pki in korea

PKI Current Status in Korea

1 Copyright 2013@KICA Inc. All rights reserved

INDEX

Necessity of National PKI

PKI Current Status in Korea

I. Necessity of National PKI


Anonymity of Internet


PKI History – RSA, DH

Ron Rivest, Adi Shamir and Len Adleman, the R, S and A in RSA Security

“A Method for Obtaining Digital Signatures and Public-Key Cryptosystems”(1977)

R, S and A win Lifetime Achievement Award Adi Shamir Ron Rivest Len Adleman

Whitfield Diffie Martin Hellman


PKI History

1994: Smart card

1997: Smart card + PKI

2011: Cloud + PKI?

1995: PKI and US Postal Services

1996: Windows 95


PKI History

“PKI Integration – It’s Not All or Nothing”

Year of the PKI

The Second Coming of PKI

“I have PKI – Now What?”

“Reinventing PKI”


PKI (Public Key Infrastructure)?

Personnel, policy, procedures, components and facilities to bind user names to electronic keys so that applications can provide the desired security services.

Client Cert

Server Cert

certificate

Directory Server

repository PKI Server

Server-side software

Client-side software Certificate Authority

Registration Authority

(PC/Phone/PDA)

PKI Client

Dig

ital

Sig

na

tur

e


PKI Center System Configuration

PKI Center

Internet

TS

Admin PC

DB

DS

OCSP

User

Firewall

RA

TSA

KRS/ Etc.

Admin: Administrator Program

User: User S/W

CA: Certificate Authority Server

RA: Registration Authority Server

DS: Directory Server

OCSP: Online Certificate

Status Protocol Server

VA: Validation Authority Server

HSM: Hardware Security Module

(Accelerator)

TS: Time Stamp Module

GPS: Time Accuracy Maintainer

TSA: Time Stamp Authority

Server

DVCS: Data Validation

Certification Server

KRS: Key Roaming Server

Etc.: Other Service Server

※All networks and servers are

double connected (Fault Tolerant)

L4 Switch

HSM GPS Receiver

CA


Difference between NPKI and PKI system

National PKI = Law/Standards + PKI system + Operation

Category National PKI PKI system

Customer Accredited CA, Root CA PKI products

Base Law (Electronic transaction Act and decrees)

Domestic/International Standards

Scope of Evaluation

Wide (System, Policy, Operation)

Narrow (Only System)

Compensation Easy to get compensated N/A

Interoperability Guaranteed by Law Impossible

Application

All for public (E-Government, E-Procurement, E-Commerce, E-Banking, E-Tax, etc)

Only for the limited area (Private Service)

Level of technology and security

Very secure (proved technology + law)

Secure (proved technology)

Burden of Proof Accredited CA User

Usage Infrastructure System (Software)


Why need a NPKI?

It will result to duplication of resources and confusion in policy-making because of absence of unified infrastructure.

It will not grow its national competitive edge in the same region because a country doesn’t accumulate and retain its own technologies related to security and certification.

The interoperability issue among CA’s must happen due to absence of united technical standards.

It is difficult to build e-government framework because PKI is the mandatory infrastructure in e-government.

It is hard to cooperate with other nations about international interoperability because of the absence of accredited CA.

User or entities have to use a lot of certificate for each application.


Need for Digital Signature

Risk of deceiving identity of sender Authentication Digital Signature

Risk of changing information on transmission Integrity Digital Signature

Risk of denying a fact information transmit Non-repudiation Digital Signature

Risk of exposing information on transmission Confidentiality Encryption

Solutions Problems

online Offline (face-to-face)

Industrial Society Informational Society


Digital Signature Technology

Authentication, Integrity, Non-Repudiation

Signer Verifer

Hash Algorithm

Hash Code Sign

Digital

Signature

Client Certificate

Hash Code

Hash Code

Compare

Private Key

Verify

Public Key

Hash Algorithm

Certificate Verification

Digital Signature Signing Digital Signature verification Sending

Encrypted Private Key

AES Decryption

Password

Message


Identification and Signature

For Authentication

Name SSN Address Issued Date Finger Print

: Jaejung Kim : XX0921-152XXXX : KICA, Seoul, Kr : 2002/6/1 :

National ID Card

Reusable

Real World

Name Serial No Address Validity Public Key

: Jaejung Kim : 883XXX8377 : KICA, Seoul, Kr : 2010/6/1~ 2011/5/31 :

Accredited Certificate

CA’s Signature

Impossible to reuse

Digital signature using asymmetric encryption

/ decryption method

Encrypted Private Key

+

Digital Signature

Cyberspace (Internet)

Signature or Signature-seal


Electronic Signature

• What ensures that a signature is valid?

