You are on page 1of 41

N TP

AN NINH MNG THNG TIN


1. Cc kiu thc c bn v k thut an ton mng thng tin
1.1 Cc c tnh an ninh mng vin thng.
Nhn thc (Authentication): Nhn thc l qu trnh kim tra s hp l ca cc i
tng tham gia thng tin. Xc nhn rng i tng (con ngi hay phn mm) c
cp php truy cp vo h thng. (mt khu, sinh trc hc). Cch nhn thc n
gin nht nhng cng km an ninh nht l kt hp tn ngi s dng v mt khu.
Cc phng php tin tin hn l s dng cc chng nhn s hay cc ch k in
t.
Cm t chi (Non repudiation): Yu cu cc bn c trch nhim vi giao dch c
tin hnh v bao gm c nhn dng i tng tham gia nhm trnh chi b.
Chng pht li (Non-replay): Trnh cc bn tham gia pht li cc bn tin gy ra
hin tng t chi dch v ca bn nhn.
Ton vn s liu (Integrity): l s m bo rng s liu truyn khng b thay i
hay b ph hoi trong qu trnh truyn dn t ni pht n ni thu. iu ny c th
c thc hin bng kim tra mt m hay MAC (Message Authentication Code: m
nhn thc bn tin).
M ha (Encryption): Mc ch ca bo mt l m bo tnh ring t ca s liu
chng li s nghe hoc c trm s liu t nhng ngi khng c php. Qu
trnh ny bao gm m ha bn tin vo dng khng th c c i vi bt k my
thu no khc tr my thu ch nh.
Trao quyn (Authorization): l c ch kim tra rng ngi s dng c quyn
truy nhp mt dch v c th v quyt nh mc truy nhp ca ngi s dng:
ngi s dng c quyn thc hin mt s hnh ng. Trao quyn thng lin h
cht ch vi nhn thc. Mt khi ngi s dng c nhn thc, h thng c th
quyt nh ngi s dng c lm g.
Trang 1

1.2 Khi nim mt m ho i xng: m khi v m dng:


Khi nim mt m kho i xng: cn c gi l mt m bng kha b mt qu
trnh mt m c s bao gm nhn s liu (Plaintext: vn bn th) s dng kho
ring duy nht (mt lung s liu khc) thc hin mt php tnh no (chng hn
cng hai lung s to ra mt lung th ba (vn bn mt m). Sau s liu
mt m c th c gi qua mng. Kiu mt m ny cn c gi l m mt ln.
M khi: Khi x l s liu, trc ht b mt m khi chia s liu thnh cc khi
(c gi l chunk) c kch thc bng nhau. Kch thc ca mi chunk c xc
nh da trn kch thc khi ca b m ha. V khng th m bo rng di ca
u vo l bi s kch thc khi ca b mt m ha, nn c th phi n thm.
M dng: mi ln b mt m dng tnh ton cho mt bit s liu. S dng mt kho
lm ht ging, chng to ra mt lung bit sau XOR vi s liu u vo. B mt
m v b gii mt m phi ng b vi nhau m bo cng mt bt lung c
s dng mt m vn bn th gii mt m bit tng ng ca vn bn th.
Note: Khi s dng m ha khi, mt mt gi khng nh hng n x l cc gi sau,
nhng s dng mt m dng iu ny s nh hng.
1.3 Khi nim v mt m ha kha i xng v mt m ha kha cng khai
Khi nim v mt m ha kha i xng
Cn c gi l mt m bng kha b mt qu trnh mt m c s bao gm nhn s
liu (Plaintext: vn bn th) s dng kho ring duy nht (mt lung s liu khc)
thc hin mt php tnh no (chng hn cng hai lung s to ra mt lung
th ba (vn bn mt m). Sau s liu mt m c th c gi qua mng. Kiu
mt m ny cn c gi l m mt ln.
Nhc im:
-

Trc ht khng thc t khi phi c di kho bng di s liu mc d kho


cng di cng cho tnh an ninh cao hn v cng kh m kho.

th hai l c hai pha cn s dng chung mt kho (kha ny thng c gi l


kha chia s). iu ny lm ny sinh cu hi: lm cch no pht kho n pha thu
mt cch an ton?
Trang 2

khc phc, ngi ta s dng mt m kho cng khai.


Khi nim mt m ha kha cng khai
Trong mt m kho cng khai hai kho c s dng. Mt kho cng khai v
mt kho ring ng thi c tao lp bng cng mt gii thut (gii thut thng
dng l RSA). Ngi s dng gi kho ring ca mnh nhng a ra kho cng
khai cho mi ngi. Kho ring khng bao gi c chia s vi mt ngi khc
hoc truyn trn mng. C th s dng kho cng khai mt m ho s liu
nhngbit v kho ny cng khng th gii m s liu ny v cn phi bit kho
ring. S d nh vy v cc php ton c s dng trong kiu mt m ny khng
i xng.
V d: Ngi s dng A mun pht s liu c bo v n ngi s dng B, ngi
s dng A s dng kho cng khai ca ngi s dng B mt m ho s liu v
an tm rng ch c ngi s dng B l c th c c s liu ny.
1.4 Hot ng ca m khi mc xch CBC
Ch CBC nhn khi vn bn mt m trc v XOR n vi khi vn bn th
mt m. V khng c khi trc i vi khi u tin nn khi ny c XOR vi
mt vect khi u (IV: Initial Vector). di ca IV phi bng di ca khi mt
m m bo x l ton b khi th nht. IV phi c cc thuc tnh ngu nhin
mnh m bo rng vn bn th ging nhau khng to ra vn bn mt m ging
nhau.

Gii mt m l qu trnh ngc ca mt m: mi khi c gii mt m v tnh ton


XOR (Exclisive Or: hoc loi tr) vi khi trc cha gii mt m. Khi u tin
c gii mt m v tnh ton XOR vi IV.
Trang 3

1.5 Hot ng ca gii thut tiu chun m ha tin tin AES


AES c xy dng da trn gii thut Rijindael. y l mt phng php mt m
ha lp lin kt c coi rng c cc thuc tnh mt m mnh. Ngoi vic cung cp
mt m mnh, AES cn cho php thc hin nhanh v d rng trong phn cng cng
nh phn mm v i hi b nh nh hn so vi cc s mt m tng ng khc.
Hot ng:
1. Trong thao tc Subytes, tng byte trong trng thi S c thay th bng mt byte
khc bng cch s dng mt bng tra cu c gi l hp S (S-Box). Hp S c
8
s dng rt ra hm o trn trng GF( 2 ) c bit l c cc thuc tnh phi

tuyn tt. Thao tc ny l thao tc duy nht m bo tnh phi tuyn cho mt m ny.
Mc d c th rt ra bng S bng phng php ton hc, nhng hu ht cc ng
dng s dng bng thay th lu trong b nh.
2. Trong thao tc ShiftRows, mi hng c dch vng theo mt s bc c nh.
Chng hn, cc phn t ca hng th nht c nguyn, cc phn t ca hng
th hai dch tri tri mt ct, cc phn t ca hng th ba dch tri hai ct v cc
phn t ca hng th t dch tri ba ct. Thao tc ny m bo rng mi ct ca
trng thi u ra trong bc ny bao gm cc byte ca mi ct ca trng thi u
vo.
3. Trong thao tc MixColumns, mi ct c chuyn i tuyn tnh bng cch nhn
vi mt ma trn trong trng hu hn. Ni chnh xc hn, mi ct c x l nh
8
l mt a thc to m trn GF( 2 ) sau c nhn modul

x 4 +1 vi mt a

3
2
thc c nh C(x)=3 x + x +x+2. Chuyn i tuyn tnh kh o ny cng vi

thao tc ShiftRows m bo s ri rm trong b mt m.

