![Page 1: The Status of Korea PKI · 2017-12-08 · architecture and fido uaf protocol. user device browser / app fido client asm pki library pki secure storage fido authenticators … certification](https://reader034.vdocuments.net/reader034/viewer/2022042200/5e9f713102a63654046509ef/html5/thumbnails/1.jpg)
The Status of Korea PKI
Jonghyun BAEK, Manager, KISA, Korea
INTER-REGIONAL STANDARDIZATION FORUM FOR BRIDGING THE STANDARDIZATION GAP (BSG), Muscat, Oman, 11-12 December 2017
NPKI vs. GPKI
PKI Scheme of Korea
Legislations for NPKI
Roles of Root CA(KISA) in NPKI
Accredited CA in NPKI
Accredited Certificate Subscriber
International Cooperation on PKI
Accreditation Policy for CA
Accreditation Procedure
Annual Audit for accredited CA
Internet Banking
Online Stock
Public Service (G4C)
Smart Phone Banking
FIDO - NPKI certificate Link Technology
This technology links FIDO with NPKI certificates by means of an extension message, without changing the FIDO architecture or the FIDO UAF protocol.
[Architecture diagram] User device: browser / app, FIDO client, ASM, PKI library, PKI secure storage, FIDO authenticators (…), with REE and TEE sides marked. Relying party: web server, PKI server (RA, CA), FIDO server. External: certification authority / external PKI service (CA, OCSP, CRL) and FIDO metadata service. Protocol labels: UAF; CMP (RFC 4210, 4211).
Encryption of Private Key Using Biometric Data
FIDO authentication lets users use their certificates with the registered biometric data (BT) instead of entering a password: the private key is protected with the PKCS#5 / PKCS#8 password-based mechanisms, with BT taking the place of the password.
<Encryption> Select Salt (S), Count (C) and dkLen; derive DK = KDF(BT, S, C, dkLen); the encryption algorithm turns M (private key) into C (encrypted private key) under DK.
<Decryption> With the same S, C and dkLen, derive DK = KDF(BT, S, C, dkLen); C (encrypted private key) is decrypted under DK back to M (private key).
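The encryption and decryption panels above, as an added example that is not code from the deck or from KISA: PBKDF2-HMAC-SHA256 stands in for the PKCS#5 KDF with the registered biometric template as its input, and S, C and dkLen are stored next to the ciphertext so only BT stays outside the blob. Function names, sample values and the HMAC keystream used in place of AES are assumptions; note that the template must be byte-for-byte stable, since any difference yields a different DK.

```python
import hashlib
import hmac
import os

# Slide notation: DK = KDF(BT, S, C, dkLen). KDF is PBKDF2 from PKCS#5;
# BT is the registered biometric template, used where a password would be.
def derive_key(bt: bytes, salt: bytes, count: int, dklen: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", bt, salt, count, dklen)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Assumed stand-in for the PBES2 cipher (AES in a real PKCS#8 blob): a
    # counter-mode HMAC-SHA256 keystream, chosen only because the standard
    # library ships no AES. A (key, nonce) pair must never be reused.
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), "sha256").digest()
        block += 1
    return bytes(out[:length])

def encrypt_private_key(m: bytes, bt: bytes, count: int = 100_000, dklen: int = 32) -> dict:
    """Encryption panel: choose S, C, dkLen, derive DK, turn M into C.
    The blob carries S, C and dkLen so decryption can recompute DK;
    BT itself is never stored (it lives in the FIDO authenticator)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    dk = derive_key(bt, salt, count, dklen)
    enc_key, mac_key = dk[:dklen // 2], dk[dklen // 2:]
    c = bytes(a ^ b for a, b in zip(m, _keystream(enc_key, nonce, len(m))))
    tag = hmac.new(mac_key, nonce + c, "sha256").digest()  # encrypt-then-MAC
    return {"salt": salt, "count": count, "dklen": dklen,
            "nonce": nonce, "c": c, "tag": tag}

def decrypt_private_key(blob: dict, bt: bytes):
    """Decryption panel: recompute DK from the stored S, C, dkLen and the
    presented BT; return M, or None if BT is wrong or the blob was altered."""
    dk = derive_key(bt, blob["salt"], blob["count"], blob["dklen"])
    enc_key, mac_key = dk[:blob["dklen"] // 2], dk[blob["dklen"] // 2:]
    expected = hmac.new(mac_key, blob["nonce"] + blob["c"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    ks = _keystream(enc_key, blob["nonce"], len(blob["c"]))
    return bytes(a ^ b for a, b in zip(blob["c"], ks))

if __name__ == "__main__":
    # Constructed sample values: a fake private key and fake templates.
    bt_registered = b"constructed-biometric-template-0001"
    blob = encrypt_private_key(b"constructed PKCS#8 private key bytes", bt_registered)
    assert decrypt_private_key(blob, bt_registered) is not None
    assert decrypt_private_key(blob, b"constructed-other-template") is None
    print("private key unlocked only with the registered template")
```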
Certificate Issuing Flow
[Sequence diagram] Participants: User Device (RP Client, FIDO Client, PKI Library), Relying Party (RP Server, FIDO Server), Certificate Authority (CA Server).
Messages, numbered 1 to 7 in the diagram: request for certificate; request for registration in FIDO; response to the request for registration in FIDO; request for information for issuing of certificate; request for certificate; issue certificate; biometric certification on the device (fingerprint, iris, face recognition, PIN, etc.).
Certificate Use Flow
[Sequence diagram] Participants: User Device (RP Client, FIDO Client, PKI Library), Relying Party (RP Server, FIDO Server), Certificate Authority (CA Server).
Messages 1 to 6 in the diagram: click the certificate button; request for FIDO certification; response to the request for FIDO certification; request for digital signature; response to the request for digital signature; biometric certification on the device (fingerprint, iris, face recognition, PIN, etc.).
Messages 7 to 9: request for confirmation of certificate (7); result of confirmation of certificate (8); confirm the digital signature (9).
Use Cases of FIDO + NPKI certificates
Enables users to use certificates with the registered biometric data (fingerprint or iris) without entering passwords.
To prevent certificate leakage, the NPKI certificate will be stored in the TrustZone (TZ) of the smartphone.
Vehicular PKI
PKI Model of WAVE 1609.2 (IEEE)
NPKI vs. Vehicular PKI
Vehicular PKI system components
Draft Korea Vehicular PKI Model
Thank you