201203115

VI. Description of the Invention:

【Technical Field of the Invention】

Technical field of the invention

The present invention relates to a method and system for deploying software applications to mobile computing devices.

【Prior Art】

Technical background of the invention

The present invention relates to a method and system for installing a software application on a mobile computing device.

The use of one-time passwords (OTPs) to improve the security of access to a corporate network is now well established. The most common way of implementing a system using OTPs is to provide each user with a hardware token, which the user must insert into the terminal used to access the network, for example a personal computer (PC). The token contains hardware and software and generates a unique password each time the user accesses the network. The cost and logistics involved in providing a hardware token to every user of such a network are considerable.

To address some of the shortcomings of such tokens, systems and methods have been developed for deploying software applications, for example a one-time password (OTP) security application, on a mobile computing device. The OTP application enables the mobile computing device to act as an authentication token, identical to the dedicated authentication tokens currently used in other systems to access secure networks.

It is an object of the present invention to provide an alternative method and system that can be used to install a software application, for example a one-time password application, on a mobile computing device.

【Summary of the Invention】

Summary of the invention

According to the present invention, there is disclosed a method of installing a software application on a mobile computing device, the method comprising the following steps:

creating an account for a user on a network, the account having user identification data associated with it, including a user name, a user e-mail address, and an address of a mobile computing device of the user;

on an authentication server, generating a shared secret key using a cryptographically secure pseudorandom number generator, and encrypting the shared secret key with a private key;

sending the encrypted shared secret key, without the private key, from the authentication server to a deployment server;

storing the encrypted shared secret key on the deployment server;

generating a unique deployment URL on the deployment server and sending it to the authentication server;

sending a registration invitation message containing the unique deployment URL from the authentication server to a computer terminal of the user, so that the user can access a web page supported by the deployment server to accept the registration invitation;

sending a message containing a unique download URL from the deployment server to the user's mobile computing device;

on the deployment server, receiving a confirmation request from the mobile computing device to install the software application; and

sending data comprising the software application from the deployment server to the user's mobile computing device, for installation of the software application on the user's mobile computing device.

The user's mobile computing device is preferably a mobile telephone, a PDA, or another mobile computing device with wireless connectivity.

The software application may be security software, for example a one-time password application or token.

The registration invitation message is preferably forwarded from the authentication server to the user in the form of an e-mail message sent to an e-mail address of the user.

The invitation message is preferably received by the user on a computer terminal of the user other than the mobile computing device.

The deployment server preferably sends the message containing the unique download URL to the user's mobile computing device in response to data sent by the user from the user's computer terminal other than the mobile computing device.

Preferably, the message containing the unique download URL that is sent from the deployment server to the user's mobile computing device is an SMS message.

The method preferably includes sending the private key to the user via out-of-band means, for installation of the application software on the user's mobile computing device.

For example, the private key can be sent to the user as a secure e-mail message sent to the user's e-mail address.

Further according to the present invention, there is disclosed a system for installing a software application on a mobile computing device, the system comprising:

an authentication server associated with a network, the network having a plurality of users, each user having an account containing user identification data associated with that user; and

a deployment server supporting an application installation web page;

the system being operable to perform the following steps:

creating an account for a user on the network, the account having user identification data associated with it, including a user name, a user e-mail address, and an address of a mobile computing device of the user;

on the authentication server, generating a shared secret key using a cryptographically secure pseudorandom number generator, and encrypting the shared secret key with a private key;

sending the encrypted shared secret key, without the private key, from the authentication server to the deployment server;

storing the encrypted shared secret key on the deployment server;

generating a unique deployment URL on the deployment server and sending it to the authentication server;

sending a registration invitation message containing the unique deployment URL from the authentication server to a computer terminal of the user, so that the user can access a web page supported by the deployment server to accept the registration invitation;

sending a message containing a unique download URL from the deployment server to the user's mobile computing device;

on the deployment server, receiving a confirmation request from the mobile computing device to install the software application; and
sending data comprising the software application from the deployment server to the user's mobile computing device, for installation of the software application on the user's mobile computing device.

Brief description of the drawings

Figure 1 is a simplified schematic diagram of a system according to the present invention for installing a security software application on a mobile computing device of a user; and

Figure 2 is a flow chart showing the main steps of the method of installing the software application.

【Embodiments】

Detailed description of the preferred embodiments

In the following description, numerous specific details are set forth for purposes of explanation, in order to provide a thorough understanding of embodiments of the invention. Those skilled in the art will appreciate, however, that the invention can be practised without these details.

Figure 1 is a simplified schematic diagram of a system according to the present invention for installing a software application on a mobile computing device of a user. For the purposes of this patent application, the term "mobile computing device" includes, but is not limited to, mobile telephones (including cellular telephones), personal digital assistants (PDAs), smartphones, laptop or notebook computers, and other such devices. Generally, such a device has a user interface comprising a display and a keypad or keyboard, an on-board processor and software, and a communication interface, preferably a wireless one.

The present invention relates to techniques for installing a software application on a mobile computing device. One example of such a software application is a one-time password (OTP) security application, and the following description is given with reference to this example. Those skilled in the art will appreciate, however, that the invention can be applied to other software applications, for example messaging applications (such as MXIT) and games.

According to an exemplary embodiment of the invention, a user of a network, typically a secure computer network operated by a company or organisation, has both a host computer (which may be a home computer or a network computer) and a mobile computing device (shown as a PDA or smartphone). The mobile computing device is able to communicate with a wireless telephone network via GSM (in this example), the wireless network including an SMS (Short Message Service) gateway. Other messaging protocols can be used instead.

The network the user wishes to access includes an authentication server. The network typically also includes a firewall and an administrator workstation; for brevity, these and the other components of the network are not described. Associated with the network is a deployment server 26.

In the described embodiment of the invention, the aim is to deploy software on the user's mobile computing device so that the mobile computing device can act as an authentication token, identical to a dedicated authentication token used to access a secure network. Essentially, the software installed on the mobile computing device turns it into such an authentication token, similar to a conventional dedicated hardware token but more sophisticated in some respects.

It will be appreciated that in this exemplary embodiment the security involved in deploying application software to mobile devices is important. Another problem to be solved is the wide variety of models of mobile telephones, PDAs and smartphones, and the diversity of the user interfaces incorporated into those devices.

In this context, the invention provides a central deployment server that can form a hub through which multiple authentication servers connect securely to the mobile telephones and other mobile computing devices of network users, without exposing those authentication servers to the Internet.

The general operation of the method and system of the invention is an improved version of the method and system described in International Patent Application No. PCT/IB2008/051580 (published as WO 2008/132670), which is incorporated herein by reference.

The main steps performed in an exemplary embodiment of the method of the invention are as follows:

The deployment procedure begins with the network system administrator provisioning a user and creating a user account for that user on the network.

The authentication server generates a shared secret key using a cryptographically secure pseudorandom number generator and encrypts the shared secret key with a private key. The authentication server sends the encrypted data containing the shared secret key (but not the private key) to the deployment server. The deployment server stores the encrypted data, but does not have the private key.

The deployment server now sends a unique deployment URL to the authentication server. The authentication server e-mails the unique deployment URL to the user's e-mail address; the user opens the deployment URL and verifies his or her account details via a web page supported by the deployment server. The user can view GPRS configuration suggestions while waiting for an SMS message from the deployment server.

The deployment server now sends an SMS message to the user's mobile computing device. The user opens a unique download URL contained in the SMS message. The deployment server identifies the mobile computing device and fits the mobile device with a model-specific application, i.e. a token application on the deployment server builds the application and serves it to the user's mobile computing device.

If the deployment server is unable to inject the data into the application, it issues a blank token. The user downloads the token application, containing the encrypted data, from the deployment server. The token application performs an installation callback to an enterprise system server, which completes the installation.

The authentication server sends a private key to the user via out-of-band means, for example a secure e-mail sent to the same e-mail address used previously. The user enters the private key into the application on the mobile computing device to decrypt the data, and can now generate, as needed,
OATH-compliant hashed one-time passwords.

The user types the generated one-time password into an application, for example when logging in to an online banking service or when performing a VPN login. The authentication server authenticates the one-time password and grants or denies the login request.

The above steps are shown in sequence in Figures 1 and 2.

The exemplary embodiment of the invention described here thus provides a one-time password application tailored to the user's specific telephone or other mobile computing device, using encrypted data specific to that user's account. This approach makes the whole deployment procedure considerably easier.

【Brief Description of the Drawings】

Figure 1 is a simplified schematic diagram of a system according to the present invention for installing a security software application on a mobile computing device of a user; and

Figure 2 is a flow chart showing the main steps of the method of installing the software application.

【Description of Main Component Symbols】

(none)
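The provisioning flow described above, as an added example that is not part of the patent: the authentication server holds the CSPRNG-generated seed together with the key, the deployment server stores only the encrypted seed, the device application decrypts it with the key received out of band and then issues RFC 4226 HOTP codes, which the authentication server verifies with a look-ahead window. The cipher is a constructed HMAC-based encrypt-then-MAC stand-in (the patent names none), the key is modelled as random bytes, and the URL and user name are placeholders.

```python
import hashlib, hmac, secrets, struct
def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def wrap_seed(seed: bytes, key: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for the patent's unnamed cipher (constructed here): one HMAC-SHA256
    keystream block XORed over a seed of at most 32 bytes, followed by a 16-byte tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(seed, hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def unwrap_seed(blob: bytes, key: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; a wrong key or a tampered blob is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    if not hmac.compare_digest(hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()[:16], tag):
        raise ValueError("wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()))

def auth_enrol(accounts: dict, username: str):
    """Authentication server: CSPRNG seed, encrypted under a key the deployment server never receives."""
    seed, key = secrets.token_bytes(20), secrets.token_bytes(32)  # key modelled as random bytes (assumption)
    accounts[username] = {"seed": seed, "counter": 0}
    return wrap_seed(seed, key), key  # ciphertext goes to the deployment server, the key to the user out of band

def auth_verify(accounts: dict, username: str, code: str, window: int = 10) -> bool:
    acct = accounts[username]
    for c in range(acct["counter"], acct["counter"] + window):  # look-ahead resync window
        if hmac.compare_digest(hotp(acct["seed"], c), code):
            acct["counter"] = c + 1  # this code and all earlier ones can no longer be replayed
            return True
    return False

def deploy_build_app(blobs: dict, username: str) -> dict:
    url = "https://deploy.example/d/" + secrets.token_urlsafe(16)  # constructed unique download URL
    return {"download_url": url, "encrypted_seed": blobs[username]}  # only ciphertext is injected

def app_activate(package: dict, key: bytes) -> dict:
    """Token application on the device: decrypt the injected seed with the out-of-band key."""
    return {"seed": unwrap_seed(package["encrypted_seed"], key), "counter": 0}

def app_next_code(app: dict) -> str:
    code = hotp(app["seed"], app["counter"])
    app["counter"] += 1
    return code

def provision(username: str = "alice"):  # whole flow for one user: returns auth accounts, deploy blobs, app
    accounts, blobs = {}, {}
    blob, key = auth_enrol(accounts, username)
    blobs[username] = blob  # stored on the deployment server
    app = app_activate(deploy_build_app(blobs, username), key)  # key arrived by secure e-mail (assumption)
    return accounts, blobs, app
```

A compromise of the deployment server yields only `blobs`, which cannot be decrypted without the key, and a replayed or earlier code is rejected once the server counter has moved past it.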