| Author: | 林斯瑜 Szu-yu Lin |
|---|---|
| Thesis Title: | 針對在雲端運算頻外一次性密碼雙因子認證之安全改善 (Enhancing the security of out-of-band one-time password two factor authentication in cloud computing) |
| Advisor: | 鄭博仁 Albert B. Jeng, 張立中 Li-Chung Chang |
| Committee: | 李漢銘 Hahn-Ming Lee, 曾德峰 Der-Feng Tseng |
| Degree: | Master |
| Department: | College of Electrical Engineering and Computer Science - Department of Electrical Engineering |
| Thesis Publication Year: | 2011 |
| Graduation Academic Year: | 99 |
| Language: | Chinese |
| Keywords (in Chinese): | 一次性密碼 (one-time password), 雙通道 (dual channel), 認證 (authentication), IAM, 簡訊釣魚 (SMS phishing), CAPTCHA |
| Keywords (in other languages): | OTP, dual channel, authentication, IAM, SMS phishing, CAPTCHA |
With advances in technology, the Internet has become an irreplaceable part of people's lives: social activities, online shopping, online funds transfers and stock trading can all be carried out over the Internet. This convenience has led more and more people to establish their own online identities (represented by an account and a password). Besides ordinary users, many businesses have also moved online to build their customer base. To manage their customers effectively and verify each customer's identity correctly, Identity and Access Management (IAM) mechanisms have emerged. Under such a mechanism, an enterprise lets users who wish to use its services or buy its products become members of its website and confirms each user's identity through that membership system: the user creates a personal account and password, and on the next login the enterprise server authenticates the user by checking whether the submitted credentials match the contents of the server's database. However, in today's Internet era a plain account-and-password scheme is no longer sufficient for an online enterprise to identify its users. With hackers now rampant, once a hacker obtains a user's account and password through malware, the hacker can freely impersonate that user to use any service without the enterprise noticing, causing great harm to the user's privacy, money and rights. To effectively prevent hackers from impersonating users, the traditional username-and-password authentication mechanism is inadequate; it is being replaced by strong authentication. Strong authentication means multi-factor authentication, which combines something you have, something you know, and something you are (biometrics).
Many one-time password (OTP) mechanisms based on dual-channel (out-of-band) authentication have been published; they use SMS messages and phone calls as an additional layer of security. In this thesis we classify these OTP mechanisms into categories such as hardware-based, software-based, cryptographic and non-cryptographic, analyse the strengths and weaknesses of each, and present comparison tables. However, many attacks against such dual-channel mechanisms have also been published, for example SMS flooding, SMS interception and SMS phishing. In the coming cybercrime trend these attacks will threaten dual-channel authentication and expose its weaknesses. Finally, in light of these cybercrime trends we propose some remedial measures and recommendations for existing dual-channel, two-factor authentication mechanisms.
Thanks to advances in technology, the Internet has become an irreplaceable part of daily life: social activities, online payment, online transfers and stock trading can all be completed over the Internet. Because of this convenience, more and more people are creating their own Internet identities. Besides ordinary users, enterprises are also moving onto the Internet for profit. To manage clients efficiently, Identity and Access Management (IAM) has been developed. Under this mechanism, an enterprise lets users access its website through a membership system so that each user can be identified correctly: once users have their own account and password, the IAM system compares what the user submits at login against the account and password stored on the server. Nowadays, an account-and-password pair has become a weak tool for user authentication, because hackers have ways to break this protection. A hacker can impersonate an authorized user to access the website and use any service for profit without the enterprise being aware of it, which is a huge damage whether to privacy or money. It therefore goes without saying that traditional account-and-password pairs are not strong enough to protect a user's identity. To prevent hackers from easily impersonating an authorized user, strong authentication has been developed. Strong authentication means that user authentication relies on two or more factors, including something you have, something you know and something you are. Accordingly, more and more one-time password mechanisms based on out-of-band authentication have been developed; they use the cell phone as a second channel that adds a layer of security.
In this thesis we divide these mechanisms into different types, such as software-based, hardware-based, cryptographic and non-cryptographic one-time password mechanisms, and on that basis compare the pros and cons of out-of-band authentication. Many attacks on out-of-band authentication have been proposed, such as phone flooding, SMS interception and SMS phishing. In the future cybercrime trend, these attacks will become a threat to out-of-band authentication. Based on these attacks, we propose a set of remedy recommendations for existing out-of-band two-factor authentication solutions to deal with the new cybercrime trend.