Design and Implementation of a Dynamic Password Authentication Platform Based on the OAuth Protocol
Published: 2018-12-06 07:22
[Abstract]: As the Internet has developed, openness has become an inevitable trend, and the large Internet companies have each launched open platforms. An open platform wraps its services as a unified interface that is open to third parties, who can build applications on top of it. In this arrangement the trust relationship between the user, the third party and the open platform is established mainly through OAuth authorization. The advantage of OAuth is that a third party can use a user's resources on the target site without learning the user's account name and password on that site, which is why the major Internet vendors have adopted it so widely. OAuth, however, is an authorization protocol rather than an authentication protocol, and its security problems have surfaced along with its widespread use: for OAuth 2.0 and OAuth 1.0 alike, these problems stand in the way of its further development.
Building on a study of the OAuth protocol, identity authentication techniques and dynamic password (one-time password) techniques, this thesis first carries out a formal analysis of OAuth using BAN logic, together with a detailed analysis of the four authorization grant types of OAuth 2.0, in order to locate the root of the security problems. Second, it draws on dynamic passwords, application broadcast, logging and related techniques to remedy the security problems identified in OAuth. Third, it presents the results as a platform and designs its modules, including the dynamic password implementation, the OAuth authorization implementation and REST web services; this covers comparing the strengths and weaknesses of different identity authentication and password authentication techniques, selecting a suitable and robust authentication method, designing the password generation algorithm, designing the basic password authentication flow, and designing the access token and authorization code. Finally, the platform is implemented in Java, yielding a secure, reliable and open platform with strong extensibility.
The OAuth-based dynamic password platform provides, on the one hand, robust identity authentication that meets the security requirements; on the other hand it allows user profile data to be shared, improving the utilization of network resources, lowering the cost to a platform of developing and maintaining its own user management system, and sparing users a separate registration step. By extending OAuth with dynamic authentication, it prevents an attacker from hijacking user accounts via XSS, CSRF and similar attacks, and so provides unified identity authentication and permission management for users.
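The abstract names the pieces the platform combines (a one-time password check at login, an authorization code exchanged for an access token, and protection against CSRF hijacking of the OAuth redirect) without showing how they fit together. The following is an added example written for this page, not code from the thesis: an in-memory OAuth 2.0 authorization server whose authorization-code grant is gated behind a one-time password. It assumes RFC 4226 HOTP as the dynamic-password scheme (the thesis designs its own generator), and all client names, user names, secrets, salts and URLs are constructed for the example. It demonstrates the three properties the design relies on: a used OTP counter value is never accepted again, an authorization code is consumed exactly once and only by the client and redirect URI it was issued for, and a request without the client's CSRF `state` nonce is refused.

```python
"""Added example, not code from the thesis: an in-memory OAuth 2.0 authorization
server whose authorization-code grant is gated behind a one-time password.
Assumptions: the OTP scheme is RFC 4226 HOTP (the thesis designs its own generator);
client/user names, secrets, salts and URLs are constructed for the example."""
import hashlib, hmac, secrets, struct, time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def pw_hash(password: str, salt: bytes) -> bytes:
    """Password verifier; the server never stores the plaintext the OTP protects."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthServer:
    def __init__(self, clients, users, code_ttl=60, now=time.time):
        self.clients = clients      # client_id -> {"secret", "redirect_uri"}
        self.users = users          # user -> {"salt", "pw", "otp_secret", "counter"}
        self.codes, self.tokens = {}, {}
        self.code_ttl, self.now = code_ttl, now

    def authorize(self, client_id, redirect_uri, state, user, password, otp, look_ahead=3):
        """Front channel: password + HOTP, then a code bound to client and redirect URI."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        if not state:  # the client's CSRF nonce must round-trip through the redirect
            raise PermissionError("state is required")
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec["pw"], pw_hash(password, rec["salt"])):
            raise PermissionError("bad credentials")
        for c in range(rec["counter"], rec["counter"] + look_ahead):
            if hmac.compare_digest(hotp(rec["otp_secret"], c), otp):
                rec["counter"] = c + 1  # a used counter value can never be accepted again
                break
        else:
            raise PermissionError("bad or replayed one-time password")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"user": user, "client_id": client_id, "redirect_uri": redirect_uri,
                            "expires": self.now() + self.code_ttl}
        return code, state  # both go back on the redirect; the client compares state

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back channel: authenticate the client and consume the code exactly once."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")
        rec = self.codes.pop(code, None)  # pop: a replayed code finds nothing
        if rec is None or rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid code")
        if self.now() > rec["expires"]:
            raise PermissionError("code expired")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": rec["user"], "client_id": client_id}
        return token

    def resource(self, token):
        """Resource server side: map a bearer token back to the user it was issued for."""
        info = self.tokens.get(token)
        if info is None:
            raise PermissionError("invalid access token")
        return info["user"]


def demo():
    """Happy path, then the three rejections the design relies on (constructed data)."""
    otp_secret, salt = b"12345678901234567890", b"constructed-salt"
    srv = AuthServer(
        clients={"app1": {"secret": "app1-secret", "redirect_uri": "https://app.example/cb"}},
        users={"alice": {"salt": salt, "pw": pw_hash("hunter2", salt),
                         "otp_secret": otp_secret, "counter": 0}})
    state = secrets.token_urlsafe(16)  # minted and remembered by the client app
    code, back = srv.authorize("app1", "https://app.example/cb", state,
                               "alice", "hunter2", hotp(otp_secret, 0))
    out = {"state_ok": hmac.compare_digest(state, back)}  # client-side CSRF check
    tok = srv.token("app1", "app1-secret", code, "https://app.example/cb")
    out["user"] = srv.resource(tok)

    def rejected(fn, *args):
        try:
            fn(*args)
            return False
        except PermissionError:
            return True
    out["code_replay_rejected"] = rejected(srv.token, "app1", "app1-secret", code,
                                           "https://app.example/cb")
    out["otp_replay_rejected"] = rejected(srv.authorize, "app1", "https://app.example/cb",
                                          state, "alice", "hunter2", hotp(otp_secret, 0))
    out["missing_state_rejected"] = rejected(srv.authorize, "app1", "https://app.example/cb",
                                             "", "alice", "hunter2", hotp(otp_secret, 1))
    return out
```

Running `demo()` returns a dictionary whose `user` entry is `"alice"` and whose three `*_rejected` flags are all true. The `state` value is generated by the client application and compared on return, which is what defeats a CSRF attack that tries to complete the redirect with an attacker-chosen code; the server's only job is to refuse requests that omit it. The HOTP look-ahead window tolerates a few skipped codes on the token side while still advancing the stored counter past any value that has been accepted.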
[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.04
Article number: 2365651
Link to this article: http://sikaile.net/guanlilunwen/ydhl/2365651.html