INFORMATION SECURITY COURSE PROJECT
Ths.L Phc
Hunh Anh Ho
V Th Thu Nguyt
L Thanh Phong
Nguyn Th Thanh Tho
Ho Chi Minh City
12/2009
PTIT 2009
Information Security course project
TABLE OF CONTENTS
Introduction
CHAPTER I: SECURE SOCKET LAYER & TRANSPORT LAYER SECURITY
I.1 Why use SSL
I.2 SSL architecture
I.3 SSL Record Protocol
I.4 SSL Change Cipher Spec Protocol
I.5 SSL Alert Protocol
I.6 SSL Handshake Protocol
I.6.1 Phase 1: Establishing security capabilities
I.6.2 Phase 2: Server authentication and key exchange
I.6.3 Phase 3: Client authentication and key exchange
I.6.4 Phase 4: Finish
I.7 Cryptographic computations
I.7.1 Master secret creation
I.7.2 Generation of cryptographic parameters
I.8 Transport Layer Security
I.8.1 Version number
I.8.2 Message Authentication Code
I.8.3 Pseudorandom function
I.8.4 Alert codes
I.8.5 Cipher suites
I.8.6 Client certificate types
I.8.7 Certificate Verify and Finished messages
I.8.8 Cryptographic computations
I.8.9 Padding
CHAPTER II: JAVA SECURE SOCKET EXTENSION API
II.1 Relationships between the classes
II.2 Core classes and interfaces
II.2.1 The SocketFactory and ServerSocketFactory classes
II.2.2 The SSLSocketFactory and SSLServerSocketFactory classes
II.2.3 The SSLSocket and SSLServerSocket classes
References
Introduction:
The goal of the members carrying out this project is to study in depth:
Chapter I:
Once the client and server are satisfied with each other's identity, SSL provides confidentiality and integrity
through the encryption algorithms it uses. This allows sensitive information, such as account numbers, to be
transmitted securely over the Internet.
While SSL provides authentication, confidentiality and data integrity, it does not provide non-repudiation.
Non-repudiation means that when an entity sends a message, it cannot later deny having sent that message.
When the equivalent of a digital signature is associated with a message, the exchange can later be
proved. SSL alone does not provide non-repudiation.
The SSL process:
Communication over a network using SSL begins with an exchange of information between the client and the server. This
exchange of information is called the SSL handshake.
The three main goals of the SSL handshake are:
Negotiate the cipher suite.
Authenticate identity (optional).
Establish information security by agreeing on the encryption mechanisms.
Cipher suite negotiation:
An SSL session begins with a negotiation between the client and the server over which cipher suite they will use. A
cipher suite is a set of cryptographic algorithms and key sizes that a computer can use to encrypt data. A
cipher suite includes information about the public key exchange algorithms and key agreement algorithms, and the
cryptographic hash functions. The client tells the server which cipher suites it has available, and the server selects the best
acceptable cipher suite.
Server authentication:
In SSL the authentication step is optional, but in the example of an e-commerce transaction on the Web, the client will normally
want to authenticate the server. Authenticating the server lets the client be sure that the server really represents the
entity the client trusts.
To prove that it belongs to the organization it claims to represent, the server must present its public key
certificate to the client. If this certificate is valid, the client can be sure of the server's identity.
The information exchanged between the client and the server lets them agree on a shared secret key. For example, with
RSA, the client uses the server's public key, obtained from the public key certificate, to encrypt the secret key
information. The client sends the encrypted secret key information to the server. Only the server can decrypt this message,
because decryption requires the server's private key.
Sending encrypted data:
Now both the client and the server have access to the shared secret key. For each message, they use the cryptographic
hash function chosen in the first step of this process, together with the shared secret information, to compute an HMAC that is appended
to the message. They then use the secret key and the secret key algorithm negotiated in the first step of this
process to encrypt the data and the HMAC. The client and the server can now exchange information securely
using the hashed and encrypted data.
The SSL protocol:
The previous section gave a brief description of the SSL handshake, which is the exchange of information between the client and the server before
the encrypted messages are sent. This section describes it in more detail. The following figure shows the sequence of messages
exchanged in the SSL handshake. Messages that are sent only in certain situations are marked as optional.
Figure II: SSL messages (sequence of messages between Client and Server, from 1. Client hello to 15. Close messages; several messages are marked optional)
5) Server key exchange: the server sends the client a server key exchange message when the public key
sent in 3) above is not sufficient for key exchange.
6) Server hello done: the server tells the client that it has finished its initial negotiation messages.
7) Certificate: if the server requested a certificate from the client in message 4, the client sends its certificate chain,
just as the server did in message 3.
8) Client key exchange: the client generates the information used to create the key for symmetric encryption. With RSA,
the client encrypts this key information with the server's public key and sends it to the server.
9) Certificate verify: this message is sent when the client presents a certificate as above. Its purpose is to allow the
server to complete the process of authenticating the client. When this message is used, the client sends information with a digital signature
created using a cryptographic hash function. When the server decrypts this information with the client's public key, the server can
authenticate the client.
10) Change cipher spec: the client sends a message telling the server to change to encrypted mode.
11) Finished: the client tells the server that it is ready to begin secure data exchange.
12) Change cipher spec: the server sends a message telling the client to change to encrypted mode.
13) Finished: the server tells the client that it is ready to begin secure data exchange. This ends the SSL
handshake.
14) Encrypted data: the client and the server communicate using the symmetric encryption algorithm and the cryptographic hash function
negotiated in messages 1 and 2, and the secret key that the client sent to the server in message 8.
15) Close messages: at the end of a connection, each side sends a close-notify message to tell the peer that the connection
is closed.
If the parameters generated during an SSL session are saved, they can sometimes be reused for
later SSL sessions. Saving the SSL session parameters allows later secure exchanges to start more
quickly.
Cipher suite choice and remote entity verification:
The SSL/TLS protocols define a specific series of steps to ensure a protected connection. However, the choice
of cipher suite directly affects the kind of security the connection gets. For example, if an anonymous cipher suite is
selected, the application has no way to verify the identity of the remote peer. If a suite with no encryption is selected, the
confidentiality of the data cannot be protected. In addition, the SSL/TLS protocols do not specify that the credentials
received must match those the peer would be expected to send. If the connection were somehow redirected to a rogue
peer, and the rogue's credentials were acceptable based on the current trust material,
the connection would be considered valid.
When using SSLSockets/SSLEngines, always check the peer's credentials before sending any
data. The SSLSocket and SSLEngine classes do not automatically verify that the hostname in the URL matches the hostname in
the peer's credentials. An application can be exploited through URL spoofing if the hostname
is not verified.
Protocols such as HTTPS do require hostname verification. Applications can use HostnameVerifier to
override the default HTTPS hostname rules.
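The two cautions above (anonymous or unencrypted suites, and the missing hostname check) can both be addressed when the engine is configured. The following is an added example, not code from the original report: it uses SSLParameters.setEndpointIdentificationAlgorithm, which exists in Java 7 and later, and the host name www.example.com and the sample suite names are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class PeerVerificationConfig {

    // Suites that give up what the text warns about: anonymous key exchange
    // (no way to verify the peer) or NULL encryption (no confidentiality).
    static boolean isUnsafe(String suite) {
        return suite.contains("_anon_") || suite.contains("_NULL_");
    }

    // Return the candidates with anonymous and NULL-encryption suites removed.
    static String[] safeSuites(String[] candidates) {
        List<String> kept = new ArrayList<>();
        for (String suite : candidates) {
            if (!isUnsafe(suite)) {
                kept.add(suite);
            }
        }
        return kept.toArray(new String[0]);
    }

    // Build a client engine for host:port that refuses anonymous/NULL suites
    // and fails the handshake when the certificate does not match the host.
    static SSLEngine hardenedClientEngine(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);

        SSLParameters params = engine.getSSLParameters();
        // Start from the suites enabled by default and drop the unsafe ones.
        params.setCipherSuites(safeSuites(params.getCipherSuites()));
        // "HTTPS" makes the trust manager apply the HTTPS hostname rules
        // to the peer certificate during the handshake.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample list of suite names.
        String[] constructed = {
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_DH_anon_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_NULL_SHA256",
            "TLS_RSA_WITH_AES_128_CBC_SHA"
        };
        System.out.println("kept: " + Arrays.toString(safeSuites(constructed)));

        // No network traffic happens here; the engine is only configured.
        SSLEngine engine =
                hardenedClientEngine(SSLContext.getDefault(), "www.example.com", 443);
        SSLParameters applied = engine.getSSLParameters();
        System.out.println("endpoint identification: "
                + applied.getEndpointIdentificationAlgorithm());
        System.out.println("enabled suites: " + applied.getCipherSuites().length);
    }
}
```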
The SSL Record Protocol provides basic security services to various higher-layer protocols. In
particular, the Hypertext Transfer Protocol (HTTP), which provides the transfer service for Web client/server interaction, can
operate on top of SSL. Three higher-layer protocols are defined as part of SSL: the Handshake Protocol,
the Change Cipher Spec Protocol and the Alert Protocol. These SSL-specific protocols are used in the
management of SSL exchanges and are examined in a later section.
Two important SSL concepts are the SSL session and the SSL connection, which are defined as
follows:
Connection: a connection is a transport (in the OSI layering model definition) that provides a suitable type of
service. For SSL, such connections are peer-to-peer relationships. Connections are
short-lived. Every connection is associated with one session.
Session: an SSL session is an association between a client and a server. Sessions are created by the Handshake
Protocol. Sessions define a set of cryptographic security parameters, which can be shared
among multiple connections. Sessions are used to avoid the expensive negotiation of new security
parameters for each connection.
Between any pair of parties (applications such as HTTP on client and server), there may be multiple secure connections.
In theory, there may also be multiple simultaneous sessions between parties, but this feature is not used in practice.
There are actually a number of states associated with each session. Once a session is established, there is a current operating state for
both read and write (that is, receive and send). In addition, during the Handshake Protocol, pending read and write states
are created. Upon successful conclusion of the Handshake Protocol, the pending states become the current states.
- A session state is defined by the following parameters (definitions taken from the SSL specification):
Session identifier: an arbitrary byte sequence chosen by the server to identify an active
or resumable session state.
Peer certificate: an X509.v3 certificate. This element of the state may be null.
Compression method: the algorithm used to compress data prior to encryption.
Cipher spec: specifies the data encryption algorithm (such as null, AES) and the hash algorithm (such as MD5 or SHA-1) used for the MAC calculation. It also defines cryptographic attributes such as the hash-size.
Master secret: a 48-byte secret shared between the client and the server.
Is resumable: a flag indicating whether the session can be used to initiate new connections.
- A connection state is defined by the following parameters:
Server and client random: byte sequences chosen by the server and the client for each connection.
Server write MAC secret: the secret key used in MAC operations on data sent by the server.
Client write MAC secret: the secret key used in MAC operations on data sent by the client.
Server write key: the conventional encryption key for data encrypted by the server and decrypted by the client.
Client write key: the conventional encryption key for data encrypted by the client and decrypted by the server.
Initialization vectors: when a block cipher in CBC mode is used, an initialization vector (IV) is maintained
for each key. This field is first initialized by the SSL Handshake Protocol. Thereafter, the final ciphertext block
of each record is preserved for use as the IV for the following record.
Sequence number: each party maintains separate sequence numbers for the messages transmitted and
received on each connection. When a party sends or receives a change cipher spec message, the appropriate sequence number
is set to 0. Sequence numbers may not exceed 2^64 - 1.
Figure I.2: SSL Record Protocol operation (stages: application data, fragment, compress, add MAC, encrypt)
The first step is fragmentation. Each upper-layer message is fragmented into blocks of 2^14
bytes (16384 bytes) or less.
Next, compression is optionally applied. Compression must be lossless and may not increase the content
length by more than 1024 bytes. (Of course, one hopes that compression shrinks rather than expands the data. However,
for very short blocks it is possible, because of formatting conventions, that the compression algorithm actually makes the output longer than
the input.) In SSLv3 (as well as the current version of TLS), no compression algorithm is specified, so the
default compression algorithm is null.
The next processing step is to compute a MAC (message authentication code) over the compressed data. This requires a
shared secret key. The calculation is defined as follows:
hash(MAC_write_secret || pad_2 || hash(MAC_write_secret || pad_1 || seq_num || SSLCompressed.type ||
SSLCompressed.length || SSLCompressed.fragment))
where:
|| : concatenation.
MAC_write_secret: the shared secret key.
hash: the cryptographic hash algorithm, MD5 or SHA-1.
pad_1: the byte 0x36 (0011 0110) repeated 48 times (384 bits) for MD5 and 40 times (320 bits) for SHA-1.
pad_2: the byte 0x5C (0101 1100) repeated 48 times for MD5 and 40 times for SHA-1.
illegal_parameter: a field in a handshake message was out of range or inconsistent with other
fields.
The remaining alerts are as follows:
close_notify: notifies the recipient that the sender will not send any more messages on this
connection. Each party is required to send a close_notify alert before closing the write side of a connection.
no_certificate: may be sent in response to a certificate request if no appropriate certificate is
available.
bad_certificate: the received certificate was invalid (for example, it contained a signature that did not verify).
unsupported_certificate: the type of the received certificate is not supported.
certificate_revoked: the certificate has been revoked by its issuer.
certificate_expired: the certificate has expired.
certificate_unknown: some other unspecified issue arose in processing the certificate, making it
unacceptable.
The most complex part of SSL is the Handshake Protocol. This protocol allows the server and the client to authenticate each other
and to negotiate the encryption algorithm, the MAC algorithm and the cryptographic keys used to protect the data sent in
an SSL record. The SSL Handshake Protocol is used before any application data is transmitted.
The SSL Handshake Protocol consists of a series of messages exchanged between the client and the server. Each message has three
fields:
Type (1 byte): indicates one of ten message types.
Length (3 bytes): the length of the message in bytes.
Content (>= 0 bytes): the parameters associated with this message, listed in Figure I.5a.
Figure I.5a: SSL Handshake Protocol message types
Message type           Parameters
Hello_request          Null
Client_hello           version, random, session id, cipher suite, compression method
Server_hello           version, random, session id, cipher suite, compression method
Certificate            chain of X.509v3 certificates
Server_key_exchange    parameters, signature
Certificate_request    type, authorities
Server_done            Null
Certificate_verify     signature
Client_key_exchange    parameters, signature
Finished               hash value
Figure I.5b shows the initial exchange needed to establish a logical connection between the client and the server. The exchange can be
viewed as having four phases.
Session ID: a variable-length session identifier. A nonzero SessionID means that the client wishes to update
the parameters of an existing connection or create a new connection on this session. SessionID = 0 indicates that the client
wishes to establish a new connection on a new session.
CipherSuite: a list containing the combinations of cryptographic algorithms supported by the
client, in decreasing order of preference. Each element of the list (each cipher suite) defines both a
key exchange method and a CipherSpec; these are discussed later.
Compression Method: a list of the compression methods the client supports.
After sending the client_hello message, the client waits for the server_hello message, which contains the same parameters as the client_hello
message. For the server_hello message, the following conventions apply. The Version field contains the lower of the
version suggested by the client and the highest version supported by the server. The Random field is generated by the server and is independent
of the client's Random field. If the client's SessionID field was nonzero, the same value is used by the server;
otherwise the server's SessionID field contains the value for a new session. The CipherSuite field contains the cipher suite selected
by the server from those proposed by the client. The Compression field contains the compression method selected by the server from those
proposed by the client.
The first element of the Cipher Suite parameter is the key exchange method (that is, the means by which the cryptographic
keys for conventional encryption and the MAC are exchanged). The following key exchange methods are supported:
RSA: the secret key is encrypted with the receiver's RSA public key. A public-key certificate for the
receiver's key must be made available.
Fixed Diffie-Hellman: a Diffie-Hellman key exchange in which the server's certificate contains the Diffie-Hellman
public parameters signed by the Certificate Authority (CA). That is, the public-key certificate
contains the Diffie-Hellman public-key parameters. The client provides its Diffie-Hellman public-key parameters
either in a certificate, if client authentication is required, or in a key exchange
message. This method results in a fixed secret key between the two peers, based on the Diffie-Hellman
calculation using the fixed public keys.
Ephemeral Diffie-Hellman: this technique is used to create ephemeral (temporary, one-time)
keys. In this case, the Diffie-Hellman public keys are exchanged, signed using the sender's RSA or DSS
private key. The receiver can use the corresponding public key to verify the signature.
Certificates are used to authenticate the public keys. This is the most secure of the three
Diffie-Hellman options because it results in a temporary, authenticated key.
Anonymous Diffie-Hellman: the base Diffie-Hellman algorithm is used, with no authentication. That is,
each side sends its public Diffie-Hellman parameters to the other with no authentication. This
approach is vulnerable to man-in-the-middle attacks, in which the attacker conducts
anonymous Diffie-Hellman with both parties.
Fortezza: the technique defined for the Fortezza scheme.
Following the definition of a key exchange method is the CipherSpec, which includes the following fields:
CipherAlgorithm: any of the algorithms mentioned earlier: RC4, RC2, DES, 3DES, DES40, IDEA, Fortezza.
MACAlgorithm: MD5 or SHA-1.
CipherType: stream or block.
In any other case, the purpose is to verify the client's ownership of the private key for the client
certificate. Even if someone is misusing the client's certificate, they would be unable to send this message.
HMAC_K(M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]]
ipad = 00110110 (36H) repeated 64 times (512 bits)
opad = 01011100 (5CH) repeated 64 times (512 bits)
SSLv3 uses the same algorithm, except that the padding bytes are concatenated with the secret key rather than being XORed with the secret
key padded to the block length. The level of security is about the same in both cases.
For TLS, the MAC calculation covers the fields indicated in the following expression:
HMAC_hash(MAC_write_secret, seq_num || TLSCompressed.type || TLSCompressed.version ||
TLSCompressed.length || TLSCompressed.fragment)
The MAC calculation covers all of the fields covered by the SSLv3 calculation, plus the field
TLSCompressed.version, which is the version of the protocol being used.
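The two record MAC constructions, the SSLv3 pad-concatenation form given earlier and the TLS HMAC form above, computed side by side over one record. This is an added example, not code from the original report; the key, the fragment, content type 23 (application data) and version bytes 3,1 (TLS 1.0) are constructed sample inputs.

```java
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class RecordMac {

    static byte[] repeat(int value, int count) {
        byte[] out = new byte[count];
        Arrays.fill(out, (byte) value);
        return out;
    }

    static byte[] concat(byte[]... parts) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (byte[] p : parts) {
            out.write(p, 0, p.length);
        }
        return out.toByteArray();
    }

    // seq_num is a 64-bit big-endian counter; length is 16-bit big-endian.
    static byte[] u64(long v) { return ByteBuffer.allocate(8).putLong(v).array(); }
    static byte[] u16(int v) { return new byte[] { (byte) (v >>> 8), (byte) v }; }

    // SSLv3: hash(secret || pad_2 ||
    //             hash(secret || pad_1 || seq_num || type || length || fragment))
    // hash is "MD5" (48 pad bytes) or "SHA-1" (40 pad bytes).
    static byte[] sslv3Mac(String hash, byte[] secret, long seq, int type,
                           byte[] fragment) throws Exception {
        int padLen = hash.equals("MD5") ? 48 : 40;
        MessageDigest md = MessageDigest.getInstance(hash);
        byte[] inner = md.digest(concat(secret, repeat(0x36, padLen), u64(seq),
                new byte[] { (byte) type }, u16(fragment.length), fragment));
        return md.digest(concat(secret, repeat(0x5c, padLen), inner));
    }

    // TLS: HMAC_hash(secret, seq_num || type || version || length || fragment)
    // hmacAlg is "HmacMD5" or "HmacSHA1".
    static byte[] tlsMac(String hmacAlg, byte[] secret, long seq, int type,
                         int major, int minor, byte[] fragment) throws Exception {
        Mac mac = Mac.getInstance(hmacAlg);
        mac.init(new SecretKeySpec(secret, hmacAlg));
        return mac.doFinal(concat(u64(seq), new byte[] { (byte) type },
                new byte[] { (byte) major, (byte) minor },
                u16(fragment.length), fragment));
    }

    static String hex(byte[] data) {
        StringBuilder sb = new StringBuilder();
        for (byte b : data) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from a real session.
        byte[] secret = repeat(0x0b, 20);
        byte[] fragment = "GET / HTTP/1.0\r\n\r\n".getBytes(StandardCharsets.US_ASCII);
        int applicationData = 23;

        byte[] ssl = sslv3Mac("SHA-1", secret, 0, applicationData, fragment);
        byte[] tls = tlsMac("HmacSHA1", secret, 0, applicationData, 3, 1, fragment);
        // The same record replayed at the next sequence number gets a different
        // MAC, so a receiver that recomputes the MAC rejects the replay.
        byte[] next = tlsMac("HmacSHA1", secret, 1, applicationData, 3, 1, fragment);

        System.out.println("SSLv3 MAC          : " + hex(ssl));
        System.out.println("TLS MAC, seq_num 0 : " + hex(tls));
        System.out.println("TLS MAC, seq_num 1 : " + hex(next));
        // MessageDigest.isEqual is the comparison a receiver should use.
        System.out.println("replay accepted    : " + MessageDigest.isEqual(tls, next));
    }
}
```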
The data expansion function makes use of the HMAC algorithm, with either MD5 or SHA-1 as the underlying hash
function. As can be seen, P_hash can be iterated as many times as necessary to produce the required quantity of
data. For example, if P_SHA-1 is used to generate 64 bytes of data, it has to be iterated 4 times, producing 80 bytes of
data, of which the last 16 bytes are discarded. In this case, P_MD5 would also be iterated 4 times, producing exactly 64 bytes
of data. Note that each iteration involves two executions of HMAC, each of which in turn involves two executions of the underlying
hash algorithm.
To make PRF as secure as possible, it uses two hash algorithms in a way that guarantees its security if
either algorithm remains secure. PRF is defined as:
hash(ClientHello.random || ServerHello.random || ServerParams)
PRF takes as input a secret value, an identifying label and a seed value, and produces an output of
arbitrary length. The output is created by splitting the secret value into two halves (S1 and S2) and performing P_hash on each
half, using MD5 on one half and SHA-1 on the other. The two results are XORed to produce the output; for
this purpose, P_MD5 generally has to be iterated more times than P_SHA-1 to produce an equal amount of data as
input to the XOR function.
I.8.4 Alert codes:
TLS supports all of the alert codes defined in SSLv3 with the exception of no_certificate. A number of additional
codes are defined in TLS; the following are some of the fatal-level alerts:
decryption_failed: a ciphertext was decrypted in an invalid way; either it was not a multiple of the block
length or its padding values, when checked, were incorrect.
I.8.9 Padding:
In SSL, the padding added before encryption of user data is the minimum amount required so that the total
size of the data to be encrypted is a multiple of the cipher's block length. In TLS, the padding can be any
amount that results in a total that is a multiple of the cipher's block length, up to a maximum of
255 bytes. For example, suppose the plaintext (or compressed text, if compression is used) plus the MAC plus the padding-length byte is 79
bytes long. Then the padding length, in bytes, can be 1, 9, 17 and so on, up to 249. A variable padding length can
be used to frustrate attacks based on an analysis of the lengths of the exchanged messages.
Chapter II:
Secure socket factories encapsulate the details of creating and initially configuring secure sockets. This includes authentication keys,
peer certificate validation, enabled cipher suites, and the like.
The javax.net.ssl.SSLServerSocketFactory class is analogous to the SSLSocketFactory class, but is
used specifically for creating server sockets.
Creating an SSLSocketFactory:
There are three basic ways to create an SSLSocketFactory:
Get the default factory by calling the static method SSLSocketFactory.getDefault.
Receive a factory as an API parameter. That is, code that needs to create sockets but does not care about the details of how
the sockets are configured can include a method with an SSLSocketFactory parameter that can be called
by clients to specify which SSLSocketFactory to use when creating sockets, e.g. javax.net.ssl.HttpsURLConnection.
Construct a new factory with specifically configured behavior.
The default factory is typically configured to support server authentication only, so that sockets created by the default
factory do not leak any more information about the client than a normal TCP socket would.
Many classes that create and use sockets do not need to know the details of how the sockets are created. Creating sockets through a socket
factory passed in as a parameter is a good way of isolating the details of socket configuration, and increases the
reusability of classes that create and use sockets.
You can create a new socket factory either by implementing your own socket factory subclass or by using another class that
acts as a factory for socket factories. One example is the SSLContext class, which is provided in JSSE
as a provider-based configuration class.
II.2.3 The SSLSocket and SSLServerSocket classes:
The javax.net.ssl.SSLSocket class is a subclass of the standard java.net.Socket class. It supports all of the
standard socket methods and adds methods specific to secure sockets. Instances of this class
encapsulate the SSLContext under which they were created. There are APIs to control the creation of secure socket sessions for
a particular socket, but trust and key management are not directly exposed.
The javax.net.ssl.SSLServerSocket class is analogous to the SSLSocket class, but is used specifically
for creating server sockets.
To prevent peer spoofing, you should always verify the credentials presented to an SSLSocket.
Additional note: because of the complexity of the SSL and TLS protocols, it is difficult to predict whether incoming bytes on a
connection are handshake or application data, and how that data might affect the current connection state (except
when the process blocks). In the Sun JSSE implementation, the available() method on the object
obtained from SSLSocket.getInputStream() returns a count of the application data bytes successfully decrypted from
the SSL connection but not yet read by the application.
Creating an SSLSocket:
An SSLSocket can be created in two ways. First, an SSLSocket can be created by an SSLSocketFactory through one
of the several createSocket methods on that class. The second way to create SSLSockets is through the accept method on the
SSLServerSocket class.
II.2.4 Non-blocking I/O with SSLEngine:
SSL/TLS is becoming increasingly popular. It is used in a wide variety of applications across a wide range of computing
platforms. With this popularity come demands to use it with different I/O and threading models in order to
satisfy the performance, scalability, footprint and other requirements of applications. There are demands to use it with
blocking and non-blocking I/O channels, asynchronous I/O, arbitrary input and output streams, and byte
buffers. There are demands to use it in highly scalable, performance-critical environments that require managing
thousands of network connections.
Before J2SE 5, the JSSE API supported only a single transport abstraction: stream-based sockets through
SSLSocket. While this was adequate for many applications, it did not meet the needs of applications
that require different I/O or threading models. In 1.5.0, a new abstraction was introduced
to allow applications to use the SSL/TLS protocols in a transport-independent way, so that applications are
free to choose the transport and computing models that best meet their needs. It also accommodates different threading
models. This effectively leaves the I/O and threading decisions up to the application. Because of this flexibility, the application
must now manage I/O and threading (complex topics in themselves) as well as have a good understanding of the SSL/TLS protocols.
The new abstraction is therefore an advanced API: users should use SSLSocket.
Newcomers to the API may wonder "Why not just have an SSLSocketChannel that extends
java.nio.channels.SocketChannel?" There are two main reasons:
There were many difficult questions about what an SSLSocketChannel should be, including its class hierarchy
and how it should interoperate with Selectors and other types of SocketChannels. Each
proposal brought up more questions than answers. It was noted that any new API abstraction
extended to work with SSL/TLS would require the same significant analysis and could result in
large and complex APIs.
Any JSSE implementation of a new API would be free to choose the best I/O and compute strategy,
but hiding these details is inappropriate for applications that need full control. Any specific
implementation would be inappropriate for some application segment.
By abstracting the I/O and treating data as streams of bytes, these issues are resolved and the new API can be
used with any existing or future I/O model. While this solution makes the I/O and CPU issues the
developer's responsibility, JSSE implementations are prevented from becoming unusable because some internal
detail cannot be configured or changed.
Users of other Java programming language APIs such as JGSS and SASL will notice similarities,
in that the application is also responsible for transporting the data.
SSLEngine
The core class in this new abstraction is javax.net.ssl.SSLEngine. It encapsulates an SSL/TLS state machine and
operates on inbound and outbound byte buffers supplied by the user of the SSLEngine. The following diagram
illustrates the flow of data from the application, to the SSLEngine, to the transport mechanism, and back.
The application, shown on the left, supplies application (plaintext) data in an application buffer and passes it to the
SSLEngine. The SSLEngine processes the data contained in the buffer, or any handshaking data, to produce
SSL/TLS encoded data and places it in the network buffer supplied by the application. The application is then responsible for
using an appropriate transport (shown on the right) to send the contents of the network buffer to its peer. Upon receiving SSL/TLS
encoded data from its peer (through the transport), the application places the data into a network buffer and passes it
to the SSLEngine. The SSLEngine processes the contents of the network buffer to produce handshaking data or application data.
In all, an SSLEngine can be in one of five states:
1. Creation - ready to be configured.
2. Initial handshaking - perform authentication and negotiate communication parameters.
3. Application data - ready for data exchange.
4. Rehandshaking - renegotiate communication parameters/authentication; handshaking data may be
mixed with application data.
5. Closure - ready to close the connection.
SSL/TLS message                     HSStatus
ClientHello                         NEED_UNWRAP
ServerHello/Cert/ServerHelloDone    NEED_WRAP
ClientKeyExchange                   NEED_WRAP
ChangeCipherSpec                    NEED_WRAP
Finished                            NEED_UNWRAP
ChangeCipherSpec                    NEED_UNWRAP
Finished                            FINISHED
Now that handshaking is complete, further calls to wrap() will try to consume application data and
package it for transport. unwrap() will do the opposite.
To send data to the peer, the application first supplies the data that it wants to send to the SSLEngine through
SSLEngine.wrap() to obtain the corresponding SSL/TLS encoded data. The application then sends the encoded data to
the peer using the transport mechanism it has chosen. When the application receives SSL/TLS encoded data through the
transport mechanism, it supplies this data to the SSLEngine through SSLEngine.unwrap() to obtain the
plaintext data that the peer wanted to send.
Here is an example of an SSL application that uses a non-blocking SocketChannel to communicate with its
peer. (It can be made more robust and scalable by using a Selector with the non-blocking
SocketChannel.) The following code sends the string "hello" to the peer, by encoding it with the
SSLEngine created in the previous example. It uses information from the SSLSession to determine how large the byte
buffers should be.
    // Create a non-blocking socket channel
    SocketChannel socketChannel = SocketChannel.open();
    socketChannel.configureBlocking(false);
    socketChannel.connect(new InetSocketAddress(hostname, port));

    // Complete the connection
    while (!socketChannel.finishConnect()) {
        // do something else until the connection completes
    }

    // Create byte buffers for holding application data and encoded data
    SSLSession session = engine.getSession();
    ByteBuffer myAppData =
        ByteBuffer.allocate(session.getApplicationBufferSize());
    ByteBuffer myNetData = ByteBuffer.allocate(session.getPacketBufferSize());
    ByteBuffer peerAppData =
        ByteBuffer.allocate(session.getApplicationBufferSize());
    ByteBuffer peerNetData = ByteBuffer.allocate(session.getPacketBufferSize());

    // Do the initial handshake
    doHandshake(socketChannel, engine, myNetData, peerNetData);

    myAppData.put("hello".getBytes());
    myAppData.flip();

    while (myAppData.hasRemaining()) {
        // Generate SSL/TLS encoded data (handshake or application data)
        SSLEngineResult res = engine.wrap(myAppData, myNetData);

        // Process the status of the call
        if (res.getStatus() == SSLEngineResult.Status.OK) {
            // wrap() has advanced myAppData past the bytes it consumed;
            // switch myNetData to read mode before writing it out
            myNetData.flip();

            // Send the SSL/TLS encoded data to the peer
            // (a closed channel surfaces as an exception from write())
            while (myNetData.hasRemaining()) {
                int num = socketChannel.write(myNetData);
                if (num == 0) {
                    // no bytes were written; try again later
                }
            }
            // Make myNetData ready for the next wrap() call
            myNetData.clear();
        }

        // Handle other statuses: BUFFER_OVERFLOW, CLOSED
        // ...
    }
The following code reads data from the same non-blocking SocketChannel and extracts the plaintext data from it by
using the SSLEngine created earlier. Each iteration of this code may or may not produce any plaintext
data, depending on whether handshaking is in progress.
    // Read SSL/TLS encoded data from the peer
    int num = socketChannel.read(peerNetData);
    if (num == -1) {
        // Handle the closed channel
    } else if (num == 0) {
        // No bytes were read; try again ...
    } else {
        // Process the incoming data
        peerNetData.flip();
        SSLEngineResult res = engine.unwrap(peerNetData, peerAppData);

        if (res.getStatus() == SSLEngineResult.Status.OK) {
            peerNetData.compact();

            // Switch peerAppData to read mode before consuming it
            peerAppData.flip();
            if (peerAppData.hasRemaining()) {
                // Use peerAppData
            }
            peerAppData.compact();
        }
        // Handle other statuses: BUFFER_OVERFLOW, BUFFER_UNDERFLOW, CLOSED
        // ...
    }
II.2.7 Status of the operation:
To indicate the status of the engine and what actions the application should take, the SSLEngine.wrap() and
SSLEngine.unwrap() methods return an SSLEngineResult instance, as shown in the previous example. The SSLEngineResult contains
two pieces of status information: the overall status of the engine and the handshaking status.
The possible overall statuses are represented by the SSLEngineResult.Status enum. Some examples of
this status include OK, which means that there was no error, and BUFFER_UNDERFLOW, which means that the input buffer had
insufficient data, indicating that the application needs to obtain more data from the peer (for example, by reading more data from the network).
The possible handshaking statuses are represented by the SSLEngineResult.HandshakeStatus
enum. They represent whether handshaking has completed, whether the caller needs to obtain more
handshaking data from the peer, send more handshaking data to the peer, and so on.
Having two statuses per result allows the engine to indicate that the application must take two actions: one in response to
the handshaking and one representing the overall status of the wrap()/unwrap() method. For example, the
engine might, as the result of a single SSLEngine.unwrap() call, return
SSLEngineResult.Status.OK to indicate that the input data was processed successfully and
SSLEngineResult.HandshakeStatus.NEED_UNWRAP to indicate that the application should obtain more SSL/TLS
encoded data from the peer and supply it to SSLEngine.unwrap() again so that handshaking can continue. As
you can see, the previous examples were greatly simplified; they would need to be expanded considerably to handle all of
these statuses properly.
II.2.8 Blocking Tasks :
During handshaking, an SSLEngine may encounter tasks that can block or take a long time. For example, a TrustManager may need to connect to a remote certificate validation service, or a KeyManager may need to prompt the user to determine which certificate to use for client authentication. To preserve the non-blocking nature of SSLEngine, when the engine encounters such a task it returns SSLEngineResult.HandshakeStatus.NEED_TASK. On receiving this status, the application should call SSLEngine.getDelegatedTask() to get the task and then process it using the threading model appropriate to its requirements. The application might, for example, obtain a thread from a thread pool to process the task while the main thread handles other I/O.
Here is an example that executes each task in a newly created thread.
if (res.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_TASK) {
    Runnable task;
    while ((task = engine.getDelegatedTask()) != null) {
        new Thread(task).start();
    }
}
The engine will block future wrap/unwrap calls until all of the outstanding tasks have completed.
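A fuller status-handling loop for the two preceding sections, as an added example (not code from the original document or from the JDK documentation): it dispatches on both the HandshakeStatus and the overall Status of every wrap()/unwrap() call until the handshake finishes. The class name HandshakeDriver is hypothetical, the channel is assumed to be in blocking mode, and delegated tasks are run inline rather than on new threads.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.SocketChannel;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;

public class HandshakeDriver {
    /** Drives the handshake to completion; returns false if it could not complete. */
    public static boolean handshake(SSLEngine engine, SocketChannel channel) throws IOException {
        int netSize = engine.getSession().getPacketBufferSize();
        ByteBuffer netOut = ByteBuffer.allocate(netSize);
        ByteBuffer netIn = ByteBuffer.allocate(netSize);
        ByteBuffer appIn = ByteBuffer.allocate(engine.getSession().getApplicationBufferSize());
        ByteBuffer empty = ByteBuffer.allocate(0);   // no application data during the handshake
        engine.beginHandshake();
        HandshakeStatus hs = engine.getHandshakeStatus();
        while (hs != HandshakeStatus.FINISHED && hs != HandshakeStatus.NOT_HANDSHAKING) {
            SSLEngineResult res;
            switch (hs) {
            case NEED_TASK:
                // Run the delegated tasks here; a server would hand them to a thread pool
                Runnable task;
                while ((task = engine.getDelegatedTask()) != null) task.run();
                hs = engine.getHandshakeStatus();
                break;
            case NEED_WRAP:
                netOut.clear();
                res = engine.wrap(empty, netOut);
                netOut.flip();                       // read mode, then send whatever was produced
                while (netOut.hasRemaining()) channel.write(netOut);
                // CLOSED: the engine is shutting down. BUFFER_OVERFLOW is not expected here
                // because netOut is packet-sized and was just cleared.
                if (res.getStatus() != SSLEngineResult.Status.OK) return false;
                hs = res.getHandshakeStatus();
                break;
            case NEED_UNWRAP:
                netIn.flip();                        // read mode for the engine
                res = engine.unwrap(netIn, appIn);
                netIn.compact();                     // keep any partial record for the next pass
                switch (res.getStatus()) {
                case BUFFER_UNDERFLOW:               // incomplete record: read more from the peer
                    if (channel.read(netIn) < 0) return false;
                    break;
                case BUFFER_OVERFLOW:                // no room for plaintext: enlarge the destination
                    appIn = ByteBuffer.allocate(appIn.capacity() * 2);
                    break;
                case CLOSED:                         // peer sent a close message mid-handshake
                    return false;
                case OK:
                    break;
                }
                hs = res.getHandshakeStatus();
                break;
            default:
                throw new IllegalStateException("unexpected handshake status " + hs);
            }
        }
        return true;
    }
}
```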
II.2.9 Shutting down :
For an orderly shutdown of an SSL/TLS connection, the SSL/TLS protocols require that close messages be transmitted. Therefore, when an application is done with the SSL/TLS connection, it should first obtain the close messages from the SSLEngine, then transmit them to the peer using its transport mechanism, and finally shut down the transport mechanism. Here is an example.
// Indicate that the application is done with the engine
engine.closeOutbound();
while (!engine.isOutboundDone()) {
    // Get the close message
    SSLEngineResult res = engine.wrap(empty, myNetData);
    // Check the res statuses
    // Switch myNetData to read mode, then send the close message to the peer
    myNetData.flip();
    while (myNetData.hasRemaining()) {
        int num = socketChannel.write(myNetData);
        if (num == -1) {
            // Handle the closed channel
        } else if (num == 0) {
            // No bytes were written; try again later
        }
    }
    // Make room for the output of the next wrap() call
    myNetData.compact();
}
// Close the transport
socketChannel.close();
In addition to the application explicitly closing the SSLEngine, the SSLEngine might be closed by the peer (through receipt of a close message while it is processing handshake data), or by the SSLEngine encountering an error while processing application or handshake data, indicated by an SSLException. In such cases, the application should call SSLEngine.wrap() to get the close message and send it to the peer until SSLEngine.isOutboundDone() returns true, as in the previous example, or until SSLEngineResult.getStatus() returns CLOSED.
The per-instance or per-class SSLSocketFactory can also be obtained by calling the getSSLSocketFactory/getDefaultSSLSocketFactory method, respectively.
Setting the assigned HostnameVerifier
If the hostname of the URL does not match the hostname in the credentials received as part of the SSL/TLS handshake, URL spoofing may have occurred. If the implementation cannot determine a hostname match with reasonable certainty, the SSL implementation performs a callback to the instance's assigned HostnameVerifier for further checking. The hostname verifier can take whatever steps are necessary to make the decision, such as performing alternate hostname pattern matching or perhaps popping up an interactive dialog box. An unsuccessful verification by the hostname verifier closes the connection. (See RFC 2818 for more information on hostname verification.)
The setHostnameVerifier/setDefaultHostnameVerifier methods work in the same way as the setSSLSocketFactory/setDefaultSSLSocketFactory methods, in that HostnameVerifiers are assigned on a per-instance and a per-class basis, and the current values can be obtained by calling the getHostnameVerifier/getDefaultHostnameVerifier methods.
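One way to write such a verifier, as an added example rather than code from the original document: it accepts a mismatch only for one configured host whose certificate is known to carry one specific alternate name, and rejects every other mismatch so that the connection is closed. The class name PinnedAltNameVerifier and its two constructor parameters are hypothetical.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/**
 * Called by the SSL implementation only after its own hostname check found a mismatch.
 * Accepts one known alternate name for one known URL host, and only when the peer
 * certificate really carries that name. Returning true unconditionally here would
 * switch off the URL spoofing check altogether.
 */
public class PinnedAltNameVerifier implements HostnameVerifier {
    private static final int DNS_NAME = 2;   // subjectAltName entry type dNSName
    private final String urlHost;            // host the application connects to
    private final String expectedCertName;   // name that host's certificate is known to carry

    public PinnedAltNameVerifier(String urlHost, String expectedCertName) {
        this.urlHost = urlHost;
        this.expectedCertName = expectedCertName;
    }

    public boolean verify(String hostname, SSLSession session) {
        if (!urlHost.equalsIgnoreCase(hostname)) {
            return false;                    // the exception is granted for one host only
        }
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                return false;
            }
            Collection<List<?>> names =
                    ((X509Certificate) chain[0]).getSubjectAlternativeNames();
            if (names == null) {
                return false;                // certificate has no subjectAltName extension
            }
            for (List<?> name : names) {
                if (((Integer) name.get(0)).intValue() == DNS_NAME
                        && expectedCertName.equalsIgnoreCase(String.valueOf(name.get(1)))) {
                    return true;
                }
            }
            return false;
        } catch (SSLPeerUnverifiedException e) {
            return false;                    // the peer presented no verified certificate
        } catch (CertificateParsingException e) {
            return false;                    // malformed subjectAltName extension
        }
    }
}
```

An instance is assigned per connection with setHostnameVerifier, or per class with setDefaultHostnameVerifier.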
KeyFactory | RSA
KeyPairGenerator | RSA
KeyStore | PKCS12
Signature | MD2withRSA, MD5withRSA, SHA1withRSA
KeyManagerFactory | SunX509, NewSunX509
TrustManagerFactory | SunPKIX (aka X509/PKIX), SunX509
SSLContext | SSLv3 (aka SSL), TLSv1 (aka TLS)
II.3.1 The SSLContext class :
javax.net.ssl.SSLContext is an engine class for an implementation of an SSL protocol. An instance of this class acts as a factory for SSL socket factories and SSL engines. An SSLContext holds all of the state information shared across all objects created under that context. For example, session state is associated with the SSLContext when it is negotiated through the handshake protocol by sockets created by socket factories that the context provides. These cached sessions can be reused and shared by other sockets created under the same context.
Each instance is configured through its init method with the keys, certificate chains, and trusted root CA certificates that it needs to perform authentication. This configuration is supplied in the form of key managers and trust managers. These managers provide support for the authentication and key agreement aspects of the cipher suites supported by the context.
Currently, only X.509-based managers are supported.
Creating an SSLContext object
Like other JCA provider-based engine classes, SSLContext objects are created using the getInstance factory methods of the SSLContext class. Each of these static methods returns an instance that implements at least the requested SSL protocol. The returned instance may implement other protocols too. For example, getInstance("SSLv3") may return an instance that implements both SSLv3 and TLSv1. The getSupportedProtocols method returns a list of the protocols supported when an SSLSocket, SSLServerSocket or SSLEngine is created from this context. You can control which protocols are actually enabled for an SSL connection by using the setEnabledProtocols(String[] protocols) method.
Note: an SSLContext object is automatically created, initialized, and statically assigned to the SSLSocketFactory class when you call SSLSocketFactory.getDefault. Therefore, you do not have to create and initialize an SSLContext object directly (unless you want to override the default behaviour).
To create an SSLContext object by calling a getInstance factory method, you specify the protocol name. You can also specify which provider you want to supply the implementation of the requested protocol:
public static SSLContext getInstance(String protocol);
public static SSLContext getInstance(String protocol, String provider);
public static SSLContext getInstance(String protocol, Provider provider);
Protocol
Comment
SSL
SSLv2
SSLv3
TLS
TLSv1
SecureRandom random);
If the KeyManager[] parameter is null, an empty KeyManager is defined for this context. If the TrustManager[] parameter is null, the installed security providers are searched for the highest-priority implementation of TrustManagerFactory, from which an appropriate TrustManager is obtained. Likewise, the SecureRandom parameter may be null, in which case a default implementation is used.
If the default-initialized context is used (such as the SSLContext created by SSLSocketFactory.getDefault() or SSLServerSocketFactory.getDefault()), a default KeyManager and a default TrustManager are created. The default SecureRandom implementation is also chosen.
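Because an instance returned by getInstance may implement more protocols than the one requested, the set that can actually be negotiated has to be narrowed with setEnabledProtocols. The following added example (not code from the original document) initializes a context with all three init parameters null and enables only the supported protocols that appear on an allow-list. The class name ProtocolPolicy is hypothetical, and the allow-list of TLSv1.2 and TLSv1.3 is an example policy that does not come from this document.

```java
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class ProtocolPolicy {
    // Example policy (an assumption of this sketch): the only versions the application accepts
    static final List<String> ALLOWED = Arrays.asList("TLSv1.2", "TLSv1.3");

    /** Returns the supported protocols that are also on the allow-list. */
    static String[] allowedSubset(String[] supported) {
        List<String> keep = new ArrayList<String>();
        for (String protocol : supported) {
            if (ALLOWED.contains(protocol)) {
                keep.add(protocol);
            }
        }
        return keep.toArray(new String[0]);
    }

    public static SSLEngine newClientEngine() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null, null, null: default key manager, trust manager and SecureRandom
        ctx.init(null, null, null);
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);
        String[] enabled = allowedSubset(engine.getSupportedProtocols());
        if (enabled.length == 0) {
            // Fail closed instead of falling back to whatever the provider enables by default
            throw new GeneralSecurityException("no allowed protocol is supported by this provider");
        }
        engine.setEnabledProtocols(enabled);   // protocols not listed can no longer be negotiated
        return engine;
    }

    public static void main(String[] args) throws Exception {
        System.out.println(Arrays.toString(newClientEngine().getEnabledProtocols()));
    }
}
```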
II.3.2 TrustManager Interface :
The primary responsibility of the TrustManager is to determine whether the authentication credentials presented should be trusted. If the credentials are not trusted, the connection is terminated. To authenticate the remote identity of a secure socket peer, you need to initialize an SSLContext object with one or more TrustManagers. You need to pass one TrustManager for each authentication mechanism that is supported. If null is passed into the initialization, a trust manager is created for you. Typically, there is a single trust manager that supports authentication based on X.509 public key certificates (such as X509TrustManager). Some secure socket implementations also support authentication based on shared secret keys, such as Kerberos, or on other mechanisms.
TrustManagers are created either by a TrustManagerFactory or by providing a concrete implementation of the interface.
II.3.3 The TrustManagerFactory class :
javax.net.ssl.TrustManagerFactory is an engine class for a provider-based service that acts as a factory for one or more types of TrustManager objects. Because it is provider-based, additional factories can be implemented and configured to supply additional or alternate trust managers that provide more sophisticated services or that implement installation-specific authentication policies.
Creating a TrustManagerFactory:
You create an instance of this class in a similar way to SSLContext, except that you pass an algorithm name string instead of a protocol name to the getInstance method:
public static TrustManagerFactory getInstance(String algorithm);
public static TrustManagerFactory getInstance(String algorithm, String provider);
public static TrustManagerFactory getInstance(String algorithm, Provider provider);
The call above creates an instance of the SunJSSE provider's PKIX trust manager factory. This factory can then be used to create trust managers that provide X.509 PKIX-based certification path validity checking.
When initializing an SSLContext, you can use trust managers created from a trust manager factory, or you can write your own trust manager, perhaps using the CertPath API. You do not need to use a trust manager factory if you implement a trust manager using the X509TrustManager interface.
A newly created factory should be initialized by calling one of the init methods:
public void init(KeyStore ks);
public void init(ManagerFactoryParameters spec);
// Wrap the PKIX parameters (pkixParams, built beforehand) as trust manager parameters
ManagerFactoryParameters trustParams =
    new CertPathTrustManagerParameters(pkixParams);
// Create a TrustManagerFactory for PKIX-based trust managers
TrustManagerFactory factory = TrustManagerFactory.getInstance("PKIX");
// Pass the parameters to the factory, to be passed on to the CertPath implementation
factory.init(trustParams);
// Use the factory
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, factory.getTrustManagers(), null);
If the init(KeyStore ks) method is used, the default PKIX parameters are used, with the exception that revocation checking is disabled. It can be enabled by setting the system property com.sun.net.ssl.checkRevocation to true. Note that this setting requires the CertPath implementation to be able to locate revocation information by itself. The PKIX implementation in the SUN provider can do this in many cases, but it requires the system property com.sun.security.enableCRLDP to be set to true.
II.3.4 X509TrustManager Interface :
The javax.net.ssl.X509TrustManager interface extends the basic TrustManager interface. This interface must be implemented by a trust manager when X.509-based authentication is used.
To support X.509 authentication of remote socket peers through JSSE, an instance of this interface must be passed to the init method of an SSLContext object.
Creating an X509TrustManager
You can either implement this interface directly yourself or obtain one from a provider-based TrustManagerFactory (such as the one supplied by the SunJSSE provider). You can also implement your own interface that delegates to a factory-generated trust manager. For example, you might do this to filter the resulting trust decisions and query an end user through a graphical user interface.
Note: if a null KeyStore parameter is passed to the SunJSSE SunX509 or SunPKIX TrustManagerFactory, the factory uses the following steps to try to find the trust material:
1. If the system property:
javax.net.ssl.trustStore
is defined, the TrustManagerFactory attempts to find a file using the file name specified by that system property, and uses that file for the KeyStore. If the system property javax.net.ssl.trustStorePassword is also defined, its value is used to check the integrity of the data in the truststore before opening it.
If javax.net.ssl.trustStore is defined but the specified file does not exist, a default TrustManager that uses an empty keystore is created.
2. If the system property javax.net.ssl.trustStore is not specified, then if the file:
<java-home>/lib/security/jssecacerts
exists, that file is used.
3. If the file:
<java-home>/lib/security/cacerts
exists, that file is used.
Once you have created such a trust manager, assign it to an SSLContext through the init method. SocketFactories created from this SSLContext in the future will use your new TrustManager when making trust decisions.
TrustManager[] myTMs = new TrustManager[] { new MyX509TrustManager() };
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, myTMs, null);
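A trust manager that delegates to a factory-generated one and then filters its decisions, as described in the X509TrustManager section, can look like the following added example (not code from the original document). The class name FilteringX509TrustManager is hypothetical, and rejecting MD2withRSA and MD5withRSA signatures is an example policy; the filter can only narrow what the PKIX trust manager already accepted, never widen it.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Locale;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Delegates path validation to the default PKIX trust manager, then applies an extra filter. */
public class FilteringX509TrustManager implements X509TrustManager {
    private final X509TrustManager delegate;

    public FilteringX509TrustManager() throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init((KeyStore) null);   // null KeyStore: the factory looks up the default trust material
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (found == null && tm instanceof X509TrustManager) found = (X509TrustManager) tm;
        }
        if (found == null) throw new GeneralSecurityException("no X509TrustManager available");
        delegate = found;
    }

    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.checkClientTrusted(chain, authType);   // throws if the chain is not trusted
        rejectWeakSignatures(chain);
    }

    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.checkServerTrusted(chain, authType);   // throws if the chain is not trusted
        rejectWeakSignatures(chain);
    }

    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }

    // Example policy: refuse any presented certificate signed with an MD2- or MD5-based algorithm
    static void rejectWeakSignatures(X509Certificate[] chain) throws CertificateException {
        for (X509Certificate cert : chain) {
            String alg = cert.getSigAlgName().toUpperCase(Locale.ROOT);
            if (alg.startsWith("MD2") || alg.startsWith("MD5")) {
                throw new CertificateException("weak signature algorithm " + alg
                        + " on " + cert.getSubjectX500Principal());
            }
        }
    }

    public static SSLContext newContext() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new FilteringX509TrustManager() }, null);
        return ctx;
    }
}
```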
supports authentication based on X.509 public key certificates. Some secure socket implementations may also support authentication based on shared secret keys, Kerberos, or other mechanisms.
KeyManagers are created either by a KeyManagerFactory or by providing a concrete implementation of the interface.
II.3.6 The KeyManagerFactory class :
javax.net.ssl.KeyManagerFactory is an engine class for a provider-based service that acts as a factory for one or more types of KeyManager objects. The SunJSSE provider implements a factory that can return a basic X.509 key manager. Because it is provider-based, additional factories can be implemented and configured to provide additional or alternate key managers.
Creating a KeyManagerFactory
You create an instance of this class in a similar way to SSLContext, except that you pass an algorithm name string instead of a protocol name to the getInstance method:
public static KeyManagerFactory getInstance(String algorithm);
public static KeyManagerFactory getInstance(String algorithm, String provider);
public static KeyManagerFactory getInstance(String algorithm, Provider provider);
Some factories can provide access to authentication material without having to be initialized with a KeyStore object or any other parameters. For example, they may access key material as part of a login mechanism such as one based on JAAS (Java Authentication and Authorization Service).
As indicated above, the SunJSSE provider supports a SunX509 factory that must be initialized with a KeyStore parameter.
II.3.7 X509KeyManager Interface :
The javax.net.ssl.X509KeyManager interface extends the basic KeyManager interface. It must be implemented by a key manager for X.509-based authentication. To support X.509 authentication to remote socket peers through JSSE, an instance of this interface must be passed to the init method of an SSLContext object.
Creating an X509KeyManager:
You can either implement this interface directly or obtain one from a provider-based KeyManagerFactory (such as the one supplied by the SunJSSE provider). You can also implement your own that delegates to a factory-generated key manager. For example, you might do this to filter the resulting keys and query an end user through a graphical user interface.
Note: if no KeyStore parameter is passed to the SunJSSE default SunX509 KeyManagerFactory, the factory tries to find the key material by consulting the system properties:
javax.net.ssl.keyStore
javax.net.ssl.keyStorePassword
Function
Determines whether the remote authentication credentials (and thus the connection) should be trusted.
Determines which authentication credentials to send to the remote host.
HttpsURLConnection urlc = (HttpsURLConnection)
    (new URL("https://www.sun.com/")).openConnection();
urlc.setHostnameVerifier(new MyHostnameVerifier());
II.4.7 The X509Certificate class :
Many secure socket protocols perform authentication using public key certificates, also called X.509 certificates. This is the default authentication mechanism for the SSL and TLS protocols.
The java.security.cert.X509Certificate abstract class provides a standard way to access the attributes of X.509 certificates.
Note: the javax.security.cert.X509Certificate class is supported only for backward compatibility with earlier versions (1.0.x, 1.1.x) of JSSE. New applications should use java.security.cert.X509Certificate, not javax.security.cert.X509Certificate.
Chapter III :
At this point the attacker uses two keys, one key to communicate with the Client and the other to communicate with the Server. Neither the Client nor the Server notices any abnormal change.
Chapter IV :
Port | Description
261 | IIOP service over TLS/SSL
443 | HTTP over TLS/SSL
465 | SMTP over TLS/SSL
563 | NNTP over TLS/SSL
636 | LDAP over TLS/SSL
989 | FTP data over TLS/SSL
990 | FTP control over TLS/SSL
992 | TELNET over TLS/SSL
994 | IRC over TLS/SSL
995 | POP3 over TLS/SSL
Besides some of the common present-day applications of SSL, such as securing the Remote Desktop Protocol for Terminal Service connections, HTTP for Outlook Web Access, or SMTP/IMAP/POP3 for mail, an important application of SSL that cannot go unmentioned is SSL VPN. This is why not only are hardware network equipment vendors racing to develop products that support SSL VPN, but software vendors such as Microsoft have also brought it into their Windows Server 2008 and Windows Vista Service Pack 1 products with the Secure Socket Tunneling Protocol (SSTP) mechanism.
SSTP is a client-to-gateway VPN connection mechanism that uses HTTP over Secure Socket Layer (HTTP over SSL) on port 443. Normally, in today's networks, firewalls and proxy servers alike allow HTTP and HTTPS access. Therefore, wherever they are, client machines can establish a VPN connection using SSTP, with the packets protected by SSL encryption.
SSTP has built-in NAP support to better protect network resources by enforcing system health policies.
SSTP supports IPv6: the SSTP tunnel and IPv6 are based on an SSTP connection made over IPv6.
In addition, SSTP establishes a single HTTP over SSL session from the SSTP client to the SSTP server. Using HTTP over an SSL session reduces cost and gives better load balancing.
SSTP does not support site-to-site.
The following table briefly compares SSTP with the two VPN mechanisms in common use today, PPTP and L2TP/IPSec:
Attribute
Connection type
Fixed
L2TP/IPSec
Fixed
Temporary
Device type
Managed
Managed
Unmanaged
Details
Suitable connection type
Client-to-Site
Site-to-Site
Client-to-Site
Client requirement
Client software
Client software
Browser
Firewall/NAT compatibility
Poor
Poor
Good
Encapsulation
GRE
Encryption mechanism
L2TP
SSTP
Authentication mechanism
Radius, CHAP, PAP, MS-CHAP, MS-MAP
Certificate required to set up the VPN tunnel
No
Certificates of both the VPN server and the client
Applications
All IP-based applications
All IP-based applications
Tunnel maintenance protocol
PPTP
SSTP
=> Paste the content into Paste Certificate Signing Request (CSR), choose Microsoft as the Server Platform and IIS 6.0 as the version, and choose Web Server as the purpose of this certificate
=> Set a secret question and its answer (these only matter if you later want to come back and edit the information about this certificate)
=> Review the summary and acceptance
=> Finish
=> OK