Design of Smartphone Authentication Mechanisms -...
TRANSCRIPT
-
http://tw.news.yahoo.com/article/url/d/a/110914/5/2yp2c.html
-
http://www.mobileindustryreview.com/2011/06/idcs-smartphone-forecast-55-increase-this-year-reckons-1-billion-will-ship-by-2015.html
OS               2011    2015
Android          38.9%   43.8%
BlackBerry OS    14.2%   13.4%
Symbian          20.6%   0.1%
iOS              18.2%   16.9%
Windows Mobile   3.8%    20.3%
Others           4.3%    5.5%
-
Android
2007/11 Google (Open Handset Alliance, OHA) Android
Linux
C/C++
Google Dalvik (Oracle JVM)
Java
IDE Eclipse
Linux Kernel
Libraries / Runtime
Application Framework
Applications
-
iOS
iPhone OS 2010/6 iOS
iPhone, iPod touch, iPad
Mac OS X
Objective-C
IDE Xcode
Cocoa Touch
Media
Core Services
Core OS
-
Windows Phone
Pocket PC Windows Mobile Windows Phone
Mango
Silverlight XNA
IDE Visual Studio
-
vs.
HTML 5
iPhone/iPad Android Canvas (Canvas Text API)
CSS3 Web Storage Web SQL Database Geolocation API
HTML5 iPhone, iPad, Android
-
Physical Security
Secure Data Storage
Strong Authentication with Poor Keyboard
Multiple User Support with Security
Safe Browsing Environment
Application Isolation
Information Disclosure
Virus, Worms, Trojans, Spyware, and Malware
Difficult Patching/Updating Process
Strict Use and Enforcement of SSL
Phishing
CSRF
Location Privacy/Security
Insecure Device Driver
Multiple Factor Authentication
Source: Mobile Application Security, 2010 (Himanshu Dwivedi, Chris Clark, David Thiel)
-
VPN
Internet
Intranet
VPN
-
NIST SP 800-63
1
2
3 (Two-Factor)
(What you know?) (What you have?) (Who you are?)
4 (Token)
-
1.
2.
3.
4. Token
5. Token
6. Token
7. Token
-
Two Factor
1.
2.
3.
4.
-
OTP
1.
2.
3.
4. OTP
OTP
-
1.
2.
3.
4.
-
Ex.
1.
2.
3.
4.
[ SD ]
-
PKI
JB root
-
USB Mini-USB Micro-USB USB
-
1.
2.
3.
-
OTP
-
1. ()
2.
/
3.
4. Token
5. Token
-
(1/2)
/
1.
2.
3. App
4.
5.
6.
App
-
(2/2)
1.
2.
3.
4.
5. TokenToken Token
6. Token
7. Token ( Token )
8.
/
-
Ex. OpenID OAuth
-
1. ID
2.
3.
4.
-
/
1.
2. Token
3.
4.
5.
-
API
Google Facebook API
App
IPC
-
1.
2. Token
3.
4.
-
Oops
-
1. App
1.
2a. Token
2b. ID
3. App
4. Token App
5. App
6. Token
-
1.
2.
3. ID
4. TokenToken
5. ID, Token Token ()
6. Token