FIDO U2F伺服器端的實作和分析

Abstract

近年來，各式各樣的網路服務發展迅速，電子訊息。電子支付。網路交易。的出現，提高了使用者的方便性，卻也增加了相應的安全性隱憂，安全性多依賴於密碼的複雜程度，但密碼的複雜性卻取決於使用者的設定。因此為了增加安全性，產生了二步驟驗證的驗證方式。目前來說，二步驟驗證方式又分為 SMS簡訊傳送驗證碼，應用程式產生驗證碼，電子郵件傳送驗證碼等方式，多依賴於其他的途徑產生驗證碼後，再做確認從而達到第二步驟的驗證。有鑒於皆須仰賴其他的傳送途徑，FIDO聯盟因而提出了一種全新的驗證方式U2F，使用橢圓曲線數位簽章的驗證方式，不需要仰賴於其他傳送途徑且極其安全的二步驟驗證，本篇論文著重於伺服器端，也就是服務提供方面的實作和分析。

Many internet services grow fast in recent decades, such as e-mail, electronic payment and e-commerce. The services bring people a more convenient shopping way. However, the services also come with more security concerns. The level of the security was traditionally only decided by the complexity of a user’s password. To enhance the security, the 2-step verification was introduced. The 2-step verification is to deliver a set of the verification code to the users, and let the users to pass the code back to the server for the identity verification. The common ways for doing the 2-step verification include by SMS, by authenticator application, and by email. As all the ways listed above rely on the operation of other services, FIDO (Fast Identity Online) Alliance [1] proposed a new way called U2F (Universal Second Factor) [2] for the 2-step verification. The U2F verification was based on ECDSA (Elliptic Curve Digital Signature Algorithm) [3] and did not need a user to get the verification code from any other way. This thesis is focus on the implementation of the U2F verification from the server side and the analysis of the verification’s performance.