Trang 4

4. Trong thao tc AddRoundKey, trong mi trng thi c hoc loi tr (XOR)


vi kha vng. Qu trnh AES bao gm vic rt ra 11 kha vng t kha mt m
a n u my mt m. Bn thn m kha mt m c chuyn n cng l kt
qu ca mt s bin i nh: lm ri (Hashing) c thc hin trn kha b mt
ch. 11 kha vng c rt ra t kha mt m bng cch s dng gii thut tnh
ton n gin.

c im:
M ha AES vi kha c kch thc 256 bt (an ton). M ha AES l mt m khi
gm nhiu vng. M ha AES khng phi l mt m ha Feistel. Cho php la chn
kch thc khi m ha l 128, 192 hay256 bt. Cho php la chn kch thc ca
kha mt cch c lp vi kch thc khi: l 128, 192 hay 256 bt. S lng vng c
th thay i t 10 n 14 vng ty thuc vo kch thc kha.
Trang 5

1.6 Gii thut RSA v phn tch u, nhc im.


Phng php RSA l mt phng php m ha kha cng khai v l phng php
m ho theo khi trong bn r M v bn m C l cc s nguyn t 0 n

vi i

l s bit ca khi. Kch thc ca i thng dng l 1024 bt. RSA s dng hm mt
chiu l phn tch mt s thnh tha s nguyn t.
Nguyn tc thc hin:
thc hin m ha v gii m, RSA dng php ly tha modulo ca l thuyt s.
1. Tm 2 s nguyn t p v q, sao cho N=p.q. N thng c gi l modulus.
2. Chn E (kho cng khai) sao cho 1<E<N. E v (p-1)(q-1) l s cc s nguyn t
tng i. N v E cng nhau to nn kho cng khai.
3. Tnh D (kho ring) sao cho (DE-1) chia ht cho (p-1)(q-1).
4. Ngha l DE=1+{mod[(p-1)(q 1)]}. Hay tm mt s nguyn X sao cho D=(X(p-1)
(q-1)+1)/E l mt s nguyn v sau s dng gi tr ca D.
5. Mt m ha bn tin M to ra vn bn mt m C bng cch s dng hm C=
M

[mod(N)], trong M l bn tin cn c mt m ho phi nh hn modulus

N.
D
6. Gii mt m vn bn mt m bng hm M= C [mod(N)]. ph kho ring D ta
cn phn tch N vo tha s N.
u, nhc im ca RSA:
u im:
-

Vt kha: cch tn cng ny th tt c cc kha d c th c tm ra bn gii m


c ngha, tng t nh cch th kha K ca m ha i xng. Vi N ln, vic
tn cng l bt kh thi.

Thut ton mi, tc tnh ton: kh thi

Nhc im:
- Chn mt kha ring khng phi chuyn d, nu chn khng cn thn c th dn
n s d b b v.
- L b mt m khng i xng hay n cung cp gii php cho vn phn phi
kha bng cch s dng kha cng khai v kha ring, nhng chng qu phc tp

Trang 6

dn n tnh ton chm hn cc b gii m i xng. i vi cc tp s liu ln,


y c th tr thnh vn .
1.7 Gii thut trao i kho Diffie-Hellman v phn tch u nhc im
Trao i kha Diffie-Hellman dng thit lp mt kha b mt gia ngi gi v
ngi nhn m khng cn dng n m ha cng khai. Phng php ny dng hm
mt chiu l hm logarith ri rc. Diffie-Hellman khng c ngha v mt m ha
ging nh RSA.
Trnh by gii thut:
1. Hai bn A v B chn cng mt s nguyn t ln p cng vi mt s nguyn thu g (
gn

mod p<p, n ch l s nguyn dng). Hai s p v g ny c th cng khai.

x
2. A chn mt s b mt x ln (x<p) v pht phn d sau n B: X= g mod p.
y
3. Tng t B chn mt s ln (y<p) v pht phn d sau n A: Y= g mod p.
x
4. A tnh ton phn d: s= Y mod p.
y
5. B tnh ton phn d: s= X mod p.
xy
6. V s= s= g

mod p v th chng c chn mt m ha i xng cho c hai

pha.
7. Mc d cc kha cng khai (X v Y) c gi trn mng nhng kha cui cng (s
v s) li ph thuc vo cc kha ring (x v y) nn chng vn c bo mt.
Phn tch u, nhc im:
u im:
-

Vic tha thun da trn cc tham s chung.

Cc kha b mt ch c to khi cn thit. Khng cn phi cha cc kha b mt


trong mt khong thi gian di.

N an ton i vi vic tn cng th ng ngha l mt ngi th ba bit x,y s


khng tnh c K v tnh phc tp ca hm logarith ri rc.

Nhc im:
-

N khng cung cp thng tin bt k v cc nh danh ca cc bn.

Trang 7

Giao thc l khng an ton i vi vic tn cng ch ng bng cch nh tro


gia ng hay cn gi l kiu tn cng Man in the Midle".

1.8. Khi nim v hm bm v cc yu cu ca hm bm


Khi nim
Hm Hash (hm bm) nhn cc bn tin R c kch c bin i lm u vo v
sinh ra m Hash c kch c c nh H(R), gi l gi tr tm lc u ra.
M Hash l hm ca tt c cc bit ca bn tin v cung cp kh nng pht hin
sai.
S thay i i vi cc bit bt k hoc cc loi bit trong bn tin s sinh ra s
thay i trong m Hash.
Cc yu cu
H c th thao tc vi khi d liu kch thc bt k
H to ra u ra di c nh
H(x) c tnh d dng vi x bt k
Vi gi tr m bt k ca hm Hash, khng th tm ra x H(x)=m
Vi khi x bt k, khng th tm y#x H(y)=H(x)
Khng th tm ra cp (x,y) tha mn H(x)=H(y)
1.9. Ch k in t v yu cu ca ch k in t , qu trnh to ra ch k in t.
Ch k in t c s dng kim tra xem bn tin nhn c c phi t pha
pht hp l hay khng. N da trn nguyn tc l ch c ngi to ra ch k ny
c kha ring v c th kim tra kha ny bng kha cng khai.
Ch k in t c to ra bng cch tnh ton tm tt bn tin MD (Message
Digest) cho mt ti liu sau MD c kt hp vi thng tin ca ngi k,
nhn thi gian v cc thng tin cn thit khc bt k.
Yu cu ca ch k in t
o Yu cu ca ch k s
Trang 8

Yc1: Ch k s phi l mt mu bit nh phn ph thuc vo bn tin c k.


Yc2: Ch k s phi dng thng tin ch c i vi ngi gi trnh c gi
mo v t chi trch nhim.
Yc3: Ch k s phi tng i d c to ra
Yc4: Ch k s phi d c nhn ra v kim tra
Yc5: Ch k s phi khng c gi mo c v mt tnh ton hoc bng cch
to bn tin mi t ch k s c hoc to ch k s gi mo cho mt bn tin
c th.
Yc6: Khi ci t, ch k s phi c d dng tch ra v lu tr
Qu trnh to ra ch k in t

1.10. Trnh by v h tng kha cng khai PKI v cc m hnh PKI


H tng kha cng khai PKI l thut ng c s dng m t mt vi t
chc hon thin ca cc h thng v cc quy tc xc nh mt h thng an ninh.
Ngoi ra PKI c nh ngha nh l tp phn cng phn mm, con ngi v
cc th tc cn thit to lp , qun l, lu gi v hy cc chng nhn da
trn m ha cng khai.
Cc phn t ca PKI gm:

