Académique Documents
Professionnel Documents
Culture Documents
SSL
Transféré par
Nguyễn Đăng0 évaluation0% ont trouvé ce document utile (0 vote)
18 vues53 pagesfdsa df
Titre original
Ssl
Copyright
© © All Rights Reserved
Formats disponibles
PDF ou lisez en ligne sur Scribd
Partager ce document
Partager ou intégrer le document
Avez-vous trouvé ce document utile ?
Ce contenu est-il inapproprié ?
Signaler ce documentfdsa df
Droits d'auteur :
© All Rights Reserved
Formats disponibles
Téléchargez comme PDF ou lisez en ligne sur Scribd
0 évaluation0% ont trouvé ce document utile (0 vote)
18 vues53 pagesSSL
Transféré par
Nguyễn Đăngfdsa df
Droits d'auteur :
© All Rights Reserved
Formats disponibles
Téléchargez comme PDF ou lisez en ligne sur Scribd
Vous êtes sur la page 1sur 53
‘Dé tai:Nghién ciru vé SSL va tmg dung ciia SSL trong bio mat Web
SV:Pham Bute Hai - BKNP
i Gi6i thigu : i
Muc tigu thy hign 48 tai nay cita nhimg thinh vign tham gia li di su tim hig vé :
© Cau tric cing nhu co ché hoat dong cia SSL.
. La h xy dung mét web server chay SSL.
Kha ning img dung SSL trong bao mat thong tin
Day [a lan dau thye hign mot dé tai lin nén con nhidu
déng gép y kién dé dé tai duge hoan thin hon.
"u s6t , mong Thiy va cdc ban
Page 1
BE taitNghién ciru vé SSL va img dung cia SSL trong bio mat Web
SV:Pham Dire Hai - BKNP
MUC LUC
Giéi thigu ee
MUC LUC... a
CHUONG 1: TIM HIEU CHUNG VE SSL (SECURE SOCKET LAYER) VA TLS
(TRANSPORT LAYER SECURITY)...
LI SSL LA Gi? TAT SAO SU DUNG SSI
LSSL 1a gi?....
2.7ai sao sit dung SSLz...
3.Tién trinh SSL...
1.2 Kién trae SSL
1.3 Giao thie SSL Record
14 Giao thite SSL Change Cipher Spec :...
LS Giao thie SSL Alert
16 GIAO THUC SSL HANDSHAK!
1.6.1 Giai dogn 1 ~ Thiét lfp kha nang bao mat :.....
1.6.2 Giai dogn 2 ~ Xe thuc server va trao di khéa
1.6.3 Giai dogn 3 — Xéc thue client va trao di khéa
1.6.4 Giai dogn 4 ~ Két thiic:..
17 TINH TOAN MA HOA.
1.7.1 Vige tgo Master Secret
1.7.2 Vige sinh cae tham s6 ma héa :..
18 TRANSPORT LAYER SECURITY: ..
18.1 Version Number :
8.2 Message Authentication Code
1.8.3 Ham tinh sé nl
1.8.4 Ma eanh bao :
8.5 Cipher suite =
1.8.6 Cac dang client certificate
1.8.7 Certificate Verify va Finished Message
8.8 Tinh toan ma hoa
nhién
Page 2
BB ta:Nghién cir v8 SSL vA img dung cia SSL trong bio mat Web
$V:Pham Bie Hai - BKNP
1.8.9 Phin dém 34
CHUONG IT: UNG DUNG CUA SSL PHUONG PHAP TAN CONG WEB HTTP...36
IL.1 CAC UNG DUNG PHO BIEN CUA SSL : ssssee
1.2 VAI DIEM CO BAN CUA SSTP ..ueseeetnnenenen
11.3 Diém khic nhau gitta SSL 2 va SSL 3.
1.4 PHUONG PHAP TAN CONG HTTP.
CHUONG III:GIAI PHAP PHONG CHONG VA TRIEN KHAI SSL
HIL1 CAI DAT OPENSSL
IIL1.1 Ty tao ching thye cho CA eta chinh minh
IIL1.2 Tao chiing thye cho may chi
IIL.1.3 Cai dt MyCA vi MyServer trén
HL.2CAI CA CERTIFICATE (MyCA): ..
111.3 Cail End-use Certit
wae 36
in2000
cate (MyServer): ..
HIL4 Cho TIS ding MyServer.csssseseneneineneesennsntasensse
ns
CHUONG I
Page 3
BE taitNghién ciru vé SSL va img dung cia SSL trong bio mat Web
SV:Pham Dire Hai - BKNP
CHUONG 1: TIM HIEU CHUNG VE SSL (SECURE
SOCKET LAYER) VA TLS (TRANSPORT LAYER
SECURITY)
1.1 SSL LA Gi? TAI SAO SU DUNG SSL
1.SSL li gi?
iéc két ndi gitta mét Web browser téi bat ky diém nao trén mang Internet di qua rit
nhiéu céc hé théng déc lip ma khéng cé bit ky sur bao vé nao véi cdc théng tin trén duong.
truyén. Khong mit ai ké cd ngudi sir dung lin Web server cé bat ky sur kiém soat nado déi
Gi during di cia dit ligu hay c6 thé kiém sodt duge ligu c6 ai dé tham nh§p vio thong tin
trén dung truyén. Dé bio vé nhiing théng tin mat trén mang Internet hay bat ky mang
TCP/IP nio, SSL di két hop nhig yéu t6 sau dé thiét lap duge mot giao dich an to’n:
Xée the: dam bao tinh xéc thye cla trang ma ban sé lim vige & dau kia cua két ndi. Cing
nhu vay, eae trang Web ciing cin phai kiém tra tinh xde thye ctia ngwii sir dung.
Mé hod: dim bao thong tin khong thé bj truy cp bai d6i tugng thir ba. Dé loai tit vige nghe
‘rm nhimng thong tin “ nhay cém” khi nd duge truyén qua Internet, dat ligu phai duge ma hod
dé khdng thé bi doc duge boi nhimg ngudi khde ngoai ngudi gli va ngudi nha
Toan ven die ligu: dam bio thong tin khong bi sai Igch vi né phai thé hign chinh xéc thong
tin géc giti dén.
Giao thite SSL duge hinh thanh va phat tri tién nim 1994 boi nhém nghién ctru Netscape va
gay nay tré thanh chuan bao mat thyc hanh trén mang Internet. Phién ban hign nay la SSL 3.0 va
dang tigp tue duge bd sung hodn thign.
2.Tai sao sir dung SSL:
Ngay nay vige bao mat théng tin li yéu t6 quan trong dé quyét dinh sy sng cin ciia mét 6
chite ,mét céng ty hay doanh nghiép . Véi su phat trién nhanh chéng cua céng nghé dai mang
Igi nhieu tign ich cho ngudi ding nhung dong théi ciing dt ra mot nhu cau hét site cap thiét ve
swan toan va bio mat .Va SSL chinh la giai phap tt nhat hién nay
dap Ging nang nhu edu dé va né duge coi nh li “ld chin cudi cing” trong bio mat thuong
mai dién tir,
Giao thie SSL ban dau duoc phat trién boi Netscape. Version 1.0 thi da khéng bao gicr
Page 4
‘Dé tai:Nghién ciru vé SSL va tmg dung ciia SSL trong bio mat Web
SV:Pham Bute Hai - BKNP
duge cong bé rong rai.Version 2.0 duge cong b6 vio thang 2/1995 nhung chita nhiéu 16
hong bao mit va sau cing dura dén m6 hinh SSL version 3.0 durge ban hinh nim 1996.Ban
sau cling niy duge ding cho TLS version 1.0 vi duge IETF xe dinh nhur mét giao thire
chuin trong RFC 2246 vao théng 1/1999. gay nay Visa, MasterCard, American Express
cing nhu nhiéu céng ty giai phdp tai chinh hing diu khdc trén thé gidi da va dang img
dung SSL trong thuong mai dign ti
‘Vike truyén cdc thong tin nhay cam trén mang rat khng an toan vi nhiing van dé sau:
Ban khdng thé Iuén Iuén chic ring ban dang trao déi théng tin voi diing déi tong
erin trao do
in vi vay dir ligu 6 thé bi 1 déi tuong thir 3 khde doc trdm,
thong dive biét dén nhucatt
{eu attacker c6 thé chan dif ligu, attacker cé thé sita di dir ligu truce Kkhi giri né dén
ngudi nhan,
iu tién bing cach cho phép 1 cach
ty chon méi bén trao d6i ¢6 thé chic chan vé dinh danh cia phia déi téc trong 1 qué trinh goi
la uthentication (xéc thuc).Mét khi cdc bén da duoc xéc thue,SSL cung cp | két néi duoc
ma héa gitta 2 bén dé truyén bio At cc message .Vige mai héa trong qua ti
tin gitta 2 bén cung cp sy rigng tw bi mat,vi vay ma gidi quyét duge vin dé thit 2.Thudt toa
‘mi h6a duge sit dung véi SSL bao g6m him bim mai héa,tuemg ty nh | checksum.N6 dim
‘bio ring dit ligu khong bj thay di trong qua trinh truyén din, Hm bam ma héa giai quyét vain
8 thi 3.tinh toan ven dir figu,
Cha ¥ ring,ca xac thye va ma héa déu la tay chon, va phy thudc vao cipher suites (cdc bo
‘mi héa) duge dam phan gitta 2 déi tugng.
Mot vi du 19 ring nht ma trong d6 ban nén sir dung SSL 1a trao d6i thing tin giao di
qua mang (e-commerce). Trong trao doi e-commerce.that dai dot khi gid dinh rang ban e6 thé
chic chin vé dinh danh cua server ma ban dang trao ddi théng tin.Ai dé ¢6 thé dé ding tgo ra
1 Website gia hita hen cac dich vu tuyét voi ,chi dé cho ban nh§p vao dé sé tai khoan, SSL
cho phép ban, client,xée thyc vé dinh danh ciia server.N6 cling cho phép server xae thye
dinh danh cua client,mic dit trong céc giao tac Internet,vige nay hiém khi durge lim,
_ Mét khi client va server da hai long véi dinh danh cia mdi bén déi téc.SSL cung cAp tinh
‘mat va tinh toan ven thong qua cdc thuat toan ma hoa ma no sir dung Dieu nay cho phép
cc thong tin nhay cim,nhur so tat khoain dure truyén di 1 cach an ton trén Internet
Trong khi SSL cung ep tinh xée thyc.tinh bao mat va todn ven dy ligu,nd khong cung
cdp non-repudiation (tinh khéng tir chéi).Non-repudiation cé nghia 1a khi 1 déi tugng giti
di 1 message ,thi sau d6 khong thé phi nhan vige minh da gi message d6.Khi I chit ki
s6 tuong duong duge lién két véi | message,viée trao déi nay sau dé c6 thé duge chimg
minh.SSL 1 minh né khéng cung cdp non-repudiation.
Page 5
18 taiNghién cin vé SSL va img dyng eta SSL trong bio mat Web
‘SV:Pham Dire Hai - BKNP_
opicaion Ser
(eters)
reer a
Perret emeteDeseop
i
3.Tién trinh SSL:
‘Vigc trao déi trén mang sit dung SSL bat dau vGi viée trao d6i théng tin qua Iai gida client va
server Sy trao d6i thdng tin nay goi la SSL handshake.
Ba muc tiéu chinh cia SSL handshake 1a:
* Dam phan cipher suite.
Xe thue dinh danh (tity chon),
* Hinh thanh co ché bao mat thong tin, bing cach théa thudn cdc co ché ma héa.
