Introduction to PKIsiteresources.worldbank.org/PSGLP/Resources/9.pdf · Introduction to PKI...

Introduction to PKIIntroduction to PKI

November, 2006November, 2006Kang, YoungKang, Young--ChulChul

CEO of KICA,CEO of KICA,BAWG Leader of Asia PKI ForumBAWG Leader of Asia PKI Forum

([email protected])([email protected])

www.signgate.com copyright@1999-2006 KICA,Inc. 2

1. PKI Overview 1. PKI Overview

2. The Status of PKI in Korea and Applications 2. The Status of PKI in Korea and Applications

3. PKI based e3. PKI based e--ProcurementProcurement

4. Introduction to KICA4. Introduction to KICA

List of ContentsList of Contents


1. PKI Overview 1. PKI Overview


©Th

e N

ew Y

orke

r Col

lect

ion

1993

Pet

er S

tein

er fr

om

cart

oonl

ink.

com

. All

righ

ts re

serv

ed.

On the Internet, Nobody knows you’re a dog


1.1 e1.1 e--Commerce Market Size in KoreaCommerce Market Size in Korea

358

1,0901,155

1,234 1,286 1298

315199

14899

0

200

400

600

800

1,000

1,200

1,400

2001 2002 2003 2004 2005

Onlinetrading

Totaltrading

Billion US$

Rapidly expanding area

Reach to 27.5% of total trading volume in 2005

358

99148

199

315

050

100150200250300350400

2001 2002 2003 2004 2005

Online Tr.

% of TotalTrading9.1%

12.8%16.8%

24.5%

Billion US$

27.5%

• Source: e-Commerce statistics

(2005 Korea National Statistical Office)


1.2 Increase of Cyber Crime in Korea1.2 Increase of Cyber Crime in Korea

33,289

60,068

68,445

77,099

88,731

0

10,000

20,000

30,000

40,000

50,000

60,000

70,000

80,000

90,000

2001 2002 2003 2004 2005

Cyber Crime

Source: Cyber Terror Response Center

(Scale: number)

Cyber Crime Types => Hacking (Intrusion, Data Theft, Dos Attack) , Virus, Fraud, Defamation


Risk of breach about transactions and personal profileDifficult to secure transmitted contentsEasy to make forgery document / Difficult to prove electrical document is in original state

Risk of breach about transactions and personal profileDifficult to secure transmitted contentsEasy to make forgery document / Difficult to prove electrical document is in original state

1.3 Issued problems of e1.3 Issued problems of e--CommerceCommerce

Online characteristicsOnline characteristicsOnline characteristics

Remote connection & no face to face contact

Difficult to verify who does issue transactions

Difficult to prove ‘transaction was happened’


1.4 Possible Security Holes1.4 Possible Security Holes

Breach of personal profile and credit card information at transaction Breach of personal profile in shared computerCyber stealing Hacking on cyber securities & bank account / Stock price manipulation ID and password stealing

Need of Strong Security Protection Need of Strong Security Protection With With PKI technologyPKI technology


ProblemProblem

Difficult Difficult to verify identityto verify identity

Matched Matched security methodsecurity method

Authentication Authentication of identityof identity

Digital Signature TechnologyDigital Signature Technology(User authentication)(User authentication)

Easy to make forgery or Easy to make forgery or modification on contentsmodification on contents

Guarantee Guarantee IntegrityIntegrity

Digital Signature TechnologyDigital Signature Technology(Message authentication)(Message authentication)

Repudiate transactionsRepudiate transactions NonNon--repudiationrepudiation Digital Signature TechnologyDigital Signature Technology(Message authentication)(Message authentication)

Breach informationBreach information ConfidentialityConfidentiality Encryption TechnologyEncryption Technology(Message authentication)(Message authentication)

1.5 PKI Solution to Hacking attempts 1.5 PKI Solution to Hacking attempts

Protection Protection TechnologyTechnology


1.6 PKI (Public Key Infrastructure)?1.6 PKI (Public Key Infrastructure)?

A system of digital certificates, Certificate Authorities, and other registration authorities that verify and authenticate the validity of each party involved in an Internet transaction.

DefinitionDefinitionDefinition

Elements of PKIElements of PKI- Certificate System : CA. RA. DS, OCSP, TSA- Service Policy : CPS (Certification Practices Statement) - PKI Application : e-tax, e-bank, e-trade


Internet

TS

Admin PC

DB

DS

OCSP/VA

Clients

Firewall

RA

KRS/Etc.

