
In this section, under the same security parameter setting (text password length: 8), we compare the security and usability of A-ROT and T-RiS and summarize the comparison in Table 5.1. We also compare the login-recording attack resistance of the two designs: Fig. 5.5 plots the login-recording attack resistance of A-ROT and T-RiS, where the horizontal axis is the number of logins the attacker has completely recorded and the vertical axis is the success probability of the login-recording attack.

Figure 5.5: Comparison of the login-recording attack resistance of A-ROT and T-RiS

Table 5.1: Comparison of the security and usability of A-ROT and T-RiS

Chapter 6

Conclusions and Future Research Directions

During login, users may face login-recording attacks such as shoulder-surfing, camera, spyware, or eavesdropping attacks, in which the attacker records the user's login information and either obtains the password directly or recovers it through analysis and comparison. Since ordinary text password designs and graphical password designs cannot resist login-recording attacks, many researchers have proposed graphical password designs that do. In this thesis we analyzed in depth five representative existing login-recording-attack-resistant graphical password designs, namely CHC, Movable Frame, ColorLogin, TI-IBA, and RiS; these designs are characterized by large password spaces and, in most cases, good resistance to login-recording attacks. In practice, however, graphical password designs based on memorizing images pose an adaptation problem for ordinary users who are long accustomed to memorizing text passwords, and when the systems a user relies on adopt several entirely different graphical password designs, the user's memory burden grows substantially, which hinders widespread adoption. Consequently, in recent years another class of designs, text-based graphical passwords, has been proposed: users log in with the text passwords they are used to, so these designs are more acceptable to users accustomed to memorizing text passwords. In this thesis we also analyzed in depth five representative existing login-recording-attack-resistant text-based graphical password designs, namely the Pair-Based Scheme, the design of Kim et al., S3PAS, Advance Secure Login, and T-RiS; in these designs the user need only remember a conventional text password, and the graphical interface supplies the resistance to login-recording attacks. However, existing login-recording-attack-resistant text-based graphical password designs share a common security problem: an attacker need only, from a single login

we propose A-ROT, a text-based graphical password design that strengthens resistance to login-recording attacks by hiding the password length. The design is based on T-RiS, a login-recording-attack-resistant text-based graphical password design we proposed earlier, and adds start-character and end-padding mechanisms that hide the user's password length and thereby strengthen resistance to login-recording attacks. Compared with the original T-RiS design, A-ROT not only strengthens resistance to login-recording attacks but also improves usability.

As for future research directions, because an A-ROT user, after entering the password, may press the confirm key in quick succession to complete the remaining padding, the user's insecure operating habits may still affect the security of the A-ROT system. Although this problem could be avoided by limiting the rate at which the user may press the confirm key, doing so would noticeably increase login time and reduce usability; a better solution remains for future research. Furthermore, the probability of an accidental login in each A-ROT challenge is about 1/4. Although the user can lower this probability by memorizing a longer password, that also increases login time and reduces usability; this problem likewise remains for future research.

References

[Ange02] A. De Angeli, M. Coutts, L. Coventry, and G. I. Johnson, “VIP: a visual approach to user authentication,” Proceedings of the Working Conference on Advanced Visual Interfaces, pp. 316-323, 2002.

[Ange03] A. De Angeli, L. Coventry, G. I. Johnson, and M. Coutts, “Usability and user authentication: pictorial passwords vs. PIN,” Proceedings of the 2003 International Conference on Contemporary Ergonomics, pp. 253-258, 2003.

[Blon96] G. E. Blonder, “Graphical passwords,” United States Patent 5559961, 1996.

[Calk98] M. W. Calkins, “Short studies in memory and association,” Psychological Review, vol. 5, pp. 451-462, 1898.

[Chen11a] W. P. Chen, B. R. Cheng, W. C. Ku, and Y. C. Yeh, “A graphical password scheme with dynamically adjustable resistance to login-recording attacks,” Proceedings of the 2011 National Computer Symposium, 2011.

[Chen11b] W. P. Chen, B. R. Cheng, W. C. Ku, and Y. C. Yeh, “A text-based graphical password scheme with resistance to login-recording attacks,” Proceedings of the 2011 Workshop on Consumer Electronics, 2011.

