Giao Trinh Mat Ma ATTT

TS.
THI THANH TNG
Gio trnh
MT M HC
&
H THNG THNG TIN AN TON

(CRYPTOGRAPHY AND SECURE INFORMATION SYSTEM)
NH XUT BN THNG TIN V TRUYN THNG
GD 15 HM 11
LI GII THIU
Vi s bng n ca Cng ngh thng tin vo cui th k XX u
th k XXI, nhn loi ang bc vo mt thi i mi: Thi i ca
nn kinh t thng tin ton cu ha. Mi hot ng x hi, chnh tr,
kinh t trong thi i mi hin nay xt cho cng, thc cht u l
nhng hot ng thu thp, x l, lu tr v trao i thng tin. Trong
bi cnh An ton v Bo mt thng tin lun l mi quan tm
hng u trong mi giao dch x hi, c bit l giao dch in t
trn mi trng Internet, mt mi trng m, mi trng khng
c tin cy.
TS. Thi Thanh Tng da trn kinh nghim bn thn trong qu
trnh nhiu nm nghin cu, ging dy v hot ng thc t trong
lnh vc an ninh mng my tnh v bo mt thng tin, tp hp
mt s ti liu c s xut bn trn th gii trong nhng nm gn
y, ng thi cp nht nhng thnh tu mi nht trong lnh vc
ni trn xy dng nn cun sch ny.
Cun sch c trnh by hp l vi ni dung kh hon chnh,
khng nhng gip cho ngi bt u lm quen d tip thu nhng
kin thc c bn nht ca mt lnh vc chuyn mn kh m cn gi
m nhng hng ng dng thc t phong ph cho nhng ngi
mun nghin cu su hn.
Nhng ph lc c su tm chn lc a ra trong phn cui
cun sch c ngha b sung cho cc phn trnh by chnh v cng
l mt s h tr rt tt v ngun t liu cho nhng ngi mun i
su nghin cu.
Gio trnh Mt m hc v H thng thng tin an ton ca tc gi
Thi Thanh Tng c Ban Cng ngh Vin Nghin cu v pht
trin Tin hc ng dng (AIRDI) thuc Lin hip cc Hi Khoa hc v

K thut Vit Nam gii thiu v Hi ng t vn ngnh Cng ngh
thng tin Vin i hc M H Ni chp nhn s dng lm gio trnh
chnh thc ging dy hc phn An ninh v Bo mt thng tin trong
chng trnh o to K s Cng ngh thng tin cng nh Khoa Quc
t i hc Quc gia H Ni s dng trong chng trnh o to Cao
hc Qun l Thng tin lin kt vi i hc Lunghwa - i Loan.
Xin trn trng gii thiu cng bn c!
H Ni, thng 7 nm 2011
TS. TRNG TIN TNG
Trng Ban Cng ngh
Vin NC & PT Tin hc ng dng
LI M U
Con ngi lun sng trong mi trng trao i thng tin hng
ngy, hng gi. Ngi th sn h gi bn trong rng thm, ngi
c cng nim yt lnh phn cng trn bng tin tc ca cng
trng, ngi khch gi n t hng n ca hng, con ci i xa
gi in thoi, gi th v bo tnh hnh cho b m, tt c nhng
chuyn thng ngy u chnh l trao i thng tin.
Trong phn ln trng hp trao i thng tin gia hai i tc,
ngi ta khng h mun thng tin b l cho ngi th ba bit v
iu c th gy ra nhng tn tht c v vt cht cng nh v tinh
thn. Mt bo co v mt pht minh khoa hc cng ngh mi, mt
bn phn tch tnh hnh gi c hng ha mt th trng, mt b h
s d thu, nu b l ra trc khi n tay ngi nhn th thit hi
kinh t tht kh lng! Mt v nguyn soi gi lnh iu binh n
cho tng lnh di quyn: chuyn g s xy n cho ton qun nu
thng tin b l cho k ch bit?
bo v b mt cho thng tin ca mnh c gi i trong mt
mi trng m tc l mi trng c th c nhiu tc nhn tip
cn ngoi hai i tc trao i thng tin, ngi ta phi dng mt m
tc l dng nhng phng php bin i lm cho nguyn bn gc
ca thng tin (plaintext) dng thng thng ai cng c th hiu
c bin thnh mt dng b mt (ciphertext) m ch c nhng
ngi nm c quy lut mi c th bin i ngc li thnh dng
nguyn gc ban u c.
Mt m hc l khoa hc nghin cu c s l thuyt v cng

ngh thc hin vic xy dng v s dng cc h thng mt m.
Mt m hc (cryptography) l mt lnh vc lin quan n cc
k thut ngn ng hc v ton hc m bo an ton thng tin, c
th l trong thng tin lin lc. Qu trnh m ha c s dng ch
yu m bo tnh b mt ca cc thng tin quan trng, chng hn
trong cng tc tnh bo, qun s hay ngoi giao cng nh cc b mt
v kinh t, thng mi hay c n nhng thng tin c nhn ring t.
Trong nhng nm gn y, lnh vc hot ng ca mt m ha
c m rng: mt m ha hin i cung cp c ch cho nhiu
hot ng hn l ch duy nht vic gi b mt thng tin v cn c
mt lot cc ng dng quan trng nh: chng thc kha cng khai,
ch k s, thanh ton in t hay tin in t. Ngay c nhng ngi
khng c nhu cu cao v tnh b mt v khng c kin thc v lp
mt m, gii mt m cng c th s dng cc cng ngh mt m
ha, thng thng c thit k v tch hp sn trong cc c s h
tng ca cng ngh tnh ton v lin lc vin thng.
Mt m hc l mt ngnh c lch s t hng nghn nm nay.
Trong phn ln thi gian pht trin ca mnh (ngoi tr my thp k
gn y), lch s mt m hc chnh l lch s ca nhng phng
php mt m hc c in - cc phng php mt m ha vi bt v
giy, i khi c h tr t nhng dng c c kh n gin. Vo u
th k XX, s xut hin ca cc c cu c kh v in c, chng hn
nh my Enigma, cung cp nhng c ch phc tp v hiu qu
hn cho mt m ha.
S ra i v pht trin mnh m ca ngnh in t v my tnh
trong nhng thp k gn y to iu kin mt m hc pht
trin nhy vt ln mt tm cao mi.
S pht trin ca mt m hc lun i km vi s pht trin ca

cc k thut ph m (hay cn gi l thm m). Cc pht hin v ng
dng ca cc k thut ph m trong mt s trng hp c nh
hng ng k n cc s kin lch s. Mt vi s kin ng ghi nh
bao gm vic pht hin ra bc in Zimmermann khin Hoa K
tham gia Th chin II v vic ph m thnh cng h thng mt m
ca c quc x gp phn lm y nhanh thi im kt thc Th
chin II.
Cho ti u thp k 1970, cc k thut lin quan ti mt m hc
hu nh ch nm trong tay cc chnh ph. Hai s kin khin cho
mt m hc tr nn thch hp cho mi ngi, l: s xut hin ca
tiu chun mt m ha d liu DES (Data Encryption Standard) v
s ra i ca cc k thut mt m ha kha cng khai.
T hn mi nm trc, c vo thng ging hng nm mt s
nh nghin cu hng u th gii c mt cuc gp g trao i ti
thung lng Silicon c gi l Hi tho An ninh RSA RSA security
Conference (John Kinyon). Trong nhng nm u ch c mt s t nh
Ton hc, Mt m hc, cc T tng gia tin phong trong nhng lnh
vc lin quan n an ninh d liu cho my tnh in t v bo mt
thng tin trong giao dch in t tham gia. Trong nhng nm cui
ca thin nin k trc, vo thi k bng n ca Cng ngh thng tin
v Internet, vai tr quan trng ca cc hi tho an ninh in t
ngy mt ni bt ln v hng nm ngoi hi tho an ninh RSA cn c
hng chc hi tho an ninh thng tin in t v an ninh mng khc
c tin hnh, tp hp s tham d v ng gp ca nhng ti nng
kit xut nht trong k nguyn cng ngh thng tin ny.
C th khng nh rng, nu khng gii quyt c vn an
ton d liu cho my tnh in t, an ninh giao dch in t (c bit
l trn Internet) th hu nh phn ln thnh qu ca cng ngh thng

tin, ca mng Internet u tr thnh v ngha!
Do vy, mi k s, k thut vin, nh nghin cu, ngi ng
dng cng ngh thng tin u cn c trang b nhng kin thc c
bn ti thiu v Mt m hc. Nhm mc ch , tc gi s dng
nhng t liu, gio trnh ging dy v mt m hc cho bc i
hc, cao hc ngnh cng ngh thng tin, ton tin i hc Bch
khoa H Ni, Vin i hc M H Ni, tham kho nhng cng trnh
cng b quc t v trong nc trong vng mi nm gn y (xem
ti liu tham kho) bin son thnh cun sch ny. Gio trnh
mt m hc v h thng thng tin an ton l s sp xp trnh by
theo quan im ca tc gi, c tham kho nhiu ti liu nhng
khng da theo khun mu ca mt t liu no cng chuyn ngnh
cng b trc y. Tc gi khng dm hy vng trnh by c
tht chi tit y v i su vo nhng vn ton hc rt phc
tp, m ch mong p ng ph hp vi nhu cu ca ng o sinh
vin, k s, nh nghin cu trong vic tm hiu mt cch cn bn v
mt ngnh hc ang c hng lot ng dng quan trng trong cng
ngh thng tin v truyn thng hin nay.
Ni dung gio trnh trnh by nhng khi nim v nh ngha
chung v bo mt thng tin, i su phn tch 2 loi m ha: m kha
b mt cng cc giao thc, thut ton trao i kha m v m bt
i xng hay m kha cng khai v kha ring vi nhng ng dng
c th ca n. Bn cnh , ni dung gio trnh gii thiu n mt
vn rt c ngha hin nay trong cc giao dch thng mi in
t, ngn hng trc tuyn l: Ch k in t, ch k s v vn
phn phi kha cng khai vi cc h thng h tng c s kha cng
khai PKI v chun X509 cng nh h thng mng li tin cy v giao
thc PGP. c bit phn cui gii thiu cc giao thc v chun m
ha thng dng nht trn Internet trong cc dch v bo mt th

in t nh S/MIME, nhng giao thc v chun m ha s dng
bo m an ton thng tin c bit quan trng trong thng mi
in t, ngn hng in t, nh SSL/TLS v HTTPS, FTPS, SET,
SSH, IPsec cui mi phn l thuyt, gio trnh cung cp mt
danh mc cc phn mm ng dng thng mi v phi thng mi
ngi c tin tra cu, s dng.
Gio trnh c xut bn ln u s kh trnh khi nhng thiu
st. Rt mong nhn c kin nhn xt, gp ca bn c gio
trnh ngy cng c hon thin hn trong ln ti bn sau.
Xin chn thnh cm n cc bn ng nghip Khoa Cng ngh
Thng tin - Vin i hc M H Ni gp cho tc gi trong vic
bin son gio trnh ny.
H Ni, thng 7 nm 2011

Tc gi
Chng 1: Tng quan v bo mt thng tin v l thuyt m ha
11
1
TNG QUAN V BO MT THNG TIN
V L THUYT M HA
1.1. NHU CU BO MT THNG TIN GIAO DCH TRONG MI TRNG M
Trong ton b cun sch ny chng ta s quy c xem xt cc
giao dch gia hai i tc: An (A) l ngi gi (pht) thng tin v
Bnh (B) l ngi nhn (thu) thng tin. Ngoi hai i tc ni trn
chng ta cng gi thit rng tn ti mt k th ba l Cng (C), C
lun tm cch xm nhp nhng thng tin trao i gia A v B
nghe ln (trm thng tin) hoc thay i lm sai lch cc thng
tin c trao i gia A v B nhm mt mc ch no .
Gi s An c mt cu chuyn ring t b mt cn ni vi Bnh.
R rng l tng nht l hai ngi c th ko nhau vo mt cn
phng ca ng kn (tng cch m cng tt) v th tho vi nhau:
mi iu trao i ch c hai ngi bit, khng lt vo tai bt k mt
ngi th ba no. Mi trng giao dch l mt mi trng ng
(theo ngha l ngoi hai i tc giao dch, khng c s xm nhp ca
bt k mt ngi th ba no), mi trng ng l mt mi trng
tin cy.
Tuy nhin trong thc t, ngi ta thng phi tin hnh giao
dch trong nhng mi trng khng ng, tc l mi trng m
(open surrounding). Chng hn, v gp qu, khng tm ra ch kn
12
Gio trnh mt m hc v h thng thng tin an ton
o, An phi ng ngay u ng ni to ln vi Bnh ang ng

cui ng, cu chuyn hin nhin lt vo tai ca nhiu ngi khc.
Hoc An ang H Ni phi gi in thoi hay gi th cho Bnh
TP. H Ch Minh, khng th m bo l ni dung cuc ni chuyn
in thoi hoc ni dung l th khng b ngi th ba no nm
bt c. Mi trng m ni chung l mi trng khng tin cy.
Mi trng m
An
Bnh
Hnh 1.1: Mi trng m trong trao i thng tin

1.2. NHNG NGUYN L CA BO MT THNG TIN
Cc giao dch in t ni chung l giao dch trong mi trng
m, giao dch trn Internet, giao dch xuyn quc gia. Trong cc qu
trnh trao i thng tin cc i tc thng l khng mt i
mt c th nhn din ra nhau. V th rt kh c th thc hin
c nhng yu cu sau y ca vic trao i thng tin c xem l
nhng nguyn l c bn ca vn bo mt thng tin:
1. Tnh b mt/ring t.
2. Tnh ton vn.
3. Tnh xc thc.
4. Tnh khng th chi b.
5. Tnh nhn dng.
Thm vo , tc thc hin truyn tin (nhanh chng) cng l
mt yu cu cn ch . Ta s ln lt xt qua cc yu cu k trn.
13
1.2.1. Nguyn l 1: Nguyn l b mt/ring t

(Confidentiality/Privacy)
Gi s A gi mt vt mang tin n cho B. Nguyn l u tin
ca l thuyt bo mt l phi m bo tnh b mt v tnh ring t
cho qu trnh truyn tin. iu ny c ngha l vic truyn tin phi
m bo rng ch c hai i tc A v B khi tip cn vt mang tin mi
nm bt c ni dung thng tin c truyn. Trong qu trnh
truyn tin, nu c k th ba C (v mt nguyn nhn no ) c th
tip cn c vt mang tin th phi m bo rng k vn khng
th nm bt c, khng th hiu c ni dung thc s ca
thng tin cha trong vt mang tin .
1.2.2. Nguyn l 2: Nguyn l ton vn (Integrity)
Trong qu trnh truyn tin, c th v l do khch quan ca mi
trng, nht l do s xm nhp ph hoi ca k th ba, ni dung ca
thng tin ban u cha trong vt mang tin c th b mt mt hay b
thay i. Nguyn l ny khng yu cu n mc phi m bo rng
thng tin khng b thay i trong qu trnh truyn tin, nhng phi
m bo c l mi khi thng tin b thay i th ngi nhn (v tt
nhin l c ngi gi) u pht hin c. Chng hn vt mang tin
ca A gi cho B trn ng truyn tm thi lt vo tay ngi th ba
C. C tuy khng th hiu c ni dung thng tin (do qu trnh
truyn tin thc hin nguyn l 1) nhng vn c th tc ng vo
vt mang tin lm thay i thng tin n mang; khi nhn c vt
mang tin ( b lm thay i) B lp tc nhn bit rng n b lm
thay i.
1.2.3. Nguyn l 3: Nguyn l xc thc (Authentication)
Nguyn l 3 ca bo mt thng tin yu cu l trong mt qu
trnh truyn tin, ngi nhn tin (v c khi c ngi gi tin na) c
14
bin php chng minh vi i tc rng h chnh l h ch

khng phi l mt ngi th ba no khc. Chng hn khi bn nhn
mt l th bo m ti Bu in th bn phi c cch no chng
minh c rng bn chnh l ngi c quyn nhn l th , bng
cch xut trnh chng minh nhn dn hoc mt giy gii thiu c
gi tr no . S xc thc ny c th l xc thc mt chiu (oneway authentication): ngi nhn phi xc thc mnh vi ngi gi,
nhng cng c nhng trng hp i hi xc thc hai chiu (mutual
authentication): ngi nhn vi ngi gi v ngc li. Chng hn
khi A l khch hng gi tin bo cho B l ch nh hng chun b cho
mnh mt ba tic, A phi xc thc c rng ngi nhn tin ca
mnh ng l B (ngi c trch nhim ca nh hng) ch khng
phi l mt nhn vin no c th v trch nhim, qun lng lm
nh nhng cho khch ca mnh. Mt khc khi B nhn tin cng phi
xc thc c ng l n t hng ca A ch khng phi do mt k
ph ri no mo danh lm cho mnh b ba tic chun b.
1.2.4. Nguyn l 4: Nguyn l khng chi b (Non repudition)
Nguyn l ny i hi rng khi qu trnh truyn tin kt thc, A
gi cho B mt thng tin v B nhn thng tin th A khng th
chi b rng thng tin khng do mnh gi (hoc mnh khng gi
tin) mt khc B cng khng th chi b rng mnh cha nhn c.
Cng trong v d v vic t tic ni trn, nu A t tic nhng
khng n n th khng th chi l tin t tic khng do mnh gi,
ngc li khi khch kha n m B qun chun b th B cng khng
th chi l do mnh cha nhn c n t hng ca A.
1.2.5. Nguyn l 5: Nguyn l nhn dng (Identification)
Gi s mt h thng ti nguyn thng tin chung c nhiu ngi
s dng (users) vi nhng mc quyn hn khc nhau. Nguyn l 5
ca bo mt thng tin yu cu phi c bin php h thng c th
15
nhn dng c cc ngi s dng vi quyn hn km theo ca h.

Chng hn trong mt th vin c nhiu kho sch cha cc loi ti
liu thng thng v ti liu mt. Ngi c chia lm nhiu loi, c
loi ch c c sch thng thng ti ch, c loi c c ti
liu mt, c loi li c mn v nh. Ngi vo th vin phi xut
trnh th, c cc loi th khc nhau: Cn c vo th, ngi th th
nhn dng c ra ngi c phi l ngi c quyn s dng th
vin khng v c quyn s dng theo dng no.
Trong vn bo mt cn c mt iu cn lu : l s tin
tng. Khi chia s mt b mt cho mt ngi, bn phi tin tng
vo kh nng bo v b mt ca ngi . Nhng mt iu kh khn
y l: tin tng l mt phm tr c tnh tm l, x hi khng c
cc c trng ca mt loi quan h ton hc no:
- Tnh khng phn x: Mt ngi c lun lun tin tng vo
chnh mnh khng? (iu ny cha chc chn i vi tt c
mi ngi v trong tt c mi trng hp!)
- Tnh khng i xng: A tin tng vo B nhng liu B c tin
tng vo A khng? (Cha chc!)
- Tnh khng bc cu: A tin tng B, B tin tng C, nhng
khng c g m bo (trong rt nhiu trng hp) l A tin
tng vo C.
Chnh v vy, trong cc vn bo mt nhiu khi chng ta
khng th hon ton dng cc phng php suy lun logic thng
thng m phi ch n vic tun th cc nguyn l bo mt
thng tin.
1.3. KHI NIM V THUT NG
Trong mc ny chng ta thng nht vi nhau mt s thut ng
thng dng sau ny.
16
Thng ip (message) l mt thc th vt l mang thng tin

cn trao i. L th, in tn (telegraph), E-mail l thng ip dng
vn bn (text). Cu chuyn qua in thoi, bi ni trn i pht
thanh, pht biu trong mt cuc hp l nhng thng ip dng
m thanh (sound). Cc album nh, cc bc tranh l nhng thng
ip dng nh (picture), cn mt b phim cm, mt videoclip khng
c ting ni l nhng thng ip dng hnh nh ng (animation).
Cc thng ip bao gm c bn dng trn l nhng thng ip a
phng tin (multimedia) chng hn nh mt cun bng video, mt
chng trnh truyn hnh u l nhng thng ip multimedia.
Trong giao dch in t, mi thng ip d bt c dng no cng
u c s ha, tc l chuyn i thnh nhng dy bit, nhng dy
s nh phn ch gm hai con s 0 v 1. V vy c th ni rng: Mi
thng ip in t u l nhng dy con s dng nh phn. Nhng
mi con s dng nh phn li u c th chuyn tr li thnh dng
thp phn. Cho nn ngi ta cng c th dng mt con s thp phn
biu din mt thng ip. Chng hn khi c thng ip s ha
thnh s nh phn l: 1111011 ta cng c th ni rng thng ip
l s thp phn 123. V vy trong giao dch in t hin i, khi
xem xt vic x l cc thng ip in t chng ta hiu rng y l
vic x l cc thng ip s ha.
Plain text/message: l thng ip, d liu gc dng tng
minh dng ban u ca ngi pht hnh thng ip to ra, mi
ngi bnh thng trong cng mi trng x hi vi ngi to ra v
ngi c gi thng ip (v c nhng ngi th ba v l do no
c c hi tip cn c thng ip ) u c th hiu c ni
dung. Chng hn trong x hi c nhiu ngi bit ting Vit, An vit
mt l th bng ting Vit gi cho Bnh: l th l mt plaintext v
nu nhn c l th th khng nhng ch c Bnh hiu c ni
dung m bt k ngi no bit ting Vit c c l th cng hiu
ngay ni dung l th .
17
Cipher text/message: l thng ip d liu bin i theo mt

quy tc no thnh mt dng khc (dng n tng) m ch nhng
ngi no nm bt c quy tc bin i ngc tr li thnh
plaintext th mi hiu c ni dung thng ip. Chng hn trong
mt mi trng, ngoi An v Bnh khng c ngi no khc bit
ting Anh. Sau khi An vit mt bc th bng ting Vit (plaintext)
trc khi gi cho Bnh dch ra ting Anh, khi l th n tay Bnh,
v Bnh cng bit ting Anh nn d dng dch ngc li hiu ni
dung, cn nu bn dch ca l th ra ting Anh ri vo tay Cng, do
Cng (cng nh mi ngi xung quanh) khng bit ting Anh nn
khng th hiu c ni dung. Bn dch l th ra ting Anh trong
trng hp ny c xem l mt ciphertext.
Cipher (hay cypher): l thut ton dng ch quy tc thc
hin vic bin i thng ip dng tng minh (plaintext) thnh
thng ip dng n tng (ciphertext), qu trnh ny gi l m ha v
cng ch qu trnh bin i ngc t ciphertext tr li thnh
plaintext, qu trnh ny gi l gii m. Trong khun kh cun sch
ny ta u gi cc quy tc l nhng thut ton.
Encrypt (encipher, encryption: m ha): l qu trnh bin i
thng tin t dng ban u (dng tng minh) thnh dng n tng,
vi mc ch gi b mt thng tin .
Decrypt (decipher, decryption: gii m): l qu trnh ngc
li vi m ha, khi phc li nhng thng tin dng ban u t thng
tin dng c m ha.
Cryptosystem (Cryptographic system: H thng m ha thng
tin): c th l cc phn mm nh PGP, Ax-Crypt, Truecrypt... cc
giao thc nh SSL, IPsec dng trong Internet... hay n gin l mt
thut ton nh DEA.
Cha kha (Key): chnh l thng tin dng cho quy trnh m ha
v gii m. Password (mt khu) l mt hay dy k t, k hiu, tn
18
hiu m ngi dng c h thng bo mt cp xc nhn cp

quyn c php truy cp hoc can thip mt mc quy nh
(xem, nghe, sa, xa...) vo mt khu vc lu tr thng tin no .
Trong thc t, mt khu do ngi dng to ra thng khng
an ton c dng trc tip trong thut ton.
V vy, trong bt c h thng m ha d liu nghim tc no
cng phi c bc chuyn i mt khu ban u thnh cha kha c
an ton thch hp, thng gi l cng on to cha kha. Bc
to cha kha ny thng c gi l key derivation, key stretching
hay key initialization.
Key Derivation Function (Hm to kha): thng s dng mt
hm bm (hash function) (s gii thch r hn phn sau) c
thit k sao cho cha kha an ton hn i vi cc kiu tn cng
thm m. Hm ny c thc hin li nhiu ln trn mt khu ban
u cng vi mt con s ngu nhin to ra mt cha kha c
an ton cao hn. Con s ngu nhin ny gi l salt, cn s ln lp li
l iteration. V d mt mt khu l "pandoras B0x", cng vi salt l
"230391827", i qua hm hash SHA-1 1000 ln cho kt qu l mt
cha kha c di 160 bit (th hin di dng s thp lc phn: h
m c s 16) nh sau:
3BD454A72E0E7CD6959DE0580E3C19F51601C359
Keylength (Keysize): di (hay kch thc) ca cha kha. Ta
ni mt cha kha c di 128 bit c ngha cha kha l mt s
nh phn c di 128 ch s. Ta s thy rng mt thut ton c
cha kha cng di th cng c nhiu kh nng chng li cc kiu tn
cng. (Bn c th so snh nh s vin bi trong mt kha bi thng
dng: s bi cng nhiu th kha cng an ton).
Xem xt mt v d sau y. Mt th kha ti gii to ra mt
kha kiu t hp (combination lock: loi kha c kha (hay m)
19
bng cch xoay mt s ln theo chiu thun v mt s ln theo chiu

ngc kim ng h n nhng con s no , nh cc kha kt
st) v hng dn cch s dng cho khch hng. An v Bnh mi
ngi mua mt kha kiu mang v v mi ngi t mt kiu
t hp khc nhau cho mnh. Lc th tuy l dng chung mt loi
kha nhng An v Bnh khng th m c kha ca nhau, k c
ngi th kha cng khng m c kha ca hai ngi! kha
kiu t hp l mt thut ton m ha v gii m. Cch chn t hp
ca An hay Bnh l nhng kha (key) khc nhau. S ln quay m
An hay Bnh chn kha (v m) chnh l di ca kha. Nu An
khng bit kha ca Bnh t m mun ph kha th thng
thng phi d th mi kh nng c th c ca cc t hp, bng
khng th phi ... vc ba ra m p v kha! Kiu ph kha bng
cch d th tt c mi kh nng nh vy gi l tn cng bo lc:
brute force attack, tt nhin tn cng kiu bao gi cng thnh
cng (ngha l ph c kha) nhng r rng phng php tn
rt nhiu thi gian.
di kha cng ln (tc l s ln m ngi ch kha quy nh
phi quay kha hoc m) th vic tn cng bo lc cng mt
nhiu thi gian. Ngi ta nh gi mt kha l an ton trong
mt thi gian T nu nh kh nng tn cng bo lc phi mt thi
gian gp nhiu ln T. Chng hn mt ngi thng vng nh khng
qu 7 ngy, nu kha ch c th ph c bng tn cng bo lc
trong sut mt tun th kha c xem l an ton. Nhng nu
ngi i xa 1 thng th s dng kha l khng an ton na!
Mt chuyn gia ph kha c th c nhng phng php d tm
khc m thi gian ph kha rt t so vi kiu tn cng bo lc. Nh
vy mun nh gi mc an ton ca mt kha ta cn phi xem
xt mi kh nng ph kha c th c ch khng phi ch nh gi
qua thi gian tn cng bo lc.
20
1.4. MT M HC
1.4.1. Mt m hc (cryptography) l g?
Ngi ta gi mt m hc l mt khoa hc nghin cu ngh
thut nhm che giu thng tin, bng cch m ha (encryption) tc
l bin i thng tin gc dng tng minh (plaintext) thnh
thng tin m ha dng n tng (cipher text) bng cch s dng
mt kha m (thut ton m ha) no . Ch c nhng ngi gi
cha kha (key) b mt mi c th gii m (decryption) thng tin
dng n tng tr li thnh dng thng tin c dng tng minh.
ab
cd
Encryption
plaintext
Decryption
plaintext
cipher text
Key
ab
cd
Key
Hnh 1.2: S m ha v gii m
Thng tin n tng i khi vn b khm ph m khng cn bit

kha b mt: vic gi l b kha. Ngnh hc nghin cu v vic b
kha (attack/crack/hack) ny cn gi l cryptanalysis. Nh ni v
d trn, trong cc phng php tn cng thm m ta gi tn cng bo
lc - brute-force attack (exhaustive key search): l phng php tn
cng bng cch th tt c nhng kh nng cha kha c th c. y l
phng php tn cng th s nht v cng kh khn nht. Theo l
thuyt, tt c cc thut ton hin i u c th b nh bi bi
tn cng bo lc nhng trong thc tin vic ny ch c th thc hin
c trong thi gian rt di nn thc t l khng kh thi. V th c th
coi mt thut ton l an ton nu nh khng cn cch no khc tn
cng n ngoi cch s dng brute-force attack. chng li tn cng
ny, cha kha b mt c thay i mt cch thng xuyn hn.
21
Trong l thuyt mt m, ngi ta nghin cu ng thi cc

thut ton lp m v vn thm m c dng nh gi mc
an ton v kh nng bo mt thng tin ca mi thut ton m ha.
1.4.2. Mt m hc trong lch s
C th xem l lch s mt m hc bt ngun t ngi Ai Cp vo
khong nhng nm 2000 trc Cng nguyn khi h dng nhng k
hiu tng hnh kh hiu trang tr trn cc ngi m nhm b mt
ghi li tiu s v nhng chin tch, cng lao ca ngi khut.
Trong mt thi gian di hng th k mt trong nhng loi cng
trnh nghin cu thu ht rt nhiu nh khoa hc trn th gii l cc
nghin cu gii m nhng du tch b mt trn cc ngi m c Ai
Cp, nh m ta hiu bit c kh nhiu v lch s, phong tc,
tp qun sinh hot ca t nc Ai Cp c huyn b.
Ngi Hebrew (Do Thi c) sng to mt thut ton m ha
n gin v hiu qu gi l thut ton atbash m cha kha m ha
v gii m l mt s thay th (substitution) trong bng ch ci. Gi
s dng cha kha m ha l bng hon v:
ABCDEFGHIJKLMNOPQRSTUVWXYZ
ZYXWVUTSRQPONMLKJIHGFEDCBA
Khi chng hn t gc (plaintext): JERUSALEM s c m
ha thnh t m (ciphertext): QVIFHZOVN. Nu ngi nhn tin c
cha kha th vic bin i QVIFHZOVN tr li thnh JERUSALEM l
iu hon ton n gin, nhng nu khng c cha kha th qu l
kh khn, ngi nhn c thng ip khng th no hiu ni
QVIFHZOVN c ngha l g c! Cho d bit rng quy lut m ha ch
l mt s thay th ca 25 ch ci nhng nu tn cng bo lc th
phi th ln lt ht mi kh nng to cha kha, tc l phi th 25!
kh nng (tt nhin v sau ngi ta c rt nhiu bin php gim
22
bt kh nng d tm, chng hn nu plaintext c di kh ln th

c th s dng d tm theo tn sut xut hin ca cc k t).
Thut ton m ha bng thay th ny ch dng mt k t (ch ci)
thay th cho mt k t nn c gi l thut ton m ha thay th n
(monoalphabetic substitution). Ngi ta cng c th to nhng thut
ton m ha thay th khi (multiple alphabetic substitution) nu thay v
thay th tng k t ta thay th mt dy k t gc bi mt dy k t m
ha: thut ton ny cho ta nhiu kh nng to kha hn nn kh nng
b tn cng li cng gim xung.
Vo khong nm 400 trc CN, ngi Sparte s dng mt dng
c gi l gy mt m. Cc i tc vit th ln mt hng ngang ca
mnh giy di cun quanh mt cy gy c ng knh v di quy
c vi nhau trc ri tho ra v in vo cc trng nhng k t bt
k. i tc nhn th phi c mt cy gy ging ht, cng ng knh
v di, li qun mnh giy vo gy v gii m c. Nu khng
hiu quy lut v khng c cy gy nh th th khng th no c hiu
nhng k t ni ui nhau mt cch v ngha trn mnh giy.
V thi Trung C, hong La M ni ting l Julius Caesar to
mt cng c lp m rt n gin cho thut ton gi l m vng
(cyclic code) tng t nh thut ton atbash ca ngi Hebrew
nhng y khng phi l mt s thay th bt k m l mt s thay
th theo hon v vng quanh. Caesar dng hai vnh trn ng tm,
trn c hai vnh u ghi bng ch ci La-tinh, vnh trong ng vi
plaintext cn vnh ngoi ng vi ciphertext. Cha kha m ha l
php xoay vnh trn bn ngoi mt s bc, do cc ch ci thay
i i. Chng hn nu cha kha l +3 tc l xoay theo chiu thun
+3 th cc ch ci A, B, CX, Y, Z trong plaintext s chuyn n
D, E, F A, B, C trong ciphertext, t HANOI trong plaintext c
m ha thnh t KDQRL trong ciphertext. Ngi nhn s gii m
bng cch xoay ngc vnh ch ngoi -3 th tm li c plaintext.
23
Ngy nay, cc phng php m ha v lp m xem ra qu n

gin nn khng cn c dng trong cc vn bo mt thng tin
quan trng, tuy nhin cng cn gi tr cho mt s ngi khi mun
dng bo mt nhng ghi chp c nhn thng thng ca mnh v
tng ca chng vn cn c s dng trong mt s cng c lp
m hin i. Mt m hc c pht trin mnh chu u v mi n
khong nm 1800 ch yu vn ch c s dng nhiu trong vic
bo mt cc thng ip qun s. Chnh nguyn l m vng ca
Caesar l tng cho vic pht trin mt thit b m ha ni ting
nht trong lch s: my m ha Enigma ca ngi c dng trong
i chin th gii ln th hai. Enigma c 3 quay, mi k t trong
plaintext khi a vo s c thay th 3 ln theo nhng quy lut
nh sn khc nhau cho nn qu trnh thm m rt kh khn.
V sau mt nhm cc nh mt m hc Ba Lan b kha c
thut ton lp m ca Enigma v cung cp cho ngi Anh mi thng
tin qun s ca c: ngi ta nh gi rng thnh cng ca vic ph
kha rt ngn thi gian ko di ca Th chin II bt c 2
nm. Sau khi Th chin II kt thc, b mt ca Enigma c cng b
v ngy nay mt my Enigma cn c trin lm ti Vin
Smithsonian, Washington D.C, Hoa K.
William Frederick Friedman (1891 1989)
24
Nm 1920, William Frederic Friedman cng b tc phm The

Index of Coincidence and Its Applications in Cryptography (Ch s
trng hp v ng dng ca n vo Mt m hc). ng c xem l
cha ca Mt m hc hin i.
1.4.3. Phn loi cc thut ton m ha
Ngy nay ngi ta phn bit ra hai nhm thut ton m ha
chnh l: Cc thut ton m ha c in v cc thut ton hin i.
- Cc thut ton c in: (nhng thut ton ny ngy nay i
khi vn cn c dng chng hn trong tr chi tm mt th) gm:
+ Thut ton thay th (Substitution) l thut ton m ha
trong tng k t (hoc tng nhm k t) ca plaintext
c thay th bng mt (hay mt nhm) k t khc. Thut
ton atbash ca ngi Hebrew hay thut ton vng ca Caesar
u l cc thut ton thay th. Chnh tng ca m vng
Caesar c ng dng trong my Enigma.
+ Thut ton chuyn v (Transposition) l thut ton m ha
trong cc k t trong vn bn ban u ch thay i v tr
cho nhau cn bn thn cc k t khng h b bin i.
Xt mt v d v thut ton hon v. Trong thut ton ny chng
ta ngt thng ip gc thnh tng nhm 4 k t nh s trong tng
nhm t 1 n 4. Cha kha y l mt hon v bt k ca 1234
gn cho mi nhm:
HAI PHONG
Plaintext
HAIP
HONG
Ngt on tng nhm 4 k t
1234
1234
Th t t nhin trong mi nhm
2413
3142
Kha m (chn hon v ty )
APHI
NHGO
Ciphertext
25
Cc thut ton hin i:

C nhiu cch phn loi cc thut ton m ha hin i hin
ang s dng. Trong cun sch ny ta s phn bit theo s cha kha
s dng trong mt thut ton v nh vy c 3 loi sau y:
a. M ha i xng hay kha b mt SKC (Secret Key
Cryptography): Ch dng mt cha kha cho c m ha v
gii m (bin i theo hai chiu ngc nhau)
b. M ha bt i xng hay kha cng khai v kha ring
PKC (Public and Private Keys Cryptography): S dng
hai kha ring bit: mt kha m ha (kha cng
khai: public key) v mt kha khc gii m (kha
ring: private key).
c. Hm bm (Hash function): M ha mt chiu (one-way
cryptography) dng mt bin i ton hc m ha
thng tin gc thnh mt dng khng bin i ngc
c: khng c cha kha v t ciphertext khng tm
ngc li c plaintext!
ciphertext
plaintext
plaintext
a. M ha kha b mt (i xng). SKC s dng mt kha cho

c m ha v gii m.
ciphertext
plaintext
plaintext
b. M ha kha cng khai (bt i xng). PKC s dng hai kha,

mt kha m ha v kha cn li gii m.
plaintext
Hm bm
ciphertext
c. Hm bm (m ha mt chiu). Hm bm khng c cha kha

do plaintext khng tm ngc li c ciphertext.
Hnh 1.3: Kha i xng, kha bt i xng v hm bm
26
Trong nhng chng sau chng ta s i vo ln lt nghin cu

v cc thut ton lp m v gii m cho cc loi m i xng, m bt
i xng, u im v nhc im ca chng v kh nng ng dng
ca chng trong vic truyn cc thng ip in t.
Sau y chng ta tham kho v d v thch thc bo mt thi
k thut s.
Vic pht tn thng tin mt ca B Quc phng M trn Wikileaks ang t
ra thch thc an ninh trong thi i k thut s.
Cc nh phn tch cho rng ngy 26/7/2010 d liu b nh cp c dung
lng tnh bng gigabytes c th c chia s ch bng mt ln ci nhp chut.
Ti ngh v vic ny trong mi lin h vi Ti liu Lu Nm Gc", James
Lewis, mt chuyn gia mng, ti Trung tm Chin lc v Nghin cu Quc t
(CSIS), so snh vi s c nm 1971 khi d liu trong h s Cuc chin Vit
Nam ca Lu Nm Gc b r r.
"S khc bit vi Ti liu Lu Nm Gc l ch Daniel Ellsberg ly nhiu ti
liu dng in trn giy v a cho mt phng vin", ng Lewis ni.
"Nay ngi ta c th ly nhiu ti liu hn nhiu v pht tn cho ton th gii."
Wikileaks khng xc nh ngun ti liu mt nhng mi nghi ng hin
ang nhm ti Bradley Manning, mt nh phn tch tnh bo qun i M ang
b giam ti mt nh t qun s Kuwait.
Julian Assange, mt nh bo v l ch trang Wikileaks cho bo ch Anh hay
trong chuyn n Lun n rng ng cn ang nm trong tay hng nghn t
liu nh v va qua nhng cha tung ra.
Lu Nm Gc tin tng nhn vin ca mnh, l iu tt, nhng khng .
James Lewis, Trung tm Chin lc v Nghin cu Quc t
Ring Manning b bt vo thng Nm sau khi Wikileaks pht on bng
video v mt chic trc thng Apache ca M ti I-rc tn cng v c dn
thng cht trong v oanh tc ny.
ng ta b buc ti cung cp thng tin quc phng cho mt ngun tri php.
B Quc phng M trong thng Su cho bit h tm hiu v co buc rng
ng Manning cung cp video mt v 260.000 in mt ngoi giao cho
Wikileaks.
27
ng Lewis cho bit B Quc phng M, ging nh bt k t chc no, u

c "nhng vai xu" bn trong chng li ngi tuyn dng h "nhng nay
lm nhng vic nh th ny th i vi h d dng hn rt nhiu."
Mt cu quan chc Lu Nm Gc cho bit cuc cch mng truyn thng k
thut s, trong khi mang li li ch to ln cho x hi ni chung, cng to ra lo
ngi v an ninh. S gia tng ca phng tin truyn thng k thut s v phn
mm x hi chc chn s lm tng ri ro dn ti nhng v vic nh th ny xy
ra", quan chc ny ni vi iu kin khng nu tn v ng vn cn ng mt
vai tr tch cc trong mng chnh sch an ninh quc gia.
Gii chuyn gia cho rng trong thi i dng giy th mt ti liu c ng
du mt l nhng vi thi k thut s th mi chuyn li khc.
James Lewis, chuyn gia v khng gian mng, ti Trung tm Chin lc v
Nghin cu Quc t (CSIS), a ra quan im trong thi i Internet "nhiu
ngi c th truy cp c s d liu v xem tt c ti liu c lu tr mt ni
no " "Nhng cch chng ta kim sot quyn truy cp li da trn mt
m hnh c hn, tc l da vo mc tin tng c nhn" "Lu Nm Gc
tin tng nhn vin ca mnh, l iu tt, nhng khng ."
Lewis cho bit mt "h thng tt hn c th thng bo ngay vic ti sao c
ai li c th ti xung hng ngn t liu?
Don Jackson t SecureWorks cho bit trc khi c Internet th ngi ta khng
qu lo lng v vic d kin b pht tn bi mt t bo c ng th cng khng th
pht tn c 90.000 vn bn, th nhng Wikileaks c th lm iu trong vi
giy. Cu quan chc ca Lu Nm Gc ni rng ng "rt tic xy ra vic pht
tn thng tin mt v p-ga-ni-xtan v Pa-ki-xtan, nhng ni ng hy vng v vic
ny s khng dn ti kh nng qun i bt s dng cc phng tin truyn
thng x hi. "V vic ny khng nn c dng bin minh cho n lc lm
ngi ta bt nm bt phng tin truyn thng mi cng nh khm ph ra
cch s dng truyn thng mi mt cch hiu qu hn", ng ni.
Mt khc, vic tng ln nhiu con s nhn vin dn s v qun s c tip
xc cc ngun tin mt cng d gy tht thot t liu. Hin nay c hn 800
nghn ngi M c quyn xem cc ngun tin mt.
Bo New York Times gn y trch cc nghin cu ca Hoa K cho rng hin
nc ny c hng trm c quan chnh ph cng qun l vic an ninh chng
khng b.
28
2
M HA KHA I XNG
2.1. KHI NIM
2.1.1. M ha kha i xng l g?
M ha kha i xng (hay cn gi l m ha kha ng b) l mt
thut ton m trong c hai qu trnh m ha v gii m u dng
mt kha. m bo tnh an ton, kha ny phi c gi b mt.
V th cc thut ton m ha kha ng b ny cn c tn gi khc
l m ha vi kha b mt (secret key cryptography). Mt iu cn
lu l khi mt ngi m ha mt thng ip gc (plaintext) thnh
thng ip m ha bng mt kha K (thut ton m ha)
(ciphertext) ri gi ciphertext cho i tc th i tc mun gii m
cng cn phi c kha K, ngha l trc hai i tc phi trao
i cho nhau chia s cng bit c kha K.
Trong v d v gy m ha ca ngi Sparte, cc i tc phi

bn giao cho nhau s hu nhng cy gy ging nhau trc khi
trao i thng ip. Caesar mun cho tng lnh di quyn c
c mt th ca mnh th trc khi ra i cc tng lnh phi c
Hong triu tp vo phng kn bo cho bit s bc xoay vng
v tt nhin iu ny (cha kha) phi c gi kn!
Gi s nu An ch gi thng ip m ha cho Bnh m khng
h bo trc v thut ton m ha s dng, Bnh s chng hiu
trong thng ip ca An mun ni g. V th bt buc An phi thng
Chng 2: M ha kha i xng
29
bo cho Bnh v cha kha v thut ton s dng ti mt thi im

no trc y.
Hnh 2.1: Thut ton m ha i xng

Bnh v An c cng mt kha K A B . Gi s m l thng ip
gc, kha ny c xy dng sao cho: m = K A B (K A B (m)) : dng
K A B va m ha va gii m.
2.1.2. M ha kha i xng c th phn thnh hai nhm ph
- Thut ton m ha theo khi (Block ciphers): trong tng
khi d liu trong vn bn gc ban u c thay th bng mt khi
d liu khc c cng di. di mi khi gi l kch thc khi
(block size), thng c tnh bng n v bit. V d thut ton
3-Way c kch thc khi bng 96 bit. Mt s thut ton khi thng
dng l: DES, 3DES, RC5, RC6, 3-Way, CAST, Camelia, Blowfish,
MARS, Serpent, Twofish, GOST...
- Thut ton m ha dng (Stream ciphers): trong d liu
u vo c m ha tng bit mt. Cc thut ton dng c tc
nhanh hn cc thut ton khi, c dng khi khi lng d liu cn
m ha cha c bit trc, v d trong kt ni khng dy. C th coi
thut ton dng l thut ton khi vi kch thc mi khi l 1 bit.
Mt s thut ton dng thng dng: RC4, A5/1, A5/2, Chameleon.
2.2. TIU CHUN M HA D LIU (DES)
2.2.1. Gii thiu v DES
Tiu chun m ha d liu DES (Data Encryption Standard) l
mt phng php mt m ha c FIPS (Federal Information
30
Processing Standard: Tiu chun x l thng tin Lin bang Hoa K)

chn lm chun chnh thc vo nm 1976. Thut ton m ha theo
tiu chun DES gi l DEA (Data Encryption Algorithm). (Ngi ta
cng thng gi ln ln DEA v DES trong khi s dng). DES l mt
m khi, mi khi gm 64 bit trong dnh 8 bit kim tra li
(Parity checking) cn li 56 bit kha (xem Ph lc 1). Cu trc tng
th ca thut ton c th hin hnh 2.2.
Hnh 2.2: M hnh thut ton DES
31
M t thut ton DES

