Design and Implementation of a Dynamic Password Authentication Platform Based on the OAUTH Protocol
[Abstract]: As the Internet has developed, openness has become an inevitable trend, and Internet companies have launched their own open platforms. An open platform wraps its services in a unified interface that is open to third parties, who can develop applications on top of it. In this process, the trust mechanism between the user, the third party and the open platform mainly relies on the OAUTH authorization model. The advantage of the OAUTH protocol is that the third party can use the user's resources on the target website without knowing the user's account name and password for that site, so it has been favored by major Internet vendors and is widely used. However, OAUTH is an authorization protocol rather than an authentication protocol, and its security problems have been exposed as its use has spread. Whether in OAUTH 2.0 or OAUTH 1.0, security issues hinder its development. Building on in-depth research into the OAUTH protocol, identity authentication technology and dynamic password technology, this thesis first carries out a formal BAN logic analysis of the OAUTH protocol and a detailed analysis of the four authorization modes of OAUTH 2.0 to find the root of the security problems. Second, it combines dynamic passwords, broadcast, logging and other related technologies and theories to try to remedy the security problems in the OAUTH protocol. Furthermore, the preceding research results are presented in the form of a platform, and the related modules of the platform are designed, such as the dynamic password implementation, the OAUTH authorization implementation, and REST web services.
The design work includes comparing the advantages and disadvantages of different authentication technologies and password authentication technologies, selecting appropriate and sound authentication methods, and designing the password generation algorithm, the basic password authentication flow, and the access token and authorization code. Finally, the platform designed in this thesis is implemented in Java; it is safe, reliable, open and highly extensible. On the one hand, the dynamic password platform based on the OAUTH protocol provides sound identity authentication that meets security requirements. On the other hand, it enables sharing of user data, improves the utilization of network resources, reduces the cost of developing and maintaining a user management system, and saves users the account registration step. The OAUTH protocol is improved and dynamic authentication is added to prevent an attacker from using XSS or CSRF to hijack the user account, and to unify identity authentication and authority management for users.
[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree level]: Master's
[Year degree awarded]: 2014
[Classification number]: TP393.04