over the secure channel.
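An added example, not from the original report, of the binary-to-PEM conversion described above: it builds a constructed PKCS#10-shaped DER request (layout per RFC 2986, with the requester's name in the subject field and placeholder key and signature bits), armors it as PEM and parses it back. All function names are hypothetical.

```python
# Added example: DER request -> PEM armor -> back, using only the standard library.
# The request follows the PKCS#10 layout of RFC 2986; the subject name, key bits
# and signature bits are constructed placeholders, not a real key or signature.
import base64

LABEL = "CERTIFICATE REQUEST"
OID_CN = bytes.fromhex("550403")                      # 2.5.4.3 commonName
OID_RSA = bytes.fromhex("2a864886f70d010101")         # rsaEncryption
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption


def der(tag, content):
    """Encode one DER tag-length-value with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def read_tlv(data, pos=0):
    """Decode the TLV at pos and return (tag, content, next_pos)."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER header")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first < 0x80:
        n = first
    else:
        count = first & 0x7F
        n = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    if pos + n > len(data):
        raise ValueError("truncated DER value")
    return tag, data[pos:pos + n], pos + n


def children(content):
    """Split the content of a constructed value into (tag, content) pairs."""
    parts, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        parts.append((tag, body))
    return parts


def build_sample_request():
    """Constructed CertificationRequest with placeholder key and signature."""
    atv = der(0x30, der(0x06, OID_CN) + der(0x0C, b"alice.example"))
    name = der(0x30, der(0x31, atv))
    spki = der(0x30, der(0x30, der(0x06, OID_RSA) + der(0x05, b""))
               + der(0x03, b"\x00" + b"\xaa" * 32))
    info = der(0x30, der(0x02, b"\x00") + name + spki + der(0xA0, b""))
    sig_alg = der(0x30, der(0x06, OID_SHA256_RSA) + der(0x05, b""))
    return der(0x30, info + sig_alg + der(0x03, b"\x00" + b"\xbb" * 64))


def pem_encode(der_bytes, label=LABEL):
    """Base64 the binary request and wrap it in 64-column ASCII lines."""
    b64 = base64.b64encode(der_bytes).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines,
                      f"-----END {label}-----"]) + "\n"


def pem_decode(text, label=LABEL):
    """Strictly reverse pem_encode; reject wrong labels and non-base64 bytes."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if (len(lines) < 3 or lines[0] != f"-----BEGIN {label}-----"
            or lines[-1] != f"-----END {label}-----"):
        raise ValueError("missing or mismatched PEM boundary lines")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def summarize_request(der_bytes):
    """Read the fields a CA inspects before it verifies the request signature."""
    tag, outer, end = read_tlv(der_bytes)
    if tag != 0x30 or end != len(der_bytes):
        raise ValueError("expected exactly one DER SEQUENCE")
    (_, info), (_, sig_alg), (_, signature) = children(outer)
    (_, version), (_, name), (_, spki), _attributes = children(info)
    common_name = None
    for _, rdn in children(name):
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            if oid == OID_CN:
                common_name = value.decode("utf-8")
    (_, _key_alg), (_, key_bits) = children(spki)
    return {
        "version": int.from_bytes(version, "big"),
        "common_name": common_name,
        "signature_algorithm_oid": children(sig_alg)[0][1].hex(),
        "public_key_bits": (len(key_bits) - 1) * 8,
        "signature_bits": (len(signature) - 1) * 8,
    }
```

The DER bytes contain values above 0x7F, while the PEM text is pure ASCII in lines of at most 64 characters, which is the property the mail transport depends on.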

3. Policies

A security policy defines how an organization manages its private and public keys, along with information such as the level of control required to manage security risk factors.

Some PKI systems are operated by a trusted third party called a commercial certification authority and therefore require a certification practice statement (CPS) that describes the operating procedures in detail. The CPS defines how the policies are enforced and supported; how certificates are issued, accepted and revoked; and how keys are generated, registered and verified. The CPS also defines where the keys are located and how they are made available at a user's request.

4. Certificate revocation

As noted, a certificate is used to identify a user. Every certificate has a validity period, and a certificate is valid throughout that period, that is, from the time it is issued until the time it expires. The certificate itself is only used to authenticate the user. At times, however, a certificate can lose its validity before the validity period ends, and in such cases it should no longer be used for authentication. In general this happens either when the security of the certificate has been compromised or when the certificate holder is no longer authorized to perform the tasks they carried out using the certificate. When a certificate loses its validity before its expiry time, this is known as certificate revocation.

5. Traditional certificate revocation

When a certificate is revoked, information about the revoked certificate must be made public, because the certificate's public key has been disclosed. Information about revoked certificates can be posted on a certification server so that users are warned against using those certificates. Another commonly used method is the certificate revocation list (CRL), which contains the list of revoked certificates. To keep the list from growing too large, once a revoked certificate reaches its expiry time, its entry is removed from the CRL. This does not lead to improper use of revoked certificates, because the certificate will have expired in any case.

A CA maintains the certificate revocation list (CRL) and acts as the authority that distributes the list at required intervals. The interval must limit the window in which a certificate can still be used after it has been revoked but before it appears on the published revocation list. Typically this is a period of time. Whenever a certificate is presented as part of an authentication dialogue, the current time must be checked against the validity period. If the certificate is past that period, or expired, authentication should fail. Sometimes, however, a certificate should not be honored even within its validity period. For example, if the private key associated with a certificate is lost or compromised, any authentication using that certificate should be rejected. Similarly, people change jobs, names and companies. When their certificates are replaced, the old certificate must be marked in some way as "no longer accepted". The purpose of the CRL is to list certificates that are valid but have been revoked.

The starting point for the CRL is the CRL Distribution Point (CDP), a field contained in each certificate. The CDP is optional, but well-run PKI installations include a CDP in every certificate.

Very few common applications (such as web browsers and e-mail clients) actually check CRLs. For example, if you use a WWW browser on the public Internet, your browser does not check CDPs by default. Changing the setting makes little difference, because, most importantly, the certificates of WWW servers do not contain a CDP, so even if you care about checking the CRL you would not know where to get it.
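An added example, not from the original report, of the relying-party check described in this section: validity period first, then the CRL. The classes, serial number and dates are constructed, and rejecting an out-of-date CRL is an assumed policy rather than something the report specifies.

```python
# Added example with constructed certificates and dates; not EJBCA code.
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Cert:
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class CRL:
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset


@dataclass
class CA:
    """Keeps the working revocation list and publishes CRL snapshots from it."""
    interval: timedelta
    revoked: dict = field(default_factory=dict)    # serial -> certificate expiry

    def revoke(self, cert):
        self.revoked[cert.serial] = cert.not_after

    def publish(self, now):
        # Entries for certificates that have expired are dropped to bound CRL size.
        self.revoked = {s: exp for s, exp in self.revoked.items() if exp > now}
        return CRL(now, now + self.interval, frozenset(self.revoked))


def check(cert, crl, now):
    """Relying-party decision. The validity test must come first: an expired
    certificate may no longer be listed on the CRL even if it was revoked."""
    if not cert.not_before <= now <= cert.not_after:
        return "rejected: outside validity period"
    if now > crl.next_update:
        return "rejected: CRL out of date"      # assumed policy: fail closed
    if cert.serial in crl.revoked_serials:
        return "rejected: revoked"
    return "accepted"


def scenario():
    """Walk one certificate through compromise, revocation and expiry."""
    day = timedelta(days=1)
    t0 = datetime(2010, 3, 1)
    cert = Cert(serial=1001, not_before=t0, not_after=t0 + 30 * day)
    ca = CA(interval=7 * day)
    crl_1 = ca.publish(t0)                 # published before the compromise
    ca.revoke(cert)                        # key reported lost on day 1
    crl_2 = ca.publish(t0 + 7 * day)       # first CRL that lists serial 1001
    crl_3 = ca.publish(t0 + 35 * day)      # entry pruned, certificate expired
    return [
        check(cert, crl_1, t0 + 2 * day),  # exposure window before the next CRL
        check(cert, crl_2, t0 + 8 * day),
        check(cert, crl_1, t0 + 8 * day),  # relying party kept the old CRL
        1001 in crl_3.revoked_serials,
        check(cert, crl_3, t0 + 36 * day),
    ]


if __name__ == "__main__":
    for outcome in scenario():
        print(outcome)
```

The first result shows the window between revocation and the next published CRL, which is why the distribution interval matters; the last two show that pruning expired entries is safe only because the validity check runs before the CRL lookup.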

6. Client-to-client communication through PKI

Whenever two or more PKI clients want to communicate securely, they need to validate each other and negotiate the encryption, the authentication and compatible data algorithms. The protocols used for this negotiation are:

- ISAKMP (Internet Security Association and Key Management Protocol)

- IKE (Internet Key Exchange)

- Oakley

- Skeme

ISAKMP and IKE need security associations (SAs) to define their connection parameters. An SA describes the facilities and security services for communicating securely. IKE is a hybrid protocol that implements the Oakley key exchange and the Skeme key exchange within the ISAKMP protocol. The Skeme and Oakley protocols are typically used to derive authenticated keys. The ISAKMP and IKE protocols are examined in detail below.

6.1 The ISAKMP protocol

ISAKMP defines the procedures and packet formats required to establish, modify, negotiate and delete security associations (SAs). A security association contains all the information required for carrying out secure network operations within the organization. It defines payloads for exchanging key generation and authentication data. This framework is independent of the key management protocol in use, the encryption algorithm in use and the authentication mechanism used in the process. The protocol is independent of IPSec and compatible with both IPv4 and IPv6.

6.1.1 ISAKMP concepts

6.1.1.1 Security protocol

A security protocol is a security service for network communication that is performed at a single point in the network. For example, the IPSec Encapsulating Security Payload (ESP) and Authentication Header (AH) are security protocols that operate at the network layer.

6.1.1.2 Security Association

An SA defines a relationship between two or more communicating entities. The relationship describes how the entities will use security services, such as encryption, to communicate securely. In plain terms, an SA states which security parameters and services have been agreed between the communicating parties. Examples of such parameters are the authentication algorithm, the authentication key, the encryption algorithm, the encryption key and the lifetime of the SA itself. Depending on the type of traffic in question, different kinds of SA are established. Securing IP-level traffic needs its own kind of SA, for example, and Secure Socket Layer (SSL) traffic needs another. SAs are usually named after the associated security protocol, for example: ESP SA. Note that ISAKMP does not define the content of SAs, but rather how the parties agree on the content of SAs.

6.1.1.3 Situation

A situation is the set of information that is relevant when deciding which security services and parameters are needed for a session. In other words, a situation defines the external conditions that must be taken into account when a communication session is set up.

An example situation may contain information such as the source and destination IP addresses, the desired security classification (public, confidential) and so on. This information is sent from the ISAKMP servers so that the servers can decide exactly which security services can be chosen for the SAs from a set of proposals.

For example, the IPSEC DOI defines three situations:

SIT_IDENTITY_ONLY

SIT_SECRECY

SIT_INTEGRITY

6.1.1.4 Domain of interpretation

ISAKMP defines a default set of payload formats and message exchanges. In most cases, however, more specific definitions are needed. A domain of interpretation (DOI) defines these additional payload formats and exchange types. A DOI also defines naming conventions for security information such as cryptographic algorithms and modes. In other words, with the help of a DOI, the content of all ISAKMP payloads can be interpreted correctly and all message exchanges can be completed correctly. More precisely, a DOI defines:

- An interpretation of the content of the situation field.

- The set of mandatory, recommended and optional security policies.

- A naming scheme for encryption algorithms, key exchange algorithms, security policy attributes and certification authorities.

- The syntax of DOI-specific SA attributes (for phase 2 negotiations).

- The syntax of DOI-specific payload contents.

- Additional key exchange types, if the ISAKMP defaults are not enough.

- Additional notification message types, if they are needed.

6.1.1.5 Security parameter index

A security parameter index (SPI) is an identifier for an SA that is established within the scope of a security protocol. With an SPI value and the destination address, that is, the address of the communicating peer, an SA can be uniquely identified. This lets the security protocol access the right SA, and the security mechanisms and parameters found in it, to protect the communication.

6.1.2 ISAKMP architecture

The ISAKMP service is usually provided by a dedicated ISAKMP server (UNIX) bound to port 500. According to the specification, ISAKMP must provide its service over UDP, but the specification states that nothing prevents support for other transport protocols such as TCP, or IP directly. Although the figure below does not show it clearly, ISAKMP negotiation provides security services for all layers of the protocol stack, which is what ISAKMP was designed for.

7. Internet Key Exchange (IKE) protocol

IKE handles the exchange of cryptographic keys when two hosts want to communicate securely using the IPSec protocol. Distributing cryptographic keys is a difficult task that requires careful consideration. Before keys have been exchanged, no host can encrypt any information, and if keys are sent in clear text they can be intercepted by anyone eavesdropping on the communication. To exchange keys securely, IKE uses key exchange algorithms designed specifically to meet the challenges of secure key distribution in embedded systems.

The IKE protocol automatically negotiates IPSec security associations and sets up IPSec communications. It also specifies the validity period and the IPSec security association (IPSec SA) when an IPSec communication is established. It allows a CA to support building managed, centralized IPSec deployments. IPSec is used to encrypt and authenticate IP packets. IKE works in two modes.

IKE is not a standalone technology; it can be used with any security mechanism. The IKE mechanism, although not fast, is highly efficient because a large number of security associations are negotiated with only a few messages.

7.1 IKE Phases

Phases I and II are the two phases that make up an IKE-based session; the figure shows some common characteristics of the two phases. An IKE session assumes that a secure channel has already been set up. This secure channel must be established before any negotiation takes place.

IKE Phase I first authenticates the communicating peers and then sets up a secure channel for establishing the SA. Next, the peers negotiate a mutually agreed ISAKMP SA, including the encryption algorithms, hash functions and authentication methods used to protect the keys.

After the encryption mechanism and hash function have been agreed, a shared secret key is generated. The following information is used to generate the secret key:

- Diffie-Hellman values
- The SPI of the ISAKMP SA, in the form of cookies
- Random numbers known as nonces (used for signing purposes)

If the two sides agree to use a public-key-based authentication method, they also need to exchange IDs. After exchanging the necessary information, both sides generate their own keys using the shared secrets. In this way, the encryption keys are generated without actually exchanging any key over the network.

IKE Phase II

While Phase I negotiates the SA for ISAKMP, Phase II deals with establishing SAs for IPSec. In this phase, SAs for various services are negotiated. The authentication mechanism, hash function and encryption algorithm that protect subsequent IPSec packets (using AH and ESP) are negotiated as part of the phase SA.

Phase II negotiation happens more often than Phase I. Typically, the negotiation may be repeated every 4-5 minutes. Changing the keys frequently prevents hackers from breaking these keys and, subsequently, the contents of the packets.

In general, one Phase II session corresponds to a single Phase I session. However, multiple Phase II exchanges can also be supported by a single Phase I instance. This makes the otherwise slow IKE transaction appear relatively faster.

Oakley is one of the protocols on which IKE is based. Oakley in turn defines the four common IKE modes.

7.2 IKE Modes

The four IKE modes commonly deployed are:

- Main mode
- Aggressive mode
- Quick mode
- New Group mode

7.2.1 Main Mode

Main mode authenticates and protects the identities of the parties involved in the transaction. In this mode, six messages are exchanged between the endpoints:

- The first two messages are used to negotiate the security policy for the exchange.
- The next two messages are used to exchange the Diffie-Hellman keys and nonces. These keys later play an important role in the encryption mechanism.
- The last two messages of this mode are used to authenticate the communicating parties with the help of signatures, hash functions and, optionally, certificates.

7.2.2 Aggressive Mode

Aggressive mode is essentially the same as Main mode. The only difference is that instead of the six messages of Main mode, only three messages are exchanged in this mode. As a result, Aggressive mode is faster than Main mode. The messages are:

- The first message is used to propose the security policy, pass data for the main key, and exchange nonces for subsequent signing and verification.
- The next message replies to the first. It authenticates the receiver and completes the security policy with the keys.
- The last message is used to authenticate the sender (the initiator of the session).

Both Main mode and Aggressive mode belong to Phase I.

7.2.3 Quick Mode

The third IKE mode, Quick mode, is the Phase II mode. It is used to negotiate the SAs for the IPSec security services. In addition, Quick mode can also generate new keying material. If a Perfect Forward Secrecy (PFS) policy was negotiated in Phase I, a full Diffie-Hellman key exchange is initiated. Otherwise, the new keys are generated from hash values.

7.2.4 New Group Mode

New Group mode is used to negotiate a new private group to facilitate Diffie-Hellman key exchange. Figure 6-18 depicts New Group mode. Although this mode is carried out after Phase I, it is not part of Phase II.

Besides the four common IKE modes above, there is also Informational mode. This mode is associated with Phase II exchanges and SAs. It provides the parties involved with additional information arising from failures during negotiation. For example, if decryption fails at the receiver or a signature is not verified successfully, Informational mode is used to notify the other parties.

8 X.509 certificate structure

X.509 is a recommendation of the ITU (International Telecommunication Union) that defines a framework for certificates. X.509 is based on X.500, and X.500 itself has not been fully defined. As a result, the X.509 standard is interpreted in several ways, depending on how each vendor decides to use it. X.509 was first published in 1988, and subsequent versions were released to address security problems, which came up unexpectedly right after the first publication. X.509 supports both secret-key (single-key) and public-key cryptography. X.509 defines the contents of a certificate, including the version number, serial number, signature ID, issuer name, validity period, subject definition, extensions and a signature over the preceding fields. Basically, the certifying party places the public key of whoever needs certifying into the certificate and then authenticates it with its private key. This binds the key and the certificate together. Anyone who needs the public key of some entity can open the certificate using the public key provided by the certifying party (the public keys are signed, or locked, with the certifying party's private key). Therefore, the user must trust that the certifying party guarantees the validity of the public key's owner and that the public key really is the public key of the certifying party.

The certificate fields are as follows:

a. Version: indicates the version of the X.509 certificate format.

b. Serial number: the unique identification number of this certificate. It is issued and assigned by the CA. Each CA should assign a unique serial number to each certificate it issues.

c. Signature algorithm name (Signature): the name of the signature algorithm that the CA uses to sign the certificate. In X.509 certificates this is usually a combination of a hash algorithm (such as MD5) and a public-key algorithm (such as RSA).

d. Issuer: the X.509 name of the issuing CA.

1. The name of the CA organization that issued the certificate.
2. A distinguished name in X.500 form (X.500 Distinguished Name, X.500 DN).
3. Two CAs must not use the same issuer name.

e. Validity: the date and time at which the certificate takes effect and expires. It consists of two values that specify the period during which the certificate is valid: not-before and not-after.

1. Not-before: the time at which the certificate becomes valid.
2. Not-after: the time at which the certificate expires.
3. These time values are measured in international standard time, accurate to the second.

f. Subject: the X.509 name of the entity holding the private key (corresponding to the certified public key).

g. Subject public-key information: contains the subject's public key together with the algorithm used with this public key.

h. Issuer unique identifier: an optional byte string that unambiguously identifies the issuing CA.

i. Subject unique identifier: an optional byte string used to unambiguously identify the subject.

j. Signature: the digital signature applied by the CA.

1. The CA uses its private key, of the type specified in the signature algorithm field.
2. The signature covers all the other parts of the certificate.

The CA therefore certifies all the other information in the certificate, not just the subject name and public key.

X.509 certificate structure

In addition, there are extension fields that the version 1 and version 2 X.509 certificate formats do not have. The latest is version 4.

X.509 version 3 certificate

The figure below gives a logical view of the certificate data elements, with a focus on the data elements used for signature chain validation. The bold arrows indicate the fields that are validated, and the thin arrows show which fields should contain the same values.

PKI management protocols

Certificate management protocols enable the CA to collect the information needed to issue and revoke certificates. The commonly used protocols are:

1. PKCS#10
2. PKCS#7
3. Certificate Management Protocol (CMP)
4. Certificate management with CMC
5. Simple Certificate Enrollment Protocol (SCEP)

PKCS#10 and PKCS#7 are part of the Public-Key Cryptography Standards (PKCS), which define various standards for PKI cryptography.

Evaluation criteria for PKI management protocols

1. The protocols must support creating and publishing certificates and certificate revocation lists (CRLs). In other cases they also allow entities to create certificate requests and certificate revocation requests.

2. The protocols should be extensible and usable across many separate systems.

3. Support for two-party and three-party transactions. The protocol design should be convenient to use and present a simple protocol to entities whether they are interacting with a CA or an RA.

4. The protocols should be algorithm-independent. Since organizations need to use different algorithms for their key pairs, the protocols should be able to recognize the types of algorithm used. Some algorithms used in cryptography are MD5, RSA and DSA.

5. PKI management protocols must support multiple transport mechanisms such as HTTP, FTP and TCP/IP.

Through a review of the evaluation criteria for PKI management protocols.

8.1 PKCS#10.

PKCS#10 is a certificate request syntax standard; it defines the syntax for certificate requests. According to the PKCS#10 standard, a certificate request consists of:

1. Certificate request information.
2. A signature algorithm identifier.
3. A digital signature over the certificate request information.

The certificate request information is made up of the entity's distinguished name, the entity's public key and some optional attributes. The attributes contain additional information about the entity, such as the postal address to which the signed certificate should be returned if electronic mail is not available. The attributes may also contain a challenge password that the entity can use when requesting revocation of the certificate at a later stage.

PKCS#10 certificate request format

- Distinguished Name
- Public Keys
- Optional Attributes
- Algorithm Identifier
- Digital Signature

Suppose Bob requests a certificate from some certification authority, CA X, following the PKCS#10 standard. Bob performs the following steps:

1. Create a CertificateRequestInfo value according to PKCS#10 from his public key and user name. As noted above, this CertificateRequestInfo value includes the distinguished name of the entity, in this case Bob, and the entity's public key.

2. After producing the CertificateRequestInfo value, Bob needs to sign it with his private key.

3. Finally, Bob needs to create a CertificateRequest value according to PKCS#10 from the CertificateRequestInfo value and his signature.

8.1.1 Creating the CertificateRequestInfo value

Bob creates a CertificateRequestInfo value from his distinguished name (DN) and his public key. Assume that Bob's common name is Bob and that he works for company X, located in the US. This CertificateRequestInfo value is DER-encoded. The result is an octet string.

CertificationRequestInfo contains:

CertificationRequestInfo ::= SEQUENCE {
    version       INTEGER { v1(0) } (v1,...),   -- v1 = 0 in the standard
    subject       Name,                         -- distinguished name of the subject
    subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }},
    attributes    [0] Attributes{{ CRIAttributes }}
}

- Version: the version number, for compatibility with any future specification.

- Subject: the distinguished name of the certificate subject.

- SubjectPublicKeyInfo: information about the public key of the certificate subject that is being certified.

- Attributes: additional information about the certificate subject, such as the subject's common name and organization name.

After creating a CertificateRequestInfo value, Bob needs to sign it.

8.1.2 Signing the CertificateRequestInfo value

After creating the CertificateRequestInfo value, Bob needs to sign it using his private key. He can use any suitable signature algorithm, such as PKCS#1, MD5, RSA. The steps for signing the CertificateRequestInfo value are:

1. An MD5 message digest is computed over the encoded CertificateInfo.

2. A DigestInfo value is encoded from the message digest and the CertificateInfo value.

3. Finally, the encoded DigestInfo value is encrypted with Bob's private key.

Encrypting the DigestInfo value produces an octet string, or signature.

After signing the CertificateRequestInfo value, Bob needs to create the CertificateRequest value.

8.1.3 Creating a CertificateRequest value

The CertificateRequestInfo value and the digital signature are used together to create the CertificateRequest value according to PKCS#10. This is the value that is sent to the CA as a certificate request.

CertificateRequest has the following structure.

CertificationRequest ::= SEQUENCE {
    certificationRequestInfo CertificationRequestInfo,
    signatureAlgorithm       AlgorithmIdentifier{{ SignatureAlgorithms }},
    signature                BIT STRING
}

AlgorithmIdentifier {ALGORITHM:IOSet } ::= SEQUENCE {
    algorithm  ALGORITHM.&id({IOSet}),
    parameters ALGORITHM.&Type({IOSet}{@algorithm}) OPTIONAL
}

SignatureAlgorithms ALGORITHM ::= { ... -- add any locally defined algorithms here -- }

- CertificateRequestInfo: the certificate request information value that is being signed.

- Signature Algorithm: the signature algorithm used to sign the certificate request information.

- Signature: the result of encrypting the CertificateRequestInfo with the subject's private key.

After creating the CertificateRequest value, Bob sends it to the CA as a certificate request. After authenticating Bob's credentials by checking his signature and the information contained in the CertificateRequest, the CA can issue a certificate to Bob.

PKCS#10 is the most common standard for certificate requests. Since most PKI applications are developed as Web applications, certificate requests can be made online. However, PKCS#10 does not support the HTTP protocol. When a certificate request is made on the Web using the HTTP protocol, the CA cannot authenticate the entity. Therefore, PKCS#10 is not commonly used with SSL (Secure Socket Layer) for making certificate requests.

In general, PKCS#10 and SSL are used in three-party transactions, in which an RA validates the request after an entity sends its request to the CA.

The steps in a three-party transaction when PKCS#10 is used with SSL are as follows:

+ An SSL connection is established between the client and the CA.
+ The client sends a PKCS#10 request to the CA.
+ The CA sends the request to the RA for verification.
+ An SSL session is established between the CA and the RA.
+ Based on the verification of the information, the RA processes the message (accepting or rejecting the request).
+ If the RA accepts the request, the CA issues the certificate.

8.1.4 Limitations of PKCS#10

- It is not algorithm-independent. It covers only the RSA algorithm, and it also assumes that the private key must be used for creating the digital signature.

- The digital signature on a PKCS#10 request does not provide all the information needed to authenticate the user. Moreover, there is no well-defined mechanism to ensure that a certificate request is not altered in transit.

- PKCS#10 defines the syntax for only one message type, the certificate request, and not a complete protocol. It does not specify the syntax and protocol for any other message types, such as certificate revocation requests. Therefore, messages other than certificate requests have to be implemented using another protocol such as HTTP.

8.2 PKCS#7

PKCS#7 is the cryptographic message syntax standard; it defines the syntax for cryptographic data such as digital signatures. PKCS#7 allows authentication of attribute information in addition to authentication of the message content.

Some important uses of PKCS#7:

- The CA uses PKCS#7 as its response to the entity requesting a certificate.
- It is used to authenticate certificate messages sent to an entity.
- It provides complete information to the CA for processing certificate requests.
- It is used by many protocols, such as S/MIME, to provide security.

Each message in PKCS#7 format consists of a content type and the content.

8.2.1 Content type

The content type describes the specification for the content format and is referenced as an object identifier. The six content types defined by PKCS#7 are:

1. Data

2. Signed data.

3. Enveloped data

4. Signed and enveloped data

5. Digested data

6. Encrypted data

Content types can be divided into two classes: base and enhanced.

Base: content that consists of data with no cryptographic enhancement. The data content type belongs to this class.

Enhanced: all the remaining content types belong to this class.

8.2.2 Encoding a ContentInfo value

To create a signed message, Bob first needs to encode a ContentInfo value according to PKCS#7. This value contains Bob's message in the form of an OCTET STRING.

Suppose Bob wants to encode a message to send to Alice, the new system administrator. The content type of Bob's message is PKCS#7 data, with the object identifier value:

{3 2 520 126731 3 6 2}

When Bob encodes the ContentInfo value, it might look like this:

20 36

03 06 contentType = data

1b 76 84 78 d6 0c 03 06 02

b0 2a [0] EXPLICIT

03 21 content = OCTET STRING value: "Alice is the new system administrator"

34 84 45 65 80 3d 3s 70 30 32 31 12 24 45 53 30

41 52 26 89 30 5d 77 88 2f

After encoding the content, the next step is to digest the data.

8.2.3 Digesting the data

Bob can use any suitable algorithm, such as MD2, to digest the message content according to PKCS#7. The result is a message digest. As seen in the previous step, the content of the original message in the ContentInfo value is represented as follows:

34 84 45 65 80 3d 3s 70 30 32 31 12 24 45 53 30 41 52 26 89 30

When Bob digests this value with MD2, it produces the following digest:

2c 23 ac 11 7e 3a 63 dc 67 48 c2 2b cd ea dc b2

Bob then uses this message digest to encode a DigestInfo value.

8.2.4 Encoding a DigestInfo value

The message digest obtained from the ContentInfo value is used to encode DigestInfo. This encoded DigestInfo value and the initial ContentInfo value are then used to produce a SignedData value.

8.2.5 Encoding a SignedData value

After encoding the DigestInfo value, Bob needs to encode the SignedData value using the encoded DigestInfo value, the initial ContentInfo value, and other information such as his certificate, the certificate issuer and the certificate serial number, and the message digest algorithm identifier.

After Bob has encoded the SignedInfo value, he encodes another SignedInfo value according to PKCS#7 from the encoded SignedInfo value. Assume that the content type object identifier value for this content is:

{3 2 520 126731 3 6 3}

The resulting encoded ContentInfo value can be presented as follows:

30 82 02 50

03 06 1b 76 84 78 d6 0c 03 06 02 contentType = signedData

b1 72 03 54 [0] EXPLICIT

20 46 01 4c ......... 46 24 d2 a2 content = SignedData value

8.2.6 Limitations of PKCS#7

Like PKCS#10, PKCS#7 does not define any syntax for certificate revocation messages. However, combining PKCS#10 and PKCS#7 yields a complete and secure type of transaction. Both protocols are easy to implement, since their formats are supported by many systems. PKCS#7 is highly extensible. Any information can be incorporated into the format using authenticated and unauthenticated attributes.

9. OCSP

The Online Certificate Status Protocol [OCSP] specifies a mechanism used to determine the status of digital certificates, in place of CRLs. Since its definition in 1999, OCSP has been deployed in many environments and has proven to be a useful certificate status checking mechanism. OCSP is described as being used to verify certificate status, but only the revocation status of a certificate is checked through the protocol. To date, many OCSP deployments have been used to ensure timely and secure certificate status information for high-value electronic transactions or highly sensitive information, such as in banking, finance and other environments. As such, the requirement for an OCSP responder to respond in "real time" (that is, to generate a new OCSP response for each OCSP request) has been important. In addition, these deployments have operated in environments where bandwidth usage is not an issue, and have run on client and server systems where processing power is not constrained.

As the use of PKI continues to grow and move into diverse environments, so does the need for a scalable and cost-effective certificate status mechanism. Although OCSP as currently defined and deployed meets the needs of small to medium-sized PKIs that operate on powerful systems on wired networks, there is a limit to how these OCSP deployments scale from both an efficiency and a cost perspective. PKI continues to be deployed into environments where millions, if not hundreds of millions, of certificates have been issued. In many of these environments, an even larger number of users (also known as relying parties) need to ensure that the certificate they are relying on has not been revoked. As such, it is important that OCSP is used in a way that keeps the load on OCSP responders, and on the network infrastructure required to host those responders, to a minimum.

OCSP enables applications to determine the revocation state of an identified certificate. OCSP may be used to satisfy some of the operational requirements of providing more timely revocation information than is possible with CRLs, and may also be used to obtain additional status information. An OCSP responder serves several purposes:

- Separating the validation service from the CA service. This increases security, because the CA service does not have to accept any incoming connections.

- Ensuring the highest availability of the validation service. An external OCSP service can consist of several fully independent nodes. This means that maintenance can be performed on the CA, or on some of the OCSP nodes, without disturbing the availability of the validation service.

- Ensuring the highest performance. External OCSP responders are very fast, and a single responder can answer hundreds of requests per second. In addition, external OCSP responders can be scaled linearly by adding more independent OCSP nodes. The figure below is a schematic diagram of the architecture using external OCSP responders.

The EJBCA external OCSP responder does not rely on CRLs issued by the CA. Instead, the OCSP responder uses its own database holding the certificate status information. This can be a copy of the CertificateData table in EJBCA. In normal operation, the EJBCA CA pushes status changes to the external OCSP database when certificates are issued and revoked in EJBCA.

The external OCSP responder is not limited to use in combination with EJBCA, though. The external OCSP database can simply be updated by other tools, for example ones that feed it from the CRLs of other CAs.

Features

- Implements RFC 2560 and RFC 5019.
- Independent of the CA software used.
- One responder can respond for any number of CAs.
- Status information is stored in a database.
- Not dependent on CRLs. Status information can be updated in real time.
- Plug-in mechanism for custom OCSP extensions.
- Highly configurable audit and transaction logging.
- Supports PKCS#11 HSMs.
- Built-in health check used by load balancers and monitoring.
- Configurable for requirements such as requiring signed requests, authorized signers, etc.
- Linear scalability for performance and high availability by adding more nodes.
- High performance, > 500 requests per second on a single server.
- On-line renewal of OCSP responder keys and certificates.
- OCSP client in Java (Client ToolBox).

9.1 Components

9.1.1 - Request

If the OCSPRequest is signed, the client specifies its name in the OCSPRequest.requestorName field. OCSP servers must be prepared to receive unsigned OCSP requests that contain the requestorName field, but must realize that the provided value is not authenticated. An OCSP request contains the following data:

- Protocol version
- Service request
- Target certificate identifier
- Optional extensions that may be processed by the OCSP responder

Upon receipt of a request, an OCSP responder determines whether:

- The message is well formed.
- The responder is configured to provide the requested service.
- The request contains the information needed by the responder.

If any one of the prior conditions is not met, the OCSP responder produces an error message; otherwise, it returns a response.

9.1.2 Response

OCSP responses can be of various types. An OCSP response includes a response type. A response message consists of:

- Version of the response syntax
- Name of the responder
- Responses for each of the certificates in a request
- Optional extensions
- Signature algorithm OID
- Signature computed across a hash of the response

The response for each certificate in a request consists of:

- Target certificate identifier
- Certificate status value
- Response validity interval
- Optional extensions

This specification defines the following response indicators for use in the certificate status value:

- good
- revoked
- unknown

Exception cases

In case of errors, the OCSP responder may return an error message. These messages are not signed. Errors can be of the following types:

- malformedRequest: the request does not conform to the OCSP syntax.
- internalError: the responses are inconsistent.
- tryLater: the OCSP responder is operating but cannot return the status of the requested certificate. The response can be used to indicate that the service exists but is temporarily unable to respond.
- sigRequired: returned when the server requires the client to sign the request in order to construct a response.
- unauthorized: returned when the client is not authorized to make the query.

Semantics of thisUpdate, nextUpdate and producedAt

Responses can contain three times in them: thisUpdate, nextUpdate and producedAt. The semantics of these fields are:

- thisUpdate: the time at which the status being indicated is known to be correct.
- nextUpdate: the time at or before which newer information will be available about the status of the certificate.
- producedAt: the time at which the OCSP responder produced this response.

OCSP responders that pre-produce signed responses specify the status of certificates at a given time. The time at which the status was known to be correct SHALL be reflected in the thisUpdate field. The time at or before which newer information will be available is reflected in the nextUpdate field, while the time at which the response was produced appears in the producedAt field of the response.

For delivery to OCSP clients, CAs SHALL provide the capability to include the AuthorityInfoAccess extension in certificates that can be checked using OCSP. Alternatively, the accessLocation for the OCSP provider may be configured locally at the OCSP client. CAs that support an OCSP service provided by an authorized responder MUST provide for the inclusion of a value for a uniformResourceIndicator (URI) accessLocation and the OID value id-ad-ocsp for the accessMethod in the AccessDescription SEQUENCE. The value of the accessLocation field in the certificate defines the transport (for example HTTP, LDAP ...) used to access the OCSP responder and may contain other transport-dependent information (for example a URL).

Before accepting a signed response as valid, OCSP clients SHALL confirm that:

1. The certificate identified in a received response corresponds to the one identified in the corresponding request;
2. The signature on the response is valid;
3. The identity of the signer matches the intended recipient of the request;
4. The signer is currently authorized to sign the response;
5. The time at which the status being indicated is known to be correct (thisUpdate) is recent;
6. When available, the time at or before which newer information will be available about the status of the certificate (nextUpdate) is greater than the current time.

OCSP request structure

OCSPRequest ::= SEQUENCE {
    tbsRequest        TBSRequest,
    optionalSignature [0] EXPLICIT Signature OPTIONAL }

TBSRequest ::= SEQUENCE {
    version           [0] EXPLICIT Version DEFAULT v1,
    requestorName     [1] EXPLICIT GeneralName OPTIONAL,
    requestList       SEQUENCE OF Request,
    requestExtensions [2] EXPLICIT Extensions OPTIONAL }

Signature ::= SEQUENCE {
    signatureAlgorithm AlgorithmIdentifier,
    signature          BIT STRING,
    certs              [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }

Version ::= INTEGER { v1(0) }

Request ::= SEQUENCE {
    reqCert                 CertID,
    singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }

CertID ::= SEQUENCE {
    hashAlgorithm  AlgorithmIdentifier,
    issuerNameHash OCTET STRING, -- Hash of Issuer's DN
    issuerKeyHash  OCTET STRING, -- Hash of Issuer's public key
    serialNumber   CertificateSerialNumber }

9.2 OCSP Response

An OCSP response at a minimum consists of a responseStatus field indicating the processing status of the prior request. If the value of responseStatus is one of the error conditions, responseBytes are not set.

OCSPResponse ::= SEQUENCE {
    responseStatus OCSPResponseStatus,
    responseBytes  [0] EXPLICIT ResponseBytes OPTIONAL }

OCSPResponseStatus ::= ENUMERATED {
    successful       (0), --Response has valid confirmations
    malformedRequest (1), --Illegal confirmation request
    internalError    (2), --Internal error in issuer
    tryLater         (3), --Try again later
                          --(4) is not used
    sigRequired      (5), --Must sign the request
    unauthorized     (6)  --Request unauthorized
}

The value for responseBytes consists of an OBJECT IDENTIFIER and a response syntax, identified by that OID, encoded as an OCTET STRING.

ResponseBytes ::= SEQUENCE {
    responseType OBJECT IDENTIFIER,
    response     OCTET STRING }

For a basic OCSP responder, responseType will be id-pkix-ocsp-basic.

id-pkix-ocsp       OBJECT IDENTIFIER ::= { id-ad-ocsp }
id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 }

BasicOCSPResponse ::= SEQUENCE {
    tbsResponseData    ResponseData,
    signatureAlgorithm AlgorithmIdentifier,
    signature          BIT STRING,
    certs              [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }

ResponseData ::= SEQUENCE {
    version            [0] EXPLICIT Version DEFAULT v1,
    responderID        ResponderID,
    producedAt         GeneralizedTime,
    responses          SEQUENCE OF SingleResponse,
    responseExtensions [1] EXPLICIT Extensions OPTIONAL }

ResponderID ::= CHOICE {
    byName [1] Name,
    byKey  [2] KeyHash }

KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key
                         -- (excluding the tag and length fields)

SingleResponse ::= SEQUENCE {
    certID           CertID,
    certStatus       CertStatus,
    thisUpdate       GeneralizedTime,
    nextUpdate       [0] EXPLICIT GeneralizedTime OPTIONAL,
    singleExtensions [1] EXPLICIT Extensions OPTIONAL }

CertStatus ::= CHOICE {
    good    [0] IMPLICIT NULL,
    revoked [1] IMPLICIT RevokedInfo,
    unknown [2] IMPLICIT UnknownInfo }

RevokedInfo ::= SEQUENCE {
    revocationTime   GeneralizedTime,
    revocationReason [0] EXPLICIT CRLReason OPTIONAL }

UnknownInfo ::= NULL -- this can be replaced with an enumeration

9.3 OCSP over HTTP

9.3.1. Request

HTTP-based OCSP requests can use either the GET or the POST method to submit the client's request. To enable HTTP caching, small requests (that after encoding are less than 255 bytes) MAY be submitted using GET. If HTTP caching is not important, or if the request is greater than 255 bytes, the request SHOULD be submitted using POST. Where privacy is a requirement, OCSP transactions exchanged using HTTP MAY be protected using either TLS/SSL or some other lower-layer protocol. An OCSP request using the GET method is constructed as follows:

GET (url)/(url-encoding of the base-64 encoding of the DER encoding of the OCSPRequest)

where (url) may be derived from the value of AuthorityInfoAccess or from other local configuration of the OCSP client.

An OCSP request using the POST method is constructed as follows: the Content-Type header has the value "application/ocsp-request", while the body of the message is the binary value of the DER encoding of the OCSPRequest.
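The request construction described above, as an added example that is not part of the original report or of EJBCA: it DER-encodes an unsigned OCSPRequest following the ASN.1 in this section and then picks GET or POST by the 255-byte rule. The issuer bytes, serial numbers and responder URL are constructed placeholders, and applying the 255-byte limit to the URL-encoded base-64 text is an assumption about what "after encoding" refers to.

```python
import base64
import hashlib
from urllib.parse import quote, unquote

# AlgorithmIdentifier { sha1 (1.3.14.3.2.26), NULL parameters }, already DER-encoded.
SHA1_ALGORITHM_ID = bytes.fromhex("300906052b0e03021a0500")


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value, using long-form length from 128 bytes up."""
    size = len(content)
    if size < 0x80:
        length = bytes([size])
    else:
        raw = size.to_bytes((size.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def der_integer(value: int) -> bytes:
    """Encode a non-negative INTEGER; the byte count keeps the sign bit clear."""
    if value < 0:
        raise ValueError("certificate serial numbers are non-negative")
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def cert_id(issuer_name_der: bytes, issuer_key: bytes, serial: int) -> bytes:
    """CertID: hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber."""
    return der(0x30,
               SHA1_ALGORITHM_ID
               + der(0x04, hashlib.sha1(issuer_name_der).digest())
               + der(0x04, hashlib.sha1(issuer_key).digest())
               + der_integer(serial))


def ocsp_request(cert_ids: list) -> bytes:
    """Unsigned OCSPRequest. version is DEFAULT v1, so DER omits it; the
    optional requestorName, extensions and signature are left out."""
    request_list = der(0x30, b"".join(der(0x30, cid) for cid in cert_ids))
    tbs_request = der(0x30, request_list)
    return der(0x30, tbs_request)


def build_http_request(responder_url: str, request_der: bytes) -> dict:
    """Choose GET for small requests (cacheable) and POST otherwise."""
    encoded = quote(base64.b64encode(request_der).decode("ascii"), safe="")
    if len(encoded) < 255:
        return {"method": "GET",
                "url": responder_url.rstrip("/") + "/" + encoded,
                "headers": {}, "body": b""}
    return {"method": "POST", "url": responder_url,
            "headers": {"Content-Type": "application/ocsp-request"},
            "body": request_der}


def decode_get_url(url: str) -> bytes:
    """Responder side: recover the DER request from the last path segment."""
    return base64.b64decode(unquote(url.rsplit("/", 1)[1]))


# Constructed sample inputs: stand-ins for the issuer's DER-encoded DN and
# public key bits, and a hypothetical responder URL.
ISSUER_NAME_DER = b"constructed stand-in for the issuer DN encoding"
ISSUER_KEY = b"constructed stand-in for the issuer public key bits"
RESPONDER_URL = "http://ocsp.example.test/status"


def demo():
    """One-certificate request (goes out as GET) and four-certificate request (POST)."""
    single = ocsp_request([cert_id(ISSUER_NAME_DER, ISSUER_KEY, 0x1001)])
    batch = ocsp_request([cert_id(ISSUER_NAME_DER, ISSUER_KEY, serial)
                          for serial in range(0x1001, 0x1005)])
    return (build_http_request(RESPONDER_URL, single),
            build_http_request(RESPONDER_URL, batch))


if __name__ == "__main__":
    for request in demo():
        print(request["method"], request["url"], len(request["body"]))
```

Because `quote(..., safe="")` also escapes `/`, `+` and `=`, the encoded request is always a single path segment, which is what lets a cache or responder split it off the URL unambiguously.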

9.3.2. Response

An HTTP-based OCSP response is composed of the appropriate HTTP headers, followed by the binary value of the DER encoding of the OCSPResponse. The Content-Type header has the value "application/ocsp-response". The Content-Length header should specify the length of the response. Other HTTP headers MAY be present and may be ignored if not understood by the requestor.

9.3.3. Security Considerations

9.3.3.1. Replay Attacks

Since the use of nonces in this profile is optional, there is a possibility that an out-of-date OCSP response could be replayed, causing a client to accept a good response when in fact there is a more up-to-date response that specifies the status as revoked. To mitigate this attack, clients must have access to an accurate source of time and ensure that the OCSP responses they receive are fresh.

Clients that do not have an accurate source of date and time are vulnerable to service disruption. For example, a client with a fast clock may reject a fresh OCSP response. Similarly, a client with a slow clock may incorrectly accept expired valid responses for certificates that may in fact be revoked.
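The time-based checks from the acceptance list in 9.1.2 (certificate match, thisUpdate recent, nextUpdate later than the current time) and the clock problems described above, as an added example that is not part of the original report. The dictionary layout, the seven-day `max_age` default and all sample values are assumptions made for the illustration; signature and signer-authorization checks are outside its scope.

```python
from datetime import datetime, timedelta, timezone


def parse_generalized_time(text: str) -> datetime:
    """Parse the UTC GeneralizedTime form used by OCSP, e.g. 20240301000000Z."""
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def evaluate_single_response(single, requested_cert_id, now,
                             max_age=timedelta(days=7)):
    """Apply checks 1, 5 and 6 to one SingleResponse.

    Returns (accepted, detail); detail is the certStatus when accepted,
    otherwise the reason for rejection.
    """
    if single["certID"] != requested_cert_id:
        return False, "certID does not match the request"
    this_update = parse_generalized_time(single["thisUpdate"])
    if this_update > now:
        return False, "thisUpdate is in the future"
    if now - this_update > max_age:
        return False, "thisUpdate is not recent"
    next_update = single.get("nextUpdate")  # OPTIONAL in the ASN.1
    if next_update is not None and parse_generalized_time(next_update) <= now:
        return False, "nextUpdate has passed"
    return True, single["certStatus"]


# Constructed sample data: a CertID stand-in and a response that is valid
# for one day starting at ISSUED.
CERT_ID = ("sha1", "issuer-name-hash", "issuer-key-hash", 0x1001)
OTHER_CERT_ID = ("sha1", "issuer-name-hash", "issuer-key-hash", 0x2002)
ISSUED = datetime(2024, 3, 1, tzinfo=timezone.utc)
RESPONSE = {
    "certID": CERT_ID,
    "certStatus": "good",
    "thisUpdate": "20240301000000Z",
    "nextUpdate": "20240302000000Z",
}


def clock_scenarios():
    """Evaluate the same response under different client clocks."""
    return {
        # Real time and client clock agree: one hour after issuance.
        "accurate": evaluate_single_response(
            RESPONSE, CERT_ID, ISSUED + timedelta(hours=1)),
        # Real time is one hour after issuance, but the clock runs two days fast:
        # a fresh response is refused (service disruption).
        "fast": evaluate_single_response(
            RESPONSE, CERT_ID, ISSUED + timedelta(days=2)),
        # Real time is three days after issuance, but the clock reads +12h:
        # a replayed, expired response is still accepted.
        "slow": evaluate_single_response(
            RESPONSE, CERT_ID, ISSUED + timedelta(hours=12)),
        # A valid response for a different certificate must not be accepted.
        "wrong_certificate": evaluate_single_response(
            RESPONSE, OTHER_CERT_ID, ISSUED + timedelta(hours=1)),
        # No nextUpdate: only the max_age bound on thisUpdate limits replay.
        "no_next_update_old": evaluate_single_response(
            {k: v for k, v in RESPONSE.items() if k != "nextUpdate"},
            CERT_ID, ISSUED + timedelta(days=10)),
    }


if __name__ == "__main__":
    for name, result in clock_scenarios().items():
        print(name, result)
```

The "slow" scenario returns an acceptance because the function can only trust the `now` it is given, which is why the accurate time source is a requirement on the client and not something the response itself can enforce.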

Future versions of the OCSP protocol may provide a way for the client to know whether the server supports nonces or does not support nonces. If a client can determine that the server supports nonces, it MUST reject a reply that does not contain an expected nonce. Otherwise, clients that opt to include a nonce in the request should not reject a corresponding OCSPResponse solely on the basis of the nonexistent expected nonce, but MUST fall back to validating the OCSPResponse based on time.

9.3.3.2. Man-in-the-Middle Attacks

To mitigate the risk associated with this class of attack, the client must properly validate the signature on the response. The use of signed responses in OCSP serves to authenticate the identity of the OCSP responder and to verify that it is authorized to sign responses on the CA's behalf. Clients MUST ensure that they are communicating with an authorized responder by the rules described in [OCSP].

9.3.3.3. Impersonation Attacks

The use of signed responses in OCSP serves to authenticate the identity of the OCSP responder. As detailed in [OCSP], clients must properly validate the signature of the OCSP response and the signature on the OCSP response signer certificate to ensure that an authorized responder created it.

9.3.3.4 Denial-of-Service Attacks

OCSP responders should take measures to prevent or mitigate denial-of-service attacks. As this profile specifies the use of unsigned OCSPRequests, access to the responder may be implicitly given to everyone who can send a request to a responder. For example, a responder could limit the rate of incoming requests from a particular IP address if questionable behavior is detected.

9.3.3.5 Modification of HTTP Headers

Values included in HTTP headers are not cryptographically protected; they may be manipulated by an attacker. Clients should use these values for caching guidance only and should ultimately rely only on the values present in the signed OCSPResponse. Clients SHOULD NOT rely on cached responses beyond the nextUpdate time.

Part II: EJBCA Technology

EJBCA is built on J2EE technology and is a highly flexible CA component. EJBCA can be used stand-alone or integrated into any J2EE application. EJBCA is an extension of PKI, meaning that EJBCA is used to build a public key infrastructure (PKI). EJBCA can be set up to issue certificates for different purposes:

Network authentication for users accessing intranet/extranet and Internet resources.

Securing connections from SSL clients to SSL servers.

Smart card logon to Windows/Linux.

Digital signatures and email encryption.

VPN connectivity by issuing certificates to VPN routers (OpenVPN, Cisco, Juniper, etc.).

VPN client access using issued certificates.

Single sign-on for users accessing web applications with a single certificate.

Creating signed documents.

PKI has many different applications. EJBCA targets broad, complex deployments: issuing certificates for many different purposes from many different CAs, with high availability. Being open source, EJBCA integrates more flexibly and adapts to different environments better than commercial offerings.

1. Advantageous enterprise PKI

EJBCA PKI is a certificate authority and a complete enterprise PKI management system, delivered either as an integrated part or as a turnkey solution. EJBCA OCSP and EAC are sub-functions of EJBCA PKI and are used for validation and ePassports. EJBCA offers major advantages such as cost-efficiency, flexibility, complete integration, and full maintenance and support.

As many studies have shown, the open source model makes it possible to develop software more cost-effectively. EJBCA is no exception to this rule. It is developed in a controlled yet open and agile process, in cooperation with a highly creative community.

As the most flexible CA on the market, EJBCA PKI is with good reason the leading open source enterprise PKI in use. It is designed to interoperate smoothly with all the different applications needed in a given solution, and thanks to its outstanding flexibility EJBCA can be tailored to meet an organization's specific needs. EJBCA gives full access to all interfaces for integration. Optionally, it can be integrated so completely into the workflow that no one will even notice it is running. That is how a good infrastructure component works: transparently to the user.

2. Platforms

Written in Java, EJBCA is truly platform independent. It runs on all common hardware as well as on the following software platforms:

Windows

Linux

Mac OS

As a J2EE application, EJBCA runs on a range of application servers:

Jboss

Glassfish

Oracle

Weblogic

EJBCA runs with the following databases:

MySQL

PostgreSQL

Oracle

DB2

MS SQL

Derby

Available features

Uses a standard, high-performance RDBMS for storage.

Multiple CAs and levels of CAs, to build a complete infrastructure. Secure and robust.

Unlimited number of root CAs and sub CAs.

Request cross certificates and bridge certificates from other CAs and bridge CAs.

Issue certificates to other CAs.

Supports RSA keys up to 4096 bits.

Supports DSA keys of 1024 bits.

Supports ECDSA keys with named curves or implicitlyCA.

Supports multiple hash algorithms for signatures: MD5, SHA-1, SHA-256.

Supports X.509 certificates and card verifiable certificates.

Stand-alone or integrated in any J2EE application.

Easy to install and configure.

Administration interface in several languages: Chinese, English, French, German, Italian, Portuguese, Spanish and Swedish.

... and many other features described on the website.

3. EJBCA PKI architecture

The EJBCA architecture is divided into 3 components. Most processing goes through the web interface, which serves the different applications. The EJB layer is responsible for working with the database and the OS.

4. Installing EJBCA on Solaris 10

Solaris 10 was developed by Sun on the Java platform, so Sun provides strong support for software written in Java (J2SE, JDK, ...). The JDKs used on Solaris 10 are jdk1.5.0_17 and j2sdk1.4.2_19, which makes it a very suitable environment for installing EJBCA. (JDK versions 1.4.x and earlier are not supported by EJBCA.)

Software to install:

apache-ant-1.7.1

ejbca_3_9_2

jboss-4.2.2.GA

4.1 Installing JBoss

JBoss is an application server and provides the runtime environment for EJBCA.

$ cd /mnt/

$ wget -O jboss-4.2.3.GA.zip 'http://downloads.sourceforge.net/jboss/jboss-4.2.3.GA.zip?modtime=1216412104&big_mirror=1'

$ jar -xvf jboss-4.2.3.GA.zip

$ export JBOSS_HOME=/mnt/jboss-4.2.3.GA

$ export PATH=$PATH:$JBOSS_HOME/bin

After the export, the corresponding commands under /mnt/jboss-4.2.3.GA can be called directly.

Start JBoss in a console with the ./run.sh command, located in /mnt/jboss-4.2.3.GA/bin.

4.2 Installing apache-ant

Download the package from the home page http://ant.apache.org/ and extract it into /mnt/. Then use the following export commands:

export ANT_HOME=/usr/local/ant

export JAVA_HOME=/usr/local/jdk-1.2.2

export PATH=${PATH}:${ANT_HOME}/bin

Change the Java heap space value:

export ANT_OPTS=-Xmx512m

These settings can be collected in a shell script as follows:

#!/bin/sh

export ANT_HOME=/mnt/apache-ant-1.7.1

export JAVA_HOME=/usr/jdk/jdk1.5.0_17/

export PATH=${PATH}:${ANT_HOME}/bin

export JBOSS_HOME=/mnt/jboss-4.2.3.GA

export PATH=$PATH:$JBOSS_HOME/bin

export ANT_OPTS=-Xmx512m

4.3 Installing EJBCA

Rename every file.abc.sample to file.abc.

In the same console as the setup above (not the one running JBoss), run the following commands in turn:

ant bootstrap

ant install

ant deploy

Then open http://localhost:8080/ejbca in a browser; this is the public page.

We export the CA for https; the default password is ejbca.

# ls

superadmin.p12 tomcat.jks truststore.jks

# /usr/sfw/bin/openssl pkcs12 -in superadmin.p12

Enter Import Password:

MAC verified OK

Bag Attributes

friendlyName: SuperAdmin

localKeyID: C6 97 37 4C 55 B2 4E C6 8A 72 6E 90 C4 8B 94 4E EE F6 53 B7

Key Attributes:

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

-----BEGIN RSA PRIVATE KEY-----

Proc-Type: 4,ENCRYPTED

DEK-Info: DES-EDE3-CBC,F8A57285703CC319

-----END RSA PRIVATE KEY-----

Bag Attributes

friendlyName: SuperAdmin

localKeyID: C6 97 37 4C 55 B2 4E C6 8A 72 6E 90 C4 8B 94 4E EE F6 53 B7

subject=/CN=SuperAdmin

issuer=/CN=AdminCA1/O=EJBCA Sample/C=SE

-----BEGIN CERTIFICATE-----

.

-----END CERTIFICATE-----#

In the browser, open https://10.0.0.3:8443/ejbca/adminweb/index.jsp to reach the admin GUI.

5. Configuration files

5.1 Database

EJBCA runs with all kinds of databases. Here we use the default database that comes with JBoss, for the following reasons:

+ When EJBCA is upgraded to a new version, the data in JBoss is updated automatically.

+ It reduces CPU load when there are many connections to the EJBCA server.

Edit the defaults in conf/database.properties:

# Database username.

# Default: sa (works with hsqldb)

#database.username=ejbca

# Database password.

# Default: (blank works with hsqldb)

#database.password=ejbca

Database tables:

5.2 Web.properties

Edit the web defaults:

# The public port JBoss will listen to http on

# Default 8080

#httpserver.pubhttp=8080

# The public port JBoss will listen to https on, no client cert required

# Default 8442

#httpserver.pubhttps=8442

# The private port JBoss will listen to https on, client cert required

# Default 8443

#httpserver.privhttps=8443

# The interfaces JBoss will bind to. E.g. 127.0.0.1 will only allow connections from localhost.

# Default 0.0.0.0

#httpsserver.bindaddress.pubhttp=0.0.0.0

#httpsserver.bindaddress.pubhttps=0.0.0.0

#httpsserver.bindaddress.privhttps=0.0.0.0
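With every key left commented out, the defaults named in the comments above are what the server actually runs with. The following added example (not part of the original report or of EJBCA) resolves the effective settings and flags the ones worth changing; the `AS_SHIPPED` and `EDITED` samples and the three checks are constructed for illustration, using only keys and defaults shown on this page.

```python
# Defaults taken from the comments in the page's property files.
DEFAULTS = {
    "database.username": "sa",
    "database.password": "",
    "httpserver.privhttps": "8443",
    "httpsserver.bindaddress.privhttps": "0.0.0.0",
}

# The files as shown on the page: every key is commented out, so defaults apply.
AS_SHIPPED = """
#database.username=ejbca
#database.password=ejbca
#httpserver.privhttps=8443
#httpsserver.bindaddress.privhttps=0.0.0.0
"""

# Constructed example of an edited configuration (values are placeholders).
EDITED = """
database.username=ejbca
database.password=Constructed-Example-Passphrase-1
httpsserver.bindaddress.privhttps=10.0.0.3
"""

def effective(text):
    """Resolve the settings in force: active key=value lines override defaults."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue                      # blank, comment, or not a property
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return findings for settings that leave the CA more exposed than needed."""
    conf = effective(text)
    findings = []
    if conf["httpsserver.bindaddress.privhttps"] == "0.0.0.0":
        findings.append("admin port %s listens on every interface"
                        % conf["httpserver.privhttps"])
    if conf["database.username"] == "sa":
        findings.append("database still uses the default 'sa' account")
    if conf["database.password"] in ("", conf["database.username"]):
        findings.append("database password is blank or equals the username")
    return findings
```
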

References:

1. http://ejbca.org

2. http://primekey.net

3. http://google.com

4. Electronic Authentication course book, Academy of Cryptography Techniques.

5. E-Commerce course book, Academy of Cryptography Techniques.

Appendix

EJBCA database tables

Tables and columns