C 16 chu trnh ging nhau trong qu trnh x l. Ngoi ra cn
c hai ln hon v u v cui (Initial and final permutation: IP & FP).
Hai qu trnh ny c tnh cht i nhau (trong qu trnh m ha th
IP trc FP, khi gii m th ngc li). IP v FP, c s dng t thp
nin 1970, khng c vai tr xt v mt m hc v vic s dng chng
ch c ngha p ng cho qu trnh a thng tin vo v ly thng
tin ra t cc khi phn cng.
Trc khi i vo 16 chu trnh chnh, khi thng tin 64 bit c
tch lm hai phn 32 bit v mi phn s c x l tun t (qu
trnh ny cn c gi l mng Feistel). Cu trc ca thut ton
(mng Feistel) m bo rng qu trnh m ha v gii m din ra
tng t. im khc nhau ch ch cc kha con c s dng theo
trnh t ngc nhau. iu ny gip cho vic thc hin thut ton tr
nn n gin, c bit l khi thc hin bng phn cng.
K hiu (trong hnh 2.2) th hin php ton XOR (hm tuyn
ngt: Exclusive OR) hay l hm cng theo modulo 2. Hm F lm
bin i mt khi 32 bit ang x l vi mt kha con.
u ra sau hm F c kt hp khi 32 bit cn li v hai phn
c tro i x l trong chu trnh k tip. Sau chu trnh cui
cng th 2 na khng b tro i; y l c im ca cu trc
Feistel khin cho qu trnh m ha v gii m tr nn ging nhau.
Hm Feistel (F)
Hm F, nh c miu t nh hnh 2.3, hot ng trn khi
32 bit v bao gm bn giai on:
1. M rng: 32 bit u vo c m rng thnh 48 bit s
dng thut ton hon v m rng (expansion permutation)
vi vic nhn i mt s bit. Giai on ny c k hiu l
E trong s .
32
2. Trn kha: 48 bit thu c sau qu trnh m rng c

XOR vi kha con. Mi su kha con 48 bit c to ra
t kha chnh 56 bit theo mt chu trnh to kha con
(key schedule) miu t phn sau. (Xem khi nim hm
XOR ph lc I)
3. Thay th: 48 bit sau khi trn c chia lm 8 khi con
6 bit v c x l qua hp thay th S-box. u ra ca mi
khi 6 bit l mt khi 4 bit theo mt chuyn i phi
tuyn c thc hin bng mt bng tra. Khi S-box m
bo phn quan trng cho an ton ca DES. Nu khng
c S-box th qu trnh s l tuyn tnh v vic thm m s
rt n gin.
4. Hon v: Cui cng, 32 bit thu c sau S-box s c sp
xp li theo mt th t cho trc (cn gi l P-box).
Hnh 2.3: Hm F (Feistel) dng trong DES

Qu trnh lun phin s dng S-box v s hon v cc bit cng
nh qu trnh m rng thc hin c tnh cht gi l s xo
33
trn v khuch tn (confusion and diffusion). y l yu cu cn c

ca mt thut ton m ha c Claude Shannon pht hin trong
nhng nm 1940.
Qu trnh to kha con (Sub-key)
Hnh 2.4: Qu trnh to kha con trong DES

Hnh 2.4 m t thut ton to kha con cho cc chu trnh. u
tin, t 64 bit ban u ca kha, 56 bit c chn (Permuted Choice 1,
hay PC-1); 8 bit cn li b loi b. 56 bit thu c c chia lm hai
phn bng nhau, mi phn c x l c lp. Sau mi chu trnh, mi
phn c dch i 1 hoc 2 bit (ty thuc tng chu trnh).
Cc kha con 48 bit c to thnh bi thut ton la chn 2
(Permuted Choice 2, hay PC-2) gm 24 bit t mi phn. Qu trnh
dch chuyn bit (c k hiu l "<<<" trong s ) khin cho cc
kha con s dng cc bit khc nhau ca kha chnh; mi bit c s
dng trung bnh l 14 trong tng s 16 kha con.
34
Qu trnh to kha con khi thc hin gii m cng din ra

tng t nhng cc kha con c to theo th t ngc li. Ngoi
ra sau mi chu trnh, kha s c dch chuyn phi thay v dch
chuyn tri nh khi m ha.
2.2.2. S ra i ca DES
Cho n trc nhng nm 60 ca th k XX, cng ngh bo mt
thng tin hu nh l c quyn ca cc c quan an ninh quc phng
ca cc Nh nc, chng hn nh M l C quan an ninh quc gia
NSA (National Security Agency). T thp k 70 ca th k XX, nhu
cu giao dch x hi v kinh t trn phm vi ton cu i hi mt s
pht trin mnh m v lnh vc bo mt thng tin, c th l trong
cc vn lp m v gii m. Nhiu cng ty ra i v pht trin
nhiu cng c bo mt nhng khng c mt s thm nh ng tin
cy no cho nhng cng c .
Cui cng n nm 1972, Vin quc gia v tiu chun v cng
ngh, nay l Vin quc gia v tiu chun NIST (National Institute of
Standards and Technolgy) ca M quyt nh ch tr vn ny v
xut vic xy dng mt tiu chun quc gia v bo mt d liu ly tn
l Tiu chun m ha d liu (quc gia) DES (Data Encryption
Standard) v nm 1974 NIST chn mt thut ton m ha do IBM
gii thiu lm thut ton t tiu chun v gn tn cho thut ton
l Thut ton m ha tiu chun DEA (Data Encryption Algorithm).
tng chnh ca thut ton DEA do mt nh lp trnh ca IBM
l Horst Feistel sng to, l vic thc hin lp nhiu chu trnh m ha
bng c cc lut thay th v cc lut chuyn v ca m ha c in.
Trc kia, ch vi cc cng c c gii vic thc hin lp cc qu trnh
chuyn v rt kh khn nn cc cng c m ha phc tp trc y
(nh my Enigma) ch s dng cc thay th lp, khng dng chuyn
v. Sau nm 1970 vi s pht trin ca my tnh in t, Feistel
thc hin c iu cho nn phc tp ca DEA tri hn so vi
cc thut ton m ha trc y. NIST yu cu NSA tr gip pht
35
trin DEA v NSA p ng. Tuy nhin c ngi cho rng NSA
ngh gim di kha do IBM a ra lc ban u l 128 bit xung ch
cn 56 bit sau ny l v lo ngi mc bo mt qu cao, vt khi
trnh khng ch ca NSA thi v nh th c kh nng nh
hng n vn an ton bo mt ca quc gia.
NSA cng ngh ch sn xut cc phn cng tch hp phn
mm bo mt DEA ph bin trn th trng nhng khng c
ph bin cc kt qu nghin cu v phn mm. Tuy nhin, d c s
phn ng (khng cng khai) ca NSA, kt qu l DEA vn c cng
nhn l mt phn mm m ha t tiu chun m ha d liu quc
gia ca M dnh cho vic bo mt cc thng tin d liu kinh t v x
hi, khng thuc phm vi c quy nh l TUYT MT ca Nh
nc. T DEA nhanh chng pht trin v ph bin rng khp,
khng nhng ch M m cn lan rng khp ton th gii. C th
ni rng t xa n nay cha c mt thut ton m ha no c
tha nhn v s dng ph bin rng ri trn th gii trong mt thi
gian di nh vy.
T nm 1977 NIST ph bin cng khai tiu chun DES v quy
nh c sau 5 nm s xem xt li mt ln. Vo cc nm 1983, 1987
v 1993 DES u c cng nhn gia thi hn s dng thm 5 nm
tip sau.
Cho n nm 1997, do s pht trin tc ca my tnh in t
v nhng kt qu nghin cu mi v thm m, DES bt u bc l
nhng bt cp v NIST t vn tm cch thay th DES bng cc
thut ton m ha mi c bo mt cao hn qua cc k thi tuyn
chn cc thut ton m ha tin tin AEA (Advanced Encryption
Algorithm).
2.2.3. An ton v s gii m
Thut ton DES c s dng l mt chun m ha trong
thng mi v mc d c nhiu nghin cu v ph m DES hn
bt k phng php m ha khi no khc, nhng phng php ph
36
m thc t nht hin nay vn l tn cng bng bo lc. Nhiu c

tnh mt m ha ca DES c xc nh v t c ba phng
php ph m khc c xc nh vi mc phc tp nh hn tn
cng bo lc, tuy nhin cc phng php ny i hi mt s lng
plaintext qu ln ( tn cng la chn tn sut trong plaintext) nn
hu nh khng thc hin c trong thc t.
Tn cng bo lc (Bruce force attack)
- i vi bt c phng php m ha no, kiu tn cng c bn
nht l tn cng bng bo lc: th ln lt tt c cc kha c th
cho n khi tm ra kha ng. di ca kha s xc nh s lng
php th ti a cn thc hin v do th hin tnh kh thi ca
phng php. Trong trng hp ca DES, nghi ng v an ton
ca n c t ra ngay t khi n cha tr thnh tiu chun.
Ngi ta cho rng chnh NSA ng h IBM gim di kha t
128 bit xung 64 bit v tip tc xung 56 bit. (iu ny dn n suy
on rng NSA c th c h thng tnh ton mnh ph v
kha 56 bit ngay t nhng nm 1970).
Hnh 2.5. M t s ph m
37
H thng ph m DES ca Hip hi EFF c xy dng vi ngn

sch 250.000 USD (vo thi ). H thng bao gm 1536 b vi x l
thit k ring v c kh nng duyt ht mi kha DES trong vng vi
ngy. Hnh 2.5 th hin mt phn bng mch ca h thng cha mt
vi b vi x l.
Trong gii nghin cu, nhiu xut v cc h thng ph m
DES c ra. Nm 1977 Diffie v Hellman d tho mt h thng
c gi khong 20 triu USD v c kh nng ph kha DES trong 1
ngy. Nm 1993, Wiener d tho mt h thng khc c kh nng
ph m trong vng 7 gi vi gi 1 triu USD.
Nhng im yu ca DES c thc s chng minh vo cui
nhng nm 1990. Vo nm 1997, cng ty bo mt RSA ti tr
mt lot nhng cuc thi vi gii thng 10.000 USD cho i u
tin ph m c mt bn tin m ha bng DES. i chin thng
trong cuc thi ny l d n DESCHALL vi nhng ngi lnh o l
Rocke Verser, Matt Curtin v Justin Dolske. H s dng hng
nghn my tnh ni mng ph m.
Kh nng ph m DES c chng minh thm ln na vo nm
1998 khi t chc Electronic Frontier Foundation (EFF), mt t chc
hot ng cho quyn cng dn trn Internet, xy dng mt h thng
chuyn bit ph m vi gi thnh 250.000 USD. ng c thc y
EFF trong hnh ng ny l nhm chng minh DES c th b ph v
trn l thuyt cng nh trn thc t: "Nhiu ngi khng tin vo
chn l ny cho n khi h nhn thy s vic bng chnh mt mnh.
Xy dng mt b my c th ph kha DES trong vng vi ngy l
cch duy nht chng t vi mi ngi rng h khng th m bo an
ninh thng tin da vo DES."
H thng ny tm c kha DES bng phng php bo lc
trong thi gian hn 2 ngy; trong khi vo khong thi gian , mt
nh lnh o ca B T php Hoa K (DOJ) vn tuyn b rng DES
l khng th b ph v.
38
Cc kiu tn cng khc hiu qu hn phng php bo lc

Hin nay c 3 kiu tn cng c kh nng ph v DES (vi 16
chu trnh) vi phc tp kh thp: ph m vi sai DC (Differential
Cryptanalysis), ph m tuyn tnh LC (Linear Cryptanalysis) v ph
m Davies (Davies' attack). Tuy nhin cc dng tn cng ny cha
thc hin c trong thc t.
- Ph m vi sai, i hi dng 247 plaintexts c xem l do
Eli Biham v Adi Shamir tm ra vo cui nhng nm 1980 mc d
c IBM v NSA bit n trc ph m DES vi 16 chu
trnh (nhng cha c cng b chnh thc).
- Ph m tuyn tnh c tm ra bi Mitsuru Matsui, i hi
2 plaintexts (Matsui, 1993). Phng php ny c Matsui thc
hin v l cuc thc nghim ph m u tin c cng b. Khng c
bng chng chng t DES c kh nng chng li tn cng dng ny.
43
Mt phng php tng qut hn, ph m tuyn tnh a chiu

(multiple linear cryptanalysis), c Kaliski v Robshaw nu ra vo
nm 1994, sau Biryukov v cng s tip tc ci tin vo nm
2004. Nghin cu ca h cho thy m phng tuyn tnh a chiu c
th s dng gim phc tp ca qu trnh ph m ti 4 ln (ch
cn 241 plaintexts).
- Ph m Davies: trong khi ph m vi sai v ph m tuyn tnh l
cc k thut ph m tng qut, c th p dng cho cc thut ton
khc nhau, ph m Davies l mt k thut dnh ring cho DES. Dng
tn cng ny c xut ln u bi Davies vo cui nhng nm
1980 v ci tin bi Biham v Biryukov (1997). Dng tn cng mnh
i hi 250 plaintexts, phc tp l 250 v t l thnh cng l 51%.
Ngoi ra cn c nhng kiu tn cng da trn bn thu gn ca
DES (DES vi t hn 16 chu trnh). Nhng nghin cu ny cho chng
ta bit s lng chu trnh cn c v ranh gii an ton ca h thng.
Nm 1994, Langford v Hellman xut ph m vi sai tuyn tnh
39
(differential-linear cryptanalysis) kt hp gia ph m vi sai v tuyn

tnh. Mt dng ci tin ca phng php ny c th ph v DES 9 chu
trnh vi 215,8 plaintexts v c phc tp l 229,2 (Biham et al, 2002).
Thng 6/1997 d n DESCHALL ph v c mt bn tin m
ha bng DES ln u tin trc cng chng. Thit b thm m
DEEP CRACK ca t chc Electronic Foundation ph c mt kha
ca DES trong vng 56 gi v n thng 01/1999 cng vi
distributed.net ph c mt kha ch trong vng 22 gi 15 pht.
* tng an ton, ngi s dng DES trc y chuyn sang
dng Double DES v Triple DES (2DES v TDES). 2DES thc hin 2
ln thut ton m ha DEA vi hai kha ring bit, tng di kha
t 56 ln 112 bit. Thot u ngi ta ngh rng, theo tnh ton th
tng thm 1 bit ca di kha th phc tp ca kha (s trng
hp phi duyt trong tn cng bo lc) tng gp i. V nh vy th
phc tp kha trong 2DES ln n 256 ln so vi kha trong DES!
Nhng Whitfield Diffie v Martin Hellman pht minh ra mt
phng php thm m gi l tn cng gp ti im gia (meetin
themiddle attack) lm cho phc tp ca 2DES ch tng gp i
ca DES tc l ch bng: 2.256 = 257. Triple DES cng s dng DES
ba ln cho mt plaintext vi nhng kha khc nhau lm tng
di kha ln. Hin nay Triple DES c xem l an ton mc d
tc thc hin qu chm.
2.2.3. Mt vi c im v cch gii m
Thut ton m ha theo chun DES c tnh cht b ngha l:
EK (P) = C E K (P) = C
trong x l phn b ca x theo tng bit (1 thay bng 0 v

ngc li). EK l bn m ha ca E vi kha K. P v C l plaintext
(trc khi m ha) v ciphertext (sau khi m ha). Do tnh b, ta c
th gim phc tp ca tn cng bo lc xung 2 ln (tng ng
vi 1 bit) vi iu kin l ta c th la chn plaintext.
40
Ngoi ra DES cn c 4 kha yu (weak keys). Khi s dng kha

yu th m ha (E) v gii m (D) s cho ra cng kt qu:
EK(EK(P)) = P hoc tng ng EK = DK
Bn cnh , cn c 6 cp kha na yu (semi-weak keys). M
ha vi mt kha trong cp K1, tng ng vi gii m vi kha cn
li K2:
EK1(EK2(P) = P hoc tng ng EK = DK
Tuy nhin c th d dng trnh c nhng kha ny khi thc
hin thut ton, c th bng cch th hoc chn kha ngu nhin
th kh nng chn phi kha yu l rt nh.
DES c chng minh l khng to thnh nhm. Ni mt
cch khc, tp hp {EK} (cho tt c cc kha c th) vi php hp
thnh U khng to thnh mt nhm hay nhiu nhm (pseudo-group)

(kt qu ca Campbell and Wiener, 1992).
Vn ny tng l mt cu hi m trong kh lu. Nu nh to

thnh nhm th DES c th b ph v d dng hn bi v vic p dng
DES nhiu ln (v d nh trong 2DES, Triple DES) s khng lm tng
thm an ton ca DES.
2.3. TIU CHUN M HA TIN TIN (AES)
2.3.1. S ra i ca AES
T cui thp nin 1980, u thp nin 1990, xut pht t nhng
lo ngi v an ton v tc thp khi p dng bng phn mm,
gii nghin cu xut kh nhiu thut ton m ha khi thay
th DES. Nhng v d tiu biu bao gm: RC5, Blowwfish, IDEA
(International Data Encryption Algorithm: Thut ton m ha d
liu quc t), NewDES, SAFER v FEAL. Hu ht nhng thut ton
ny c th s dng t kha 64 bit ca DES mc d chng thng
c thit k hot ng vi t kha 64 bit hay 128 bit. Bn thn
DES cng ci tin c th c s dng an ton hn.
41
Nm 2001, sau mt cuc thi quc t, NIST chn ra mt thut

ton mi l Tiu chun m ha tin tin AES (Advanced Encryption
Standard) thay th cho DES. Thut ton c trnh din di tn
l Rijndael. Nhng thut ton khc c tn trong danh sch cui cng
ca cuc thi AES gm: RC6, Serpent, MARS v Twofish. AES l thut
ton m ha khi c chnh ph Hoa K p dng lm tiu chun
m ha thay cho tiu chun DES trc . Ging nh tiu chun
DES, AES c k vng p dng trn phm vi ton th gii v
c nghin cu rt k lng. AES c chp thun lm tiu chun
lin bang bi Vin Tiu chun v Cng ngh Quc gia Hoa K (NIST)
trong mt qu trnh tiu chun ha ko di 5 nm.
Thut ton c thit k bi hai nh mt m hc ngi B:
Joan Daemen v Vincent Rijmen. Thut ton c t tn l
"Rijndael" khi tham gia cuc thi thit k AES theo cch ghp tn
ca hai ng tc gi. Thut ton c da trn bn thit k Square
c trc ca Daemen v Rijmen; cn Square li c thit k
da trn Shark. Khc vi DES s dng mng Feistel, Rijndael s
dng mng thay th-chuyn v. AES c th d dng thc hin vi tc
cao bng phn mm hoc phn cng v khng i hi nhiu b
nh. Do l mt tiu chun m ha mi, AES ang c trin khai s
dng rng ri hng lot.
2.3.2. M t thut ton
Mc d 2 tn AES v Rijndael vn thng c gi thay th cho

nhau nhng trn thc t th 2 thut ton khng hon ton ging
nhau. AES ch lm vic vi khi d liu 128 bit v kha c di
128, 192 hoc 256 bit trong khi Rijndael c th lm vic vi d liu
v kha c di bt k l bi s ca 32 bit nm trong khong t
128 ti 256 bit. Cc kha con s dng trong cc chu trnh c to
bi qu trnh to kha con Rijndael. Hu ht cc php ton trong
thut ton AES u thc hin trong mt trng hu hn. AES lm
42
vic vi tng khi d liu 44 bytes (ting Anh: state, khi trong
Rijndael c th c thm ct). Qu trnh m ha gm 4 bc:
1. AddRoundKey: mi byte ca khi c kt hp vi kha con,
cc kha con ny c to ra t qu trnh to kha con
Rijndael.
2. SubBytes: y l php th (phi tuyn) trong mi byte s
c th bng mt byte khc theo bng tra (Rijndael S-box).
3. ShiftRows: i ch, cc hng trong khi c dch vng.
4. MixColumns: qu trnh trn lm vic theo cc ct trong khi
theo mt php bin i tuyn tnh. Ti chu trnh cui th
bc MixColumns c thay th bng bc AddRoundKey.
Bc AddRoundKey. Ti bc ny, kha con c kt hp vi
cc khi. Kha con trong mi chu trnh c to ra t kha chnh
vi qu trnh to kha con Rijndael; mi kha con c di ging
nh cc khi. Qu trnh kt hp c thc hin bng cch XOR tng
bit ca kha con vi khi d liu.
Bc SubBytes. Cc byte c th thng qua bng tra S-box.
y chnh l qu trnh phi tuyn ca thut ton. Hp S-box ny c
to ra t mt php nghch o trong trng hu hn GF (28) c tnh
cht phi tuyn. chng li cc tn cng da trn cc c tnh i
s, hp S-box ny c to nn bng cch kt hp php nghch o
vi mt php bin i affine kh nghch. Hp S-box ny cng c
chn trnh cc im bt ng (fixed point).
Bc ShiftRows. Cc hng c dch vng mt s v tr nht
nh. i vi AES, hng u c gi nguyn. Mi byte ca hng th
2 c dch tri mt v tr. Tng t, cc hng th 3 v 4 c dch
2 v 3 v tr. Do vy, mi ct khi u ra ca bc ny s bao gm
cc byte 4 ct khi u vo. i vi Rijndael vi di khi
khc nhau th s v tr dch chuyn cng khc nhau.
43
Bc MixColumns. Bn byte trong tng ct c kt hp li

theo mt php bin i tuyn tnh kh nghch. Mi khi 4 byte u
vo s cho mt khi 4 byte u ra vi tnh cht l mi byte u
vo u nh hng ti c 4 byte u ra. Cng vi bc ShiftRows,
MixColumns to ra tnh cht khuch tn cho thut ton. Mi ct
c xem nh mt a thc trong trng hu hn v c nhn vi
a thc c(x) = 3x3 + x2 + x + 2 (modulo x4 + 1). V th, bc ny c
th c xem l php nhn ma trn trong trng hu hn.
Trong bc AddRoundKey, mi byte c kt hp vi mt byte

trong kha con ca chu trnh s dng php ton XOR.
Trong bc SubBytes, mi byte c thay th

bng mt byte theo bng tra, S; bij = S(aij).
Trong bc ShiftRows, cc byte trong mi hng dch vng tri.

S v tr dch chuyn ty tng hng.
44
Trong bc MixColumns, mi ct c nhn vi mt h s c nh c(x).
Hnh 2.6: S thut ton AES
2.3.3. Ti u ha
i vi cc h thng 32 bit hoc ln hn, ta c th tng tc
thc hin thut ton bng cch st nhp cc bc SubBytes,
ShiftRows, MixColumns v chuyn chng thnh dng bng. C c
thy 4 bng vi 256 mc, mi mc l 1 t 32 bit, 4 bng ny chim
4096 byte trong b nh. Khi , mi chu trnh s c bao gm 16
ln tra bng v 12 ln thc hin php XOR 32 bit cng vi 4 php
XOR trong bc AddRoundKey.
Trong trng hp kch thc cc bng vn ln so vi thit b
thc hin th ch dng mt bng v tra bng kt hp vi hon v
vng quanh.
2.3.4. an ton ca AES
Vo thi im nm 2006, dng tn cng ln AES duy nht thnh

cng l tn cng knh bn (side channel attack). Vo thng 6 nm
2003, Chnh ph Hoa K tuyn b AES c th c s dng cho
thng tin mt.
"Thit k v di kha ca thut ton AES (128, 192 v
256 bit) l an ton bo v cc thng tin c xp vo
loi TI MT (secret). Cc thng tin TUYT MT (top
secret) s phi dng kha 192 hoc 256 bit. Cc phin bn
thc hin AES nhm mc ch bo v h thng an ninh hay
thng tin quc gia phi c NSA kim tra v chng nhn
trc khi s dng."
45
iu ny nh du ln u tin cng chng c quyn tip xc vi

thut ton mt m m NSA ph chun cho thng tin TUYT MT.
Nhiu phn mm thng mi hin nay s dng mc nh kha
c di 128 bit.
Phng php thng dng nht tn cng cc dng m ha
khi l th cc kiu tn cng ln phin bn c s chu trnh thu gn.
i vi kha 128 bit, 192 bit v 256 bit, AES c tng ng 10, 12 v
14 chu trnh. Ti thi im nm 2006, nhng tn cng thnh cng
c bit n l 7 chu trnh i vi kha 128 bit, 8 chu trnh vi
kha 192 bit v 9 chu trnh vi kha 256 bit.
Mt s nh khoa hc trong lnh vc mt m lo ngi v an ninh
ca AES. H cho rng ranh gii gia s chu trnh ca thut ton v
s chu trnh b ph v qu nh. Nu cc k thut tn cng c ci
thin th AES c th b ph v. y, ph v c ngha ch bt c
phng php tn cng no nhanh hn tn cng kiu duyt ton b
(tn cng bo lc).
V th mt tn cng cn thc hin 2120 plaintexts cng c coi
l thnh cng mc d tn cng ny cha th thc hin trong thc
t. Ti thi im hin nay, nguy c ny khng thc s nguy him v
c th b qua.
Tn cng kiu duyt ton b quy m nht tng thc hin l
do distributed.net thc hin ln h thng 64 bit RC5 vo nm 2002
(Theo nh lut Moore th n tng ng vi vic tn cng vo h
thng 66 bit hin nay).
Mt vn khc na l cu trc ton hc ca AES. Khng ging
vi cc thut ton m ha khc, AES c m t ton hc kh n
gin. Tuy iu ny cha dn n mi nguy him no nhng mt s
nh nghin cu s rng s c ngi li dng c cu trc ny trong
tng lai.
46
Vo nm 2002, Nicolas Courtois v Josef Pieprzyk pht hin mt

tn cng trn l thuyt gi l tn cng XSL v ch ra im yu tim
tng ca AES. Tuy nhin, mt vi chuyn gia v mt m hc khc
cng ch ra mt s vn cha r rng trong c s ton hc ca tn
cng ny v cho rng cc tc gi c th c sai lm trong tnh ton.
Vic tn cng dng ny c thc s tr thnh hin thc hay khng
vn cn ng v cho ti nay th tn cng XSL vn ch l suy on.
2.3.5. Tn cng knh bn (Side channel attacks)
Tn cng knh bn khng tn cng trc tip vo thut ton m

ha m thay vo , tn cng ln cc h thng thc hin thut ton
c s h lm l d liu.
Thng 4 nm 2005, Daniel J. Bernstein cng b mt tn cng
ln h thng m ha AES trong OpenSSL. Mt my ch c thit
k a ra ti a thng tin v thi gian c th thu c v cuc
tn cng cn ti 200 triu plaintexts la chn. Mt s ngi cho
rng tn cng khng th thc hin c trn Internet vi khong
cch vi im mng.
Thng 10 nm 2005, Adi Shamir v 2 nh nghin cu khc c
mt bi nghin cu minh ha mt vi dng khc. Trong , mt tn
cng c th ly c kha AES vi 800 ln ghi trong 65 mili giy.
Tn cng ny yu cu k tn cng c kh nng chy chng
trnh trn chnh h thng thc hin m ha.
2.4. U/NHC IM V PHM VI S DNG CA M HA I XNG
u im ni bt ca m ha i xng l tc lp m, gii m
kh nhanh chng. Hin nay c nhiu phn mm thng mi h tr
thut ton m ha i xng hu hiu v rt ph dng.
u im th hai l tuy c nhiu nghin cu thm m thc
hin nhng vi cc thut ton c ci tin gn y nh 3-DES v
47
nht l AES th bo mt kh cao, trong thc t vic ph m cng

khng d dng.
Tuy vy nhc im ln nht ca thut ton m ha i xng l
vn chuyn giao cha kha gia cc i tc, c bit l trong mi
trng m.
Nh trong v d ni u chng v vic trao i thng ip

gia An v Bnh. Bnh nhn c thng ip m ha ca An,
mun gii m c th Bnh phi c cha kha m ca An. An khng
th chuyn giao kha m ng thi vi thng ip v nh vy th vic
m ha tr thnh v tc dng.
V vy An phi dng mt phng php no chuyn giao
kha gii m cho Bnh trc khi gi thng ip. M d dng phng
thc thng tin no trong mi trng m: gi th, E-mail, gi in
thoi v.v. th vn c nguy c c ngi th ba nm bt c kha m
v kt qu vn nh th!
So snh li vi 5 nguyn l bo mt thng tin, xt trng hp
giao dch ca 2 i tc An v Bnh. Gi s An v Bnh hon ton tin
tng vo nhau v trao cho nhau m kha i xng bng mt
phng php ng tin cy no (trao tay trc tip hoc c mt
phng php no c th thay th cho trao tay trc tip m cng c
gi tr tng ng nh th) v sau hai ngi s dng m kha
truyn cc thng ip m ha cho nhau, ta thy rng:
- S dng m i xng (trong cc iu kin ni trn) m bo
c nguyn l b mt/ring t v thng tin khng th b l.
- m bo tnh xc thc, tnh khng chi b v tnh nhn dng,
nhng iu ny ch yu c thc hin khi chuyn giao kha m
cho nhau ch khng phi trong qu trnh trao i thng ip m
ha v sau. V gi s An v Bnh trc tip trao kha m K cho nhau
v tin tng nhau l khng lm l kha m cho ngi th ba, nh
vy khi nhn c thng ip c m ha bi K, hai i tc c th
nhn dng ra thng ip chnh l do i tc ca mnh gi. Mt
48
khc nu Bnh nhn c thng ip ca An m ha bi K th An

khng th chi b rng khng phi do mnh pht hnh thng ip
(v ngoi Bnh ch c An bit kha K). Tuy nhin khi Bnh nhn
c m chi l khng nhn c th phi do tnh tin tng gia
hai i tc ch khng phi do kha K m bo.
- M ha i xng khng m bo tnh ton vn d liu. Gi s
th ca An gi cho Bnh lt vo tay Cng. Cng khng hiu g v
ni dung thng ip nhng vn c th thm bt d liu lm thay i,
sai lch ni dung thng ip ri vn gi tip cho Bnh: Bnh khng th
bit l thng ip b thay i ni dung (C th do khng bit kha
m nn d liu thm bt ca Cng c th lm cho thng ip khng
gii m c hay l v ngha nhng Bnh vn khng th chc chn l
c ngi can thip m vn ngh l chnh do An to ra nh vy!)
V nhng l do trn cc thut ton m ha i xng loi ny l
nhng phng php m ha l tng cho mt ngi s dng (single
user) vi mc ch m ha d liu ca c nhn hay t chc n l
chng xm nhp ca k xu. Khng phi ch c nhng b mt v an
ninh quc phng m ngay nhng thng tin b mt trong cng ngh,
trong thng mi v.v. u c th l mc tiu xm nhp ca nhng
gin ip cng ngh, kinh t, hoc xm nhp trc tip hoc s dng
cc bin php nh gi v ci Spyware, Trojan hay cc phn mm c.
V vy c nhn hay t chc, trc khi lu gi cc d liu thng tin
quan trng c th v nn m ha bng nhng kha m t to v gi
b mt kha cho ring mnh bit.
M i xng bc l hn ch khi thng tin mt cn c chia s
vi mt bn th hai v khi cn phi chuyn giao cha kha cho i
tc m vic chuyn giao cha kha trong mi trng m c nhiu
nguy c b l v nh vy vic m ha v sau tr thnh v ngha!
M i xng ch c th s dng cho nhiu i tc (multiple
users) vi iu kin l c th mt i mt trc tip chuyn giao
kha m trong mi trng tin cy hoc c mt bin php tin cy no
49
chuyn giao kha m mt cch an ton. Nu khng c bin

php chuyn giao kha m an ton, tng ng vi vic trao tay
trc tip th hu nh m i xng khng m bo c yu cu no
trong 5 nguyn l bo mt thng tin nu chng trc c! (Vn
ny s c xem xt nhng chng 3 v 4 sau y).
2.5. MT S PHN MM M HA I XNG
Blowfish
Blowfish l mt thut ton m ha i xng (64 bit cipher) do

Bruce Schneier thit k nm 1993. Blowfish c cc di kha t 32
n 448 bit. Ngi ta nghin cu phn tch kh k v cc thuc
tnh ca Blowfish v n cng c nh gi l mt thut ton m
ha mnh.
CAST
CAST c t theo tn vit tt ca cc nh pht minh ra n l

Carlisle Adams v Stafford Tavares. CAST l mt thut ton m ha
rt ph bin, m ha khi cipher 64 bit v cho php di kha ln
n 128 bit.
IDEA
Thut ton m ha d liu quc t IDEA (International Data

Encryption Algorithm) l mt thut ton m ha i xng do TS. X. Lai
v GS. J. Massey xy dng nhm thay th thut ton DES chun. IDEA
cng s dng kha c di l 128 bit. Kch thc ln ca kha lm
cho IDEA rt kh b ph v bng tn cng bo lc do thi gian duyt tt
c cc kh nng c th c ca kha l qu ln.
RC2
RC2 l mt thut ton m ha c kch thc kha thay i.

Ron Rivest thit k RC2 cho Cng ty An ton D liu RSA nhng
mi chi tit vn gi b mt, cha c cng b.
50
RC4
RC4 cng l mt thut ton do Ron Rivest pht trin nm 1987.

y l mt thut ton m ha dng vi kha c kch thc thay i.
Kch thc kha ca RC4 c th t ti 2048 bit (thng thng l
256 bit)
RC6
RC6 l thut ton m ha khi i xng do Ron Rivest, Matt

Robshaw, Ray Sidney, v Yiqun Lisa Yin thit k nhm p ng yu
cu ca cuc thi AES (Advanced Encryption Standard). Thut ton
RC6 l phn mm lt vo chung kt ca cuc thi v c chn l
phn mm m ha tin tin tiu chun (AES).
Serpent
Serpent l thut ton m ha khi i xng do Ross Anderson,

Eli Biham and Lars Knudsen pht trin. Serpent c th lm vic vi
nhiu t hp kha c di khc nhau. Serpent cng l mt trong 5
phn mm lt vo chung kt cuc thi AES.
Twofish
Twofish l mt thut ton m ha i xng khi, c kch thc

khi l 128 v chp nhn cc kha c mi di cho n 256 bit.
Twofish do Bruce Schneier, John Kelsey, Chris Hall, Niels Ferguson,
David Wagner and Doug Whiting thit k. Vin quc gia v tiu
chun v cng ngh NIST (The National Institute of Standards and
Technology) chp nhn u t Twofish tr thnh mt trong cc
d n thay th cho thut ton m ha DES trc y.
Chng 3: Qun l v phn phi kha
51
3
QUN L V PHN PHI KHA
Nh thy chng 2, nhc im ln nht ca m ha i
xng l vn chuyn giao, trao i kha m gia cc i tc trong
mi trng khng tin cy. R rng l mt ngi dng c th s dng
m ha i xng bo v rt tt thng tin ca chnh mnh chng
s xm nhp ca k khc nhng nu mun s dng c m ha i
xng trong bo mt thng tin giao dch gia nhiu i tc th nht
thit phi xc lp nhng phng thc chuyn giao kha m an ton.
3.1. TRUNG TM PHN PHI KHA (KDC)
3.1.1. Khi nim KDC
Trong mt m hc, Trung tm phn phi kha (KDC: Key
Distribution Center) l mt phn ca mt h thng mt m c mc
ch gim thiu nhng him ha khi trao i kha m gia cc i
tc. KDC thng c t chc thnh h thng, trong mt s
ngi dng c th c php s dng mt vi dch v ch trong mt
khong thi gian no .
Chng hn, mt ngi qun tr mng my tnh thit lp mt quy
nh ch cho php mt s ngi dng c s dng chc nng phc
hi d liu t mt s vn bn (c th v s rng nu s dng ty
52
tin th c nhng k xu s thm nhp c nhng thng tin ni b

cn bo mt). Nhiu h iu hnh c th kim tra vic tip cn chc
nng phc hi d liu vn bn thng qua mt dch v h thng.
Nu dch v h thng c t chc theo c ch l ch cp quyn
truy cp chc nng cho nhng ngi dng no c mt th chng
nhn quyn truy cp th vn quy li ch l vic t chc cp th
cho nhng i tng m h thng cng nhn l thch hp. Trong
trng hp th chng nhn l mt kha m hoc bao gm mt
kha m th ta c th xem c ch nh l mt KDC.
3.1.2. M t hot ng
Hot ng in hnh ca cc KDC gm trc ht l vic tip
nhn mt yu cu ca ngi dng i vi mt dch v no y. KDC
dng k thut m ha nhn tnh xc thc ca dng ngi dng,
tip kim tra xem ngi dng c thuc danh sch ngi c
quyn s dng dch v m h yu cu khng. Nu xc thc v kim
tra ng th KDC c th cp th chng nhn truy cp.
KDC thng hot ng vi cc m kha i xng.
Trong phn ln cc trng hp KDC chia s mt kha m vi
mi i tc. KDC to mt th chng nhn da trn mt kha m ha
my ch (server key). Ngi dng nhn kha m v xut trnh
cho my ch tng ng kim tra, nu ph hp th s cp quyn truy
cp s dng dch v.
3.2. TRAO I KHA DIFFIE (D-H)
3.2.1. Khi nim (D-H)
Trao i kha DH (DiffieHellman) l phng thc s dng mt
s c bit dng trao i kha m gia cc i tc mt cch an
ton. Phng thc DiffieHellman cho php hai i tc khng bit g
vi nhau t trc c th tha thun vi nhau s dng chung mt
53
kha m b mt thng qua mt mi trng giao dch khng an ton.

Kha b mt (thng l mt kha i xng c tc lp m, gii
m nhanh chng) v sau s c hai hoc nhiu i tc s dng cho
nhng thng ip giao dch ni b ca mnh.
S trao i kha ny c Whitfield Diffie v Martin Hellman
cng b ln u tin vo nm 1976 trong mt cng trnh hp tc
nghin cu v phng thc chia s b mt qua mt knh truyn
thng khng tin cy. n nm 2002, Hellman ngh gi tn thut
ton l trao i kha Diffie-Hellman-Merkle ghi nhn ng gp
ca Ralph Merkle. Tip , John Gill ngh ng dng thm cc bi
ton logarit ri rc, tng ny c Malcolm Williamson nghin
cu trc t lu nhng mi n 1997 mi cng b cng khai.
3.2.2. M t
Diffie-Hellman thit lp mt s trao i b mt ring t c
th s dng cho vic truyn cc thng tin b mt bng cch trao i
d liu qua mt mng truyn thng cng cng.
Sau y l s minh ha (hnh 3.1).
Hnh 3.1: Trao i kha Diffie-Hellman

tng n gin v c o ca th tc ny l vic ng dng
mt nhm nhn s t nhin modulo p, trong p l mt s nguyn
t cn g l nguyn t gc mod p. Xem v d sau y:
54

An
B mt
a
a
a
a, s
Bnh
Cng khai
Tnh ton
g mod p = A
Cng khai
B mod p = s
B mt
b
A
B
p, g, A
p, g, A, B
Tnh ton
p, g
p, g
p, g, A
Gi
p, g
p, g, A, B
p, g, A, B
b, s
g mod p = B
A mod p = s
1. An v Bnh thng nht dng s nguyn t p=23 v c s g = 5.

2. An chn mt s nguyn b mt a = 6, ri gi cho Bnh s
A = ga mod p (cng khai)
A = 56 mod 23
A = 15.625 mod 23
A=8
3. Bnh chn mt s nguyn b mt b = 15, ri gi cho An s
B = gb mod p
B = 515 mod 23
B = 30.517.578.125 mod 23
B = 19
4. An tnh ton: s = B a mod p
s = 196 mod 23
s = 47.045.881 mod 23
s=2
5. Bnh tnh ton s = A b mod p
s = 815 mod 23
s = 35.184.372.088.832 mod 23
s=2
55
6. An v Bnh chia s nhau con s b mt: s = 2. S d nh vy l

v 6*15 cng nh l 15*6. Khi nu bt k ngi no bit
c c hai s nguyn ring ca c An v Bnh th cng u
c th tnh c s nh sau:
s = 56*15 mod 23
s = 515*6 mod 23
s = 590 mod 23
s = 807.793.566.946.316.088.741.610.050.849.573.099.
185. 363.389.551.639.556.884.765.625 mod 23
s=2
C An v Bnh cng tm ra mt kt qu do bi (ga)b v (gb)a l
bng nhau theo mod p. Ch l ch cn gi b mt a, b v gab = gba
mod p. Mi gi tr khc nh p, g, ga mod p, v gb mod p u c th
gi i cng khai. Mt khi An v Bnh tnh ra c con s nguyn
b mt m h chia s th h c th s dng n nh l mt kha lp
m m ch c hai ngi h bit trao i thng ip cho nhau
thng qua chnh knh thng tin m . Tt nhin nu mun m
bo b mt hn th cn phi chn cc s a, b, v p kh ln v nh ta
thy, c th d dng duyt ht mi gi tr c th c ca gab mod 23 v
rng ch c 23 s nguyn c kh nng l s d trong php chia cho
23 (mod 23). Nu p l mt s nguyn t vi t nht khong 300 con
s cn a v b c di t nht 100 con s th mi thut ton hiu
nghim nht hin nay c bit n cng u khng c kh nng
tm ra s a nu ch bit cc s g, p, gb mod p v ga mod p, cho d tn
dng mi nng lc tnh ton ca con ngi. Bi ton ny c bit
n di tn gi l bi ton logarit ri rc. Cng nn ch thm l g
khng cn phi chn s ln, trong thc hnh ngi ta thng ch
cn ly g bng 2 hoc 5 l c.
Sau y ta xem xt mt cch m t tng qut hn ca thut ton
An v Bnh thng nht vi nhau mt nhm cyclic hu hn G v
mt phn t sinh g thuc G. (Trong sut ton b thut ton v sau ta
56
u gi thit nh vy v gi s nhng k tn cng u bit c g).

