National Digital Library of Theses and Dissertations in Taiwan

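Author: 楊開太 (YANG, KAI-TAI)
Thesis title (original): 雲端服務下近場通訊為基礎之身分識別與存取管理的設計與應用
Thesis title (English): Design and Application of NFC-based Identity and Access Management in the Cloud Services
Advisor: 楊欣哲 (YANG, SHIN-JER)
Oral defense committee: 陳彥文, 廖文華
Oral defense date: 2017-01-19
Degree: Master's
Institution: Soochow University (東吳大學)
Department: Department of Information Management
Discipline: Computer Science
Field: General Computer Science
Thesis type: Academic thesis
Year of publication: 2017
Graduation academic year: 105
Language: Chinese
Number of pages: 69
Keywords (translated from Chinese): cloud services; multi-tenancy; identity and access management; mobile device; near field communication
Keywords (English): Cloud Service; Multi-tenancy; IAM; Mobile device; NFC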
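With changing times and the rapid growth of the Internet, more and more enterprises are replacing web-based services with cloud services. Multi-tenancy technology is very important in cloud services, especially in Software as a Service (SaaS). Under such multi-tenancy technology, however, Identity and Access Management (IAM) is an issue that deserves attention. Earlier Near Field Communication-based (NFC-based) authentication methods required a computer browser and a card reader to read the NFC tag; a user who wants to log in with only a mobile device cannot be authenticated this way, and these methods usually lack adequate per-user access management. To address these shortcomings, this thesis designs an NFC-based third-party cloud identity and access management method called NFC-IAM. Simulation experiments analysed against Key Performance Indicators (KPIs) show that NFC-IAM shortens the authentication time needed for identification by nearly 30%, reaches an accuracy above 99.9%, and improves server CPU utilization during identification by about 20%. For access management, container virtualization technology is introduced; although the data load increases, the response time for access management drops substantially, by about 50%. In the functional benefit analysis, NFC-IAM performs better in both scalability and mobility. Finally, we implement a front-end mobile application (App) and a back-end system using the NFC-IAM method to carry out identity and access management from mobile devices in a cloud service environment, and use a threat model during development to examine the system's security, making it easier for users to use while achieving better security. In future, the identity and access management method of this study can be applied in different areas, such as identification in Fin Tech mobile payment systems and permissions for remote device monitoring in the Internet of Things.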
In response to a changing world and the fast growth of the Internet, more and more enterprises are replacing web-based services with cloud-based ones. Multi-tenancy technology is becoming more important, especially with Software as a Service (SaaS). This, in turn, leads to a greater focus on the application of Identity and Access Management (IAM). Conventional Near-Field Communication (NFC)-based verification relies on a computer browser and a card reader to access an NFC tag. This type of verification does not support mobile device login or user-based access management functions. This study designs an NFC-based third-party cloud identity and access management scheme (NFC-IAM) that addresses this shortcoming. Data from simulation tests analyzed with Key Performance Indicators (KPIs) suggest that NFC-IAM not only takes less time for identification but also cuts time by 30% in terms of two-factor authentication and improves verification accuracy to 99.9% or better. CPU utilization is reduced by about 20% when the server verifies the identity. Introducing container virtualization technology for access management adds some data overhead, but the response time declines by about 50%. In the functional performance analysis, NFC-IAM performs better in scalability and portability. The NFC-IAM App (Application Software) and backend system, developed and deployed for identity and access management on mobile devices, also offer users a more user-friendly experience and stronger security protection in cloud services. In the future, our proposed NFC-IAM can be applied to different applications, including identification for Fin Tech mobile payment systems, permission management for remote equipment monitoring in the Internet of Things (IoT), and other applications.
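Acknowledgements
Abstract (Chinese)
Abstract
1. Introduction
1.1 Research Background
1.2 Research Objectives
1.3 Chapter Structure
2. Literature Review and Related Work
2.1 Introduction to Cloud Computing
2.2 Multi-tenancy and Its Identity and Access Management
2.3 Two-Factor Authentication Methods and Applications
2.4 Overview of NFC and NFC-based Authentication Methods
2.5 Docker Container Virtualization Technology
3. Research Framework and NFC-IAM Design
3.1 Research Process and Description
3.2 Operating Principles and Flow of the NFC-IAM Method
3.3 Algorithm Design of the NFC-IAM Method
3.4 Prototype System of the NFC-IAM Method
4. Simulation Experiments and Result Analysis
4.1 Simulation Environment Configuration
4.2 Analysis of Experimental Results
4.2.1 Result Analysis for Experimental Scenario 1
4.2.2 Result Analysis for Experimental Scenario 2
4.3 Threat Model Security Analysis
4.4 Comparative Analysis of Functional Benefits
4.4.1 Definition of Functional Benefits
4.4.2 Comparison and Analysis
5. Conclusion
References
Appendix 1: Partial Source Code of the NFC-IAM System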