Trang 9

T chc pht hnh chng ch (CA): l mt bn th 3 c tin cy c trch


nhim to qun l, phn phi, lu tr v thu hi cc chng ch s. CA s nhn
cc yu cu cp chng ch s v ch cp cho nhng ai xc minh c nhn
dng ca h.
T chc ng k (RA): ng vai tr trung gian gia CA v ngi dng. Khi
ngi dng cn chng ch s mi, h gi yu cu ti RA v RA s xc nhn tt
c cc thng tin nhn dng cn thit trc khi chuyn tip yu cu ti CA
CA thc hin to v k s ln chng ch ri gi v cho RA hoc gi tip cho
ngi dng.
Kho v lu tr chng th (CRA): u tin l kho lu tr cng khai v phn
phi cc chng th CRL (cha danh sch cc chng th khng cn hiu lc).
Kho th hai l mt c s d liu c CA dng sao lu cc kha ang s
dng v lu tr cc kha ht hn, kho ny cn c bo v an ton nh chnh
CA.
My ch bo mt (SS): L mt my ch cung cp cc dch v qun l tp trung
tt c cc ti khon ngi dng, cc chnh sch bo mt chng th s, cc mi
quan h tin cy gia cc CA trong PKI, lp bo co v nhiu dch v khc.
Cc ng dng cho php PKI v nhng ngi s dng PKI: bao gm ngi s
dng cc dch v ca PKI v cc phn mm c h tr ci t v s dng cc
chng th s nh cc trnh duyt web, cc ng dng email pha my khch.
Ba chc nng chnh ca PKI gm:
Chng nhn
Cng nhn hp l
Hy
Qu trnh chng nhn bao gm vic to ra mt cp kha cng khai bao gm
kha cng khai v kha ring do ngi s dng to ra v trnh cho CA trong
mt phn ca yu cu hay do CA thay mt ngi s dng to ra.

Trang 10

Cng nhn hp l bao gm vic kim tra ch k do CA pht hnh i chiu


vi CRL v kha cng khai ca CA.
Hy mt chng nhn hin c trc khi ht hn cng c thc hin bi CA.
Sau khi chng nhn b hy, CA cp nht CRL thng tin mi.
Cc m hnh PKI
o PKI phn cp

M hnh bao gm mt CA nm cp trn cng gi l Root CA, cc CA cn li


gi l sub.CA v hot ng bn di root CA. Ngoi tr root CA th cc CA cn
li trong u c duy nht mt CA l cp trn ca n.
Tt c cc thc th (nh ngi dng, my tnh) trong t chc u phi tin cy
cng mt root CA. Sau cc trust relationship c thit lp gia cc sub. CA
ca chng thng qua vic CA cp trn s cp cc chng ch cho cc sub. CA ngay
bn di n.
o PKI dng li

Trang 11

Tt c ngi dng trong mng li c th tin cy mt CA bt k, khng nht


thit hai hay nhiu ngi dng phi cng tin mt CA no v c ngi dng tin
cy CA no th s nhn chng ch do CA cp.
Cc CA trong m hnh ny sau s cp cc chng ch cho nhau. Khi 2 CA cp
chng ch cho nhau th mt s tin cy hai chiu c thit lp gia 2 CA . Cc
CA mi c th c xin vo bng cch to cc mi tin cy 2 chiu gia chng
vi cc CA cn li trong mng li.
o CA n l- single CA

y l m hnh PKI c bn nht ph hp vi cc t chc nh trong ch c


mt CA cung cp dch v cho ton h thng v tt c ngi dng t s tin cy
vo CA ny. Mi thc th mun tham gia vo PKI v xin cp chng ch u phi
thng qua CA duy nht ny. M hnh ny d thit k v trin khai nhng cng c
cc hn ch ring.
Th nht l kh nng co gin khi quy m t chc c m rng, ch
mt CA th kh m qun l v p ng tt cc dch v

Trang 12

Hn ch th hai l CA ny s l im chu li duy nht, nu n ngng hot


ng th dch v b ngng tr.
Cui cng, nu n b xm hi th nguy hi ti tin cy ca ton b h
thng v tt c cc chng ch s phi c cp li mt khi CA ny c
phc hi.
1.11. Phn tch s cn thit cn phi xc thc v nu cc phng php xc thc
S cn thit cn xc thc l do l lm mt cch no mt ngi s dng c
th tin chc rng h ang thng tin vi ngi thn ch khng b mc la bi k
khc. Nhn thc c th c gii quyt bng cc s dng mt m ha cng
khai. y ta cn mt c ch m bo ngi s dng hay thit b c xt
l hp l.
V d m bo s liu nhn c l thc s t ngi s dng B, ngi s
dng A c th s dng kha cng khai, kha ring cng vi mt s ngu nhin.
Nu B tr li ng s ngu nhin ca A, th A c th tin tng rng bn tin c
gi n n chnh l t B. Tng t B cng c th chc chn rng A xc nhn
bn tin m n gi. Ngi khc khng th c c bn tin ny cng nh khng
th to ra c bn tin khc, v khng ngi s dng no khc c th c c
kha ring hay s ngu nhin ng.
Cc phng php xc thc
a Giao thc nhn thc kh m rng (EAP)
EAP l chng trnh khung linh hot do IETF to lp cho php cc giao thc
nhn thc c trao i gia b ngi xin truy nhp v server nhn thc. EAP l s
ng bao n gin c th hot ng khng ch trn PPP m cn trn mi lin kt k
c lin kt WiMAX

Trang 13

EAP gm mt tp cc bn tin m phn c trao i giuwax client v server


nhn thc. Giao thc ny nh ngha mt tp cc bn tin yu cu v tr li,
trong b nhn thc gi yu cu n server nhn thc; ty theo tr li, client
c th c php truy nhp hoc b t chi.
EAP nh ngha cc quy tc nhn thc ngi s dng hay thit b, mt s
phng php EAP c nh ngha h tr nhn thc bng cch s dng
cc chng ch nh mt khu, cc chng nhn, cc th v cc th thng minh.
Trong WiMAX, EAP truyn t MS n BS trn giao thc PKMv2 (qun l
kho b mt) c nh ngha trong IEEE 802.16e-2005. Nu b nhn thc
khng c t trong BS, BS chuyn tip giao thc nhn thc n b nhn thc
trong mng dch v truy nhp (ASN), t b nhn thc n server nhn thc,
EAP c truyn trn RADIUS.
b Giao thc nhn thc mt khu (PAP)
PAP l mt giao thc nhn thc s dng password. PAP s dng da trn giao
thc im im xc nhn cho ngi dng trc khi cho php h truy nhp
ti ti nguyn ca server. Hu ht tt c cc h thng hot ng mng iu
khin server h tr PAP.
PAP truyn i cc mt khu ASCII c gii m thng qua mng, do s
khng c an ton. PAP c s dng nh mt gii php cui cng khi iu
khin server khng h tr cc giao thc nhn thc bn vng hn, nh CHAP
hoc EAP

Trang 14

Nhn thc da trn password l giao thc cha 2 thc th mng cng chia
s mt password v s dng password nh mt c s nhn thc. Tn ti cc
phng php nhn thc password c th phn loi thnh 2 kiu: phng php
nhn thc password yu v nhn thc password mnh.
c Giao thc xc thc th thch-bt tay (CHAP)
CHAP l m hnh xc thc da trn username v password. Xt trng hp 2
router s dng giao thc xc thc CHAP
R1 v R2 c cng mt password chung c thit lp trc . R1 mun kt
ni n R2 th n phi chng minh c rng n nm b mt chnh l password
gia chng. Khc vi giao thc PAP truyn pass di dng clear text, giao
thc CHAP truyn mt gi tr hash m gi tr u vo l password v cc
trng khc. vt qua c th thch th gi tr hash sau khi tnh ton ca 2
bn phi ging nhau.
1.12. Nhn thc bng m xc thc bn tin MAC v cc gii thut HMAC, CMAC.
a Nhn thc bng m xc thc bn tin
L phng php m bo ton vn s liu v nhn thc ngun gc s liu. S
ph bin ca phng php ny:

