學術產出-學位論文
文章檢視/開啟
書目匯出
-
題名 加密貨幣交易平台之私鑰管理
Key management for cryptocurrency exchange platform作者 李依珊
Lee, Yi-Shan貢獻者 左瑞麟
Tso, Ray-Lin
李依珊
Lee, Yi-Shan關鍵詞 加密貨幣交易平台
金鑰管理
秘密分享
Cryptocurrency exchange platform
Key management
Secret sharing
FIDO日期 2019 上傳時間 7-八月-2019 17:08:09 (UTC+8) 摘要 近幾年加密貨幣與區塊鏈的話題倍受矚目,國內外加密貨幣交易平台亦紛紛設立,但其安全性問題也逐漸浮上檯面,由於現行有許多加密貨幣交易平台是中心化運作,除了扮演了資金託管的角色,甚至也保管了用戶錢包金鑰,因此而造成國內外多起駭客攻擊盜取金鑰之案件,導致用戶的加密貨幣遭移轉而損失慘重。另一方面,因私鑰遺失造成損失的消息也是不時出現在新聞媒體中,故金鑰保管在此領域中是相當重要的議題。本研究將先針對加密貨幣、交易所及交易平台之資訊進行蒐集,並針對金鑰保管之流程進行改良,使用秘密分享(Secret Sharing)方法,設計結合FIDO標準之身分辨識機制,讓用戶能夠使用密碼或FIDO之辨識機制登入或轉帳,避免因密碼遺失而造成損失。此外,本研究透過密碼延伸PBKDF2方法,將用戶密碼複雜化後再用於金鑰加密,可確保交易平台管理者無法取得或使用用戶之金鑰,以強化金鑰保管的隱私性與安全性。研究實作主要開發註冊、登入與密碼變更等功能,實際驗證將金鑰進行秘密分享、加密與還原等流程,皆能如設計運作完成。
In recent years, the topic of cryptocurrency and blockchain has attracted much attention. Domestic and foreign cryptocurrency exchange platforms have been set up, but their security issues have gradually surfaced. There are many cryptocurrency exchange platforms that are centralized, in addition to providing cryptocurrency hosting services, and also keeping the user`s wallet private key, thus causing many hackers to attack and steal keys. The user`s cryptocurrency was transferred and suffered heavy losses. On the other hand, the message of loss due to the loss of the private key is also frequently found in the news media, so key management is a very important issue.This research will first collect information on cryptocurrencies, exchanges and platforms, then improve the key management process, and use the Secret Sharing method to design an identity identification mechanism that combines the FIDO standard to enable users to use a password or FIDO identification mechanism to login or transfer to avoid loss due to lost password. In addition, this research uses "PBKDF2" method to protect the user`s password and then use it for key encryption to ensure that the exchange platform administrator cannot obtain and use the user`s private key to enhance the privacy and security of private key management.We successfully completed the secret sharing, encryption and recovery process of the key according to the design, and implemented functions such as registration, login and password change of the system in this research.參考文獻 [1] 北美智權報213期,ICO監管,關鍵得靠業者自律,Retrieved February 16 2019, from: http://www.naipo.com/Portals/1/web_tw/Knowledge_Center/Industry_Economy/IPNC_180613_0703.htm[2] 金融監督管理委員會重要公告, 金管會107年重要施政成果及108年工作重點, Retrieved February 16 2019, from: https://www.fsc.gov.tw/ch/home.jsp?id=97&parentpath=0,2&mcustomize=multimessage_view.jsp&dataserno=201901280001&dtable=Bulletin&aplistdn=ou=bulletin,ou=multisite,ou=chinese,ou=ap_root,o=fsc,c=tw[3] ABC News, Retrieved March 9 2019, from: https://www.abc.net.au/news/2018-01-28/coincheck-worlds-biggest-cryptocurrency-hack/9368056?pfmredir=sm[4] CCN News, Retrieved March 9 2019, from: https://www.ccn.com/17-million-nano-xrb-lost-on-bitgrail-exchange[5] Business Korea, Retrieved March 9 2019, from: http://www.businesskorea.co.kr/news/articleView.html?idxno=29374[6] The Wall Street Journal, Retrieved March 9 2019, from: https://www.wsj.com/articles/a-crypto-mystery-is-140-million-stuck-or-missing-11549449001[7] Satoshi Nakamoto, (2008), Bitcoin-A Peer-to-Peer Electronic Cash System, Retrieved February 16 2019, from: https://bitcoin.org/bitcoin.pdf[8] 商業周刊1600期,2018.07,區塊鏈活用指南,page 80-81.