Title

Improving Personal Identity Authentication in the Cloud (雲端個人身分鑑別的改善)

Parallel title

Improve User Authentication in Cloud Computing

Authors

葉慈章(Yeh, Tzu-Chang);蔡峻福(Tsai, Jiun-Fu);詹雅鈞(Chan, Ya-Chun)

Keywords

Cloud computing ; Authentication ; Single Sign-On ; OAuth

Journal

明新學報

Volume and issue / Publication date

Vol. 42, No. 2 (2016 / 08 / 01)

Pages

119 - 137

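Language

Traditional Chinese

Chinese abstract

Cloud computing lets users dynamically draw on the cloud's unlimited resources over the network, anytime and anywhere, from any Internet-connected device, greatly reducing the time and cost of building, operating and maintaining systems. Moving the application software and sensitive data that users work with from a closed environment under their own control to the open cloud raises many new security and privacy concerns. This paper analyzes in detail OAuth, currently the most widely used cloud single sign-on mechanism, examines the security problems that developers are prone to introduce when setting up websites, and proposes improvements, in the hope that users gain a clearer understanding of identity authentication in the cloud and more confidence in cloud services.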

English abstract

Cloud computing is a way to let users dynamically access unlimited resources anytime, anywhere, through the Internet using various Internet-enabled devices. The cost and time of system implementation and maintenance can thus be reduced, and the risk can be lowered. Moving the applications and sensitive data of individual users and enterprise users from closed environments to open cloud environments raises many new concerns about security and privacy. This paper analyzes the problems of the most widely used single sign-on mechanism, OAuth, and then proposes solutions to the above-mentioned problems. It is hoped that the risks of user authentication in cloud computing will be understood in more detail, and that users' confidence in adopting cloud services can thus be increased.

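Subject classification

Humanities > Humanities (General)
Basic and Applied Sciences > Basic and Applied Sciences (General)
Engineering > Engineering (General)
Social Sciences > Social Sciences (General)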