臺灣博碩士論文加值系統 (National Digital Library of Theses and Dissertations in Taiwan)
Author: 賴緯宸
Author (English): LAI, WEI-CHEN
Thesis title (Chinese): Multi-Mode Textual Password Authentication Systems Resistant to Phishing Attacks and Capture Attacks (具多模式的可抵擋釣魚攻擊與擷取攻擊之文字通行碼認證系統)
Thesis title (English): Multi-Mode Textual Password Authentication Systems with Resistance to Capture Attacks and Phishing Attacks
Advisor: 顧維祺
Advisor (English): KU, WEI-CHI
Committee members: 王丕中, 林嬿雯, 顧維祺
Committee members (English): WANG, PI-CHUNG; LIN, YEN-WEN; KU, WEI-CHI
Oral defense date: 2020-07-08
Degree: Master's
Institution: 國立臺中教育大學 (National Taichung University of Education)
Department: 資訊工程學系 (Department of Computer Science and Information Engineering)
Discipline: Engineering
Field: Electrical and Information Engineering
Thesis type: Academic thesis
Year of publication: 2020
Academic year of graduation: 108 (ROC calendar, i.e. 2019-2020)
Language: Chinese
Number of pages: 64
Keywords (Chinese): 擷取攻擊 (capture attacks), 釣魚攻擊 (phishing attacks), 安全性 (security), 文字通行碼 (textual password), 使用者身分認證 (user authentication)
Keywords (English): Capture Attacks; Phishing Attacks; Security; Textual Password; User Authentication
Usage statistics:
  • Cited: 0
  • Views: 136
  • Rating: (none)
  • Downloads: 3
  • Saved to reading lists: 1
Abstract (translated from Chinese): In recent years phishing attacks have become frequent, and the threat they pose to information security keeps growing. However, as phishing techniques evolve day by day, existing anti-phishing defenses still have shortcomings. This thesis therefore proposes an innovative solution to the problem of phishing attacks that trick users into revealing the textual passwords they use for authentication. Our motivation is to exploit the indirect password entry that characterizes capture-attack-resistant textual password authentication systems in order to prevent phishers from obtaining users' textual passwords. However, our research finds that existing capture-attack-resistant textual password authentication systems do not necessarily provide ideal resistance to phishing attacks; in the thesis we take a well-known capture-attack-resistant textual password authentication system as an example and show that its resistance to phishing attacks is insufficient. We then propose an improved textual password authentication system, RC-GT, that resists both phishing and capture attacks. Through a browser extension, the improved system prevents a phisher from fully controlling the challenge content to which the user responds, thereby strengthening its resistance to phishing attacks, and it offers three login modes to meet the security and usability needs of different environments. We also improve the system's user interface to strengthen its resistance to capture attacks and to effectively reduce the required login time. However, the usability of our first system is still not ideal for general users and leaves room for improvement. We therefore propose a second textual password authentication system, RC-VCK, that resists phishing and capture attacks. This system likewise uses a browser extension to prevent a phisher from fully controlling the user's challenge content, and it adopts a qwerty-like keyboard as its user interface, which lets most users complete login more quickly and provides better resistance to capture attacks; it likewise offers three login modes to meet the security and usability needs of different environments.
Abstract (English): The number of phishing attacks has grown fast in recent years. However, none of the existing anti-phishing countermeasures can achieve enough security. In this thesis, we propose a novel anti-phishing solution that can mitigate the danger of password-stealing phishing attacks. Our motivation is to employ capture-attack-resistant textual password authentication schemes, which have the characteristic of entering passwords indirectly, to mitigate password-stealing phishing attacks. However, our investigation found that none of the existing capture-attack-resistant textual password authentication schemes can provide enough resistance to phishing attacks. In this thesis, we first show that the resistance to phishing attacks of a well-known capture-attack-resistant textual password authentication scheme is insufficient. Next, we propose a multi-mode textual password authentication system, the pseudo-Random Challenge based Grid Textual password authentication system (RC-GT), with resistance to capture attacks and phishing attacks. By using our tailored browser extension, the adversary cannot fully control the challenge mechanism to obtain the desired corresponding response from the user for cracking the password, i.e., the resistance to phishing attacks is enhanced. In addition, we improve the user interface so that the average login time is significantly reduced and the resistance to capture attacks is enhanced. RC-GT provides three login modes to meet the requirements of security and usability for various environments. However, the usability of RC-GT is still unsatisfactory for some applications. Therefore, we propose another multi-mode textual password authentication system, the pseudo-Random Challenge based password authentication system using a Virtual Color Keyboard (RC-VCK), with resistance to capture attacks and phishing attacks.