Bim phan Cipher suite +
‘M6ét phién SSL bit dau véi viée dim phan gitta client va server xem cipher suite nio ma
ching s& sir ding. M6t cipher suite 1A 1 tp cée thudt todn ma héa va kich thue khéa ma
miy tinh cé thé ding 48 ma héa dir ligu.M6t cipher suite bao gdm thong tin vé cde thudt
toin trao ddi khéa cOng khai va cde thuat toén thoa thun Khéa,va cic ham bam ma
héa.Client néi vii server ede cipher suite n’o n6 6 sin va server lyr chon cipher suite t6t
nhat co thé chap nh§n,
‘Xie thue server
Page 6
‘Dé tai:Nghién ciru vé SSL va tmg dung ciia SSL trong bio mat Web
SV:Pham Bute Hai - BKNP
Trong SSL,bube xc thyc IA tiy chon,nhung trong vi du vé giao téc e-commerce trén Web, client
theo thdng thuong s® muén xdc thye server. Vige xc thc server cho phép client chiie chin ring
chinh server ny dai dién cho déi tong ma client tin tudmg.
Bé chimg minh server thude vé 6 chire ma né khing dinh li n6 dai dign.server phai trinh
chimg chi khéa céng khai cia né cho client.Néu chimg chi nay 1a hgp 1é ,client e6 thé chic
chin vé dinh danh ctia server.
Thong tin trao ddi qua Iai gitta client va server cho phép ching thda thudn 1 khda bi mat
chung, Vi du,voi RSA.client ding khéa cdng Khai cia server.cé duge tir chimg chi khéa cong
‘mi héa thong tin khéa bf mft.Client giri thong tin khéa bi mt da duge ma héa dé
c6 server méi cé thé giai ma cai message nay béi vi qua trinh gidi ma phai can dén
kha rigng cia server.
Giri dit tigu da ma héa:
Bay gidca client va server c6 thé truy cp dén khda bi mét chung. V6i mdi message ching
ding dén ham bam ma héa,da duge chon trong bude thir nhat cita tién trinh nay,va chia sé thong
tin bi mat,dé tinh toan 1 HMAC néi thém vao message. Sau d6,ching diing khoa bi mt va thuat
toan khéa bi mt di duge dim phan & bude dau tién cia tién trinh nay dé ma héa dit ligu va
HMAC an toin.Client va server gid day c6 thé trao déi th6ng tin véi nhau I cdch an toan véi
cde dit ligu da bam vi ma héa,
Giao thire S:
Phan truée cung cdp su mé ta so luge vé SSL handshake, la su trao déi théng tin gitta client va
server trudc khi giri cdc message di duoc ma héa.Phan nay mé ta chi tiét hon.Hinh sau minh
hoa chudi tuan ty cic message durge trao déi trong SSL handshake.Céc message ma chi duge git
trong I truong hap nao dé durge danh dau la tiy chon,
Hinh 2: Cac message SSL
Page 7
pit Glient Server
svi
1 Client hello [+
\*—— 2.Server hello
+ 3. Certificate tity chon
}¢——J 4.Certificate request tiy chon
le——J 5Server key exchange tigy chon
\¢———_ 6 Server hello done
7.Certificate tity chon -——>}
8.Client key exchange —
9.Centificate verify tiv chon |»
10.Change cipher spec —
11 Finish t-—
l¢——J 12.Change cipher spec
}+—— 13 Finished
14 Encrypted data \*—— >) 14. Encrypted data
15.Close messages J+) 15.Close message
Cac message SSL due giti theo thi ty sau:
1) Client hello: client giri dén server cdc thong tin bao gom phién ban SSL cao nhat va 1 danh
sich céc cipher suite ma né hé tre. (TLS 1.0 duge chi ra nhu la SSL3.1).Théng tin cipher suite
‘bao gm ede thudt todin ma hda va kich thude khéa.
2). Server hello: server chon ra phién bin SSL cao nhit va cipher suite t6t nhat ma ci client va
server h6 trg, va giti thong tin nay vé cho client,
3) Certificate: server giti cho client 1 chimg chi hoe 1 chudi chiig chi. V8 ca bain,1 ch
chimg chi bit dau bing chimg chi khda cong khai ciia server va ket thie bing chimg chi goc
iia 16 chire ¢6 thim quyén chimg chi.Message niy Ia tay chon.nhung_né duge ding bat eit
Page 8
‘Dé tai:Nghién ciru vé SSL va tmg dung ciia SSL trong bio mat Web
SV:Pham Bute Hai - BKNP
Khi nao xéc thye server 1 cdn thiét
4) Certificate request: néu server cin xée thie
chi.Trong cae ing dung internet,message nay hi
Jient.né giri cho client 1 _yéu clu xem chimg
khi duge giti di,
5) Server key exchange: server giri cho client 1 message trao d6i Khéa server trong khi khéa
cong khai duge giti 6 phan 3) bén irén thi khdng dii cho trao d6i Khéa,
6) Server hello done: server néi véi client ring né hoan thinh céc message dim phan ban
di.
7) Certificate: néu server cin chimg chi tir client trong message 4, client gi chudi chimg
chi eta né,ciing giéng nhur server lim trong message 3.
8) Client key exchange: client sinh ra thong tin durge ding dé tao ra khda trong ma hia di
xtmg. Voi RSA, client mi hoa théng tin khéa nay bing khéa céng khai cia server réi giti no
dén server.
9) Certificate verify: message nay duge giti khi client trinh ra chimg chi nhur trén.Muc tiéu cita
nl cho phép server hodn thinh tién trinh xée thye client. Khi message nay duge diing.client git
théng tin véi chir ki s6 tao bing him bam ma héa.Khi server giai ma théng tin ndy bing khéa
céng khai ctia client,server c6 thé xéc thue client.
10) Change cipher spec: client giti message bio server thay di kiéu ma héa.
11) Finished: client ndi vai server ring né sin sang dé bat dau trao di dit ligu an toan.
12) Change cipher spec: server giti message bio client thay déi kiéu ma héa.
13) Finished: server ndi véi client ring né sin sang dé bat dau trao ddi dit ligu an toan.Két thie
SSL handshake.
14) Encrypted data: client va server trao ddi véi nhausit dung thuat ton ma héa ddi ximg va
ham bam ma héa da dim phin & message 1 va 2,va ding khéa bi mat ma client giti cho server
trong message 8.
15) Closed messages : Két thiic 1két ndi,mdi bén giri 1 message close-notify dé théng bao dau
kia biét két ndi bi déng.
Néu cde tham s6 duge sinh ra trong I phién SSL duge fu Igi,cde tham s6 nay ¢6 thé thinh
thong duge diing lai cho ede phién SSL sau. Vige Iuu lai cde tham s6 phién SSL cho phép cic
trao d6i bao mat vé sau duge bat dau nhanh chéng hon.
Page
‘Dé tai:Nghién ciru vé SSL va tmg dung ciia SSL trong bio mat Web
SV:Pham Bute Hai - BKNP
Lua chon Cipher suite va x6a Entity verification: __
Giao thite SSLITLS dinh nghia 1 chudi ce bude de bigt dé bio dam 1 két nd
vé".Tuy nhién,vige Iva chon Cipher suite sé téc dng tryc tiép dén logi bio mat ma két ndi cd
duge.Vi dy.néu 1 cipher suite nge danh duge chon,img dung khong c6 cach no dé kiém tra
inh danh cua diu xa.Néu I suite-khOng e6 ma héa, duge chon,tinh bi mat cia dir ligu khong
thé duge bio vé.Thém vio dé.giao thite SSL/TLS khong chi r0 ring nhimg ti ligu ching nhin
hin durge phai khép v6i nhiing cai ma du kia guri.Néu két n6i theo céch no a6 ma bj. redi
den 1 ké xdu,nhung tai ligu chimg nhan ca ké xau nay khi trinh ra thi duge chap nhan dya trén
nhitng tw ligu tin tong hign tai,két noi nay sé duge xét la hop Ié.
Khi ding SS/Sockets/SSLEngines,nén luén luén kiém tra tai 1igu chimg nhan cia du xa trade
Khi giti bit ki dir ligu nio.Cic lip SSLSockets va SSLEngines khong tw ding kiém tra hostname
trong URL e6 khép véi hostname trong tai ligu chimg nhdn eta du kia hay khong. Mot img dung
€6 thé bi khai thac bing URL spoofing néu hostname khéng duge kiém tra.
Cae giao thite nhu HTTPS cin thiét ph iém tra hostname.Cac tng dung cé thé ding
HostnameVerifier dé viet chéng lén luat hostname HTTPS mic dinh .
1.2 Kién trie SSL:
SSL duge thiét ké dé ding TCP cung cdp 1 dich vu bio mat diu cudi-dén-dau cudi ding tin
cfly.SSL khong phai 1a m6t giao thite don ma 18 2 16p giao thite,nhu minh hoa dui day.
Hinh 1.1: Chéng giao thite SSL
SSL Handshake SSL Change SSL Alert | HTTP
Protocol Cypher Protocol
Spee Protocol
SSL Record Protocol
TCP
1P
SSL Record Protocol cung cp cdc dich vu bio mat co bin cho nhiéu giao thite khéc nhau & cde
lop trén.Trong thye té, Hyper Text Transfer Protocol (HTTP),cung cap dich vu trao ddi cho
tuong tic Web client/servercé thé hoat déng trén dinh cia SSL.Ba giao thite lép trén durge dinh
Page 10
‘Dé tai:Nghién ciru vé SSL va tmg dung ciia SSL trong bio mat Web
SV:Pham Bute Hai - BKNP
nghia nhw li ede phin cta SSL: Handshake Protocol,Change Cypher Spec Protocol va Alert
Protocol.Cic giao thire mang tinh dic trng-SSL nay durge ding trong phan quan ly trao di SSL.
va duge xét dén trong phin sau.
Hai khdi nigm SSL quan trong I SSL session (phign SSL) vi SSL connection ( két ndi_ SSL)
duige dinh nghia nhur
sau:
HT Connection ( két néi): 1 két ndi 1a 1 transport _ trong dink nghia mé hinh phan lép OSL
cung cp 1 loai dich vu thich hgp.Véi SSL,nhimg két néi nhur vay 1a nhiing mdi quan he
ngang hing, Cac két néi thi trao doi nhanh chéng. Méi két néi gin véi | phién.
[__ Session (phign): 1 phién SSL 18 1 lign két gita I client va 1 server.Cée phién duge wo ra
bing Handshake Protocol (giao thie bit tay).Céc phign dinh nghia 1 tp ce tham s6 bio mit
bing mt ma,cé thé duge chia sé gitta nl ndi.Cée phién duoc diing dé tranh nhting dam
phan tén kém_vé cdc tham s6 bio mat méi_cho mdi két ndi,
bit ki 1 cAp ciia nhém nio (cic tg dung nhur HTTP trén client hay server),c6 thé c6
nhigu két ndi bao mit. Vé ly thuyét ,c6 thé e6 nhigu phién déng thi gitta cic mhém,nhung dic
trumg nay khong duye ding trong thue tién,
‘Thye su cé nhiéu trang thai gin véi mdi phién.M6t khi 1 phién duge thanh 1p,cé trang thai hoat
dong hign thai cho ca doc va ghi, (nhur nhdn va giti..).Thém vao d6, trong sudt qué trinh
Handshake Protocol, trang thai treo doc vi ghi duge tao ra.Dya trén két ludn thinh céng cia
Handshake Protocol,céc trang thai treo trd thin trang thai hién thé
-M6t trang thai phién duge dinh nghia boi ede théng s6 sau (cic dinh nghia ly tir de tng
SSL):
Session Identifier : 1 chudi byte bat ki duge chon béi server dé nhan dang trang thai phién
a hoat dong
(active) hay phyc héi lai (resumable).