[9] 科學人雜誌No.192,2018.02,鑄造全新貨幣秩序特別報導,page 32-35.[10] Scott Vanstone, (July 1992), Responses to NIST`s Proposal, Communications of the ACM, Retrieved February 16 2019, from: https://dl.acm.org/citation.cfm?id=129905[11] 國家發展委員會重大政策,智慧政府推動策略計畫,Retrieved February 16 2019, from: https://www.ndc.gov.tw/Content_List.aspx?n=589F7971894A9B51&upn=4ACC9949162C6856[12] Trade Tech–A New Age for Trade and Supply Chain Finance, Retrieved February 16 2019, from: http://www3.weforum.org/docs/WEF_White_Paper_Trade_Tech_.pdf[13] Building Block(chain)s for a Better Planet, Retrieved February 16 2019, from: http://www3.weforum.org/docs/WEF_Building-Blockchains.pdf[14] iThome News, Retrieved March 9 2019, from: https://www.ithome.com.tw/news/115341[15] Business Insider News, Retrieved March 9 2019, from: https://www.businessinsider.com/dao-hacked-ethereum-crashing-in-value-tens-of-millions-allegedly-stolen-2016-6[16] Nick Szabo, (1994). Smart Contracts, Retrieved February 16 2019, from: https://web.archive.org/web/20011102030833/http://szabo.best.vwh.net:80/smart.contracts.html[17] Vitalik Buterin, (2013), Ethereum White Paper - A Next Generation Smart Contract & Decentralized Application Platform, Retrieved February 16 2019, from: http://blockchainlab.com/pdf/Ethereum_white_paper-a_next_generation_smart_contract_and_decentralized_application_platform-vitalik-buterin.pdf[18] 經濟日報, Retrieved March 9 2019,from: https://money.udn.com/money/story/5613/3675743[19] LocalEthereum Witepaper, Retrieved April 14 2019, From: https://whitepaper.localethereum.com/[20] 橢圓曲線Diffie-Hellman, Retrieved April 14 2019, From: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange[21] Alliance Overview, Retrieved February 16 2019, from: https://fidoalliance.org/overview/[22] FIDO UAF Architectural Overview(Draft 02), Retrieved February 16 2019, from: https://fidoalliance.org/specs/fido-uaf-v1.1-id-20170202/fido-uaf-overview-v1.1-id-20170202.html[23] FIDO2 Project, Retrieved February 16 2019, from: https://fidoalliance.org/fido2/[24] Web Authentication: An API for accessing Public Key Credentials Level 1, Retrieved February 16 2019, from: https://www.w3.org/TR/webauthn/[25] Client to Authenticator Protocol (CTAP), Retrieved February 16 2019, from: https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html[26] W3C and FIDO Alliance Finalize Web Standard for Secure, Retrieved April 20 2019, From: https://www.w3.org/2019/03/pressrelease-webauthn-rec.html[27] G. R. Blakley, (1979), Safeguarding Cryptographic Keys, in Proc. AFIPS 1979 NCC, vol. 48, pp. 313-317.[28] A. Shamir, (1979), How to Share a Secret, Communications of the ACM, vol. 22, pp. 612-613.[29] RONG Hui-gui, MO Jin-xia, CHANG Bing-guo, SUN Guang, LONG Fei, (2015), Key distribution and recovery algorithm based on Shamir`s secret sharing, Journal on Communications, vol. 36, page 1-6.[30] F. Yao, Frances & Lisa Yin, Yiqun. (2005). Design and Analysis of Password-Based Key Derivation Functions. IEEE Transactions on Information Theory - TIT. 51. 245-261. 10.1109/TIT.2005.853307.