簡易檢索 / 詳目顯示
| 研究生: |
紀彥興 Yan-Sing Ji |
|---|---|
| 論文名稱: |
基於 Java Card 的 FIDO2 隱私保護身分鑑別機制之設計與實作 Design and Implementation of a Privacy Preserving FIDO2 Authentication Mechanism with Java Card |
| 指導教授: |
查士朝
Shi-Cho Cha |
| 口試委員: |
林俊叡
Raymund Lin 黃政嘉 Jheng-Jia Huang |
| 學位類別: |
碩士 Master |
| 系所名稱: |
管理學院 - 資訊管理系 Department of Information Management |
| 論文出版年: | 2023 |
| 畢業學年度: | 112 |
| 語文別: | 中文 |
| 論文頁數: | 46 |
| 中文關鍵詞: | 數位身分識別證 、匿名鑑別 、FIDO2 、WebAuthn 、CTAP2 |
| 外文關鍵詞: | eID, Anonymous Authentication, FIDO2, WebAuthn, CTAP2 |
| 相關次數: | 點閱:121 下載:16 |
| 分享至: |
| 查詢本校圖書館目錄 查詢臺灣博碩士論文知識加值系統 勘誤回報 |
近年政府的數位化來隨著網頁服務的蓬勃發展,身分鑑別的需求也與日俱增,除了一般的身分鑑別機制,也會用自然人憑證或是健保卡等智慧卡,來提升民眾使用遠端服務時的身分保證強度。然而當使用這些卡片進行身分鑑別時,雖然都會基於ISO 7816的標準進行資料交換,但各種卡片都會有自己的訊息規格,並且前端網頁程式無法透過瀏覽器存取卡片,因此需要安裝專用的軟體元件,才能讓網頁服務與卡片進行互動。而為了要支援跨瀏覽器的網頁應用,這些元件就成為了駭客們所覬覦的目標。
此時FIDO聯盟與W3C共同推出的FIDO2與WebAuthn標準,能夠使瀏覽器透過標準的介面直接與卡片通訊,不需要額外的卡片支援元件,然而FIDO2標準本身只有鑑別使用者的數位身分,並未考慮到使用者身分資訊的確認與提供,需要將身分資訊的提供也一併納入考量。
本研究提出以目前發卡時會確認使用者身分的卡片,讓這些卡片能夠支援FIDO2,並且在現今瀏覽器都支援的情況下,可以不需要另外安裝程式的作法。此外,能夠考量到使用者的隱私,將卡片回傳的身分鑑別資訊匿名化,避免揭露非必要的資訊。也就是網頁服務須以匿名的身分鑑別資訊向身分提供者詢問,才能取得使用者身分真實性。最後依據此運行機制實作一雛型系統,驗證可行性並對其進行效能分析與安全性分析。
In recent years, with the flourishing development of web services, the government's digitization has led to an increasing demand for identity verification. Smart cards such as the Citizen Digital Certificate or National Health Insurance Card are utilized to enhance the strength of identity assurance level for citizens accessing remote services. However, although these cards are compatible with ISO 7816 standard, front-end web programs cannot access the card directly through browsers. Requiring the dedicated software components to facilitate interaction between front-end app and cards. To support front-end app, these components have become targets for hackers.
At this juncture, the FIDO Alliance and W3C jointly introduced the FIDO2 and WebAuthn standards. These standards enable browsers to communicate directly with cards through a standard interface. However, the FIDO2 standard itself only verifies the user's digital identity and does not consider the confirmation and provision of user identity information, necessitating the inclusion of identity information provision.
This study proposes an approach enabling cards that confirm user identity during issuance to support FIDO2. This allows these cards to function without the need for additional software, especially given the current widespread browser support. Additionally, privacy considerations are taken into account by anonymizing the identity information returned by the card, preventing the disclosure of unnecessary information. In this approach, web services must inquire about the user's identity authenticity from the identity provider using anonymous identity verification information to obtain the user's true identity. Finally, a prototype system is implemented based on this operational mechanism to verify its feasibility, and performance and security analyses are conducted.
[1] FIDO Specifications, FIDO-Alliance. [Online]. Available: https://fidoalliance.org/specifications/download/
[2] Web Authentication: An API for accessing Public Key Credentials Level 2, W3C, 2021. [Online]. Available: https://www.w3.org/TR/webauthn/
[3] SP 800-63-3 Digital Identity Guideline, NIST. [Online]. Available: https://pages.nist.gov/800-63-3/
[4] SP 800-63A Digital Identity Guidelines - Enrollment and Identity Proofing, NIST.
[5] 林宇翔. "當健保卡元件成為駭客的任意門." https://hitcon.org/2022/sessions/f1a4c0f0-d5f9-4a1c-bcdd-dc3fd6109b26/ (accessed.
[6] how2hack(CCoE), "HiCOS 自然人憑證元件客戶端 - Stack Buffer Overflow," 2022. [Online]. Available: https://www.twcert.org.tw/tw/cp-132-6363-f5ec2-1.html
[7] Crt.sh. "Public Identity Certificates." https://crt.sh/?Identity=%25&iCAID=13509 (accessed.
