Title: A New Authentication Scheme Using QR Code
Author: 黃昱凱
Huang, Yu-Kai
Yuan, Shyan-Ming
Keywords: QR code; Authentication; RSA; OTP; mobile
Publication date: 2009
Abstract: With the traditional approach of entering an account name and password on a web page, the authentication data is easily stolen when a keylogger or a phishing site is present, and a stolen fixed password may be reused repeatedly without the owner's knowledge. Recent authentication methods such as smart cards, USB keys, and OTP cards require extra hardware cost, and because they are used infrequently, their loss is not easily noticed. The mobile phone, by contrast, is among the most common devices people carry today; because it is used so often in daily life, its loss is noticed in a shorter time. The advantage of an OTP is that it is used only once, which makes it more secure than a fixed password. RSA is an asymmetric encryption algorithm widely used in many domains, and it gives two parties a more secure way to exchange messages: even if the encrypted content is stolen, the secret information is hard to extract without the private key. QR code is a kind of two-dimensional matrix code with high encryption and decryption speed; it can store a large amount of information, has error-correction ability, and is widely applied in many services. In this thesis, we try to develop a safe and efficient authentication method using the mobile phone and implement it in an access control system. We take advantage of the one-time use of OTP and the ability of RSA to encrypt secret information, and store the secret information in a QR code. This not only achieves the effect of double encryption but also, by combining a webcam with the ease of detecting and decrypting a QR code, avoids user typing errors. We expect this to achieve a safe, quick, and effective authentication method.