You are on page 1of 329

An ton H thng Thng tin

Trn c Khnh B mn HTTT Vin CNTT&TT H BKHN

Thng tin chung


Tn hc phn:
An ton H thng Thng tin

Thi lng: 45 tit nh gi


70% im thi vit 30% im qu trnh

Ging vin
Trn c Khnh B mn HTTT, Khoa CNTT, P. 325, nh C1 khanhtd@it-hut.edu.vn

Ti liu tham kho


Introduction to Computer Security.
Matt Bishop

Security in Computing, Fourth Edition.


Charles P. Pfleeger, Shari Lawrence Pfleeger

Handbook of Applied Cryptography.


A. Menezes, P. van Oorschot and S. Vanstone

Chuyn An ton & Bo mt.


Nguyn Khanh Vn

Cc Bi ging v An ton My tnh.


H Berkerley, MIT, H Edinburgh

Mc tiu chung
Sinh Sinh Sinh Sinh vin vin vin vin khng ng gt nm c kin thc t im thi tt thch mn hc

Mc tiu mn hc
Nm vng cc khi nim c bn trong an ton HTTT: mi e da, bin php ngn chn Nm c c s ca l thuyt mt m

nh gi tin cy ca cc HTTT Xc nh cc l hng bo mt, e da ca cc HTTT Hng n xy dng chnh sch v ra gii php an ton bo mt cho cc HTTT

Cc h mt m ng dng: ch k s, xc thc, giao thc truyn thng bo mt, thng mi in t,

Ni dung
Khi nim c bn v an ton thng tin Mt m hc
Mt m c in v cc h mt m ha cng khai Ch k in t, k thut hm bm Giao thc mt m v an ton thng tin

An ton cc HTTT
An An An An ton ton ton ton phn mm h iu hnh c s d liu mng, Web

S cn thit ca An ton HTTT


Thit hi an ton HTTT Thit hi thi gian: theo vin SANS, my tnh khng c bo v ch sng st < 20 trn internet Thit hi kinh t: ~ t USD hng nm
1. 2. 3. 4. Vi rt T chi dch v

[CERT]: Mi nguy

[CERT]: S c

[CERT]: Quy m, Tnh phc tp

Hi/p
Nhng nm v trc, mt s tin tc c tuyn dng vo cc cng ty hay t chc trn th gii m h ph hoi. Gn y khuynh hng ny gim r rt. Bn ngh g v s thay i ny? N tt hay xu? V sao?

An ton
Mc tiu ca an ton l bo v ti sn trnh khi cc mi e da, s dng cc bin php ngn chn Ti sn no? Mi e da no? Bin php ngn chn no?

An ton HTTT
Ti sn: phn cng, phn mm, d liu Mi e da: ph hoi, can thip, sa i Bin php ngn chn: m ha, kim sot thng qua phn mm/phn cng/cc chnh sch

An ton HTTT
3 Mc tiu: B mt (Confidentiability): ti sn ch c truy nhp bi nhng ngi c quyn Ton vn (Intergrity): ti sn ch c to/xa/sa i bi nhng ngi c quyn Sn dng (Availability): ti sn sn sng p ng s dng cho nhng ngi c quyn

Hi/p
Nhng bin php ngn chn no ang c s dng trn my tnh c nhn ca bn? Cc bin php ny nhm ngn chn nhng e da no?

An ton HTTT - Mi e da
Phn mm c tnh (Malware) Phishing Spam T chi dch v (Denial of service) Truy nhp tri php (Unauthorized access) Giao dch gian ln (Fraudulent transaction)

An ton HTTT - Bin php


Giao thc m ha Kim tra ngi s dng + mt khu Qut/dit phn mm c tnh Gii hn truy nhp Phn quyn trong h iu hnh Tng la H thng pht hin t nhp Th thng minh m ha Kha

Cc ch
Mt m hc An ton phn mm An ton h iu hnh An ton c s d liu An ton mng, Web

Trm t bng my tnh xch tay


2007, chic BMW X5 ca David Beckham b nh cp Madrid K cp s dng my tnh xch tay, ng ten v phn mm b kha ng ten thu sng pht ra t chp RFID c ci trong kha Phn mm c dng th tt c cc kh nng m ha (hng nghn t) Ngun:
http://www.msnbc.msn.com/id/13507939

2004, cc nh nghin cu ca H Johns Hopkins b c kha ca mt s xe i mi Texas Instruments, nh sn xut chip RFID, b qua li cnh bo ca nhm nghin cu

Gii m Enigma
My m ha v gii m pht minh bi Arthur Scherbius cui th chin th nht Enigma c s dng trong qun i c Quc x trong th chin th hai Cng trnh gii m Enigma ca qun ng minh c cc s gia nh gi l rt gn 2 nm thi gian th chin Mt trong nhng lc lng gii m ni ting l nhm HUT 8 ca Anh, do Alain Turing dn u

Cc ch (1)
Mt m hc
H Mt m c in H Mt m kha b mt H Mt m kha cng khai Hm bm, ch k s Qun l kha, giao thc mt m,

Tn cng iPhone
2007, cc nh nghin cu ca Independent Security Evaluators pht hin mt l hng to iu kin cho k t nhp kim sot iPhone Trnh duyt Safari ca iPhone chy vi c quyn admin -> phn mm c tnh chy vi c quyn admin t nhp thng qua im truy nhp khng dy (wireless access point) Cc trang Web Email, SMS c cha cc ng dn n cc trang web b chim ot
Ngun:
http://securityevaluators.com/content/case-studies/iphone//

Cc ch (2) & (3)


An ton phn mm
Cc mi e da Cc bin php an ton Sot li Kim nh Lp trnh an ton

An ton h iu hnh
Cc mi e da Cc bin php an ton Phn quyn, iu khin truy nhp, Sandbox Trusted computing

500 000 trang Web b tn cng


2008, hn na triu trang Web, trong c c cc trang ca Lin Hp Quc b tn cng Tn cng dng SQL injection Khai thc l hng trong SQL Server ca Microsoft Ngun:

http://www.computerworld.com/s/article/9080580/Huge _Web_hack_attack_infects_500_000_pages

Cc ch (4)
An ton c s d liu
Cc mi e da Cc bin php an ton
Gii php a tng

t nhp hp th Gmail
2008, ti hi ngh Defcon hacker mt nh nghin cu demo mt cng c cho php t nhp vo hp th Gmail, ngay c khi cc phin truy nhp hp th c m ha (https:// thay v http:// ) t nhp thng qua vic nh cp Session Cookie

Session Cookie chng nhn my tnh ng nhp thnh cng Session Cookie b nh cp s c s dng nh mt chng nhn hp l truy nhp hp th Gmal

Ngun: Washington Post

Cc ch (5)
An ton mng, Web
Cc mi e da Tn cng t chi dch v Spam Phn mm c tnh Cc cng c bo v

Mt m & ng dng
Trn c Khnh B mn HTTT Vin CNTT&TT H BKHN

Mt m hc
Mt m hc (Cryptology)
Mt m (Cryptography) M thm (Cryptanalysis)

Mt m
Tng cng cc tnh cht B mt v Ton vn thng tin: cc php m ha Xy dng cc k thut trao i thng tin b mt: cc giao thc mt m

M thm
Ph m

Lch s ngnh Mt m
Giai on Tin s (~ 2000, TCN) Nhng du hiu u tin ca Mt m xut hin bn b sng Nile, Ai Cp Giai on Mt m th cng (~ 50, TCN) Php m ha Ceasar Giai on Mt m c hc (cho n Th chin 2) My Enigma c Cc nghin cu v Gii m Anh Giai on Mt m in t Da vo Ton hc v Tin hc c t nn mng bi Shanon, Diffie v Hellman Kha b mt (DES, AES,), Kha cng khai (RSA, ElGamal, )

Trao i thng tin b mt


Alice v Bob trao i thng tin b mt, c m ha Eve v Charlie tn cng bng gii m
Eve Alice Tn cng th ng Bob

Charlie

Tn cng ch ng

Mc tiu An ton
B mt (Confidentiality) Ton vn (Integrity) Xc thc (Authentication) Chng ph nhn (Non-repudiation)

Ch
H mt m c in H mt m kha b mt (i xng) H mt m kha cng khai (bt i xng) Hm bm, ch k s Qun l kha, giao thc mt m,

H mt m
H Mt m = B 5 (K,M,C,E,D) Khng gian Kha (Key): K Khng gian Tin (Message/Plaintext): M Khng gian M (Cipher): C Hm m ha (Encryption)
E: K x M -> C

Hm gii m (Decryption)
D: K x C -> M

Ch
H mt m c in H mt m kha b mt (i xng) H mt m kha cng khai (bt i xng) Hm bm, ch k s Qun l kha, giao thc mt m,

H mt m c in

M ha Tin

Gii m

Tin ban u

H mt m c in
M hon v M n th

M hon v
Cc k t trong Tin c hon v cho nhau

M hon v
Hon v ct
c1 c6 c11 c2 c7 c12 c3 c8 c4 c9 c5 c10

chuyn thnh
c1 c12 .. c6 c3 . c11 c8 . c2 . c7 .