I Peer certificate: mot chimg chi X509.v3.Thinh phin nay cia trang thai c6 thé 1a null
TE Compression method: thuat to’in duge diing dé nén dir ligu true khi ma hoa
[Cypher spec : chi ra thudt toan ma héa dit ligu (nhur réng,AES.. va thudt todn bam (nhur
MDS hay SHA -
1) sit dung dé tinh toan MAC.NG cting dinh nghia cae thude tinh ma hoa nhu hash-size.
Master secret : 48 byte bi mat duge chia sé gita client va server.
Page 11
BE taitNghién ciru vé SSL va img dung cia SSL trong bio mat Web
SV:Pham Dire Hai - BKNP
[Is resumable : mét cd chi ra ring phién nay c6 thé duge ding dé khdi tao cdc két
hay khong.
khae
-M6t trang thai két ndi duge dinh nghia bai cdc tham s6 sau:
LT Server and client random: cic chudi byte durge chon béi server va client cho mdi két ndi,
I Server write MAC secret: khéa bi mat duge sir dung boi phép tinh MAC trén dtr ligu, duge
atti boi server.
[Client write MAC secret: khéa bi mit duge sir dung boi phép tinh MAC trén dit ligu,durge
atti boi client,
[Server write key: khéa ma héa quy woe cho dit ligu duge ma héa bi server vl
client,
ii ma bOI
[Client write key :khéa ma héa quy ue cho dit Higu durge ma héa bai client va gidi ma bai
server.
[Initialization vectors: khi 1 khéi ma trong mode CBC dugc ding, mét vector khéi tao (IV)
duge duy tri cho méi key.Phan_niy due khdi tao trudc tién béri SSL Handshake Protocol.Sau
46,kh6i ma héa cudi cing tir méi record durge dé dnh tai dé ding lam TV cho record sau
[Sequence number : méi bén duy tri efe sequence number riéng cho mdi message duge
truyén hod duge nhén trong mdi két ndi.Khi 1 bén giri hode nhén mét change cypher spec
message, sequence number thich hgp duge thiét lap vé 0.Sequence number khéng thé wugt qué
64.
2
1.3 Giao thire SSL Record :
SSL Record Protocol cung cp 2 dich vy cho két néi SSL:
[Confidentiality (tinh can mat): Handshake Protocol dinh nghia 1 khéa bi mit duge chia sé,
khda nay duge sir dung cho ma hoa quy uée cde dit ligu SSL.
[Message integrity (tinh toan ven thong digp):Handshake Protocol cing dinh nghia I khéa bi
mit duge chia sé, khéa nay duge sir dung dé hinh thanh MAC (ma xéc thc message)
Hinh sau chi ra toan b6 hoat déng cla SSL Record Protocol.SSL Record Protocol nhan 1
message tmg dung sip duge truyén diphan manh dit ligu thanh nhiéu block,nén di ligu 1 each
tay chon,ap dung vao | MAC,mé héa,thém vao header,va truyén khdi két qua thu duge trong 1
segment TCP.Di ligu nhiin duge duce gidi ma,kiém tra ,gidi nén,sip xép lai va phan phéi dén
Page 12
‘Dé tai:Nghién ciru vé SSL va tmg dung ciia SSL trong bio mat Web
SV:Pham Bute Hai - BKNP
ngudi sir dung 6 lp cao hon,
Hinh 1,2 : Hoat déng cua SSL Record Protocol
Dit ligu tmg dung:
block
Bude dau tién 1a phin minh. Mai message cia lop bén trén duge phan minh than
ami block 1 214 byte (16384 byte) hode it hon
Tiép theo,nén doje ap dung 1 cach tiy chon.Nén phai la khong mat mat thong tin va cé the
khéng lam ting chiéu dai ndi dung nhiéu hon 1024 byte (Di nhién,nguoi ta mong mudn nén lam
co lai dir ligu hon 14 ndi rong dit figu.Tuy nhién .v6i nhing block ngin,cé thé .do dinh dang quy
thuadt ton nén thyc su 1m cho output dai hon input). Trong SSLv3 (ciing nhu phién ban hign
tai cia TLS),khéng c6 thuat tod nén no duge chi r3,vi vay thuat todn nén mc dinh 18 null
Page 13
‘Dé tai:Nghién ciru vé SSL va tmg dung ciia SSL trong bio mat Web
SV:Pham Bute Hai - BKNP
Bojée xir li ké tiép
hign can ding
inh ton MAC (ma xac thyte message) trén dit ligu da durge nén.Dé thye
Khéa bi mat duge chia sé.Phép tinh duge dinh nghia nhur sau:
hash(MAC_write_secret || pad_2 || hash(MAC_write secret || pad_I \|seq_num
||SSLCompressed.type || SSLCompressed. length || SSLCompressed,fragment))
trong dé:
||: phép néi/hoae.
MAC_write_secret: khéa bi mat durgc chia sé
hash: thugt ton bam ma héa, MDS hode SHA-1.
pad_I: byte 0x36 (0011 0110) duge lap lai 48 lin (384 bit) cho MDS va 40 Lin (320 bit)
cho SHA-1.
pad_2: byte OxSc (0101 1100) duge lap lai 48 lan cho MDS va 40 lin cho SHA-I.
sseq_num: sequence number cho message nay.
SSLCompressed. type: giao thite 6 lop trén duge ding dé xit li phan manh nay.
‘SSLCompressed length: chiéu dai ciia phn manh da durge nén,
SSLCompressed. fragment: phan ménh da duge nén (néu nén khong durge ding, phan manh
dang
plaintext)
hii y ring,cdi nay tuong te nhu thugt ton HMAC.Diém khée biét 1d 2 phan dém (pad) due
|| trong SSLv3 va duge XOR trong HMAC. Thuat ton MAC trong SSLv3 durge dya trén ban
phac thao Internet ban dau cho HMAC. Phién ban gan nhat cia HMAC duge dinh nghia trong
RFC 2104,sir dung XOR.
Ké tiép, message d4 nén cOng them MAC duge ma héa theo phojong phap ma héa déi
xing. Ma héa c6 thé kh6ng lim ting chiéu dai noi dung hon 1024 byte,vi vay chiéu dai tong
cong khéng vugt qua 2!4+2048. Céc thuat toan ma héa sau duge cho phép:
Block cipher (Ma hoa khéi) ‘Stream cipher (Ma héa Tuéng)
Thuat toan Kich thuée khéa_|Thuat toan Kich thuée khéa
‘AES 128,256 RC440 40.
IDEA 128 RC4-128 128
Page 14
‘Dé tai:Nghién ciru vé SSL va tmg dung ciia SSL trong bio mat Web
SV:Pham Bute Hai - BKNP
DES-40 40
DES 56
3DES 168
Fortezz 80
+ DES (Data Encryption Standard) ki mt thudt todn ma hod cé chidu dai khod Ia $6 bit.
‘+ 3-DES (Triple-DES): li thudt toan mai hod e6 dé di khod gap 3 lin 46 dai khod trong mi hod DES
+ DSA (Digital Signature Algorithm): li mt phan trong chun vé xéc thye 86 dang duge duge chinh
phit My sir dung.
+ KEA (Key Exchange Algorithm) ls mat thudt toan trao 46i khod dang duge chinh phi My sit dung,
+ MDS (Message Digest algorithm) duoc phat thién béi Rivest.
+ RSA: 14 thuat todn ma hod cng khai ding cho ca qué trinh x4c thye va ma hod dit ligu duge
Rivest, Shamir, and Adleman phat trién
«RSA key exchange: \a thuat toan trao déi khod ding trong SSL dya trén thuat todn RSA.
+ RC2 and RC4: 1h cde thust ton ma hod duge phat trién bi Rivest ding cho RSA Data
Security.
+ SHA-1 (Secure Hash Algorithm): li m6t thudt ton bam dang durge chinh phi My sit dung,
Cac thudt toan trao di khod nh KEA, RSA key exchange duge sit dung dé 2 bén client va
server xéc lap khoa déi xing mi hg sé sir dung trong suét phién giao dich SSL. Va thuat toan
duge sit = dung = phd sbién = das RSA key — exchange.
Cie phién bin SSL 2.0 va SSL 3.0 hé try cho hau hét cde 69 mai hod. Ngudi quan tr c6 thé tuy
chon bé ma hoa sé ding cho ca client va server. Khi mot client va server trao déi théng tin
trong giai doan bat tay (handshake), ho s€ xc dinh b6 ma hod manh nhat c6 thé va sir dung
chiing trong phién giao dich SSL.
Fortezza cé thé duge sir dung trong myc tiéu ma héa smart card,
‘VGi ma héa stream (ludng),message da nén céng them MAC duige ma héa.Chii ¥ ring MAC
duge tinh ton truéc khi ma héa xdy ra va MAC duge ma héa cing véi_ plaintext hodc 1
plaintext da nén.
Voi ma héa block (khdi),MAC 6 thé duge dém thém trudc khi ma héa.Phin dém them
(padding) cé dang gdm nhiéu byte dém duge theo sau bai I byte chi rd chiéu dai cia phan
dém.Téng s6 lugng dém vao A Iugng nho nhat sao cho téng kich thude dit ligu duge ma hoa
(plaintext +MAC + padding) la 1 béi s6 ctia chiéu dai khdi ma héa.Vi du, plaintext (hodc text
da nén néu nén duge ding) la 58 byte, voi MAC 1a 20 byte (ding SHA-1), duge ma héa véi
chidu dai block 18 8 byte (nh DES..).Cing v4i byte padding.tength .né sinh ra téng eng 79
byte.Dé tao ra 1 s6 nguyén Ia béi ciia 8,1 byte dém duge thém vio,
Page 15
‘Dé tai:Nghién ciru vé SSL va tmg dung ciia SSL trong bio mat Web
SV:Pham Die Hai - BKNP
i cling ciia xir li SSL Record Protocol la gin thém vaol header ,bao gdm cic myc
sau:
LT Content Type (8 bit): giao thire lap trén duge ding dé xir li phan manh di kém.
LT Major Version (8 bit): chi ra phién ban SSL t6i da duge ding. Vi dy, SSLV3, gid tri nay la
3.
[Minor Version (8 bit) : chi ra phién ban 16i thiéu duge ding. Vi dy, SSLv3 ,gia tri nay 18 0.
LT Compressed Length (16 bit) : chiéu dai theo byte cita phan manh plaintext (hoge chiéu dai
theo byte cia phn manh da nén néu nén duge diing).Gia tri lin nhat ta 2!4+2048.
Cée logi ndi dung duge dinh nghfa li change_cipher_spec.alert,handshake, va application_data,
Ba cai dau tién 1A cdc giao thire dic trang-SSL,dugc ban dén trong phan ké tiép.Chis ¥ rin
khéng cé sy khic biét ndo duge tao ra giita cac img dung (nhuw HTTP..) co thé ding SSL.néi
dung dir ligu dugc tao ra béi cic img dung dé thi khéng trong suét déi voi SSL.
Hinh sau minh hoa dinh dang SSL record.
we nes ne
= ia
Es
3 see
ee) wc enn 5/21 (alt af fnsto
=
Giao thie SSL Change Cipher Spec Ii giao thite don gin nht trong ba giao thie dc trumg
ciia SSL ma sit dung giao thire SSL Record . Giao thite nay bao gdm mot message dom 1 byte
gid 1. Muc dich chinh ciia message
nay ld sinh ra trang thai tiép theo dé gan vao trang thai hign tai,va trang thai hién tai cp nhi
1b6 mi héa dé sit dung trén két ndi nay.