By using a virtual qwerty-like keyboard as the basis of the user interface, users who are familiar with qwerty-like keyboards can easily and efficiently log into the system. Compared with RC-GT, RC-VCK can provide shorter login times and better resistance to capture attacks. In addition, RC-VCK also provides three login modes to meet the requirements of security and usability for various environments.
Table of contents (page numbers refer to the thesis):
Abstract i
Table of Contents iii
List of Figures v
List of Tables vi
Chapter 1 Introduction 1
Chapter 2 Related Work 6
2.1 Password-stealing phishing attacks 6
2.2 Capture-attack-resistant textual password authentication systems 8
Chapter 3 Security and Usability Analysis of Kim et al.'s System 10
3.1 Introduction to Kim et al.'s textual password authentication system 11
3.1.1 Overview of Kim et al.'s system 11
3.2 Analysis of Kim et al.'s system 12
3.2.1 Password space 12
3.2.2 Resistance to accidental login 12
3.2.3 Resistance to capture attacks 12
3.2.4 Resistance to phishing attacks 13
3.2.4.1 Phishing attacks under specific conditions 14
3.2.4.2 Generic phishing attacks 16
3.2.4.3 Reverse-proxy phishing attacks 16
3.2.5 Usability analysis 18
Chapter 4 Design and Analysis of RC-GT 19
4.1 Introduction to RC-GT 19
4.1.1 Registration phase 19
4.1.2 Authentication phase 20
4.2 Security analysis of RC-GT 26
4.2.1 Password space 26
4.2.2 Resistance to accidental login 26
4.2.3 Resistance to capture attacks 28
4.2.4 Resistance to phishing attacks 29
4.3 Usability analysis of RC-GT 31
Chapter 5 Design and Analysis of RC-VCK 32
5.1 Introduction to RC-VCK 32
5.1.1 Registration phase 32
5.1.2 Authentication phase 33
5.2 Security analysis of RC-VCK 41
5.2.1 Password space 41
5.2.2 Resistance to accidental login 41
5.2.3 Resistance to capture attacks 43
5.2.4 Resistance to phishing attacks 44
5.3 Usability analysis of RC-VCK 46
Chapter 6 Overall Comparison 47
6.1 Security comparison of RC-GT, RC-VCK and Kim et al.'s system 47
6.2 Usability comparison of RC-GT, RC-VCK and Kim et al.'s system 49
6.3 Overall comparison results 51
Chapter 7 Conclusions and Future Research Directions 52
References 54
List of Publications 57
References:
[Aler17] A. Aleroud and L. Zhou, “Phishing environments, techniques, and countermeasures: a survey,” Computers & Security, Vol. 68, pp. 160-196, 2017.
[APWG20] APWG, “Phishing activity trends report, 4th quarter 2019,” Technical Report, 2020. [Online]. Available: https://docs.apwg.org/reports/apwg_trends_report_q4_2019.pdf.
[Chan19] W. L. Chang, W. C. Ku, W. C. Lai, and C. C. Lin, “A novel capture attacks resistant textual password authentication scheme using new password length hiding mechanism,” Proc. of the 13th International Conference on Advanced Information Technologies, Taichung, Taiwan, Mar. 2019.
[Chen13] Y. L. Chen, W. C. Ku, Y. C. Yeh, and D. M. Liao, “A simple text-based shoulder surfing resistant graphical password scheme,” Proc. of the IEEE 2nd International Symposium on Next-Generation Electronics, Kaohsiung, Taiwan, Feb. 2013.
[Dham05] R. Dhamija and J. D. Tygar, “The battle against phishing: dynamic security skins,” Proc. of the 2005 Symposium on Usable Privacy and Security, SOUPS’05, pp. 77-88, Jul. 2005.
