KICA Case Study: Bio-Authentication and PKI Trends in Korea - FIDO Alliance - Tokyo Seminar - Kim

v3.0, Dr. JJ Kim ([email protected]), December 8th, 2016, FIDO Tokyo Seminar 2016


- National ID and Identification Method
- K-FIDO (w/ Accredited Certificate)
- Bio-Authentication Case Study

PART I. National ID and Identification Method

- 4 -Copyright © 2016 KICA. All Rights Reserved.

1. National ID and i-PIN

Identification methods:
- Resident Registration Number (Birthday, Gender, Birth Area Code, Error Verification Code)
- NID Card
- Accredited Certificate
- Mobile Authentication

i-PIN (internet Personal Identification Number):
• Randomly generated 13-digit numbers
• 17 M users (2015)

2. Type of Offline Identification Methods

• Citizens can use many identification methods, such as the accredited certificate, mobile phone, bank account or credit card, for internet services that need non face-to-face identification.

[Diagram] Citizen → Face-to-Face Identification (Passport, NID Card, Driver License) with the Accredited CA, Telco Company, Bank or Credit Card Issuer → Accredited Certificate / Mobile phone / Bank Account, Check Card / Credit Card → Online Identification (Non Face-to-Face Identification Service) with Internet Services

3. Type of Online Identification Methods

Identification Method      | Provider               | User inputs
Mobile Authentication      | Telco Company          | Name, Phone number, Telco name, Birthday, Gender, Citizen or Foreigner
i-PIN                      | i-PIN Service Provider | i-PIN ID, Password1, Password2 (image letters)
Credit Card Authentication | Credit Card Issuer     | Credit card number, Validity period (Month/Year), Password (2 digits)
Accredited Certificate     | Accredited CA          | Certificate Password

4. Statistic of Identification Method

• The use rate of identification methods in Korea

Year | Accredited Certificate | Mobile Authentication | i-PIN | OTP | ETC
2013 | 81%                    | 84%                   | 49%   | 27% | 0%
2014 | 95%                    | 88%                   | 56%   | 36% | 7%
2015 | 96%                    | 84%                   | 51%   | 35% | 6%

(Source: Research on the Actual Condition of Electronic Signature System Usage (in Electronic Signature User), KISA, December 2015)

5. User authentication method for various services

Service                                  | Function                             | Identification Method
Web portal                               | Log-in (optional)                    | • ID/Password  • OTP (software)
                                         | Registration                         | • Mobile authentication
                                         | ID/password retrieval (one selected) | • Registered mobile phone  • E-mail notification  • i-PIN
E-transaction                            | Log-in                               | • Accredited certificate  • ID/Password (Inquiry only)
Electronic payment                       | Account transfer                     | • Account information + Accredited certificate
                                         | Credit card payment                  | • PIN (6 digits) + Mobile authentication: Easy Payment  • Credit card information + Accredited certificate (VISA Anshim Click, Internet Secure Payment (ISP))
                                         | Mobile phone payment                 | • Mobile phone information + resident registration number
Financial institution (Internet banking) | Log-in                               | • Accredited certificate, ID/PW (Inquiry only)
                                         | Account transfer                     | Type 1: • Accredited certificate + OTP generator  • PKI token (Accredited certificate) + security card
                                         |                                      | Type 2: • Accredited certificate + security card (2-channel authentication)
Public Procurement Service               | Electronic bidding                   | • Accredited certificate + fingerprint security token (Bio-HSM)

• The user authentication methods used by web portals, e-transactions, financial institutions and e-government services are shown above.

PART II. K-FIDO: Accredited Certificate + FIDO

1. Statistic of Accredited Certificate in Korea

Five accredited CAs have issued accredited certificates to around 33 million subscribers in total.

Major PKI applications: Internet Banking, Online Stock, Internet Shopping, e-Procurement, e-Government Services, etc.

[Chart] The annual number of valid accredited certificates, reaching 33M (as of December 2015, published by KISA)

1. Statistic of Accredited Certificate Usage

Accredited Certificate Applications - Top 5 (usage rate)

Year | Internet Banking | Payment of Shopping Mall | E-government Services | Online Stock trading | Internet Insurance
2013 | 96%              | 83%                      | 65%                   | 36%                  | 32%
2014 | 95%              | 65%                      | 70%                   | 32%                  | 34%
2015 | 97%              | 74%                      | 71%                   | 39%                  | 37%

Accredited certificate storage utilization rate by media

Year | Removable Disk (USB etc.) | Hard Disk | Smart Phone | PKI Token | Smart Card
2013 | 63%                       | 42%       | 43%         | 1%        | 1%
2014 | 62%                       | 42%       | 40%         | 3%        | 2%
2015 | 60%                       | 42%       | 43%         | 4%        | 4%

(Source: Research on the Actual Condition of Electronic Signature System Usage (in Electronic Signature User), KISA, December 2015)

1. Status of Accredited CAs in Korea

Statistics on Accredited CAs (as of 2016; published by MSIP)

No | Accredited CA / Web site                           | Accredited Date | Characteristics                            | Main Business Area
1  | KICA (CA: SignGATE) http://www.signgate.com        | 2000. 02. 10    | Corporation                                | All industry, Government
2  | KOSCOM (CA: SignKorea) http://www.signkorea.com    | 2000. 02. 10    | Special purpose Corporation                | Cyber trading
3  | KFTC (CA: yessign) http://www.yessign.com          | 2000. 04. 12    | Non-commercial Organization                | Internet banking
4  | CrossCert (CA: CrossCert) http://gca.crosscert.com | 2001. 11. 24    | Corporation                                | -
5  | KTNET (CA: TradeSign) http://www.tradesign.net     | 2002. 03. 11    | State-run Corporation with special mission | Trading

2. Problem statements

Secure Storage
- Status: accredited certificates are stored on the hard disk (SD card or internal memory on Android; the NPKI folder stored in the APP), where they are easily stolen by malicious code.
- Improvement: accredited certificates should be stored in more secure storage such as an HSM, the USIM (Smart Authentication), Smart OTP, etc.

User Authentication
- Status: the certificate password is 10 digits (alphanumeric + 1 special character): too many to remember, difficult to type, and not secure.
- Improvement: the user’s biometric authentication (fingerprint, face, voice, iris, etc.): better privacy, better experience, better security.

3. What is K-FIDO?

K-FIDO: Accredited Certificate + FIDO
– K-FIDO stands for a biometric accredited certification service that uses the accredited certificate without a password, by means of FIDO.
– K-FIDO uses biometric authentication such as the fingerprint on a smartphone instead of the password.
– The K-FIDO specification will be published by KISA (Korea Internet & Security Agency) in 2016.

[Figure] Password → Fingerprint / Iris as the means of unlocking the accredited certificate (Source: Wooribank APP)

4. Service Architecture

[Diagram: K-FIDO Service Architecture] Smartphone (Samsung, LG, APPLE): RP APP, FIDO Client, FIDO Authenticator (Fingerprint Sensor, Iris Sensor, Biometric API, PKI Module); FIDO Server and RP Server, reached over the FIDO UAF Protocol; CA with OCSP (Certificate Issuance/Reissuance/Renewal, Certificate Verification); PC (Certificate Paste/Move)

• Developed as an extension of the FIDO UAF Protocol.
• The RP APP is distributed together with the FIDO Client and the K-FIDO Authenticator.
• KeyStore, TrustZone or KeyChain is recommended as the storage for the accredited certificate and private key.
• Any type of authentication method can be added.

(Source: KISA Technical Specification)

4.1 Secure Storage for smartphone (1/2)

1) Android KeyStore

<Android 6.0 and above (use AES key)>
- An AES key is kept in the KeyStore.
- The private key is encrypted with that AES key (Encryption(AES)) and stored as "Encrypted private key1"; Decryption(AES) with the KeyStore AES key recovers it.

<Android 4.3 and above, 5.x and below (use RSA key)>
- An RSA key pair is kept in the KeyStore.
- A session key encrypts the private key (Encryption(AES)), which is stored as "Encrypted private key2".
- The session key itself is encrypted with the RSA key (Encryption(RSA)) and stored as "Encrypted Session key"; Decryption(RSA) recovers the session key, and Decryption(AES) then recovers the private key.

(Source: KISA Technical Specification)
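The two KeyStore wrapping schemes above, worked through as an added example in Go (not code from the KISA specification or from KICA): WrapDirect/UnwrapDirect model the Android 6.0+ path where a KeyStore AES key wraps the accredited-certificate private key, and WrapEnveloped/UnwrapEnveloped model the Android 4.3 to 5.x path where a random session key wraps the private key and a KeyStore RSA key wraps the session key. AES-GCM, RSA-OAEP and in-process keys stand in for the device KeyStore, the private-key bytes are a constructed placeholder, and every function name is this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed stand-in for the DER-encoded private key of an accredited certificate.
var SamplePrivateKeyDER = []byte("CONSTRUCTED-SAMPLE-NPKI-PRIVATE-KEY")

// NewKeyStoreRSA stands in for the RSA key pair the Android KeyStore generates on-device.
func NewKeyStoreRSA() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapDirect is the Android 6.0+ path: the AES key kept in the KeyStore wraps the
// private key directly ("Encrypted private key1"); AES-GCM authenticates the blob.
func WrapDirect(keyStoreAESKey, privDER []byte) ([]byte, error) {
	gcm, err := newGCM(keyStoreAESKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh nonce, prepended to the ciphertext
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, privDER, nil), nil
}

// UnwrapDirect is "Decryption(AES)"; a tampered or truncated blob is rejected.
func UnwrapDirect(keyStoreAESKey, blob []byte) ([]byte, error) {
	gcm, err := newGCM(keyStoreAESKey)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// WrapEnveloped is the Android 4.3 to 5.x path: a random session key wraps the private
// key ("Encrypted private key2") and the KeyStore RSA public key wraps the session key.
func WrapEnveloped(keyStorePub *rsa.PublicKey, privDER []byte) (encSession, encPriv []byte, err error) {
	session := make([]byte, 32)
	if _, err = rand.Read(session); err != nil {
		return nil, nil, err
	}
	if encPriv, err = WrapDirect(session, privDER); err != nil {
		return nil, nil, err
	}
	encSession, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, keyStorePub, session, nil)
	return encSession, encPriv, err
}

// UnwrapEnveloped recovers the session key with the KeyStore RSA private key (which
// never leaves the KeyStore), then unwraps the accredited-certificate private key.
func UnwrapEnveloped(keyStorePriv *rsa.PrivateKey, encSession, encPriv []byte) ([]byte, error) {
	session, err := rsa.DecryptOAEP(sha256.New(), nil, keyStorePriv, encSession, nil)
	if err != nil {
		return nil, err
	}
	return UnwrapDirect(session, encPriv)
}
```

Because the wrapped blobs are authenticated, a private key copied off the device and modified is rejected at unwrap time rather than silently yielding wrong key material.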

4.1 Secure Storage for smartphone (2/2)

2) Android TrustZone (Source: www.arm.com)

3) iOS KeyChain

<iOS 2.0 and above (use AES key)>
- An AES key is kept in the KeyChain.
- The private key is encrypted with that AES key (Encryption(AES)) and stored as "Encrypted private key1"; Decryption(AES) with the KeyChain AES key recovers it.

(Source: KISA Technical Specification)

5. Logical Architecture

[Diagram]
- User (Smartphone): RP Application, FIDO Client, ASM, Authenticator (Iris, Fingerprint) with Biometric Sensors; REE (Normal World) and TEE (Secure World); Crypto Module, PKI Module, Certificate Management Module (CA)
- Service Provider (SP): Service Server, RP Server
- FIDO Service Provider: FIDO Server
- Accredited CA: CA Server, OCSP Server (OCSP)
- Flows: FIDO UAF Protocol, FIDO AuthCode, Electronic Signature, Certificate Verification, Certificate Management (Issuance, Reissuance, Renewal, Revocation)

The K-FIDO system consists of a smartphone, an accredited CA, a FIDO service provider, and a service provider.

5.1 Registration Process

Participants: RP Application, FIDO Client, Authenticator (Biometric Sensor, Crypto Module, Secure Element), Certificate Management Module (CA), FIDO Server, CA Server

FIDO Registration
① Request Certificate Issuance
② UAF Registration Request
③ Bio-authentication
④ FIDO signature
⑤ UAF Registration Response
⑥ Request Certificate Issuance
⑦ Generate key pairs
⑧ Request Certificate Issuance
⑨ Issue a certificate
⑩ Accredited certificate
⑪ Save the accredited certificate and encrypted private key

The K-FIDO registration process uses the FIDO registration protocol and has the CA issue the accredited certificate after the user’s bio-authentication has been verified.

5.2 Authentication Process

Participants: RP Application, FIDO Client, Authenticator (Biometric Sensor, Crypto Module, Secure Element), PKI Module, FIDO Server, Service Server, RP Server, OCSP Server

FIDO Authentication
① Request electronic signature
② UAF Authentication Request
③ Bio-authentication
④ FIDO signature
⑤ UAF Authentication Response
⑥ Request electronic signature
⑦ Request electronic signature
⑧ Generate electronic signature
⑨ Send Signed Data (to the Service Server)
⑩ Verify Signed Data (RP Server)
⑪ Certificate Verification (OCSP Server)
⑫ Verify AuthCode

The K-FIDO authentication process uses the FIDO authentication protocol and generates an electronic signature with the user’s private key. The service provider verifies the signed data and checks the certificate with the OCSP server.

6. K-FIDO Service Demo

Demo Scenario of K-FIDO Service: PC → Push → Mobile (the fingerprint is enrolled under Settings > Lock screen and security > Fingerprints)

(Source: KICA K-FIDO Demo APP)

6. Service Demo: ① Registration

The Registration of Accredited Certificate
– The fingerprint match policy is single matching between each accredited certificate and a fingerprint.
– The user can choose a different biometric authentication if the site provides multiple authenticators.

Screens: Execute KICA App → Register Fingerprint → Verify Password → Registration Result

1. Click the “Bio-Authentication Center” icon.
2. Input the password for the selected accredited certificate.
3. If it matches, perform fingerprint authentication.
4. If this succeeds, fingerprint registration for the accredited certificate is completed.

(Source: KICA K-FIDO Demo APP)

6. Service Demo: ② APP Login

Example of Smartphone Login
– The accredited certificates are stored in the user’s smartphone.
– The K-FIDO authenticator can connect to any FIDO client and any Service Provider APP through the SDK.

Screens: App Execution → Select Certificate → Complete Login

1. Click the “login” icon based on the accredited certificate.
2. Select an accredited certificate to use and authenticate with a registered fingerprint.
3. If it matches, the login process succeeds.

(Source: KICA K-FIDO Demo APP)

6. Service Demo: ③ Web Login

Example of Web page Login
– The web browser on the PC does not install any ActiveX software (HTML5).
– The user has signed up for the web site and registered his/her mobile phone number.

1. Select login based on fingerprint.
2. Input an ID and click “Login”; the KICA App Push Service pushes the request to the registered user’s smartphone.
3. Select an accredited certificate to use, touch the fingerprint sensor, and authenticate with a registered fingerprint.
4. Send the authentication result to the service provider server.
5. Complete the Web page login.

(Source: KICA K-FIDO Demo APP)

PART III. Bio-Authentication Case Study

1. Bio-Authentication Service Model

Service types: On-Premises Type, ASP Type, Cloud Type

• Samsung’s payment platform
• Support for credit card/account payment, ATM saving/withdrawal, etc.
• Alternative to certificate passwords (KISA)
• Firmware-level support from Samsung Galaxy Note7 (Samsung PASS)
• Cloud-based service (SECaaS)
• Target for small & medium business
• Alternative to Passwords (FIDO Alliance)
• User authentication method with fingerprint, iris, etc.

2. Bio-authentication Case Study

Name          | Purpose                              | Authentication Type   | Authenticator     | Service Type | FIDO Service   | Phone Brand    | Open Date
Samsung Pay   | Payment, ATM Saving/Withdrawal, etc. | FIDO (Samsung)        | Fingerprint, Iris | ASP Type     | KICA           | Samsung        | 2015.08.20
Samsung Card  | Login, Payment                       | FIDO (KICA)           | Fingerprint       | ASP Type     | KICA           | Samsung, APPLE | 2016.08
IBK Bank      | Money Transfer                       | K-FIDO (KICA)         | Fingerprint       | ASP Type     | KICA           | Samsung        | 2016.08.12
KEB Hana bank | Money Transfer                       | FIDO (Samsung PASS)   | Iris              | On-Premise   | Samsung        | Samsung        | 2016.08.19
Wooribank     | Login, Money Transfer                | K-FIDO (Samsung PASS) | Iris              | ASP Type     | Samsung + KICA | Samsung        | 2016.08.19

(Source: Samsung Pay APP, Samsung Card APP, IBK APP, Wooribank APP, KEB Hana bank APP)

2. Case Study: Device Configuration

[Diagram] Device configurations for Samsung (FIDO), SAMSUNG (Samsung PASS: Authentication Framework) and SAMSUNG (Samsung PAY: Pay Framework), and for a FIDO device with the KICA Library (RP Client SDK). Components shown: FIDO Client, ASM, Authenticator, FIDO Module, K-FIDO Module, Crypto Module, Certificate Management Module, PKI Module, Pay Module, Sensor.

3. CASE 1: Samsung Pay

[Feature matrix shown on each case slide]
- Platforms: Android, iOS, Windows
- Distribution: Android (Samsung, LG, Others), Windows PCs, Mobile App Stores (Google Play, iOS App Store)
- Use Cases: Credit Card Payments, Internet Banking (Money Transfer, Account Payment), ATM Saving / ATM Withdraw, Authentication / Login
- Protocols (General Purpose): FIDO (UAF), K-FIDO (UAF)
- Security Foundations: Hardware (ARM TrustZone, Secure Element, USIM, IC Card), Software (In Apps), On Device (PIN, Fingerprint, Iris, Voice, Face)
- Services Model: On Premise Type, ASP Type (Samsung Pay, KICA, Samsung PASS), Cloud Type (Security as a Service)
- Authenticator

Samsung Pay is the new, simple and secure way to pay with your Samsung Galaxy device. Accepted almost anywhere you can swipe or tap your card.

3.1 Samsung Pay: Overview (CASE 1)

Safe and secure mobile payments virtually anywhere you can swipe your card
- Everywhere: MST, NFC payment; offline & online payment
- Simple: one hand operation; easy to set up; consistent user experience; value added service
- Secure: Fingerprint Authentication (FIDO support); Samsung KNOX; Tokenization

(Source: Samsung Pay)

3.2 Samsung Pay: Security (CASE 1)

Security & Protection: Designed with our highest level of security available
- Fingerprint Authentication: Transactions are authorized with your fingerprint, so you’re in control of when each payment is made.
- Tokenization: Each transaction uses a random token instead of your card number, which means your actual information isn’t shared when you shop and your details stay safe.
- Samsung Knox: With Samsung KNOX, your phone is constantly monitored for vulnerabilities. Even if your phone is ever compromised, your card information is still safely encrypted within a separate and secure data vault.

(Source: Samsung Pay)

3.3 Samsung Pay: Credit Card Payment (CASE 1)

Payment process of Samsung Pay: NFC + MST (the fingerprint is enrolled under Settings > Lock screen and security > Fingerprints)
• NFC: Near Field Communication
• MST: Magnetic Secure Transmission

(Source: Samsung Pay)

3.4 Samsung Pay: Add Card Process (CASE 1)

Screens 1-10: Select ‘Add Card’ → Add Card → Enter card info → Agree Term → Mobile Authentication → Fingerprint Verification → Type Payment Password → Enter Signature → Complete

(Source: Samsung Pay)

3.5 Samsung Pay: Payment Process (CASE 1)

Screens 1-3: Fingerprint or Iris Authentication → Select Card or Bank Account → Touch POS Device

Number 1: Samsung Pay (Easy and Secure), Customer Satisfaction Survey of Easy Payment Service (August 30, 2016, Korea Consumer Agency)

(Source: Samsung Pay)

3.6 Samsung Pay: ATM Saving/Withdrawal (CASE 1)

This is a working scenario of the FIDO based ATM in Wooribank.

Smart Phone (Samsung):
① Select Withdraw from bank account
② Enter your bank account PIN
③ Type in the withdrawal amount
④ Scan your fingerprint to withdraw your cash

ATM (NFC Reader):
④ Hold your device near the ATM card reader
⑤ Withdraw the money from the ATM machine

(Source: Wooribank ATM)

4. CASE 2: Samsung Card

[Feature matrix: Platforms, Distribution, Use Cases (incl. Easy Payments), Protocols, Security Foundations, Services Model, Authenticator, as on the CASE 1 slide]

Fingerprint based FIDO service, Samsung Card: this model provides fingerprint authentication for login and easy payment using Samsung and APPLE smartphones.

4. Samsung Card: Fingerprint Login (CASE 2)

Step 1: The user registers fingerprint login: Agree Term → Mobile Authentication → Fingerprint Authentication → Registration End
Step 2: The user logs in with the fingerprint: Login Start → Fingerprint Authentication → Login Success

(Source: Samsung Card APP)

5. CASE 3: IBK Bank

[Feature matrix: Platforms, Distribution, Use Cases (incl. Easy Payments), Protocols, Security Foundations, Services Model, Authenticator, as on the CASE 1 slide]

Fingerprint based K-FIDO service, IBK Bank: this model provides fingerprint authentication instead of the accredited certificate password for site login, money transfer and so on using a Samsung smartphone.

5. IBK Bank: Registration (1/2) (CASE 3)

The i-ONE Bank service of IBK Bank provides K-FIDO based smart banking.

Screens: Certification Center → Certification List → Certificate Password → Register Fingerprint

① Click the “Authentication Center” menu
② Click the “Fingerprint Registration” menu
③ Select the accredited certificate
④ Type the password of the selected accredited certificate

(Source: IBK bank APP)

5. IBK Bank: Registration (2/2) (CASE 3)

This is the accredited certificate registration process with a fingerprint.

Screens: Term and Conditions → Mobile authentication → OTP Numbers → Fingerprint → Complete Registration

⑤ Start Fingerprint Registration
⑥ Click “User Agreement”
⑦ Mobile Authentication
⑧ OTP Authentication
⑨ Perform Fingerprint authentication
⑩ Complete Registration

(Source: IBK bank APP)

6. CASE 4: KEB Hana Bank

[Feature matrix: Platforms, Distribution, Use Cases (incl. Easy Payments), Protocols, Security Foundations, Services Model, Authenticator, as on the CASE 1 slide]

Iris based FIDO service, KEB Hana Bank: this model provides the iris authentication of Samsung Pass for money transfer and so on using a Samsung smartphone. (An alternative to the accredited certificate, but ARS authentication and OTP are still used.)

6. KEB Hana Bank: Iris Registration (1/2) (CASE 4)

Screens 1-6: Iris-login Information, Agree Term, Create Samsung Account, Iris Registration Start, Login, Select Iris-Login

(Source: KEB Hana Bank APP)

6. KEB Hana Bank: Iris Registration (2/2) (CASE 4)

Screens 7-14: Check User Info → SMS / Security Card Authentication → Show Iris Info → Samsung PASS info → Agree S-PASS Term → Set S-PASS PIN → Iris Authentication → Registration End

(Source: www.etnews.com)

6. KEB Hana Bank: Money Transfer (CASE 4)

Screens 1-4: ARS Authentication, Start Money Transfer (withdrawal account information, deposit account information), Iris Authentication, End Money Transfer

ARS: 2-channel authentication (phone, internet)

(Source: www.etnews.com)

7. CASE 5: Wooribank

[Feature matrix: Platforms, Distribution, Use Cases (incl. Easy Payments), Protocols, Security Foundations, Services Model, Authenticator, as on the CASE 1 slide]

Iris based K-FIDO service, Wooribank: this model provides the iris authentication of Samsung Pass instead of the accredited certificate password for site login, money transfer and so on using a Samsung smartphone. (No ARS authentication or security card is used.)

7. Wooribank: Certificate Registration (CASE 5)

Screens 1-9: Bio-Auth Center → Login → Start Registration → User Notification → Agree Term → Mobile Authentication → Iris Authentication → Certificate Issuance → Complete Registration

(Source: www.etnews.com)

7. Wooribank: Login / Money Transfer (CASE 5)

Login (screens 1-4): Wooribank APP → Iris Authentication → Iris Verification → Select Money Transfer
Money Transfer (screens 1-4): Input account info → Confirm info → Iris Verification → Complete Transfer

(Source: Wooribank APP)

Dr. JJ Kim ([email protected])

About KICA
- No.1 Certification Service and Bio-authentication Service in Korea
- PKI Solutions
- FIDO Certified Products
- Over 20 Countries