Page 16
‘Dé tai:Nghién ciru vé SSL va tmg dung ciia SSL trong bio mat Web
SV:Pham Die Hai - BKNP
+ | ems | ope | open | aeons
oe
7:
pes elon enath
14 awe an 3 :
[|
ces protcot wpe
Li.Giao thite SSL Alert
Giao thite SSL Alert duge ding dé truyén canh bdo lién két SSL véi du cudi bén kia.Nhw
‘oi nhimg img dung khéc sit dung SSL, alert messages durge nén va ma héa, duge chi dinh
boi trang thai hign tai.
message trong giao thirc nay gdm 2 bytes .Byte dau tién gitt gia tri canh bio(1) hode
nguy hiém(2) dé thong bio 46 nghiém ngat cia message.Néu miic d6 Li nguy hiém,SSL lap tite
chap dirt két ndi. Nhimg két néi cung phién khac vin cé thé tiép tuc nhung sé khéng két ndi nao.
khéc trén phign niy duge khéi tg thém.Byte thir hai chira mot ma chi ra canh bio dic trumg,
Dau tién , ching ta ligt ké nhiing cinh béo d6 ma ludn 6 mire nguy hiém ( duge dinh nghia tir
nhiing thong s6 SSL):
' unexpected_message: message khOng thich hop.
' bad_record_mac: MAC khong chinh xéc.
1 decompression failure: vige gidi nén nhgn input khong thich hgp(vi du nhw khong
thé giai nén hodc gii nén lon hom dé dai toi da cho phép).
' handshake failure: ben wi Kivdng thé thuong lugng.mdt bd chip nin duge cia ce
thong sO bad mat durge dura ra tir mhimg Iya chon c6 San,
illegal parameter: mt trong trong mgt handshake message thi vugt khdi day hove
' qdtvorohing tuougkhae ee ¥
Phan cén lai ctia céinh bio thi nhw sau:
1 close_notify,, thang bio cho bén nhan ring bén giti sé khéng giti thém message nio
nita ffong két noi-nay.Moi nhom thi, duge yéu cau giri mot close_notify canh bao
trutée khi ket thie phan ghi cua mot két noi,
1 no_certificate: cé thé duge_giti dé tra 1di cho mot yéu cau certificate néu khong
Ceftificate thich hyp nao e6 sin.
1 bad_certificate: certificate nhin duge thi khong hyp 16(vi du nhur chia mot chit ky
Page 17
‘Dé taiNghién ciru vé SSL va king dung cia SSL trong bio mat Web
‘SV:Pham Dire Hai - BENP
khéng xac minh).
' unsupported certificate: dang certificate nhin duge thi khong hé tro.
1 certificate_revoked: certificate 43 bi thu hdi bai nha cung cp.
certificate_expired: certificate 43 hét han dang ky.
certificate_unknown: m6t s6 phat sinh khéng ndi rd x
certificate lam cho né khéng thé chap nhan,
hign trong qué trinh xt ky
+) breve | pret ever | Byes
=
= es
a eee
a
paw
1.6 GIAO THUC SSL HANDSHAKE
Byte +0 Bye Byte #2
‘ined hte 15.8) (ot 7.0)
ndshake message dete length Cones
io 23.18) (ou 158) | OBTO erent
Handshake message data 13 CemreataRecuest
Slot)
oe |e Handshake message data lengh aes
nn) Ee (ts 23.16) (ot 15.5) mete |'°__ Cetreteverty
ma 18 ChertkeyExctange
ae Handshake message data ane
Phan .khé hiéu" nhét cia SSL 1a giao thite Handshake. Giao thite nay cho phép server va
client chiing thye véi nhau va thuong lung co ché mai héa , thugt ton MAC va khoa mat ma
duge sir dung dé bao vé dir ligu durge giti trong SSL record.Giao thite SSL Handshake thudng
duge sir dung trude khi dir ligu cia ting dung duge truyén di.
Page 18
‘Dé tai:Nghién ciru vé SSL va tmg dung ciia SSL trong bio mat Web
SV:Pham Die Hai - BKNP
[Type (1 byte): chi ra mét trong mudi dang message
Giao thie SSL Handshake bao gdm m6t loat nhiing message trao di git client va
server. Mdi message c6 ba trong:
Length (3 bytes): d dai ciia message theo bytes.
LT Content (>=0 bytes): tham sé di kém véi message nay, duge ligt ké trong Hinh 15a
Hinh 15a Cac kiéu message giao thie SSL handshake
‘Kieu message Thong so
Hello_request Null
Client hello version, random, session id, cipher suite
compression
Server_hello version, random, session id, cipher suite
compression
Certificate chain of X.509v3 certificates
Server_key_exchange
Certificate Tequest
parameters. signature
type, authorities
Server_done ‘Null
Certificate_verif signature
Client_key exchange parameters, Signature
Finished hash value
Hinh L5b thé hign trao déi lic ban dau can duge thiét lap mot
server. Vige trao doi c6 thé xem nhur e6 4 giai doan,
. ndi logie gitta client va
Hinh 5b Co ché giao thir SSL Handshake
Page 19
‘Dé tai:Nghién ciru vé SSL va tmg dung ciia SSL trong bio mat Web
SV:Pham Die Hai - BKNP
racine “@ Chant server"? "rene
nna cn = vrs a see
ernie ton ante ID
~3e- a eto | ee
generate random nurcor EB plete
eee eee sno rciononemin Ga) Y| EB — o—e
den dt te Phe
ES cer ite
ct eee cet Phase 3
rat eto ne penance
06 3232 GD een th a yee
cess tree ne SD
argete cys cma wth ED sy
Phase 4
1.6.1 Gi
loan 1 — Thiét lap kha nding bao mat :
Giai doan nay duge dung dé bat du mot két ndi logic va thi kha nding bao mat ma sé lién
két v6i n6.Vige trao doi thi duge khdi tg0 bai client bang vige giri m6t client_hello message véi
nig thong sé sau day:
I Version: version SSL méi nhat ma client biét.
E Random: mét céu trac sinh ra ngau nhién tir client, bao gdm mét nhan thi gian 32 bit va
Page 20
‘Dé tai:Nghién ciru vé SSL va tmg dung ciia SSL trong bio mat Web
SV:Pham Bute Hai - BKNP
28 bytes sinh bai mét b6 sinh s6 ngau nhién an toan, Nhimg gia tri nay phyc vu cho Lin nay
vsit dung su6t qua trinh trao ddikhéa dé ngain tin céng 1p lai.
[Session 1D: m6t 1D cia phién 6 chiéu dai thay d6i duge.SessionID_khic 0 nghia la client
mudn cap nhat tham s6 cia mét két néi dang t6n tai hay tao mot két néi moi tén phién
diy. SessionID = 0 chi ra ring client muén thiét lap mot két ndi méi trén mot phién msi,
1 CipherSuite: day 18 1 danh sich ma chita nhimg b6 bién dich eda nhtng thut ton ma
ha duge hé try béi client, tham khao theo thir ty giam Méi thanh phan trong dan sich
(mdi b6 ma héa) cl mOt khéa trao déi va mét CipherSpec, nhitng théng sé nay sé
duge bin dén sau.
[Compression Method: day 1h danh sich cia nhiing phuong thie nén ma elient hd tro.
Sau khi giti client_hello message, client ché nhfin server_hello message ma chita cling théng sé
‘Gi client_hello message. Véi server_hello message, nhiing théa thugn kém theo duge 4p dung.
Trung Version chita version thap hon duge dé nghj béi client va cao nhat duge hé try boi
sever.Triimg Random duge sinh ra béi server va de lip véi trudg Random cita client. Néu
trudng SessionID cia client khie 0, thi gi
trudng SessionID ciia server chita gia tri cia mot phién méi, Trung CipherSuite chita bo
héa chon boi server tir nhimg dé xuat cia client. Truémg Compression chia phuong thire nén
chon boi server tir nhimg dé xudt cia elient.
tri tuong ty duge diing bai serversnguge Iai thi
‘Thanh phan dau tién cita théng s6 Cipher Suite la phuong thite trao déi kha (vi dy nhw bing
céch ndo nhiing khéa ma héa cho vige ma héa thong thuéng va MAC duge trao di ), Nhing
phuong thife trao doi khéa sau duge hd try:
TSA: kha bi mat duge ma héa voi khéa cng khai RSA cua bén nhin, Mot public-key
certificate cho khéa bén nhjn phai duge tgo sin,
I Fixed Diffie-Hellman: day la sy trao d6i khéa Diffie-Hellman trong certificate cia server
chita cc thong 6 cdng Khai Diffie-Hellman duge ky boi Certificate Authority (CA) .Nghia la
certificate khéa céng Khai chita cdc théng s6 khéa céng khai Diffie-Hellman. Client chtta sin
ic théng s6 khda cong khai Diffie- Hellman 6 trong certificate néu ching thye client duge
‘yeu cau hogc trong mgt message trao d6i khéa Phuong thire nay mang lai két qua mt khéa bi
mat 06 dinh gitta hai dau, dua trén tinh toan Diffie- Hellman sir dung khéa céng khai cé dinh.
1 Ephemeral Diffie-Hellman: Phuong phap duge sit dung dé tg0 khéa ,ephemeral"(tam théi, 1
in) khéa tam thoi, Trong truéng hyp nay, khéa cOng khai Diffie-Hellman duge trao ddi,duge
ky sir dung khéa bi mat RSA hoe DSS ctia bén giri.Bén nhan c6 thé sir dung khéa céng khai
tuong tng dé xac minh chit ky. Certificate duge sir dung dé xac thye khéa céng khai. Digu nay
Page 21
BE taitNghién ciru vé SSL va img dung cia SSL trong bio mat Web
SV:Pham Dire Hai - BKNP
1
nhur Ia sur bao dam nhat ciia ba Iva chon Diffie-Hellman bdi vi né 1a két qua ctia sy tam thoi va
kha xe thye
[Anonymous Diffie-Hellman: thuit to’n Diffie-Hellman co ban duge sit dung, khdng ching
thye.Nghia 4 mdi kin mot bén giti thong s6 Diffie-Hellman cong khai etia né cho bén kia thi
khéng xdc thye.Diéu nay gan nhu li 6 thé bj tan cng bi tin cong Mar
dé ké tan c6ng diéu khién ca nhém anonymous Diffie-Hellman.
L_ Fortezza: phuong php dinh nghia cho luge a Fortezza
Dinh nghia kém theo cho mgt phutong phap trao ddi Khéa li CipherSpec , bao gém nhing
trudng sau:
L CipherAlgorithm: mét vai thuat toin ké dén : RC4, RC2, DES, 3DES, DES40, IDEA,
Fortezza.
LT MACAlgorithm: MDS hoac SHA-L
1 CipherType: uing hoac khéi.
[LsExportable: True hoac False
L HashSize: 0, 16 (cho MDS), hay 20 (cho SHA-1) bytes,
[Key Material: this ty cia cic bytes ma chita dit ligu duge ding trong sinh khéa .
LIVSize: kich thude cita gid tr} khdi tao cho ma héa Cipher Block Chaining (CBC).