Admin: Administrator ProgramClients: Client S/WCA: Certificate Authority ServerRA: Registration Authority ServerDS: Directory ServerOCSP: Online Certificate

Status Protocol ServerVA: Validation Authority ServerHSM: Hardware Security Module

(Accelerator)TS: Time Stamp ModuleTSA: Time Stamp Authority

ServerDVCS: Data Validation Certifi-

cation ServerKRS: Key Roaming ServerEtc.: Other Service Server※ All networks and servers are

double connected (Fault Tolerant)

Admin: Administrator ProgramClients: Client S/WCA: Certificate Authority ServerRA: Registration Authority ServerDS: Directory ServerOCSP: Online Certificate

Status Protocol ServerVA: Validation Authority ServerHSM: Hardware Security Module

(Accelerator)TS: Time Stamp ModuleTSA: Time Stamp Authority

ServerDVCS: Data Validation Certifi-

cation ServerKRS: Key Roaming ServerEtc.: Other Service Server※ All networks and servers are

double connected (Fault Tolerant)

L4 Switch

HSM

CA

1.7 PKI System1.7 PKI System

TSA


DefinitionDefinitionDefinition

Digital signature is an unique digital data; it is applied to a document keeping the unique information of the signer with the digital signature creation key and make it possible to verify the entity authentication of document and whether there was modifications or not

1.8 Digital Signature1.8 Digital Signature

It is not an Electronic signature but a Digital signatureIt is not an Electronic signature but a Digital signature


Can’t substitute the digital signature of “A” document to “B”

The private key holder is the maker of the document

Can’t modify the signed document without the private key

No forgery

Can’t repudiate signing of the private key holderNon-repudiation

No reuse

Entity Authentication

No modification

Can’t make a signed document without a private key

Impossible to reuse ReusableProblem

Digital signature using asymmetric encryption / decryption methodElectronic data as an identifier

Concept

Digital SignatureElectronic SignatureElectronic Signature

1.9 Comparison 1.9 Comparison

•Encryption/Decryption Type : RSA, DSS(Digital Signature Standard), ESIGN, Schnorr, KCDSA


1.10 Feature of electronic document 1.10 Feature of electronic document

ITEM Paper document Electronic document

Media

Delivery

Safety of contents

Entity Authentication

Paper

Mail, hand over

Difficult to make forgery document or to modify

Identification possible from physical

characteristics of paper

Handwriting signature, Seal

Digital media

Network transmission

Easy to make forgery document or modification

Impossible to acknowledge forgery

Digital Signature


Encryption

Hacker (Tapping)

※ Pictures are taken from the CryptMail User's Guide, Copyright (C) 1994 Utimaco Belgium,with the kind permission of Kurt Schoenmaekers, Managing Director.

IntegrityIntegrityConfidentialityConfidentiality

SourceSource AuthenticationAuthentication Entity Authentication NonNon--RepudiationRepudiation

1.11 Functions of Digital Signature1.11 Functions of Digital Signature


2. The Status of PKI in Korea 2. The Status of PKI in Korea and Applicationsand Applications


[Personal Information Protection Act] Enactment Propulsion

2.1 Related Digital Signature Law2.1 Related Digital Signature Law

Electronic Signature Act Ministry of Information and Communication (MIC)

Information and Communications Work Business Act

Ministry of Information and Communication (MIC)

Electronic Government Act Ministry of Government Administration and Home Affairs (MOGAHA)

Framework Act on Electronic Transaction

Ministry of Commerce, Industry and Energy (MOCIE)

The ministry and office concernedName of Act

Consumer Protection in Electronic Commerce, etc. Act Fair Trade Commission (FTC)


Purpose of EnactmentPurpose of Enactment

Digital Message

Promote usage of Digital documents

Guarantee safety & trust

Grant legal validity on certified digital signature

Enhance comport level of nation people & boost national infrastructure construction

2.2 Electronic Signature Act(1/4)2.2 Electronic Signature Act(1/4)


Main FocusMain Focus

Article 3(Effect, etc., of Digital Signature)Article 3(Effect, etc., of Digital Signature)

(1) Signature, signature and seal, or name and seal, it shall be deemed that such requirements are satisfied

(2) Signer of the electronic message concerned and that there has been no alteration in contents of such message

Grant legal validity on certified Grant legal validity on certified digital signature digital signature

Authentication, Confidentiality, Non-repudiation, Integrity

2.2 Electronic Signature Act (2/4)2.2 Electronic Signature Act (2/4)



Article 4(Designation of Accredited Certification Authority)Article 4(Designation of Accredited Certification Authority)

(1) Designation as a accredited certification authority an entity that is deemed to be capable of performing authorized certification work in a secure and reliable manner

