FIDO UAF and PKI in Asia - Case Study and Recommendations

All Rights Reserved | FIDO Alliance | Copyright 20181
FIDO UAF AND PKI IN ASIA –
A CASE STUDY AND
RECOMMENDATIONS
JOINT WHITE PAPER OF FIDO ALLIANCE AND ASIA PKI
CONSORTIUM (APKIC)
KAREN CHANG – EGIS TECHNOLOGY
WEI-CHUNG HWANG - APKIC
DECEMBER 5, 2018

BACKGROUND OF APKIC (1)
• Asia PKI Forum was founded in 2001,
and transform to Asia PKI Consortium
in 2007, with leading organizations
from Asia area supported by
government and industrial sectors
• Objectives:
▸ Promote the applications of PKI in e-commerce, e-
government, e-financial, etc.
▸ Advance the interoperability among PKIs in countries in
the Asia region
▸ Collaboration with global community to deliver a
comprehensive framework of e-authentication

BACKGROUND OF APKIC (2)
Policy and Technology Promotion and Awareness
 Asia PKI Interoperability Guideline
 CA Responsibilities and Liability
 Legal Issues on New Security
Technologies
 Mutual Recognition of National PKIs
(Greater China, ASEAN)
 Cross Border Applications(Trade,
Financial)
 Asia PKI Case Study
 Asia PKI Company List and Total
Solutions
 Asia PKI Best Practice Award
 Asia PKI Innovation Award
 PKI Market Survey
 International Collaboration(PAA,
AFACT, APSCA, FIDO, etc.)

NEEDS TO BE ADDRESSED
• Both financial and government sectors are highly regulated
in the regions
▸ Most regions in Asia/Europe have regulations to use PKI for digital(electronic)
signature with legal effects
▸ Financial transactions are required to use PKI in some regions
 With the certificate issued by the “Certificate Authority”(CA) endorsed by the
regulations for digital(electronic) signature
• Accelerate the adoption of FIDO in Asia
▸ APKIC Member companies are not so familiar with FIDO and its use of biometrics
▸ Whitelist FIDO is needed in certain regions
• e.g., FIDO is whitelisted in certain financial transactions in some regions(Korea, Taiwan)
▸ Different member companies have different ideas on how FIDO should be used,
especially together with an existing PKI system
▸ FIDO has its own policies/opinions, too

FIDO WEBSITE (APRIL 2018)

CURRENT DEVELOPMENT IN ASIA (1)
• Di g i ta l Si g na ture Reg ula ti o n, N a ti o na l PKI, Publi c / L i cens ed C A
Country/
Region
National/Regional
PKI
Digital Signature
Legislation
Financial Regulation on PKI eID and Other PKI Applications
China ✓ (Some regions) ✓ (ESL, 2005) Mandatory for financial transaction
above certain amount
eID (Optional, with PKI), e-Government,
e-Commerce, etc.
Hong Kong ✓ (HKPost[13]) ✓ (ETO[19], 2000) Optional eID (Mandatory, with PKI option),
e-Government, e-Commerce, etc.
India ✓ (CCA[14]) ✓ (ITA-CCA, 2000) Mandatory for high risk bank
transactions
eID[26] (Mandatory, signed by PKI),
Japan ✓ (JPKI[15]) ✓ (ESaCBA, 2000) Optional eID (Optional, with PKI option),
Korea ✓ (NPKI, GPKI) ✓ (ESA, 1999) Optional (Mandatory~2014) eID (Optional without PKI),
e-Government, e-Commerce
Macao ✓ (eSignTrust[16]) ✓ (EDSL, 2005) Optional eID (Mandatory, with PKI option),
Taiwan ✓ (GPKI[4], FRCA) ✓ (ESA, 2002) Mandatory for high risk bank
transactions and all online stock trading
eID (Optional, with PKI),
Thailand ✓ (NRCA[17]) ✓ (ETA, 2001) Optional
eID, e-Government, e-Commerce