Xc thc bn tin bng hm hash


A m bn tin m v hm bm H(m)
A gi m v H(m) cho B

Trang 15

B nhn c bn tin v hm bm, tnh ton bm v so snh hm bm H(m)


nhn c xc thc.
Ngi gi mo gi bn tin m, H(m) v gi cho B bn tin m, H(m)
M xc thc bn tin MAC
b HMAC (m nhn thc bn tin da trn hm lm ri)
L mt phng php nhn thc s dng hm mt m hash kt hp vi mt kha
b mt. Phng php ny c s dng bo v ton vn s liu v nhn thc
bn tin. Mi hm hash lp mt m u c th s dng tnh ton HMAC
im mnh ca HMAC ph thuc vo im mnh mt m hc ca hm hash.
Hm hash lp chia bn tin thnh cc khi c kch thc c nh v x l lp
chng bng mt hm nn
nh ngha HMAC i hi mt hm hash v mt kha b mt. Gi thit H lm
ri s liu bng cch s dng hm nn lp nhiu ln i vi khi s liu B o
bng byte (B=64) v L k hiu cho di o bng byte u ra ca Hash, kha
nhn thc K c th c di bt k v ln nht bng di B
Cc ng dng s dng cc kha ngn hn phi chn cc byte 0 c di B.
Tri li cc ng dng c cc kha di hn B trc ht phi lm ri kha bng H
v sau s dng L byte nhn c vi chn thm cc byte 0 c di B.
c CMAC (m nhn thc bn tin da trn mt m)
L m nhn thc bn tin da trn mt m khi
to ra th ca CMAC c di l bit ca bn tin m bng cch s dng mt
b mt m khi

di bit v mt kha b mt K. Trc tin phi to ra 2 kha

con k1 v k2 theo gii thut.

Trang 16

2. An ton cho ng dng mng vin thng


2.1. c tnh an ton ca VPN lp 2 v thit lp ng hm trn L2TP
2.2. Giao thc IPSec v hai ch AH v ESP ca giao thc IPSec
Khi nim: IPsec l mt h thng cc giao thc bo mt cho qu trnh truyn
thng tin nn IP thuc lp mng. N cho php gi nhn cc gi tin IP c m ha.
Mc ch chnh ca IPSec l bo v lung d liu mong mun da trn cc dch
v bo mt c sn, hot ng ca IPSec c th chia thnh 5 bc chnh nh sau:

S hot ng IPSec gia hai host

- A gi cc traffic cn bo v ti B
- Router A v B tha thun cc tham s IKE Phase 1
IKE SA

<= IKE Phase 1 => IKE SA

- Router A v B tho thun cc chnh sch IKE Phase 2


IPSec SA <=

IKE Phase 2 => IPSec SA

- Thng tin c truyn dn qua tunnel IPSec


- Kt thc tunnel IPSec
Bc 1: Traffic cn c bo v khi to qu trnh IPSec. y, cc thit u
cui IPSec s nhn ra u l lu lng cn c bo v thng qua trng a ch.
Bc 2: IKE Phase 1 IKE xc thc cc bn v mt tp cc dch v bo mt c
tho thun v cng nhn thit lp IKE SA. Trong phase ny, s thit lp mt knh
truyn thng an ton tin hnh tho thun IPSec SA trong Phase 2.
Bc 3: IKE Phase 2 IKE tho thun cc tham s IPSec SA v thit lp cc
IPSec SA tng ng hai pha. Cc tham s bo mt ny c s dng bo v
Trang 17

d liu v cc gi tin trao i gia cc im u cui. Kt qu cui cng ca hai bc


trn s to ra mt knh thng tin bo mt gia hai bn.
Bc 4: Truyn d liu D liu c truyn gia cc bn IPSec da trn c s
cc thng s bo mt v cc kho c lu tr trong c s d liu SA.
Bc 5: Kt thc ng hm IPSec Do cc IPSec SA ht hn hoc b xo.
SA lin kt an ninh(Security association). Mi SA c xem nh mt quan h mt
chiu gia hai u truyn nhn d liu, nhm mc ch xc nh cc thng s no bo
mt p dng cho lung d liu theo chiu . Nh vy, mt kt ni hai chiu thng
thy gia hai h thng u cui s bao gm 2 SA. Mi SA s dng 1 giao thc ng
gi nht nh (AH hoc ESP) ch khng th s dng ng thi c hai.

Ty theo mc , IPsec c th cung cp tnh bo mt v xc thc cho qu trnh


trao i d liu trn 2 kiu dv m ha: AH, ESP
AH (Authentication header): L giao thc cung cp s ton vn, chng thc
ngun d liu v mt s ty chn khc. Nhng khc vi ESP, n khng cung
cp chc nng bo mt (data confidential). AH m bo d liu khng b thay
i trong qu trnh truyn dn nhng khng m ha d liu.

IP Packet c bo v bi AH

Trng AH ch nh ci s theo sau AH header. Trong transport mode, n s l gi tr


ca giao thc lp trn ang c bo v (chng hn UDP hoc TCP). Trong tunnel

Trang 18

mode, gi tr ny l 4. V tr ca AH trong transport v tunnel mode c m t hnh


sau:

IP Packet c bo v bi AH trong Transport Mode


Trong tunnel mode, AH ng gi gi tin IP v thm vo mt IP header trc AH
header

IP Packet c bo v bi AH trong Tunnel Mode

ESP (Encapsulating Security Payload): L giao thc cung cp s an ton, ton


vn, chng thc ngun d liu v nhng ty chn khc, chng hn anti-replay.
ESP cung cp gn nh ton b tnh nng ca IPSec, ngoi ra n cn cung cp
tnh nng m ha d liu. Do , ESP c s dng ph bin trong IPSec VPN.
ESP bao gm nhng tnh nng sau:

Tnh bo mt (Data confidentiality)

Tnh ton vn d liu (Data integrity)

Chng thc ngun d liu (Data origin authentication)

Trnh trng lp (Anti-replay)

Nhng tnh nng trn cng l nhng tnh nng c trng v chnh yu nht ca
IPSec.
Lu : ESP s dng IP protocol number 50.
Hot ng ca ESP

Trang 19

ESP chn mt header vo sau phn IP header v trc header ca giao thc lp
trn. Header ny c th l mt IP header mi trong tunnel mode hoc IP header ca gi
tin ban u trong transport mode. Hnh sau cho thy v tr ca ESP header trong
transport mode v tunnel mode:

IP Packet c bo v bi ESP trong Transport Mode

IP Packet c bo v bi ESP trong Tunnel Mode

2.3. Khi nim lin kt an ninh SA, s liu lin kt an ninh SAD v s liu chnh
sch an ninh SPD trong x l gi tin IPSec
Lin kt an ninh (SA: Security Asociations): L mt kt ni logic gia hai thc
th s dng Ipsec ; n hng
S liu lin kt an ninh SAD (Security Association Database ) nm gi thng tin
lin quan n mi SA. Thng tin ny bao gm thut ton kha, thi gian sng ca SA,
v chui s tun t.
Thng thng, c 2 SAD l inbound (trong) v outbound (ngoi);
Mi mc trong mt SAD trong c la chn bng cch s dng 3 ch s:
-

Ch s tham s bo mt (mt s 32 bit nh ngha SA ti im n)

a ch ch

Trang 20

Giao thc (AH hoc ESP)