Hon v ct
Tin
T H I S S A M E S A G E O S H O H O WA O L U M A R T R N S P O I T I O WOR K I S T W C N A S N S

Hon v ct
Tin
T H I S S A M E S A G E O S H O H O WA O L U M A R T R N S P O I T I O WOR K I S T W C N A S N S

M
t s oa ha l r i m u t s e mr i s n a s n a s g p e o t s o i s t h i o o w n h w o o w r a k c s

M n th
Mi k t c thay th bng mt k t khc

M n th
M Ceasar: c = m + n m: k t trong Tin c: k t tng ng trong M n: dch chuyn +: php cng modulo 26 V d: n = 3 Tin: ABCDEFGHIJKLMNOPQRSTUVWXYZ M: defghijklmnopqrstuvwxyzabc

M Ceasar
Tin
TREATY IMPOSSIBLE

M Ceasar
Tin
TREATY IMPOSSIBLE

M
WUHDWB LPSRVVLEOH

Ch
H mt m c in H mt m kha b mt (i xng) H mt m kha cng khai (bt i xng) Hm bm, ch k s Qun l kha, giao thc mt m,

H mt m kha i xng
Duy nht mt kha cho qu trnh m ha v gii m
C = E(K,M) M = D(K,C)

Kha phi c gi b mt

H mt m kha i xng

Kha duy nht

M ha Tin

Gii m

Tin ban u

Cc H mt m kha i xng
M lung
M Vigenre M Vernam

M khi
DES AES

M lung
n v m ha c bn l cc k t
Cc k t trong Tin c m ha tch bit

M Vigenre
Kha

Tin

M Vigenre
Kha
BENCH A LIMERICK PACKS LAUGHS ANATOMICAL B ENCHBENC HBENC HBENCH BENCHBENCH

Tin Ni di Kha M ha
Kha: Tin: M:
B ENCHBENC HBENC HBENCH BENCHBENCH A LIMERICK PACKS LAUGHS ANATOMICAL B PVOLSMPM WBGXU SBYTJZ BRNVVNMPCS

M Vernam
K t l cc bit Kha
K = K1K2K3Kn S ngu nhin Ki Mi Ci = Ki xor Mi

Tin
M = M1M2M3Mn

0 0 1 1

0 1 0 1

0 1 1 0

M
C = C1C2C3Cn trong Ci = Ki xor Mi

M khi
n v m ha c bn l cc khi k t Cc tham s bao gm kch thc khi v chiu di kha
Kch thc khi ln chng tn cng bng thng k Chiu di kha ln chng tn cng vt cn

Data Encryption Standard (DES)


Lch s ~ 1970, NIST ku gi xy dng h mt m dnh cho cng chng 1974, IBM xy dng DES trn nn tng ca h Lucifer 1979, chun ha Mc tiu Mc ch s dng rng ri an ton cao Khng ph thuc vo tnh b mt ca thut ton ng dng ATM Truy nhp t xa

Data Encryption Standard (DES)


DES
Khi 64 bit Kha 56 bit 16 vng lp m ha Mi vng kt hp Hon v + n th
Kha 56 bit

Tin

M ha DES

M ha DES
TIN 64-bit Hon v u IP Vng 1 Vng 2 ...... Vng 16 Hon v cui FP M 64-bit K1 48-bit K2 48-bit K16 48-bit KHA 64-bit KS

IP, FP
IP 58 60 62 64 57 59 61 63 50 52 54 56 49 51 53 55 42 44 46 48 41 43 45 47 34 36 38 40 33 35 37 39 26 28 30 32 25 27 29 31 18 20 22 24 17 19 21 23 10 12 14 16 9 11 13 15 2 4 6 8 1 3 5 7 40 39 38 37 36 35 34 33 8 7 6 5 4 3 2 1 48 47 46 45 44 43 42 41 16 15 14 13 12 11 10 9 FP 56 55 54 53 52 51 50 49 24 23 22 21 20 19 18 17 64 63 62 61 60 59 58 57 32 31 30 29 28 27 26 25

IP(b1b2b64) = b58b50b7 FP(b1b2b64) = b40b8b25

KS
KS1 57 1 10 19 63 7 14 21 49 58 2 11 55 62 6 13 41 50 59 3 47 54 61 5 33 42 51 60 39 46 53 28 25 34 43 52 31 38 45 20 17 26 35 44 23 30 37 12 9 18 27 36 15 22 29 4 14 3 23 16 41 30 44 46 17 28 19 7 52 40 49 42 11 15 12 27 31 51 39 50 KS2 24 6 4 20 37 45 56 36 1 21 26 13 47 33 34 29 5 10 8 2 55 48 53 32

KS1 chuyn khi 64 bit thnh khi 2 khi 28 bit KS2 chuyn 2 khi 28 bit thnh khi 48 bit
KS2 (b1b2b56) = b14b17b32 KS1(b1b2b64) = b57b49b36 b63b55b4

KS
Kha ban u K (C0,D0) = KS1(K) Ki = KS2 (Ci,Di)
Ci
Dch chuyn vng trn sang tri 1 bit Ci-1 nu i = 1,2,9,16 Dch chuyn vng trn sang tri 2 bit Ci-1 trong cc trng hp khc

Tng t cho Di

Vng lp DES
32 bit tri 32 bit phi E xor S-boxes P xor 32 bit tri 32 bit phi kha 48-bit

E, P
E 32 4 8 12 16 20 24 28 1 5 9 13 17 21 25 29 2 6 10 14 18 22 26 30 3 7 11 15 19 23 27 31 4 8 12 16 20 24 28 32 5 9 13 17 21 25 29 1 16 29 1 5 2 32 19 22 7 12 15 18 8 27 13 11 P 20 28 23 31 24 3 30 4 21 17 26 10 14 9 6 25

E(b1b2b32) = b32b1b1 P(b1b2b32) = b16b7b25

S-Boxes
Chuyn khi 48 bit thnh khi 32 bit 8 khi 6 bit: S1, S2,,S8 (b1b2b3b4b5b6) Chuyn S1 thnh khi 4 bit
b1b6 cho gi tr thp phn i b2b3b4b5 cho gi tr thp phn j kt qu ti dng i ct j ca bng S1
0 0 1 2 3 14 0 4 15 1 4 15 1 12 2 13 7 14 8 3 1 4 8 2 4 2 14 13 4 5 15 2 6 9 6 11 13 2 1 7 8 1 11 7 8 3 10 15 5 9 10 6 12 11 10 6 12 9 3 11 12 11 7 14 12 5 9 3 10 13 9 5 10 0 14 0 3 5 6 15 7 8 0 13

Tng t i vi S2,S3,,S8 (c bng ring)

S-Boxes
Chuyn S1 (110001) thnh khi 4 bit
b1b6 (11) cho gi tr thp phn i (3) b2b3b4b5 (1000) cho gi tr thp phn j (8): kt qu (5) ti dng i (3) ct j (8) ca bng S1

0 0 1 2 3 14 0 4 15

1 4 15 1 12

2 13 7 14 8

3 1 4 8 2

4 2 14 13 4

5 15 2 6 9

6 11 13 2 1

7 8 1 11 7

8 3 10 15 5

9 10 6 12 11

10 6 12 9 3

11 12 11 7 14

12 5 9 3 10

13 9 5 10 0

14 0 3 5 6

15 7 8 0 13

5 (Thp phn) = 0101 (Nh phn)

Gii m DES
S dng cng mt dy kha Th t cc kha o ngc Hon i 2 na tri, phi Thc hin cng s vng lp

im yu DES
Tm kha bng vt cn S dng tnh b loi tr s kh nng kha
256 kh nng

c = DES (k , m) c = DES ( k , m )
V d

1011 = 0100

Kha yu M thm

c = DES(k, m) v m = DES(k, c) c = DES(k1,m) v c = DES(k2,m) Vi sai Tuyn tnh Davies

3DES
M ha
c = E(k3,(D(k2,E(k1,m)))

Gii m
m = D(k1,(E(k2,D(k3,c)))

La chn kha
k1,k2,k3 c lp k1,k2 c lp v k3 = k1 k1=k2=k3

Advanced Encryption Standard (AES)


1997, NIST ku gi xy dng mt h mt m mi thay th DES H Rijndael ca Daemen v Rijmen c la chn 2001, h Rijndael c chun ha thnh AES Da trn l thuyt Trng Galois Khi 128 bit Kha 128, 192, 256 bit n vng lp m ha, ph thuc vo chiu di kha
Kha 128 bit, n = 10 Kha 192 bit, n = 12 Kha 256 bit, n = 14

Mi vng kt hp Hon v + n th

Mt m & ng dng
Trn c Khnh B mn HTTT Vin CNTT&TT H BKHN

Ch
H mt m c in H mt m kha b mt (i xng) H mt m kha cng khai (bt i xng) Hm bm, ch k s Qun l kha, giao thc mt m,

Ti sao H mt m kha cng khai


H mt m kha i xng khng p ng c 2 mc tiu an ton
Xc thc Alice v Bob trao i thng tin b mt Alice cn phi bit thng tin chc chn n t Bob, v ngc li Chng ph nhn Alice v Bob trao i thng tin b mt Nu Alice gi thng tin no cho Bob th Alice khng th chi b thng tin l ca mnh

Ti sao H mt m kha cng khai


Qun l kha i xng l mt vn nan gii
Trong cc h kha i xng, mi cp ngi dng phi c kha ring N ngi dng cn N * (N-1)/2 kha Vic qun l kha tr nn phc tp khi s lng ngi dng tng

H mt m kha cng khai


Mi ngi dng c 1 kha ring v 1 kha cng khai
Kha ring b mt Kha cng khai c th chia x

Qun l kha
N ngi dng cn N kha cng khai c xc thc H tng kha cng khai PKI

H mt m kha cng khai


M ha dng kha cng khai k
C = E(k,M)

Gii m dng kha ring K


M = D(K,C)
Kha cng khai Kha ring

M ha Tin

Gii m

Tin ban u

H mt m kha cng khai


M ha dng kha ring K
C = E(K,M)

Gii m dng kha cng khai k


M = D(k,C)
Kha ring Kha cng khai

M ha Tin

Gii m

Tin ban u

Kha b mt vs. Kha cng khai


Kha b mt S kha Bo v kha ng dng Tc 1 Kha c gi b mt B mt v ton vn d liu Nhanh Kha cng khai 2 1 kha b mt 1 kha cng khai Trao i kha Xc thc Chm

H mt m kha cng khai


L thuyt nn tng
phc tp S hc ng d (Modular Arithmetic)

Cc h Mt m kha cng khai


RSA MerkleHellman ElGamal Rabin ng cong lip (Elliptic Curve)

phc tp
phc tp tnh ton (thi gian) Gii quyt cc vn P
Vn d: lp P Vn kh: lp NP

Gii quyt cc vn NP

S trng hp phi xt n l mt hm a thc S trng hp phi xt n l hm ly tha

Cc h mt m kha cng khai da trn kh/phc tp ca gii thut b kha

S hc ng d
S hc ng d
a mod n a op b mod n op = +, -, *, /, ^

V d:
40 mod 6 = 4 5 + 2 mod 6 = 1 9 4 mod 3 = 2 5 * 3 mod 6 = 3 4/2 mod 3 = 2 2^4 mod 6 = 4

S hc ng d
a mod n S d ca a chia n a + b mod n S d ca a + b chia n a - b mod n S d ca a - b chia n a * b mod n S d ca a * b chia n a ^ b mod n Th tc bnh phng a / b mod n Gii thut Euclide m rng

