Đặng Thị Thu Hà et al., Tạp chí KHOA HỌC & CÔNG NGHỆ (Journal of Science & Technology) 151(06): 79-83

[title partly illegible] ... RSA SECURID FOR THE STUDENT GRADE MANAGEMENT WEBSITE

Đặng Thị Thu Hà, Lê Khánh Dương, Đào Sỹ Nhiên, Phạm Thị Thanh, Đồng Thị Thu
Hoa Lu University; University of Information and Communication Technology, Thai Nguyen University

ABSTRACT
[Largely illegible in the scan.] The recoverable fragments state that the system uses the HTTPS protocol to encrypt the transmission channel, protects against unauthorised intrusion, and applies the RSA SecurID authentication solution.
Keywords: safety, security, client machine, [remainder illegible]

DESIGN OF INFORMATION SECURITY ASSURANCE FOR THE SYSTEM

Securing the web server

When computers use browsers to access web pages, important information about user behaviour can be retained by the browser. This creates a risk that personal information is lost through reading of cookies. To address this, a digital certificate solution can be used to authenticate users so that they are not deceived by counterfeit websites.

The solutions currently used to secure a web server include:
- Access control and authentication: authorisation and authentication of users logging in to the web server
- Control of operating system policy
- Use of a firewall solution
- A mechanism against denial-of-service attacks (DoS, DDoS)
- A load-distribution mechanism across servers to raise serving capacity and quality of service

Securing the transmission channel
- Encrypting important information, such as login names and passwords, before it is sent over the channel
- Using the SSL security protocol in communication: SSL applies authentication to prevent eavesdropping on, and forgery of, messages in transit. SSL provides a secure connection between client and server by allowing mutual certification and verification, using digital signatures to ensure integrity and encryption to protect privacy.

Securing the database server
- Access control and authentication: authorisation and authentication of users logging in to the server
- Control of operating system policy
- Use of a firewall solution
- Encrypting important data before storing it in the database
- Secure database setup and configuration
- Backup and recovery mechanisms
- Installation of protective applications
- Creating virtual tables that replace the real tables, which have been encrypted; column-level access permissions are managed in the virtual tables

* Tel: 0982 500747; Email: [illegible in the scan]

USER PASSWORD AUTHENTICATION BASED ON THE RSA SECURID DEVICE

Components of RSA SecurID
- RSA SecurID Authenticators: devices assigned to users. They may be hardware or software and are called tokens. They generate a different number after each fixed time interval.
- RSA ACE/Agent software: installed on network access points, servers and information resources that need protection. It acts like a doorkeeper: when a user's login request arrives, it receives the login information and forwards it to the server running RSA ACE/Server, which performs the authentication. Most routers, remote access servers, firewalls, VPNs, wireless access products, etc. from the world's leading manufacturers already have this component built in.
- RSA ACE/Server: the administrative part of the RSA SecurID solution, used to check authentication requests and to centrally manage authentication policy for the whole network; it is scalable. RSA ACE/Server can authenticate millions of users, whether on the local network, accessing remotely or over VPN, and is fully compatible with the network devices, RAS, VPN, access points, etc. of all major manufacturers.

RSA's SecurID two-factor authentication solution

Most authentication methods are based on:
- Something you know (username/password)
- Something you have (smart card/certificate)
- Something you are (biometrics)

Because traditional authentication is not secure, better authentication solutions are needed. An authentication solution is only considered good if it meets the following main requirements:
- Low cost
- Easy and convenient for users, and usable across many systems
- Good scalability and compatibility with other systems

To meet today's network security requirements, RSA introduced a user authentication solution called SecurID two-factor authentication. As mentioned above, SecurID consists of three parts. The RSA SecurID Authenticator, or token, is given to the user; its function is to generate a different string of digits after each fixed interval (typically one minute). Suppose a system user who has been issued a token logs in: the user is asked for a login name and a string of digits called the passcode. The passcode has two parts: the PIN and the digits shown on the user's token at the moment of login (the token code). This information (login name and passcode) is received by the RSA ACE/Agent, which forwards it to the RSA ACE/Server. The server holds the user's PIN in its database and also has a mechanism that lets it compute its own string of digits. The ACE/Server joins the PIN from its database to the digits it computed and compares the result with the passcode the user supplied. If the two strings match, the user is authenticated as valid and allowed to log in to the network; otherwise access is denied. Whether access is granted or not, the RSA ACE/Server sends the result to the user through the RSA ACE/Agent.

Figure 1. RSA SecurID two-factor authentication

The mechanism by which the RSA ACE/Server computes its own digits to match those on the user's token is relatively simple. As illustrated above, to generate a string that changes after each interval a token has the following components:
- An internal clock (in UTC)
- A seed of 64 or 128 bits
- A pseudo-random number generation algorithm

From the two inputs, time and seed, the pseudo-random algorithm produces the number shown on the token's display (the token code); after the fixed interval it produces another number for the new time. The algorithm always produces numbers that change with time and do not repeat, so predicting the next number, or the number at some future moment, is impossible (it can only be done with the seed and the algorithm). When a token is assigned to a user, the network administrator must also record the token's seed in the RSA ACE/Server database against that user. The RSA ACE/Server runs the same pseudo-random algorithm as the token. When a login request arrives, the server takes the login name, the system clock and the seed stored in the database, runs the algorithm and obtains the same string as the user's token shows at that moment. Joining this string with the user's PIN from the database, the RSA ACE/Server can check whether the user is valid.

The pseudo-random number generation algorithm

Figure 2. Processing flow that produces the token code

- A 64/128-bit secret stored in the SecurID token
- 64 bits from the current clock in ISO form (year/month/day/hour/minute/second)
- Every 30 or 60 seconds a code is produced; the decimal digits of the token code are derived from a hexadecimal value called the "Pre-Convert value", and the function that converts the hexadecimal value into a decimal value is designed to strengthen the secrecy of the SecurID algorithm.

The RSA SecurID token algorithm was developed from the "Alleged SecurID Hash Function" (ASHF), which takes the 128-bit secret as input. The improved algorithm is the AES-based token, which uses the AHASH algorithm: R_i = K(R_{i-1} + S_i). AHASH is built on C(H, P), whose result is the value R; C is defined as follows:
[the defining equations are illegible in the scanned copy]
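As an added illustration (not code from the paper, nor RSA's implementation), the following Python models the exchange described above: the token derives a code from its seed and UTC clock, the ACE/Server recomputes the same code from the seed recorded at enrolment, prefixes the user's PIN and compares the result with the submitted passcode. HMAC-SHA256 stands in for RSA's proprietary function, the user record, seed and PIN are constructed, and the clock-drift window and the replay set are additions a server needs in practice rather than details from the paper.

```python
import hashlib
import hmac

INTERVAL = 60  # seconds per token code; the paper says one code per minute is typical
DIGITS = 6     # length of the decimal token code shown on the display


def token_code(seed: bytes, unix_time: int) -> str:
    """Token side: the code for the UTC time slot that contains unix_time.

    RSA's real function (ASHF / AES-based AHASH) is proprietary, so HMAC-SHA256
    is assumed here as the pseudo-random function over (seed, time)."""
    slot = unix_time // INTERVAL  # internal clock quantised to one slot per interval
    digest = hmac.new(seed, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    # "pre-convert" step: map the binary (hexadecimal) output to a fixed-length decimal code
    return f"{int.from_bytes(digest[:8], 'big') % 10**DIGITS:0{DIGITS}d}"


# Constructed ACE/Server records: username -> (seed recorded at enrolment, user's PIN)
USERS = {"gv_hoalu": (bytes.fromhex("00112233445566778899aabbccddeeff"), "4821")}
_ACCEPTED = set()  # (username, slot) pairs already used once; blocks passcode replay


def verify_passcode(username: str, passcode: str, server_time: int, drift_slots: int = 1) -> bool:
    """Server side: recompute the expected token code from the stored seed and the
    server clock, prefix the stored PIN and compare with the passcode the agent forwarded.

    drift_slots tolerates small token/server clock skew (an assumption, not from the paper)."""
    record = USERS.get(username)
    if record is None:
        return False
    seed, pin = record
    for k in range(-drift_slots, drift_slots + 1):
        slot_time = server_time + k * INTERVAL
        expected = pin + token_code(seed, slot_time)
        key = (username, slot_time // INTERVAL)
        # constant-time comparison; a passcode is good for exactly one login
        if hmac.compare_digest(expected, passcode) and key not in _ACCEPTED:
            _ACCEPTED.add(key)
            return True
    return False
```

The replay set is what turns the paper's "an intercepted passcode cannot be reused" claim into server behaviour: without it, the drift window would accept the same passcode again for up to one extra interval.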
[section heading partly illegible] ... GRADE MANAGEMENT AT HOA LU UNIVERSITY

From the structure and operating principle of the RSA SecurID solution we can see the following advantages:
- High security: authentication is based on two factors (PIN + token code) and the passcode changes constantly, so someone who intercepts a user's passcode still cannot use it to log in to the system.
- Password management: this is an inherent weakness of passwords. With SecurID, authentication is centralised on the RSA ACE/Server and the ACE/Agent can be installed at many points, so a user needs only one token to authenticate anywhere in the network and avoids having to use many passwords.
- Low cost: since users no longer have to use and manage many passwords, they do not need support from the technical department.
- Convenience and ease of use, a key factor for success: with many choices for the RSA SecurID Authenticator, users can choose the form that suits them best.
- Deploying the RSA authentication solution is easy; it has minimal impact on the existing infrastructure and can be rolled out in just a few weeks.
- Scalability: by installing RSA ACE/Server on several servers, an organisation with many branches can authenticate through a server located at the branch instead of using expensive connections to the centre. An organisation's SecurID users can also log in through another organisation, provided the two organisations' RSA ACE/Servers trust each other.
- Integration with the MS Windows operating system: RSA SecurID not only protects users accessing the network but can also be enabled to protect the user's personal computer, where the password is replaced by a passcode. This is a [sentence cut off in the scan]

With these advantages, the RSA SecurID user authentication solution is clearly a highly suitable one. In a system where certain individuals, such as university leadership, the training office and system administrators, have access to important and sensitive information, using this authentication solution minimises risks such as information theft or sabotage in the management of student grades at the university.

Some screenshots of the program interface

Figure: the grade entry web page for Hoa Lu University

CONCLUSION

The paper has developed information security solutions and studied RSA SecurID strong authentication for the grade management web system at Hoa Lu University, together with the advanced algorithms and encryption techniques applied. This has been an opportunity for us to approach and learn from the security solutions of the world's major technology companies. No single authentication solution is enough to withstand attacks on the Internet; many technological solutions must be combined with strict business procedures. Our next research direction is to integrate a public key infrastructure (PKI) with RSA SecurID.

REFERENCES
1. Nguyễn Xuân Dũng (2007), Bảo mật thông tin mô hình và ứng dụng, Nxb Thống kê, Hà Nội.
2. Nguyễn Ngọc Tuấn, Hồng Phúc (2005), Công nghệ bảo mật World Wide Web, Nxb Thống kê, Hà Nội.
3. Đặng Trường Sơn (2012), Giáo trình Bảo mật thông tin, Nxb Đại học Quốc gia TP.HCM.
4. Alex Biryukov, Joseph Lano and Bart Preneel (2003), "Cryptanalysis of the Alleged SecurID Hash Function", http://citeseerx.ist.psu.edu
5. John Viega (2004), "The AHASH Mode of Operation", http://www.cryptobarn.com/papers/ahash.pdf

Received: 25/3/2016; Reviewed: 19/4/2016; Accepted for publication: 30/5/2016
Dr. Nguyễn Toàn Thắng, University of Information and Communication Technology