[Davi04] D. Davis, F. Monrose, and M. K. Reiter, “On user choice in graphical password schemes,” Proceedings of the 13th USENIX Security Symposium, 2004.

[Dham00a] R. Dhamija and A. Perrig, “Déjà Vu: A user study using images for authentication,” Proceedings of the 9th USENIX Security Symposium, 2000.

[Dham00b] R. Dhamija, “Hash visualization in user authentication,” Proceedings of the 2000 CHI, 2000.

[Gao09a] H. Gao, X. Liu, S. Wang, H. Liu, and R. Dai, “Design and analysis of a graphical password scheme,” Proceedings of Fourth International Conference on Innovative Computing, Information and Control, 2009.

[Gao09b] H. Gao, X. Liu, S. Wang, and R. Dai, “A new graphical scheme against spyware by using CAPTCHA,” Proceedings of the 2009 Symposium on Usable Privacy and Security, 2009.

[Grid08] GrIDsure, (http://www.gridsure.com).

[Goog11] Pattern Unlock, (http://iapp.com.tw/2011/11/google-pattern-unlock).

[Hart06] B. Hartanto, B. Santoso, and S. Welly, “The usage of graphical password as a replacement to the alphanumerical password,” Journal of Informatika, vol. 7, no. 2, pp. 91-97, 2006.

[Hoan05] B. Hoanca and K. Mock, “Screen oriented technique for reducing the incidence of shoulder surfing,” Proceedings of the International Conference on Security and Management, 2005.

[Hoan08] B. Hoanca and K. Mock, “Password entry scheme resistant to eavesdropping,” Proceedings of the International Conference on Security and Management, 2008.

[Jerm99] I. Jermyn, A. Mayer, F. Monrose, M. K. Reiter, and A. D. Rubin, “The design and analysis of graphical passwords,” Proceedings of the 8th USENIX Security Symposium, 1999.

[Koma08] S. Komanduri and D. Hutchings, “Order and entropy in picture passwords,” Proceedings of the Graphics Interface Conference, 2008.

[Kim11] S. H. Kim, J. W. Kim, S. Y. Kim, and H. G. Cho, “A new shoulder-surfing resistant password for

Management and Communication, 2011.

[Kim12] S. H. Kim and H. G. Cho, “Candidate password analysis of user-interactive password schemes,” Proceedings of the 2012 International Conference on Information and Computer Applications, 2012.

[Li05] Z. Li, Q. Sun, Y. Lian, and D. D. Giusto, “An association-based graphical password design resistant to shoulder-surfing attack,” Proceedings of the IEEE International Conference on Multimedia and Expo, 2005.

[Ma83] S. Madigan, “Picture memory,” Imagery, memory and cognition, pp. 65-89, 1983.

[Poin02] Pointsec for Pocket PC, Pointsec Mobile Technologies, 2002, (http://www.pointsec.com/).

[Pass05] Passlogix, (http://www.passlogix.com/).

[Real01] The Science Behind Passfaces, Real User Corporation, Sep. 2001, (http://www.realuser.com/published/ScienceBehindPassfaces.pdf).

[Sfr00] Visual key-Technology, sfr GmbH, 2000, (http://www.viskey.com/tech.html).

[Sobr02] L. Sobrado and J. C. Birget, “Graphical passwords,” The Rutgers Scholar, An Electronic Bulletin for Undergraduate Research, vol. 4, 2002.

[Sobr05] L. Sobrado and J. C. Birget, “Shoulder-surfing resistant graphical passwords ─ Draft,” 2005, (http://clam.rutgers.edu/~birget/grPssw/srgp.pdf).

[Sree11a] M. Sreelatha and M. Shashi, “A well known tool based graphical authentication technique,” Proceedings of the International Conference on Computer Science Engineering and Applications, pp. 97-104, 2011.

[Sree11b] M. Sreelatha, M. Shashi, M. Anirudh, M. Sultan Ahamer, and V. M. Kumar, “Authentication schemes for session passwords using color and images,” International Journal of Network Security & Its Applications, vol. 3, no. 3, pp. 111-119, 2011.