[31] 比特幣-台灣 Bitcoin-tw.com, Retrieved February 24 2019, from: http://www.bitcoin-tw.com/bitcoin-risks.html[32] 趨勢科技2019年資安預測, Retrieved April 20 2019 , From: https://www.trendmicro.com/content/dam/trendmicro/global/zh_tw/security-intelligence/research/reports/rpt_2019-Security-Prediction-Mapping-the-Future_C.pdf[33] FIDO Alliance FIDO的工作原理, Retrieved April 20 2019 , From: https://fidoalliance.org/fido-%E7%9A%84%E4%B8%8E%E4%BC%97%E4%B8%8D%E5%90%8C%E4%B9%8B%E5%A4%84/?lang=zh-hans[34] White Paper: FIDO UAF and PKI in Asia – Case Study and Recommendations, Retrieved April 20 2019 , From: https://fidoalliance.org/white-paper-fido-uaf-and-pki-in-asia-case-study-and-recommendations/?lang=zh-hans 描述 碩士
國立政治大學
資訊科學系碩士在職專班
106971006資料來源 http://thesis.lib.nccu.edu.tw/record/#G0106971006 資料類型 thesis dc.contributor.advisor 左瑞麟 zh_TW dc.contributor.advisor Tso, Ray-Lin en_US dc.contributor.author (作者) 李依珊 zh_TW dc.contributor.author (作者) Lee, Yi-Shan en_US dc.creator (作者) 李依珊 zh_TW dc.creator (作者) Lee, Yi-Shan en_US dc.date (日期) 2019 en_US dc.date.accessioned 7-八月-2019 17:08:09 (UTC+8) - dc.date.available 7-八月-2019 17:08:09 (UTC+8) - dc.date.issued (上傳時間) 7-八月-2019 17:08:09 (UTC+8) - dc.identifier (其他 識別碼) G0106971006 en_US dc.identifier.uri (URI) http://nccur.lib.nccu.edu.tw/handle/140.119/125046 - dc.description (描述) 碩士 zh_TW dc.description (描述) 國立政治大學 zh_TW dc.description (描述) 資訊科學系碩士在職專班 zh_TW dc.description (描述) 106971006 zh_TW dc.description.abstract (摘要) 近幾年加密貨幣與區塊鏈的話題倍受矚目,國內外加密貨幣交易平台亦紛紛設立,但其安全性問題也逐漸浮上檯面,由於現行有許多加密貨幣交易平台是中心化運作,除了扮演了資金託管的角色,甚至也保管了用戶錢包金鑰,因此而造成國內外多起駭客攻擊盜取金鑰之案件,導致用戶的加密貨幣遭移轉而損失慘重。另一方面,因私鑰遺失造成損失的消息也是不時出現在新聞媒體中,故金鑰保管在此領域中是相當重要的議題。本研究將先針對加密貨幣、交易所及交易平台之資訊進行蒐集,並針對金鑰保管之流程進行改良,使用秘密分享(Secret Sharing)方法,設計結合FIDO標準之身分辨識機制,讓用戶能夠使用密碼或FIDO之辨識機制登入或轉帳,避免因密碼遺失而造成損失。此外,本研究透過密碼延伸PBKDF2方法,將用戶密碼複雜化後再用於金鑰加密,可確保交易平台管理者無法取得或使用用戶之金鑰,以強化金鑰保管的隱私性與安全性。研究實作主要開發註冊、登入與密碼變更等功能,實際驗證將金鑰進行秘密分享、加密與還原等流程,皆能如設計運作完成。 zh_TW dc.description.abstract (摘要) In recent years, the topic of cryptocurrency and blockchain has attracted much attention. Domestic and foreign cryptocurrency exchange platforms have been set up, but their security issues have gradually surfaced. There are many cryptocurrency exchange platforms that are centralized, in addition to providing cryptocurrency hosting services, and also keeping the user`s wallet private key, thus causing many hackers to attack and steal keys. The user`s cryptocurrency was transferred and suffered heavy losses. On the other hand, the message of loss due to the loss of the private key is also frequently found in the news media, so key management is a very important issue.This research will first collect information on cryptocurrencies, exchanges and platforms, then improve the key management process, and use the Secret Sharing method to design an identity identification mechanism that combines the FIDO standard to enable users to use a password or FIDO identification mechanism to login or transfer to avoid loss due to lost password. In addition, this research uses "PBKDF2" method to protect the user`s password and then use it for key encryption to ensure that the exchange platform administrator cannot obtain and use the user`s private key to enhance the privacy and security of private key management.We successfully completed