S liu chnh sch an ninh SDP: nm gi thng tin v cc dch v bo mt km
theo vi mi danh sch th t chnh sch cc im vo v ra; nh ngha lu lng no
c x l v lu lng no b t chi theo tng chun ca IP sec.
Mi host ang s dng giao thc Ipsec cn phi lu mt c s d liu chnh sch
bo mt SPD (SPD inbound v SPD outbound). Mi mc trong SPD c th c truy
cp bng cch s dng mt ch s nhm gm: a ch ngun, a ch ch, tn, giao
thc, cng ngun, cng ch.
2.4. Giao thc trao i kha IKE
Internet Key Exchange (IKE)
L giao thc thc hin qu trnh trao i kha v tha thun cc thng s bo mt
nh: thut ton m ha c p dng, khong thi gian kha cn c thay i. Sau
khi tha thun xong th s thit lp hp ng gia 2 bn, khi IPSec SA (Security
Association) c to ra.
SA l nhng thng s bo mt c tha thun thnh cng, cc thng s SA ny
s c lu trong c s d liu ca SA
Ngoi ra IKE cn dng 2 giao thc khc chng thc u cui v to kha:
ISAKMP (Internet Security Association and Key Management Protocol) v Oakley.
ISAKMP: l giao thc thc hin vic thit lp, tha thun v qun l chnh
sch bo mt SA.
Oakley: l giao thc lm nhim v chng thc kha, bn cht l dng thut
ton Diffie-Hellman trao i kha b mt thng qua mi trng cha bo mt.
Lu : Giao thc IKE dng UDP port 500
2.5. Khi nim thit lp MPLS VPN lp 2 v lp 3. Phn tch cc c tnh an ton
ca MPLS VPN

Trang 21

3. An ton mng WLAN


3.1. Hot ng m bo an ton trong WLAN s dng giao thc an ton WEP
trong tiu chun IEEE 802.11
Chun 802.11 nh ngha phng thc chng thc WEP (Wired Equivalent
Privacy) bo mt tn hiu trn ng truyn v tuyn: bo mt, nhn thc, ton vn.
WEB s dng mt c ch xc thc da trn mt m, c ch ny da trn mt kha b
mt dng chung v thut ton m ha RC4 ( Rons Code)
3.1.1. Xc thc ngi dng

c dng xc thc cc my trm khi kt ni n cc Access Point. WEP cung


cp 2 ch nhn thc: xc thc h thng m v xc thc bng kha chia s.
Xc thc h thng m :
-

Xc thc bt c ai yu cu xc thc.

Cung cp dng xc thc NULL.

My trm c xc thc nu n p ng mt a ch MAC khi trao i ban


u vi Access Point -> khng cung cp danh tnh ca my trm.

Xc thc bng dng kha chia s


-

X dng 1 kha chia s xc thc client n AP.

Kha chia s c t trong c s d liu v thng tin qun l ca tng trm


di ng.

802.11 khng nh nghi cch phn phi kha cho tng trm.

Qu trnh xc thc nh sau:

Trang 22

+ Client (b thch ng WLAN) ca trm mi gi khng cha yu cu xc


thc
+ AP nhn c s tr li bng khung nhn thc cha h lnh ngu nhin.
+ Client sao chp h lnh ny vo khung xc thc, mt m ha bng kha
chia s v vecto khi to ri gi n AP
+ AP nhn c dng kha chia s gii m v so snh vi vn bn h
lnh n gi i v tr li Client truy nhp thnh cng hay tht bi.
3.1.2. Mt m v gii mt m WEb

Qu trnh m ha

Vn bn th c mc ni vi 4 byte kim tra tnh ton vn ICV (4byte ny


c to ra bi gii thut ton vn CRC u vo) : data+ICV.
Kha b mt k (40bits hoc 128bits) c mc ni vi vecto khi to IV
(24bits) sau c a qua b to s gi ngu nhin PRNG (RC4 PRNG)
cho ra chui kha gi ngu nhin : RC4(k+IV)
Vn bn m ha C = (data + ICV) XOR RC4(k+IV)

Trang 23

Vecto khi to IV cng c gi n bn nhn bng cch t IV trc C.


Gii mt m WEP
(Hnh 8.8 bi ging, trang 266)
IV ca bn tin thu c mc ni vi kha b mt i qua b to s gi ngu
nhin to ra chui kha gii m.
Vn bn mt m XOR vi chui kha cho ta vn bn th ng thi a qua
b gii thut ton vn CRC tm ra ICV1.
Gii mt m kim chng bng cch so snh ICV1 vi IVC c pht km
vi bn tin.
Nu ICV1 # ICV bn tin b mc li, ch th li c gi v pha pht.
3.1.3. Phn tch cc im yu ca WEP

Qun l kha

Xung t

ng gi nhn thc

Tn cng tn bo: chn bt mt gi mt m v sau p dng mt khi


lng rt ln tnh ton.

Tn cng FMS (Fluhrer, Mantin and Shamir): Tn cng FMS da trn vic
chn bt khi lng ln lu lng mt m sau s dng mt my tnh cng
sut tnh ton nh cho mt gii thut ph kha.

Tn cng vo kha
Do dng chung 1 kha cho c m ha v gii m nn l cch no phn
phi kha gia 2 bn v khi s ngi s dng qu ln.
Mi ngi s dng phi bit kha v gi n b mt. Khi mt ngi qun
my tnh ti cng s hoc b nh cp: ngi ny phi c cp kha mi
v phi nhp n v cu hnh cu client.

Trang 24

Ngoi ra k tn cng c th ly cp kha ny t mt phin v s dng n


gii m cc phin khc v mi ngi u s dng cng mt kha.
Tn cng xung t
Nu ta chn IV mt cch ngu nhin (s IV 224-1) th sau vi gi IV s lp.
Khi mt IV c s dng li, ta gi y l mt xung t.
Khi xy ra mt xung t, t hp gia kha b mt v IV c s dng lp s
to ra mt lung kho c s dng trc y. V IV c pht i dng
vn bn th mt k tn cng c th theo di tt c lu lng v xc nh thi
im xy ra xung t thc hin tn cng lung kho.
Tn cng lung kha l mt phng php rt ra lung kha bng cch phn
tch hai gi c rt ra t cng mt IV. Tn cng ny da trn nguyn tc
sau: tng modul 2 ca hai vn bn mt m bng tng modul 2 ca hai vn
bn th. V th nu k tn cng bit c hai vn bn mt m (t theo di lu
lng ) v mt vn bn th th hn c th bit c vn bn th th hai.
Tn cng ph kha
Ngi tn cng yu cu ngi s dng m ha bn plaintext bit d 1 d2 d3
d4
Ngi tn cng thu c ci = di XOR kiIV
Ngi tn cng bit c ci, di c th tnh c kiIV
Ngi tn cng bit kha m k1IV k2IV k3IV
Nu ln sau s dng li IV, ngi tn cng c th gii m
Tn cng tn bo
Kha b mt 40 bit -> ph kha trong vng 1 pht.
Gii php: Tng di kha ln 104 bit

Trang 25

Tn cng FMS : Tn cng FMS l bt chn c lng s liu mt m


ph kha.
+ K tn cng chn bt lu lng mt m v tm kim thng tin m phn
da vo kch thc gi b chn, chng hn giao thc ARP nh hnh a)
+ Sau khi bt chn c thng tin m phn, k tn cng pht li gi mt m
ny nhiu ln. (Hnh b)
+ Cc tr li ARP s to ra lu lng k tn cng bt chn.
+ K tn cng lp li qu trnh ny nhiu ln n s nhn c lu lng
tn cng FMS ph kha.

3.2. Gii php an ton WLAN trong tiu chun IEEE 802.11i.
802.11i nghin cu tm ra gii php thay th WEP l WPA v 1 s cc
thnh phn : TKIP (giao thc nhn dng kha tm thi), 802.1x, AES(tiu chun
mt m ha tin tin), nhn thc/hy an ninh.
3.2.1. WPA (Wifi protected Access)

khc phc im yu ca Wep, WPA s dng TKIP v 802.1x

Trang 26

3.2.2. TKIP

Thc cht l 1 sa cha trung gian cho WEP


Gm 3 thnh phn:
+ Hm trn kha cho tng gi
+ M ton vn bn tin
+ Mt IV tng cng bao gm cc quy tc to chui

(2 hnh ging nhau, hnh no d hiu th dng)


3.2.3. Mt m ha TKIP

Client khi u bng 2 kha: kha mt m kha tm thi(128bit) v kha


ton vn s liu (kha MIC 64bit), s dng hm Hash.

