Eco [3 c] introduction of national pki-sg-jaejung kim-15_apr10


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Eco [3 c] introduction of national pki-sg-jaejung kim-15_apr10

  1. 1. 3. PKI Status in Korea
  2. 2. Overview (1/3) 5 Accredited CA’s issued accredited certificates to user around 20 million in total Major PKI Applications Internet Banking, Online Stock, Internet Shopping, Procurement, e-Gov Services Shopping mall: Credit card 20.7 (over 300,000 KRW) Nov.,2005 18.7 Cyber trading Mar., 2003 17.2 14.4 Internet banking Sep., 2002 11.0 9.5 E-Bidding dd 7.8 78 Oct., 2000 4.9 1.5 0.3 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009.6 Number of annual issuance of certificates (published by MOPAS, Unit: Million) Copyright 1999-2009@SG Inc. All rights reserved
  3. 3. Overview (2/3) Statistics on Accredited CA’s i i di d ’ (published by O S) ( bli h d b MOPAS) Accredited CA/ Accredited Main Business No. Characteristics Web site Date Area SG (CA: SignGATE) All industry, 1 2000. 02. 10 Corporation government KOSCOM (CA: SignKorea) Special purpose 2 2000. 02 2000 02. 10 Cyber trading Corporation KFTC (CA: yessign) Non-commercial 3 2000. 04. 12 Internet banking Organization CrossCert (CA: CrossCert) 4 2001. 11. 24 Corporation - State-run KTNET (CA: TradeSign) 5 2002. 03. 11 Corporation with Trading special mission Copyright 1999-2009@SG Inc. All rights reserved
  4. 4. Overview (3/3) PKI Model i Korea d l in GPKI NPKI Established in 2001 pursuant to Established in 1999 under Electronic Act E-Government Act Signature Act Ministry MOPAS (Ministry of Public Administration and Security) in Charge Root CA GCMA ( KISA ( Main Public Servants Individual, Company p y Customer Algorithm NEET (not open) SEED, AES Types of Accredited Certificate and Fees Types Entity Certificate Usage Field Fee Individual All electronic transactions ≅ US$ 4/year General Corporation All electronic transactions ≅ US$ 100/year - G2C, Bank, Insurance Free Specific - G2C, Stock, Insurance Free - G4C, Credit Card Free Copyright 1999-2009@SG Inc. All rights reserved
  5. 5. PKI Scheme Mutual Recognition g N ti National R t CA l Root G Government R t CA t Root (KISA) (GCMA) Certification issuance / Certification issuance / g Management g Management Accredited CA … Accredited CA Accredited CA … Accredited CA Certification issuance / Certification issuance / Management Management … E-Government … E-Government Service Provider Service Provider Subscriber Subscriber Copyright 1999-2009@SG Inc. All rights reserved
  6. 6. Role of Root CA Accredited CA Root CA International Cooperation Root CA (KISA) Technical T h i l Specification Environment of Usage of Electronic Legal & Policy Signature g Issue 42 Copyright 1999-2008@SG Copyright 1999-2009@SG Inc. All rights reserved All rights reserved
  7. 7. Scope of Benchmarking Subject contents Electronic Signature Act, Decree and Ordinance Law, Policy, Certification Practices St t C tifi ti P ti Statement t Standards Electronic Signature Certification Technology Government PKI National PKI Electronic Signature Promotion Provide User s Convenience User’s User End of Certificate Free Trial Period Adapt HSM (Hardware Security Module) PKI Model Interoperability among Accredited CA’s CA s Accredited A di d Upgrading of PKI technologies CA Division of PKI Markets Cross certification for NPKI and GPKI Root R t CA Addition of Root CA Certificate to MS IE Applications Mandating Accredited Certificate (bank, stock) PKI E-Procurement, Internet Banking, Payment Gateway, G4C etc Applications Copyright 1999-2009@SG Inc. All rights reserved
  8. 8. Framework of Registration - Ensure the security and reliability of electronic documents Electronic El t i and to promote their use Signature Act - Promoting nationwide informationalization and improving convenience in peoples living standard people s Electronic Signature Act, Decree and Ordinance CA Accredited CA’s Accredited CA’s Accredited CA’s accreditation Operation i Protection CPS measure Regulation on Guideline for Regulation on Accredited CPS Accredited CA’s CA s Certification Practice Accredited CA’s Facility and Equipment protective measures Framework Technical Specification Copyright 1999-2009@SG Inc. All rights reserved
  9. 9. CPS (Certification Practices Statement) Contents Detail - Transmission of Registered Information - Request for Issuance of Certificate Management - Generation of Certificates of - Request for Suspension, Restoration and Revocation of Certificates Certificates - Generation of Certificate Suspension and Revocation List - Public Announcement and Validation of Certificates - Generation of Private Pairs - Protection of Private Pairs Management - Backup of Private Pairs - Revocation of Private Pairs of Key Pairs - Loss, Destruction, Theft or Leakage of Private Keys Other - Provision of Time Stamping - Time Reception and Correction Certification - Storage of Time Stamping Records - Storage of Electronic Documents Services - Backup of Time Stamping Records - Other Supplementary Services - Conformity with Technical Specifications - Scope and Intended Use of Certificates - Conformity to Certification Procedure - Matters concerning Facilities and Equipment g q p - Management of Certification Service Records Others - Management of Certification Service Records through the representative - Management of Audit Records - Management of Registration Authorities g g - Test Run of Certification Practice - Correct Provision of Information and Public Notification Copyright 1999-2009@SG Inc. All rights reserved