[Do19] Q. Do, B. Martini, and K. K. R. C, “The role of the adversary model in applied security research,” Computers & Security, Vol. 81, pp. 156-181, 2019.
[Dusz20] P. Duszynski, “Modlishka,” 2020. [Online]. Available: https://github.com/drk1wi/Modlishka.
[Gupt18] B. B. Gupta, N. A. G. Arachchilage, and K. E. Psannis, “Defending against phishing attacks: taxonomy of methods, current issues and future directions,” Telecommunication Systems, Vol. 67, pp. 247-267, 2018.
[Hoan08] B. Hoanca and K. Mock, “Password entry scheme resistant to eavesdropping,” Security and Management, 2008.
[Jako18] M. Jakobsson, “Two-factor inauthentication – the rise in SMS phishing attacks,” Computer Fraud & Security, Vol. 2018, pp. 6-8, Jun. 2018.
[Kim11] S. H. Kim, J. W. Kim, S. Y. Kim, and H. G. Cho, “A new shoulder-surfing resistant password for mobile environments,” Proc. of the 5th International Conference on Ubiquitous Information Management and Communication, ICUIMC’11, Seoul, Korea, Article No. 27, Feb. 2011.
[Ku16] W. C. Ku, B. R. Cheng, Y. C. Yeh, and C. J. Chang, “A simple sector-based textual-graphical password scheme with resistance to login-recording attacks,” IEICE Transactions on Information and Systems, Vol. E99-D, No. 2, pp. 529-532, Feb. 2016.
[Mats98] M. Matsumoto and T. Nishimura, “Mersenne twister: a 623-dimensionally equidistributed uniform pseudo-random number generator,” ACM Transactions on Modeling and Computer Simulation, Vol. 8, No. 1, pp. 3-30, Jan. 1998.
[Mulw13] K. Mulwani, S. Naik, N. Gurnani, N. Giri, and S. Sengupta, “3LAS (three level authentication scheme),” International Journal of Emerging Technology and Advanced Engineering, Vol. 3, Aug. 2013.
[Rao12] M. Kameswara Rao and S. Yalamanchili, “Novel shoulder-surfing resistant authentication schemes using text-graphical passwords,” International Journal of Information & Network Security (IJINS), Vol. 1, No. 3, pp. 163-170, Aug. 2012.
[Reko11] K. Rekouche, “Early phishing,” 2011. [Online]. Available: https://arxiv.org/ftp/arxiv/papers/1106/1106.4692.pdf.
[Resc18] E. Rescorla, “The transport layer security (TLS) protocol version 1.3,” IETF, RFC 8446, Aug. 2018. [Online]. Available: https://tools.ietf.org/html/rfc8446.
[Sche07] S. E. Schechter, R. Dhamija, A. Ozment, and I. Fischer, “The emperor’s new security indicators,” Proc. of the 2007 IEEE Symposium on Security and Privacy, SP’07, pp. 51-65, 2007.
[SHS15] NIST, “Secure hash standard (SHS),” FIPS PUB 180-4, 2015.
[Sigu19] T. T. Sigurdardottir and M. Sigurdsson, “Evasive phishing driven by phishing-as-a-service,” 2019. [Online]. Available: https://www.cyren.com/blog/articles/evasive-phishing-driven-by-phishing-as-a-service?utm_medium=pr&utm_source=bleeping_computer_20190701.
[Sree11] M. Sreelatha, M. Shashi, M. Anirudh, MD. S. Ahamer, and V. M. Kumar, “Authentication schemes for session passwords using color and images,” International Journal of Network Security & Its Applications (IJNSA), Vol. 3, No. 3, pp. 111-119, 2011.
[Wiki20a] Wikipedia, “Pseudorandom number generator,” 2020. [Online]. Available: https://en.wikipedia.org/wiki/Pseudorandom_number_generator.
[Wiki20b] Wikipedia, “SiteKey,” 2020. [Online]. Available: https://en.wikipedia.org/wiki/SiteKey.
[Zhao07] H. Zhao and X. Li, “S3PAS: a scalable shoulder-surfing resistant textual-graphical password authentication scheme,” Proc. of the 21st International Conference on Advanced Information Networking and Applications Workshops, AINAW’07, Niagara Falls, Ont., Canada, May 2007.