Trang 27

Kha tm thi XOR MAC ngi gi to ra kha pha 1. Kha pha 1 c


trn vi kha trung gian (l 1 s trnh t) to ra kha pha 2 (kha cho mt
gi).
Sau l x l trong WEP to ra kha WEP 128bit(24bit IV+104bit b mt
chia s). Pha 1 m bo mi client u c kha trung gian, Pha 2 m bo
mi gi c 1 kha.
u vo hm MIC gm MAC ngun, MAC ch v kha MIC.
u ra MIC c di 8byte gn vi vn bn th v XOR vi chui kha
WEP to ra vn bn mt m.
TKIP khc phc
+ Vn xung t IV : IV tng t 24 ln 48bit, v b m trnh t truyn.
+ Vn kha yu
3.2.4. 802.1x

802.1x l mt giao thc cho php nhn dng theo ca (ca y c ngha l
ca lp 1: ca vt l).
802.1x cho php ng tt ca i vi mi lu lng chng no client khng
c nhn thc thng qua cc chng nhn c lu trong server (thng l
RADIUS server).
802.1x n gin l mt giao thc trao i (EAP: Extensible Authentication
Protocol) trn cc mng khng dy v hu tuyn
802.1x gii quyt 1 s vn v nhn thc
+ Thiu qun l kha
+ Khng h tr cc phng php nhn thc tng cng (cc th thng minh,
cc chng nhn, sinh hc, cc mt khu ch dng mt ln)
+ Khng nhn thc v nhn dng ngi s dng
+ Khng tp trung nhn thc v trao quyn
3.2.5. M ha AES

M ha theo khi v cng c thit k theo gii thut i xng


Trang 28

B mt m AES x l s liu ht ging cho ra 128bit


Vn bn th c chia thnh cc khi 128 bit sau XOR mi khi vi
128bit ca b m ha AES cho ti khi ton b vn bn th c mt m ha
Cui cng n t b m vo 0 v thc hin XOR vi gi tr MIC sau gn
vo cui khung.
Phng php m ha rt mnh
3.2.6. Phng php nhn thc EAP (thy ko dy ko thi u)

Giao thc linh hot c s dng mang thng tin nhn thc ty .
EAP c hai tnh nng:Trc ht n tch trao i bn tin ra khi qu trnh
nhn thc bng cch cung cp mt lp trao i c lp. Nh vy n t c
c tnh th hai: tnh kh m rng trc giao, ngha l cc qu trnh nhn thc
c th m rng hat ng bng cch tip nhn mt c ch mi hn v khng
cn thit phi thay i lp EAP
3.2.7. EAP-MD5

MD5 cung cp mc an ninh thp nht, d thc hin nht


Mt khu lu dng c c server
Khng cung cp nhn thc 2 chiu => d b tn cng trung gian
AP nhn thc c client, ngc li th khng
3.2.8. EAP- LEAP

Trang 29

4. An ton mng thng tin di ng


4.1. Cng ngh an ninh giao din v tuyn mng GSM
4.1.1. Kin trc h thng mng GSM

Cc giao thc an ninh GSM trong c giao thc nhn thc da trn cc cng
ngh mt m i xng trong SIM (Subscriber Identity Module) v AuC
(Authentication Centre) cung cp IMSI (International Mobile Subcriber Identity) v
kho nhn thc thu bao Ki cho tng thu bao. Nn tng ca cc giao thc an ninh
GSM l kha nhn thc thu bao (lu trong SIM v AuC) khng bao gi c pht
trn giao din v tuyn. to ra cc m nhn thc (SRES) v kha mt m Kc cho
tng cuc gi ti USIM, mt s ngu nhin RAND c gi l h lnh c pht trn
ng truyn v tuyn. Ba thng s: RAND, SRES v Kc c gi l b tam (Triplet)
c s dng tha thun kha, nhn thc v mt m.
Kin trc ca h thng GSM gm 3 phn t chnh: MS (Mobile Station), h thng
con trm gc (BSS: Base Station Subsystem) v h thng con chuyn mch (SS:
Switching Subsystem)

MS cha u cui di ng vi SIM card. SIM l mt thit b an ninh cha tt c


cc thng tin cn thit v cc gii thut nhn thc thu bao cho mng.
H thng con trm gc (BSS) bao gm mt s trm thu pht gc (BTS: Base
Transceiver Station) v mt b iu khin trm gc (BSC: Base Station Controller).
BTS iu khin lu lng v tuyn gia MS v chnh n thng qua giao din v tuyn
Um.

Trang 30

H thng con chuyn mch cha trung tm chuyn mch cc dch v di ng


(MSC: Mobile Switching Centre) thc hin tt c cc ng dng cn thit nh tuyn
cuc gi n hoc t cc ngi s dng v cc mng in thoi khc nhau nh: ISDN,
PSTN. HLR (Home location Register: b ghi nh v thng tr) mang tt c cc
thng tin v thu bao trong vng ca GMSC (Gateway MSC: MSC cng) tng ng.
VLR (Visitor Location Register: b ghi nh v tm tr) cha cc chi tit tm thi v
MS lm khch ti MSC hin thi. N cng cha TMSI. Trung tm nhn thc (AuC:
Authentication Center) c t ti HLR v l mt trong nhng ni pht i cc thng
s an ninh quan trng nht v n m bo tt c cc thng s cn thit cho nhn thc
v mt m ha gia MS v BTS. TMSI cho php t chi mt k xu tm cch ly trm
thng tin v cc ti nguyn c ngi s dng s dng v khng cho k xu theo di
vtrngisdng. Mc ch ca EIR (Equipment Identity Register: b ghi nhn dng
thit b) l nhn dng xem c ng l thit b di ng hay khng. Ni mt cch khc
EIR cha cc s seri my ca tt c cc my di ng b mt hoc b n cp m h
thng s khng cho php. Cc ngi s dng s c nhn dng l en (khng hp
l), trng (hp l ) hay xm (b nghi ng).
4.1.2. M hnh an ninh cho giao din v tuyn GSM

M hnh an ninh giao din v tuyn GSM m bo tnh ring t cho thng tin ca
ngi s dng trn ng truyn v tuyn. Mi trng an ninh trn giao din ny
c m bo bi hai qu trnh: nhn thc v bo mt.

Nhn thc v mt m m ha

Trang 31

M hnh an ninh cho giao din v tuyn GSM

IMSI (International Mobile Subscriber Identity) duy nht cho mi thu bao GSM.
IMSI c lu tr trong SIM v trong b HLR.
Ki: Mi thu bao GSM c cp mt kha nhn thc thu bao Ki. Kha Ki c
lu tr trong SIM v trong trun tm nhn thc AuC.
Thut ton A3 v A8: Hai thut ton c thc hin trong SIM v trong AuC.
Chng c dng xc nhn thu bao v to ra kha mt m Kc.
Nhn thc thu bao GSM
Trung tm nhn thc AuC c s dng nhn thc SIM card ca thu bao. N to
ra b ba thng s {RAND||SRES||Kc} v gi chng xung VLR ca mng ang phc
v thng qua HLR. Cc thng s ny c lu ti VLR v c s dng ring cho
tng cuc gi. Trong qu trnh nhn thc mt cuc gi, VLR gi h lnh RAND n
USIM n s dng to ra SRES. Sau MS gi SRES n VLR so snh vi
SRES c lu ti . Nu hai thng s ny trng nhau th nhn thc thnh cng.

