臺灣博碩士論文加值系統

隨著資訊科技的進步，與智慧型裝置的普及，應用程式App (Application)已相當多樣。然而，便利的背後下卻潛藏的未知的風險，一些來路不明的第三方應用程式，很可能就是惡意的應用程式，這些第三方應用程式，有些是使用官方發佈的API (Application Programming Interface) 進行開發；有些則是藉由反組譯等非法手段取得API進行開發。如果不小心誤用了惡意的應用程式，那麼在傷害發生之前，使用者是很難察覺的。
API的用途是供程式開發上更加便利，但考慮到資訊安全等因素，有些開發者選擇不將API供給第三方使用，僅供內部使用。所謂防不勝防，再多的防禦還是抵擋不了有心人士的攻擊，不論是透過反組譯、封包攔截等辦法，都有可能促使惡意應用程式的誕生，此時使用者就要特別小心，自己正在使用的應用程式是否安全。
為了讓伺服器端能夠驗證呼叫API的客戶端，是否為官方認可的應用程式，本研究設計了一套結合數位簽章的應用程式驗證系統，在HTTP Header加入了自訂的欄位，透過RSA加密演算法進行數位簽章，只要伺服器端接收到憑證等資訊，便可進行應用程式的身份驗證，辨識其真偽。

With the fast development of Internet and the widely adoptions of intelligent devices, APPs (Applications) have being playing a more and more role in our life. However, there may be hidden risks that threatens us when using APPs. Malicious applications may hide in third-party applications, especially in those applications with anonymous developers. Sometimes, malicious programs may be developed by using official Application Programming Interface (API). Malicious programs may also be developed by illegal way such as de-compiler. Taking information security into account, some developers restrict their APIs to be used for internal users only. However, there are still some ways for malicious programs to be generated, for example, decompiling, packet blocking. In this paper, a digital signature-based application verification system is proposed to assist servers to justify legal and official applications. Client application uses RSA for digital signature to encrypt a user defined data that is add onto the HTTP header and send server to verify. Therefore, server can block illegal third party access then achieve the effect of verification.

摘　　要 i
ABSTRACT ii
誌　　謝 iii
目錄 iv
表目錄 vi
圖目錄 vii
一、 緒論 1
1.1 研究背景 1
1.2 研究動機與目的 2
1.3 論文架構 3
二、 背景知識與相關文獻探討 4
2.1 HTTP Header 4
2..1.1 HTTP Referer 4
2.2 API 5
2.2.1 RESTful API 5
2.2.2 API安全性議題 7
2.3 第三方應用程式 7
2.4 密碼學 8
2.4.1 對稱式加密 11
2.4.2 非對稱式加密 12
2.5 RSA加密演算法 13
2.5.1 公鑰與私鑰產生過程 13
2.5.2 加密與解密過程 14
2.6 數位簽章 14
2.6.1 雜湊函數 15
2.6.2 數位簽章－簽署流程 16
2.6.3 數位簽章－驗證流程 16
三、 系統架構與設計 17
3.1 系統環境 17
3.2 系統概念設計 17
3.3 系統驗證流程設計 18
四、 實驗與效益評估 22
4.1 模擬實驗 22
4.2 效益評估 26
五、 結論 31
參　考　文　獻 32

[1] TechCrunch, "Snapchat Reminds Us That Users Are To Blame For Photo Leaks", Retrieved from https://techcrunch.com/2014/10/14/snapchat-reminds-us-that-users-are-to-blame-for-photo-leaks/
[2]Wikipedia, " List of HTTP Header fields", Retrieved from https://en.wikipedia.org/wiki/List_of_HTTP_header_fields
[3]R. Fielding, et al.. "Hypertext Transfer Protocol -- HTTP/1.1". RFC 2616. Retrieved 28 May 2017, from http://www.rfc-editor.org/rfc/rfc2616.txt
[4]Wikipedia, " HTTP Referer", Retrieved from https://en.wikipedia.org/wiki/HTTP_Referer
[5]Wikipedia, " Application programming interface", Retrieved from https://en.wikipedia.org/wiki/Application_programming_interface
[6] Fielding, R. T., & Taylor, R. N. (2000). Architectural styles and the design of network-based software architectures (p. 151). Doctoral dissertation: University of California, Irvine.
[7]OWASP, Retrieved from https://www.owasp.org/
[8]iThome, "【資安周報第70期】OWASP釋出新十大資安風險，API風險是新威脅", Retrieved from http://www.ithome.com.tw/news/113873
[9] 黃相文，2015，以Token為基礎的RESTful API資料交換身分驗證機制，國立臺北科技大學，碩士論文。
[10]Wikipedia, " Third-party software component", Retrieved from https://en.wikipedia.org/wiki/Third-party_software_component
[11] Kessler, G. C. (2003). An overview of cryptography.
[12] Diffie, W., & Hellman, M. (1976). New directions in cryptography. IEEE transactions on Information Theory, 22(6), 644-654.
[13]Wikipedia, " RSA (cryptosystem)", Retrieved from https://en.wikipedia.org/wiki/RSA_(cryptosystem)
[14] TechWorld,” RSA 1024-bit private key encryption cracked”, Retrieved from http://www.techworld.com/news/security/rsa-1024-bit-private-key-encryption-cracked-3214360/
[15]Wikipedia, " Digital signage", Retrieved from https://en.wikipedia.org/wiki/Digital_signage
[16]Wikipedia, " Hash function", Retrieved from https://en.wikipedia.org/wiki/Hash_function
[17] 翁浩正，2014-06-19，"如何正確的取得使用者IP"，DEVCORE，取自 http://devco.re/blog/2014/06/19/client-ip-detection/