Ta s vit nhm G di dng nhm nhn.
1. Bnh ly mt s t nhin bt k b v gi gb cho An.
2. An tnh (gb)a.
3. Bnh tnh (ga)b.
By gi c Bnh v An u c phn t gab ca nhm, phn t c
th s dng nh l kha trao i gia hai ngi. Cc gi tr (gb)a = (ga)b
v nhm c tnh kt hp i vi php nhn.
S tm tt: (Gi s tn ti Cng l mt k c ln thng tin giao
dch gia An v Bnh)
Gi s = kha b mt c chia s. s = 2
g = c s cng khai. g = 5
p = s nguyn t cng khai. p = 23
a = kha b mt ca An. a = 6
A = kha cng khai ca An. A = ga mod p = 8
b = kha b mt ca Bnh. b = 15
B = kha cng khai ca Bnh. B = gb mod p = 19
An
Bit
p = 23
Bnh
Khng
bit
b=?
Bit
p = 23
C s g = 5
C s g = 5
a=6
b = 15
6
A = 5 mod 23 = 8
b
B = 5 mod 23 = 19
6
s = 19 mod 23 = 2
b
s = 8 mod 23 = 2
6
Cng
Khng
bit
a=?
Bit
p = 23
a=?
C s g = 5
b=?
s=?
15
A = 5 mod 23 = 8
B = 5 mod 23 = 19
15
s = 19 mod 23
B = 5 mod 23 = 19
A = 5 mod 23 = 8
s = 8 mod 23 = 2
a
s = 19 mod 23 = 2
15
s = 19 mod 23
b
= 8 mod 23
s = 8 mod 23
a
= 19 mod 23
s=2
s=2
Khng
bit
a
b
s = 8 mod 23
a
s = 19 mod 23
b
= 8 mod 23
57
3.2.3. Tnh bo mt
An rt kh c th tnh ton tm ra kha ring ca Bnh cng
nh Bnh kh tm ra kha ring ca An. Nu iu d dng th k
ng gia Cng c th tn cng bng cch gi cc kha ca mnh
gi mo thay th v c th nm bt c mi thng tin trao i gia
An v Bnh ng thi c th gi nhng thng ip gi mo.
Sau y l lp lun ca Diffie-Hellman chng t iu (Ch
s dng hai s b tin cho thc hnh).
Giao thc c xem l b mt i vi nhng k c ln nu nh
G v g c chn ng n. K c ln phi gii bi ton
Diffie-Hellman phn tch c gab, iu ny hin nay c xem l
rt kh. Mt thut ton gii c bi ton logarit ri rc s cho
php ta tnh c a hoc b v t gii c bi ton Diffie-Hellman
do lm cho thut ton m ha ny cng nh nhiu h thng m
ha kha cng khai khc tr thnh khng an ton na. Cp ca
nhm G phi l mt s nguyn t hoc phi c mt c s nguyn t
ln khng dng c thut ton Pohlig-Hellman khi tm a hoc b.
V l do i khi ngi ta dng mt s nguyn t Sophie Germain
q tnh p=2q+1, c gi l s nguyn t an ton v rng cp ca
G khi ch chia ht cho 2 v q. Lc y nhiu khi ta thng chn
chnh l g thay cho G tng qut ha nhm con cp q ca G, sao
cho k hiu Legendre ca ga nhng khng bao gi l ra bit cp
thp hn ca a.
Nu An v Bnh dng nhng s sinh ngu nhin c cc s h qu
khng hon ton ngu nhin m c th d on mt mc no
th cng vic ca k nghe ln Cng s d dng hn nhiu. Cc s
nguyn b mt a v b u loi b khi kt thc phin giao dch. V vy
trao i kha Diffie-Hellman c th hng ti kh nng bo mt
ton vn v khng c kha b mt no c tn ti s dng lu cho
nn kh nng b l kha l rt thp.
58
Trong m t u tin, bn thn s trao i ca Difie-Hellman

khng cung cp vic xc thc nhau ca hai i tc, do c kh
nng b s tn cng ca ngi ng gia. Mt k nghe ln nh Cng
c th to ra hai s trao i Diffie-Hellman, lc trao i vi An th
mo danh Bnh v ngc li lc trao i vi Bnh th mo danh An,
do vy c th tn cng nm bt c b mt trao i ca c hai
ngi. V vy ta thy nht thit cn phi c bin php xc thc i
tc khi s dng s trao i kha Diffie-Hellman.
3.2.4. Tha thun kha nhn dng mt khu
Khi An v Bnh chia s mt mt khu, h phi dng mt dng
tha thun kha xc thc mt khu PAKE (Password-authenticated
key agreement) ca Diffie-Hellman phng nga tn cng ca k
ng gia. Mt s n gin l dng phn t sinh g lm mt khu.
Mt c im ca cc s ny l mt k tn cng ch c th th
mt mt khu duy nht cho mt ln trao i vi i tc, do h
thng c th m bo an ton cao i vi c nhng mt khu yu. S
ny c m t trong bn Khuyn co X.1035 ca ITU-T, s dng
cho chun kt ni mng gia nh.
3.3. KERBEROS
Kerberos l mt h thng giao thc xc thc an ton trn mng
my tnh trc tin c pht trin ti Vin Cng ngh
Massachusett MIT (Massachusett Institute of Technology) v sau
c dng rng ri M. Kerberos cho php cc nt mng chng
minh cn cc (identity) ca mnh vi cc i tc, thng qua mt
mi trng giao dch khng tin cy. Thot u Kerberos c thit
k theo s xc thc client-server (gia my khch - my ch) v
sau cung cp dch v xc thc ln nhau (mutual authentication),
Kerberos c mc nh s dng cng 88.
59
Kerberos dng m kha i xng. Cc kha i xng ny c

my ch Kerberos trao cho tng ngi s dng ng nhp h
thng. Mi ngi s dng c php to mt mt khu xc thc gi
cho my ch Kerberos c nhn v dng kha m. thc hin
c, h thng Kerberos i hi cu hnh mng rt phc tp v kh
qun l: my ch ca mi website ng k s dng u phi c my
ch ring c ci t Kerberos v my ch ca h thng (bn th
ba) s phn phi kha m cho mi website ng thi lu gi chng
li kim tra v i chng khi cn thit.
3.3.1. Vi nt lch s
MIT pht trin Kerberos nhm bo v cc dch v mng cung
cp bi d n c tn l Athena. Do vy giao thc c t mt tn
gi theo thn thoi Hy Lp l Kerberos (hay Cerberus), tn ca con
ch ngao 3 u trn gi cung in ca Dim vng Hades.
Hnh 3.2: Dim vng Hades v con ch ngao 3 u Cerberus

Cc phin bn 1 - 3 ch c lu hnh trong ni b MIT. Steve
Miller v Clifford Neuman cng b phin bn 4 vo cui nhng nm
60
1980. Phin bn 5 do John Kohn v C. Neuman thit k, c cng

b nm 1993 ly tn l RFC 1510 (sau nng cp thnh RFC 4120
nm 2005) vi khc phc nhng hn ch v bo mt ca phin
bn 4.
Nm 2007 MIT thnh lp cng ty Kerberos nhm pht trin
thm cng c bo mt ny vi s bo tr ca cc cng ty thng mi
hng u trong CNTT nh Sun Microsystems. Apple Inc., Google,
Microsoft v mt s trng i hc nh Vin Cng ngh Hong gia
KTH (KTH-Royal Institute of Technology) v i hc Stanford.
Thot u chnh ph Hoa K cm xut khu Kerberos v n s
dng thut ton m ha DES vi kha 56 bit nn c xp vo danh
sch cng ngh h tr quc phng. Ti Vin Cng ngh Hong gia
KTH, Thy in, da trn mt phin bn n gin eBones do MIT
c php xut khu pht trin mt phin bn Kerberos bn
ngoi Hoa K t trc khi Hoa K thay i quy nh v xut khu mt
m nm 2000.
Windows 2000 v cc h iu hnh Windows tip sau u s
dng Kerberos lm phng thc xc thc mc nh. Mt s phn b
sung ca Microsoft vo h giao thc Kerberos suite c cung cp
trong phin bn RFC 3244 (t v thay i mt khu) "Microsoft
Windows 2000 Kerberos Change Password and Set Password
Protocols". RFC 4757 ca Microsoft s dng thut ton m ha RC4
cipher. Tuy nhin Microsoft ch s dng giao thc Kerberos m
khng s dng phn mm c pht trin ca MIT.
Nhiu h iu hnh UNIX v ta UNIX bao gm FreeBSD, Mac
OS X ca hng Apple, Red Hat Enterprise Linux 4, Sun's Solaris, AIX
ca IBM, OpenVMS ca HP v nhiu h iu hnh khc cng tch
hp phn mm xc thc Kerberos cho ngi dng hay cho cc dch
v ca h. T nm 2005, nhm cng tc IETF Kerberos lin tc cp
61
nht nhng kt qu mi ca h. Nhng kt qu c cp nht gn

y l:
- Encryption and Checksum Specifications" (RFC 3961).
- Advanced Encryption Standard (AES) Encryption for
Kerberos 5 (RFC 3962).
- "The Kerberos Network Authentication Service (V5)"
( RFC 4120)
- "The Kerberos Version 5 Generic Security Service
Application Program Interface (GSS-API) Mechanism:
Version 2." (RFC 4121).
- Mi nht gn y ngy 22 - 12 - 2010 - krb5-1.9 c cng b
3.3.2. C s l thuyt
C s l thuyt ca Kerberos l giao thc i xng NeedhamSchroeder. Giao thc ny s dng mt bn th ba c tn nhim,
chnh l mt trung tm phn phi kha KDC (Key Distribution Center)
gm hai thnh phn tch bit nhau v mt logic: Mt my ch xc
thc AS (Authentication Server), v mt my ch cp tch-k TGS
(Ticket Granting Server). Kerberos hot ng da trn cc tch-k
c s dng xc thc cn cc ca ngi dng.
KDC lu gi mt c s d liu kha b mt, mi thnh vin trn
mng (tc l mi my ch hay ngi dng bt k) c chia s mt
kha m ch c thnh vin v KDC cng bit m thi: kha b mt
cng dng chng minh cn cc ca thnh vin. Khi hai thnh
vin cn giao tip, KDC s sinh ra mt kha phin nhm bo m
tng tc gia hai thnh vin . Tnh an ton ca giao thc ph
thuc rt nhiu n vic cc thnh vin m bo giao dch ng b
trong mt thi gian ngn thng gi l tch-k Kerberos.
62
3.3.3. M t minh ha
u phin giao dch, thnh vin An c xc thc ti my ch
xc thc (AS) v nhn c mt th tch-k c nh du thi gian.
Tip An lin lc vi my ch cp tch-k (TGS) dng th tch-k
chng minh cn cc ca mnh v yu cu cung cp dch v. Nu
thm nh ng l An c quyn s dng dch v yu cu th TGS
li gi thm mt tch-k khc cho An. By gi An tip xc vi my
ch cung cp dch v, xut trnh tch-k mi chng minh rng
mnh c cho php s dng dch v yu cu.
AS = My ch xc thc;
SS = My ch cung cp dch v;
TGS = My ch cp pht tch-k;
TGT = Tch-k cp tch-k.
Hnh 3.3: S giao dch thng lng Kerberos
63
Thnh vin c xc thc t AS khi s dng mt mt khu (b

mt chia s di hn) v nhn c mt TGT t AS. Tip khi thnh
vin mun tip xc vi SS no th ngi phi dng tch-k
ngh TGS cp thm cho mnh mt TGT b sung giao dch vi
SS m khng l mt khu b mt chia s gia mnh vi AS. SS cn
c vo TGT b sung xc thc khch hng cung cp dch v.
Cc bc chi tit c m t nh sau y:
ng nhp pha khch:
1. Khch dng mt tn s dng v mt mt khu (username &
password) trn my khch.
2. Khch thc hin mt hm mt chiu (thng l mt hm bm)
i vi mt khu: y l kha b mt ca khch /thnh vin.
Nhn dng khch:
1. Khch gi mt thng ip r v ID ca ngi s dng cho AS
yu cu dch v (Ch : Khng gi kha b mt v mt
khu cho AS). AS sinh mt kha b mt bng cch dng hm
bm i vi mt khu ca ngi dng lu c s d liu
ca mnh (Active Directory trong my ch Windows)
2. AS kim tra xem ngi khch c trong c s d liu cha.
Nu c, AS gi li 2 thng ip cho khch:
+ Thng ip A: Kha phin TGS cho khch c m ha bi
kha b mt ca khch - ngi dng.
+ Thng ip B: Tch-k nhn tch-k (ticket-to Get-Ticket)
(bao gm cn cc - ID ca khch, a ch mng ca khch v
thi hn c hiu lc ca tch-k), c m ha bng kha b
mt ca TGS.
64
3. Khi ngi khch nhn c 2 thng ip A v B, phi gii m

thng ip A bng kha b mt sinh t mt khu m khch
nhp. Nu mt khu khch nhp khng ng vi mt khu
lu trong c s d liu ca AS th kha b mt s khc i, do
khng gii m c thng ip. Nu ng, khch gii m
c thng ip A v nhn c kha phin TGS cho khch.
Kha phin ny s c dng cho vic lin lc v sau vi TGS
(Ch : Khch khng th gii m thng ip B v thng ip
ny m ha bng kha b mt ca TGS). n lc , ngi
khch c thng tin c xc thc bi TGS.
Dch v cp php:
1. Khi yu cu dch v, khch gi 2 thng ip sau y n TGS: C
- Thng ip C: Gm TGT nhn c trong thng ip B v ID
ca dch v mnh yu cu.
- Thng ip D: Thng ip xc thc (Authenticator) (gm ID
ca khch v du xc nhn thi hn hiu lc), m ha bng
kha phin TGS cho khch.
2. Khi TGS nhn c 2 thng ip C v D, s tch thng ip B
t trong C ra v dng kha b mt ca TGS gii m v thu
c kha phin TGS cho khch. Dng kha phin TGS
gii m thng ip xc thc D v gi cho khch 2 thng ip
sau y:
- Thng ip E: Tch-k my khch sang my ch gm ID ca
khch, a ch mng ca khch, thi hn hiu lc v kha phin
My khch/My ch) u c m ha bi kha b mt ca
my ch cung cp dch v kha.
- Thng ip F: Kha phin my khch/my ch (client/server)
c m ha bi kha phin TGS cho my khch.
65
Yu cu dch v ca khch hng:

1. Khi nhn c thng ip E v F t TGS, khch hng c
thng tin c xc thc ti SS. Khch kt ni vi SS
gi 2 thng ip sau:
- Thng ip E ca bc trc y (tch-k my khch n my
ch, m ha bng kha b mt ca SS)
- Thng ip G, mt thng ip xc thc khc, gm ID ca
khch v thi hn hiu lc c m ha bng kha phin my
khch/my ch.
2. SS gii m tch-k nhn c bng kha b mt ca bn thn
nhn c kha phin my khch/my ch. S dng kha
phin , SS gii m thng ip xc thc v gi li thng ip
H (cng dng kha phin my khch/my ch m ha),
nhm khng nh l SS xc thc c khch v sn sng
phc v (thi hn hiu lc c cng thm 1).
3. Khch gii m H bng kha phin my khch/my ch v
kim tra xem thi hn hiu lc cp nht ng cha. Nu
ng ri th c th bt u thc hin dch v mnh yu cu.
4. SS cung cp dch v c yu cu cho khch (thanh ton,
chuyn khon, giao dch khc,v.v.)
3.3.5. Mt s nhc im
Kerberos c mt s nhc im chnh sau y:
- H thng yu cu phi c mt my ch trung tm hot ng
lin tc, nu my ch Kerberos b ngng th ton h thng
khng cn truy cp c. Mun trnh c iu ny ta c th
s dng ng thi nhiu my ch ng dng.
66
- Giao thc Kerberos yu cu thi gian ng b rt chnh xc v

cc tch-k dng trong vic xc thc c mt thi hn hiu lc
rt ngn. Nu ng h ca cc thnh vin tham gia mng c
sai lch ng k vi ng h ca my ch Kerberos th vic
xc thc khng thc hin c do dch v cng khng th
hot ng.
- Giao thc qun tr khng c tiu chun ha gia cc cu
trc mng s dng khc nhau.
- Do mi vic xc thc u tp trung vo mt KDC trung tm
nn nu thit b trung tm b xm nhp th tt c cc thnh
vin s dng u chu nh hng.
Chng 4: M ha kha cng khai
67
4
M HA KHA CNG KHAI
Nh ni chng 2, cc thut ton m ha kha i xng c
mt nhc im cn bn l hai ngi mun trao i thng tin b
mt cn phi trao i kha b mt trc . Kha b mt ny cn
phi c trao i theo mt cch thc an ton, khng phi bng cc
phng thc thng dng lin lc trong mi trng m v d b
l. iu ny kh thc hin v ni chung l khng th m bo b
mt, nht l trong trng hp mun trao i thng tin vi nhiu i
tc th thc t l khng thc hin c.
V vy m ha kha cng khai (hay kha bt i xng) c a
ra nh l mt gii php thay th. Thc ra m bt i xng khng
thay th hon ton m i xng m ngi ta s dng ng thi c
hai loi b sung, h tr cho nhau.
4.1. VI NT LCH S
Nm 1874, William Stanley Jevons xut bn mt cun sch m
t mi quan h gia cc hm mt chiu (one way function) vi mt
m hc, ng thi i su vo bi ton phn tch ra tha s nguyn t
(s dng trong thut ton RSA). Thng 7 nm 1996, mt nh nghin
cu bnh lun v cun sch trn nh sau:
68
Trong cun The Principles of Science: A Treatise on Logic and

Scientific Method c xut bn nm 1890, William S. Jevons
pht hin nhiu php ton rt d thc hin theo mt chiu
nhng rt kh theo chiu ngc li, iu chng t nhiu
thut ton m ha thc hin rt d dng trong khi gii m th
rt kh khn. Chng hn tc gi nu ra bi ton: ta c th
nhn tm tch s ca cc s nguyn t nhng ngc li,
mun phn tch mt s t nhin kh ln ra cc tha s nguyn
t th l iu khng d dng (thut ton Euclide).
y chnh l nguyn tc c bn ca thut ton mt m ha
kha cng khai RSA (tuy rng tc gi khng phi l ngi
pht minh ra mt m ha kha cng khai)
Thut ton mt m ha kha cng khai c thit k ln u
tin bi James H. Ellis, Clifford Cocks, v Malcolm Williamson ti
Anh vo u thp k 70 ca th k trc. Thut ton sau ny c
pht trin v bit n di tn thut ton Diffie-Hellman, v l mt
trng hp c bit ca RSA. Tuy nhin nhng thng tin ny ch
c tit l ra vo nm 1997.
Nm 1976, Whitfield Diffie v Martin Hellman cng b mt h
thng mt m ha kha bt i xng trong nu ra phng php
trao i kha cng khai. Cng trnh ny chu s nh hng t cc
cng b trc ca Ralph Merkle v phn phi kha cng khai.
Trao i kha Diffie-Hellman l phng php u tin c th p
dng trong thc t phn phi kha b mt trong mi trng m,
thng qua cc knh thng tin khng an ton. K thut tha thun
kha ca Merkle c tn l h thng cu Merkle.
Thut ton m ha kha cng khai c c s hon chnh u tin
cng c Ron Rivest, Adi Shamir v Leonard Adleman khi xng
vo nm 1977 ti Hc vin K thut Massachusett MIT (Massachusett
69
Institute of Technology). Cng trnh ny c cng b vo nm 1978

v thut ton c t tn l thut ton RSA - theo 3 ch ci u
ca cc ng tc gi. RSA s dng php ton ly tha theo modulo
(vi modulo c tnh bng tch s ca 2 s nguyn t ln) m
ha v gii m cng nh to ch k s. an ton ca thut ton
c m bo v khng tn ti k thut hiu qu phn tch mt s
rt ln thnh tha s nguyn t.
K t thp k 1970, c rt nhiu thut ton m ha, to ch
k s, tha thun kha... c pht trin. Cc thut ton nh
ElGamal do Netscape pht trin hay thut ton m ha i xng
DSA do NSA v NIST ch tr cng da trn cc bi ton lgarit ri
rc tng t nh RSA. Vo gia thp k 1980, Neal Koblitz bt u
cho mt dng thut ton mi: mt m ng cong elliptic v cng
to ra nhiu thut ton m bt i xng. Mc d c s ton hc ca
dng thut ton ny phc tp hn nhng li gip lm gim khi
lng tnh ton c bit khi kha c di ln.
4.2. M HA KHA CNG KHAI
M ha kha cng khai l mt dng m ha cho php ngi s
dng trao i cc thng tin mt m khng cn phi trao i cc kha
b mt trc . iu ny c thc hin bng cch s dng mt cp
kha c quan h ton hc vi nhau l kha cng khai (Public key)
v kha ring (Private key) hay kha b mt (secret key).
4.2.1. Khi nim chung
Thut ng m ha bt i xng thng c dng ng ngha
vi m ha kha cng khai mc d hai khi nim khng hon ton
tng ng. C nhng thut ton m bt i xng khng c tnh
cht kha cng khai v b mt nh cp trn m c hai kha
(cho vic m ha v gii m) u cn phi gi b mt.
70
Trong mt m kha cng khai, kha ring cn phi c gi b

mt trong khi kha cng khai c ph bin cng khai. Trong 2
kha, mt dng m ha v kha cn li dng gii m.
iu quan trng i vi h thng l khng th (hoc rt kh)
tm ra kha b mt nu ch bit kha cng khai.
H thng mt m ha kha cng khai c th s dng vi cc
mc ch:
- M ha: gi b mt thng tin v ch c ngi c kha b mt
mi gii m c.
- To ch k s: cho php kim tra mt vn bn xem n c phi
c to vi mt kha b mt no hay khng.
- Tha thun kha: cho php thit lp kha trao i thng tin
mt gia hai bn.
Thng thng, cc k thut mt m ha kha cng khai i hi
khi lng tnh ton nhiu hn cc k thut m ha kha i xng
nhng do nhng u im ni bt nn chng c s dng nhiu.
Thut ton m ha bt i xng s dng hai kha: kha cng
khai (hay kha cng cng) v kha b mt (hay kha ring). Mi
kha l nhng s c nh s dng trong qu trnh m ha v gii m.
Kha cng khai c cng b rng ri cho mi ngi v c dng
m ha. Nhng thng tin c m ha bng kha cng khai ch
c th c gii m bng kha b mt tng ng. Ni cch khc, mi
ngi bit kha cng khai u c th m ha nhng ch c ngi
bit kha ring (b mt) mi c th gii m c.
Ta c th m phng trc quan mt h m ha kha cng khai
nh sau: Bnh mun gi cho An mt thng tin mt m Bnh mun
cho ch duy nht An c th c c. lm c iu ny, An gi
cho Bnh mt chic hp kn c kha m sn v gi li cha
kha. Bnh nhn chic hp, cho vo mt l th vit bnh thng
71
v bm kha li (loi kha thng thng ch bm l kha, sau khi

sp cht l kha li ngay c Bnh cng khng th m li c, khng
c li hay sa thng tin trong th c na). Sau Bnh gi chic
hp cho An qua bu in thng thng hoc nh ngi no mang
h. Nhn vin bu in hay ngi mang h d mun cng khng th
m hp xem th. Ch khi chic hp n tay An, An c cha kha
ring mi m c hp v c c thng tin trong th. Trong v d
ny, chic hp vi kha m An gi cho Bnh ng vai tr kha cng
khai, chic cha kha ring ca An chnh l kha b mt.
4.2.2. S to v chuyn giao kha cng khai
Cc h thng m ha kha cng khai thng thng c thc
hin vi 3 bc c bn. Bc th nht l cng on sinh kha, mt
cp kha public key v private key c quan h v ton hc c to
ra da vo cc bi ton ca lt mt chiu. Bc hai l bc m ha
s dng kha cng khai (public key), kha ny c th c chuyn
giao trn mi trng m. Qu trnh gii m l bc cui cng s
dng kha ring b mt (private key).
Cc bc thc hin nh sau:
- A chn mt s ngu nhin ln sinh cp kha, kha cng
khai E v kha b mt ring D.
- A gi E-kha cng khai (public key) cho B, gi D-kha ring
(private key) cho mnh.
- Dng kha cng khai m ha, nhng dng kha b mt
gii m.
- B nhn c kha cng khai E. B c thng ip gc P, dng E
m ha E(P) = C, C l thng ip m ha gi cho A.
- A nhn c C, dng D gii m D(C) = P: c li thng
ip gc.
72
Hnh 4.1: Chuyn giao kha cng khai

+ Ch ring c A (c D) mi gii m c
+ Ai c E u m ha c
+ D dng gii E, nhng nu ch bit E th hu nh chc chn
l khng th tm c D.
4.2.3. Phong b s dng n gin
M i xng c nhiu u im nht l tc lp m v gii m
nhanh chng. Th nhng n li c nhc im cn bn l s khng
an ton khi chuyn giao kha trong mi trng khng tin cy. Ngc
li, m bt i xng m bo c an ton trong vic chuyn giao
kha m nhng li c nhc im l tc lp m, gii m rt chm.
Phong b s (Digital envelope) l mt bin php kt hp ca hai
loi m i xng v bt i xng chuyn giao thng ip an ton
v tin cy. Trong trng hp giao dch 2 i tc c th dng s
trao i kha cng khai ni trn lm mt phong b s chuyn giao
kha m i xng cho i tc ca mnh trong mi trng giao dch
khng tin cy (chng hn trong iu kin khng th c mt i
mt) nh l dng sau y.
S chuyn giao kha b mt bng phong b s dng n gin:
Bc 1: To phong b s
- A to kha cng khai E1 gi cho B, gi kha ring D1
73
- B to kha ring D2 (ca B) gi cho mnh, to kha cng khai

E2 (ca B), dng E1 (nhn t A) m ha: E1(E2) = E2 gi E2
cho A.
- Ch c A s hu kha ring D1 nn gii m c: E1(E2) = E2. T
ch c A v B cng s hu kha cng khai E2 (do B to)
Bc 2: Chuyn giao kha i xng
- A to kha i xng K dng E2 m ha: E2(K) = K gi cho B
- B dng D2 gii m: D2(K) = K
- Ch c A v B cng bit kha K, t giao dch bng kha i
xng K.
tng tnh an ton, A hoc B thng xuyn c th thay i
kha i xng v dng phong b s to chuyn giao cc kha
i xng mi cho nhau.
Tuy nhin cn ch rng phong b s n gin loi ny nu s
dng lu th c nhiu nguy c b tn cng ca ngi ng gia
(man-in-the-middle attack) cho nn thng thng khi trao i
xong mt phong b s n gin hai i tc phi tin hnh xc thc
li bng mt phng php b sung no .
4.2.4. Vn phn phi kha cng khai
Cng ging nh cc thut ton m ha khc, cch thc phn
phi kha cng khai l mt trong nhng yu t quyt nh i vi
an ton ca m bt i xng. Qu trnh phn phi kha cn chng
li c tn cng ca ngi ng gia.
Gi s ngi th ba Cng c th gi cho Bnh mt kha bt k
v khin Bnh tin rng l kha (cng khai) ca An. Nh vy ng
thi Cng c kh nng c c thng tin trao i gia Bnh v An.
Mun vy, Cng s gi cho Bnh kha cng khai ca chnh mnh
74
(v lm cho Bnh ngh rng l kha ca An). Sau , Cng c tt

c vn bn m ha do Bnh gi, gii m vi kha b mt ca mnh,
gi li mt bn copy ng thi m ha bng kha cng khai ca An
v gi cho An. V nguyn tc, c Bnh v An u khng pht hin ra
s can thip ca ngi th ba. Cc phng php chng li dng tn
cng ny da trn cc chng thc s (digital certificate) hoc cc
thnh phn ca h tng kha cng khai PKI (Public Key Infrastructure
- xem chng 5).
4.3. THUT TON RSA
Thut ton ny c Rivest, Shamir v Adleman m t ln u
tin nm 1977 ti trng i hc MIT.
Gi s An v Bnh cn trao i thng tin b mt thng qua mt
knh khng an ton (v d nh qua Internet). Vi thut ton RSA,
An u tin cn to ra cho mnh mt cp kha gm kha cng khai
E v kha b mt D theo cc bc sau:
4.3.1. M t thut ton
1. Chn 2 s nguyn t kh ln (>1024bit) P v Q, P Q
2. Ly tch s: N = PQ, N c gi l modulo m ha.
3. Chn s E sao cho: 1< E < PQ, E v (P-1)(Q-1) nguyn t
cng nhau (vy E phi chn l mt s l). E c gi l s
m m ha.
4. Tnh s D sao cho tch s DE 1[mod(P-1)(Q-1)] c ngha l
tch s DE chia cho tch s (P-1)(Q-1) c s d l 1, hay l
DE-1 chia ht cho (P-1)(Q-1). Ta dng phng php th dn
cc s nguyn X sao cho c c: D = [X(P-1)(Q-1) +1]/E
l s nguyn. D c gi l s m gii m.
75
Kha cng khai An gi cho Bnh (qua ng thng tin bt k) l

cp s [N,E]
Kha b mt An gi cho ring mnh l cp s [N,D]
M ha
- Bnh nhn c kha cng khai ca An gi. Bnh c thng ip
gc (plaintext) T (thng ip c s ha, T thc ra l mt con s
dng nh phn c i thnh s thp phn no ) cn gi cho An.
- Bnh m ha bng php ton: T
mod N = C; T = plaintext,
C = ciphertext. Php ton ly tha theo modulo c ngha l ly T

ly tha E ri chia cho N v ly s d.
- Bnh gi thng ip m ha C cho An.
Gii m
- An nhn c C.
D
- An gii m bng php ton: C mod N = T.

- Nh vy l y ta cn phi chng minh c rng:
E
(T mod N) mod N = T
iu ny c chng minh bng cch ng dng nh l
Trung Hoa v s d (The Chinese Remainders Theorem) mt thnh
tu rt cao v s hc, trong ton hc C Trung Hoa thng gi l
Bi ton Hn Tn im binh (Hn Tn l mt v tng nh Tin Hn,
vo khong th k th II trc cng nguyn, xem ph lc II). Thc
cht vic tm kha ring D chnh l tm mt php ton ngc trong
vnh modulo N ca E.
Mt s lu :
- Cc s nguyn t thng c chn bng phng php th
ngu nhin.
76
- Cc bc 3 v 4 c th c thc hin bng gii thut Euclid

m rng.
Mt dng khc ca kha b mt:
- P v Q, hai s nguyn t chn ban u,
- D mod (P-1) v D mod (Q-1) (thng c k hiu l DmP1
v DmQ1),
- (1/Q) mod P (thng c gi l iQmP)
Dng ny cho php thc hin gii m v lp m nhanh hn vi
vic s dng nh l s d Trung Hoa (Chinese Remainder Theorem)
dng CRT.
dng ny, tt c thnh phn ca kha b mt phi c gi
b mt. An gi kha cng khai cho Bnh v gi b mt kha ring
ca mnh.
y, P v Q gi vai tr rt quan trng. Chng l cc nhn t
ca N v h tr cho kh nng tnh D khi bit E.
Nu khng s dng dng sau ca kha b mt (dng CRT) th P
v Q s c xa ngay sau khi thc hin xong qu trnh to kha, ch
gi li N, E, D.
V d: y ch minh ha phng php nn ta chn p, q kh
b cho d tnh ton.
Chn 2 s nguyn t: p = 61 = (111101)2; q = 53 = (11011)2
(hy ngay p v q sau khi to kha),
n = p*q = 3233 - modulo
e = 17 - s m m ha (cng b cng khai)
Kha cng khai A gi i cho B: (3233, 17)
d = 2753 - s m gii m (A gi ring)
77
Thng ip gc (s ha thnh s dng nh phn ri i ra s

thp phn): 123
B dng kha cng khai (n,e) m ha: 123
17
mod 3233 = 855
Thng ip m ha c gi i: 855
2753
A dng kha ring (n,d) gii m: 855
mod 3233 = 123
4.3.2. u v nhc im ca m RSA

Thut ton RSA thc hin mt dy php tnh ly tha modulo
kh ln.
phc tp tnh ton
Kha cng khai = O(k2) bc tnh ton, Kha ring = O(k3),
Tng qut m RSA c phc tp tnh ton l O(k4) k l s bit
ca modulo. V vy m RSA c nhc im u tin l tc lp m
v gii m rt chm.
Tuy nhin m RSA c bo mt cao: hu nh khng c thut
ton gii tng qut m phi d th dn (tn cng bo lc). Nu chn
P, Q ln th kt qu t ch bit s m lp m E, tm ngc li s m
gii m D rt phc tp hu nh khng lm c trong thi gian
thc. Chng hn ta to mt kha m m ha thng tin cho cc
th tn dng ch cho php s dng trong 2 nm. Nu kh nng b
ph kha l trong thi gian 1000 nm hay lu hn na th trong thc
t c th xem l an ton.
Mt nhc im ln khc ca m RSA l nguy c v tnh tin
cy. Khi B dng kha cng khai nhn t A gi tin, chc chn ch
A c c: tin cy pha ngi gi tin. Khi A nhn tin, cha chc do
B gi (v kha cng khai c th l v ngi th ba bit kha cng
khai, c th dng m ha nhng thng ip gi gi cho A): khng
tin cy pha ngi nhn tin.
78
khc phc iu , phi c phng php phn phi kha

cng khai mt cch tin cy hn. Trong trng hp ch c 2 i tc
trao i vi nhau, ngi ta c th dng s trao i kha cng
khai m bo an ton v tin cy cho c hai pha gi v nhn tin.
S trao i kha cng khai
- A to mt cp kha, kha cng khai (ca A) l E1 cho B v
kha ring D1 gi cho mnh.
- B to kha ring D2, kha cng khai E2 (ca B).
- Dng E1 nhn c ca A m ha E2: E1(E2) = E2, B gi E2
cho A v gi D2 cho ring mnh.
- A nhn c E2, gii m bng D1 (Ch mnh A c D1): Ch c A
c c E2. Khi ch c 2 i tc A v B cng s hu kha
cng khai E2.
- A c thng ip gc P, dng E2 (ca B m ha thng ip:
E2(P) = C, gi thng ip m ha (bng kha cng khai ca
B) cho B chc chn ch c B c c.
- B: nhn chc chn do A gi, c: D2(C) = P.
S dng s trao i kha cng khai, chng ta to c s tin
cy c cho hai pha ngi gi tin v ngi nhn tin. Nhng mt khc
phc tp tnh ton tng ln v tc lp m, gii m cng chm!
Mc an ton
V kha cnh an ton, cc thut ton mt m ha kha bt i
xng cng khng khc nhiu vi cc thut ton m ha kha i
xng. C nhng thut ton c dng rng ri, c thut ton ch
yu trn l thuyt; c thut ton vn cn c xem l an ton, c
thut ton b ph v. Cng cn lu l nhng thut ton c
dng rng ri khng phi lc no cng m bo an ton. Mt s
thut ton c nhng chng minh v an ton vi nhng tiu chun
khc nhau. Nhiu chng minh gn vic ph v thut ton vi nhng
79
bi ton ni ting vn c cho l khng c li gii trong thi gian

a thc. Nhn chung, cha c thut ton no c chng minh l an
ton tuyt i. V vy, cng ging nh tt c cc thut ton mt m
ni chung, cc thut ton m ha kha cng khai cn phi c s
dng mt cch thn trng.
4.4. MT S H MT M KHA CNG KHAI KHC
Trong mc ny ta s xem xt mt s h mt m kha cng
khai khc.
Chng hn nh ngi ta cng s dng s Diffie-Hellman
(Chng 3) nh l mt thut ton to kha cng khai. Gi s An v
Bnh thng nht vi nhau chn mt nhm cyclic hu hn Gm,
mt phn t sinh g thuc Gm v p l mt s nguyn t cng khai. An
ly mt s nguyn b mt cho ring mnh l a. Kha cng khai ca
An gi cho Bnh chnh l (ga, g, p).
gi thng ip ca mnh n An, Bnh chn mt s ngu
nhin b, v gi gb (khng m ha) cho An cng vi thng ip c
m ha bi kha i xng (ga)b. Ch c An s hu a mi c th gii
m thng ip. Mt kha cng khai c chia s trc cng c th
ngn nga cc tn cng ca ngi ng gia.
Tuy nhin trong thc t th ngy nay ngi ta khng s dng
kha cng khai theo s Diffie-Hellman v thut ton m ha kha
cng khai RSA l thut ton c s dng qu ph bin vi cc u
im ca n v nht l RSA thnh lp c mt c quan chng
thc in t hin nay ang hot ng rng khp chnh l VeriSign.
H mt m Elgamal da trn bi ton logarit ri rc cng l mt
thut ton c dng kh ph bin trong nhiu th tc mt m.
cc phn sau s xem xt thm n mt h mt m kha cng khai ra
i sm nht l h mt m xp ba l Merkle-Hellman v im qua s
80
lc mt s h mt m kha cng khai khc bao gm cc h thng

loi Elgamal da trn cc trng hu hn v cc ng cong elliptic.
4.4.1. H mt m ElGamal
H mt m ElGamal l mt thut ton tng t nh h thng
Diffie-Hellman trnh by mc sau, c xy dng trn bi ton
logarit ri rc.
D rng tc gi ca h mt m ny (Taher Elgamal) khng ng
k xin cp bn quyn cho sng to ca mnh nhng nhng ngi s
hu bn quyn ca h mt m Diffie-Hellman v l do no vn xem
h ny cng thuc phm vi bo v ca giy php bn quyn ca
mnh. Cng khng ai r l do thc s ca vic ng k tn thut
ton l ElGamal (ch G vit hoa) trong khi h ca tc gi l Elgamal
(ch g khng vit hoa).
C th thy ngay nhc im r rng ca h ElGamal l thng
ip sau khi m ha c kch thc rt ln, xp x gp hai ln thng
ip gc! Chnh v vy h mt m ny thng khng dng m ha
cc khi d liu thng tin ln m ch yu dng cho cc thng ip
ngn chng hn nh to cc kha chung.
To kha cng khai ElGamal
Cng nh trong trng hp ca m Diffie-Hellman, hai i tc
An v Bnh c chung (cng khai) mt s nguyn t p v mt s sinh
g (generator). An chn mt s ngu nhin a v tnh A = ga, Bnh
cng chn mt s ngu nhin b v tnh B = gb. Kha cng khai ca
An l A v kha ring l a; tng t nh vy, kha cng khai ca
Bnh l B cn kha ring l b.
M ha v gii m thng ip
Nu Bnh mun gi mt thng ip m cho An, Bnh s chn
ngu nhin mt s k b hn p ri tnh:
81
c1 = gk mod p; c2 = Ak * m mod p tip gi c1 v c2 cho An.

An s dng c1 v c2 ti hin thng ip bng cch tnh:
c1-a * c2 mod p = m bi v rng:
c1-a * c2 mod p = (gk)-a * Ak * m = g-a * k * Ak * m
= (ga)-k * Ak * m = A-k * Ak * m = 1 * m = m
4.4.2. H mt m xp ba l Merkle-Hellman
Mt m xp ba l Merkle-Hellman l mt trong nhng h mt
m kha cng khai ra i sm nht, do Ralph Merkle v Martin
Hellman pht minh vo nm 1978. V mt tng h mt m ny
c xy dng n gin hn nhiu so vi h RSA nhng n nhanh
chng b v.
M t
Merkle-Hellman l mt h mt m bt i xng, c ngha l khi
giao dch cn c hai kha: mt kha cng khai v mt kha ring.
Hn na, cng ging nh RSA, hai kha u l mt chiu vi
ngha l kha cng khai ch dng m ha cn kha ring ch dng
gii m. Cng v vy n khng th s dng nhn dng qua vic
k tn bng mt m.
V mt ton hc, h Merkle-Hellman da trn bi ton tng tp
hp con subset sum problem (mt trng hp ring trong bi ton
ci ba l (knapsack) quen thuc trong Ton ri rc). Bi ton c
th pht biu nh sau: Cho mt tp hp cc con s A v mt con s
b, hy tm mt tp hp con ca A cng li bng b. Trong trng hp
tng qut, bi ton c bit l c tnh NP- (NP complete)
(kh gii bc NP). Tuy nhin trong trng hp ring khi tp hp cc
con s (c gi l ci ba l) l siu tng (superincreasing) vi
ngha l c th sp xp thnh mt dy cho mi phn t ca tp
hp u ln hn tng cc phn t i trc n, th bi ton c th
82
gii c d dng trong thi gian a thc bng mt thut ton

tham lam n gin.
To kha
Trong h mt m Merkle-Hellman, cc kha l cc ba l. Kha
cng khai l mt ba l y cn kha ring l mt ba l vi
(hard and easy knapsacks) kt hp vi hai s phn t ca php cng,
mt s nhn v mt modulo, cc s ny c dng bin i cc ba
l siu tng thnh ba l y. Nhng con s cng c dng
bin i tng ca cc tp con ca ba l y thnh tng cc tp con
ca ba l vi, tnh ton thc hin c trong thi gian a thc.
M ha
m ha mt thng ip, mt tp con c ba l y c chn
ra bng cch so snh n vi mt tp hp cc bit (plaintext) c di
bng di cha kha v lm cho mi thnh phn ng vi s 1 trong
plaintext mt phn t trong tp con m b qua nhng thnh phn
ng vi s 0 trong plaintext. Cc phn t ca tp con cng li vi
nhau, tng s thu c cho ta ciphertext.
Gii m
Vic gii m thc hin c bi v s nhn v modulo dng
bin i ba l vi siu tng thnh kha cng khai, cng c th
dng bin i con s i din cho ciphertext thnh tng cc phn
t tng ng ca bal siu tng. Nh vy, dng mt thut ton tham
lam n gin, bal vi gii ra c bng cch dng O(n) php ton
s hc gii m.
Phng php ton hc
To kha
m ha mt thng ip n bit, ta chn mt dy siu tng:
w = (w1, w2, ..., wn)
83
ca n s t nhin khc 0. Ly ngu nhin mt s nguyn q, sao cho:

n
q > wi
i =1
V mt s nguyn ngu nhin r, sao cho USCLN(r,q) = 1 (r v q

nguyn t cng nhau). q c chn nh vy bo m cho
ciphertext l duy nht. Nu chn q b hn th c th c nhiu hn
mt plaintext c m ha ra cng mt ciphertext. r phi nguyn t
cng nhau vi q nu khng s khng tn ti s nghch o mod q
ca n. S tn ti ca s nghch o l cn thit cho qu trnh gii
m thc hin c.
By gi ta tnh dy:
= (1, 2, ..., n)
trong :
i = rwi mod q.
Kha cng khai chnh l , cn kha ring l: (w, q, r).