Signed Paper Document

Digitally Signed Document

Generate Signature

Process of Verification

National ID

Private Key Public Key

Certification Authority

Process of Verification

Generate Signature


Types of Certificates

Certificate Without Accreditation (or Private Certificate)

A certificate is issued by a certification organization that is not accredited by the government. It is used for a limited number of e-transactions

Accredited Certificate

The accredited certificate is issued by a CA, which in turn is designated by the government pursuant to the laws after thorough screening, to be used for various e-transactions.

Category Accredited Certificate Certificate Without

Accreditation

Level of technology and security

Passage of thorough screening pursuant to the law

Impossible to verify

Legal effect Valid as provided by the laws Valid only by agreement

Compensation Easy to get compensated Hard to get compensated

Scope of applicable services

Wide Narrow


Comparison of Certificates

• When endorsement is mandated by the law, use of the accredited certificate grants the same legal effect and, thus, can be used as evidence in the court of law.

• Use of a certificate without accreditation, however, does not generate any binding authority; it takes effect only upon agreement by both parties.

Legal Effect

• Upon occurrence of any damage arising out of use of an accredited certificate, the CA in charge has to compensate the user unless it proves its innocence.

• On the other hand, the burden of proof shifts to a user when a harm is done to the user during use of a certificate. Therefore, it becomes hard to get compensated for the harm.

Compensation

• Only a single accredited certificate suffices to use various services such as Internet banking AND online stock trading.

• The certificate without accreditation, however, is limited in usage. Thus, a person can use for a certain field such as Internet shopping OR e-transaction.

Scope of applicable

services


Framework of National PKI

NPKI (National Public Key Infrastructure)

Preparation

PKI Scheme Requirements for

PKI System

Operation Requirements

PKI Standards

Education

Promotion Pilot Project

Law & Regulations

PKI Decree Recommendation

Accreditation Generals

Organization of PKI TFT

Implementation Planning

Facilities and Equipment

CPS Framework

long-term Security plan

RA Construction

PKI Center Education & Promotion

PKI Applications

Implementation steps


E-Government Framework

Economic Development (G2B)

e-Customs e-Support for Foreign Firms e-Intellectual Property e-Procurement

Public Service(G2C) Public Admin. Reform(G2G)

e-Agriculture e-Land Registry e-National ID

Shared Services National ID DB Land Resources DB

Infrastructure

Public Key Infrastructure Public Access Point Government Information Network

Database

Management

Organization

Budget

HRD

Standards

Security

IT Management

Privacy

e-Government for National Development


National PKI Establishment

Application service authorities or companies using certificates

E-government seal/ Accredited e-signature

Citizen

Certificate Authority Certificate

Certificate

The Government

PKI Certification System

PKI Application Services

E-signature Pilot services

E-signature pilot site construction

(PKI application service development)

Certification Services PKI System Construction

(Root CA, Government CA Construction)

E-Signature law CPS Standards and technical guidelines

Establishment Law (Electronic Signature),

PKI Standards

Accredited CA

Safe and reliable Information society Establishment

Root CA

Company


PKI Scheme

RA Management

Subscribers Subscribers

RA Management

RA

Accreditation Annual Auditing

…

General/Special Purpose certificates

Accreditation Unit

Root CA Unit

Auditing Unit

Accredited CA

Issuing certificates

RA 1 RA 2 RA N

Operation on Root CA

ACA ACA …

RA RA

(ACA: Accredited CA)

RA


Effectiveness of Expectations

PKI is making up the safe and trustful environment using electronic signature.

Law, Policies Standards & Technology

PKI enabled Applications

Accredited CA

• Reduce the time and cost.

• Convenience of application like Online Civil Service, Internet Banking etc.

• Convert offline business to online.

• Provide more secure and safe of service.