Th tc bnh phng
Da vo tnh cht
a*b mod n = ((a mod n)*(b mod n)) mod n

Tnh a^25
a^25 = a^(11001) a^(11001) = a^(10000+1000+1) a^(10000+1000+1) = a^10000 * a^1000 * a^1 a^10000 * a^1000 * a^1 = a^16 * a^8 * a^1

phc tp (O(logb*(logs)^2)) Hiu qu hn phng php tnh ly tha bng php nhn ng d (O(b*(logs)^2))

Th tc bnh phng
ModExp1(a,b, s) Vo: 3 s nguyn dng a,b,s sao cho a < s bn1 b1b0 l biu din nh phn ca b, n = [logb] Ra: a^b mod s p[0] = a mod s for i = 1 to n1 p[i] = p[i1]^2 mod s r=1 for i = 0 to n1 if b[i] = 1 then r = r*p[i] mod s return r

Bi tp
Tnh 6^73 mod 100
73 = 2^0 + 2^3 + 2^6 6^73 = 6 * 6^(2^3)*6^(2^6) 6 = 6 mod 100 6^(2^3) = 16 mod 100 6^(2^6) = -4 mod 100 6^73 = 6 * (16) * (-4) = 16 mod 100

Gii thut Euclide m rng


Gii thut Euclide
Tnh SCLN(a,b) Da trn tnh cht
Nu a > b th SCLN(a,b) = SCLN(a mod b,b)

Gii thut Euclide m rng


Tnh 2 s x, y sao cho
a*x + b*y = SCLN(a,b)

Gii quyt bi ton tm x sao cho


a*x = 1 mod s

Gii thut Euclide m rng


Extended-Euclid(a,b) Vo: 2 s nguyn dng a,b Ra: 3 s nguyn x,y,d sao cho d = SCLN(a,b) v ax+by = d 1. 2. 3. 4. Nu b = 0 th tr v (1,0,a) Tm q, r sao cho a = b*q+r (x,y,d) = Extended-Euclid(b, r) Tr v (y,xq*y,d)

Bi tp
Dng gii thut Euclide m rng tm SCLN(120,23)
a 120 23 5 3 2 1 b 23 5 3 2 1 0 q 5 4 1 1 2 _ r 5 3 2 1 0 _ x -9 2 -1 1 0 1 y 47 -9 2 -1 1 0 d 1 1 1 1 1 1

Bi tp
Dng gii thut Euclide m rng tm tm x sao cho 51*x mod 100 = 1
Nu a*x mod n = 1 th tn ti k trong a*x = 1 + n*k Ta c a*x n*k = 1 t y = -k, ta c a*x + b*y = 1 Tm x,y bng gii thut Euclide m rng x = -49, y = 25

H Mt m kha cng khai RSA


RSA
1978 Rivest, Shamir v Adlerman pht minh ra h mt m RSA H mt m kha cng khai ph bin v a nng nht trong thc t S dng cc kt qu trong s hc ng d Da trn phc tp ca bi ton
phn tch s nguyn ra tha s nguyn t

RSA To kha
Chn ngu nhin 2 s nguyn t p, q n=p*q Chn e sao cho 1 < e < (p-1) * (q-1) SCLN(e, (p-1) * (q-1)) = 1 Chn d sao cho 1 < d < (p-1) * (q-1) e*d = 1 mod (p-1) * (q-1) Kha cng khai (n,e) Kha ring (p,q,d)

RSA To kha
V d
p = 11, q = 23 n = 11*23 = 253 (p-1)*(q-1) = 10*22=220 SCLN(e,220) = 1
gi tr nh nht e = 3

p dng gii thut Euclide m rng


d = 147

RSA M ha
M ha s dng kha cng khai
Tin m Kha cng khai (n,e) M
c = m^e mod n

RSA M ha
V d
p = 11, q = 23 n = 11*23 = 253 (p-1)*(q-1) = 10*22=220 e=3 d = 147 Tin m = 165 M
c = 165^3 mod 253 = 110

RSA Gii m
Tin m Kha cng khai (n,e) Kha ring (p,q,d) M c = m^e mod n Gii m
m = c^d mod n

RSA Gii m
V d
p = 11, q = 23 n = 11*23 = 253 (p-1)*(q-1) = 10*22=220 e=3 d = 147 M c = 165^3 mod 253 = 110 Tin m = 110^147 mod 253 = 165

RSA nh l RSA
Nu (n,e) l kha cng khai (p,q,d) l kha ring 0 <= m < n th (m^e)^d mod n = m

RSA nh l Euler & Fermat


Nu ef(n) l s s nguyn dng nh hn n v nguyn t cng nhau vi n x v n l hai s nguyn t cng nhau th x^ef(n) = 1 mod n

RSA- an ton
RSA v bi ton phn tch tha s nguyn t
Kha cng khai (n,e) Kha ring (p,q,d) c gi b mt an ton ca RSA da trn kh/phc tp ca bi ton tnh (p,q,d) t (n,e) p,q l 2 s nguyn t,

n = p*q e,d c tnh t p,q Do bi ton trn qui v bi ton PTTSNT(n)

RSA- an ton
La chn p,q
m bo rng bi ton PTTSNT(n) thc s kh Trnh tnh trng p,q ri vo nhng trng hp c bit m bi ton trn tr nn d dng
V d: p-1 c cc tha s nguyn t nh

p,q phi c di ti thiu l 512 bt p,q xp x nhau

RSA- an ton
La chn e
e nh nht c th e khng nh qu trnh b tn cng theo dng low exponent

La chn d
d khng nh qu (d < n/4) trnh tn cng dng low decryption

RSA Hiu nng


Nhn, chia, s d php chia Tnh ly tha modulo
m^e mod n c^d mod n

Tc rt chm so vi DES

RSA Bi tp
Cho p = 7, q = 11. Gi s Alice dng kha cng khai (n,e) = (77,17). Tm kha ring. Bit rng cc k t t A n Z c biu din bng cc s nguyn t 00 n 25. Du cch c biu din bng s 26. Bob mun gi cho Alice Tin HELLO WORLD s dng h mt m RSA. Tnh M tng ng.

RSA Bi tp
p n
(p,q,d) = (7,11,53) Tin
H E L L O W O R L D 07 04 11 11 14 26 22 14 17 11 03

M
28 16 44 44 42 38 22 42 19 44 75

Cc Mt m kha cng khai khc


MerkleHellman ElGamal Rabin ng cong lip (Elliptic Curve)

Bi tp
Chng minh nh l Euler & Fermat Chng minh nh l RSA

Mt m & ng dng
Trn c Khnh B mn HTTT Vin CNTT&TT H BKHN

Ch
H mt m c in H mt m kha b mt (i xng) H mt m kha cng khai (bt i xng) Hm bm, ch k s Qun l kha, giao thc mt m,

Nhu cu ton vn thng tin


Cc ng dng ch trng mc tiu Ton vn
Ti liu c s dng ging ht ti liu lu tr Cc thng ip trao i trong mt h thng an ton khng b thay i/sa cha

Nim phong ti liu/thng ip


Nim phong khng b sa i/ph hy ng ngha vi ti liu/thng ip ton vn Nim phong: bm (hash), tm lc (message digest), c s kim tra (checksum) To ra nim phong: hm bm

Hm bm
Mc tiu an ton
Ton vn (Integrity)

Hm bm c kha
u vo l mt chui c chiu di bin thin, v u ra c chiu di c nh
Tin:

h: *K n

Ct (Digest): Kha: K

h l hm mt chiu (one way function)


h c tnh phi ng lng (weak collision resistence)


cho x, rt kh tm y /= x sao cho h(x,k) = h(y,k) rt kh tm c x /= y sao cho h(x,k) = h(y,k)

bit y, rt kh tm x sao cho h(x,k)=y nhng rt kh tnh

h c tnh phi ng cht (strong collision resistence)

Hm bm khng kha
u vo l mt chui c chiu di bin thin, v u ra c chiu di c nh

h : * n

Tin:

Ct (Digest):

h l hm mt chiu (one way function)


h c tnh phi ng lng (weak collision resistence)


cho x, rt kh tm y /= x sao cho h(x) = h(y) rt kh tm c x /= y sao cho h(x) = h(y)

bit y, rt kh tm x sao cho h(x)=y nhng rt kh tnh

h c tnh phi ng cht (strong collision resistence)

K thut to hm bm
Dng cc hm m ha
CBC RMDP DM

Dng cc php ton s hc ng d


QCMDC DP

Dng cc hm thit k c bit


MD4/5 SHA/SHS

K thut to hm bm
Dng cc hm m ha
CBC RMDP DM

Dng cc php ton s hc ng d


QCMDC DP

Dng cc hm thit k c bit


MD4/5 SHA/SHS

CBC - Chaining Block Cipher


Mt m i xng
Hm m ha E Kha K

Hm bm
M = M1M2Mn Hi = E(K,Mi xor Hi-1) H = Hn

RMDP Rabin, Matyas, Davise, Price


Mt m i xng
Hm m ha E Kha l cc khi ca tin

Hm bm
M = M1M2..Mn H0 = r (r ngu nhin) Hi = E(Mi,Hi-1) H= Hn

DM Davies, Meyer
Mt m i xng
Hm m ha E Kha l cc khi ca tin

Hm bm
M = M1M2..Mn H0 = r (r ngu nhin) Hi = E(Mi,Hi-1) xor Hi-1 H = Hn

K thut to hm bm
Dng cc hm m ha
CBC RMDP DM

Dng cc php ton s hc ng d


QCMDC DP

Dng cc hm thit k c bit


MD4/5 SHA/SHS

QCMDC Quadratic Congruential Manipulation Dectection Code


M = M1M2Mn
Mi khi n bit

N l s nguyn t sao cho


N >= 2^(n-1)

Hm bm
H0 = r (r ngu nhin) Hi = (Hi-1+Mi)^2 mod N H = Hn

DP Davies, Price
M = M1M2Mn N l s nguyn t sao cho
N >= 2^r

Hm bm
H0 = 0 Hi = (Hi-1 xor Mi)^2 mod N H = Hn

K thut to hm bm
Dng cc hm m ha
CBC RMDP DM

Dng cc php ton s hc ng d


QCMDC DP

Dng cc hm thit k c bit


SHA/SHS MD4/5

SHA-1
SHA = Secure Hash Algorithm c xut v bo tr bi NIST Dng trong h DSS (Digital Signature Standard) ca NIST c s dng rng ri
SSL, PGP, SSH, S/MIME, IPSec