M ha
m ha mt thng ip n bit: ( 1 , 2 ,..., n ),

trong i l bit th i ca thng ip v i {0,1} , ta tnh:
n
c > i i
i =1
Thng ip m ha chnh l c.
Gii m
gii m ciphertext c ngi nhn thng ip cn tm cc bit

i sao cho tha mn:
n
c = i i
i =1
84
y l mt bi ton rt kh ni chung nu i l nhng gi tr bt

k v ngi nhn thng ip phi gii mt lot bi ton tng tp hp
con m bi ton c bit l NP- kh khn! Tuy nhin y
cc gi tr ca i c chn sao cho vic gii m l d dng khi
bit kha ring (w, q, r).
Mu cht ca vic gii m l phi tm c mt s nguyn s l
nghch o ca r theo modulo q. iu ny c ngha l: s tha mn
phng trnh:
s*r mod q = 1
hay ni khc i, tn ti mt s nguyn k sao cho:
sr = kq + 1.
Do bi r c chn sao cho USCLN(r,q) =1 chc chn c th

tm c cc s s v k bng cch p dng thut ton Euclid m rng.
(Xem ph lc II). Tip ngi nhn thng ip tnh:
c cs(mod q)
Trong :
n
c cs ii s(mod q)
i =1
Do bi: rs mod q = 1 v i = rwi mod q

ko theo: is w i rs w i (mod q)
T :
n
c i w i (mod q)
i =1
Tng ca mi s wi l b hn q do :
khong [0, q-1].
i w i cng vy trong
i =1
85
V nh vy ngi nhn phi gii bi ton tng s cc tp hp con:

n
c i w i
i =1
Bi ton ny gii c v rng w l mt dy siu tng. Chng

hn ly phn t ln nht trong w, gi l wk. Nu wk > c', th k = 0,
nu wkc', th k = 1. Sau tr wkk vo cho c', v lp li cc
bc cho n khi tm ra c mi i.
V d: Cho mt dy siu tng:
w = {2, 7, 11, 21, 42, 89, 180, 354}

gi s y l c s ca mt kha ring, s dng n tnh tng:
w = 706
Chn mt s q ln hn tng s trn, chng hn ly: q = 881
Li chn mt s r nm trong khong [1,q) v nguyn t cng
nhau vi q: r = 588
Kha ring by gi gm q, w v r.
tnh ra mt kha cng khai, hy sinh mt dy bng cch
nhn mi phn t trong w vi r mod q
= {295, 592, 301, 14, 28, 353, 120, 236}
bi v:
2 * 588 mod 881 = 295
7 * 588 mod 881 = 592
11 * 588 mod 881 = 301
21 * 588 mod 881 = 14
42 * 588 mod 881 = 28
89 * 588 mod 881 = 353
86
180 * 588 mod 881 = 120

354 * 588 mod 881 = 236
Dy to nn kha cng khai.
Gi s An mun m ha thng ip "a". Trc tin An phi s
ha a thnh mt dy k t {0,1} (dng ASCII hoc Unicode):
a = 01100001
An nhn ln lt mi bit vi thnh phn tng ng trong
a = 01100001
0 * 295
+ 1 * 592
+ 1 * 301
+ 0 * 14
+ 0 * 28
+ 0 * 353
+ 0 * 120
+ 1 * 236
= 1129
An gi thng ip m ha 1129 vo thng th v Bnh nhn
c. gii m, Bnh nhn 1129 vi r-1 mod q (Xem nghch o
modulo phn ph lc 2):
1129 * 442 mod 881 = 372
By gi Bnh phn tch s 372 thnh nhng thnh phn trong w
b hn hoc bng 372, chn t cc thnh phn gn nht cho n khi
cn s d bng 0:
372 - 354 = 18
87
18 - 11 = 7
7-7=0
Cc thnh phn ta chn trong kha ring ng vi s 1 trong
thng ip gc:
01100001
Bin i s nh phn thnh s thp phn, ta li c a.
4.4.3. Logarit ri rc
Trong ton hc, c bit trong i s hc tru tng, logarit ri

rc (discrete logarithm) l mt nhm l thuyt tng t nh logarit
thng thng. Mt logarit thng thng loga(b) l nghim ca
phng trnh ax = b trong trng s thc hay s phc. Tng t nh
th, nu g v h l phn t ca mt nhm cyclic hu hn G th mt
nghim ca mt phng trnh gx = h cng c gi l logarit c s g
ca h trong nhm G.
V d. Xt nhm (Zp) l tp hp cc lp tng ng
{1, , p 1} i vi php nhn theo modulo ca mt s nguyn t

p. Nu mun tm ly tha k ca mt s trong nhm ta ch vic ly
ly tha k ca s nguyn ri chia kt qu thu c cho p v ly s
d. Php ton gi l php ly tha ri rc hay ly tha modulo.
Chng hn xt nhm (Z17).
Mun tnh 34 trong nhm , hoc 34 (mod 17) trc tin ta
tnh 34 = 81, chia 81 cho 17 c: 81 = 17 * 4 + 13: s d l 13,
vy: 34 (mod 17) = 13. Logarit ri rc l mt php ton ngc.
Chng hn ly phng trnh 3k 13 (mod 17) i vi k. Nh ta
thy trn phn u ca v d th k = 4 l mt nghim ca phng
trnh nhng khng phi l nghim duy nht.
88
V rng do 34+16
13 1n 13 (mod 17), nu n l mt s
nguyn th: 34+16 n 13 1n 13 (mod 17) v nh vy phng trnh

ny c v s nghim di dng 4 + 16n.
Ngoi ra, v 16 l s nguyn dng m b nht tha mn phng
trnh 3m 1 (mod 17), ta gi 16 l cp (order) ca 3 trong (Z17), th
khi li ch c nghim duy nht.
Tng t nh vy p s c th c biu din l k6 4 (mod 16).
nh ngha
Tng qut, cho G l mt nhm cyclic vi n phn t. Ta gi thit

y l nhm nhn. Gi b l mt phn t sinh ca G, khi mi phn
t g ca G u c vit thnh dng g = bk vi k l mt s nguyn
no . Nu mt cp s nguyn nh k1 v k2 cng biu din c
thnh g = bk1 = bk2 th k1 v k2 l ng d theo modulo n. Ta nh
ngha mt hm s:
logb : G n
(trong Zn biu th vnh s nguyn modulo n) bng cch gn

cho mi phn t g mt lp ng d ca k modulo n. Hm s l
mt nhm ng cu gi l logarit ri rc c s b. Cng thc i c
s logarit thng thng vn ng, chng hn nh nu c l mt phn
t sinh khc ca G th:
logc (g) = logc (b).logb (g)
Thut ton
Hin nay cha c mt thut ton c hiu lc no c bit

tnh ton logarit ri rc logb(g) tng qut. Thut ton nhn tm
thng l c nng s b ln ly tha k cao mi cho n khi tm c
g. Thut ton ny i hi thi gian thc hin tuyn tnh i vi kch
89
thc ca nhm g tc l thi gian hm m i vi s con s trong

kch thc ca nhm G. Cng c mt s thut ton nhanh hn thut
ton nhn tm thng nhng cng khng c thut ton no thc
hin c trong thi gian a thc (i vi s con s trong kch
thc ca nhm). C th lit k ra y mt s thut ton:
Bc tr con v bc khng l (Baby-step giant-step).
Thut ton Pollard cho l-ga-rit (Pollard's algorithm for
logarithms).
Thut ton chut ti ca Pollard (thut ton Lamda
):
Pollard's kangaroo algorithm (Pollard's lambda algorithm).

Thut ton Pohlig-Hellman
Thut ton tnh ch s (Index calculus algorithm)
Sng lc trng s (Number field sieve)
Sng lc trng hm s (Function field sieve)
Tuy rng bi ton logarit ri rc v bi ton tha s nguyn l

nhng bi ton hon ton khc bit nhng chng c chung mt s
tnh cht sau:
C hai bi ton u rt kh (hin nay cha c mt thut ton
gii hu hiu no i vi cc my tnh phi lng t, khng

phi l cc my tnh lng t).
C hai bi ton u c bit l c nhng thut ton hu hiu
trn my tnh lng t.

Cc thut ton dng c cho bi ton ny thng cng u
dng c cho bi ton kia.

kh ca c hai bi ton c s dng xy dng mt
s h mt m.
90
4.4.4. H mt m ng cong Elliptic
Mt m ng cong elliptic ECC (Elliptic Curve Cryptography)

l mt dng m ha kha cng khai da trn cu trc i s ca cc
ng cong elliptic trn nhng trng hu hn. Vic s dng cc
ng cong elliptic trong mt m hc do Neal Koblitz v Victor S,
Miller xut vo nm 1985. Trong giao dch x hi ni chung t s
dng h mt m ng cong elliptic. V vy trong phm vi cun sch
ny chng ta khng i su m t h thng mt m ny m ch gii
thiu qua mt s tnh cht v c im ca n.
Mt m kha cng khai da trn tnh cht kh gii ca mt s
bi ton tm thut ton ngc. Chng hn nh tnh bo mt ca
thut ton RSA c bo m l do tnh cht kh khn ca bi ton
phn tch mt s t nhin ln thnh 2 hoc nhiu tha s nguyn t.
i vi cc th tc lp - gii m da trn c s ng cong elliptic
th c th khng nh rng vic tm c logarit ri rc ca mt
phn t ca ng cong elliptic ngu nhin da trn mt im c s
bit l khng th lm c. Kch thc ca ng cong elliptic
xc nh kh ca bi ton. Ngi ta tin rng bo mt ca mt
h thng m ha RSA vi modulo ln c th t c vi mt nhm
ng cong elliptic b hn rt nhiu. M nu ta s dng mt nhm
b th c th gim bt b lu tr cng nh gim bt cc yu cu v
truyn tin.
Vi cc i tng ca mt m hc hin ti, mt ng cong
elliptic l mt ng cong phng cha nhng im c ta tha
mn phng trnh:
y 2 = x 3 + ax + b
Cng vi mt im c bit c gi l im v tn k hiu l .

y cc ta c chn trong mt trng hu hn c nh, c s
c trng khc 2 v 3 (nu khng, phng trnh ca ng cong s
c th phc tp hn nhiu). Tp hp cng vi php ton nhm
91
ca l thuyt nhm elliptic lp thnh mt nhm Abel (nhm giao

hon) vi im v tn l phn t trung ha (phn t ng nht: n
v ).
Tnh bo mt trong ECC ph thuc vo kh nng tnh c mt
im nhn nhng khng tnh c tha s nu cho bit im gc v
im tch s.
Cc s mt m
Mt s th tc m ha da trn c s logarit ri rc c lm
thch hp vi cc thut ton da trn c s ng cong elliptic bng
cc thay th nhm ( p ) bi mt ng cong elliptic.
S tha thun kha ng cong elliptic da trn s
DiffieHellman.
Thut ton Ch k s ng cong elliptic da trn thut ton
ch k s.
S tha thun kha ECMQV da trn s tha thun
kha MQV.
Ti Hi tho RSA nm 2005, NSA (C quan bo mt quc gia
Hoa K) cng b dy B (suite B) mt dy thut ton mt m c
bit ch dng ECC cho vic sinh ch k in t v trao i kha. Dy
B nhm s dng bo v c hai loi thng tin v h thng c xp
hng v khng c xp hng b mt cp quc gia.
92
5
CH K IN T V CHNG THC IN T
5.1. KHI NIM V CH K IN T
Trong mt giao dch, An gi cho Bnh mt l th ca mnh. Vic
gi l th trc ht phi m bo ba yu cu sau y trong cc
nguyn l bo mt thng tin:
- Tnh bo mt: L th d lt vo tay k khc ngoi Bnh th
k cng khng hiu c ni dung th.
- Tnh ton vn thng tin: Nu l th b ngi trung gian lm
bin i ni dung trong qu trnh truyn tin th Bnh phi
nhn bit l th b can thip (ch pht hin (detect)
nhng c th khng bit ni dung b can thip nh th no
nh chnh li cho ng (correct)).
- Tnh nhn bit: Khi nhn c th, Bnh nhn ra c ng
l th do An gi, khng phi l do mt k th ba gi mo.
- Tnh khng chi b: Sau ny An khng th chi b rng l
th khng phi ca mnh.
Trong giao dch thng thng, An k tn vo l th xc nhn
rng th do mnh pht hnh, sau ny khng th chi b c. Khi
Bnh thy ch k ca An cui th th tin tng l th ca An.
Chng 5: Ch k in t v chng thc in t
93
Trong giao dch in t, nu gia An v Bnh c s trao i

thng nht mt kha m b mt K (ch hai ngi bit) th nu l th
c m ha bng kha m , hai yu cu ni trn u tha mn.
Tuy nhin trong nhiu trng hp, nu c mt thng ip rt
ln cn gi i (Hp ng, cung cp t liu v.v.) m ni dung khng
c g cn thit phi b mt ton b, nu phi m ha (v gii m) th
qu phin phc v tn thi gian.
Vy c cch no gii quyt c bn yu cu ni trn m khng
cn phi m ha ton b thng ip khng?
Ni cch khc, c th to ra mt cng c ng vai tr nh ch
k ca ngi pht hnh thng ip trong dng giao dch thng
thng khng?
5.1.1. Ch k in t
Ch k in t (Electronic signature) chnh l cng c p ng
c nhng yu cu ra trn y cho vic trao i thng ip in
t. Khng nhng th, ngoi ra ch k in t cn c mt s tnh
cht khc m bo cc nguyn l khc ca vn bo mt d liu
nh tnh ton vn thng tin, tnh xc thc v tnh nhn dng i tc.
Hin nay, ch k in t c th bao hm cc cam kt gi bng
E-mail, vic nhp cc s nhn dng c nhn (PIN) vo cc my ATM,
k bng bt in t vi thit b mn hnh cm ng ti cc quy tnh
tin], chp nhn cc iu khon ngi dng (EULA) khi ci t phn
mm my tnh, k cc hp ng in t online...
5.1.2. Cc nh ngha php l
Nhiu lut c ban hnh trn th gii cng nhn gi tr php
l ca ch k in t nhm thc y cc giao dch in t xuyn
quc gia.
94
Lut Giao dch in t Vit Nam, iu 4 nh ngha:

(1) Chng th in t l thng ip d liu do t chc cung cp
dch v chng thc ch k in t pht hnh nhm xc nhn c
quan, t chc, c nhn c chng thc l ngi k ch k in t.
(2) Chng thc ch k in t l vic xc nhn c quan, t
chc, c nhn c chng thc l ngi k ch k in t.
(5) D liu l thng tin di dng k hiu, ch vit, ch s, hnh
nh, m thanh hoc dng tng t.
(12) Thng ip d liu l thng tin c to ra, c gi i,
c nhn v c lu tr bng phng tin in t.
B lut ESIGN (Hoa K), iu 106 nh ngha:
(2) in t (electronic): ch cc cng ngh lin quan ti in, s,
t, truyn tin khng dy, quang, in t hoc cc kh nng tng t.
(4) Vn bn in t (electronic record): Cc hp ng hoc cc
vn bn khc c to ra, lu tr, trao i di dng in t.
(5) Ch k in t (electronic signature): Cc tn hiu m thanh,
k hiu, qu trnh gn (vt l hoc logic) vi hp ng hay vn bn v
c thc hin bi ngi mun k vo hp ng hay vn bn .
B lut GPEA (Hoa K), iu 1710 nh ngha:
(1) Ch k in t (electronic signature): l cch k cc vn bn
in t m bo:
(A) Nhn dng v xc thc c nhn to ra vn bn;
(B) Ch ra s chp thun ca ngi k i vi ni dung trong
vn bn.
B lut UETA (Hoa K), iu 2 nh ngha:
(5) in t (electronic 'valeking132') ch cc cng ngh lin
quan ti in, s, t, khng dy, quang, in t hoc cc kh nng
tng t.
95
(6) Tc t in t (electronic agent) l cc chng trnh my

tnh hoc cc phng tin t ng khc s dng c lp khi u
mt hnh ng hoc p li cc tn hiu in t m khng cn s
gim st ca con ngi.
(7) Vn bn in t (electronic record 'valeking132') Cc vn
bn c to ra, lu tr, trao i di dng in t.
(8) Ch k in t (electronic signature) Cc tn hiu m thanh,
k hiu, qu trnh gn (vt l hoc logic) vi hp ng hay vn bn v
c thc hin bi ngi mun k vo hp ng hay vn bn .
Commodity Futures Trading Commission 17 CFR Phn 1 iu 1.3
nh ngha:
(tt) Ch k in t l tn hiu m thanh, k hiu, qu trnh gn
(vt l hoc logic) vi hp ng hay vn bn v c thc hin bi
ngi mun k vo hp ng hay vn bn .
Food and Drug Administration 21 CFR iu 11.3 nh ngha:
(5) Ch k s l cc ch k in t da trn cc phng php
mt m nhn thc ngi to vn bn da trn cc quy tc v
tham s sao cho c th kim tra c nhn dng ca ngi to v
tnh ton vn ca vn bn.
(7) Ch k in t l cc s liu (my tnh) c to ra, chp
nhn v cho php bi c nhn c thm quyn (tng ng vi ch
k vn bn giy truyn thng).
Lut ch k in t ca Trung Quc
Mc tiu hng ti thng nht vic thc hin, khng nh tnh
php l v bo v quyn li hp php ca cc bn lin quan ti vic
thc hin ch k in t.
Lin minh chu u (EU)
Lin minh chu u (EU) thit lp khung php l cho ch k
in t:
96
Hng dn s 1999/93/EC ca Quc hi chu u ngy 13 thng

12 nm 1999 v khung php l ca ch k in t.
Quyt nh 2003/511/EC s dng 3 tha thun ti hi tho
CEN lm tiu chun k thut.
Mt s quc gia thc hin quyt nh 1999/93/EC.
o: Lut Ch k, 2000
Anh, Scotland v Wales: Lut Thng tin in t, 2000
c: Lut Ch k, 2001
Li-thu-a-ni-a: Lut Ch k in t, 2002
Na Uy: Lut Ch k in t, 2001
Ty Ban Nha: o lut 59/2003 ngy 19/12 v Ch k in t.
Thy in: o lut Ch k in t (SFS 2000:832).
n : Lut Cng ngh thng tin, 2000
Niu Di-ln: Lut Giao dch in t, 2003 iu 22-24
5.1.3. To ch k in t
Gi s gia An v Bnh c trao i (ring) mt kha m K.
Nu An gi cho Bnh mt thng ip s dng kha K m ha th
chc chn Bnh nhn ra thng ip l do An pht hnh, mt khc v
ch c An v Bnh cng s hu kha K nn An khng th chi l
thng ip khng phi do mnh to ra. Tuy nhin nu mc ch l
cho Bnh nhn bit l mnh dng kha K th An khng cn m
ha ton b thng ip m ch cn m ha mt phn rt nh ca
thng ip ri gi cho Bnh l !
Ch k in t l mt b phn thng c kch thc nh to ra
t thng ip, c ngi gi m ha bng kha K trao i thng
nht gia hai i tc gi v nhn thng ip, gi km vi ton b
thng ip cho ngi nhn.
97
to ra mt b phn ca thng ip ngi ta thng dng k

thut hm bm (hash function). Nh vy iu quan trng y
khng phi l Bnh hiu c ni dung ca b phn thng ip m
ha l g m ch yu l nhn ra i tc ca mnh bng quy lut m
ha trao i thng nht. Ch k ca cng mt ngi gi, km vo
trong cc thng ip khc nhau do ngi pht hnh c th c ni
dung hon ton nhau, iu quan trng duy nht l quy lut m ha K
vn gi nguyn!
Nu m hm bm tnh c khng trng vi kt qu gii m ch k s th kt lun

l ni dung ti liu nhn c b sa i so vi ti liu gc ca ngi gi
Hnh 5.1: S to v kim tra ch k in t

5.1.4. Ch k s
Vic to ch k in t qua m ha gi tr bm ca mi thng
ip qu thc khng d dng vi nhng c nhn, t chc khng c
trang b tt v cng ngh thng tin. Nu ch nhm mc ch nhn bit
v khng chi b, ngi ta thng dng mt phng php n gin
hn: l cc ch k s (digital signature).
98
Ch k s c th xem l mt lp con ca ch k in t. Sau

khi hai i tc trao i kha m K, An dng kha K m ha
mt ni dung d liu c nh S no : K(S) = S v s gn S vo
mi thng ip ca mnh pht hnh. Khi An nhn c mt thng
ip c gn S, dng K gii m c li S th nhn ra thng ip
l do An pht hnh. S l ch k s ca An. Ni dung ch k s rt
phong ph: c th l mt on vn bn (h v tn, ch k tht scan
ln my tnh, ch k v ln my tnh v lu tr li), mt hnh nh,
mt cu ni, hoc mt on video v cng c th s dng hm bm
ly gi tr bm trc khi m ha.
Hin nay c nhng nh cung cp dch v to kha m v to ch
k s cho nhng ngi cn s dng, h ch cn tr ph. Tt nhin
ch k s c tnh bo mt thp hn v ni dung c nh nn sau mt
thi gian c th dng phng php thng k thm m. tng
bo mt, ngi s dng c th thng xuyn thay i ni dung
ch k s. Ch k in t hay ch k s thng thuc quyn s dng
ring ca mt ngi, ging nh ch k thng thng.
Mt t chc, mt c quan hay doanh nghip cng c th to
mt ch k s s dng chung xc nhn cho nhng thng ip m
c quan mnh pht hnh. Ni dung ch k s dng chung l logo
biu tng ca doanh nghip, mt cu khu hiu ca t chc hoc
chnh l con du ca t chc . V vy ch k s s dng chung cho
t chc cng c gi l con du s ca t chc.
Tuy nhin phn nhiu trong cc quy nh php l ca giao dch
in t ngi ta khng ni n gi tr ca con du s, ni khc i,
trong giao dch in t khng dng con du s i km vi ch k
s/ch k in t ca ngi c trch nhim pht hnh thng ip
ca c quan t chc v hai l do sau y:
99
- Ch k s/in t ch c mt ngi bit v c quyn s dng

trong khi con du s ca mt t chc (nu c) th rt nhiu
ngi c quyn s dng, do vy bo mt ca con du s
thp hn ch k s.
- Trong mt c quan, t chc, ngi gi con du s thng c
mc trch nhim thp hn nhiu so vi nhng ngi dng
ch k s.
V vy, nu mt t chc c to con du s s dng trong cc
thng ip do c quan mnh pht hnh (km vi ch k s ca ngi
c trch nhim trong t chc) th cng ch c xem nh mt s
xc nhn b sung khng c gi tr tin cy cao, ging nh trong cc
vn bn thng thng ca mt t chc ngi ta dng cc giy t,
phong b c in logo, tiu ca t chc vy thi!
5.2. HM BM
5.2.1. Khi nim v hm bm
ly mt b phn nh ca mt thng ip, ta s dng mt
phng php ton hc gi l phng php hm bm (Hash function)
l mt gii thut ton hc (mt nh x mt - mt (mt chiu)), cho
ng vi mi khi d liu (mt dy bit hay mt i tng trong lp
trnh hng i tng ca thng ip gc) mt gi tr bm duy nht.
Ch y tnh mt chiu c ngha l: Mi khi d liu gc qua
mt hm bm s cho mt gi tr bm duy nht, tuy vy c th c mt
gi tr bm ng vi hai khi d liu gc khc nhau v vy khng th
t gi tr bm tm ngc li khi d liu sinh ra n. Trng hp
qua mt hm bm H, nu c hai khi d liu gc no cho cng
mt gi tr bm th ta gi y l mt s ng .
Tuy nhin iu quan trng l: Nu hai gi tr bm khc nhau
th chc chn hai khi d liu to ra chng l khc nhau. V vy
100
ngi nhn c th tnh li gi tr bm ca thng ip nhn c ri

so snh vi gi tr tnh c khi gii m ch k in t kim tra:
nu hai gi tr khc nhau th c th khng nh ni dung thng ip
b thay i.
Mt hm bm c nh gi l tt nu s ng xy ra rt nh
(xc sut rt thp, hu nh khng th xy ra).
Mt vi k thut tnh ton chng hn nh phn b xc sut
Poisson (phn b xc sut tim cn cho cc s kin him hoi) c th
dng phn kh nng xy ra ng ca nhng hm bm khc
nhau i vi nhng nhm d liu khc nhau. V l thuyt th ni
chung vi mi nhm d liu u tn ti mt hm bm c xem nh
l hm bm hon ho nht cho nhm d liu . Mt hm bm
hon ho (theo nh ngha) l hm bm m i vi mi d liu trong
nhm ang xt khng to ra nhng gi tr bm trng nhau. Nhng
trong thc t rt kh tm c hm bm hon ho cho mi nhm
d liu nn ngi ta thng bng lng nhng hm bm gn hon
ho ngha l ch to ra mt s rt t ng i vi tng nhm d
liu (c th kim tra c).
5.2.2. Cc phng php to hm bm
Mt hm bm tt phi tha mn cc iu kin sau:
- Tnh ton nhanh
- Cc kha c phn b u trong bng
- t xy ra ng
- X l c cc loi kha c kiu d liu khc nhau.
Cc hm bm c xc nh theo cch to ra gi tr bm t mt
d liu. C hai phng php chnh to hm bm thng dng l
phng php cng v nhn v phng php quay vng.
101
Phng php bm kiu cng v nhn

Theo phng php ny gi tr bm c to ra bng cch duyt
dc theo chui d liu v lin tc cng thm vo mt gi tr xut
pht t mt gi tr c tnh cho mi phn t trong d liu. Gi tr
tng thm ng vi mi phn t thng c tnh di dng nhn vi
mt s nguyn t no .
h(m) = h 1 (m p)
m
h(m) = mi pi
i =0
1
h(m) = h
(m p)
h(m) = mi pi
i =0
Phng php bm bng cch quay vng

Cng cng thm vo mi phn t trong dy mt gi tr ging
nh phng php bm kiu cng nhng y gi tr cng thm
c xt t c hai pha bn tri v bn phi, tnh ton cng thm
vo ti mi phn t,
h(m) = h 1 (m << p) (m >> p)
m
h(m) = (mi << pi ) (mi >> q i )

i =0
m
h(m) = (mi << pi ) (mi >> q i )

i =0
Cc dng hm bm thng dng

Trong Th vin hm bm tng qut (The General Hash
function Library) c nu ln mt s hm bm hn hp cng v quay
vng chng hn nh cc thut ton sau y.
102
RS Hash Function: Mt hm bm n gin t thut ton Robert

Sedgwicks.
JS Hash Function: Hm bm tnh t hai pha do Justin Sobel

xut.
PJW Hash Function: Thut ton bm da trn cng trnh ca
Peter J. Weinberger thuc Phng th nghim AT&T Bell.
BKDR Hash Function: Hm bm ny c m t trong tc
phm ca Brian Kernighan v Dennis Ritchie's "The C Programming
Language" (Ngn ng lp trnh C).
SDBM Hash Function: y l dng hm bm c chn s dng
trong cc d n m ngun m SDBM.
DJB Hash Function do GS. Daniel J. Bernstein xy dng v gii
thiu ln u tin trn newsgroup comp.lang.c. C l y l mt trong
nhng hm bm hiu qu nht t trc n nay c cng b.
Message Digest (MD) algorithms: Nhng dy thut ton hng
byte, sn sinh ra mt gi tr bm 128 bit cho cc thng ip c
di bt k.
- MD2 (RFC 1319): c thit k cho nhng h thng c b nh
hn ch chng hn nh cc th thng minh.
- MD4 (RFC 1320): do Rivest pht trin, tng t nh MD2
nhng c thit k c bit cho nhng qu trnh x l nhanh
trong phn mm.
- MD5 (RFC 1321): Cng do Rivest pht trin sau khi pht hin
mt s nhc im ca MD4; s ny tng t nh MD4
nhng hot ng chm hn do phi x l nhiu trn d liu
gc. MD5 c tch hp vo nhiu sn phm d rng vn cn
mt s nhc im m nh mt m hc ngi c Hans
Dobbertin ch ra nm 1996.
103
Secure Hash Algorithm (SHA): Thut ton ca chun hm bm an

ton ca NIST. NIST's Secure Hash Standard (SHS). SHA-1 to ra mt
gi tr bm 160 bit ban u c cng b vi tn gi l FIPS 180-1 v
RFC 3174. FIPS 180-2 (tc l SHA-2) m t 5 thut ton trong chun
SHS: SHA-1 cng vi SHA-224, SHA-256, SHA-384, v SHA-512 c th
to ra gi tr bm c di 224, 256, 384, hoc 512 bit.
Ch : Nm 2004 mt s nh nghin cu pht hin rng
c nhng s ng trong thc hnh xy ra i vi MD5, SHA-1, v
mt vi hm bm khc!
RIPEMD: Mt dy thut ton bin i thng ip (message
digest) thot u xut pht t d n RIPE (RACE Integrity Primitives
Evaluation). RIPEMD-160 do Hans Dobbertin, Antoon Bosselaers, v
Bart Preneel thit k v ti u ha cho qu trnh x l 32 bit nhm
thay th cho hm bm 128 bit ang ph bin thi . C nhng
phin bn khc l RIPEMD-256, RIPEMD-320, v RIPEMD-128.
HAVAL (HAsh of VAriable Length): Hm bm c di bin
thin: Do Y. Zheng, J. Pieprzyk v J. Seberry, l mt hm bm vi
nhiu cp an ton khc nhau. HAVAL c th to cc gi tr bm
vi di 128, 160, 192, 224, hoc 256 bit.
Whirlpool: L mt hm bm tng i mi do V. Rijmen v
P.S.L.M. Barreto thit k. Whirlpool lm vic trn cc thng ip c
di khng qu 2256 bit v to ra gi tr bm vi 512 bit. Thit k
ca Whirlpool rt khc bit vi thit k ca MD5 v SHA-1, lm cho
n chng li c nhng tn cng m cc hm bm khc khng
chng c.
Tiger: Do Ross Anderson v Eli Biham thit k. Tiger c thit
k m bo an ton cao chy hiu qu vi b x l 64 bit nn thay
th d dng MD4, MD5, SHA and SHA-1 trong nhng ng dng
khc Tiger/192 to nn u ra 192 bit v tng thch vi kin trc
104
64 bit; Tiger/128 v Tiger/160 to ra gi tr bm c di 128 v

160 bit, tng thch vi cc hm bm nu trn.
5.2.3. Cng dng ca hm bm
Hm bm thng c dng xy dng cc bng bm tc l
bng ghi cc gi tr bm ng vi mt s khi d liu mu: khi cn so
snh hai khi d liu no (thng c kch thc rt ln) ta ch
cn so snh cc gi tr bm c kch thc rt nh ca chng: iu
ny rt c ch.
V d v hot ng ca mt hm bm:
Hai chui d liu gc ch khc nhau mt t (runs v walks
nhng qua hm bm cho ra hai gi tr bm hon ton khc nhau. So
snh hai gi tr bm thy khc nhau ta bit ngay hai chui d liu
gc l khc nhau (d khng th bit chng khc nhau u!)
V tnh thng dng ca bng bm, ngy nay, a s ngn ng lp

trnh u cung cp th vin ng dng bng bm, trong c cc vn
nh: b su tp (collection), cc danh sch (list), cc bng (table),
cc nh x (mapping), cc t in (dictionary).
Thng thng, cc lp trnh vin ch cn vit hm bm cho cc
i tng nhm tch hp vi th vin bng bm c xy dng
105
sn. Bng bm l mt ng dng quan trng ca cc hm bm, cho

php tra cu nhanh mt bn ghi d liu nu cho trc kha m ca
bn ghi (Lu : cc kha ny thng khng b mt v c dng
"m kha" hoc truy nhp thng tin).
Cc hm bm dnh cho vic pht hin v sa li tp trung phn
bit cc trng hp m d liu b lm nhiu trong qu trnh
truyn tin, gi tr bm tng i nh c th c dng kim
chng rng mt tp d liu c kch thc ty b sa i hay
khng. Hm bm c dng pht hin li truyn d liu nh sau.
Pha bn gi, hm bm c tnh cho d liu c gi, gi tr bm
ny c gi cng d liu. Pha bn nhn, hm bm li c tnh ln
na, nu cc gi tr bm khng trng nhau th li xy ra u
trong qu trnh truyn.
Vic ny gi l kim tra thng d (redundancy check).
- Gi s An c thng ip V cn gi cho Bnh. An ly gi tr bm
H(V), m ha bng kha K trao i vi Bnh: K[H(V)] = H gn
vi V v gi tt c cho Bnh. H chnh l ch k in t ca An trong
thng ip.
- Bnh nhn c thng ip, trc ht gii m H tm ra mt
gi tr bm H. Tip dng hm bm chung tnh li gi tr bm ca
thng ip nhn c. Nu gi tr bm trng vi gi tr H ni trn
th Bnh c hai kt lun:
1. Thng ip chnh do An gi (qua kim tra kha K).
2. Thng ip khng b thay i trong qu trnh truyn tin (gi
tr bm trng nhau). Trng hp hai gi tr tm c khc
nhau th:
- Hoc khng phi l thng ip do An gi.
106
- Ni dung thng ip sai lc trong qu trnh truyn.
Hnh 5.2: S to ch k in t
S dng ch k in t (c chng thc) gn km vo thng
ip, c th m bo cc yu cu:
- Nhn din nh danh ngi pht hnh thng ip
- Ngi pht hnh khng th chi b
- m bo tnh ton vn thng tin, pht hin c trng hp
thng ip b can thip trn ng chuyn vn.
5.2.4. Phong b s an ton
mc 4.2.4 ta thy rng c th dng s trao i kha
cng khai gia hai i tc to mt phong b s kh n gin dng
chuyn giao kha i xng. Tuy nhin dng phong b s khng
an ton v c kh nng b tn cng ca ngi ng gia.
Bng cch phi hp c hai loi kha m ha i xng, bt i
xng vi thut ton hm bm, ta c th to c mt s giao dch
in t an ton m bo c cc yu cu ca cc nguyn l bo mt
trong giao dch.
Hnh 5.3 m t mt qu trnh m ha hn hp gia 3 loi thut
ton m ha i xng, bt i xng v hm bm to ra mt ch
107
k in t v mt phong b s. Trong v d hnh 5.3, An l ngi

gi cn Bnh l ngi nhn.
Hnh 5.3: Phi hp hm bm v hai loi m ha i xng,

bt i xng to phong b s an ton trong giao dch in t
Mt phong b s bao gm mt thng ip m ha v mt kha
phin c m ha. An dng kha m ha b mt m ha thng
ip m ha s dng kha phin m An to ra mt cch ngu
nhin cho tng phin giao dch. An dng kha cng khai ca Bnh
m ha kha phin. C thng ip m ha v c kha phin to
nn phong b s. Khi Bnh nhn thng ip, Bnh s dng kha ring
ca mnh gii m.
Ch k in t c to thnh bi 2 bc. Trc tin An tnh
ton gi tr bm ca thng ip, tip An m ha gi tr bm
bng kha b mt ca mnh.
Khi nhn c ch k s, Bnh dng kha m tha thun vi
An gii m ch k s v tm li c gi tr bm thng ip ca
An. Bnh li dng kha ca An gii m tm kha phin v tip
108
gii m thng ip ca An s dng kha phin v kha m trao

i vi An.
Sau cng Bnh tm li gi tr bm ca thng ip gii m v
so snh vi gi tr bm c c t vic gii m ch k in t. Nu
hai gi tr l trng nhau th Bnh tin chc l thng ip ton vn,
khng b can thip trong qu trnh truyn, mt khc cng m bo
thng ip ng l ca An.
V phn An, sau khi gi thng ip hon ton tin tng rng
chc chn ch c Bnh mi gii m ton b v c c thng ip
ca mnh v ch c Bnh c kha b mt.
5.3. H TNG C S KHA CNG KHAI
5.3.1. Nhu cu chng thc trong giao dch in t
Nh trnh by chng 3, vn phn phi, trao i kha
m (thng l kha i xng) trc khi tin hnh giao dch in t
an ton l iu rt kh khn v thng xuyn i mt vi nhiu
him ha.
Gi s An v Bnh trao i kha (cng khai) v ch k in t
giao dch vi nhau. Vic giao dch tin hnh bnh thng: mi bn
i tc hon ton nhn bit cc thng ip do pha bn i tc kia
pht hnh.
Tuy nhin vic trao i kha cng khai v ch k in t l giao
dch hon ton ring t gia 2 i tc nn c nguy c l nu mt
trong hai pha chi b nhng thng ip do mnh pht hnh bng
cch khng tha nhn kha cng khai v ch k in t trao i
l ca mnh th vic giao dch v v khng th quy trch nhim
php l cho ai c.
Pht sinh nhu cu l phi c bn th ba (trent) lm chng
cho vic trao i . Ni mt cch khc, khi mt c nhn, php nhn
mun s dng kha m v ch k in t ca mnh xc nh trch
109
nhim i vi cc thng ip do mnh pht hnh th phi c s

chng thc ca mt t chc c trch nhim v quyn lc no .
C quan chng thc in t CA (Certification Authority) l mt
t chc ng vai tr bn th ba trong cc giao dch in t. Mun
c tn nhim trong giao dch, mt t chc/c nhn phi n ng
k vi mt CA.
CA cp cc chng th s (cn gi l chng thc in t chng th) xc nhn vic s dng ch k s v gn mt kha cng
khai vi mt thc th (c nhn, php nhn, hoc my ch cung cp
dch v...)
Mt chng thc kha cng khai tiu biu thng bao gm kha
cng khai v cc thng tin (tn, a ch...) v thc th s hu kha .
Chng th in t cn c th c s dng kim tra mt
kha cng khai no thuc v ai.
Trong mt m hnh h tng kha cng khai (PKI) tiu biu, ch k
trong chng thc thuc v c quan cp chng thc s CA th Trent
chnh l c quan cp chng thc s.
Trong m hnh mng li tn nhim (Web of trust), th ch k c
th l ca chnh thc th hoc ca mt thc th khc, Trent c th
l bt k ngi dng no v mc tin tng ty thuc vo s nh
gi ca ngi dng.
Trong bt k trng hp no th ch k trong chng thc l s
m bo ca ngi k v mi lin h gia kha cng khai v thc th
c chng nhn.
Vic s dng chng thc s to iu kin p dng rng ri mt
m ha kha cng khai. i vi h thng m ha kha b mt (kha
i xng), vic trao i kha gia nhng ngi s dng trn quy m
ln l khng th thc hin c. H thng m ha kha cng khai
c th trnh c vn ny.
110
Nh trong v d xt trn, v nguyn tc nu An v Bnh mun

ngi khc gi thng tin mt cho mnh th ch cn cng b kha
cng khai ca chnh mnh. Bt k ai c c kha ny u c th gi
thng tin mt cho h. Tuy nhin, bt k ngi no khc (Cng
chng hn) cng c kh nng a ra mt kha cng khai khc v gi
mo rng l kha ca An. Bng cch lm nh vy k tn cng c
th c c mt s thng tin gi cho An. Nhng nu An a kha
cng khai ca mnh vo mt chng thc v chng thc ny c
mt bn th ba (Trent) xc nhn bng ch k in t th bt k ai tin
tng vo Trent s c th kim tra xem kha cng khai c ng
l ca An khng.
5.3.2. H tng c s kha cng khai
Trong mt m hc, h tng c s kha cng khai PKI (Public
Key Infrastructure) l mt c ch cho mt bn th 3 (thng l
c quan cp chng thc s) cung cp v xc thc nh danh cc bn
tham gia vo qu trnh trao i thng tin. C ch ny cng cho php
gn cho mi ngi s dng trong h thng mt cp kha cng
khai/kha b mt. Cc qu trnh ny thng c thc hin bi mt
phn mm t ti trung tm v cc phn mm phi hp khc ti cc
a im ca ngi dng.
Kha cng khai thng c phn phi trong chng thc in
t. Khi nim h tng kha cng khai thng c dng ch ton
b h thng bao gm c quan cp chng thc s (CA) cng cc c
ch lin quan ng thi vi ton b vic s dng cc thut ton mt
m ha kha cng khai trong trao i thng tin. Tuy nhin phn sau
c bao gm khng hon ton chnh xc bi v cc c ch trong PKI
khng nht thit s dng cc thut ton m ha kha cng khai. PKI
cho php nhng ngi tham gia xc thc ln nhau v s dng thng
tin t cc chng thc kha cng khai m ha v gii m thng tin
trong qu trnh trao i. Thng thng, PKI bao gm phn mm my
111
khch (client), phn mm my ch (server), phn cng (nh th

thng minh) v cc quy trnh hot ng lin quan. Ngi s dng
cng c th k cc vn bn in t vi kha b mt ca mnh v mi
ngi u c th kim tra vi kha cng khai ca h.
PKI cho php cc giao dch in t c din ra m bo tnh b
mt, ton vn v xc thc ln nhau m khng cn phi trao i cc
thng tin mt t trc. Hu ht cc h thng PKI quy m doanh
nghip u da trn cc chui chng thc xc thc cc thc th.
Chng thc ca ngi dng s c mt c quan cp chng thc s
cp, n lt nh cung cp ny li c chng thc c mt nh cung
cp khc cp cao hn to ra... (hnh cy). H thng s bao gm
nhiu my tnh thuc nhiu t chc khc nhau vi cc gi phn
mm tng thch t nhiu ngun khc nhau. V vy, cc tiu chun
l yu t rt quan trng i vi hot ng ca cc PKI. Hu ht cc
tiu chun v PKI hin ti c son tho bi nhm lm vic PKIX
ca IETF.
Cc h thng PKI doanh nghip thng c t chc theo m
hnh danh b trong kha cng khai ca mi ngi dng c lu
tr (bn trong cc chng thc s) km vi cc thng tin c nhn (s
in thoi, E-mail, a ch, ni lm vic...). Hin nay, cng ngh danh
b tin tin nht l LDAP v nh dng chng thc ph bin nht
X.509 cng c pht trin t m hnh trc ca LDAP l X.500.
Mc tiu chnh ca PKI l cung cp kha cng khai v xc nh
mi lin h gia kha v nh dng ngi dng. Nh vy ngi dng
c th s dng trong mt s ng dng nh:
M ha E-mail hoc xc thc ngi gi E-mail (OpenPGP
hay S/MIME).
M ha hoc nhn thc vn bn (Cc tiu chun ch k XML
hoc m ha XML khi vn bn c th hin di dng XML).
112
Xc thc ngi dng ng dng (ng nhp bng th thng

minh nhn thc ngi dng trong SSL).
Cc giao thc truyn thng an ton dng k thut Bootstrapping
(IKE, SSL): trao i kha bng kha bt i xng, cn m ha
bng kha i xng.
5.3.3. Chun X.509
Khi p dng chng thc quy m ln, c rt nhiu CA cng hot
ng. V vy chng hn nh An c th khng quen thuc (khng
tin tng) vi CA ca Bnh. Do chng thc ca Bnh c th phi
bao gm ch k ca CA mc cao hn. Qu trnh ny dn n vic
hnh thnh mt h thng mng li quan h phc tp v phn tng
gia cc CA. Mt h thng t chc nh vy l mt c s h tng kin
trc kha cng khai PKI. PKI l mt kin trc phn cp nhng i
tung c trch nhim xc minh cc kha cng khai ln nhau.
Chun chng thc kha cng khai ph bin nht hin nay l
X.509 do ITU-T ban hnh. Chun ny c lm thch ng vi
Internet bi nhm cng tc IETF PKIX working group. X.509 l mt
ngh ca ITU Lin minh Vin thng Quc t (ITU) nh ngha mt
hot ng khung (framework) v chng thc. Thc ra hin ti chun
X.509 ang c din gii theo mt s cch, ty theo cng ty cung
cp quyt nh s dng nh th no.
X.509 ln u tin c cng b vo nm 1988, v cc phin
bn tip theo c a ra gii quyt cc vn an ton. X.509
h tr c hai m b mt (m n) v m cng khai. X.509 nh ngha
cc ni dung v mt chng thc, bao gm s phin bn, s serial, ID
ch k, tn cng b, thi im c hiu lc, nh ngha ch , phn
m rng v ch k trn cc trng trn.
113
V c bn, mt ngi c trch nhim chng nhn s t kha

cng khai ca mt ngi no c nhu cu chng thc vo th tc
chng thc, sau xc thc li bng kha ring. iu ny bt buc
kha v th tc chng thc phi lun i km vi nhau. Bt c ai cn
dng kha cng cng ca mt i tng no u c th m th
tc chng thc bng kha cng cng ca cc i tng ny do ngi
c trch nhim chng thc cung cp (cc kha cng cng ny c
k hoc kha bng kha ring ca ngi c trch nhim chng thc).
V vy, ngi s dng phi tin rng ngi c trch nhim chng
thc s bo m vic hp l ha ngi ch ca kha cng khai v
thc s kha cng khai y chnh l kha cng khai ca ngi c
trch nhim chng thc. y chnh l lnh a ca cc PKI.
Trong chun X.509 v h thng h tng kha cng khai, mng
li CA to thnh cy t trn xung vi gc l mt CA trung tm
u tin CA gc (Root CA), khng cn c chng thc bi mt bn
no khc.
5.3.4. Thu hi kha
Mt chng thc kha cng khai c th b thu hi nu nh kha
ring tng ng ca n b l hoc mi lin h gia kha cng
khai v ch th s hu thay i. iu ny c th xy ra mc
khng thng xuyn nhng ngi s dng phi lun kim tra tnh
php l ca chng thc mi khi s dng.
Vic kim tra ny c th thc hin bng cch so snh chng
thc c th cn xem xt vi danh sch cc chng thc b thu hi
CRL (Certificate Revocation List). Vic m bo danh sch ny chnh
xc v cp nht l chc nng c bn ca h tng kha cng cng tp
trung. Tuy nhin cng vic ny i hi tn km ln v nhn cng
cng nh ngn sch nn thng khng c thc hin y .
114
thc s t hiu qu, danh sch ny phi lun sn sng cho bt k ai

cn n vo bt k thi im no ti mi ni.
Mt cch kim tra khc l truy vn vo ni cung cp chng
thc vi giao thc kim tra chng thc trc tuyn OCSP (Online
Certificate Status Protocol).
C hai phng php trn u c th b thay th bng mt chun
mi l chun XKMS. Tuy nhin tiu chun XKMS ny hin nay cn
cha c s dng rng ri. Mt chng thc s tiu biu gm cc
thnh phn sau:
- Kha cng khai;
- Tn: c th l tn ngi, my ch hoc t chc;
- Thi hn s dng;
- a ch URL ca trung tm thu hi chng thc ( kim tra).
5.3.5. C quan cp chng thc s t ng
Cc r bt CA (Robot CA) l cc chng trnh my tnh t ng
c kh nng kim tra v xc nhn mt s kha cnh ca kha cng
cng. Cc r bt ny c th lm gim ng k nhng tn cng vo
h thng, c bit l cc tn cng nhm vo vic lm chch hng
cc lung thng tin trn mng. Cc kha cnh ca kha cng cng
thng c kim tra l:
- Kha c cng b di nhn thc ca ngi s hu a ch
E-mail gn vi kha,
- Ngi s hu a ch E-mail ang c kha b mt,
- Tnh trng s dng kha.
Phn loi chng thc s
Cng ty Verisign a ra m hnh gm 3 loi chng thc in t
sau y:
115
- Loi 1 dnh cho c nhn, d kin dng gn vo cho E-mail.