Secure Technology, Physical environment, Financial capability

Guarantee safety & trustGuarantee safety & trust




Reparation for Injury

- Imputation a reason to party

- Burden of proof to licensed CA

Duty of Insurance

Protection of Protection of subscriber & Usersubscriber & User

Article 26(A Liability of reparation)Article 26(A Liability of reparation)



Law. System arrangementPlan national authenticationLicensed CA management

MIC

Digital SignatureAuthentication

Management Center

Licensed CA

Root CA

Government

KICAKICA KOSCOM KFTC

NCASignNIA

1st1st1st 2nd2nd 3rd3rd 4th4thAuthentication management Provide CA serviceCertificate issuanceCertificate termination / renewal

National Authentication system operation Field test for licensed CA designationIssue certificate for licensed CA

MIC (Policy Agency)

KISA (Root CA)

Accredited CA

Korea Information Security Agency

5th5th 6th6th

CROSSCERT KTNET

2.3 Root CA Architecture in Korea2.3 Root CA Architecture in Korea

Digital Signature Authentication Management System


G4C, Credit Card-

G2C, Stock, Insurance-

G2C, Bank, Insurance-

Specific

All electronic transactionsCorporation

All electronic transactionsIndividual General

Certificate Usage FieldEntityTypes

2.4 Types of Accredited Certificate2.4 Types of Accredited Certificate


0

2,000,000

4,000,000

6,000,000

8,000,000

10,000,000

12,000,000

14,000,000

2000 2001 2002 2003 2004 2005 2006. 4

Number of annual issuance of certificates (As of April 30, 2006; published by MIC)

2.5 Number of Accredited Certificate 2.5 Number of Accredited Certificate

(Scale: number)


2.6 Applied Areas of PKI in Korea2.6 Applied Areas of PKI in Korea

Internet BankingInternet Banking

Online Stock Trading Online Stock Trading

EE--Government systemGovernment system

EE--Contract Contract

EE--Tax Receipt systemTax Receipt system

etc Purposeetc Purpose

Main PKI Application


2.6.1 PKI BM in e2.6.1 PKI BM in e--GovernmentGovernment

Broadband/MobileInfra

Petition Service(Identify oneself online by certificates)

E-Government

Certificate Infra

E-Supply (G2B)(Online bidding with certificate)

4 Major Insurances data exchange(Labor, Medical care, Pension, Industrial disaster)Internet access with certificate

National Financing Information System- Based on Internet banking, etc

Taxation -National Tax Agency-Access with certificates

Regional Administration-Service for counties-Access with certificates

Education Administration System-16 Educational department- Teachers can assess with cert.

Personal Management inside Government

- All employees inside Government

Electric document system- Interoperable with other systems

Digital Signature & Seal-Distribute certificates-Develop and enhance system adopting certificates

Enhance computerization- Sharing national resource information


Clients

Bank

Accredited CA(CA & OCSP Server)

Certificate Validation► Request account information► Currency transfer► Payment, etc.

(Should submit digital signature: Mandatory)

BankingServer

PKI Client S/WPKI Client S/W

Internet

Issue Certificate

PKI Server S/WPKI Server S/W

Keyboard Security S/WKeyboard Security S/W

security card

2.6.2 Internet Banking2.6.2 Internet Banking


Home Tax Server

Certificate validity authentication,

Verify the data integrityIssue Certificate

► Query tax information► Declare tax► Pay tax, etc.

National Tax ServiceTaxpayer

Accredited CA

Internet

PKI Client S/WPKI Client S/W PKI Server S/WPKI Server S/W

2.6.3 Home Tax Service2.6.3 Home Tax Service


Certificatevalidation

Accredited CA

Teachers Students Parents

Internet

National EducationInformation System

Issue Certificate

► Query educationinformation

► Input records► Issue petition, etc.

PKI Server S/WPKI Server S/W

PKI Client S/WPKI Client S/W

2.6.4 Education Service 2.6.4 Education Service


3. PKI based e3. PKI based e--ProcurementProcurement


Need PKI SystemNeed PKI System

Complex & Time Consuming

Difficult & Inefficiency

Handy Work process making Mistakes (Negative)

Tons of documents

3.1 Need of e3.1 Need of e--Procurement system Procurement system


E-Procurement Security Using PKI system

Internet

Certificate Authority

User E-Procurement system

Issue Certificate Issue Certificate

Digital signature creation and transmission(Encrypt document + Digital signature + Certificate)

