Design and Implementation of a Dynamic Password Authentication Platform Based on the OAuth Protocol
Published: 2018-12-06 07:22
[Abstract]: As the Internet has developed, openness has become an inevitable trend, and the major Internet companies have each launched their own open platforms. An open platform packages its services as a unified interface that is open to third parties, who can build applications on top of that interface. In this process, the trust relationship between the user, the third party and the open platform is mainly established through OAuth authorization. The advantage of the OAuth protocol is that a third party can use a user's resources on the target website without learning the user's account name and password on that site, which is why the major Internet vendors have adopted it so widely. OAuth, however, is an authorization protocol rather than an authentication protocol, so its security problems have come to light along with its widespread use; whether OAuth 2.0 or OAuth 1.0, these security problems will hinder its development.

On the basis of an in-depth study of the OAuth protocol, identity authentication technology and dynamic password technology, this thesis first carries out a BAN-logic formal analysis of the OAuth protocol together with a detailed analysis of the four OAuth 2.0 authorization modes in order to locate the root causes of the security problems. Second, it combines dynamic passwords, application broadcast, logging and related techniques and theory in an attempt to remedy the security problems found in OAuth. Third, it presents the preceding results in the form of a platform and designs the modules involved, such as the dynamic password implementation, the OAuth authorization implementation and the REST web services; this includes comparing the strengths and weaknesses of different identity authentication technologies and different password authentication technologies, selecting a suitable and sound authentication method, designing the password generation algorithm, designing the basic password authentication flow, and designing the access token and authorization code. Finally, the platform designed above is implemented in Java, yielding a secure, reliable, open and highly extensible platform.

The OAuth-based dynamic password platform can, on the one hand, provide sound identity authentication to meet security requirements; on the other hand, it enables the sharing of user data, raises the utilisation of network resources, lowers the cost to platforms of developing and maintaining their own user management systems, and spares users the account registration step. Moreover, the OAuth protocol is improved by adding dynamic authentication, so that attackers cannot hijack user accounts through XSS, CSRF and similar attacks, allowing unified identity authentication and permission management for users.
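The following Python sketch is an added example, not the thesis's own Java code: it shows the core of the design the abstract describes, an authorization-code flow in which the server verifies an RFC 6238 dynamic password before issuing a code, binds the code to the client and its registered redirect URI, makes it single-use and short-lived, and echoes the client's `state` nonce so the client can detect a CSRF-injected response. Class, field and parameter names (`AuthorizationServer`, `redirects`, `seeds`, `code_ttl`) are assumptions, as is the constructed client and user data in the test.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second time step."""
    return hotp(seed, now // step)


@dataclass
class AuthorizationServer:
    """Constructed stand-in for the platform's OAuth authorization and token endpoints."""
    redirects: dict                   # client_id -> registered redirect_uri
    seeds: dict                       # user -> OTP seed shared with the user's token device
    codes: dict = field(default_factory=dict)   # outstanding authorization codes
    code_ttl: int = 60                # seconds an authorization code stays exchangeable

    def authorize(self, user, otp, client_id, redirect_uri, state, now):
        """Issue an authorization code only after a fresh dynamic password is verified."""
        if redirect_uri != self.redirects.get(client_id):
            return None               # unregistered redirect: the code would leak to a third party
        seed = self.seeds.get(user)
        if seed is None or not hmac.compare_digest(totp(seed, now), otp):
            return None               # wrong (or stale) dynamic password
        code = secrets.token_urlsafe(32)
        self.codes[code] = (user, client_id, redirect_uri, now)
        return {"code": code, "state": state}   # client must compare state with its own nonce

    def exchange(self, code, client_id, redirect_uri, now):
        """Swap a code for an access token; the code is single-use and bound to its client."""
        entry = self.codes.pop(code, None)      # pop: a second exchange of the same code fails
        if entry is None:
            return None
        user, issued_to, issued_uri, issued_at = entry
        if issued_to != client_id or issued_uri != redirect_uri or now - issued_at > self.code_ttl:
            return None
        return {"access_token": secrets.token_urlsafe(32), "sub": user}
```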
[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.04
Article number: 2365651
Article link: https://www.wllwen.com/guanlilunwen/ydhl/2365651.html