2. Giai dogn 2 — Xie thye server va trao di khéa :
IT Server bit du giai doan nay bing cach giri certificate cia né néu né cdn duge xéc thyc;
thong digp chira mOt hose mt chudi certificate(chimg thc) X.509. Thong digp chimg thye
duge yéu ciu cho bat ki m6t phuong phdp trao déi khéa nao duge théa thudn, ngoai trir
anonymous Diffie-Hellman.Chi ¥ ring néu fixed Diffie-Hellman due diing.thi thong digp
chiing thye e6 chtie nang nhu 1d thong diép trao déi khéa cia server vi nd chita ede tham sé
Diffie-Hellman cng khai cla server.
TL Sau do mot thong digp server_key_exchange duge giti di néu né duge yéu cau.N6 khong
duge yéu cau trong 2 truég hyp sau’
(1) Server da giri mt certificate véi cic tham sé fixed Diffie-Hellman,
Page 22
‘Dé tai:Nghién ciru vé SSL va tmg dung ciia SSL trong bio mat Web
SV:Pham Bute Hai - BKNP
(2) Trao déi khod RSA duge ding.
‘Théng digp server_key_exchange can cho cdc trréng hgp sau:
- Anonymous Diffie-Hellman : Noi dung théng digp bao
cuc(mdt sé nguyén té va mot sé nguyén t6 cing nhau v
cia server.
m hai gid tri Diffie-Hellman toan
s6 d6) cing voi khéa Diffie- Hellman
- Ephemeral Diffie-Hellman : néi dung théng digp bao gém 3 tham sé Diffie-Hellman cung
cp cho anonymous Diffie-Hellman,ciing vi mot chir ki cua cdc tham s6 nay.
- Trao doi khéa RSA,ma theo do server sit dung RSA nhung c6 mot khéa chit ki chi cia
RSA. Theo d6,client khong thé gui di céch don gian m6t khéa bi mat duge ma héa voi
khéa céng khai/bi mat RSA phu va sir dung théng diép server_key_exchanged dé giri khéa cong.
khai.N6i dung thong diép bao gém hai tham s6 ciia khéa cong khai RSA phu(sé mat
va s6 du) cling véi mét chit ky ciia ede tham s6 may.
- Fortezza: mét vai chi tiét thém vé chit ki dugc dim bao. Nhu thuéng 1é,mét chit ki duoc
taora béi viée ly ma bam ca mét théng digp va ma héa n6 voi khéa bi mat ciia bén gi.
Trong trudng hop nay ma bam duge dinh nghia:
Hash (Client#ello.random||ServerHello.random||ServerParams)
Vi_vay ma bam bao gdm khong chi céc théng s Diffie-Hellman hay RSA,ma con co hai sO
ngiu nhién tir théng digp hello khéi tao.Diéu nay dam bao ching Iai tin cOng replay va
misrepresentation(gid dang). Trong tung hgp chir ki DSS,ma bam duge biéu dign sir dung giai
thudt SHA-1,
‘Trong trudng hgp chit ki RSA,cd mi bim MDS va SHA-1 déu duge tinh ton, va sy ndi nhau
ciia hai ma bim(36 byte) durge ma hod véi khéa bi mat ciia server.
LT _ Ké dén, mt nonanonymous server(server khéng ding anonymous Diffie-Hellman) cé
thé yéu cdu mét certificate tir client. Mét théng diép certificate_request bao gdm hai théng s6
certificate_type va certificate_authorities. Kiéu certificate chi ra giai thudt khéa cng khai,va
né ding:
s RSA,chi ding chit ki
- DSS,chi ding chit ki
x RSA cho Diffie-Hellman thich hop, trong trudng hgp nay chit ki duge ding chi dé
xdic thye,bing cach giti ding certificate duge ki voi RSA.
- DSS cho fixed Diffie-Hellman, mt lan nita,chi ding dé xc thy.
: RSA cho ephemeral Diffie-Hellman.
: DSS cho ephemeral Diffie-Hellman
- Fortezza.
Thong sé thir 2 ca thong digp certificate request 18 mt danh sch cdc tén cia nhing CA dic
biét duge chip nhn. Théng diép cudi cing trong giai doan 2, va 1a mét phan Iuén duge yéu
cdu,la théng digp Server_done,ma duge giti cho server dé chi ra diém cudi cita thong digp cudi
Page 23
‘Dé tai:Nghién ciru vé SSL va tmg dung ciia SSL trong bio mat Web
SV:Pham Bute Hai - BKNP
cia server hello vi cic message di kémSau khi giti thong digp.server s@ cho hdi dip cia
client. Thong digp nay khong c6 tham sé.
1.6.3 Giai doan 3 — Xie thye client va trao di khéa :
‘Trong khi nhén théng diép server_done, client sé xac nhdn xem server cung cp mét chimg
chi hgp 1Ié hay chura néu duge yéu cau va kiém tra xem cdc thong sé ctia server_hello duge chip
nh§n hay khéng.Néu tét ca déu thoa man, client giti mét hay nhiéu message tré lai cho server.
Néu server yeu ciu mot certificate.client bit du giai doan nay bing céch giti 1 théng dip
certificate.Néu khéng cé certificate phi hop nao hgp 1é, client giri m6t cinh bao no_certificate
thay thé,
Ké dén la thong digp client_key_exchange phai duge giti di trong giai doan nay.N6i dung cia
théng digp phy thudc vao kiéu trao déi khéa. Nhu sau:
-RSA: client sinh mt trating 48 byte pre-master secret va ma héa v6i khéa cing khai tir
chitng thy ctia server hoge khéa RSA phy tir thong digp server_key exchange. N6 ding dé
tinh toan mot master secret(sé due ndi sau).
-Ephemeral hoc Anonymous Diffie-Hellman: cic tham sé Diffie-hellman céng khai cia
client duge giti di
-Fixed Diffie-Hellman: cde tham s6 Diffie-Hellman cng Khai cia client duge giti di
trong mot thong digp certificate.vi vay n6i dung eta thong digp 1a null
-Fortezza: cic tham sé Fortezza ctia client duge giti di,
Cudi ciing,trong giai doan nay, client s@ giri | message certificate_verify dé cung cp xac thye
tuéng minh cia mét chimg chi client.Théng diép nay chi duge giri theo sau bat ki mét client
certificate ndo d4 dénh dau la cé kha nang(nghia 14 Ut ca certificate ngogi trir nhtng cai chira
tham sé fixed Diffie-Hellman). Thong digp nay dénh déu mét ma bam dita trén cde thong digp
c6 truée,duge dinh nghia nhw sau:
CertificateVerifv.signature.md3_hash — MD5(master_secret || pad 2
Déthandshake_messages || master_seeret \| pad_1)); Certificate.signature.sha_hash
SHA(master_secret || pad_2 || SHA(handshake_messages || master_secret ||
pad_l));
Voi pad_| va pad_2 la cde gid tri duge dinh nghia sm hon cho MAC, handshake_messages
xem xét dén tit cd cde thong digp giao thie bit tay duge giti di hay duge nhan bit diu tir
client_hello nhung khéng bao gm thong digp niy.vi master_secret la khéa bi mit duge tinh ton
ma qua trinh xy dyg sé duge tim hiéu sau, Néu khéa bi mat ca user 14 DSS, thi né duge ding
dé ma héa ma bam SHA-1. Néu khéa bi mat cita user 1a RSA, né duge ding dé ma héa chudi ma
Page 24
‘Dé tai:Nghién ciru vé SSL va tmg dung ciia SSL trong bio mat Web
SV:Pham Bute Hai - BKNP
bam MDS va SHA-1
Trong tradng hgp khiic, mye dich la dé xe minh quyén s& hitu etia client voi khéa bi mat
cho chimg thye client.Cho dit 18 bat cir ai dang lam dung certificate cia client thi cing sé
khéng thé giri message nay.
1.6.4 Giai doan 4 — Két thite:
Giai doan nay hoan thanh thiét lip cia mOt két ndi an toan,Client iri mot thong digp
change_cipher_spee va chép CipherSpee dém vaio CipherSpee hign tai.Cha ring théng digp
nay khdng duge xem lA mot phin ctia giao thite bat tay nhung duge giti di str dung giao thite
Change Cipher Spec. Client sau d6 ngay Ip te giti thong diép két thie theo giai thudt méi, véi
cdc khéa va cde bi mit. Théng diép két thie xac minh xem qué trinh trao déi khéa va xac
thye c6 thinh cong hay khdng.nOi dung ca thng digp hoan tit 18 mot chudi cia hai gid tri
bam:
MD5(master_secret || pad? \| MDS(handshake_messages || Sender || master_secret || padl))
SHA(master_secret || pad2 || SHA(handshake_messages || Sender || master_s
ceret || padl))
Tai d6 bén giri Li mOt ma ma xée dinh ring bén giti 1a client , va handshake_messages 1A
tt ca dit ligu tir tat ca thong digp bit tay tro 1én nhung khong bao gdm théng diép nay.
Khi dap lai hai thong digp nay,server giti thong digp change _cipher_spec ciia chinh né,
chuyén déi trang thai treo cho cipherSpec hign tai va gii thong digp két thic cia né di. diém
niy qué trinh bit tay hodn thinh va client va server c6 thé bit dau trao 6i dir ligu lop img dung.
1.7 TINH TOAN MA HOA
Gém viée tao ra 1 shared master secret bing cach trao déi khéa, va sw sinh ra céc tham sé
m@t ma tir master secret.
1.7.1 Vige tao Master Secret :
Dau tign, mt pre-master-secret duge trao déi
-Thir hai, master_secret duge tinh todin bang ca ai nhém, D6i véi trao doi pre_master_secret,
6 hai kha nang xay ra:
RSA: 48 byte pre_master_s
‘cret duge sinh ra béi client, ma héa véi khéa RSA cong
Page 25
‘Dé tai:Nghién ciru vé SSL va tmg dung ciia SSL trong bio mat Web
SV:Pham Die Hai - BKNP
khai cla server, va giri cho server.Server giai ma ciphertext sir dung khéa bi mat cla né-
dé phuc hai Iai pre_master_secret.
Diffie-Hellman: ed client vi server sinh ra khéa cOng khai Diffie-Hellman, Sau dé, nhtng
khéa nay duge trao di bén biéu dién vigc tinh toan Diffie-Hellman dé tao ra
shared_pre_master_seeret,
Ca 2 bén tinh todn master_secret ne sau:
master_secret. = MDS (pre_master_secret || SHA (‘A || pre_master_secret
||ClientHfello.random \| ServerHlello.random))
MDS (pre_master_secret \| SHA (‘BB' || pre_master_secret \| ClientHello.random ||
ServerHello.random)) || MDS (pre_master_secret || SHA (‘CCC' || pre_master_secret ||
ClientHello.random || ServerHello.random))
\Véi ClientHello.random va ServerHello.random li 2 gid tri s6 nglu nhién duge trao déi trong
théng diép hello khdi tgo ban dau.
