| Graduate student: | 蘇之彧 Su, Chih-Yu |
|---|---|
| Thesis title: | 具備安全多因子認證協定之個人網路存取控制模組 / Design of a per-user-based Network Access Control (NAC) Module with a Secure Multi-Factor Authentication Protocol |
| Advisor: | 鄭憲宗 Cheng, Sheng-Tzong |
| Degree: | Master |
| Department: | College of Electrical Engineering and Computer Science, Department of Computer Science and Information Engineering |
| Year of publication: | 2020 |
| Academic year of graduation: | 108 (ROC calendar; 2019-2020) |
| Language: | English |
| Pages: | 69 |
| Keywords: | Network Access Control, Network Security, Linux Security Module, Multi-Factor Authentication, Security Key |
With the growth of the Internet, attacks delivered over the network have multiplied. Controlling network permissions reduces the chance that such attacks succeed: exploiting a vulnerable server, recruiting a machine into a botnet, or exfiltrating sensitive data over the network is easier when no network access control (NAC) is in place. Yet there is still no mechanism that controls network permissions directly from the operating system kernel and grants different users different network permissions without depending on the operating system's own user-account mechanism. The per-user-based NAC module proposed here takes the user and the machine as the subjects of control on a machine shared by several users: it loads each user's signature-protected permission rules and enforces them directly from the Linux kernel. To verify the user's identity and resist a range of attacks, it uses a USB security key together with the machine's output devices or the user's smartphone, and we propose an authentication protocol among the kernel, the USB security key and the user's phone that runs across an untrusted user space. Even when user space is compromised, only authorized users can obtain their corresponding network privileges.
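The decision the abstract places in the kernel module (consult the user's signed rule set, enforce from the kernel, give a user nothing when no verified rule set is present) is shown below as an added user-space C model. This is not the thesis's code: the rule format, the uid values, the constructed sample policy and every function name are assumptions of the illustration. A real LSM implementation would register a `socket_connect` hook that receives the `struct socket` and `struct sockaddr` and reads `current_uid()`; here those inputs are plain integers so the logic compiles and runs with gcc.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not code from the thesis. A user-space model of the
 * allow/deny decision a per-user NAC module would take inside an LSM
 * socket_connect hook. The rule format, the uid values, the sample policy
 * and all names here are assumptions of this example. */

enum nac_proto { NAC_PROTO_ANY = 0, NAC_PROTO_TCP = 6, NAC_PROTO_UDP = 17 };
enum nac_verdict { NAC_DENY = 0, NAC_ALLOW = 1 };

struct nac_rule {
    uint32_t net;       /* destination network, host byte order */
    uint8_t  prefix;    /* CIDR prefix length; 0 matches any address */
    uint16_t port_lo;   /* inclusive destination port range */
    uint16_t port_hi;
    uint8_t  proto;     /* enum nac_proto */
    uint8_t  verdict;   /* enum nac_verdict */
};

/* One signed rule set per user. In the kernel the signature would be
 * checked when the set is loaded; here the outcome is a flag so the
 * fail-closed behaviour can be exercised. */
struct nac_ruleset {
    uint32_t uid;
    bool     signature_ok;
    const struct nac_rule *rules;
    size_t   nrules;
};

static uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

static bool in_net(uint32_t addr, uint32_t net, uint8_t prefix)
{
    if (prefix == 0)
        return true;
    uint32_t mask = prefix >= 32 ? 0xffffffffu : ~((1u << (32 - prefix)) - 1u);
    return (addr & mask) == (net & mask);
}

/* Decision for one connect() attempt. First matching rule wins; a user
 * without a loaded rule set, or whose set failed signature verification,
 * gets no network at all (default deny). */
int nac_socket_connect(const struct nac_ruleset *sets, size_t nsets,
                       uint32_t uid, uint32_t daddr, uint16_t dport,
                       uint8_t proto)
{
    for (size_t i = 0; i < nsets; i++) {
        const struct nac_ruleset *s = &sets[i];
        if (s->uid != uid)
            continue;
        if (!s->signature_ok)
            return NAC_DENY;          /* tampered or unsigned policy: fail closed */
        for (size_t j = 0; j < s->nrules; j++) {
            const struct nac_rule *r = &s->rules[j];
            if (r->proto != NAC_PROTO_ANY && r->proto != proto)
                continue;
            if (!in_net(daddr, r->net, r->prefix))
                continue;
            if (dport < r->port_lo || dport > r->port_hi)
                continue;
            return r->verdict;
        }
        return NAC_DENY;              /* signed set, but nothing matched */
    }
    return NAC_DENY;                  /* no rule set loaded for this user */
}

/* Constructed sample policy (assumed uids): uid 1000 may reach TCP/443
 * inside 10.0.0.0/8 and the resolver 10.0.0.53 over UDP/53; uid 1001 has
 * a rule set whose signature did not verify. */
static const struct nac_rule rules_uid1000[] = {
    { 0x0A000000u, 8,  443, 443, NAC_PROTO_TCP, NAC_ALLOW },
    { 0x0A000035u, 32, 53,  53,  NAC_PROTO_UDP, NAC_ALLOW },
};
static const struct nac_ruleset nac_sample_policy[] = {
    { 1000, true,  rules_uid1000, sizeof rules_uid1000 / sizeof rules_uid1000[0] },
    { 1001, false, rules_uid1000, sizeof rules_uid1000 / sizeof rules_uid1000[0] },
};

/* Convenience wrapper over the sample policy. */
int nac_check(uint32_t uid, uint32_t daddr, uint16_t dport, uint8_t proto)
{
    return nac_socket_connect(nac_sample_policy,
                              sizeof nac_sample_policy / sizeof nac_sample_policy[0],
                              uid, daddr, dport, proto);
}

int main(void)
{
    printf("uid 1000 -> 10.1.2.3:443/tcp : %s\n",
           nac_check(1000, ip4(10, 1, 2, 3), 443, NAC_PROTO_TCP) ? "allow" : "deny");
    printf("uid 1000 -> 8.8.8.8:443/tcp  : %s\n",
           nac_check(1000, ip4(8, 8, 8, 8), 443, NAC_PROTO_TCP) ? "allow" : "deny");
    printf("uid 1001 -> 10.1.2.3:443/tcp : %s (unsigned rule set)\n",
           nac_check(1001, ip4(10, 1, 2, 3), 443, NAC_PROTO_TCP) ? "allow" : "deny");
    return 0;
}
```

The point worth carrying over to a real module is the three deny paths: a user with no loaded policy, a policy whose signature did not verify, and a signed policy with no matching rule all end in `NAC_DENY`. Because the rule set is checked and held in the kernel, a compromised user-space process cannot widen a user's permissions by editing the rules; it can at most present an unsigned set, which the hook treats as no set at all.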