Eco [3 c] introduction of national pki-sg-jaejung kim-15_apr10
-
Upload
hai-nguyen -
Category
Documents
-
view
100 -
download
3
Transcript of Eco [3 c] introduction of national pki-sg-jaejung kim-15_apr10
3. PKI Status in Korea
Overview (1/3)
5 Accredited CA’s issued accredited certificates to user around 20 million in total
Major PKI ApplicationsMajor PKI ApplicationsInternet Banking, Online Stock, Internet Shopping, Procurement, e-Gov Services
17.218.7
20.7
Cyber tradingMar., 2003
Shopping mall: Credit card (over 300,000 KRW)
Nov.,2005
11.0
7 89.5
14.4
dd
Internet banking
Sep., 2002
1.5
4.9
7.8E-Bidding
Oct., 2000
20052001
0.3
2000 2002 2003 2004 2006 2007 2008 2009.6
38www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
Number of annual issuance of certificates (published by MOPAS, Unit: Million)
Overview (2/3)
( bli h d b O S)i i di d ’
No.Accredited CA/
Web siteAccredited
DateCharacteristics
Main Business Area
(published by MOPAS)Statistics on Accredited CA’s
1SG (CA: SignGATE)http://www.signgate.com
2000. 02. 10 CorporationAll industry, government
2KOSCOM (CA: SignKorea)
2000 02 10Special purpose
Cyber trading2http://www.signkorea.com
2000. 02. 10Corporation
Cyber trading
3KFTC (CA: yessign)http://www.yessign.com
2000. 04. 12Non-commercial Organization
Internet banking
4CrossCert (CA: CrossCert)http://gca.crosscert.com
2001. 11. 24 Corporation -
KTNET (CA: TradeSign)State-run
5KTNET (CA: TradeSign)http://www.tradesign.net
2002. 03. 11 Corporation with special mission
Trading
39www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
Overview (3/3)
d l i
GPKI NPKI
Established in 2001 pursuant to Established in 1999 under Electronic
PKI Model in Korea
ActEstablished in 2001 pursuant to E-Government Act
Established in 1999 under Electronic Signature Act
Ministry in Charge
MOPAS (Ministry of Public Administration and Security)in Charge
Root CA GCMA (http://www.gpki.go.kr) KISA (http://www.rootca.or.kr)
Main Customer
Public Servants Individual, CompanyCustomer
p y
Algorithm NEET (not open) SEED, AES
Types of Accredited Certificate and Fees
Types Entity Certificate Usage Field Fee
GeneralIndividual All electronic transactions ≅ US$ 4/year
Types of Accredited Certificate and Fees
GeneralCorporation All electronic transactions ≅ US$ 100/year
Specific
- G2C, Bank, Insurance Free
- G2C, Stock, Insurance Free
40www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
Specific G2C, Stock, Insurance Free
- G4C, Credit Card Free
PKI Scheme
MutualRecognitiong
N ti l R t CAN ti l R t CA G t R t CAG t R t CA
Certification issuance / Management
Certification issuance / Management
National Root CANational Root CA(KISA)(KISA)
Government Root CAGovernment Root CA(GCMA)(GCMA)
Accredited CA
Accredited CA
g
Accredited CA
Accredited CA
g
Certification issuance / Certification issuance /
…… ……Certification issuance /
ManagementCertification issuance /
Management
Subscriber Subscriber
E-Government Service Provider
E-Government Service Provider
…… ……
41www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
Role of Root CA
Accredited CA
Root CA
International Cooperation
Root CA
T h i l
Root CA(KISA)
Technical Specification Environment of
Usage of Electronic
Legal & Policy Issue
gSignature
42www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved www.sgco.kr Copyright 1999-2008@SG Inc. All rights reserved
Scope of Benchmarking
Subject contents
Law, Policy, Electronic Signature Act, Decree and Ordinance
C tifi ti P ti St t tLaw, Policy, Standards
Certification Practices Statement
Electronic Signature Certification Technology
Government PKI
National PKI
Electronic Signature PromotionProvide User’s Convenience
PKI Model
UserProvide User s ConvenienceEnd of Certificate Free Trial PeriodAdapt HSM (Hardware Security Module)
A di dInteroperability among Accredited CA’s
AccreditedCA
Interoperability among Accredited CA sUpgrading of PKI technologiesDivision of PKI Markets
R t CACross certification for NPKI and GPKI
Root CAAddition of Root CA Certificate to MS IE
Applications Mandating Accredited Certificate (bank, stock)
PKI
43www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
PKI Applications