  10. 10. History of NPKI in Korea Year ‘00 ‘01 ‘02 ‘03 ‘04 ‘05 ‘06 ‘07 ‘08 Activity Electronic Signature Promotion Interoperability among Accredited CA’s Provide User s Convenience User’s Cross certification for NPKI and GPKI Mandating Accredited Certificate (bank, stock, E-malls) End of Certificate Free Trial Period Upgrading of PKI technologies Division of PKI Markets Addition of Root CA Certificate to MS IE and other Browsers Adapt HSM (Hardware Security Module) Copyright 1999-2009@SG Inc. All rights reserved
  11. 11. Interoperability among Accredited CA’s general-purpose CA A certificate User A x Company 1 App 1 CA B User B App 2 Company 2 Accredited CA E-service Provider S/W development p y Company -Subscriber who has an general-purpose accredited certificate can do all kinds of electronic transaction at Internet -To provide t h l i T id technologies th t recognize and process accredited that i d dit d Goals certificates regardless of who issue them -To provide data to policy-makers on how to determine the scope and conditions of each accredited certificate Lesson to The interoperability issue should be considered which learn l arises during early stages of the NPKI construction construction. Copyright 1999-2009@SG Inc. All rights reserved
  12. 12. Cross-Certification for NPKI and GPKI A PKI B PKI CTL B issuance A Root CA Root CA Hash Certificate Path Hash A_RootCA A_RootCA Cert B_RootCA CA CTL CTL issued by A_RootCA CTL B_RootCA Cert B_CA B CA A_CA B_CA Cert B_User Cert verify generate signature i signature i B_USER B USER A_USER -Two years after establishment of the NPKI in 1999, the GPKI was brought to birth. The two got to have overlapped service areas. Background -To smooth out simultaneous operation of both, realization of cross- certification is vital, which was obtained by means of a simplified CTL (i.e. (i e Certificate Trust List) List). To avoid duplication of resources and confusion in Lesson to policy-making, policy-making services should be provided through a learn single root CA. Copyright 1999-2009@SG Inc. All rights reserved
  13. 13. Mandatory Use of Accredited Certificates -The mandatory use was intended to protect the banking and trading systems, where security breaches occurred frequently in the process of Background identity verification, against hacking and other attacks and to enhance security b mandating accredited certificates, a tool that verifies i by d i di d ifi l h ifi identification most efficiently. -Accredited certificate in Banking and Stock Trade  ◊ Mandating use of the certificate in banking & online stock trading   * Government consulted with Financial Supervisory Service (FSS) about using the certificate in the financial field   * FSS made it mandatory to use the certificate in internet bank (Sep., 2002) and online stock trading (March, 2003) Progresses -Accredited certificate in Online Shopping ◊ Use credit card with the certificate at internet shopping mall   * FSS announces a new policy that credit cards should be used with the certificate in Online Shopping (July, 2003) * E-malls have to be configured to verify the identity of the cardholder and the payer by September, 2006. Lesson to To boost the certification market, the mandatory use learn of PKI on some industries has been recommended. Copyright 1999-2009@SG Inc. All rights reserved
  14. 14. Accredited Certificate Fees for Individuals -To promote use of accredited certificates, services were provided free of charge. -Accredited certificates were provided without any charge to relieve the initial burden of customers to secure adjustment period and to customers, period, build up the Internet services. -The deteriorating financial status of CA’s led to efforts to improve Background security and quality of certification services. ◊ Only corporate certificates began to be charged for (Approximately, 100 $ /year).  ◊ It was unable to impose any liabilities on CA’s since they did not generate any profits profits.  ◊ CA’s were unable to make additional investments, for example, in equipment. -Individuals began to pay fees. (June, 2004) ◊ Individual accredited certificate of general purpose: $4/year  Progresses ◊ Individual accredited certificate of limited purpose: Implementation thereof was in the sole discretion of a CA (CA’s were CA. (CA s able to charge only after September, 2004.) Lesson to For CA’s to serve the public with stability in operation an CA s learn d services, free trial periods should not be provided. Copyright 1999-2009@SG Inc. All rights reserved
