
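Graduate student: 曾建禎 (Chien-Chen Tseng)
Thesis title: A Novel Image Recognition CAPTCHA Applicable to Cloud Computing Authentication (適用於雲端運算身份辨識的創新圖形化人機識別機制)
Advisors: 鄭博仁 (Albert B. Jeng), 曾德峰 (Der-Feng Tseng)
Oral defense committee: 李漢銘 (Hahn-Ming Lee), 張立中 (Li-Chung Chang)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Electrical Engineering
Year of publication: 2011
Academic year of graduation: 99
Language: Chinese
Number of pages: 74
Keywords (Chinese): cloud computing, identity authentication and access control, graphical CAPTCHA
Keywords (English): IAM, Authentication, Image Recognition CAPTCHA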
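  • This thesis mainly investigates identity and access management and authentication techniques suitable for cloud computing environments, focusing on countering many of the malicious attacks seen in the cloud, such as botnets, phishing sites, denial-of-service attacks, and so on. We improve the human-machine identification mechanism (CAPTCHA), which is mainly used against spam and automated program attacks, by adding graphical challenges and a personalized authentication mechanism, and by using image hash values to verify the user's response message, in order to raise the security of identity authentication. Finally, we integrate this novel graphical CAPTCHA with a one-time password mechanism as a secure authentication technique for cloud computing.
    First, in Chapter 2 we introduce the identity authentication and access management techniques currently applied in cloud computing, including the authentication services developed by the large cloud service providers Microsoft and Google and a brief introduction to one-time passwords. In Chapter 3 we introduce how CAPTCHAs are designed and analyze their security flaws, and propose remedies for the various security attacks. Chapter 4 briefly introduces how image hashing is done. We then analyze the various graphical CAPTCHAs in Chapter 5, and in Chapter 6 we propose a novel graphical CAPTCHA that also uses image hash values to verify the user's response message, and analyze its security and practicality. Finally, we integrate one-time passwords with the graphical CAPTCHA as an identity authentication technique for cloud computing; future research will continue in this direction and study preventive and remedial measures against various artificial intelligence attacks.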


    This paper discusses identity management, access control and authentication technology applicable to cloud computing environments, with a special focus on defending against many malicious attacks in the cloud, such as botnets, phishing and denial-of-service attacks. We enhanced the CAPTCHA system, which is commonly used to defeat spam and automated program attacks, and added graphical challenges and personal authentication mechanisms to increase its security, usability, robustness and user-friendliness. Furthermore, we deployed an image hashing technique which could accurately verify the correctness of a user's response message and mitigate “random guess” attacks in order to improve authentication security. Finally, we combined this novel image recognition CAPTCHA with the one-time password mechanism as a recommended authentication technology for cloud computing.

    In Chapter 2, we first introduced some well-known IAM technologies, such as the Google and Microsoft authentication solutions in the cloud and the one-time password (OTP) mechanism, which is more secure than traditional static passwords. Then we gave an overview of CAPTCHA in Chapter 3, including a discussion of threats to and attacks on CAPTCHA systems and some remedies for those attacks. In Chapter 4, we presented DWT and SVD image hashing algorithms. We analyzed all kinds of image recognition CAPTCHAs in Chapter 5. Then we proposed a novel image recognition CAPTCHA and compared its security and usability with other image recognition CAPTCHAs in Chapter 6. Finally, we combined the one-time password scheme with an image recognition CAPTCHA embedded with an image hashing algorithm as the recommended cloud authentication technology. We concluded that future research on cloud IAM should focus on defeating more sophisticated state-of-the-art security attacks (e.g. artificial-intelligence-based attacks) in addition to the so-called “no-effort” random guess attacks.

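    Abstract (Chinese)
    Abstract (English)
    Acknowledgements
    Chapter 1: Introduction
      1.1. Research Motivation
    Chapter 2: Overview of Identity and Access Control Methods in Cloud Computing Environments
      2.1. Introduction to Single Sign-On Technologies in Cloud Computing Environments
      2.2. Security Weaknesses of and Attacks on Single Sign-On
      2.3. Introduction to One-Time Passwords
    Chapter 3: Introduction to and Analysis of Automated Human-Machine Identification Mechanisms
      3.1. Background
      3.2. CAPTCHA Weaknesses, Attacks and Threats
      3.3. Design Guidelines
    Chapter 4: Introduction to Image Hashing
      4.1. SVD-Based Image Hashing Algorithm
      4.2. DWT-Based Image Hashing Algorithm
    Chapter 5: Image Recognition CAPTCHA
      5.1. Discussion of Existing IRCs
      5.2. IRC Design Guidelines and Recommendations
    Chapter 6: Design & Implement IRC with Image Rotation
      6.1. System Architecture
      6.2. Image Recognition CAPTCHA Verification Procedure
      6.3. Image Hash Verification Procedure
        6.3.1. Test Tools and Environment
        6.3.2. Experimental Data
      6.4. Security Analysis
      6.5. Performance Evaluation
    Chapter 7: Conclusions and Future Research Directions
    Acknowledgement
    References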