- Loi 2 dnh cho t chc vi yu cu chng minh ngun gc v
t cch php nhn.
- Loi 3 dnh cho my ch v phn mm vi kh nng kim tra
c lp bng cch truy vn ti CA ni cung cp.
5.3.6. Mt s h thng PKI
Vic Diffie, Hellman v Rivest, Shamir, Adleman cng b cng
trnh nghin cu v trao i kha an ton v thut ton mt m ha
kha cng khai vo nm 1976 (Chng 3) lm thay i hon ton
cch thc trao i thng tin mt. Cng vi s pht trin ca cc h
thng truyn thng in t tc cao (Internet v cc h thng
trc n), nhu cu v trao i thng tin b mt tr nn cp thit.
Thm vo mt yu cu na pht sinh l vic xc nh nh dng
ca nhng ngi tham gia vo qu trnh thng tin. V vy tng v
vic gn nh dng ngi dng vi chng thc c bo v bng cc
k thut mt m c pht trin mt cch mnh m.
Cc nh doanh nghip k vng vo mt th trng ha hn mi
thnh lp nhng cng ty hoc d n mi v PKI v bt u vn
ng cc chnh ph hnh thnh nn khung php l v lnh vc ny.
Mt d n ca American Bar Association xut bn mt
nghin cu tng qut v nhng vn php l c th ny sinh khi vn
hnh PKI. Khng lu sau , mt vi tiu bang ca Hoa K m i u
l Utah (nm 1995) thng qua nhng d lut v quy nh u tin.
Cc nhm bo v quyn li ngi tiu dng th t ra cc vn
v bo v quyn ring t v cc trch nhim php l. Tuy nhin, cc
lut v quy nh c thng qua li khng thng nht trn th gii.
Thm vo l nhng kh khn v k thut v vn hnh khin cho
vic thc hin PKI kh khn hn rt nhiu so vi k vng ban u.
116
Ti thi im u th k XXI, ngi ta nhn ra rng cc k thut

mt m cng nh cc quy trnh/giao thc rt kh c thc hin
chnh xc v cc tiu chun hin ti cha p ng c cc yu cu
ra. Th trng PKI thc s tn ti v pht trin nhng khng
phi vi quy m c k vng t nhng nm gia ca thp k
1990. PKI cha gii quyt c mt s vn m ngi ta t hy
vng vo n.
Nhng PKI thnh cng nht ti nay l cc phin bn do cc
chnh ph thc hin.
Di y l danh sch mt s h thng PKI, trong mt s c
quan cp chng thc s hng u (v d VeriSign) khng c lit k
v cc phn mm ca h khng c cng b cng khai.
- H thng qun l chng thc Red Hat
- Computer Associates eTrust PKI
- Entrust
- Microsoft
- US Government External Certificate Authority (ECA)
- Nexus
- OpenCA (Mt m hnh PKI m ngun m)
- RSA Security
- phpki
- GenCerti
- ejbca
- newpki
- Papyrus CA Software
- pyCA
- IDX-PKI
117
- TinyCA
- ElyCA
- SimpleCA
- SeguriData
- Safelayer Secure Communications
5.4. GIAO THC PGP V MNG LI TIN CY
5.4.1. Chun PGP

Chun PGP (Pretty Goods Privacy) l mt chng trnh my
tnh m ha v gii m cc d liu c truyn trn cc E-mail cn
bo mt, do Phillip Zimmermann xut nm 1991 v l mt trong
nhng chng trnh ang c pht trin rng ri v hin nay Tp
on PGP ang cung cp nhiu phn mm da trn nn tng ny.
Vi mc tiu ban u l phc v cho m ha th in t, PGP
n nay tr thnh mt gii php m ha cho cc chnh ph, cc
cng ty ln cng nh cc c nhn. Cc phn mm da trn PGP
c dng m ha v bo v thng tin lu tr trn my tnh xch
tay, my tnh bn, my ch v trong qu trnh trao i thng qua
E-mail, YM hoc chuyn file. Giao thc hot ng ca h thng ny
c nh hng ln v tr thnh mt trong hai tiu chun m ha th
in t (tiu chun cn li l S/MIME, c s dng ph bin hn).
M ha PGP s dng mt t hp cc thut ton hm bm, nn
d liu, m ha kha i xng v cui cng l to ra cc cp kha
ring v kha cng khai cng thm vi h thng xc lp mi quan h
gia kha cng khai v ch danh ngi dng (cn cc - ID). Phin
bn u tin ca h thng ny thng c bit di tn mng li
tin cy da trn cc mi quan h ngang hng (khc vi h thng
X.509 vi cu trc cy da vo cc c quan cp chng thc s). Cc
118
phin bn PGP v sau da trn cc kin trc tng t nh h tng

kha cng khai.
Ban u PGP nhm vo mc tiu ch yu l mt m ha ni
dung cc thng ip th in t v cc tp nh km cho ngi dng
ph thng. Bt u t 2002, cc sn phm PGP c a dng ha
thnh mt tp hp ng dng mt m v c th c t di s qun
tr ca mt my ch. Cc ng dng PGP gi y bao gm: th in
t, ch k s, mt m ha a cng my tnh xch tay, bo mt tp
v th mc, bo mt cc phin trao i YM, mt m ha lung
chuyn tp, bo v cc tp v th mc lu tr trn my ch mng.
Phin bn PGP Desktop 9.x dnh cho my bn bao gm cc
tnh nng: th in t, ch k s, bo mt YM, mt m ha a
cng my tnh xch tay, bo mt tp v th mc, tp nn t gii m,
xa file an ton. Cc tnh nng ring bit c cp php theo cc
cch khc nhau ty theo yu cu.
Phin bn PGP Universal 2.x dnh cho my ch cho php trin
khai ng dng tp trung, thit lp chnh sch an ninh v lp bo co.
Phn mm ny c dng mt m ha th in t mt cch t
ng ti cng ra vo (gateway) v qun l cc phn mm my khch
PGP Desktop 9.x. N lm vic vi my ch kha cng khai PGP (gi
l PGP Global Directory) tm kim kha ca ngi nhn v c kh
nng gi th in t an ton ngay c khi khng tm thy kha ca
ngi nhn bng cch s dng phin lm vic HTTPS.
Vi ng dng PGP Desktop 9.0 c qun l bi PGP Universal
Server 2.0, tt c cc ng dng mt m ha PGP c da trn nn
kin trc proxy mi. Cc phn mm ny gip loi b vic s dng
cc plug-in ca th in t v trnh cho ngi dng vic s dng cc
ng dng khc. Tt c cc hot ng ca my ch cng nh my
khch u t ng tun theo mt chnh sch an ninh. PGP Universal
server cn t ng ha cc qu trnh to, qun l v kt thc cc
kha chia s gia cc ng dng PGP.
119
Cc phin bn mi ca PGP cho php s dng c 2 tiu chun:

OpenPGP v S/MIME, cho php trao i vi bt k ng dng no tun
theo tiu chun ca NIST.
5.4.2. Hot ng ca PGP
Nh ni trn, PGP s dng kt hp mt m ha kha cng
khai v thut ton kha i xng. Trong cc h thng ny, ngi s
dng u tin phi c mt cp kha: kha cng khai v kha b mt.
Ngi gi s dng kha cng khai ca ngi nhn m ha mt
kha chung (kha phin - session key) dng trong cc thut ton
mt m ha kha i xng. Mi kha cng khai do PGP to ra ch
c trao cho mt ngi dng (user) hay mt a ch E-mail. Phin
bn u tin ca h thng ny c tn gi l mng li tin cy c
m bo bi cc kha cng khai cp cho mi thnh vin khi ng k
gia nhp. Mi ngi s dng u c th ng k mt mt khu ring
ty s dng kha cng khai c cp nhng nu mt ngi
s dng bit mt khu ring ca ngi s dng khc th h vn c
th dng kha cng khai c cp cho ngi . V vy h thng
ny c nhc im l ch m bo an ton vi s ngi s dng
khng qu ln c th kim sot c vic s dng mt khu c
nhn bng nhng bin php i km khc.
PGP gi nhng thng ip b mt c m ha bng mt kha
i xng, kha ny ch s dng mt ln gi l kha phin (session
key). Kha phin c m ha bng kha ring tng ng vi kha
cng khai c phn phi trc cho ngi dng (hoc cho a ch
E-mail cn gi). Ngi dng s dng kha cng khai mnh c cp,
gii m tm kha phin v tip dng kha phin gii m
thng ip.
Kha phin ny chnh l kha mt m ha cc thng tin c
gi qua li trong phin giao dch. Rt nhiu kha cng khai ca
120
nhng ngi s dng PGP c lu tr trn cc my ch kha PGP

trn khp th gii (cc my ch soi - mirror ln nhau).
Ngi nhn trong h thng PGP s dng kha phin gii m
cc gi tin. Kha phin ny cng c gi km vi thng ip nhng
c mt m ha bng h thng mt m bt i xng v c th t
gii m vi kha b mt ca ngi nhn. H thng phi s dng c 2
dng thut ton tn dng u th ca c hai: thut ton bt i
xng n gin vic phn phi kha cn thut ton i xng c u
th v tc (nhanh hn c 1000 ln).
Mt chin lc tng t cng c dng (mc nh) pht
hin xem thng ip c b thay i hoc gi mo ngi gi. thc
hin 2 mc tiu trn ngi gi phi k vn bn vi thut ton RSA
hoc DSA. u tin, PGP tnh gi tr hm bm ca thng ip ri to
ra ch k s vi kha b mt ca ngi gi. Khi nhn c vn bn,
ngi nhn tnh li gi tr bm ca vn bn ng thi gii m ch
k s bng kha cng khai ca ngi gi. Nu 2 gi tr ny ging
nhau th c th khng nh (vi xc sut rt cao) l vn bn cha b
thay i k t khi gi v ngi gi ng l ngi s hu kha b mt
tng ng.
Trong qu trnh m ha cng nh kim tra ch k, mt iu v
cng quan trng l kha cng khai c s dng thc s thuc v
ngi c cho l s hu n. Nu ch n gin l ti v (download)
mt kha cng khai t u s khng th m bo c iu ny.
PGP thc hin vic phn phi kha thng qua chng thc s c
to nn bi nhng k thut mt m sao cho vic sa i (khng hp
php) c th d dng b pht hin. Tuy nhin ch iu ny thi th
cha v n ch ngn chn c vic sa i sau khi chng thc
c to ra. Ngi dng cn cn phi c trang b kh nng kim
tra xem kha cng khai c thc s thuc v ngi c cho l s
hu hay khng. T phin bn u tin, PGP c mt c ch h tr
121
iu ny l mng li tin cy. Mi kha cng khai (rng hn l cc

thng tin gn vi mt kha hay mt ngi) u c th c mt bn
th 3 xc nhn (in t).
Trong cc c t gn y ca OpenPGP, cc ch k tin cy c
th c s dng to ra do cc c quan cp chng thc s (CA).
Mt ch k tin cy c th chng t rng mt kha thc s thuc v
mt ngi s dng v ngi ng tin cy k xc nhn mt
kha ca mc thp hn. Mt ch k c mc 0 tng ng vi ch
k trong m hnh mng li tn nhim. Ch k mc 1 tng ng
vi ch k ca mt CA v n c kh nng xc nhn cho mt s lng
khng hn ch ch k mc 0. Ch k mc 2 tng t nh ch k
trong danh sch cc CA mc nh trong Internet Explorer; n cho
php ngi ch to ra cc CA khc.
PGP cng c thit k vi kh nng hy b/thu hi cc chng
thc c kh nng b v hiu ha. V mt kha cnh no , iu
ny tng ng vi danh sch chng thc b thu hi ca m hnh
h tng kha cng khai. Cc phin bn PGP gn y cng h tr tnh
nng hn s dng ca chng thc.
Vn xc nh mi quan h gia kha cng khai v ngi s
hu khng phi l vn ring ca PGP. Tt c cc h thng s
dng kha cng khai/b mt u phi i ph vi vn ny v cho
n nay cha c mt gii php hon thin no c tm ra. M hnh
ban u ca PGP trao cho quyn quyt nh cui cng ngi s dng
cn cc m hnh PKI th quy nh tt c cc chng thc phi c
xc nhn (c th khng trc tip) bi mt nh cung cp chng thc
trung tm.
5.4.3. An ton bo mt
Khi c s dng ng quy cch, PGP c xem l c an
ton rt cao. Hin nay cha c phng php no c bit ti c kh
nng ph v c PGP tt c cc phin bn. Nm 1996, nh mt
122
m hc Bruce Schneier nh gi cc phin bn u tin ca PGP l

"th gn nht vi mt m ha ca qun i m mi ngi c c"
(Applied Cryptography, xut bn ln 2, trang 587).
Tri vi nhng h thng an ninh/giao thc nh SSL ch nhm
bo v thng tin trn ng truyn, PGP c th bo v c d liu cho
mc ch lu tr lu di (h thng file).
Cng ging nh cc h thng mt m v phn mm khc, an
ninh ca PGP c th b v hiu trong trng hp s dng sai hoc
thng qua cc dng tn cng gin tip. Trong mt trng hp, FBI
c ta n cho php ci t b mt phn mm ghi nhn bn
phm (keystroke logging) thu thp mt khu PGP ca ngi b
tnh nghi. Sau , ton b cc tp/E-mail ca ngi b v hiu v
l chng c php l nh ti danh.
Ngoi nhng vn trn, v kha cnh mt m hc, an ninh ca
PGP ph thuc vo cc gi nh v thut ton m n s dng trong
iu kin v thit b v k thut ng thi. Chng hn, phin bn
PGP u tin s dng thut ton RSA m ha kha phin; an ninh
ca thut ton ny li ph thuc vo bn cht hm mt chiu ca
bi ton phn tch ra tha s nguyn t. Nu c k thut mi gii bi
ton ny c pht hin th an ninh ca thut ton, cng nh PGP
s b ph v. Tng t nh vy, thut ton kha i xng trong PGP
l IDEA cng c th gp phi nhng vn v an ninh trong tng
lai. Nhng phin bn PGP gn y h tr thm nhng thut ton
khc na; v th mc an ton trc s tn cng v mt mt m
hc cng thay i.
V rng cc t chc nghin cu ln v mt m hc (nh NSA,
GCHQ...) khng cng b nhng pht hin mi ca mnh nn c th tn
ti nhng phng php gii m nhng thng ip PGP m khng cn
bit n kha b mt c s dng. iu ny cng ng vi bt k h
thng mt m no khc khng ch l PGP.
123
Hin nay PGP cho php s dng mt s thut ton khc nhau
thc hin vic m ha. V th cc thng ip m ha vi PGP hin ti
khng nht thit c nhng im yu ging nh PGP phin bn u.
Tuy nhin cng c mt s tin n v s khng an ton ca PGP
phin bn u tin (s dng cc thut ton RSA v IDEA).
Phil Zimmermann, tc gi ca PGP, tng b chnh ph Hoa K
iu tra trong vng 3 nm v vic vi phm nhng quy ch trong xut
khu phn mm mt m. Qu trnh iu tra c kt thc mt
cch t ngt. Zimmermann cng tng tuyn b rng s d chnh ph
Hoa K kt thc iu tra l v h tm ra cch ph v PGP trong
thi k .
T nhng lp lun trn, c th khng nh tng i chc
chn rng ti thi im hin ti ch nhng c quan thuc v chnh
ph mi c nhng ngun lc cn thit c th ph v nhng
thng ip PGP. i vi tn cng phn tch mt m t pha c nhn
th PGP vn tng i an ton.
5.4.4. Vi nt lch s
Phil Zimmermann to ra phin bn PGP u tin vo nm 1991.
Vo thi im ny, ng ta l mt nh hot ng chng nng
lng ht nhn v mc ch to PGP l phc v nhng ngi c
mc tiu tng t c th s dng cc h thng bng thng bo in
t (bulletin board) v lu tr tp mt cch an ton. i vi mc tiu
s dng phi thng mi, PGP hon ton min ph v ton b m
ngun c bao gm trong tt c sn phm. PGP d dng thm nhp
vo Usenet v t vo Internet.
Tn gi "Pretty Good Privacy" (tm dch: B mt tng i tt)
c t theo tn ca mt ca hiu tp ha thnh ph gi tng
Lake Wobegon trong chng trnh pht thanh ca tc gi Garrison
Keillor. Trong chng trnh ny, tn ca hiu tp ha l "Ralph's
Pretty Good Grocery" (Tim tp ha tng i tt ca Ralph).
124
T khi mi xut hin, PGP gp ro cn v chnh sch hn ch

xut khu phn mm mt m ca chnh ph Hoa K.
Ngay sau khi xut hin, PGP thu ht c kh nhiu ngi s
dng trn Internet. Nhng ngi s dng v ng h bao gm nhng
ngi bt ng quan im ti nhng nc chuyn ch, nhng ngi
bo v quyn t do c nhn v nhng ngi ng h t do thng tin
(cypherpunk).
Khng lu sau khi ra i, PGP c s dng bn ngoi Hoa
K v vo thng 02 nm 1993, Zimmermann tr thnh mc tiu ca
mt cuc iu tra ca chnh ph Hoa K v vic xut khu "v kh"
khng c giy php. Ti thi im , cc h thng mt m vi kha
ln hn 40 bit c xp hng cng vi v kh trong khi PGP cha
bao gi s dng kha c di nh hn 128 bit. Mc hnh pht cho
ti ni trn kh nng nhng cuc iu tra t ngt dng li m
khng c mt li kt ti no.
Chnh sch hn ch xut khu mt m vn cn hiu lc nhng
c ni lng rt nhiu k t thp k 1990. T nm 2000 tr i th
vic tun th cc chnh sch ny khng cn l iu kh khn na.
PGP khng cn c xp l v kh khng c php xut khu v
c php xut khu ti bt k ni no nu khng b cm ti ni .
Bng sng ch
Cc phin bn PGP u tin cn gp phi vn v bng sng
ch. Phin bn u tin s dng mt thut ton m ha kha i
xng do chnh Zimmermann thit k (c tn l Bass-O-Matic). Ngay
sau , ng ta thy c thut ton ny khng m bo an ninh v
thay th bng IDEA. C hai thut ton RSA v IDEA u c cp
bng sng ch v i hi c bn quyn s dng. c nhng tranh
ci kh gay gt v vic Zimmermann s dng RSA v IDEA trong phn
mm ca mnh. Zimmermann tuyn b rng RSA Data Security (nay
l RSA Security) cho php (bng li ni) i vi vic s dng cho
125
cc mc ch phi thng mi nhng RSA khng chnh thc tha

nhn vic ny. Cuc iu tra bt u t n kin ca RSA DSI ti
hi quan Hoa K v vic s dng thut ton RSA trong PGP.
Vn cn tr nn phc tp hn do tnh trng v bn quyn khc
nhau cc quc gia. RSA ch c cp bng sng ch ti Hoa K;
nhng ngi nm bn quyn IDEA t ra rng ri hn so vi RSA.
Thm vo , bn quyn ca thut ton RSA c kim sot mt phn
bi MIT thng qua RSA DSI (RSA Data Security Inc.). MIT khng phn
i PGP nhng cc tc gi PGP vn gp kh khn do thi th ch
ca RSA DSI i vi cc s dng phi thng mi ca RSA.
Tranh chp v bn quyn RSA c gii quyt bng vic pht
trin PGP theo 2 nhnh:
Phin bn s dng trong Hoa K: s dng th vin RSAREF
(shareware ca RSA).
Phin bn quc t: PGP-i, s dng m RSA nguyn gc ca
Zimmermann. iu ny cng gip trnh nhng kh khn
vi quy ch hn ch xut khu phn mm mt m. PGP-i
c duy tr v phn phi bi Stale Schumacher Na Uy.
Phin bn dnh cho Hoa K c phn phi bi nhiu nh cung
cp, trong bao gm c MIT trn Internet, BBS, cc c nhn v
nhm ngi dng. t nht l trn website ca MIT, nhn c
PGP th a ch E-mail phi thuc v Hoa K hoc Ca-na-a. Bn
ngoi Hoa K, ngi s dng ti v t trang web ca Schumacher:
http://pgp.org.
Pht trin trong giai on sau
Ngay trong thi gian tranh chp, i ng pht trin ca
Zimmermann tip tc a ra phin bn PGP 3. Phin bn ny c
nhiu ci thin v an ninh, trong cu trc mi ca chng thc
c sa vi li nh ca phin bn 2.x cng nh cho php dng cc
126
kha khc nhau cho qu trnh m ha v k xc nhn. Bn cnh ,

xut pht t bi hc v bn quyn v xut khu, PGP 3 loi b
hon ton bn quyn. PGP 3 s dng thut ton mt m kha i
xng CAST-128 (cn gi l CAST5) v thut ton mt m ha kha
bt i xng DSA v ElGamal. Cc thut ton ny u khng b rng
buc bi bn quyn.
PGP thng mi
Nh nu phn trc, ngay t khi xut hin, PGP gp
phi rc ri trong vn xut khu ra ngoi Hoa K. Sau khi cuc
iu tra ca chnh ph kt thc vo nm 1996, Zimmermann v cc
cng s ca mnh khi s thnh lp mt cng ty pht trin cc
phin bn mi ca PGP. Cng ty ny c st nhp vi cng ty
Viacrypt (cng ty mua bn quyn thng mi ca PGP cng nh
c bn quyn s dng RSA t RSA DSI) v i tn thnh tp on
PGP. Cng ty mi thnh lp ny bt u pht trin cc phin bn
PGP mi da trn PGP 3. Khc vi PGP 2 l phn mm da trn
dng lnh (command line), PGP c thit k t u l mt th vin
hm cho php ngi dng c th lm vic trn dng lnh cng nh
thng qua mi trng ha (GUI).
Tha thun ban u gia Viacrypt v Zimmermann l Viacrypt
to ra cc phin bn nh s chn cn Zimmermann cc phin bn
nh s l. Trn c s , Viacrypt to ra phin bn PGP 4 da trn
PGP 2. trnh nhm ln v vic PGP 3 l phin bn tin thn ca
PGP 4 th PGP 3 c i tn l PGP 5 v c tung ra vo thng
5/1997.
Ngay ti PGP Inc., vn c mi lo ngi v vn bn quyn. RSA
DSI a ra phn i v bn quyn s dng RSA i vi cng ty mi
thnh lp. PGP Inc chuyn sang s dng mt tiu chun ni b gi
l "Unencumbered PGP": khng s dng bt k mt thut ton no b
rng buc bi bn quyn.
127
OpenPGP v cc phn mm da trn PGP

Do tm nh hng ln ca PGP trn phm vi th gii (c xem
l h thng mt m cht lng cao c s dng nhiu nht), rt
nhiu nh pht trin mun cc phn mm ca h lm vic c vi
PGP 5. i ng pht trin PGP thuyt phc Zimmermann v i
ng lnh o ca PGP Inc. rng mt tiu chun m cho PGP l iu
cc k quan trng i vi cng ty cng nh cng ng s dng mt
m. Ngay t nm 1997 c mt h thng tun th theo cc tiu
chun ca PGP ca mt cng ty B tn l Veridis (lc c tn l
Highware) vi bn quyn PGP 2 nhn c t Zimmermann.
V vy vo thng 7 nm 1997, PGP Inc. xut vi IETF v mt
tiu chun m c tn l OpenPGP. PGP Inc. cho php IETF quyn s
dng tn OpenPGP cho tiu chun cng nh cc chng trnh tun
theo tiu chun mi ny. IETF chp thun xut v thnh lp
nhm lm vic v OpenPGP.
Hin nay, OpenPGP l mt tiu chun Internet v c quy nh
ti RFC 2440 (thng 7 nm 1998). OpenPGP vn ang trong giai
on pht trin v quy nh tip theo ca RFC 2440 ang c nhm
lm vic tip tc hon thin (vo thi im thng 1 nm 2006).
Qu pht trin phn mm t do
Qu pht trin phn mm t do (Free Software Foundation)
cng pht trin mt chng trnh tun theo OpenPGP c tn l GNU
Privacy Guard (GnuPG). GnuPG c phn phi min ph cng vi
m ngun theo giy php GPL. u im ca vic s dng GnuPG so
vi PGP (tuy GnuPG cha c giao din GUI cho Windows) l n lun
c cung cp min ph theo giy php GPL. iu ny c bit quan
trng nu ngi s dng mun gii m nhng ti liu m ha ti thi
im hin nay trong mt tng lai xa. iu tng t khng ng vi
PGP v khng c g m bo PGP s c cung cp min ph trong
128
tng lai. Trn thc t, i vi PGP 9 th ph bn quyn tng t

nht cho nhng ngi s dng PGP Personal; thm vo , lch s
phc tp ca bn quyn PGP cng gy ra nhiu lo lng.
Ngoi ra, nhiu nh cung cp khc cng pht trin cc phn
mm da trn OpenPGP.
Cc phin bn PGP xut hin sau khi c tiu chun vn tun
theo hoc h tr OpenPGP.
Vo thng 12 nm 1997, PGP Inc. c Network Associates Inc.
(NAI) mua li. Zimmermann v i ng pht trin PGP tr thnh
nhn vin ca NAI. NAI tip tc vic i tin phong trong vic xut
khu vi chnh sch xut bn phn mm (cng ty u tin c chnh
sch xut khu bng vic cng b m ngun). Di s bo h ca
NAI, i ng PGP b sung cc tnh nng nh m ha a, tng
la, pht hin xm nhp v IPsec VPN vo h cc sn phm PGP.
Nm 2000, sau khi chnh sch xut khu phn mm c thay
i v khng cn i hi vic cng b m ngun, NAI ngng xut
bn m ngun ca mnh bt chp s phn i ca i ng pht trin
PGP. Vic ny gy ra s kinh ngc cho ngi s dng PGP trn
ton th gii.
u nm 2001, Zimmermann b vic ti NAI. Sau , ng ta gi
vai tr lnh o v mt m cho Hush Communications, mt nh
cung cp dch v th in t da trn OpenPGP. ng ta cng lm
vic vi Verisdis v mt s cng ty khc.
Thng 10/2001, NAI tuyn b bn cc ti sn lin quan ti PGP
v ngng cng vic pht trin PGP. Phn duy nht c gi li l
PGP E-Business Server (nguyn gc l PGP Commandline). Thng 2
nm 2002, NAI ngng mi h tr cho PGP tr phn c gi li ni
129
trn. NAI (gi y l McAfee) tip tc bn v h tr sn phm ny

di tn l McAfee E-Business Server.
Thng 8 nm 2002, mt s thnh vin c ca i ng pht trin
PGP thnh lp Tp on PGP (PGP Corporation) v mua li cc ti
sn lin quan ti PGP t NAI. PGP Corp tip tc h tr nhng ngi
s dng PGP v tn trng cc hp ng h tr cn hiu lc.
Zimmermann tr thnh c vn c bit v nh t vn cho PGP Corp
ng thi vn tip tc cc mi quan h ti Hush Communications v
Veridis cng nh iu hnh cng ty t vn ring ca mnh.
NAI vn gi bn quyn phin bn dng lnh ca PGP v tip tc
bn ra di tn l "McAfee E-Business Server."
Cho ti trc thng 01 nm 2004, theo tha thun k vi
NAI, PGP Corp khng c quyn cung cp phin bn dng lnh ca
PGP. Ti gia nm 2004, PGP Corp bt u cung cp sn phm ny.
Vi s hp tc ca Zimmermann, Veridis pht trin v bn mt
phin bn dng lnh tng thch vi OpenPGP c tn l Filecrypt.
Filecrypt v GnuPG c cung cp y m ngun cng nh cung
cp cc phin bn trc trn nhiu nn tng khc nhau.
Sau khi mua li ti sn lin quan ti PGP t NAI (2002), PGP
Corp cung cp h tr k thut v PGP trn ton th gii.
5.4.5. Cc phin bn ca PGP Corp. Theo th t thi gian:
2002
- PGP 7.2 cho Mac OS 9.
- PGP Personal v PGP Freeware.
- PGP 8.0 cho Macintosh v Windows.
- PGP Corporation cng b m ngun.
130
2003
- PGP Desktop 8.0.1DE cho Windows ting c.
- PGP Desktop 8.0.2.
- PGP Desktop 8.0.3 cho Macintosh v Windows.
- Cng b v ng gi PGP Universal INFO, mt dng sn
phm mi.
- PGP Universal 1.1 (30 thng 12).
2004
- PGP Universal 1.2.
- PGP Desktop 8.1.
- PGP Command Line 8.5.
- PGP Corporation v Symantec a ra gii php an ninh th
in t tch hp PGP Universal cho doanh nghip.
- PGP Software Development Kit (SDK) nhn c FIPS 140-2
Level 1 t NIST.
2005
- PGP Universal 2.0 v PGP Desktop 9.0 cng nh dch v
PGP Global Directory.
- "Tiger" cho Mac OS X 10.4 .
- Nng cp PGP 9.0.1 Freeware thnh bn y tnh nng
di dng phn mm dng th 30 ngy.
- PGP Whole Disk Encryption c chnh thc pht hnh
nh mt sn phm c lp.
- PGP 9.0.2 vi phn cp nht cho bn chuyn m quc t v
bn a ha ting c.
- PGP 9.0.2 vi phn cp nht cho bn a ha ting Nht.
131
S tng thch gia cc phin bn PGP

Cc vn v bn quyn v chnh sch xut khu gy ra mt
s vn tng thch gia cc phin bn PGP. Tuy nhin t khi
OpenPGP c chp thun v t khi Tp on PGP c thnh lp
(2002) th tnh trng ni trn c ci thin ng k.
OpenPGP quy nh cc c ch thng lng gia cc chng
trnh PGP cc pha ca ng truyn cng nh thut ton m ha
c s dng v cc tnh nng b sung khc t phin bn PGP 2.x.
Tt c cc chng trnh tun theo PGP u bt buc phi thc hin
nhng quy nh ny. V vy, khng tn ti nhng vn tng thch
ln gia cc phin bn PGP, bt k n c lp trnh t u: PGP
Corp, McAfee, Gnu/FSF (ie, GPG), Hushmail, Veridis, Articsoft,
Forum... Cc lp trnh vin ca cc chng trnh ny cng c mi
quan h nht nh vi nhau. H coi nhng bt tng thch l cc li
phn mm v sa mi khi pht hin ra.
Tng thch ca PGP 2.x
Kh nng tng thch ca cc phin bn PGP gn y vi
PGP 2.x c phn phc tp hn. PGP 2 s dng cc thut ton c
bn quyn di nhiu iu khon khc nhau. Bn quyn ca RSA
ht hiu lc t nm 2000 nhng bn quyn ca IDEA ch ht hiu
lc vo 2010-2011.
Mt s phin bn PGP gn y cung cp kh nng tng thch
vi PGP 2.x (cc phin bn ca PGP Corp v Hushmail) nhng cc
phin bn ca cc nh cung cp khc th khng tng thch. ng k
nht l GnuPG khng m bo tnh nng ny (IDEA). c th lm
vic vi PGP 2.x th phi c m-un b sung (plug-in) cho GnuPG.
Tuy nhin ngi dng phi t xy dng m-un ny. s dng IDEA
cho cc mc ch thng mi th ngi dng cn phi c giy php
trong khi h c th s dng min ph cho cc mc ch khc.
132
Vo thi im nm 2004, cch tt nht trnh cc vn

khng tng thch vi PGP 2.x l khng s dng chng v s dng
cc phin bn tun theo chun OpenPGP.
Mt s vn nh v an ninh ca PGP 2.x c pht hin v
mt s c sa. Tuy nhin mt s trong cc giao thc c bn
dng trong PGP 2.x c nhng im yu c th b tn cng v chng
vn cha c sa. Cc li ny khng xut hin trong tiu chun
OpenPGP cng nh cc bn thc hin tiu chun.
Mc d cc bn PGP 2.x v li khng c vn nghim trng
no nhng nhm lm vic ca IETF vn khng tn thnh vic tng
thch vi OpenPGP. Staale Schumacher Ytteborg vn duy tr trang
web pgpi.org trong cung cp hu ht cc phin bn PGP k t 2.x.
Do nguyn nhn lch s, gia cc phin bn PGP 2.x tn ti vn
khng tng thch mt cch ch (do bn quyn RSA). Mt phn
trong nhng n lc gii quyt iu ny l yu cu ca phin bn 2.6
phi tng thch vi cc phin bn 2.x trc n. iu ny c thc
hin bng cch nng cp cu trc d liu bn trong v s dng bn
thc hin RSAREF ca RSA.
M ngun ca PGP thc hin thut ton RSA c th c s
dng hp php bn ngoi Hoa K (chng hn PGP 2.6.3i). B m ny
c tc thc hin thut ton nhanh gp i so vi m ca RSAREF.
Trong thi im , ti Hoa K, i ng pht trin PGP vit
PGP 3 (sau ny i tn thnh PGP 5, xem phn trn) v tiu chun
OpenPGP c chp nhn. Cc kh khn v bn quyn buc
h phi loi b RSA nhng vo nm 2000 (khi bn quyn ht hn)
th PGP v OpenPGP tip tc h tr thut ton ny. V t khng
tn ti cc phin bn cho Hoa K v quc t ring bit na.
133
Tm li, trong thi im hin nay, ngi s dng nn dng cc

phin bn mi tun theo OpenPGP. S hp tc gia cc nh pht
trin gii quyt phn ln cc vn khng tng thch gia chng.
So snh c tnh ca cc phin bn. So snh vi RFC 1991
(PGP 2.x), OpenPGP a ra nhiu tnh nng mi. N h tr
kh nng tng thch ngc, c ngha l cc phin bn thc
hin OpenPGP c th c v s dng cc kha, chng thc
ca cc phin bn trc .
PGP 2.x khng c kh nng tng thch xui v n khng th
s dng cc vn bn hay kha tun theo OpenPGP.
Trong bng sau, cc thut ton bt buc c nh du bng
du *.
c tnh
nh dng kha
Thut ton kha
bt i xng
PGP 2.x (RFC 1991)
OpenPGP (RFC 2440)
Kha v3
Kha v4
*RSA (m ha & ch k)
RSA (m ha v ch k)
*DSA (ch k)
*Elgamal (m ha)
Thut ton kha

i xng
*IDEA
IDEA
*Triple-DES
CAST5
Blowfish
AES 128, 192, 256
Twofish
Hm bm mt m
*MD5
MD5
*SHA-1
RIPEMD-160
SHA-256
SHA-384
SHA-512
Thut ton nn
ZIP
ZIP
gzip
bzip2
134
Cc tnh nng b sung ca kha v4 so vi v3 ca OpenPGP:

- Kha cng khai c th c cc kha con bn cnh kha chnh,
cho php s dng cc kha khc nhau cho m ha v ch k.
- H tr nhiu thut ton khc nhau m bo kh nng
tng thch:
+ Mt s thut ton l bt buc
+ Kha cng khai ca ngi nhn c th xc nh th t u tin
ca cc thut ton
- M hnh mng li tn nhim c m rng vi kh nng h tr
tnh nng ch k c tin tng (ch k ny khng nhng c tin
m cn c quyn xc nhn nhng ch k khc), cho php thc
hin mt dng ca c quan cp chng thc s.
- Mt chng thc s c th quy nh mt kha khc c kh nng
thu hi n.
- Mt s li an ninh nh trong m t ID v nh dng c sa.
(v3 v v4 ch n h thng phin bn s dng bn trong nh
dng d liu ch khng phi phin bn phn mm PGP)
5.4.6. Cc phn mm thc hin
Sau y l danh mc mt s phn mm thc hin cc phin bn
ca PGP.
- Authora Inc. Thnh vin sng lp ca Open PGP Alliance Ngi to ra Zendit (phn mm PGP m bn t do dnh
cho c nhn) v EDGE (Dng lnh m PGP).
- McAfee Inc. - McAfee E-Business Server Dng ln PGP gc
dnh cho Windows, Solaris, AIX, LINUX, HPUX, v my tnh
ln (OS/390, z/OS).
- PGP Corporation - nh gim st, nh cung cp v nh h tr
hin ti ca PGP vn phng.
135
- GNU Privacy Guard (aka GnuPG hoc GPG).

