Title: | 關於密碼系統抵抗側錄攻擊之研究 A study on password system with shoulder surfing resistance |
Authors: | 李侑昇 Lee, You-Shung 蔡文能 Tsai, Wen-Nung 資訊科學與工程研究所 |
Keywords: | 身分認證;密碼;鍵盤側錄;肩窺攻擊;動態密碼;Authentication;Password;Keylogger;Shoulder Surfing;Dynamic Password |
Issue Date: | 2009 |
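Abstract: | For user authentication, accounts have traditionally been protected by verifying identity with an account name and a password chosen by the user. In practice, however, account theft is not uncommon. Besides easily guessed passwords and passwords leaked through human error, logging tools are a major reason that textual passwords become known to others. Some logging tools are full-featured and hard to detect; when logging succeeds, the login process is effectively being watched by someone else, just like a shoulder-surfing attack in which the attacker directly observes the user's actions.
Although newer forms of authentication are less affected by logging attacks, most of them require additional hardware devices to authenticate, so some research has examined how to achieve comparable security using only basic input devices.
This study proposes an authentication method that likewise relies on no additional hardware: randomly generated grid data combined with user-defined processing rules provides the function of a dynamic password and can resist screen logging, keyboard logging and shoulder-surfing attacks. With a traditional textual password, once the login process is logged, the attacker obtains the user's account and password. With the authentication method proposed in this thesis, even if the login process is logged, the attacker still cannot derive the login rule from the logged data.
The most common way to protect user accounts is to authenticate users through a textual account name and password. However, account theft is still a serious problem. Besides weak or simple passwords and users accidentally disclosing their own passwords, data logging tools such as keystroke loggers (keyloggers) are often used to steal accounts and passwords. This behavior is called a "shoulder surfing" attack because it is very similar to someone watching you while you type your password. Although there are new types of authentication methods on which data logging has less effect, those methods usually need extra hardware during the login procedure. Some researchers have been trying to find better authentication methods that need no extra hardware. In this thesis, we propose a method with shoulder surfing resistance that authenticates users without special hardware by using an on-screen grid structure with user-defined rules. Because the user-defined rules are applied to a random grid layout on the screen, a dynamic password is required during the login procedure. Thus, it is hard to analyze the logged data when the authentication rules are unknown. |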
URI: | http://140.113.39.130/cdrfb3/record/nctu/#GT079755607 http://hdl.handle.net/11536/45954 |
Appears in Collections: | Thesis |