• Timestamp Service

• Certification Service

3.2 Structure of E3.2 Structure of E--Procurement systemProcurement system


Evaluation of Evaluation of online document online document

integrityintegrity

Bidding applicant Bidding applicant Company identity Company identity

authenticationauthentication

Keeping dead lineKeeping dead lineBy time StampingBy time Stamping

Bidding Bidding NonNon--repudiationrepudiation

Effectiveness of PKI

3.3 Benefit of E3.3 Benefit of E--Procurement systemProcurement system

KONEPS

KICA e-Bidding Server With security add-on

for Web Application Server

KICA e-Bidding Server With security add-on

for Web Application Server


4. Introduction to KICA4. Introduction to KICA


Stage1 ▶Enforcement of laws and institutions

- Enacted “Electronic Signature Act.”- Established “Korea Information Certificate Authority Inc.”

Stage2 ▶Approved by MIC as the first accredited CA► Major Shareholders: MIC, Samsung SDS, LG,

KT, SK Telecom, DAOU Tech, etc.► Provide accredited CA services to various

applications

■ July 1, 1999 Buildup of National PKI

■ Feb. 10, 2000 Designated Accredited CA

Total USD 22M of Capital

4.1 KICA Establishment 4.1 KICA Establishment


Conducted PKI feasibility studies consulting (Philippines, Egypt, Vietnam)04

Developed linux based banking system and applied to ePost banking service012006

Launched OnePASS (Instead of NID Number) Service04

The NIS recognized our PKI solution as satisfactory conditions012005

Awarded the first prize by the Minister of Information and Communication12

Company granted ISMS (Information Security Management System) certification102004

Awarded a special prize in the second Information Security Award12Passed the quality test of Wireless PKI CA system for SKT 07

2003Participated Hong Kong ITU Telecom ASIA 2002 as an exhibitorSigned Reseller Agreement with Hong Kong Postmaster General

122002

MOU with Digicert in Malaysia about interoperability, MOU with ID Safe in Singapore about interoperability 10

Provided licensed certificate to 'Home tax service' of National Tax Service04

Provided the 1st wireless PKI Certificate Authority service in the world03Certificate Authority service for the Internet banking of the Korea Post MOU with Shanghai CA, Elected as co-chair leader in APKI forum Business Case & Application WG

122001

Assigned as a Venture Company, Mr.Kang Young Chul appointed as the second CEO08Signed Cooperation Agreement with Hong Kong Post for Global Interoperability05Signed Wireless Certificate Partnership Agreements with KTF and KTm.com01

Provided CA Service to Public Procurement Service for Electronic Bidding System112000World’s the first provision of Certification Authority Service to ASEM (Asia-Europe Meeting) 10Provided Certification Authority Service to Public Agency for Electronic Tax Payment System 06

Approved by MIC as the first Accredited Certification Authority02

1999 Completed Construction of 'signGATE' Certification Center at Korea Information Certificate Authority Inc.07

Provided e-Petition service to major 4 national insurances11

4.2 Brief History4.2 Brief History


4.3 Business Scope 4.3 Business Scope

PKI Technologies

SolutionsServices

CertificationService

WirelessService

DataSecurity

Biometrics

SystemSecurity

Water-marking

Smartcard Applications

Total Solutions

Services Solutions Global Business► Issuing Certificates

(wired/wireless)► Time Stamping► Device Authentication► i-PIN Service► Domain hosting, …etc.

► SignGATE CA System► SignGATE TrustTax► SignGATE Contract► Crypto Toolkit (C, Java, XML)► SignGATE EWS, …etc.

► Cooperation MOU(China,Taiwan,

HongKong, etc.) ► PKI Consulting ► Asia PKI Forum


KT, DACOM, S1EDI for medical

service

MND (Ministry of National Defense), PPS (Public Procurement Service), KEPCO, SKT, KTF, … etc. (over 20 companies)

e-Procurement

Korail, KRIHS (Korea Research Institute forHuman Settlements)Others

Ilsan Hospital, KT Medilinks, … etc.e-Prescription

NTS (National Tax Service), Pusan province office

Home-Tax Service

KT Medilinks, En2Be-Marketplace

for medicine

Boyond Networks (SI Company), Local Governmental Office (Seo-Cho, Song-Pa, Gang-Nam Gu…etc.)

