Eco [3 c] introduction of national pki-sg-jaejung kim-15_apr10

3. PKI Status in Korea

Overview (1/3)

5 Accredited CA’s issued accredited certificates to user around 20 million in total

Major PKI ApplicationsMajor PKI ApplicationsInternet Banking, Online Stock, Internet Shopping, Procurement, e-Gov Services

17.218.7

20.7

Cyber tradingMar., 2003

Shopping mall: Credit card (over 300,000 KRW)

Nov.,2005

11.0

7 89.5

14.4

dd

Internet banking

Sep., 2002

1.5

4.9

7.8E-Bidding

Oct., 2000

20052001

0.3

2000 2002 2003 2004 2006 2007 2008 2009.6

38www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved

Number of annual issuance of certificates (published by MOPAS, Unit: Million)

Overview (2/3)

( bli h d b O S)i i di d ’

No.Accredited CA/

Web siteAccredited

DateCharacteristics

Main Business Area

(published by MOPAS)Statistics on Accredited CA’s

1SG (CA: SignGATE)http://www.signgate.com

2000. 02. 10 CorporationAll industry, government

2KOSCOM (CA: SignKorea)

2000 02 10Special purpose

Cyber trading2http://www.signkorea.com

2000. 02. 10Corporation

Cyber trading

3KFTC (CA: yessign)http://www.yessign.com

2000. 04. 12Non-commercial Organization

Internet banking

4CrossCert (CA: CrossCert)http://gca.crosscert.com

2001. 11. 24 Corporation -

KTNET (CA: TradeSign)State-run

5KTNET (CA: TradeSign)http://www.tradesign.net

2002. 03. 11 Corporation with special mission

Trading


Overview (3/3)

d l i

GPKI NPKI

Established in 2001 pursuant to Established in 1999 under Electronic

PKI Model in Korea

ActEstablished in 2001 pursuant to E-Government Act

Established in 1999 under Electronic Signature Act

Ministry in Charge

MOPAS (Ministry of Public Administration and Security)in Charge

Root CA GCMA (http://www.gpki.go.kr) KISA (http://www.rootca.or.kr)

Main Customer

Public Servants Individual, CompanyCustomer

p y

Algorithm NEET (not open) SEED, AES

Types of Accredited Certificate and Fees

Types Entity Certificate Usage Field Fee

GeneralIndividual All electronic transactions ≅ US$ 4/year

Types of Accredited Certificate and Fees

GeneralCorporation All electronic transactions ≅ US$ 100/year

Specific

- G2C, Bank, Insurance Free

- G2C, Stock, Insurance Free


Specific G2C, Stock, Insurance Free

- G4C, Credit Card Free

PKI Scheme

MutualRecognitiong

N ti l R t CAN ti l R t CA G t R t CAG t R t CA

Certification issuance / Management

Certification issuance / Management

National Root CANational Root CA(KISA)(KISA)

Government Root CAGovernment Root CA(GCMA)(GCMA)

Accredited CA

Accredited CA

g

Accredited CA

Accredited CA

g

Certification issuance / Certification issuance /

…… ……Certification issuance /

ManagementCertification issuance /

Management

Subscriber Subscriber

E-Government Service Provider

E-Government Service Provider

…… ……


Role of Root CA

Accredited CA

Root CA

International Cooperation

Root CA

T h i l

Root CA(KISA)

Technical Specification Environment of

Usage of Electronic

Legal & Policy Issue

gSignature

42www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved www.sgco.kr Copyright 1999-2008@SG Inc. All rights reserved

Scope of Benchmarking

Subject contents

Law, Policy, Electronic Signature Act, Decree and Ordinance

C tifi ti P ti St t tLaw, Policy, Standards

Certification Practices Statement

Electronic Signature Certification Technology

Government PKI

National PKI

Electronic Signature PromotionProvide User’s Convenience

PKI Model

UserProvide User s ConvenienceEnd of Certificate Free Trial PeriodAdapt HSM (Hardware Security Module)

A di dInteroperability among Accredited CA’s

AccreditedCA

Interoperability among Accredited CA sUpgrading of PKI technologiesDivision of PKI Markets

