
Hai Phong University, Faculty of Mathematics and Informatics

Understanding Digital Certificates - CA

PROJECT REPORT
DEPARTMENT OF INFORMATION SECURITY
Topic: Understanding digital certificates (CA) and some applications that use a CA
Supervisor: M.Sc. Le Dac Nhuong
Student group: Nguyen Thanh Quang, Ngo Nu Kieu My, Pham Tien Dat, Nguyen Thi Loi
Class: CN Tin K9


Acknowledgements: We would like to thank our supervisor, Mr Le Dac Nhuong, for guiding us through this project.

Contents


I. Introduction (page 3)
II. Public key infrastructure (page 4)
II.1 Concept (page 4)
II.2 Certificate Authority (CA) (page 4)
III. Digital certificates (page 5)
III.1 Concept (page 5)
III.2 Benefits of digital certificates (page 6)
III.3 Some applications of digital certificates (page 10)
III.3.1 Digital certificates in e-commerce transactions (page 10)
III.3.2 Digital certificates for internal security in the enterprise (page 12)
III.3.3 Storing digital certificates (page 12)
IV. Deploying the Certificate Authority service on Windows Server 2003 (page 13)
IV.1 Installing the CA service (page 13)
IV.2 Certificate services provided by the Windows Server 2003 CA (page 16)
IV.3 CA types on Windows Server 2003 (page 17)
IV.4 Issuing and managing digital certificates (page 17)
IV.4.1 Auto-Enrollment (page 17)
IV.4.2 Manual Enrollment (page 18)
IV.5 Ways to request a certificate from the CA (page 19)
IV.5.1 Using the Certificates snap-in (page 19)
IV.5.2 Requesting a certificate through the Web (Web Enrollment) (page 19)


IV.6 Revoking digital certificates (page 21)
V. Some services that use the CA (page 21)
V.1 Web server authentication using SSL (page 21)
V.2 The IPSec service (page 28)
V.3 The VPN service (page 33)
VI. Results and future work (page 40)
VI.1 Results (page 40)
VI.2 Future work (page 40)

I. Introduction

Today, communication over the Internet has become an essential need. The information sent across the network is highly sensitive: account numbers, confidential data, and so on. At the same time, with increasingly sophisticated tricks, the risk of that information being stolen in transit keeps growing. Internet connections today mainly use the TCP/IP protocol suite. TCP/IP lets information travel from one computer to another through a series of intermediate machines or separate networks before it reaches its destination. It is exactly this flexibility of TCP/IP that gives a "third party" the opportunity to act illegitimately, in particular:
- Eavesdropping: the information is not altered at all, but its secrecy is gone. For example, someone can learn your credit card number or other data that must stay confidential.
- Tampering: the information is modified or replaced in transit before it reaches the recipient. For example, someone can alter a purchase order or change a person's record.
- Impersonation: information is sent to someone who pretends to be the legitimate recipient. Impersonation takes two forms:
  - Spoofing: one person pretends to be another, for example by using someone else's e-mail address or faking a website's domain name.
  - Misrepresentation: a person or organisation presents false information about itself, for example a website that claims to sell furniture but in fact exists only to steal credit card numbers and never ships anything to its customers.


For this reason, information sent over the Internet today tends to be encrypted for confidentiality. Before transmission the sender encrypts the information; if a thief "intercepts" it in transit they still cannot read it, because it is encrypted; at the destination the recipient uses a special tool to decrypt it. The most widely adopted method of encryption and security in the world today is the digital certificate. With a digital certificate, a user can encrypt information effectively, prevent forgery (the recipient can check whether the information was altered), and authenticate the sender's identity. A digital certificate is also evidence that supports non-repudiation: it stops the sender from denying the origin of a document they sent. One secure way to encrypt data is public-key encryption. To use it, one needs a digital certificate from an administering organisation called a Certification Authority (CA).

II. Public key infrastructure

II.1 Concept

A PKI (public key infrastructure) lets the users of an insecure public network such as the Internet exchange data and money securely through a pair of public and private keys that is issued and used through a trusted certification provider. A public-key infrastructure provides a digital certificate, used to verify an individual or organisation, together with directory services that can store the certificates and, when necessary, revoke them. Although the basic components of a PKI are well known, some vendors are pushing their own, differing PKI standards, and a common Internet PKI standard is still being developed. A public key infrastructure consists of:
- A certification authority (CA), which issues and verifies digital certificates.
- A certificate, which contains the public key or information about the public key.
- A registration authority (RA), which acts as the verifier for the CA before a digital certificate is issued to the requester.
- One or more directories where the digital certificates (with their public keys) are stored, so that a party can look up and obtain the public key of the partner it needs to transact with.
- A certificate management system.

II.2 Certificate Authority (CA)

In the digital certification systems operating around the world, a Certificate Authority (CA) is an organisation that issues and manages security credentials on a computer network, together with the public keys used to encrypt information. As part of the public key infrastructure (PKI), a CA works with a Registration Authority (RA) to verify the information that a requester presents for a digital certificate. If the RA confirms the requester's information, the CA then issues a certificate. Depending on how the public key infrastructure is deployed, the certificate contains the owner's public key, the certificate's expiry date, the owner's name and other information about the holder of the public key.


III. Digital certificates

III.1 Concept

A digital certificate is an electronic file used to identify an individual, a server, a company and so on, on the Internet. It is like a driving licence, a passport, an identity card or any other personal identification document. To get an identity card you must be issued one by the local police authority; likewise, a digital certificate must be issued by an organisation that certifies that your information is correct, called a Certificate Authority (CA). The CA must guarantee its trustworthiness and is responsible for the correctness of the certificates it issues. A digital certificate has three main components:
- The personal information of the person or organisation it is issued to.
- The public key of the holder.
- The digital signature of the CA that issued the certificate.

a. Personal information of the holder:

This is the information about the entity the certificate is issued to: name, nationality, address, telephone, e-mail, organisation name, etc. It corresponds to the details printed on a person's identity card. How that information is verified depends on the policies the CA sets. The policy must ensure that certificates are issued correctly: to whom, and for what purpose. Normally, before issuing a certificate, a CA publishes the procedures that must be followed for each type of certificate.

b. Public key of the holder

In cryptographic terms, the public key is a value issued by the certificate provider as an encryption key, paired with a single private key to form an asymmetric key pair. The operating principle of public keys in digital certificates is that the two parties to a transaction must know each other's public key. If party A wants to send something to party B, A encrypts it with B's public key, and B uses its own private key to open it. The asymmetry lies in the fact that the private key can decrypt data encrypted with the public key (of the same, unique key pair owned by one individual), while the public key cannot decrypt anything, not even data that the public key itself encrypted. This property is essential: many parties B, C, ... may transact with A and all hold A's public key, yet C cannot read what B sends to A even if C intercepts the packets on the network. Put another way, if the digital certificate is an identity card, the public key plays the role of your identity as printed on the card (name, address, photo, ...), and the private key is your face and your fingerprint. If a parcel stands for the transmitted information, "encrypted" with your name and address as the recipient, then even if someone uses your identity card to try to collect the parcel, the post office clerk will not hand it over, because the face and the fingerprint do not match.
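The principle just described, as an added example that is not part of the report: three constructed parties A, B and C each generate an RSA key pair with the OpenSSL command line, A encrypts a message for B, and only B's private key recovers it; C's private key and B's own public key are both refused. The presence of the openssl tool is assumed; the party names, file paths and the message are made up for this demo.

```shell
#!/bin/sh
# Added example (not from the report): the public-key principle of III.1.b
# demonstrated with OpenSSL. Party names and the message are constructed.
set -e
WORK=$(mktemp -d)

# Every party generates its own key pair; only the .pub half is ever shared.
gen_keypair() {   # $1 = party name
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$1.key" 2>/dev/null
  openssl pkey -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub" 2>/dev/null
}

# The sender encrypts with the RECIPIENT's public key. OAEP padding is used so
# that decryption with the wrong key fails loudly instead of returning garbage.
encrypt_for() {   # $1 = recipient, $2 = plaintext file, $3 = ciphertext file
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/$1.pub" \
    -pkeyopt rsa_padding_mode:oaep -in "$2" -out "$3"
}

# Only the holder of the matching private key recovers the plaintext;
# returns non-zero when this party's key is not the right one.
decrypt_as() {    # $1 = party holding a private key, $2 = ciphertext file
  openssl pkeyutl -decrypt -inkey "$WORK/$1.key" \
    -pkeyopt rsa_padding_mode:oaep -in "$2" 2>/dev/null
}

# The public key cannot undo what it encrypted: decryption is a private-key
# operation, so OpenSSL refuses a .pub file here (non-zero exit).
decrypt_with_public() {  # $1 = party, $2 = ciphertext file
  openssl pkeyutl -decrypt -pubin -inkey "$WORK/$1.pub" \
    -pkeyopt rsa_padding_mode:oaep -in "$2" >/dev/null 2>&1
}

# --- demo run with a constructed message ---
gen_keypair A; gen_keypair B; gen_keypair C
printf 'order 42: pay 1,500,000 VND to account 0123456789' > "$WORK/msg.txt"
encrypt_for B "$WORK/msg.txt" "$WORK/msg.enc"          # A encrypts for B
echo "B decrypts:     $(decrypt_as B "$WORK/msg.enc")"
decrypt_as C "$WORK/msg.enc" >/dev/null && echo "C decrypts:     UNEXPECTED" \
  || echo "C decrypts:     refused (not B's private key)"
decrypt_with_public B "$WORK/msg.enc" && echo "B.pub decrypts: UNEXPECTED" \
  || echo "B.pub decrypts: refused (a public key cannot decrypt)"
```

The point of the third check is the one the report makes with the parcel analogy: holding the "identity" (the public key) is not enough to open the message, and a captured ciphertext is useless to everyone except the intended recipient.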

c. Digital signature of the issuing CA

Also called the root certificate, this part contains (among other fields) the validity period, the name of the CA that issued the certificate, the serial number and other information. The most important point is that a digital certificate always contains the digital signature of the CA that issued it. This is the CA's attestation, guaranteeing that the certificate is correct and valid. On an identity card it corresponds to the stamp of the provincial or city police that issued the card. In principle, when checking an identity card, one looks at this stamp first to tell whether the card is forged.
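To make the three components concrete, here is an added example (not from the report, and not the Windows CA described later) that builds a toy CA with the OpenSSL command line, issues a certificate to a constructed applicant, and then checks each component in turn: the subject information, that the public key embedded in the certificate matches the applicant's private key, and that the CA signature verifies only under the root that actually issued it. The names, subject DNs, file paths and the 90-day validity are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the report): a toy CA built with OpenSSL, used to
# inspect the three components of a certificate listed in III.1.
# All names, subjects and file paths are constructed for this demo.
set -e
WORK=$(mktemp -d)

# A CA starts from a self-signed root certificate: it vouches for itself.
make_root_ca() {   # $1 = CA name, $2 = subject DN
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# The applicant makes a key pair and a request (CSR) carrying its identity
# and its PUBLIC key; the private key never leaves the applicant.
make_request() {   # $1 = applicant name, $2 = subject DN
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# After the RA-style identity check, the CA signs the request with its own
# private key, producing the certificate (valid 90 days here).
issue_cert() {     # $1 = applicant name, $2 = CA name
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 90 -out "$WORK/$1.crt" 2>/dev/null
}

# Component 1: who the certificate is about, and which CA stamped it.
cert_subject() { openssl x509 -in "$WORK/$1.crt" -noout -subject; }
cert_issuer()  { openssl x509 -in "$WORK/$1.crt" -noout -issuer; }

# Component 2: the public key inside the certificate must be the one that
# matches the applicant's private key.
key_matches() {    # $1 = applicant name
  [ "$(openssl x509 -in "$WORK/$1.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/$1.key" -pubout 2>/dev/null)" ]
}

# Component 3: the CA signature. Like checking the stamp on an ID card,
# verification succeeds only under the root that actually signed it.
verify_under() {   # $1 = applicant name, $2 = CA name
  openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# --- demo run ---
make_root_ca root  "/C=VN/O=Demo CA/CN=Demo Root CA"
make_root_ca other "/C=VN/O=Other CA/CN=Unrelated Root CA"
make_request www "/C=VN/O=Demo Shop/CN=www.demo-shop.test"
issue_cert www root
cert_subject www
cert_issuer  www
key_matches  www       && echo "public key in cert matches the applicant's private key"
verify_under www root  && echo "CA signature valid under Demo Root CA"
verify_under www other || echo "CA signature NOT valid under Unrelated Root CA (expected)"
```

The last line is the practical meaning of "look at the stamp first": a certificate whose signature does not verify under a root you trust tells you nothing about its subject, however plausible the name inside it looks.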

III.2 Benefits of digital certificates

The four main features a digital certificate gives its user are:
- Encryption of the data sent
- Identity authentication (anti-forgery)
- Non-repudiation of origin
- Data integrity
In addition, digital certificates provide security functions for various network services, such as:
- E-mail security
- Website security
- Software assurance

a. Encryption

The first benefit of a digital certificate is confidentiality. Once the sender has encrypted the information with your public key, only you can decrypt and read it. While the information travels across the Internet, even an attacker who captures the encrypted packets cannot tell what they contain. This is a very important feature; it lets users rely fully on the confidentiality of their information. Exchanges that demand high confidentiality, such as interbank transactions, electronic banking and credit card payments, all need digital certificates to be secure.

b. Identity authentication (anti-forgery)

When you send information together with your digital certificate, the recipient, who may be a business partner, an organisation or a government agency, can clearly establish your identity. Even without seeing you, through the certificate system that you and the recipient both use, the recipient knows for certain that it is you and not someone else. Authentication is a very important feature for electronic transactions over the network, as well as for administrative procedures with legal authorities; these activities must clearly verify the sender in order to use their legal standing.

c. Non-repudiation of origin


When you use a digital certificate, you take full responsibility for the information the certificate accompanies. If the sender later denies having sent some piece of information (an online purchase order, for instance), the certificate held by the recipient is the evidence that the sender authored that information. In case of a dispute, the CA that issued the certificates to both parties is responsible for verifying the origin of the information and proving where it was sent from.

d. Data integrity

A digital signature guarantees the accuracy of the data you send: the recipient can tell whether it was altered in transit.
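As an added example (not from the report) of what points b, c and d rely on in practice: a purchase order signed with the buyer's private key is verified with the buyer's public key, and both a one-digit change to the order and a signature made with someone else's key are rejected. It uses the openssl dgst commands; the buyer, the impostor, the file paths and the order text are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the report): the digital signature behind
# authentication, non-repudiation and integrity in III.2.b-d, using OpenSSL.
# Key owners and the sample order are constructed for this demo.
set -e
WORK=$(mktemp -d)

gen_keypair() {   # $1 = owner; the .pub half is what a certificate would carry
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$1.key" 2>/dev/null
  openssl pkey -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub" 2>/dev/null
}

# Signing: hash the document and sign the hash with the signer's PRIVATE key.
sign_file() {     # $1 = signer, $2 = document, $3 = signature output
  openssl dgst -sha256 -sign "$WORK/$1.key" -out "$3" "$2"
}

# Verifying uses only the PUBLIC key: anyone can check, nobody else can forge.
# Exit status 0 means "this document, unchanged, was signed by this key".
verify_file() {   # $1 = claimed signer, $2 = document, $3 = signature
  openssl dgst -sha256 -verify "$WORK/$1.pub" -signature "$3" "$2" >/dev/null 2>&1
}

# --- demo run ---
gen_keypair buyer; gen_keypair impostor
printf 'order 42: 10 units, 1,500,000 VND, ship to Hai Phong\n' > "$WORK/order.txt"
sign_file buyer "$WORK/order.txt" "$WORK/order.sig"

# 1. Authentication + integrity: genuine order, genuine signature -> accepted.
verify_file buyer "$WORK/order.txt" "$WORK/order.sig" && echo "genuine order: verified"

# 2. Integrity: one changed digit in transit breaks the signature.
sed 's/10 units/100 units/' "$WORK/order.txt" > "$WORK/order_tampered.txt"
verify_file buyer "$WORK/order_tampered.txt" "$WORK/order.sig" || echo "tampered order: rejected"

# 3. Anti-spoofing: a signature made with another key does not verify as the buyer's.
sign_file impostor "$WORK/order.txt" "$WORK/forged.sig"
verify_file buyer "$WORK/order.txt" "$WORK/forged.sig" || echo "impostor's signature: rejected"
```

Non-repudiation follows from the same check: since only the buyer's private key can produce a signature that verifies under the buyer's public key, the buyer cannot later claim that someone else placed order 42. What binds that public key to a real person is the certificate issued by the CA, which is why the report treats the CA as the arbiter in a dispute.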

e. E-mail security

E-mail is very vulnerable to hackers: messages can be read or forged before they reach the recipient. With a digital certificate you can add a digital signature to your e-mail as proof that it comes from you.

f. Website security

When your website is used for e-commerce or other important purposes, the information exchanged between you and your customers can leak along the way. A digital certificate lets you configure your website with the SSL security protocol, giving the site a unique identity that assures your customers of its authenticity and legitimacy. An SSL certificate also enables secure, confidential exchange of information between the website and your customers, employees and partners over SSL, most notably for:
- Purchases by credit card
- Protecting sensitive personal information
- Ensuring that hackers cannot sniff passwords

g. Software assurance

A digital certificate lets you sign applets, scripts, Java software, ActiveX controls, EXE, CAB and DLL files. The signer can thus guarantee the legitimacy of the product, and users can identify it and detect any change to the program (accidental corruption, damage by a virus, cracking and illegal resale).

III.3 Some applications of digital certificates

III.3.1 Digital certificates in e-commerce transactions

Smart cards: identity cards and credit cards in smart card form are also a form of digital certificate used in e-commerce. The card holder uses a card reader to sign B2G (Business to Government) or B2B (Business to Business) transactions.

B2G (Business to Government) is generally defined as commerce between companies and the public administration. It covers the use of the Internet for public procurement, licensing procedures and other government-related activities.

B2B (Business to Business) is the model of e-commerce between one business and another. B2B e-commerce is first of all the process of buying and selling online between companies: a place where companies can trade goods on the basis of a shared technology platform.

III.3.2 Digital certificates for internal security in the enterprise

- Windows Logon: checks and authenticates the identity of users (the company's employees) when they log on to the company's internal network.
- Web Authentication: verifies the identity of a person visiting and using the web portal, letting users reach the portal easily and flexibly from anywhere, on any kind of device, with support for a range of authentication methods including tokens and smart cards.
- VPN: the VPN protocol uses L2TP/IPSec, authenticated with digital certificates issued by the CA.
- Single Sign On: lets the same user name/password or digital certificate be used to log on to many different applications within an organisation.
- Outlook: uses digital certificates to encrypt and decrypt e-mail.
- Web server authentication: the web service uses SSL (Secure Socket Layer) for authentication, providing secure communication over the Internet for web browsing, e-mail, etc.
- Protecting digital property rights: digital certificates can sign applets, scripts, Java software, ActiveX controls, EXE, CAB and DLL files, so the signer can guarantee the legitimacy of the product and users can identify it and detect any change to the program.

III.3.3 Storing digital certificates

A digital certificate can be stored and used conveniently in several forms:
- A file stored on the computer (soft token)
- A USB token
- A smart card plus a card reader


IV. Deploying the Certificate Authority service on Windows Server 2003

On Windows Server 2003 the CA is software that ships with the operating system.

IV.1 Installing the CA service

Log on to Windows Server 2003 as Administrator.
1. Click Start => Control Panel => Add Or Remove Programs. The Add Or Remove Programs dialog appears.
2. Click Add/Remove Windows Components. The Add/Remove Windows Components dialog appears; select Certificate Services.
3. Click Details. The Certificate Services dialog appears.
4. A warning about domain membership and the restriction on renaming the computer appears; click Yes.
5. On the CA Type page, select Enterprise Root CA and click Next.
6. On the CA Identifying Information page, type the server's name in the Common name box and click Next.
7. On the Certificate Database Settings page, keep the default paths in the Certificate database and Certificate database log boxes and click Next.
8. A warning that Internet Information Services will be stopped appears.
9. When asked to enable Active Server Pages (ASPs), click Yes.
10. When installation completes, click Finish.

IV.2 Certificate services provided by the Windows Server 2003 CA

- Digital signatures: used to confirm the sender of a message, file or other data. A digital signature does not protect the data in transit.
- Internet authentication: PKI can authenticate a client and a server that have set up a connection over the Internet, so the server can identify the client connecting to it and the client can confirm it has connected to the right server.
- IP Security (IPSec): the IPSec extension allows encryption and transmission of digital signatures, to keep data from being exposed in transit. Deploying IPSec on Windows Server 2003 does not require PKI to obtain its encryption keys, but PKI can be used for that purpose.
- Secure e-mail: Internet e-mail protocols carry messages in clear text, so their contents are easily read in transit. With PKI the sender can protect e-mail in transit by encrypting the message with the recipient's public key, and can also sign the message with their own private key.
- Smart card logon: a smart card is a card like a credit card. Windows Server 2003 can use a smart card as an authentication device; the card holds the user's certificate and private key, letting the user log on to any machine in the enterprise with a high level of security.
- Software code signing: Microsoft's Authenticode technology uses certificates to verify that software users download and install really comes from its author and has not been modified.
- Wireless network authentication: when installing a wireless LAN, one must make sure that only properly authenticated users can join the network and that nobody can eavesdrop on wireless traffic. The Windows Server 2003 PKI can protect the wireless network by identifying and authenticating users before they access it.

IV.3 CA types on Windows Server 2003

Windows Server 2003 has two kinds of CA:
- Enterprise: an Enterprise CA is integrated with Active Directory. It uses certificate templates, publishes certificates and CRLs to Active Directory, and uses the information in the Active Directory database to accept or reject certificate requests automatically. Because an organisation's clients must reach Active Directory to obtain certificates, an Enterprise CA is not suitable for issuing certificates to clients outside the organisation.
- Stand-alone: a stand-alone CA uses neither certificate templates nor Active Directory; it stores its information locally. Moreover, by default a stand-alone CA does not respond to certificate requests automatically the way an Enterprise CA does: requests wait in a queue for the administrator to approve or reject them.
Whether you create an Enterprise CA or a stand-alone CA, you must specify whether the CA is a root CA or a subordinate CA.

IV.4 Issuing and managing digital certificates

IV.4.1 Auto-Enrollment

Auto-Enrollment lets a client request and receive a certificate from the CA automatically, without administrator intervention. It requires a domain controller running Windows Server 2003, an Enterprise CA running on Windows Server 2003, and clients running Windows XP Professional. The Auto-Enrollment process is controlled through the combination of Group Policy and certificate templates. By default, Group Policy Objects (GPOs) enable Auto-Enrollment for all users and computers in the domain. To configure it, open the Auto-Enrollment policy under Windows Settings\Security Settings\Public Key Policies, which exists under both the Computer Configuration and the User Configuration node of the Group Policy Object Editor. In the Autoenrollment Settings Properties dialog you can disable Auto-Enrollment entirely for the objects that use this GPO; you can also allow those objects to renew or automatically update their certificates.


Another technique for controlling Auto-Enrollment is to build certificate templates that define the properties of a given certificate type explicitly. Certificate templates are managed with the Certificate Templates snap-in. With this tool you can specify the validity and renewal periods of a given certificate type and choose the cryptographic service providers used for it. On the Security tab you can also specify which users and groups are allowed to request certificates based on the template.

When a client requests a certificate, the CA examines the client's Active Directory object properties to decide whether the client has the minimum permissions needed to receive the certificate. If the client has the appropriate permissions, the CA issues the certificate automatically.

IV.4.2 Manual Enrollment

A stand-alone CA cannot use Auto-Enrollment, so when it receives a certificate request from a client it stores the request in a queue until the administrator decides whether to issue the certificate. Requests are monitored and processed with the Certification Authority console.

In the Certification Authority console, all certificate requests appear in the Pending Requests folder. After evaluating the information in each request, the administrator can choose to issue it or deny it. The administrator can also view the properties of issued certificates and revoke them when necessary.

IV.5 Ways to request a certificate from the CA

IV.5.1 Using the Certificates snap-in

The Certificates snap-in is a tool for viewing and managing the certificates of a particular user or computer. Its main window holds several folders containing all the certificate categories assigned to that user or computer. If the organisation uses an Enterprise CA, the snap-in also lets users request and renew certificates with the Certificate Request Wizard and the Certificate Renewal Wizard.

IV.5.2 Requesting a certificate through the Web (Web Enrollment)

When installing Certificate Services on a Windows Server 2003 computer, you can choose to install the Certificate Services Web Enrollment Support module. To work correctly, this module requires IIS to be installed on the computer first. Selecting the module during the Certificate Services installation creates web pages on the CA computer that let users submit requests for the kind of certificate they choose.

The Web Enrollment Support interface is used by users outside or inside the network to reach a stand-alone CA. Because a stand-alone server does not use certificate templates, the client's request must include all the necessary information about the certificate and about the person who will use it. When requesting a certificate through the Web Enrollment Support interface, clients can pick from a list of predefined certificate types or create an advanced certificate by specifying all the requested information in the web-based form.


IV.6 Revoking digital certificates

Several events should prompt an administrator to revoke a certificate: the private key has been exposed, an unauthorised user has gained access to the CA, or even simply that you want to reissue the certificate with different parameters, such as a longer key; in each case the earlier certificate must be revoked. A CA maintains a CRL (Certificate Revocation List). An Enterprise CA publishes its CRLs in the Active Directory database, so clients retrieve them with the standard Active Directory protocol, the Lightweight Directory Access Protocol (LDAP). A stand-alone CA stores its CRL as a file on the server's local disk, so clients retrieve it with an Internet protocol such as Hypertext Transfer Protocol (HTTP) or File Transfer Protocol (FTP). Each certificate carries the path to the CA's CRL distribution point; this path can be changed in the Certification Authority console by opening the CA's Properties dialog and clicking the Extensions tab. When an application authenticating a client is using the certificate, it checks the CRL distribution point named in the certificate to make sure the certificate has not been revoked. If the CRL is not available at its stated distribution point, the application rejects the certificate. By selecting the Revoked Certificates folder in the Certification Authority console and opening its Properties, you can specify how often the CA should publish a new CRL, and also configure the CA to publish delta CRLs. A delta CRL lists only the certificates revoked since the last CRL was published; in an organisation with a large number of certificates, using delta CRLs instead of the base CRL can save a great deal.
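The same workflow with OpenSSL's ca tool instead of the Certification Authority console, as an added example not taken from the report: issue a certificate, check it against the published CRL, revoke it for key compromise, and observe that relying parties keep accepting it until the CA publishes a new CRL. The directory layout, subjects, serial numbers and the 7-day CRL lifetime are assumptions made for the demo; the check with no CRL at hand models the "CRL not available at the distribution point" case described above.

```shell
#!/bin/sh
# Added example (not from the report): revocation and CRL checking with the
# OpenSSL "ca" tool, standing in for the Windows CA console of IV.6.
# Directory layout, subjects, serials and CRL lifetime are constructed.
set -e
WORK=$(mktemp -d)

# A minimal CA database: index of issued certs, serial counters, config, root key.
setup_ca() {
  mkdir -p "$WORK/newcerts"
  : > "$WORK/index.txt"
  echo 1000 > "$WORK/serial"
  echo 1000 > "$WORK/crlnumber"
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 90
default_crl_days = 7
policy           = demo_policy
[ demo_policy ]
commonName       = supplied
organizationName = optional
countryName      = optional
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/O=Demo CA/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Applicant key + request, then the CA signs it and records it in index.txt.
issue_cert() {   # $1 = name, $2 = subject DN
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl ca -batch -notext -config "$WORK/ca.cnf" \
    -in "$WORK/$1.csr" -out "$WORK/$1.crt" 2>/dev/null
}

# Revocation only records the serial and reason in the CA's own database...
revoke_cert() {  # $1 = name, $2 = reason, e.g. keyCompromise
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/$1.crt" -crl_reason "$2" 2>/dev/null
}

# ...publishing a new CRL is what actually informs relying parties.
publish_crl() {
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null
}

# A relying party that insists on a revocation check: pass the CRL file, or an
# empty string to model "CRL not reachable at the distribution point".
check_cert() {   # $1 = name, $2 = CRL file or ""
  if [ -n "$2" ]; then
    openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$2" "$WORK/$1.crt" >/dev/null 2>&1
  else
    openssl verify -crl_check -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
  fi
}

# --- demo run ---
setup_ca
issue_cert web "/O=Demo Shop/CN=www.demo-shop.test"
publish_crl                                   # first CRL: nothing revoked yet
check_cert web "$WORK/ca.crl" && echo "before revocation: accepted"
check_cert web ""             || echo "no CRL available: rejected"
revoke_cert web keyCompromise
check_cert web "$WORK/ca.crl" && echo "revoked, but old CRL still in use: accepted"
publish_crl
check_cert web "$WORK/ca.crl" || echo "new CRL published: rejected"
```

The second-to-last check is the practical reason the report lets you set how often the CA publishes a CRL: revocation takes effect for clients only when a fresh CRL reaches them, so a long publication interval is a window in which a compromised key is still trusted.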

V. Some services that use the CA

V.1 Web server authentication using SSL

SSL (Secure Socket Layer) is an encryption protocol that provides secure communication over the Internet for web browsing, e-mail and similar services. SSL authenticates the endpoints of a connection and creates a private channel over the Internet by encryption. Usually only the server is authenticated, which means that only the end user (a person, an application, ...) knows for sure who they are talking to. At a higher level of security both sides must know each other, that is, authenticate mutually. Mutual authentication requires a public key infrastructure (PKI).

1) Service model


The web server is configured for SSL by obtaining a certificate from the CA service.

2) Configuring the service

On the web server, request a certificate:
Step 1: Open IIS, right-click the website that needs SSL, open the Directory Security tab and click Server Certificate.
Step 2: Choose to create a new certificate. Click Next, select Prepare the request now, but send it later, and save the request to a file.
Step 3: Open Internet Explorer and go to the CA service's address to request the certificate through the web. Choose Request a Certificate, then Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file. Open the request file saved above, copy its contents and paste them into the Saved Request box. If the CA service does not issue automatically, go to the CA machine and issue the pending request. Return to the CA's web pages and choose Download Certificate to download the newly issued certificate.
Step 4: Back in IIS, choose Process the pending request and install the certificate to import the certificate obtained above. Then click Edit and select Require secure channel (SSL) so that the website requires SSL on incoming connections.

3) Demonstrating the result

Suppose a web page with the following content is hosted on the web server, and a client connects over HTTP to view it. Without SSL, a packet capture tool reveals the page contents; with SSL the data is encrypted and cannot be read even when the packets are captured.


V.2 The IPSec service

IPSec (Internet Protocol Security) is a protocol designed to protect data with digital signatures and encryption before transmission. IPSec encrypts the information in IP packets by encapsulating them, so that even captured packets cannot be read. Because IPSec operates at the network layer, it creates a continuous encrypted channel between the endpoints (end-to-end): data encrypted on the sending machine is decrypted only when it reaches the receiving machine. IPSec protocols:
a) IP Authentication Header (AH): does not encrypt the data in the IP packet, only the header part. AH provides basic security services: the data can be read if packets are captured, but the content cannot be altered.
b) IP Encapsulating Security Payload (ESP): encrypts the entire content of the IP packet, preventing an eavesdropper from reading it as it crosses the network. ESP provides authentication, integrity and data encryption services.


1) Service model

In the model above, the FTP server is the machine providing file transfer services on the network; clients connect to it to download and upload data files. Before a client can connect it must pass an authentication step. To secure that step, as well as the contents of the data files, we integrate it with the CA service: the CA service machine provides the certificates used for authentication between the FTP server and the clients. To make this work, the machine providing the CA service also acts as the domain controller, issuing certificates automatically to machines on request.

2) Deploying the service

This part presents the main steps for creating an IPSec policy that uses the CA for the model above. The policy is created on every machine that must communicate over IPSec.
Step 1: In the IP Security Policy window, create a new policy.
Step 2: Click Next to add a new rule; on the Rules tab click Add to add an IP Filter List.
Step 3: Click Add to add the filter rules required. Here, as an example, we create a rule that filters the FTP protocol for authentication between the current machine and all other machines. In From this port, enter 21, the port FTP uses to authenticate users.
Step 4: Click OK until the Filter Action window, and choose Require Security to require IPSec whenever FTP authentication takes place.
Step 5: Choose the authentication method: select authentication by CA and click Browse to point to the CA of the network model above.
Step 6: With the policy just created, choose Assign so that the policy takes effect.

3) Demonstrating the result

Suppose client1 connects to the FTP server. Without IPSec, anyone who captures the packets learns the user name and password when the user authenticates; with IPSec encryption the contents cannot be read.


V.3 The VPN service

A VPN (Virtual Private Network) is a private network that uses a public network (the Internet) to connect sites or users to a central LAN. A VPN lets two computers exchange data over the public network as if there were a dedicated link between them. To create a point-to-point connection, the data is encapsulated: wrapped with a header that carries routing information. To emulate a private channel, the data is encrypted.


1) Service model

In this model the VPN service is deployed at the head office in Hai Phong; users elsewhere, for example in Hanoi or Ho Chi Minh City, can connect and access resources inside the head office LAN. The VPN protocol is L2TP/IPSec, authenticated with digital certificates issued by the CA.

2) Deploying the service

This part explains the role of each computer in the model above and presents its main configuration settings.

a. Domain Controller: acts as the control centre, providing name resolution (DNS, Domain Name System) and dynamic IP address assignment (DHCP, Dynamic Host Configuration Protocol). It is also the CA server that issues certificates on request.
b. Web Server: provides the website for users.
c. IAS: the machine that manages remote-access users, RADIUS (Remote Access Dial-in User Service). The service must be installed before it can be used: choose Control Panel -> Add or Remove Programs -> Windows Components -> Network Services -> Internet Authentication Service. Open the IAS program and create a new RADIUS client and a policy that specifies which groups or users are allowed remote access.
- Add the RADIUS client.
- Add a new policy allowing users in the VPNUsers group to connect.
d. VPN Server: the VPN server, which accepts connection requests from outside. Main configuration steps:
Step 1: Open Routing and Remote Access and choose Configure and Enable Routing and Remote Access.
Step 2: Choose Remote Access (dial-up or VPN).
Step 3: Choose VPN.
Step 4: Enter the address of the RADIUS server.
Step 5: In the DHCP Relay Agent section, enter the address of the DHCP server.

3) Connecting from user machines outside the network

Step 1: Create a VPN connection.
Step 2: Open the connection and enter the user name and password of a user who is allowed access.
Step 3: Click Properties and set the VPN type to L2TP/IPSec. Click OK, then Connect.


VI. Results and future work

VI.1 Results

Through this project our group studied the basic concepts of digital certificates on top of a public key infrastructure (PKI), a model now used very widely for network communication; studied and deployed the CA service, an important component of PKI, on Windows Server 2003; and finally integrated the CA service with several other network services to build services with a high level of security.

VI.2 Future work

The service models above were simulated in a LAN environment. With a better network infrastructure, they could be deployed on a larger scale over the real Internet.