®
«
Bes) =e =
Gan es Gust)
a a
Page 26
‘Dé tai:Nghién ciru vé SSL va tmg dung ciia SSL trong bio mat Web
SV:Pham Bute Hai - BKNP
1.7.2 Vige sinh cae tham s6 ma héa :
CipherSpee yéu cu mot khéa xéc thyc cia client, mot khéa xée thye ciia server, vi mot
khéa mat ma cla client, mot khéa mat ma cua server, mOt vector Khoi tao IV cla client, mot
vector khdi tgo IV ciia server, ma duge sinh ra tir master_secret theo thir ty d6.Nhiing tham s6
niy duge sinh ra tit master_secret bing céch bam master_secret thinh chudi lién tye cae byte
bio mat véi chiéu dai vira dii cla nhiing tat ed cic tham s6 edn thiét
Vige sinh nguyén ligu khéa tir master_secret sit dung cing dinh dang cho vige sinh ra
master_secret tir pre_master_ secret:
key_block = MDS(master_secret || SHA(‘A’ || master_secret || ServerHello.random ||
ClientHello.random)) || MDS(master_ secret || SHA('BB' || master_secret ||
ServerHello.random || ClientHello.random)) || MDS(master_secret || SHACCCC' |\
‘master_seeret || ServerHello.random || ClientHetlo.random)) ||
Cho dén khi dii sé output due phat sinh.Két qua cia cdu tric giai thuat nay 1A ham sinh sé
ngiu nhién
Ta cé thé xem master_secret nhw gid tri ngiu nhién dua hat gidng sinh sé ngiu nhién vio
trong ham sinh sé ngau
nhién.Cac sé ngiu nhign client va server cé thé dugc nhin nh 1a cdc gid tri khong dang tin
cy(salt value) kim phitetap sur giai ma cic mat ma,
Page 27
‘Dé tai:Nghién ciru vé SSL va tmg dung ciia SSL trong bio mat Web
SV:Pham Die Hai - BKNP
® ®
‘Servaelo ano Cetra
OOO
« [O1ole] [= ]Orore] [ec[OIoro]
Gust Gar) sant
C Css) Cae)
j ®
T TT
Oo * oO o*
ah pie
eD) eo
1.8 TRANSPORT LAYER SECURITY:
1.8.1 Version Number :
Dinh dang cua mOt record TLS giéng dinh dang ciia record SSL, va cac trudng trong phan
header cing cé ¥ nghia giéng nhau.Mét su khac biét 1a trong cac gid tri phién bin TLS hién
tai,ban chinh 1a 3 va ban phu la 1
1.8.2 Message Authentication Code :
Page 28
‘Dé tai:Nghién ciru vé SSL va tmg dung ciia SSL trong bio mat Web
SV:Pham Bute Hai - BKNP
Cé 2 diém Khac biét gitta SSLv3 va TLS MAC schemes: gidi thudt thye t8 va pham vi ctia
phép tinh MAC.
‘© TLS tao ra viée sir dung gidi thugt HMAC duge dinh nghia trong RFC 2104.Nhé Iai, HMAC
duge dinh nghia nhur sau:
HMACk(M) = H[(K+ opad)| | H[(K+ipad) | | MJ]
Voi
H: him bam nhiing(dinh cho TLS, h
M: théng digp dau ra di voi HMAC
ic MDS hode SHA-1)
K® : khéa bi mt dém ede sé 0 vao phia bén trai dé két qua biing v6i chiéu dai khé
voi MDS, va SHA-1, chiéu dai khéi bang 512 bits)
Ipad =001101 10(36H) lap lai 64 lan (512 bits)
Opad =01011100(5CH) lap lai 64 lan (512 bits)
‘© SSLv3 ding ciing giai thugt, ngogi trit cae byte dém duge ndi vao vio khéa bi mgt hon
la duge XOR voi khéa bi mat duge dém vao chiéu dai khdi. Mite d@ an toan cing giéng
trong ca 2 trong hop.
Gi v6i TLS, phép tinh toan MAC hoatn thanh céc trudng hep duge chi ra trong diing thie sau:
HMAC_hash(MAC_write_secret, seq_num || TLSCompressed.type ||
TLSCompressed. version || TLSCompressed length || TLSCompressed. fragment)
Phép ton MAC bao gOm tit cd cde trudng duge ham chita bdi phép tinh ton SSLv3, cong voi
truing TLSCompresses. version, mi la version ctia giao thire dang durge ding.
Page 29
‘Dé tai:Nghién ciru vé SSL va tmg dung ciia SSL trong bio mat Web
SV:Pham Bute Hai - BKNP
Maccniessont | putt |apanm | S8iComprnedinpe| SSLCanprtiengh| —SSL.Comprat figment
Hasnain | MDSerSHAt
xconsesccrt | putz |
1.8.3 Ham tinh s6 nbdu nhién :
TLS tgo cach sir dung him tgo s6 ngiu nhién ding cho PRF dé mé rng cdc secret(phin bi
mt) thinh ec khdi dir ligu cho mue dich sinh khéa hay phé chudn.Bdi twong 1a dé tyo ra edich
sit dung cde gid tri shared secret nhé c6 lien hé véi nhau, nhung dé phat sinh cic khéi dai hon
theo cach an to’n khdi sy tin cng dya trén him bim va MACx.PRE dya trén him m6 rong dit
tigu sau:
P_hash(secret, seed) = HMAC_hash(secret, A(1) || seed) ||
MAC _hash(secret, A(2) || seed) || HMAC_hash(secret, A(3) ||
seed) ||...
Vai AQ duge dinh nghia:
A(0)=seed
A(i) =HMAC hash(secret,A(i-1))
Page 30
‘Dé tai:Nghién ciru vé SSL va tmg dung ciia SSL trong bio mat Web
SV:Pham Bute Hai - BKNP
SeetiA10)
Seorst —p—o[ HMAC
S| AW =HMAC task Gea A)
}—4
trac HMAC
a2)
MAC HMAC
A) AB)=HMAC. hash weet, A)
HMAC
ay
Ham mé rong dit 1igu tao cich sit dung gidi thuit HMAC, véi hoe MDS hode SHA-1 nhur fa
trén eg i him bam.Nhur ta e6 the thay.P_hash e6 thé lip di Ip Tain n nhur su cn thidt d&
tao ra sé long dit ligu durge yéu ciu.Vi du, néu P_SHA-1 duge diing dé sinh ra 64 byte dit
ligu.n6 sé duge lip di lap Iai 4 Lan tao ra 80 byte dir ligu,ma 16 byte cudi bj loai bé.Trong truong
hop nay,P_MDS ciing sé duoc lap lai 4 1an,tao ra chinh xac 64 bytes dit ligu.Chi ¥ ring mdi lin
{3p Iai sé goi 2 ham thyc thi HMAC, mi mot edi s® quay sang goi 2 him thye thi trén co
86 gidi thugt ham bam,
Dé tao ra PRF an toan dén mite c6 thé,n6 sit dung 2 gidi thuat bim theo cach ma sé dim bao su
an ton cia né néu gidi thuat vin con bao mat.PRF duge dinh nghia :
hash(ClientHello.random || ServerHello.random || ServerParams)
PRF ldy khi dau vao mot gid tri bi mat, mét nhan xéc dinh, va mot gia tri hat giéng(seed) va tao
ra mét output c6 chiéu dai tiy y-Output dugc tao bing céch phan cat gia tri bi mat thanh hai ntra
(SI va S2 va biéu dién P_hash & méi mia,sir dung MDS 6 m6t nira va SHA-1 6 nira khac.Hai ket
qui duge thuc hign bai phép XOR dé to ra output, cho mue dich nay,P_MDS nhin chung phi
Jap lai nhiéu lin hon P_SHA-1 dé tao mét Iwong dit liu ngang bang cho input bing him XOR)
Page 31
‘Dé tai:Nghién ciru vé SSL va tmg dung ciia SSL trong bio mat Web
SV:Pham Bute Hai - BKNP
1.8.4 Ma can bao
TLS hé trg tit cd cée ma alert code duge dinh nghia trong SSLv3 véi ngoai 1é no_certificate.
M6t sé céc code thém vao duge dinh nghia trong TLS, sau day 14 mét sé canh bio mite nguy
hiém:
deeryption_failed : mot cipher text duge gidi ma theo edich sai, hode né khong phai lA phép
i tri dém cia n6.khi kiém tra 1a khong ding.
record_overflow:mét TLS record duoc nhan véi mét payload(ciphertext) cé chiéu dai
21442048 bytes, hodc ciphertext duge giai mi véi chiéu dai lon hon 2!4+1024 byte.
unknown_ca : mét chudi certificate hyp 1é hoc 1 phan chudi dugc nhin,nhung certificate
khong duge chip nhan bdi vi CA certificate khong thé duge cp phat hoa khOng thé tao ra két
néi voi 1 CA hiéu biét,tin cay.
access_defined: m6t certificate hgp Ig duge nhan, vi khi access_control durge thira nhan,
sender quyét dinh khéng thyc thi véi théa thun.
decord_error : mot thong digp khong thé duge gidi ma vi | truvng bj thiéu range de bigt
hoc chiéu dai cia message khéng ding.
export_restriction : mot théa thufn khéng duge chap nh§n v6i viée xuat ra cac hgn ché trén
chigu dai khéa bi phat hién.
protocol_version: phién ban giao thire ma client nd Ive théa thudn duge nhan thay nhung
khong hé tro.
insufficient_security: tri vé thay thé handshake_failure khi théa thudn bj that bai 1 ciich dae
biét bai vi server yéu cdu cipher nhiéu bao mat hon nhitng cai khac dug hé try bai client.
internal_error: mt 16i bén trong khéng lién hé véi cap twong duong hoa su sita loi ctia
giao thire tao ra khong thé dé tiép tuc.
Phan cdn Iai cia cdc cinh bao méi bao gdm:
deerypt_error: toan hang ma héa bit tay bj hu, bao gdm khéng thé xe minh | cl
1 trao adi khéa hay cng nhan | théng digp hoan tat.
ki,ma hoa.
user_canceled: qua trinh bat tay nay bj hodin Iai vi | sé li do khdng lién quan dén sy that bai
giao thie.
no_renegotiation: gi client trong phan dap Igi client hello sau khi thiét lap bat
Page 32
‘Dé tai:Nghién ciru vé SSL va tmg dung ciia SSL trong bio mat Web
SV:Pham Bute Hai - BKNP
tay.hodc nhiing thng digp nay s@ c6 két qua binh thuong trong vige théa thun laisnhumg canh
bao nay chi ra ring sender khong thé théa thuin. Thong digp may won Tudn 14 1 eénh
béo(warning).
1.85 Cipher suite :
Cé nhigu sur khée nhau nhé gitta cde cipher suite sin e6 dudi SSLv3 va dusi TLS:
Trao déi khéa:TLS hi tro tét 4 cde cong nghé trao déi khéa ciia SSLv3 véi ngoai 1é cia
Fortezza.
Cae giai thuat ma héa déi ximg:TLS bao gém tit ca cac giai thudt ma héa déi xing duge tim
thay trong
SSLv3,v6i ngoai Ig cha Fortezza
1.8.6 Cae dang client certificate :
TLS dinh nghia ca kiéu certificate sau day duge yén clu trong thong digp
certificate_request:rsa_sign,dss_sign,rsa_fixed_dh, va dss_fixed_dh. Tat ca nhitng kiéu nay duge
dinh nghia trong SSLv3. Thém vio 46,SSLv3 bao gdm rsa_ephemeral_dh, dss_ephemeral_dh va
fortezza_kea.
Ephemeral Diffie-Hellman bao gém dinh déu ede tham sé Difie-Hellman v6i howe RSA hose
DSS, vai TLS, rsa_sign va kiéu danh dau riéng khéng can thiét dé dinh dau cac tham s6 Diffie-
Hellman. TLS khéng bao gm hé théng Fortezza.
1.8.7 Certificate Verify va Finished Message :
Trong théng di¢p TLS_certificate_verify, ma bam MDS va SHA-I duge tinh ton chi trén
cae théng digp bat tay(handshake_message).Nhé lai ring SSLv3 tinh toan ham bam c6n bao
gdm master_secret va dém.Cac trang thém v6 nay that bai trong viée cng thém bio mat
khong durge thém vio,
Khi cfc thong digp hoan tit trong SSLv3, thong digp két thie trong TLS 18 1 mai bam da trén
shared_master_secret, thong diép bat tay & truée, va mét nhan x4c dinh client hay server, viée
tinh toan e6 d6i chit khée big.
