
Please use this identifier to cite or link to this item: http://ir.lib.stu.edu.tw:80/ir/handle/310903100/1297

Title: Research and Implementation of One-Time Password Authentication (一次性通行碼認證之研究與實作)
Authors: Chiang-Jiun Shie (謝鉛俊)
Contributors: Chun-Li Lin
Department of Computer Science and Information Engineering
Keywords: one-time password; password authentication; hash function
Date: 2005
Issue Date: 2011-05-24 15:12:09 (UTC+8)
Publisher: Kaohsiung City: [Shu-Te University, Department of Computer Science and Information Engineering]
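Abstract: Remote user authentication is very important on the Internet; through authentication, a server can filter out illegitimate users. In the open Internet environment, password-based authentication is the most commonly used mechanism. However, traditional password-based schemes rely on a static password: the password a user presents is the same fixed value every time, so an attacker can impersonate a legitimate user through replay attacks, guessing attacks and similar methods. Researchers therefore proposed authenticating users with dynamic (one-time) passwords. The advantage of a dynamic password is that it differs on every use and is used only once, so even if an attacker obtains the current password by some means, the same password cannot be used in the future to impersonate the legitimate user.
Passwords fall into two types, weak passwords and strong passwords. A weak password is one the user chooses because it is easy to remember; it is convenient but cannot resist guessing attacks, which are easy to mount. A strong password is a well-chosen one (high in randomness and hard to guess). Strong passwords are difficult for users to remember, so schemes that use them place the strong password in a storage device (for example, a smart card), but their security then depends on that storage device.
The concept of one-time password authentication was first proposed by Lamport in 1981. The scheme is based on low-complexity hash functions, so it has the advantages of low computation and low implementation cost, but later researchers pointed out security flaws in it and successively proposed other authentication schemes based on one-time passwords, such as S/KEY and CINON. Because the early one-time password authentication schemes did not enforce the use of strong passwords, they were vulnerable to brute-force and guessing attacks, so the schemes proposed later all enforce strong passwords. Although these schemes can resist brute-force and guessing attacks, they cannot resist some known attacks, such as man-in-the-middle, impersonation and stolen-verifier attacks.
This thesis gives a complete analysis and comparison of the one-time password authentication schemes proposed by researchers in Taiwan and abroad, and then proposes its own one-time password authentication scheme. The proposed scheme effectively resists all known attacks and needs only low-complexity hash functions and XOR operations, which makes it suitable for devices with low computing power. Finally, the proposed scheme is implemented on a smart card.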
In the Internet environment, user authentication is very important. A server can keep out illegitimate users by authenticating users. Password-based schemes are the most commonly used method of authentication on the Internet. However, conventional password authentication schemes use a static password, so attackers may impersonate a legitimate user with a replay or guessing attack. For this reason, user authentication systems based on OTP (One-Time Password) have been proposed. One-time password authentication systems change the verifier every time by sending the present verifier along with the next verifier. Therefore, attackers cannot impersonate a legitimate user with a verifier that has already been used.

There are two kinds of password, weak passwords and strong passwords. A weak password, which the user typically chooses because it is easy to remember, cannot resist guessing attacks. A strong password is one that is well chosen, random and hard to guess. A strong password is too hard to remember, so it must be stored in a tamper-resistant hardware device, such as a smart card.

In 1981, Lamport first proposed a one-time password method based on low-computation hash functions, but this method has problems. To solve these problems, many one-time password authentication methods have been proposed, such as S/KEY and CINON. Earlier one-time password methods did not force users to use strong passwords, so these methods are unable to resist brute-force and guessing attacks. Since then, many one-time password authentication methods that use strong passwords have been proposed. These methods can resist brute-force and guessing attacks, but none of them can resist all well-known attacks, such as man-in-the-middle, impersonation and stolen-verifier attacks.

In this thesis, we review one-time password methods. We then propose a secure, low-computation one-time password method that can resist all well-known attacks. Finally, we implement this method on a smart card.
Appears in Collections: [Department of Computer Science and Information Engineering] Theses and Dissertations

Files in This Item:

File | Description | Size | Format
一次性通行碼認證之研究與實作__臺灣博碩士論文知識加值系統.htm | National Central Library | 99Kb | HTML | 685


All items in STUAIR are protected by copyright, with all rights reserved.

 