E-Procurement, Internet Banking, Payment Gateway, G4C etc
Framework of Registration
El t i -Ensure the security and reliability of electronic documents
and to promote their useElectronic Signature
Act
and to promote their use
-Promoting nationwide informationalization and improvingconvenience in people's living standardconvenience in people s living standard
Electronic Signature Act, Decree and Ordinance
Accredited CA’sCA Accredited CA’si
Accredited CA’s
Guideline for Certification Practice
Operation
Regulation onAccredited CA’s
accreditation
Regulation onAccredited CA’s
Protection measure
Accredited CPSFramework
CPS
Certification PracticeAccredited CA sFacility and Equipment protective measures Framework
44www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
Technical Specification
CPS (Certification Practices Statement)
Contents Detail
Management
- Transmission of Registered Information - Request for Issuance of Certificate
Management of Certificates
- Generation of Certificates - Request for Suspension, Restoration and Revocation of Certificates- Generation of Certificate Suspension and Revocation List- Public Announcement and Validation of Certificates
Management of Key Pairs
- Generation of Private Pairs- Backup of Private Pairs- Loss, Destruction, Theft or Leakage
of Private Keys
- Protection of Private Pairs- Revocation of Private Pairs
of Private Keys
Other Certification Services
- Provision of Time Stamping- Storage of Time Stamping Records- Backup of Time Stamping Records
- Time Reception and Correction- Storage of Electronic Documents- Other Supplementary Services
- Conformity with Technical Specifications- Scope and Intended Use of Certificates- Conformity to Certification Procedure- Matters concerning Facilities and Equipment
Others
g q p- Management of Certification Service Records- Management of Certification Service Records through the representative- Management of Audit Records- Management of Registration Authorities
45www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
g g- Test Run of Certification Practice- Correct Provision of Information and Public Notification
History of NPKI in Korea
‘00 ‘01 ‘02 ‘03 ‘04 ‘05 ‘06 ‘07 ‘08
Electronic Signature Promotion
YearActivity
Interoperability among Accredited CA’s
Provide User’s Convenience Provide User s Convenience
Cross certification for NPKI and GPKI
Mandating Accredited Certificate Mandating Accredited Certificate (bank, stock, E-malls)
End of Certificate Free Trial Period
Upgrading of PKI technologies
Division of PKI Markets
Addition of Root CA Certificate to MS IE and other Browsers
Adapt HSM (Hardware Security
46www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
Adapt HSM (Hardware Security Module)
Interoperability among Accredited CA’s
xgeneral-purpose
CA A User AApp 1
xcertificate Company 1
CA B User B App 2
E-service Provider S/W developmentCompany
Company 2Accredited CA
-Subscriber who has an general-purpose accredited certificate can doall kinds of electronic transaction at InternetT id t h l i th t i d dit d
p y
Goals-To provide technologies that recognize and process accreditedcertificates regardless of who issue them-To provide data to policy-makers on how to determine the scope andconditions of each accredited certificateconditions of each accredited certificate
Lesson to l
The interoperability issue should be considered which arises during early stages of the NPKI construction
47www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
learn arises during early stages of the NPKI construction.
Cross-Certification for NPKI and GPKI
A PKI CTL issuance
A Root CAHash
CA
B Root CAHash Certificate Path
B PKI
A_RootCA B_RootCA
B CA
CTLCTL A_RootCA Cert
CTL issued by A_RootCA
B_RootCA Cert
B USER
A_CAB_CA
B_User Cert
B_CA Cert
generate i
verify i
-Two years after establishment of the NPKI in 1999, the GPKI was
A_USERB_USERsignaturesignature
Backgroundbrought to birth. The two got to have overlapped service areas.-To smooth out simultaneous operation of both, realization of cross-certification is vital, which was obtained by means of a simplified CTL(i e Certificate Trust List)(i.e. Certificate Trust List).