Déi voi TLS tac:
Page 33
‘Dé tai:Nghién ciru vé SSL va tmg dung ciia SSL trong bio mat Web
SV:Pham Bute Hai - BKNP
PRF(master secret, fnished label, MDS(handshake_messages)|| SHA-I(handshake_messages))
Vi finished_label li chudi “client_finished” d4i véi client va “server finished” d4i vai server.
1.8.8 Tinh toan mi héa :
Pre_master secret déi véi TLS duge tinh toén cing 1 cach nhur trong SSLv3.Nhw trong,
‘SSLv3, master_secret trong TLS duge tinh toan nhu | ham bam cia pre_master_secret va hai
s6 ngau nhién hello.Céng thie cia phép tinh toan TLS khac véi cng thite tinh cia
SSLv3,duge dinh nghia nhu sau:
master_secret. = PRF(pre_master_secret, "master secret", CientHfello.random ||
ServerHello.random)
Giai thuat biéu din cho dén khi 48 byte eta output s6 ngdu nhién duge tgo ra.Phép tinh tosn
caia khéi vat ligu key(MAC secret keys,khéa ma héa phién, vi ma tran khéi tao IVs) durge
inh nghia nhur sau:
key_block=PRF(master_secret, keyexpansion”, SecurityParameters.server_r
andom || SecurityParameters.client_random)
Cho dén khi dit output duge sinh ra. Nhu vi SSLv3,key_block 1a I him ciia master_secret
va client va server random numbers, nhumg véi TLS giai thudt thye 18 i khéc bidt
1.8.9 Phan dem:
‘Trong SSL, phan dém thém vao trudc dé ma héa dir ligu user 1a sé Irgng nho nhat duge
chu dé ma kich thuée tng cita dit ligu duge ma héa Ki mt phép nhdn cia chiéu dai khdi tia
cipher.Trong TLS, padding cé thé 14 bat kis6 Ingng nao ma c6 két qui trong mot téng ma 1a mot
phép nhan cia chiéu dai khéi cia cipher lén dén 1 gid tri lon nhat la 255 byte.Vi du, néu 1
plaintext (hoc van ban nén dugc ding) cong voi MAC+padding length byte la dai 79 byte.Sau
do chiéu dai padding,tinh theo byte, 6 thé li 1,9,17 va hon nita,dén 249. Chiéu dai phan dém
tity bién c6 thé chéng lai cdc tin céng dya trén mét phép phan tich cdc chiéu dai cia céc théng
trao déi.
Page 34
8 taiNghiém v8 SSL va ing dung cia SSL trong bio mat Web
‘SV:Pham Dire Hai - BKNP
SSL 2.0 hogt dong nhur sau:
1. Két ndi tir client dén server durgc thyc hién bing giao thire HTTPS (HTTP+SSL)
2. Server ki khéa cong khai (public key) bing khéa bi mét (private key) ciia minh va
agiti cho client
3. Client ding khéa cong khai ciia server dé xée nhfin diing server dang lién lac
4. Client kiém tra xem ¢6 CA nao da ki vio khéa, Néu khdng client sé hoi ngudi
ding xem e6 nén tin tudng vao server khong
5. Client sinh ra m6t khéa bat déi xiing (asymmetric key) cho phién giao dich, khéa
nay duge ma héa bing khda cong khai ca may chil va giri ngugc lai, Khod nay cing
s® duge ding dé ma héa tit ca cdc théng tin sau nay.
SSL 3.0 bé sung thém cho SSL 2.0 bing céch hd trg cho chimg thye may khdch
(client certificate), giip server c6 thé nhin dién ngugc lai client. SSL 3.0 hoat d6
nhur SSL 2.0 , nhumng sau khi client di xéc thy server, dén luot server sé kid
nguge lai client.
Page 35
Dé tdiNghign cia v SSL va ting dung ca SSL trong bio mit Web
‘SV:Pham Dire Hai - BKNP
CHUONG II : UNG DUNG CUA SSL PHUONG
PHAP TAN CONG WEB HTTP
IL1 CAC UNG DUNG PHO BIEN CUA SSL :
Tuy dén nay van edn t6n tai mot sé 18 héng c6 thé bi khai thée nhung SSL. van Ia giao
thie béo mat cao nhdt ma chua mgt giao thie bio mét nio c6 thé thay thé vai trd cua
nd, No phé bién dén mire néu thay tén mot giao thie c6 hau 6 “s” thi ngudi ta biét
ngay giao thire ting dung dé duege két hop kém vGi SSL. Sau day 1a mot s6 port pho
bién cua nhiing img dung di keém SSL duge IANA c6ng nhan
‘Name Port Description
Nsiiop 261 Dich wwHlOP teen TESST
Hips 443 HTTP trén TLS/SSL
‘Smips 465 SMTP trén TLS/SSL_
Natps 563 NNTP trén TLS/SSL
Ldaps 636 LDAP trén TLS/SSL
Ftps-data 989 PTP-dit ligu tren TLS/SSL.
Fips 990, FTP-diéu khién trén.
Telnets 902 TELNET trén TLS/SSL
Imaps 994 IRC wrén TLS/SSL.
Pop3s 995 POP3 trén TLS/SSL_
Ngoai mot sé ting dung phé bién hign nay ctia SSL nhu bdo mat trong Remote
Desktop Protocol cho két néi Terminal Service, Http cho Outlook Web Access hay
Smip/Imap/Pop3 cho mail , ‘mg dung quan trong cia SSL mi khéng thé khéng nhac
Gi 1a SSL VPN. Dé 1a ly do tai sao khng chi cde nha cung cap thiét bj mang phin
cig dang dua nhau trong vige phat trién cdc san phim hé trg SSL VPN ma cd nhiing
nha cung cap thiét bj mang “mém” nhu Microsoft cing dua né vao san pham
Windows Server 2008 va Windows Vista Service Pack I ciia minh véi co ché Secure
Socket Tunneling Protocol (SSTP).
Page 36
Ea hién citu vé SSL va tmg dyng cia SSL trong bao mat Web
‘SV:Pham Dire Hai ~ BKNP
ROP packets
encapsulated inside
‘SSL VPN
SSL VPN Server
+ Firewall
Terminal Server +
management tools
11.2 VAI DIEM CO BAN CUA SSTP
* — SSTP li co ché két ndi VPN client to gateway bang HTTP over Secure Socket
Layer (HTTP over SSL) port 443. Thing thuimg, trong mot hé théng mang hign nay
dit li cae Firewall hay Proxy server déu cho phép truy cap HTTP va HTTPS. Vi vay,
dit 6 bat cir dau cic may Client déu cé thé két ndi VPN bing co ché SSTP va dam
vi ap dung phuong phip ma héa SSL.
rg NAP dé bao vé ngudn tai nguyén mang tét hon bing
cach thi hanh ede chinh sach vé system health.
Page 37
Dé tdiNghign cia v SSL va ting dung ca SSL trong bio mit Web
‘SV:Pham Dire Hai - BKNP
SSTP hd try IPV6 - dudng him SSTP va IPV6 dura trén vige két ndi SSTP thong
qua IPV6.
© Honnita, SSTP thiét lap HTTP riéng lé théng qua session SSL tir SSTP client dén
SSTP server. Ding
HTTP théng qua SSL Session sé giam thiéu duge chi phi va cn bang tai tét hon.
SSTP khong hé ing site to site,
Sau day la bang so sanh tom tit SSTP v6i 2 co ché VPN phé bién hign nay ~ PPTP va
L2TP/PSec
Thude PPTP L2TP/PSec SSTP
tinh
eae
C6 dink. Cé dinh Tam thoi
Quan li duge Quan li duge Khéng quan li
Kiéw duge
thiét bj
Kiém Khong chi tiét Khong chi tiét Chi tidt
soat truy
cap
Dang két Client to site Client to site Client to site
ni thich
hop
Yeu chu Phan mém Client Phan mém brower
Client Client
Twong Kém Kém Tét
thich
Firewall/
NAT
Dong gsi GRE L2TPover UDP STP over TCP
Microsoft Point to IPSec ESP véi SSL voi RCS
Co ehé Point Encryption 3DES hole AES hodc AES
ma hoa (MPPE) véi RC4
Tunnel PPTP L21P ssTP
Page 38
Dé tdiNghign cia v SSL va ting dung ca SSL trong bio mit Web
‘SV:Pham Dire Hai - BKNP
maintena’
nee
protocol
Co ché Radius,CHAP,PAP,MS RADIUS, Active RADIUS, Active
xde thyre ~CHAP,MS-MAP Directory,RSA, Direetory,RSA,
Scure ID,X509 Secure ID,X509
Qua Tre Khi qué trinh ma Sau khi IPSec Sau khi SSL
trinh hhéa bit diu session duge session duge
ching koi tao khdi tao
‘thye user
Yeu clu Khong Certificate ctia Certificate cia
Certificat ca VPN server ca VPN server
echo va client va root CA
Certificate trén
client
Moi ting dung trén nén ‘Moi tng dung. Trén nén
Ung IP trén nén IP ‘Web.mail,
dung, ‘TerminalService
CIS
113 Diém khée nhau gitta SSL 2 vit SSL 3
SSL 2.0 host dng nhur sau:
1. Két ndi tir client dén server duge thye hign bang giao thire HTTPS (HTTP+SSL)
2. Server ki khéa céng khai (public key) bing khéa bi mét (private key) ctia minh va
agiri cho client
3. Client diing khéa céng khai cita server dé xéc nhfin diing server dang lién Ic
4, Client kiém tra xem ¢6 CA nao da ki vio khéa, Néu khéng client sé hoi ngudi
diing xem c6 nén tin tung vo server khong
5. Client sinh ra mét khéa bat déi xing (asymmetric key) cho phién giao dich, khéa
nay duge ma héa bang khéa céng khai ciia may chit va giti ngugc lai. Kho nay cing
sé duge ding dé ma héa tit ca cde thong tin sau nay.
Page 39
Dé tai:Nghién ctu vé SSL va ing dung cla SSL trong bao mat Web
SV:Pham Dite Hai - BKNP
SSL 3.0 bé sung thém cho SSL 2.0 bang cach hd try cho chimg thye may khach
(client certificate), giip server e6 thé nhan dign ngugc Iai client. SSL 3.0 hoat déng
nhu SSL 2.0 , nhung sau khi client da xéc thyc server, dén lugt server sé kiém tra
nguge lai client.
IL4 PHUONG PHAP TAN CONG HTTP
‘Thiét bi:
© May server A
Tp:10.0.0.2 /24
Dung 1 trang web e6 ndi dung
© May Vietim
Ip: 10.0.0.3 /24
‘Truy cap vao web ciia server A
© May Attacker
Tp: 10.0.0.4 /24
Cai Wireshark dé bat goi tin
Kich bai
May victim truy cp vao web http.may attacker dung phan mém WireShark dé
nghe 1én doc trom noi dung web ma may vietim truy cép.
Qué trinh
May server
Dung web thinh cong
Page 40
Dé tai:Nghién ctu vé SSL va ing dung cla SSL trong bao mat Web
SV:Pham Dite Hai - BKNP
Cac ban da bi hacker Sniffer Web
ban da bilo thong tin ca nhan.
pa
ria ve oe 3
Om OAD Powe drm © BS e
rote rnc. SBS ue
Cac ban da bi hacker Sniffer Web
ban da bi lo thong tin ca nhan.