[8] 衛生福利部中央健康保險署. "健保卡簡介." https://www.nhi.gov.tw/Content_List.aspx?n=ABBBF3906BFF712A&topn=5FE8C9FEAE863B46 (accessed.
[9] FIDO UAF Architectural Overview, FIDO-Alliance, 2020. [Online]. Available: https://fidoalliance.org/specs/fido-uaf-v1.2-ps-20201020/fido-uaf-overview-v1.2-ps-20201020.html
[10] Universal 2nd Factor (U2F) Overview, FIDO-Alliance, 2017. [Online]. Available: https://web.archive.org/web/20220520201808/https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-overview-v1.2-ps-20170411.html
[11] Client to Authenticator Protocol (CTAP), FIDO-Alliance, 2022. [Online]. Available: https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html
[12] M. D. Network. "Web Authentication API #Browser compatibility." https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API#browser_compatibility (accessed.
[13] Wikipedia. "Electronic Identification." https://en.wikipedia.org/wiki/Electronic_identification (accessed.
[14] Estonian Electronic ID–card application specification, Estonia. [Online]. Available: https://www.id.ee/wp-content/uploads/2020/02/TB-SPEC-EstEID-Chip-App-v3_5-20140327.pdf
[15] J. Team. "JMRTD: An Open Source Java Implementation of Machine Readable Travel Documents." https://jmrtd.org/ (accessed.
[16] G. M. Verzeletti, E. R. d. Mello, and M. Wangham, "A Mobile Identity Management System to Enhance the Brazilian Electronic Government," presented at the IEEE Latin America Transactions, 2018.
[17] W. H. Lin, G. Y. Yang, and K. H. Yeh, "Integrating FIDO Authentication with New Digital Identity in Taiwan," in 2022 IEEE 11th Global Conference on Consumer Electronics (GCCE), 18-21 Oct. 2022 2022, pp. 311-312, doi: 10.1109/GCCE56475.2022.10014031.
[18] adesso. "BSI FIDELIO Projekt 276 FIDO - eID Integration." https://gitlab.com/adessoAG/FIDELIO (accessed.
[19] M. Keil, P. Markert, and M. Dürmuth, "“It’s Just a Lot of Prerequisites”: A User Perception and Usability Analysis of the German ID Card as a FIDO2 Authenticator," presented at the Proceedings of the 2022 European Symposium on Usable Security, Karlsruhe,Germany, 2022. [Online]. Available: https://doi.org/10.1145/3549015.3554208.
[20] S. Ranise, G. Sciarretta, and A. Tomasi, "Enroll, and Authentication Will Follow," Cham, 2020: Springer International Publishing, in Foundations and Practice of Security, pp. 156-171.
[21] F. Schwarz, K. Do, G. Heide, L. Hanzlik, and C. Rossow, "FeIDo: Recoverable FIDO2 Tokens Using Electronic IDs," presented at the Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, Los Angeles, CA, USA, 2022. [Online]. Available: https://doi.org/10.1145/3548606.3560584.
[22] W.-Z. Yeoh, M. Kepkowski, G. Heide, D. Kaafar, and L. Hanzlik, "Fast identity online with anonymous credentials (FIDO-AC)," presented at the Proceedings of the 32nd USENIX Conference on Security Symposium, Anaheim, CA, USA, 2023.
[23] J. Ji. "How to use webauthn extension?" FIDO dev forum. https://groups.google.com/a/fidoalliance.org/g/fido-dev/c/vDJiNrHUD10/m/grIOZGnACAAJ (accessed.
[24] RFC 8949 Concise Binary Object Representation (CBOR), IETF. [Online]. Available: https://www.rfc-editor.org/rfc/rfc8949.html
[25] Vivokey. "VivoKey fork of U2F Applet." https://github.com/josh20170311/vk-u2f (accessed.
[26] Google. "WebauthnDemo-java." https://github.com/google/webauthndemo/tree/java (accessed.
[27] Pivotal. "SpringFramework." https://spring.io/projects/spring-framework (accessed.
[28] Oracle. "MySQL Community Downloads." https://dev.mysql.com/downloads/ (accessed.
[29] V. S. Miller, "Use of Elliptic Curves in Cryptography," Springer Berlin Heidelberg, pp. 417-426.
[30] Secure Hash Standard (SHS), NIST. [Online]. Available: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
[31] IETF, "RFC 5869 HMAC-based Extract-and-Expand Key Derivation Function (HKDF)." [Online]. Available: https://datatracker.ietf.org/doc/html/rfc5869.
[32] Signal, "The Double Ratchet Algorithm - KDF Chains." [Online]. Available: https://signal.org/docs/specifications/doubleratchet/#kdf-chains.
[33] BITMAIN. "Bitcoin Miner S21 Hyd." https://shop.bitmain.com/zh/product/detail?pid=00020231212155652620HkaEf2SU0686 (accessed.