• Increase the trust of company.

• Increase the confidence and trust.

• Ensure interoperability of PKI infrastructure with other Government.

• Establishment of National Security Plan.

USER Corporation

Background

Government

National PKI Establishment Win (User) – Win (Government) – Win (Company)


Application Layers

Internet mall

International Law

E-network Law

Intellectual Property Law

Basic e-trade Law E-Signature

Law

Reserve Agent

E-pay

security

E-Auth

High-speed Internet

e-edu

E-govern

Cyber S1

Virtual-bank

Sales NW

E-procurement Research NW

Virtual Co Product NW

Supply NW

Netizen

E-park entertainment

E-missionary

E-health

Cyber insure

E-trade

Society rules

Basic Infra

B-to-G

B-to-B

B-to-C

Institutions Commercial Law

Civil Law

Criminal Law

City Cost..Law Building Law

road

energy

water

Communication

Law system

Basic Infra

Public Infra

Industry Infra

Environment Establish -ment

police Public office

Bank school land

Public site

Sales Co

Physical Co institute

Major Co factory

Small Co

Trade Co

The stores

House

theater

church

court restaurant

gym

Real World Cyberspace (Internet)


Types of PKI Model

Network Trust Model

Hierarchical Trust Model

Hybrid Trust Model

II. PKI Current Status in Korea


Overview (1/3)

5 Accredited CAs issued accredited certificates to subscriber around 25 million in total

Major PKI Applications

* Internet Banking, Online Stock, Internet Shopping, Procurement, e-Government Services

Numbers of annual issuance of certificates (2011.09, published by KISA)

0

500

1,000

1,500

2,000

2,500

3,000

2003 2004 2005 2006 2007 2008 2009 20102011.9

782950

1,100

1,437

1,7161,856

2,192

2,3662,593


Overview (2/3)

Statistics on Accredited CA’s

No. Accredited CA/

Web site Accredited

Date Characteristics

Main Business Area

1 KICA (CA: SignGATE) http://www.signgate.com

2000. 02. 10 Corporation All industry, government

2 KOSCOM (CA: SignKorea) http://www.signkorea.com

2000. 02. 10 Special purpose Corporation

Cyber trading

3 KFTC (CA: yessign) http://www.yessign.com

2000. 04. 12 Non-commercial Organization

Internet banking

4 CrossCert (CA: CrossCert) http://gca.crosscert.com

2001. 11. 24 Corporation -

5 KTNET (CA: TradeSign) http://www.tradesign.net

2002. 03. 11 State-run Corporation with special mission

Trading

(As of 2011; published by MOPAS)


Overview (3/3)

PKI Model in Korea

Types Entity Certificate Usage Field Fee

General Individual All electronic transactions US$ 4/year

Corporation All electronic transactions US$ 100/year

Specific

- G2C, Bank, Insurance Free

- G2C, Stock, Insurance Free

- G4C, Credit Card Free

GPKI NPKI

Act Established in 2001 pursuant to E-Government Act

Established in 1999 under Electronic Signature Act

Ministry in Charge

MOPAS (Ministry of Public Administration and Security)

Root CA GCMA (http://www.gpki.go.kr) KISA (http://www.rootca.or.kr)

Main Customer

Public Servants Individual, Company

Algorithm NEET (not open) SEED, AES

Types of Accredited Certificate and Fees


PKI Scheme in Korea

Foreign Government

Ministry of Public Administration and Security

Accredited CA

Accredited CA

Certification issuance / Management

Accredited CA

Accredited CA


Subscriber Subscriber

E-Government Service

Provider

E-Government Service

Provider



Mutual Recognition

…

…

…

…

National Root CA (KISA)

Government Root CA

(GCMA)


Role of Root CA

Accredited CA

Legal & Policy Issue

Technical Specification

Environment of Usage of Electronic Signature

International Cooperation

Root CA

Root CA (KISA)


Scope of Benchmarking

Subject contents

Law, Policy, Standards

Electronic Signature Act, Decree and Ordinance

Certification Practices Statement

Electronic Signature Certification Technology

PKI Model

Government PKI

National PKI

User

Electronic Signature Promotion Provide User’s Convenience End of Certificate Free Trial Period