May Attacker diing Wireshark
Page 41
Dé tai:Nghién ctu vé SSL va ing dung cla SSL trong bao mat Web
SV:Pham Dite Hai - BKNP
Cai dat Wireshark
Be ind coe nt een
2 ed oe TT ps usage teh ere Me,
tent
=
hismdy victim try cip Web thi tase bit duge cic w6itin
Gees caxegyevora OH 2can ewes x
& it dumg cin web
Mo g6i tin HTTP/1.1 200 OK (text/html) ta sé thy durge ngi dung trang web
Page 42
Dé tai:Nghién cttu vé SSL va ting dung cia SSL trong bio mat Web
SV:Pham Dite Hai - BKNP
CHUONG I1I:GIAI PHAP PHONG CHO
TRIEN KHAI SSL
111.1 CAI DAT OPENSSL
\i dit OpenSSL trén Windows Server, ban cin cé
Dé c6 thé cd
Perl for Win32 ( e6 thé download tai http://www. activestate.com/ActivePer! )
- M6t trong s6 céc trinh bién dich C sau: Visual C++, Borland C va GNU C
(Mingw32
ry Cygwin32)
LL.1 Ty tgo ching thye cho CA cia chink minh
1.Tg0 cp koa MyCA:
Openssl> genrsa -des3 -out MyCA.key 1024
Password 1a “phamduchai”
ee
ee ce Cec
Seer tires Cratos
coestaerar:
ey
2. Tao ching thye ty ky (self-signed CA certificate)
req -new -config openssl.cnf -x509 ~days 365 -key MyCA.key -out
Openssl>
MyCA.crt
Page 43
Dé tai:Nghién cttu vé SSL va ting dung cia SSL trong bio mat Web
SV:Pham Dite Hai - BKNP
Qik OP Pewrts S rotns x9
fe lore SB
= 191 xi}
Pass phrase for MyCA. key :phamduchai
Country Name: VN
State or Province Name: VietNam
Common Name:Hai
3. Chuyén sang dang PKCS#12 dé c6 thé import vio IIS.
Openssl> pkes12 export -in MyCA.crt -inkey MyCA.key -out MyCA. pfx
Ome P| Dawe Crates ed
ees [E> C0900 5 EG
Boe
Eeenaine
Jono
Brycnce
Biren
Pass phrase for MyCa.key: phamduchai
Export password:bknp
.2 Tgo chimg thye cho may chit
1.T90 cap khéa MyServer:
Openssl> genrsa -des3 -out MyServer.key 1024
Page 44
Dé tai:Nghién eu vé SSL va ting
SV:Pham Dite Hai - BKNP
dung cita SSL trong bio mat Web
Pernt sce rime
rere ey
ena cs
2.Ta0 yéu ca
iu chimg thure (certi
OpenssI> req -config openssl.enf -out MyServer.cs
prrererrerr
eee nee ree emer
ah raereet et called a Distinguished Mane or DN
Pace wid
a Set are irr
SEER Ses CmMTE TE aR TIE
Pee uN
emcees een)
er eee ee
Pareto ery
teed
errr]
3.Ki vio yéu cdu (certificate request) véi khéa bi mat cla MyCA va tao chimg the
cho MyServer
openss! x509 ~CAcreateser
-CAserial MyCA.srl in MyServer.esr -days 370 -req ~
exttile openssl.cnf -extensions v3_req ~CA MyCAcrt -CAkey MyCA.key -out
MyServer.ert
Page 45
Dé tai:Nghién cttu vé SSL va ting dung cia SSL trong bio mat Web
SV:Pham Dite Hai - BKNP
eet ithe seeceere ries the ess eerie eee
See ee eae
Hose
eae reat iy
Pass phrase for MyCa.key: phamduchai
4.Chuyén sang dang PKCS#12 dé c6 thé import vio IS
openss! pkes12 -export -in MyServer.ert -inkey MyServer.key -out MyServe.pfx
poe
che ee ee ene oe
Pass phrase for Myserver.key: 12345678
Export password:bknp
I1L.1.3 Cai dit MyCA va MyServer trén Win2000
Chay MMC:
Menu StarvRun.../mme
Page 46
Dé tai:Nghién ctu vé SSL va ing dung cla SSL trong bao mat Web
SV:Pham Dite Hai - BKNP
‘here arrofenetn hw nt
Menu Console/Add/Remove snap-in.../Standalone/Add
Certificates/Add/Computer Account/Next/Finish/Close/OK,
IIL.2CAI CA CERTIFICATE (MyCA):
Console root
+Certificates
+Trusted Root Certification Authorities
Right-click vio Certificates/All Tasks/Import...
Chon dung din dén MyCA.pfx da tgo ra 6 trén
Page 47
Dé tai:Nghién ctu vé SSL va ing dung cla SSL trong bao mat Web
SV:Pham Dite Hai - BKNP
‘yptonaghic Mesa Stax tarda CS 47 Cates P78)
i
Parznal rmaten Exchange PICS #12 (FPP)
roc Seed Create Sor (SS)
i
F Enable strona private ley protection. You vl be prompted every ine the
pte ey suse by an applcatin you ensbe th open,
F tks key ae exportable. Ths wll alow you to back un or ansart your
Irys a later te.
Pasword: bknp
cox [wes] ce
Page 48
Dé tai:Nghién ctu vé SSL va ing dung cla SSL trong bao mat Web
SV:Pham Dite Hai - BKNP
TIT.3 Cail End-use Certificate (MyServer):
+Console root
+Certificates
Personal
Right-click Certificates/ All Tasks/Import...
Chon during din dén MyServer.pfx da tg0 6 trén
11.4 Cho IIS ding MyServer:
Menu Start/Settings/Control Panel/Administratove Tools/Internet Services Manager
Nhin chugt phai vio Default Web Site/Properties/Directory Security/Server
Certificate
‘Next/Assign an existing certificate/Next/Chon MyServer
Page 49
Dé tai:Nghién ctu vé SSL va ing dung cla SSL trong bao mat Web
SV:Pham Dite Hai - BKNP
a
one conten
The cece: you can uefa you Web sever etd eon 8
IIL5 Kiém tra:
‘MG Internet Explorer ciia may victim, truy cap vao trang web da thiét lap SSL , néu
thay biéu tugng 6 khéa & bén dui gée phai man hinh la ban da thanh céng.
Page 50
Dé tai:Nghién ctu vé SSL va ing dung cla SSL trong bao mat Web
SV:Pham Dite Hai - BKNP
O- DAG Pt rom ©
‘cman ey xhare wih is crete vine
‘orale Hove ei spotien hes
‘eam oeticoe
The say cece wes inal compere yuo
@ rseetinn Ventocenense Mote ma
Jouve obuate cau eltat
The ecny ate diva
& Trenance tess cates val ds at
aches dese
Dosounarto pecs?
Dama hon HTTP sang HTTPS
‘Trén may Attacker ding Wireshark kiém tra thi chi thay céc goi tin 43 ma
hoa!!!Khdng hé doc duge ndi dung trang web.
Page 51
Dé tai:Nghién ctu vé SSL va ing dung cla SSL trong bao mat Web
SV:Pham Dite Hai - BKNP
Ching ta d3 dam bao duge an ninh
Page 52
DA tdiNghim cin v8 SSL va ing dung cia SSL trong bio mgt Web
‘SV:Pham Dire Hai - BKNP
CHUONG IV: TAI LIEU THAM KHAO
htip:/vww.blackhat.comy (BlackHat-DC-09-Marlinspike-Defeating-SSL pdf)
‘hutp://www.thoughterime.ory/
|hitp://vwww.ox
hitp://en.wikipedia.org/
‘hutp://msopenlab.com/
hitp://vn-zoom.com/
http://peworld.com.vn/
Page 53
Vous aimerez peut-être aussi
- Art of War: The Definitive Interpretation of Sun Tzu's Classic Book of StrategyD'EverandArt of War: The Definitive Interpretation of Sun Tzu's Classic Book of StrategyÉvaluation : 4 sur 5 étoiles4/5 (3321)
- The Subtle Art of Not Giving a F*ck: A Counterintuitive Approach to Living a Good LifeD'EverandThe Subtle Art of Not Giving a F*ck: A Counterintuitive Approach to Living a Good LifeÉvaluation : 4.5 sur 5 étoiles4.5/5 (20037)
- The 7 Habits of Highly Effective People: The Infographics EditionD'EverandThe 7 Habits of Highly Effective People: The Infographics EditionÉvaluation : 4 sur 5 étoiles4/5 (2475)
- American Gods: The Tenth Anniversary EditionD'EverandAmerican Gods: The Tenth Anniversary EditionÉvaluation : 4 sur 5 étoiles4/5 (12948)
- Habit 3 Put First Things First: The Habit of Integrity and ExecutionD'EverandHabit 3 Put First Things First: The Habit of Integrity and ExecutionÉvaluation : 4 sur 5 étoiles4/5 (2507)
- Pride and Prejudice: Bestsellers and famous BooksD'EverandPride and Prejudice: Bestsellers and famous BooksÉvaluation : 4.5 sur 5 étoiles4.5/5 (20479)
- The Subtle Art of Not Giving a F*ck: A Counterintuitive Approach to Living a Good LifeD'EverandThe Subtle Art of Not Giving a F*ck: A Counterintuitive Approach to Living a Good LifeÉvaluation : 4 sur 5 étoiles4/5 (5796)
- Never Split the Difference: Negotiating As If Your Life Depended On ItD'EverandNever Split the Difference: Negotiating As If Your Life Depended On ItÉvaluation : 4.5 sur 5 étoiles4.5/5 (3282)
- The 7 Habits of Highly Effective PeopleD'EverandThe 7 Habits of Highly Effective PeopleÉvaluation : 4 sur 5 étoiles4/5 (2568)
- Habit 1 Be Proactive: The Habit of ChoiceD'EverandHabit 1 Be Proactive: The Habit of ChoiceÉvaluation : 4 sur 5 étoiles4/5 (2556)
- Habit 6 Synergize: The Habit of Creative CooperationD'EverandHabit 6 Synergize: The Habit of Creative CooperationÉvaluation : 4 sur 5 étoiles4/5 (2499)
- Orgueil et Préjugés - Edition illustrée: Pride and PrejudiceD'EverandOrgueil et Préjugés - Edition illustrée: Pride and PrejudiceÉvaluation : 4.5 sur 5 étoiles4.5/5 (20391)
- How To Win Friends And Influence PeopleD'EverandHow To Win Friends And Influence PeopleÉvaluation : 4.5 sur 5 étoiles4.5/5 (6523)
- The 7 Habits of Highly Effective PeopleD'EverandThe 7 Habits of Highly Effective PeopleÉvaluation : 4 sur 5 étoiles4/5 (353)
- Remarkably Bright Creatures: A NovelD'EverandRemarkably Bright Creatures: A NovelÉvaluation : 4.5 sur 5 étoiles4.5/5 (5533)
- The Perfect Marriage: A Completely Gripping Psychological SuspenseD'EverandThe Perfect Marriage: A Completely Gripping Psychological SuspenseÉvaluation : 4 sur 5 étoiles4/5 (1111)
- Wuthering Heights (Seasons Edition -- Winter)D'EverandWuthering Heights (Seasons Edition -- Winter)Évaluation : 4 sur 5 étoiles4/5 (9486)
![American Gods [TV Tie-In]: A Novel](https://imgv2-1-f.scribdassets.com/img/audiobook_square_badge/626321117/198x198/22ab6b48b6/1712683119?v=1){kind=icon}