SHA-1
u vo bi s ca 512 bit Gi tr bm 160 bit 80 vng lp tnh ton

Vng lp SHA-1

Vng lp SHA-1
A,B,C,D,E khi 32 bit Kt hng s ca vng lp t Wt c tnh t cc khi ca Tin <<< dch chuyn cc bit sang tri cng modulo 32 F l hm kt hp cc php ton logic
not, and, or, xor

MD5
MD = Message Digest MD5 c xut bi Rivest vo nm 1991 c s dng rng ri
Truyn tp tin Lu tr mt khu

MD5
u vo 512 bit Gi tr bm 128 bit 64 vng lp tnh ton

Vng lp MD5

Vng lp MD5
A,B,C,D khi 32 bit Ki hng s ca vng lp i Mi khi 32 bit ca Tin <<< dch chuyn cc bit cng modulo 32 F l hm kt hp cc php ton logic
not, and, or, xor

Tn cng Hm bm
e da/mi nguy
Nghch l sinh nht Trong mt nhm 23 ngi, xc sut c hai ngi c cng mt sinh nht l khng nh hn 1/2 Tn cng dng sinh nht Tnh N gi tr bm trong thi gian v khng gian cho php Lu tr cc gi tr bm tm ra ng Xc sut ng
Nu N > 2^(n/2) gi tr bm, th xc sut ng l > 1/2, trong n l di ca chui gi tr bm

Ch k s
1976, Diffie & Hellman ln u tin cp n khi nim Ch k s 1989, phin bn thng mi Ch k s u tin trong Lotus Notes, da trn RSA ng dng
Hp ng s Bu c in t Giao dch ngn hng

Ch k s
Mc tiu an ton
Xc thc (Authentication) Chng ph nhn (Non-repudiation)

H ch k s
Thut ton to ch k
K hiu S u vo l mt thng tin m Ch k S(m)

Thut ton kim nh ch k


K hiu V u vo l thng tin m v ch k km theo s V(m,s) = true khi v ch khi s = S(m)

K thut to Ch k s
Mt m kha cng khai Mt m kha cng khai + Hm bm
RSA + Hm bm ElGamal + Hm bm DSA

Ch k s dng Mt m kha cng khai


RSA
Chn ngu nhin 2 s nguyn t p, q n=p*q Chn e sao cho 1 < e < (p-1) * (q-1) SCLN(e, (p-1) * (q-1)) = 1 Chn d sao cho 1 < d < (p-1) * (q-1) e*d = 1 mod (p-1) * (q-1) Kha cng khai: (n,e) Kha ring: (p,q,d) M ha: c = m^e mod n Gi m: m = c^d mod n

Ch k s dng RSA
Tin m Kha cng khai (n,e) Kha ring (p,q,d) To ch k
s = m^d mod n

Kim nh ch k
m =? s^e mod n

Ch k s dng RSA
e da/mi nguy
Tn cng dng tro kha Tn cng dng chn tin, da trn c im nhn tnh ca RSA Nu m1^d mod n l ch k ca m1, m2^d mod n l ch k ca m2, th (m1*m2)^d mod n l ch k ca m1*m2 Tn cng dng khng Tin Ly kha cng khai k ca Alice To tin m v ch k s ca m sao cho m v s c cng nhn bi thut ton kim nh s dng k

Ch k s dng Mt m kha cng khai + Hm bm


Tng cng an ton bng kt hp
H mt m kha cng khai Hm bm

Thut ton to ch k
Hm m ha s dng kha ring Hm bm

Thut ton kim nh ch k


Hm gii m s dng kha cng khai Hm bm

Chun Ch k s - DSS
To ch k
Tin Hm bm Tm lc Kha cng khai Kha ring Sinh ch k Ch k Hp l/ Khng hp l Kim nh ch k

Kim nh ch k
Tin Hm bm Tm lc

Ch k s RSA + Hm bm
Cc thng s
Hm bm h 2 s nguyn t p,q

Ch k s RSA + Hm bm
To kha
n = p*q Chn e sao cho 1 < e < (p-1) * (q-1) SCLN(e, (p-1) * (q-1)) = 1 Chn d sao cho 1 < d < (p-1) * (q-1) e*d = 1 mod (p-1) * (q-1) Kha cng khai (n,e) Kha ring (p,q,d)

Ch k s RSA + Hm bm
To ch k
Tin m Ch k s = h(m)^d mod n

Ch k s RSA + Hm bm
Kim nh ch k
Ch k s Tin m Kim nh h(m) ?= s^e mod n

Ch k s ElGamal + Hm bm
Cc thng s
Hm bm h S nguyn t p S nguyn g sao cho
g^c = b mod p trong b,p nguyn t cng nhau

Ch k s ElGamal + Hm bm
To kha
Chn a sao cho 0 < a < p-1
A = g^a mod p a c gi l logarit ri rc ca A

Kha cng khai


(p,g,A)

Kha ring
a

Ch k s ElGamal + Hm bm
To ch k
Tin m Chn k sao cho
0 < k < p-1 k nguyn t cng nhau vi p-1

Ch k
r = g^k mod p s = k^(-1) * (h(m) a*r) mod (p-1)

Ch k s ElGamal + Hm bm
Kim nh ch k
Ch k (r,s) Tin m Kim nh
0<r<p 0 < s < p-1 A^r*r^s ?= g^h(m) mod p

Ch k s DSA
Cc thng s
Hm bm h S nguyn t q S nguyn p sao cho
p-1 la bi s ca q

S nguyn g sao cho


g = x^((p-1)/q) mod p trong x < p

Ch k s DSA
To kha
Chn a < q
A = g^a mod p

Kha cng khai


(p,q,g,A)

Kha ring
a

Ch k s DSA
To ch k
Tin m Chn k sao cho 0 < k < q Ch k
r = (g^k mod p) mod q s = k^(-1) * (h(m) + a*r) mod q

Ch k s DSA
Kim nh ch k
Ch k (r,s) Tin m Kim nh
0<r<q 0<s<q r = ((g^(s^(-1)*h(m) mod q) A^(r*s^(-1) mod q)) mod p) mod q

Mt m & ng dng
Trn c Khnh B mn HTTT Vin CNTT&TT H BKHN

Ch
H Mt m khng Kha H Mt m kha b mt (i xng) H Mt m kha cng khai (bt i xng) Hm bm, ch k s Qun l kha, giao thc mt m,

Qun l kha, giao thc mt m,


Qun l kha
Kha i xng TTP Kha cng khai PKI

Giao thc mt m Thng nht kha


Diffie-Hellman

Xc thc
Needham-Schroeder

Qun l kha, giao thc mt m,


Qun l kha
Kha i xng TTP Kha cng khai PKI

Giao thc mt m Thng nht kha


Diffie-Hellman

Xc thc
Needham-Schroeder

Qun l kha
Qun l kha l mt vn quan trng
Tnh b mt: kha i xng Tnh ton vn: kha i xng, kha cng khai

Gii php qun l kha


Kha i xng Trng ti (Trusted Third Party) Kha cng khai PKI (Public Key Infrastructure)

Qun l kha i xng


M hnh c bn trao i thng tin kha i xng
A2 A3

A1

A4

A6

A5

M hnh c bn trao i thng tin kha i xng


u im
D dng thm bt cc thc th

Nhc im
Mi thc th phi lu tr nhiu kha di hn trao i vi cc thc th khc Thng nht, chia x kha kh khn i hi cc thc th phi tin tng nhau

Qun l kha i xng nh trng ti


Trng ti (Trusted Third Party)
Thc th c tt c cc thc th tham gia khc tin tng Mi thc th tham gia chia x mt kha i xng vi Trng ti Hai thc th trao i thng tin bng kha i xng c Trng ti to ra

Qun l kha i xng nh Trng ti

A2 E(k2,k) A1 E(k,m) k

A3

TTP
Ngun kha

A4

E(k6,k) A6 A5

Qun l kha i xng nh Trng ti


u im
D dng thm bt cc thc th Mi thc th ch cn lu tr mt kha i di hn

Nhc im

Tt cc cc cuc trao i thng tin u cn tng tc ban u vi Trng ti Trng ti phi lu tr nhiu kha i xng di hn Trng ti phi x l khi lng ln thng tin Nu Trng ti b e da, tt c cc trao i thng tin u b e da

Qun l kha cng khai


M hnh c bn trao i thng tin kha cng khai
c = E(e6,m) A2: d2 A3: d3

Th mc cng cng
A1: d1 e6 c A1: e1 A2 : e2 A3 : e3 A4 : e4 A5 : e5 A6 : e6 A5:d5 A4: d4

m = D(d6,c) A6: d6

M hnh c bn trao i thng tin kha cng khai


u im
Khng cn TTP Th mc cng cng c th c lu tr cc b cng cc thc th S kha lu tr bng s thc th tham gia

Nhc im
Tn cng ch ng

M hnh c bn trao i thng tin kha cng khai


Tn cng ch ng
A2: d2 c = E(e*,m) K tn cng: d* e* A3: d3

Th mc cng cng
A1: e1 A2 : e2 A3 : e3 A4 : e4 A5 : e5 A6 : e6 e* A5:d5 A4: d4

c = E(e6,m) m = D(d6,c) A6: d6

Qun l kha cng khai nh PKI


H tng kha cng khai (PKI)
L mt h tng an ton trong cc dch v c xy dng v cung cp da trn cc khi nim v k thut kha cng khai Mc tiu ca PKI ni kha cng khai vi thc th thng qua mt thc th c tin cy c thm quyn cp pht chng nhn s
Certificate Authority

Cc hp phn ca PKI
Pht hnh chng nhn (Certificate Issuance) Mt hay nhiu thc th tin cy c quyn pht hnh chng nhn Cc thc th ny gi l Certificate Authorities Thu hi chng nhn (Certificate Revocation) Thu hi chng nhn ht hn s dng Sao lu/Phc hi/Cp nht kha (Key Backup/Recovery/Update) Sao lu kha ring Phc hi trong trng hp b mt Cp nht kha m bo an ton Tem thi gian (Time Stamping) Thi gian cp pht chng nht