Accredited CA

Interoperability among Accredited CA’s Upgrading of PKI technologies Division of PKI Markets

Root CA Cross certification for NPKI and GPKI Addition of Root CA Certificate to MS IE

Applications Mandating Accredited Certificate (bank, stock)

PKI Applications

E-Procurement, Internet Banking, Payment Gateway, G4C etc


Framework of Registration

Electronic Signature

Act

-Ensure the security and reliability of electronic documents and to promote their use -Promoting nationwide informationalization and improving

convenience in people's living standard

Electronic Signature Act, Decree and Ordinance

Guideline on Electronic Signature

Certification Practices

Technical Specification

CSP

Rules on Accredited CA’s Facilities and

Equipment

Rules on Accredited CA’s

Protective Measures

Methods and Procedures

for I & A through Representatives

* I & A: Identification and Authentication * CPS: Certification Practices Statement

CA accreditation

Accredited CA’s

operation

Accredited CA’s protection measure

Subscriber’s I & A


CPS (Certification Practices Statement)

Contents Detail

Management of Certificates

- Transmission of Registered Information - Request for Issuance of Certificate - Generation of Certificates - Request for Suspension, Restoration and Revocation of Certificates - Generation of Certificate Suspension and Revocation List - Public Announcement and Validation of Certificates

Management of Key Pairs

- Generation of Private Pairs - Backup of Private Pairs - Loss, Destruction, Theft or Leakage of

Private Keys

- Protection of Private Pairs - Revocation of Private Pairs

Other Certification Services

- Provision of Time Stamping - Storage of Time Stamping Records - Backup of Time Stamping Records

- Time Reception and Correction - Storage of Electronic Documents - Other Supplementary Services

Others

- Conformity with Technical Specifications - Scope and Intended Use of Certificates - Conformity to Certification Procedure - Matters concerning Facilities and Equipment - Management of Certification Service Records - Management of Certification Service Records through the representative - Management of Audit Records - Management of Registration Authorities - Test Run of Certification Practice - Correct Provision of Information and Public Notification


History of NPKI in Korea

‘00 ‘01 ‘02 ‘03 ‘04 ‘05 ‘06 ‘07 ‘08 ‘09 ‘10 ‘11

Electronic Signature Promotion

Interoperability among Accredited CA’s

Provide User’s Convenience

Cross certification for NPKI and GPKI

Mandating Accredited Certificate (bank, stock, E-malls)

End of Certificate Free Trial Period

Upgrading of PKI technologies

Division of PKI Markets

Addition of Root CA Certificate to MS IE

Adapt HSM (Hardware Security Module)

Asia PKI Consortium

Year Activity


Interoperability among Accredited CA’s

Goals

- Subscriber who has an general-purpose accredited certificate can do all kinds of electronic transaction at Internet - To provide technologies that recognize and process accredited

certificates regardless of who issue them - To provide data to policy-makers on how to determine the scope and

conditions of each accredited certificate

Lesson to learn

The interoperability issue should be considered which arises during early stages of the NPKI construction.

CA A

CA B

User A

User B

App 1

App 2

x

general-purpose certificate Company 1

E-service Provider S/W development Company

Company 2 Accredited CA


Cross-Certification for NPKI and GPKI

Background

- Two years after establishment of the NPKI in 1999, the GPKI was brought to birth. The two got to have overlapped service areas. - To smooth out simultaneous operation of both, realization of cross-

certification is vital, which was obtained by means of a simplified CTL (i.e. Certificate Trust List).

Lesson to learn

To avoid duplication of resources and confusion in policy-making, services should be provided through a single root CA.

A PKI CTL issuance

A Root CA

Hash

A_USER B_USE

R

A_CA

A_RootCA B_RootCA

B_CA

CTL

CTL

B Root CA

Hash

B_User Cert

B_CA Cert

A_RootCA Cert

CTL issued by A_RootCA

B_RootCA Cert

Certificate Path

B PKI

generate signatur

e

verify signature


Mandatory Use of Accredited Certificates

Background

- To promote use of accredited certificates, services were provided free of charge. - Accredited certificates were provided without any charge to relieve the initial

burden of customers, to secure adjustment period, and to build up the Internet services.

- The deteriorating financial status of CA’s led to efforts to improve security and quality of certification services.