R t CACross certification for NPKI and GPKI

Root CAAddition of Root CA Certificate to MS IE

Applications Mandating Accredited Certificate (bank, stock)

PKI


PKI Applications

E-Procurement, Internet Banking, Payment Gateway, G4C etc

Framework of Registration

El t i -Ensure the security and reliability of electronic documents

and to promote their useElectronic Signature

Act

and to promote their use

-Promoting nationwide informationalization and improvingconvenience in people's living standardconvenience in people s living standard

Electronic Signature Act, Decree and Ordinance

Accredited CA’sCA Accredited CA’si

Accredited CA’s

Guideline for Certification Practice

Operation

Regulation onAccredited CA’s

accreditation

Regulation onAccredited CA’s

Protection measure

Accredited CPSFramework

CPS

Certification PracticeAccredited CA sFacility and Equipment protective measures Framework


Technical Specification

CPS (Certification Practices Statement)

Contents Detail

Management

- Transmission of Registered Information - Request for Issuance of Certificate

Management of Certificates

- Generation of Certificates - Request for Suspension, Restoration and Revocation of Certificates- Generation of Certificate Suspension and Revocation List- Public Announcement and Validation of Certificates

Management of Key Pairs

- Generation of Private Pairs- Backup of Private Pairs- Loss, Destruction, Theft or Leakage

of Private Keys

- Protection of Private Pairs- Revocation of Private Pairs

of Private Keys

Other Certification Services

- Provision of Time Stamping- Storage of Time Stamping Records- Backup of Time Stamping Records

- Time Reception and Correction- Storage of Electronic Documents- Other Supplementary Services

- Conformity with Technical Specifications- Scope and Intended Use of Certificates- Conformity to Certification Procedure- Matters concerning Facilities and Equipment

Others

g q p- Management of Certification Service Records- Management of Certification Service Records through the representative- Management of Audit Records- Management of Registration Authorities


g g- Test Run of Certification Practice- Correct Provision of Information and Public Notification

History of NPKI in Korea

‘00 ‘01 ‘02 ‘03 ‘04 ‘05 ‘06 ‘07 ‘08

Electronic Signature Promotion

YearActivity

Interoperability among Accredited CA’s

Provide User’s Convenience Provide User s Convenience

Cross certification for NPKI and GPKI

Mandating Accredited Certificate Mandating Accredited Certificate (bank, stock, E-malls)

End of Certificate Free Trial Period

Upgrading of PKI technologies

Division of PKI Markets

Addition of Root CA Certificate to MS IE and other Browsers

Adapt HSM (Hardware Security


Adapt HSM (Hardware Security Module)

Interoperability among Accredited CA’s

xgeneral-purpose

CA A User AApp 1

xcertificate Company 1

CA B User B App 2

E-service Provider S/W developmentCompany

Company 2Accredited CA

-Subscriber who has an general-purpose accredited certificate can doall kinds of electronic transaction at InternetT id t h l i th t i d dit d

p y

Goals-To provide technologies that recognize and process accreditedcertificates regardless of who issue them-To provide data to policy-makers on how to determine the scope andconditions of each accredited certificateconditions of each accredited certificate

Lesson to l

The interoperability issue should be considered which arises during early stages of the NPKI construction


learn arises during early stages of the NPKI construction.

Cross-Certification for NPKI and GPKI

A PKI CTL issuance

A Root CAHash

CA

B Root CAHash Certificate Path

B PKI

A_RootCA B_RootCA

B CA

CTLCTL A_RootCA Cert

CTL issued by A_RootCA

B_RootCA Cert

B USER

A_CAB_CA

B_User Cert

B_CA Cert

generate i

verify i

-Two years after establishment of the NPKI in 1999, the GPKI was

A_USERB_USERsignaturesignature

Backgroundbrought to birth. The two got to have overlapped service areas.-To smooth out simultaneous operation of both, realization of cross-certification is vital, which was obtained by means of a simplified CTL(i e Certificate Trust List)(i.e. Certificate Trust List).

