
POSTS AND TELECOMMUNICATIONS INSTITUTE OF TECHNOLOGY

Faculty of Information Technology 1


----------

UNDERGRADUATE
GRADUATION THESIS
Topic:
Research on one-time passwords and
their applications
Supervisor: Dr. Hoàng Xuân Dậu
Student: Nguyễn Việt Huy
Class: D09CNPM2

Hanoi, 12/2013

GRADUATION THESIS

TABLE OF CONTENTS
PREFACE ........ 3
LIST OF TABLES, FIGURES AND DIAGRAMS ........ 5
CHAPTER 1. OVERVIEW OF OTP AND ITS APPLICATIONS ........ 6
1.1. Overview of passwords and password-based authentication ........ 6
1.1.1. What is a password? ........ 6
1.1.2. Password-based authentication ........ 7
1.1.3. Password security ........ 8
1.2. Introduction to OTP ........ 9
1.2.1. What is an OTP? ........ 9
1.2.2. Advantages of OTP ........ 9
1.2.3. Disadvantages of OTP ........ 10
1.3. Applications of OTP ........ 11
1.3.1. Transaction authentication ........ 11
1.3.2. Single sign-on ........ 11
1.3.3. S/KEY ........ 13
1.3.4. HOTP ........ 15
1.3.5. Security token ........ 16
1.4. Chapter summary ........ 20
CHAPTER 2. METHODS OF GENERATING AND DELIVERING OTPs ........ 21
2.1. OTP generation methods ........ 21
2.1.1. Time-based OTP generation ........ 21
2.1.2. Algorithmic OTP generation based on the previous password ........ 22
2.1.3. Challenge-response-based OTP generation ........ 23
2.2. OTP delivery methods ........ 27
2.2.1. Delivery on paper ........ 27
2.2.2. Delivery by SMS ........ 28
2.2.3. Generating OTPs with a token ........ 29
2.2.4. Generating OTPs on a mobile phone ........ 33
2.3. Chapter summary ........ 36

NGUYỄN VIỆT HUY, D09CNPM2

Page | 1

CHAPTER 3. APPLYING OTP TO ONLINE BANKING TRANSACTION AUTHENTICATION ........ 37
3.1. Online banking transaction authentication with OTPs delivered by SMS ........ 37
3.1.1. Test scenario ........ 37
3.1.2. Implementation ........ 39
3.1.3. Results ........ 40
3.2. Online banking transaction authentication with OTPs generated on a mobile phone using a challenge-response protocol ........ 44
3.2.1. Test scenario ........ 44
3.2.2. Implementing the challenge-response OTP generator on a mobile phone ........ 45
3.2.3. Results ........ 46
3.3. Chapter summary ........ 48
CONCLUSION ........ 49
REFERENCES ........ 50


PREFACE
Passwords have long been used at the log-on stage to authenticate users accessing computer systems and networks. From logging in to applications on a personal computer to logging in to a company server or the website of a bank or other financial institution, the principal means of authenticating a user has been the password (the username is also a kind of password, but one with no security value, since it is usually not kept secret). However, most security experts agree that passwords are no longer safe against today's sophisticated attacks. A password can be eavesdropped, stolen or cracked (when stored encrypted or hashed) and then abused with relative ease. The one-time password (OTP) was introduced to strengthen user authentication and transaction authentication, especially for online payment transactions in banking systems.
The thesis "Research on one-time passwords and their applications" was chosen in order to study one-time passwords in depth: the methods of generating and delivering them, and their applications. Starting from an analysis of the strengths and weaknesses of these methods, the thesis focuses on studying and experimentally implementing one-time passwords to improve the security of online banking transaction authentication.
The thesis has three chapters:
Chapter 1. Overview of OTP and its applications
An overview of one-time passwords (OTP): what they are, their advantages and disadvantages, and an overview of their applications.

Chapter 2. Methods of generating and delivering OTPs
Chapter 2 presents the methods for generating and delivering one-time passwords.
Chapter 3. Applying OTP to online banking transaction authentication
Chapter 3 presents the implementation and testing of an online banking transaction authentication application that uses one-time passwords delivered by SMS, and one-time passwords generated on a mobile phone with a challenge-response protocol.
Overall, the thesis gives an overview of one-time passwords and their applications. Because of the limited time available and my limited knowledge, it inevitably has shortcomings. I welcome comments from teachers and from anyone interested in this topic so that I can improve my understanding.

LIST OF TABLES, FIGURES AND DIAGRAMS

Figure 1.1: Password authentication ........ 7
Figure 1.2: Single sign-on ........ 12
Figure 1.3: OTP generating device (OTP token) ........ 17
Figure 1.4: Mobile OTP app on iOS ........ 18
Figure 1.5: Mobile OTP app on Windows Phone 8 ........ 19
Figure 2.1: Time-based OTP generation model ........ 22
Figure 2.2: Challenge-response user authentication model ........ 24
Figure 2.3: VinaGame OTP card with pre-printed passwords ........ 27
Figure 2.4: OTP delivery by SMS ........ 28
Figure 2.5: EMV card ........ 31
Figure 2.6: E-Token device ........ 32
Figure 2.7: SSL VPN connection to a Vigor2950 with phone-assisted authentication ........ 33
Figure 2.8: Installing the OTP generator on an iPhone to authenticate to a Vigor2950 router ........ 35
Figure 3.1: Receiving an OTP via SMS ........ 37
Figure 3.2: Banking home page login screen ........ 40
Figure 3.3: Transfer page ........ 41
Figure 3.4: Confirmation page ........ 42
Figure 3.5: Transaction completed notice
Figure 3.6: Challenge-response OTP generation on a mobile phone ........ 44
Figure 3.7: Transfer page with challenge-response authentication ........ 46
Figure 3.8: OTP generator app on a mobile phone ........ 47

CHAPTER 1. OVERVIEW OF OTP AND ITS APPLICATIONS


1.1. Overview of passwords and password-based authentication
1.1.1. What is a password?
Today, log-on is an important step in securing computer systems and networks. Normally the user must supply a username and an accompanying password to log in to a system.
The username is a name chosen by the user according to the system's conventions and must be unique within that system. While the username usually need not be kept secret, the password must always be kept secret: only the user should know his or her password.

So what is a password?
A password is one or more words that the user must know in order to be granted access. It is a form of special information, such as a string of characters, an image or a fingerprint, used to authenticate, that is, to prove the identity of a person logging in to a system, service or application [8].

1.1.2. Password-based authentication


To be secure, the password must be kept secret and known only to the user. A password is typically used for a long time and exchanged frequently between the user's client and the server.
After the user types the password, the client authenticates it with the server. If the password is correct, the server confirms it and grants the corresponding access rights to the client, and through it to the user. Figure 1.1 illustrates password-based user authentication.

Figure 1.1: Password authentication.

1.1.3. Password security


Because the password is often sent from client to server in the clear (plaintext), it is easily stolen and abused, which can harm the user and threaten the security of the system. Malicious programs such as Trojan horses and key loggers are commonly used by attackers for this purpose. To find a password, attackers usually use brute-force attacks, in which automated tools try character strings one after another until the correct password is found.
Consequently, if a password is too simple or too short, a dictionary or brute-force attack lets an attacker recover it without spending much time.
In practice, a secure password should satisfy the following requirements:
- It must be at least 8 characters long. As the length grows, the chance of guessing it or brute-forcing it falls;
- It should not contain simple, easily guessed words such as the names of relatives or pets, or dates of birth. Such passwords are easily found by dictionary attacks;
- It should combine upper-case and lower-case letters, digits and special characters (such as ? $ #, ...). As the number of character classes increases, the number of possible passwords becomes very large and brute-force attacks become infeasible.

1.2. Introduction to OTP


1.2.1. What is an OTP?
A one-time password (OTP) is a password that can be used only once, or that is valid only for one session. An OTP can be used once to authenticate a user for a session or to authenticate a single transaction of that user. OTPs are commonly used in electronic transactions and in high-security authentication systems.
The same abbreviation is also used for a different concept, the one-time pad. The one-time pad, or Vernam cipher, dates from the early 20th century and is often called the holy grail of cryptography: it is the only cipher proven to be theoretically unbreakable even by an adversary with unlimited resources (that is, it resists brute-force attacks) [16]. It is a cipher, not a password scheme, and should not be confused with the one-time password discussed in this thesis. For the one-time pad to achieve that level of security, all of the following conditions must hold:
- The key must be exactly as long as the plaintext to be encrypted.
- The key must be used only once.
- The key must be truly random.

1.2.2. Advantages of OTP
OTP has many advantages over traditional passwords. Specifically:
- Security: it addresses impersonation, theft and key loggers well. For two-factor authentication, an OTP can be combined with a PIN or a conventional password.
- Ease of use: identification and authentication take a few seconds, and the risk of mistyping long OTP codes read from an authentication device into a computer is avoided (for example, an OTP token with a display shows a short code). It works with the resources and log-on facilities available on almost all computing platforms and browsers, without installing dedicated client software.
- Flexibility: the user can easily use it on different computers and can easily carry the OTP generator.

- Open source: ready to integrate with many open-source applications.

Solutions that can make use of OTP include web mail servers, CRM (customer relationship management), ERP (enterprise resource planning), document management systems and e-commerce.
1.2.3. Disadvantages of OTP
OTP loses its security when the account holder loses the OTP generator (OTP token), or when a thief can break into the SMS sending and receiving system and learn the OTP each time the customer makes a transaction. In addition, if the mobile network is slow or overloaded, or for any other reason the SMS carrying the OTP arrives late, a transaction that relies on SMS-delivered OTP cannot be completed.
Today, to save on investment costs, some businesses authenticate only with a username and a one-time password (OTP) delivered to the user by SMS to a mobile phone. The username is easily disclosed when the user logs in over the Internet or takes part in social networks or forums, and the OTP loses its security when the user's phone SIM card is stolen.

1.3. Applications of OTP


1.3.1. Transaction authentication
Today one-time passwords are widely used in banking to improve the security of payment transactions such as account transfers and remittances.
Banks commonly use two forms of transaction authentication:
- Systems using a real-time, time-synchronised OTP token:
The system uses time to synchronise OTP generation between the server and a hardware device called an OTP token (each user of the system is issued a personal token that generates OTPs in real time).
- Systems without a token:
In these systems the server automatically generates an OTP for each transaction session; the OTP is valid for a fixed period and is delivered to the user by SMS, e-mail, or similar.

1.3.2. Single sign-on


Single sign-on (SSO) based on one-time passwords is built to authenticate users who access a chain of linked applications in a distributed environment. The user supplies login credentials once and can then access many different applications in the distributed system.
Since different applications and resources support different authentication mechanisms, SSO must internally translate and store the various credentials and compare them with those used for the initial authentication. Figure 1.2 illustrates single sign-on.

Figure 1.2: Single sign-on


Benefits of SSO:
- It reduces user fatigue from logging in repeatedly to different services;
- It reduces the time spent re-entering passwords for the same identity;
- It can support common credentials such as Windows credentials (ID/password);
- Security at every level when entering and leaving the system, without inconveniencing the user;
- SSO uses a centralised authentication server that all other applications and systems rely on for authentication, combined with technology ensuring that the user never has to enter credentials again.

Drawbacks of SSO:
- It amplifies the damage when credentials become available to others and are misused. When building SSO, therefore, protection of user credentials must be strengthened, and strong authentication methods such as smart cards or one-time passwords should be combined with it.
- The authentication system becomes critical: if it fails or is unreachable, users cannot access any service in the system. Access must be guaranteed at all times and securely [19].

1.3.3. S/KEY
S/Key, also called the Lamport scheme [7], is a popular solution developed to authenticate terminal applications on Unix-family operating systems. Password generation is based on a hash function.
The user's real password is combined with an offline device holding a short string of characters (the seed) and a decrementing counter to produce a password. Because each password is used only once, the passwords are useless to a password thief.
Because the seed does not change until the counter reaches 0, a list of one-time passwords can be prepared for the user to carry. Put differently, the user can supply the password, the seed and the desired counter value to a local computer to generate the appropriate one-time password, which can then be sent over the network.
S/Key is supported on Linux, OpenBSD, NetBSD and FreeBSD. A general open-source implementation such as OPIE [17] can be used to support S/Key on other systems. S/Key is a trademark of Telcordia Technologies [17].

Below is a detailed description of the method:


- Password generation
1. The step begins with a secret key W. This key may be supplied by the user or generated by the server, and it is not sent to the client. If the key is disclosed, the security of S/Key is compromised.
2. A cryptographic hash function H is applied n times to the secret key W, producing a hash chain of n one-time passwords. The passwords are the results of applying the hash function: H(W), H(H(W)), ..., H^n(W).
3. The initial password W is discarded.
4. The user (client) is given the n one-time passwords, printed in reverse order: H^n(W), H^(n-1)(W), ..., H(H(W)), H(W).
5. The passwords H(W), H(H(W)), ..., H^(n-1)(W) are not stored on the server; the server stores only H^n(W).

- Authentication
After password generation, the user has a list of passwords. The first password in the list is the one the server stores. It is not used for authentication; the second password is used instead:
The user supplies the server with the second password in the list, pwd, and crosses it off.
The server computes H(pwd), where pwd is the supplied password. If H(pwd) equals the first password (the one the server stores), authentication succeeds, and the server replaces its stored password with pwd. In general, when the server holds H^k(W) the user presents H^(k-1)(W); the server computes H of the presented value, compares it with the stored H^k(W), and on success stores H^(k-1)(W) as the new reference value.

- Security
The security of S/Key depends on the difficulty of inverting the cryptographic hash function. Suppose an attacker captures a password that was used for one successful authentication, say H^k(W). That password is no longer valid, since each password is used only once. The attacker is interested in the next password, H^(k-1)(W), which will be used for the next authentication. Obtaining it requires inverting the hash function, deriving H^(k-1)(W) from H^k(W) = H(H^(k-1)(W)), which is very hard with current cryptographic hash functions. However, S/Key can be attacked by a man-in-the-middle [18].
S/Key uses 64-bit numbers; for the user's convenience, each number is mapped to 6 short words of 1 to 4 characters drawn from a 2048-word dictionary. For example, a 64-bit number may be represented as Roy Hurt Ski Fail Grim.
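The generation and verification steps above, worked through in Python as an added example (not the thesis's code and not OPIE). It uses SHA-256 rather than the 64-bit folded hash of the original S/Key and omits the six-word encoding, so passwords appear as raw digests; generate_chain and SKeyServer are names chosen for the example. The demo also shows the two checks a verifier must enforce: a replayed password and an out-of-order password are both rejected, and the chain is refused once it is exhausted.

```python
"""S/KEY (Lamport hash chain): chain generation, server-side verification,
and the replay / out-of-order cases. Added example, not code from the thesis."""
import hashlib
import secrets


def H(x: bytes) -> bytes:
    """The one-way function iterated to build the chain (SHA-256 stands in
    for S/Key's 64-bit folded hash)."""
    return hashlib.sha256(x).digest()


def generate_chain(w: bytes, n: int) -> list:
    """Return [H(W), H(H(W)), ..., H^n(W)]; index k-1 holds H^k(W)."""
    chain = []
    x = w
    for _ in range(n):
        x = H(x)
        chain.append(x)
    return chain


class SKeyServer:
    """Holds only the top of the chain, H^n(W), and the exponent k of what it holds."""

    def __init__(self, top: bytes, n: int) -> None:
        self.stored = top   # currently H^k(W)
        self.k = n          # current exponent k

    def verify(self, presented: bytes) -> bool:
        """Accept iff H(presented) == stored, i.e. presented == H^(k-1)(W).
        On success the presented value becomes the new reference, so the same
        value can never be accepted twice."""
        if self.k <= 1:
            return False    # chain exhausted: the user must re-enrol with a new W
        if not secrets.compare_digest(H(presented), self.stored):
            return False
        self.stored = presented
        self.k -= 1
        return True


def demo() -> dict:
    n = 5
    w = secrets.token_bytes(32)          # constructed secret W, discarded after enrolment
    chain = generate_chain(w, n)
    server = SKeyServer(chain[-1], n)    # the server keeps only H^n(W)
    # The user's printed list in the order it is consumed: H^(n-1)(W), ..., H(W)
    user_list = list(reversed(chain[:-1]))
    del w
    first = server.verify(user_list[0])   # H^(n-1)(W): accepted
    replay = server.verify(user_list[0])  # same value again: rejected
    second = server.verify(user_list[1])  # H^(n-2)(W): accepted
    skip = server.verify(user_list[3])    # H(W) presented out of order: rejected
    return {"first": first, "replay": replay, "second": second, "skip": skip,
            "remaining": server.k - 1}


if __name__ == "__main__":
    print(demo())
```

The server never learns W or any password below the one it currently holds; an eavesdropper who captures H^(k-1)(W) in transit must still invert H to produce the next value, which is the property the security paragraph above relies on. What the code does not defend against is an attacker who intercepts the password before it reaches the server and submits it first, which is the man-in-the-middle case cited at [18].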
1.3.4. HOTP
HOTP is based on the hash-based message authentication code (HMAC), usually with the SHA-1 hash function (Secure Hash Algorithm 1). HOTP was published by the Initiative for Open Authentication (OATH). Conceptually, HOTP computes an HMAC-SHA-1 value, keyed with a shared secret, over a counter. The steps for generating a HOTP password are as follows [5]:
- The two parties agree on a shared secret key S.
- The counter is initialised to c = 0.
- H is defined as HMAC computed with SHA-1.
- Truncate is a function that selects 4 bytes of the HMAC output (in the standard's dynamic truncation, the 4 bytes starting at the offset given by the low 4 bits of the last byte).
- The user to be authenticated sends the value Truncate(H(S, c)) & 0x7FFFFFFF to the server.
- The server computes the Truncate() value in the same way. If the value computed by the server matches the value supplied by the user, the user is authenticated.
- Both parties increment c.

With S/Key, the result is often too long for the user to type into the device. Instead of converting the result into a character string as S/Key does, HOTP simply computes the value
Value = HOTP(K, C) mod 10^d
where:
K is the secret key;
C is the counter;
d is the desired number of digits in the result.
Many systems implementing HOTP have been developed and deployed. A system may replace HMAC with an encryption algorithm such as the Data Encryption Standard (DES), the Advanced Encryption Standard (AES) or any other cipher. Time-based One-Time Password (TOTP) replaces the counter c with the current time, turning the counter-based HOTP into a time-based OTP.
1.3.5. Security token
A security token, commonly called an OTP token, is the most widely used second-factor device today because it is cheap and easy to use. As the name says, the generated OTP is valid for a single use, which gives high security: once the user has typed it in and logged in successfully, the password expires (the next login uses a different password). An attacker who steals this password cannot use it to log in to the system. Figure 1.3 shows an OTP generating device.

Figure 1.3: OTP generating device (OTP token)

Based on the OTP generation algorithm, OTP devices come in two kinds: time-synchronised and counter-based.
A time-synchronised OTP device generates a hard-to-guess code (password or key) from its internal clock, and the code is accepted only if the device's clock is synchronised with the authentication server's. Because of clock drift, perfect time synchronisation between the device and the server is impossible, so the server must accept codes that are slightly off. It is important to make the acceptance window as narrow as possible to reduce the opportunity for attack. Most OTP device vendors accumulate the drift observed at each successful authentication and correct for it. A time-synchronised device may need recalibration if it has not been used for a long time.
A counter-based OTP device increments its counter each time it generates a new code, and the code is accepted only if the device's internal counter is synchronised with the server's. Unlike the device's internal counter, the server's counter is adjusted at each successful authentication. With this kind, the device and the server easily lose synchronisation.
Compared with time-synchronised devices, counter-based devices are less secure against passive online and offline attacks. An attacker can mount a phishing attack and collect several codes for later use, or anyone who obtains the device can generate codes in advance without acting immediately. Some OTP devices are protected by a PIN (similar to a password); this defends against offline attacks but not against online ones. Some OTP devices can also produce digital signatures, which are an effective defence against active attacks. Both kinds of device are battery-powered and the battery must be replaced after some time. Each device is made unique with its own identifier, so the user must repeat the registration procedure whenever the OTP device is replaced.
A variant of the OTP device is software that emulates the hardware device, installed on a mobile device such as a PDA or mobile phone. Figure 1.4 shows an OTP generator app running on an iPhone:

Figure 1.4: Mobile OTP app on iOS

This is an effective and inexpensive solution, at least until mobile devices become as easy to compromise as computers and people have to install firewalls, anti-virus programs and spam filters on them as well. "Soft" OTP tokens are a common target of cloning and copying, and the user may lose control of the soft token without knowing it. Figure 1.5 shows an OTP generator app running on Windows Phone 8:

Figure 1.5: Mobile OTP app on Windows Phone 8


A soft OTP token on a mobile device, protected by an additional PIN, comes close to the security of a hardware token. Although it saves the cost of hardware (the mobile device is already available) and of physical distribution, mass deployment may run into compatibility problems in installing and operating the software, because mobile phones are very diverse in hardware and their software platforms are not uniform.


1.4. Chapter summary
Chapter 1 introduced the basic concepts: the definition of a password and of a one-time password (OTP), and the methods of authenticating with passwords and with one-time passwords. OTP is applied in many areas: transaction authentication, single sign-on, S/Key, HOTP, security tokens, and so on. Although one-time passwords still have drawbacks that have not been overcome, they remain a fairly secure method today compared with traditional passwords.

CHAPTER 2. METHODS OF GENERATING AND DELIVERING OTPs


2.1. OTP generation methods
2.1.1. Time-based OTP generation
In time-based OTP generation, the user is issued a code-generating device called a token. The token has three main components: a seed code, a clock, and a one-way cryptographic algorithm. The seed code is installed in the token by the manufacturer; each token has a different seed code, and the seed code is also stored in the service provider's system against the user's username. The clock is the token's own clock, synchronised with the system clock before the token is handed to the user. Each time the user presses the generate button, the token reads its time variable. The time is taken at a granularity of one minute or of 30 seconds.
The cryptographic algorithm used is the SHA-1 hash.
The Time-based One-Time Password (TOTP) algorithm is a concrete example of such time-based one-time password generators. It is described below.

Setup:
- A secret integer K shared between the verifier and the user is chosen.
- A time step X and an initial time T0 are agreed.

Authentication:
- The user computes the value T = floor((current time - T0) / X).
- The user sends the verifier HOTP(K, T), where HOTP is the hash-based OTP algorithm.

The verifier can confirm whether the password is valid, since any password generated in a different time step is different. And because the key is shared, the verifier can be certain that the password was generated by someone who holds the shared key. Figure 2.1 illustrates time-based OTP generation.

Figure 2.1: Time-based OTP generation model.

2.1.2. Algorithmic OTP generation based on the previous password

OTPs generated algorithmically from the previous password do not change with time; they are generated by the algorithm each time one is needed. The verifier's and the user's algorithms must stay synchronised. Each time a user authenticates successfully, the verifier will accept only the next OTP produced by the algorithm. Unlike time-based OTPs, algorithmic OTPs are valid for a single use and are not exposed to the attack described above, in which a password can be reused within a time window. Clock synchronisation and clock drift are therefore not an issue. One concern is that if an algorithmic password is stolen, it remains valid as long as the user has not yet performed the authentication.
One problem in implementing these algorithms is keeping the verifier's and the user's algorithms synchronised. Suppose, for example, that the user's hardware device displays a password and the user is unable to enter it correctly for the verifier. If the user hastily tells the device that the password was accepted, there is no way to recover the old password that the verifier is still waiting for. To cope with this, most implementations let the verifier accept a window of passwords and adjust the window based on the last valid password entered. S/Key and hash-based OTP (HOTP) are two common forms of algorithmic password generators.
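The HOTP computation of section 1.3.4, the TOTP time step of section 2.1.1 and the acceptance window just described, all in one Python example added here (not code from the thesis). hotp() follows RFC 4226, including the dynamic truncation that the text summarises as "selects 4 bytes"; totp() computes T = floor((now - T0) / X) and reuses hotp(); verify_totp() is the narrow drift window a server allows for clock skew, and CounterVerifier is the look-ahead window that resynchronises a counter-based token while refusing any code at or behind the last accepted counter. The key is the public RFC 4226 test-vector key, not a real secret; the function and class names are the example's own.

```python
"""HOTP (RFC 4226), TOTP (RFC 6238) built on it, a drift window for time-based
tokens and a look-ahead window for counter-based tokens. Added example."""
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) mod 10^d: HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduction to d decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low 4 bits of the last byte pick the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, now: int, step: int = 30, t0: int = 0, digits: int = 6) -> str:
    """TOTP = HOTP(K, T) with T = floor((now - T0) / X)."""
    return hotp(key, (now - t0) // step, digits)


def verify_totp(key: bytes, code: str, now: int, step: int = 30,
                t0: int = 0, drift: int = 1) -> bool:
    """Accept the current step and up to `drift` steps either side: the
    deliberately narrow window the text recommends. Constant-time compare."""
    t = (now - t0) // step
    return any(hmac.compare_digest(hotp(key, t + d), code)
               for d in range(-drift, drift + 1))


class CounterVerifier:
    """Counter-based verifier with a look-ahead window. The stored counter jumps
    to just past the accepted code, so a token pressed a few extra times
    resynchronises itself; codes at or behind the stored counter never match
    again, which rules out replay of a captured code."""

    def __init__(self, key: bytes, window: int = 5) -> None:
        self.key, self.counter, self.window = key, 0, window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.key, c), code):
                self.counter = c + 1                  # resync past the accepted value
                return True
        return False


# RFC 4226 Appendix D test-vector key: public test data, not a real secret.
RFC4226_KEY = b"12345678901234567890"

if __name__ == "__main__":
    print(hotp(RFC4226_KEY, 0), hotp(RFC4226_KEY, 1))        # 755224 287082
    now = int(time.time())
    print(totp(RFC4226_KEY, now), verify_totp(RFC4226_KEY, totp(RFC4226_KEY, now), now))
    v = CounterVerifier(RFC4226_KEY)
    print(v.verify(hotp(RFC4226_KEY, 3)), v.verify(hotp(RFC4226_KEY, 2)))  # True False
```

The drift window and the look-ahead window are where the two designs differ in risk: verify_totp accepts a code for up to (2 * drift + 1) steps, which is the reuse exposure section 2.1.2 refers to, whereas CounterVerifier accepts each counter value once and only moves forward. Widening either window makes an unattended token easier to abuse, so both sizes should be as small as the user population tolerates.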

2.1.3. Challenge-response-based OTP generation
A challenge-response protocol lets a user authenticate to a system by proving knowledge of a secret value without revealing the secret. The authenticating system presents the user with a randomly generated number called the challenge. The user feeds the challenge and the secret value into a cryptographic function to compute the response. The system accepts the user's identity if the response is the expected value. Because the challenge is a random number, the challenge-response protocol provides an effective defence against replay attacks. Figure 2.2 illustrates challenge-response user authentication.

Figure 2.2: Challenge-response user authentication model.
Non-cryptographic authentication was generally adequate in the days before the Internet, when the user could be confident that the system asking for the password really was the system he or she was trying to reach, and nobody could eavesdrop on the communication channel to capture the password being entered. To solve this problem a different and more sophisticated approach is needed. Many solutions involve two-way cryptographic authentication, in which both the user and the system must convince the other that they know the shared secret (the password), without that secret ever being sent in the clear over channels where thieves may be lurking.
One such method uses the password as a key on one side to encrypt some random information, forming the challenge; the other side must then reply with a response, a value computed from the original information by a predetermined function, thereby proving that it could decrypt the challenge.

For example, in Kerberos [10] the challenge is an encrypted integer N, while the response is the encrypted integer N + 1, proving that the other party could decrypt the integer N. In other variants, a hash function is applied to the password and a random challenge value to produce a new value.
Exchanging encrypted or hashed values does not directly reveal the password to an eavesdropper. The exchange does, however, give an eavesdropper information from which the password can be inferred by a dictionary or brute-force attack. Using freshly generated random information in every exchange protects against replay attacks.
Challenge-response authentication protocols usually use a cryptographic nonce as the challenge to ensure that every challenge-response sequence is unique. This protects against man-in-the-middle attacks and subsequent replay attacks.
Mutual authentication is performed with a two-way challenge-response protocol: the server ensures that the client knows the secret, and the client also ensures that the server knows the secret. This helps protect against a rogue server impersonating the real one.
Challenge-response authentication can also help solve the problem of exchanging a session encryption key. The challenge values and the secret values can be combined to derive an unpredictable encryption key for the session. This is especially effective against man-in-the-middle attacks, because an attacker cannot derive the session key from the challenges without knowing the secret, and therefore cannot decrypt the data messages.


Example of authentication with a challenge-response protocol:

- The server first generates a challenge value sc and sends it to the client.
- The client generates a challenge value cc.
- The client computes cr = hash(cc + sc + secret).
- The client sends cr and cc to the server.
- The server computes the expected value of cr and checks that the client answered correctly.
- The server computes sr = hash(sc + cc + secret).
- The server sends sr.
- The client computes the expected value of sr and checks that the server answered correctly.

where:
sc is the challenge generated by the server;
cc is the challenge generated by the client;
cr is the client's response;
sr is the server's response.
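The eight-step exchange above, implemented end to end as an added example (not the thesis's code). Server and Client are names chosen for the example; hash(a + b + c) is realised as SHA-256 over length-prefixed parts so that the boundary between challenge and secret cannot be shifted by an attacker, and a production design would use HMAC keyed with the secret instead. The server also remembers which challenges it has issued and not yet consumed, so a captured (sc, cc, cr) triple cannot be submitted a second time, and the final function shows a server that does not know the secret failing the client's check.

```python
"""Mutual challenge-response authentication: both sides of the exchange,
plus replay rejection on the server. Added example, not code from the thesis."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def _h(*parts: bytes) -> bytes:
    """hash(a + b + c) with every part length-prefixed, so the split between
    challenge and secret is unambiguous."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big"))
        m.update(p)
    return m.digest()


class Server:
    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.outstanding = set()          # challenges issued but not yet answered

    def challenge(self) -> bytes:
        sc = secrets.token_bytes(16)      # cryptographic nonce
        self.outstanding.add(sc)
        return sc

    def check_client(self, sc: bytes, cc: bytes, cr: bytes) -> Optional[bytes]:
        """Verify cr; on success consume sc (replay protection) and return sr."""
        if sc not in self.outstanding:
            return None                   # unknown or already-used challenge
        expected = _h(cc, sc, self.secret)
        if not hmac.compare_digest(expected, cr):
            return None
        self.outstanding.discard(sc)
        return _h(sc, cc, self.secret)


class Client:
    def __init__(self, secret: bytes) -> None:
        self.secret = secret

    def respond(self, sc: bytes) -> Tuple[bytes, bytes]:
        cc = secrets.token_bytes(16)
        return cc, _h(cc, sc, self.secret)

    def check_server(self, sc: bytes, cc: bytes, sr: bytes) -> bool:
        return hmac.compare_digest(_h(sc, cc, self.secret), sr)


def run_exchange(server: Server, client: Client) -> Tuple[bool, bool]:
    """One full round. Returns (server accepted client, client accepted server)."""
    sc = server.challenge()
    cc, cr = client.respond(sc)
    sr = server.check_client(sc, cc, cr)
    if sr is None:
        return False, False
    return True, client.check_server(sc, cc, sr)


def replay_is_rejected(server: Server, client: Client) -> bool:
    """Capture one (sc, cc, cr) triple and submit it again: the second attempt fails."""
    sc = server.challenge()
    cc, cr = client.respond(sc)
    first = server.check_client(sc, cc, cr)
    return first is not None and server.check_client(sc, cc, cr) is None


def rogue_server_is_detected(real_secret: bytes) -> bool:
    """A server that guesses the secret passes nothing: it cannot verify the client,
    and whatever sr it fabricates fails the client's check."""
    rogue, client = Server(b"wrong guess"), Client(real_secret)
    sc = rogue.challenge()
    cc, cr = client.respond(sc)
    fabricated = _h(sc, cc, rogue.secret)
    return rogue.check_client(sc, cc, cr) is None and not client.check_server(sc, cc, fabricated)


if __name__ == "__main__":
    shared = secrets.token_bytes(32)     # constructed shared secret
    print(run_exchange(Server(shared), Client(shared)))           # (True, True)
    print(run_exchange(Server(shared), Client(b"other")))         # (False, False)
    print(replay_is_rejected(Server(shared), Client(shared)))     # True
    print(rogue_server_is_detected(shared))                        # True
```

Both challenges enter both responses, so neither side can choose a challenge that makes the other's answer predictable, and the secret never leaves either party. As the text notes, the transcript still lets an eavesdropper mount an offline dictionary attack on a weak secret, so the shared value should be a random key rather than a memorable password.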


2.2. OTP delivery methods


2.2.1. Delivery on paper
In some cases OTPs are printed on paper; for each online transaction the user is asked to enter a particular OTP value from the pre-printed list. Figure 2.3 shows a gaming card with pre-printed OTPs:

Figure 2.3: VinaGame OTP card with pre-printed passwords.


To protect players from theft of accounts and in-game items, VinaGame [20] introduced a one-time password (OTP) solution for the game "Võ Lâm Truyền Kỳ" that it distributes. Each card carries 48 OTPs printed in random order. Logging in to the accounts that the user has registered on the provider's website succeeds only with these passwords. When the player leaves the game, the password just used is destroyed after 1 to 5 minutes, as configured by the player.
This method is still limited, however: a thief who steals the card can break into the customer's account.


2.2.2. Delivery by SMS


A common technology for delivering OTPs is the text message. In SMS authentication systems, an OTP is generated and sent as a text message to the user's mobile phone. As with a security card, the user must enter the received OTP into the login interface to prove identity and secure access to the service or application.
This is one of the most common methods used by banks. First, the customer registers for the service together with a phone number with the bank. When making a transaction, the customer enters the payment details; the bank's server generates an OTP and sends it to the customer through an SMS gateway. When the customer receives the message containing the OTP, he or she enters the OTP for the authentication server. The server checks the OTP: if it is correct and still within its validity period, the transaction is executed; otherwise an error is reported. Figure 2.4 illustrates OTP delivery by SMS.

Figure 2.4: OTP delivery by SMS



The advantage of delivering OTPs by SMS is that text messaging is a widespread communication channel, available on almost every handheld device and with a very large user base. This is also a major comparative advantage of this tool over other OTP delivery devices. In practice, it has great potential to reach many consumers at a low total cost. Of course, in some other cases the cost of a message for every single OTP is not quite appropriate.
Sending and receiving OTPs by text message also exposes some problems, namely that it is not adequately protected against attacks whose sophistication keeps increasing. Messages may be encrypted using standards such as A5/x, which according to reports by some hacker groups can be decrypted within minutes or seconds, or they may not be encrypted at all by the service providers when received and forwarded. Besides threats from hackers, mobile network operators are also a component in ensuring trust. For example, when roaming across more than one mobile network, it is essential to establish trust. And anyone who captures this information can cooperate with attackers, for example in man-in-the-middle attacks. The solution to this problem is out-of-band authentication, in which a separate channel is used for the second authentication factor; this is becoming a best practice for two-factor authentication.
2.2.3. Generating OTPs with a token
A token is a device used to authenticate a user in place of the ID/username and login password mechanism. Each token device is distinct and is associated by the service provider with a specific user. OTPs can be generated on the token.
The token device works by generating random number sequences (OTPs) itself, each valid only for a certain period (usually under 1 minute). For example, when a user wants to log in to the website of the bank that issued the token device in order to make a transaction, the user must enter the OTP shown on the token into the password field to gain access. Once the time allowed on the token has elapsed, this OTP is no longer valid; if the user has not yet logged in or completed the transaction, they must press the button, or the token automatically generates a new OTP, and the user enters this new OTP to log in or complete the transaction. Some services that use token devices: www.payoo.com.vn, www.fpts.com.vn.

Token devices come in 2 main types: EMV cards and E-Tokens

EMV card: a chip card used to generate OTPs; it cannot be used for spending like other payment cards. EMV is the smart card standard issued by the 3 largest card alliances in the world: Europay, MasterCard and Visa International. These alliances recommended that countries migrate from magnetic-stripe cards, which have low security, to chip cards, which have much higher security. The recommendation was issued in 2004, after losses from card fraud kept growing.
After the specified deadline, any bank still using magnetic-stripe cards may be fined up to 50 thousand USD per year, based on card fraud cases. The fine applies to both the card-issuing bank and the card-accepting bank.
The migration to the EMV standard worldwide has been under way for several years. Vietnam is in the region whose deadline was 1/1/2006, but at this time only VPBank has issued EMV cards. Other banks have not announced official migration plans. Figure 2.5 illustrates an EMV card:

Figure 2.5: Illustration of an EMV card

Technically, chip cards have more features than magnetic-stripe cards. A chip card can be used as a bank card, an identity card or a credit card, and can also be used to pay transport fares or to store medical, social insurance and personal information...
E-Token: a device used to generate OTPs based on connecting the device to the computer on which the customer is making the transaction. An E-Token is a digital identification device that integrates dedicated security software solutions compliant with international standards and connects to the computer through a USB port. The E-Token allows both users and security administrators to secure and manage the user authentication process effectively by storing and generating passwords and digital certificates and encrypting all login information (both public and private keys). The E-Token provides a secure, effective, easy-to-use security platform that can be deployed on a large scale. Figure 2.6 illustrates an E-Token device:


Figure 2.6: Illustration of an E-Token device

The main benefits of the E-Token are:
a) Logging in to systems, application programs and networks...
b) Encrypting e-mail and creating digital signatures...
c) Securing personal computers: boot protection and encryption of files and folders...
d) E-commerce in the B2B and B2C models: authenticating and signing transactions for e-commerce applications...
e) Combining remote server access, virtual private networks and two-factor authentication using the E-Token with advanced cryptographic technology.
f) Supporting online financial services: authentication, signing of e-banking transactions and commercial applications...
g) Supporting online services: e-government, health care, online training...

2.2.4. Generating OTPs with a mobile phone

a) Introduction to MOTP

Besides using tokens, users can also use their own mobile phone with the free Mobile One Time Password (MOTP) software to generate OTPs.
Whenever they want to access the internal network over SSL VPN, the user must enter a PIN (known in advance) into the mobile phone to generate a login password. After the SSL VPN connection is established, the login program appears asking for a username and password. The user then enters the username (known in advance) and the password just generated on the mobile phone to log in to the internal network. Figure 2.7 shows the model of an SSL VPN connection to a Vigor2950 with phone-assisted authentication:

Figure 2.7: Model of an SSL VPN connection to the Vigor2950 with phone-assisted authentication


b) Installing and using the MOTP application

The Vigor2950 router from DrayTek (Firmware v3.2.6_RC5) has a built-in one-time password mechanism for authenticating SSL and VPN connections (PPTP and L2TP protocols) and is one of the typical MOTP applications used with mobile phones [21]. Figure 2.8 illustrates the installation of the OTP-generating software on an iPhone for authenticating with the Vigor2950 router.
After installing the MOTP software on the phone, the next and most important step is for the user to set the same time on both the phone and the Vigor2950. If the clocks differ, wrong passwords are generated, because 1 minute is the maximum time the user has to enter the password generated on the phone into the login password field on the computer screen when establishing an SSL VPN connection. To set the time precisely, the user configures the Vigor2950 to synchronize its time with the ntp.org server and selects time zone GMT+7; the user should then wait until the clock on the Vigor2950 has just ticked over to a new minute and immediately correct the time on the phone.


Figure 2.8: Installing the OTP-generating software on an iPhone with the Vigor2950.

After the user has finished setting the SSL VPN parameters on the Vigor2950, the parameters under SSL VPN\User Account are the part the user needs to attend to. At the username entry, the user ticks Enable Mobile One-Time Password (mOTP); the Pin Code and Secret fields then appear and the password field is hidden.
With the SSL VPN solution combined with the mobile one-time password mechanism, remote access to the internal network becomes more reliable, safer and more secure.


2.3. Chapter summary
Chapter 2 presented methods for generating one-time passwords (OTP) and methods for delivering them to users. There are 3 common OTP generation methods: time-synchronized generation, algorithm-based generation, and OTP generation based on the challenge-response protocol. The methods for delivering OTPs to users include printing on paper, sending the OTP by SMS, using tokens, and the MOTP method. Each OTP generation and delivery method has its own characteristics, advantages and disadvantages. A suitable method is therefore chosen according to the specific security requirements of each system.


CHAPTER 3. APPLYING OTP TO AUTHENTICATING ONLINE BANKING TRANSACTIONS

3.1. Authenticating online banking transactions using OTPs delivered by SMS
3.1.1. Description of the test scenario
Today, many banks apply different OTP-based methods for authenticating online transactions. Each OTP generation and delivery method has its own advantages and disadvantages, as analyzed in chapter 2, and therefore they are applicable to different degrees. Among the OTP delivery methods, delivery by SMS is used by many banks because of the mobility it gives transactions. Figure 3.1 shows the model of receiving an OTP by SMS.

Figure 3.1: Model of receiving an OTP by SMS


Test scenario:
Before being able to perform online transactions authenticated by OTP, the user has to complete the registration procedures for an online transaction account, consisting of a username, password and phone number, with the bank. The user then uses this information when making money-transfer transactions on the bank's online payment page. The scenario for performing an online transaction authenticated by OTP consists of the following steps:
1. The user logs in to the bank's online payment page using the registered username and password.
2. The system authenticates the user's account information; if correct, it grants the user access to the system.
3. The user enters the online money-transfer application. The online transfer interface appears.
4. The user enters the transaction details one by one into the online transfer interface, including: recipient account, transfer amount, transfer description; and the user selects "Send SMS" under "Transaction code delivery method".
5. The user clicks the "Accept" button. The OTP authentication interface appears. A 1-minute countdown (the valid lifetime of the OTP) starts.
6. A message containing the OTP transaction code is sent from the system's gateway to the user's phone. The user enters the OTP received by SMS into the authentication field and clicks "Accept". If the user enters the correct OTP within the allowed time, the transaction-success interface appears. If the user enters it incorrectly, the system asks the user to re-enter the OTP.
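A server-side implementation of steps 4 to 6, as an added Python example (not the thesis's C# program): the SMS gateway and the clock are injected so the one-minute expiry, the retry on a wrong code and the fresh code after expiry can be exercised offline; the retry cap and the message text are my assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

OTP_LIFETIME_S = 60  # the one-minute countdown of the scenario
MAX_ATTEMPTS = 3     # retry cap (my addition; the scenario only says "enter again")


@dataclass
class PendingTransfer:
    recipient: str
    amount: int
    otp: str
    issued_at: float
    attempts: int = 0


class SmsOtpService:
    """Server side of the SMS flow: one fresh OTP per transfer, valid for 60 s."""

    def __init__(self, send_sms: Callable[[str, str], None],
                 now: Callable[[], float] = time.time) -> None:
        self.send_sms = send_sms  # SMS gateway (injected so a test can capture it)
        self.now = now            # clock (injected so expiry can be tested)
        self.pending: Dict[str, PendingTransfer] = {}

    def start_transfer(self, user: str, phone: str, recipient: str, amount: int) -> None:
        """Steps 4-6: record the transfer, generate the OTP, send it to the phone."""
        otp = f"{secrets.randbelow(10 ** 6):06d}"  # CSPRNG; never derived from user data
        self.pending[user] = PendingTransfer(recipient, amount, otp, self.now())
        self.send_sms(phone, f"Transaction code: {otp}")

    def confirm(self, user: str, entered: str) -> str:
        """Step 6: returns 'ok', 'retry' (wrong code, enter again) or 'expired'
        (the transfer must be redone and a new code will be sent)."""
        tx = self.pending.get(user)
        if tx is None:
            return "expired"
        if self.now() - tx.issued_at > OTP_LIFETIME_S:
            del self.pending[user]
            return "expired"
        tx.attempts += 1
        if secrets.compare_digest(tx.otp.encode(), entered.encode()):
            del self.pending[user]  # single use: the same code cannot confirm twice
            return "ok"
        if tx.attempts >= MAX_ATTEMPTS:
            del self.pending[user]  # too many wrong codes: force a fresh transfer
            return "expired"
        return "retry"
```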


3.1.2. Implementation
The test program was implemented on Microsoft Windows, in the C# language in Microsoft Visual Studio, combined with the MySQL database management system so that the system can access the database.
The SHA-1 hash algorithm is used to generate OTPs. The database is used to authenticate users and store transaction history. The database stores the username, password, account holder name, current balance and the transactions.
The server-side software is built as a web server. The server relies on the OTP sent to the user's mobile phone to decide whether to allow the user's payment or reject the request. This software interacts with the database that stores the users' information and their accounts. The program uses a phone to simulate a gateway that sends the message containing the OTP.


3.1.3. Results
In the demo, a Banking home page and two other pages were implemented. The home page displays a list of these two pages so that the user can click through to them. Initially the user must log in to the home page with their username and password. The login screen is shown in Figure 3.2.

Figure 3.2: Login screen of the Banking home page


The web page contains the list of the two pages the user may access after logging in: Transfer and Transaction History. After logging in successfully with the previously registered username and password, the user clicks Transfer and is directed to the Transfer page. The Transfer page is designed as in Figure 3.3.

Figure 3.3: Transfer page


After logging in with their account, the user's information from the current database is shown on the transfer page, including: account number, full name, account balance and phone number. The user must enter the transfer amount, the recipient's account number and the transfer description. Under "Transaction code delivery method" there are two options for the user: SMS and Challenge Response; in this part we select SMS. After filling in all the information for the transaction, the user presses the Accept button, a message containing the OTP is sent immediately to the user, and the user is directed to the Confirmation page to authenticate the OTP. The Confirmation page is designed as in Figure 3.4.

Figure 3.4: Confirmation page


From the moment the confirmation page is opened, the countdown starts. The user has one minute to enter the transaction code. The system sends the message to the user's phone number at the same time as the page redirects, so the user has enough time to enter the transaction code and complete the transaction. When the user has entered the transaction code and presses the Accept button, the system verifies the transaction code and shows the user a notification.
If the transaction code is correct, a transaction-success notification is shown as in Figure 3.5; if the transaction code is entered incorrectly, the system asks the user to enter it again. When the transaction time has expired, the user must redo the transaction, and the system sends another message containing a different transaction code to the user's mobile phone number.

Figure 3.5: Transaction completion notification


3.2. Authenticating online banking transactions using OTPs generated on a mobile phone based on the Challenge-Response protocol
3.2.1. Description of the test scenario
Figure 3.6 describes the authentication process using OTPs generated on a mobile phone with the Challenge-Response protocol.

Figure 3.6: Model of generating an OTP via Challenge Response on a mobile phone

Test scenario:
Before being able to perform online transactions authenticated by OTP, the user again has to complete the registration procedures for an online transaction account, consisting of a username, password and phone number, with the bank. The user then uses this information when making money-transfer transactions on the bank's online payment page. The scenario for performing an online transaction authenticated by an OTP generated on a mobile phone with the Challenge-Response protocol consists of the following steps:
1. The user logs in to the bank's online payment page using the registered username and password.
2. The system authenticates the user's account information; if correct, it grants the user access to the system. The user enters the online money-transfer application. The online transfer interface appears.


3. The user enters the transaction details one by one into the online transfer interface, including: transfer amount, recipient account, transfer description; and the user selects "Challenge - Response" under "Transaction code delivery method". A Challenge field containing an OTP and an empty Transaction Code field appear.
4. The user launches the Mobile OTP application installed on the phone; the application shows the fields Challenge, Money and OTP. The user enters the Challenge code and the amount to be transferred, as shown on the web page, into the phone and presses OK. The application generates an OTP for the user.
5. The user enters the OTP just obtained into the Transaction Code field and presses Accept. If the user enters the correct OTP, the transaction-success interface appears immediately. If the user enters it incorrectly, the system asks the user to re-enter the OTP.

3.2.2. Implementing the OTP-generating software on a mobile phone based on the Challenge-Response protocol

As with authenticating online banking transactions using OTPs delivered by SMS, the test program that generates OTPs on the server based on the challenge-response protocol was implemented on Microsoft Windows, in the C# language in Microsoft Visual Studio, combined with the MySQL database management system so that the system can access the database.
The SHA-1 hash algorithm is used to generate OTPs on both the server and the client. The database is used to authenticate users and store transaction history. The database stores the username, password, account holder name, current balance and the transactions.
After receiving a payment request, the server generates a challenge code. The user (client) enters the challenge number and the transaction amount into the application on their phone to generate the OTP for the transaction.


The client software was built with Microsoft Visual Studio for Windows Phone, and the OTP generation algorithm is the same on both server and client. The software was installed on a Nokia Lumia 520 running Windows Phone 8.
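The shared server/phone algorithm of this section, as an added Python example (not the thesis's C# or Windows Phone code): the thesis states only that SHA-1 is used on both sides, so the message layout, the HOTP-style truncation to six digits, the eight-digit challenge and the per-user secret are my assumptions; the server recomputes the OTP over the amount it stored, which is what binds the OTP to the transaction.

```python
import hashlib
import secrets
from typing import Dict, Tuple

OTP_DIGITS = 6


def derive_otp(user_secret: bytes, challenge: str, amount: int) -> str:
    """Algorithm shared by the server and the phone app. The thesis states only that
    SHA-1 is used on both sides; the message layout and the HOTP-style dynamic
    truncation below are my assumptions."""
    message = user_secret + b"|" + challenge.encode() + b"|" + str(amount).encode()
    digest = hashlib.sha1(message).digest()  # 20 bytes
    offset = digest[-1] & 0x0F  # 0..15, so a 4-byte window always fits
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"


def phone_app(user_secret: bytes, challenge: str, amount: int) -> str:
    """What the Mobile OTP app computes when the user presses OK."""
    return derive_otp(user_secret, challenge, amount)


class TransferServer:
    def __init__(self, user_secrets: Dict[str, bytes]) -> None:
        self.user_secrets = user_secrets  # per-user secret provisioned at enrolment
        self.pending: Dict[str, Tuple[str, str, int]] = {}  # user -> (challenge, recipient, amount)

    def start_transfer(self, user: str, recipient: str, amount: int) -> str:
        """Step 3: record the transfer details and return a fresh challenge for the page."""
        challenge = f"{secrets.randbelow(10 ** 8):08d}"
        self.pending[user] = (challenge, recipient, amount)
        return challenge

    def confirm(self, user: str, entered_otp: str) -> bool:
        """Step 5: recompute the OTP from the stored challenge and stored amount, so an
        OTP computed over a different amount (a tampered form) does not match."""
        tx = self.pending.get(user)
        user_secret = self.user_secrets.get(user)
        if tx is None or user_secret is None:
            return False
        challenge, _recipient, amount = tx
        expected = derive_otp(user_secret, challenge, amount)
        if not secrets.compare_digest(expected.encode(), entered_otp.encode()):
            return False  # wrong code: the user may enter it again
        del self.pending[user]  # correct: the challenge is consumed
        return True
```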

3.2.3. Results

Figure 3.7: Transfer page when authenticating with Challenge Response


As with authenticating online banking transactions using OTPs delivered by SMS, after logging in to their account the user goes to the Transfer page, enters the transaction details and selects "Challenge Response" under "Transaction code delivery method". The system then automatically generates an OTP Challenge. The user uses this OTP together with the amount as input to the application on the mobile device, as in Figure 3.8.

Figure 3.8: OTP-generating application on the mobile phone

Once the user knows the challenge from the server, they enter the challenge and the amount used in the transaction into the phone and press OK; the software combines the challenge and the amount to generate a new OTP for authenticating the transaction.

3.3. Chapter summary
In this chapter we built and tested an experimental program for authenticating online banking transactions using OTPs delivered by SMS, and for authenticating online banking transactions using OTPs generated on a mobile phone based on the Challenge-Response protocol. Both implemented OTP generation and delivery methods are capable of providing strong security for online transaction authentication. These applications can be deployed widely in practice, since they require no additional complex hardware or software.


CONCLUSION
A one-time password (OTP) is a password that is used only once, to authenticate a single transaction or session. Because an OTP is used only once, it is more secure than a traditional password and avoids attacks such as eavesdropping. This thesis studied one-time passwords, the techniques for generating and delivering them, and their application to authenticating online transactions. Specifically, the thesis:
- Studied an overview of one-time passwords and their applications.
- Studied methods of generating one-time passwords based on time and based on algorithms; methods of generating passwords with tokens and mobile phones; and methods of delivering one-time passwords on paper and by SMS.
- Implemented and successfully tested a one-time password application for authenticating online banking transactions, using OTP delivery by SMS and OTP generation on a mobile phone.
Possible future directions of this thesis are:
- Studying single sign-on using one-time passwords;
- Improving the interface and features of the OTP-generating application on mobile phones, so that user authentication becomes friendlier, more convenient and more secure.


REFERENCES

[1]. D. M'Raihi, J. Rydell, S. Bajaj, S. Machani, D. Naccache, OATH Challenge-Response Algorithm, June 2011.
[2]. D. M'Raihi, J. Rydell, S. Bajaj, S. Machani, D. Naccache, Time-Based One-Time Password Algorithm, May 2011.
[3]. Neil M. Haller, Bellcore, Morristown, New Jersey, The S/KEY One-Time Password System, 2011.
[4]. http://www.rsa.com/node.aspx?id=1156, 9/2013
[5]. HOTP, http://en.wikipedia.org/wiki/HOTP, 9/2013
[6]. HMAC, http://en.wikipedia.org/wiki/HMAC, 9/2013
[7]. S/Key, http://en.wikipedia.org/wiki/S/KEY, 9/2013
[8]. Authentication (Vietnamese Wikipedia), http://vi.wikipedia.org/wiki/X%C3%A1c_th%E1%BB%B1c
[9]. One Time Password, http://en.wikipedia.org/wiki/One-time_password, 9/2013
[10]. Challenge-Response Algorithm, http://en.wikipedia.org/wiki/Challenge%E2%80%93response_authentication, 9/2013
[11]. Lamport Scheme, http://www.javaworld.com/javaworld/jw-03-2009/jw-03-lamport-otp.html, 9/2013
[12]. http://datasecurity.vn/tech/business-tech/1590-chng-thc-trong-mt-ngan-hanginternet.html, 10/2013
[13]. Dng Hong Anh, Nguyn Vit Huy, Nguyn Vn Tn, Phm Minh T, Scientific research report: Research on one-time passwords and their applications, 12/2012.
[14]. Nguyn Vn Hng, Graduation thesis: Single sign-on, 12/2011.
[15]. Phm Tun Dng, Thesis: Research on security methods for the single sign-on mechanism applied in distributed systems, 2011.
[16]. Thế Giới Vi Tính, http://pcworld.com.vn/pcworld/printArticle.asp?atcl_id=5f5e5d5e5e5f5a, 10/2013
[17]. Password security on UNIX and LINUX network systems, http://www.quantrimang.com.vn/an-toan-mat-khau-tren-he-thong-mang-unix-va-linux-1758, 10/2013
[18]. Man in the middle attack, http://en.wikipedia.org/wiki/Man-in-the-middle_attack, 10/2013
[19]. Single sign on, http://en.wikipedia.org/wiki/Single_sign-on, 10/2013
[20]. http://gamethu.vnexpress.net/gt/diem-tin/2006/03/3b9ad22c/, 10/2013
[21]. MOTP, http://www.pcworld.com.vn/mobile/anpham/tm/408/articles/congnghe/ung-dung/2010/06/1219120/motp-mat-khau-dung-mot-lan-di-dong/, 9/2013
[22]. http://www.vietinbank.vn/web/home/vn/index.html, 10/2013