the secret sharing, encryption and recovery process of the key according to the design, and implemented functions such as registration, login and password change of the system in this research. en_US dc.description.tableofcontents 摘要 iAbstract ii圖目錄 vi表目錄 viii第1章 前言 11.1 研究動機 11.2 研究方法及目標 21.3 論文架構 3第2章 技術背景 42.1 區塊鏈(BLOCKCHAIN) 42.2 以太坊(ETHEREUM) 72.2.1 智能合約(Smart Contract) 82.2.2 智能合約(Smart Contract)的運作 92.3 DAPP(DECENTRALIZED APPLICATION) 102.4 加密貨幣與交易平台 122.4.1 加密貨幣簡介與現況 122.4.2 加密貨幣交易平台 142.5 LOCALETHEREUM介紹 192.5.1 用戶密碼管理 202.5.2 點對點安全通訊 202.5.3 託管交易 212.6 FIDO標準 222.6.1 FIDO 1.0 222.6.2 FIDO運作 232.6.3 FIDO2 262.7 秘密分享(SECRET SHARING) 262.8 PBKDF2 272.9 TRUFFLE 29第3章 相關研究 313.1 私鑰保護機制 313.2 FIDO標準之原理與延伸 34第4章 研究方法與架構 374.1 設計概要 374.2 流程設計 384.3 系統介面設計 434.4 資料庫設計 45第5章 研究結果與實作 475.1 開發環境 475.2 實作驗證畫面 475.2.1 用戶輸入註冊資料畫面 475.2.2 用戶完成註冊畫面 485.2.3 用戶輸入登入資料畫面 485.2.4 用戶E-Mail驗證信畫面 495.2.5 用戶登入成功畫面 505.2.6 用戶變更密碼輸入畫面 505.2.7 用戶變更密碼成功畫面 515.3 金鑰管理的安全性分析 51第6章 結論與未來研究 53參考文獻 54 zh_TW dc.format.extent 5397697 bytes - dc.format.mimetype application/pdf - dc.source.uri (資料來源) http://thesis.lib.nccu.edu.tw/record/#G0106971006 en_US dc.subject (關鍵詞) 加密貨幣交易平台 zh_TW dc.subject (關鍵詞) 金鑰管理 zh_TW dc.subject (關鍵詞) 秘密分享 zh_TW dc.subject (關鍵詞) Cryptocurrency exchange platform en_US dc.subject (關鍵詞) Key management en_US dc.subject (關鍵詞) Secret sharing en_US dc.subject (關鍵詞) FIDO en_US dc.title (題名) 加密貨幣交易平台之私鑰管理 zh_TW dc.title (題名) Key management for cryptocurrency exchange platform en_US dc.type (資料類型) thesis en_US dc.relation.reference (參考文獻) [1] 北美智權報213期,ICO監管,關鍵得靠業者自律,Retrieved February 16 2019, from: http://www.naipo.com/Portals/1/web_tw/Knowledge_Center/Industry_Economy/IPNC_180613_0703.htm[2] 金融監督管理委員會重要公告, 金管會107年重要施政成果及108年工作重點, Retrieved February 16 2019, from: https://www.fsc.gov.tw/ch/home.jsp?id=97&parentpath=0,2&mcustomize=multimessage_view.jsp&dataserno=201901280001&dtable=Bulletin&aplistdn=ou=bulletin,ou=multisite,ou=chinese,ou=ap_root,o=fsc,c=tw[3] ABC News, Retrieved March 9 2019, from: https://www.abc.net.au/news/2018-01-28/coincheck-worlds-biggest-cryptocurrency-hack/9368056?pfmredir=sm[4] CCN News, Retrieved March 9 2019, from: https://www.ccn.com/17-million-nano-xrb-lost-on-bitgrail-exchange[5] Business Korea, Retrieved March 9 2019, from: http://www.businesskorea.co.kr/news/articleView.html?idxno=29374[6] The Wall Street Journal, Retrieved March 9 2019, from: https://www.wsj.com/articles/a-crypto-mystery-is-140-million-stuck-or-missing-11549449001[7] Satoshi Nakamoto, (2008), Bitcoin-A Peer-to-Peer Electronic Cash System, Retrieved February 16 2019, from: https://bitcoin.org/bitcoin.pdf[8] 商業周刊1600期,2018.07,區塊鏈活用指南,page 80-81.[9] 科學人雜誌No.192,2018.02,鑄造全新貨幣秩序特別報導,page 32-35.[10] Scott Vanstone, (July 1992), Responses to NIST`s Proposal, Communications of the ACM, Retrieved February 16 2019, from: https://dl.acm.org/citation.cfm?id=129905[11] 國家發展委員會重大政策,智慧政府推動策略計畫,Retrieved February 16 2019, from: https://www.ndc.gov.tw/Content_List.aspx?n=589F7971894A9B51&upn=4ACC9949162C6856[12] Trade Tech–A New Age for Trade and Supply Chain Finance, Retrieved February 16 2019, from: http://www3.weforum.org/docs/WEF_White_Paper_Trade_Tech_.pdf[13] Building Block(chain)s for a Better