Lesson to To avoid duplication of resources and confusion in policy-making services should be provided through a
48www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
learn policy-making, services should be provided through a single root CA.
Mandatory Use of Accredited Certificates
Background
-The mandatory use was intended to protect the banking and tradingsystems, where security breaches occurred frequently in the process ofidentity verification, against hacking and other attacks and to enhance
i b d i di d ifi l h ifisecurity by mandating accredited certificates, a tool that verifiesidentification most efficiently.
-Accredited certificate in Banking and Stock Trade-Accredited certificate in Banking and Stock Trade ◊Mandating use of the certificate in banking & online stock trading * Government consulted with Financial Supervisory Service (FSS)about using the certificate in the financial field
Progresses
* FSS made it mandatory to use the certificate in internet bank(Sep., 2002) and online stock trading (March, 2003)-Accredited certificate in Online Shopping◊ Use credit card with the certificate at internet shopping mall◊ Use credit card with the certificate at internet shopping mall * FSS announces a new policy that credit cards should be usedwith the certificate in Online Shopping (July, 2003)
* E-malls have to be configured to verify the identity of the
Lesson to To boost the certification market, the mandatory use
cardholder and the payer by September, 2006.
49www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
Lesson to learn
To boost the certification market, the mandatory useof PKI on some industries has been recommended.
Accredited Certificate Fees for Individuals
-To promote use of accredited certificates, services were provided freeof charge.-Accredited certificates were provided without any charge to relievethe initial burden of customers to secure adjustment period and to
Background
the initial burden of customers, to secure adjustment period, and tobuild up the Internet services.-The deteriorating financial status of CA’s led to efforts to improvesecurity and quality of certification services.◊ Only corporate certificates began to be charged for
(Approximately, 100 $ /year). ◊ It was unable to impose any liabilities on CA’s since they did notgenerate any profitsgenerate any profits. ◊CA’s were unable to make additional investments, for example, inequipment.
Progresses
-Individuals began to pay fees. (June, 2004)◊ Individual accredited certificate of general purpose: $4/year ◊ Individual accredited certificate of limited purpose:Implementation thereof was in the sole discretion of a CA (CA’s were
Lesson to For CA’s to serve the public with stability in operation an
Implementation thereof was in the sole discretion of a CA. (CA s wereable to charge only after September, 2004.)
50www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
Lesson to learn
For CA s to serve the public with stability in operation and services, free trial periods should not be provided.
Division of PKI Markets
CA Characteristics
Individual
Corporation TotalGeneral
Purpose
Specific Purpose
(Bank)Purpose (Bank)
KCFCnon-profit
organization
63% 76% 29% 67%
4$/year Free 100$/year or Free
-KESA (Korea Electronic Signature Act) amended to set“borders” between different markets (December, 2005)◊Th d d KESA d d h i f
Progresses
◊The amended KESA demands tougher requirements for agovernment agency or a non-profit organization to get designated asCA.-Implementation of PKI with divided roles (July, 2006)Implementation of PKI with divided roles (July, 2006) ◊ The KCFC, under the new KESA, is not allowed to issuecertificates of general purpose; it can only issue certificates requiredfor banking.
Lesson to learn
Different natures of CA’s may lead to conflicts and harm to the market. Thus, it is necessary, in some case, t t b d b t tifi t k t
51www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
learn to set boundary between certificate markets.
Upgrading of PKI technologies
Background
-The term “upgrading (or its verb form “to upgrade”) refers to anyeffort made to increase system security and compatibility oftechnologies such as renewal of private keys, adjustment of length ofprivate keys application of RFC3280 etcprivate keys, application of RFC3280, etc.
-Renewal of Root CA certificate and Accredited CA Certificates-Upgrading of private-key lengths
M j
Upgrading of private key lengths
Before Feb., 2006 After Feb., 2006
Valid period Key Length Valid period Key Length
Root CA 10 years 2048 bit 20 years 2048 bitMajor
missions
-Application of RFC 3280
Root CA 10 years 2048 bit 20 years 2048 bit
Accredited CA 5 years 1024 bit 10 years 2048 bit
User 1 year 1024 bit 1 year 1024 bit
Application of RFC 3280◊ International standard changed: RFC 2459 RFC 3280-Offline operation of Root CA’s directory◊ The CRL’s of Root CA are posted on directories of six CA’s.
