The Status of Korea PKI · 2017-12-08 · architecture and fido uaf protocol. user device browser /...
The Status of Korea PKI
Jonghyun BAEK, Manager, KISA, Korea
INTER-REGIONAL STANDARDIZATION FORUM FOR BRIDGING THE STANDARDIZATION GAP (BSG), Muscat, Oman, 11-12 December 2017
NPKI vs. GPKI
PKI Scheme of Korea
Legislations for NPKI
Roles of Root CA(KISA) in NPKI
Accredited CA in NPKI
Accredited Certificate Subscriber
International Cooperation on PKI
Accreditation Policy for CA
Accreditation Procedure
Annual Audit for accredited CA
Internet Banking
Online Stock
Public Service (G4C)
Smart Phone Banking
This technology links FIDO authentication to NPKI certificates through an extension message, without changing the FIDO architecture or the FIDO UAF protocol.
[Architecture diagram] User device: browser / app, FIDO client, ASM, PKI library, PKI secure storage, FIDO authenticators (…), with the REE / TEE boundary drawn on the device side. Relying party: web server, PKI server (RA, CA), FIDO server. External: certification authority, external PKI service (CA, OCSP, CRL), FIDO metadata service. Protocols labelled on the diagram: UAF (between the FIDO client and the FIDO server) and CMP (RFC 4210, 4211) for certificate management.
FIDO - NPKI certificate Link Technology
Encryption of Private Key Using Biometric Data
FIDO authentication lets users use their certificates with registered biometric data (BT) instead of entering passwords: the certificate's private key is encrypted with a key derived from the biometric data, following the password-based schemes of PKCS#5 and PKCS#8.
Encryption (at enrolment): select Salt (S), Count (C) and dkLen; DK = KDF(BT, S, C, dkLen); the private key M is encrypted under DK by the encryption algorithm, giving C (encrypted private key).
Decryption (at use): DK = KDF(BT, S, C, dkLen); C (encrypted private key) is decrypted under DK, recovering the private key M.
Certificate Issuing Flow
[Sequence diagram] Participants: User Device (RP Client, FIDO Client, PKI Library), Relying Party (RP Server, FIDO Server), Certificate Authority (CA Server). Messages as labelled on the slide (steps 1-7):
Request for certificate
Request for registration in FIDO
Respond to the request for registration in FIDO
Request for information for issuing of certificate
Request for certificate
Issue certificate
Biometric certification (fingerprint, iris, face recognition, PIN, etc.)
Certificate Use Flow
[Sequence diagram] Participants: User Device (RP Client, FIDO Client, PKI Library), Relying Party (RP Server, FIDO Server), Certificate Authority (CA Server). Messages as labelled on the slide (steps 1-6):
Click the certificate button
Request for FIDO certification
Respond to the request for FIDO certification
Request for digital signature
Respond to the request for digital signature
Biometric certification (fingerprint, iris, face recognition, PIN, etc.)
7. Request for confirmation of certificate
8. Result of confirmation of certificate
9. Confirm the digital signature
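The issuing flow and the use flow driven end to end, as an added Go example that is not the presentation's or KISA's code. Assumptions: the "Request for certificate" / "Issue certificate" exchange is modelled as a PKCS#10 CSR rather than the CMP messages of the architecture slide; the subscriber key is ECDSA P-256; the FIDO registration, FIDO authentication and biometric-gate steps are not modelled, so the example starts where the PKI library holds the key and the RP has sent a challenge to sign. The types and functions (CA, newCA, Issue, deviceEnrol, rpVerify, runFlows) are mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CA stands for the accredited certificate authority of the slides: a self-signed root and its key (constructed).
type CA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func newCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &CA{cert: cert, key: key}, nil
}

// Issue is the CA side of "Request for certificate" -> "Issue certificate":
// verify the CSR's proof of possession, then sign a client-authentication certificate.
func (ca *CA) Issue(csrDER []byte) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	if err := csr.CheckSignature(); err != nil { return nil, fmt.Errorf("CSR proof of possession failed: %w", err) }
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key)
}

// deviceEnrol is the PKI library's part of the issuing flow: the key pair is
// generated on the device and only a signed CSR leaves it.
func deviceEnrol(subject string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: subject}}, key)
	return key, csr, err
}

// rpVerify is steps 7-9 of the use flow: confirm the certificate chains to a trusted
// root and permits client authentication, then confirm the signature over the challenge.
func rpVerify(roots *x509.CertPool, certDER, challenge, sig []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil { return err }
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil { return fmt.Errorf("certificate confirmation failed: %w", err) }
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok { return errors.New("unexpected public key type") }
	digest := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) { return errors.New("digital signature does not verify") }
	return nil
}

// runFlows drives issuing and use end to end: issuer signs the certificate, trusted is the
// root the RP holds, and tamper flips one challenge bit after signing (the failure case).
func runFlows(issuer, trusted *CA, tamper bool) error {
	key, csr, err := deviceEnrol("constructed subscriber")
	if err != nil { return err }
	certDER, err := issuer.Issue(csr)
	if err != nil { return err }
	challenge := make([]byte, 32) // the RP's fresh nonce, carried in "Request for digital signature"
	if _, err := rand.Read(challenge); err != nil { return err }
	digest := sha256.Sum256(challenge) // device side: signed only after the biometric gate releases the key
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil { return err }
	if tamper { challenge[0] ^= 0x01 }
	roots := x509.NewCertPool()
	roots.AddCert(trusted.cert)
	return rpVerify(roots, certDER, challenge, sig)
}

func main() {
	ca, err := newCA("constructed accredited CA")
	if err != nil { panic(err) }
	fmt.Println("honest flow:", runFlows(ca, ca, false))
	fmt.Println("tampered challenge:", runFlows(ca, ca, true))
}
```

The RP performs the two confirmations in the order the slide numbers them: the certificate is checked against the root first, so a signature is never evaluated under a key the RP has no reason to trust, and a certificate issued by a CA outside the RP's trust store fails at step 7 even though its signature would verify arithmetically.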
Use Cases of FIDO + NPKI certificates
Enables users to use certificates with their registered biometric data (fingerprint or iris) instead of entering passwords.
To prevent certificate leakage, the NPKI certificate is stored in the TrustZone (TZ) of the smartphone.
Vehicular PKI
PKI Model of WAVE 1609.2 (IEEE)
NPKI vs. Vehicular PKI
Vehicular PKI system components
Draft Korea Vehicular PKI Model
Thank you