◊ Only corporate certificates began to be charged for (Approximately, 100 $ /year).

◊ It was unable to impose any liabilities on CA’s since they did not generate any profits.

◊ CA’s were unable to make additional investments, for example, in equipment.

Lesson to learn

For CA’s to serve the public with stability in operation and services, free trial periods should not be provided.

Progresses

-Individuals began to pay fees. (June, 2004)

◊ Individual accredited certificate of general purpose: $4/year ◊ Individual accredited certificate of limited purpose: Implementation

thereof was in the sole discretion of a CA. (CA’s were able to charge only after September, 2004.)


Division of PKI Markets

Lesson to learn

Different natures of CA’s may lead to conflicts and harm to the market. Thus, it is necessary, in some case, to set boundary between certificate markets.

Progresses

-KESA (Korea Electronic Signature Act) amended to set “borders” between different markets (December, 2005)

◊ The amended KESA demands tougher requirements for a government agency or a non-profit organization to get designated as CA.

-Implementation of PKI with divided roles (July, 2006) ◊ The KCFC, under the new KESA, is not allowed to issue certificates of general

purpose; it can only issue certificates required for banking.

CA Characteristics

Individual

Corporation Total General

Purpose

Specific Purpose

(Bank)

KCFC non-profit

organization

63% 76% 29% 67%

4$/year Free 100$/year or Free


Upgrading of PKI technologies

Background

-The term “upgrading (or its verb form “to upgrade”) refers to any effort made to increase system security and compatibility of technologies such as renewal of private keys, adjustment of length of private keys, application of RFC3280, etc.

Lesson to learn

Advance of technologies does not always guarantee stability of certification technologies. Thus, countermeasures should be considered in advance.

Major

missions

-Renewal of Root CA certificate and Accredited CA Certificates -Upgrading of private-key lengths to RSA 2048 bit

- Application of RFC 3280: International standard changed - RSA 1024 and SHA-1 algorithm don't guarantee their security in 2013. - Offline operation of Root CA’s directory ◊ The CRL’s of Root CA are posted on directories of accredited CA’s.

Before Feb., 2006 After Feb., 2006 After Jan., 2011

Valid Key Valid Key Valid Key

Root CA 10

years 2048

bit(SHA1) 20

years 2048 bit(SHA1)

20 years

2048 bit(SHA256)

Accredited CA

5 years 1024

bit(SHA1) 10 years

2048 bit(SHA1)

10 years 2048

bit(SHA256)

User 1 year 1024

bit(SHA1) 1 year 1024 bit(SHA1) 1 year

2048 bit(SHA256)


Addition of Root CA Certificate to MS IE

Lesson to learn

A country should accumulate and retain its own technologies related to security and certification to enhance its national competitive edge.

Problems and

solutions

- When using services like e-mail and web server with domestic certificates, security warnings popped up, causing confusion among users. - Foreign CA’s (i.e., VeriSign) recognized by MS Windows got to monopolize

the Korean PKI markets for SSL, code signing certificates. - By mounting certificates of Korean Root CA’s on MS Windows, it has

become possible to apply their certificates to Windows-based web services including web server, secured e-mail and code signing etc.

Thawte

• Microsoft Root Certificate Program Members: 58 CA’s (15 accredited CA’s)

Microsoft

VeriSign

VISA

RSA

Korean Root CA

JCSI

Hongkong Post

★ Inclusion KISA Root CA Certificate in Web Browsers (~'08) Internet Explorer ('06.02), Safari ('07.03), Opera ('08.05), FireFox ('06~)


HSM Token as a secure storage

Lesson to learn

In order to enhance subscriber’s personal security environment, HSM Token as a secure storage can use.

Problems -If subscriber uses hard disk for certificate storage, some malicious programs can control subscriber’s PC and extract that information.

Storage for Certificate

<Subscriber's S/W> <HSM Token>

Interface between the Token and the Subscriber’s S/W

<HSM Access Program>

Background

-A hardware protected secure storage with hardware cryptographic accelerator to generate and store private keys

① Digital signing and generation of a private key can be done inside the Token, ② Private keys can not be exported

Progresses

-Developing the technical specifications for HSM Token with certificate ('06~'07.8) -Carrying out the evaluation for the interoperability of HSM Token ('07.9~)


Asia PKI Consortium

Lesson to learn

Thoughts should be given to the issue of international interoperability. Close cooperation, for example, with the Asia PKI Consortium will be helpful.

