
Student: 江漣真 (Lien-chen Chiang)
Thesis title: 一個可防複製的智慧型手機與平板軟體認證機制
A Copy-protected Software Authentication Mechanism for Smart Phone and Pad
Advisor: 查士朝 (Shi-cho Cha)
Committee members: 羅乃維 (Nai-wei Lo), 楊立偉 (Li-wei Yang)
Degree: Master
Department: College of Management, Department of Information Management
Year of publication: 2012
Academic year of graduation: 100 (ROC calendar, i.e. 2011-2012)
Language: Chinese
Pages: 46
Keywords (Chinese): smartphone security, identity authentication
Keywords (English): Smart phone security, Authentication
Views: 219; Downloads: 1
As smartphones and tablets become more widespread, more and more developers are building applications and micro-applications for them. When an application needs to access remote resources, the user's identity must be authenticated, and often the device allowed to use the service must be bound as well. This calls for authentication stronger than a traditional account and password, such as hardware-based authentication. Since not every smartphone or tablet supports hardware authentication, this study adopts a software-certificate approach: the authentication data is encrypted and stored on the device. For device binding, hardware feature information has commonly been used, but in recent years reports of attackers spoofing hardware features have become frequent. This study therefore proposes a software authentication mechanism that assumes the authentication information may be copied. Its distinguishing property is that even if the software authentication data is copied to another machine, the application can still be restricted to run only on the designated device. In addition to hardware features, the proposed architecture borrows the idea of a one-time password: the server stores a dynamic identifier for each device. The application must send both its hardware features and the matching dynamic identifier to use the service, and the dynamic identifier is replaced immediately after every use. Even if the application is copied to another device, that device does not hold the current dynamic identifier and therefore cannot forge the user's identity to log in. This remedies a weakness in how applications on today's smartphones and tablets authenticate to remote services. The study also implements an authentication system based on this mechanism, so that developers of micro-applications and back-end services can adopt it and improve their security.


Because of the popularity of smartphones and tablets, a huge number of mobile applications are emerging. A mobile application may make use of remote resources. When a person uses a mobile application to access remote resources, the service provider of those resources needs to authenticate the person and check whether the person has permission to access them. In addition, the service provider may restrict the person to accessing the resources only through certain devices.
Among the different types of authentication methods (id/password, public/private key, hardware tokens), hardware tokens are more secure than the others. However, current smartphones and tablets usually do not support hardware tokens.
Therefore, this study proposes a method that enhances public/private-key authentication and constrains a person to accessing remote resources only through certain devices. In the proposed scheme, a device signature is used to generate a temporary password for subsequent authentication. When connecting to the network, the mobile application authenticates itself by sending its device signature and the current temporary password to the remote server, and obtains a new password from the server in return. Because the password changes on every use, even if the application is moved to another device it cannot work without the corresponding authentication data. The mechanism therefore provides stronger authentication. Furthermore, we implement this mechanism in an authentication system that can serve as an example for application developers.
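The exchange that both abstracts describe (the app presents its hardware features together with the server-held dynamic identifier; the server checks them and hands back a fresh identifier after every use), as an added Python example that is not the thesis's implementation. The 32-byte identifier, the SHA-256 device signature, the hardware identifier values and the `suspicious` bookkeeping are assumptions of this example, not details from the record; message encryption and the on-device certificate store are left out, so only the rotation logic is modelled.

```python
"""Rotating one-time device identifier, modelled after the mechanism in the abstract.
Added example, not the thesis's code. Assumed here (not in the record): 32-byte random
identifiers, a SHA-256 signature over constructed hardware identifiers, and a TLS
transport, so only the rotation logic is shown, not message encryption or storage."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


def device_signature(hardware_ids: Dict[str, str]) -> str:
    """Stable fingerprint over the hardware identifiers, independent of key order."""
    canonical = "|".join(f"{k}={hardware_ids[k]}" for k in sorted(hardware_ids))
    return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass
class Server:
    records: Dict[str, str] = field(default_factory=dict)  # signature -> current identifier
    suspicious: Set[str] = field(default_factory=set)      # presented a stale identifier

    def enroll(self, sig: str) -> str:
        self.records[sig] = secrets.token_hex(32)
        return self.records[sig]

    def authenticate(self, sig: str, token: Optional[str]) -> Optional[str]:
        """Check (signature, identifier); on success rotate and return the next identifier."""
        current = self.records.get(sig)
        if current is None or token is None:
            return None                              # unknown device, nothing to compare
        if not hmac.compare_digest(current, token):
            self.suspicious.add(sig)                 # stale or forged: a copy may be in use
            return None
        self.records[sig] = secrets.token_hex(32)    # one use only, replaced immediately
        return self.records[sig]


@dataclass
class App:
    hardware_ids: Dict[str, str]
    token: Optional[str] = None                      # the locally stored authentication data

    @property
    def sig(self) -> str:
        return device_signature(self.hardware_ids)

    def enroll(self, server: Server) -> None:
        self.token = server.enroll(self.sig)

    def login(self, server: Server) -> bool:
        new_token = server.authenticate(self.sig, self.token)
        if new_token is None:
            return False
        self.token = new_token                       # keep pace with the server's rotation
        return True


# Constructed hardware identifiers for the demo; not real devices.
PHONE_HW = {"imei": "490154203237518", "serial": "R58M1234ABC"}
OTHER_HW = {"imei": "356938035643809", "serial": "ZX9000"}


def demo_copy_after_use() -> Dict[str, bool]:
    """Owner keeps using the service; copies of the stored data fail afterwards."""
    server = Server()
    phone = App(dict(PHONE_HW))
    phone.enroll(server)
    first = phone.login(server)
    # Copy of the stored data on hardware with a different signature
    other_hw = App(dict(OTHER_HW), token=phone.token).login(server)
    # Copy that also spoofs the hardware identifiers, taken before the owner's next login
    spoofed = App(dict(PHONE_HW), token=phone.token)
    owner_again = phone.login(server)
    stale = spoofed.login(server)
    return {"first_login": first, "copy_other_hardware": other_hw, "owner_relogin": owner_again,
            "copy_stale_identifier": stale, "flagged": phone.sig in server.suspicious}


def demo_copy_wins_race() -> Dict[str, bool]:
    """Spoofed copy logs in before the owner: it succeeds once, then the owner is stale."""
    server = Server()
    phone = App(dict(PHONE_HW))
    phone.enroll(server)
    spoofed = App(dict(PHONE_HW), token=phone.token)
    copy_first = spoofed.login(server)
    owner_after = phone.login(server)
    return {"copy_first": copy_first, "owner_after": owner_after,
            "flagged": phone.sig in server.suspicious}


if __name__ == "__main__":
    print(demo_copy_after_use())
    print(demo_copy_wins_race())
```

Running the module prints both scenarios. A copy moved to different hardware fails before any identifier is compared, because the server holds no record under that signature. The second scenario is the caveat a practitioner will want: as modelled here the scheme only guarantees that one copy holds the current identifier, so a copy with spoofed hardware features that is used before the owner's next login succeeds once, after which the owner's own attempt is rejected. The `suspicious` set turns that desynchronisation into a clone-detection signal; the record does not say how the thesis recovers from such a conflict, so the example stops there.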

Chapter 1 Introduction
    1.1 Research background and motivation
    1.2 Research objectives
    1.3 Chapter overview
Chapter 2 Background and literature review
    2.1 Authentication mechanisms for mobile devices
    2.2 Hardware feature codes and usage restrictions
    2.3 Software protection methods
Chapter 3 Software authentication architecture
    3.1 System scenario
    3.2 System architecture
    3.3 Notation
    3.4 Phase descriptions
Chapter 4 Security analysis
Chapter 5 Implementation of the authentication system
    5.1 Implementation environment
    5.2 Demonstration of system functions
    5.3 Performance evaluation
Chapter 6 Conclusions and recommendations
References


Full-text release date: 2017/07/27 (campus network)
Full-text release date: not authorized for public release (off-campus network)
Full-text release date: not authorized for public release (National Central Library, Taiwan thesis system 臺灣博碩士論文系統)