
Chapter 3

Common Techniques for Mobile Communications Security

3.1 Introduction

Mobility is a quality that mobile subscribers everywhere now expect from voice and data services. Mobility and seamless services have been successfully integrated into a range of mobile communications, including mobile networks, in recent years. Today, a growing demand for advanced services, which creates new challenges for mobile technology, can be observed. This demand forces a convergence between mobile communications and IP networks, so that mobile services improve by using the capability of IP backbones to deliver rich user data.

The challenges raised by this convergence are being addressed to enable the successful implementation of new mobile technologies. Each network has been enhanced to provide the related services, voice or data. Web data services were integrated into 2G mobile networks with the arrival of the General Packet Radio Service, GPRS, and voice communication is now carried over IP networks using Voice-over-IP packetization. These matching data and voice services build the first bridges between mobile and IP networks and deploy new technology layers for each respective network. IP and mobile networks differ fundamentally in infrastructure, communication protocols, and properties, and their convergence has become a challenging engineering research topic. The hybrid design of mobile and IP access in the integration of 3G and IP networks is the focus of this chapter.

3.2 Securing Network Protocols

The security of network protocols has attracted a lot of attention in mobile networks, in the provision of IP-based services, and in ad hoc networks. Among the large set of networking protocols, one particular protocol, namely IP, is the target of a significant effort. For lack of space, we discuss, in what follows, the main solutions provided to secure IP.

The IP security protocol (or IPsec) is a suite of security protocols integrated seamlessly into IP that provides security services such as packet source authentication, packet integrity, confidentiality, and protection against replay attacks. In addition, IPsec provides data confidentiality, access control, and traffic tunneling. Common applications of IPsec include the following:

Enabling secure communication over public networks: This is the original application of IPsec, and it was created to provide a solution for IPv4 and, natively, for IPv6.

Securing intranet and extranet connectivity: IPsec can be used in combination with other security mechanisms to establish secure connections between communicating peers that need authentication and packet encryption (at the network layer).

Secure enterprise connectivity: Virtual private networks can be built for the needs of enterprises based on IPsec. They present various advantages, since they can save communication costs and allow companies to build networks equivalent to private networks by using IPsec.

Secure remote access: Using IPsec, an end user (which may be a mobile phone) can make a local call to his ISP and gain secure access to his corporate network. This can free companies from communication charges for remote employees.

A virtual private network (VPN) is a way of using a public communications infrastructure to provide remote sites or individual users with secure access to their private corporate network. Extending the concept to wireless environments, solutions such as IPsec and SSL/TLS come up in connection with the use of wireless access, either through a wireless LAN (WLAN) provided by a wireless Internet service provider (WISP) or through a mobile network such as GPRS. Such a VPN is called a wireless VPN. The secure connections can involve two kinds of endpoints, either an individual computer or a LAN with a security gateway. Figure 3.1 depicts an example of a wireless VPN. Traditionally, the LAN-to-LAN connection, where a security gateway at each endpoint, with known IP addresses, serves as the interface between the secure connection and the private LAN, has been the most used.

Figure 3.1 Wireless VPN.

Today, as telecommuting with mobile devices such as laptops is common, end entities can take part in VPN schemes.

3.2.1 IPsec Processing

IPsec uses the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols to apply security to IP packets. AH provides integrity and authentication, and non-repudiation if the appropriate choice of cryptographic algorithms is made. ESP provides confidentiality, along with optional (but strongly recommended) authentication and integrity protection. The encryption and hash algorithms specified for use with IPsec include HMAC-SHA1 for integrity protection, and 3DES-CBC and AES-CBC for confidentiality. IPsec uses the concept of a security association (SA) as the basis for building security functions into IP. A security association is simply the set of algorithms and parameters (such as keys) being used to encrypt and authenticate a particular flow in one direction. To decide what protection is to be provided for an outgoing packet, IPsec uses the Security Parameter Index (SPI), an index into the security association database (SADB), along with the destination IP address in the packet header, which together identify an SA for that packet. A similar procedure is performed for an incoming packet, where IPsec reads the decryption and verification keys from the security association database to process the received packet.

An SA provides security services using either AH or ESP, but not both (for this, two SAs are used if the traffic flow uses both AH and ESP). For typical IP traffic, two SAs are needed: one for each direction of traffic (one each for the source and the destination). Three items uniquely identify an SA: a security parameter index (SPI), the destination IP address, and the security protocol (AH or ESP) identifier. In general, the destination address can be a unicast address, an IP broadcast address, or a multicast group address. However, the management mechanisms currently in use set up unicast SAs only.

IPsec processing is mainly divided into outbound versus inbound processing and AH versus ESP applications. Packet processing in IPsec differs between input and output. Protocol processing can be classified into SPD processing, SA processing, header processing, and packet transformation. SPD and SA processing are the same for both AH and ESP. The transformation and header processing are carried out differently for AH and ESP.

Two modes of operation can be used in IPsec: transport mode and tunnel mode. In transport mode, only the payload (i.e., the transferred data) of the IP packet is encrypted and/or authenticated. Routing is not altered by the IPsec processing, since the IP header is neither modified nor encrypted; however, when the authentication header is used, the IP addresses cannot be translated, as this would invalidate the hash value. The transport and application layers are always secured by a hash, so they cannot be modified in any way. Transport mode is used for host-to-host communications. In tunnel mode, on the other hand, the entire IP packet (data and header) is encrypted and/or authenticated. It must then be encapsulated into a new IP packet, with a new header, for routing to work.

3.2.1.1 Outgoing Traffic Processing

The first step in IPsec processing is to query the policy database, namely the SPD, to find the policy to apply to the outgoing packet. The selector is built from the traffic information found in the packet, such as the source and destination IP addresses, the transport protocol, and the source and destination ports. The policy can specify the action to perform on the packet. If the packet has to be discarded, then the action is performed and IPsec processing ends. If the packet has to be processed (i.e., IPsec applied), then either an SA exists for the given traffic, and the SA is therefore retrieved from the SA database (SAD), or no SA exists, and a new SA is therefore created for the traffic.

If an SA is retrieved, the system reads the mode to be applied. If tunnel mode is provided, then a new packet is created. The original packet becomes the payload of the new packet. In this case, the information in the original packet is left unmodified except for the TTL field of the IP header. Therefore, the checksum of the original packet must be recomputed. The header of the new IP packet is built from the original header by copying or computing parameters based on the SA contents. Once the new packet is created, it can be processed by AH or ESP according to the SA. The next header field needs to be filled with the identifier of AH or ESP. After AH or ESP processing, the packet can be reprocessed by IPsec, if an SA bundle is applied, or passed to the lower communication layers.

Figure 3.2 Outgoing traffic processing.

It is worth noting that fragmentation can occur after IPsec processing. Fragmentation is needed because the IP packet can become larger than the maximum transmission unit supported by the lower layers. This operation reduces the size of the IP packet by splitting it into smaller pieces. Figure 3.2 depicts the five steps of IPsec processing. The steps summarize the above discussion: (1) receiving the packet; (2) querying the SPD to discover the applicable policy; (3) querying the SAD to retrieve the matching SA; (4) processing the packet by applying AH or ESP using the SA; and (5) forwarding the produced packet. Steps b, c, and d are looped until no more policies apply (Juarez, 2000).

3.2.1.1.1 AH Outbound Processing

AH is applied to an outgoing packet through the following steps:

1. Insertion of the AH header into the IP packet to be processed.
2. Generation of the sequence number. This number is incremented and copied, with each AH processing, into the corresponding field of AH. It is set to 0 when the SA is generated.
3. MAC computation. The MAC algorithm specified by the SA is used to generate a MAC of the packet.
4. Padding. If needed, the authentication data field is padded to align it with the IPv4 or IPv6 format.
5. Fragmentation. IP fragmentation can be applied to the packet after AH processing.

3.2.1.1.2 ESP Outbound Processing

ESP is applied to an outgoing packet only after an IPsec implementation determines that the packet is associated with an SA established for ESP processing. The outbound ESP processing steps are as follows (Kent, 1998; 1998a):

1. Insertion of the ESP fields into the packet to be processed.
2. Addition of padding, if needed. The Pad Length and Next Header fields are set to their values.
3. Encryption. The ESP payload is encrypted using the algorithms and parameters specified by the SA.
4. Generation of the sequence number. This is done in the same way as for AH processing.
5. MAC computation. This is performed if authentication is required. It is computed over the entire ESP packet, except for the last field, which contains the MAC.
6. Fragmentation. If needed, fragmentation is applied to the packet produced after ESP processing.

3.2.1.2 Incoming Traffic Management

When an incoming IP packet is received, the packet is reassembled. Then, it is processed if, and only if, the Next Protocol field specifies a value related to AH or ESP. Otherwise, it is only checked against the SPD to verify whether it matches the inbound policies. If the packet belongs to traffic that does not need IPsec protection, then the packet is forwarded; otherwise, it is discarded.

In the other cases, IPsec processing proceeds as follows: In the first step, the destination IP address, the IPsec protocol, and the SPI are used to query the SAD to retrieve the SA used (by the sender) to protect the packet. In the second step, the destination checks the selectors to verify that they are the ones defined by the SA, and if this is not the case, the packet is discarded. In the third step, an inbound policy check is made on the packet selectors to find out whether the policy has been enforced. In the last step, the original packet is forwarded to the outgoing interface. During IPsec processing, AH or ESP may be applied.

3.2.1.2.1 AH Inbound Processing

The different steps of AH processing for incoming traffic are described as follows:

Sequence number validation: If the retrieved SA specifies anti-replay protection, the sequence number is checked. If it has already been seen, the packet is discarded; otherwise it is accepted.

MAC validation: The MAC value is verified by recomputing it based on the SA parameters. If the received MAC and the computed MAC are equal, then the packet is accepted. The AH header is then removed, and the anti-replay window is adjusted if needed.

A sliding window is used to detect duplicated sequence numbers. It keeps track of the sequence numbers received between the lower and upper bounds of the window. When an incoming sequence number is lower than the lower bound of the window, the packet is discarded. When the incoming number is greater than the upper bound, the window slides upward and the sequence number is retained. A minimum window size of 32 bits must be supported. If the received sequence number of the packet falls within the window, then the receiver proceeds to ICV verification. If ICV validation fails, the receiver must discard the received IP packet as invalid. If ICV verification succeeds, the receive window is updated. The audit log entry for this event should include the SPI value, date/time, Source Address, Destination Address, Sequence Number, and Flow ID (in the case of IPv6).
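
The receiver-side window described above can be sketched as follows. This is an added example, not code from the original text: the `InboundSA` structure, the function names, the key and the addresses are hypothetical, and the ICV is simplified to HMAC-SHA1 over the SPI, sequence number and payload. It shows that the window only moves after the ICV has been verified, so a forged packet with a high sequence number cannot push legitimate traffic out of the window.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

WINDOW_SIZE = 32                      # minimum window size named in the text
WINDOW_MASK = (1 << WINDOW_SIZE) - 1


@dataclass
class InboundSA:
    """Receiver-side state for one SA (hypothetical structure for this example)."""
    spi: int
    auth_key: bytes
    top: int = 0        # upper bound: highest sequence number authenticated so far
    bitmap: int = 0     # bit n set => sequence number (top - n) was already accepted
    audit_log: list = field(default_factory=list)


def compute_icv(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Simplified ICV: HMAC-SHA1 over SPI, sequence number and payload."""
    msg = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + payload
    return hmac.new(key, msg, hashlib.sha1).digest()


def window_verdict(sa: InboundSA, seq: int) -> str:
    """Classify a sequence number against the window without changing state."""
    if seq > sa.top:
        return "ahead"                # above the upper bound: window may slide
    offset = sa.top - seq
    if offset >= WINDOW_SIZE:
        return "too_old"              # below the lower bound: discard
    if (sa.bitmap >> offset) & 1:
        return "duplicate"            # already accepted: replay
    return "in_window"


def _discard(sa, reason, src, dst, seq, when):
    # Audit fields listed in the text (Flow ID omitted: the sample is IPv4).
    sa.audit_log.append({"spi": hex(sa.spi), "time": when, "src": src,
                         "dst": dst, "seq": seq, "reason": reason})
    return reason


def receive(sa, src, dst, seq, payload, icv, when):
    """Window check first, ICV check second, window update only on success."""
    verdict = window_verdict(sa, seq)
    if verdict in ("too_old", "duplicate"):
        return _discard(sa, verdict, src, dst, seq, when)
    expected = compute_icv(sa.auth_key, sa.spi, seq, payload)
    if not hmac.compare_digest(expected, icv):
        return _discard(sa, "bad_icv", src, dst, seq, when)
    if verdict == "ahead":
        sa.bitmap = ((sa.bitmap << (seq - sa.top)) | 1) & WINDOW_MASK
        sa.top = seq
    else:
        sa.bitmap |= 1 << (sa.top - seq)
    return "accepted"


def demo():
    """Replay a constructed packet sequence through one SA."""
    key = b"constructed-demo-key"
    sa = InboundSA(spi=0x1001, auth_key=key)
    src, dst = "192.0.2.10", "198.51.100.20"      # documentation addresses
    results = []
    # (sequence number, forged ICV?) -- constructed sample traffic
    traffic = [(1, False), (5, False), (3, False), (3, False),
               (100, True), (40, False), (5, False), (9, False)]
    for seq, forged in traffic:
        payload = b"payload-%d" % seq
        icv = b"\x00" * 20 if forged else compute_icv(key, sa.spi, seq, payload)
        results.append(receive(sa, src, dst, seq, payload, icv,
                               "2024-01-01T00:00:00Z"))
    return sa, results


if __name__ == "__main__":
    sa, results = demo()
    print(results)
    for entry in sa.audit_log:
        print(entry)
```
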

3.2.1.2.2 ESP Inbound Processing

The following three steps make up the main operations performed by ESP processing on incoming packets:

1. Sequence number validation.
2. MAC validation: If authentication is required, the MAC value is recomputed and checked. If the two values are not equal, the packet is discarded; otherwise processing continues.
3. Original packet recovery: This is done using a sequence of three operations: (1) decrypting the ESP Payload Data, Padding, Pad Length, and Next Header fields using the secret key, encryption algorithm, algorithm mode, and cryptographic synchronization data specified by the SA; (2) adding any padding specified in the encryption algorithm specification; and (3) reconstructing the original IP datagram from the original IP header and the upper layer protocol information in the ESP Payload field for transport mode, or from the tunnel IP header and the entire IP datagram in the ESP Payload field for tunnel mode.

3.2.2 IPsec Limitations

The limitations experienced with IPsec techniques and deployments can be divided into four classes (Arkko, 2003): (a) limitations of expressive power in policy specifications; (b) limitations of application control over policies; (c) limitations of the support mechanisms for authorization and the inability to link authorization decisions with security processing; and (d) limitations in the protection of the SAD and SPD. In the following, we give some details on these four issues.

3.2.2.1 Limitations of Expressiveness

It appears that, in some situations, the expressiveness of security policy entries needs to be increased to cover a wider range of objects than the traditional ones (such as IP addresses, upper layer protocol identifiers, and port identifiers). In particular, given, for example, the common use of dynamic addresses, the growing use of mobility, and roaming, one can say that an IP address does not uniquely identify a host. Thus, the fact that IPsec SA parameters are tightly bound to IP addresses reduces the freedom of mobile nodes in choosing the addresses they use to communicate. In particular, it can be useful to be able to use multiple addresses instead of just one.

3.2.2.2 Limitations of Application Control

Application control over the policies used in IPsec may be required in many situations, especially those involving mobile applications. Examples of applications that require control over security policies include the need to configure the security policies of an application in an environment where the protocols in use are mostly deployed without security turned on; the need to consider dynamic IP addresses and port numbers; and the need for applications to be aware of the underlying security mechanisms (such as knowing whether security is in use or not). In addition, some standard specifications of applications even require that applications be aware of the underlying security mechanisms, or at least of whether security is turned on or off.

To address this issue, we need to be aware that security decisions often require information coming from the application layers, whereas the current IPsec architecture expects all security processing to be done at the IPsec layer. More importantly, applications often do not know whether IPsec is applied.

3.2.2.3 Limitations of Authorization Procedures

Networks implementing IPsec do not use local access control to provide authorization mechanisms. This reduces the ability of a networked service to provide individualized permissions based on service-related parameters and user features. A node can, for example, use local access control lists, use specific fields in digital certificates, or create a separate certificate infrastructure for each application on the host. Unfortunately, IPsec deployments do not cope with all of these needs.

On the other hand, the key exchange protocols used in IPsec, such as IKE, do not take into consideration the authorization information that can be extracted from certificates when accepting a particular request for a new SA. This creates a number of problems in the SA establishment phase.

3.2.2.4 Limitations of SAD and SPD Protection

Current standards, implementations, and practices in IPsec deployment do not show that any particular mechanism is made available to protect the most sensitive components of the IPsec suite. Illegitimate access to the SPD would allow an intruder to change any policy. An unauthorized intrusion into the SAD would allow an attacker to obtain all the material stored securely in the SAs.

Two approaches can be used to overcome these limitations. The first approach reduces the role of IPsec to that of a protocol dedicated to building VPNs, and provides appropriate solutions, including adapted means for securing applications. The second approach makes IPsec cooperative with applications that need advanced security. In the next subsection, we discuss the improvements needed with respect to these approaches, especially when mobility is involved.

3.2.2.5 Application-Specific Security Solutions

These solutions assume that no additional requirements are placed on IPsec implementations and that adapted security solutions are provided for applications. They also assume that it is possible to provide tools in the form of common security object formats and a library supporting them. The library would allow developers to integrate the following tools into the relevant applications:

Tools for the retrieval, verification, processing, and proof of digital credentials (such as digital certificates).

Procedures for testing essential properties, including liveness, denial-of-service detection, and address validity.

Handling of signed and encrypted packets; delivering information about the application entities being communicated with; and answering the authorization requirements of the application.

Few such libraries exist today. They are often well suited for traditional applications and lack specific mechanisms (such as address checks) required in the control protocols for mobile systems. Three improvements could be useful for the large-scale deployment of IPsec in mobile systems and mobile applications:

1. Providing mechanisms for applications to control security policies. One may require that a default configuration for IPsec be supplied automatically. This can be provided through an application programming interface (API) and would help ensure that a security service is not turned off without the user's knowledge. However, this approach has a drawback: such a default configuration may not always be available or appropriate. For example, default configurations may be incompatible with some of the requirements for protecting the traffic coming from a particular mobile node.

2. Allowing applications to make authorization decisions. One approach to letting applications control authorization is to create an application programming interface (API) between IPsec, IKE, and the controlling applications. A standardized API would also make it possible for applications relying on IPsec and IKE to obtain security information by copying the IPsec security databases to the application layers. However, this is not sufficient, because the application-layer policy information must be fully involved. To use the API, applications need tools to deal with authorization issues, including those that perform all kinds of verification related to the use of certificates and make effective use of the extensions that allow authorization information to be expressed easily.

3. Reducing the dependence on IP addresses. Reducing the dependence of the security mechanisms provided by IPsec on IP addresses is necessary to allow address dynamicity. This reduction should apply to IPsec security associations, policy entries, and application-layer policies. It also needs to comply with the requirements of roaming and handover procedures.

3.3 Attacks on IPsec

Several attacks target the IPsec suite. Among these attacks, one can consider the bit flipping attack on CBC mode, the attack based on destination address rewriting, the attack based on IP options processing, the attack based on protocol field manipulation, and packet decryption with padding oracle attacks.

3.3.1 Destination Address Rewriting-Based Attack

To explain how this attack is carried out, let us consider an attacker located at address $ADD_{Hck}$ and two gateways communicating using ESP in tunnel mode without authentication. We also assume that the block size is 64 bits (the attack, however, is feasible when the block size is 128 bits). Finally, we assume that the attacker knows the destination address $ADD_{Dst}$ of the destination of the inner packet. The attack exploits the following weakness, called bit flipping.

Let $C = \langle C_0, C_1, \ldots, C_k \rangle$ be an encrypted packet containing $k$ blocks. Bit flipping consists of modifying one of the blocks, say $C_i$, using a chosen mask of the same length,

$$C_i' = C_i \oplus Mask$$

Decrypting the modified packet, $C' = \langle C_0, \ldots, C_{i-1}, C_i', C_{i+1}, \ldots, C_k \rangle$, gives the following packet, where $P = \langle P_0, P_1, \ldots, P_k \rangle$ is the original plaintext, $D_K$ is the decryption function used by ESP, and the ciphertext is obtained following Figure 3.3, which depicts the relations $P_j = C_{j-1} \oplus D_K(C_j)$, for all $j$. We have:

$$P' = \langle P_0, \ldots, P_{i-1}, P_i', P_{i+1}', P_{i+2}, \ldots, P_k \rangle$$

$$P_{i+1}' = C_i' \oplus D_K(C_{i+1}) = C_i \oplus Mask \oplus D_K(E_K(C_i \oplus P_{i+1})) = C_i \oplus C_i \oplus P_{i+1} \oplus Mask = P_{i+1} \oplus Mask$$

$$P_i' = C_{i-1} \oplus D_K(C_i')$$

Figure 3.3 CBC decryption.

This shows that the chosen bits of $P_{i+1}$ are flipped in the same way as in $C_i$. However, block $P_i$ is modified randomly.

The destination address rewriting-based attack is carried out in two steps:

1. The attacker captures an encrypted packet, $C = \langle C_0, C_1, \ldots, C_k \rangle$, written as $k$ blocks of 64 bits. He then modifies block $C_2$ by applying the mask $M = ADD_{Dst} \oplus ADD_{Hck}$ to its first 32 bits, where the destination IP address is contained. Then, if he injects the new packet into the tunnel, the gateway will decrypt the packet, see the destination address in block $P_3$, and send the packet in clear to the attacker (except block $P_2$). Since he changed $C_2$, the attacker has also scrambled block $P_2$. This block contains part of the IP header. Thus, if some value is no longer valid (such as the checksum), the gateway will drop the packet. To overcome this drawback, the attacker can try to modify the last 32 bits of $C_2$ randomly, giving $C_2''$, and inject the new packet into the tunnel. The attacker repeats this attempt until the gateway accepts the packet. It has been shown that, after $2^{17}$ attempts, the probability of success of the attack is about 60% (Paterson, 2005).

2. Then, the attacker selects a new encrypted packet from the tunnel, denoted <0, 1, 2, .., k>, and replaces its first four blocks with the blocks used in the first step (i.e., $C_0$, $C_1$, $C_2''$, $C_1$). This gives a new valid header containing the attacker's address as the destination. The packet is injected into the tunnel, and the gateway then sends it in clear to the attacker.

We can also assume that the attacker does not know the address $ADD_{Dst}$. In this case, he must be able to capture all the traffic leaving the gateway.

3.3.2 Attack Based on IP Options Processing

An attack of this type uses the same working procedure as the previous attack. Thus, it is carried out in two steps. The main difference occurs in the first phase, where the mobile attacker randomly modifies the last 32 bits of $C_2$ and thereby changes the part of the IP header containing the source address. The attacker also modifies block $C_0$ in such a way as to obtain a larger value of the IHL field in the IP header. As a result, the gateway finds that the header has invalid values and sends an ICMP packet, in clear, to the random IP address, containing the modified inner packet. If the attacker can listen to outgoing packets, he can record this ICMP packet, which contains the header in clear and part of the payload. In addition, if the random modifications in $C_2$ change the checksum value, the packet will be dropped if it is declared invalid. Therefore, the attacker repeats the first step until an ICMP packet is sent. It has been shown that $2^{16}$ iterations guarantee that the success probability of the attack exceeds 55% (Paterson, 2005).

The second phase of the attack is essentially the second step of the first attack. The attacker can reuse blocks $C_0$ and $C_2$ to make a new packet, which will in general produce ICMP packets with the IP header and part of the payload in clear.

3.3.3 Attack Based on Protocol Field Manipulation

This attack aims to manipulate the protocol field in the IP header of the captured encrypted packet. The attack is effective when the block size of the encrypted packet is 128 bits and the encryption algorithm is AES. In this version, the protocol field (in the captured packet) is located in plaintext block $P_1$. Thus, simply by flipping bits in $C_0$, this field can be made to indicate an upper layer protocol that is not supported by the end host. On receiving the modified encrypted packet, the host will send an ICMP packet. The attacker still has to modify the source address, but he now only changes a few bits in $C_0$ until he receives a "port unreachable" reply; this may require about $2^{15}$ iterations.

3.3.4 Proposal Attack

Suppose that the initiator of a communication sends a list of many proposals, in order of preference, during SA negotiation, and suppose that the lowest-preference proposal provides only marginal security. The attacker can modify the responder's SA payload to choose this weak proposal, and the rest of the exchange completes as normal. The initiator will now start using the newly negotiated SA keys, which are significantly weaker than they should be. Once the initiator starts using the weak keys, the attacker can carry out a brute-force search for the keys. Once they are found, the attacker recovers the ISAKMP SA keys and can now negotiate full-strength IPsec SAs with the initiator while pretending to be the responder. This is a clear violation of the intent of the protocol. A refinement is that altering the responder's SA can change the mode being used. An attacker could thus have the responder carrying out the protocol in one mode and the initiator carrying out the protocol in another mode.

3.3.5 ESP Padding Oracle Attack

The ESP protocol adds some padding at the end of the IP packet so that its length is a multiple of the block size. It also adds two bytes, Pad Length (PL) and Next Header (NH), after this padding (see Figure 3.4 for a description of the IP header). The NH byte has the value 4 in tunnel mode. Every IPsec gateway that receives an encrypted packet should check whether the padding of the packet has the described structure. If this is not the case, the gateway drops the packet. Now consider an IPsec tunnel between two gateways using ESP without authentication. The mobile attacker is able to listen to the traffic and inject packets into the tunnel. The attacker can then capture an encrypted packet. He then randomly modifies the parts of the packet containing the IHL value or the Protocol field (in the same way as in the second attack). The goal of the attack is to make a modification that yields an ICMP message inside the tunnel. Thus, the attacker does not have to change the source and destination addresses. For this, he needs to keep trying until the packet generates an ICMP message. Although the ICMP message is still encrypted, we assume that the attacker can recognize it.

Bits:  0-3 | 4-7 | 8-15 | 16-18 | 19-31
Version | IHL | ToS | Total Length
Identification | Flags | Fragment offset
TTL | Protocol | Checksum
Source address
Destination address
Options
Data

Figure 3.4 IP packet structure.


We now write the received ICMP message in the form $C = \langle C_0, C_1, \ldots, C_k \rangle$. The padding oracle attack can then be mounted (Vaudenay, 2002). Suppose that the attacker wants to decrypt a newly received block $C_i'$. He starts by sending the message $\langle C_0, C_1, \ldots, C_k, R, C_i' \rangle$, where $R$ is a random block and the $C_i$ are the blocks of the ICMP ciphertext that the attacker managed to obtain in the preparation phase. On receiving this message, the gateway interprets the last bytes of $C_i'$ as padding and drops the packet if it is invalid. An ICMP message is generated if the last two bytes of $R \oplus D_K(C_i') = R \oplus P_i$ are equal to 0 and 4, respectively, which corresponds to a valid padding of length 0. This means that (a) it takes at least $2^{16}$ iterations to obtain the ICMP message and (b) the attacker can change the last two bytes of $R$ until an ICMP message is sent. When this happens, the attacker is assured that he has found the last two bytes of the plaintext $P_i$.

To decrypt the preceding byte, the attacker sends the packet $\langle C_0, C_1, \ldots, C_k, R', C_i' \rangle$, where $R'$ equals $R$ except that the 6th byte $R'[6]$ of $R'$ is given by

$$R'[6] = R[6] \oplus 1.$$

The attacker randomly selects values of the byte $R'[6]$ until an ICMP message is sent. This means that the attacker can build a valid padding of length 1 and can therefore find the value of the third-to-last byte of $P_i$. Thus, the attacker can decrypt all the bytes of $C_i$ using this method by increasing the padding length. At least 256 iterations are needed for each byte.

Finally, we note that the most effective countermeasure against these attacks is to use ESP with both encryption and authentication, since authentication allows the detection of packets injected by an attacker, using the message authentication code appended at the end of the packet. Another way to protect against some of the attacks is to block ICMP messages.
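
The bit-flipping relation from Section 3.3.1 and the countermeasure stated above can be checked side by side. This is an added example, not code from the original text: the 64-bit Feistel cipher is a toy stand-in for 3DES (the Python standard library has no block cipher), the keys and payload are constructed, and $C_0$ is treated as the IV so that plaintext blocks are numbered from $P_1$.

```python
import hashlib
import hmac

BLOCK = 8  # 64-bit blocks, as assumed in Section 3.3.1


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    """Feistel round function built from SHA-256 (toy construction)."""
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for i in range(8):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for i in reversed(range(8)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> list:
    """Return [C0, C1, ..., Ck] with C0 = IV."""
    blocks, prev = [iv], iv
    for off in range(0, len(plaintext), BLOCK):
        prev = encrypt_block(key, _xor(prev, plaintext[off:off + BLOCK]))
        blocks.append(prev)
    return blocks


def cbc_decrypt(key: bytes, blocks: list) -> list:
    """P_j = C_{j-1} xor D_K(C_j); returns [P1, ..., Pk]."""
    return [_xor(blocks[j - 1], decrypt_block(key, blocks[j]))
            for j in range(1, len(blocks))]


def flip(blocks: list, i: int, mask: bytes) -> list:
    """C_i' = C_i xor Mask, all other blocks unchanged."""
    out = list(blocks)
    out[i] = _xor(out[i], mask)
    return out


def compute_icv(auth_key: bytes, blocks: list) -> bytes:
    """Encrypt-then-MAC: HMAC-SHA1 over the whole ciphertext."""
    return hmac.new(auth_key, b"".join(blocks), hashlib.sha1).digest()


def receive_authenticated(enc_key, auth_key, blocks, icv):
    """Gateway with authentication: verify the ICV before decrypting."""
    if not hmac.compare_digest(compute_icv(auth_key, blocks), icv):
        return None  # packet dropped, nothing is decrypted or forwarded
    return cbc_decrypt(enc_key, blocks)


def demo():
    enc_key, auth_key = b"constructed-enc-key", b"constructed-auth-key"
    iv = bytes(range(8))
    plaintext = b"BLOCK-01BLOCK-02BLOCK-03BLOCK-04"   # constructed payload
    c = cbc_encrypt(enc_key, iv, plaintext)
    icv = compute_icv(auth_key, c)

    i, mask = 2, bytes.fromhex("ffff000000000000")
    c_mod = flip(c, i, mask)

    return {
        "mask": mask,
        "original": cbc_decrypt(enc_key, c),
        # Without authentication the modified packet decrypts "successfully".
        "unauthenticated": cbc_decrypt(enc_key, c_mod),
        # With authentication the same packet is rejected.
        "authenticated_modified": receive_authenticated(enc_key, auth_key, c_mod, icv),
        "authenticated_genuine": receive_authenticated(enc_key, auth_key, c, icv),
    }


if __name__ == "__main__":
    r = demo()
    for name in ("original", "unauthenticated"):
        print(name, [b.hex() for b in r[name]])
    print("authenticated, modified packet:", r["authenticated_modified"])
```

In the output list, index 1 holds $P_2$ (scrambled) and index 2 holds $P_3$ (changed by exactly the mask), matching $P_i'$ and $P_{i+1}'$ for $i = 2$.
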

3.4 Transport Protocols Security

The purpose of this section is to analyze the SSL/TLS and SET protocols and how they meet the security requirements needed for a wireless network. In particular, the wireless version of TLS is studied and its limits are addressed.

3.4.1 SSL/TLS Features

SSL and TLS are currently the most widely used protocols for securing client/merchant Internet links. SSL is layered on top of an existing reliable protocol suite, namely TCP/IP. To provide its services, SSL is divided into two layers: the handshake protocol and the record layer. The handshake protocol allows the communicating parties to optionally authenticate each other and to exchange session keys. At the end of the handshake procedure, the communicating parties share a secret that can be used to build a secure channel. SSL is an asymmetric protocol that follows the client-server model. A typical use of SSL relies on the RSA key exchange algorithm with server authentication only. Figure 3.5 depicts the message flow for establishing a session.

Figure 3.5 Message flow in an SSL session.

Typically, SSL requires these seven steps (Freier, 1996):
1. The client (or his browser) initiates the communication by sending a ClientHello message to the server. The message includes information such as the SSL version, the data compression method used, a session ID, and a random number used in the handshake to prevent replay attacks.
2. In response to the Hello message, the server replies with a ServerHello message. This message contains a random number and a session ID attribute that can be used by the client to identify a session with the server. The message is accompanied by a certificate, which contains the server's public key, along with (optional) information for verifying the certificate.
3. The client verifies the certificate by checking its signature. He then copies the server's public key, if the certificate is valid. The client then generates a pre-master secret, encrypts it with the server's public key, and sends the ciphertext to the server in a ClientKeyExchange message.
4. The server decrypts the ClientKeyExchange message using its private key and obtains a copy of the pre-master secret chosen by the client. Both the server and the client use a predefined algorithm to derive a master secret from the pre-master secret and the random numbers generated by the client and the server.
5. The master secret is used to generate the symmetric keys for message encryption and authentication. The master secret is often called the state of the session between the client and the server. Sessions are identified by the two random numbers. The session state is cached by the client and the server for a short time.
6. The client sends his certificate (when he has one), if required by the server. He/she then sends a ClientKeyExchange message containing the key information that will be used to generate a master secret and the keys that will subsequently be used for encryption (and other purposes). The client also sends a CertificateVerify message to prove that he/she holds the private key corresponding to the certificate.
7. The client sends a ChangeCipherSpec message to indicate the starting point of a protected channel. He/she then sends a client Finished message containing a hash of the exchanged handshake messages. The message is encrypted and authenticated. The server sends back a ChangeCipherSpec message and a ServerFinish message.

Re-establishing an SSL session using cached state is relatively simple compared with the initial steps. The client only needs to specify the session ID of the (old or existing) session that it wishes to reuse when sending the Hello message. The server checks its cache; if the state is still alive, the master secret is used to generate the secret keys for the client and the server.

It appears clearly from the description of the SSL functions that:

SSL protects the confidentiality of transactions using symmetric encryption. It protects the confidentiality of transmitted data against interception attacks and provides integrity protection for transferred data.

SSL uses server certificates as the basis for server authentication. To this end, the client can check the server's authenticity by checking its ability to decrypt information encrypted with the server's public key. In addition, SSL can provide client authentication, if the client has a public key that is signed and conveyed using a certificate that can be checked by the server. SSL provides protection against replay attacks by third parties (on sessions) by using a random number during the handshake.

SSL does not provide a non-repudiation service. In fact, clients and servers do not hold any cryptographic evidence to show to a third party that a transaction took place.

The Transport Layer Security (TLS) protocol (as introduced in 1995 by the IETF) works in a way similar to SSL, but it presents some differences that we describe as follows (Allen, 1997):

1. For message authentication, TLS relies on the computation of message authentication codes.
2. For certificate verification, TLS assumes that the signed information includes only the exchanged handshake messages. In contrast, the signed information in SSL includes a two-round hash of the handshake messages (master secret and padding).
3. For key generation, TLS uses a pseudorandom function to generate keys using a master secret, a label in which the name of the key is specified, and a seed as initial inputs. In contrast, SSL uses a complex scheme to generate the key material.

3.4.2 Security Limitations of SSL/TLS

Despite their wide use, SSL and TLS exhibit several drawbacks that can be summarized as follows:

1. Transaction information is protected against interception attacks only while it is being transmitted. Thus, sensitive information such as the customer's account information is available to the merchant. The customer therefore has to trust the merchant and rely on the security of the merchant's Web server. If the server is penetrated, a large number of user account details can be compromised.
2. SSL/TLS provides integrity protection for data transmitted over an SSL/TLS session; however, it does not provide protection against modification of the transaction information by a corrupt merchant or customer.
3. The SSL/TLS protocol uses server certificates as the basis for server authentication. However, some risk of server spoofing remains. Man-in-the-middle attacks can be mounted easily by using a sniffing application to intercept the communication between two entities during the initialization steps. If an SSL/TLS connection is used, the attacker can simply establish two secure connections, one with the client and the other with the server. In this way, the attacker can read and modify the information sent between the two parties and can convince the client and the server that they are communicating with each other over a secure channel.
4. Client authentication in SSL/TLS creates a serious threat by allowing unauthorized persons to mount attacks. Indeed, anyone who has access to the client's computer and knows (or can find out) the PIN or password used to decrypt the private key can carry out transactions on behalf of the client. This is particularly important when merchants use client authentication to access records containing private customer information (e.g., account details and addresses).
5. SSL-based approaches to building a VPN assume that the client can only access Web server applications. In contrast, an IPsec VPN provides access to all kinds of applications.
6. SSL/TLS solutions simply provide a secure means of communication between clients and servers, but do not provide long-term evidence regarding transactions. In fact, session states and secret keys are stored only for a short time.

3.4.3 WTLS

The Wireless Transport Layer Security, WTLS, operates between the transport and transaction layers. Like SSL, it is responsible for the security of the connections between client and server. The technology behind WTLS is based on TLS. WTLS borrows the principles of TLS and adapts them to the wireless environment, taking its limited resources into account. The aim of WTLS is to be a lightweight version of TLS and to provide the following four functions: (a) provide confidentiality, data integrity, and authentication; for this, it supports several cryptographic algorithms to establish and maintain a secure connection; (b) provide datagram support when packet-switched services are used; (c) perform an optimized handshake, saving time and bandwidth; and (d) ensure a dynamic key refresh (Christinat, 2000).
By allowing the encryption and authentication keys to be changed during an active connection, WTLS makes it very hard for eavesdroppers to decrypt the messages passing through the connection, since the keys are not the same throughout the session. How often the keys are changed is decided in the handshake procedure. The WTLS architecture is divided into five parts (as depicted in Figure 3.6). It integrates a Record Protocol and four client protocols that are used in combination with the Record Protocol. The main features of WTLS are described as follows.

3.4.3.1 Record Protocol

The Record Protocol is divided into four different client protocols: the Alert, Application, Change Cipher Spec, and Handshake protocols. Data that must be transferred to another entity over the wireless network is subjected to different operations such as compression, MAC application, encryption, and transmission. When the Record Protocol receives data, it is responsible for decrypting it, verifying it, decompressing it, and passing it to the next layers. However, the compression, authentication, and encryption operations are optional, and their use is decided during the handshake phase. Unlike TLS, the Record Protocol does not allow fragmentation and leaves this task to the transport layer.

[Figure 3.6: WTLS architecture.]

To protect the payloads, explicit sequence numbering can be used. If a datagram transport protocol is used, then this is mandatory. When sequence numbering is used, several problems can arise relating to duplicated and lost records. To solve these problems, a sliding window is used to track the received messages. Sequence numbers always start at the value zero and end when the value is 2^16 - 1. When the upper limit is reached, the secure connection must be closed and a ChangeCipherSpec message is sent to reinitialize the sequence numbers.
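The sliding window described above can be sketched as follows. This is an added example, not code from the book or from any WTLS implementation; the window width of 32 and all class and function names are assumptions, since the text gives no window size.

```python
"""Receiver-side replay window for 16-bit record sequence numbers (illustrative)."""

SEQ_MAX = 2**16 - 1   # last usable sequence number, as stated in the text
WINDOW = 32           # window width: an assumption, the text gives no size


class ReplayWindow:
    def __init__(self, width=WINDOW):
        self.width = width
        self.highest = -1   # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => (highest - i) has already been accepted

    def check_and_update(self, seq):
        """Classify one record as 'accept', 'duplicate' or 'too_old'."""
        if not 0 <= seq <= SEQ_MAX:
            raise ValueError("sequence number outside 0..2^16-1")
        if seq > self.highest:
            # New highest number: slide the window forward and mark it as seen.
            shift = seq - self.highest
            mask = (1 << self.width) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.width:
            # Older than the window can remember: cannot be told apart from a replay.
            return "too_old"
        if self.bitmap & (1 << offset):
            return "duplicate"
        # A late record that fills a hole left by reordering or loss.
        self.bitmap |= 1 << offset
        return "accept"

    def exhausted(self):
        """True once 2^16 - 1 has been used; the connection must then be re-keyed."""
        return self.highest >= SEQ_MAX


def classify(arrivals, width=WINDOW):
    """Run a constructed arrival order through a fresh window."""
    window = ReplayWindow(width)
    return [window.check_and_update(seq) for seq in arrivals]


if __name__ == "__main__":
    # Constructed arrival order: reordering (3 before 2), replays (3, 1),
    # a jump caused by lost records (40) and a very late record (5).
    for seq, verdict in zip([0, 1, 3, 2, 3, 1, 40, 5],
                            classify([0, 1, 3, 2, 3, 1, 40, 5])):
        print(seq, verdict)
```

Records classified as duplicate or too_old are dropped before any further processing, so a replayed datagram never reaches the application.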

3.4.3.2 Change Cipher Spec Protocol

If a client or server wants to change the negotiated cipher suite for a session, it sends a Change Cipher Spec message. Upon receiving the message, the receiver enters a pending state. The receiver then waits until the arrival of a message that starts a connection. After that, the client and the server begin a connection after setting the new cipher suite. When the sender has acknowledged the setting of the new suite, the two entities enter the current state and processing can start again.

3.4.3.3 Alert Protocol

This protocol is responsible for generating and conveying the various alerts between client and server. An alert can be a message closing the connection between a client and a server, or an error notice. A closing alert informs the other side of the issuer's wish to terminate a session. Error alerts contain information about the problem encountered and its severity. There are three types of error alerts: fatal, critical, and warning.
If a fatal alert is sent to a client or a server, the client and the server should immediately terminate the secure connection they established, since it may have been seriously compromised. Other connections using the same session may continue, but the session identifier should be invalidated so that the failed connection cannot be used to establish new secure connections. Critical alerts cause the connection between the server and a client to terminate. Other connections may continue to use the secure session without invalidating its identifier. This implies that new connections can be established using the secure session, despite the alert. Finally, a warning alert is only sent to notify that the MAC of the received object is invalid. The connection is not terminated; instead, the packets with a corrupted MAC are discarded.
3.4.3.4 Handshake Protocol

All the relevant security parameters must be negotiated in the handshake. These parameters include useful information about the protocol version, the cryptographic algorithms to be used, the authentication techniques, and the public key techniques for generating a shared secret. The handshake procedure begins with a Hello message (as shown in Figure 3.7). The client sends a Client Hello message to the server. The server answers with a Server Hello message. In the two hello messages, the communicating parties agree on the session capabilities.
After the client has sent the Client Hello message, it starts receiving messages until the Server Hello Done message is received. The server sends a Server Certificate message if authentication is required on behalf of the server. In addition, the server may request the client to authenticate itself. The Server Key Exchange message is used to provide the client with the public key, which can be used to conduct or exchange the pre-master secret value.
After receiving the Server Hello Done, the client continues its part of the handshake. If requested, the client sends a Client Certificate message, in which it authenticates itself. Then it sends a Client Key Exchange message containing either a pre-master secret encrypted with the server's public key or the information with which both sides can complete the key exchange. Finally, it sends a Finished message, which contains a verification of all the previous data, including the computed security-related information.

[Figure 3.7: Full handshake flow. Client to server: Client Hello. Server to client: Server Hello, Server Certificate, Server Key Exchange, Certificate Request, Server Hello Done. Client to server: Client Certificate, Client Key Exchange, Certificate Verify, (Change Cipher Spec), Finished. Server to client: (Change Cipher Spec), Finished. Both directions: Application Data.]

The server responds with a Finished message, in which it also verifies the exchanged and computed information. In addition, both sides must send a Change Cipher Spec message to begin using the negotiated session parameters. If the client and the server decide to resume a previously negotiated session, the handshake can be started by sending a Client Hello message in which the Session Identifier is initialized with the identifier of the previous session.
WTLS also defines an abbreviated handshake, in which only the Hello and Finished messages are sent. In this handshake, both sides must hold the shared secret that is used as a pre-master secret. Another variant is the optimized full handshake, in which the server can retrieve the client's certificate using a trusted third party, based on the information provided by the client in the Client Hello message. Using the information provided by the certificates, both sides can complete the shared secret values using the Diffie-Hellman key exchange method. The server sends the Server Hello, Certificate, and Finished messages to the client to complete the handshake on the server's behalf. The client responds with the Client Finished message.

3.4.4 Security Features of WTLS

WTLS provides various services. Among these services, one can mention authentication, integrity, confidentiality, and key exchange.

3.4.4.1 Authentication

Authentication, in WTLS, is ensured by digital certificates. Authentication can be mutual, if the client and server certificates are both present in the handshake, or it can apply only to the identification of the server. Currently, three types of certificates can be used with WTLS; namely, X.509v3, X9.68, and WTLS certificates are supported. WTLS certificates are optimized for size. The authentication process takes place immediately after the client and server hello messages. When authentication is used, the server sends a Server Certificate message to the client.
To achieve authentication, the receiving end may obtain a chain of certificates, where the first one is the server's own certificate. Each of the following certificates certifies the one preceding it. Verification of all the certificates in the chain is necessary to authenticate the sender. An explicit verification is performed by each entity, protecting the messages sent or received up to the Certificate message. The entity concatenates all the messages received from the server or generated by it and computes a signed hash value. This signature is sent to the other party, which can ensure that the authentication performed so far is correct.
3.4.4.2 Data Integrity

Data integrity is ensured by using message authentication codes. The MAC algorithm used is decided at the same time as the encryption algorithm. The decision is made based on a list, sent by the client, of the supported MAC algorithms, where the algorithms are listed in the order of the client's preference. The server returns the selected algorithm in the Server Hello message. WTLS supports the most common MAC algorithms, including SHA and MD5. It also allows different versions of the algorithms and sizes.
A special MAC algorithm can be used by WTLS, namely SHA_XOR_40, which is a 5-byte checksum. The algorithm is designed for devices with limited CPU resources. It works as follows: first, the input data is divided into 5-byte blocks. Then, all the blocks are XORed with one another. It is required that the XOR MAC be encrypted and that it be used only with block ciphers in CBC mode. The MAC is generated over the WTLS compressed data. The following values are used to compute the MAC:

(MAC_Secret, seq_num + WTLS_Compressed_data.record_type + WTLS_Compressed_data.data_length + WTLS_Compressed_data.fragment)
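Why the XOR checksum has to travel encrypted becomes clear when it is run next to a keyed MAC. The following is an added example, not code from the book or the WTLS specification: it implements the block-XOR exactly as described above (zero-padding of a short last block is an assumption), compares it with HMAC-SHA1 from the Python standard library, and uses a constructed record and secret.

```python
"""The 5-byte XOR checksum described above next to a keyed MAC (illustrative)."""
import hashlib
import hmac

BLOCK = 5  # checksum width in bytes


def xor_checksum_40(data: bytes) -> bytes:
    """XOR all 5-byte blocks together; a short last block is zero-padded (assumption)."""
    acc = bytearray(BLOCK)
    for i, byte in enumerate(data):
        acc[i % BLOCK] ^= byte
    return bytes(acc)


def hmac_sha1_tag(secret: bytes, data: bytes) -> bytes:
    """Keyed MAC used here as the comparison point."""
    return hmac.new(secret, data, hashlib.sha1).digest()


def swap_blocks(data: bytes, i: int, j: int) -> bytes:
    """Exchange two full 5-byte blocks of the record."""
    blocks = [data[k:k + BLOCK] for k in range(0, len(data), BLOCK)]
    blocks[i], blocks[j] = blocks[j], blocks[i]
    return b"".join(blocks)


def flip_pair(data: bytes, index: int, mask: int) -> bytes:
    """Flip the same bits in two bytes that sit exactly one block apart."""
    out = bytearray(data)
    out[index] ^= mask
    out[index + BLOCK] ^= mask
    return bytes(out)


def integrity_report(record: bytes, secret: bytes) -> dict:
    """For each constructed modification, say which check would still pass."""
    variants = {
        "blocks 0 and 2 swapped": swap_blocks(record, 0, 2),
        "paired bit flip": flip_pair(record, 4, 0x01),
    }
    report = {}
    for name, changed in variants.items():
        report[name] = {
            "data_changed": changed != record,
            "xor40_passes": xor_checksum_40(changed) == xor_checksum_40(record),
            "hmac_passes": hmac.compare_digest(
                hmac_sha1_tag(secret, changed), hmac_sha1_tag(secret, record)),
        }
    return report


if __name__ == "__main__":
    # Constructed sample record and secret.
    for name, result in integrity_report(b"PAY 00100 TO ACCT 12345",
                                         b"constructed-mac-secret").items():
        print(name, result)
```

Both modifications change the record but leave the XOR checksum untouched, because the checksum is linear and ignores block order; the keyed MAC rejects both.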

3.4.4.2.1 Key Exchange

To establish a secure communication channel, the initial values for computing the keys and the encryption keys are exchanged securely, as described below. The Server Key Exchange message can be used to provide additional data, when needed, for computing the key. The key exchange mechanisms of WTLS also provide an anonymous way of exchanging keys. In this procedure, the server sends a Server Key Exchange message, which contains the server's public key. The key exchange algorithm can be RSA, Diffie-Hellman, or elliptic curve Diffie-Hellman. When RSA or anonymous RSA is used, the client encrypts the pre-master secret with the server's public key and sends it back to the server in a Client Key Exchange message. When the Diffie-Hellman algorithms are used, the server and the client compute the pre-master secret based on their own private key and the partner's public key.

3.4.4.2.2 Privacy

Privacy in WTLS is achieved by means of encrypting the communication channel. The encryption methods used and all the values needed to compute the shared secret are exchanged securely during the handshake. The master secret is a 20-byte sequence, computed according to the following formula:

master_secret = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random),

where PRF is a pseudorandom function that takes as input a secret, a seed, and an identifying label and produces an output of arbitrary length.
The encryption keys are derived from a key block, which is computed using the initial values transmitted in the handshake procedure. The key block is given by:

key_block = PRF(master_secret, expansion_label, seq_num + server_random + client_random).

The key block expression uses a sequence number, which makes the key block variable. The key block is recomputed at certain intervals based on the key refresh frequency, which is negotiated in the Client and Server Hello messages. Note that the expansion label is just a string expression in the computation. The client uses the string "client expansion" and the server "server expansion." The encryption keys, the initial vectors, and the MAC secrets are derived from the key block based on the key lengths required by the selected algorithms.

3.4.5 SSH

The SSH protocol allows two hosts (client and server) to build a secure channel for data transmission using DSA and Diffie-Hellman key exchange, which provides a shared secret key that cannot be determined by either of the two parties alone. The shared secret key is used as a session key. Once an encrypted tunnel has been created using this key, the context for the negotiated compression algorithms and encryption algorithms is initialized. There are three main parts of the SSH protocol: algorithm agreement, authentication, and data encryption (Barrett, 2001).
The negotiation of algorithms is mainly performed to determine the encryption algorithms, the compression algorithms, and the authentication methods that are supported and will be used between the client and the server. The negotiation is then followed by authentication, which is performed by a two-step process: key exchange and client authentication. The aim of the key exchange is to try to authenticate the server to the client and to establish a shared key to be used as a session key to encrypt all the data transferred between the two entities. The session key encrypts the data, and a hash is generated, using the server's private key, for checking the integrity of the payloads. The client verifies the server's public key and the signature received from the server, and then proceeds with user authentication.
Supported user authentication methods include, but are not limited to, password, public key, OpenPGP certificates, and X509v3 certificates. Once authentication succeeds, one of the negotiated encryption algorithms is used to encrypt the data transmitted between the two hosts. The key exchange produces two values: a shared secret K and an exchange hash H. For this, the client generates a random number x where (1 < x < q) and the server generates a random number y (0 < y < q), where q is a prime number. The management of the key pairs is carried out as follows:

The user generates a private/public key pair if he intends to use "public key authentication" on any client machine. The public key needs to be added to the server's database for authentication before the user can take part in an exchange.
Similarly, the server maintains private and public key pairs generated by root. Typically there is one RSA-based key pair and one DSA-based key pair.
The user account on the client machine maintains a database of all the public keys of the SSH servers that the user logs into.
If the client does not have a public key matching a server, he can configure the security on his machine to accept the public key provided by the remote server.

With this brief description of how public keys are managed, it is easy to see that the client blindly trusts the server and accepts its public key on an initial connection. An attacker can intercept such an exchange scenario and render the SSH channel insecure.
Various attacks can be launched on connections using SSH. A first attack is the well-known man-in-the-middle attack. Assume that a mobile user A wants to establish a connection with a server S, and that a malicious user M wants to launch a man-in-the-middle attack on them. The attack proceeds as follows:

1. Mobile user A initiates a connection with S, which sends its public key to A; the intruder M intercepts it.
2. The attacker M sends its own public key to A, who accepts the new public key and stores it in its database. If it is a "first-time authentication," A blindly adds the public key provided by M, thinking that it is the public key of B.
3. User A sends the username and password to S; this is again intercepted by M, who decrypts A's username and password using the session key and his own private key.
4. The attacker M then encrypts A's information using the public key provided by S and forwards the new packets to S. S then authenticates M, thinking that it has authenticated A. The attacker M, posing as A, can cause serious damage to A.

A second attack on SSH is a spoofing attack. It allows the attacker to pose as mobile user A and establish a secure channel with mobile C, who thinks that it has a secure connection with A. The attacker hides his real identity and forges a false identity. Spoofing is possible when a mobile user B on a client machine attempts to establish a connection with a remote server C. A malicious server S intercepts the channel while it is in the initial phase, pretends to be the intended remote C, and replies with its own public key.
If the SSH client configuration on B is set to non-strict host key checking (which is the default configuration), it will ask B to overwrite the previous key stored in its database for server C and proceed to establish a connection. If it is a "first-time" authentication, B will simply accept the server key. When the user performs password authentication to the remote server, the malicious remote server accepts the information provided by B and then returns an error message saying that an invalid password was provided. The attacker can thus learn B's credentials from the malicious server and pose as B.

3.5 Attacks against Transport Security Services

Cryptographic algorithms form a set of primitives that can be used as building blocks to construct security mechanisms aimed at specific objectives. Network security protocols, such as SSH, SSL/TLS, and WTLS, combine these blocks to provide authentication between the communicating entities and to ensure the integrity and confidentiality of the transmitted data. However, security services only specify the functions that need to be performed, regardless of how these functions are implemented. In particular, the specification of a security protocol is usually independent of whether the cryptographic algorithms are implemented in software running on a typical processor or embedded in a hardware unit, and of whether the memory used to store the data computed during the processing of these algorithms is shared with other applications.
Therefore, security mechanisms are far from being complete security solutions. In fact, cryptographic algorithms are always implemented in software or hardware on physical devices that interact with their environment. These interactions can be monitored by attackers and can yield information that is useful in breaking the protection services. This kind of information is called side-channel information (SCA). We review in this section some of the SCAs targeting SSL/TLS and WTLS. SCA attacks have been shown to be several orders of magnitude more effective than other attacks, including attacks based on mathematical analysis.
For lack of space, we omit the discussion of attacks targeting SSH.

3.5.1 Attacks against SSL and TLS

It has been shown that SSL is not an effective tool for securing data; rather, it is a tool for negotiating security. This means that the security of SSL depends not only on the actual SSL specification or implementation, but also on the authentication and encryption algorithms used. A number of attacks have been proposed in the literature (Wagner, 2004), some of which are introduced here. Most of them are rather theoretical and unsuccessful. (Do they show that SSL itself is secure?) Other attacks are successful in theory; they have not been implemented. One of them appears to be feasible, but it poses a threat to privacy, as opposed to confidentiality and authentication, which are the basic goals of SSL.

3.5.1.1 Cipher Suite Rollback Attack

Cipher Suite Rollback is a man-in-the-middle attack that aims at making the attacked parties use encryption algorithms that provide weak security, regardless of what they could possibly agree on. A man-in-the-middle attacker intercepts the initial messages from the client to the server during the handshake phase and alters the list containing the preferred cipher algorithms. Since the server chooses the best encryption algorithm it supports from this list for later use, the attacker can manipulate the list to produce the decision he wants. This is fairly easy to do in SSL 2.0, since the first handshake messages are sent unencrypted and unauthenticated. We note, however, that the attacked entities will still use an encryption algorithm, only not the most protective one. For example, if the induced encryption algorithm is 40-bit DES, then confidentiality is relatively breakable online by the party acting as the man in the middle. To counter this attack, SSL 3.0 authenticates the handshake messages. However, it is still possible to attack the handshake protocol.
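The effect of authenticating the handshake messages can be seen in a small model. This is an added example, not code from the book or from any SSL implementation: the message encoding, the suite names and the use of HMAC-SHA-256 over the transcript are assumptions that stand in for the real Finished computation, and the master secret is assumed to have been established independently of the suite list.

```python
"""Handshake transcript check that exposes an altered cipher-suite list (illustrative)."""
import hashlib
import hmac

# Server preference, strongest first. Suite names are constructed labels.
SERVER_PREFERENCE = ["3DES_SHA", "RC4_128_SHA", "DES40_SHA"]


def client_hello(suites):
    """Encode the client's offered suites (constructed wire format)."""
    return ("ClientHello|" + ",".join(suites)).encode()


def server_select(hello):
    """Pick the strongest suite the server supports from the list it received."""
    offered = hello.decode().split("|", 1)[1].split(",")
    for suite in SERVER_PREFERENCE:
        if suite in offered:
            return suite
    raise ValueError("no common cipher suite")


def finished_value(master_secret, transcript):
    """MAC over every handshake message this side sent or received, in order."""
    digest = hashlib.sha256(b"".join(transcript)).digest()
    return hmac.new(master_secret, digest, hashlib.sha256).digest()


def run_handshake(offered, master_secret, in_transit=None, check_finished=True):
    """Return (negotiated suite, handshake accepted).

    in_transit models a change made to the Client Hello on the wire.
    check_finished=False models a handshake whose first messages are never
    authenticated, as the text describes for SSL 2.0.
    """
    sent = client_hello(offered)
    received = in_transit(sent) if in_transit else sent
    suite = server_select(received)
    reply = ("ServerHello|" + suite).encode()
    if not check_finished:
        return suite, True
    client_view = [sent, reply]        # what the client believes was exchanged
    server_view = [received, reply]    # what the server actually saw
    accepted = hmac.compare_digest(
        finished_value(master_secret, client_view),
        finished_value(master_secret, server_view))
    return suite, accepted


def strip_to_weakest(hello):
    """Constructed in-transit modification: only the weakest suite is left."""
    return client_hello(["DES40_SHA"])


if __name__ == "__main__":
    offered = ["3DES_SHA", "RC4_128_SHA", "DES40_SHA"]
    secret = b"constructed master secret"
    print(run_handshake(offered, secret))
    print(run_handshake(offered, secret, strip_to_weakest))
    print(run_handshake(offered, secret, strip_to_weakest, check_finished=False))
```

With the transcript check in place the two sides disagree on the Finished value and the handshake is rejected; without it the weak suite is negotiated and nothing signals the change.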

3.5.1.2 Dropping Change Cipher Spec Messages

As mentioned earlier, upon completing the handshake, the SSL client and server exchange change cipher spec messages to switch their security options. After that, both sides communicate only using the agreed-on security features. To force both parties to begin the secured communication without changing to the agreed-on cipher spec, a man-in-the-middle attacker can simply try to send a Finished message just before the change cipher spec message can be sent. Two reasons explain the success of such an attack: First, no operation in SSL is responsible for checking whether a change cipher spec message has been sent before the Finished message is received. Second, the change cipher spec messages are not authenticated in the way all the other handshake data are.

3.5.1.3 Key Exchange Algorithm Rollback Attack

This attack aims at forcing the client and the server to use two different key-exchange algorithms that the attacker can specify. It assumes that the attacker can launch a cipher suite rollback attack. The attack works as follows: The attacker forces the server and the client to use Diffie-Hellman key exchange and RSA key exchange, respectively. This leads to a particular situation in which the client interprets the Diffie-Hellman parameters as the RSA exponent and modulus. Moreover, because of the data structures used, the RSA modulus received by the client will be a prime number, which is the Diffie-Hellman modulus.
After performing the ciphersuite rollback, the attacker intercepts the Diffie-Hellman parameters, namely a number g and a prime p (the DH modulus), that the server sends to the client in the server authentication phase. Then, the attacker has to wait for the client's pre_master_secret, which will be encrypted with RSA using these parameters. After that, all he has to do is take the g-th root of this value. He now knows the pre_master_secret and can derive everything he needs to decrypt the SSL traffic between client and server.

3.5.2 Attacks against WTLS

A large number of attacks targeting WTLS show its limitations in providing a strong level of protection. In the following we describe some of these attacks (Saarinen, 1999).

3.5.2.1 Predictable IVs

WTLS uses a linear computation of the initialization vectors, even over reliable transports. When a block cipher is used in CBC mode, the IV is computed as follows:

$IV_s = IV_0 \oplus (s, s, s, s)$

where $s$ is the (16-bit) sequence number of the packet and $IV_0$ is the original initialization vector derived during key generation. The plaintext blocks $P_{s,0}, P_{s,1}, \ldots, P_{s,n}$ in packet $P_s$ are encrypted into the blocks $C_{s,0}, C_{s,1}, \ldots, C_{s,n}$ as follows:

$C_{s,0} = E_K(IV_s \oplus P_{s,0})$

$C_{s,j} = E_K(C_{s,j-1} \oplus P_{s,j}), \quad j > 0$

Suppose now that a terminal application used by user A allows each keystroke to be sent as an individual packet. When the user enters his password into the application, the attacker captures the corresponding packets. The attacker obtains blocks of the type

$C_{s,0} = E_K(IV_s \oplus P_{s,0} \oplus (s, s, s, s))$

where $P_{s,0}$ contains an unknown letter of the password. We note, in addition, that the sequence number $s$ is known to the attacker. Now imagine that the attacker guesses the unknown letter of the password, say $m$. He then sends the following packet through A's channel:

$P_{t,0} = m \oplus (t, t, t, t)$

where $t$ is the sequence number of this packet. One can see that, because $(t, t, t, t)$ cancels out in the CBC computation, a correct guess $m = P_{s,0}$ leads to the matching ciphertext $C_{t,0} = C_{s,0}$. In other words, this is an oracle that tells whether the password letter has been guessed correctly. In this way, the whole password can be brute forced, one letter at a time, with a small number of trials against this oracle.
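The property behind this oracle, and the effect of replacing the linear rule with an unpredictable IV, can be checked on a model. This is an added example, not code from the book or from Saarinen's paper: the block cipher is a toy Feistel network built on SHA-256 that stands in for $E_K$, the key, $IV_0$ and plaintext values are constructed, and the probe block is formed from both records' sequence-number patterns so that every IV term that differs between the two records cancels.

```python
"""First-block equality under the linear IV rule versus a random IV (illustrative)."""
import hashlib
import os

BLOCK = 8  # bytes, a DES-sized block


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt_block(key, block):
    """4-round Feistel permutation standing in for E_K (not a real cipher)."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, xor(left, f)
    return left + right


def seq_pattern(seq):
    """(s, s, s, s): the 16-bit sequence number repeated to fill one block."""
    return seq.to_bytes(2, "big") * 4


class LinearIvSender:
    """IV_s = IV_0 xor (s, s, s, s), the rule given in the text."""

    def __init__(self, key, iv0):
        self.key, self.iv0 = key, iv0

    def first_block(self, seq, plaintext_block):
        iv = xor(self.iv0, seq_pattern(seq))
        return toy_encrypt_block(self.key, xor(iv, plaintext_block))


class RandomIvSender:
    """Hardened variant: a fresh random IV per record, unknown before sending."""

    def __init__(self, key):
        self.key = key

    def first_block(self, seq, plaintext_block):
        iv = os.urandom(BLOCK)
        return toy_encrypt_block(self.key, xor(iv, plaintext_block))


def guess_confirmed(sender, seq_s, observed_c, seq_t, guess_block):
    """True if a block built only from public values reproduces observed_c."""
    probe = xor(xor(guess_block, seq_pattern(seq_s)), seq_pattern(seq_t))
    return sender.first_block(seq_t, probe) == observed_c


def compare_schemes(secret_block, wrong_block, key, iv0, seq_s=7, seq_t=8):
    """Report, per IV scheme, whether right and wrong guesses can be told apart."""
    report = {}
    for name, sender in (("linear", LinearIvSender(key, iv0)),
                         ("random", RandomIvSender(key))):
        observed = sender.first_block(seq_s, secret_block)
        report[name] = {
            "right_guess_matches": guess_confirmed(sender, seq_s, observed, seq_t, secret_block),
            "wrong_guess_matches": guess_confirmed(sender, seq_s, observed, seq_t, wrong_block),
        }
    return report


if __name__ == "__main__":
    # Constructed values: one keystroke per record, zero-padded to a block.
    print(compare_schemes(b"p" + bytes(7), b"q" + bytes(7),
                          key=b"constructed-key", iv0=bytes(range(8))))
```

Under the linear rule a right guess is distinguishable from a wrong one; with a per-record random IV neither guess produces a match, so the ciphertext no longer answers the question.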

3.5.2.2 35-Bit DES Encryption

The 40-bit DES encryption method used in WTLS is defined to use five bytes of keying material for the encryption service. Because parity bits are contained in each byte of the DES key, only 35 bits of the key are effective in the five bytes. This fact reduces the size of the keyspace by a factor of 32 in the case of a brute-force attack that recovers the useful part of the encryption key.

3.5.2.3 Unauthenticated Alert Messages

Some of the alert messages used in the WTLS protocol are sent in cleartext and are not authenticated. Most of these messages are warnings and do not cause the session to be terminated. Using the fact that an alert message takes up a sequence number in the WTLS protocol, an active attacker can try to replace an encrypted datagram with a cleartext alert message that has the same sequence number, without being detected. This attack can be classified as a truncation attack since it allows arbitrary packets to be removed from the data stream. The countermeasure against this attack simply requires that all messages affecting the protocol state be properly authenticated.

3.6 Public Key Infrastructure

A public key infrastructure (PKI) applies a public key cryptographic method to convey the user's public key and the user's identity in a reliable and secure manner. Users of public key cryptography can transmit their public keys to other users, and should keep the private key corresponding to the public key protected.

3.6.1 PKI Components

The PKI is used in many business applications and as the foundation for different security services such as user authentication, digital signatures, and nonrepudiation. It uses two main objects: the digital certificate, as described by the X.509 v3 certificate format, and the specification of the Certificate Revocation List (RFC 2832). The PKIX model defines the elements that comprise a PKI. The PKIX model integrates four main components: end entities, public key certificates, certification authorities, and repositories. Figure 3.8 illustrates the model including the mobile PKIX entities.

3.6.1.1 End Entity

End entities can be regarded as the users of PKI-related services. The term end entity is a generic term that designates subscribers, network devices (such as servers and routers), processes, or any other entity that has applied for and received a digital certificate for use in supporting security and trust in the transactions it undertakes. An end entity can also be a third party (an individual or an organization) that does not necessarily hold a certificate, but may be the recipient of a certificate (while carrying out a transaction) and therefore acts in reliance on the certificate and/or the digital signature to be verified using that certificate.

[Figure 3.8: Wireless PKI model. Labels: LDAP, CA, OCSP, Internet; URL of certificate; certificate verification; certificate retrieval using URL or CRL; sending the URL of the certificate; sending a short-lived certificate or an X.509 certificate.]

3.6.1.2 Public Key Certificate (PKC, or simply Certificate)

A PKC acts as an official ID card. It provides a means of associating end entities (or their identities) with their public keys. PKCs can be distributed, publicly published, or copied without restriction. They do not contain any confidential information. A PKC is a digital document and a data structure containing a public key, relevant details about the key owner, and optionally some other information, all digitally signed by a trusted third party, usually called the certification authority, which certifies that the enclosed public key belongs to the entity listed in the subject field of the certificate. The advantage of a certificate lies in the fact that it is considered impossible to alter any field of the certificate without the alteration being easily detected. An example of a PKC is the X.509 v3 certificate. It is a widely used certificate format. It is used in the main PKI-enabled applications available on the market, such as SSL and privacy enhanced mail (PEM).

3.6.1.3 Certification Authority (CA)

A certification authority is the issuer of public key certificates within a given PKI. Public key certificates are digitally signed by the issuing CA, which effectively (and legally) binds the subject name to the public key, and the CA's public key is used to verify the signature on the issued certificate. The CA is also responsible for issuing certificate revocation lists (CRLs), which report on invalidated certificates, unless this has been delegated to a separate entity, called the Certificate Revocation List issuer.
A CA should be involved in a number of administrative and technical tasks such as: end-user registration, verification of end-user information, certificate management, and certificate publication. However, some of the administrative functions may be delegated to an optional actor, called the registration authority (RA). The main operations of a CA include certificate issuance, certificate renewal, certificate revocation, and certificate verification. The verification of an end-entity certificate may involve a list of CAs, denoted by CA_j, 1 < j < n, such that CA_1 is the issuer of the end-entity certificate, CA_{k+1} is the issuer of the certificate issued to CA_k for signing certificates, k > 1, and the last CA in the list is a trusted CA (from the verifier's point of view).
Therefore, the end-entity certificate represents the starting point for validating a given certification path, which represents a list of certificates signed by CAs and issued to CAs.

3.6.1.4 Certificate Repository (CR)

A certificate repository is a component (or system) used to store and retrieve certificate-related information such as the PKCs issued to end entities and the CRLs that report on revoked certificates. A repository can be an X.500-based directory with public access facilities via the Lightweight Directory Access Protocol (LDAP) or the File Transfer Protocol (FTP), so that certificates can be retrieved by any end entity for various needs.
It is possible to offload certain verification functions from the end-entity system to a trusted third party, which acts on its behalf. For example, a specific protocol can be set up at the end-entity site to ask a trusted third party about the revocation status of a certificate that a mobile user wishes to rely on. Arguably, the trusted third party can be viewed as a virtual repository, since the revocation status and the verification output are derived and returned to the end-entity system in response to a specific request.

3.6.1.5 Certificate Revocation List (CRL) Issuer

A CRL is a data structure used to inform anyone who wishes to check the status of a certificate he wants to rely on. Typically, a CRL is a signed document containing references to certificates that have been decided to be no longer valid. The CRL issuer can be a third party to which a CA delegates the verification of revocation-related information and the issuance and publication of CRLs. Usually, the CA that issues a certificate is also responsible for issuing the revocation information relating to this certificate, if any.
It may also happen that a CA transfers the entire revocation function to another CA. CRLs issued by other CAs are called indirect CRLs. Therefore, and for the sake of efficiency and consistency, a certificate includes a field indicating the address of the location where the CRLs that may include this certificate are published when it is revoked.

3.6.1.6 Registration Authority (RA)

An RA is an administrative component to which a CA delegates some management functions related to the registration of users. The RA is usually associated with the end-entity registration process. However, it can be responsible for a number of other functions, including the following tasks:

Ensuring the eligibility of applicants to be issued certificates, while verifying the accuracy and integrity of the required information provided by the applicants.
Verifying that the end entity requesting a certificate has possession of the private key associated with the public key provided.
Generating key pairs, archiving key pairs and private keys, and delivering keys to end entities.
Performing the necessary interactions with the delegating CA on behalf of the end entity, in the case of key compromise notifications and key recovery requests.

The RA, however, is not allowed to issue certificates or CRLs. Deploying an RA can provide two major advantages. First, RAs can help reduce the overall certification costs. This is especially true in large, geographically distributed companies that require their users to be physically present before PKI-related activities can be permitted. Second, offloading the administrative functions from a CA allows an organization to operate its CA off-line, which reduces the opportunities for an adversary to mount an attack against the CA.
Typically, a PKI service scenario involving a mobile user is described as follows:

1. The CA performs user identification through face-to-face contact.
2. The CA provides the user with an identity and a password.
3. A mobile phone generates a key pair and a certificate request message.
4. The mobile phone signs the message and the certification request for the digital signature verification key with the digital signature generation key.
5. The mobile phone sends them to the CA.
6. The CA verifies the ownership of the digital signature generation key.
7. The CA generates a certificate.
8. The CA publishes the generated certificate in a directory.
9. The CA sends the certificate information to the user.
10. The mobile phone obtains the certificate and can exchange messages with digital signatures using the other subject's public key.

3.6.2 Chc nng PKI

M hnh ny xc nh mt s chc nng chnh h tr qu trnh qun l chng th s.


Cc chc nng ny bao gm ng k, khi to, pht giy chng nhn, cp nht
chng ch, thu hi giy chng nhn, qun l ch cht, v cross-chng nhn. Chng
ti m t trong cc tnh nng chnh v nhng yu cu ca cc chc nng sau y.

3.6.2.1 ng k

Thc th cui cng phi ng k vi PKI trc khi h c th gi mt giy chng


nhn v tn dng li th ca cc dch v PKI-kch hot. Bc ny thng c kt
hp vi vic xc minh tim ini- bn sc cui thc th v cc thng tin ca n v
cung cp. Cc mc bo m kt hp vi qu trnh ng k c th khc nhau da
trn
mi trng mc tiu, mc ch s dng ca giy chng nhn, h thng thng tin
lin lc, v cc chnh sch bo mt c thc thi. Qu trnh ng k c th c
thc hin trc tip vi CA hoc thng qua mt trung gian R A. N cng c th c
thc hin trc tuyn hoc off-line ty thuc vo mc tin cy ca chng ch yu
cu v thc hnh an ninh c thc hin bi c quan cp.
Mt khi cc thng tin cn thit c cung cp bi cc thc th u cui v xc nhn
ph hp vi cc chnh sch hin hnh, kt thc thc th thng c ban hnh mt
hay nhiu b mt v thng tin nhn dng khc s c s dng xc thc quent
subse- nh qu trnh tuyn sinh tip tc chia s . S phn b ca cc b mt chia s

thng c thc hin sau y cch c th v c th da trn nhng b mt c


chia s t trc.

3.6.2.2 Initialization

The registration process is followed by the initialization process. This includes initializing the associated trust anchor (or trust point) with the end entity. In addition, this step is associated with providing the end entity with its associated key pair. Key pair generation involves creating the public/private key pair associated with an end entity. Key pair generation can take place before the enrollment process, or it can be performed in response to it. Key pairs can be generated by the end-entity client system, the RA, the CA, or some other PKI component such as a hardware security module. However, when the end entity generates the key pair, the registration process will include verifying that the public key provided by the end entity is bound to the private key held by the end entity.
The location of key pair generation is driven by operational constraints and applicable policies. Moreover, the intended use of the keying material can play an important role in determining where the key pairs should be generated. It is worth noting that the initialization process may take place at different times and places. However, the task performed by the end user should not be carried out before a certificate request has been explicitly generated.

3.6.2.3 Certificate Generation

This process occurs after the initialization process ends. It involves the issuance of the entity's public key certificate by the certification authority. Typically, the generation process organizes the required information (including the identity of the CA and the revocation addresses) in a data structure following the X.509 standard and digitally signs it. If the key pair associated with the certificate is generated outside the CA, the public key component must be delivered to the CA in a secure manner. Once generated, the certificate is returned to the end entity and/or published to a certificate repository (Housley, 2002).
3.6.2.4 Certificate Update

Certificates are issued with a fixed lifetime (called the validity period of the certificate). The fixed lifetime can be one year or two years (or even longer). When the certificate expires, the key pair used with the certificate may also be required by the end entity for various reasons. As a result, the certificate is updated (or renewed) and the lifetime is fixed again. However, it is preferable for a certificate renewal to involve generating a new key pair and issuing a different public key certificate, since it contains a new public key.
Key pair update can occur before the key pair expires. This helps ensure that the end entity is always in possession of a valid certificate. Key pair update may trigger a certificate renewal before the associated public key actually expires. It also provides a period during which the certificate associated with the original key pair remains unrevoked, meaning that this certificate can be used for a short time window to verify digital signatures created with this key pair. This helps minimize inappropriate warning messages that would otherwise be generated at the end entity.

3.6.2.5 Revocation

Public key certificates are issued with a fairly long lifetime. However, circumstances exist in which an issued certificate changes to an unacceptable state before it would normally expire. Reasons for unacceptability can include compromise of the private key or a change in the information related to the subscriber (e.g., a change of affiliation or name). It may therefore become necessary to revoke a certificate before its expiration date. The revocation request allows the end entity (or the RA that initiated the enrollment process) to request the revocation of the certificate. Certificate revocation information must be made available by the CA that issued the certificate or by the CRL issuer to which the CA delegates this function.
X.509 defines a method for publishing this information through certificate revocation lists (CRLs). The publication frequency and the types of CRL used are a function of local policy. Finally, it should be noted that end entities, or trusted third parties acting on their behalf, must check the revocation status of all certificates they wish to rely on. This is addressed in the following sections.

3.6.2.6 Key Pair Management

Since key pairs can be used to support digital signature creation, data encryption, and message decryption, an end entity may need to rely on the CA for the generation and management of key pairs. When a key pair is used for encryption/decryption, it is important to provide a mechanism for recovering the necessary decryption keys when normal access to the keying material is no longer possible; otherwise it will be impossible to recover the encrypted data. Key pair recovery allows end entities to recover their encryption/decryption key pair from an authorized key backup facility provided by the CA.
It is also possible that an end entity's association with an organization changes (e.g., employee resignation, dismissal, or a new appointment), and the organization has a legitimate need to recover data that was encrypted by that end entity. It is also possible that access to the keying material is required in connection with legitimate law enforcement needs. Moreover, a CA may provide certification services in which the key pairs need to be managed at the PKI level. Key pair management includes all the functions needed throughout the key life cycle.

3.6.2.7 Cross-Certification

Cross-certification is the action performed by one CA when it issues a certificate to another CA. The basic purpose of a cross-certificate is to establish a trust relationship between two CAs, in which the first CA validates the certificates issued by the second CA for a period of time. Cross-certification is provided to establish proof of the certification path for one or more applications by enabling interoperability between two distinct PKI domains or between CAs working within the same PKI domain. While the former is called interdomain cross-certification, the latter is called intradomain cross-certification.
Cross-certification can be unilateral or bilateral. In the case of mutual cross-certification, a reciprocal relationship is established between the CAs: one CA cross-certifies the other, and vice versa. Unilateral cross-certification simply means that the first CA generates a cross-certificate for the second CA, but the second does not generate a cross-certificate for the first. Typically, a unilateral cross-certificate applies in a strict hierarchy, where a higher-level CA issues a certificate to a subordinate CA. However, cross-certification adds significant complexity to the certification path validation process.

3.6.3 Wireless PKI

The limitations of wireless devices and the nature of the communication system must be considered when implementing a PKI in a wireless network (Wireless PKI, or WPKI). Here, many communication issues must be addressed, which makes it very difficult to apply a wired PKI system to a wireless network. These issues include optimizing the use of limited resources, delays in information exchange, and the insecurity of connections and devices. A mobile terminal lacks the computing capability for many PKI services, such as key generation, signature generation, certificate verification and validation, certificate revocation, and revocation verification, as well as the memory size for certificate storage
3.6.3.1 WPKI Requirements
To apply wireless PKI to mobile terminals attached to a mobile communication system, and to provide a level of security equivalent to that of wired communication, the following four requirements must be satisfied:
1. Use a digital signature algorithm optimized for computation in the mobile terminal: RSA-based public key cryptography has long been the choice for the digital signature algorithm of PKI. However, key pair generation based on the RSA algorithm in a mobile phone can be time consuming or impossible because of the lack of memory and CPU performance. Therefore, an alternative public key algorithm that makes key generation feasible in mobile phones may be required. In addition, the time needed to perform a digital signature operation must be acceptable to the user.
2. Minimize the size of the data stored in the mobile phone and transmitted over the wireless bandwidth: In general, a certificate used in PKI is the X.509 certificate defined by ITU (Housley, 2002). The X.509 certificate has basic fields for certificate verification and many extension fields required for certification path validation. These extension fields increase the size of the certificate and make the certification path validation procedure complex. Thus, optimization of the certificate profile is required, without side effects on certificate verification and path validation.

On the other hand, X.509 certificate validation requires CRL verification. To do this, a mobile device needs to download the CRL from the CA and check whether the certificate has been revoked. This procedure consumes mobile device resources and adds wireless transmission overhead. Thus, a reliable and efficient method is required to validate X.509 certificates without direct CRL verification by the mobile devices.
3. Optimize the certificate management protocol (CMP): The current wired CMP is based on the SSL protocol, whereas certificate requests are issued by the devices and sent using WTLS. Because WTLS-based security does not provide end-to-end security, the information required for certificate requests may not be transferred securely to the CA. Therefore, a new wireless CMP (or WCMP) needs to be built, and it should be based neither on SSL nor on WTLS. However, the WCMP must guarantee the same functions as the wired CMP while being smaller and optimized for processing in mobile devices and for transmission over wireless connections.
4. Optimize the certificate validation scheme: To validate an X.509 certificate, the certificate chain and the CRL must be collected and verified in the mobile device. If certificate verification requires the validation of a long chain of certificates, such a task may prove hard to handle. Efficient and reliable methods of certification path validation that are suited to mobile devices are needed.
Solutions that fulfill the above requirements may use the concept of a delta CRL, which reduces the size of the downloaded CRL by sending only the changes made to the CRL since the last request. Another method may delegate the entire complex verification to entities located on fixed nodes (in the mobile network) or to a trusted third party with more resources.

3.6.3.2 An Example of WPKI Architecture

Many WPKI architectures have been proposed in the literature. We describe here an example architecture derived from one of the presentations of a WPKI model that satisfies the aforementioned requirements, examining the proposed PKI model, its detailed technology, and its characteristics. Figure 3.8 shows the proposed WPKI model. We assume the following:

We consider communication between a mobile phone and a server such as a content provider, and do not cover communication between mobile phones.
The model has one CA. It is a two-level hierarchical architecture.
An end entity such as a mobile phone or a server has only one public key pair and one certificate for one purpose.
A mobile phone and a server each have a unique name.
We consider the possibility that a mobile phone receives a wired X.509 certificate belonging to a server designed for the wired Internet.

In this model, we adopt the X.509 certificate as the certificate of the mobile phone. Because the X.509 certificate belonging to the mobile phone is verified by the server, checking the certificate is not difficult for servers with high performance. Even storing a certificate is a burden for the mobile phone, and the mobile phone only sends it to the other party without performing any certificate operation. In this model, the CA issues the certificate, publishes it in its directory, and sends only the URL of the certificate to the mobile phone. When a mobile phone communicates with a server, the mobile phone sends the URL of the certificate to the server, not the certificate itself. The server can easily access the directory and obtain the certificate. As a result, the mobile phone can save memory space for other uses.
For the server, we use an X.509 certificate and a short-lived certificate (Housley, 2002). If a server sends an X.509 certificate to the mobile phone, a small and efficient certificate validation scheme may be required in the mobile phone. Sometimes the mobile phone may have to validate an X.509 certificate because it may try to connect to a server that was designed to serve only wired terminals and has only an X.509 certificate. We introduce the Online Certificate Status Protocol (OCSP), and the mobile phone delegates certificate validation to OCSP instead of validating within the mobile phone itself. In this case, the mobile phone can avoid the complex procedures of certificate validation and obtain a result from the trusted OCSP server (Myers, 1999).
A WTLS certificate can be defined as a short-lived certificate for WTLS connections. A short-lived certificate has no extensions used for certification path validation, because it is valid only for a short period of time. It is verified only by checking that the CA's signature and the validity period of the certificate are valid. Therefore, the mobile phone can avoid the burden of CRL download and certification path validation. We now explain the detailed components of the WPKI architecture.

3.6.3.2.1 Digital Signature Algorithm

Because a mobile phone has much smaller memory and slower CPU performance than a server, it is difficult for the mobile phone to run complex public key computations. Let us consider an optimal digital signature algorithm for mobile phones. First, the generation of a public key pair is required for digital signatures. The time it takes to mount a brute-force attack on enciphered data is proportional to the size of the key used to encipher the data. Although the time depends on the hardware used, it was estimated that a brute-force attack on a 128-bit key size for the DES algorithm, using multibillion-dollar dedicated hardware, would still take 1.011 years in 1995. We decided that a key size of at least 128 bits would be sufficient to protect the confidentiality of data. Therefore, we choose a 1024-bit RSA key size, which has a security level similar to that of 128 bits.
The X.509 certificate (as illustrated in Table 3.1) includes basic fields and extension fields. A profile specifies that a certificate includes the required fields and how they are processed, and that if the fields are present in the certificate, they must be checked when the certificate is verified. In the basic fields, the subject unique identifier and the issuer unique identifier are present in the certificate to handle the possibility of reuse of subject and/or issuer names over time. A good profile specifies that names should not be reused for different entities and that CAs conforming to this profile should not generate certificates with unique identifiers.
The authority key identifier and the subject key identifier are used to identify the corresponding keys when the issuer and/or the subject has multiple signing keys. In the previous section, we assumed that all entities have only one signing key. Therefore, we determine that these extensions can be treated as optional. The private key usage period extension allows the certificate issuer to specify a validity period for the private key that differs from the validity period of the certificate. We also assume that the private key usage period is the same as the validity period of the certificate, and we do not use this extension. Because the policy mappings extension is used in CA certificates, we do not define this extension for end entities.
The subject directory attributes extension is used to convey identification attributes (e.g., nationality) of the subject; this extension is not defined for entities with a unique identifier.
The extended key usage indicates one or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension. If the extension is present, then it must be checked.

To apply OCSP for certificate validation in this model, we use the authority information access extension to specify how to access the OCSP server (Myers, 1999). For the server, the CRL distribution points can be used to obtain CRL information. The authority information access and CRL distribution points extensions must be present in the certificate for certificate validation, but the verifier can choose the certificate validation method, either CRL or OCSP.
3.6.3.2.2 Certificate Request and Wireless Management Protocol
We consider how a mobile phone securely requests a certificate from the CA and how the CA issues it to the mobile phone. The following are the requirements of the certificate request protocol.
The certificate request message is constructed at the mobile phone. This value should include a public key, an end-entity reference number (such as an ID), and a password. We assume that the other fields of the certificate request, and additional control information related to the registration process, are handled out of band.
A POP (Proof of Possession) of the private key corresponding to the public key for which a certificate is being requested is included in the certificate request message.
The method by which the certificate request message is securely communicated to a CA.
To meet these requirements, a wireless certificate management protocol can be developed on the mobile phone. A password can be delivered to a CA as a hash value, so that the confidentiality of the password can be ensured. We use the public key as time-variant information for preventing replay attacks.
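The password-as-hash and replay-prevention ideas above can be sketched as follows. This is an added example, not code from the book: the HMAC-SHA256 construction, the message layout, and all names and sample values are assumptions, and the proof of possession (a signature with the new private key) is left out.

```python
import hashlib
import hmac

def request_tag(ref_id: str, password: str, public_key: bytes) -> str:
    # Assumed construction: HMAC-SHA256 keyed with the registration password over
    # the reference number and the new public key, so the tag changes per key.
    msg = ref_id.encode() + b"\x00" + public_key
    return hmac.new(password.encode(), msg, hashlib.sha256).hexdigest()

def build_request(ref_id: str, password: str, public_key: bytes) -> dict:
    # Phone side: only the keyed hash leaves the device, never the password.
    return {"ref_id": ref_id, "public_key": public_key,
            "auth": request_tag(ref_id, password, public_key)}

class EnrollmentCA:
    def __init__(self, enrolled: dict):
        self.enrolled = dict(enrolled)  # ref_id -> password issued at registration
        self.seen_keys = set()          # fingerprints of public keys already accepted

    def verify(self, req: dict) -> str:
        password = self.enrolled.get(req["ref_id"])
        if password is None:
            return "unknown-entity"
        expected = request_tag(req["ref_id"], password, req["public_key"])
        if not hmac.compare_digest(expected.encode(), req["auth"].encode()):
            return "bad-auth"           # wrong password, or key swapped in transit
        fingerprint = hashlib.sha256(req["public_key"]).hexdigest()
        if fingerprint in self.seen_keys:
            return "replay"             # same public key presented a second time
        self.seen_keys.add(fingerprint)
        return "accepted"

def demo() -> list:
    # Constructed sample values, not taken from the page.
    ca = EnrollmentCA({"ref-0001": "registration-password"})
    key = bytes.fromhex("04" + "11" * 32)   # placeholder public key bytes
    req = build_request("ref-0001", "registration-password", key)
    forged = dict(req, public_key=bytes.fromhex("04" + "22" * 32))
    return [ca.verify(req), ca.verify(req), ca.verify(forged)]

if __name__ == "__main__":
    print(demo())
```

Because the tag covers the public key, a captured request cannot be reused to enroll a different key, and resubmitting the same request is caught by the CA's record of keys it has already accepted.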
3.6.3.2.3 Certificate Validation Scheme
As mentioned previously, a mobile phone delegates certificate validation to a validation authority (VA) in this model. The mobile phone can avoid the burden of CRL download and storage as well as the complex procedures of obtaining and verifying the certificate chain. For a short-lived certificate, the mobile phone validates the certificate by checking only the signature and the validity period in the certificate.
A delta CRL, which lists the certificates whose revocation status has changed since the issuance of a referenced complete CRL, could be used to verify CRLs in a mobile phone. But the procedure of constructing the complete CRL from a delta CRL is not easy for a mobile phone and requires an additional module. In addition, the mobile phone would have to store the base CRL, the last complete CRL. Thus, we exclude delta-CRL-based CRL verification from our model. Figure 3.9 shows the certificate validation procedure. The server obtains a certificate from the directory by using the URL of the certificate received from the mobile phone, and validates it by using the CRL or the VA.
Figure 3.9 OCSP procedure in the mobile phone.
In contrast, the server sends its certificate to the mobile phone together with the CA certificate and the ARL (Authority Revocation List). Therefore, the mobile phone does not need to fetch the CA certificate and the ARL from the directory, as in Figure 3.9. This reduces the number of wireless connections between the mobile phone and the directory.
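The delta CRL trade-off discussed in this section can be seen in a small model of the merge a device would have to run. This is an added example, not code from the book: the classes, CRL numbers and serial numbers are constructed, while the `removeFromCRL` reason code and the CRL-number checks follow the X.509 delta CRL rules.

```python
from dataclasses import dataclass, field

REMOVE_FROM_CRL = "removeFromCRL"   # reason code that appears only in delta CRLs

@dataclass
class CompleteCRL:
    crl_number: int
    revoked: dict = field(default_factory=dict)    # serial -> reason

@dataclass
class DeltaCRL:
    crl_number: int
    base_crl_number: int                            # complete CRL the delta refers to
    changes: dict = field(default_factory=dict)    # serial -> reason

def apply_delta(stored: CompleteCRL, delta: DeltaCRL) -> CompleteCRL:
    """Rebuild the current complete CRL from the stored one plus a delta."""
    if stored.crl_number < delta.base_crl_number:
        # The device missed updates: the delta does not cover the gap.
        raise ValueError("stored CRL is older than the delta's base")
    if stored.crl_number >= delta.crl_number:
        raise ValueError("delta is not newer than the stored CRL")
    merged = dict(stored.revoked)                   # leave the stored CRL untouched
    for serial, reason in delta.changes.items():
        if reason == REMOVE_FROM_CRL:
            merged.pop(serial, None)                # e.g. a certificate hold was lifted
        else:
            merged[serial] = reason
    return CompleteCRL(delta.crl_number, merged)

def is_revoked(crl: CompleteCRL, serial: int) -> bool:
    return serial in crl.revoked

def demo() -> list:
    # Constructed sample data: base CRL number 40, delta number 42 against base 40.
    base = CompleteCRL(40, {1001: "keyCompromise", 1002: "certificateHold"})
    delta = DeltaCRL(42, 40, {1002: REMOVE_FROM_CRL, 1003: "cessationOfOperation"})
    return sorted(apply_delta(base, delta).revoked)

if __name__ == "__main__":
    print(demo())
```

The merge only works if the device has kept the previous complete CRL and its number, which is the storage and processing cost that leads the model above to exclude delta CRLs on the phone.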
References