Online Civil Service

KRA (Korea Racing Agency)InternetLottery

Hansol CSN, InterPark, Auction, … etc.Internet Shopping

Almost all insurance companiesInternet

Insurance

LG Electronics, Lotte Department Store, Lotte Magnet, Sinshege Department Store, E-mart, Hyundai Department Store, … etc.

e-Tax Service

MIC e-POST, Standard Chartered First Bank,Korea Exchange Bank, Woori BankInternet Banking

KDC (Korea Development Cooperation), Kolon Engineering & Construction, … etc.Digital Contract

ECFC (Electronic Contractors’ Financial Cooperative), CG (Construction Guarantee)

e-Warranty Service

Samsung Heavy Industries, Hyundai Heavy Industries, … etc.e-Marketplace

CustomersModelCustomersModel

More 200 major companies are customers of KICAMore 200 major companies are customers of KICA

4.5 Major Customers 4.5 Major Customers


Service Know-how

No failure in service for 6 yearsOperational regulationsFull sets of service utilities

Service Know-how

No failure in service for 6 yearsOperational regulationsFull sets of service utilities

Total SolutionsHardwareSoftware (applications)PKI SystemsNetwork/System security facilities, …

Total SolutionsHardwareSoftware (applications)PKI SystemsNetwork/System security facilities, …

Best Solutions

Verified solutions in the field Well-prepared additional solutions100% comply with internationalStandards

Best Solutions

Verified solutions in the field Well-prepared additional solutions100% comply with internationalStandards

Ready To Transfer

Be able to transfer the know-ledge of PKI systemsProvide source code and relevant documents

Ready To Transfer

Be able to transfer the know-ledge of PKI systemsProvide source code and relevant documents

KOREA 1st Certificate Authority

4.4 Strengths of KICA 4.4 Strengths of KICA


Government

Accredited CA

Application Service organizations or companies

Clients

Root CA

PKI Model

Accredited Certificate

Accredited Electronic Signature

Establishment Law

(Electronic Signature),

PKI Standards

Building PKI Center

Developing PKI

enabled Applications

LicenseLaw, Policy,Standards

Certification Service

E-procurement,Internet Banking,E-commerce, etc

To establish safe and reliableInformation society

4.6 Establishment of PKI (1/3) 4.6 Establishment of PKI (1/3)


Phase 1.Preparations

Designing of PKI schemeLaunching of PKI TFTFinding ways to finance

Phase 1.Preparations

Designing of PKI schemeLaunching of PKI TFTFinding ways to finance

National PKINational PKINational PKI

Phase 2.Law & Regulation Setup

Setup decree (D.S)PKI Standardization

Phase 2.Law & Regulation Setup

Setup decree (D.S)PKI Standardization

Phase 3.PKI Center Construction

PKI systemsFacilities / EquipmentOperation guideline

Phase 3.PKI Center Construction

PKI systemsFacilities / EquipmentOperation guideline

Phase 5.PKI Application Development

Pilot projectRA ConstructionsPlanning of long-term National PKI services

Phase 5.PKI Application Development

Pilot projectRA ConstructionsPlanning of long-term National PKI services

Phase 4.Education & Promotion

Education & TrainingDevelopment of Promotional policies

Phase 4.Education & Promotion

Education & TrainingDevelopment of Promotional policies

Implementation Steps of PKI



ConsultingLaw & Regulation SetupAccreditation & Auditing DetailsPromotion Strategy

ConsultingLaw & Regulation SetupAccreditation & Auditing DetailsPromotion Strategy

Education & Training

Training for Operators(including operational know-how)Education for DevelopersEducation for Manager

Education & Training

Training for Operators(including operational know-how)Education for DevelopersEducation for Manager

Establishment of National PKIEstablishment of National PKIEstablishment of National PKI

PKI Center

Accredited CA SystemsFacilities and Equipment

PKI Center

Accredited CA SystemsFacilities and Equipment

Branch RA ConstructionRA Software / HardwareOther Equipment (Smartcard)

Branch RA ConstructionRA Software / HardwareOther Equipment (Smartcard)

Root CA Center

PKI System for root CABasic Facilities and Equipment

Root CA Center

PKI System for root CABasic Facilities and Equipment

Budget: Approximately USD 7 millionTime Cost: About to 6 MonthsBudget: Approximately USD 7 millionTime Cost: About to 6 Months

Estimated Cost for PKI


Thank you!

Address : 100-791, 9th Floor KICA Inc. The Han-Kyoung Building,441 Joonglim-Dong Joong-Gu, Seoul, Korea

Tel +82-2-360-3030 / Fax +82-2-360-3209 Homepage : www.signgate.com

www.signgate.com

Introduction to PKIsiteresources.worldbank.org/PSGLP/Resources/9.pdf · Introduction to PKI...

Documents

Transcript of Introduction to PKIsiteresources.worldbank.org/PSGLP/Resources/9.pdf · Introduction to PKI...