University-level research project: Deploying CA-based services

Page 1
I. Introduction
Today, communication over the Internet has become a pressing need. Much of the information sent over the network is highly sensitive: account numbers, confidential data and so on. At the same time, with ever more sophisticated techniques, the risk of information being stolen in transit keeps growing. Internet communication today relies mainly on the TCP/IP protocol suite, which forwards information from one computer to another through a series of intermediate hosts or separate networks. This is exactly what gives high-tech 'thieves' the opportunity to act unlawfully. Information sent over the network can be eavesdropped on (Eavesdropping), altered (Tampering) or sent under a false identity (Impersonation), among other attacks. Current protective measures, such as passwords, offer no guarantee, because a password can be intercepted or guessed quickly.
For this reason, information sent over the Internet today tends to be encrypted. Before sending it, the sender encrypts the information; if a thief 'intercepts' it in transit, it cannot be read because it is encrypted. On arrival, the recipient uses a special tool to decrypt it. The most widespread method of encryption and protection adopted worldwide is the digital certificate. With a digital certificate, a user can encrypt information effectively, resist forgery (the recipient can check whether the information has been altered) and authenticate the sender's identity. A digital certificate is also evidence for non-repudiation of origin: it prevents a sender from denying the origin of a document they sent.
One way to encrypt data securely is public key encryption. To use it, one needs a digital certificate from an administering organisation called a certification authority (CA).
II. Public key infrastructure
II.1 Concept
A public key infrastructure (PKI) lets the users of an insecure public network such as the Internet exchange data and money securely by means of a public/private key pair that is obtained and used through a trusted certification provider. The public key infrastructure supplies a digital certificate, which identifies a person or organisation, and directory services that can store the certificates and, when necessary, revoke them. Although the basic components of a PKI are widely known, some vendors are trying to push their own, differing PKI standards. A common standard for PKI on the Internet is also still being developed.
A public key infrastructure consists of:
- A certification authority (CA), which issues and verifies digital certificates. A certificate contains the public key, or information about the public key.
- A registration authority (RA), which acts as the verifier for the CA before a digital certificate is issued to the requester.
- One or more directories in which the certificates (with their public keys) are stored, so that they can be looked up and the public key of a counterpart in a certified transaction can be retrieved.
- A certificate management system.
II.2 The certification authority (CA)
In the digital certification systems operating around the world, a certification authority (CA) is an organisation that issues and manages security credentials on a computer network, together with the public keys used to encrypt information. As part of a public key infrastructure (PKI), a CA works with a registration authority (RA) to verify the information that a requester supplies for a digital certificate. If the RA confirms the requester's information, the CA then issues a certificate.
Depending on how the public key infrastructure is deployed, a digital certificate contains the owner's public key, the certificate's expiry date, the owner's name and other information about the holder of the public key.
II.3 Digital certificates
II.3.1 Concept
A digital certificate is an electronic file used to verify the identity of a person, a server, a company and so on, on the Internet. It is comparable to a driving licence, a passport, an identity card or any other personal identification document.
To obtain an identity card, you must be issued one by the local police authority. A digital certificate is the same: an organisation must vouch that your information is correct. That organisation is called a certification authority (Certificate Authority, abbreviated CA). The CA must be trustworthy and is responsible for the accuracy of the certificates it issues.
A digital certificate has three main components:
- Personal information of the holder.
- The public key of the holder.
- The digital signature of the issuing CA.
- The validity period.
Personal information
This is the information about the entity the certificate was issued to: name, nationality, address, telephone, e-mail, organisation name and so on. It corresponds to the details printed on a person's identity card.
Public key
In cryptographic terms, the public key is a value that the certificate provider publishes as an encryption key; together with the corresponding unique private key it forms an asymmetric key pair.
The principle behind the public key in a certificate is that both parties to a transaction must know each other's public key. If A wants to send something to B, A encrypts the information with B's public key, and B uses its own private key to open it. The asymmetry lies in the fact that the private key can decrypt data encrypted with the public key (within the single key pair that one person owns), while the public key cannot decrypt the information back, not even information that this same public key encrypted. This property is essential because several parties B, C, D and so on may all transact with A and hold A's public key, yet C, D and the others cannot decrypt what B sends to A even if they capture the packets on the network.
Put simply, if the digital certificate is an identity card, the public key plays the role of the identity printed on the card (name, address, photograph and so on), while the private key is your face and your fingerprint. If a parcel stands for the information being sent, 'encrypted' with your name and address as recipient, then even if someone presents your identity card to collect the parcel, the postal clerk will not hand it over, because the face and the fingerprint do not match.
Digital signature of the issuing CA
Also referred to as the root certificate. This is the CA's attestation, guaranteeing the accuracy and validity of the certificate. To check a digital certificate, the first step is to check whether the CA's digital signature is valid. On an identity card, this corresponds to the confirming stamp of the provincial or city police authority you belong to. In principle, when an identity card is checked, this stamp should be inspected first to tell whether the card has been forged.
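As an added example (not code from the report), the following toy model puts the components just described side by side: the holder's information and public key, the validity period and the CA's signature, with verification checking the CA signature first as the text prescribes. It also shows the asymmetry from the previous subsection: a message encrypted for B is readable by B but not by C. Textbook RSA over small fixed primes stands in for real keys and is not secure; all names, primes and dates are constructed.

```python
"""Toy certificate model: holder information + public key + validity period
+ the issuing CA's signature, verified in the order the text gives (CA
signature first). Textbook RSA over small fixed primes stands in for a real
key pair; it is NOT secure and only makes the mechanics visible. Every
name, prime and date here is constructed for this example."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

E = 65537  # public exponent shared by all toy keys

@dataclass(frozen=True)
class KeyPair:
    n: int  # public modulus
    e: int  # public exponent
    d: int  # private exponent, known only to the owner

def make_keypair(p: int, q: int) -> KeyPair:
    """Textbook RSA key generation from two (constructed) primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return KeyPair(n, E, pow(E, -1, phi))  # modular inverse; Python 3.8+

def encrypt(plain: int, public_key: tuple) -> int:
    """Anyone holding the public half (n, e) can encrypt for its owner."""
    n, e = public_key
    return pow(plain, e, n)

def decrypt(cipher: int, key: KeyPair) -> int:
    """Only the matching private exponent recovers the plaintext."""
    return pow(cipher, key.d, key.n)

def digest(data: bytes, n: int) -> int:
    """SHA-256 of the signed fields, reduced so the toy modulus can sign it."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

@dataclass
class Certificate:
    subject: str          # personal/organisation information of the holder
    public_key: tuple     # (n, e) belonging to the holder
    not_before: datetime  # start of the validity period
    not_after: datetime   # end of the validity period
    issuer: str           # name of the CA that signed the certificate
    signature: int = 0    # the CA's signature over all fields above

    def tbs(self) -> bytes:
        """The 'to be signed' fields, serialised deterministically."""
        return "|".join([self.subject, str(self.public_key), self.issuer,
                         self.not_before.isoformat(),
                         self.not_after.isoformat()]).encode()

def issue(ca_name: str, ca_key: KeyPair, subject: str, subject_key: KeyPair,
          now: datetime, days: int = 365) -> Certificate:
    """The CA signs the certificate fields with its private key."""
    cert = Certificate(subject, (subject_key.n, subject_key.e), now,
                       now + timedelta(days=days), ca_name)
    cert.signature = pow(digest(cert.tbs(), ca_key.n), ca_key.d, ca_key.n)
    return cert

def verify(cert: Certificate, ca_public: tuple, now: datetime) -> str:
    """Check the CA's signature first, then the validity window."""
    n, e = ca_public
    if pow(cert.signature, e, n) != digest(cert.tbs(), n):
        return "rejected: CA signature invalid"
    if not cert.not_before <= now <= cert.not_after:
        return "rejected: outside validity period"
    return "ok"

# Constructed key pairs: the CA and two users B and C (well-known primes).
CA_KEY = make_keypair(1000000007, 998244353)
B_KEY = make_keypair(1000000009, 999999937)
C_KEY = make_keypair(1000000021, 1000000033)

def demo_asymmetry() -> tuple:
    """A encrypts for B with B's public key: B can read it, C cannot."""
    message = int.from_bytes(b"PAY 42", "big")  # small enough for the toy modulus
    cipher = encrypt(message, (B_KEY.n, B_KEY.e))
    return decrypt(cipher, B_KEY) == message, decrypt(cipher, C_KEY) == message

def demo_verification() -> dict:
    """Genuine, tampered, expired and wrongly-signed certificates."""
    now = datetime(2024, 1, 1)
    ca_public = (CA_KEY.n, CA_KEY.e)
    genuine = issue("Example CA", CA_KEY, "CN=user-b", B_KEY, now)
    tampered = issue("Example CA", CA_KEY, "CN=user-b", B_KEY, now)
    tampered.subject = "CN=user-c"  # a field altered after signing
    # Someone without the CA's private key signs while claiming the CA's name.
    forged = issue("Example CA", C_KEY, "CN=user-b", B_KEY, now)
    return {
        "genuine": verify(genuine, ca_public, now),
        "tampered": verify(tampered, ca_public, now),
        "expired": verify(genuine, ca_public, now + timedelta(days=400)),
        "forged": verify(forged, ca_public, now),
    }
```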
II.3.2 Benefits of digital certificates
a) Encryption
The first benefit of a digital certificate is confidentiality. When a sender has encrypted information with your public key, only you can decrypt and read it. While the information travels over the Internet, an attacker who reads these encrypted packets still cannot tell what they contain. This is a very important feature that gives users full confidence in the confidentiality of their information. Exchanges that demand a high level of confidentiality, such as interbank transactions, electronic banking and credit card payments, all require digital certificates to be conducted safely.
b) Tamper resistance
When you send information, whether a data file or an e-mail, using a digital certificate, the recipient can check whether your information has been altered. Any modification or substitution of the original message's content will be detected. E-mail addresses, domain names and the like can all be forged by an attacker to deceive the recipient, spread viruses or steal important information. A digital certificate, however, cannot be forged, so exchanging information accompanied by a digital certificate is always safe.
c) Authentication
When you send information with a digital certificate, the recipient, whether a business partner, an organisation or a government agency, can establish your identity with certainty. In other words, even without seeing you, the recipient knows through the certificate system that you both use that it is really you and not someone else. Authentication is a very important feature for electronic transactions over the network, as well as for administrative procedures with legal authorities, which must clearly verify who sent the information in order to act in a legal capacity. This is the foundation of e-government, an environment in which citizens can communicate and carry out administrative business with state agencies entirely online. Digital certificates can fairly be called an indispensable, core part of e-government.
d) Non-repudiation of origin
When you use a digital certificate, you take full responsibility for the information the certificate accompanies. If the sender denies having sent a particular piece of information (an online purchase order, say), the digital certificate held by the recipient is evidence that the sender authored that information. In a dispute, the CA that issued the certificates to both parties is responsible for verifying the origin of the information and demonstrating where it was sent from.
e) Electronic signatures
E-mail plays a significant role in our daily exchange of information because it is fast, cheap and easy to use. Messages can be sent quickly over the Internet to customers, colleagues, suppliers and partners. However, e-mail is very easy for hackers to read; messages can be read or forged before they reach the recipient.
By using a personal digital certificate, you prevent these risks without giving up the advantages of e-mail. With a personal certificate, you can add an electronic signature to an e-mail as your own proof of authorship. An electronic signature also provides authentication, data integrity and non-repudiation of origin.
In addition, a personal digital certificate lets a user authenticate to a web server over the SSL security protocol. Certificate-based authentication is regarded as better, safer and more secure than traditional password-based authentication.
f) Website security
When your website is used for e-commerce or other important purposes, the information exchanged between you and your customers can leak. To avoid this risk, you can use an SSL Server certificate to secure your website.
An SSL Server certificate lets you configure your website for the SSL (Secure Sockets Layer) security protocol. This type of certificate gives your website a unique identity, assuring your customers of the website's authenticity and legitimacy. It also allows safe, confidential exchange of information between the website and your customers, staff and partners over SSL, notably for:
+ Buying and selling by credit card.
+ Protecting customers' sensitive personal information.
+ Ensuring that hackers cannot sniff passwords.
g) Software assurance
If you are a software publisher, you will certainly need 'anti-counterfeit seals' for your products; they are indispensable for asserting copyright. A software developer certificate lets you sign applets, scripts, Java software, ActiveX controls and EXE, CAB, DLL and similar files. Through the certificate, you guarantee the legitimacy and the origin of the product. Furthermore, users of the product can verify that you are the supplier and can detect changes to the program (accidental corruption, damage by a virus, cracking and pirated copies, and so on).
With these benefits for confidentiality and authentication, digital certificates are now widely used around the world as a tool for verifying the identity of the parties in e-commerce transactions. This is a globally standardised technology platform, even though each country has its own policies for regulating digital certification. Every country needs local CAs so that it controls its own domestic certification activity. Beyond that, countries wishing to conduct e-commerce across borders must also follow common technical standards and perform cross-certification, exchanging and recognising each other's CAs.
III. Deploying the CA service on Windows Server 2003
On the Windows Server 2003 operating system, the CA is a built-in software component.
III.1 Installing the CA service
Log on to Windows Server 2003 as Administrator.
1. Click Start, then Control Panel, then Add Or Remove Programs. The Add Or Remove Programs dialog box appears.
2. Click Add/Remove Windows Components. The Add/Remove Windows Components dialog box appears; select Certificate Services.
3. Click Details. The Certificate Services dialog box appears.
4. A warning about domain membership and the restriction on renaming the computer appears; click Yes.
5. On the CA type page, select Enterprise Root CA and click Next.
6. On the CA identifying information page, type the server's name in the Common name box and click Next.
7. On the Certificate Database Settings page, keep the default paths in the Certificate database and Certificate database log boxes and click Next.
8. A prompt to stop Internet Information Services appears; click Yes.
9. When asked to enable Active Server Pages (ASP), click Yes.
10. When installation completes, click Finish.
III.2 Certificate services provided by the Windows Server 2003 CA
Digital signatures: used to confirm the sender of a message, file or other data. A digital signature does not protect the data while it is in transit.
Internet authentication: PKI can be used to authenticate clients and servers that connect over the Internet, so that the server can identify the client connecting to it and the client can confirm that it has connected to the right server.
IP security (IPSec): the IPSec extensions allow encryption and the transmission of digital signatures to prevent data from being disclosed on the network. An IPSec deployment on Windows Server 2003 does not have to use PKI to obtain its encryption keys, but PKI can be used for that purpose.
Secure e-mail: Internet e-mail protocols carry messages in clear text, so their content is easy to read in transit. With PKI, the sender can protect an e-mail in transit by encrypting its content with the recipient's public key. The sender can also sign the message with their own private key.
Smart card logon: a smart card is a card the size of a credit card. Windows Server 2003 can use a smart card as an authentication device. The card holds the user's certificate and private key, allowing the user to log on to any machine in the enterprise with a high level of security.
Software code signing: Microsoft's Authenticode technology uses certificates to confirm that software a user downloads and installs really comes from its author and has not been modified.
Wireless network authentication: when setting up a wireless LAN, you must make sure that only properly authenticated users can join the network and that nobody can eavesdrop on wireless communication. The Windows Server 2003 PKI can protect the wireless network by identifying and authenticating users before they gain access.
III.3 CA types on Windows Server 2003
Windows Server 2003 has two types of CA:
Enterprise: enterprise CAs are integrated with the Active Directory service. They use certificate templates, publish certificates and CRLs to Active Directory, and use the information in the Active Directory database to accept or reject certificate requests automatically. Because the clients of an enterprise CA must be able to reach Active Directory to receive certificates, enterprise CAs are not suitable for issuing certificates to clients outside the organisation.
Stand-alone: stand-alone CAs use neither certificate templates nor Active Directory; they store their information locally. Moreover, by default a stand-alone CA does not respond to certificate requests automatically as an enterprise CA does. Requests wait in a queue until an administrator approves or rejects them by hand.
Whether you create an enterprise CA or a stand-alone CA, you must specify whether the CA is a root or a subordinate CA.
III.4 Issuing and managing digital certificates
III.4.1 Automatic issuance (Auto-Enrollment)
Auto-enrollment lets clients request and receive digital certificates from the CA automatically, without administrator intervention. To use auto-enrollment you need a domain running Windows Server 2003, an enterprise CA running on Windows Server 2003, and clients that can run Windows XP Professional. The auto-enrollment process is controlled through a combination of group policy and certificate templates.
By default, Group Policy Objects (GPOs) allow auto-enrollment for all users and computers in the domain. To configure it, open the Auto-Enrollment settings policy, located under Windows Settings\Security Settings\Public Key Policies in both the Computer Configuration and the User Configuration nodes of the Group Policy Object Editor. In the Autoenrollment Settings Properties dialog box you can disable auto-enrollment entirely for the objects this GPO applies to, or allow those objects to renew or update their certificates automatically.
Another technique for controlling auto-enrollment is to build certificate templates that define the properties of a particular kind of certificate explicitly. Certificate templates are managed with the Certificate Templates snap-in, as shown in the figure below. With this tool you can specify the validity period and renewal period of the selected certificate type and choose the cryptographic service provider for it. On the Security tab you can also specify which users and groups are allowed to request certificates based on this template.
When a client requests a certificate, the CA checks the properties of the client's Active Directory object to decide whether the client has at least the permission required to receive the certificate. If the client has the appropriate permission, the CA issues the certificate automatically.
III.4.2 Manual issuance (Manual Enrollment)
Stand-alone CAs cannot use auto-enrollment, so when a stand-alone CA receives certificate requests from clients it stores them in a queue until an administrator decides whether to issue the certificates. To monitor and process incoming requests, the administrator uses the Certification Authority console, shown in the following figure:
In the Certification Authority console, all certificate requests appear in the Pending Requests folder. After evaluating the information in each request, the administrator can choose to issue or deny it. The administrator can also view the properties of issued certificates and revoke certificates when necessary.
III.4.3 Ways of requesting a certificate from the CA
III.4.3.1 Using the Certificates snap-in
The Certificates snap-in is a tool for viewing and managing the certificates of a particular user or computer. Its main window contains folders holding every category of certificate assigned to that user or computer. If the user's organisation runs enterprise CAs, the Certificates snap-in also lets the user request and renew certificates with the Certificate Request Wizard and the Certificate Renewal Wizard.
III.4.3.2 Requesting certificates over the Web (Web Enrollment)
When you install Certificate Services on a computer running Windows Server 2003, you can also install the Certificate Services Web Enrollment Support module. To work properly, this module requires IIS to be installed on the computer first. Selecting the module during Certificate Services installation creates web pages on the CA computer through which users can submit certificate requests and choose the cryptographic options.
The Web Enrollment Support interface is intended for users inside or outside the network who access stand-alone CAs. Because a stand-alone server does not use certificate templates, the client's request must include all the information needed for the certificate, including information about the certificate's user.
When clients request certificates through the Web Enrollment Support interface, they can choose from a list of predefined certificate types or create an advanced certificate request by specifying all the required information in a web-based form.
III.4.4 Revoking digital certificates
Several situations prompt an administrator to revoke a certificate. If a private key is compromised, if an unauthorised user has gained access to the CA, or even if you want to issue certificates with different parameters such as longer keys, you must revoke the earlier certificates first. A CA maintains a CRL (Certificate Revocation List). Enterprise CAs publish their CRLs in the Active Directory database, so clients retrieve them with the standard Active Directory protocol, the Lightweight Directory Access Protocol (LDAP). A stand-alone CA stores its CRL as a file on the server's local disk, so clients retrieve it with an Internet protocol such as Hypertext Transfer Protocol (HTTP) or File Transfer Protocol (FTP).
Every certificate contains the path to the CA's distribution point for CRLs. You can change this path in the Certification Authority console by opening the CA's Properties dialog box and clicking the Extensions tab. When an application authenticating a client with a certificate processes it, it checks the CRL distribution point named in the certificate to make sure the certificate has not been revoked. If the CRL is not available at the specified distribution point, the application rejects the certificate.
By selecting the Revoked Certificates folder in the Certification Authority console and opening its Properties dialog box, you can specify how often the CA should publish a new CRL, and also configure the CA to publish delta CRLs. A delta CRL lists all the certificates revoked since the last CRL was published. In an organisation with a large number of certificates, using delta CRLs instead of base CRLs alone can save a great deal.
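The revocation check described above, as an added example rather than code from the report: a relying application fetches the CRL from the distribution point named in the certificate, folds the current delta CRL into the base CRL, and rejects the certificate when the CRL is unavailable or past its next-update time. The distribution-point URLs, serial numbers, CRL numbers and dates are constructed; the '+' suffix on the delta CRL file name follows the Windows naming convention.

```python
"""Model of the CRL check a relying application performs: fetch the CRL from
the distribution point named in the certificate, apply the delta CRL to the
base CRL, and fail closed when the CRL is unavailable or stale.
URLs, serial numbers, CRL numbers and dates are constructed for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class CRL:
    issuer: str
    crl_number: int                        # increases with each publication
    this_update: datetime
    next_update: datetime                  # set by the CA's publication interval
    revoked: dict                          # serial number -> revocation time
    base_crl_number: Optional[int] = None  # present only on a delta CRL

    @property
    def is_delta(self) -> bool:
        return self.base_crl_number is not None


def merge_delta(base: CRL, delta: CRL) -> CRL:
    """Combine a base CRL with a delta CRL that lists revocations since
    (at least) the base CRL number the delta names."""
    if not delta.is_delta or delta.issuer != base.issuer:
        raise ValueError("not a delta CRL from this issuer")
    if not delta.base_crl_number <= base.crl_number < delta.crl_number:
        raise ValueError("delta CRL does not apply to this base CRL")
    combined = {**base.revoked, **delta.revoked}
    return CRL(base.issuer, delta.crl_number, delta.this_update,
               delta.next_update, combined)


class DistributionPoint:
    """Stand-in for the HTTP/LDAP location named in the certificate."""

    def __init__(self, published: dict):  # url -> CRL currently published there
        self.published = published

    def fetch(self, url: str) -> Optional[CRL]:
        return self.published.get(url)


def check_revocation(serial: str, cdp_url: str, dp: DistributionPoint,
                     now: datetime, delta_url: Optional[str] = None) -> str:
    """Return 'good', 'revoked at <time>' or a 'reject: ...' reason."""
    base = dp.fetch(cdp_url)
    if base is None or base.is_delta:
        return "reject: CRL unavailable"  # fail closed, as the text requires
    crl = base
    if delta_url is not None:
        delta = dp.fetch(delta_url)
        if delta is not None and delta.is_delta:
            crl = merge_delta(base, delta)
    if now > crl.next_update:
        return "reject: CRL expired"  # the CA missed its publication interval
    if serial in crl.revoked:
        return f"revoked at {crl.revoked[serial].isoformat()}"
    return "good"


# Constructed sample: a weekly base CRL and a daily delta CRL from the same CA.
T0 = datetime(2024, 3, 1, 8, 0)
BASE_URL = "http://ca.example.test/CertEnroll/ExampleCA.crl"
DELTA_URL = "http://ca.example.test/CertEnroll/ExampleCA+.crl"
SAMPLE_DP = DistributionPoint({
    BASE_URL: CRL("Example CA", 10, T0, T0 + timedelta(days=7),
                  {"1A2B3C": T0 - timedelta(days=2)}),
    DELTA_URL: CRL("Example CA", 12, T0 + timedelta(days=2),
                   T0 + timedelta(days=3), {"4D5E6F": T0 + timedelta(days=1)},
                   base_crl_number=10),
})


def demo() -> dict:
    """Run the check for several certificates against the sample CRLs."""
    now = T0 + timedelta(days=2, hours=1)
    missing = "http://ca.example.test/CertEnroll/missing.crl"
    return {
        "revoked_in_base": check_revocation("1A2B3C", BASE_URL, SAMPLE_DP, now),
        # Without the delta CRL a revocation made after the base was published is missed.
        "revoked_in_delta_only": check_revocation("4D5E6F", BASE_URL, SAMPLE_DP, now),
        "revoked_with_delta": check_revocation("4D5E6F", BASE_URL, SAMPLE_DP, now, DELTA_URL),
        "good": check_revocation("777777", BASE_URL, SAMPLE_DP, now, DELTA_URL),
        "cdp_unreachable": check_revocation("777777", missing, SAMPLE_DP, now),
        "stale_crl": check_revocation("777777", BASE_URL, SAMPLE_DP, T0 + timedelta(days=8)),
    }
```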
IV. Deploying network services that use the CA
IV.1 Web service using SSL
SSL (Secure Sockets Layer) is a cryptographic protocol that provides secure communication on the Internet for uses such as web browsing and e-mail. SSL authenticates the endpoints of a connection and provides a private channel over the Internet through encryption. Usually only the server is authenticated, meaning that only the end user (a person, an application, ...) knows for certain who they are talking to. At a higher level of security, both sides must know each other and authenticate mutually. Mutual authentication requires a public key infrastructure (PKI).
1) Service model:
The web server is configured to serve web pages over SSL by obtaining a certificate from the CA service.
2) Service configuration:
On the web server, request a certificate:
Step 1: Open IIS, right-click the website to be configured for SSL, select the Directory Security tab and choose Server Certificate.
Step 2: Choose to create a new certificate. Click Next, choose Prepare for Request now, but send it later, and save the certificate request to a file.
Step 3: Open Internet Explorer and enter the address of the CA service to request a certificate over the web. Choose Request a Certificate, then choose Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file. Open the request file saved above, copy its content and paste it into Saved Request.
If the CA service does not issue certificates automatically, go to the CA machine and issue (Issue) the certificate that was just requested. Return to the CA's web enrollment page and choose Download Certificate to download the newly issued certificate.
Step 4: Back in IIS, choose Process the pending request and install the certificate to import the certificate obtained above. Then choose Edit and select Require secure channel (SSL) so that the website requires SSL for incoming connections.
3) Results:
Suppose a web page with the following content is hosted on the web server and a client connects over HTTP to view it.
Without SSL, a packet capture tool shows the page content; with SSL the data is encrypted and cannot be read even when the packets are captured.
IV.2 IPSec service
IPSec (Internet Protocol Security) is a protocol designed to protect data with digital signatures and encryption before it is transmitted. IPSec encrypts the information in the IP packet by encapsulating it, so that even captured packets cannot be read.
Because IPSec operates at the network layer, it creates a continuous encrypted channel between the connection endpoints (end-to-end): data encrypted on the sending machine is decrypted only when it reaches the receiving machine.
IPSec protocols:
a) IP Authentication Header (AH): does not encrypt the data in the IP packet, only the header portion. AH provides the basic security services; the data can be read from captured packets, but its content cannot be altered.
b) IP Encapsulating Security Payload (ESP): encrypts the entire content of the IP packet, preventing an eavesdropper from reading it while the packet travels across the network. ESP provides authentication, integrity and data encryption services.
1) Service model:
In the model above, the FTP server is the computer providing file transfer services on the network; clients connect to it to download and upload data files. Before a client can connect it must go through an authentication process. To secure this process, as well as the content of the transferred files, we integrate the CA service: the CA machine issues the certificates used to authenticate the FTP server and the clients to each other.
To achieve this, the machine providing the CA service also acts as the Domain Controller and issues certificates automatically to machines that request them.
2) Service deployment:
This section presents the steps for setting up an IPSec policy that uses the CA for the model above. The policy is created on every machine that needs to communicate over IPSec.
Step 1: In the IP Security Policy window, create a new policy.
Step 2: Click Next to add a new rule; on the Rules tab click Add to add an IP filter list (IP Filter List).
Step 3: Click Add to add the filter rules required. Here we set up a rule to filter the FTP protocol during authentication between the current machine and all other machines. In From this port, enter the value 21, the port FTP uses to authenticate users.
Step 4: Click OK to reach the Filter Action window and choose Require Security so that IPSec is required whenever FTP authentication takes place.
Step 5: Choose the authentication method: select authentication with a CA and click Browse to select the CA of the network model above.
Step 6: With the newly created policy selected, choose Assign so that the policy takes effect.
3) Results:
Suppose client1 connects to the FTP server. Without IPSec, anyone who captures these packets learns the username and password when the user authenticates.
With IPSec, the packets are encrypted and their content cannot be read.
IV.3 VPN service
A VPN (Virtual Private Network) is a private network that uses a public network (the Internet) to connect sites or users to a central LAN.
A VPN allows data to be transmitted between two computers over a public network as if there were a dedicated link between them. To create a point-to-point connection, the data is encapsulated, that is, wrapped with a header that supplies routing information. To emulate a private channel, the data is encrypted.
1) Service model:
In this model, the VPN service is deployed at the Da Lat office; users elsewhere, such as in Ha Noi or Ho Chi Minh City, can connect and access resources inside the LAN at Da Lat. The VPN uses L2TP/IPSec and authenticates with digital certificates issued by the CA.
2) Service deployment:
This section explains the function of each computer in the model above and presents its main configuration settings.
a. Domain Controller: acts as the control centre and provides the domain name resolution (DNS, Domain Name System) and dynamic IP address assignment (DHCP, Dynamic Host Configuration Protocol) services. It is also the CA server that issues certificates on request.
b. Web Server: provides the website service for users.
c. IAS: the machine that manages remote access users, RADIUS (Remote Access Dial-in User Service). The service must be installed before it can be used. To install IAS, choose Control Panel -> Add and Remove Programs -> Windows Components -> Networking Services -> Internet Authentication Service.
Open the IAS program, create a new RADIUS client and a policy specifying which groups or users are allowed remote access.
- Add the RADIUS client:
- Add a new policy granting access to users in the VPNUsers group.
d. VPN Server: the VPN server that accepts connection requests from outside.
Main configuration steps:
Step 1: Open the Routing and Remote Access program and choose Configure and Enable Routing and Remote Access.
Step 2: Choose Remote Access (dial-up or VPN).
Step 3: Choose VPN.
Step 4: Enter the address of the RADIUS server.
Step 6: Under DHCP Relay Agent, enter the address of the machine providing the DHCP service.
3) Connecting from user machines outside the network
Step 1: Create a network connection of type VPN.
Step 2: Open the connection and enter the username and password of a user who is allowed access.
Step 3: Choose Properties and set the VPN type to L2TP/IPSec. Click OK and choose Connect.
V. Results and future work
V.1 Results
Through this project, the group studied the fundamentals of public key infrastructure (PKI), a model now very widely used for network communication; studied and deployed the CA service, an important component of PKI, on Windows Server 2003; and finally integrated the CA service into several other network services to build services with a high level of security.
V.2 Future work
The service models above were simulated in a LAN environment. With better network infrastructure, they could be deployed at larger scale on the real Internet. Integrating the same services in a Linux environment is a further direction to explore.
TABLE OF CONTENTS
I. Introduction .......... 1
II. Public key infrastructure .......... 1
II.1 Concept .......... 1
II.2 The certification authority (CA) .......... 2
II.3 Digital certificates .......... 2
II.3.1 Concept .......... 2
II.3.2 Benefits of digital certificates .......... 3
III. Deploying the CA service on Windows Server 2003 .......... 5
III.1 Installing the CA service .......... 5
III.2 Certificate services provided by the Windows Server 2003 CA .......... 8
III.3 CA types on Windows Server 2003 .......... 9
III.4 Issuing and managing digital certificates .......... 9
III.4.1 Automatic issuance (Auto-Enrollment) .......... 9
III.4.2 Manual issuance (Manual Enrollment) .......... 11
III.4.3 Ways of requesting a certificate from the CA .......... 11
III.4.3.1 Using the Certificates snap-in .......... 11
III.4.3.2 Requesting certificates over the Web (Web Enrollment) .......... 12
III.4.4 Revoking digital certificates .......... 14
IV. Deploying network services that use the CA .......... 15
IV.1 Web service using SSL .......... 15
IV.2 IPSec service .......... 23
IV.3 VPN service .......... 29
V. Results and future work .......... 36
V.1 Results .......... 36
V.2 Future work .......... 36