Master's and Doctoral Theses: Detailed Record for 105525015




Name 鄒北辰 (Pei-Chen Tsou)   Department Graduate Institute of Software Engineering
Thesis title 基於以太坊憑證暨網路用戶身份驗證之OAuth兼容服務
(An OAuth-compatible service based on Ethereum credentials to authenticate users on a website.)
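  1. The access permission for this electronic thesis is immediate open access.
  2. Electronic full texts that have reached open access are licensed to users only for personal, non-profit searching, reading, and printing for the purpose of academic research.
  3. Please comply with the relevant provisions of the Copyright Act of the Republic of China, and do not reproduce, distribute, adapt, repost, or broadcast the work without authorization, to avoid breaking the law.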

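Abstract (Chinese) With the rapid rise and maturation of information technology, use of the Internet has become an inseparable part of people's lives; everything from social activities to online shopping can be done over the Internet. This convenience has led people to establish their own online identities on all kinds of cloud service platforms. In recent years, however, incidents in which cloud service platforms leak users' sensitive data have occurred one after another, so users have gradually come to value the information security and resource protection of cloud service platforms, which makes the need for more secure identity authentication technology all the more pressing. Identity authentication technology is the foundation of network security and information security, and is a research field that receives much attention in the era of information security.
Two identity authentication methods are currently widely adopted by cloud service providers: the first is login with an account and password, and the second is login authorized through a trusted third party. Both methods have obvious flaws: first, the system operator cannot guarantee that it will keep users' sensitive data safe; second, because digital personal data is stored in the service's database, if a centralized service becomes temporarily unavailable because of an accident or a man-made incident, users will be unable to authenticate.
This research proposes a prototype of an identity authentication system. When a user authenticates through a server set up with this system, the server provides verification data; the user signs it with a personal Ethereum account and returns it to the server, which completes the authentication. Each platform can communicate with the blockchain by independently operating its own verification server, which reduces the likelihood that a single authentication vendor holding a large amount of data is attacked and paralyzed. In addition, the encryption and decryption properties of elliptic curve cryptography (ECC) are used to guarantee the validity of the data during verification. Users' sensitive data does not need to be stored on the server, which effectively solves the problem in traditional authentication flows that users cannot control the security and privacy of their personal sensitive data. Finally, this thesis presents a system prototype that combines the above properties, in the hope of laying a foundation for convenient and secure authentication systems in the future.
Abstract (English) With the rapid development of information technology, the Internet has become one of the most indispensable parts of people's lives. For instance, social events and online shopping can be done efficiently with the help of the Internet. Moreover, because of this convenience, people tend to create online identities on different online platforms. However, a growing number of incidents in recent years in which users' sensitive data was leaked have drawn public attention. As a result, users increasingly take information security and data protection on Internet platforms seriously, making the search for a safe identity authentication technique an extremely urgent task. Identity authentication is the foundation of information technology and Internet security, and is highly emphasized by scientists and researchers in the era of information security.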
Keywords (Chinese) ★ Account and password
★ Blockchain
★ Elliptic curve cryptography
Keywords (English) ★ Account password
★ Blockchain
★ ECC
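Thesis contents Table of Contents
Abstract (Chinese)
Abstract
Table of Contents
List of Figures
Chapter 1 Introduction
1-1 Research background
1-2 Research motivation and goals
1-3 Thesis organization
Chapter 2 Background knowledge
2-1 User authentication and authorization
2-1-1 User authentication
2-1-1-1 Username and password
2-1-1-2 Public key infrastructure
2-1-1-3 Biometric authentication
2-1-1-4 Multi-factor authentication
2-1-2 User authorization
2-1-2-1 eXtensible Access Control Markup Language (XACML)
2-1-2-2 OAuth 2.0
2-1-3 Potential vulnerabilities
2-1-3-1 Account hijacking
2-1-3-2 Distributed denial of service
2-1-3-3 Man-in-the-middle attack
2-1-3-4 Data breach
2-1-3-5 Malicious insiders
2-2 Ethereum
2-2-1 Introduction
2-2-2 Ethereum blockchain and accounts
2-2-3 Transactions and messages
2-2-4 Smart contracts
Chapter 3 System design
3-1 System architecture
3-2 System flow
3-3 System components
3-3-1 Authentication server
References

List of Figures
Figure 1. System architecture diagram
Figure 2. Flowchart
Figure 3. Authentication server flowchart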
Advisor 王尉任 (Wei-Jen Wang)   Approval date 2019-7-3

For questions about this thesis, please contact the Outreach Services Section of the National Central University Library, TEL: (03)422-7151 ext. 57407, or by e-mail.