Qun l kha cng khai nh PKI


M hnh trao i thng tin
V(A6||e6,s6) c = E(e6,m) A2: d2 A3: d3

Certificate Authority
Cp chng nhn

A1: d1 c

A6||e6,s6 A1, A2, A3, A4, A5, A6,

e1, e2, e3, e4, e5, e6,

s1 s2 s3 s4 s5 s6

= = = = = =

S(A1||e1) S(A2||e2) S(A3||e3) S(A4||e4) S(A5||e5) S(A6||e6)

A4: d4

m = D(d6,c) A6: d6

A5:d5

Qun l kha cng khai nh PKI


u im
Chng tn cng ch ng CA ch cp chng nhn, khng tham gia vo vic trao i thng tin gia cc bn C th gim thiu tng tc vi CA bng cch lu cc chng nhn cc b

Nhc im
Nu thut ton sinh ch k ca CA b e da, tt c cc trao i thng tin u b e da tin cy hon ton da trn CA

Qun l kha, giao thc mt m,


Qun l kha
Kha i xng TTP Kha cng khai PKI

Giao thc mt m Thng nht kha


Diffie-Hellman

Xc thc
Needham-Schroeder

Giao thc
Giao thc
Mt chui cc bc thc hin Cc bc thc hin phi tng minh Tt c cc tnh hung phi c d tnh v c cc bc thc hin trc C t nht 2 bn tham d Cc bn tham d phi hiu bit v tun th cc bc thc hin

Giao thc mt m
Giao thc truyn thng = Giao thc trong cc bc thc hin l trao i thng tin Giao thc mt m = Giao thc truyn thng + Mt m hc Thng thng mt giao thc mt m kt hp cc kha cnh sau
Thng nht kha Xc thc M ha Chng ph nhn

M t giao thc mt m
Cc thc th tham gia giao thc Cc bc thc hin ca giao thc
1. Bc 1 2. Bc 2 3.

Mt bc thc hin
Alice gi cho Bob thng tin M
Aice -> Bob: M

Giao thc mt m SSL/TLS


SSL/TLS
Giao thc mt m trao i thng tin trn Internet SSL c pht trin bi Netscape TLS k tha t SSL phin bn 3.0 ng dng
Duyt Web, Email, IM, VoIP, Thng mi in t: Visa, MasterCard, American Express,

Khi to phin SSL/TLS


Cc pha khi to SSL/TSL
1. Bt tay 2. Thng lng la chn gii thut
Thng nht kha: RSA, Diffie-Hellman, M ha kha i xng: 3DES, AES, Ch k s: RSA, DSA, Hm bm: SHA, MD5,

3. Xc thc 4. Thng nht kha

Khi to phin SSL/TLS


1. 2. 3. 4. 5. 6. 7. 8. Client cho Server C -> S: Hi, Im Client Server cho Client S -> C: Hi, Im Server Server xc thc vi Client S -> C: PK, sig(PK) Client kim nh ch k sig(PK) Client to ra mt s ngu nhin b mt MS Client gi Server MS m ha C - > S: y=E(PK,MS) Server gii m y MS = D(K,y) Client v Server to 2 kha b mt K1, K2 = h(MS)

Qun l kha, chia x b mt


Qun l kha
Kha i xng TTP Kha cng khai PKI

Giao thc mt m Thng nht kha


Diffie-Hellman

Xc thc
Needham-Schroeder

Thng nht kha


Trao i thng tin b mt vi tc nhanh
Mt m kha i xng

Thit lp v trao i kha


Cc thc th tham gia phi thng nht kha i xng Qu trnh thng nht kha phi m bo
Tnh b mt Tnh ton vn

Giao thc Diffie-Hellman


1976, Diffie v Hellman pht minh giao thc thng nht kha
Hnh thnh v trao i kha chung b mt trn mt knh truyn tin khng an ton

S dng cc kt qu trong l thuyt nhm s nguyn nhn tnh ng d Da trn phc tp ca bi ton
Logarit ri rc

Diffie-Hellman
1. Alice (A) chn v gi cho Bob (B) s nguyn t p v mt phn t nguyn thy g thuc nhm nhn tnh mod p
A -> B: p,g

2. 3. 4. 5. 6.

Alice chn mt s t nhin ngu nhin a v gi g^a mod p cho Bob Bob chn mt s t nhin ngu nhin b v gi g^b mod p cho Alice Alice tnh (g^b mod p)^a mod p Bob tnh (g^a mod p)^b mod p Kha chung b mt g^(a*b) mod p
B -> A: g^b mod p A -> B: g^a mod p

Diffie-Hellman
V d: p = 23, g = 5, a = 6, b = 15 1. Alice gi Bob p=23, g=5
2. Alice chn a=6, v gi Bob g^a mod p = 5^6 mod 23 = 8 3. Bob chn b=15, v gi Alice g^b mod p = 5^15 mod 23 = 19 4. Alice tnh 5. Bob tnh
B -> A: 19 19^6 mod 23 = 2 8^15 mod 23 = 2 A -> B: 8 A -> B: 23,5

6. Kha K = 2

an ton ca Diffie-Hellman
Kha b mt
Bi ton Diffie-Hellman Bit g, g^a, g^b. Tm g^(a*b)? Bi ton Logarit ri rc Bit g^a. Tm a?

Tnh xc thc
Tn cng dng Man-in-the-middle Alice v Bob mun thng nht kha b mt Eve l k gia Alice v Eve thng nht g^(a*e) Bob v Eve thng nht g^(b*e)

Qun l kha, giao thc mt m,


Qun l kha
Kha i xng TTP Kha cng khai PKI

Giao thc mt m Thng nht kha


Diffie-Hellman

Xc thc
Needham-Schroeder

Xc thc
Rt nhiu ng dng i hi cc thc th tham gia phi chng minh danh tnh
M hnh Client-Server an ton

Qu trnh cc nhn danh tnh ca cc thc th phi m bo


Tnh ton vn
Chng mo danh

Giao thc Needham-Schroeder


1978, Needham v Schroeder pht minh giao thc xc thc trn mng my tnh khng an ton
Chng minh nhn dng ca cc thc th trao i thng tin Ngn chn nghe ln, thay i thng tin

ng dng
Xc thc trong m hnh Client-Server: Kerberos

2 loi giao thc


Kha i xng Kha cng khai

Needham-Schroeder kha i xng


Alice (A) mun trao i thng tin vi Bob (B) Alice v Bob cng tin tng mt Server (S) trung gian
Kas kha i xng gia A va S Kbs kha i xng gia B va S Na v Nb l cc nonce Kab l kha i xng gia A v B

Needham-Schroeder kha i xng


1. 2. 3. 4. 5. A gi thng tin ca mnh v B cho S A -> S: A,B,Na S gi kha Kab cho A, thng tin c m ha S -> A: {Na,Kab,B,{Kab,A}_Kbs}_Kas A gi kha Kab cho Bob, thng tin c m ha A -> B: {Kab,A}_Kbs B tr li A nhn c kha Kab, thng tin c m ha B -> A: {Nb}_Kab A bo B rng A sn sng v ang gi kha Kab, thng tin c m ha A -> B: {Nb-1}_Kab

Tn cng Needham-Schroeder kha i xng


Tn cng Replay
Charlie ly c {Kab,A}_Kbs v s dng Kab mt phin trao i thng tin khc vi Bob m Bob khng pht hin c

Ngn chn tn cng Replay


Gii php dng trong Kerberos
Tem thi gian (Timestamp) Nonce

Needham-Schroeder kha cng khai


Alice (A) mun trao i thng tin vi Bob (B) Alice v Bob cng tin tng mt Server (S) trung gian
Ka v ka kha ring v cng khai ca A Kb v kb kha ring v cng khai ca B Ks v ks kha ring v cng khai ca S Na v Nb l cc nonce

Needham-Schroeder kha cng khai


1. 2. 3. 4. 5. 6. 7. A S A B S B A yu cu S kha cng khai ca B A -> S: A,B gi kha cng khai ca B cho A S -> A: {kb,B}_Ks gi nonce ca mnh cho B A -> B: {Na,A}_kb yu cu S kha cng khai ca A B -> S: B,A gi kha cng khai ca A cho B S -> B: {ka,A}_Ks gi nonce ca mnh v ca A cho A B -> A: {Na,Nb}_ka khng nh nhn c nonce ca B A ->B: {Nb}_kb

Tn cng Needham-Schroeder kha cng khai

Tn cng Man-in-the-middle
1. 2. 3. 4. 5. A -> I: {Na,A}_ki I -> B: {Na,A}_kb B -> I: {Na,Nb}_ka I -> A: {Na,Nb}_ka A -> I: {Nb}_ki

6. I -> B: {Nb}_kb

middle
Thay

Ngn chn tn cng Man-in-the-

B -> A: {Na,Nb}_ka

Bi
B -> A: {Na,Nb,B}_ka

An ton Phn mm
Trn c Khnh B mn HTTT Vin CNTT&TT H BKHN

An ton Phn mm
Phn mm c tnh
Cc phn mm c tnh thng gp Cc bin php ngn chn

Li phn mm
Cc li phn mm thng gp Cc bin php an ton
Kim th (Testing) Kim nh hnh thc (Formal Verification) Lp trnh an ton (Secure Coding)

An ton Phn mm
Phn mm c tnh
Cc phn mm c tnh thng gp Cc bin php ngn chn

Li phn mm
Cc li phn mm thng gp Cc bin php an ton
Kim th (Testing) Kim nh hnh thc (Formal Verification) Lp trnh an ton (Secure Coding)

Phn mm c tnh
Chy theo ch nh ca ngi lp trnh ra n Chy v phn ng theo cch bt thng, khng trng i t pha ngi dng n nu trong h thng, hoc gn vo cc phn mm khng c tnh C th lm c mi th m mt phn mm c th lm

Cc phn mm c tnh thng gp


Vi rut (Virus)

Trojan horse

Gn vo mt chng trnh, pht tn bn sao ra khc chng trnh khc C cc tnh nng bt thng Pht ng khi iu kin c tha mn Pht ng khi n hn thi gian Cho php truy nhp tri php cc tnh nng Pht tn bn sao qua mng Nhn bn n khi khng cn ti nguyn

Bom logic (Logic bomb)

Bom thi gian (Time bomb) Trapdoor

Su (Worm)

Th (Rabbit)