- WinPT, giao din ha.
- GPGee, m rng Windows explorer dnh cho GnuPG.
- GPGshell, ngun vo Windows dnh cho GnuPG.
- Enigmail, s m rng E-mail i vi h Mozilla.
+ MacGPG, the Mac OS X port of GnuPG.
+ GPGMail, a plugin for Apple's Mail
+ KGPG - a simple, KDE frontend for GnuPG.
+ GPGol - a plugin for Microsoft Outlook 2003.
+ Gpg4win - a windows bundle of WinPT, GPGee, GPA, GPGol,
and more
- Patrick Townsend & Associates l mt cng ty thng mi u
tin a GPP n h iu hnh IBM os/400 iSeries.
- EasyByte Cryptocx - OpenPGP tng thch vi thnh phn DLL.
- Veridis - phin bn dng lnh ca PGP.
- BSD Privacy Guard - BSD cp giy php thc hin PGP, bt u bi
NetBSD cng s tr gip ca Google Summer of Code.
- PGPfreeware 6.0.2i
- Danh sch Website PGP bng ting Anh
- PGPfreeware 7.0.3 for Windows (s dng cho mc ch phi
thng mi).
- Hng dn cho ngi mi bt u hc PGP 6.5.8
- PGP 6.5.8 for Inix (phn mm min ph)
136
6
MT S GIAO THC BO MT
THNG DNG KHC
Ngoi nhng vn bo mt trong quc phng, an ninh mt
trong nhng loi giao dch in t ph bin rng ri trong x hi c
yu cu bo mt rt cao l nhng giao dch thng mi, nht l vn
thanh ton trong Thng mi in t. Cc giao dch thc cht
u l vic trao i nhng thng ip c cha thng tin cn c
bo mt (th trao i, hp ng, thanh ton tin, v.v.).
Sau y ta ln lt xt n mt s giao thc bo mt s dng
ph bin hin nay trong giao dch in t, ch yu l trong cc dch
v Internet v thng tin thanh ton trong thng mi in t.
Cc h thng mt m hin nay ang c s dng ph bin ni
chung c th chia lm hai nhm chnh.
Nhm th nht bao gm cc chng trnh v giao din c s
dng trong m ha d liu trong cc th in t: cc chng trnh
c cc thng ip trong th in t v lu gi di dng mt m
hoc chuyn cho i tc c cp kha m nh l S/MIME.
Cc chng trnh ny cng c s dng cho mt ngi (single
user) t bo v cc tp lu gi trn my tnh c nhn ca mnh.
Nhm th hai l cc h thng giao din mng c s dng vi
mc ch cung cp cc tnh nng nh bo mt, xc nhn, ng b
Chng 6: Mt s giao thc bo mt thng dng khc
137
ha v lc thng tin trong mi trng mng. Cc h thng ny u

yu cu phn hi tc thi gia tng ngi dng trong h thng
khch hng vi mt my ch c cu hnh chun hot ng ng
quy cch. Nhiu h thng trong nhm ny tr thnh cng c nn
tng cho cc website thng mi in t nh: SSL, PCT. S-HTTP,
SET, v SSH
6.1. GIAO THC BO MT TH IN T M RNG A PHNG TIN
PGP cng l mt giao thc c s dng bo mt c hiu qu
cho dch v th in t. Tuy vy do bi cc cng ty cung cp dch v
hm th in t u c quan h kinh doanh rt cht ch vi RSA
Data Security nn S/MIME thng dng ph bin cho cc hm th
in t hn l PGP.
6.1.1. Giao thc m rng th in t a phng tin trn Internet
c bo mt (S/MIME)
Giao thc m rng th in t a phng tin trn Internet - c
bo mt S/MIME (Secure/Multipurpose Internet Mail Extension) l
mt chng trnh do RSA Data Security thit k ging nh mt hp
cng c m ha cho php gn ch k s ca ngi gi vo cc tin
nh km trong hp th m rng a phng tin s dng giao thc
MIME (Multipurpose Internet Mail Extension). MIME c m t
trong giao thc RFC 1521 v c xut s dng lm chun chnh
thc cho th in t m rng, tc l s dng cho vic truyn ti cc
tp nh km multimedia trong hp th in t
gi tp nh km th in t cn c bo v cho mt i
tc, c hai hm th u phi ng k s dng S/MIME v ngi gi
phi c cung cp kha cng khai ca ngi nhn.
S/MIME(1) c tiu chun ha chuyn thnh IETF v xut
hin nhiu cng b m t S/MIME phin bn th ba. Hin thi
(1)
Thng tin chi tit v MIME c th tm c ti a ch: ftp://ftp.isi.edu/in-notes

/rfc1521.txt
138
S/MIME c gn vi mt s nh cung cp dch v mng v dch v

th in t hng u nh: ConnectSoft, Frontier, FTP Software,
Qualcomm, Microsoft, Lotus, Wollongong, Banyan, NCD, SecureWare,
VeriSign, Netscape, v Novell.
6.1.2. Chc nng
S/MIME cung cp nhng dch v m ha bo mt sau y cho cc
ng dng truyn thng ip: Nhn dng, ton vn thng tin v chng
chi b ca ngi pht hnh thng ip (s dng ch k s) cng nh
b mt v an ton d liu (dng mt m ha). S/MIME c dng c
bit cho cc ng dng thng ip m rng a phng tin (MIME)
kiu application/pkcs7-mime (kiu smime "d liu c bc") nhm
m ha d liu trong ton b thc th MIME c bao bc v ng
gi thnh mt i tng, i tng ny tip c chn vo mt
thc th application/pkcs7-mime MIME.
Mt thng ip th in t gm hai phn: phn tiu (header)
v phn ni dung hay phn thn (body). Cu trc ca phn tiu
c th tm thy trong giao thc RFC 822. Cu trc ca phn thn
thng khng xc nh sn ngoi tr trng hp th in t c s
dng nh dng MIME. MIME quy nh cu trc mc nh ca phn
thn th in t, cho php th in t bao gm nhng phn vn bn
tng cng, hnh nh, m thanh c tiu chun ha thng qua
cc h thng th MIME. MIME cho php cc h thng E-mail tch
hp c thng tin d liu dng vn bn, hnh nh v m thanh tuy
nhin bn thn MIME khng cung cp dch v bo mt. Ni dung ca
giao thc S/MIME chnh l xc nh nhng dch v bo mt cn
thit, tun theo c php trong PKCS#7 cho ch k s v thut ton
m ha. Phn thn ca MIME mang mt thng ip PKCS#7, bn
thn n l kt qu m ha trn mt phn thn ca MIME.
6.1.3. Cc chng th S/MIME
Trc khi S/MIME c dng cho mt trong cc ng dng ni
mc trn, ch hm th cn phi nhn c v phi ci t mt kha
139
km theo chng th c nhn do mt c quan chng thc s ni b

hoc do mt c quan chng thc s cng cng cp. Thc t nht l
nn dng nhng kha b mt (v nhng chng th km theo) ring
r cho vic s dng ch k v cho vic m ha v iu ny cho php
bn trao i kha m ha m khng lm nh hng l b mt v ch
k. Thut ton m ha i hi trong kho d liu lu tr ca bn phi
c chng th ca i tc nhn thng ip ca bn (vic lu tr ny
l hon ton t ng ha mi khi bn nhn c thng ip t mt
i tc c km mt ch k c gi tr hp l). V mt cng ngh, bn
hon ton c th gi mt thng ip m ha (s dng chng th
ca ngi nhn th) d rng bn khng c chng th v ch k ca
mnh, tuy nhin trong thc t cc khch s dng S/MIME bao gi
cng yu cu bn ci t chng th ca chnh bn trc khi h cho
php bn s dng kha m ca h.
Mt chng th c nhn c bn (lp th nht) ch c th kim
tra xc thc cn cc ngi gi, xem th ngi gi E-mail
c thc s l ch nhn ca a ch ghi From: trong E-mail
nhn c hay khng theo ngha l ngi gi E-mail n cho bn
c th nhn c nhng th tr li gi n a ch ghi trong
From hay khng. Chng th lp c bn ny khng cho php
bn kim tra c tn v doanh nghip ca ngi gi E-mail.
Mun bit c iu ny, bn cn i hi mt chng th lp th
hai t mt CA c lu tr v xc nhn nhng thng tin chi tit hn
ca ngi c cp chng th.
Ty thuc vo chnh sch ca tng CA, c nhng CA quy nh
nim yt cng khai thng tin ca ngi c cp chng th
phc v cho vic tm kim v kim tra trong khi nhiu CA khc li
khng cung cp cc thng tin c nhn c th nh tn, doanh nghip
cng tc m ch cung cp nhng thng tin ti thiu nh s chng
th (serial) v danh sch cc chng th b thu hi bn t kim
tra m thi.
140
6.1.4. Tr ngi khi trin khai S/MIME trong thc t

Khi trin khai s dng S/MIME cho cc ng dng trn Internet
ta c th gp mt s tr ngi sau y.
- Khng phi l phn mm E-mail no cng ti vo c ch
k ca S/MIME, kt qu l tp tin nh km c gi l smime.p7s
c th lm cho mt s ngi b nhm ln.
- Nhiu khi S/MIME b xem l khng thc s ph hp cho khch
s dng thng qua webmail. D rng c th c nhng tr gip chn
c vo trnh duyt nhng c nhng dch v thc hnh bo v vn
i hi mt kha ring cho pha ngi dng c th truy cp cn
t pha my ch webmail th khng truy cp c: iu ny gy
phin phc cho li th ca kha webmail trong vic cung cp kh
nng truy cp mt cch ph bin. iu ny khng ring g cho
S/MIME, thc ra nhng bin php an ton khc k (signing) mt
webmail cng c th i hi trnh duyt web (browser) phi m ha
to ch k, ngoi tr PGP Desktop v mt s phin bn ca
GnuPG, cc phn mm ny c th tch d liu ra khi webmail, k
bng clipboard ri chuyn li d liu k vo trang webmail. V
mt an ton th thc ra y li l bin php tt hn.
- S/MIME c thit k ring cho vic bo v an ton u-ncui. Thut ton m ha s khng ch m ha cc thng tin ca bn
gi i m cng m ha lun c cc phn mm c (virus) nu c. V
vy, nu mail ca bn c qut cc phn mm c khp mi ni
nhng ch tr cc im cui, chng hn nh cc cng kt ni ca
ton cng ty ca bn th vic m ha s v hiu ha cc my qut v
bn mail s pht tn thnh cng cc phn mm c.
Gii php khc phc c th l:
- Thc hin qut m c ti u cui my trm sau khi gii m.
- Lu tr cc kha ring trn my ch ca cng, nh vy th vic
gii m c th thc hin trc khi qut m c. (Tuy nhin v mt
141
bo mt th bin php ny khng c ti u v c th cho php vi

k no truy cp vo my ch cng c th ca ngi khc!)
- S dng b qut ni dung thng ip c thit k c bit
cho vic qut ni dung ca thng ip m ha cn vn gi nguyn
cc ch k v bn m ha. Gii php ny phi cha mt cng c bo
v c tch hp, s dng cho c kha ring dng gii m thng
ip v cho c phn ni dung tm thi c gii m.
6.2. AN NINH TNG GIAO VN V TNG M BO MT
6.2.1. SSL v TLS
SSL (Secure Socket Layer) l giao thc a mc ch c thit
k to ra cc giao tip gia hai chng trnh ng dng trn mt
cng nh trc (socket 443) nhm m ha ton b thng tin i/n,
m ngy nay c s dng rng ri cho giao dch in t nh truyn
s hiu th tn dng, mt khu, s b mt c nhn PIN (Personal
Information Number) trn Internet, trn cc th tn dng v.v.
Giao thc SSL c hnh thnh v pht trin bi Netscape, v
ngy nay c s dng rng ri trn World Wide Web trong vic
xc thc v m ha thng tin gia pha khch (client) v pha my
ch (server). T chc IETF (Internet Engineering Task Force: Lc
lng cng tc k thut v Internet) chun ha SSL v t li tn
l TLS (Transpot Layer Security: An ninh lp giao vn). Tuy nhin
SSL vn l thut ng c s dng rng ri hn.
SSL c thit k nh l mt giao thc ring cho vn bo
mt c th h tr rt nhiu ng dng. Giao thc SSL hot ng bn
trn TCP/IP v bn di cc giao thc ng dng tng cao hn nh l
HTTP (Hyper Text Transpot Protocol: Giao thc truyn ti siu vn
bn), IMAP (Internet Messaging Access Protocol: Giao thc truy
nhp bn tin Internet) v FTP (File Transport Protocol: Giao thc
truyn file). SSL c th s dng h tr cc giao dch an ton cho
142
rt nhiu ng dng khc nhau trn Internet, v hin nay SSL c

s dng chnh cho cc giao dch trn Web.
SSL khng phi l mt giao thc n l, m l mt tp hp cc
th tc c chun ha thc hin cc nhim v bo mt sau:
Xc thc Server
Cho php ngi s dng xc thc c server mun kt ni. Lc
ny, pha browser s dng cc k thut m ha cng khai chc
chn rng certificate v public ID ca server l c gi tr v c cp
pht bi mt CA trong danh sch cc CA ng tin cy ca client.
iu ny rt quan trng i vi ngi dng. V d nh khi gi m s
credit card qua mng th c ngi dng thc s mun kim tra liu
server s nhn thng tin c ng l server m h nh gi n khng.
Xc thc Client
Cho php pha server xc thc c ngi s dng mun kt
ni. Pha server cng s dng cc k thut m ha cng khai
kim tra xem certificate v public ID ca server c gi tr hay khng
v c cp pht bi mt CA trong danh sch cc CA ng tin cy
ca server khng. iu ny rt quan trng i vi cc nh cung cp.
V d khi mt ngn hng nh gi cc thng tin ti chnh mang tnh
bo mt ti khch hng th h rt mun kim tra nh danh ca
ngi nhn. M ha kt ni: Tt c thng tin trao i gia client v
server c m ha trn ng truyn nhm nng cao kh nng bo
mt. iu ny rt quan trng i vi c hai bn khi c cc giao dch
mang tnh ring t. Ngoi ra, tt c cc d liu c gi i trn mt
kt ni SSL c m ha cn c bo v nh c ch t ng
pht hin cc xo trn, thay i trong d liu.
6.2.2. Hot ng ca SSL
im c bn ca SSL l n c thit k c lp vi tng ng
dng m bo tnh b mt, an ton v chng gi mo lung thng
143
tin qua Internet gia hai ng dng bt k, v d nh webserver v cc

trnh duyt khch (browsers), do c s dng rng ri trong
nhiu ng dng khc nhau trn mi trng Internet.
Ton b c ch hot ng v h thng thut ton m ha s
dng trong SSL c ph bin cng khai, tr kha phin chia s tm
thi (session key) c sinh ra ti thi im trao i gia hai ng
dng l to ngu nhin v b mt i vi ngi quan st trn mng
my tnh.
Ngoi ra, giao thc SSL cn i hi ng dng ch phi c
chng thc bi mt i tng lp th ba (CA) thng qua chng thc
in t (digital certificate) da trn mt m cng khai (v d RSA).
Giao thc SSL da trn hai nhm con giao thc l giao thc bt
tay (handshake protocol) v giao thc bn ghi (record protocol).
Giao thc bt tay xc nh cc tham s giao dch gia hai i
tc c nhu cu trao i thng tin hoc d liu, cn giao thc bn ghi
xc nh khun dng cho vic tin hnh m ha v truyn tin hai
chiu gia hai i tc . Khi hai ng dng my tnh, v d gia mt
trnh duyt web v my ch web, lm vic vi nhau, my ch v my
khch s trao i li cho di dng cc thng ip gi cho nhau
vi xut pht u tin ch ng t my ch, ng thi xc nh cc
chun v thut ton m ha v nn s liu c th c p dng gia
hai ng dng.
Ngoi ra, cc ng dng cn trao i s nhn dng/kha theo
phin (session ID, session key) duy nht cho ln lm vic . Sau
ng dng khch (trnh duyt) yu cu c chng thc in t (digital
certificate) xc thc ca ng dng ch (web server). Chng thc
in t (chng th) thng c xc nhn bi mt c quan trung
gian l CA nh RSA Data Sercurity.., mt dng t chc c lp,
trung lp v c uy tn. Cc t chc ny cung cp dch v xc nhn
s nhn dng ca mt cng ty v pht hnh chng ch duy nht cho
144
cng ty nh l bng chng nhn dng (identity) cho cc giao dch

trn mng, y l cc my ch (web server).
Sau khi kim tra chng th (chng ch in t) ca my ch (s
dng thut ton mt m cng khai, nh RSA ti trnh my trm),
ng dng my trm s dng cc thng tin trong chng th m
ha thng ip gi li my ch m ch c my mi c th gii m.
Trn c s , hai ng dng trao i kha chnh (master key) (kha
b mt hay kha i xng) lm c s cho vic m ha lung thng
tin/d liu qua li gia hai ng dng ch khch.
TLS hoc SSL c th xem nh mt tng giao thc trung gian
gia tng mng v tng giao vn trong m hnh DoD (5 tng) hoc
OSI (7 tng) ca mng my tnh. Trong TLS hoc SSL, mi thng
ip c chuyn i cho mt i tc c cp chng nhn giao dch
hoc nhn t i tc u c m ha bi mt kha i xng khi
chuyn i v c gii m khi nhn n, thng ip cn c gn
mt mt m nhn dng (c vai tr nh mt ch k in t) c h
thng cp cho mi i tc. SSL s dng s xc nhn thng qua mt
m chung X509.
SSL
Tng giao vn
Tng giao vn
M ha
SSL
Gii m
Tng mng
Tng mng
Hnh 6.1: SSL trong giao thc mng

Mt website s dng giao thc http c tch hp SSL c tnh
nng bo mt thng tin gi t pha my khch (client side) vo trang
web n pha my ch (server side) v thng tin tng giao vn bn
my khch phi qua tng ph SSL c m ha (theo lut m ha
145
cng khai c SSL cung cp cho my ch trang web) ri mi

quay v tng mng tip tc chuyn i: d liu truyn i trn mi
trng Internet c m ha (ciphertext). Pha my ch khi d
liu v n tng mng th li c a sang tng ph SSL c
gii m (bng kha ring ca pha my ch tng ng vi kha cng
khai trn trang web) ri quay v tng giao vn chuyn xung tng
p dng: thng tin tng ng dng nhn c li l thng tin tng
minh (plaintext).
Giao thc http c tch hp SSL thng k hiu l: https. Cc
trang web dng cho dch v ngn hng trc tuyn ca cc website
thanh ton in t an ton nht thit u cn c s dng giao
thc ny.
Cng ngh truyn thng ring t (PCT)
Cng ngh truyn thng ring t PCT (Private Communication
Technology) PCT 1.0 cng l mt giao din an ton tng giao vn
(transport layer) c hng Microsoft pht trin vo khong gia
nhng nm 1990 khc phc nhng l thng trong phin bn 2.0
v thc p hng Nescape t b quyn kim sot SSL 2.0 m lc
h ang s hu bn quyn.
V sau PCT c thay th bi SSLv3 v TLS. Trong mt giai
on ngn PCT cn c Internet Explorer h tr nhng cc phin
bn sau ny khng cn na. PCT hin cn c thy trong IIS v
trong cc th vin h iu hnh Windows tuy nhin trong Windows
Server 2003 th mc nh l khng cho php s dng.
6.3. CC GIAO THC TRUYN THNG C BO MT
6.3.1. HTTPS
Giao thc truyn thng siu vn bn c bo mt HTTPS
(Hypertext Transfer Protocol Secure) l mt t hp ca HTTP
(Hypertext Transfer Protocol: giao thc truyn thng siu vn bn)
146
vi SSL/TLS cung cp dch v truyn thng c m ha v nhn

dng an ton cho mt my ch web. Giao thc HTTPS thng c
dng cho cc website thanh ton in t trn WWW hoc cho cc
giao dch nhy cm trong mt h thng thng tin ln.
Netscape Communications to ra HTTPS trong nm 1994 dng
cho trnh duyt web Netscape Navigator. Thot u, HTTPS c
dng vi chun m ha SSL nhng sau SSL pht trin thnh TLS
cho nn phin bn hin nay ca HTTPS c k hiu nh danh l
RFC 2818 vo hi thng 5 nm 2000.
tng chnh ca HTTPS l tm cch to ra mt knh truyn tin
an ton trn mt mng khng an ton. iu ny c th cung cp
nhng phng thc bo v c hiu qu chng li nhng k nghe
ln v chng li s tn cng ca k ng gia bng cch dng
mt dy quy tc m ha thch hp v thit k sao cho chng th ca
my ch phi c kim tra v tin tng. Nim tin to c trong
HTTPS da ch yu vo c s cc c quan chng thc in t (CA)
c ci t trc trn trnh duyt. Do vy, mt s kt ni HTTPS
n mt website c th c tin cy khi v ch khi cc iu kin sau
y c thc hin:
1. Ngi s dng tin tng rng trnh duyt ca h thc hin
mt cch ng n giao thc HTTPS c ci t trc
vi nhng CA ng tin cy.
2. Ngi s dng tin tng l CA ch chng thc cho nhng
website hp php, khng c quan h vi nhng website la o.
3. Website xut trnh mt chng th hp l, ngha l c k
xc nhn bi mt CA ng tin cy.
4. Trong chng th ch r cn cc nhn dng ca website
(ngha l nu trnh duyt truy cp n a ch:
https://vidu.com th chng th ca website thc s thuc
v cng ty vidu ch khng phi thuc v t chc khc!)
147
5. Hoc l mi can thip ngu nhin trn Internet u ng tin

cy hoc l ngi s dng tin tng l tng mng c m
ha bi giao thc bo mt (TLS hay SSL) l khng th b
nghe ln.
a ch URL ca cc website thng thng dng giao thc HTTP
bt u vi cm k t http:// v mc nh s dng cng 80. Cc
website s dng giao thc c bo mt HTTPS c a ch URL bt u
bi cm k t https:// v s dng mc nh cng 443.
Tng mng
HTTP hot ng ngay tng ng dng, tng cao nht trong m
hnh tham chiu OSI nhng giao thc bo mt th li hot ng
mt tng ph thp hn: giao thc ny m ha thng ip trc khi
gi i v gii m thng ip sau khi nhn c. Ni ng ra, HTTPS
khng hn l mt giao thc m l dng ch vic s dng HTTP
thng thng pha trn mt kt ni c m ha bi SSL hoc TLS:
tt c ni dung trong thng ip HTTP u c m ha, k c tiu
ca gi tin. tin cy ca HTTPS l rt cao v ngoi tr tn cng
CCA (s ni sau) cn th k tn cng nu nm bt c thng ip
cng s ch bit c a ch IP n v i ca thng ip (m iu
ny th h bit ri) cn ngoi ra khng th hiu g.
Ci t my ch
chun b cho mt website tip nhn lin kt HTTPS, ngi
qun tr cn to mt kha cng khai cho my ch web. Chng th
cp cho kha ny phi c k xc nhn bi mt CA ng tin cy i
vi trnh duyt c tip nhn. CA cn chng nhn rng ngi
mang chng th ng thc l thc th m ngi ng k. Cc
trnh duyt thng c phn phi km theo nhng chng th c
k bi a s cc CA do c th thm nh c cc chng th do
nhng CA k xc nhn.
148
Tip nhn chng th

Cc chng th c th c cp min ph bi mt s CA, mt s
khc yu cu np l ph duy tr khng ln (nm 2010 l t 13USD
cho n khong 1,500USD mi nm). Cc t chc ln, c uy tn
cng c th cho lu hnh chng th do CA ca chnh t chc mnh
pht hnh, c bit trong trng hp h thit k ly trnh duyt
truy cp cc website ca h (chng hn cc mng Intranet ca cc
cng ty, ca cc i hc ln). Cc t chc ny cng c th gn thm
bn sao chng th t to ca h vo cc chng th ng tin cy
c phn phi cng vi trnh duyt. Cng c th c nhng t chc
chng thc ln nhau c gi l CACert.
Tch hp trnh duyt
Hu ht cc trnh duyt khi nhn c mt chng th khng c
gi tr u a ra mt cnh bo. Cc trnh duyt loi c hn th mi
khi kt ni vi mt website c chng th khng hp l thng a ra
mt hp thoi cho ngi s dng v hi h c mun tip tc kt ni
hay khng. Cc trnh duyt mi hn th a ra cnh bo hin trn
ton b ca s. Cc trnh duyt mi nht gn y cn c th trnh
thng tin v s an ton ca tng website ngay trong thanh a ch.
S dng qun l ng nhp
H thng cng c th s dng nhn dng pha khch nhm
hn ch ch cho nhng ngi s dng c cp php mi c th truy
cp my ch web. Mun lm iu ny, ngi qun tr website s to
cho mi ngi s dng mt chng th, chng th c ti vo
trnh duyt ca n. Thng thng chng th gm tn v a ch
E-mail ca ngi dng c cp php v c my ch kim tra t
ng thm nh cn cc ca ngi dng ngay mi ln kt ni
li, khng cn n nhp mt khu.
149
Trng hp b l kha ring

Mt chng th c th b hy trc khi ht hn, chng hn v l
do l kha ring ng vi n b l. Cc trnh duyt mi gn y
nh Google Chrome, Firefox, Opera v Internet Explorer trn
Windows Vista c b sung thm giao thc trng thi chng th
trc tuyn OCSP (Online Certificate Status Protocol) thm nh
iu . Trnh duyt s gi s serial ca chng th cho CA hay cho
i din ca CA thng qua OCSP v CA tr li ngay l chng th
b hy hay cha.
Mt s im hn ch
SSL khng ngn chn c ton b mt website s dng mt
ng lch (crawler) v i khi c th on ra c a ch URL
ca ngun m ha khi ch bit kch thc ca cc lnh request v
response yu cu/tr li. iu ny lm cho k tn cng d tin hnh
thm m.
Do bi giao thc SSL hot ng bn di HTTP v khng h bit
g v cc giao thc cc tng trn cho nn cc my ch SSL ch c
th trnh ra c mt chng th cho mi b a ch IP/Cng. iu
ny c ngha l trong hu ht cc trng hp, vic s dng cch t
tn to hosting o l khng kh thi i vi HTTPS. C mt gii
php cho iu ny l tch hp mt phn mm gi l Ch th tn my
ch SNI (Server Name Indication). SNI s gi tn ca host n my
ch trc khi m ha kt ni. Tuy nhin ch c cc trnh duyt mi
t Firefox-2, Opera-8, Safari 2.1, Google Chrome 6 v Internet
Explorer 7 trn Windows Vista mi c h tr SNI, cn cc browser
c th khng tng thch.
6.3.2. S-HTTP
Bn ng ln ln HTTPS vi giao thc S-HTTP trong h giao
thc RFC 2660.
150
HTTP an ton S-HTTP (Secure HTTP) l mt giao thc truyn

thng hng thng ip c bo mt c s dng kt hp vi HTTP.
S-HTTP c thit k nhm cng tn ti vi m hnh truyn thng
ip ca HTTP v c th tch hp d dng vo cc ng dng ca
HTTP. Cn ch rng: S-HTTP m ha tng thng ip ring l
trong khi HTTPS m ha ton b mt knh truyn thng. V vy
S-HTTP khng th dng bo v an ton mng ring o VPN
(Virtual Private Network) nhng HTTPS th li c.
S-HTTP cung cp hng lot c ch an ninh cho pha my khch
v pha my ch ca HTTP, nhng c ch ny cung cp cc dng dch
v an ninh ph hp vi nhiu mc ch s dng rng ri cho WWW.
S-HTTP cung cp nhng kh nng hon ton i xng v bnh ng
cho pha my khch v pha my ch m vn gi nguyn m hnh
giao tip v cc c tnh ca HTTP.
Nhiu dng tiu chun m ha thng ip c tch hp vo
pha my khch v my ch S-HTTP. S-HTTP h tr cc tng tc
trong hng lot hot ng tng thch vi HTTP. S-HTTP khng i
hi chng th kha cng khai ca pha my khch v n ch hot
ng vi h thng kha i xng. iu ny rt c ngha v thng
c th xut hin nhng giao dch, thanh ton t xut khng th i
hi ngi dng c nhn phi c sn mt kha cng khai c thit
lp. Tuy l S-HTTP c u th l c th thit lp h tng c s chng
thc khp ni nhng trin khai s dng n th li khng cn n
iu y.
S-HTTP h tr cc giao dch an ton t u n cui. Khch c
th thot tin bt u mt giao dch b mt (in hnh l dng
nhng thng tin trong phn tiu ca thng ip), iu c th
dng h tr vic m ha cc mu phi in chng hn. Vi
S-HTTP th khng c d liu nhy cm no phi gi i di dng
tng minh trn mng.
151
S-HTTP cung cp nhng thut ton, nhng phng thc v

tham s m ha hon ton mm do. Vic thng lng chn la
cho php pha my khch v pha my ch tha thun v cc thut
ton m ha cho phng thc giao dch (RSA thay bi DSA k,
DES thay bi RC2 m ha v.v.) v tuyn chn chng th.
S-HTTP c thc hin nhm trnh khi qu ph thuc vo mt
m hnh tin cy ring bit no d rng nhng ngi thit k ra
n tha nhn gi tr v to iu kin d dng thc hin m hnh
h thng tin cy theo tn ti t gc v cng chp nhn l c th c
nhiu chng thc kha cng khai.
S-HTTP khc vi Digest-Authentication ch l D-A c h tr cho
kh nng s dng m ha kha cng khai v ch k s ng thi
cng m bo tnh b mt ring t.
6.3.3. FTPS
Giao thc truyn tp c bo mt (FTPS)
Giao thc truyn tp c bo mt FTPS (File Transfer Protocol
Secure) l s b sung kt hp s h tr ca cc giao thc bo mt
SSL hay TLS vo giao thc truyn tp FTP. Thit k v hot ng ca
FTPS cng tng t nh HTTPS.
FTP c son tho t 1971 s dng cho cng tc trao i
nghin cu khoa hc trn lin mng ARPANET. Vo thi vic truy
cp vo ARPANET c hn ch cho mt s mng qun s v mt vi
trng i hc v ch c mt cng ng ngi s dng rt hp mi
c th lm vic m khng yu cu tnh b mt hoc ring t cho d
liu trong giao thc.
ARPANET phn r mt b phn thnh lin mng NSFnet, mng
ny v sau tr thnh Internet vi s ngi s dng truy cp vo my
ch thng qua nhng con ng truyn thng di trn Internet tng
152
ln rt nhiu cho nn c hi cho nhng k c trm nhng d liu

trao i cng rt ln.
Nm 1994, Cng ty Netscape tung ra b giao thc SSL bo v
cho vic truyn thng trn Internet chng li s c trm thng tin.
SSL c s dng km theo vi HTTP to ra giao thc truyn
thng c bo mt HTTPS v n nm 1996 vi bn phc tho RFC
(Request for Comments) giao thc SSL cng bt u c s dng
km vi giao thc truyn tp FTP. Sau khng lu mt cng thng
tin ca IANA c ng k chnh thc, tuy nhin cng phi n
nm 2005 th RFC mi chnh thc hon thnh.
Cc phng php gi chc nng bo v
C hai phng php khc nhau c pht trin s dng cho
vic gi chc nng bo v an ninh pha my ch cho cc my khch
s dng FTP: Phng php tng minh/phng php hin (Explicit)
v phng php ngm/n (Implicit). Phng php hin l mt s b
sung tng thch qua FTPS thng bo cho ngi s dng c th
gi chc nng bo v an ninh vi mt my ch (c bo v FTPS) m
khng gy nh hng n hot ng ca FTP i vi nhng khch s
dng khng gi n FTPS. Phng php n i hi mi khch s
dng my ch FTPS u phi c cnh bo l trong phin giao dch
SSL ang c s dng v nh vy s khng tng thch vi
nhng khch khng gi n FTPS.
Phng php tng minh
Trong phng php tng minh, cng c gi l FTPES, mt
khch s dng FTPS phi nu r rng yu cu s bo v an ninh t
pha mt my ch FTPS v ngay tip sau l trao i tha thun
mt kha m. Nu pha khch khng yu cu an ninh th pha ch c
th: hoc l cho pha khch tip tc lm vic vi ch khng an
ton, hoc l t chi hay gii hn vic kt ni.
153
C ch thng lng v cch nhn dng v bo v an ninh vi

FTP c tng cng bng giao thc RFC 2228, bao gm c mt
lnh FTP mi l AUTH. Trong khi RFC khng quy nh r rng
mt c ch an ninh no c yu cu (ngha l SSL hay TLS) nhng
li i hi khch s dng FTPS phi trao i vi my ch FTPS v
mt c ch an ninh m c i bn u bit.
Nu pha khch FTPS a ra cho pha my ch FTPS mt c ch
an ninh m pha my ch khng bit th my ch FTPS s tr li vi
lnh AUTH l c sai lm m s 504 (khng c h tr) (Error Code
504). Pha khch c th xc nh xem l c h tr bi c ch an
ninh no bng cch yu cu my ch FTPS bng lnh FEAT, nhng
pha my ch khng nht thit phi thng bo l n s h tr mc
an ninh no.
Cc phng php chung thng gm: AUTH TLS v AUTH SSL.
Trong phin bn mi sau ny RFC 4217, FTPS yu cu pha
khch lun lun phi dng phng php AUTH TLS thng
lng. RFC cng lun khuyn co cc pha my ch FTPS chp nhn
c ch AUTH TLS-C.
Phng php n
Vi cc cu trc FTPS dng n, ngi ta khng cho php thng
lng. Pha khch ngay lp tc phi gi n pha my ch FTPS mt
thng ip Hello TLS/SSL (TLS/SSL ClientHello message), nu
khng nhn c thng ip cho hi th pha my ch ngt ngay
kt ni.
bo m tng thch vi nhng khch s dng FTP khng
dng TLS/SSL, s ny hin nay vn c, FTPS dng n phi trng i
c knh qun l FTPS v knh 989/TCP v d liu FTPS trn
Cng 990/TCP quen thuc ca IANA. iu ny cho php cc ngi
qun tr bo m c nhng dch v tng thch hp php trn
knh qun tr gc 21/TCP FTP.
154
Nn nh rng thng lng dng n khng c xc nh trong

RFC 4217. Do vy i hi phi c mt bin php thng lng
TLS/SSL cho FTP c tin hnh trc.
H tr chung
FTPS h tr ton phn cho cc giao thc m ha TLS v SSL,
bao gm c s dng ca chng thc thm nh kha cng khai cho
pha my ch ln s dng ca chng th cp php cho pha khch.
N cng h tr cc thut ton m ha tng thch thng dng nh
AES, RC4, Triple DES v cc hm bm SHA, MD5, MD4, v MD2.
Phm vi ng dng
Trong phng thc n, ton b phin FTPS u c m ha.
Phng thc hin khc ch l pha khch c s kim sot hon
ton v nhng vng no ca lin kt cn c m ha. C th cho
hot ng hoc ngng hot ng chc nng m ha cho knh qun
l FTPS v ca knh d liu FTPS bt c lc no. iu hn ch duy
nht l t pha my ch v n c kh nng t chi mt s lnh da
trn chnh sch m ha ca my ch.
Knh iu khin an ton
Phng thc Knh iu khin an ton (Secure Command
Channel) c th a vo bng cch pht xut nhng lnh AUTH TLS
hay AUTH SSL. Sau mi ln nh vy, mi truyn thng knh d liu
gia pha khch FTPS v pha my ch u gi thit l c m
ha. Ni chung c khuyn co l nn nhp vo mt trng thi
c m ha nh vy trc khi tin hnh nhn dng v cp php cho
ngi s dng, iu ny nhm chng k th ba nghe trm tn v
mt khu ca ngi s dng.
Knh d liu an ton
Knh d liu an ton c th a vo thng qua vic pht xut
lnh PROT. iu ny mc nh l khng c php khi c lnh
155
AUTH TLS pht xut trc . Sau mi ln nh vy, mi truyn

thng knh d liu gia pha khch FPTS v pha my ch u gi
thit l c m ha. Pha khch FTPS c th thot khi kiu
knh d liu an ton bt c lc no bng cch pht xut mt lnh
Xa knh d liu CDC (Clear Data Channel).
L do ngng chc nng m ha
Khi thc hin truyn thng tin di nhng tnh hung nh sau
y th s dng vic m ha knh d liu c th khng li:
Cc tp c truyn c ni dung bnh thng, khng c g
nhy cm, khng cn phi m ha.
Cc tp c truyn m ha t trc trong tp
M ha TLS hay SSL khng t yu cu bo mt. iu ny
thng xy ra i vi phn mm pha khch v pha ch FTPS
i c, b gii hn giao thc SSL 40 bit do lut cm xut
khu phn mm m ha cao cp ca Hoa K trc y.
Trong nhng tnh hung nh sau th s dng vic m ha knh
qun l cng c th khng c li:
S dng FTPS khi m my khch hoc my ch t pha sau
mt tng la mng hoc mt thit b thay i a ch mng
NAT (Network Address Translation).
C nhng khch s dng FTP v danh s dng lp li AUTH
hay CCC/CDC cng trong mt phin giao dch. Hnh vi nh
vy c th dng cho mt tn cng t chi dch v DOS (Denial
of Service) v rng c mi ln nh vy th mt phin TLS/SSL
li phi c to ra lm mt thi gian x l ca my ch.
Chng th SSL
Ging nh HTTPS (nhng khc vi SFTP), cc my ch FTPS c
th cung cp chng thc kha cng khai.
156
Cc chng thc c th c to ra bng cch s dng nhng

cng c ca Unix nh l ssl-ca ca OpenSSL.
Chng thc phi c mt c quan chng thc in t (CA)
k nu khng th pha khch FTPS s thy mnh c cnh bo l
chng th khng hp l.
Khng tng thch vi tng la
Do bi FTP s dng mt cng th cp ng (cho cc knh d
liu) nn nhiu tng la c thit k lun d xt cc thng
ip trong giao thc FTP nhm xc nh xem nhng lin kt d liu
th cp no cn c cp php. Th nhng, nu kt ni qun l FTP
c dng TLS/SSL m ha th tng la khng th xc nh
c s hiu Cng ca cc d liu trao i gia pha khch v pha
ch FTP.
V th trong nhiu mng my tnh c tng la, khi trin khai
cc tp khng m ha th c nhng vi cc tp m ha th li
khng trin khai c.
Vn ny c th gii quyt bng cch l ch s dng mt s t
Cng cho d liu v ta s nh dng cho tng la chp nhn cc
cng .
Khng nn nhm ln FTPS vi SFTP (SSH File Transfer Protocol:
Giao thc truyn tp bao v s), mt h thng con ca SSH dng
truyn cc tp tin ln.
C rt nhiu c ch truyn tp s dng giao thc SSH:
- Secure copy (SCP), c pht trin t giao thc RCP trn SSH
- SSH File Transfer Protocol (SFTP), mt giao thc truyn tp c
bo mt bng SSH thay th cho ETP.
- FTP trn SSH (A.K.A. FISSH) a ra t nm 1998, c pht
trin t cc lnh Unix shell trn SSH.
157
6.4. SSH
6.4.1. Giao thc v s bo mt (SSH)
Giao thc v s bo mt SSH (Secure Shell Protocol) l mt
giao thc mng an ton kim tra v bo v vic truy cp t xa
trong dch v TELNET v cng c th m ha bo mt d liu
trong dch v truyn cc tp tin in t ln (FTP) trong mi trng
khng tin cy chng hn nh mi trng Internet.
SSH cho php trao i d liu gia 2 thit b mng thng qua
mt knh tin cy. Hai phin bn chnh ca SSH l SSH1 hay SSH-1 v
SSH2 hay SSH-2.
V tr ca SSH trong chui giao thc Internet
Chui giao thc Internet
Tng ng dng
BGP DHCP DNS FTP HTTP IMAP IRC LDAP MGCP
NNTP NTP POP RIP RPC RTP SIP SMTP SNMP SSH
Telnet TLS/SSL XMPP
..
Tng giao vn
TCP UDP DCCP SCTP RSVP ECN
Tng mng
IP (IPv4, IPv6) ICMP ICMPv6 IGMP IPsec
Tng lin kt d liu
ARP/InARP NDP OSPF Tunnels (L2TP) PPP Media Access
Control (Ethernet, DSL, ISDN, FDDI) (more)
v. v
158
SSH s dng mt m kha cng khai nhn dng mt my

tnh xa ng thi cng cho php my tnh xa nhn dng c
ngi ang kt ni s dng nu cn thit. Cng tiu chun TCP 22
SSH quy nh s dng lin kt vi cc my ch SSH.
6.4.2. Phin bn 1.x
Nm 1995, Tatu Ylnen mt nghin cu vin ti i hc Cng
nghip Helsinki, Phn Lan (Helsinki University of Technology)
thit k phin bn u tin ca giao thc ngy nay gi l SSH-1 ngay
sau khi cm nhn c nguy c tn cng nh cp mt khu trong
mng my tnh ca trng i hc. Mc ch ca giao thc l
tng cng bo v cho cc giao thc TELNET, rlogin v rsh ang
c s dng trong mng. Cng trnh ca Ylnen c cho php s
dng t do t thng 7 nm 1995 v nhanh chng tr nn ph bin.
n cui 1995 s ngi s dng c s SSH ln n hn 20.000
ngi trn 50 quc gia.
n thng 12 nm 1995 Ylnen thnh lp t chc An ninh
truyn thng SSH (SSH Communications Security) tip th v
pht trin SSH. Phin bn gc ca SSH s dng nhiu b phn ca
nhng phn mm min ph nh l GNU libgmp nhng v sau cc
phn mm do Cng ty an ninh truyn thng SSH dn pht trin
thnh nhng phn mm c bn quyn. n nm 2000 ngi ta c
lng c khong hn 2 triu ngi s dng SSH.
M c tn cng
Vo nm 1998 mt m c c m t trong phin bn SSH 1.5,
m c ny c th chn nhng ni dung bt hp php vo cc dng
d liu m ha do bi phin bn ny c s dng CRC-32 vn khng
kh nng bo v ton vn d liu. Sau mi phin bn sau u
c tch hp mt phn mm dit m c gi l b pht hin tn
cng ca SSH. Thng ging nm 2001 ngi ta pht hin mt m
c c kh nng cho php k tn cng lm thay i khi (block) cui
159
cng ca mt phin m ha IDEA. Cng trong thng ngi ta li

pht hin thm mt m c c kh nng cho php mt my ch mo
danh c th chuyn tip vic nhn dng khch s dng sang mt
my ch khc.
Phin bn 1.99
Thng ging nm 2001, sau khi phin bn 2.1 c xy dng
xong, RFC 4253 quy nh rng mt my ch SSH h tr c phin
bn 2.0 v c cc phin bn trc c gi l phin bn 1.99. y
khng phi l mt phin bn hin ti m ch l mt cch nhn r
kh nng ti lp ca n (backward compatibility).
OpenSSH v OSSH
Nm 1999, cc nh pht trin phn mm mun c mt phin
bn s dng t do nn quay li vi phin bn 1.2.12 ca chng
trnh SSH u tin, y l phin bn cui cng c pht hnh di
dng m ngun m. OSSH ca Bjrn Grnvall c pht trin trn
c s . Khng lu sau cc nh pht trin phn mm OpenBSD
pht trin cng trnh ca Grnvall' v to ra Open SSH ra i
ng thi vi phin bn 2.6 ca OpenBSD. T phin bn ,
OpenSSH c mang s dng cho nhiu h iu hnh khc.
n nm 2005 th SSH vn l phin bn ph bin duy nht ca
SSH c s dng mc nh trong rt nhiu h iu hnh. Mi n
nay (2011) OpenSSH vn cn c dng v hin ang h tr c cc
phin bn 1.x v 2.0.
6.4.3. Phin bn 2.x. "Secsh"
L tn gi chnh thc ca Lc lng cng tc k thut Internet
IETF (Internet Engineering Task Force) t cho b phn ca IETF chu
trch nhim pht trin phin bn 2 ca giao thc SSH. Nm 2006,
mt phin bn c duyt li ca giao thc l SSH-2 c tha nhn
l phin bn tiu chun. Phin bn ny khng tng thch vi SSH-1
160
v vt tri hn SSH-1 c v bo mt cng nh v phm vi ni

dung pht trin. Chng hn nh v bo mt l do vic s dng s
trao i kha Diffie-Helman v v bo v ton vn thng tin l do
s dng cc m nhn dng thng ip. Mt ni dung mi na ca
SSH-2 l kh nng chy c mt s phin shell bt k ch trn mt
kt ni n SSH.
M c
Thng 11 nm 2008 ngi ta pht hin mt m c xm nhp
mi phin bn ca SSH, m c cho php ti hin 32 bit ca
plaintext t mt khi ca ciphertext c m ha bng cch s
dng thut ton m ha i xng c mc nh l tiu chun CBC.
Cc phin bn tiu chun ca SSH
T chc IETF xut danh mc cc phin bn sau y ca SSH
c xem l tiu chun s dng trn Internet.
RFC 4250, The Secure Shell (SSH) Protocol Assigned
Numbers.
RFC 4251, The Secure Shell (SSH) Protocol Architecture
RFC 4252, The Secure Shell (SSH) Authentication Protocol
RFC 4253, The Secure Shell (SSH) Transport Layer Protocol
RFC 4254, The Secure Shell (SSH) Connection Protocol
RFC 4255, Using DNS to Securely Publish Secure Shell (SSH)
Key Fingerprints
RFC 4256, Generic Message Exchange Authentication for the
Secure Shell Protocol (SSH)
RFC 4335, The Secure Shell (SSH) Session Channel Break
Extension
RFC 4344, The Secure Shell (SSH) Transport Layer Encryption
Modes
161
RFC 4345, Improved Arcfour Modes for the Secure Shell (SSH)
Transport Layer Protocol
Sau c thm nhng phin bn nng cp:
RFC 4419, Diffie-Hellman Group Exchange for the Secure
Shell (SSH) Transport Layer Protocol (March 2006)
RFC 4432, RSA Key Exchange for the Secure Shell (SSH)
Transport Layer Protocol (March 2006)
RFC 4462, Generic Security Service Application Program
Interface (GSS-API) Authentication and Key Exchange for the
Secure Shell (SSH) Protocol (May 2006)
RFC 4716, The Secure Shell (SSH) Public Key File Format
(November 2006)
RFC 5656, Elliptic Curve Algorithm Integration in the Secure
Shell Transport Layer (December 2009)
Do bi SSH-1 c nhng l hng c hu trong thit k nn c th
b tn cng ca ngi ng gia. Nn ngy nay, ngi ta xem nh
li thi, khng cn s dng na. Cc phn mm pha my ch v
pha my khch hin i u c h tr s dng SSH-2.
Tuy nhin trong mi phin bn ca SSH iu ti quan trng l
vic thm tra kha cng khai ca ngi l trc khi chp nhn
rng y l nhng kha hp l. Vic chp nhn mt kha cng khai
ca k tn cng giu mt lm kha hp l c h qu nguy him l
lm l cc mt khu chuyn giao trong h thng v to iu kin cho
s tn cng ca ngi ng gia.
6.5. THANH TON IN T AN TON
6.5.1. SET
Thanh ton in t an ton SET (Secure Electronic Transaction)
l mt giao thc chun m bo an ton thanh ton cho cc th
162
tn dng trn mt mng truyn thng khng tin cy, nht l trn
Internet.
Bn thn SET khng phi l mt h thng thanh ton m thc
ra l mt tp hp giao thc v th tc cho php ngi dng c th
thc hin c ch sn c ca mt h thng thanh ton th mt cch
an ton trong mi trng m.
SET c pht trin bi SETco, mt cng ty an ninh mng do
VISA v MasterCard ch o, k t 1996 v sau mt s cng ty
khc nh GTE, IBM, Microsoft, Netscape, RSA v VeriSign cng
tham gia. SET c bn da trn chun X.509 vi mt s tiu chun
m rng. Phin bn u tin hon thnh vo thng 5 nm 1997 v
bn dng th ln u tin th nghim vo thng 7 nm 1998.
SET cho php cc bn i tc nhn dng ra nhau (thng tin
nhn dng m ha) v sau trao i thng tin mt cch an
ton. SET dng mt thut ton cho php ngi bn hng thay th
mt chng th cho mt s ca th tn dng ca ngi s dng.
Bn thn ngi bn hng khng bao gi cn bit n s ca th
tn dng m ngi dng (ngi mua) gi n, m vn kim tra c
vic thanh ton tr tin mt khc bo v c cho ch th v nh
pht hnh th khi b la o.
Ngy nay SET thc t tr thnh giao thc tiu chun cho vic
thanh ton trn Internet giao dch gia ngi bn hng, ngi mua
v cc cng ty pht hnh th. Mt h thng SET bao gm cc thnh
vin sau y:
- Ch th
- Ngi bn hng
- Nh pht hnh th
- Ni chp nhn th
163
- Cng thanh ton