CURRENT DEVELOPMENT IN ASIA (2)
• Deployment of FIDO, PKI, and Others
China
Korea (1)
Macao (5)
Thailand (3)
India (6)
Taiwan (2)
Hong Kong
• eID by MPS with PKI
• Domain/Regional PKI
CFCA, BJCA, …
• FIDO in Chinese
FCWG
• National eID(UIDAI)
AADHAAR(Fingerprint, IRIS)
• National PKI(CCA)
eMudhra, (n)Code, …
- Financial, Government,
Procurement, …
• Digital Signature Regulation
• Nation eID
NID card & i-PIN
• National PKI(KISA)
NPKI & K-FIDO/GPKI & G-FIDO
Financial, Commerce, Government…
• Private Sector
TWID (Financial Identification with PKI)+FIDO
TWID + Mobile ID
• Government Sector
T-FIDO & Government PKI (MOEACA for Citizen)
• Telecom (FIDO-based CRM)
• Local Government (IOTA Tangle ID)
• Hongkong Post, Macau Post -
eID with PKI (and FIDO)
• National PKI(NRCA by ETDA)
• eID (not active yet)
• Digital ID Committee
• National Digital ID Co., Ltd
Blockchain+MQ
• ETDA Connect
Blockchain(Omise)/FIDO
Singapore
Malaysia
• eID (SingPass)
• eID with PKI and fingerprint (MyKad, …)
Japan
• National eID
My Number Card with JPKI
• FIDO in Telecom/Financial/Commerce and others

FIDO VS. PKI
Authenticator
Token
Certificate
Authority
Authentication Server Relying Party
Relying Party
Registration
Authority
Validation
Authority
Attestation
Service
…
FIDO
PKI
Key pairs
Key pairs

CASE STUDY (1)
• K-FIDO (FIDO + NPKI certificate) by KISA

CASE STUDY (2)
• Taiwan Identification Center (FIDO + PKI) by TWCA

RECOMMENDATIONS
• T h r e e c l a s s e s t o i n t e g r a t e F I D O a n d P K I
▸ Class 1: Shared Authenticator
Only client side implementation is needed
▸ Class 2: Synchronized Registration Process
Server side integration with or without client side implementation (reference from derived credential model)
(1) Bootstrapping PKI Registration with FIDO
(2) Bootstrapping FIDO Registration with PKI
(3) Combined Registration for FIDO and PKI
▸ Class 3: Shared Key Pairs
Need both server side integration and client side implementation
(1) FIDO reuse PKI’s key pair
(2) PKI reuse FIDO’s key pair
(3) Generate new FIDO+PKI key pair
• C l a s s 1 a n d 2 c o u l d b e i m p l e m e n t e d b y e x t e n s i o n o f F I D O
s p e c i f i c a t i o n s
• C l a s s 3 m a y c o n f l i c t w i t h F I D O S e c u r i t y G u i d e l i n e a n d U A F
s p e c i f i c a t i o n
▸ Not in the scope of recommendations in this version of white paper

NEXT…

FIDO2 and PKI
13
Browser PKI
Platform PKI
Internal PKI Token
External PKI Token
RP APP Server
PKI Server
CA/RA/VA
Server
RP PKI App
PKCS#11
PKI Identification/Signature
Class 1
Class 2
•Browser
•Platform

14
FIDO2+PKI
• Future Use Cases:
▸United States:
• Education (Students and Teachers)
• Healthcare (Medical Wallet)
• Government (First Responders, DoD, DoI)
▸Taiwan:
• Government Mobile Identity for Citizen (G2C services)

Pilot Project for
Mobile Authentication & Identification Platform
MOICA
GCA
HCA
MOEACA
XCA
FIDO2
☞ Service Portal
☞ Tax filling
☞ Health bank
☞ e-Invoice
☞ Finance
☞ …
☞ Decentralized Identification &
Applications(e.g. Blockchain,
Distributed Ledger, …)
National
Citizen
Database
☞ Use PKI to bootstrap FIDO2 account (ID
proofing)
☞ Use FIDO2 to enhance the security of
cloud-based PKI system
☞ FIDO2 & PKI in one token/authenticator

WELCOME JOINING WITH US!

2018 FIDO TAIPEI SEMINAR
NOVEMBER 30, 2018
VICTORIA TAIPEI HOTEL
17
We Work together!
Moving Beyond Passwords!

CLIENT ARCHITECTURE (1)
• PKI us e F IDO ’s A uthentic ator

CLIENT ARCHITECTURE (2)
• F IDO us e PKI’s To ken

CLASS 2 (1)
• B o o ts tra ppi ng PKI reg i s tra ti o n wi th F IDO

CLASS 2 (2)
• B o o ts tra ppi ng F IDO reg i s tra ti on wi th PKI

CLASS 2 (3)
• C o m bi ned Reg i s tra ti on f o r F IDO a nd PKI

CLASS 2 (4)
• Rev o c a ti on Pro c es s

FIDO UAF and PKI in Asia - Case Study and Recommendations

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to FIDO UAF and PKI in Asia - Case Study and Recommendations

Similar to FIDO UAF and PKI in Asia - Case Study and Recommendations (20)

More from FIDO Alliance

More from FIDO Alliance (20)

Recently uploaded

Recently uploaded (12)

FIDO UAF and PKI in Asia - Case Study and Recommendations