Kch hot Virus


Virus ch gy hi khi c kch hot
Virus chy cng vi mt chng trnh khc chy bi ngi dng Virus chy khi m tp nh km trong emails, tp nh, tp ha

M virus ni vo m chng trnh

M virus bao quanh m chng trnh

M virus tch hp vo m chng trnh

Virus ti liu
Ti liu
Slide Spreadsheet

Lnh
Macro Bin Th tc Truy nhp tp, CSDL Gi h thng

Virus ot quyn kim sot

Ni n nu Virus
Vng Boot (Boot Sector) B nh (Memory-Resident) ng dng (Application Program) Th vin (Library)

Boot Sector Virus

Du hiu nhn bit Virus


M virus c kiu mu c bit
C th nhn bit cc on m ca tng loi virus Chng trnh nhim virus s ln hn chng trnh ban u V tr virus nh km khng thay i

Cch thc pht ng v hu qu

Nhn dng Code Red


/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNN %u9090%u6858%ucbd3%u7801%u9090%u6858%u cdb3%u7801%u9090%u6858 %ucbd3%u7801%u9090%u9090%u8190%u00c3%u 0003%ub00%u531b%u53ff %u0078%u0000%u00=a HTTP/1.0

Cch thc pht ng v hu qu


nh km tp

Xm nhp trong b nh Ly lan qua a


Thay i th mc, tp

Thay i bng tn hiu ngt Ti ln b nh khi c tn hiu ngt n tn hiu ngt, gi hm h thng Thay i tp h thng/tp thc thi Ly lan vo vng Boot, chng trnh h thng, chng trnh v d liu n gi h thng Thay i kt qu

Pht tn ly lan n nu

Cc bin php ngn chn


S dng phn mm thng mi t ngun tin cy Kim th phn mm trn mt my tnh/h thng tch bit M tp nh km ch khi no bit r ngun gc Lu ni an ton mt phin bn c th ti to ca h thng ang s dng S dng phn mm qut dit virus

Mt s ng nhn v virus
Virus ch ly nhim trn cc h thng MS Windows Virus khng th thay i cc file hidden hoc read-only Virus ch xut hin trong tp d liu, chng trnh Virus ch pht tn thng qua qua a, email Virus khng th tn ti trong b nh sau khi reboot power off/on Virus ly nhim trn phn cng

An ton Phn mm
Phn mm c tnh
Cc phn mm c tnh thng gp Cc bin php ngn chn

Li phn mm
Cc li phn mm thng gp Cc bin php an ton
Kim th (Testing) Kim nh hnh thc (Formal Verification) Lp trnh an ton (Secure Coding)

An ton Phn mm
Phn mm c tnh
Cc phn mm c tnh thng gp Cc bin php ngn chn

Li phn mm
Cc li phn mm thng gp Cc bin php an ton
Kim th (Testing) Kim nh hnh thc (Formal Verification) Lp trnh an ton (Secure Coding)

Li phn mm
Lp trnh vin thng mc li
khng c khng c tnh nhng i khi gy hu qu nghim trng

Cc li phn mm thng gp
Trn b m (Buffer Overflow)
Array Index Out of Bound

Khng y (Incomplete Mediation)


Implicit Cast, Integer Overflow

ng b (Synchronization)
File stat()/open()

Li trn b m
1. 2. 3. 4. 5. 6. int authenticated = 0; int (*fnptr)(); void vulnerable() { char buf[80]; gets(buf); }

iu g xy ra nu u vo c hn 80 byte
authenticated /= 0 int (*fnptr)() tr n m ca hm khc

Li khng y
1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. char buf[80]; void vulnerable() { int len = read_int_from_network(); char *p = read_string_from_network(); if (len > sizeof buf) { error("length too large, nice try!"); return; } memcpy(buf, p, len); } void *memcpy(void *dest, const void *src, size_t n); typedef unsigned int size_t; iu g s xy ra?
len l s m, copy mt on b nh khng l

Li ng b
1. int openfile(char *path) { 2. struct stat s; 3. if (stat(path, &s) < 0) 4. return -1; 5. if (!S_ISRREG(s.st_mode)) { 6. error("only allowed to regular files; nice try!"); 7. return -1; 8. } 9. return open(path, O_RDONLY); 10. } iu g s xy ra? trng thi h thng thay i gia stat() v open()

An ton Phn mm
Phn mm c tnh
Cc phn mm c tnh thng gp Cc bin php ngn chn

Li phn mm
Cc li phn mm thng gp Cc bin php an ton
Kim th (Testing) Kim nh hnh thc (Formal Verification) Lp trnh an ton (Secure Coding)

An ton Phn mm
Phn mm c tnh
Cc phn mm c tnh thng gp Cc bin php ngn chn

Li phn mm
Cc li phn mm thng gp Cc bin php an ton
Kim th (Testing) Kim nh hnh thc (Formal Verification) Lp trnh an ton (Secure Coding)

Kim th
Mc ch ca kim th l tm ra li ca h thng
Nu khng tm ra li, chng ta hi vng rng h thng l an ton

Quy trnh kim th


1. 2. 3. 4. 5. 6. n v (Unit Testing) Tch hp (Integration Testing) Chc nng (Function Testing) Hiu nng (Performance Testing) Cng nhn (Acceptance Testing) Ci t (Installation Testing)

Mt s loi hnh kim th c bit


Hi quy (Regression Testing)
Nu h thng c thay i, chnh sa

Xon (Fuzz Testing)


Cc trng hp c bit, d b khai thc v tn cng

Cc tip cn trong kim th


Hp en (Black-box)
Khng c thng tin v cu trc bn trong ca phn mm Dng cho tt c cc mc ca quy trnh kim th

Hp trng (White-box)
Bit cu trc bn trong ca phn mm Thng dng cho kim th n v

Hp xm (Grey-box)
Hn hp en: kim th Trng: thit k ca kim th

An ton Phn mm
Phn mm c tnh
Cc phn mm c tnh thng gp Cc bin php ngn chn

Li phn mm
Cc li phn mm thng gp Cc bin php an ton
Kim th (Testing) Kim nh hnh thc (Formal Verification) Lp trnh an ton (Secure Coding)

Kim nh hnh thc


Mc ch ca kim nh hnh thc l chng minh h thng an ton

Cc tip cn trong kim nh hnh thc


Kim nh m hnh (Model checking)
Phn mm c c t bng mt m hnh Qu trnh kim nh thc hin bng cch duyt tt c cc trng thi thng qua tt c cc chuyn tip

Suy din logic (Logical Inference)


u vo ca phn mm b rng buc bng mt biu thc logic Tng t vi u ra Bn thn phn mm cng b rng buc bng mt biu thc logic

Kim nh hnh thc s dng suy din logic

u vo

Chng trnh u ra

u vo + iu kin trc

Chng trnh + iu kin

u ra +iu kin sau

iu kin trc (Precondition)


1. /* Requires: n >= 1 */ 2. int fact(int n) { 3. int t; 4. if (n == 1) 5. return 1; 6. t = fact(n-1); 7. t *= n; 8. return t; 9. }

iu kin sau (Postcondition)


1. /* Ensures: returnvalue >= 0 */ 2. int fact(int n) { 3. int t; 4. if (n == 1) 5. return 1; 6. t = fact(n-1); 7. t *= n; 8. return t; 9. }

iu kin trong chng trnh


1. int fact(int n) { 2. int t; 3. if (n == 1) 4. return 1; 5. /* n>=2 */ 6. t = fact(n-1); 7. /* t>=0 */ 8. t *= n; 9. /* t>=0 */ 10. return t; 11. }

iu kin
1. /* Requires: n >= 1; Ensures: returnvalue >= 0 */ 2. int fact(int n) { 3. int t; 4. if (n == 1) 5. return 1; 6. /* n>=2 */ 7. t = fact(n-1); 8. /* t>=0 */ 9. t *= n; 10. /* t>=0 */ 11. return t; 12. }

An ton Phn mm
Phn mm c tnh
Cc phn mm c tnh thng gp Cc bin php ngn chn

Li phn mm
Cc li phn mm thng gp Cc bin php an ton
Kim th (Testing) Kim nh hnh thc (Formal Verification) Lp trnh an ton (Secure Coding)

Lp trnh an ton (Secure Coding)


Nguyn tc
M un (Modularity) ng gi (Encapsulation) Giu thng tin (Information Hiding)

M un
Thit k cc hp phn
Mt mc tiu/nhim v Nh n gin c lp

ng gi
Giu thng tin v cch thc ci t cc hp phn
V d: lp o C++, giao din Java

Gim thiu chia x gia cc hp phn


V d: cc th vin

Cc hp phn tng tc thng qua cc giao din


V d: tng tc gia cc i tng thng qua cc phng thc

Giu thng tin


Mt hp phn nh mt hp en nhn t pha ngoi
V d: mt lp C++, Java

Cc phn t bn ngoi khng th thay i sa cha thng tin mt cch c v tri php
V d: cc thuc tnh private, protected

Lp trnh an ton (Secure Coding)


Mt s quy tc thc hnh
S dng mt chun lp trnh Lp trnh phng th
Kim tra d liu u vo/u ra S dng c quyn thp nht c th

Thit k theo chnh sch an ton S dng cc cng c m bo cht lng


Kim th Kim nh Duyt li m

An ton H iu hnh
Trn c Khnh B mn HTTT Vin CNTT&TT H BKHN

H iu hnh
Vai tr
Giao din gia phn cng v phn mm Qun l ti nguyn Cung cp cc phng tin bo v phn cng v ng dng

An ton H iu hnh
Cc vn bo v trong H iu hnh
Bo v b nh v a ch Bo v tp Xc thc ngi dng

iu khin truy nhp


Cc m hnh KTN KTN trong Unix, Windows NT/2000

Nguyn tc thit k H iu hnh


Gim st thm quyn (Reference Monitor) Phn hoch (Separation)/Cch ly (Isolation) Thit k phn tng (Layered Design)

An ton H iu hnh
Cc vn bo v trong H iu hnh
Bo v b nh v a ch Bo v tp Xc thc ngi dng

iu khin truy nhp Nguyn tc thit k H iu hnh


Gim st thm quyn (Reference Monitor) Phn hoch (Separation)/Cch ly (Isolation) Thit k phn tng (Layered Design)

