Graduate student: | 王信翔 Shin-Shiang Wang |
---|---|
Thesis title: | 智慧型手機應用程式 DTLS 安全連線設定之自動測試機制之設計與實作 On the Design and Implementation Automatic Tools to Analyze DTLS Communication Security between Smartphone Applications and Remote Servers |
Advisor: | 查士朝 Shi-Cho Cha |
Oral defense committee: | 葉國暉 Kuo-Hui Yeh, 鄭欣明 Shin-Ming Cheng |
Degree: | Master |
Department: | School of Management - Department of Information Management |
Year of publication: | 2016 |
Academic year of graduation: | 104 |
Language: | Chinese |
Number of pages: | 42 |
Keywords (Chinese): | CoAP, DTLS, man-in-the-middle (MitM) |
Keywords (English): | CoAP, DTLS, MitM |
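With the rise of Internet of Things (IoT) technologies, many IoT applications have appeared. Because IoT devices have limited resources, and in order to reduce the cost of transmitting data such as headers, these applications do not communicate with IoT devices directly through HTTP-based REST; instead they adopt CoAP, a protocol redesigned on top of UDP. Because CoAP is based on UDP, secure connections must be established with DTLS or a similar mechanism.
However, there is currently no tool for analyzing the connection security of DTLS. If a developer's use of DTLS results in a flawed design, the application may be exposed to man-in-the-middle attacks. In view of this, this study proposes a way to analyze whether a DTLS connection can withstand the threat of man-in-the-middle attacks, assessing the security of the connection by analyzing whether methods such as forged certificates can be used against it. This helps improve the security of IoT applications that adopt DTLS.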
With advances in Internet of Things (IoT) technology, more and more organizations are willing and able to deploy IoT applications. Communicating with IoT devices plays an important role in IoT applications. However, because of resource constraints, IoT devices usually use the UDP-based CoAP protocol to communicate with smartphones, servers, or other devices rather than traditional REST-like (or HTTP-based) protocols. Since CoAP is implemented over UDP, it adopts DTLS for communication.
To the best of our knowledge, there is no tool to analyze whether an IoT device uses DTLS correctly. As a result, IoT application users may suffer man-in-the-middle attacks, which allow malicious parties to steal the users' sensitive data. Therefore, this study proposes a system to analyze the DTLS security of IoT applications. Since the proposed system can discover whether an IoT device is vulnerable to man-in-the-middle attacks, this study can contribute to improving the security of IoT applications.