Graduated - Network Security
1. PRESENT THE IPSEC ARCHITECTURE. WHAT FEATURES DOES IPSEC ADD TO THE IP PROTOCOL?
ANSWER: IPSec is an extension of the IP protocol that adds a number of features to IP.
[Figure: IPSec architecture. Blocks shown: IPSec architecture, AH protocol, cryptographic algorithms, DOI, key management.]
- IPSec architecture (RFC 2401): specifies the structure, concepts and requirements of IPSec.
- ESP protocol (RFC 2406): describes ESP, the protocol that encrypts and authenticates information in IPSec.
- AH protocol (RFC 2402): defines a second protocol whose function is close to that of ESP. When deploying IPSec, the user can therefore choose ESP or AH; each protocol has its own advantages and drawbacks.
- Encryption algorithms: define the encryption and decryption algorithms used in IPSec. IPSec relies mainly on symmetric ciphers.
- Authentication algorithms: define the message authentication algorithms used in AH and ESP.
- Key management (RFC 2408): describes the key management and key exchange mechanisms in IPSec.
- Domain of Interpretation (DOI): defines the operating environment, i.e. the set of definitions needed to deploy IPSec in a specific situation.
From an application standpoint, IPSec is essentially a protocol that operates alongside IP to provide two basic functions that the original IP lacks: encryption and authentication of packets. Broadly, IPSec can be seen as a combination of two components:
- the encapsulation protocols, AH and ESP;
- the key exchange protocol IKE (Internet Key Exchange).
ANSWER:
OPERATION OF THE AH ENCAPSULATION PROTOCOL:
AH provides user authentication and application authentication, and applies the corresponding packet-filtering mechanisms to guarantee the integrity of data travelling across the network. AH can also limit spoofing and replay attacks. AH's authentication mechanism is based on a message authentication code (MAC), so the two endpoints of the SA must share a secret key, even though no encryption algorithm is used.
[Table: AH in Transport mode vs. Tunnel mode: similarities and differences]
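The two properties of AH named above, integrity through a shared-key MAC and protection against replayed packets, are easy to see in code. The example below is an added illustration written for this page, not code from the source notes or from any IPSec implementation: it builds an AH packet (HMAC-SHA1-96 ICV computed over the IPv4 header with the mutable fields zeroed, per RFC 2402), then plays the receiver, which checks the sequence number against a sliding window before verifying the ICV. The SA key, addresses and payloads are constructed demo values.

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo key; on a real SA the key comes from IKE or manual keying.
SA_KEY = bytes.fromhex("0b" * 20)

IP_PROTO_AH = 51
IP_PROTO_TCP = 6


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header without options (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable_fields(ip_hdr):
    """RFC 2402: fields that change in transit (TOS, flags/fragment offset, TTL,
    header checksum) are treated as zero when the ICV is computed."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(key, ip_hdr, ah_fixed, payload):
    """HMAC-SHA1-96 over the immutable IP header, the AH header with the ICV
    field zeroed, and the payload; only the leading 96 bits are transmitted."""
    data = zero_mutable_fields(ip_hdr) + ah_fixed + bytes(12) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def build_ah_packet(key, src, dst, spi, seq, payload, ttl=64):
    # AH fixed part: next header, payload length (AH words - 2 = 4), reserved, SPI, sequence
    ah_fixed = struct.pack("!BBHII", IP_PROTO_TCP, 4, 0, spi, seq)
    total_len = 20 + len(ah_fixed) + 12 + len(payload)
    ip_hdr = ipv4_header(src, dst, IP_PROTO_AH, total_len, ttl)
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


class AhReceiver:
    """Receiving end of the SA: anti-replay check, then ICV verification."""
    WINDOW = 64

    def __init__(self, key):
        self.key = key
        self.highest = 0
        self.seen = set()

    def verify(self, packet):
        ip_hdr, rest = packet[:20], packet[20:]
        ah_fixed, icv, payload = rest[:12], rest[12:24], rest[24:]
        seq = struct.unpack("!I", ah_fixed[8:12])[0]
        # Replay check first (cheap), so a flood of old packets costs no HMACs.
        if seq in self.seen or seq + self.WINDOW <= self.highest:
            return "replay"
        if not hmac.compare_digest(ah_icv(self.key, ip_hdr, ah_fixed, payload), icv):
            return "bad-icv"
        self.seen.add(seq)          # only accepted packets advance the window
        self.highest = max(self.highest, seq)
        return "ok"


def demo():
    src, dst = "10.0.0.1", "10.0.0.2"
    rx = AhReceiver(SA_KEY)
    p1 = build_ah_packet(SA_KEY, src, dst, spi=0x100, seq=1, payload=b"hello")
    p2 = bytearray(build_ah_packet(SA_KEY, src, dst, spi=0x100, seq=2, payload=b"world"))
    p2[8] -= 1                      # a router decremented the TTL in transit
    p3 = bytearray(build_ah_packet(SA_KEY, src, dst, spi=0x100, seq=3, payload=b"!!!!!"))
    p3[-1] ^= 0xFF                  # payload modified in transit
    return [rx.verify(p1), rx.verify(bytes(p2)), rx.verify(p1), rx.verify(bytes(p3))]


if __name__ == "__main__":
    print(demo())
```

The second packet still verifies after a hop changed its TTL because the TTL is excluded from the ICV; the replayed first packet is rejected before any HMAC is computed; the modified third packet fails the ICV and does not advance the window.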
ANSWER:
DESCRIBE THE OPERATION OF THE ESP ENCAPSULATION PROTOCOL?
ESP (Encapsulating Security Payload) provides confidentiality for data transmitted over IP networks by cryptographic means. It also has an option to provide a data integrity service through an authentication mechanism: the user may or may not enable authentication, whereas encryption is ESP's default function.
[Table: ESP in Transport mode vs. Tunnel mode: similarities and differences. Tunnel mode column:]
- The entire IP packet is encrypted and authenticated.
- The ESP header is placed in front of the old IP address (the IP address of the original IP packet).
- The scope of the authenticated information is larger than in Transport mode.
- In this mode a new IP address must be inserted to wrap the existing data packet.
- The ESP header sits after the new IP address (the IP address created when Tunnel mode is used).
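The header placement described in the table is easiest to check by building both encapsulations byte for byte. The following example is an added illustration for this page, not code from the notes or from any IPSec stack: it packs an outer IPv4 header, the ESP header (SPI, sequence number) and the ESP trailer (padding, pad length, next header) for a constructed TCP segment, once in Transport mode and once in Tunnel mode between two gateway addresses, and reports what ends up inside ESP's protected region. Encryption is deliberately left out so the layout stays visible; the addresses and segment are constructed sample values.

```python
import socket
import struct

IP_PROTO_IPIP = 4    # next-header value meaning "an IP packet follows" (tunnel mode)
IP_PROTO_TCP = 6
IP_PROTO_ESP = 50


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options, checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def esp_encapsulate(spi, seq, inner, next_header, block=4):
    """ESP header (SPI, sequence) || inner data || padding || pad length || next header.
    Everything after the 8-byte header is the part ESP encrypts; the optional ICV
    would cover the header as well. Encryption itself is left out: the point is the layout."""
    pad_len = (-(len(inner) + 2)) % block
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + inner + trailer


def transport_mode(src, dst, tcp_segment, spi, seq):
    """Transport mode: the hosts' own IP header stays outside; only the segment is wrapped."""
    esp = esp_encapsulate(spi, seq, tcp_segment, IP_PROTO_TCP)
    return ipv4_header(src, dst, IP_PROTO_ESP, len(esp)) + esp


def tunnel_mode(gw_src, gw_dst, inner_packet, spi, seq):
    """Tunnel mode: a new outer IP header (gateway addresses) precedes the ESP header,
    and the whole original IP packet, including its addresses, is wrapped."""
    esp = esp_encapsulate(spi, seq, inner_packet, IP_PROTO_IPIP)
    return ipv4_header(gw_src, gw_dst, IP_PROTO_ESP, len(esp)) + esp


def describe(packet):
    """(outer src, outer dst, outer protocol, next header from the ESP trailer,
    number of bytes that sit inside ESP's protected region)."""
    outer, esp = packet[:20], packet[20:]
    return (socket.inet_ntoa(outer[12:16]), socket.inet_ntoa(outer[16:20]),
            outer[9], esp[-1], len(esp) - 8)


# Constructed sample: a 20-byte TCP SYN from 10.1.1.10 to 10.2.2.20, port 443.
SEGMENT = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)
INNER = ipv4_header("10.1.1.10", "10.2.2.20", IP_PROTO_TCP, len(SEGMENT)) + SEGMENT


def demo():
    t = transport_mode("10.1.1.10", "10.2.2.20", SEGMENT, spi=0x1000, seq=1)
    u = tunnel_mode("203.0.113.1", "198.51.100.1", INNER, spi=0x2000, seq=1)
    return describe(t), describe(u)


if __name__ == "__main__":
    for mode, info in zip(("transport", "tunnel"), demo()):
        print(mode, info)
```

In Transport mode the outer addresses are the hosts' own and the trailer announces TCP (6); in Tunnel mode the outer addresses belong to the gateways, the trailer announces an encapsulated IP packet (4), and the protected region is 20 bytes larger because it now includes the original IP header.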
ANSWER:
SSL SERVICES?
- Data encryption
- Data authentication
- Endpoint authentication
[Figure: SSL Record protocol processing]
+ Fragmentation
+ Compression
+ Append authentication information (MAC)
+ Encryption
+ Add the SSL record protocol header
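The five steps in the figure form a pipeline, and the receiver has to undo them in reverse order with the same per-direction state. The example below is an added illustration for this page, not code from the notes or from any SSL library: it fragments application data at 2^14 bytes, compresses with zlib, appends a MAC over the sequence number, content type, version, length and compressed fragment (the TLS 1.0 HMAC form; SSL 3.0 used a similar keyed hash), encrypts with RC4 (the stream cipher of early SSL suites; its state carries across records) and prepends the 5-byte record header. The keys and data are constructed values.

```python
import hashlib
import hmac
import struct
import zlib

MAX_FRAGMENT = 2 ** 14      # SSL record fragments are at most 16384 bytes


class RC4:
    """RC4 keystream generator. One instance per direction; its state
    carries over from record to record, as on a real connection."""

    def __init__(self, key):
        s, j = list(range(256)), 0
        for i in range(256):
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
        self.s, self.i, self.j = s, 0, 0

    def crypt(self, data):
        out = bytearray()
        for b in data:
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + self.s[self.i]) & 0xFF
            self.s[self.i], self.s[self.j] = self.s[self.j], self.s[self.i]
            out.append(b ^ self.s[(self.s[self.i] + self.s[self.j]) & 0xFF])
        return bytes(out)


def record_mac(mac_key, seq, ctype, version, compressed):
    """MAC over sequence number, content type, version, length and the compressed fragment."""
    header = struct.pack("!QBBBH", seq, ctype, version[0], version[1], len(compressed))
    return hmac.new(mac_key, header + compressed, hashlib.sha1).digest()


class RecordWriter:
    def __init__(self, mac_key, enc_key, ctype=23, version=(3, 0)):
        self.mac_key, self.cipher, self.seq = mac_key, RC4(enc_key), 0
        self.ctype, self.version = ctype, version

    def write(self, data):
        records = []
        for i in range(0, max(len(data), 1), MAX_FRAGMENT):
            fragment = data[i:i + MAX_FRAGMENT]                    # 1. fragment
            compressed = zlib.compress(fragment)                  # 2. compress
            tag = record_mac(self.mac_key, self.seq, self.ctype,
                             self.version, compressed)            # 3. MAC
            body = self.cipher.crypt(compressed + tag)            # 4. encrypt
            records.append(struct.pack("!BBBH", self.ctype, *self.version,
                                       len(body)) + body)         # 5. record header
            self.seq += 1
        return records


class RecordReader:
    def __init__(self, mac_key, enc_key):
        self.mac_key, self.cipher, self.seq = mac_key, RC4(enc_key), 0

    def read(self, record):
        """Undo the steps in reverse; returns None if the MAC does not verify."""
        ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
        body = self.cipher.crypt(record[5:5 + length])
        compressed, tag = body[:-20], body[-20:]
        expected = record_mac(self.mac_key, self.seq, ctype, (major, minor), compressed)
        self.seq += 1
        if not hmac.compare_digest(expected, tag):
            return None
        return zlib.decompress(compressed)


MAC_KEY = b"constructed-mac-key"
ENC_KEY = b"constructed-enc-key"
DATA = bytes(range(256)) * 160        # 40960 bytes of constructed data -> three records


def demo():
    records = RecordWriter(MAC_KEY, ENC_KEY).write(DATA)
    reader = RecordReader(MAC_KEY, ENC_KEY)
    plain = b"".join(reader.read(r) for r in records)
    # A second connection sees the same records, but the second one is altered in flight.
    damaged = bytearray(records[1])
    damaged[-1] ^= 0x01
    reader2 = RecordReader(MAC_KEY, ENC_KEY)
    first, second = reader2.read(records[0]), reader2.read(bytes(damaged))
    return len(records), plain == DATA, first == DATA[:MAX_FRAGMENT], second is None
```

Because the MAC is computed before encryption and checked before decompression, a record altered in flight is rejected without feeding attacker-controlled bytes to the decompressor, and the implicit sequence number in the MAC means a record cannot be silently dropped or reordered.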
ANSWER:
PHASE 2: The server may send its public-key certificate, perform the key exchange and request that the client supply its certificate.
PHASE 3: The client sends its certificate when the server has requested it and performs the key exchange with the server. The client may also send a certificate verify message to the server.
- Discovery: the AP sends Beacon and Probe Response frames that advertise information about the network and the WLAN's security policies. The STA uses this information to connect to the AP.
The purpose of this phase is for the AP and STA to identify each other, negotiate the cryptographic parameters and establish an association in preparation for the following steps. The details settled in this phase include:
+ the encryption and data authentication protocol between AP and STA;
+ the endpoint authentication method;
+ the key management mechanism.
- Authentication: the STA authenticates with the AS through the AP. The AP does not take part in the authentication itself; it only relays messages between the STA and the AS.
This is a mutual (two-way) authentication phase between STA and AS. The authentication mechanism follows 802.1X and uses the EAP (Extensible Authentication Protocol).
- Key Management: the AP and STA carry out the key exchange.
Two key exchange mechanisms can be used in this phase: a preshared key and a Master Session Key (MSK). The preshared key is a static key installed identically on the AP and the STA, whereas the MSK is generated during the authentication phase using EAP. The subsequent keys are derived from these two master keys. Key establishment is performed through the 4-way handshake.
- Protected Data Transfer: data is transferred between STAs through the AP, which acts as the intermediary that encrypts and decrypts the data.
Data exchanged between AP and STA is protected by one of two mechanisms, TKIP or CCMP:
+ TKIP (Temporal Key Integrity Protocol): data is authenticated with a MIC (based on the Michael hash algorithm) and encrypted with RC4.
+ CCMP (Counter Mode CBC-MAC Protocol): data is authenticated with CMAC (CBC-based MAC) and encrypted with AES in CTR (counter) mode.
- Connection Termination: the AP and STA tear down the connection.
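The key management phase above says the per-session keys are derived from the preshared key (or the MSK) and then confirmed by the 4-way handshake. The example below is an added illustration written for this page, not code from the notes or from any supplicant: it derives the PMK from a passphrase with PBKDF2-HMAC-SHA1, expands it into the PTK with the 802.11i PRF over both MAC addresses and both nonces, and simulates the MIC on handshake message 2, which only verifies at the AP when both sides started from the same PMK. The MAC addresses and the simplified EAPOL-Key frame are constructed values; the PBKDF2 test vector checked in the test is the one published in the 802.11i standard.

```python
import hashlib
import hmac
import os


def pmk_from_passphrase(passphrase, ssid):
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits).
    With EAP authentication the PMK is taken from the MSK instead."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces)).
    For CCMP the 48 bytes split into KCK (MIC key), KEK (key-wrap key) and TK (data key);
    TKIP takes 64 bytes, the extra 16 being the two Michael MIC keys."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck, frame_with_zeroed_mic):
    """Key MIC for the CCMP key descriptor: HMAC-SHA1(KCK, frame)[:16]."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def four_way_handshake(ssid, ap_passphrase, sta_passphrase):
    """Simulates the key-confirmation part of the 4-way handshake. Both sides derive
    the PTK from their own PMK and the exchanged nonces; the STA's MIC on message 2
    verifies at the AP only if both sides hold the same PMK. Returns (mic_ok, tk_match)."""
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")   # constructed MACs
    anonce = os.urandom(32)                       # message 1: AP -> STA carries ANonce
    snonce = os.urandom(32)
    sta_ptk = derive_ptk(pmk_from_passphrase(sta_passphrase, ssid), aa, spa, anonce, snonce)
    # message 2: STA -> AP carries SNonce plus a MIC over the frame with the MIC field zeroed
    msg2 = b"EAPOL-Key msg2" + snonce + bytes(16)   # simplified constructed frame
    mic = eapol_mic(sta_ptk["kck"], msg2)
    ap_ptk = derive_ptk(pmk_from_passphrase(ap_passphrase, ssid), aa, spa, anonce, snonce)
    mic_ok = hmac.compare_digest(eapol_mic(ap_ptk["kck"], msg2), mic)
    return mic_ok, ap_ptk["tk"] == sta_ptk["tk"]


if __name__ == "__main__":
    print(four_way_handshake("IEEE", "password", "password"))
    print(four_way_handshake("IEEE", "password", "wrong-passphrase"))
```

The nonces make the PTK fresh for every association even though the PMK is static, and the MIC on message 2 is what lets the AP confirm the STA's PMK without the PMK ever being sent; the same check in the other direction (message 3) confirms the AP to the STA.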
- Message confidentiality:
- Message compression:
+ Compression reduces the size of the message so that transmission is faster, and at the same time improves the effectiveness of the cipher.
- Encoding conversion:
+ After processing (authentication, compression, encryption) the message content becomes a block of binary data, which may be incompatible with mail systems that only support ASCII text. PGP therefore converts the encoding so that the processed message can still be relayed normally by mail servers.
+ The encoding conversion in PGP uses base64 encoding (radix-64).
- Key management:
+ Each user maintains a set of other users' public keys; this set is managed by a keyring.
+ In PGP, users create their own digital certificates, and these certificates are distributed by the users themselves.
+ Trust relationships between users are established through the Web of Trust model.
* DESCRIBE THE ENCRYPTION AND AUTHENTICATION MECHANISM USED IN PGP:
- PGP authenticates the message first and encrypts afterwards.
+ Hash the message content with SHA-1 and encrypt the hash with the sender's private key. Attach the result to the beginning of the message as the signature.
+ Generate a symmetric key K and encrypt the whole message content (including the signature just created).
+ Encrypt the key K with the recipient's public key and attach it to the beginning of the message as well.
+ On the receiving side, the recipient decrypts the beginning of the message with their own private key to obtain K.
+ Decrypt the message content (together with the digital signature) with K. This completes the confidentiality function.
+ Decrypt the digital signature with the sender's public key. This completes the authentication function.
Figure: Encrypting and authenticating mail on the sending side
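The sign-then-encrypt sequence above, together with the radix-64 step from the previous section, can be followed end to end in a small model. The example below is an added illustration for this page, not PGP's own code: the sender hashes with SHA-1, signs the digest with a private key, encrypts signature and message under a fresh session key K, wraps K with the recipient's public key and base64-armors the result; the recipient reverses the steps and reports whether the signature matches. Textbook RSA on fixed Mersenne primes stands in for the users' real key pairs and an HMAC counter keystream stands in for the symmetric cipher; both are educational stand-ins, not secure constructions, and all keys are constructed values.

```python
import base64
import hashlib
import hmac
import os


def toy_rsa_keypair(p, q, e=65537):
    """Textbook RSA from two known primes (Mersenne primes here) as a stand-in for the
    users' real key pairs. No padding, no primality search: for illustration only."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)            # (public, private)


# Constructed keys: the sender signs with a ~234-bit modulus, the recipient holds a ~610-bit one.
SENDER_PUB, SENDER_PRIV = toy_rsa_keypair(2 ** 107 - 1, 2 ** 127 - 1)
RECIPIENT_PUB, RECIPIENT_PRIV = toy_rsa_keypair(2 ** 89 - 1, 2 ** 521 - 1)
SIG_BYTES, EK_BYTES = 32, 80         # fixed-width fields sized to those moduli


def sym_crypt(key, data):
    """Stand-in for PGP's symmetric cipher: XOR with an HMAC-SHA256 counter keystream.
    The same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, off.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def pgp_send(message, sender_priv, recipient_pub):
    n_s, d = sender_priv
    n_r, e = recipient_pub
    # 1. SHA-1 the message, sign the digest with the sender's private key, prepend it.
    digest = int.from_bytes(hashlib.sha1(message).digest(), "big")
    signature = pow(digest, d, n_s).to_bytes(SIG_BYTES, "big")
    signed = signature + message
    # 2. Fresh session key K; encrypt signature and message together.
    k = os.urandom(16)
    body = sym_crypt(k, signed)
    # 3. Encrypt K with the recipient's public key and prepend it too.
    ek = pow(int.from_bytes(k, "big"), e, n_r).to_bytes(EK_BYTES, "big")
    # 4. Radix-64 so the binary result survives ASCII-only mail relays.
    return base64.b64encode(ek + body)


def pgp_receive(armored, recipient_priv, sender_pub):
    n_r, d = recipient_priv
    n_s, e = sender_pub
    raw = base64.b64decode(armored)
    ek, body = raw[:EK_BYTES], raw[EK_BYTES:]
    k = pow(int.from_bytes(ek, "big"), d, n_r).to_bytes(16, "big")   # recover K (confidentiality)
    signed = sym_crypt(k, body)
    signature, message = signed[:SIG_BYTES], signed[SIG_BYTES:]
    recovered = pow(int.from_bytes(signature, "big"), e, n_s)         # "decrypt" the signature
    verified = recovered == int.from_bytes(hashlib.sha1(message).digest(), "big")
    return message, verified


def demo(message=b"Meet at the usual place."):
    armored = pgp_send(message, SENDER_PRIV, RECIPIENT_PUB)
    got, ok = pgp_receive(armored, RECIPIENT_PRIV, SENDER_PUB)
    # Flip the last ciphertext byte: decryption still "succeeds", but the signature
    # no longer matches the altered message, so authentication fails.
    raw = bytearray(base64.b64decode(armored))
    raw[-1] ^= 0x01
    _, tampered_ok = pgp_receive(base64.b64encode(bytes(raw)), RECIPIENT_PRIV, SENDER_PUB)
    return got == message, ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```

Because the signature is inside the encrypted body, an observer of the armored message learns neither the content nor who signed it, and the recipient verifies authenticity only after the confidentiality step has been undone, which is the order the notes describe.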