Lesson to To avoid duplication of resources and confusion in policy-making services should be provided through a


learn policy-making, services should be provided through a single root CA.

Mandatory Use of Accredited Certificates

Background

-The mandatory use was intended to protect the banking and tradingsystems, where security breaches occurred frequently in the process ofidentity verification, against hacking and other attacks and to enhance

i b d i di d ifi l h ifisecurity by mandating accredited certificates, a tool that verifiesidentification most efficiently.

-Accredited certificate in Banking and Stock Trade-Accredited certificate in Banking and Stock Trade　◊Mandating use of the certificate in banking & online stock trading　 * Government consulted with Financial Supervisory Service (FSS)about using the certificate in the financial field

Progresses

　 * FSS made it mandatory to use the certificate in internet bank(Sep., 2002) and online stock trading (March, 2003)-Accredited certificate in Online Shopping◊ Use credit card with the certificate at internet shopping mall◊ Use credit card with the certificate at internet shopping mall　 * FSS announces a new policy that credit cards should be usedwith the certificate in Online Shopping (July, 2003)

* E-malls have to be configured to verify the identity of the

Lesson to To boost the certification market, the mandatory use

cardholder and the payer by September, 2006.


Lesson to learn

To boost the certification market, the mandatory useof PKI on some industries has been recommended.

Accredited Certificate Fees for Individuals

-To promote use of accredited certificates, services were provided freeof charge.-Accredited certificates were provided without any charge to relievethe initial burden of customers to secure adjustment period and to

Background

the initial burden of customers, to secure adjustment period, and tobuild up the Internet services.-The deteriorating financial status of CA’s led to efforts to improvesecurity and quality of certification services.◊ Only corporate certificates began to be charged for

(Approximately, 100 $ /year).　◊ It was unable to impose any liabilities on CA’s since they did notgenerate any profitsgenerate any profits.　◊CA’s were unable to make additional investments, for example, inequipment.

Progresses

-Individuals began to pay fees. (June, 2004)◊ Individual accredited certificate of general purpose: $4/year　◊ Individual accredited certificate of limited purpose:Implementation thereof was in the sole discretion of a CA (CA’s were

Lesson to For CA’s to serve the public with stability in operation an

Implementation thereof was in the sole discretion of a CA. (CA s wereable to charge only after September, 2004.)


Lesson to learn

For CA s to serve the public with stability in operation and services, free trial periods should not be provided.

Division of PKI Markets

CA Characteristics

Individual

Corporation TotalGeneral

Purpose

Specific Purpose

(Bank)Purpose (Bank)

KCFCnon-profit

organization

63% 76% 29% 67%

4$/year Free 100$/year or Free

-KESA (Korea Electronic Signature Act) amended to set“borders” between different markets (December, 2005)◊Th d d KESA d d h i f

Progresses

◊The amended KESA demands tougher requirements for agovernment agency or a non-profit organization to get designated asCA.-Implementation of PKI with divided roles (July, 2006)Implementation of PKI with divided roles (July, 2006)　◊ The KCFC, under the new KESA, is not allowed to issuecertificates of general purpose; it can only issue certificates requiredfor banking.

Lesson to learn

Different natures of CA’s may lead to conflicts and harm to the market. Thus, it is necessary, in some case, t t b d b t tifi t k t


learn to set boundary between certificate markets.

Upgrading of PKI technologies

Background

-The term “upgrading (or its verb form “to upgrade”) refers to anyeffort made to increase system security and compatibility oftechnologies such as renewal of private keys, adjustment of length ofprivate keys application of RFC3280 etcprivate keys, application of RFC3280, etc.

-Renewal of Root CA certificate and Accredited CA Certificates-Upgrading of private-key lengths

M j

Upgrading of private key lengths

Before Feb., 2006 After Feb., 2006

Valid period Key Length Valid period Key Length

Root CA 10 years 2048 bit 20 years 2048 bitMajor

missions

-Application of RFC 3280

Root CA 10 years 2048 bit 20 years 2048 bit

Accredited CA 5 years 1024 bit 10 years 2048 bit

User 1 year 1024 bit 1 year 1024 bit

Application of RFC 3280◊ International standard changed: RFC 2459 RFC 3280-Offline operation of Root CA’s directory◊ The CRL’s of Root CA are posted on directories of six CA’s.