- T chc chng thc in t
H thng giao din ca SET c 3 thnh phn:
- Giao din v in t: c ci t trong th/my tnh ca
ngi tr tin (ngi mua).
- Giao din my tnh/my c th ca ngi nhn tin
(ngi bn).
- Giao din ti my ch ca ngn hng pht hnh th lin kt
vi my ch ngn hng c ti khon ca ngi nhn tin.
6.5.2. Hot ng thanh ton
Quy trnh thanh ton din ra nh sau:
1. Khch hng yu cu v nhn c mt ti khon th tn dng
t mt ngn hng c h tr thanh ton in t v SET.
2. Khch hng nhn mt chng th s X509v3 do ngn hng
k xc nhn.
3. Ngi bn cng c chng th s ca h
4. Khch hng lp phiu t hng
5. Ngi bn gi mt bn sao chng th ca mnh cho
khch hng c th kim tra xc minh rng y l mt ca
hng hp l
6. Gi phiu t hng v lnh chi tr
7. Ngi bn yu cu kim tra s cho php chi tr
8. Ngi bn xc nhn phiu t hng
9. Ngi bn gi hng ha hay dch v n cho ngi mua
10. Ngi bn yu cu chi tr
164
Trong tiu dng trc tip khi ngi mua a th tr tin,

ngi bn cm vo my my c v ghi li ton b thng tin
m ha gi n cho ngn hng cp th. Ti y cc thng tin c
gii m, ngn hng nhn din (ti khon) ca ngi tr tin v ca
ngi nhn tin, nu ng s thng bo chp nhn thanh ton v b
phn k ton thc hin vic chuyn khon t ti khon ngi tr
tin n ti khon ngi nhn tin. Khi thc hin xong (hoc chp
nhn thc hin) b phn k ton ti ngn hng thng bo cho c hai
bn ngi tr tin v ngi nhn tin l giao dch hon thnh.
Ni chung hin nay cc ngn hng ang thc hin giao dch
thanh ton th tn dng qua mng u tin tng vo h thng SET v
h thng ny m bo vic nhn dng chnh xc cc i tc tr tin
v nhn tin ng thi khng cho php ngi nhn tin gii m
nm c thng tin trong th ca ngi tr tin, iu ny gim bt
nguy c b trm thng tin th (pharming).
6.5.3. Ch k song hnh
Sng to c do ca SET l phng php s dng ch k song
hnh (Dual signature). Ch k song hnh cng c chc nng tng
t nh ch k in t l xc nhn ngi pht hnh thng tin v s
ton vn thng tin.
Mun vy SET t chc kt ni so snh hai bn tin c gi
cho hai hm th khc nhau. Gi s ngi mua ch gi thng tin mua
hng OI (Order Information) cho ngi bn hng v thng tin tr
tin PI (Payment Information) cho ngn hng, nh vy ngi bn
khng bit g v thng tin ti khon ca ngi mua, ngn hng cng
khng cn bit v thng tin hng ha. Gi tr bm ca thng tin mua
hng v ca thng tin tr tin c m ha bi cc kha ring (khc
nhau) ca ngi mua hng thnh mt cp ch k, cp ch k
c gn c vo tng thng ip OI v PI gi cho c ngi bn v
ngn hng. Ngi bn gii m gi tr bm ca OI kim tra v lu
gi tr bm ca PI lm chng t i chiu nu sau ny cn thit,
165
nhng khng bit ni dung ca PI. Ngc li ngn hng gii m

c gi tr bm ca PI kim tra nhng li khng th bit ni
dung ca OI.
SET l mt h thng thanh ton m bo c cc yu cu: xc
nhn c cc i tc tham gia giao dch, khng th chi b, thng
tin thanh ton minh bch v c bo mt an ton, thc hin thanh
ton nhanh.
Tuy nhin v cc chi tit giao dch v i tc u c lu t
nht l trn b phn k ton ngn hng cho nn vic thanh ton
khng m bo c b mt, ring t cho ngi mua v ngi bn.
6.6. IPsec
Giao thc Internet an ton IPsec (Internet Protocol Security) l
s ni tip ca giao thc an ninh tng mng ca m hnh chun ISO
NLSP (Network Layer Security Protocol). NLSP li da trn c s ca
giao thc SP3 c NIST cng b nhng li c thit k do d n
An ninh D liu H thng Mng ca NSA (National Security Agency:
C quan an ninh quc gia) ca Hoa K.
Cc t chc, cng ty khi trao i d liu gia cc my tnh t
Hi s chnh n cc chi nhnh u c yu cu phi bo mt d liu
ca mnh khng lt ra ngoi. S dng ng truyn kt ni trc
tip (leased line) l mt bin php hu hiu thc hin iu ,
tuy nhin gi thnh ca bin php ny qu cao v vic truyn thng
li khng c linh hot nh truyn thng qua Internet. Hin nay
phng n thng mi c ngi ta thch la chn l vic to mt
mng ring o VPN (Virtual Private Network) da trn c s ca giao
thc Internet an ton.
Ngy nay, truyn thng in t B2B (Business to Business)
tr thnh mt nhu cu sng cn i vi cc doanh nghip. Chng
hn, mt doanh nghip k hp ng bao thu cung cp cho mt
khch sn ln thng xuyn phi truy vn vo c s d liu ca
166
khch sn kp thi cung cp vt t, hng ha cho khch sn: iu

ny rt cn thit v c li cho c khch sn ln nh cung cp.
Th nhng v pha khch sn, c nhiu thng tin, d liu ca
mng ni b cn c bo mt chng hn nh danh sch khch
hng, cc d liu k ton v.v. v vy nhu cu bo mt tng b phn
d liu trong mt mng ni b, phn quyn cho nhng lp ngi s
dng khc nhau khi truy cp vo mt mng my tnh nht l thng
qua Internet, l mt vn c tm quan trng rt ln i vi vic
kinh doanh ca doanh nghip.
6.6.1. Kh nng xc thc
IPsec cung cp kh nng xc thc (authentication), b mt, ton
vn thng tin, qun l truy cp, chng tn cng phn tch lung d
liu, ni chung l c kh nng nhn dng c mi gi d liu vo v
m ha mi gi d liu ra ca mt mng cc b.
IPsec l mt chui giao thc nhm bo v cc truyn thng qua
giao thc Internet (IP) bng cch xc thc v m ha mi gi tin IP
ca tng phin giao dch. IPsec cng bao gm c nhng giao thc
nhm thit lp s xc thc ln nhau gia cc i tc khi khi u
mt phin v s thng lng tha thun cc kha mt m dng
cho phin giao dch .
IPsec l mt s bo v an ninh cc thit b u cui hot
ng tng Internet ca chui giao thc Internet. N c th s
dng bo v lung d liu gia hai my khch (host-to-host) gia
hai mng (network-to-network) hoc gia mt mng v mt my
khch (network-to-host)
Mt s h thng an ninh khc c s dng rng ri nh SSL,
TLP, SSH hot ng nhng tng trn ca m hnh TCP/IP. IPsec
hot ng pha di tng ng dng v l trong sut (transparent)
i vi mi ngi s dng. V vy IPsec bo v cho mi truyn thng
167
ng dng qua mt mng IP: E-mail, trnh duyt web, cc file truyn
i ... v ni chung l mi truyn thng in t gia mt my tnh vi
mi my tnh khc cng c ci t IPsec. Cc ng dng khng cn
phi thit k c bit s dng c IPsec, trong khi mun s
dng TLS/SSL, ngi ta phi thit k thnh mt ng dng ring
bo v cc giao thc ng dng.
IPsec c IETF to nn mt dy t liu Yu cu bnh lun
(Request for Comment documents) gi n cc thnh phn khc
nhau trong mng v v th c tn gi ca giao thc l IPsec.
Dy IPsec l mt chun m s dng cc giao thc sau y
thc hin cc hm.
6.6.2. Tiu xc thc (AH)
Mt trong nhng thnh phn ca chui giao thc IPsec protocol
suite l Authentication Headers. AH m bo s ton vn thng tin
lin tc v kim tra a ch ngun ca cc gi tin IP. Ngoi ra n cn
bo v chng kiu tn cng lp li (replay attacks) bng cch dng
k thut ca s trt v k thut dp tt c cc gi tin c.
Trong IPv4, AH bo v cc gi IP v mi trng tiu ca mt
bn thng ip ch tr cc trng thng c s bin i. Cc trng
tiu c bin i l: DSCP/TOS, ECN, Flags, Fragment Offset, TTL
v Header Checksum.
Trong IPv6, AH t bo v ngay chnh n, bo v tiu m rng
cc mc tiu n (Destination Options) sau AH, v gi tin IP. N cng
bo v c tiu IPv6 c nh v cc tiu m rng trc AH ngoi
tr cc tiu c thay i nh DSCP. ECN, Flow Label v Hop Limit.
AH hot ng trc tip trn nh IP, s dng giao thc IP s
hiu 51.
Cc s gi AH sau y ch r cch thc kin to v minh ha
mt gi AH (Bng 6.1):
Octet16
Bit10
32
64
96
Offsets
Octet16
Next Header
0 1 2 3 4 5 6 7
Integrity Check Value (ICV)
Sequence Number
Security Parameters Index (SPI)
Payload Len
Reserved
8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
nh dng Authentication Header
Bng 6.1
168
169
Next Header (8 bit): Tiu k tip

Kiu ca tiu k tip, ch ra rng giao thc tng trn c
bo v nh th no. Gi tr c ly t bng lit k s hiu ca cc
giao thc IP.
Payload Len (8 bit)
di ca tiu xc thc (Authentication Header) tnh theo
n v 4-octet tr 2 (mt gi tr ca 0 l 8 octets, 1 l 12 octets,
v.v.). Mc d kch thc c o theo n v 4-octet, di ca tiu
cn phi l mt bi s ca 8 octets nu c mang bi mt gi
tin IPv6. iu ny khng cn thit i vi cc gi tin IPv4.
Reserved (16 bit): D tr
D tr s dng sau (mi s 0 cho n lc ).
Security Parameters Index (32 bit): Ch s cc tham s an ninh
Mt gi tr ty chn c s dng cng vi a ch ngun IP
nhn dng t hp an ninh (security association) ca pha gi
thng ip.
Sequence Number (32 bit): S hiu chui
Mt dy n iu tng ngt nhm ngn nga tn cng lp li.
Integrity Check Value (multiple of 32 bit): Gi tr kim tra tnh ton vn
Mt gi tr c di thay i, n cha cc dy c th trin
khai ra trong mt trng c bin 8-octet i vi IPv6 hoc trng c
bin 4-octet i vi IPv4.
6.6.3. Khi ng gi an ton
Khi ng gi an ton ESP (Encapsulating Security Payloads)
cung cp kh nng bo mt, kh nng xc thc ngun ca d liu,
170
kim tra tnh ton vn, dch v chng tn cng lp li. ESP cng l
mt thnh phn trong dy giao thc IPsec. Trong IPsec, ESP to ra
chc nng xc thc ngun, ton vn, v bo v b mt ring t cho
cc gi tin. ESP cng h tr cc cu hnh ch m ha hoc ch
gii m nhng hnh ng m ha m khng c nhn dng c
khuyn co l khng nn s dng v km an ton.
Khng ging nh AH, ESP dng trong ch vn chuyn
(Transport mode) khng cung cp kh nng bo v ton vn v nhn
dng cho ton b gi IP. Tuy nhin trong kiu ng ng (Tunnel
mode) khi m ton b gi tin TP gc c ng gi li v gn mt
tiu mi thm vo th ESP bo v cho tt c gi tin IP bn trong
(k c tiu bn trong) trong khi tiu bn ngoi vn khng
c bo v.
ESP hot ng trn nh ca IP, s dng s hiu IP l 50.
Cc s gi ESP packet sau y ch r cch thc kin to v
minh ha mt gi ESP (Bng 6.2).
32
96
Bit10
Octet16
Octet16
Offsets
0 1 2 3 4 5 6
Integrity Check Value (ICV)
Pad length
Padding (0-255 octets)
Payload data
Sequence Number
Security Parameters Index (SPI)
Next Header
8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Encapsulating Security Payload nh dng
Bng 6.2

171
172
Security Parameters Index (32 bit): Ch s cc tham s an ninh

y l mt gi tr ty chn c s dng (cng vi a ch
ngun IP) nhn dng t hp an ninh ca pha gi tin.
Sequence Number (32 bit): S hiu chui
L mt dy s n iu tng (vi mi gi tin gi i th tng
thm 1) nhm chng kiu tn cng lp li. C mt b m ring cho
mi t hp an ninh.
Payload data (bin thin): D liu ng gi
Ni dung c bo v ca gi tin IP gc, bao gm c mi d liu
s dng bo v ni dung ca n (tc l mt Vc-t khi u ca
thut ton m ha). Loi ca ni dung c bo v c ch r trong
trng tiu k tip.
Padding (0-255 octets): Lp m
Lp m dng cho m ha nhm m rng d liu c ng
gi t n kch thc ph hp vi mt khi m ha v va vi kch
thc ca trng k tip.
Pad Length (8 bit): di m
Kch thc ca lp m tnh theo n v octet.
Next Header (8 bits): Tiu k tip
Kiu ca tiu k tip. Gi tr c ly trong danh sch s
hiu ca cc giao thc IP.
Value (Bi s ca 32 bit): Gi tr
Gi tr kim tra di bin thin. N c th c mt lp m
cho trng ang xt ph hp vi mt trng bin 8-octet i vi IPv6
hoc 4-octet i vi IPv4.
6.6.4. T hp an ninh (SA)
T hp an ninh SA (Security associations): Cung cp mt gi
thut ton v d liu sn sinh ra nhng tham s cn thit kch
173
hot cc hot ng ca AH v ESP. Internet Security Association v

Key Management Protocol (ISAKMP) to nn mt khung cho hot
ng xc thc v trao i kha vi nhng b cng c ph bin hin
nay Internet Key Exchange (IKE and IKEv2), Kerberized Internet
Negotiation of Keys (KINK), hoc IPSECKEY DNS records.
Kin trc ca IPsec s dng quan im v mt t hp an ninh
lm c s cho vic xy dng cc hm an ninh vo trong IP. Mt t
hp an ninh n gin ch l mt gi gm cc thut ton v cc tham
s (nh l cc kha) s c dng m ha v nhn dng mt
lung thng tin c th theo mt hng. Do vy, trong cc lu thng
hai chiu thng thng, cc lung lu thng c m bo an ninh
bng mt cp t hp an ninh.
Cc t hp an ninh c thit lp bng cch dng T hp an
ninh Internet v Giao thc qun l kha (ISAKMP). ISAKMP c
trang b bng mt cu hnh th cng vi nhng b mt trao i
trc nh Trao i kha Internet - Internet Key Exchange (IKE and
IKEv2), Thng lng kha Internet Kerberos - Kerberized Internet
Negotiation of Keys (KINK), v s dng IPSECKEY cc bn ghi DNS.
quyt nh dng bo v no c cung cp cho mt gi tin s
gi i, IPsec s dng ch s tham s an ninh SPI (Security Parameter
Index), mt ch s cho c s d liu ca t hp an ninh SADB
(Security Association Database), ng thi vi a ch ch trong
tiu ca gi tin. Mt quy trnh tng t cng c dng bo v
cc gi tin n, khi IPsec s thu thp cc kha gii m v xc
thc t c s d liu ca t hp an ninh.
Khi giao dch vi mt nhm nhiu i tc, mt t hp an ninh
c cung cp cho c nhm v c sao gi n cho mi ngi nhn
tin trong nhm. C th dng cc SPI cp cho cc i tc trong
nhm mt s t hp an ninh nhiu hn v nh vy s lm tng mc
an ninh trong ni b nhm. Tht vy, khi mi ngi gi tin
trong nhm c th c nhiu t hp an ninh nhn dng i tc
174
trong khi ngi nhn tin ch c th bit l c mt ngi no

bit c kha v gi tin cho mnh.
6.6.5. Cc ch hot ng
IPsec c th thc hin theo ch vn chuyn t my khch
n my khch ng thi cng c th c thc hin theo kiu
ng ng trong mng my tnh.
Ch vn chuyn
Trong ch vn chuyn, thng thng ch c phn ng gi
(tc l d liu c truyn i) ca gi tin IP l c m ha hay
c nhn dng. Tuyn ng vn chuyn l khng thay i v rng
tiu ca gi tin IP khng h b thay i m cng khng b m
ha, tuy nhin, khi s dng tiu xc thc th a ch IP khng th
c phin dch v nh vy s nh hng n gi tr bm. Cc tng
giao vn v tng ng dng lun c bo v an ton bng hm bm,
do vy chng khng th no thay i c (chng hn bng cch
phin dch s hiu cng). Ch vn chuyn s dng cho truyn
thng t my khch n my khch.
Mt phng tin ng gi cc thng ip IPsec dng trong phn
mm bin i a ch mng NAT (Network Address Translation)
c nh ngha bi cc ti liu RFC, c m t trong c ch NAT-T.
Ch ng ng
Trong ch ng ng, ton b gi tin IP c m ha
v/hoc c nhn dng. Khi ta ng gi n thnh mt gi tin IP
mi vi mt tiu IP mi. Ch ng ng c dng to ra
mt mng ring o VPN (Virtual Private Network) s dng c trong
truyn thng t mng my tnh n mng my tnh (ngha l gia
cc b nh tuyn kt ni cc min thng tin), trong truyn
thng my khch n mng my tnh (ngha l s truy cp ca ngi
s dng xa) cng nh trong truyn thng my khch n my
khch (ngha l hi thoi c nhn: chat). Ch ng ng cng h
tr NAT.
175
6.6.6. S pht trin

IPsec c pht trin gn vi IPv6 do vy mi thc hin ca n
phi hon tng thch vi thc hin ca IPv6 nhng mt khc Ipv6
li l mt s m rng khng rng buc ca Ipv4. Tuy nhin do vic
trin khai Ipv6 qu chm nn IPsec thng thng c s dng
nhiu hn bo v truyn thng trn IPv4. Cc giao thc IPsec ban
u c xc nh trong RFC 1825 and RFC 1829, c cng b
nm 1995.
n nm 1998, cc ti liu c thay th bi RFC 2401 v
RFC 2412 c v khng tng thch vi cc phin bn c tuy v quan
im th ng nht.
Tip mt giao thc nhn dng tng h v trao i kha IKE
(Internet Key Exchange) li c xc nh nhm to ra v qun l cc
t hp an ninh. Thng Chp nm 2005, nhng chun mi c nh
ngha trong RFC 4301 and RFC 4309 thay th rng ri cc phin
bn c vi mt phin bn mi ca chun trao i kha l IKEv2.
T gia nm 2008, mt nhm cng tc bo tr v pht trin
thng xuyn hot ng ti IETF.
Cc thut ton m ha
Cc thut ton m ha c xc nh d dng vi IPsec gm:
HMAC-SHA1 bo v ton vn thng tin v nhn dng
TripleDES-CBC bo mt thng tin
AES-CBC cng bo mt thng tin.
C th tra cu chi tit trong RFC 4835.
Cc cng c phn mm
H tr IPsec thng c thc hin trong ht nhn vi mt
phn mm qun l kha v mt quy trnh thng lng ISAKMP/IKE.
C nhiu cng c thc hin cc giao thc IPsec v ISAKMP/IKE
nh l:
176
OpenBSD, vi m ring ca n pht trin t mt cng c

BSD/OS c vit bi John Ioannidis and Angelos D.
Keromytis vo nm 1996.
NRL IPsec, mt trong nhng ngun gc ca m IPsec.
Cm phn mm KAME, bao gm Mac OS X, NetBSD and
FreeBSD.
"IPsec" trong Cisco IOS Software
"IPsec" trong Microsoft Windows, bao gm c Windows XP,
Windows 2000, Windows 2003, Windows Vista, Windows
Server 2008, v Windows 7.
IPsec trong Windows Vista v sau na.
B cng c Authentec QuickSec
IPsec trong Solaris
H iu hnh IBM AIX
IBM z/OS
IPsec v IKE trong HP-UX (HP-UX IPsec)
Cm phn mm Linux IPsec do Alexey Kuznetsov v David
S. Miller vit.
Openswan trn Linux, FreeBSD v Mac OS X s dng cm
phn mm sinh Linux IPsec stack, hoc cm phn mm
KLIPS ca chnh n.
StrongSwan trn Linux, FreeBSD, Mac OS X, v Android s
dng cm phn mm sinh IPsec.
177
Phn ph lc
PHN PH LC
178
Ph lc 1
1. HM LOGIC XOR
Hm tuyn ngt (Exclusive OR) hay l hm cng modulo 2 l mt

trong nhng hm c bn c s dng kh ph bin trong mt m hc
(cng nh trong nhiu ng dng khc). Nh ton hc Anh George
Boole cui th k XIX sng lp ra mt ngnh i s hc m
sau ny tr thnh nn tng cho vic xy dng ch to cc my tnh
in t v cc chip vi in t. Boole nh ngha mt s hm logic
hai bin c bn dng: f = f(x,y) trong x, y (bin u vo: input) v f
(bin u ra: output) u l nhng bin logic, ngha l nhng bin s
ch ly gi tr trong tp hp {0, 1} vi 0 l gi tr phi l - gi tr sai,
cn 1 l gi tr chn l - gi tr ng.
Cc hm Boole mt v hai bin c bn thng dng nht l:
NOT
Hm ph nh ca bin u vo a l . Gi tr ca bin u ra
i lp vi bin u vo a. ( ngha: lun tri ngc vi a)
a
AND
Hm hi f = a b. Gi tr ca bin u ra f bng 1 khi v ch khi
c hai bin u vo cng c gi tr bng 1, cc trng hp cn li f ly
gi tr bng 0. ( ngha: f ng khi v ch khi va a va b cng ng)
179
Phn ph lc
ab
OR
Hm tuyn f = a b. f bng 1 khi v ch khi c hoc a hoc b,
hoc c a v b c gi tr bng 1. ( ngha: f ng khi hoc a ng hoc
b ng hoc c hai a v b cng ng)
a
ab
XOR
Hm tuyn ngt (Exclusive OR) hay cn gi l hm cng modulo
2: f = p XOR q hay f = p q. f ly gi tr 1 khi v ch khi ch c mt
trong hai bin p hoc q c gi tr bng 1. ( ngha: nu c a v b cng
sai hay cng ng th f sai)
a
a XOR b
180
Ba hm logic NOT, AND v OR qu quen thuc trong i s

logic v ngha rt r rng. Ta ch ni thm v hm XOR. Theo nh
ngha th hm XOR ch c gi tr bng 1 khi m mt trong hai bin
u vo ca n bng 1. ngha ca hm XOR lin quan n tnh
cht ng nht ca cc bin u vo: Nu hai bin u vo c cng
gi tr th XOR l sai, cn nu hai bin u vo khc gi tr nhau th
XOR l ng.
ng dng trong cc thut ton lp m: Gi s ta ly bn plaintext
P v XOR n vi mt cha kha K: n s bin thnh mt bn
ciphertext C trong c mt s bit thay i. Nu ta li ly
ciphertext XOR vi cha kha K y mt ln na th ta c li
plaintext.
V d:
Plaintext:
P=
100110001
Kha K:
K=
001111001
M ha: Ciphertext C = P XOR K =
101001000
Gii m: Plaintext
100110001
P = C XOR K =
Nhn xt:
- di (kch thc s bit) ca kha K r rng c tc ng rt
ln n kh nng bo mt ca m i xng. Chng hn trong m
block c kch thc block l 56 - 64 bit th ta dng kha K c kch
thc cng l 56 - 64 bit. V mi v tr trong kha c th ty chn 1
trong 2 gi tr 0 hay 1 nn c tt c: 256 cch to kha khc nhau! y
l mt con s rt ln cho nn thng thng nguy c b tn cng bo
lc thp.
- Tuy nhin v php ton XOR c thc hin hon ton n gin
nn tc lp m, gii m vn kh nhanh.
Phn ph lc
181
2. TNH TON THC HNH M SA SAI HAMMING
Trong m i xng DEA ta c nhc n khi nim bit d ngang

bc (extra parity bits) sa sai. Bn c quen bit vi vic m
ha thng tin trong truyn thng in t, vi cc giao thc trong h
TCP/IP chc chn u bit v nhng phng php m ha pht
hin sai (Error detection) v m ha t sa sai (Error correction)
chng hn nh m Hamming.
Di y ch nhc li tm tt phng php tnh ton thc hnh
c th.
Nguyn tc mu cht ca m Hamming l vic s dng mt s
bit d ngang bc (extra parity bit) nhn din ra mt bit sai trong
thng tin c truyn i.
Xut pht t mt t mang thng tin, mt t m tng ng c
to nh sau:
1. nh du mi bit ti cc v tr l ly tha ca 2 lm bit
d ngang bc (Cc v tr th 1, 2, 4, 8, 16, 32, 64)
2. Tt c cc bit nhng v tr khc cn li dng ghi thng
tin gc cn truyn (V tr th 3, 5, 6, 7, 9, 10, 11, 12, 13,
14, 15, 17,)
3. Mi bit d ngang bc c tnh ton theo gi tr ca mt s
bit thng tin trong thng ip. V tr ca bit d ngang bc
xc nh dy cc bit ln lt c xt hay b qua:
- V tr 1: Xt 1 bit, b qua 1 bit, xt 1 bit, b qua 1 bit,v.v.
(1, 3, 5, 7, 9, 11, 13, 15)
- V tr 2: Xt 2 bit, b qua 2 bit, xt 2 bit, b qua 2 bit,v.v.
(2, 3, 6, 7, 10, 11, 14, 15)
- V tr 4: Xt 4 bit, b qua 4 bit,v.v. (4, 5, 6, 7, 12, 13, 14, 15,
20, 21, 22, 23, )
182
- V tr 8: Xt 8 bit, b qua 8 bit, (8 - 15, 24 - 31, 40 - 63,

80 - 95, )
- V tr 16: Xt 16 bit, b qua 16 bit, (16 - 31, 48 - 63,
80 - 95, )
4. Chn ly gi tr ca bit d parity l 1 nu s cc k t s 1
ti cc v tr c xt ca n l l. Chn ly gi tr ca bit
d parity l 0 nu s cc k t s 1 ti cc v tr c xt
ca n l chn.
V d: Mt thng ip cn truyn l: 10011010
To mt thng ip d liu truyn thng ip , ginh cc v
tr thch hp cho cc bit d:
__1_001_1010
Tnh gi tr cho tng bit d parity (Du ? k hiu cho gi tr ca
bit parity cn tnh)
V tr 1 cc bit c xt l 1, 3, 5, 7, 9, 11:
? _ 1 _ 0 0 1 _ 1 0 1 0. C 4 s 1: chn, vy gi tr bit parity
v tr 1 l 0: 0 _ 1 _ 0 0 1 _ 1 0 1 0
V tr 2, cc bit c xt l: 2, 3, 6, 7, 10, 11:
0 ? 1 _ 0 0 1 _ 1 0 1 0. C 3 s 1: l, vy gi tr bit parity
v tr 2 l 1: 0 1 1 _ 0 0 1 _ 1 0 1 0
V tr 4 cc bit c xt l: 4, 5, 6, 7, 12:
0 1 1 ? 0 0 1 _ 1 0 1 0. S l: gi tr parity l 1:
0111001_1010
V tr 8, cc bit c xt l: 8, 9, 10, 11, 12:
0 1 1 1 0 0 1 ? 1 0 1 0. S chn: gi tr parity l 0:
011100101010
Thng ip m ha: 011100101010.
Phn ph lc
183
Pht hin bit sai

Vic s dng bit parity n cho php bn pht hin l tn ti mt
bit sai trong thng ip nhn c. Mun sa sai ta cn bit thm v
tr c th ca bit sai trong thng ip v nu ch bit l trong thng
ip c mt bit sai m khng bit v tr ca n th khng th sa c.
Nu c nhiu bit d parity gn vo mt thng ip v cc bit d
c t chc sao cho s hin din ca cc bit sai ti cc v tr khc
nhau s cho ra nhng kt qu tnh ton sai khc nhau th cc bit sai c
th nhn din c. Trong mt thng ip 7 bit chng hn, v tr ca
bit sai c th c 7 kh nng, v vy vi 3 bit kim tra l ta c th
pht hin khng nhng l c 1 bit sai m cn c th nh v bit sai .
Tng t nh vy, nu mt h t m ha c chn sao cho khong
cch b nht gia cc t t nht bng 3 th m sa sai vi 1 bit l c
th. Vic tip cn theo khong cch c tnh cht hnh hc, trong
khi lp lun tnh ton bit sai trn kia c tnh cht i s. Nhng lp
lun trn y dng dn dt ta n khi nim v M t sa sai
Hamming, mt phng php kim tra cho php bn t sa 1 sai.
Chng hn, trong v d trn cho ta thng ip m ha l:
011100101010. Bn A gi thng ip i. Gi s do mt l do no
trong qu trnh truyn tin, thng ip bn B nhn c li l:
011100101110. Ngi nhn (B) s cn c vo vic kim tra cc bit d
parity pht hin xem trong thng ip c bit no sai v do c th
t sa sai. B s tnh li tng bit kim tra trong thng ip nhn c
bng phng php nh trc. Lm nh vy ta thy ngay cc bit parity
th 2 v th 8 l sai! Vy th: 2 + 8 = 10. 10 l v tr ca bit thng tin
b sai (s 1 trong thng ip nhn c v tr th 10 l sai, cn sa
thnh s 0). Trong trng hp tng qut, kim tra li tt c cc bit
parity sai, tng ca cc v tr ca chng cho ta v tr ca bit thng tin
b sai.
184
Bn hy t kim tra bng phng php m Hamming xem trong

cc thng ip nhn c sau y, thng ip no c sai v tr no
v cn c sa li nh th no?
010101100011
111110001100
000010001010
185
Phn ph lc
Ph lc 2
1. HM MODULO - NG D THC
Hm modulo c th hiu mt cch n gin chnh l s d trong

php chia cc s nguyn. Mun tnh X modulo Y (thng k hiu l
X mod Y) ta ch cn lm php chia X cho Y v tm s d trong php
chia , ni khc i: ta tr vo X bi s ln nht ca Y b hn X. R
rng X mod Y ch c th ly cc gi tr t 0, 1, cho n Y-1.
V d:
25 mod 5 = 0
15 mod 7 = 1
33 mod 12 = 9
203 mod 256 = 203
Trong s hc, hai s nguyn A v B c gi l ng d theo
modulo N nu chng c cng s d trong php chia cho N. Ta k
hiu: A B (mod N) v c l A ng d vi B theo modulo N.
Biu thc gi l mt ng d thc.
V d: 18 4 (mod 7) 11 (mod 7)
Hm modulo trong s hc rt hu ch trong cc thut ton mt m
v n cho php chng ta xc nh kch thc ca mt php ton v do
chc chn l khng c kt qu l nhng con s qu ln. y l mt
nhn xt rt quan trng khi s dng my tnh k thut s. Hm
modulo c dng trong thut ton RSA lp kha m cng khai v
kha m ring.
186
2. GII THUT EUCLID
Gii thut Euclid, hay thut ton Euclid, l mt gii thut tnh c
s chung ln nht (USCLN) ca hai s (nguyn) mt cch hiu qu.
Gii thut ny c bit n t khong nm 300 trc Cng Nguyn.
Nh ton hc C Hy Lp Euclid nu gii thut ny trong cun sch
C s (Elements) ni ting.
V d: Tnh c s chung ln nht ca 91 v 287.
Trc ht ly 287 (s ln hn trong 2 s) chia cho 91:
287 = 91*3+14 (91 v 14 s c dng cho vng lp k tip)
Nhn xt: Bt k s no chia ht bi 287 v 91 cng s chia ht
bi 287 - 91*3 = 14. Tng t, s chia ht bi 91 v 14 cng chia ht
bi 91*3 + 14 = 287. Do , USCLN(91,287) = USCLN(91,14). Bi
ton tr thnh tm USCLN(91,14). Lp li quy trnh trn cho n khi
php chia khng cn s d na. 91 = 14*6 + 7 (14 v 7 s c dng
cho vng lp k tip) 14 = 7*2 + 0 (khng cn s d, kt thc, nhn 7
lm kt qu).
Cui cng ta c:
7 = USCLN(14,7) = USCLN(91,14) = USCLN(287,91).
B . Gi s a = bq + r, vi a, b, q, r l cc s nguyn, ta c:
nu r = 0
b
UCLN(a, b) =
UCLN(b, r) nu r 0
M gii:
Chng trnh quy procedure USCLN(a, b: positive integers)
Begin
if a mod b = 0 then USCLN:= b
else USCLN(b; a mod b);
End
Phn ph lc
187
Chng trnh dng vng lp procedure USCLN(a, b: positive

integers)
Begin
x:= a
y:= b
while y 0
begin
r:= x mod y
x:= y
y:= r
End {x l USCLN cn tm}
End
3. GII THUT EUCLID M RNG
Gii thut Euclid m rng s dng gii phng trnh v nh

nguyn (cn c gi l phng trnh i--phng)
a*x + b*y = c
trong a, b, c l cc h s nguyn, x, y l cc n nhn gi tr
nguyn. iu kin cn v phng trnh ny c nghim (nguyn)
l UCLN(a, b) l c ca c.
Khng nh ny da trn mnh sau trong s hc:
Ta bit rng nu d = USCLN(a,b) th tn ti cc s nguyn x,
y sao cho: a*x + b*y = d.
C s l thuyt ca gii thut
Gii thut Euclid m rng kt hp qu trnh tm UCLN(a, b)
trong thut ton Euclid vi vic tm mt cp s x, y tha mn phng
trnh i--phng. Gi s cho hai s t nhin a, b, ngoi ra a > b > 0.
t ro = a, r1 = b, chia r0 cho r1 c s d r2. Nu r2 = 0 th dng,
nu r2 khc khng, chia r1 cho r2 c s d r3,... V dy cc ri l gim
thc s nn sau hu hn bc ta c s d rm = 0.
188
ro = q1 * r1 + r2, 0 < r2 < r1;

r1 = q2 * r2 + r3, 0 < r3 < r2;
....
rm 1 = qm * rm + rm + 1, 0 < rm + 1 < rm;
r m = q m + 1 * r m + 1;
trong s d cui cng khc 0 l rm + 1 = d.
Bi ton t ra l tm x, y sao cho: a * x + b * y = rm + 1( = d)
lm iu ny, ta tm x, y theo cng thc truy hi, ngha l tm
xi v yi sao cho: a * xi + b * yi = ri vi i = 0, 1,....
Ta c:
a * 1 + b * 0 = a = ro v a * 0 + b * 1 = b = r1,
ngha l:
xo = 1, x1 = 0 v yo = 0, y1 = 1
(1)
Tng qut, gi s c:
a * xi + b * yi = ri
vi i = 0,1,.... a * xi + 1 + b * yi + 1 = ri + 1 vi i = 0,1,....
Khi t: ri = qi + 1 * ri + 1 + ri + 2
suy ra:
ri qi + 1 * ri + 1 = ri + 2
(a * xi + b * yi) qi + 1 * (a * xi + 1 + b * yi + 1) = ri + 2
a * (xi qi + 1 * xi + 1) + b * (yi qi + 1 * yi + 1) = ri + 2
t , c th chn:
xi + 2 = xi qi + 1 * xi + 1
(2)
yi + 2 = yi qi + 1 * yi + 1
(3)
189
Phn ph lc
Khi i = m - 1 ta c c xm + 1 v ym + 1.
Cc cng thc (1), (2), (3) l cng thc truy hi tnh x, y.
Gii thut
Gii thut sau ch thc hin vi cc s nguyn a > b > 0, biu
din bng:
Procedure Euclid_Extended (a,b)
Var Int x0:=1, x1:=0, y0=0,y1:=1;
While b>0
do
{r:= a mod b
q:= a div b
x:= x0-x1*q
y:= y0-y1*q
if r=0 then Break
a:=b
b:=r
x0:=x1
x1:=x
y0:=y1
y1:=y}
Return d:=b, x, y;
V d:
Gi s cho a = 29, b = 8, gii thut tri qua cc bc nh sau:
Bc i
ri
ri + 1
ri + 2
qi + 1
xi
xi + 1
xi + 2
yi
yi + 1
yi + 2
29
-3
-1
-3
-1
-3
-7
-1
-3
-7
11
190
Kt qu thut ton cho ng thi:

d = UCLN(29,8) = 1 v x = 3, y = 11.
D dng kim tra h thc 29 * (3) + 8 * 11 = 1
p dng gii thut Euclid m rng tm s nghch o trong vnh m
S nghch o trong vnh m
Trong l thuyt s, vnh m c nh ngha l vnh thng ca
(vnh cc s nguyn) vi quan h ng d theo modulo m (l mt

quan h tng ng) m cc phn t ca n l cc lp ng d theo
modulo m (m l mt s nguyn dng ln hn 1). Ta cng c th xt
m ch vi cc i din ca n.
Khi :
m = {0, 1,..., m 1}
Php cng v nhn trong m l php ton thng thng rt gn

theo modulo m:
a + b = (a + b) mod m
a * b = (a * b) mod m
Phn t a ca m c gi l kh o trong m hay kh o
theo modulo m nu tn ti phn t a' trong m sao cho a*a' = 1
trong m . Khi a' c gi l nghch o modulo m ca a. Trong l
thuyt s chng minh rng, s a l kh o theo modulo m khi v
ch khi USCLN ca a v m bng 1 (a v m nguyn t cng nhau). Khi
tn ti cc s nguyn x, y sao cho: m * x + a * y = 1.
ng thc ny li ch ra y l nghch o ca a theo modulo m. Do
c th tm c phn t nghch o ca a theo modulo m nh thut
ton Euclid m rng khi chia m cho a.
191
Phn ph lc
Gii thut
Gii thut sau ch thc hin vi cc s nguyn m > a > 0, biu

din bng dy m:
Procedure Euclid_Extended (a,m)
int, y0=0,y1:=1;
While a>0
do {r:= m mod a
if r=0 then Break
q:= m div a
y:= y0-y1*q
m:=a
a:=r
y0:=y1
y1:=y}
If a>1 Then Return "A khng kh nghch theo modulo m"
else Return " Nghch o modulo m ca a l y"
V d: Tm s nghch o (nu c) ca 30 theo m-un 101

Bc i
y0
y1
101
30
11
-3
30
11
-3
11
-3
-10
-10
27
-10
27
-37
Kt qu tnh ton trong bng cho ta -37. Ly s i ca 37 theo

m-un 101 c 64. Vy 301 mod 101 = 64.
192
ng dng
S nghch o theo modulo c ng dng nhiu trong vic gii

phng trnh ng d, trong l thuyt mt m, c bit trong thut
ton RSA.
4. NH L S D TRUNG QUC
nh l s d Trung Quc (Chinese Theorem of Remainders) l

tn ngi phng ty t cho nh l ny. Ngi Trung Quc gi n
l bi ton Hn Tn im binh.
Hn Tn l mt danh tng thi Hn S tng c phong tc
vng thi Hn Cao T Lu Bang dng nghip. S k ca T M
Thin vit rng Hn Tn l tng tri g khng ni, nhng rt c ti
qun s. Tng truyn rng khi Hn Tn im qun, ng cho qun
lnh xp hng 3, hng 5, hng 7 ri bo co s d. T ng tnh
chnh xc qun s n tng ngi.
Gn y, nh l s d Trung Quc c nhiu ng dng trong cc

bi ton v s nguyn ln p dng vo l thuyt mt m.
nh l: Cho n s nguyn dng m1, m2, m3,, mn i mt
nguyn t cng nhau. Khi h ng d tuyn tnh:
x a i (mod mi )
i = 1, n
c nghim duy nht m-un M = m1m2mm.
nh l s d Trung Quc khng nh v s tn ti duy nht ca

mt lp thng d cc s nguyn tha mn ng thi nhiu ng d
thc tuyn tnh. Do c th s dng nh l gii quyt nhng bi
ton v s tn ti v m cc s nguyn tha mn mt h cc iu
Phn ph lc
193
kin quan h ng d, chia ht, hay m s nghim ca phng

trnh ng d. Bn cht ca bi ton Hn Tn im binh l vic gii h
phng trnh ng d bc nht.
x a1(mod m1 )
x a2(mod m2 )
...
x a (mod m )
k
k
trong m1, m2,..., mk i mt nguyn t cng nhau.