Bo v b nh v a ch
Lm th no ngn chn mt chng trnh/ngi dng can thip vo khng gian b nh ca chng trnh/ngi dng khc?
Phn on (Segmentation) Phn trang (Paging)

Phn on (Segmentation)
Phn chia chng trnh thnh cc on
Tng ng vi cc on d liu, cc chng trnh con Mi on c quyn khc nhau (R,W,E)

Phn chia b nh vt l thnh cc on


Tng ng vi, cc mng d liu ngi dng hoc cc on m chng trnh

Mi on c mt tn duy nht
<Name,Offset>

H iu hnh phi duy tr mt bng cc on

on logic v on vt l

Tnh a ch on

Phn trang (Paging)


Phn chia chng trnh thnh cc trang (page) cng kch thc Phn chia b nh vt l thnh cc khung trang (page frame) cng kch thc
512 n 4096 byte

Mi trang c mt tn duy nht


<Page,Offset>

H iu hnh phi duy tr mt bng cc trang

Tnh a ch trang

Kt hp Phn on v Phn trang


u im ca phn on
Bo v b nh bng cch phn quyn theo chng trnh/ngi dng H iu hnh kim sot vic quyn c/ghi/thc hin trn b nh

u im ca phn trang
Tc

Trong cc h iu hnh hin i


Kt hp Phn on+Phn trang

Kt hp Phn on v Phn trang

Bo v tp
Bo v nhm
Tt c ngi dng c phn thnh nhm Quyn s dng c mt ngi dng thit lp cho mnh v c nhm

Bo v c th
Mi ngi dng c mt s quyn
Quyn s dng lu di Quyn s dng tm thi

Bo v tp
H thng tp UNIX/LINUX
Mi tp c ch s hu v nhm s hu Quyn c thit lp bi ch s hu
R,W,E setid, owner, group, other

Ch c ch s hu v root mi c php thay i quyn

Xc thc ngi dng


H iu hnh qun l nhiu ngi dng
Ai l ai?

Gii php xc thc ngi dng


Mt khu Mt s c im sinh trc hc

Xc thc bng mt khu


H iu hnh lu tr mt tp ngi dng/mt khu
Tp thng thng Thng tin lu dng vn bn an ton thp Tp m ha M ha c tp hoc ch m ha mt khu an ton ph thuc vo h mt m

tng cng an ton


Mt khu di, trnh cha cc thng tin c bit Thay i mt khu u n phng tn cng dng ng nhp gi

Thng k la chn mt khu

Xc thc bng sinh trc hc


Cc c im sinh trc hc
Vn tay, mt, khun mt, ch vit

Xc thc bng sinh trc hc tng i mi


Pht trin nhanh trong nhng nm

Mt s nhc im
Gi thnh Tc / chnh xc Gi mo

An ton H iu hnh
Cc vn bo v trong H iu hnh
Bo v b nh v a ch Bo v tp Xc thc ngi dng

iu khin truy nhp


Cc m hnh KTN KTN trong Unix, Windows NT/2000

Nguyn tc thit k H iu hnh


Gim st thm quyn (Reference Monitor) Phn hoch (Separation)/Cch ly (Isolation) Thit k phn tng (Layered Design)

iu khin truy nhp


Rt nhiu i tng c truy nhp
B nh Phn cng Tp Thng tin h thng: bng, c ch bo v, lnh c quyn

Vn an ton t ra
Ai c truy nhp g vi c quyn no?

C ch iu khin truy nhp


Truy nhp th mc
Mi i tng cn bo v ging nh mt tp Mi ngi dng c mt s quyn nht nh trn mt s tp

Danh sch iu khin truy nhp


Danh sch cc i tng truy nhp Mi i tng c mt danh sch cc ch th

Ma trn iu khin truy nhp


Mt chiu l danh sch cc ch th Mt chiu l danh sch cc i tng truy nhp tng ng vi cc ch th

Truy nhp th mc Directory Access

ng dn truy nhp th mc

Danh sch iu khin truy nhp Access Control List

Ma trn iu khin truy nhp Access Control Matrix


BIBLIOG TEMP F HELP.TXT C_COM P X LINKER SYS_CL OCK R PRINTE R W USER A ORW ORW ORW R X

USER B

USER S

RW

USER T

SYS_M GR USER_S VCS

RW

OX

OX

ORW

KTN trong UNIX/LINUX


Dng ACL i vi cc tp, thuc tnh rwx cho Ch s hu Nhm Tt c V d drwxrwxrwx Alice Accounts -rw-r------ Bob Accounts Cc chng trnh chy trong lc h thng khi ng c c quyn qun tr (root) Cc chng trnh khc chy vi quyn ngi dng (user)

KTN trong UNIX/LINUX


Lm th no duy tr b 3 (ngi dng, chng trnh, tp)
UNIX/LINUX dng suid v sgid

Vn an ton
suid root

Vn theo di thc thi chng trnh


Thu hi c quyn

Vn qun l tin trnh


Tin trnh c mt group id

KTN trong WINDOWS NT/2000


Qun l (nhm) ngi dng s dng Active Directory Xc thc s dng Kerberos Cc thuc tnh ca tp mn hn UNIX/LINUX
read, write, execute, accessdenied, accessallowed, systemaudit,

Vn qun tr c ton quyn


Dng Registry, mt hnh thc ca ACL

An ton H iu hnh
Cc vn bo v trong H iu hnh
Bo v b nh v a ch Bo v tp Xc thc ngi dng

iu khin truy nhp


Cc m hnh KTN KTN trong Unix, Windows NT/2000

Nguyn tc thit k H iu hnh


Gim st thm quyn (Reference Monitor) Phn hoch (Separation)/Cch ly (Isolation) Thit k phn tng (Layered Design)

Gim st thm quyn


Phn quan trng nht ca h iu hnh L mt tp cc iu khin truy nhp cc i tng
B nh, thit b, tp, thng tin cc tin trnh,

c im
Khng bao gi b suy yu, t lit Lun c gi n khi mt i tng c yu cu s dng Nh gn, c th d dng phn tch v kim th v m bo tnh y

Gim st thm quyn

Phn hoch/Cch ly
Phn hoch vt l Cc tin trnh khc nhau s dng cc thit b khc nhau Phn hoch thi gian Cc tin trnh vi yu cu khc nhau thc hin ti cc thi gian khc nhau Phn hoch logic (Cch ly) Ngi dng/tin trnh thc hin nhim v ca mnh trong khng gian ca mnh Phn hoch mt m Ngi dng/tin trnh giu thng tinh ca mnh

Thit k phn tng


1. Li an ton (Security Kernel) 2. Li h iu hnh 3. H iu hnh
1. ng b 2. Cp pht 1. Phn cng 2. An ton

4. ng dng

1. Sp t, Chia x, Qun l b nh 2. H thng tp, Cp pht thit b 3. Tnh nng khc

Thit k phn tng


Mt m un = nhiu m un hp phn
Mi m un hp phn thuc mt tng khc nhau ca kin trc a tng

V d: M un xc thc ngi dng


1. 2. 3. 4. Cp nht thng tin ngi dng So snh thng tin ngi dng Tm kim ngi dng Giao din xc thc ngi dng

Thit k phn tng

Mun xc thc trong thit k phn tng

An ton C s d liu
Trn c Khnh B mn HTTT Vin CNTT&TT H BKHN

C s d liu
Tp hp cc d liu c quan h c lu tr (tp trung hoc phn tn) ngi dng c th truy nhp khi cn

Mc tiu an ton CSDL


B mt
D liu nhy cm

Ton vn
Vt l Logic

Sn dng iu khin truy nhp Xc thc ngi dng

An ton CSDL
Cc mi e da CSDL
Cp nht CSDL D liu nhy cm Suy din

Thit k CSDL tin cy


CSDL a tng

An ton CSDL
Cc mi e da CSDL
Cp nht CSDL D liu nhy cm Suy din

Thit k CSDL tin cy


CSDL a tng

Cp nht CSDL
S c h thng
H thng b s c khi ang cp nht CSDL

Tng tranh
Nhiu ngi dng truy nhp sa i cng lc vo cng d liu

S c h thng: v d CSDL vn phng phm


Kho cha vn phng phm
Giy, bt,

Qun tr kho chu trch nhim t mua vn phng phm Phng, ban s dng vn phng phm
Mi vn phng phm c mt quota kinh ph vn phng phm c nh

CSDL vn phng phm: mt kch bn cp nht


Phng k ton yu cu 50 hp ghim giy Gi s cn 107 hp ghim giy trong kho Qun tr kho s t hng nu s lng hp ghim giy nh hn 100

Cc bc thc hin kch bn


1. Kim tra kho cn 50 hp hay khng. Nu khng, yu cu b t chi. Kt thc giao tc 2. Cn s lng. Lm php tr (10750=57) 3. Tr quota kinh ph ca phng k ton 4. Kim tra s lng hp c di 100 hay khng (57). t mua thm 5. Gi 50 hp ghim giy cho phng k ton

S c kch bn
iu g xy ra nu c s c h thng sau cc bc 1,2,3,4

Gii php phng chng s c h thng


Gii php 2 pha
1. Intent
1. Thu thp ti nguyn v thng tin, tnh ton v chun b d liu cho pha sau 2. nh du kt thc pha Intent
Set COMMIT-FLAG

2. Commit
1. Thc hin cp nht CSDL vi cc d liu chun b pha trc 2. nh du kt thc pha Commit
Unset COMMIT-FLAG

V d gii php 2 pha: cp nht CSDL vn phng phm


Intent 1. Kim tra gi tr COMMIT-FLAG. Nu khc 0, ch cho n khi COMMIT-FLAG bng 0 2. So snh s hp ghim giy ang c vi s yu cu; nu s yu cu ln hn, kt thc 3. Tnh TCLIPS = ONHAND - REQUISITION 4. Xem BUDGET hin nay ca phng k ton. Tnh TBUDGET = BUDGET - COST, trong COST l gi thnh ca 50 hp ghim 5. Kim tra TCLIPS < 100 hay khng; nu ng, TREORDER = TRUE; nu khng TREORDER = FALSE

V d gii php 2 pha: cp nht CSDL vn phng phm


Commit 1. COMMIT-FLAG = 1 2. Cp TCLIPS vo CLIPS trong CSDL 3. Cp TBUDGET vo BUDGET trong CSDL 4. Cp TREORDER vo REORDER trong CSDL 5. Chun b giy bo giao hng cho phng k ton. Ghi ch giao tc hon thnh vo log 6. COMMIT-FLAG = 0