Trang 32

Qu trnh nhn thc GSM

Th tc nhn thc c khi xng bi AuC, AuC to ra mt s ngu nhin


RAND 128 bits gi n MS. Gii thut A3 s dng s ngu nhin nhn c cng vi
kha nhn thc Ki (128 bits) lu trong SIM card to ra tr li c k hiu 32 bits
(SRES).
SRES c pht v pha mng v c so snh vi SRES k vng do AuC tnh
ton. Nu gi trnh SRES c pht v pha mng v c so snh vi SRES do AuC
tnh ton ging nhau th MS c php truy nhp mng.
m bo an ninh tt hn, mi ln truy nhp mng, s ngu nhin li c thay
i dn n thay i SRES.
Mt m ha GSM
Mc ch ca mt m ha l m bo tnh ring t cho thng tin ngi s dng
trn ng truyn v tuyn.

Qu trnh mt m ha GSM

Sau khi nhn thc thnh cng, ti SIM gii thut A8 nhn kha nhn thc thu bao
Ki cng vi RAND lm u vo to ra kha mt m Kc (Ciphering Key) 64 bit.
Ti pha mng phc v, kha Kc tng ng n t AuC c VLR lu trong b
nh. Bng gii thut A5, u vo l kha Kc (64bit) v s khung 24 bit (Count)
chng pht li, thoi c mt m v gii mt m trong MS cng nh trong BTS.
Cc e da an ninh GSM

Trang 33

Thnh phn an ninh quan trng nht ca GSM l kha nhn thc ngi s dng
Ki. Vic ti to li c kha ny cho php nhn bn cc SIM card v nh gim st
c tt c cc cuc gi c ngi s dng tin hnh theo kha ny. Tuy nhin tn
ti mt c ch an ninh gim st tt c cc kha ny trong trng hp s dng ng
thi kha ny v chm dt ng k ca kha ny.
Ni chung c truy nhp mng u cui phi c mng cho php. Tuy nhin
khng c bt c mt c ch no kim tra s hp l ca mng. V th c th th xy
ra cc tn cng n mng bi mt k no khi k ny c cc c ch ph hp gi
dng mt mng hp l hoc mt u cui hp l.
Cng cn lu rng im giao din ni MS ri khi ng c bo v ( mc
nht nh) v chuyn n PSTN hay mt mng in thoi khc l c bit quan
trng t quan im an ninh v n rt d b k xu xm phm. Cng cn lu rng an
ninh p dng trn HLR l tha mn v n cha tt c cc phn t c bn ca an ninh
GSM nh IMSI, kha nhn thc thu bao Ki, s in thoi v cc chi tit tnh cc.
Mt vn quan trng khc t quan im e da an ninh l khng chc cc th tc
an ninh ni trn c th c nh cung cp dch v GSM m bo hay khng.
nh gi an ninh GSM
Anh ninh GSM da trn nhn thc v bo mt th hin u im vt tri an
ninh trong cc h thng thng tin di ng tng t th h th 1. Tuy nhin trong hi
GSM c s dng nhiu nm nhiu nc trn th gii, cc c ch an ninh c s
ca n cng b ch trch ngy cng nhiu.

C hai gii thut A3 v A8 l cc gii thut ring. Chng u c s dng


nhn thc ngi s dng v to ra cc kha phin u c thc hin bi cc nh
cung cp dch v GSM bng gii thut c gi l COMP128. Gii thut i hi
64 bit, nhng 10 bit trong s ny lun c t bng 0 nn gim ng k an ninh
ca ng dng A8. Nu kha Kc b tn hi, k xm phm c th ng gi VLR
hp php m khng cn nh k nhn thc.

Di s iu khin ca giao thc nhn thc GSM, GSM BTS nhn thc qu
trnh MS yu cu phin thng tin. Tuy nhin khng c nhn thc ngc li t MS
n mng nn MS khng c m bo rng n khng b ln thng tin vi mt
nt gi mo l GSM BTS. iu ny li tr nn ti t hn khi chnh h lnh ngu
nhin (RAND) c dng nhn thc li l thnh phn to m phin khi
Trang 34

c s dng lm u vo cho gii thut A8. Ngoi ra giao thc bn tin h lnhtr li li khng cha nhn thi gian. V th nu mt BTS gi thnh cng lm
GSM BTS, n c th tm c mt kha phin gii m mi bn tin s dng
cng kha trong thi gian kh di.
Nhn thc GSM (v an ninh ni chung) bo v ng truyn v tuyn gia MS
v GSM BTS phc v MS. C ch an nnh ny khng bo v truyn dn thng
tin gia AuC v mng phc v. Vic thiu an ninh trong mng hu tuyn l kh
nng l chnh ca GSM, nht l hin trng truyn dn gia cc GSM BTS v
mng hu tuyn thng l cc ng vi ba s dn n thng tin d b chn.

Trong s 2 phng n ca gii thut mt m ha s liu (A5/1 v A5/2), gii


thut yu hn l A5/2.
GSM khng cho php bo v ton vn bo hiu v ch cho php nhn thc thu
bao ch khng cho php nhn thc mng.
4.2. Bo mt thng tin s dng nh danh thu bao di ng tm thi TMSI
m bo mc bo mt cao cho cc bn tin v bo v chng s theo di v tr
ca thu bao, b danh nhn dng c s dng thay cho IMSI. B danh ny c gi l
TMSI (Temporary Mobile Subscriber Identity). y l mt s duy nht trong vng
phc v ca VLR ni MS c ng v khng l cng khai. TMSI ny c th c gii
phng v mt TMSI mi c th c n nh cho MS sau khi xy ra lp li nhiu ln
mt s kin (nh cp nht v tr).
TMSI l mt s nh s c p dng cho cc tnh nng bo mt nhn dng
thi bao v ch p dng bn trong vng iu khin ca VLR. Khi c yu cu, TMSI
c cp pht hoc cp pht li cho mt IMSI sao cho trong vng iu khin ca VLR
c th tm c thu bao theo TMSI. TMSI c lu trong mt bng cp pht TMSI
lin kt vi mt bn ghi trong VLR v trong SIM ca MS. TMSI lun c s dng
vi LAI (Location Area Identity) :
Nhn dng thu bao di ng trong BSS
Tm thu bao di ng trong BSS
Truy nhp s liu thu bao di ng trong c s d liu VLR
cp pht trnh trng lp TMSI sau khi khi ng li VLR, mt b phn ca
TMSI c th lin quan n thi gian m n c cp pht. Ngoi ra, TMSI cha mt
trng mt bit, trng ny c th thay i khi VLR khi phc li t u.
Trang 35

Qu trnh m bo an ninh khi cp pht TMSI cho mt thu bao c biu din
nh s sau:

M hnh an ninh giao din v tuyn cng vi cp pht TMSI cho mt thu bao

4.3. Mt m ha trn mng v tuyn GPRS


4.3.1. Kin trc GPRS

Dch v v tuyn gi chung GPRS l mt mng s liu c thit k kt hp


vi mng GSM hin c. V GSM/GPRS cho php c lu lng chuyn mch gi (PS)
nh IP v lu lng chuyn mch knh (CS).

Kin trc GPRS

MS gm thit b u cui (TE: Terminal Equipment) (my tnh PC cm tay chng


hn) v u cui di ng (MT). MS c th hot ng trong ba ch ph thuc vo
kh nng ca mng v my tnh di ng.
Trang 36

Ch A, c th x l ng thi c khai thc chuyn mch knh ln chuyn

mch gi.
Ch B, cho php MS hoc ch PS hoc ch CS nhng khng ng
thi c hai ch . Khi MS pht cc gi, nu kt ni CS c yu cu th tuyn
truyn dn PS t ng c t vo ch treo.