H phng trnh ng d ni trn c nghim duy nht theo
m-un M = m1.m2...mk l:
x a 1.M1.y1 + a 2 .M2 .y2 + ... + a k .M k .y k (mod M)
trong :
M1 = M/m1, M2 = M/m2,..., Mk = M/mk
v:
y1 = (M1) 1(mod m1),
y2 = (M2) 1(mod m2),
...
yk = (Mk) 1(mod mk)
trong :
(M1) 1(mod m1) l nghch o theo modulo ca m1
vi: y1 = (M1) 1(mod m1) y1M1 = 1(mod m1)
V d: Mt i qun, nu xp hng 3 th d ra 2 ngi, xp hng
5 th d ra 3 ngi cn xp hng 7 th d ra 5 ngi. Hy tnh chnh
xc qun s x ca i qun .
194
Gii h phng trnh ng d:
x 2 (mod 3)
x 3 (mod 5)
x 5 (mod 7)
ta c:
M = 3.5.7 = 105; M1 = 5.7 = 35,
M2 = 3.7 = 21, M3 = 3.5 = 15.
y1 = 35 1(mod 3) = 2 1(mod 3) = 2;
y2 = 21 1(mod 5) = 1 1(mod 5) = 1;
y3 = 15 1(mod 7) = 1 1(mod 7) = 1.
T :
x 2.35.2 + 3.21.1 + 5.15.1 (mod 105)
x 140 + 63 + 75 (mod 105) 278 (mod 105)
x 68 (mod 105)
Nh vy x c dng x = 68 + k.105, k l s nguyn bt k (hoc
s nguyn thch hp nu tm nghim tha mn mt s rng buc ph
no y).
Cn lu truyn li mt pht biu ca cng thc gii bi ton Hn
Tn im binh c dng mt khu quyt kh hiu c lu truyn
cho n nay di dng mt bi th tht ngn t tuyt l:
* Tam (3) nhn ng hnh, tht thp (70) hi 3 ngi cng
i, him k 70 tui, hiu l: ly s d khi xp hng 3 nhn
cho 70
* Ng (5) th mai hoa, trp nht (21) chi 5 cy hoa mai c
21 cnh, hiu l: ly s d khi xp hng 5 nhn cho 21
Phn ph lc
195
* Tht (7) t on vin chnh bn nguyt (15) 7 a con

sum vy trong ngy 15, hiu l: ly s d khi xp hng 7
nhn cho 15
* Gia bch linh ng (105) nh vi k thm vo 105 th
c s phi tm.
Thc ra nghim ca bi ton ny l khng duy nht, phi c thm
rng buc ngoi, chng hn c tnh s qun trong n v l trong mt
khong no , chng hn trong v d c th sau y:
Mt n v khong 200 - 300 qun, sau mt trn nh quay v,
cn im li xem qun s chnh xc cn li l bao nhiu bng cch
xp hng 3, m s d, xp hng 5, m s d, xp hng 7 m s d;
y ta ly k = 2: tnh c qun s cn li sau trn nh l 278
(v t k 3 hoc k 1 th sai vi iu kin rng buc v qun s ban
u l 200 300, chnh rng buc ny cho php ta xc nh nghim
s duy nht ca bi ton).
5. BI TON XP BA L
Bi ton xp ba l (mt s sch ghi l bi ton ci ti) l mt bi

ton ti u ha t hp. Bi ton c t tn t vn chn nhng g
quan trng c th nht va vo trong mt ci ti (vi gii hn khi
lng) mang theo trong mt chuyn i. Cc bi ton tng t
thng xut hin trong nhiu vn ca ton ng dng nh: Bi ton
la chn phng n kinh doanh, cc bi ton t hp, l thuyt phc
tp tnh ton, mt m hc.
Pht biu ca bi ton thc t
Mt ngi i xa ch c mt ci ti (ba l) c sc cha ti a v

trng lng l C. Ngi c n mt hng, mi loi c trng lng v
gi tr khc nhau, vy ngi nn b vo ba l nhng loi hng no
v mi loi vi s lng bao nhiu t tng gi tr cao nht trong
kh nng c th mang i c.
196
Trong cc pht biu sau y ta gi xj l s lng vt loi j, pj l

n gi ca vt loi j cn j l gi tr ca mt n v loi j.
Bi xp ba l dng 0-1
Hn ch v s vt thuc mi loi l 0 (khng c chn) v 1

(c chn). Bi xp ba l 0-1 c th c pht biu ton hc nh sau:
Cc i ha dng tuyn tnh:
n
p jx j
j=1
vi cc iu kin rng buc:

n
w jx j c,
j=1
x j = 0 hoc 1, j = 1,..., n
Bi xp ba l b chn
Hn ch s vt thuc mi loi khng c vt qu mt lng

no . Bi xp ba l b chn c th c pht biu bng ton hc nh
sau:
Cc i ha:
n
p jx j
j=1
Vi cc rng buc:
n
w jx j c,
j=1
0 x j b j , j = 1,..., n
Bi xp ba l khng b chn
Khng c mt hn ch no v s vt mi loi.
Mt trng hp c bit ca bi ton ny nhn c nhiu quan
tm, l bi ton vi cc tnh cht:
Phn ph lc
197
- L mt bi ton quyt nh
- L mt bi ton 0/1
- Vi mi vt, chi ph bng gi tr: C = V
Lu rng trong trng hp c bit ny, bi ton tng ng vi:
- Cho mt tp cc s nguyn, tn ti hay khng mt tp con c
tng ng bng C?
- Hoc nu vt c php c chi ph m v C c chn bng
0, bi ton c dng: Cho trc mt tp s nguyn, tn ti hay khng
mt tp con c tng ng bng 0?
Trng hp c bit ny c gi l bi ton tng cc tp con
(subset sum problem). Vi mt s l do, trong ngnh mt m hc,
ngi ta thng dng cm t "bi ton xp ba l" khi thc ra ang c
ni v "bi ton tng con".
Bi ton xp ba l thng c gii bng quy hoch ng, tuy
cha c mt thut ton thi gian a thc cho bi ton tng qut. C
bi xp ba l tng qut v bi ton tng con u l cc bi NP-kh, v
iu ny dn n cc c gng s dng tng con lm c s cho cc h
thng mt m ha kha cng khai, chng hn Merkle-Hellman. Cc c
gng ny thng dng nhm thay v cc s nguyn. Merkle-Hellman
v mt s thut ton tng t khc b ph, do cc bi ton tng con
c th m h to ra thc ra li gii c bng cc thut ton thi gian
a thc.
Phin bn bi ton quyt nh ca bi xp ba l c m t trn
l NP-y v trong thc t l mt trong 21 bi ton NP-y ca
Karp.
Bi xp ba l dng phn s
Vi mi loi, c th chn mt phn ca n (v d: 1kg bnh m c

th c ct ra thnh nhiu phn b vo ba l)
198
Cch gii bng quy hoch ng
Bi ton xp ba l c th c gii trong thi gian gi-a thc

bng quy hoch ng. Di y l li gii quy hoch ng cho bi
ton xp ba l khng b chn.
Gi cc chi ph l c1,..., cn v cc gi tr tng ng l v1,..., vn. Ta
cn cc i ha tng gi tr vi iu kin tng chi ph khng vt qu
C. Khi , vi mi i C, t A(i) l gi tr ln nht c th t c vi
tng chi ph khng vt qu i. R rng, A(C) l p s ca bi ton.
nh ngha A(i) mt cch quy nh sau:
A(0) = 0
A(i) = max { vj + A(i cj) | cj i }
y, gi tr ln nht ca tp rng c ly bng 0. Tnh dn cc
kt qu t A(0) ti A(C), ta s c li gii. Do vic tnh mi A(i) i
hi xem xt n vt (tt c cc gi tr ny c tnh t trc), v
c C gi tr ca cc A(i) cn tnh, nn thi gian chy ca li gii quy
hoch ng l O(nC). iu ny khng mu thun vi thc t rng bi
ton xp ba l l NP-y , do C, khng nh n, khng thuc mc a
thc theo di ca u vo cho bi ton. di u vo bi ton t
l thun vi s bit trong C, ch khng t l vi chnh C.
Mt gii php quy hoch ng tng t cho bi ton xp ba l
0-1 cng chy trong thi gian gi-a thc. Cng nh trn, gi cc chi
ph l c1,..., cn v cc gi tr tng ng l v1,..., vn. Ta cn cc i ha
tng gi tr vi iu kin tng chi ph khng vt qu C. nh ngha
mt hm quy A(i, j) l gi tr ln nht c th t c vi chi ph
khng vt qu j v s dng cc vt trong khong t x1 ti xi.
A(i,j) c nh ngha quy nh sau:
A(0, j) = 0
A(i, 0) = 0
A(i, j) = A(i - 1, j) nu ci > j
A(i, j) = max(A(i - 1, j), vi + A(i - 1, j - ci)) nu ci j
Phn ph lc
199
c li gii, ta tnh A(n, C). lm iu ny, ta c th dng 1

bng lu cc tnh ton trc . Cch gii ny s chy trong thi
gian O(nC) v khng gian O(nC), tuy ta c th gim phc tp
khng gian xung O(C) bng mt s sa i nh.
Thut ton tham lam
Martello v Toth (1990) a ra mt thut ton gn ng kiu

tham lam (greedy approximation algorithm) gii bi ton xp ba l.
Gii thut ny sp xp cc vt theo th t gim dn v gi tr, sau
theo th t xp cc vt vo ba l cho n khi khng cho
thm c vt no vo na.
200
Ph lc 3
THNG T S 09/2011/TT-BCT
NGY 30/3/2011 CA B CNG THNG
Quy nh v vic qun l, s dng ch k s, chng th s
v dch v chng thc ch k s ca b cng thng
B TRNG B CNG THNG

- Cn c Ngh nh s 189/2007/N-CP ngy 27 thng 12 nm
2007 ca Chnh ph quy nh chc nng, nhim v, quyn hn v c
cu t chc ca B Cng thng; Cn c Ngh quyt 59/NQ-CP v
vic n gin ha th tc hnh chnh thuc phm vi chc nng qun
l ca B Cng thng;
- Cn c Ngh nh s 26/2007/N-CP ngy 15 thng 02 nm
2007 ca Chnh ph quy nh chi tit thi hnh Lut Giao dch in t v
ch k s v dch v chng thc ch k s; Cn c Ngh nh s
64/2007/N-CP ngy 10 thng 4 nm 2007 ca Chnh ph quy nh v
ng dng cng ngh thng tin trong hot ng ca c quan nh nc;
- B trng B Cng thng quy nh v vic qun l, s dng
ch k s, chng th s v dch v chng thc ch k s ca B Cng
thng nh sau:
Chng I. QUY NH CHUNG
iu 1. Phm vi iu chnh
Thng t ny quy nh vic qun l, s dng ch k s, chng

th s v dch v chng thc ch k s trong giao dch in t ca B
Cng thng.
Phn ph lc
201
iu 2. i tng p dng
1. T chc, c nhn thuc B Cng thng, S Cng thng cc

tnh, thnh ph trc thuc Trung ng.
2. T chc, c nhn khc la chn s dng dch v ch k s ca
B Cng thng trong cc hot ng giao dch in t do B Cng
thng t chc.
iu 3. Gii thch t ng: Trong Thng t ny, cc t ng di y
c hiu nh sau:
1. Chng th s l mt dng chng th in t do T chc

cung cp dch v ch k s ca B Cng thng cp.
2. Ch k s l mt dng ch k in t c to ra bng s
bin i mt thng ip d liu s dng h thng mt m khng i
xng theo ngi c c thng ip d liu ban u v kha cng
khai ca ngi k c th xc nh c chnh xc:
a) Vic bin i nu trn c to ra bng ng kha b mt
tng ng vi kha cng khai trong cng mt cp kha;
b) S ton vn ni dung ca thng ip d liu k t khi thc
hin vic bin i nu trn.
3. Dch v chng thc ch k s l mt loi hnh dch v do T
chc cung cp dch v ch k s ca B Cng thng qun l. Dch
v chng thc ch k s bao gm:
a) To cp kha bao gm kha cng khai v kha b mt cho
thu bao;
b) Cp, gia hn, tm dng, phc hi v thu hi chng th s ca
thu bao;
c) Duy tr trc tuyn c s d liu v chng th s;
d) Nhng dch v khc c lin quan theo quy nh ca Ngh nh
s 26/2007/N-CP ngy 15 thng 02 nm 2007 ca Chnh ph quy
nh chi tit thi hnh Lut Giao dch in t v ch k s v dch v
chng thc ch k s (gi tt l Ngh nh ch k s).
202
4. K s l vic a kha b mt vo mt chng trnh phn

mm t ng to v gn ch k s vo thng ip d liu.
5. Ngi k l thu bao dng ng kha b mt ca mnh k
s vo mt thng ip d liu.
6. Ngi nhn l t chc, c nhn nhn c thng ip d liu
c k s bi ngi k, s dng chng th s ca ngi k
kim tra ch k s trong thng ip d liu nhn c v tin hnh
cc hot ng, giao dch c lin quan.
7. Thu bao l t chc, c nhn quy nh ti iu 2 Thng t
ny; c T chc cung cp dch v ch k s ca B Cng thng
cp chng th s; chp nhn chng th s v gi kha b mt tng
ng vi kha cng khai ghi trn chng th s c cp.
8. T chc qun l thu bao l cc n v thuc B Cng
thng, hoc cc t chc khc ngh cp chng th s cho t chc,
c nhn thuc t chc mnh v chu trch nhim theo quy nh ca
php lut v qun l t chc, c nhn .
9. Giao dch in t ca B Cng thng l cc hot ng, nghip
v c tin hnh bng phng thc in t ca B Cng thng.
iu 4. T chc cung cp dch v ch k s ca B Cng thng
T chc cung cp dch v ch k s ca B Cng thng, do Cc

Thng mi in t v Cng ngh thng tin qun l, iu hnh v l
t chc duy nht ca B Cng thng cung cp dch v chng thc
ch k s.
iu 5. Chng th s
1. Ni dung chng th s: Chng th s do T chc cung cp

dch v ch k s ca B Cng thng qun l phi bao gm cc ni
dung sau:
a) Tn t chc cung cp dch v ch k s;
b) Tn thu bao;
Phn ph lc
203
c) Tn t chc qun l thu bao;

d) S hiu ca chng th s;
) Thi hn c hiu lc ca chng th s;
e) Kha cng khai ca thu bao;
g) Ch k s ca t chc cung cp dch v ch k s;
h) Cc hn ch v mc ch, phm vi s dng ca chng th s;
i) Cc hn ch v trch nhim php l ca T chc cung cp dch
v ch k s;
k) Cc thng tin khc cho mc ch qun l, s dng, an ton, bo
mt do T chc cung cp dch v ch k s quy nh.
2. Thi gian c hiu lc ca chng th s: Khng qu 05 (nm)
nm i vi chng th s ca thu bao.
Chng II. CHC NNG, NHIM V CA T CHC
CUNG CP DCH V CH K S, QUYN V NGHA V
CA CC I TNG S DNG DCH V CH K S
iu 6. Chc nng, nhim v ca T chc cung cp dch v ch k s
1. Qun l vic cp, gia hn, tm dng, thu hi, khi phc chng
th s v thay i cp kha cho thu bao khi c yu cu. Hnh thnh
v pht trin dch v bo m an ton v an ninh thng tin; cung cp
dch v ch k s.
2. Qun l, vn hnh h thng trang thit b k thut cung cp
dch v chng thc ch k s ca B Cng thng, nghin cu, nng
cp, m bo duy tr hot ng cung cp dch v chng thc ch k s
ca B Cng thng an ton, lin tc. Th nghim v xut ng
dng cc cng ngh mi m bo an ninh, an ton thng tin phc
v giao dch in t.
3. Lu tr y , chnh xc v cp nht thng tin ca thu bao
phc v vic qun l chng th s trong sut thi gian chng th s
204
c hiu lc. Trong trng hp chng th b thu hi th phi lu tr cc

thng tin chng th s ca thu bao trong thi hn t nht 05 nm k
t khi chng th s b thu hi.
4. T chc cung cp dch v ch k s c chc nng chng thc
cc ch k s lu hnh trn cc vn bn, ti liu in t v trong cc
giao dch in t.
5. Hng dn cc t chc qun l thu bao, thu bao thc hin
ng cc quy nh ti Thng t ny.
iu 7. Quyn v ngha v ca t chc qun l thu bao
1. c cung cp thng tin hng dn v trnh t, th tc cp

pht, qun l v s dng chng th s.
2. c yu cu T chc cung cp dch v ch k s cp, gia
hn, tm dng, khi phc, thu hi chng th s hoc thay i cp
kha cho cc thu bao do mnh qun l.
3. Chu trch nhim v tnh chnh xc ca cc thng tin trn giy
ngh cp, gia hn, tm dng, khi phc, thu hi chng th s v
thay i cp kha ca thu bao do mnh qun l.
4. Hng dn, kim tra cc thu bao thuc t chc mnh qun l,
s dng chng th s v kha b mt theo ng cc quy nh ti
Thng t ny.
5. Thng bo kp thi bng vn bn cho T chc cung cp dch
v ch k s tm dng hoc thu hi chng th s ca thu bao trong
cc trng hp quy nh ti iu 15 Thng t ny.
iu 8. Quyn v ngha v ca thu bao
1. c cung cp thng tin hng dn v trnh t, th tc cp

pht, qun l v s dng chng th s.
2. Thng qua t chc qun l thu bao ca mnh ngh cp, gia
hn, tm dng, khi phc, thu hi chng th s hoc thay i cp kha.
Phn ph lc
205
3. Thu bao c th trc tip gi vn bn ngh T chc cung

cp dch v ch k s tm dng chng th s ca mnh v phi chu
trch nhim trc php lut v ngh .
4. S dng chng th s ng mc ch ng k.
5. Bo qun v s dng kha b mt, cc d liu trong thit b lu
gi kha b mt theo ch Mt.
6. Thng bo kp thi cho T chc cung cp dch v ch k s v
t chc qun l thu bao ca mnh trong trng hp pht hin hoc
nghi ng chng th s, kha b mt khng cn an ton.
7. Tun th cc quy nh khc ca php lut v qun l v s
dng chng th s.
iu 9. Ngha v ca ngi nhn
1. Trc khi chp nhn ch k s ca ngi k, ngi nhn phi

kim tra nhng thng tin sau:
a) Hiu lc, phm vi s dng, gii hn trch nhim chng th s
ca ngi k v ch k s ca T chc cung cp dch v ch k s;
b) Ch k s phi c to bi kha b mt ng vi kha cng
khai trn chng th s ca ngi k.
2. Ngi nhn phi chu mi thit hi xy ra trong trng hp sau:
a) Khng tun th cc quy nh ti khon 1 iu ny;
b) bit hoc c thng bo v s khng cn tin cy ca
chng th s v kha b mt ca ngi k.
Chng III. DCH V CHNG THC CH K S
iu 10. ng k s dng dch v chng thc ch k s
1. T chc, c nhn tham gia s dng dch v chng thc ch k

s ca B Cng thng ng k mt trong cc th tc sau:
206
a) Cp chng th s (quy nh ti iu 12 ca Thng t ny);

b) Gia hn chng th s (quy nh ti iu 13 ca Thng t ny);
c) Thay i cp kha (quy nh ti iu 14 ca Thng t ny);
d) Tm dng, thu hi chng th s (quy nh ti iu 15 ca
Thng t ny);
) Khi phc chng th s (quy nh ti iu 16 ca Thng t ny).
2. T chc, c nhn c th la chn ng k qua mng Internet ti
a ch http://www.vsign.vn hoc ng k ti Tr s ca B Cng thng
- Cc Thng mi in t v Cng ngh thng tin, 25 Ng Quyn,
Hon Kim, H Ni.
iu 11. Trnh t ng k s dng dch v chng thc ch k s
qua mng Internet
1. T chc, c nhn phi khai bo cc thng tin vo phn mm do

B Cng thng cung cp v gi d liu in t v B Cng thng.
H s np qua mng Internet bao gm:
a) Bn khai in t yu cu ng k s dng dch v chng thc
ch k s ca t chc, c nhn;
b) Bn scan t bn gc quyt nh thnh lp ca t chc qun l
thu bao i vi h s ngh cp chng th s ln u (khng p
dng i vi cc n v thuc B Cng thng).
2. Cc cn b tip nhn h s v tin hnh xem xt thng tin khai
bo qua mng Internet v thng bo kt qu kim tra qua mng
Internet v cho cc t chc, c nhn. Kt qu kim tra c th thuc
mt trong hai trng hp sau:
a) ng qua mng Internet trong trng hp cc thng tin khai
bo qua mng Internet ph hp v hp l;
b) ngh t chc, c nhn sa i, b sung thng tin.
Phn ph lc
207
3. i vi trng hp yu cu sa i, b sung thng tin, t chc,

c nhn tin hnh sa i, b sung thng tin theo yu cu ca t chc
cp v truyn d liu khai bo ny qua mng Internet v t chc cp
kim tra li cho n khi cc thng tin ph hp vi yu cu ca t
chc cp.
4. Sau khi nhn c thng bo chp nhn ca t chc cp v
vic thng tin h s khai bo qua mng Internet y , hp l, n
v chu trch nhim cung cp dch v chng thc ch k s s tin
hnh cung cp dch v theo yu cu. Kt qu s c tr v qua ng
bu in hoc trc tip ti tr s ca B Cng thng.
iu 12. Cp chng th s
1. iu kin ngh cp chng th s: T chc, c nhn ngh

cp chng th s phi tha mn cc iu kin sau:
a) iu kin chung:
- Thuc i tng theo quy nh ti iu 2 Thng t ny;
- Chp thun tun th cc quy nh i vi thu bao ti Thng
t ny.
b) iu kin b sung i vi cc i tng quy nh ti khon 2
iu 2:
- L doanh nghip c thnh lp theo php lut Vit Nam;
- C kh nng trang b cc thit b k thut, t chc v duy tr hot
ng ph hp vi h thng giao dch in t ca B Cng thng;
- Ngi i din theo php lut hiu bit php lut v ch k s
v dch v chng thc ch k s.
2. H s ngh cp chng th s:
T chc, c nhn ngh cp chng th s c th khai bo trc
tuyn qua mng Internet hoc np ti tr s ca B Cng thng (trc
tip hoc qua ng bu in). Trong trng hp t chc, c nhn la
208
chn np h s qua mng Internet s thc hin theo quy nh ti iu

11 ca Thng t ny.
Trong trng hp t chc, c nhn la chn np h s trc tip
ti tr s B Cng thng, h s ngh cp bao gm:
a) Giy ngh cp chng th s ca t chc, c nhn, c xc
nhn ca t chc qun l thu bao;
b) Bn sao hp l quyt nh thnh lp ca t chc qun l thu
bao i vi h s ngh cp chng th s ln u (khng p dng
i vi cc n v thuc B Cng thng).
3. Trong thi hn khng qu 05 (nm) ngy lm vic, k t ngy
nhn c h s ngh cp chng th s hp l, t chc cung cp
dch v ch k s c trch nhim kim tra, cp chng th s cho thu
bao nu iu kin hoc c vn bn t chi trong nu r l do t
chi nu khng iu kin cp chng th s.
iu 13. Gia hn chng th s
1. Th tc gia hn chng th s:
a) Chng th s c ngh gia hn phi m bo cn thi hn
s dng t nht l 30 ngy;
b) T chc, c nhn gia hn chng th s c th khai bo trc
tuyn qua mng Internet hoc np ti tr s B Cng thng (trc tip
hoc qua ng bu in) giy ngh gia hn chng th s ca thu
bao, c xc nhn ca t chc qun l thu bao;
c) Mi chng th s c gia hn khng qu 03 (ba) ln, thi
gian gia hn cho mi ln khng qu 01 (mt) nm.
2. Thi hn x l h s gia hn chng th s:
Trong thi hn khng qu 05 (nm) ngy lm vic, k t ngy
nhn c h s ngh gia hn chng th s hp l, T chc cung
cp dch v ch k s c trch nhim kim tra, gia hn chng th s
Phn ph lc
209
cho thu bao nu iu kin hoc c vn bn t chi trong nu r

l do t chi nu khng iu kin gia hn chng th s.
iu 14. Thay i cp kha
1. iu kin thay i cp kha:

a) C yu cu thay i cp kha ca thu bao v phi m bo thi
hn s dng cn li ca chng th s t nht l 30 (ba mi) ngy;
b) T chc, c nhn mun thay i cp kha c th khai bo trc
tuyn qua mng Internet hoc np ti tr s B Cng thng (trc tip
hoc qua ng bu in) giy ngh thay i cp kha ca thu bao,
c xc nhn ca t chc qun l thu bao.
2. Thay i cp kha c tin hnh nh sau:
a) m bo knh thng tin tip nhn yu cu thay i cp kha
hot ng 24 (hai mi t) gi trong ngy v 7 (by) ngy trong tun;
b) Trong thi hn khng qu 05 (nm) ngy lm vic, k t ngy
nhn c h s ngh thay i kha hp l, T chc cung cp dch
v ch k s kim tra, thay i cp kha cho thu bao;
c) Lu tr thng tin lin quan n hot ng thay i cp kha
trong thi gian t nht 05 nm, k t thi im thay i.
iu 15. Tm dng, thu hi chng th s
1. Chng th s ca thu bao b tm dng trong cc trng hp sau:

a) T chc, c nhn mun tm dng chng th s c th khai bo
trc tuyn qua mng Internet hoc np ti tr s B Cng thng (trc
tip hoc qua ng bu in) vn bn yu cu t thu bao, c xc
nhn ca t chc qun l thu bao trong cc trng hp: kha b mt b
l hoc nghi b l; thit b lu gi kha b mt b tht lc, b sao chp
hoc cc trng hp mt an ton khc;
b) Theo yu cu bng vn bn t cc c quan nh nc c
thm quyn;
c) Theo yu cu bng vn bn t t chc qun l thu bao;
210
d) T chc cung cp dch v ch k s c cn c xc nh thu

bao vi phm cc quy nh ti Thng t ny;
) T chc cung cp dch v ch k s pht hin ra bt c sai st,
s c no c th nh hng n quyn li ca thu bao hoc an ninh,
an ton ca h thng cung cp dch v chng thc ch k s.
2. Chng th s ca thu bao b thu hi trong cc trng hp sau:
a) Chng th s ht hn s dng;
b) Theo yu cu bng vn bn t cc c quan nh nc c
thm quyn;
c) T chc, c nhn mun thu hi chng th s c th khai bo
trc tuyn qua mng Internet hoc np ti tr s B Cng thng
(trc tip hoc qua ng bu in) vn bn yu cu t thu bao, c
xc nhn ca t chc qun l thu bao;
d) Theo yu cu bng vn bn ca t chc qun l thu bao;
) T chc qun l thu bao, thu bao b gii th hoc ph sn
theo quy nh ca php lut;
e) C cn c xc nh thu bao vi phm cc quy nh v qun l,
s dng kha b mt v thit b lu gi kha b mt ti Thng t ny;
g) Thi gian tm dng chng th s ti a l 06 (su) thng.
3. T chc cung cp dch v ch k s phi m bo cc yu
cu sau:
a) m bo knh thng tin tip nhn yu cu tm dng, thu hi
chng th s hot ng 24 (hai mi t) gi trong ngy v 07 (by)
ngy trong tun;
b) Lu tr thng tin lin quan n hot ng tm dng hoc thu
hi chng th s trong thi gian t nht 05 (nm) nm k t thi im
chng th s b tm dng hoc thu hi;
c) Khi nhn c h s yu cu tm dng hoc thu hi chng th
s ca t chc, c nhn hoc khi c cn c tm dng, thu hi
Phn ph lc
211
chng th s, T chc cung cp dch v ch k s phi tin hnh tm

dng hoc thu hi chng th s trong thi hn khng qu 05 (nm)
ngy lm vic.
iu 16. Khi phc chng th s
1. Chng th s khi phc trong cc trng hp sau:

a) Theo yu cu bng vn bn t pha cc c quan Nh nc c
thm quyn;
b) T chc, c nhn mun khi phc chng th s c th khai bo
trc tuyn qua mng Internet hoc np ti tr s B Cng thng
(trc tip hoc qua ng bu in) vn bn yu cu t thu bao, c
km theo xc nhn ca t chc qun l thu bao, trong trng hp
thu bao, t chc qun l thu bao ngh tm dng chng th s
trc ;
c) Thi gian tm dng chng th s theo ngh tm dng ht;
d) Chng th s b tm dng theo quy nh ti im khon 1
iu 15 Thng t ny v nhng sai st, s c c khc phc.
2. Trong thi hn khng qu 05 (nm) ngy lm vic, k t ngy
nhn c h s ngh khi phc chng th s hp l, T chc cung
cp dch v ch k s c trch nhim kim tra, khi phc chng th
s cho thu bao.
Chng IV. IU KHON THI HNH
iu 17. X l vi phm, khiu ni v gii quyt tranh chp
Vic x l vi phm, khiu ni v gii quyt tranh chp lin quan

n vic thc hin Thng t ny c thc hin theo quy nh ca
Ngh nh ch k s v cc quy nh khc ca php lut c lin quan.
iu 18. Trch nhim thi hnh
1. Cc Thng mi in t v Cng ngh thng tin c trch nhim:
212
a) Hng dn, theo di v kim tra vic chp hnh Thng t ny

ca cc n v thuc B Cng thng v cc t chc khc c s dng
dch v chng thc ch k s ca B Cng thng;
b) m bo s hot ng n nh, an ton, lin tc ca h thng
ch k s, nghin cu v trin khai cc cng ngh ch k s tin tin,
ph hp vi hot ng ca B Cng thng.
2. Thanh tra B Cng thng c trch nhim phi hp vi Cc
Thng mi in t v Cng ngh thng tin kim tra vic thc hin
Thng t ny.
3. Th trng cc n v thuc B Cng thng v th trng
cc t chc khc c s dng dch v chng thc ch k s ca B
Cng thng c trch nhim t chc trin khai v kim tra vic thc
hin ti n v mnh theo ng cc quy nh ca Thng t ny.
iu 19. Thng t ny c hiu lc k t ngy 15 thng 5 nm
2011 v thay th Quyt nh s 40/2008/Q-BCT ngy 31 thng 10
nm 2008 v vic ban hnh Thng t qun l, s dng ch k s,
chng th s v dch v chng thc ch k s ca B Cng thng.
iu 20. Chnh Vn phng B, Cc trng Cc Thng mi in
t v Cng ngh thng tin, Th trng cc n v trc thuc B Cng
thng v cc t chc, c nhn c lin quan chu trch nhim thi hnh
Thng t ny./.
K/T. B TRNG
TH TRNG
( k)
H Th Kim Thoa
THUT NG VIT TT
Thut ng
Ting Anh
Ting Vit
AEA
Advanced Encryption Algorithm
Thut ton m ha tin tin
AS
Authentication Server
My ch xc thc
CA
Certification Authority
C quan chng thc in t
CDC
Clear Data Channel
Xa knh d liu
CRL
Certificate Revocation List
Danh sch cc chng thc

b thu hi
DC
Differential Cryptanalysis
Ph m vi sai
DEA
Data Encryption Algorithm
Thut ton m ha d liu
DES
Data Encryption Standard
Tiu chun m ha d liu
DOS
Denial of Service
Tn cng t chi dch v
ECC
Elliptic Curve Cryptography
Mt m ng cong elliptic
ESP
Encapsulating Security Payloads
Khi ng gi an ton
FIPS
Federal Information Processing

Standard
Tiu chun x l thng tin

Lin bang Hoa K
FTP
File Transport Protocol
Giao thc truyn tp
FTPS
File Transfer Protocol Secure
Giao thc truyn tp c bo mt
HS
Hash Function
Hm bm
HTTP
Hyper Text Transpot Protocol
Giao thc truyn ti siu vn bn
HTTPS
Hypertext Transfer Protocol

Secure
Giao thc truyn thng siu vn bn

c bo mt
IDEA
International Data Encryption

Algorithm
Thut ton m ha d liu

quc t
IMAP
Internet Messaging Access

Protocol
Giao thc truy nhp bn tin Internet
IPsec
Internet Protocol Security
Giao thc Internet an ton
KDC
Key Distribution Center
Trung tm phn phi kha
LC
Linear Cryptanalysis
Ph m tuyn tnh
MIME
Multipurpose Internet Mail

Extension
Giao thc m rng th in t a

phng tin trn Internet
MIT
Massachusett Institute of
Technology
Vin Cng ngh Massachusett
NAT
Network Address Translation
Thay i a ch mng
NIST
National Institute of Standards

and Technolgy
Vin Quc gia v Tiu chun

v Cng ngh
NLSP
Network Layer Security Protocol
Giao thc an ninh tng mng
NSA
National Security Agency
C quan an ninh quc gia
OCSP
Online Certificate Status

Protocol
Giao thc trng thi

chng th trc tuyn
OI
Order Information
Thng tin mua hng
PAKE
Password-authenticated key
agreement
Tha thun kha xc thc

mt khu
PCT
Private Communication
Technology
Cng ngh truyn thng

ring t
PI
Payment Information
Thng tin tr tin
PKI
Public Key Infrastructure
H tng kha cng khai
RFC
Request for Comments
Bn phc tho
S/MIME
Secure/Multipurpose Internet
Mail Extension
Giao thc m rng th in t a

phng tin trn Internet - c bo mt
SA
Security Associations
T hp an ninh
SADB
Security Association Database
C s d liu ca t hp an ninh
SCC
Secure Command Channel
Knh iu khin an ton
SFTP
SSH File Transfer Protocol
Giao thc truyn tp bao v s
SKC
Secret Key Cryptography
M ha vi kha b mt
SPI
Security Parameter Index
Ch s tham s an ninh
SS
Service Server
My ch cung cp dch v
SSH
Secure Shell Protocol
Giao thc v s bo mt
SSL
Secure Socket Layer
Tng m bo mt
TLS
Transpot Layer Security
An ninh lp giao vn
VPN
Virtual Private Network
Mng ring o
TI LIU THAM KHO

[1] Thi Thanh Tng, Gio trnh An ninh mng v bo mt d liu,
i hc M H Ni, 2006.
[2] Thi Thanh Sn - Thi Thanh Tng, Thng mi in t, NXB
Thng tin v Truyn thng, 2011.
[3] Thi Thanh Sn, i s hc, NXB i hc Quc gia H Ni, 2004.
[4] Nguyn c Ngha - Nguyn T Thnh, Ton ri rc, NXB i
hc Quc gia H Ni, 2004.
[5] Phan inh Dieu, Le Cong Thanh, Le Tuan Hoa, Average
Polynomial Time Complexity of Some NP-Complete Problems,
Theor. Comput. Sci. 46(3): 219-327 (1986)
[6] E. Biham & A. Shamir, Differential cryptanalysis of DES-like
cryptosystems, Journal of Cryptology, Springer-Verlag, 1991.
[7] Alfred J. Menezes, Paul Van Oorschot, Scott A. Vanstone,
Handbook of applied cryptography, CRC Press.1996.
[8] H.X. Mel & Doris Baker, Cryptography decrypted, Addison-Wesley
2003.
[9] Douglas Robert Stinton, Cryptography: Theory and Practice,
Chapman & Hall/CRC, 2006.
[10] Gary C. Kesler, An Overview of Cryptography, Edition of
Handbook on Local Area Networks, 2010.
[11] www.barcodesinc.com/articles/cryptography2.htm
[12] www.cryptography.com/
MC LC
Li gii thiu ......................................................................................... 3
Li m u............................................................................................ 5
Chng 1. Tng quan v bo mt thng tin v l thuyt m ha ..... 11
1.1. Nhu cu bo mt thng tin trong mi trng m .................... 11
1.2. Nhng nguyn l ca bo mt thng tin................................... 12
1.3. Khi nim v thut ng ............................................................ 15
1.4. Mt m hc............................................................................... 20
Chng 2. M ha kha i xng ...................................................... 28
2.1. Khi nim ................................................................................. 28
2.2. Tiu chun m ha d liu (DES) ............................................ 29
2.3. Tiu chun m ha tin tin (AES) .......................................... 40
2.4. u/nhc im v phm vi s dng ca m ha i xng ....... 46
2.5. Mt s phn mm m ha i xng.......................................... 49
Chng 3. Qun l v phn phi kha............................................... 51
3.1. Trung tm phn phi kha (KDC)............................................ 51
3.2. Trao i kha Diffie-Hellman (D-H)........................................ 52
3.3. Kerberos ................................................................................... 58
Chng 4. M ha kha cng khai .................................................... 67
4.1. Vi nt lch s........................................................................... 67
4.2. M ha kha cng khai............................................................. 69
4.3. Thut ton RSA ........................................................................ 74
4.4. Mt s h mt m ha kha cng khai ..................................... 79
Chng 5. Ch k in t v chng thc in t ............................. 92

5.1. Khi nim v ch k in t ..................................................... 92
5.2. Hm bm .................................................................................. 99
5.3. H tng c s kha cng khai ................................................ 108
5.4. Giao thc PGP v mng li tin cy ....................................... 117
Chng 6. Mt s giao thc bo mt thng dng khc.................. 136
6.1. Giao thc bo mt th in t
m rng a phng tin ........................................................ 137
6.2. An ninh tng giao vn v tng m bo mt........................... 141
6.3. Cc giao thc truyn thng c bo mt ................................. 145
6.4. SSH......................................................................................... 157
6.5. Thanh ton in t an ton .................................................... 161
6.6. IPsec....................................................................................... 165
PHN PH LC ................................................................................ 177
Ph lc 1 ........................................................................................... 178
1. Hm logic XOR.......................................................................... 178
2. Tnh ton thc hnh m sa sai Hamming................................ 181
Ph lc 2 ........................................................................................... 185
1. Hm modulo - ng d thc ..................................................... 185
2. Gii thut Euclid ....................................................................... 186
3. Gii thut Euclid m rng ........................................................ 187
4. nh l s d Trung Quc. ........................................................ 192
5. Bi ton xp ba l...................................................................... 195
Ph lc 3: Thng t s 09/2011/TT-BCT v vic qun l,
s dng ch k s, chng th s v dch v
chng thc ch k in t.............................................. 200
Thut ng vit tt ............................................................................. 213
Ti liu tham kho ............................................................................ 216
gio trnh mt m hc
v h thng thng tin an ton
Chu trch nhim xut bn

NGUYN TH THU H
Bin tp:
NG M HNH
Trnh tHU CHU
Trnh by sch:
bi ngc bo
Sa bn in:
Trnh tHU CHU
Thit k ba:
TRN HNG MINH
NH XUT BN THNG TIN V TRUYN THNG

Tr s: S 9, Ng 90, Ph Ngy Nh Kon Tum, Qun Thanh Xun, TP. H Ni
T Bin tp: 04.35772143
T Pht hnh: 04.35772138
E-mail: nxb.tttt@mic.gov.vn
Fax: 04.35772194, 04.35779858
Website: www.nxbthongtintruyenthong .vn
Chi nhnh TP. H Ch Minh: 8A ng D2, P25, Qun Bnh Thnh, TP. H Ch Minh
in thoi: 08.35127750, 08.35127751
Fax: 08.35127751
E-mail: cnsg.nxbtttt@ mic.gov.vn
Chi nhnh TP. Nng: 42 Trn Quc Ton, Qun Hi Chu, TP. Nng
in thoi: 0511.3897467
Fax: 0511.3843359
E-mail: cndn.nxbtttt@ mic.gov.vn
In 1000 bn, kh 16x24cm ti Cng ty In HI Nam

S ng k k hoch xut bn: 579-2011/CXB/15-166/TTTT
S quyt nh xut bn: 176/Q-NXB TTTT ngy 20 thng 7 nm 2011
In xong v np lu chiu thng 7 nm 2011

Giao Trinh Mat Ma ATTT

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Giao Trinh Mat Ma ATTT

Uploaded by

Copyright:

Available Formats

TS.

THI THANH TNG

H THNG THNG TIN AN TON

NH XUT BN THNG TIN V TRUYN THNG

trin Tin hc ng dng (AIRDI) thuc Lin hip cc Hi Khoa hc v

Mt m hc l khoa hc nghin cu c s l thuyt v cng

S pht trin ca mt m hc lun i km vi s pht trin ca

l trn Internet) th hu nh phn ln thnh qu ca cng ngh thng

ha thng dng nht trn Internet trong cc dch v bo mt th

H Ni, thng 7 nm 2011

Chng 1: Tng quan v bo mt thng tin v l thuyt m ha

Gio trnh mt m hc v h thng thng tin an ton

o, An phi ng ngay u ng ni to ln vi Bnh ang ng

Hnh 1.1: Mi trng m trong trao i thng tin

Chng 1: Tng quan v bo mt thng tin v l thuyt m ha

1.2.1. Nguyn l 1: Nguyn l b mt/ring t

Gio trnh mt m hc v h thng thng tin an ton

bin php chng minh vi i tc rng h chnh l h ch

Chng 1: Tng quan v bo mt thng tin v l thuyt m ha

nhn dng c cc ngi s dng vi quyn hn km theo ca h.

Gio trnh mt m hc v h thng thng tin an ton

Thng ip (message) l mt thc th vt l mang thng tin

Chng 1: Tng quan v bo mt thng tin v l thuyt m ha

Cipher text/message: l thng ip d liu bin i theo mt

Gio trnh mt m hc v h thng thng tin an ton

hiu m ngi dng c h thng bo mt cp xc nhn cp

Chng 1: Tng quan v bo mt thng tin v l thuyt m ha

bng cch xoay mt s ln theo chiu thun v mt s ln theo chiu

Gio trnh mt m hc v h thng thng tin an ton

Hnh 1.2: S m ha v gii m

Thng tin n tng i khi vn b khm ph m khng cn bit

Chng 1: Tng quan v bo mt thng tin v l thuyt m ha

Trong l thuyt mt m, ngi ta nghin cu ng thi cc

Gio trnh mt m hc v h thng thng tin an ton

bt kh nng d tm, chng hn nu plaintext c di kh ln th

Chng 1: Tng quan v bo mt thng tin v l thuyt m ha

Ngy nay, cc phng php m ha v lp m xem ra qu n

William Frederick Friedman (1891 1989)

Gio trnh mt m hc v h thng thng tin an ton

Nm 1920, William Frederic Friedman cng b tc phm The

Ngt on tng nhm 4 k t

Th t t nhin trong mi nhm

Kha m (chn hon v ty )

Chng 1: Tng quan v bo mt thng tin v l thuyt m ha

Cc thut ton hin i:

a. M ha kha b mt (i xng). SKC s dng mt kha cho

b. M ha kha cng khai (bt i xng). PKC s dng hai kha,

c. Hm bm (m ha mt chiu). Hm bm khng c cha kha

Hnh 1.3: Kha i xng, kha bt i xng v hm bm

Gio trnh mt m hc v h thng thng tin an ton

Trong nhng chng sau chng ta s i vo ln lt nghin cu

Chng 1: Tng quan v bo mt thng tin v l thuyt m ha

ng Lewis cho bit B Quc phng M, ging nh bt k t chc no, u

Gio trnh mt m hc v h thng thng tin an ton

Trong v d v gy m ha ca ngi Sparte, cc i tc phi

Chng 2: M ha kha i xng

bo cho Bnh v cha kha v thut ton s dng ti mt thi im

Hnh 2.1: Thut ton m ha i xng

Gio trnh mt m hc v h thng thng tin an ton

Processing Standard: Tiu chun x l thng tin Lin bang Hoa K)

Hnh 2.2: M hnh thut ton DES

Chng 2: M ha kha i xng

M t thut ton DES

Gio trnh mt m hc v h thng thng tin an ton