National Digital Library of Theses and Dissertations in Taiwan

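Graduate student: 張維里 (CHANG, WEI-LI)
Thesis title: Capture Attacks Resistant Textual Password Authentication Schemes Using Password Length Hiding Technique
Thesis title (original Chinese): 可隱藏通行碼長度之可抵擋擷取攻擊的文字通行碼認證系統
Advisor: 顧維祺 (KU, WEI-CHI)
Oral defense committee: 洪國寶 (HORNG, GWO-BOA), 王丕中 (WANG, PI-CHUNG), 林嬿雯 (LIN, YEN-WEN), 顧維祺 (KU, WEI-CHI)
Oral defense date: 2019-07-15
Degree: Master's
Institution: National Taichung University of Education (國立臺中教育大學)
Department: Department of Computer Science and Information Engineering (資訊工程學系)
Discipline: Engineering
Field: Electrical and Computer Engineering
Thesis type: Academic thesis
Publication year: 2019
Graduation academic year: 107
Language: Chinese
Number of pages: 44
Keywords: Capture Attacks; Security; Shoulder Surfing; Textual Password; User Authentication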
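Abstract (translated from the Chinese): Textual passwords are easy to use and are therefore widely used in the user authentication mechanisms of many application systems. However, conventional textual password authentication systems were not designed with capture attacks in mind, such as shoulder-surfing, spyware, camera and wiretapping attacks, and cannot effectively resist them; many textual password authentication systems that resist capture attacks were therefore proposed later. Because these systems have no mechanism for hiding the password length, an attacker usually needs only a single capture attack to learn the length of the user's password. Once the password length is known, the probability of cracking the password rises substantially, and the attacker can also raise the chance of success through an accidental login attack with a known password length. Therefore, if a textual password authentication system can effectively hide the length of the user's password, the overall security of the system is strengthened. Accordingly, several capture-attack-resistant textual password authentication systems that can hide the password length have been proposed in recent years. Although these systems increase security, their complicated operating rules make the user's login time too long and thus reduce usability. In this thesis, we propose two improved capture-attack-resistant textual password authentication systems that can hide the password length. In the first improved system, ColorNDot, the system randomly assigns the number of responses for each character on every screen, so that the total number of responses in each login also varies randomly, thereby hiding the length of the user's password. Compared with existing capture-attack-resistant textual password authentication systems that can hide the password length, ColorNDot provides sufficient security for application environments without special security requirements, together with better usability. However, for general users the usability of ColorNDot is still not ideal and leaves room for improvement. To improve usability further, we propose the second improved system, ColorBV, in which the system randomly inserts fake responses between password characters, so that the total number of responses in each login also varies randomly, thereby hiding the length of the user's password. Compared with ColorNDot, ColorBV further shortens the user's login time and so further improves usability. Compared with existing capture-attack-resistant textual password authentication systems that can hide the password length, both proposed systems, ColorNDot and ColorBV, substantially shorten the user's login time, thereby improving usability and raising the systems' acceptance and practicality, while providing sufficient security for general application environments without special security requirements.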
Abstract (author's English version): Textual passwords have been widely used for user authentication in many application systems because of their simplicity. However, conventional textual password authentication schemes are vulnerable to capture attacks, which may be the shoulder-surfing attack, the hidden camera attack, the spyware attack, and/or the wiretapping attack. Therefore, numerous textual password authentication schemes with resistance to capture attacks have been proposed. However, because these schemes are not capable of hiding the password length, the attacker can obtain the user's password length by performing a capture attack just once. Once the attacker obtains the user's password length, the success probability of cracking the password and the success probability of accidental login are significantly increased. If the password length can be concealed effectively by the textual password authentication scheme, the overall security of the system will be strengthened. Therefore, some capture attacks resistant textual password authentication schemes with the capability of hiding the password length have been proposed in recent years. However, since the operations of these schemes are very complicated, their login time is rather long, which leads to low usability. Thus, in this thesis, we propose two capture attacks resistant textual password authentication schemes using a password length hiding technique with improved usability. The first improved scheme, ColorNDot, is based on a dots-responding mechanism, which randomly assigns dot(s) to every character on the qwerty-like keyboard; the number of dot(s) determines the number of times the character is entered. Users who are familiar with the qwerty-like keyboard can easily and efficiently log into the system. Compared with existing similar schemes, ColorNDot can provide sufficient security and better usability. However, the usability of ColorNDot is still unsatisfactory for general application environments.
To improve the usability further, we propose the second improved capture attacks resistant textual password authentication scheme using a password length hiding technique, ColorBV, which is based on a color-bars-vanishing mechanism that randomly deploys fake responses between password characters. Compared with ColorNDot, ColorBV can provide shorter login time and better usability. Compared with existing similar schemes, both ColorNDot and ColorBV can provide sufficient security and significantly reduce the login time, so as to improve their usability and increase public acceptance.
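Table of contents:
Abstract
Table of Contents
List of Figures
List of Tables
Chapter 1 Introduction
Chapter 2 Related Work
Chapter 3 Design and Analysis of ColorNDot
3.1 Introduction to ColorNDot
3.1.1 Registration Phase
3.1.2 Login Phase
3.2 Security Analysis of ColorNDot
3.2.1 Password Space of ColorNDot
3.2.2 Resistance of ColorNDot to Accidental Login
3.2.3 Resistance of ColorNDot to Capture Attacks
3.3 Usability Analysis of ColorNDot
3.3.1 Memory Burden of ColorNDot
3.3.2 Operation Burden of ColorNDot
3.3.3 Ease of Learning of ColorNDot
3.3.4 Login Time of ColorNDot
Chapter 4 Design and Analysis of ColorBV
4.1 Introduction to ColorBV
4.1.1 Registration Phase
4.1.2 Login Phase
4.2 Security Analysis of ColorBV
4.2.1 Password Space of ColorBV
4.2.2 Resistance of ColorBV to Accidental Login
4.2.3 Resistance of ColorBV to Capture Attacks
4.3 Usability Analysis of ColorBV
4.3.1 Memory Burden of ColorBV
4.3.2 Operation Burden of ColorBV
4.3.3 Ease of Learning of ColorBV
4.3.4 Login Time of ColorBV
Chapter 5 Overall Comparison
5.1 Security Comparison of ColorNDot, ColorBV and Existing Authentication Systems
5.2 Usability Comparison of ColorNDot, ColorBV and Existing Authentication Systems
5.3 Overall Comparison Results
Chapter 6 Conclusion
References
List of Publications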