Ch C, cho php MS thc hin mi ln mt dch. Nu MS ch h tr lu


lng PS (GPRS) th n hot ng ch C.
Trong BSS, BTS x l c lu lng CS v PS. N chuyn s liu PS n SGSN v
CS n MSC. Ngoi cc tnh nng GSM, HLR cn c s dng xc nh xem
thu bao GPRS c a ch IP tnh hay ng v im truy nhp no s dng ni n
mng ngoi. i vi GPRS, cc thng tin v thu bao c trao i gia HLR vi
SGSN.
SGSN x l lu lng cc gi tin IP n v t MS ng nhp vo vng phc v
ca n v n cng m bo nh tuyn gi nhn c v gi i t n.
GGSN m bo kt ni vi cc mng chuyn mch gi bn ngoi nh Internet hay
cc mng ring khc. N kt ni vi cc mng ng trc GPRS da trn IP. N cng
chuyn i tt c cc gi IP v c s dng trong qu trnh nhn thc v trong cc th
tc mt m ha.
AuC hot ng ging nh mng GSM. C th n cha thng tin nhn dng cc
ngi c php s dng mng GPRS v v th ngn chn vic s dng tri php
mng.
Mt m ha GPRS
Trong GPRS th tc mt m ha khc vi GSM. Mt gii thut mi A5-GPRS
64bit c s dng. Trong thi gian truyn cc gi IP, mi gi s liu c mt m
ha bi gii thut A5-GPRS hay GEA (GPRS Encryption Algorithm). GEA l mt gii
thut mt m lung i xng. u im ca gii thut ny so vi A5 l c th to ra u
ra ca GEA trc khi bit c vn bn th.
Qu trnh mt m c thc hin gia SGSN v MS. Trong trng hp ny cng
cn ng b lung mt m ha v gii mt m ha. Qu trnh mt m ha nh s
sau:

Trang 37

Mt m ha GPRS

Nhn thc thu bao GPRS


Th tc nhn thc thu bao GPRS c thc hin theo cch ging nh GSM ch
khc mt im l cc th tc ny c thc hin trong SGSN ch khng phi
MSC. Ni mt cch khc SGSN nhn thc MS bng cch s dng s liu nhn thc
nhn c t HLR.
Cc th tc bo hiu nhn thc cho php mng GSM/GPRS nhn dng v nhn
thc ngi s dng bo v ng truyn t cc cuc gi GSM/GPRS.
Trong th tc bo hiu nhn thc, mt VLR/SGSN mi cn nhn c b ba (Kc,
SRES, Random) t HLR/AuC thng quan giao thc MAP ca mng bo hiu SS7.
Khi SGSN nhn c b ba ny, n nhn thc MS bng cch gi i s ngu
(RAND) trong bn tin Authentication and Ciphering Request (Yu cu nhn thc v
mt m). Nhn c s ngu nhin ny, MS s tnh ton s SRES v kha Kc. Sau
MS gi s SRES ny n mng. Mng so snh SRES v kha Kc. Sau MS gi s
SRES ny n mng.
Mng so snh SRES do MS tnh vi SRES trong VLR nhn c t HLR/AuC.
Nu hai s SRES ging nhau, VLR/SGSN cho rng nhn thc thu bao MS thnh
cng.

Th tc bo hiu nhn thc thu bao

Trang 38

4.4. M hnh an ninh trn giao din v tuyn mng UMTS


Nhn thc 3G UMTS c thc hin c hai chiu: mng nhn thc ngi s
dng cho mng v ngi s dng nhn thc mng. c nhn thc, mng phi
ng du bn tin gi n UE bng m MAC-A v USIM s tnh ton con du kim tra
nhn thc XMAC-A kim tra.
Mt m cc bn tin c thc hin c hai chiu bng KS (KeyStream: lung
kha). KS ny c to ra RNC t CK (Ciphering Key: Kha mt m) trong AV
(Authentication Vector) do AuC gi xung v USIM t CK c tnh ton t RAND
v AUTN (Authentication Token) do mng gi n.
Bo v ton vn c thc hin c hai chiu bng nhn thc ton vn bn tin
c truyn gia RNC v UE. c nhn thc, bn tin pht (UE hoc RNC) phi
c ng du bng m MAC-I. Pha thu (RNC hoc UE) tnh ton con du kim tra
ton vn XMAC-I kim tra.
Cc thnh phn quan trng nht lin quan n an ninh l K v mt s thng s
khc c lu trong USIM, AuC khng bao gi c truyn ra ngoi hai v tr ny.
Cng cn m bo rng cc thng s ni trn ng b vi nhau c hai pha.

M hnh an ninh cho giao din v tuyn 3G UMTS

4.4.1. Mng nhn thc ngi s dng

m bo nhn thc trn mng UMTS ta cn xt ba thc th: VLR/SGSN,


USIM v HE. VLR/SGSN kim tra nhn dng thu bao, cn USIM m bo rng
VLR/SGSN c HE cho php thc hin iu ny.
Nhn thc c thc hin ngay khi mng phc v nhn dng thu bao. Qu trnh
ny c thc hin khi VLR (trng hp CS) hay SGSN (trng hp PS) gi yu cu
Trang 39

nhn thc n AuC. Sau VLR/SGSN gi yu cu nhn thc ngi s dng n u


cui. Yu cu ny cha RAND v s th nhn thc AUTN c pht n USIM.
USIM bao gm mt kha ch K (128 bit) s c s dng kt hp vi hai thng
s thu c (RAND v AUTN) tnh ton thng s tr li ca ngi s dng (RES).
Sau RES (32-128 bit) ny c gi tr li VLR/SGSN v c so snh vi XRES
k vng do AuC to ra. Nu hai thng s ny trng nhau, nhn thc thnh cng. RES
v XRES c tnh ton bng hm f2.

Nhn thc ngi s dng ti VLR/SGSN

4.4.2..

4.5. Hot ng nhn thc v tha thun kha AKA


AKA (Authentication and Key Agreement: nhn thc v tha thun kha) c
thc hin khi:

ng k ngi s dng trong mng phc v


Sau mi yu cu dch v
Yu cu cp nht v tr
Yu cu ng nhp
Yu cu hy ng nhp
Yu cu thit lp li kt ni

Nhn thc v tho mn kha AKA l mt trong cc tnh nng quan trng ca h
thng UMTS. Tt c cc dch v khc u ph thuc vo AKA v khng th s dng
bt c dch v no cao hn m khng phi nhn thc ngi s dng.
thc hin cc qu trnh ny trong UMTS, AuC phi to ra cc vecto nhn thc
AV da trn bn thng s sau: RAND (s ngu nhin ha), kha b mt dng chng
quy nh trc (Pre-shared Secret Key, K), SQN (s trnh t) v AMF (Key
Trang 40

Management Field: trng qun l kha) v AV nhn c s bao gm cc thng s


sau: MAC-A (m nhn thc bn tin USIM nhn thc mng), X-RES (ch k k
vng t ngi s dng nhn thc ngi ny), CK (kha mt m bo mt bn tin
pht n ngi s dng), IK (kha ton vn bo v ton vn bn tin), AK (kha du
tn cng vi mt s thng s khc c s dng chng pht li). Mng cng s
pht s pht cc thng s RAND cng vi th nhn thc AUTN gm: SQN cng
mudule 2 vi AK, AMF v MAC-A n USIM trong MS n to ra AV nhn thc
tng ng nh: X-MAC (m nhn thc bn tin k vng nhn thc mng), RES
(ch k nhn thc n vi mng), CK (kha mt m bo mt bn tin pht n
mng), IK (kha ton vn bo v ton vn bn tin), AK v SQN.

Qu trnh nhn thc v tha thun kha

Cc th tc nhn thc v tha thun kha xy ra ti USIM, SGSN/VLR v


HLR/AuC. V mng phc v c chia thnh cc min PS v CS, SGSN c ngha l
min PS, cn VLR/MSC l min CS. Cc th tc nhn thc c thc hin ging nhau
trong c hai min. V khng c c s thng tin chung gia SGSN v MSC/VLR tr
HE, nn cc th tc AKA xy ra c lp min CS v PS.
4.6. Cc hm mt m ha f1-f5 s dng trong UMTS
4.7. S dng hm f8 bo mt trong UMTS
4.8. S dng hm f9 bo v tnh ton vn trong UMTS
4.9. An ninh ca ngi s dng trong IMS

Trang 41