
Contents
Question 1: Potential threats in an electronic environment and solutions for each threat
Question 2: Application support: the single sign-on model
Question 3: The meaning of timestamps in PKI
Question 4: Core PKI services
Question 5: X.509 certificates
Question 6: Key and certificate management
Question 7: Trust models
Question 8: PKI in practice
Question 9: The future of PKI
Question 10: Detailed design of a hierarchical PKI architecture with CA tiers
Question 11: Digital signatures: definition, properties and requirements of a digital signature
Question 12: Problems in deploying a PKI system
Question 13: PKI protocols
Question 14: Strong authentication
Question 15: Understanding electronic passports

Question 1: Potential threats in an electronic environment and solutions for each threat

Potential threats in an electronic environment:
- Confidentiality: eavesdropping
- Integrity: modification of data
- Authentication: impersonation
- Non-repudiation: denial of responsibility for an action

Solutions for each threat:
- Confidentiality: encrypt the data
- Integrity: hash functions and digital signatures (a bare hash only detects accidental corruption; against an active attacker the hash must be keyed, i.e. a MAC, or signed)
- Authentication: digital certificates and digital signatures
- Non-repudiation: digital signatures together with audit logs (and, in a PKI, trusted timestamps)

Question 2: Application support: the single sign-on model

Single sign-on (SSO) lets a user log in once with a single identifier/password and then use many applications within the same organization. That single login can be connected to many remote devices, so it removes the need to log in repeatedly. Single sign-on can also be combined with other access control mechanisms. From the convenience standpoint SSO is highly desirable because the user only has to remember one password (or a few) and needs to know only one procedure to reach many systems. From the security standpoint it is also desirable because passwords are transmitted over the network less often, though the single credential (or session token) also becomes a single point of compromise and therefore needs stronger protection than any one application password did.

The single sign-on model has the following advantages for users and administrators:
- Ease of use: the client logs in once and gains access to every server it is authorized for, without being interrupted by password prompts.
- Passwords stay on the local machine: to log in, the user types a password that protects the public-key database on the local machine; the password is never sent over the network.

- Simplified administration: the administrator controls which servers may be reached by managing the lists of trusted certification authorities kept by the client and server software. These lists are shorter than lists of user names and passwords, and they change infrequently.
- Access control is unaffected: single sign-on replaces the client authentication mechanism and does not touch the access control mechanisms. The administrator does not need to change existing ACLs that were originally set up for basic authentication.

Question 3: The meaning of timestamps in PKI

- A secure timestamp (Secure Time Stamping) is especially important for supporting non-repudiation:
  + the time source used in the PKI must be trustworthy,
  + the time value must be protected while in transit.
- A timestamp confirms that a certificate is currently in circulation (valid at that moment),
- it is used when A's private key has been compromised, to separate signatures made before the compromise from those made after it,
- it ensures that a received message is not a replayed old one but the one carrying B's current public key,
- it also marks the end of a certificate's validity period.

Question 4: Core PKI services

* Definitions
Authentication: assurance to a user that some entity really is the party it claims to be.
- Two main application contexts: entity authentication and data-origin authentication

Entity authentication:
  + this activity is separate from the entity's other activities,
  + entity authentication produces a result (for example a session) that is then used for other activities.
Data-origin authentication:
  + verifies that data is bound to a particular entity,
  + supports non-repudiation of data origin.
- Two kinds of authentication: local and remote

Local authentication:
  + authenticates an entity to its local environment,
  + always requires the user's direct participation;
Remote authentication:
  + authenticates an entity to a remote environment,
  + may not require the user's direct participation;
  => sensitive data is hard to protect, and it is inconvenient for the user to enter authentication information many times.
- There are four main factors:

Something the user has (smart card, ...), something the user knows (password, ...), something inherent to the user (fingerprint, ...), something the user does.

- Single-factor authentication uses one of these options; multi-factor authentication uses more than one.
- Local authentication, whether single- or multi-factor, does not use PKI services.
- Authentication to a remote environment commonly uses PKI services.

Data integrity: assurance that data has not been altered, or that any alteration is detected. To guarantee integrity a system must be able to detect unauthorized changes to data; the purpose is to let the recipient verify that the data was not modified. Cryptographic techniques are used, and the two parties usually agree on suitable algorithms and keys.

Confidentiality: assurance that data is kept secret: nobody can read the contents except the intended users.
- All sensitive data needs confidentiality.
- It is usually required when data:
  is stored on media that unauthorized users can read,
  is stored on a device that may fall into the wrong hands,
  is transmitted over an unprotected network.
- To ensure confidentiality, suitable algorithms and keys are agreed between the parties.

* Techniques
- Authentication: the PKI authentication service relies on cryptography and digital signatures. The digital signature may be computed over the hash of one of three values:
  + some data that is to be authenticated: used for data-origin authentication;
  + a request the user wants to send to a remote device;
  + a challenge issued by the remote device: used for entity authentication.

- Data integrity: the PKI integrity service can use either of two techniques:
  + Digital signature: if the data is altered, the signature fails verification, so loss of integrity is easily detected;
  + Message Authentication Code (MAC): usually built from a symmetric block cipher or a cryptographic hash function. A MAC proves origin only to the two holders of the key; because either of them could have produced it, it cannot support non-repudiation.
- When Alice wants to send Bob integrity-protected data she can perform the following sequence:
  + generate a fresh symmetric key,
  + use that key to compute a MAC over the data,
  + encrypt the symmetric key with Bob's public key,
  + send the data to Bob together with the encrypted key.
- If Bob has a key-agreement public key (for example a Diffie-Hellman public key), Alice can instead:
  + derive a fresh symmetric key from Bob's public key and her own private key,
  + use that key to compute a MAC over the data,
  + send the data to Bob together with her own public-key certificate.
- On receiving the data, Bob re-derives the symmetric key from Alice's public key and his own private key and checks the MAC.
  + Digital signature model: (figure not reproduced)

  + MAC model: DES-CBC-MAC (figure not reproduced)
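The second integrity procedure above (a MAC under a key that both sides derive by Diffie-Hellman), as an added example that is not part of the original notes. Assumptions: a toy modulus 2**255 - 19 with generator 2 stands in for a standardised group such as RFC 7919 ffdhe2048 (the modulus is prime, but the group was not analysed, so it illustrates the flow only); HMAC-SHA256 replaces the DES-CBC-MAC of the notes; and Alice's certificate is reduced to her bare public value, since certificate handling is covered later. The function names are this example's own.

```python
"""Integrity protection with a MAC whose key both parties derive by Diffie-Hellman.

Added example, not from the original notes. Toy group: P = 2**255 - 19, G = 2
(stand-in for an RFC 7919 group); HMAC-SHA256 instead of DES-CBC-MAC.
"""
import hashlib
import hmac
import secrets

P = 2**255 - 19   # toy modulus (prime); a real deployment uses a standardised group
G = 2


def dh_keypair():
    """Private exponent x and public value G^x mod P."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def derive_mac_key(my_private, their_public):
    """Shared secret G^(xy) mod P, then a KDF step so the raw DH value is never used as a key."""
    if not 1 < their_public < P - 1:          # reject the trivial elements 0, 1, P-1
        raise ValueError("public value outside the group")
    shared = pow(their_public, my_private, P)
    return hashlib.sha256(b"mac-key|" + shared.to_bytes(32, "big")).digest()


def protect(data, mac_key):
    """Alice: tag = HMAC(key, data); (data, tag) is what goes on the wire."""
    return data, hmac.new(mac_key, data, hashlib.sha256).digest()


def verify(data, tag, mac_key):
    """Bob: recompute and compare in constant time; True only if data is untouched."""
    expected = hmac.new(mac_key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def exchange(data, tampered=None):
    """Run the whole flow; returns (bob_accepts_original, bob_accepts_tampered)."""
    alice_priv, alice_pub = dh_keypair()
    bob_priv, bob_pub = dh_keypair()
    # Alice derives the key from Bob's public value and her own private value ...
    k_alice = derive_mac_key(alice_priv, bob_pub)
    msg, tag = protect(data, k_alice)
    # ... Bob rebuilds the same key from Alice's public value and his own private value.
    k_bob = derive_mac_key(bob_priv, alice_pub)
    ok = verify(msg, tag, k_bob)
    ok_tampered = verify(tampered, tag, k_bob) if tampered is not None else None
    return ok, ok_tampered


if __name__ == "__main__":
    original = b"transfer 100 to account 42"      # constructed sample message
    print(exchange(original, b"transfer 900 to account 42"))   # (True, False)
```

The MAC key is not the raw DH output but a hash of it, and the peer's public value is range-checked before use; both are habits that carry over unchanged to real groups.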

- Data confidentiality: uses a mechanism similar to one of the integrity options above. That is:
  + Alice generates a symmetric key,
  + the symmetric key is used to encrypt the data,
  + the encrypted data is sent to Bob together with:
    . Alice's key-agreement public key, or
    . a copy of the symmetric key encrypted with Bob's public key.

Question 5: X.509 certificates

There are three versions:
- Version 1, defined in 1988: inflexible, since it has no extension fields for adding new attributes;
- Version 2, introduced in 1993:

  + adds two optional fields (issuer and subject unique identifiers) to version 1,
  + but still cannot carry other extensions;
- Version 3, introduced in 1997:
  + corrects the shortcomings of versions 1 and 2,
  + adds many optional extensions, fully supporting current requirements;

Format of X.509 version 3 (figure not reproduced)

Meaning of the fields
- Version: the version of the certificate format,
- Serial Number: a serial number unique among the certificates issued by this CA,
- Signature: identifies the algorithm used to compute the digital signature on the certificate,
- Issuer: the distinguished name of the CA that issued the certificate, structured according to the X.509 recommendation;
- Validity: the certificate's validity period (notBefore and notAfter),
- Subject: the name of the certificate holder,
- Subject Public Key Info: the subject's public key together with its algorithm identifier,
- Issuer Unique ID: an optional unique identifier of the issuer; rarely used in practice.
In addition there are extension fields:
- Authority Key Identifier:
  + a unique identifier of the key used to verify the signature on the certificate,
  + used to tell keys apart when an issuer has several keys;
- Subject Key Identifier:
  + a unique identifier of the subject's public key,
  + used to tell keys apart when a subject has several keys;
  (path-building software matches a certificate's Authority Key Identifier to the issuer's Subject Key Identifier)
- Certificate Policies:
  + contains a set of policy information terms for the certificate,
  + these terms state:
    . the circumstances under which the certificate was created,
    . the purposes for which the certificate may be used.

Question 6: Key and certificate management

Initialization phase: before entities can take part in PKI services they must be initialized.
Initialization includes: end-entity registration, key pair generation, certificate creation and key/certificate distribution, certificate dissemination, and key backup (where applicable).

Registration process: several scenarios are possible
- It is the process in which the entity's identity is established and checked,
- The level of checking depends on the certificate policy.

Key pair generation:
- Generating the private/public key pair,
- It may happen before registration or as a direct response to end-entity registration,
- In a full PKI model, keys may be generated at: the end entity, the RA, or the CA
- Factors influencing where keys are generated include: capability, performance, assurance, legal ramifications, and the intended key usage.
- The place of generation matters: in every case the user is responsible for storing and protecting the secrecy of their own private key, and when the CA generates the key it must have special mechanisms, facilities and responsibility to guarantee the absolute secrecy of the user's private key.

Certificate creation and key/certificate distribution:
- Only an authorized CA may create certificates,
- If the public key is generated by a component other than the CA, it must be conveyed to the CA securely (the CA should also require proof of possession of the matching private key),
- Once the key and the related certificate exist, they must be distributed properly.
- The distribution requirements may depend on several factors, including: where the keys were generated, the intended use of the certificate, and policy constraints.

Certificate dissemination
- Once the private key and the corresponding public-key certificate have been distributed, the certificate is disseminated,
- Methods: manual distribution, or storing the certificate in a public repository that supports on-demand retrieval.

Key backup:
- If the key pair is used for confidentiality, initialization may include backup of the key and certificate by a trusted third party,
- Whether keys are backed up depends on the policy of each environment (signing keys are not backed up, since a second copy would undermine non-repudiation).

Issued phase: once the private key and certificate have been distributed, the issued phase of key/certificate management begins.
This phase includes: retrieving certificates from a remote repository (when needed), validating certificates, key recovery when needed, automatic key update.

Certificate retrieval
- An end entity requests a certificate in order to use it,
- Two distinct usage needs:
  + encrypting data to be sent to another end entity: usually wrapping the symmetric key sent to the recipient;
  + verifying a digital signature from another end entity;
- Depends on the availability of the end entity's certificate.

Certificate validation:
- The integrity of a certificate can be checked because it is signed by the issuing CA,
- Integrity is only one of the checks needed before a certificate is considered valid. The checks include:
  + the certificate was issued by a recognized trusted source,
  + its integrity is intact,
  + it is within its validity period,
  + it has not been revoked,
  + it conforms to policy

Key recovery
- As already noted, key backup and recovery are essential in a PKI,
- They are usually tied to certificate lifecycle management

Key update:
- Certificates are issued with a fixed lifetime,
- When a certificate is about to expire, a new key pair and a corresponding new certificate must be issued: that is key update;
- In effect it reruns the initialization process,
- Key update should be automatic

Cancellation phase: key/certificate lifecycle management ends with the cancellation phase
This phase includes: certificate expiry, certificate revocation, key history, key archival

Certificate expiry:
- Certificates are issued with a fixed lifetime,
- When a certificate expires, three things can happen to the end entity:
  + nothing, if the end entity no longer takes part in the PKI,
  + certificate renewal (the same key with a new validity period),
  + certificate update (a new key pair and a new certificate)

Certificate revocation
- Cancels a certificate before its expiry date,
- Revocation is triggered by factors such as:
  + suspected compromise of the private key,
  + a change in job status or termination of the PKI subscription.
- Some revocation scenarios (figure not reproduced)

Key history
- Certificates are issued with a defined validity period,
- Encryption keys eventually expire,
- But that does not mean data encrypted under them no longer needs to be recoverable,
- So the keys needed for decryption must be stored securely and reliably even after the corresponding certificate has expired,
  + this forms the key history

Key archival
- Secure and reliable long-term storage of keys,
- Usually supported by the CA or another trusted third party

Question 7: Trust models

Hierarchical model

Description: a tree with the root CA at the top and branches spreading downward. The root CA is the trust anchor for every entity below it. Below the root CA are end entities or some intermediate CAs forming the interior nodes of the tree. The leaves are non-CA entities.
In this model:
- the root CA issues certificates to the CAs or entities directly below it,
- those CAs in turn issue certificates to entities or further CAs directly below them,
- every party must know the root CA's public key,
- every certificate can be verified by checking its path up to the root CA
Advantages:
- mirrors the hierarchical management structure of organizations,
- resembles the hierarchy of a directory tree, so it is easy to get used to,
- the certification path is found in one direction with no loops, so path building is simple and fast
Disadvantages:
- over a wide scope a single CA cannot handle all certification,
- business relationships are not always hierarchical,
- if the root CA's private key is compromised, the whole system is compromised
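The certificate checks listed under "Certificate validation" in Question 6, run over the hierarchical model above (root CA, one issuing CA, one end entity), as an added example that is not part of the original notes. Certificates are plain in-memory dictionaries rather than X.509 DER, the signature is textbook RSA over SHA-256 with no padding (a toy; real CAs use RSA-PSS or ECDSA), and the 256-bit primes are generated at run time with Miller-Rabin. Every name in the block (make_cert, validate_path, build_demo, ...) is this example's own, not any library's API.

```python
"""Path validation in a two-tier hierarchy: root CA -> issuing CA -> end entity.
Added example, not from the original notes. Toy RSA (no padding), dict certificates."""
import hashlib
import json
import secrets

def is_probable_prime(n, rounds=24):
    """Miller-Rabin primality test, adequate for an illustration."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rand_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exact bit length, odd
        if is_probable_prime(c):
            return c

def rsa_keypair(bits=512):
    """Returns ((n, e), (n, d)) with e = 65537."""
    e = 65537
    while True:
        p, q = rand_prime(bits // 2), rand_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def tbs_digest(tbs):
    """Canonical encoding of the to-be-signed fields, hashed to an integer < n."""
    raw = json.dumps(tbs, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big")

def make_cert(serial, subject, issuer, issuer_priv, pub, not_before, not_after, is_ca):
    """The issuer signs the TBS part; times are plain integers (e.g. epoch seconds)."""
    tbs = {"serial": serial, "subject": subject, "issuer": issuer, "n": pub[0], "e": pub[1],
           "notBefore": not_before, "notAfter": not_after, "ca": is_ca}
    n, d = issuer_priv
    return {"tbs": tbs, "sig": pow(tbs_digest(tbs), d, n)}

def sig_ok(cert, issuer_pub):
    n, e = issuer_pub
    return pow(cert["sig"], e, n) == tbs_digest(cert["tbs"])

def validate_path(leaf, intermediates, trust_anchors, revoked, now):
    """Checks validity window, revocation by (issuer, serial), the CA flag of every
    issuer, each signature under the issuer's key, and termination at a trust anchor.
    trust_anchors maps root CA name -> public key, which every party must know."""
    by_subject = {c["tbs"]["subject"]: c for c in intermediates}
    cert, depth = leaf, 0
    while True:
        t = cert["tbs"]
        if depth > 8:
            return False, "path too long"
        if not t["notBefore"] <= now <= t["notAfter"]:
            return False, f"{t['subject']}: outside validity period"
        if (t["issuer"], t["serial"]) in revoked:
            return False, f"{t['subject']}: revoked"
        if depth > 0 and not t["ca"]:
            return False, f"{t['subject']}: not a CA but used as issuer"
        if t["issuer"] in trust_anchors:           # reached the root: verify and stop
            ok = sig_ok(cert, trust_anchors[t["issuer"]])
            return (True, "ok") if ok else (False, f"{t['subject']}: bad signature")
        issuer = by_subject.get(t["issuer"])
        if issuer is None:
            return False, f"{t['subject']}: issuer {t['issuer']} not found"
        if not sig_ok(cert, (issuer["tbs"]["n"], issuer["tbs"]["e"])):
            return False, f"{t['subject']}: bad signature"
        cert, depth = issuer, depth + 1

def build_demo():
    """Constructed hierarchy: offline root, one online issuing CA, one end entity."""
    root_pub, root_priv = rsa_keypair()
    ca_pub, ca_priv = rsa_keypair()
    ee_pub, ee_priv = rsa_keypair()
    ca = make_cert(1, "Issuing CA", "Root CA", root_priv, ca_pub, 100, 500, True)
    ee = make_cert(7, "alice@example.org", "Issuing CA", ca_priv, ee_pub, 200, 300, False)
    return {"anchors": {"Root CA": root_pub}, "ca": ca, "ee": ee, "ee_priv": ee_priv}

if __name__ == "__main__":
    d = build_demo()
    print(validate_path(d["ee"], [d["ca"]], d["anchors"], set(), now=250))   # (True, 'ok')
```

Only the root CA's public key is configured as a trust anchor; the issuing CA is trusted solely because its certificate verifies under the root key and carries the CA flag. That is also why the root private key is the single point of failure named under "Disadvantages": a forged issuing-CA certificate would pass every check above.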

Mesh model

In this model:
- peer CAs cross-certify each other, forming a web of mutual trust,
- adjacent CAs issue certificates to each other,
- A can verify B along several different paths
Advantages:
- a flexible model, suited to the mutual trust relationships found in real business,
- allows direct peer cross-certification: especially useful when the users of two CAs work together often, cutting network traffic and processing,
- if a CA's key is compromised, only the certificates of that CA held by the parties that trust it directly need to be reissued
Disadvantages:
- because the network can be complex, finding paths can be hard,
- a party cannot produce a single certification path that guarantees every party in the system can be trusted

Trust-list model

In this model applications maintain a list of trusted root CAs. This is the architecture widely used for Web services; browsers and servers are the typical users.
Advantages:
- a simple architecture, easy to deploy,
- users have full control over the list of CAs they trust, and they work directly with the CAs on that list
Disadvantages:
- managing an organization's trusted CA list is hard,
- the certificate structure offers little help in finding certification paths,
- there is no direct support for peer cross-certification, which limits a CA's ability to manage its trust in other CAs,
- many applications do not automatically fetch certificate status or revocation information

Question 8: PKI in practice

What can PKI do? PKI is an authentication technology: a technical means of identifying entities in an environment. Public-key cryptography is combined with the following techniques to build a technology for identifying entities:
- a technique for establishing trust according to a defined trust model,
- a naming technique so that each entity is identified uniquely within the environment of interest,
- a technique for distributing information about the correctness of the binding between a particular key pair and a particular name to the other interested entities in the environment.
PKI provides authentication: a trustworthy way of supplying names, in its purest form. Knowing who somebody is does not mean knowing what they may do, does not mean trusting them automatically, and does not mean having enough information to carry out one's part of a given transaction correctly. PKI protects integrity, authenticity or confidentiality.

What can PKI not do?
- PKI does not address authorization
- PKI does not create trust in other end entities
- PKI does not create unique names for entities
- PKI cannot prevent or compensate for software bugs, buffer overflow problems, or denial-of-service attacks. In general it does not make everything secure.
- PKI does not change bad human behaviour.

Benefits of PKI:
- Easy to use for the end entity
- Operates efficiently for the organization running it
- Protection against impersonation for components concerned with authentication
- Accountability for components concerned with authorization
- Robustness in managing signatures and cryptographic operations

Question 9: The future of PKI

Causes and directions of development
Two main causes are considered:
- PKI may carry a fairly large flaw in many situations. In the commercial world, PKI has been viewed as a simple installation that will solve every security problem. In reality the required technology is fairly difficult and complex to install, and PKI solves only some security problems. => A misunderstanding of the nature and value of PKI.
- People emphasize the infrastructure aspect of this technology, as the underlying foundation for security on which many different services can be built and many different applications integrated. But most do not consider that an infrastructure itself also needs an infrastructure.

** For PKI to exist it needs a surrounding infrastructure:
- a recognized authority
- a motivation: what is PKI for? Why is PKI deployed?
- users: who uses PKI, and how?
** A recognized authority
- An organization is needed to promote the deployment and use of public-key certificates.
- It must be recognized, and the recognition must be backed by assurance mechanisms.
- It must be able to bootstrap trusted identity certificates successfully.
- Worldwide there is a push to build a recognized authority for PKI, and users are gradually getting used to the presence of PKI in daily life.
** Motivation
- Single sign-on is no longer the only strong motivation for PKI in many situations.
- In every environment, every user wants assurance that what is happening is correct and that the parties' responsibilities are clear,
- In many cases identification is not required to approve or complete a transaction, but it will certainly be required if a dispute arises between the parties. Holding the parties to their responsibilities and making them accountable easily is what PKI was designed to deliver reliably.
- Today the Web is a powerful and popular tool, and with the Web comes SSL (which uses digital certificates) => the motivation for PKI becomes strong.
** Users
- When a server is the main point of interaction with the PKI, upgrading PKI software does not require changing anything on users' machines; the upgrade only affects the server components of the environment.
- PKI is gradually becoming familiar and transparent to users
- Security measures protecting the CAs
- Whether different certificate policies are needed

Question 10: Detailed design of a hierarchical PKI architecture with CA tiers

CA tiers and their characteristics:
1* One root CA only (online): low security
- Only suitable if the organization has low security requirements for the CA and issues few certificates.
2* One root CA (offline) and one or more issuing CAs (online): medium security
- Suitable for a medium-sized organization with a single certificate policy.
3* One root CA (offline), one or more policy CAs (offline), one or more issuing CAs (online): high security
- Suitable for large, geographically distributed organizations that need high security.
An offline root only delivers the extra assurance if it signs nothing but subordinate CA certificates and CRLs, so that its private key is exposed only during those rare ceremonies.

Question 11: Digital signatures: definition, properties and requirements of a digital signature

* Definition: a digital signature (one kind of electronic signature) is a value computed with the sender's private key (the counterpart of a public key) over the document, and attached to it, so that the recipient can identify and authenticate the true origin and the integrity of the received data.

* Digital signature model: (figure not reproduced)

* Properties:
- When the message changes the signature must change, so the digital signature guarantees the integrity of the signed message;
- The signature cannot be reused and cannot be forged; nobody but the signer can sign a message, so the digital signature guarantees the authenticity of the signer;
- The two properties of unforgeability and authenticity give the signature its non-repudiation property: the signer cannot later deny having signed the message.
* Requirements
- a bit pattern that depends on the message being signed
- uses information unique to the sender
- easy to recognize and verify the signature
- practical to retain a copy of the signature (for later dispute resolution)

Question 12: Problems in deploying a PKI system

PKI is a good and promising security infrastructure, but deployments have revealed many problems. They stem from the fact that there is no deployment model regarded as standard, and from uncertain support from the legal system for PKI deployment.
1. Interoperability:
- Vendors are not mutually compatible: there is no agreement on keys and certificate management systems between vendors; certificates and the way of interacting with the PKI also differ,
2. Complexity, technological difficulty and user awareness
- X.509 certificates were built on the assumption of a global X.500 directory => identity management problems arise
- There is no rule guaranteeing identification once a certificate has been issued.
- Operating rules and legal liability are hard to establish,
- The technology is not ready; techniques and products are not stable
- Applications that exploit PKI's advantages and interoperate with PKI are still hard to find.
- Overall the system is not transparent and user-friendly.

3. Cost
- PKI is an infrastructure comprising hardware, software and services,
- PKI must be operated and managed by qualified staff
- It must grow like a communications network
- PKI is not just a technical application; it also contains organizational and legal issues
4. Legal aspects
- Solid legal support is needed so that PKI applications can be promoted.
- A legal framework recognizing the validity of electronic signatures, digital signatures and digital certificates is the driver for deploying PKI and digital signature / certificate applications.

Question 13: PKI protocols

1. Management protocols:
- Deploying a PKI needs a common management protocol. The current standard is the Certificate Management Protocol, CMP (RFC 4210)
- CMP allows interactions between an EE and a CA (or RA), between a CA and an RA, and between a CA and a CA in another domain (cross-certification)
- CMP runs over HTTP, FTP, e-mail and TCP/IP.
- Management tasks:
  + initial registration and certification
  + key pair recovery
  + key pair update
  + certificate update (renewal)
  + revocation request
  + cross-certification
2. Operational protocols:
- Operational protocols are used to retrieve PKI information (such as certificates and CRLs), based on the Lightweight Directory Access Protocol (LDAP)
- They include the operations:
  + read the data system
  + search the data system
  + modify the data system
3. Online certificate status protocol:
- The Online Certificate Status Protocol (OCSP) is defined as an alternative method for obtaining the current status of a certificate without retrieving a CRL, used when the current status of a certificate is needed at the exact moment it is required.
- OCSP lets a user determine the status of a specific certificate.
- OCSP can replace or supplement periodic checking of certificate revocation lists (CRLs)
- OCSP responses are signed by the CA (or a responder it delegates to) and carry their own validity times; a client that silently accepts a certificate when the responder is unreachable ("soft fail") gains little, which is why servers are expected to staple a fresh response into the TLS handshake.

Question 14: Strong authentication

a. Definition: strong authentication is certificate-based authentication that supports single sign-on deployment
b. Model: study one strong-authentication model (figure not reproduced)

Question 15: Understanding electronic passports

* Electronic passport: an identity document used to identify an individual and the citizenship of the passport holder. It usually contains basic information such as a facial image, full name, date of birth, sex, place of origin, nationality, national ID number, date of issue, issuing authority, and validity period. An electronic passport is an identity document issued to a citizen for a fixed period (about 10 years, depending on each country's rules) and replaces the traditional passport.
* The main goal of the electronic passport is to raise security in the issuance / inspection / authentication process.
* Three technologies of the electronic passport:
- RFID: radio-frequency identification, a technology that recognizes objects through a radio transmitter/receiver system and so allows each object to be monitored, managed or traced.
- Biometrics: identification and verification of a person based on some physiological characteristic. Common biometric features include fingerprints, face, iris, voice, handwriting and hand geometry. The foundation of biometric authentication is the uniqueness (or very low rate of coincidence) of certain biometric traits.

- PKI: PKI can be seen as a mechanism that lets a third party (usually a certificate provider) supply and verify the identity of two parties exchanging information. A PKI deployment must make the following processes secure:
  the process of checking whether the data stored in the e-passport is authentic;
  the process of checking whether the data in the e-passport has been altered or cloned;
  the process of checking whether the reader is permitted to access the data in the RFID chip.
Thus every e-passport, and every system that issues or inspects e-passports, must hold a digital certificate. Exchange of passport-issuing authority certificates between countries is done through diplomatic channels and through the ICAO Public Key Directory.

* Hierarchical PKI model (figure not reproduced)

The PKI model deployed with Terminal Authentication has the following entities:
- CVCA (Country Verifying Certification Authority): the national certificate verification authority.
- DV (Document Verifier): the e-passport verification authority.
- IS (Inspection System): the inspection system at border crossing points.

Structure of the e-passport: the e-passport has the same structure as an ordinary passport, except for an added RFID chip storing additional data. The data in the RFID chip must follow the standard issued by ICAO. The chip's Logical Data Structure (LDS) currently comprises 16 groups labelled DG1 to DG16. These groups are stored in the RFID memory; the data elements in each group (information fields) are identified through Data Element Presence Maps and located through tags.

Requirements for the e-passport
Information security in the issuance and inspection processes is always a major concern for every country. Therefore e-passport authentication must satisfy six basic properties:
Authenticity: the issuing authority must record the applicant's information correctly, with no confusion when writing information into the passport.
Non-cloneability: it must be impossible to create an exact copy of the RFID chip in the e-passport.
Integrity and authenticity: all information stored on the data page and in the RFID chip must be certified as unchanged since it was written and as created by the issuing authority.
Person-passport binding: it must be guaranteed that the e-passport belongs to its bearer; in other words the information in the e-passport must genuinely describe the passport holder.
Passport-chip binding: the booklet must be guaranteed to match the RFID chip embedded in it.
Access control: access to the information in the chip must have the holder's consent; access to sensitive biometric data is restricted and information leakage avoided.

Security mechanisms
The International Civil Aviation Organization (ICAO) has specified four security mechanisms to counter threats to e-passport security:
Passive Authentication (PA): mandatory in e-passport authentication; it checks the integrity and authenticity of the data stored in the RFID chip by verifying the issuing authority's signature over the hashes of the LDS data groups on the chip.
Basic Access Control (BAC): counters eavesdropping on and reading of passport information without the holder's consent, preventing skimming and eavesdropping.
Active Authentication (AA): proves the uniqueness and authenticity of the chip integrated in the e-passport using a dedicated key pair. The public key is stored in data group DG15 and protected by PA. The corresponding private key is stored in the chip's secure memory, can only be used inside the RFID chip and cannot be read out. This mechanism should only be used where BAC has been established.

Extended Access Control (EAC): strengthens protection of sensitive biometric data such as fingerprints and iris images and overcomes the limitations of Active Authentication. It has two stages:
Chip Authentication: a protocol that lets the inspection system verify the genuineness of the RFID chip in the e-passport. Before this protocol is used, the RFID chip must be protected by BAC.
Terminal Authentication: a protocol in which the RFID chip verifies whether the inspection system is authorized to access the sensitive data area. Once the inspection system can access biometric data, all communication must be suitably protected. Chip Authentication must have completed successfully before this protocol runs.

Use of digital signatures in the e-passport: the digital signature is stored in the SOD.
Writing the SOD (Document Security Object): while writing information into the RFID chip, an important step for data security is computing a hash value for each data group DG in the LDS with a SHA (Secure Hash Algorithm) hash function; the set of all these hash values is SOLDS. SOLDS is signed with the private key of the issuing authority (the Document Signer, DS), giving the signature SOD.signature.
Verifying the signature SOD.signature uses the public key PK_DS of the DS, taken from the DS certificate (a private key never leaves the signer; verification always uses the public key). This step confirms that SOLDS was indeed produced by the issuing authority and has not been altered.
In addition, digital signatures in the e-passport guarantee the integrity of the digital certificates. The CA's public key is distributed to certificate users through a secure mechanism before PKI operations are performed. Users check the validity of an issued certificate against its digital signature and the CA's public key.