Lesson to Advance of technologies does not always guarantee stability of certification technologies. Thus, counter-
52www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
learnstability of certification technologies. Thus, countermeasures should be considered in advance.
Addition of Root CA Certificate to MS IE
VeriSign
VISA
RSAJCSI
Hongkong Post
Thawte
• Microsoft Root Certificate Program Members: 58 CA’s (15 accredited CA’s)
Microsoft Korean Root CA
-When using services like e-mail and web server with domesticcertificates, security warnings popped up, causing confusion among
Microsoft Root Certificate Program Members: 58 CA s (15 accredited CA s)
Problems and
solutions
users.-Foreign CA’s (i.e., VeriSign) recognized by MS Windows got tomonopolize the Korean PKI markets for SSL, code signing certificates.-By mounting certificates of Korean Root CA’s on MS Windows, it has
A country should accumulate and retain its own
y ou t g ce t cates o o ea oot C s o S W do s, t asbecome possible to apply their certificates to Windows-based webservices including web server, secured e-mail and code signing etc
Lesson to learn
A country should accumulate and retain its own technologies related to security and certification to enhance its national competitive edge.
53www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
★ Inclusion KISA Root CA Certificate in Web Browsers (~'08)Internet Explorer ('06.02), Safari ('07.03), Opera ('08.05), FireFox ('06~)
HSM Token as a secure storage
Storage for CertificateInterface between the
Token and the Subscriber’s S/W
<Subscriber's S/W> <HSM Token>
Subscriber s S/W
<HSM Access Program>
Background
-A hardware protected secure storage with hardware cryptographicaccelerator to generate and store private keys① Digital signing and generation of a private key can be doneinside the Token ② Private keys can not be exported
Problems-If subscriber uses hard disk for certificate storage, some maliciousprograms can control subscriber’s PC and extract that information.
inside the Token,② Private keys can not be exported
Progresses
-Developing the technical specifications for HSM Token withcertificate ('06~'07.8)-Carrying out the evaluation for the interoperability of HSM Token
Lesson to In order to enhance subscriber’s personal security
-Carrying out the evaluation for the interoperability of HSM Token('07.9~)
54www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
learn environment, HSM Token as a secure storage can use.
HSM Evaluation Process
Storage media for private key and certificate should be evaluated by Root CA in order to provide the interoperability of personal security environment.
Evaluation Criteria
Root CA
Request evaluation
• HSM Storage Format Specification for Accredited Certificate• Accredited Certificate Usage Specification for HSM
CAVender
Give certificate
Publish
Certified Product Lists User’s PC
PublishInto Lists
EE A S/W
PKCS#11User can choose any productsSmar
t Card
55www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
PSE• PSE: Personal Security Environment, HSM: Hardware Security Module
Asia PKI Consortium
fi i i l ll b i b d i i i i li d f i f i i • Non-profit international collaboration body in Asia region, specialized for information security areas
• Objectives : To realize borderless and seamless e-commerce in a secure and trustworthy way, in Asia regions
F d d N • Founded : Nov. 2007
• Member : Korea (KISA), China, Taiwan (As of June, 2008)
C d f ll P i i l b
Steering Committee (SC)
Composed of all Principal member
Approve resolutions by GA
Determine policy, direction, strategyComposed of all members
l Ch i d i h i
General Assembly (GA)Elect Chairperson and Vice chairperson
Decide to Start and Dismiss WG
SecretariatTask-force based Working Group
PKI WG Other WGSME WGPrivacy
WG
Mobile
WG Candidate WG
Actual WG
Lesson to learn
Thoughts should be given to the issue of international interoperability. Close cooperation, for example, with
WG
56www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
learn the Asia PKI Consortium will be helpful.
Mr. Jaejung Kim
[email protected] T. [email protected] T. +82 10 2223 4978