Tng tranh: v d CSDL v my bay


Vn phng du lch A
SELECT (SEAT-NO = '11D') ASSIGN 'MOCK,E' TO PASSENGER-NAME

Vn phng du lch B
SELECT (SEAT-NO = '11D') ASSIGN 'EHLERS,P' TO PASSENGER-NAME

Gii php tng tranh


Cp nht CSDL l mt thao tc c bn
Ch mt thao tc cp nht thc hin trn mt d liu H qun tr CSDL s bo v d liu ang c cp nht Khi thao tc cp nht mt d liu kt thc, cc thao tc kh mi c quyn thc hin trn d liu

D liu nhy cm
D liu cng chng khng nn c Loi d liu nhy cm
Bng Bn ghi Trng

D liu nhy cm
Cc loi r g d liu nhy cm
D liu chnh xc Cn Kt qu m Tn ti Gi tr xc xut

Bo v d liu nhy cm
H qun tr CSDL qun l truy nhp d liu nhy cm bng iu khin truy nhp

Suy din
Suy din d liu nhy cm t d liu khng nhy cm

Suy din
Cc loi tn cng suy din
Trc tip (Direct) Gin tip (Indirect)
Tng (Sum) m (Count)

V d
Name Adams Bailey Chin Dewitt Earhart Fein Groff Hill Koch Liu Majors Sex M M F M F F M F F F M Race C B A B C C C B C A C Aid 5000 0 3000 1000 2000 1000 4000 5000 0 0 2000 Fines 45. 0. 20. 35. 95. 15. 0. 10. 0. 10. 0. Drugs 1 0 0 3 1 0 3 2 1 2 2 Dorm Holmes Grey West Grey Holmes West West Holmes West Grey Grey

V d: tn cng trc tip


List NAME where SEX=M DRUGS=1
Tr v thng tin lin quan n Adam H CSDL c th t chi cu truy vn ny v qu c bit

List NAME where (SEX=M and DRUGS=1) or (SEX /= M and SEX /= F) or (DORM=AYRES)
Cu truy vn phc tp hn nhng kt qu ging nh trn

V d: tn cng gin tip


Dng tng (Sum): tng ca kinh ph h tr theo gii tnh v khu vc
Holmes M F Total 5000 7000 12000 Grey 3000 0 3000 West 4000 4000 8000 Total 12000 11000 23000

V d: tn cng gin tip


Dng m kt hp tng (Count & Sum): s sinh vin theo gii tnh v khu vc
Holmes M F Total 1 2 3 Grey 3 1 4 West 1 3 4 Total 5 6 11

Bin php ngn chn tn cng suy din


Phn tch cu truy vn Ngy trang thng tin Loi b thng tin nhy cm

An ton CSDL
Cc mi e da CSDL
Cp nht CSDL D liu nhy cm Suy din

Thit k CSDL tin cy


CSDL a tng

CSDL a tng
Cc tng CSDL tng ng vi mc nhy cm ca d liu Cc tip cn
Phn ngn (Partitioning) M ha (Encryption) Kha Kha ton vn (Integrity Lock) Kha nhy cm (Sensitive Lock) Front-end tin cy (Trusted Front-end) B lc giao hon (Commutative Filter) Ca s (Window/View)

Phn ngn
CSDL c chia thnh cc CSDL khc nhau mc nhy cm khc nhau u im
Qun l an ton nhiu mc khc nhau

Nhc im
D tha Khng kt hp d liu cc mc nhy cm khc nhau

M ha
Mi d liu nhy cm s c m ha bng mt kha tng ng u im
Qun l an ton nhiu mc khc nhau

Nhc im
Tc Khng gian lu tr

Kha ton vn
Mc tiu m bo tnh ton vn v gii hn truy nhp Kha
Checksum
Tnh ton bng hm m ha hoc hm bm Gi tr ph thuc vo Data ID + Data + Sensitivity Label

Kha nhy cm
Mc tiu che giu nhy cm ca d liu Kha
M
Tnh ton bng hm m ha hoc hm bm Gi tr ph thuc vo Data ID + Sensitivity Level

Front-end tin cy
Hot ng ging Gim st thm quyn iu khin truy nhp CSDL
1. 2. 3. 4. 5. Xc thc ngi dng Kim tra quyn ngi dng Gi truy vn cho h qun tr CSDL Nhn kt qu truy vn Phn tch nhy cm ca kt qu truy vn, so snh vi quyn ngi dng 6. nh dng li kt qu truy vn 7. Gi kt qu truy vn cho ngi dng

B lc giao hon
Hot ng ging Front-end tin cy iu khin truy nhp CSDL
1. 2. 3. 4. 5. 6. Xc thc ngi dng Kim tra quyn ngi dng nh dng li truy vn Gi truy vn cho h qun tr CSDL Nhn kt qu truy vn Phn tch nhy cm d liu ca kt qu truy vn, so snh vi quyn ngi dng 7. nh dng li kt qu truy vn 8. Gi kt qu truy vn cho ngi dng

Ca s
Mc tiu gii hn tm nhn ca ngi dng theo quyn
Quyn c, ghi

Mi ca s l mt tp con ca CSDL
Mi tp con tng ng vi d liu m ngi dng c quyn s dng

An ton Mng v Web


Trn c Khnh B mn HTTT Vin CNTT&TT H BKHN

An ton Mng v Web


An ton Mng An ton Web

An ton Mng v Web


An ton Mng An ton Web

Mng my tnh
Mi trng s dng Tp v kch thc Phng tin truyn thng Cp, Cp quang, Vi sng, Hng nga, Satellite Giao thc 7 tng OSI: Vt l, Lin kt D liu, Mng, Vn chuyn, Phin, Trnh din, ng dng a ch MAC, IP nh tuyn Loi mng LAN, WAN, Internets

An ton Mng
Cc mi e da Thm d Nghe trm Mo danh, la o L hng trang Web T chi dch v M lu ng Cc bin php ngn chn M ha Xc thc Tng la Pht hin t nhp

An ton Mng
Cc mi e da Thm d Nghe trm Mo danh, la o L hng trang Web T chi dch v M lu ng Cc bin php ngn chn M ha Xc thc Tng la Pht hin t nhp

Thm d
Qut cng (Port Scan)
Thu thp thng tin i tng tn cng
dch v, cng ang hot ng (HTTP:80, POP:110, SMTP:25, FTP:21) phin bn h iu hnh phin bn ng dng

Tham kho danh sch cc l hng ca cc phin bn Thc hin tn cng

Nghe trm
ng truyn cp
S dng packet sniffer Lp trnh li card

Wireless
Tn hiu rt d b nghe trm
S dng ng ten

Mo danh, la o
Phng on thng tin xc thc ca i tng tn cng on mt khu Nghe trm thng tin xc thc ca i tng tn cng Nghe trm mt khu Tn dng l hng c ch xc thc Trn b m Thng tin xc thc cng cng Thit b mng qun l bi SNMP Man-in-the-middle Phishing

L hng trang Web


Trn b m Dot-Dot-Slash
../..

Gi phng thc pha my ch

T chi dch v
Trn kt ni (Connection Flooding)
Tn cng giao thc TCP, UDP, ICMP
Ping, Smurf, Syn Flood

DNS (Domain Name Server)


Tn dng li Buffer Overflow thay i thng tin nh tuyn
DNS cache poisoning

T chi dch v phn tn (DDoS)


Dng cc Zombie ng lot tn cng

M lu ng
Cookie Scripts
Cookie lu thng tin ngi dng (phin, lu di) Tn cng cc trang ASP, JSP, CGI, PHP

ActiveX M Java
Applet

Auto Exec Bot

.exe, .doc Trojan Horse

An ton Mng
Cc mi e da Thm d Nghe trm Mo danh, la o L hng trang Web T chi dch v M lu ng Cc bin php ngn chn M ha Xc thc Tng la Pht hin t nhp

M ha
M ha lin kt

M ha end-to-end

Thng tin c m ha tng Data Link ca m hnh OSI Thng tin c m ha tng Application ca m hnh OSI Trao i thng tin gia ngi dng v Firewall thng qua knh m ha Mt m cng khai v chng nhn SSH, SSL, IPSec

VPN (Virtual Private Network) PKI

Giao thc mt m

Xc thc
Mt khu mt ln
Password Token

H Challenge-Response Xc thc s phn tn Kerberos

Tng la
Cng c lc thng tin di chuyn gia mng bn trong v mng bn ngoi
V d: Mng LAN v Internet

Mc tiu ngn chn nguy c n t mng bn ngoi Thc hin ngn chn thng qua chnh sch an ton

Tng la
Cc loi tng la Lc gi (Packet Filtering Gateways) Duyt trng thi (Stateful Inspection Firewalls) Cng ng dng (Application Proxies) Gc (Guards) C nhn (Personal Firewalls)

Pht hin t nhp


Kim tra ngi dng v hot ng h thng Ghi li cu hnh h thng pht hin nguy c nh gi tnh ton vn ca h thng v d liu Pht hin cc dng tn cng Pht hin cc hot ng bt thng thng qua phn tch thng k Sa cha li cu hnh h thng Ci t v vn hnh cc h thng by t nhp

Pht hin t nhp


Cc loi h thng pht hin t nhp H pht hin t nhp da trn mu H pht hin t nhp dng Heuristics H pht hin t nhp hot ng b mt H Tripwire

An ton Mng v Web


An ton Mng An ton Web

SQL Injection
SQL
Structured Query Language Ngn ng truy vn CSDL

SQL Injection
Tn cng SQL Injection
statement = SELECT * FROM users WHERE name = + userName + ; iu g xy ra nu userName = a or t=t iu g xy ra nu userName = a';DROP TABLE users;

SQL Injection
Bin php ngn chn
Mc lp trnh
Kim sot cht ch u vo Loi b cc k t c bit

mc CSDL
Dng lnh prepare nh dng cu truy vn

Phn tch tnh cu truy vn


Pht hin iu kin t = t

Kim th

Mt s vn an ton Internet khc


Tn cng XSS
Scripts, PhP,

Qun l Cookie
Xc thc B mt: thng tin ngi dng

An ton Browser
Ton vn: malware, ti khon B mt: mt khu, mail, thng tin d liu