• Non-profit international collaboration body in Asia region, specialized for information security areas

• Objectives : To realize borderless and seamless e-commerce in a secure and trustworthy way, in Asia regions

• Founded : Nov. 2007

• Member : Korea (KISA), China, Taiwan (As of June, 2008)

Steering Committee (SC)

General Assembly (GA)

PKI WG Other WG

Composed of all Principal member

Approve resolutions by GA

Determine policy, direction, strategy

Composed of all members

Elect Chairperson and Vice chairperson

Decide to Start and Dismiss WG

Secretariat Task-force based Working Group

SME WG Privacy

WG

Mobile

WG Candidate WG

Actual WG


Lesson to learn

• It is inevitable for the government to lead the efforts to build up a NPKI.

• To avoid duplication of resources and confusion in policy-making, services

should be provided through a single root CA.

• A country should accumulate and retain its own technologies related to

security and certification to enhance its national competitive edge.

• The interoperability issue should be considered which arises during early

stages of the NPKI construction.

• For CA’s to serve the public with stability in operation and services, free trial

periods should not be provided.

• To boost the certification market, it is recommendable to impose mandatory

use on some industries.

• Different natures of CA’s may lead to conflicts and harm to the market. Thus,

it is necessary, in some case, to set boundary between certificate markets.

• Advance of technologies does not always guarantee stability of certification

technologies. Thus, countermeasures should be considered in advance.

• In order to enhance subscriber’s personal security environment, HSM Token

as a secure storage can use.

• Thoughts should be given to the issue of international interoperability. Close

cooperation, for example, with the Asia PKI Consortium will be helpful.


Development steps of PKI

Past Present Future

Special Purpose Infancy of EC Take off Leap

The Internet was born

Fundamental Investigation

For Military Purpose

Special Financial Application

Web sites and email users are exploding

PKI standardization

The birth of CA

Access control by Certificate

The law of Electronic Signature

Mainly “B to B”

Desktop Commerce

Certificates in HSM, Smart Card

Products confirming PKI standard will spread

Data > Voice

“B to C” will rise(PKI will enter in every day life)

Digital contents will increase rapidly

Digital signature > Handwritten Signature


Upgrade PKI Cryptography(1/2)

• The existing encryption algorithms' security was declined due to

rapid computing technology development

According to NIST key size recommendations, RSA 1024 and SHA-1

algorithm used by Korean digital certificate management system don't

guarantee their security in 2013 ※ (“Recommendation for Transitioning

the Use of Cryptographic Algorithms and Key Lengths", 2011.1.13)

Digital Signature

Use

Digital Signature

Generation

RSA: 1024 ≤ |n| < 2048

• Acceptable through 2010 • Deprecated from 2011

through 2013 • Disallowed after 2013

RSA: |n| ≥ 2048

• Acceptable

Hash Function

Use

SHA-1

Digital signature generation

• Acceptable through 2010 • Deprecated from 2011

through 2013 • Disallowed after 2013

Non-digital signature generation applications

• Acceptable

SHA-256 Acceptable for all hash function applications

• With hacking prevention through digital certificate itself such as illegal

duplication and forgery, an advanced encryption system of digital

certificates for certificate reliability is needed.


Upgrade PKI Cryptography(2/2)

• Raise the key size of digital signature

• Adjust the key size of subscribers’ digital certificates to be higher (1,024

bit to 2,048 bit)

• As hackers try to get an digital certificate key from 21,024 up to 22,048

times, it can guarantee certificate security until the year of 2030

• Exchange a hash algorithm

• Exchange a hash algorithm used for certificate issuance and digitally

signing

• 160bit hash (SHA-1) → 256bit hash (SHA-256)

Change subscriber S/W of e-transaction companies

(~ complete by October 2011)

Integration Test

(November 2011 ~ )

Issue new certificates

(January 2012 ~ )

2011 2012


Cryptography Key Length - NIST

NIST Draft SP 800-57 Recommendation for Key Management - Part1: General(Revision 3) (2011.05)