[Thor04] J. Thorpe and P. C. Van Oorschot, “Graphical dictionaries and the memorable space of graphical passwords,” Proceedings of the 13th USENIX Security Symposium, 2004.

[Wang10] L. Wang, X. Cheng, Z. Ren, H. Gao, X. Liu, and U. Aickelin, “Against spyware using CAPTCHA in graphical password scheme,” Proceedings of the 24th IEEE International Conference on Advanced Information Networking and Applications, 2010.

[Wied05] S. Wiedenbeck, J. Waters, J. C. Birget, A. Brodskiy, and N. Memon, “PassPoints: design and longitudinal evaluation of a graphical password system,” International Journal of Human Computer Studies, 2005.

[Wied06] S. Wiedenbeck, J. Waters, L. Sobrado, and J. C. Birget, “Design and evaluation of a shoulder-surfing resistant graphical password scheme,” Proceedings of the Advanced Visual Interfaces, 2006.

[Yama09] T. Yamamoto, Y. Kojima, and M. Nishigaki, “A shoulder-surfing-resistant image-based authentication system with temporal indirect image selection,” Proceedings of the 2009 International Conference on Security and Management, pp. 188-194, 2009.

[Zaid11] Z. Imran and R. Nizami, “Advance secure login,” International Journal of Scientific and Research Publications, vol. 1, 2011.

[Zhao07] H. Zhao and X. Li, “S3PAS: A scalable shoulder-surfing resistant textual-graphical password authentication scheme,” Proceedings of the 21st International Conference on Advanced Information Networking and Applications Workshops, vol. 2, pp. 467-472, 2007.

[Zheng09] Z. Zheng, X. Liu, L. Yin, and Z. Liu, “A stroke-based textual password authentication scheme,” First International Workshop on Education Technology and Computer Science, 2009.

[Zheng10] Z. Zheng, X. Liu, L. Yin, and Z. Liu, “A hybrid password authentication scheme based on shape and text,” Journal of Computers, vol. 5, no. 5, 2010.

Publication List

1. 鄭博仁、陳維屏、顧維祺、葉育彰, “Security and Usability Analysis of Login-Recording-Attack-Resistant Graphical Passwords,” Electronic Commerce Studies, 2012.

2. B. R. Cheng, W. C. Ku, and W. P. Chen, “An Efficient Login-Recording Attack Resistant Graphical Password Scheme-SectorLogin,” Proceedings of the 2010 Conference on Innovative Applications of Information Security Technology, 2010.

3. W. P. Chen, B. R. Cheng, W. C. Ku, and Y. C. Yeh, “A Graphical Password Scheme with Dynamically Adjustable Resistance to Login-Recording Attacks,” Proceedings of the 2011 National Computer Symposium, 2011.

4. W. P. Chen, B. R. Cheng, W. C. Ku, and Y. C. Yeh, “A Text-Based Graphical Password Scheme with Resistance to Login-Recording Attacks,” Proceedings of the 2011 Workshop on Consumer Electronics, 2011.

5. Y. C. Yeh, W. C. Ku, W. P. Chen, and Y. L. Chen, “An Easy-to-Use Login-Recording Attacks Resistant Password Scheme,” Proceedings of the 2011 Conference on Innovative Applications of Information Security Technology, 2011.

6. 陳維屏、顧維祺、葉育彰、陳奕綸, “A Text-Based Graphical Password System with Enhanced Resistance to Login-Recording Attacks,” 22nd Information Security Conference, 2012.

7. 鄭博仁、陳維屏、顧維祺、葉育彰, “Security and Usability Analysis of Login-Recording-Attack-Resistant Graphical Passwords,” 15th Conference on Electronic Commerce and 7th Academic Conference on Marketing, 2012.

8. Y. C. Yeh, W. C. Ku, W. P. Chen, and Y. L. Chen, “An Enhanced Simple Secure Remote Password Authentication Scheme Without Using Cryptography,” to be published in Proceedings of the First IEEE International Conference on Communications in China, 2012.
