
MINISTRY OF EDUCATION AND TRAINING
UNIVERSITY OF TECHNICAL EDUCATION HO CHI MINH CITY

MASTER'S THESIS

HUYNH VAN HOAI THANH

RESEARCH AND DEPLOYMENT OF AN OPEN-SOURCE VPN NETWORK SECURITY SOLUTION AT THE HAU GIANG PROVINCIAL POLICE

MAJOR: ELECTRONICS ENGINEERING - 60 52 70

Scientific supervisor: Dr. PHAN VAN CA

October 2014

Acknowledgements

First of all, I would like to express my deepest gratitude to Dr. Phan Van Ca, who guided me attentively throughout the work on this thesis. I would also like to sincerely thank the lecturers who taught me during the course; the knowledge we received in the graduate lecture halls will be the foundation that helps us move forward with confidence in the future. My sincere thanks go to all my friends and to the Electronics Engineering class 12B, who were always at my side throughout the course.

Completed under a tight schedule, this thesis certainly still has many shortcomings. I thank the lecturers and friends who offered sincere comments on its content so that I can continue to study the subject in depth and apply it in practice.

Huynh Van Hoai Thanh, Ho Chi Minh City, October 2014

Declaration

I declare that this thesis is my own research work, that it does not duplicate any other research work, and that it has never been published in any journal.

Ho Chi Minh City, 25 October 2014

Huynh Van Hoai Thanh

RESEARCH AND DEPLOYMENT OF AN OPEN-SOURCE VPN NETWORK SECURITY SOLUTION AT THE HAU GIANG PROVINCIAL POLICE

by

HUYNH VAN HOAI THANH

Submitted to the Department of Electrical and Electronics Engineering on 25 October 2014 in partial fulfillment of the requirements for the degree of Master of Science in Electronics Engineering at the University of Technical Education Ho Chi Minh City

Abstract (translated from the Vietnamese)

The growth of the Internet and e-commerce, together with the opportunities they bring, has increased the need for secure communication between company networks, individual users, and the outside world. As communication and commerce over the Internet increase, the security risks to company networks increase as well. Security has become an important factor in determining an organization's access to the Internet. The goal of network security is to provide confidentiality, integrity and authentication. Among today's network security solutions, the virtual private network (VPN) has advantages of its own that have attracted the attention of many users. But most of the VPN solutions used in Vietnam come from abroad. Because of the specific nature of network security solutions, we must develop security solutions of our own. This thesis introduces a method for building an open-source virtual private network step by step using OpenVPN. OpenVPN is an open-source application for deploying VPN technology, and adding further layers of authentication to OpenVPN is straightforward. After testing, the method can be configured into high-quality VPN products that achieve security and confidentiality for the data network, meet the needs of most users, save investment costs and let us gradually master the technology.

Scientific supervisor: Dr. PHAN VAN CA
Title: Lecturer

STUDY AND IMPLEMENTATION OF OPEN-SOURCE VPN NETWORK SECURITY SOLUTIONS FOR THE POLICE OF HAU GIANG PROVINCE

by

VAN-HOAI-THANH HUYNH

Submitted to the Department of Electrical and Electronics Engineering on October 25, 2014 in partial fulfillment of the requirements for the degree of Master of Science in Electronics and Communication Engineering at the University of Technical Education Ho Chi Minh City

Abstract

The growth of the Internet and e-commerce, together with the opportunities they bring, has increased the need for secure communication between company networks, individual users, and the outside world. As communication and commerce through the Internet increase, security risks for company networks also increase. Security issues have now become a crucial factor in determining an organization's accessibility to the Internet. The goal of network security is to provide confidentiality, integrity and authenticity. Among the current network security solutions, VPN, with its own unique advantages, has attracted the attention of many users. But most of the VPN solutions used in Vietnam come from abroad. Due to the special nature of network security solutions, we must develop our own security solutions. A Virtual Private Network (VPN) is a network technology that creates a secure network connection over a public network such as the Internet. Large corporations, educational institutions, and government agencies use VPN technology to enable remote users to securely connect to a private network. This thesis introduces a method to build open-source Virtual Private Networks using OpenVPN. OpenVPN is an open-source software application that implements VPN techniques, and additional layers of authentication (e.g. PKI/AD/LDAP) can easily be added to it. After being tested, this method could be configured into high-quality VPN products that achieve security and confidentiality of network data transmission, meet the needs of most users, help save investment costs and gradually master the technology.

Thesis Supervisor: VAN-CA PHAN, PhD
Title: Lecturer

Contents

List of figures . . . xii
List of tables . . . xiv

1 OVERVIEW . . . 1
1.1 The urgency of the topic . . . 1
1.1.1 Security is a necessary requirement for organizations and enterprises . . . 1
1.1.2 Large investment cost of security solutions . . . 1
1.1.3 Passivity and dependence on the vendor . . . 2
1.1.4 Policies of the Party and the State . . . 3
1.1.5 Current situation of the Hau Giang Provincial Police . . . 3
1.2 Research objective . . . 4
1.3 State of research at home and abroad . . . 4
1.3.1 Domestic . . . 4
1.3.2 International . . . 6
1.4 Research subject and object . . . 14
1.5 Research scope . . . 15
1.6 Research tasks . . . 15
1.7 Research methods . . . 16
1.8 New contributions of the thesis . . . 16
1.9 Structure of the thesis . . . 17

2 THEORETICAL BACKGROUND . . . 19
2.1 Threats to data in transit . . . 19
2.1.1 Passive attacks . . . 19
2.1.2 Active attacks . . . 20
2.2 Cryptographic technology . . . 21
2.2.1 Symmetric cryptography . . . 22
2.2.2 Asymmetric cryptography . . . 23
2.2.3 Hash functions . . . 28
2.3 Identification . . . 29
2.4 Authentication . . . 29
2.5 Public key infrastructure (PKI) . . . 30
2.5.1 CA (Certificate Authority) . . . 30
2.5.2 Digital certificates . . . 30
2.6 Virtual private networks (VPN) . . . 33
2.6.1 IPSEC VPN . . . 34
2.6.2 OpenVPN (open-source SSL VPN) . . . 36
2.7 Smart Token (SafeNet iKey 1032) . . . 41

3 THE SOLUTION . . . 44
3.1 Problem statement . . . 44
3.2 Solution requirements . . . 44
3.3 Design of the solution model . . . 46
3.3.1 Issuing digital certificates (2) . . . 46
3.3.2 CA digital signature creation (1) . . . 50
3.3.3 Digital certificate verification (5) . . . 50
3.3.4 DH key exchange and secure tunnel establishment (6) . . . 51
3.4 Solution architecture . . . 53
3.5 Advantages and novelty of the solution . . . 55
3.6 Developing the solution . . . 55
3.6.1 Model of the FVS integrated security product . . . 55
3.6.2 FVS hardware design . . . 56
3.6.3 Software architecture . . . 56
3.7 Design of the VPN network system model . . . 58

4 SYSTEM TESTING . . . 60
4.1 Testing on a real system . . . 60
4.1.1 Configuring the OpenVPN server . . . 60
4.1.2 Configuring the OpenVPN client on Linux . . . 63
4.1.3 Installing and configuring the SafeNet iKey 1032 . . . 64
4.2 Verifying system authentication . . . 64
4.3 Testing on a virtual system . . . 65
4.3.1 IP address configuration . . . 66
4.3.2 Verifying confidentiality of transmitted data . . . 68
4.4 Remarks and evaluation of test results . . . 70

5 CONCLUSION . . . 72
5.1 Results achieved . . . 72
5.2 Future work . . . 73
5.3 Recommendations . . . 74
5.4 Conclusion . . . 74

References . . . 76

List of figures

1.1 Security risks increase in the e-commerce era . . . 2
1.2 Securing connections in an ATM system using VPN technology . . . 5
1.3 IPsec VPN model by Tran Quoc The . . . 6
1.4 IPsec VPN model by Nguyen Quoc Cuong . . . 7
1.5 Cisco IPsec VPN model [1, 2] . . . 10
1.6 Unencrypted data, Cisco IPsec VPN . . . 11
1.7 Encrypted data, Cisco IPsec VPN . . . 11
1.8 Cisco SSL VPN model [3] . . . 12
1.9 OpenVPN model . . . 12
1.10 TFA model on Cisco . . . 12
1.11 TFA test model on Cisco . . . 13
1.12 Open-source IPsec VPN model . . . 13
2.1 Common forms of attack . . . 20
2.2 Symmetric and asymmetric encryption algorithms . . . 22
2.3 The Diffie-Hellman algorithm . . . 24
2.4 Digital signatures . . . 26
2.5 Data exchange using the RSA algorithm . . . 27
2.6 HMAC . . . 28
2.7 X.509 digital certificates . . . 31
2.8 The ESP and AH protocols . . . 35
2.9 The SSL protocol . . . 37
2.10 The OpenVPN handshake . . . 40
3.1 Hacker attack on an insecure channel . . . 45
3.2 Solution model . . . 47
3.3 Operating mechanism of the solution . . . 48
3.4 X.509 certificate issuance process of the CA . . . 49
3.5 Creation and verification of the CA digital signature . . . 50
3.6 Diffie-Hellman key exchange . . . 52
3.7 Main modules of the solution . . . 53
3.8 Data flow from client to server . . . 54
3.9 FVS device hardware . . . 57
3.10 FVS software architecture . . . 57
3.11 Diagram of the Hau Giang Provincial Police VPN network . . . 59
4.1 Building the CA . . . 61
4.2 Generating Diffie-Hellman keys . . . 62
4.3 Generating the private key and certificate for the server . . . 63
4.4 Generating the private key and certificate for the client . . . 64
4.5 Installing the SafeNet iKey 1032 . . . 65
4.6 Workstation authentication process . . . 66
4.7 Test system diagram . . . 67
4.8 Test results . . . 67
4.9 Data captured before the OpenVPN tunnel is established . . . 69
4.10 Data captured after the OpenVPN tunnel is established . . . 69

List of tables

3.1 FVS device configuration parameters . . . 58
4.1 OpenVPN test results before the tunnel is established . . . 68
4.2 OpenVPN test results after the tunnel is established . . . 70

Chapter 1

OVERVIEW

1.1 The urgency of the topic

1.1.1 Security is a necessary requirement for organizations and enterprises

With the growth of the Internet and e-commerce, the demand for communication and commerce over the Internet keeps increasing, and the risk of breaches of information security and leaks of secrets (commercial, state, etc.) will become ever more serious without effective countermeasures. Such attacks are no longer aimed merely at collecting secret information or halting operations; they also have economic and political motives, target trade secrets and intellectual property, and can even become dangerous weapons that threaten national security. Information security has therefore become a major need and a very important factor for organizations and enterprises. Figure 1.1 illustrates how security risks increase as an organization extends its operations to the Internet and e-commerce.

1.1.2 Large investment cost of security solutions

Today most organizations and enterprises use security products imported from abroad in their security solutions, which requires a large investment. Investing in a digital security system, at great expense, with leading security vendors such as Cisco, Checkpoint, Juniper and others is out of reach for small and medium enterprises, even though they have a strong need to deploy a security solution for their organization.

Figure 1.1: Security risks increase in the e-commerce era

1.1.3 Passivity and dependence on the vendor

Dependence on a vendor can lead to being forced to upgrade software or to purchase features that the user has no need for. Besides their high price, these devices leave us no control over how they are applied: we have no knowledge of the models used in a particular implementation, only of the applications the device provides. Moreover, most of the application software comes as packaged products, so embedding user-created security mechanisms into the system is almost impossible.

1.1.4 Policies of the Party and the State

Decision No. 235/2004/QD-TTg approving the overall plan for applying and developing open-source software in Vietnam in the period 2004-2008.

Directive 07/2008/CT-BTTTT of 30 December 2008 on promoting the use of open-source software in the activities of state agencies and organizations.

Decision No. 1605/QD-TTg of 27 August 2010 on the National Programme for applying information technology in the activities of state agencies in the period 2011-2015.

Directive 15/CT-TTg of 22 May 2012 on strengthening the use of electronic documents in the activities of state agencies and ensuring information security over networks.

Directive No. 28-CT/TW of 16 September 2013 of the Secretariat of the Party Central Committee (11th term) on strengthening network information security.

1.1.5 Current situation of the Hau Giang Provincial Police

Established in January 2004, the Hau Giang Provincial Police consists of one Command Centre and more than 30 departments, 7 district, town and city police units and 74 ward, commune and township police units, distributed evenly across Hau Giang province. Because it was established only recently, its facilities, telecommunications infrastructure and information systems still face many difficulties and do not yet meet the requirements placed on them. At the same time, some officers and party members are not yet fully aware of the importance and effectiveness of applying information technology to police work, nor of the importance of information security, which should be treated as a vital issue for the country.

At present, within the Hau Giang Provincial Police, information and data are exchanged between the provincial police and the districts, towns and cities in the province, and back, by courier or fax. This takes a great deal of time and money and does not guarantee the safety and confidentiality of the information. The current system still has many limitations: the network model consists only of small-scale LAN connections, some departments, districts, towns and cities have no network connection at all, data transmission is not encrypted, no security solution has been built, no access hierarchy or permissions have been implemented, and the safety and confidentiality of information have not been addressed.

To remedy this situation, a security solution model is needed, similar to the security systems of service vendors such as Cisco, Checkpoint or Juniper but on a smaller scale, suited to the actual conditions of the provincial police. I therefore chose the topic: Research and deployment of an open-source VPN network security solution at the Hau Giang Provincial Police.

Virtual private network (VPN) technology is studied in order to secure data in transit; open-source technology (supplied in both binary and source form) is chosen so that the solution can be customized and applied on our own terms, that is, modified, improved, developed or upgraded.

1.2 Research objective

To study a solution for building a virtual private network step by step, based on the community's existing open-source OpenVPN technology, in order to secure data transmitted over the network.

1.3 State of research at home and abroad

1.3.1 Domestic

(1) Agencies, enterprises, schools and other bodies in Vietnam have been studying, applying and developing solutions that secure data in transit with VPN technology in support of their own operations: VNPT, FPT, Sacombank and Vietinbank use Cisco's VPN solution; Bao Viet Insurance uses Juniper's VPN solution; and so do a number of provinces and cities such as Ha Noi, Da Nang, Ho Chi Minh City, Can Tho, Dong Nai, Phu Yen and Long An. In particular, the ATM systems of the banks (Vietinbank, BIDV, Agribank, MHB, Sacombank and others) all use virtual private network (VPN) technology for their secure connections. The secure connection process in an ATM system is illustrated in figure 1.2.

Under the mechanism that governs bank transactions via ATM card, withdrawing money requires both factors, the ATM card and the personal identification number (PIN). This is a two-factor user authentication scheme (something you have, the ATM card, and something only you know, the PIN), yet it is clear that authenticating users by password is no longer secure today. Bill Gates (chairman of Microsoft) made the same point at a network security conference organized by RSA in February 2004. There are now frequent cases of customers losing sums of up to billions of dong from their accounts for no clear reason. This happens because the authentication system in the ATM is not strong enough: once a hacker steals the information (PIN, personal details) and then forges the ATM card, the hacker can connect to the system and withdraw money. The requirement, then, is to build a further security layer beyond two-factor user authentication (ATM card + PIN).

Figure 1.2: Securing connections in an ATM system using VPN technology

(2) Studies of solutions for securing information transmitted over the network with VPN technology were carried out by Tran Quoc The (master's thesis, 2013, Posts and Telecommunications Institute of Technology), illustrated in figure 1.3, and by Nguyen Quoc Cuong (master's thesis, 2011, Posts and Telecommunications Institute of Technology), illustrated in figure 1.4. These authors deployed IPsec VPN technology to create secure remote connections.

Figure 1.3: IPsec VPN model by Tran Quoc The

All of the above solutions rely on vendor security products: the investment cost is high, they depend entirely on the vendor's technology, and no solution of their own has been developed. Moreover, the authentication method in these solutions has only one factor, and no additional security mechanisms can be embedded into the system.

1.3.2 International

In recent years, many applied studies of VPN security solutions have been proposed. In the papers [4-6], the authors propose applying VPN technology to build an efficient and secure data network for colleges and universities. It can provide reliable remote access for teachers, students and branch campuses, and between institutions. A solution for secure, fast and efficient data exchange within government agencies, protecting data related to national security on the basis of VPN technology, is also presented in [7].

Figure 1.4: IPsec VPN model by Nguyen Quoc Cuong

In the studies [1, 2, 8], the authors use IPSEC in their VPN security solution. In [1, 2], the authors present the deployment of IPSEC for secure data exchange in an insecure network environment such as the Internet. The design of a secure data network for universities using IPSEC is proposed in [8].

The use of SSL in VPN security solutions is covered by the studies [3, 9-13]. The authors of [3, 9, 11] study and deploy a VPN security gateway based on the SSL security protocol. This security gateway can resist a number of common attacks such as monitoring, collection, modification and interruption of data in transit. An SSL VPN uses a chain of cryptographic techniques, including symmetric encryption, asymmetric encryption, digital signatures and digital certificates, as well as hash algorithms (message digest algorithms), to guarantee the confidentiality, authentication and integrity of data. Securing remote access in wireless networks is a matter of particular concern today; the design and deployment of a secure wireless access network based on the SSL protocol is proposed by the authors in [10, 12]. In [13], the authors study the advantages of SSL VPN and deploy an SSL VPN security solution in universities to keep data safe during exchange.

A policy for choosing between IPSEC- and SSL-based VPN security solutions is given in [14-16]. In [15] the authors study the differences between IPSEC VPN and SSL VPN and the criteria used to decide precisely which technology better fits the security needs of a practical application: encryption, authentication and data integrity, firewalls, public IP addresses, NAT, ports, access control and so on. An analysis and comparison of the strengths and weaknesses of IPSEC VPN and SSL VPN is also carried out in [14, 16], where the authors analyse the security properties of the two technologies (authentication, encryption, data integrity). These papers further describe in detail the working principles and security mechanisms of SSL VPN and IPSec VPN, then analyse their advantages and disadvantages (scope of application, security mechanism, operational complexity, deployment cost, scalability and other aspects), and finally offer a reference policy for selecting the VPN security solution suited to a practical application.

Open-source VPN security solutions are introduced in [17-20]. There are two main concerns in VPN technology: security, and convenience in other respects (low cost, ease of installation and use). Many VPN solutions exist today, but most satisfy only one of the two. IPSEC is hard to deploy (difficult to install and use, costly) but does satisfy the security concern. However, its complex structure makes it prone to attacks, bugs and security holes. The OpenVPN solution offers an ideal blend of both concerns.

In [20] the authors analyse the security properties of OpenVPN (confidentiality, data integrity, authentication), its advantages and some of its weaknesses. The advantages are strong security, convenient deployment and low cost; the weaknesses are incompatibility with IPSEC VPN, few people knowing how to use it, and the lack of a friendly graphical interface. The authors also compare OpenVPN with the IPSEC VPN solution in terms of security, usability, scalability and deployment.

The study and deployment of an OpenVPN security solution on the open-source Linux operating systems Ubuntu and Android, with OpenVPN set up on Ubuntu as the gateway (OpenVPN server) and OpenVPN on Android as the client, is proposed by the authors in [18, 19]. In these papers, the authors analyse the security and network performance of OpenVPN running on Android tablets, together with the OpenVPN configuration parameters.

The authors of [17, 21] propose an open-source VPN security solution using IPSEC to keep data safe in transit. In [21], open-source IPSEC VPN technology is deployed with the FreeS/WAN software on an embedded Linux system. Because security products are application-specific, the authors also suggest, as the direction for further work, developing the open-source IPSEC VPN security solution into a VPN security product for specific applications that meets the particular needs of each agency or enterprise. In [17] the authors present open-source IPSEC VPN technology deployed with the Openswan software on an embedded Linux system.

The design and deployment of a security appliance with a new-generation firewall based on Netfilter is presented in [22, 23]. This solution is based on embedded technology and the open-source Linux firewall; it strengthens LAN security, blocks specific attacks, controls the traffic of each host and at the same time saves deployment costs, making it suitable for small and medium enterprises with little capital to invest.

In the papers [1-3], the authors study solutions for securing data in transit with IPsec VPN technology ([1, 2], illustrated in figures 1.5, 1.6 and 1.7) and with SSL technology ([3], illustrated in figure 1.8), both built on Cisco security products at a high investment cost. The authentication method in these solutions has only one factor, and no additional security mechanisms can be embedded into the system.

Figure 1.5: Cisco IPsec VPN model [1, 2]

The authors of [18, 19, 24] use OpenVPN technology to secure data in transit. In these papers, the authors deploy only a host-to-host network model with single-factor authentication, without combining it with a Smart Token hardware security device to strengthen security, as illustrated in figure 1.9.

The authors of [25, 26] propose a solution for securing data in transit with IPsec technology and two-factor authentication. However, they deploy the solution on Cisco equipment, at a high investment cost and with dependence on the vendor's technology, as illustrated in figures 1.10 and 1.11.

The open-source IPsec VPN solution (FreeS/WAN) studied in [21] for securing data in transit is difficult and complex to configure and install once the number of sites (remote branch LANs) grows. Moreover, this solution authenticates with RSA pre-shared keys, which offer a lower level of security than certificate-based authentication. In addition, it provides only single-factor authentication (the RSA key) and cannot be extended with an additional authentication factor to strengthen the security of the system. The research results in [14, 15] also show that IPsec VPN is complex to deploy and operate, which makes it more prone to security holes than the SSL VPN solution, as illustrated in figure 1.12.

Figure 1.6: Unencrypted data, Cisco IPsec VPN

Figure 1.7: Encrypted data, Cisco IPsec VPN

Figure 1.8: Cisco SSL VPN model [3]

Figure 1.9: OpenVPN model

Figure 1.10: TFA model on Cisco

Figure 1.11: TFA test model on Cisco

Figure 1.12: Open-source IPsec VPN model

Most of the research results above use security solutions from foreign products such as Cisco, Checkpoint or Juniper, together with the manufacturer's ready-made test software. This not only reduces control over how the solution is applied (complete dependence on the vendor's technology; embedding user-created security mechanisms into the system is impossible) but also demands a high investment, which is out of reach for small and medium enterprises.

On the basis of the analysis and synthesis of the applied research results above, and so that small and medium organizations and enterprises can deploy a security solution suited to their own needs and applications, one that both saves cost and leaves them in control of its application, the research task of this thesis is to build a VPN step by step on the open-source OpenVPN technology. This solution is both economical and customizable, allowing user-created security mechanisms to be embedded (in particular, Smart Token security technology is embedded into the system to strengthen security). At the same time, the solution is developed into a VPN security product, one that lets us take full control of its application and of security in the face of today's complex high-tech and espionage crime.
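As an added illustration (not the thesis's own configuration, which is given in chapter 4), the following OpenVPN server and client configuration shows the two layers the thesis combines: certificate-based mutual authentication under the solution's own CA, and a second factor on the client side, with the client's private key held on the USB smart token and accessed through PKCS#11. The file names, addresses, hostname, PKCS#11 library path and object id are placeholders; the directives themselves are standard OpenVPN options.

```conf
# ---- server.conf (added example; names and addresses are placeholders) ----
port 1194
proto udp
dev tun
# PKI material issued by the solution's own CA (the certificate issuance
# and CA signature steps of chapter 3); placeholder file names
ca   ca.crt
cert server.crt
key  server.key
dh   dh2048.pem
# Address pool handed out to authenticated clients (placeholder range)
server 10.8.0.0 255.255.255.0
# Require a client certificate signed by our CA and check its extended key
# usage, so a leaked server certificate cannot be replayed as a client
remote-cert-tls client
# Pre-shared HMAC key: control packets without a valid HMAC are dropped
# before the TLS handshake starts, limiting probing and flooding of the port
tls-auth ta.key 0
tls-version-min 1.2
cipher AES-256-CBC
auth SHA256
# Drop root privileges once the tunnel is up
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
status openvpn-status.log
verb 3

# ---- client.ovpn (second factor: the private key lives on the smart token) ----
client
dev tun
proto udp
# Placeholder hostname of the gateway
remote vpn.example.test 1194
nobind
ca ca.crt
# Instead of "cert"/"key" files, the client certificate and key are loaded
# through the token's PKCS#11 module; the token PIN is requested when the
# tunnel is started, so possession of the token plus knowledge of the PIN
# is needed. Library path and object id are placeholders for the vendor
# middleware of the SafeNet token.
pkcs11-providers /usr/lib/libeTPkcs11.so
pkcs11-id 'TOKEN-SERIALIZED-ID-PLACEHOLDER'
# Verify that the peer presents a server certificate from our CA
remote-cert-tls server
tls-auth ta.key 1
tls-version-min 1.2
cipher AES-256-CBC
auth SHA256
persist-key
persist-tun
verb 3
```

With this pairing, a client that holds a valid certificate file but not the token cannot complete the handshake, and a client without the HMAC key never reaches the handshake at all; on the server, the `status` file and the `verb 3` log record each authenticated session, which is the evidence an administrator uses to verify that only issued tokens connect.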

The related research results above gave me reference material and allowed me to build on their ideas, content and methods during the research. The security solution studied in this thesis is self-developed. Because it uses open technology, user-created security mechanisms can easily be embedded into the system, and we take ownership of the security software by modifying the existing open-source code to suit the practical application.

To date, no scientific work has studied and deployed an open-source VPN network security solution at the Hau Giang Provincial Police.

1.4 Research subject and object

Subject: Research and deployment of an open-source VPN network security solution at the Hau Giang Provincial Police.

Object: The open-source VPN network at the Hau Giang Provincial Police.

1.5 Research scope

Within the scope of this thesis I focus only on a solution for building a virtual private network step by step on the open-source OpenVPN technology, in order to protect information transmitted over the network.

1.6 Research tasks

Study the security threats that arise when information and data are exchanged over the network.

Study the cryptographic and security technologies used in VPNs.

Study a solution for securing data in transit using the open-source virtual private network technology OpenVPN together with Smart Token security technology (SafeNet iKey 1032).

Assess the current situation and the need to research and propose a security solution of our own, specific to the security sector, when deploying a secure data network within the provincial police.

Propose developing the solution into an integrated security product, FVS (MultiSafe VPN Firewall), comprising the VPN solution and a firewall, and able to integrate further security components such as IDS/IPS (Intrusion Detection/Prevention System).

Propose a data network model for the provincial police on the basis of the current situation and the proposed security solution.

Model and simulate the proposed VPN network.

1.7 Research methods

Analysis and synthesis of theory, practical experience and scientific papers published in the IEEE Xplore and ACM digital libraries in the fields of telecommunications and computer science, as well as theses, research reports, journals and specialist textbooks.

The expert method, modelling and simulation.

Other supporting methods, such as the use of emulation, simulation, packet analysis and packet capture tools: VMware, NetCat, tcpdump, Wireshark, OpenVPN, Openswan, embedded Linux and Unix operating systems, and the Smart Token security hardware (SafeNet iKey 1032).

1.8 New contributions of the thesis

It helps to gradually reduce the burden of investment cost and dependence on vendor technology when organizations and enterprises deploy a security solution, and in particular for the Hau Giang Provincial Police.

It helps to gradually build up and develop the country's information and communications technology capacity to a level where we master the technology and are in a position to receive the real benefits that this high-technology field brings to the country. It creates opportunities to develop domestic products and reduces the extent to which our country must buy foreign software products at considerable cost, a significant burden for a still fragile economy.

It is a first step towards a solution in which we own the virtual private network software, integrated on dedicated hardware. If deployed for the Hau Giang police, it will improve operational efficiency and allow information to be exchanged between the Command Centre and its subordinate units (the departments and the district, town and city police units in the province) safely, confidentially, quickly and promptly, reduce workload, and create a modern and transparent electronic working environment that saves time and administrative costs (paper, printer ink and so on). It also implements the resolutions and directives of the Party, the State and the Ministry of Public Security on applying and developing information technology, using open-source software in state agencies and ensuring information security over networks, in line with current application needs, creating a modern, safe and secure electronic working environment, reducing paperwork, saving human resources, cost and time, and improving operational efficiency in the Hau Giang police.

The solution raises the awareness of the officers and soldiers of the Hau Giang police of the importance of applying and developing information technology in police work and of ensuring information security over networks, so that the provincial police can make appropriate decisions and investments for putting security strategies into practice.

Every country and every organization, when storing, processing and exchanging information, needs its own specific standards. Having to use proprietary software for one's own data processing and storage standards is clearly inadequate. This thesis contributes, step by step, to turning what is commonly available into something specific to a country, organization or enterprise, by applying the community's existing open technology.

    1.9 Cu trc ti

    Ngoi phn danh mc ti liu tham kho, ni dung ca ti gm 5 chng.

    Chng 2, trnh by c s l thuyt cho hng nghin cu nh cng ngh mt

    m, cc cng c mt m, cng ngh VPN...

    Chng 3, Trnh by gii php bo mt d liu trn ng ng truyn dng

    cng ngh OpenVPN ngun m kt hp vi cng ngh bo mt tin tin USB Smart

    Token (SafeNet iKey 1032). Phn tch, nh gi so snh vi cc kt qu nghin cu

    khc lin quan t cc bi bo trn th vin s IEEE Xplore, ACM; cc lun vn

    nghin cu lin quan...

    17

  • Chng 4, Th nghim m hnh gii php.

    Chng 5, Kt lun v hng pht trin gii php.

    18

Chapter 2

THEORETICAL BACKGROUND

2.1 Threats to data in transit

To protect information on a transmission path effectively, the first requirement is to anticipate the possible intrusions and the risks that can affect data exchanged over a communication link or a network. Identifying these threats precisely is what allows good countermeasures to be chosen to minimise the damage [27, 28].

2.1.1 Passive intrusion

The final aim of passive intrusion is to obtain the information on the link, by eavesdropping, monitoring, analysing or capturing the exchanged information. This kind of intrusion does not alter or destroy system resources.

In this case the hacker intercepts the messages A sends to B, reads their content, analyses the traffic flow, can locate the machines taking part in the communication, observes the frequency and size of messages, and can even infer the content of encrypted messages. The actor behind such an intrusion can be a person, a piece of software or a computer that works by observing the flow of information without changing the original information. This form of intrusion affects the confidentiality of the information; see Figure 2.1(a).

Figure 2.1: Common forms of intrusion

Encryption is the effective countermeasure against passive attacks.

2.1.2 Active intrusion

A hacker can break into the channel to add, modify or delete the packets exchanged between the two parties.

Masquerade

A masquerade is impersonating another entity. Here the hacker pretends to be A and sends a message to B; B is unaware of this and believes the message comes from A. This form of intrusion affects the authenticity of the information, Figure 2.1(b).

Modification of messages

The content of a message or of data is intercepted and modified before it reaches its destination. The hacker intercepts the messages A sends to B and prevents them from arriving, then alters their content and forwards them to B. B believes it has received A's original message without knowing it has been changed. This form of intrusion affects the integrity of the information, as shown in Figure 2.1(c).

Interruption

Services and communication capabilities are blocked or prevented from being used. This attack usually does not disclose information or cause data loss; it targets only the availability of the system. However, because denial of service is so common, and in particular because there is still no effective solution for preventing this kind of attack, denial of service is considered a very serious threat to the security of information systems. This form of intrusion affects the availability of the system, as shown in Figure 2.1(d).

Authentication is the effective countermeasure against active attacks.

2.2 Cryptography

To study VPNs one must know cryptography. A VPN relies mainly on cryptography to guarantee the confidentiality, integrity, authenticity and non-repudiation of information. The kinds of cryptography relevant to VPNs are symmetric ciphers, asymmetric ciphers, hash functions and digital signatures [27-29].

Figure 2.2: Symmetric and asymmetric encryption algorithms

2.2.1 Symmetric ciphers

To keep data safe from the prying eyes of others, we must encrypt it. Encryption is one of the most important elements of VPN security and plays a key role in protecting data throughout transmission. It is the mechanism that converts data into an unreadable form, called ciphertext; unauthorised access to the data can thus be prevented even though the data is transmitted over an insecure network. Decryption is the reverse process, recovering the plaintext from the ciphertext. A cipher is the algorithm for encryption and decryption.

Symmetric encryption relies on a single key. This key is a private (or secret) key, a bit string of fixed length used both to encrypt and to decrypt. Symmetric algorithms are those in which the encryption and decryption keys are identical. Sender and receiver must share the secret key before communicating securely, and the security of a symmetric algorithm lies in the secrecy of that key. Symmetric encryption is therefore often called secret-key encryption; see Figure 2.2(a). Because symmetric algorithms rely on simple operations they are quite fast, are commonly used for bulk encryption services and can easily be accelerated in hardware. In a VPN, symmetric ciphers provide confidentiality. Symmetric algorithms commonly used in VPN solutions include DES (Data Encryption Standard), 3DES (Triple DES), AES (Advanced Encryption Standard) and RC4 (Rivest Cipher or Ron's Code).

Symmetric encryption does, however, raise two main problems. First, if an intruder learns the secret key, all encrypted information is compromised, so the key must be changed periodically. Second, when there are many connections, key management becomes a complex task. In addition, the initial phase of setting up the key pair, distributing keys and changing them periodically is costly and time-consuming. Asymmetric encryption addresses both problems.

2.2.2 Asymmetric ciphers

For the sender and receiver to identify each other correctly, as two genuine entities, we need authentication. Asymmetric (public-key) cryptography is used to solve this problem. Asymmetric encryption is designed so that the keys used for encryption and decryption differ: the private key is used for decryption and the public key for encryption. Public-key encryption rests mainly on mathematical functions, so it is suited to software implementation and its encryption speed is low; see Figure 2.2(b).

Typical key lengths for asymmetric algorithms are in the range 512-2048 bits. Asymmetric key lengths cannot be compared directly with symmetric key lengths, because the two kinds of algorithm differ fundamentally in design. In VPN solutions the two best-known asymmetric algorithms are DH (Diffie-Hellman) and RSA (Rivest Shamir Adleman).

Public-key cryptography is only advantageous when there is a secure and efficient mechanism for distributing public keys to the entities in the system. Public-key certificates are an effective mechanism for this. Each certificate contains the identity of an end entity, that entity's public key and a confirmation (a digital signature) by a third party. A system that provides the mechanisms to create and manage certificates is called a public key infrastructure (PKI).

Public-key cryptography has many uses, such as encrypting data, creating digital signatures and exchanging the secret keys of symmetric ciphers. In a VPN, asymmetric cryptography provides authentication, integrity, non-repudiation and key exchange.

The DH key exchange algorithm

In a VPN, the DH (Diffie-Hellman) algorithm is used to exchange keys securely over an insecure network. DH key exchange rests on the difficulty of computing discrete logarithms and is commonly used to share a secret key between parties (secret keys that can then be used for symmetric encryption and for HMAC), Figure 2.3. The main drawback of symmetric-key algorithms is that the key must be kept secret at all times; in particular, exchanging the secret key can be difficult and the key is easily exposed. One solution to the key distribution problem is the Diffie-Hellman key exchange algorithm, which allows two parties to agree on a key without actually revealing it on the network. Diffie-Hellman, however, does not guarantee the identity of the party you are exchanging a key with; some form of authentication mechanism is needed to make sure you are not unknowingly exchanging a key with an attacker.

Figure 2.3: The Diffie-Hellman algorithm

The Diffie-Hellman key exchange is based on public-key technology and lets the two endpoints arrive at the same symmetric key, which is then used to encrypt and decrypt data. The DH algorithm works as follows:

- The sender uses the receiver's public key; this key is available to all connecting parties.
- The sender then performs a computation involving its own private key and the receiver's public key. The result of this computation is the shared secret key.
- The text is encrypted with the shared secret key created above.
- The ciphertext is then sent to the receiver.
- On receiving the ciphertext, the receiver generates the shared secret key by performing a similar computation with its own private key and the sender's public key.

The basic assumption of the algorithm is that someone who intercepts and reads the ciphertext cannot recover the original information, because they do not have the receiver's private key.

Data exchange based on DH is considered secure because it is unlikely that data can be read or altered in transit. In addition, because no secret key is exchanged during the VPN session, the chance of an intruder learning the secret key of any entity in the connection is very low. Furthermore, key management takes much less time than with symmetric encryption, even when many connections are created.

Although DH offers better security than symmetric encryption, one problem remains: ensuring that the public keys are exchanged correctly before data transmission begins. For example, if two communicating parties exchange public keys over an insecure medium such as the Internet, it is easy for an intruder to alter the requests for the public keys and send its own public key to both parties. The intruder can then easily attack the connection, because both parties will exchange data using the intruder's public key. This kind of intrusion is the man-in-the-middle attack.
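The exchange described above, together with the authentication the text says DH lacks, as an added example that is not code from the thesis: both parties compute the same secret from their own private value and the peer's public value, and a keyed tag over each public value (here an HMAC under a pre-shared key, one of several possible authentication mechanisms) lets a receiver reject a public value that was replaced in transit. The group parameters (the Mersenne prime 2^127 - 1 with generator 5), the party labels and all function names are assumptions made for the demonstration; real deployments use a standardised group such as those in RFC 3526, or elliptic-curve DH.

```python
import hashlib
import hmac
import secrets

# Toy group parameters (assumption): a Mersenne prime and a small generator.
# Not a production group; real deployments use a standardised group or ECDH.
P = (1 << 127) - 1
G = 5


def keygen():
    """Return (private, public) for one party: x in [1, p-2], y = g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def shared_secret(own_private, peer_public):
    """Both sides compute g^(ab) mod p from their private value and the peer's public value."""
    return pow(peer_public, own_private, P)


def derive_keys(secret):
    """Turn the raw DH secret into separate 256-bit encryption and HMAC keys."""
    raw = secret.to_bytes(16, "big")
    enc_key = hashlib.sha256(b"enc" + raw).digest()
    mac_key = hashlib.sha256(b"mac" + raw).digest()
    return enc_key, mac_key


def auth_tag(psk, public_value, party_label):
    """Authenticate a public value with a pre-shared key so a substituted value is detected."""
    data = party_label + public_value.to_bytes(16, "big")
    return hmac.new(psk, data, hashlib.sha256).digest()


def tag_is_valid(psk, public_value, party_label, tag):
    return hmac.compare_digest(auth_tag(psk, public_value, party_label), tag)


def run_exchange(psk, tamper=False):
    """Run one authenticated exchange; returns (keys_a, keys_b) or raises if a tag fails.

    With tamper=True, B receives a public value other than the one A tagged, which
    is what an in-transit substitution looks like to the receiver."""
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    tag_a = auth_tag(psk, a_pub, b"A")
    tag_b = auth_tag(psk, b_pub, b"B")

    received_a_pub = pow(G, secrets.randbelow(P - 2) + 1, P) if tamper else a_pub
    # Each side verifies the peer's tag before using the received value.
    if not tag_is_valid(psk, received_a_pub, b"A", tag_a):
        raise ValueError("A's public value failed authentication")
    if not tag_is_valid(psk, b_pub, b"B", tag_b):
        raise ValueError("B's public value failed authentication")

    keys_a = derive_keys(shared_secret(a_priv, b_pub))
    keys_b = derive_keys(shared_secret(b_priv, received_a_pub))
    return keys_a, keys_b


def keys_match(psk=b"constructed pre-shared key"):
    """Both ends derive identical keys without the secret ever crossing the wire."""
    keys_a, keys_b = run_exchange(psk)
    return keys_a == keys_b
```

The pre-shared key here only authenticates the public values; the text's point is that DH alone gives secrecy of the agreed key but no assurance of who the peer is, and RSA signatures or X.509 certificates (next subsection) serve the same purpose in a VPN without a prior shared secret.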

The RSA algorithm

In a VPN, RSA is used mainly for authentication, non-repudiation (RSA digital signatures) and key exchange. A digital signature, also called an electronic signature, can be thought of as the counterpart of a handwritten signature. Digital signatures are used in electronic transactions; they are information attached to data to confirm who owns that data, tied to the file containing the digital certificate. Asymmetric encryption is used to create the digital signature, Figure 2.4.

Figure 2.4: Digital signature

A digital signature provides three security properties in communication: authentication, integrity and non-repudiation of the transaction. An RSA digital signature combined with a hash function provides both authentication and data integrity, as shown in Figure 2.5. RSA effectively counters the man-in-the-middle attack that targets the weak point of DH, which is why RSA has emerged as one of the strongest asymmetric mechanisms. Unlike DH, the original message is encrypted using the sender's private key, and the receiver reads the original message using the sender's public key. RSA is used for data exchange with digital signatures as follows:

Figure 2.5: Data exchange using the RSA algorithm

Step 1: The sender's public key is requested by the receiver and then transferred.

Step 2: The sender applies a hash function to reduce the size of the original message; the result is the message digest.

Step 3: The sender encrypts the digest with its private key. This private key produces a unique digital signature.

Step 4: The message and the digital signature are combined and sent to the receiver.

Step 5: When the receiver gets the signed message, it recomputes the digest using the same hash function as the sender.

Step 6: The receiver then decrypts the digital signature using the sender's public key.

Step 7: The receiver compares the digest recomputed in step 5 with the digest recovered from the digital signature. If they match, the data was not altered in transit; if not, the data is discarded.

In this exchange RSA ensures the safety and security of the data transfer because the receiver checks the correctness of the data three times (steps 5, 6 and 7). RSA also simplifies the task of key management.
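Steps 1 to 7 above as an added example, not code from the thesis: a textbook RSA signature over a SHA-256 digest, with the receiver recomputing the digest, recovering the signed digest with the sender's public key and comparing the two, so that an altered message is discarded. The key parameters are an assumption for the demonstration: two Mersenne primes (2^61 - 1 and 2^89 - 1) give a modulus of about 150 bits, and the digest is truncated to 128 bits so that it is smaller than the modulus. That is a toy key chosen so the block runs without a cryptography library; real RSA keys are 2048 bits or more and sign a padded digest (PKCS#1) rather than the bare value.

```python
import hashlib

# Toy RSA key (assumption): two Mersenne primes, far too small for real use.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q                            # public modulus (about 150 bits)
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent


def message_digest(message: bytes) -> int:
    """Steps 2 and 5: hash the message; truncated to 128 bits so it is < N here."""
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")


def sign(message: bytes) -> int:
    """Step 3: the sender encrypts the digest with its private key."""
    return pow(message_digest(message), D, N)


def recover_digest(signature: int) -> int:
    """Step 6: the receiver decrypts the signature with the sender's public key."""
    return pow(signature, E, N)


def verify(message: bytes, signature: int) -> bool:
    """Step 7: compare the recomputed digest with the one recovered from the signature."""
    return message_digest(message) == recover_digest(signature)


def transmit(message: bytes):
    """Step 4: message and signature travel together as one bundle."""
    return message, sign(message)


def receiver_accepts(bundle) -> bool:
    """Steps 5 to 7 on the receiving side; False means the data is discarded."""
    message, signature = bundle
    return verify(message, signature)
```

Step 1, obtaining the sender's public key, is the part a PKI handles in practice: the receiver needs (E, N) from a source it trusts, which is exactly what the certificates of Section 2.5 provide.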

2.2.3 Hash functions

One of the mechanisms used to ensure data integrity is hashing. Hashing is based on one-way mathematical functions: the original data is hashed into an output string of fixed length called the message digest. The original data cannot be recovered from the hash value, and if the original data changes even slightly the hash value changes almost completely. Hash functions provide no encryption in transit and on their own are vulnerable to man-in-the-middle attacks. Common hash functions are MD5, with 128-bit output, and SHA-1, with 160-bit output.

Figure 2.6: HMAC

HMAC (Hash Message Authentication Code): HMAC adds a secret key as an extra input to the hash function (hashed together with the original data). The secret key is known only to sender and receiver, which adds authenticity to the integrity check and completely defeats man-in-the-middle attacks on it.

Hash functions and HMAC are used in VPNs to provide data integrity and authenticity; see Figure 2.6.
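The avalanche property and the difference between a bare digest and an HMAC, as an added example not taken from the thesis: the message, the shared key and the altered message are constructed for the demonstration, and SHA-256 stands in for the MD5 and SHA-1 named in the text. Anyone who can alter a message can also recompute its bare digest, so an unkeyed check at the receiver still passes; an HMAC can only be recomputed by a holder of the shared key, so the same alteration is rejected.

```python
import hashlib
import hmac

# Constructed sample data (assumption): an order message and a key only the two ends hold.
MESSAGE = b"TRANSFER 100 to account 42"
ALTERED = b"TRANSFER 900 to account 42"
SHARED_KEY = b"constructed-demo-key"


def bit_difference(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_bits(message: bytes) -> int:
    """Flip one bit of the message and count how many of the 256 digest bits change."""
    flipped = bytes([message[0] ^ 0x01]) + message[1:]
    return bit_difference(hashlib.sha256(message).digest(),
                          hashlib.sha256(flipped).digest())


def plain_digest(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()


def plain_check(message: bytes, digest: bytes) -> bool:
    """Unkeyed integrity check: passes for any message whose digest was recomputed."""
    return plain_digest(message) == digest


def hmac_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def hmac_check(key: bytes, message: bytes, tag: bytes) -> bool:
    """Keyed check; compare_digest avoids leaking the position of the first mismatch."""
    return hmac.compare_digest(hmac_tag(key, message), tag)


def altered_message_passes_plain_check() -> bool:
    """Whoever alters the message can ship a fresh digest with it."""
    return plain_check(ALTERED, plain_digest(ALTERED))


def altered_message_passes_hmac_check() -> bool:
    """Without the key, only the original tag can accompany the altered message, and it fails."""
    original_tag = hmac_tag(SHARED_KEY, MESSAGE)
    return hmac_check(SHARED_KEY, ALTERED, original_tag)
```

A one-bit change in the input flips roughly half of the 256 digest bits, which is the "changes almost completely" behaviour described above; the two final functions show why a VPN sends an HMAC, not a bare digest, alongside each packet.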

2.3 Identity verification

A party to a communication can be identified in one of several ways. A subject (a person) can be identified by something the subject knows (a password); something the subject has (a passport, identity card, smart card, digital certificate and so on); a physical characteristic of the subject (fingerprint, retina, voice and so on); or the result of a spontaneous action by the subject (a signature).

2.4 Authentication

Two entities A and B exchange data, from A to B or from B to A. For the exchange to be genuine, A must verify B's identity and B must verify A's identity, and the data exchanged must truly come from the partner who sent it. The goal is that B receives exactly the data A sent, unchanged in transit from A to B; in other words, that it is genuinely the data A sent to B.

Authentication is the procedure that guarantees the correctness of the entities taking part in a communication; its function is to verify the identity of a subject before granting that subject access to a resource. Authentication describes the methods that communicating partners use to verify each other's identity.

2.5 Public key infrastructure (PKI)

PKI usually refers to the whole system comprising the certificate authority (CA) and its associated mechanisms, together with all use of public-key algorithms for exchanging information.

2.5.1 CA (Certificate Authority)

The CA is a trusted third party whose task is to issue digital certificates to servers and users. The CA uses its private key to create a digital signature on each certificate. Servers and users can use the public key of the CA certificate (the file ca.crt) to verify the certificates the CA has signed and issued.

2.5.2 Digital certificates

In a VPN, digital certificates are used for authentication and key exchange. A certificate is an application of the digital signature to vouching for the public key of each party in a transaction: the public key is signed by a trusted third party, the CA (Certificate Authority), which guarantees its authenticity (the certificate is issued by the CA). Certificates are usually bought from a reputable organisation such as VeriSign, or an internal CA can be built for transactions within a closed system.

A digital certificate (public-key certificate) is an electronic file used to identify an individual, a company, a server, a web site and so on on the Internet. It is like a driving licence, a passport, an identity card or other personal papers. Just as with an identity card or passport, to obtain a digital certificate you must apply to a trusted competent authority that verifies your information; that authority is the CA (Certificate Authority). The CA is responsible for the accuracy of the information fields in the certificate.

When an entity is certified, the CA signs the entity's public key with the CA's private key. To prove that an entity really is the one we want to communicate with, we only have to show that it has been approved by the CA; to prove that the CA is trusted by that entity, we need the CA's public key. When we receive a certificate (carrying a digital signature made with the CA's private key), we use the CA's public key to decrypt the signature and confirm the certificate is valid. If 100 hosts are certified by the CA, we can authenticate all of them by checking the CA signature on their certificates with the CA's public key, and we only need to keep one CA public key on the system.

X.509 digital certificates

The X.509 public-key certificate was first issued by the International Telecommunication Union (ITU) in 1988 as part of the X.500 directory service. It contains user information, information about the issuing organisation, a serial number, validity period, issuer name, subject name and so on. X.509 v3 is the most widely used certificate format and is implemented by most PKI product vendors. A certificate has two parts (Figure 2.7): the first holds the basic fields that must be present in every certificate; the second holds additional fields, called extensions, used to define and meet further system requirements. The fields are as follows:

Figure 2.7: X.509 digital certificate

- Version: the version of the X.509 certificate.
- Serial Number: the serial number assigned by the CA. Each CA should assign a unique serial number to every certificate it issues.
- Signature Algorithm: identifies the algorithm the CA used to sign the certificate. In X.509 this is usually a combination of a hash algorithm (such as MD5 or SHA-1) and a public-key algorithm (such as RSA).
- Issuer Name: the name of the CA that issued the certificate.
- Validity Period: two values that define the period during which the certificate is valid, not-before and not-after. Not-before is the time at which the certificate becomes valid; not-after is the time at which it expires. These times are given according to the international time standard, to the second.
- Subject Name: identifies the owner of the certificate, who is also the owner of the public key. A CA cannot issue two certificates with the same Subject Name.
- Public key: identifies the public-key algorithm (such as RSA) and contains the public key, formatted according to its type.
- Issuer Unique ID and Subject Unique ID: introduced in X.509 version 2 to distinguish two CAs or two subjects that have the same DN. RFC 2459 recommends against using these two fields.
- Extensions: additional information that the CA operator wants to place in the certificate. Introduced in X.509 version 3.
- Signature: the digital signature applied by the CA, made with the CA's private key using the algorithm named in the Signature Algorithm field. The signature covers all other parts of the certificate, so the CA certifies all the other information in the certificate and not just the subject name and public key.

2.6 Virtual private networks (VPN)

A VPN (Virtual Private Network) is a private network built virtually over a public network (the Internet, an IP infrastructure, a Frame Relay (FR) network or ATM). It uses cryptography to guarantee the confidentiality, authenticity and integrity of data in transit, securing point-to-point connections between two or more points on an insecure network. These connections are established by creating a tunnel between the two connected nodes and then encrypting the data sent through the tunnel. This tunnelling technology lets data travel safely between endpoints on the network [30-32].

A VPN is an extension of an internal network. It lets remote users, company branches, business partners and suppliers establish a secure, trusted connection to a company's internal network and ensures that data is transferred safely. A VPN is a logical solution for secure remote access: endpoints connect to each other over the Internet as if on a LAN, without having to rent expensive dedicated leased lines.

One of the main elements of a VPN is encryption. To protect sensitive data crossing a public network, we create a virtual tunnel by encrypting packets or frames before transmission.

A VPN works by creating a virtual tunnel across the public Internet. To create this tunnel, symmetric encryption is used: both ends of the tunnel share a secret key for encryption and decryption and use it to encrypt all traffic between the two sites. Asymmetric cryptography and hash functions are used for authentication, key exchange and data integrity.

A VPN is an effective countermeasure against both active and passive attacks.

2.6.1 IPsec VPN

An IPsec VPN is a VPN technology that uses the IPsec security protocol to ensure data confidentiality, message integrity and authentication of the communicating entities.

IPsec (IP Security) is a set of open standards developed by the IETF, RFC 2401 and related RFCs (Request for Comments), that make it possible to build VPNs. It provides encryption and authentication at the network layer to protect IP packets between IPsec-capable devices. IPsec lets the sender authenticate or encrypt IP packets, or apply both operations to them. Separating the application of authentication and encryption leads to two different ways of using IPsec, called modes. In transport mode only the transport-layer segment of an IP packet is authenticated or encrypted; in tunnel mode the entire IP packet is encrypted [29, 30]. IPsec is built on cryptography to provide confidentiality, authentication and data integrity.

IPsec creates a secure tunnel by first using a handshake protocol called IKE (Internet Key Exchange). IKE authenticates the tunnel endpoints and then runs secure procedures to create a longer-lived tunnel using symmetric encryption.

Security protocols in IPsec

IPsec uses three main protocols to secure a VPN.

- IKE: negotiates the security parameters and establishes the authenticated keys. IKE is the standard key-management protocol used together with IPsec.
- ESP (Encapsulating Security Payload): IP protocol number 50. It provides confidentiality, data integrity and data-origin authentication for IP packets, and also protects against replay attacks. It inserts a header after the IP header and before the protected data, and appends an ESP trailer. Figure 2.8(a) shows how ESP encapsulates an IP packet.
- AH (Authentication Header): IP protocol number 51. It authenticates both the header and the payload. AH does not encrypt the data, so it provides no confidentiality. Figure 2.8(b) shows how AH encapsulates an IP packet.

Figure 2.8: The ESP and AH protocols

IPsec requires the firewall to allow the following traffic:

- UDP port 500 for IKE (Internet Key Exchange).
- UDP port 4500 for IKE NAT-Traversal. IKE key negotiation takes place on UDP port 500 and IPsec packets appear as ESP packets; when the VPN connection must pass through a NAT router, the ESP packets are encapsulated in UDP packets on port 4500.
- Protocol 50 for ESP (Encapsulating Security Payload) packets.
- Protocol 51 for AH (Authentication Header) packets.

Usually, once a site-to-site tunnel is established, the gateways communicate with each other using internal IP addresses instead of public ones. This can be achieved with a single tunnel.

2.6.2 OpenVPN (open-source SSL VPN)

An open-source SSL VPN is a VPN technology that uses the SSL (Secure Sockets Layer) security protocol to ensure data confidentiality, message integrity and authentication of the communicating entities; it is a VPN solution that uses SSL to secure data in transit. SSL is a cryptographic protocol designed by Netscape to protect data sent between two devices over a public network. Its goal is to establish a secure communication channel between client and server, and its security is provided by cryptography; see [30, 33-36].

SSL provides confidentiality, authentication and data integrity through cryptography. It includes a range of key exchange algorithms (RSA, DH, ...), ciphers (RC4, 3DES, ...) and hash functions (MD5, SHA, ...). As Figure 2.9 shows, SSL sits between the application layer and the transport layer of the TCP/IP reference model. It is a layered protocol consisting of the Handshake protocol (which establishes and maintains secure communication by exchanging keys and cryptographic algorithms), the change cipher spec protocol (a single-byte message used to confirm the cipher suite now in effect) and the alert protocol (warnings and errors carried in alert messages); the Record protocol provides the encryption, authentication and integrity services, encapsulating application-layer data by fragmenting it, compressing it, adding a MAC and encrypting it.

Figure 2.9: The SSL protocol

The open-source SSL VPN is implemented with OpenVPN on an embedded Linux system. OpenVPN is a new and prominent VPN solution; it connects at layer 2 or layer 3 and combines nearly all the features of other VPN solutions; see [20, 34, 36].

OpenVPN is an open-source VPN solution. It runs at the application layer and interacts with the TCP/IP protocol stack through the virtual TUN/TAP interface. OpenVPN supports two authentication modes: static-key mode with a pre-shared key, and TLS mode with X.509 public-key certificates. The OpenVPN network model is based on virtual TUN/TAP devices at layer 3 or layer 2; TUN/TAP is part of the Linux kernel. The first TUN driver for Linux was developed by Maxim Krasnyansky.

OpenVPN runs entirely in user space, outside the kernel's privileged protection domain, which gives better security. It uses TCP or UDP to establish connections and supports many network configurations: peer-to-peer (point-to-point or site-to-site) and multi-client server. Installing and configuring OpenVPN is simple compared with IPsec. OpenVPN supports RSA authentication, Diffie-Hellman key exchange, HMAC-SHA1 integrity checking and more. When running in server mode it supports many clients (up to 128) connecting to one VPN server on the same port. A CA server can be set up to create the certificates and keys for the OpenVPN server and its many clients.

Security in OpenVPN comes from using the open-source OpenSSL cryptographic library for encryption and authentication. OpenSSL provides strong security over SSL using symmetric algorithms (3DES, AES), asymmetric algorithms (RSA, DH), hash functions (MD5, SHA-1), digital signatures (RSA), X.509 certificates and so on. In OpenSSL, block ciphers are used for symmetric encryption and can be operated in several modes.

OpenVPN is cross-platform, so it can run on the Linux operating system of an embedded router and has been deployed on other systems including embedded routers.

OpenVPN was created by James Yonan in 2001 and has been improved continuously; it has consistently proved to be the best solution, with no other VPN solution offering the same combination of security, usability (low cost, easy deployment and use) and rich features. It implements VPN solutions that create secure point-to-point or site-to-site connections in routed or bridged configurations, as well as remote-access facilities.

Security in OpenVPN

Authentication

Using X.509 certificates for authentication gives OpenVPN a high level of security. Authentication checks whether an entity communicating on the network is legitimately allowed to use the network's resources. An entity can be a user, an application program or a hardware device. Authentication checks are regarded as the most important activity of any security method; a system normally must verify the authenticity of an entity before that entity connects to it.

OpenVPN uses the SSL handshake protocol for authentication and key exchange. The handshake is the most important protocol in SSL: both sides use it to authenticate each other and to negotiate the MAC and encryption algorithms. The procedure also exchanges the secret keys used for encryption and for the MAC, and it must complete before any data is exchanged. The handshake consists of 4 phases, shown in Figure 2.10:

Phase 1: establishing the logical connection. The client sends a connection request to the server (a "client hello" message). The server receives the request and replies (a "server hello" message). The client sends the server its full list of algorithms together with a random number that will be used as input to key generation.

Phase 2: server authentication and key exchange. The server sends its digital certificate to the client as identification. Based on the contents of the list, the server chooses the encryption algorithm and returns it to the client along with the certificate containing the server's public key. This certificate also carries the server's identification for authentication, and the server supplies a random number as part of the input to key generation.

Phase 3: key exchange and client authentication. The client checks the server's certificate and extracts the server's public key. It then generates a random secret string called the pre-master secret and encrypts it with the server's public key. Finally, the client sends the encrypted data to the server.

Phase 4: handshake completion. From the pre-master secret and the client's and server's random numbers, client and server compute the encryption and MAC keys. The client sends the server MAC values over all the handshake messages, and the server sends the client MAC values over all the handshake messages. The handshake ends and the tunnel is initialised for secure data exchange.

Figure 2.10: The OpenVPN handshake procedure

Confidentiality: ensures that data is not exposed to, or used by, unauthorised persons. It is the property that information is not disclosed to unauthorised entities or processes and cannot be exploited by them. For example, data sent over the network is protected from theft by encrypting it before transmission. OpenVPN uses encryption algorithms such as DES, 3DES and AES to keep data confidential.

Data integrity: data is not altered between sender and receiver; only authorised users may modify it. That is, information stored or in transit on the network is guaranteed not to be deleted, modified, forged, reordered, replayed or inserted, whether accidentally or deliberately. OpenVPN uses hash algorithms (HMAC, SHA1, ...) to ensure data integrity.
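As an added illustration, not configuration taken from the thesis or from the OpenVPN project, here are two server-side configurations for the two authentication modes named above. The first is static-key mode with the weakest choices the text lists as available (a single pre-shared key, DES, no HMAC); the second is TLS mode with X.509 certificates issued by the CA (the ca.crt file of Section 2.5.1), AES-256 for confidentiality and SHA-256 HMAC for integrity. The file names server.crt, server.key, dh.pem, ta.key and crl.pem, the tunnel address range and the port are assumptions; each section is a separate configuration file.

```conf
# ---- Weak: static-key mode (one file) ----
# A single key shared by both ends: no per-client identity, no certificate
# revocation, and a compromised key exposes every past and future session.
dev tun
proto udp
secret static.key
# DES is obsolete and "auth none" drops the HMAC that gives integrity.
cipher DES-CBC
auth none

# ---- Hardened: TLS mode with X.509 certificates (separate file) ----
port 1194
proto udp
dev tun
# CA certificate (Section 2.5.1): every client certificate is checked against it.
ca ca.crt
cert server.crt
key server.key
# Diffie-Hellman parameters for the key exchange of Section 2.2.2.
dh dh.pem
server 10.8.0.0 255.255.255.0
# Confidentiality and integrity of the data channel.
cipher AES-256-CBC
auth SHA256
# Extra HMAC over the TLS control channel; packets without it are dropped
# before the handshake even starts.
tls-auth ta.key 0
tls-version-min 1.2
# Only certificates issued for clients may connect; a server certificate
# cannot be replayed as a client identity.
remote-cert-tls client
# Reject certificates the CA has revoked.
crl-verify crl.pem
keepalive 10 120
persist-key
persist-tun
# Drop privileges after the TUN device and key files have been opened.
user nobody
group nogroup
verb 3
```

The second file maps directly onto the four handshake phases above: ca.crt is what the client uses in phase 3 to check the server certificate, and remote-cert-tls together with crl-verify is what the server applies to the client certificate before the data channel keys of phase 4 are derived.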

TUN/TAP in OpenVPN

OpenVPN's modular structure is found not only in its security model but also in its networking. James Yonan chose the TUN/TAP driver for OpenVPN's network layer. The TUN/TAP driver is an open-source project included in all Linux/Unix distributions as well as Windows and Mac OS X. Like SSL/TLS it is used in many projects, and so it has been steadily improved and gained many new features. Using TUN/TAP devices removes a great deal of complexity from OpenVPN's structure, and this simple structure gives it a security advantage over other VPN solutions. Complexity is always the main enemy of security: IPsec, for example, has a complex structure with intricate changes to the kernel and the IP stack, which can create many security holes.

TUN/TAP was developed to give the Linux kernel support for tunnelling IP traffic. It is a virtual network interface that appears as a genuine interface to all applications and users; any application that can use a network interface can use the tunnel interface. This driver is one of the main reasons OpenVPN is easy to understand, easy to configure and secure.

A TUN device can be used as a virtual point-to-point interface. This is routed mode, because routes are set up for the VPN partners. A TAP device can be used as a virtual Ethernet adapter. It allows other processes to listen on the network interface and capture Ethernet frames, which is not possible with TUN devices. This mode is called bridging mode, because the networks are connected through a bridge.

    2.7 Smart Token (SafeNet iKey 1032)

    Vi cng ngh tin tin, gii php SafeNet iKey 1032 thay th phng php xc thc

    truyn thng username v password. SafeNet iKey 1032 l gii php xc thc mnh

    41

  • 02 yu t, cho php ta xc nh mt s nhn dng ca client da trn mt iu g

    m client bit (m PIN) v mt th g m client c (Ikey). SafeNet iKey 1032

    cung cp vic lu tr thng tin mt, chng ch s v kha b mt ca ngi dng

    trong gii php xc thc mng LAN, WAN, VPN, giao dch thng mi, my tnh

    di ng. SafeNet iKey 1032 h tr cc tiu chun xc thc v m ha quc t. Gii

    php SafeNet iKey 1032 l l tng i vi cc yu cu xc thc bo mt cho vic

    truy cp t xa v ng nhp an ton (secure logon).

The solution can:

Provide strong authentication using standard, modern cryptography, and prevent attacks including keystroke monitoring, social engineering, man-in-the-middle attacks, network monitoring, stolen passwords and abuse by IT staff. (A client token only defeats a man-in-the-middle when the server is authenticated as well, which the CA-issued server certificate of this solution provides.)

High security: a hardware-based solution gives a higher level of security than software-only solutions; the secret material is protected on the chip.

Cost saving: low cost, more cost-effective than other hardware solutions.

Non-repudiation: it is hard for a client to deny taking part in a transaction, and the client is accountable for every action after successful authentication.

Low likelihood of fraud or of unauthorized access to company data.

Ease of use: no additional reader hardware is needed; the credentials, certificate and key are simply loaded onto the token.

High compatibility: usable across different environments and operating systems, with support for the major standard cryptographic APIs such as Microsoft CAPI and PKCS#11.

Easy management.

The SafeNet iKey 1032 supports the following interface standards:

PKCS#11: for PKI vendors such as Netscape, VeriSign, Baltimore, Entrust...

PKCS#12: the container format for storing the private key and digital certificate on the iKey.

MS-CAPI: Microsoft's cryptographic API library, supporting applications such as Internet Explorer, Outlook and the Windows 2000 PKI services.

PC/SC: the personal computer/smart card interface standard...

Chapter 3

SOLUTION

3.1 Problem statement

Suppose a sender (the client workstation) sends information to a receiver (the server) over a channel controlled by an adversary (hacker), as illustrated in Figure 3.1. The hacker's actions take many forms, but the most common are:

Eavesdropping on and monitoring the flow of information.

Recording the information and altering its content by deleting, inserting, adding, removing or reordering pieces of it, then retransmitting it...

The receiver, meanwhile, needs to be able to determine:

Did the information received really come from the intended sender?

Was the content read or modified while in transit?...

3.2 Solution requirements

The requirements placed on the solution are as follows:

Figure 3.1: Attack by a hacker on an insecure channel

Comply with the resolutions and directives of the Party, the State and the Ministry of Public Security on developing and applying information technology and ensuring information security over the network...

Ensure the security of data while it is exchanged. Prevent unauthorized access to the network.

Reasonable cost; easy to deploy in practice and easy to configure, administer, upgrade and troubleshoot.

Independence in application, cost savings, no dependence on a vendor.

Make maximum use of existing equipment to reduce spending on new devices.

Support network growth (bandwidth, number of users, servers, LANs and other application services...) without affecting the existing network structure.

Use modern, forward-looking technology. Choose telecommunication services appropriate to the available budget.

A domain (client/server) network model, supporting remote mobile users.

Services deployed on the network: file transfer (documents and materials for information, reporting, direction, administration, announcements, work schedules, programs, plans, operational work...).

3.3 Design of the solution model

The problem the solution must address is how to protect data on the link against attack by a hacker. Protection of the information transmitted between the server and the client workstations follows the solution model shown in Figure 3.2.

To secure data in transit, the most effective approach is cryptography (encryption, authentication, integrity...), and VPN technology addresses all of these requirements at once.

To make the solution private, specific and flexible, and to keep customization, application and control over security in our own hands, I chose an open-source solution.

Using strong authentication (digital signatures and certificates, a Smart Token) reduces security risk.

The proposed solution for protecting data in transit is therefore OpenVPN combined with Smart Token strong authentication.

Figure 3.3 shows the flow of operation of the solution.

3.3.1 Issuing digital certificates (2)

The process of issuing a digital certificate (public key certificate), Figure 3.4, is as follows:

Every entity, including the CA server, is given a public/private key pair.

(1) The client requests the CA's public key.

Figure 3.2: Solution model

Figure 3.3: Flow of operation of the solution

Figure 3.4: X.509 certificate issuance process of the CA

(2) The CA sends its public key to the client.

(3) The client creates a certificate request containing its identity information and its public key.

(4) The CA receives the request, checks the client's identity and creates a digital certificate for the client. This identity certificate is signed by the CA and binds the client's identity to the client's public key.

(5) The CA issues the certificate to the client.

(6) Having received its identity certificate, the client presents it to the server to establish trust.

(7) The server trusts the client's public key after verifying the CA's signature with the CA's public key.

Figure 3.5: Process of creating and verifying the CA's digital signature

3.3.2 Creating the CA's digital signature (1)

A private key can be used to create a digital signature, which authenticates the entity and gives non-repudiation. Figure 3.5 illustrates the process:

On receiving the certification request and A's public key, the CA applies a hash function to reduce the original message to a fixed size. The result is the message digest: it has the same length for every message and is unique to each message (in practice, collision-resistant). The thesis names HMAC-SHA and HMAC-MD5 here; an X.509 signature actually uses the plain hash function (e.g. SHA-256), HMAC being a keyed MAC that OpenVPN uses on the data channel, not in certificates. MD5 should not be used for signatures at all, since collisions are practical.

Next, the CA encrypts the digest with its private key. The result is the CA's digital signature, unique to this message.

Finally, the signature is attached to the message. The CA has now signed its message.

3.3.3 Verifying the digital certificate (5)

This is the verification of the CA's signature with the CA's public key. To check that a client is trusted, we use the CA's public key to decrypt the CA's signature

in the client's certificate and so confirm that the certificate is valid.

For example, with 100 clients, all of them can be authenticated by checking the CA's signature on the certificate issued to each one, using the single CA public key.

Authentication of the CA, data integrity and non-repudiation are provided by the digital signature. The verification process, illustrated in Figure 3.5, runs as follows:

On receiving the message (the public key certificate), the server knows the sender is the client. The server separates the CA's signature from the message.

The server uses the CA's public key (taken from its trusted store) to decrypt the CA's signature and obtain the message digest.

The server applies the same hash function to the message received from the client to produce its own digest and compares it with the digest recovered above. If the two digests are equal, the content of the message is exactly what the CA signed and has not been replaced or modified (data integrity is authenticated).

This check proves that the certificate is genuine and unaltered. That the client actually holds the private key matching the certified public key is proven separately, in the TLS handshake that follows, where the client signs the handshake data with that key.
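The issuance flow of 3.3.1 and the signing and verification steps of 3.3.2 and 3.3.3, written out as an added Python example (this is not code from the thesis). It uses textbook RSA without PKCS#1 padding, a JSON record in place of DER-encoded X.509, and SHA-256 as the hash; the 512-bit key size, the record's field names and the issuer name FVS-CA are assumptions for illustration. It shows what the server accepts (three certificates from the one CA), and what it rejects (a certificate edited after signing, and one issued by a CA it does not trust).

```python
from __future__ import annotations

import hashlib
import json
import secrets


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin test; enough to generate demonstration keys."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd integer of exactly `bits` bits, retried until probably prime."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return (public, private) as ((n, e), (n, d)).

    512 bits keeps the pure-Python demo fast; real deployments use 2048+.
    The modulus exceeds the 256-bit digest, so textbook signing loses nothing.
    """
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def digest(message: bytes) -> int:
    """3.3.2 step 1: fixed-length, collision-resistant summary of the message."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private: tuple[int, int]) -> int:
    """3.3.2 step 2: 'encrypt' the digest with the signer's private exponent."""
    n, d = private
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public: tuple[int, int]) -> bool:
    """3.3.3: recover the digest with the public exponent, compare with a fresh hash."""
    n, e = public
    return pow(signature, e, n) == digest(message)


def tbs_bytes(cert: dict) -> bytes:
    """Deterministic encoding of the to-be-signed fields (stands in for DER)."""
    fields = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(fields, sort_keys=True).encode()


def issue_certificate(subject: str, subject_pub: tuple[int, int], ca_private) -> dict:
    """3.3.1 steps (3)-(5): bind the subject's name to its public key under the CA signature."""
    cert = {"subject": subject, "issuer": "FVS-CA", "n": subject_pub[0], "e": subject_pub[1]}
    cert["signature"] = sign(tbs_bytes(cert), ca_private)
    return cert


def server_accepts(cert: dict, ca_public: tuple[int, int]) -> bool:
    """3.3.1 step (7): trust the certified key only if the CA's signature checks out."""
    return verify(tbs_bytes(cert), cert["signature"], ca_public)


def demo() -> dict[str, bool]:
    """Issue certificates to three clients and show what the server accepts."""
    ca_public, ca_private = generate_keypair()        # ca.key / ca.crt of chapter 4
    certs = {}
    for name in ("Client1", "Client2", "Client3"):     # one CA key checks every client
        client_public, _client_private = generate_keypair()
        certs[name] = issue_certificate(name, client_public, ca_private)
    results = {name: server_accepts(c, ca_public) for name, c in certs.items()}
    forged = dict(certs["Client1"], subject="Admin")  # edited after signing: digest no longer matches
    results["tampered"] = server_accepts(forged, ca_public)
    rogue_public, rogue_private = generate_keypair()  # a CA the server was never told to trust
    results["rogue_ca"] = server_accepts(issue_certificate("Mallory", rogue_public, rogue_private), ca_public)
    return results


if __name__ == "__main__":
    print(demo())
```

The server never needs a client's private key, only the CA public key (ca.crt in chapter 4); the private key the client must protect is exactly the one later kept on the iKey.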

3.3.4 DH key exchange and creation of the secure tunnel (6)

Once the workstation's certificate has been verified, its public key can be trusted: data encrypted with that public key can only be decrypted with the matching private key. Every end system has a public/private key pair; the public key is known to everyone and used for encryption, the private key is used for decryption. In the TLS handshake these certified key pairs authenticate the two peers, while the session keys for the tunnel itself are agreed by Diffie-Hellman.

DH key exchange relies on the difficulty of computing discrete logarithms and is commonly used to establish a shared secret between the parties (from this secret the keys for symmetric encryption and for HMAC are derived), Figure 3.6. The Diffie-Hellman algorithm is a public-key technique that lets the two endpoints

Figure 3.6: Diffie-Hellman key exchange

arrive at the same symmetric key, which is then used to encrypt and decrypt the data. The DH algorithm works as follows:

The sender takes the receiver's public DH value. This value is available to every connecting party.

The sender then performs a computation that combines its own private value with the receiver's public value. The result is the shared secret key.

The message is encrypted with the shared secret key created above.

The encrypted message is sent to the receiver.

On receiving the encrypted message, the receiver creates the same shared secret by performing the corresponding computation with its own private value and the sender's public value.

The basic assumption of the algorithm is that someone who intercepts and reads the encrypted message cannot recover the original information, because they do not have the receiver's private value.

Plain DH does not, by itself, tell either side who it is talking to: an active attacker on the channel could run one exchange with the client and another with the server and relay traffic between the two. That is why the exchange is tied to the certificates and signatures of sections 3.3.2 and 3.3.3. Because fresh DH values are generated for each session, a later compromise of a certificate's private key does not expose past tunnel traffic (forward secrecy).
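The exchange described above, the derivation of the cipher and HMAC keys from the shared secret, and the unauthenticated man-in-the-middle that the certificates exist to prevent, as an added Python example (not code from the thesis or from OpenVPN). The group parameters (p = 2**127 - 1, g = 2), the labels used in key derivation and the SHA-256 keystream cipher are toy choices for readability: a deployment uses the parameters from ./build-dh or an RFC 3526/7919 group, and OpenVPN derives keys with the TLS PRF and encrypts with an OpenSSL block cipher. The encrypt-then-MAC order and the "drop on bad tag" behaviour are OpenVPN's.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

P = 2**127 - 1   # Mersenne prime M127: toy group for the demo, NOT a deployment parameter
G = 2
KEY_BYTES = (P.bit_length() + 7) // 8
TAG_BYTES = 32


class Party:
    """One VPN endpoint: a secret exponent x and the public value g^x mod p."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._x = secrets.randbelow(P - 2) + 1
        self.public = pow(G, self._x, P)

    def shared_secret(self, peer_public: int) -> int:
        """The 'computation with my private value and the peer's public value'."""
        return pow(peer_public, self._x, P)


def derive_keys(shared: int) -> tuple[bytes, bytes]:
    """Expand the DH secret into a cipher key and a separate HMAC key."""
    secret = shared.to_bytes(KEY_BYTES, "big")
    enc_key = hmac.new(secret, b"demo cipher key", hashlib.sha256).digest()
    mac_key = hmac.new(secret, b"demo hmac key", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (stands in for the OpenSSL cipher)."""
    blocks = [hashlib.sha256(enc_key + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]


def protect(payload: bytes, keys: tuple[bytes, bytes]) -> bytes:
    """Encrypt, then append an HMAC tag over the ciphertext (encrypt-then-MAC)."""
    enc_key, mac_key = keys
    ciphertext = bytes(a ^ b for a, b in zip(payload, _keystream(enc_key, len(payload))))
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def unprotect(packet: bytes, keys: tuple[bytes, bytes]) -> bytes | None:
    """Check the tag before touching the ciphertext; None means 'drop the packet'."""
    enc_key, mac_key = keys
    ciphertext, tag = packet[:-TAG_BYTES], packet[-TAG_BYTES:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, len(ciphertext))))


def honest_exchange() -> bool:
    """Client and server reach the same keys; a modified packet fails the HMAC check."""
    client, server = Party("client"), Party("server")
    client_keys = derive_keys(client.shared_secret(server.public))
    server_keys = derive_keys(server.shared_secret(client.public))
    message = b"Truong dai hoc su pham ky thuat TPHCM"   # the nc payload of section 4.3.2
    packet = protect(message, client_keys)
    flipped = packet[:5] + bytes([packet[5] ^ 0x01]) + packet[6:]   # one bit changed in transit
    return (client_keys == server_keys
            and unprotect(packet, server_keys) == message
            and unprotect(flipped, server_keys) is None)


def mitm_without_authentication() -> bool:
    """Without signed certificates nobody can tell whose public value they received.

    Mallory answers the client with her own value and the server likewise, ends up
    with a key shared with each side, and relays traffic readable to herself.
    Returns True when the attack succeeds, which is why 3.3.2/3.3.3 are needed.
    """
    client, server, mallory = Party("client"), Party("server"), Party("mallory")
    client_keys = derive_keys(client.shared_secret(mallory.public))   # client thinks this is the server
    mallory_client_keys = derive_keys(mallory.shared_secret(client.public))
    server_keys = derive_keys(server.shared_secret(mallory.public))   # server thinks this is the client
    mallory_server_keys = derive_keys(mallory.shared_secret(server.public))
    report = b"bao cao mat"
    intercepted = unprotect(protect(report, client_keys), mallory_client_keys)   # Mallory reads it
    relayed = protect(intercepted, mallory_server_keys)                          # and re-encrypts it
    return intercepted == report and unprotect(relayed, server_keys) == report


if __name__ == "__main__":
    print("honest exchange works:", honest_exchange())
    print("unauthenticated DH is hijacked:", mitm_without_authentication())
```

Binding each side's DH value to a certificate signature (what TLS does in the handshake) turns the second scenario into a failed verification on the client and server, because Mallory cannot sign with either party's private key.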

Figure 3.7: Main modules of the solution

3.4 Solution architecture

OpenVPN uses the OpenSSL cryptographic library to create a secure tunnel through which all data is sent after being encrypted. The solution contains 5 main modules at both the server and the client end, shown in Figure 3.7. The server has two network cards: eth0 connects to the external network (Internet) and eth1 to the internal network. A third interface, tun0, is the virtual network interface that appears when the VPN tunnel is established. Correspondingly, the client has eth0 and tun0.

Figure 3.8 shows the complete path of data from the client to the server:

When a data stream arrives from the client, it enters the server's TCP/IP protocol stack, where the IP header is checked and the packet is handed to the higher protocol layers. The Authentication module receives the packet, authenticates and decrypts it, and unwraps it into the original packet. The character device driver then passes the original message to the

Figure 3.8: Data flow from client to server

virtual tun/tap interface, from which the message is forwarded into the TCP/IP stack again. In the TCP/IP stack the original message is sent to the internal network card eth1 and on into the intranet. Steps 1 to 8 show the whole process.

When data flows out of the intranet (internal network), it is processed in the reverse direction, from step 8 to step 1 as marked in the figure.

The OpenVPN technology in this solution uses cryptography for encryption and authentication to secure data while it is exchanged. In particular, the solution uses strong (two-factor) authentication with the SafeNet iKey 1032 hardware security device, which raises the security of data on the link. Note that the HMAC check on each packet happens before decryption, so a packet that fails authentication is dropped without ever reaching the tun/tap interface or the internal network.

3.5 Advantages and novelty of the solution

Low cost, matching what small and medium organizations can invest in a security solution.

A self-developed solution: simple, flexible, and under our own control as software, fitted to the application's needs. Users can modify, adjust, customize and embed their own security mechanisms to suit their applications. The security solutions organizations use today all depend on a vendor and are mostly packaged products, so embedding user-created security mechanisms into them is practically impossible.

The solution strengthens security with a new authentication method that uses digital signatures and certificates together with the SafeNet iKey 1032 Smart Token security hardware, removing some of the weaknesses of traditional solutions.

3.6 Developing the solution

This section proposes the hardware design model of the solution.

3.6.1 Model of the FVS integrated security product

After research and testing, the open-source VPN solution can be configured into a high-quality VPN product. The design does not stop there, however. To strengthen the safety and security of the device, further security mechanisms such as a firewall and IDS/IPS are embedded to develop the FVS product. Because the software is open source, extending the FVS device and embedding user-created security mechanisms is unrestricted. The FVS has the following basic functions:

Router function: routes packets to the destination network.

Firewall function: blocks attacks from outside and controls

the information entering and leaving the system. It is built on the Linux Netfilter/iptables framework and operates on a set of packet-filtering rules (rules for incoming and outgoing IP packets that decide whether each packet is forwarded (routed) or dropped...).

VPN function: protects data while it is exchanged over the network. The goals of the VPN are confidentiality, integrity, authenticity and non-repudiation of the information.

Some extended functions: IDS (the "surveillance cameras" that monitor and detect intrusion attacks), antivirus software...

3.6.2 FVS hardware design

The device hardware, Figure 3.9, is divided into 2 parts:

Part 1: an ARM processor running embedded Linux, providing traffic control and the packet-filtering algorithms with Netfilter/iptables, OpenVPN...

Part 2: an FPGA providing the Ethernet interfaces and the Ethernet control and switching functions.

The device has 7 Ethernet interfaces:

01 Internet (WAN) port: port 1.

06 LAN Ethernet ports: port 2 to port 7.

3.6.3 Software architecture

The software architecture is shown in Figure 3.10.

The device configuration is summarized in Table 3.1:

Figure 3.9: FVS device hardware

Figure 3.10: FVS software architecture

Table 3.1: FVS device configuration parameters

Component          Specification
CPU                ARM S3C2440
SDRAM              32 MB
Flash memory       16 MB
WAN/LAN ports      1 / 6 ports
Kernel version     Linux 2.6
OpenVPN            openvpn 2.0.7
Firewall           Netfilter/iptables
Other software     PHP/Webmin

OpenVPN 2.0.7 dates from 2006; the 2.3 series was current when this work was done and carries security fixes the 2.0 series lacks, so the build should track the current stable release rather than this version.

3.7 Design of the VPN network model

FVS devices are placed at the Command Center and at the district, town and city police units. At the Command Center the FVS separates the outer network layer and the Command Center's own network into 3 distinct zones:

DMZ (demilitarized zone, extended zone): a higher security level than the outside segment but lower than the inside segment. The DMZ normally gives external users access to public or e-commerce resources: the public web server, the mail server.

Server farm zone (extended zone): holds the system's important servers, such as the database server, application server, report server and web server (this zone is planned to get its own firewall).

LAN zone: the workstations at the center, the departmental LANs and the access arriving from the branches.

Site-to-site OpenVPN connections run between the FVS at each district, town and city police unit and the FVS at the center. Through the VPN tunnel, computers on the LANs of the district, town and city police units exchange data with the Command Center safely and confidentially.

Each zone has different characteristics and therefore a different security policy; dividing the network into zones lets the administrator define security policy quickly and conveniently. Figure 3.11 shows the design of the provincial police VPN network.

Figure 3.11: VPN network diagram of Hau Giang Provincial Police

Chapter 4

SYSTEM TESTING

4.1 Testing on the real system

The solution was tested with the open-source OpenVPN virtual private network software integrated on dedicated hardware. The test system consists of:

A server running Linux with the open-source OpenVPN software acting as the OpenVPN server. It also acts as the CA, and from that CA creates the certificates and keys for the servers and the client workstations.

Client workstations running Windows XP (Linux or Unix can also be used) with the open-source OpenVPN package installed as the OpenVPN client.

The SafeNet iKey 1032 Smart Token hardware, supporting authentication of the client workstation.

The test setup, Figure 3.2, is as follows:

4.1.1 Configuring the OpenVPN server

(1) Prepare the variables in vars

source ./vars

./clean-all

The vars file (vars.bat on Windows) holds the variables used by OpenVPN's easy-rsa scripts to create certificates, plus some parameters needed in the following steps. Note that ./clean-all deletes the existing keys directory, so it is run only once, when a new CA is being set up.

(3) Build the CA (certificate authority), Figure 4.1

./build-ca

Figure 4.1: Building the CA

This produces the CA certificate ca.crt and the CA private key ca.key.

(4) Create the Diffie-Hellman parameters, Figure 4.2

./build-dh

This produces the DH parameter file dh1024.pem. (The file name follows KEY_SIZE in vars; the dh line of the server configuration below must point at the file actually generated, and 2048 bits is the size to use today.)

(5) Create the private key and certificate for the server, Figure 4.3. The VPN connection uses digital certificates for authentication; a certificate not issued by this system is rejected and the connection refused. Certificates are issued for the VPN server and for the VPN clients.

./build-key-server Server

Note the 2 files created, Server.key and Server.crt. The file with the .key extension holds the server's private key and the file with the .crt extension holds the server's certificate.

(6) Create the private key and certificate for the client, Figure 4.4

Figure 4.2: Creating the Diffie-Hellman parameters

./build-key Client1

Note the 2 new files created: Client1.key and Client1.crt

(7) Distribute the created files to the VPN parties:

Server.crt: the server's signed certificate, placed on the server.

Server.key: the server's RSA private key, on the server.

Client1.crt: Client1's certificate, on Client1.

Client1.key: Client1's RSA private key, on Client1.

ca.crt: the CA certificate, on both the server and Client1.

ca.key: the CA key, kept only on the CA. It must be kept secret, because whoever holds it can sign a certificate the server will accept.

Finally, the 3 files Client1.crt, Client1.key and ca.crt are transferred to the VPN client. Client1.key must travel over a secure channel; in this solution it is loaded into the iKey (section 4.1.3) rather than left on disk.

(9) Edit the OpenVPN configuration file

Parameters to adjust in server.conf (comments added in this edition):

port 1194
proto tcp            # udp is OpenVPN's default and generally performs better; TCP-over-TCP tunnelling stalls under packet loss
dev tun

Figure 4.3: Creating the server's private key and certificate

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt    # file names must match step (5): Server.crt / Server.key as generated, or rename consistently (Linux paths are case-sensitive)
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem      # step (4) produced dh1024.pem; reference that file or regenerate with KEY_SIZE=2048
server 10.8.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
push "route 192.168.168.0 255.255.255.0"
route 192.168.169.0 255.255.255.0    # LANs behind clients: each also needs an iroute line in that client's ccd file
route 192.168.170.0 255.255.255.0

Hardening a reviewer would add, which the thesis configuration lacks: remote-cert-tls client on the server and remote-cert-tls server on the client (OpenVPN 2.1 and later; 2.0.x uses ns-cert-type), so that a client certificate cannot be used to impersonate the server; tls-auth ta.key to reject handshake packets without the shared HMAC key; and explicit cipher and auth lines, since the defaults of this OpenVPN generation are BF-CBC and SHA1.

4.1.2 Configuring the OpenVPN client on Linux

Parameters to adjust in client.conf:

client                               # = tls-client + pull; without pull the routes pushed by the server are ignored
proto tcp
dev tun
tls-client
remote 192.168.20.2 1194
ca /etc/openvpn/certs/ca.crt

Figure 4.4: Creating the client's private key and certificate

# dh keys/dh2048.pem                 # dh is a server-side option with no role on a client; kept here, commented out, only because the thesis listed it
cert /etc/openvpn/certs/client1.crt
key /etc/openvpn/certs/client1.key
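A lint over the two configuration fragments above, added as a Python example (not part of the thesis): it reads an OpenVPN configuration, checks the points discussed in this section (server-only options in a client file, pushed routes without pull, file names that do not match what easy-rsa produced, no peer certificate-type check, no tls-auth, no explicit cipher or auth, TCP transport) and returns the findings. The thesis fragments are embedded as constructed input, abridged to the lines the checks need; the hardened pair shows what a clean result looks like. Option semantics are OpenVPN's; the finding codes, the ta.key file (produced by openvpn --genkey --secret ta.key) and the cipher choices in the hardened pair are this example's own.

```python
from __future__ import annotations

import re
import shlex

SERVER_ONLY = {"server", "dh", "client-config-dir", "push"}
FILE_OPTIONS = {"ca", "cert", "key", "dh", "tls-auth"}


def parse_config(text: str) -> list[tuple[str, list[str]]]:
    """Split an OpenVPN config into (option, args); '#' and ';' start comments."""
    options = []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            name, *args = shlex.split(line)
            options.append((name, args))
    return options


def lint(text: str, role: str, generated_files: set[str]) -> list[str]:
    """Finding codes for one config file; role is 'server' or 'client'."""
    opts = parse_config(text)
    names = {name for name, _ in opts}
    findings = []
    if role == "client":
        findings += [f"server-only-option:{n}" for n, _ in opts if n in SERVER_ONLY]
        if not ({"client", "pull"} & names):
            findings.append("no-pull")                  # pushed routes are silently ignored
    for name, args in opts:                             # every referenced file must exist as named
        if name in FILE_OPTIONS and args:
            basename = args[0].rsplit("/", 1)[-1]
            if basename not in generated_files:         # Linux file names are case-sensitive
                findings.append(f"missing-file:{name}:{basename}")
    if not ({"remote-cert-tls", "ns-cert-type"} & names):
        findings.append("no-peer-cert-type-check")      # any CA-issued cert passes as the peer
    if not ({"tls-auth", "tls-crypt"} & names):
        findings.append("no-tls-auth")                  # handshake open to unauthenticated packets
    if "cipher" not in names:
        findings.append("default-cipher")               # BF-CBC on OpenVPN 2.0-2.3
    if "auth" not in names:
        findings.append("default-auth")                 # SHA1
    if any(n == "proto" and a[:1] == ["tcp"] for n, a in opts):
        findings.append("proto-tcp")                    # udp avoids TCP-over-TCP stalls
    return findings


# Output of build-ca / build-dh / build-key* above, plus an assumed ta.key.
GENERATED = {"ca.crt", "ca.key", "dh1024.pem", "Server.crt", "Server.key",
             "Client1.crt", "Client1.key", "ta.key"}
THESIS_SERVER = """
port 1194
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.168.0 255.255.255.0"
"""
THESIS_CLIENT = """
proto tcp
dev tun
tls-client
remote 192.168.20.2 1194
ca /etc/openvpn/certs/ca.crt
dh keys/dh2048.pem
cert /etc/openvpn/certs/client1.crt
key /etc/openvpn/certs/client1.key
"""
HARDENED_SERVER = """
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/Server.crt
key /etc/openvpn/keys/Server.key
dh /etc/openvpn/keys/dh1024.pem       # regenerate with KEY_SIZE=2048 before deployment
tls-auth /etc/openvpn/keys/ta.key 0
remote-cert-tls client
cipher AES-256-CBC
auth SHA256
server 10.8.0.0 255.255.255.0
"""
HARDENED_CLIENT = """
client
proto udp
dev tun
remote 192.168.20.2 1194
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/Client1.crt
key /etc/openvpn/certs/Client1.key
tls-auth /etc/openvpn/certs/ta.key 1
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
"""

if __name__ == "__main__":
    print("thesis server:", lint(THESIS_SERVER, "server", GENERATED))
    print("thesis client:", lint(THESIS_CLIENT, "client", GENERATED))
```

Run against the thesis fragments the lint reports the dh1024/dh2048 and Server/server mismatches, the client-side dh line, the missing pull, and the absent peer-certificate, tls-auth, cipher and auth settings; against the hardened pair it reports nothing.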

4.1.3 Installing and configuring the SafeNet iKey 1032

Installing the SafeNet iKey 1032: Figure 4.5

The thesis does not reproduce the client directives that point OpenVPN at the token. OpenVPN's own options for this are pkcs11-providers and pkcs11-id (through the token's PKCS#11 library) or, on Windows, cryptoapicert (through MS-CAPI); either replaces the cert and key lines of client.conf, so that the private key is used from the iKey instead of from a file on disk.

4.2 Testing the system's authentication

Figure 4.6 shows the authentication and VPN connection process.

To connect to the VPN server, the VPN client first asks for the iKey PIN. When the correct PIN is entered, the VPN client connects to the VPN server to authenticate the certificate. If the certificate is valid and certificate authentication succeeds, the VPN server creates a virtual private connection and assigns a virtual IP address to the VPN

Figure 4.5: Installing the SafeNet iKey 1032

client. The server and the workstation can now exchange data over the virtual private channel; data on the link is encrypted.

4.3 Testing on the virtual system

This test is the same as the one on the real system, but here an IPsec VPN is configured as well.

VMware is used to emulate the PCs, which serve as workstations, routers and FVS devices. The operating systems used are Linux (CentOS, kernel 2.6) and Unix (FreeBSD 8.0).

The test tools are: VMware (for building and testing network applications such as virtual machines, virtual switches and virtual networks, allowing several operating systems and applications to run simultaneously and reliably on one physical machine); NetCat (a Unix utility that transfers data over a network connection using TCP or UDP); tcpdump (the common network analysis tool on Unix and Linux); Wireshark (packet capture and analysis); iperf (bandwidth measurement); and the SafeNet iKey 1032.

A PC running embedded Linux emulates the FVS device with its

Figure 4.6: Workstation authentication process

router, firewall and VPN functions. One FVS device is placed at each site, and VPN must be configured at these sites to establish the VPN connections.

A PC on the Internet (the hacker) captures and analyzes the packets exchanged between the sites. The test system diagram is shown in Figure 4.7.

The test proceeds in the following steps:

4.3.1 IP address configuration

Configure IP addresses for the FVS (VPN server) at the Provincial Police Command Center (SiteA), for the FVS devices (VPN clients) at the district, town and city units (SiteB, SiteC), for the mobile user (MobiUser) and for the gateway machine on the transit network. The test parameters are shown in Figure 4.7, and the IP configuration is done in /etc/sysconfig/network-scripts on the Linux systems.

IP addressing and routing must produce the results shown in Figure 4.8(a) before the VPN tunnel is established and in Figure 4.8(b) once it is.

Figure 4.7: Test system diagram

Figure 4.8: Test results

4.3.2 Testing the confidentiality of transmitted information

Packet capture before OpenVPN and IPsec VPN are connected:

The results are shown in Table 4.1 and were obtained as follows:

Use nc (NetCat) to transfer data between a PC on the central LAN and a PC on the remote LAN.

Use tcpdump and Wireshark to capture and analyze the packets on the network.

Packet analysis:

Figure 4.9 shows the packet the hacker captured during the transfer. The data was not encrypted; the content transmitted over the network is unprotected at this point.

Table 4.1: OpenVPN test result before the tunnel is established

Data sent (side A)                      Data captured                      Data received (side B)
Truong dai hoc su pham ky thuat TPHCM   Figure 4.9: data not protected     Truong dai hoc su pham ky thuat TPHCM

Packet capture after the OpenVPN connection is established:

The results are shown in Table 4.2 and were obtained as follows:

Use nc (NetCat) to transfer data between a PC on the central LAN and a PC on the remote LAN.

Use tcpdump and Wireshark to capture the packets on the network.

Packet analysis:

After authentication, key exchange and tunnel establishment, the data is encrypted, encapsulated and sent through the secure tunnel. Figure 4.10 shows the OpenVPN packet the hacker captured during the transfer. The data was encrypted; the content transmitted over the network is protected at this point. The capture shows only that the payload is opaque; a packet encrypted with a weak cipher would look exactly the same, so the strength of the protection is established by the cipher and auth settings in the configuration and the key exchange of section 3.3.4, not by the capture itself.
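A check that automates the comparison of Tables 4.1 and 4.2, added as a Python example rather than taken from the thesis: it parses a tcpdump -X style hex dump, strips the IPv4 and TCP headers, and decides from the printable-byte ratio (with the Shannon entropy reported alongside) whether the payload is readable text or opaque ciphertext, and also searches for the known test string. The two captures are constructed inside the block (a fixed header 192.168.1.100:54321 to 192.168.2.100:8080 with placeholder checksums, the nc payload of Table 4.1, and 64 hash-derived bytes standing in for the encrypted OpenVPN payload of Figure 4.10); 20-byte IPv4 and TCP headers without options and the 0.9 printable threshold are assumptions.

```python
from __future__ import annotations

import hashlib
import math
import re
import string
from collections import Counter

PRINTABLE = set(string.printable.encode())   # letters, digits, punctuation, whitespace
IP_HEADER = 20                               # assumption: IPv4 and TCP headers carry no options
TCP_HEADER = 20
HEX_LINE = re.compile(r"^\s*0x[0-9a-fA-F]{4}:\s+(.*)$")
HEX_FIELD = 39                               # 8 groups of 4 hex digits separated by 7 spaces


def tcpdump_x(packet: bytes) -> str:
    """Render bytes as `tcpdump -X` prints them; used only to build the constructed samples."""
    lines = []
    for off in range(0, len(packet), 16):
        chunk = packet[off:off + 16]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        ascii_col = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"\t0x{off:04x}:  {groups:<{HEX_FIELD}}  {ascii_col}")
    return "\n".join(lines)


def parse_tcpdump_x(dump: str) -> bytes:
    """Recover raw bytes from a `tcpdump -X` dump, reading only the hex field."""
    raw = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            raw += bytes.fromhex("".join(m.group(1)[:HEX_FIELD].split()))
    return bytes(raw)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4 to 5 for text, near min(8, log2(len)) for ciphertext."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def printable_ratio(data: bytes) -> float:
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def analyze_capture(dump: str, marker: bytes) -> dict:
    """Judge one captured packet: readable text (a leak) or opaque bytes?

    A text payload is almost entirely printable (ratio >= 0.9); random bytes
    land near 100/256 = 0.39. The marker search mirrors the comparison column
    of Tables 4.1 and 4.2.
    """
    payload = parse_tcpdump_x(dump)[IP_HEADER + TCP_HEADER:]
    ratio = printable_ratio(payload)
    return {
        "payload_len": len(payload),
        "printable_ratio": round(ratio, 2),
        "entropy_bits_per_byte": round(shannon_entropy(payload), 2),
        "marker_found": marker in payload,
        "verdict": "plaintext" if ratio >= 0.9 else "opaque",
    }


# Constructed samples (not real captures from the thesis): a fixed IPv4+TCP header
# 192.168.1.100:54321 -> 192.168.2.100:8080 with placeholder checksums, followed by
# the nc payload of Table 4.1, and by 64 hash-derived bytes standing in for the
# encrypted OpenVPN payload of Figure 4.10.
HEADERS = bytes.fromhex("4500004e1c4640004006b1e6c0a80164c0a80264"
                        "d4311f900000000100000001501820000000" "0000")
MESSAGE = b"Truong dai hoc su pham ky thuat TPHCM\n"
OPAQUE = hashlib.sha256(b"sample-1").digest() + hashlib.sha256(b"sample-2").digest()
BEFORE_TUNNEL = tcpdump_x(HEADERS + MESSAGE)
INSIDE_TUNNEL = tcpdump_x(HEADERS + OPAQUE)

if __name__ == "__main__":
    for name, dump in (("before tunnel", BEFORE_TUNNEL), ("inside tunnel", INSIDE_TUNNEL)):
        print(name, analyze_capture(dump, b"Truong dai hoc"))
```

On a real capture the outer IP/TCP header belongs to the OpenVPN connection (port 1194) rather than to nc, so only the payload verdict carries over; the header offsets stay the same for TCP transport without options.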

Figure 4.9: Data captured before the OpenVPN tunnel is established

Figure 4.10: Data captured after the OpenVPN tunnel is established

Table 4.2: OpenVPN test result after the tunnel is established

Data sent (side A)                      Data captured                      Data received (side B)
Truong dai hoc su pham ky thuat TPHCM   Figure 4.10: data encrypted        Truong dai hoc su pham ky thuat TPHCM

4.4 Observations and evaluation of the test results

The private key and digital certificate are created by the CA and stored in the SafeNet iKey 1032. The SafeNet iKey 1032 is plugged into the client and unlocked with its PIN. The PIN (what the user knows) is the first authentication factor and the iKey 1032 (what the user has) is the second; the thesis counts the check of the certificate stored in the SafeNet iKey 1032 as a third factor. Strictly, that certificate check is how the server verifies possession of the token, so the scheme is two-factor authentication; it is still far stronger than a password, because the credential is a private key held by the token rather than a secret that can be typed or guessed. Authentication succeeds only when all three checks pass:

The SafeNet iKey 1032 PIN (what the user knows)

The SafeNet iKey 1032 itself (what the user has)

Verification of the digital certificate stored in the iKey.

The connection sequence is the one described in section 4.2: the VPN client asks for the SafeNet iKey 1032 PIN; after the correct PIN is entered it connects to the VPN server, which verifies the certificate, creates the virtual private connection and assigns the client a virtual IP address, after which the workstation and the server exchange data over the encrypted channel.

The certificate is stored in the SafeNet iKey 1032 in PKCS#12 format, so each user must have a certificate issued on the VPN server; to obtain a certificate, contact the VPN server administrator.

During iKey PIN verification, if the user enters a wrong PIN more than 3 times, the system exits and reports an error; this lockout is what keeps a lost token from being unlocked by guessing.

If, while creating the VPN connection, the user presents an iKey that is not registered, or the iKey is not plugged into the USB port, the system reports an error.

The tests of the safety of the authentication and encryption mechanisms show that the solution is as secure as other security solutions, with some additional advantages:

Low investment cost, suitable for small and medium organizations and enterprises.

Ownership and control of the security software.

Customizable for each security requirement; further authentication and security mechanisms can easily be added as users need.

Chapter 5

CONCLUSION

5.1 Results achieved

The research tasks set out were completed. A virtual private network based on the community's open-source OpenVPN technology was researched, built and tested successfully (the source code was modified and adapted to the real application).

A first virtual private network based on open technology was built. A security software product using the open-source OpenVPN virtual private network technology was created by exploiting the available OpenVPN source, moving toward ownership of the security software, saving on investment in the solution and step by step gaining independence in technology from vendors.

Furthermore, the solution can be customized, and security mechanisms can easily be embedded into the system to close the security gaps of traditional technology solutions. It also gives independence in application (modification, improvement, development or upgrade) and lays the foundation for developing our own security devices on this solution. In conditions where funding is still limited