Planet, Retrieved February 16 2019, from: http://www3.weforum.org/docs/WEF_Building-Blockchains.pdf[14] iThome News, Retrieved March 9 2019, from: https://www.ithome.com.tw/news/115341[15] Business Insider News, Retrieved March 9 2019, from: https://www.businessinsider.com/dao-hacked-ethereum-crashing-in-value-tens-of-millions-allegedly-stolen-2016-6[16] Nick Szabo, (1994). Smart Contracts, Retrieved February 16 2019, from: https://web.archive.org/web/20011102030833/http://szabo.best.vwh.net:80/smart.contracts.html[17] Vitalik Buterin, (2013), Ethereum White Paper - A Next Generation Smart Contract & Decentralized Application Platform, Retrieved February 16 2019, from: http://blockchainlab.com/pdf/Ethereum_white_paper-a_next_generation_smart_contract_and_decentralized_application_platform-vitalik-buterin.pdf[18] 經濟日報, Retrieved March 9 2019,from: https://money.udn.com/money/story/5613/3675743[19] LocalEthereum Witepaper, Retrieved April 14 2019, From: https://whitepaper.localethereum.com/[20] 橢圓曲線Diffie-Hellman, Retrieved April 14 2019, From: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange[21] Alliance Overview, Retrieved February 16 2019, from: https://fidoalliance.org/overview/[22] FIDO UAF Architectural Overview(Draft 02), Retrieved February 16 2019, from: https://fidoalliance.org/specs/fido-uaf-v1.1-id-20170202/fido-uaf-overview-v1.1-id-20170202.html[23] FIDO2 Project, Retrieved February 16 2019, from: https://fidoalliance.org/fido2/[24] Web Authentication: An API for accessing Public Key Credentials Level 1, Retrieved February 16 2019, from: https://www.w3.org/TR/webauthn/[25] Client to Authenticator Protocol (CTAP), Retrieved February 16 2019, from: https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html[26] W3C and FIDO Alliance Finalize Web Standard for Secure, Retrieved April 20 2019, From: https://www.w3.org/2019/03/pressrelease-webauthn-rec.html[27] G. R. Blakley, (1979), Safeguarding Cryptographic Keys, in Proc. AFIPS 1979 NCC, vol. 48, pp. 313-317.[28] A. Shamir, (1979), How to Share a Secret, Communications of the ACM, vol. 22, pp. 612-613.[29] RONG Hui-gui, MO Jin-xia, CHANG Bing-guo, SUN Guang, LONG Fei, (2015), Key distribution and recovery algorithm based on Shamir`s secret sharing, Journal on Communications, vol. 36, page 1-6.[30] F. Yao, Frances & Lisa Yin, Yiqun. (2005). Design and Analysis of Password-Based Key Derivation Functions. IEEE Transactions on Information Theory - TIT. 51. 245-261. 10.1109/TIT.2005.853307.[31] 比特幣-台灣 Bitcoin-tw.com, Retrieved February 24 2019, from: http://www.bitcoin-tw.com/bitcoin-risks.html[32] 趨勢科技2019年資安預測, Retrieved April 20 2019 , From: https://www.trendmicro.com/content/dam/trendmicro/global/zh_tw/security-intelligence/research/reports/rpt_2019-Security-Prediction-Mapping-the-Future_C.pdf[33] FIDO Alliance FIDO的工作原理, Retrieved April 20 2019 , From: https://fidoalliance.org/fido-%E7%9A%84%E4%B8%8E%E4%BC%97%E4%B8%8D%E5%90%8C%E4%B9%8B%E5%A4%84/?lang=zh-hans[34] White Paper: FIDO UAF and PKI in Asia – Case Study and Recommendations, Retrieved April 20 2019 , From: https://fidoalliance.org/white-paper-fido-uaf-and-pki-in-asia-case-study-and-recommendations/?lang=zh-hans zh_TW dc.identifier.doi (DOI) 10.6814/NCCU201900275 en_US