  15. 15. Division of PKI Markets Individual CA Characteristics General Specific Purpose Corporation Total Purpose (Bank) non-profit 63% 76% 29% 67% KCFC organization 4$/year Free 100$/year or Free -KESA (Korea Electronic Signature Act) amended to set “borders” between different markets (December, 2005) ◊Th amended KESA d ◊The d d demands tougher requirements f d h i for a government agency or a non-profit organization to get designated as Progresses CA. -Implementation of PKI with divided roles (July, 2006) Implementation  ◊ The KCFC, under the new KESA, is not allowed to issue certificates of general purpose; it can only issue certificates required for banking. Different natures of CA’s may lead to conflicts and Lesson to harm to the market. Thus, it is necessary, in some case, learn to t b t set boundary between certificate markets. d b t tifi t k t Copyright 1999-2009@SG Inc. All rights reserved
  16. 16. Upgrading of PKI technologies -The term “upgrading (or its verb form “to upgrade”) refers to any effort made to increase system security and compatibility of Background technologies such as renewal of private keys, adjustment of length of private keys application of RFC3280 etc keys, RFC3280, etc. -Renewal of Root CA certificate and Accredited CA Certificates -Upgrading of private-key lengths Upgrading private key Before Feb., 2006 After Feb., 2006 Valid period Key Length Valid period Key Length Root CA 10 years 2048 bit 20 years 2048 bit Major M j Accredited CA 5 years 1024 bit 10 years 2048 bit missions User 1 year 1024 bit 1 year 1024 bit -Application of RFC 3280 Application ◊ International standard changed: RFC 2459 RFC 3280 -Offline operation of Root CA’s directory ◊ The CRL’s of Root CA are posted on directories of six CA’s. Advance of technologies does not always guarantee Lesson to stability of certification technologies. Thus, counter- counter learn measures should be considered in advance. Copyright 1999-2009@SG Inc. All rights reserved
  17. 17. Addition of Root CA Certificate to MS IE JCSI VeriSign RSA Hongkong Post VISA Thawte Microsoft Korean Root CA • Microsoft Root Certificate Program Members: 58 CA’s (15 accredited CA s) CA s CA’s) -When using services like e-mail and web server with domestic certificates, security warnings popped up, causing confusion among  Problems users. -Foreign CA’s (i.e., VeriSign) recognized by MS Windows got to and monopolize the Korean PKI markets for SSL, code signing certificates. solutions -By mounting certificates of Korean Root CA’s on MS Windows, it has y ou t g ce t cates o o ea oot C s o S W do s, t as become possible to apply their certificates to Windows-based web services including web server, secured e-mail and code signing etc A country should accumulate and retain its own Lesson to technologies related to security and certification to learn enhance its national competitive edge. ★ Inclusion KISA Root CA Certificate in Web Browsers (~08) Internet Explorer (06.02), Safari (07.03), Opera (08.05), FireFox (06~) Copyright 1999-2009@SG Inc. All rights reserved
  18. 18. HSM Token as a secure storage Storage for Certificate Interface between the Token and the Subscriber s Subscriber’s S/W <Subscribers S/W> <HSM Access Program> <HSM Token> -A hardware protected secure storage with hardware cryptographic accelerator to generate and store private keys Background ① Digital signing and generation of a private key can be done inside the Token ② Private keys can not be exported Token, -If subscriber uses hard disk for certificate storage, some malicious Problems programs can control subscriber’s PC and extract that information. -Developing the technical specifications for HSM Token with certificate (06~07.8) Progresses -Carrying out the evaluation for the interoperability of HSM Token (07.9~) Lesson to In order to enhance subscriber’s personal security learn environment, HSM Token as a secure storage can use. Copyright 1999-2009@SG Inc. All rights reserved
  19. 19. HSM Evaluation Process Storage media for private key and certificate should be evaluated by Root CA in order to provide the interoperability of personal security environment. Evaluation Criteria • HSM Storage Format Specification for Accredited Certificate Root CA • Accredited Certificate Usage Specification for HSM Request evaluation Give certificate CA Vender Publish Into Lists Certified Product Lists User’s PC EE A S/W User can choose Smar any products PKCS#11 t Card PSE • PSE: Personal Security Environment, HSM: Hardware Security Module Copyright 1999-2009@SG Inc. All rights reserved
  20. 20. Asia PKI Consortium • Non-profit i fi international collaboration b d i Asia region, specialized f i f i l ll b i body in i i i li d for information security areas i i • Objectives : To realize borderless and seamless e-commerce in a secure and trustworthy way, in Asia regions •F Founded : N d d Nov. 2007 • Member : Korea (KISA), China, Taiwan (As of June, 2008) Composed of all P i i l member C d f ll Principal b Approve resolutions by GA Determine policy, direction, strategy Steering Committee (SC) Composed of all members Elect Ch i l Chairperson and Vice chairperson d i h i General Assembly (GA) Decide to Start and Dismiss WG Task-force based Working Group Secretariat Actual WG Mobile Privacy PKI WG SME WG Other WG WG WG Candidate WG Thoughts should be given to the issue of international Lesson to interoperability. Close cooperation, for example, with learn the Asia PKI Consortium will be helpful. Copyright 1999-2009@SG Inc. All rights reserved
  21. 21. Mr. Jaejung T. +82-10-2223-4978 +82 10 2223 4978