Date Minimum

of Strength

Symmetric Algorithms

Asymmetric

Discrete Logarithm Elliptique Curve

Hash (A) Hash (B) Key Group

2010 80 2TDEA* 1024 160 1024 160

SHA-1** SHA-224 SHA-256 SHA-384 SHA-512

SHA-1 SHA-224 SHA-256 SHA-384 SHA-512

2011 - 2030 112 3TDEA 2048 224 2048 224

SHA-224 SHA-256 SHA-384 SHA-512


> 2030 128 AES-128 3072 256 3072 256 SHA-256 SHA-384 SHA-512


>> 2030 192 AES-192 7680 384 7680 384 SHA-384 SHA-512

SHA-224 SHA-256 SHA-384 SHA-512

>>> 2030 256 AES-256 15360 512 15360 512 SHA-512 SHA-256 SHA-384 SHA-512


Certificate for Smart Phone

iPhone App(iOS)

Android App

4. Select Certificate and

Generate digital signature

1. Request digital

signature

3. Request digital

signature

8. Verify signature

Web

Page

User

Smart

phone

Relay Server

1.Issue Certificate

3. Input auth_code

4. Select certificate

5. Export certificate

(PKCS#12)

2. Send

identification

number

User

PC

Smart

Phone

Relay

Server

CA

1.Import certificate

2. Generate

auth_code

6. Input NID

PC

2. Request digital

signature Generation

7. Digital signature

5. Signature information

6. Digital signature

Certificate Issuance and Export/Import Digital Signature using Smart Phone

http://cfile2.uf.tistory.com/original/2002CB304C5F24BE407212

http://cfile2.uf.tistory.com/original/2002CB304C5F24BE407212


Open WEB Environment

USER Server

Service Provider Server

PKI Client

Toolkit

Internet

Microsoft AcitveX JAVA Applet

BIO HSM

Smart Card

HSM

PKI Server Toolkit

Any Web Browser


U-Authentication System

Establishing a reliable u-Authentication System

• Extending the authentication object to devices

(smart grid, VoIP-phones, CCTV cameras, and etc)

Internet Banking, Log-in

ID/Pass

Human ↔ Human

SSL Server, ETC

Device ↔ Device

RFID/USN Environment BroadcastingTelecommunication

Environment U-City Environment

U-home Environment

Extending the Target of Authentication

i-PIN

Certs.

OTP

BIO

Extending the

Authentication

Method

Human Device

As is

U-health Environment

Traditional Network Environment Ubiquitous Network Environment

To be

Human ↔ Device


PKI Roaming Service

The PKI certificate and the private key can be stored at the safe CA

By the user authentication(OTP, two-channel authentication) the PKI

certificate and the private key can be downloaded at the device the user

already registered

After the use, the key and the certificate will be erased safely

4. Internet Banking

CA USER

BANK

Roaming Server

Registered devices

1. issuance 2. Key escrow

3. User authentication


USIM as PKI Storage and NFC service

USIM as a secure mobile storage

※ HSM : Hardware Security Module

※ USIM : Universal Subscriber Identification Module

NFC using a PKI certificate

※ adopt the PKI at NFC (Near field Communication)

PKI certificate


Strengthening Authentication(1/2)

Two-channel Authentication

For important baking accounts or accessing secured government data,

more safe authentication method is required

If the user PC is hacked and is monitored by the hacker the channel

itself would be in dangerous despite the safety of the PKI ※ registered

PC, mobile phone SMS authentication and etc.

Network Device (PC)

Other channel

1- channel (WEB)

2- channel


Strengthening Authentication(2/2)

Internet Banking Authentication

• For 1st-level transaction

• PKI + ACS(Auto-Calling System)

E-Government Authentication

• Registered PC, HSM, mobile phone SMS authentication must be adapted

for important transaction (issuance of resident registration and etc.)

1.Request transaction using PKI

2. Bank calls the user

3. User approves the transaction by ACS USER

BANK

USER E-Government System

1) HSM PKI, or 2) PKI + registered PC,

or PKI + mobile phone SMS authentication

pki in korea

Government & Nonprofit

pki system national

cloud pki

reinventing pki

smart card pki

service server

rights reserved difference

directory server ocsp

key roaming server