Advisor: 鄭振牟
Institution: National Taiwan University, Graduate Institute of Electrical Engineering
Author: 吳忠憲 (Wu, Zhong-Xian)
Record dates: 2014-11-28; 2018-07-06
Year: 2014
Handle: http://ntur.lib.ntu.edu.tw//handle/246246/262937

Abstract (translated from the Chinese):
In recent years, more and more people use convenient smartphones and tablets to access personal information through a variety of cloud services and applications. On these mobile devices, the most common authentication method is still the traditional username combined with a "password". Unlike a traditional personal computer, however, a mobile device has no physical keyboard, and entering a long password on it is quite difficult. For convenience, people usually compromise on security: they choose shorter, easier-to-remember passwords, or, once authenticated, never log out of the device again. Moreover, passwords have some fundamental weaknesses that prevent them from offering much security. Beyond passwords, therefore, more secure authentication schemes are available; "two-step verification" combined with a constantly refreshed "one-time password" is a common example. Unfortunately, many of the more "secure" schemes have not been widely adopted, because their steps are cumbersome and inconvenient. To address the difficulty that the "usability" and "security" aspects of authentication often conflict, this thesis proposes a token-based authentication framework and uses it to build a centralized single sign-on service and a password manager application that can be used on mobile devices.

Abstract (English):
Nowadays, smartphones and tablets are widely used to access personal information through various applications and cloud services. On these mobile devices, the most commonly used identity authentication is still password-based, which has several usability and security issues. Because it is hard to type a long password on a mobile device without a physical keyboard, in contrast to traditional PCs, people usually compromise security for ease of use by choosing a shorter password or by never logging out of the device. In addition, passwords have some fundamental weaknesses and are insecure in many practical scenarios. Therefore people have developed authentication solutions with a higher security level, for example "two-step verification" with a one-time password. However, those "better" solutions are not widely adopted, since they are not simpler to use than just typing a password.
To overcome this issue, in this thesis we propose a token-based authentication architecture on which a centralized single sign-on service and a password manager can easily be built, in order to solve the problem in a secure and user-friendly manner.

Table of contents:
1 Introduction
2 Underlying Infrastructure
2.1 Terminology
2.2 Token
2.3 Backend
2.4 MgrApp
2.5 Operations
2.5.1 MgrApp registration
2.5.2 Token authentication
2.5.3 Token binding
3 Authentication Solutions
3.1 Single sign-on service
3.2 Password manager
4 Threat Model
4.1 Attacks on Backend
4.2 Attacks on the Token
4.3 Attacks on the mobile devices
4.4 Attacks on the communication channels
4.4.1 Between the 3rd-party App and the MgrApp
4.4.2 Between the MgrApp and the Backend
4.4.3 Between the MgrApp and the Token
4.4.4 Between the Token and the Backend (indirect communication)
5 System Properties and Some Comparisons
6 Conclusion
Bibliography
File: 886719 bytes, application/pdf
Thesis public release date: 2016/09/12
Thesis usage rights: paid licensing agreed (royalties returned to the author)
Keywords: identity authentication; mobile devices; security; password; identity token; identity management; single sign-on
Title (Chinese): 行動平台上基於令牌的身份認證方案
Title (English): Token-Based Authentication Solutions for Mobile Devices
Type: thesis
Full text: http://ntur.lib.ntu.edu.tw/bitstream/246246/262937/1/ntu-103-R02921052-1.pdf