
[Table: Comparison of the security and usability of each Flex-RotPIN security setting]

Chapter 5

Conclusion

During the login process, users may face the threat of capture attacks such as shoulder-surfing attacks, hidden-camera attacks, spyware attacks, and eavesdropping attacks. A capture attacker who records the user's login information has the opportunity to obtain the user's PIN directly, or to crack it indirectly through analysis and comparison of the recorded data. Because the traditional PIN-entry method cannot resist capture attacks, many researchers have proposed capture-attack-resistant PIN authentication designs to address this problem. However, some of the PIN authentication designs with stronger resistance to capture attacks have login interfaces and rules that are more complex, and therefore harder to operate and learn, so their usability is insufficient; conversely, some PIN authentication designs have simple, easy-to-operate login interfaces and rules, but weaker resistance to accidental login or capture attacks, that is, their security is insufficient. In this thesis, we first propose a capture-attack-resistant four-digit PIN authentication design, RotPIN (Rotary Personal Identification Number). Black digits and red digits are used to confuse the attacker and thereby strengthen resistance to capture attacks, while simple English letters on the login screen mark positions to help the user log in correctly and quickly. We also confirm through quantitative analysis that RotPIN provides basic resistance to capture attacks together with good usability. However, because a four-digit PIN authentication design cannot satisfy usage environments with higher security requirements, we further propose a more secure and flexible eight-digit PIN authentication design, Flex-RotPIN (Flexible RotPIN), in which the user can select an appropriate security setting according to the usage environment, and simple markings and hints on the login screen let the user log in correctly and quickly. We


List of Publications

1. Wei-Chi Ku, Yu-Chang Yeh, Bo-Ren Cheng, and Chia-Ju Chang, “A Sector-Based Graphical Password Scheme with Resistance to Login-Recording Attacks,” IEICE Transactions on Information and Systems, vol. E98-D, no. 4, pp. 894–901, April 2015. [full paper] (SCI, EI)

2. Chia-Ju Chang, Wei-Chi Ku, Hao-Jun Xu, and Pei-Jia Qiu, “A Flexible Capture Attacks Resistant 8-Digit PIN-Entry Method,” Proceedings of the 2015 Cryptology and Information Security Conference (CISC 2015), Kaohsiung, Taiwan, May 28–29, 2015. (Honorable Mention, Student Paper Award)

3. Pei-Jia Qiu, Wei-Chi Ku, Chia-Ju Chang, and Hao-Jun Xu, “An Observation Attacks Resistant Graphical Password Scheme Using Earphones,” Proceedings of the 2015 Cryptology and Information Security Conference (CISC 2015), Kaohsiung, Taiwan, May 28–29, 2015.

4. Chia-Ju Chang, Wei-Chi Ku, Hao-Jun Xu, and Pei-Jia Qiu, “A Simple Shoulder-Surfing Attacks Resistant PIN-Entry Method,” Proceedings of the 9th International Conference on Advanced Information Technologies, Taichung, Taiwan, April 24–25, 2015.

5. Pei-Jia Qiu, Wei-Chi Ku, Chia-Ju Chang, and Hao-Jun Xu, “An Enhanced Capture Attacks Resistant Graphical Password Scheme Based on Moving Icons,” Proceedings of the 9th International Conference on Advanced Information Technologies, Taichung, Taiwan, April 24–25, 2015.

6. Wei-Chi Ku, Dum-Min Liao, Chia-Ju Chang, and Pei-Jia Qiu, “An Enhanced Capture Attacks Resistant Text-Based Graphical Password Scheme,” Proceedings of the 2014 IEEE/CIC International Conference on Communications in China: Privacy and Security in Commutations (PSC), pp.204–208, Shanghai, China, Oct. 13–15, 2014.

7. D. M. Liao, W. C. Ku, C. J. Chang, and P. J. Qiu, “A High-Usability Capture Attacks Resistant Text-Based Graphical Password Scheme with Password Length Hiding Mechanism,” Proceedings of the 2014 Cryptology and Information Security Conference (CISC 2014), May 2014.

8. D. M. Liao, W. C. Ku, and C. J. Chang, “A Hybrid Capture Attacks Resistant Password Scheme Based on Texts and Graphics,” National Computer Symposium (NCS 2013), Taichung, Taiwan, Dec. 13–14, 2013.