Lesson to Advance of technologies does not always guarantee stability of certification technologies. Thus, counter-


learnstability of certification technologies. Thus, countermeasures should be considered in advance.

Addition of Root CA Certificate to MS IE

VeriSign

VISA

RSAJCSI

Hongkong Post

Thawte

• Microsoft Root Certificate Program Members: 58 CA’s (15 accredited CA’s)

Microsoft Korean Root CA

-When using services like e-mail and web server with domesticcertificates, security warnings popped up, causing confusion among

Microsoft Root Certificate Program Members: 58 CA s (15 accredited CA s)

　Problems and

solutions

users.-Foreign CA’s (i.e., VeriSign) recognized by MS Windows got tomonopolize the Korean PKI markets for SSL, code signing certificates.-By mounting certificates of Korean Root CA’s on MS Windows, it has

A country should accumulate and retain its own

y ou t g ce t cates o o ea oot C s o S W do s, t asbecome possible to apply their certificates to Windows-based webservices including web server, secured e-mail and code signing etc

Lesson to learn

A country should accumulate and retain its own technologies related to security and certification to enhance its national competitive edge.


★ Inclusion KISA Root CA Certificate in Web Browsers (~'08)Internet Explorer ('06.02), Safari ('07.03), Opera ('08.05), FireFox ('06~)

HSM Token as a secure storage

Storage for CertificateInterface between the

Token and the Subscriber’s S/W

<Subscriber's S/W> <HSM Token>

Subscriber s S/W

<HSM Access Program>

Background

-A hardware protected secure storage with hardware cryptographicaccelerator to generate and store private keys① Digital signing and generation of a private key can be doneinside the Token ② Private keys can not be exported

Problems-If subscriber uses hard disk for certificate storage, some maliciousprograms can control subscriber’s PC and extract that information.

inside the Token,② Private keys can not be exported

Progresses

-Developing the technical specifications for HSM Token withcertificate ('06~'07.8)-Carrying out the evaluation for the interoperability of HSM Token

Lesson to In order to enhance subscriber’s personal security

-Carrying out the evaluation for the interoperability of HSM Token('07.9~)


learn environment, HSM Token as a secure storage can use.

HSM Evaluation Process

Storage media for private key and certificate should be evaluated by Root CA in order to provide the interoperability of personal security environment.

Evaluation Criteria

Root CA

Request evaluation

• HSM Storage Format Specification for Accredited Certificate• Accredited Certificate Usage Specification for HSM

CAVender

Give certificate

Publish

Certified Product Lists User’s PC

PublishInto Lists

EE A S/W

PKCS#11User can choose any productsSmar

t Card


PSE• PSE: Personal Security Environment, HSM: Hardware Security Module

Asia PKI Consortium

fi i i l ll b i b d i i i i li d f i f i i • Non-profit international collaboration body in Asia region, specialized for information security areas

• Objectives : To realize borderless and seamless e-commerce in a secure and trustworthy way, in Asia regions

F d d N • Founded : Nov. 2007

• Member : Korea (KISA), China, Taiwan (As of June, 2008)

C d f ll P i i l b

Steering Committee (SC)

Composed of all Principal member

Approve resolutions by GA

Determine policy, direction, strategyComposed of all members

l Ch i d i h i

General Assembly (GA)Elect Chairperson and Vice chairperson

Decide to Start and Dismiss WG

SecretariatTask-force based Working Group

PKI WG Other WGSME WGPrivacy

WG

Mobile

WG Candidate WG

Actual WG

Lesson to learn

Thoughts should be given to the issue of international interoperability. Close cooperation, for example, with

WG


learn the Asia PKI Consortium will be helpful.

Mr. Jaejung Kim

[email protected] T. [email protected] T. +82 10 2223 4978

Eco [3 c] introduction of national pki-sg-jaejung kim-15_apr10

Documents

Transcript of Eco [3 c] introduction of national pki-sg-jaejung kim-15_apr10