PKI Current Status in Korea
1Copyright 2013@KICA Inc. All rights reserved
INDEX
Necessity of National PKI
PKI Current Status in Korea
I. Necessity of National PKI
Anonymity of Internet
PKI History – RSA, DH
Ron Rivest, Adi Shamir and Len Adleman, the R, S and A in RSA Security
“A Method for Obtaining Digital Signatures and Public-Key Cryptosystems” (1977)
R, S and A win Lifetime Achievement Award
[Photos: Adi Shamir, Ron Rivest, Len Adleman, Whitfield Diffie, Martin Hellman]
PKI History
1994: Smart card
1997: Smart card + PKI
2011: Cloud + PKI?
1995: PKI and US Postal Services
1996: Windows 95
PKI History
“PKI Integration – It’s Not All or Nothing”
Year of the PKI
The Second Coming of PKI
“I have PKI – Now What?”
“Reinventing PKI”
PKI (Public Key Infrastructure)?
• Personnel, policy, procedures, components and facilities to bind user names to electronic keys so that applications can provide the desired security services.
[Diagram: PKI components: Certificate Authority, Registration Authority, Directory Server (certificate repository), PKI Server (server-side software, server cert), PKI Client on PC/Phone/PDA (client-side software, client cert), digital signature]
PKI Center System Configuration
• PKI Center
[Diagram: PKI Center network with User, Internet, Firewall, L4 Switch, RA, CA, HSM, DS, OCSP, TSA, TS, GPS Receiver, KRS/Etc., DB and Admin PC]
Admin: Administrator Program
User: User S/W
CA: Certificate Authority Server
RA: Registration Authority Server
DS: Directory Server
OCSP: Online Certificate Status Protocol Server
VA: Validation Authority Server
HSM: Hardware Security Module (Accelerator)
TS: Time Stamp Module
GPS: Time Accuracy Maintainer
TSA: Time Stamp Authority Server
DVCS: Data Validation Certification Server
KRS: Key Roaming Server
Etc.: Other Service Server
※ All networks and servers are double connected (Fault Tolerant)
Difference between NPKI and PKI system
• National PKI = Law/Standards + PKI system + Operation
| Category | National PKI | PKI system |
|---|---|---|
| Customer | Accredited CA, Root CA | PKI products |
| Base | Law (Electronic transaction Act and decrees) | Domestic/International Standards |
| Scope of Evaluation | Wide (System, Policy, Operation) | Narrow (Only System) |
| Compensation | Easy to get compensated | N/A |
| Interoperability | Guaranteed by Law | Impossible |
| Application | All for public (E-Government, E-Procurement, E-Commerce, E-Banking, E-Tax, etc) | Only for the limited area (Private Service) |
| Level of technology and security | Very secure (proved technology + law) | Secure (proved technology) |
| Burden of Proof | Accredited CA | User |
| Usage | Infrastructure | System (Software) |
Why need a NPKI?
• Without a unified infrastructure, resources are duplicated and policy-making becomes confused.
• A country that does not accumulate and retain its own technologies related to security and certification will not grow its national competitive edge in its region.
• Without united technical standards, interoperability issues among CA’s are bound to arise.
• It is difficult to build an e-government framework, because PKI is the mandatory infrastructure in e-government.
• Without an accredited CA, it is hard to cooperate with other nations on international interoperability.
• Users or entities have to use a lot of certificates, one for each application.
Need for Digital Signature
| Problems | Requirement | Solutions |
|---|---|---|
| Risk of deceiving identity of sender | Authentication | Digital Signature |
| Risk of changing information on transmission | Integrity | Digital Signature |
| Risk of denying the fact of transmitting information | Non-repudiation | Digital Signature |
| Risk of exposing information on transmission | Confidentiality | Encryption |
[Diagram labels: Offline (face-to-face), Industrial Society; Online, Informational Society]
Digital Signature Technology
• Authentication, Integrity, Non-Repudiation
[Diagram: digital signature signing, sending and verification. Signer side: Message, Hash Algorithm, Hash Code, Sign with the Private Key (the Encrypted Private Key goes through AES Decryption with a Password), Digital Signature. Verifier side: Client Certificate, Certificate Verification, Verify with the Public Key, Hash Algorithm, Hash Code, Compare Hash Codes.]
Identification and Signature
| | Real World | Cyberspace (Internet) |
|---|---|---|
| For Authentication | National ID Card | Accredited Certificate |
| Name | Jaejung Kim | Jaejung Kim |
| SSN / Serial No | XX0921-152XXXX | 883XXX8377 |
| Address | KICA, Seoul, Kr | KICA, Seoul, Kr |
| Issued Date / Validity | 2002/6/1 | 2010/6/1~2011/5/31 |
| Finger Print / Public Key | (image) | (image) |
| Issuer's mark | | CA’s Signature |
| Signature | Signature or Signature-seal | Encrypted Private Key + Digital Signature (digital signature using asymmetric encryption / decryption method) |
| Reuse | Reusable | Impossible to reuse |
Electronic Signature
• What ensures that a signature is valid?
[Diagram: a Signed Paper Document (Generate Signature, Process of Verification, National ID) compared with a Digitally Signed Document (Generate Signature with the Private Key, Process of Verification with the Public Key, Certification Authority)]
Types of Certificates
Certificate Without Accreditation (or Private Certificate)
A certificate is issued by a certification organization that is not accredited by the government. It is used for a limited number of e-transactions.
Accredited Certificate
The accredited certificate is issued by a CA, which in turn is designated by the government pursuant to the laws after thorough screening, to be used for various e-transactions.
| Category | Accredited Certificate | Certificate Without Accreditation |
|---|---|---|
| Level of technology and security | Passage of thorough screening pursuant to the law | Impossible to verify |
| Legal effect | Valid as provided by the laws | Valid only by agreement |
| Compensation | Easy to get compensated | Hard to get compensated |
| Scope of applicable services | Wide | Narrow |
Comparison of Certificates
Legal Effect
• When endorsement is mandated by the law, use of the accredited certificate grants the same legal effect and, thus, can be used as evidence in the court of law.
• Use of a certificate without accreditation, however, does not generate any binding authority; it takes effect only upon agreement by both parties.
Compensation
• Upon occurrence of any damage arising out of use of an accredited certificate, the CA in charge has to compensate the user unless it proves its innocence.
• On the other hand, the burden of proof shifts to a user when a harm is done to the user during use of a certificate. Therefore, it becomes hard to get compensated for the harm.
Scope of applicable services
• Only a single accredited certificate suffices to use various services such as Internet banking AND online stock trading.
• The certificate without accreditation, however, is limited in usage. Thus, a person can use it only for a certain field such as Internet shopping OR e-transaction.
Framework of National PKI
NPKI (National Public Key Infrastructure)
[Diagram: implementation steps of the NPKI. Labels: Preparation; PKI Scheme; Requirements for PKI System; Operation Requirements; PKI Standards; Education; Promotion; Pilot Project; Law & Regulations; PKI Decree; Recommendation; Accreditation; Generals; Organization of PKI TFT; Implementation Planning; Facilities and Equipment; CPS; Framework; long-term Security plan; RA; Construction; PKI Center; Education & Promotion; PKI Applications]
E-Government Framework
[Diagram: e-Government for National Development. Service labels: Economic Development (G2B), Public Service (G2C), Public Admin. Reform (G2G), e-Customs, e-Support for Foreign Firms, e-Intellectual Property, e-Procurement, e-Agriculture, e-Land Registry, e-National ID. Shared Services: National ID DB, Land Resources DB. Infrastructure: Public Key Infrastructure, Public Access Point, Government Information Network, Database. Management: Organization, Budget, HRD, Standards, Security, IT Management, Privacy.]
National PKI Establishment
[Diagram: establishing a safe and reliable information society. Labels: Establishment Law (Electronic Signature), PKI Standards: E-Signature law, CPS, Standards and technical guidelines. Certification Services: PKI System Construction (Root CA, Government CA Construction), PKI Certification System, Root CA, Accredited CA, Certificate Authority. E-signature Pilot services: E-signature pilot site construction (PKI application service development), PKI Application Services. Parties: The Government, Citizen, Company, application service authorities or companies using certificates; E-government seal / Accredited e-signature; Certificate.]
PKI Scheme
[Diagram: PKI scheme. Labels: Accreditation Unit, Root CA Unit, Auditing Unit; Operation on Root CA; Accreditation; Annual Auditing; Accredited CA (ACA) ... ACA; Issuing certificates (General/Special Purpose certificates); RA Management; RA 1, RA 2, ... RA N; Subscribers]
(ACA: Accredited CA)
Effectiveness of Expectations
• PKI builds a safe and trustworthy environment using electronic signatures.
[Diagram: Background (Law, Policies; Standards & Technology; PKI enabled Applications; Accredited CA) leading to National PKI Establishment, with benefits for USER, Corporation and Government]
• Reduce the time and cost.
• Convenience of applications like Online Civil Service, Internet Banking etc.
• Convert offline business to online.
• Provide more secure and safe service.
• Increase the trust of company.
• Increase the confidence and trust.
• Ensure interoperability of PKI infrastructure with other governments.
• Establishment of National Security Plan.
Win (User) – Win (Government) – Win (Company)
Application Layers
[Diagram: application layers compared between the Real World and Cyberspace (Internet). Layers: Basic Infra, Public Infra, Industry Infra, Institutions, Society rules, Environment, Establishment. Real World labels: road, energy, water; Commercial Law, Civil Law, Criminal Law, Communication Law, City Cost..Law, Building Law; police, public office, bank, school, land, public site, court; Sales Co, Physical Co, institute, Major Co, factory, Small Co, Trade Co; the stores, house, theater, church, restaurant, gym. Cyberspace labels: High-speed Internet, E-Auth, E-pay security, Reserve Agent; E-Signature Law, Basic e-trade Law, Intellectual Property Law, E-network Law, International Law; E-govern, e-edu, Cyber S1, Virtual-bank; Sales NW, Research NW, Product NW, Supply NW, Virtual Co, E-procurement, E-trade; Internet mall, Netizen, E-park entertainment, E-missionary, E-health, Cyber insure; B-to-G, B-to-B, B-to-C.]
Types of PKI Model
Network Trust Model
Hierarchical Trust Model
Hybrid Trust Model
II. PKI Current Status in Korea
Overview (1/3)
• 5 accredited CAs have issued accredited certificates to subscribers, around 25 million in total
• Major PKI Applications
* Internet Banking, Online Stock, Internet Shopping, Procurement, e-Government Services
Numbers of annual issuance of certificates (2011.09, published by KISA)
| Year | 2003 | 2004 | 2005 | 2006 | 2007 | 2008 | 2009 | 2010 | 2011.9 |
|---|---|---|---|---|---|---|---|---|---|
| Value as charted | 782 | 950 | 1,100 | 1,437 | 1,716 | 1,856 | 2,192 | 2,366 | 2,593 |
Overview (2/3)
• Statistics on Accredited CA’s
| No. | Accredited CA / Web site | Accredited Date | Characteristics | Main Business Area |
|---|---|---|---|---|
| 1 | KICA (CA: SignGATE) http://www.signgate.com | 2000. 02. 10 | Corporation | All industry, government |
| 2 | KOSCOM (CA: SignKorea) http://www.signkorea.com | 2000. 02. 10 | Special purpose Corporation | Cyber trading |
| 3 | KFTC (CA: yessign) http://www.yessign.com | 2000. 04. 12 | Non-commercial Organization | Internet banking |
| 4 | CrossCert (CA: CrossCert) http://gca.crosscert.com | 2001. 11. 24 | Corporation | - |
| 5 | KTNET (CA: TradeSign) http://www.tradesign.net | 2002. 03. 11 | State-run Corporation with special mission | Trading |
(As of 2011; published by MOPAS)
Overview (3/3)
• PKI Model in Korea
| | GPKI | NPKI |
|---|---|---|
| Act | Established in 2001 pursuant to E-Government Act | Established in 1999 under Electronic Signature Act |
| Ministry in Charge | MOPAS (Ministry of Public Administration and Security) | MOPAS (Ministry of Public Administration and Security) |
| Root CA | GCMA (http://www.gpki.go.kr) | KISA (http://www.rootca.or.kr) |
| Main Customer | Public Servants | Individual, Company |
| Algorithm | NEET (not open) | SEED, AES |
• Types of Accredited Certificate and Fees
| Types | Entity | Certificate Usage Field | Fee |
|---|---|---|---|
| General | Individual | All electronic transactions | ≈ US$ 4/year |
| General | Corporation | All electronic transactions | ≈ US$ 100/year |
| Specific | - | G2C, Bank, Insurance | Free |
| Specific | - | G2C, Stock, Insurance | Free |
| Specific | - | G4C, Credit Card | Free |
PKI Scheme in Korea
[Diagram: PKI scheme in Korea. Labels: Ministry of Public Administration and Security; National Root CA (KISA); Government Root CA (GCMA); Accredited CA (four shown); Certification issuance / Management; Subscriber; E-Government Service Provider; Foreign Government; Mutual Recognition]
Role of Root CA
[Diagram: role of the Root CA (KISA). Labels: Accredited CA; Legal & Policy Issue; Technical Specification; Environment of Usage of Electronic Signature; International Cooperation]
Scope of Benchmarking
Subject: contents
Law, Policy, Standards:
- Electronic Signature Act, Decree and Ordinance
- Certification Practices Statement
- Electronic Signature Certification Technology
PKI Model:
- Government PKI
- National PKI
User:
- Electronic Signature Promotion
- Provide User’s Convenience
- End of Certificate Free Trial Period
Accredited CA:
- Interoperability among Accredited CA’s
- Upgrading of PKI technologies
- Division of PKI Markets
Root CA:
- Cross certification for NPKI and GPKI
- Addition of Root CA Certificate to MS IE
- Applications Mandating Accredited Certificate (bank, stock)
PKI Applications:
- E-Procurement, Internet Banking, Payment Gateway, G4C etc
Framework of Registration
Electronic Signature Act
- Ensure the security and reliability of electronic documents and promote their use
- Promote nationwide informatization and improve convenience in people's living standard
Electronic Signature Act, Decree and Ordinance
[Diagram: rules under the Act and the areas they govern. Rules: Guideline on Electronic Signature Certification Practices; Technical Specification; CPS; Rules on Accredited CA’s Facilities and Equipment; Rules on Accredited CA’s Protective Measures; Methods and Procedures for I & A through Representatives. Areas: CA accreditation; Accredited CA’s operation; Accredited CA’s protection measure; Subscriber’s I & A.]
* I & A: Identification and Authentication
* CPS: Certification Practices Statement
CPS (Certification Practices Statement)
Contents: Detail
Management of Certificates
- Transmission of Registered Information
- Request for Issuance of Certificate
- Generation of Certificates
- Request for Suspension, Restoration and Revocation of Certificates
- Generation of Certificate Suspension and Revocation List
- Public Announcement and Validation of Certificates
Management of Key Pairs
- Generation of Private Pairs
- Backup of Private Pairs
- Loss, Destruction, Theft or Leakage of Private Keys
- Protection of Private Pairs
- Revocation of Private Pairs
Other Certification Services
- Provision of Time Stamping
- Storage of Time Stamping Records
- Backup of Time Stamping Records
- Time Reception and Correction
- Storage of Electronic Documents
- Other Supplementary Services
Others
- Conformity with Technical Specifications
- Scope and Intended Use of Certificates
- Conformity to Certification Procedure
- Matters concerning Facilities and Equipment
- Management of Certification Service Records
- Management of Certification Service Records through the representative
- Management of Audit Records
- Management of Registration Authorities
- Test Run of Certification Practice
- Correct Provision of Information and Public Notification
History of NPKI in Korea
[Timeline chart: activities plotted by year, ‘00 to ‘11]
- Electronic Signature Promotion
- Interoperability among Accredited CA’s
- Provide User’s Convenience
- Cross certification for NPKI and GPKI
- Mandating Accredited Certificate (bank, stock, E-malls)
- End of Certificate Free Trial Period
- Upgrading of PKI technologies
- Division of PKI Markets
- Addition of Root CA Certificate to MS IE
- Adapt HSM (Hardware Security Module)
- Asia PKI Consortium
Interoperability among Accredited CA’s
Goals
- A subscriber who has a general-purpose accredited certificate can do all kinds of electronic transactions on the Internet
- To provide technologies that recognize and process accredited certificates regardless of who issued them
- To provide data to policy-makers on how to determine the scope and conditions of each accredited certificate
Lesson to learn
The interoperability issue that arises during the early stages of NPKI construction should be considered.
[Diagram: User A (CA A) and User B (CA B) with general-purpose certificates using App 1 and App 2, with accepted (✓) and rejected (x) combinations. Labels: Accredited CA; E-service Provider (Company 1, Company 2); S/W development Company]
Cross-Certification for NPKI and GPKI
Background
- Two years after the NPKI was established in 1999, the GPKI was created. The service areas of the two came to overlap.
- To operate both smoothly at the same time, cross-certification is vital; it was achieved by means of a simplified CTL (i.e. Certificate Trust List).
Lesson to learn
To avoid duplication of resources and confusion in policy-making, services should be provided through a single root CA.
[Diagram: CTL issuance between A PKI and B PKI. Labels: A Root CA, B Root CA, Hash, CTL; A_RootCA, A_CA, A_USER; B_RootCA, B_CA, B_USER; generate signature, verify signature. Certificate Path elements: B_User Cert, B_CA Cert, B_RootCA Cert, CTL issued by A_RootCA, A_RootCA Cert]
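Added example (not part of the original slides): a sketch of how a verifier in the A PKI could validate a B PKI user's certificate through the CTL path listed on this slide. The dictionary certificate format, the function names, the extra X_RootCA test root and the toy textbook-RSA keys built from Mersenne primes are all assumptions made for illustration; a real deployment uses X.509 and a vetted crypto library.

```python
import hashlib
import json

E = 65537  # public exponent shared by all toy keys

def make_key(p, q):
    """Toy textbook-RSA key from two known primes. Illustration only, not secure."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def _encode(obj):
    return json.dumps(obj, sort_keys=True).encode()

def _digest(body, n):
    # SHA-256 of the canonical encoding, reduced into the toy modulus.
    return int.from_bytes(hashlib.sha256(_encode(body)).digest(), "big") % n

def sign(body, key):
    return pow(_digest(body, key["n"]), key["d"], key["n"])

def verify(body, sig, n):
    return pow(sig, E, n) == _digest(body, n)

def issue(subject, subject_key, issuer, issuer_key):
    """Hypothetical minimal certificate: subject, issuer, subject public modulus."""
    body = {"subject": subject, "issuer": issuer, "n": subject_key["n"]}
    return {"body": body, "sig": sign(body, issuer_key)}

def fingerprint(cert):
    return hashlib.sha256(_encode(cert)).hexdigest()

def issue_ctl(root_cert, root_key, foreign_roots):
    """CTL: hashes of foreign root certificates, signed by the local root CA."""
    body = {"issuer": root_cert["body"]["subject"],
            "trusted": sorted(fingerprint(c) for c in foreign_roots)}
    return {"body": body, "sig": sign(body, root_key)}

def validate_path(chain, anchor, ctl=None):
    """chain is leaf-first and ends in a self-signed root; anchor is the verifier's root."""
    for cert, issuer in zip(chain, chain[1:] + chain[-1:]):
        if cert["body"]["issuer"] != issuer["body"]["subject"]:
            return False, "issuer name mismatch"
        if not verify(cert["body"], cert["sig"], issuer["body"]["n"]):
            return False, "bad signature on " + cert["body"]["subject"]
    root = chain[-1]
    if fingerprint(root) == fingerprint(anchor):
        return True, "chains to local root"
    if ctl is None:
        return False, "foreign root and no CTL"
    ctl_ok = (ctl["body"]["issuer"] == anchor["body"]["subject"]
              and verify(ctl["body"], ctl["sig"], anchor["body"]["n"]))
    if not ctl_ok:
        return False, "CTL not signed by local root"
    if fingerprint(root) not in ctl["body"]["trusted"]:
        return False, "foreign root not listed in CTL"
    return True, "chains to foreign root listed in CTL"

# Constructed sample data; A_/B_ names follow the slide's diagram labels.
def _m(k):
    return 2 ** k - 1  # Mersenne primes for k in 61, 89, 107, 127, 521, 607

A_ROOT_KEY = make_key(_m(521), _m(607))
B_ROOT_KEY = make_key(_m(127), _m(107))
B_CA_KEY = make_key(_m(89), _m(61))
B_USER_KEY = make_key(_m(107), _m(89))
X_ROOT_KEY = make_key(_m(127), _m(61))  # hypothetical root that A never listed

A_ROOT = issue("A_RootCA", A_ROOT_KEY, "A_RootCA", A_ROOT_KEY)
B_ROOT = issue("B_RootCA", B_ROOT_KEY, "B_RootCA", B_ROOT_KEY)
B_CA = issue("B_CA", B_CA_KEY, "B_RootCA", B_ROOT_KEY)
B_USER = issue("B_User", B_USER_KEY, "B_CA", B_CA_KEY)
X_ROOT = issue("X_RootCA", X_ROOT_KEY, "X_RootCA", X_ROOT_KEY)
X_USER = issue("X_User", B_USER_KEY, "X_RootCA", X_ROOT_KEY)

B_CHAIN = [B_USER, B_CA, B_ROOT]
CTL = issue_ctl(A_ROOT, A_ROOT_KEY, [B_ROOT])
# Tampered CTL: X_RootCA's hash swapped in, A_RootCA's old signature left unchanged.
TAMPERED_CTL = {"body": {"issuer": "A_RootCA", "trusted": [fingerprint(X_ROOT)]},
                "sig": CTL["sig"]}

if __name__ == "__main__":
    print(validate_path(B_CHAIN, A_ROOT, CTL))
    print(validate_path(B_CHAIN, A_ROOT))
    print(validate_path([X_USER, X_ROOT], A_ROOT, CTL))
    print(validate_path([X_USER, X_ROOT], A_ROOT, TAMPERED_CTL))
```

The verifier never installs B_RootCA as a trust anchor: trust in the foreign root exists only while its hash appears in a CTL whose signature verifies under A_RootCA.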
Mandatory Use of Accredited Certificates
Background
- To promote use of accredited certificates, services were provided free of charge.
- Accredited certificates were provided without any charge to relieve the initial burden on customers, to secure an adjustment period, and to build up Internet services.
- The deteriorating financial status of CA’s led to efforts to improve security and quality of certification services.
◊ Only corporate certificates began to be charged for (approximately $100/year).
◊ It was not possible to impose any liabilities on CA’s since they did not generate any profits.
◊ CA’s were unable to make additional investments, for example, in equipment.
Lesson to learn
For CA’s to serve the public with stability in operation and services, free trial periods should not be provided.
Progresses
- Individuals began to pay fees. (June, 2004)
◊ Individual accredited certificate of general purpose: $4/year
◊ Individual accredited certificate of limited purpose: Implementation thereof was in the sole discretion of a CA. (CA’s were able to charge only after September, 2004.)
Division of PKI Markets
Lesson to learn
Different natures of CA’s may lead to conflicts and harm to the market. Thus, it is necessary, in some cases, to set boundaries between certificate markets.
Progresses
- KESA (Korea Electronic Signature Act) amended to set “borders” between different markets (December, 2005)
◊ The amended KESA demands tougher requirements for a government agency or a non-profit organization to get designated as CA.
- Implementation of PKI with divided roles (July, 2006)
◊ The KCFC, under the new KESA, is not allowed to issue certificates of general purpose; it can only issue certificates required for banking.
| CA | Characteristics | Individual: General Purpose | Individual: Specific Purpose (Bank) | Corporation | Total |
|---|---|---|---|---|---|
| KCFC | non-profit organization | 63% | 76% | 29% | 67% |
| | | 4$/year | Free | 100$/year or Free | |
Upgrading of PKI technologies
Background
- The term “upgrading” (or its verb form “to upgrade”) refers to any effort made to increase system security and compatibility of technologies, such as renewal of private keys, adjustment of length of private keys, application of RFC3280, etc.
Lesson to learn
Advance of technologies does not always guarantee stability of certification technologies. Thus, countermeasures should be considered in advance.
Major missions
- Renewal of Root CA certificate and Accredited CA Certificates
- Upgrading of private-key lengths to RSA 2048 bit
- Application of RFC 3280: International standard changed
- The RSA 1024 and SHA-1 algorithms do not guarantee their security in 2013.
- Offline operation of Root CA’s directory
◊ The CRL’s of Root CA are posted on directories of accredited CA’s.
| | Before Feb., 2006: Valid | Before Feb., 2006: Key | After Feb., 2006: Valid | After Feb., 2006: Key | After Jan., 2011: Valid | After Jan., 2011: Key |
|---|---|---|---|---|---|---|
| Root CA | 10 years | 2048 bit (SHA1) | 20 years | 2048 bit (SHA1) | 20 years | 2048 bit (SHA256) |
| Accredited CA | 5 years | 1024 bit (SHA1) | 10 years | 2048 bit (SHA1) | 10 years | 2048 bit (SHA256) |
| User | 1 year | 1024 bit (SHA1) | 1 year | 1024 bit (SHA1) | 1 year | 2048 bit (SHA256) |
Addition of Root CA Certificate to MS IE
Lesson to learn
A country should accumulate and retain its own technologies related to security and certification to enhance its national competitive edge.
Problems and solutions
- When using services like e-mail and web server with domestic certificates, security warnings popped up, causing confusion among users.
- Foreign CA’s (i.e., VeriSign) recognized by MS Windows got to monopolize the Korean PKI markets for SSL, code signing certificates.
- By mounting certificates of Korean Root CA’s on MS Windows, it has become possible to apply their certificates to Windows-based web services including web server, secured e-mail and code signing etc.
• Microsoft Root Certificate Program Members: 58 CA’s (15 accredited CA’s)
[Diagram: Microsoft Root Certificate Program members shown: Thawte, VeriSign, VISA, RSA, Korean Root CA, JCSI, Hongkong Post]
★ Inclusion of KISA Root CA Certificate in Web Browsers (~'08)
Internet Explorer ('06.02), Safari ('07.03), Opera ('08.05), FireFox ('06~)
HSM Token as a secure storage
Lesson to learn
In order to enhance the subscriber’s personal security environment, an HSM Token can be used as a secure storage.
Problems
- If a subscriber uses the hard disk for certificate storage, some malicious programs can control the subscriber’s PC and extract that information.
[Diagram: storage for certificate: <Subscriber's S/W>, <HSM Access Program> (interface between the Token and the Subscriber’s S/W), <HSM Token>]
Background
- A hardware-protected secure storage with a hardware cryptographic accelerator to generate and store private keys
→ ① Digital signing and generation of a private key can be done inside the Token, ② Private keys cannot be exported
Progresses
- Developing the technical specifications for HSM Token with certificate ('06~'07.8)
- Carrying out the evaluation for the interoperability of HSM Token ('07.9~)
Asia PKI Consortium
Lesson to learn
Thoughts should be given to the issue of international interoperability. Close cooperation, for example, with the Asia PKI Consortium will be helpful.
• Non-profit international collaboration body in Asia region, specialized for information security areas
• Objectives: To realize borderless and seamless e-commerce in a secure and trustworthy way, in Asia regions
• Founded: Nov. 2007
• Member: Korea (KISA), China, Taiwan (As of June, 2008)
[Organization chart]
Steering Committee (SC)
- Composed of all Principal member
- Approve resolutions by GA
- Determine policy, direction, strategy
General Assembly (GA)
- Composed of all members
- Elect Chairperson and Vice chairperson
- Decide to Start and Dismiss WG
Secretariat
Task-force based Working Group: PKI WG, Other WG, SME WG, Privacy WG, Mobile WG (legend: Actual WG, Candidate WG)
Lesson to learn
• It is inevitable for the government to lead the efforts to build up a NPKI.
• To avoid duplication of resources and confusion in policy-making, services should be provided through a single root CA.
• A country should accumulate and retain its own technologies related to security and certification to enhance its national competitive edge.
• The interoperability issue that arises during the early stages of NPKI construction should be considered.
• For CA’s to serve the public with stability in operation and services, free trial periods should not be provided.
• To boost the certification market, it is recommendable to impose mandatory use on some industries.
• Different natures of CA’s may lead to conflicts and harm to the market. Thus, it is necessary, in some cases, to set boundaries between certificate markets.
• Advance of technologies does not always guarantee stability of certification technologies. Thus, countermeasures should be considered in advance.
• In order to enhance the subscriber’s personal security environment, an HSM Token can be used as a secure storage.
• Thoughts should be given to the issue of international interoperability. Close cooperation, for example, with the Asia PKI Consortium will be helpful.
Development steps of PKI
Stages: Special Purpose, Infancy of EC, Take off, Leap (Past, Present, Future)
• The Internet was born
• Fundamental Investigation
• For Military Purpose
• Special Financial Application
• Web sites and email users are exploding
• PKI standardization
• The birth of CA
• Access control by Certificate
• The law of Electronic Signature
• Mainly “B to B”
• Desktop Commerce
• Certificates in HSM, Smart Card
• Products conforming to PKI standard will spread
• Data > Voice
• “B to C” will rise (PKI will enter in everyday life)
• Digital contents will increase rapidly
• Digital signature > Handwritten Signature
Upgrade PKI Cryptography (1/2)
• The security of the existing encryption algorithms has declined due to rapid development of computing technology
→ According to NIST key size recommendations, the RSA 1024 and SHA-1 algorithms used by the Korean digital certificate management system don't guarantee their security in 2013 ※ (“Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths”, 2011.1.13)
Digital Signature Use
- Digital Signature Generation, RSA: 1024 ≤ |n| < 2048
  • Acceptable through 2010
  • Deprecated from 2011 through 2013
  • Disallowed after 2013
- Digital Signature Generation, RSA: |n| ≥ 2048
  • Acceptable
Hash Function Use
- SHA-1, digital signature generation
  • Acceptable through 2010
  • Deprecated from 2011 through 2013
  • Disallowed after 2013
- SHA-1, non-digital signature generation applications
  • Acceptable
- SHA-256
  • Acceptable for all hash function applications
• To prevent attacks on the digital certificate itself, such as illegal duplication and forgery, an advanced encryption system for digital certificates is needed for certificate reliability.
Upgrade PKI Cryptography (2/2)
• Raise the key size of digital signature
  - Adjust the key size of subscribers’ digital certificates to be higher (1,024 bit to 2,048 bit)
  - As hackers try to get a digital certificate key from 2^1,024 up to 2^2,048 times, it can guarantee certificate security until the year of 2030
• Exchange a hash algorithm
  - Exchange the hash algorithm used for certificate issuance and digital signing
  - 160bit hash (SHA-1) → 256bit hash (SHA-256)
Schedule, 2011 to 2012:
- Change subscriber S/W of e-transaction companies (~ complete by October 2011)
- Integration Test (November 2011 ~ )
- Issue new certificates (January 2012 ~ )
Cryptography Key Length - NIST
• NIST Draft SP 800-57 Recommendation for Key Management - Part1: General (Revision 3) (2011.05)
| Date | Minimum of Strength | Symmetric Algorithms | Asymmetric | Discrete Logarithm: Key | Discrete Logarithm: Group | Elliptic Curve | Hash (A) | Hash (B) |
|---|---|---|---|---|---|---|---|---|
| 2010 | 80 | 2TDEA* | 1024 | 160 | 1024 | 160 | SHA-1**, SHA-224, SHA-256, SHA-384, SHA-512 | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 |
| 2011 - 2030 | 112 | 3TDEA | 2048 | 224 | 2048 | 224 | SHA-224, SHA-256, SHA-384, SHA-512 | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 |
| > 2030 | 128 | AES-128 | 3072 | 256 | 3072 | 256 | SHA-256, SHA-384, SHA-512 | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 |
| >> 2030 | 192 | AES-192 | 7680 | 384 | 7680 | 384 | SHA-384, SHA-512 | SHA-224, SHA-256, SHA-384, SHA-512 |
| >>> 2030 | 256 | AES-256 | 15360 | 512 | 15360 | 512 | SHA-512 | SHA-256, SHA-384, SHA-512 |
Certificate for Smart Phone
• Certificate Issuance and Export/Import; Digital Signature using Smart Phone (iPhone App (iOS), Android App)
[Diagram 1: certificate issuance and export/import between CA, User PC, Relay Server and Smart Phone. Step labels as shown: 1. Issue Certificate; 2. Send identification number; 3. Input auth_code; 4. Select certificate; 5. Export certificate (PKCS#12); and on the phone: 1. Import certificate; 2. Generate auth_code; 6. Input NID]
[Diagram 2: digital signature using smart phone between Web Page, User PC, Relay Server and Smart phone. Step labels: 1. Request digital signature; 2. Request digital signature generation; 3. Request digital signature; 4. Select certificate and generate digital signature; 5. Signature information; 6. Digital signature; 7. Digital signature; 8. Verify signature]
Open WEB Environment
[Diagram: open web environment. USER side: Any Web Browser, PKI Client Toolkit (Microsoft ActiveX, JAVA Applet), BIO HSM, Smart Card, HSM. Internet. Service Provider Server side: PKI Server Toolkit.]
U-Authentication System
• Establishing a reliable u-Authentication System
• Extending the authentication object to devices (smart grid, VoIP-phones, CCTV cameras, etc.)
[Diagram: As is (Traditional Network Environment) and To be (Ubiquitous Network Environment). Labels: Human ↔ Human (Internet Banking, Log-in; ID/Pass); Device ↔ Device (SSL Server, etc.); Human ↔ Device; RFID/USN Environment, Broadcasting/Telecommunication Environment, U-City Environment, U-home Environment, U-health Environment. Extending the Target of Authentication: Human, Device. Extending the Authentication Method: i-PIN, Certs., OTP, BIO.]
PKI Roaming Service
• The PKI certificate and the private key can be stored at a safe CA
• After user authentication (OTP, two-channel authentication), the PKI certificate and the private key can be downloaded to a device the user has already registered
• After use, the key and the certificate are erased safely
[Diagram: CA, USER, Roaming Server, Registered devices, BANK. Step labels: 1. Issuance; 2. Key escrow; 3. User authentication; 4. Internet Banking]
USIM as PKI Storage and NFC service
 USIM as a secure mobile storage
※ HSM : Hardware Security Module
※ USIM : Universal Subscriber Identification Module
 NFC using a PKI certificate
※ Adopt PKI for NFC (Near Field Communication)
PKI certificate
Strengthening Authentication(1/2)
 Two-channel Authentication
 For important banking accounts or access to secured government data, a safer authentication method is required
 If the user's PC is hacked and monitored by the hacker, the channel itself is in danger despite the safety of the PKI
※ Registered PC, mobile phone SMS authentication, etc.
[Diagram labels: Network Device (PC); 1-channel (WEB); 2-channel; Other channel]
Strengthening Authentication(2/2)
 Internet Banking Authentication
• For 1st-level transaction
• PKI + ACS (Auto-Calling System)
[Diagram. Actors: USER, BANK. Step labels: 1. Request transaction using PKI; 2. Bank calls the user; 3. User approves the transaction by ACS]
 E-Government Authentication
• Registered PC, HSM, or mobile phone SMS authentication must be adopted for important transactions (issuance of resident registration, etc.)
[Diagram. Actors: USER, E-Government System. Options: 1) HSM PKI, or 2) PKI + registered PC, or PKI + mobile phone SMS authentication]
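The PKI + ACS sequence on this slide (signed request, bank call, user approval), written out as an added example that is not part of the original slides. It shows why the second channel matters when the PC is compromised: a transaction altered before signing still carries a valid signature, and only the call-back exposes it. Assumptions: the `Bank` class, the function names, the sample data and the idea that the call reads back payee and amount are hypothetical, and the signature is a toy textbook RSA stand-in so the code runs on the standard library alone.

```python
import hashlib
import json
import secrets

# Toy signature (assumption): textbook RSA over two known Mersenne primes, so
# the example runs on the standard library alone. It stands in for the key pair
# behind the user's certificate and is not fit for real use.
_P, _Q = 2**521 - 1, 2**607 - 1
N, E = _P * _Q, 65537
_D = pow(E, -1, (_P - 1) * (_Q - 1))  # private exponent, held on the user's PC


def _digest(tx):
    """SHA-256 over a canonical JSON encoding of the transaction."""
    blob = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big")


def sign(tx):
    return pow(_digest(tx), _D, N)


def verify(tx, signature):
    return pow(signature, E, N) == _digest(tx)


class Bank:
    """Holds each signed request until the call on the second channel settles it."""

    def __init__(self, registered_phone):
        # Enrolled in advance; never taken from the request itself.
        self.registered_phone = registered_phone
        self.pending = {}  # ref -> [transaction, status]

    def request_transaction(self, tx, signature):
        """Step 1 (channel 1, web): accept only a correctly signed request."""
        if not verify(tx, signature):
            return None
        ref = secrets.token_hex(8)
        self.pending[ref] = [dict(tx), "AWAITING_CALL"]
        return ref

    def call_user(self, ref):
        """Step 2 (channel 2): call the registered number and read back
        the transaction exactly as the bank received it."""
        tx, _ = self.pending[ref]
        return self.registered_phone, f"Transfer {tx['amount']} to {tx['payee']}?"

    def acs_answer(self, ref, approved):
        """Step 3: the user's answer on the call; each reference settles once."""
        entry = self.pending.get(ref)
        if entry is None or entry[1] != "AWAITING_CALL":
            return "INVALID"
        entry[1] = "APPROVED" if approved else "REJECTED"
        return entry[1]

    def execute(self, ref):
        """Funds move only for a transaction approved on the second channel."""
        entry = self.pending.get(ref)
        return entry is not None and entry[1] == "APPROVED"


def submit(bank, intended, signed_on_pc):
    """Run steps 1-3. `intended` is what the user meant to do; `signed_on_pc`
    is what the PC actually signed and sent (they differ on a compromised PC)."""
    ref = bank.request_transaction(signed_on_pc, sign(signed_on_pc))
    if ref is None:
        return "BAD_SIGNATURE", False
    _, prompt = bank.call_user(ref)
    # The user approves only if the read-back matches what they intended.
    expected = f"Transfer {intended['amount']} to {intended['payee']}?"
    status = bank.acs_answer(ref, approved=(prompt == expected))
    return status, bank.execute(ref)


if __name__ == "__main__":
    bank = Bank("+82-10-0000-0000")                     # constructed number
    wanted = {"payee": "ALICE", "amount": 100}          # constructed sample data
    altered = {"payee": "UNKNOWN-ACCT", "amount": 100}  # payee changed on the PC
    print(submit(bank, wanted, wanted))    # ('APPROVED', True)
    print(submit(bank, wanted, altered))   # ('REJECTED', False)
```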
PKI in Korea

VIP Kolkata Call Girl Jatin Das Park 👉 8250192130 Available With Room
 
(PRIYA) Call Girls Rajgurunagar ( 7001035870 ) HI-Fi Pune Escorts Service
(PRIYA) Call Girls Rajgurunagar ( 7001035870 ) HI-Fi Pune Escorts Service(PRIYA) Call Girls Rajgurunagar ( 7001035870 ) HI-Fi Pune Escorts Service
(PRIYA) Call Girls Rajgurunagar ( 7001035870 ) HI-Fi Pune Escorts Service
 
Cunningham Road Call Girls Bangalore WhatsApp 8250192130 High Profile Service
Cunningham Road Call Girls Bangalore WhatsApp 8250192130 High Profile ServiceCunningham Road Call Girls Bangalore WhatsApp 8250192130 High Profile Service
Cunningham Road Call Girls Bangalore WhatsApp 8250192130 High Profile Service
 
##9711199012 Call Girls Delhi Rs-5000 UpTo 10 K Hauz Khas Whats Up Number
##9711199012 Call Girls Delhi Rs-5000 UpTo 10 K Hauz Khas  Whats Up Number##9711199012 Call Girls Delhi Rs-5000 UpTo 10 K Hauz Khas  Whats Up Number
##9711199012 Call Girls Delhi Rs-5000 UpTo 10 K Hauz Khas Whats Up Number
 
Rohini Sector 37 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 37 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 37 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 37 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Expressive clarity oral presentation.pptx
Expressive clarity oral presentation.pptxExpressive clarity oral presentation.pptx
Expressive clarity oral presentation.pptx
 
Regional Snapshot Atlanta Aging Trends 2024
Regional Snapshot Atlanta Aging Trends 2024Regional Snapshot Atlanta Aging Trends 2024
Regional Snapshot Atlanta Aging Trends 2024
 
Fair Trash Reduction - West Hartford, CT
Fair Trash Reduction - West Hartford, CTFair Trash Reduction - West Hartford, CT
Fair Trash Reduction - West Hartford, CT
 
PPT Item # 4 - 231 Encino Ave (Significance Only)
PPT Item # 4 - 231 Encino Ave (Significance Only)PPT Item # 4 - 231 Encino Ave (Significance Only)
PPT Item # 4 - 231 Encino Ave (Significance Only)
 
DNV publication: China Energy Transition Outlook 2024
DNV publication: China Energy Transition Outlook 2024DNV publication: China Energy Transition Outlook 2024
DNV publication: China Energy Transition Outlook 2024
 
WIPO magazine issue -1 - 2024 World Intellectual Property organization.
WIPO magazine issue -1 - 2024 World Intellectual Property organization.WIPO magazine issue -1 - 2024 World Intellectual Property organization.
WIPO magazine issue -1 - 2024 World Intellectual Property organization.
 
Climate change and occupational safety and health.
Climate change and occupational safety and health.Climate change and occupational safety and health.
Climate change and occupational safety and health.
 

PKI in Korea

  • 2. INDEX: Necessity of National PKI; PKI Current Status in Korea
  • 3. I. Necessity of National PKI
  • 4. Anonymity of Internet
  • 5. PKI History – RSA, DH: Ron Rivest, Adi Shamir and Len Adleman, the R, S and A in RSA Security. “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems” (1977). R, S and A win Lifetime Achievement Award. [Photo captions: Adi Shamir, Ron Rivest, Len Adleman; Whitfield Diffie, Martin Hellman]
  • 6. PKI History: 1994: Smart card; 1997: Smart card + PKI; 2011: Cloud + PKI?; 1995: PKI and US Postal Services; 1996: Windows 95
  • 7. PKI History: “PKI Integration – It’s Not All or Nothing”; Year of the PKI; The Second Coming of PKI; “I have PKI – Now What?”; “Reinventing PKI”
  • 8. PKI (Public Key Infrastructure)? Personnel, policy, procedures, components and facilities to bind user names to electronic keys so that applications can provide the desired security services. [Diagram labels: Client Cert; Server Cert; certificate; Directory Server; repository; PKI Server; Server-side software; Client-side software; Certificate Authority; Registration Authority; (PC/Phone/PDA) PKI Client; Digital Signature]
  • 9. PKI Center System Configuration. [Diagram labels: PKI Center; Internet; TS; Admin PC; DB; DS; OCSP; User; Firewall; RA; TSA; KRS/Etc.; L4 Switch; HSM; GPS Receiver; CA]
      Legend: Admin: Administrator Program; User: User S/W; CA: Certificate Authority Server; RA: Registration Authority Server; DS: Directory Server; OCSP: Online Certificate Status Protocol Server; VA: Validation Authority Server; HSM: Hardware Security Module (Accelerator); TS: Time Stamp Module; GPS: Time Accuracy Maintainer; TSA: Time Stamp Authority Server; DVCS: Data Validation Certification Server; KRS: Key Roaming Server; Etc.: Other Service Server
      ※ All networks and servers are double connected (Fault Tolerant)
  • 10. Difference between NPKI and PKI system. National PKI = Law/Standards + PKI system + Operation
      Category | National PKI | PKI system
      Customer | Accredited CA, Root CA | PKI products
      Base | Law (Electronic transaction Act and decrees) | Domestic/International Standards
      Scope of Evaluation | Wide (System, Policy, Operation) | Narrow (Only System)
      Compensation | Easy to get compensated | N/A
      Interoperability | Guaranteed by Law | Impossible
      Application | All for public (E-Government, E-Procurement, E-Commerce, E-Banking, E-Tax, etc) | Only for the limited area (Private Service)
      Level of technology and security | Very secure (proved technology + law) | Secure (proved technology)
      Burden of Proof | Accredited CA | User
      Usage | Infrastructure | System (Software)
  • 11. Why need a NPKI?
      - The absence of a unified infrastructure results in duplication of resources and confusion in policy-making.
      - A country that does not accumulate and retain its own security and certification technologies will not grow its national competitive edge in its region.
      - Interoperability problems among CAs are bound to arise in the absence of unified technical standards.
      - It is difficult to build an e-government framework, because PKI is the mandatory infrastructure of e-government.
      - It is hard to cooperate with other nations on international interoperability in the absence of an accredited CA.
      - Users or entities have to hold many certificates, one for each application.
  • 12. Need for Digital Signature. [Diagram labels: Offline (face-to-face), Industrial Society; online, Informational Society]
      Problems online | Security service | Solutions
      Risk of deceiving identity of sender | Authentication | Digital Signature
      Risk of changing information on transmission | Integrity | Digital Signature
      Risk of denying a fact information transmit | Non-repudiation | Digital Signature
      Risk of exposing information on transmission | Confidentiality | Encryption
  • 13. Digital Signature Technology: Authentication, Integrity, Non-Repudiation. [Diagram labels: Signer; Verifier; Hash Algorithm; Hash Code; Sign; Digital Signature; Client Certificate; Hash Code; Hash Code; Compare; Private Key; Verify; Public Key; Hash Algorithm; Certificate Verification; Digital Signature Signing; Digital Signature verification; Sending; Encrypted Private Key; AES Decryption; Password; Message]
  • 14. Identification and Signature For Authentication
      Real World: National ID Card. Name: Jaejung Kim; SSN: XX0921-152XXXX; Address: KICA, Seoul, Kr; Issued Date: 2002/6/1; Finger Print. Reusable. Signature or Signature-seal.
      Cyberspace (Internet): Accredited Certificate. Name: Jaejung Kim; Serial No: 883XXX8377; Address: KICA, Seoul, Kr; Validity: 2010/6/1~2011/5/31; Public Key; CA’s Signature. Impossible to reuse. Digital signature using asymmetric encryption / decryption method. Encrypted Private Key + Digital Signature.
  • 15. Electronic Signature: What ensures that a signature is valid? [Diagram labels: Signed Paper Document; Digitally Signed Document; Generate Signature; Process of Verification; National ID; Private Key; Public Key; Certification Authority; Process of Verification; Generate Signature]
  • 16. Types of Certificates
      Certificate Without Accreditation (or Private Certificate): A certificate is issued by a certification organization that is not accredited by the government. It is used for a limited number of e-transactions.
      Accredited Certificate: The accredited certificate is issued by a CA, which in turn is designated by the government pursuant to the laws after thorough screening, to be used for various e-transactions.
      Category | Accredited Certificate | Certificate Without Accreditation
      Level of technology and security | Passage of thorough screening pursuant to the law | Impossible to verify
      Legal effect | Valid as provided by the laws | Valid only by agreement
      Compensation | Easy to get compensated | Hard to get compensated
      Scope of applicable services | Wide | Narrow
  • 17. Comparison of Certificates
      Legal Effect: • When endorsement is mandated by the law, use of the accredited certificate grants the same legal effect and, thus, can be used as evidence in the court of law. • Use of a certificate without accreditation, however, does not generate any binding authority; it takes effect only upon agreement by both parties.
      Compensation: • Upon occurrence of any damage arising out of use of an accredited certificate, the CA in charge has to compensate the user unless it proves its innocence. • On the other hand, the burden of proof shifts to a user when a harm is done to the user during use of a certificate. Therefore, it becomes hard to get compensated for the harm.
      Scope of applicable services: • Only a single accredited certificate suffices to use various services such as Internet banking AND online stock trading. • The certificate without accreditation, however, is limited in usage. Thus, a person can use it only for a certain field such as Internet shopping OR e-transaction.
  • 18. Framework of National PKI: NPKI (National Public Key Infrastructure) Preparation PKI Scheme Requirements for PKI System Operation Requirements PKI Standards Education Promotion Pilot Project Law & Regulations PKI Decree Recommendation Accreditation Generals Organization of PKI TFT Implementation Planning Facilities and Equipment CPS Framework long-term Security plan RA Construction PKI Center Education & Promotion PKI Applications Implementation steps
  • 19. E-Government Framework: Economic Development (G2B) e-Customs e-Support for Foreign Firms e-Intellectual Property e-Procurement Public Service (G2C) Public Admin. Reform (G2G) e-Agriculture e-Land Registry e-National ID Shared Services National ID DB Land Resources DB Infrastructure Public Key Infrastructure Public Access Point Government Information Network Database Management Organization Budget HRD Standards Security IT Management Privacy e-Government for National Development
  • 20. National PKI Establishment: Application service authorities or companies using certificates E-government seal/ Accredited e-signature Citizen Certificate Authority Certificate Certificate The Government PKI Certification System PKI Application Services E-signature Pilot services E-signature pilot site construction (PKI application service development) Certification Services PKI System Construction (Root CA, Government CA Construction) E-Signature law CPS Standards and technical guidelines Establishment Law (Electronic Signature), PKI Standards Accredited CA Safe and reliable Information society Establishment Root CA Company
  • 21. PKI Scheme: RA Management Subscribers Subscribers RA Management RA Accreditation Annual Auditing … General/Special Purpose certificates Accreditation Unit Root CA Unit Auditing Unit Accredited CA Issuing certificates RA 1 RA 2 RA N Operation on Root CA ACA ACA… RA RA (ACA: Accredited CA) RA
  • 22. Effectiveness of Expectations: PKI builds a safe and trustworthy environment using electronic signatures. [Diagram labels: Law, Policies; Standards & Technology; PKI enabled Applications; Accredited CA; USER; Corporation; Government; Background; National PKI Establishment]
      • Reduce the time and cost. • Convenience of applications like Online Civil Service, Internet Banking etc. • Convert offline business to online. • Provide more secure and safe service. • Increase the trust of company. • Increase the confidence and trust. • Ensure interoperability of PKI infrastructure with other Governments. • Establishment of National Security Plan.
      Win (User) – Win (Government) – Win (Company)
  • 23. Application Layers: Internet mall International Law E-network Law Intellectual Property Law Basic e-trade Law E-Signature Law Reserve Agent E-pay security E-Auth High-speed Internet e-edu E-govern Cyber S1 Virtual-bank Sales NW E-procurement Research NW Virtual Co Product NW Supply NW Netizen E-park entertainment E-missionary E-health Cyber insure E-trade Society rules Basic Infra B-to-G B-to-B B-to-C Institutions Commercial Law Civil Law Criminal Law City Cost..Law Building Law road energy water Communication Law system Basic Infra Public Infra Industry Infra Environment Establishment police Public office Bank school land Public site Sales Co Physical Co institute Major Co factory Small Co Trade Co The stores House theater church court restaurant gym Real World Cyberspace (Internet)
  • 24. Types of PKI Model: Network Trust Model; Hierarchical Trust Model; Hybrid Trust Model
  • 25. II. PKI Current Status in Korea
  • 26. Overview (1/3)
      - 5 Accredited CAs have issued accredited certificates to around 25 million subscribers in total
      - Major PKI Applications: Internet Banking, Online Stock, Internet Shopping, Procurement, e-Government Services
      Numbers of annual issuance of certificates (2011.09, published by KISA): 2003: 782; 2004: 950; 2005: 1,100; 2006: 1,437; 2007: 1,716; 2008: 1,856; 2009: 2,192; 2010: 2,366; 2011.9: 2,593
  • 27. Overview (2/3): Statistics on Accredited CA’s (As of 2011; published by MOPAS)
      No. | Accredited CA / Web site | Accredited Date | Characteristics | Main Business Area
      1 | KICA (CA: SignGATE) http://www.signgate.com | 2000. 02. 10 | Corporation | All industry, government
      2 | KOSCOM (CA: SignKorea) http://www.signkorea.com | 2000. 02. 10 | Special purpose Corporation | Cyber trading
      3 | KFTC (CA: yessign) http://www.yessign.com | 2000. 04. 12 | Non-commercial Organization | Internet banking
      4 | CrossCert (CA: CrossCert) http://gca.crosscert.com | 2001. 11. 24 | Corporation | -
      5 | KTNET (CA: TradeSign) http://www.tradesign.net | 2002. 03. 11 | State-run Corporation with special mission | Trading
  • 28. Overview (3/3)
      PKI Model in Korea
      Item | GPKI | NPKI
      Act | Established in 2001 pursuant to E-Government Act | Established in 1999 under Electronic Signature Act
      Ministry in Charge | MOPAS (Ministry of Public Administration and Security)
      Root CA | GCMA (http://www.gpki.go.kr) | KISA (http://www.rootca.or.kr)
      Main Customer | Public Servants | Individual, Company
      Algorithm | NEET (not open) | SEED, AES
      Types of Accredited Certificate and Fees
      Types | Entity | Certificate Usage Field | Fee
      General | Individual | All electronic transactions | US$ 4/year
      General | Corporation | All electronic transactions | US$ 100/year
      Specific | - | G2C, Bank, Insurance | Free
      Specific | - | G2C, Stock, Insurance | Free
      Specific | - | G4C, Credit Card | Free
  • 29. PKI Scheme in Korea: Foreign Government Ministry of Public Administration and Security Accredited CA Accredited CA Certification issuance / Management Accredited CA Accredited CA Certification issuance / Management Subscriber Subscriber E-Government Service Provider E-Government Service Provider Certification issuance / Management Certification issuance / Management Mutual Recognition … … … … National Root CA (KISA) Government Root CA (GCMA)
  • 30. Role of Root CA: Accredited CA; Legal & Policy Issue; Technical Specification; Environment of Usage of Electronic Signature; International Cooperation; Root CA; Root CA (KISA)
  • 31. Scope of Benchmarking
      Subject | Contents
      Law, Policy, Standards | Electronic Signature Act, Decree and Ordinance; Certification Practices Statement; Electronic Signature Certification Technology
      PKI Model | Government PKI; National PKI
      User | Electronic Signature Promotion; Provide User’s Convenience; End of Certificate Free Trial Period
      Accredited CA | Interoperability among Accredited CA’s; Upgrading of PKI technologies; Division of PKI Markets
      Root CA | Cross certification for NPKI and GPKI; Addition of Root CA Certificate to MS IE
      Applications | Mandating Accredited Certificate (bank, stock); PKI Applications: E-Procurement, Internet Banking, Payment Gateway, G4C etc
  • 32. Framework of Registration
      Electronic Signature Act: - Ensure the security and reliability of electronic documents and promote their use. - Promote nationwide informationalization and improve convenience in people's living standard.
      [Diagram labels: Electronic Signature Act, Decree and Ordinance; Guideline on Electronic Signature Certification Practices; Technical Specification; CSP; Rules on Accredited CA’s Facilities and Equipment; Rules on Accredited CA’s Protective Measures; Methods and Procedures for I & A through Representatives; CA accreditation; Accredited CA’s operation; Accredited CA’s protection measure; Subscriber’s I & A]
      * I & A: Identification and Authentication * CPS: Certification Practices Statement
  • 33. CPS (Certification Practices Statement)
      Contents | Detail
      Management of Certificates | Transmission of Registered Information; Request for Issuance of Certificate; Generation of Certificates; Request for Suspension, Restoration and Revocation of Certificates; Generation of Certificate Suspension and Revocation List; Public Announcement and Validation of Certificates
      Management of Key Pairs | Generation of Private Pairs; Backup of Private Pairs; Loss, Destruction, Theft or Leakage of Private Keys; Protection of Private Pairs; Revocation of Private Pairs
      Other Certification Services | Provision of Time Stamping; Storage of Time Stamping Records; Backup of Time Stamping Records; Time Reception and Correction; Storage of Electronic Documents; Other Supplementary Services
      Others | Conformity with Technical Specifications; Scope and Intended Use of Certificates; Conformity to Certification Procedure; Matters concerning Facilities and Equipment; Management of Certification Service Records; Management of Certification Service Records through the representative; Management of Audit Records; Management of Registration Authorities; Test Run of Certification Practice; Correct Provision of Information and Public Notification
  • 34. History of NPKI in Korea. [Timeline, Year axis: ‘00 ‘01 ‘02 ‘03 ‘04 ‘05 ‘06 ‘07 ‘08 ‘09 ‘10 ‘11. Activity axis: Electronic Signature Promotion; Interoperability among Accredited CA’s; Provide User’s Convenience; Cross certification for NPKI and GPKI; Mandating Accredited Certificate (bank, stock, E-malls); End of Certificate Free Trial Period; Upgrading of PKI technologies; Division of PKI Markets; Addition of Root CA Certificate to MS IE; Adapt HSM (Hardware Security Module); Asia PKI Consortium]
  • 35. Interoperability among Accredited CA’s
      Goals: - A subscriber who has a general-purpose accredited certificate can do all kinds of electronic transactions on the Internet. - To provide technologies that recognize and process accredited certificates regardless of who issues them. - To provide data to policy-makers on how to determine the scope and conditions of each accredited certificate.
      Lesson to learn: The interoperability issue that arises during the early stages of NPKI construction should be considered.
      [Diagram labels: CA A; CA B; User A; User B; App 1; App 2; general-purpose certificate; Company 1; E-service Provider; S/W development Company; Company 2; Accredited CA]
  • 36. Cross-Certification for NPKI and GPKI
      Background: - Two years after establishment of the NPKI in 1999, the GPKI was born. The two came to have overlapping service areas. - To smooth out simultaneous operation of both, cross-certification is vital; it was achieved by means of a simplified CTL (i.e. Certificate Trust List).
      Lesson to learn: To avoid duplication of resources and confusion in policy-making, services should be provided through a single root CA.
      [Diagram labels: A PKI; CTL issuance; A Root CA; Hash; A_USER; B_USER; A_CA; A_RootCA; B_RootCA; B_CA; CTL; CTL; B Root CA; Hash; B_User Cert; B_CA Cert; A_RootCA Cert; CTL issued by A_RootCA; B_RootCA Cert; Certificate Path; B PKI; generate signature; verify signature]
  • 37. Mandatory Use of Accredited Certificates
      Background: - To promote use of accredited certificates, services were provided free of charge. - Accredited certificates were provided without any charge to relieve the initial burden of customers, to secure adjustment period, and to build up the Internet services. - The deteriorating financial status of CA’s led to efforts to improve security and quality of certification services. ◊ Only corporate certificates began to be charged for (Approximately, 100 $ /year). ◊ It was unable to impose any liabilities on CA’s since they did not generate any profits. ◊ CA’s were unable to make additional investments, for example, in equipment.
      Lesson to learn: For CA’s to serve the public with stability in operation and services, free trial periods should not be provided.
      Progresses: - Individuals began to pay fees. (June, 2004) ◊ Individual accredited certificate of general purpose: $4/year ◊ Individual accredited certificate of limited purpose: Implementation thereof was in the sole discretion of a CA. (CA’s were able to charge only after September, 2004.)
  • 38. Division of PKI Markets
      Lesson to learn: Different natures of CA’s may lead to conflicts and harm to the market. Thus, it is necessary, in some cases, to set boundaries between certificate markets.
      Progresses: - KESA (Korea Electronic Signature Act) amended to set “borders” between different markets (December, 2005) ◊ The amended KESA demands tougher requirements for a government agency or a non-profit organization to get designated as CA. - Implementation of PKI with divided roles (July, 2006) ◊ The KCFC, under the new KESA, is not allowed to issue certificates of general purpose; it can only issue certificates required for banking.
      CA | Characteristics | Individual, General Purpose | Individual, Specific Purpose (Bank) | Corporation | Total
      KCFC | non-profit organization | 63% | 76% | 29% | 67%
      Fee | | 4$/year | Free | 100$/year or Free |
  • 39. Upgrading of PKI technologies
      Background: - The term “upgrading” (or its verb form “to upgrade”) refers to any effort made to increase system security and compatibility of technologies such as renewal of private keys, adjustment of length of private keys, application of RFC3280, etc.
      Lesson to learn: Advance of technologies does not always guarantee stability of certification technologies. Thus, countermeasures should be considered in advance.
      Major missions: - Renewal of Root CA certificate and Accredited CA Certificates - Upgrading of private-key lengths to RSA 2048 bit - Application of RFC 3280: International standard changed - RSA 1024 and SHA-1 algorithm don't guarantee their security in 2013. - Offline operation of Root CA’s directory ◊ The CRL’s of Root CA are posted on directories of accredited CA’s.
      Certificate | Before Feb., 2006 (Valid / Key) | After Feb., 2006 (Valid / Key) | After Jan., 2011 (Valid / Key)
      Root CA | 10 years / 2048 bit (SHA1) | 20 years / 2048 bit (SHA1) | 20 years / 2048 bit (SHA256)
      Accredited CA | 5 years / 1024 bit (SHA1) | 10 years / 2048 bit (SHA1) | 10 years / 2048 bit (SHA256)
      User | 1 year / 1024 bit (SHA1) | 1 year / 1024 bit (SHA1) | 1 year / 2048 bit (SHA256)
  • 40. Addition of Root CA Certificate to MS IE
      Lesson to learn: A country should accumulate and retain its own technologies related to security and certification to enhance its national competitive edge.
      Problems and solutions: - When using services like e-mail and web server with domestic certificates, security warnings popped up, causing confusion among users. - Foreign CA’s (i.e., VeriSign) recognized by MS Windows got to monopolize the Korean PKI markets for SSL, code signing certificates. - By mounting certificates of Korean Root CA’s on MS Windows, it has become possible to apply their certificates to Windows-based web services including web server, secured e-mail and code signing etc.
      • Microsoft Root Certificate Program Members: 58 CA’s (15 accredited CA’s) [Diagram labels: Thawte; Microsoft; VeriSign; VISA; RSA; Korean Root CA; JCSI; Hongkong Post]
      ★ Inclusion of KISA Root CA Certificate in Web Browsers (~'08): Internet Explorer ('06.02), Safari ('07.03), Opera ('08.05), FireFox ('06~)
  • 41. HSM Token as a secure storage
      Lesson to learn: In order to enhance the subscriber’s personal security environment, an HSM token can be used as secure storage.
      Problems: - If a subscriber uses the hard disk for certificate storage, some malicious programs can control the subscriber’s PC and extract that information.
      Background: - A hardware-protected secure storage with a hardware cryptographic accelerator to generate and store private keys: ① Digital signing and generation of a private key can be done inside the Token, ② Private keys cannot be exported.
      Progresses: - Developing the technical specifications for HSM Token with certificate ('06~'07.8) - Carrying out the evaluation for the interoperability of HSM Token ('07.9~)
      [Diagram labels: Storage for Certificate; <Subscriber's S/W>; <HSM Token>; Interface between the Token and the Subscriber’s S/W; <HSM Access Program>]
  • 42. Asia PKI Consortium
      Lesson to learn: Thoughts should be given to the issue of international interoperability. Close cooperation, for example, with the Asia PKI Consortium will be helpful.
      • Non-profit international collaboration body in Asia region, specialized for information security areas • Objectives: To realize borderless and seamless e-commerce in a secure and trustworthy way, in Asia regions • Founded: Nov. 2007 • Member: Korea (KISA), China, Taiwan (As of June, 2008)
      [Organization chart labels: Steering Committee (SC); General Assembly (GA); PKI WG; Other WG; Composed of all Principal member; Approve resolutions by GA; Determine policy, direction, strategy; Composed of all members; Elect Chairperson and Vice chairperson; Decide to Start and Dismiss WG; Secretariat; Task-force based Working Group; SME WG; Privacy WG; Mobile WG; Candidate WG; Actual WG]
  • 43. Lesson to learn
      • It is inevitable for the government to lead the efforts to build up a NPKI.
      • To avoid duplication of resources and confusion in policy-making, services should be provided through a single root CA.
      • A country should accumulate and retain its own technologies related to security and certification to enhance its national competitive edge.
      • The interoperability issue that arises during the early stages of NPKI construction should be considered.
      • For CA’s to serve the public with stability in operation and services, free trial periods should not be provided.
      • To boost the certification market, it is advisable to impose mandatory use on some industries.
      • Different natures of CA’s may lead to conflicts and harm to the market. Thus, it is necessary, in some cases, to set boundaries between certificate markets.
      • Advance of technologies does not always guarantee stability of certification technologies. Thus, countermeasures should be considered in advance.
      • In order to enhance the subscriber’s personal security environment, an HSM token can be used as secure storage.
      • Thoughts should be given to the issue of international interoperability. Close cooperation, for example, with the Asia PKI Consortium will be helpful.
  • 45. Development steps of PKI. [Stage labels: Past; Present; Future; Special Purpose; Infancy of EC; Take off; Leap]
      - The Internet was born - Fundamental Investigation - For Military Purpose - Special Financial Application - Web sites and email users are exploding - PKI standardization - The birth of CA - Access control by Certificate - The law of Electronic Signature - Mainly “B to B” - Desktop Commerce - Certificates in HSM, Smart Card - Products confirming PKI standard will spread - Data > Voice - “B to C” will rise (PKI will enter in every day life) - Digital contents will increase rapidly - Digital signature > Handwritten Signature
  • 46. Upgrade PKI Cryptography (1/2)
    • The security of the existing encryption algorithms has declined due to rapid development of computing technology.
    • According to NIST key size recommendations, the RSA 1024 and SHA-1 algorithms used by the Korean digital certificate management system do not guarantee their security in 2013. ※ ("Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths", 2011.1.13)
    Digital Signature Use (digital signature generation)
      RSA: 1024 ≤ |n| < 2048: Acceptable through 2010; Deprecated from 2011 through 2013; Disallowed after 2013
      RSA: |n| ≥ 2048: Acceptable
    Hash Function Use
      SHA-1, digital signature generation: Acceptable through 2010; Deprecated from 2011 through 2013; Disallowed after 2013
      SHA-1, non-digital signature generation applications: Acceptable
      SHA-256: Acceptable for all hash function applications
    • To prevent attacks on the digital certificate itself, such as illegal duplication and forgery, an advanced encryption system for digital certificates is needed to keep certificates reliable.
  • 47. Upgrade PKI Cryptography (2/2)
    • Raise the key size of the digital signature
      • Adjust the key size of subscribers' digital certificates to be higher (1,024 bit to 2,048 bit)
      • As hackers must try from 2^1,024 up to 2^2,048 times to get a digital certificate key, it can guarantee certificate security until the year 2030
    • Replace the hash algorithm
      • Replace the hash algorithm used for certificate issuance and digital signing
      • 160-bit hash (SHA-1) → 256-bit hash (SHA-256)
    Schedule (2011 to 2012): Change subscriber S/W of e-transaction companies (~ complete by October 2011); Integration Test (November 2011 ~ ); Issue new certificates (January 2012 ~ )
  • 48. Cryptography Key Length - NIST
    • NIST Draft SP 800-57 Recommendation for Key Management - Part 1: General (Revision 3) (2011.05)
    Columns: Date; Minimum of Strength; Symmetric Algorithms; Asymmetric; Discrete Logarithm (Key, Group); Elliptic Curve; Hash (A); Hash (B)
    2010: 80; 2TDEA*; 1024; Key 160, Group 1024; 160; Hash (A): SHA-1**, SHA-224, SHA-256, SHA-384, SHA-512; Hash (B): SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
    2011 - 2030: 112; 3TDEA; 2048; Key 224, Group 2048; 224; Hash (A): SHA-224, SHA-256, SHA-384, SHA-512; Hash (B): SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
    > 2030: 128; AES-128; 3072; Key 256, Group 3072; 256; Hash (A): SHA-256, SHA-384, SHA-512; Hash (B): SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
    >> 2030: 192; AES-192; 7680; Key 384, Group 7680; 384; Hash (A): SHA-384, SHA-512; Hash (B): SHA-224, SHA-256, SHA-384, SHA-512
    >>> 2030: 256; AES-256; 15360; Key 512, Group 15360; 512; Hash (A): SHA-512; Hash (B): SHA-256, SHA-384, SHA-512
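As an added example (not part of the original slides), the Python code below applies the 2010/2013 transition dates and the SP 800-57 strength table from the slides above to a constructed certificate inventory, reporting each certificate's signature strength and its status at issuance and at expiry. Treating RSA moduli below 1024 bits, and 112-bit strength after 2030, as "disallowed" is an assumption of this example; all function names and sample records are hypothetical.

```python
from bisect import bisect_right
from datetime import date

# Thresholds transcribed from the SP 800-57 table on the slide above.
RSA_BITS = [1024, 2048, 3072, 7680, 15360]
STRENGTHS = [0, 80, 112, 128, 192, 256]  # 0: modulus below 1024 bits (not on the slide)
HASH_A = {"SHA-1": 80, "SHA-224": 112, "SHA-256": 128, "SHA-384": 192, "SHA-512": 256}

# strength -> (acceptable through, deprecated through), in years.
# 80 bits uses the slide's 2010/2013 transition dates. For 112 bits the table's
# minimum rises to 128 after 2030; labelling that "disallowed", and rejecting
# moduli below 1024 bits outright, are assumptions of this example.
WINDOW = {0: (0, 0), 80: (2010, 2013), 112: (2030, 2030)}
NO_LIMIT = (9999, 9999)  # 128 bits and above: no end date on the slide

def rsa_strength(bits):
    """Security strength (bits) of an RSA modulus of the given size."""
    return STRENGTHS[bisect_right(RSA_BITS, bits)]

def signature_strength(rsa_bits, hash_name):
    """A signature is only as strong as the weaker of its key and its hash."""
    return min(rsa_strength(rsa_bits), HASH_A[hash_name])

def status(strength, year):
    ok_through, deprecated_through = WINDOW.get(strength, NO_LIMIT)
    if year <= ok_through:
        return "acceptable"
    return "deprecated" if year <= deprecated_through else "disallowed"

def audit(cert):
    """Return (strength, status at issuance, status at expiry)."""
    s = signature_strength(cert["rsa_bits"], cert["hash"])
    return s, status(s, cert["not_before"].year), status(s, cert["not_after"].year)

# Constructed sample inventory (not real certificates).
INVENTORY = [
    {"name": "legacy-user", "rsa_bits": 1024, "hash": "SHA-1",
     "not_before": date(2010, 6, 1), "not_after": date(2011, 6, 1)},
    {"name": "new-key-old-hash", "rsa_bits": 2048, "hash": "SHA-1",
     "not_before": date(2012, 3, 1), "not_after": date(2014, 3, 1)},
    {"name": "upgraded-user", "rsa_bits": 2048, "hash": "SHA-256",
     "not_before": date(2012, 1, 15), "not_after": date(2013, 1, 15)},
    {"name": "long-lived-ca", "rsa_bits": 2048, "hash": "SHA-256",
     "not_before": date(2012, 1, 15), "not_after": date(2032, 1, 15)},
]

if __name__ == "__main__":
    for cert in INVENTORY:
        print(cert["name"], *audit(cert))
```

The second record shows why the key-size and hash upgrades have to happen together: a 2,048-bit key signed with SHA-1 still rates at 80 bits.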
  • 49. Certificate for Smart Phone
    • Certificate Issuance and Export/Import
    • Digital Signature using Smart Phone
    Diagram actors: iPhone App (iOS), Android App, Web Page, User, Smart phone, Relay Server, User PC, CA, PC
    Diagram labels, in extraction order: 4. Select Certificate and Generate digital signature; 1. Request digital signature; 3. Request digital signature; 8. Verify signature; 1. Issue Certificate; 3. Input auth_code; 4. Select certificate; 5. Export certificate (PKCS#12); 2. Send identification number; 1. Import certificate; 2. Generate auth_code; 6. Input NID; 2. Request digital signature Generation; 7. Digital signature; 5. Signature information; 6. Digital signature
  • 50. Open WEB Environment USER Server Service Provider Server PKI Client Toolkit Internet Microsoft ActiveX JAVA Applet BIO HSM Smart Card HSM PKI Server Toolkit Any Web Browser
  • 51. U-Authentication System
    • Establishing a reliable u-Authentication System
      • Extending the authentication object to devices (smart grid, VoIP phones, CCTV cameras, etc.)
    Diagram labels, in extraction order: Internet Banking, Log-in ID/Pass; Human ↔ Human; SSL Server, ETC; Device ↔ Device; RFID/USN Environment; Broadcasting Telecommunication Environment; U-City Environment; U-home Environment; Extending the Target of Authentication; i-PIN; Certs.; OTP; BIO; Extending the Authentication Method; Human; Device; As is; U-health Environment; Traditional Network Environment; Ubiquitous Network Environment; To be; Human ↔ Device
  • 52. PKI Roaming Service
    • The PKI certificate and the private key can be stored securely at the CA
    • After user authentication (OTP, two-channel authentication), the PKI certificate and the private key can be downloaded to a device the user has already registered
    • After use, the key and the certificate will be erased safely
    Diagram actors: CA, USER, BANK, Roaming Server, Registered devices
    Diagram steps: 1. Issuance; 2. Key escrow; 3. User authentication; 4. Internet Banking
  • 53. USIM as PKI Storage and NFC service
    • USIM as a secure mobile storage
      ※ HSM: Hardware Security Module
      ※ USIM: Universal Subscriber Identification Module
    • NFC using a PKI certificate
      ※ Adopt the PKI at NFC (Near Field Communication)
  • 54. Strengthening Authentication (1/2)
    • Two-channel Authentication
      • For important banking accounts or access to secured government data, a safer authentication method is required
      • If the user PC is hacked and monitored by the hacker, the channel itself would be in danger despite the safety of the PKI
      ※ Registered PC, mobile phone SMS authentication, etc.
    Diagram labels: Network; Device (PC); Other channel; 1-channel (WEB); 2-channel
  • 55. Strengthening Authentication (2/2)
    • Internet Banking Authentication
      • For 1st-level transactions
      • PKI + ACS (Auto-Calling System)
      Diagram (USER, BANK): 1. Request transaction using PKI; 2. Bank calls the user; 3. User approves the transaction by ACS
    • E-Government Authentication
      • Registered PC, HSM, mobile phone SMS authentication must be adopted for important transactions (issuance of resident registration, etc.)
      Diagram (USER, E-Government System): 1) HSM PKI, or 2) PKI + registered PC, or PKI + mobile phone SMS authentication