| Student | 莊明雄 Chuang Ming Shiung |
|---|---|
| Thesis title | 適用於非同質化符記證書應用之授權式區塊鏈資安管理框架 (A Cybersecurity Management Framework for Permissioned Blockchain-based NFT Certificate Applications) |
| Advisor | 查士朝 Shi-Cho Cha |
| Committee | 吳宗成 Tzong-Chen Wu, 羅乃維 Nai-Wei Lo, 葉國暉 Yeh Kuo-Hui, 左瑞麟 Raylin Tso |
| Degree | Doctor (博士) |
| Department | 管理學院 - 資訊管理系 (College of Management, Department of Information Management) |
| Year published | 2022 |
| Academic year of graduation | 110 |
| Language | Chinese |
| Pages | 68 |
| Chinese keywords | 授權式區塊鏈, 非同質化符記證書, 區塊鏈安全, 資安風險評估 (permissioned blockchain, NFT certificate, blockchain security, information security risk assessment) |
| Foreign keywords | permissioned blockchain, NFT, cyber security, blockchain risk evaluation |
| Usage | Views: 265, Downloads: 1 |
Because blockchain technology offers decentralization, high availability, and protection against data tampering, many industries have begun developing blockchain-based applications. In particular, applications such as Non-Fungible Token (NFT) certificates are regarded as one of the representative applications of the next generation of the Internet (Web3). However, when the underlying blockchain is implemented by one or several organizations or enterprises in the form of a permissioned blockchain, the number of participants is usually far smaller than that of a public chain, so these participants must be required to comply with certain security rules in order to reduce the chance that the carelessness or malice of a few participants disrupts the operation of the whole blockchain. Yet in recent years no international security standard aimed at permissioned blockchain applications has appeared, so an information security management framework that governs permissioned blockchain applications is needed.
Drawing on today's mainstream information security management framework standards, this study formulates an information security management framework for NFT certificate applications built on permissioned blockchains. The framework lays out 34 security controls across six dimensions: perimeter security, host security, node and network security, consensus protocol security, application security, and organizational security. It is evaluated with example scenarios to show how the proposed framework can control the related information security risks. The contributions of this thesis are: (1) establishing guidance for an information security management framework for issuing NFT certificates on a permissioned blockchain; and (2) using example scenarios to show what participants in different roles should do when adopting the framework. In this way, when an enterprise or organization uses a permissioned blockchain architecture to provide NFT certificate applications, it can apply this framework to strengthen information security.
Because blockchain technology has the characteristics of decentralization, high availability, and prevention of data tampering, many industries are currently beginning to develop blockchain-based applications. In particular, applications such as Non-Fungible Tokens (NFTs) are regarded as one of the representative applications of the next generation of the Internet (Web3). However, when the underlying layer of the blockchain is implemented by one or more organizations as a permissioned blockchain, the number of participants is usually much smaller than that of a public blockchain. Therefore, it is necessary to require these participants to meet certain security requirements. To the best of our knowledge, there is currently no international security standard for permissioned blockchain applications. For this reason, an information security management framework that standardizes permissioned blockchain applications is necessary.
This study refers to the current mainstream information security management framework standards and develops a cybersecurity management framework for permissioned blockchain-based NFT certificate applications. The framework defines 34 security controls across six levels: perimeter security, host security, node management and network security, consensus mechanism security, application security, and organizational security. It is evaluated in example scenarios to show how the framework proposed in this study can control related information security risks. The contributions of this study are to: (1) establish guidelines for an information security management framework for the issuance of NFT certificates on a permissioned blockchain; and (2) illustrate, with example scenarios, how the proposed framework can be used to improve the security of NFT certificate applications. To sum up, the proposed framework can hopefully improve the security of permissioned blockchain-based NFT certificate applications.