RC Version 4.0 © Powered By DSPACE, MIT. Enhanced by NTU Library IR team.

Please use this identifier to cite or link to this item: http://ir.lib.stu.edu.tw:80/ir/handle/310903100/1261

Title: The research on robustness and practicability of the one-time password authentication (original title: 一次性通行碼認證機制之強健性與實用性研究)
Authors: Ming-Her Cheng (鄭明和)
Contributors: Chun-Li Lin; Department of Computer Science and Information Engineering
Keywords: One-time password; Theft attack; Mutual authentication; Phishing; Off-line token
Date: 2008
Issue Date: 2011-05-24 15:12:03 (UTC+8)
Publisher: Kaohsiung City: [Department of Computer Science and Information Engineering, Shu-Te University]
Abstract (translated from the Chinese): One-Time Password (OTP) is an authentication mechanism based on single-use passcodes. As the name implies, each login uses different "authentication data" to enter the system, so the content transmitted during authentication (the passcode) differs every time; its greatest advantage is that it defeats replay attacks. Because the authentication content differs each time, the user and the server must share an agreed mechanism for computing the varying authentication content in order to confirm each other's identity. Where necessary, both the user and the server must also store some information (the verifier) for the authentication comparison.
To confirm the identities of user and server securely, the authentication protocol must be robust enough to withstand the attacker's various attack methods. Among current attacks, the hardest to overcome is a theft attack against the server: once the secret key stored on the server side is stolen, the attacker can impersonate the user, log in to the server, obtain the user's private data and even gain improper benefits. This thesis therefore proposes an OTP mutual authentication protocol based on a reverse hash chain to overcome the theft attack, and a pre-computation technique to reduce the computational burden of the hash chain.
Furthermore, with the rapid growth of the Internet, online transactions give users a convenient channel for commerce. Current online banks authenticate with an SSL connection plus a user-chosen account name and password; some banks additionally rely on one-time passcodes produced by a dedicated off-line passcode generator (Off-Line Token) to counter keyloggers and Trojan horses. These measures, however, cannot effectively resist phishing attacks. This thesis proposes a challenge-response OTP mutual authentication mechanism that ensures the passcode captured by a phisher is useless, thereby indirectly defeating phishing; at the same time it replaces the traditional Off-Line Token with a widely available mobile computing device (such as a mobile phone or PDA), which both lowers the cost of the token and improves convenience for the user. This OTP mechanism can be applied very practically to the login systems of online banking, online games and the like.
Abstract (English): One-Time Password (OTP), which is a disposable password, is a technique of user authentication. In each login, the user must use a different password to enter the system. Because the passwords differ, the OTP technique has the benefit of protecting the system from replay attacks during the authentication exchange. Because the password used for verification is different in each authentication session, the user and the server must have an agreed mechanism to compute the variable password for authenticating each other. Moreover, the user and the server must store some information, the so-called verifier, to support the authentication process.
To verify identity between the user and the server, the authentication protocol must be robust enough to withstand any attack method. Among present attack techniques, the most difficult to solve is the server-side theft attack: once the server's secret key has been stolen, the attacker can use the stolen information to impersonate the user, log in to the server, and even obtain improper benefits. This thesis proposes an OTP mutual authentication protocol that uses a reverse hash chain to resist the theft attack. We also use a pre-computation technique to reduce the overhead of computing the hash chain.
Recently, the Internet has provided users with a convenient way to transact. For security, online banks use the SSL protocol to protect the user's account number and password during authentication. Several banks even use a dedicated off-line password generator (Off-Line Token) to counter key loggers and Trojan horse attacks. But those methods cannot effectively prevent phishing attacks.
This thesis proposes a challenge-response OTP authentication protocol which guarantees that a password stolen by the phisher is invalid, and hence indirectly prevents phishing attacks. The proposed protocol also uses a popular mobile device (for example, a cell phone or PDA) to replace the traditional Off-Line Token. This replacement not only reduces the cost of the token but also increases practicability. The proposed protocol is very practical and can be used for the login systems of online banks and online games.
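As an added illustration (not code from the thesis), a Lamport-style reverse hash chain of the kind the abstract refers to: the server keeps only the current link h^i(s), so a record stolen from the server yields neither the seed nor the next OTP without inverting h, and the client's cached checkpoints show one possible pre-computation strategy. SHA-256, the chain length, the checkpoint spacing and the class layout are assumptions; the thesis's mutual-authentication and challenge-response parts are not modelled.

```python
import hashlib


def h(data: bytes) -> bytes:
    """One link of the chain; SHA-256 is an assumption, the thesis does not fix the hash."""
    return hashlib.sha256(data).digest()


def apply_n(x: bytes, k: int) -> bytes:
    """Apply h k times: apply_n(s, k) == h^k(s)."""
    for _ in range(k):
        x = h(x)
    return x


class Client:
    """Keeps the seed s and spends the chain backwards: h^(n-1)(s), h^(n-2)(s), ..."""

    def __init__(self, seed: bytes, n: int, step: int):
        self.step, self.next_index = step, n - 1
        # Pre-computation (one illustrative strategy): cache every step-th link so a
        # single OTP costs at most step-1 hashes instead of up to n-1.
        self.checkpoints, x = {}, seed
        for i in range(n + 1):
            if i % step == 0:
                self.checkpoints[i] = x
            x = h(x)

    def next_otp(self) -> tuple[bytes, int]:
        i = self.next_index
        if i < 0:
            raise RuntimeError("chain exhausted: enrol a fresh seed")
        base = (i // self.step) * self.step
        self.next_index -= 1
        return apply_n(self.checkpoints[base], i - base), i - base  # (otp, hashes used)


class Server:
    """Stores only the current verifier h^i(s); the seed never leaves the client."""

    def __init__(self, verifier: bytes, remaining: int):
        self.verifier, self.remaining = verifier, remaining

    def verify(self, otp: bytes) -> bool:
        # Accept x only if h(x) equals the stored link, then move the verifier one link down.
        if self.remaining > 0 and h(otp) == self.verifier:
            self.verifier, self.remaining = otp, self.remaining - 1
            return True
        return False


def enroll(seed: bytes, n: int, step: int = 8):
    """Registration: the server receives h^n(s) and the chain length, nothing else."""
    return Client(seed, n, step), Server(apply_n(seed, n), n)
```

A thief who copies the server record holds only h^i(s); presenting it as a login fails because h(h^i(s)) is not h^i(s), and deriving h^(i-1)(s) from it would require a preimage of h.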
Appears in Collections: [Department (Institute) of Computer Science and Information Engineering] Master's and doctoral theses

Files in This Item:

File: 一次性通行碼認證機制之強健性與實用性研究__臺灣博碩士論文知識加值系統.htm
Description: 國圖 (National Central Library)
Size: 104Kb
Format: HTML
Access count: 619 (View/Open)


All items in STUAIR are protected by copyright, with all rights reserved.


Copyright policy statement:

1. The digital content on this website is the institutional repository collected by Shu-Te University, provided free of charge for public-interest purposes such as academic research and public education. Please nonetheless use the content of this website moderately and fairly, respecting the rights of copyright holders. For commercial use, please first obtain authorization from the copyright holder.

2. In building this website, every effort has been made to avoid infringing the rights of copyright holders. If any digital content on this website is nevertheless found to infringe a copyright holder's rights, the rights holder is asked to notify the university's maintenance staff (clairhsu@stu.edu.tw); the maintenance staff will immediately take remedial measures such as removing the digital work concerned.
 