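The recent spread of NFC-enabled phones has driven the development of related application services, of which mobile payment has drawn the most attention. In NFC card-emulation mode, a phone can emulate a credit card, with applications and personalization data accessed through a secure element; mobile network operators and service providers can manage the lifecycle of the secure element and its application services through a third-party trusted service manager (TSM) platform. However, control of the secure element affects how commercial benefits are distributed in the NFC ecosystem, and service providers incur additional cost to deploy their application services through a TSM. This thesis adopts HCE technology so that an NFC phone can provide NFC card-emulation services without using a secure element. This thesis also proposes using encryption algorithms to meet the payment system's security requirements for communication and access, and uses an HMAC function combined with timestamp and random-nonce mechanisms to authenticate the user during a transaction, making the mobile payment system more secure.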
The evolution of NFC-enabled mobile devices promotes the development of NFC-based mobile applications, especially in mobile payments. An NFC-enabled phone in card-emulation mode behaves like a contactless smart card or a credit card, which supports payment applications whose personal information is stored in the Secure Element (SE). Mobile network operators and service providers control and dominate the lifecycle of SEs and related services through a third-party trusted service manager. However, this solution relies on the cooperation of all parties in the NFC ecosystem. This paper presents a secure NFC mobile payment system based on Host Card Emulation (HCE) technology. HCE enables the realization of a virtual smart card in software: in HCE mode, the host CPU processes the APDU commands sent by an NFC reader. This study aims to develop a mobile payment scheme without the need for SEs. The proposed system achieves its security features with the contemporary AES and RSA encryption algorithms, and two effective authentication schemes are proposed, using timestamp and nonce methods respectively.
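The two authentication schemes named in the abstract (HMAC with a timestamp, HMAC with a nonce) can be sketched as follows. This is an added example, not the paper's protocol or code: the message layout, the `Verifier` class, the `tag` helper, the 30-second window and the use of HMAC-SHA256 with a pre-shared key are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

MAX_SKEW = 30  # seconds; assumed freshness window, not a value from the paper


def tag(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields so field boundaries are unambiguous."""
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Verifier:
    """Backend side (hypothetical role): checks a request sent by the HCE app."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = set()  # nonces issued and not yet consumed

    # Scheme 1, timestamp: the client MACs (payload, timestamp); stale requests fail.
    def verify_timestamp(self, payload: bytes, ts: int, mac: bytes, now=None) -> bool:
        now = int(time.time()) if now is None else now
        if abs(now - ts) > MAX_SKEW:
            return False
        expected = tag(self.key, b"ts", payload, str(ts).encode())
        return hmac.compare_digest(mac, expected)  # constant-time comparison

    # Scheme 2, nonce: the verifier issues a random challenge that is valid once.
    def issue_nonce(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def verify_nonce(self, payload: bytes, nonce: bytes, mac: bytes) -> bool:
        if nonce not in self.pending:
            return False  # unknown or already consumed: treat as a replay
        self.pending.discard(nonce)  # single use, even when the MAC is wrong
        expected = tag(self.key, b"nonce", payload, nonce)
        return hmac.compare_digest(mac, expected)
```

In this sketch the timestamp variant accepts a captured request again until the window closes, whereas the nonce variant rejects any second use at the cost of an extra round trip and verifier-side state.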