The Status of Korea PKI · 2017-12-08

The Status of Korea PKI

Jonghyun BAEK, Manager, KISA, Korea

INTER-REGIONAL STANDARDIZATION FORUM FOR BRIDGING THE STANDARDIZATION GAP (BSG), Muscat, Oman, 11-12 December 2017

NPKI vs. GPKI

PKI Scheme of Korea

Legislations for NPKI

Roles of Root CA(KISA) in NPKI

Accredited CA in NPKI

Accredited Certificate Subscriber

International Cooperation on PKI

Accreditation Policy for CA

Accreditation Procedure

Annual Audit for accredited CA

Internet Banking

Online Stock

Public Service (G4C)

This technology links FIDO registration and authentication to NPKI certificates by carrying the certificate operations in an extension message, without changing the FIDO architecture or the FIDO UAF protocol.

FIDO - NPKI certificate Link Technology (architecture diagram)

User device (REE and TEE): browser / app, FIDO client, ASM, PKI library, PKI secure storage, FIDO authenticators.

Relying party: web server, PKI server (RA, CA), FIDO server.

External: certification authority / external PKI service (CA, OCSP, CRL), FIDO metadata service.

Protocols shown: UAF (FIDO client to FIDO server) and CMP (RFC 4210, 4211; certificate management between the PKI library and the PKI server).

Encryption of Private Key Using Biometric Data

The FIDO authentication technology lets users use their certificates with the registered biometric data (BT) instead of entering a password: the private key is protected with a password-based scheme (PKCS#5 key derivation, PKCS#8 encrypted private key), with BT taking the place of the password.

Key derivation (same on both sides): select a salt S, an iteration count C and a derived key length dkLen, then

DK = KDF(BT, S, C, dkLen)

Encryption: the private key M is encrypted under DK with the chosen encryption algorithm, giving the encrypted private key (the slide labels this C as well; it is not the iteration count).

Decryption: recompute DK = KDF(BT, S, C, dkLen) from the presented BT and the stored S, C and dkLen, then decrypt the encrypted private key to recover M.

Certificate Issuing Flow

Participants: User Device (RP Client, FIDO Client, PKI Library); Relying Party (RP Server, FIDO Server); Certificate Authority (CA Server).

1. Request for certificate.
2. Request for registration in FIDO.
3. Biometric verification (fingerprint, iris, face recognition, PIN, etc.).
4. Respond to the request for registration in FIDO.
5. Request for information for issuing of certificate.
6. Request for certificate.
7. Issue certificate.

Certificate Use Flow

Participants: User Device (RP Client, FIDO Client, PKI Library); Relying Party (RP Server, FIDO Server); Certificate Authority (CA Server).

1. Click the certificate button.
2. Request for FIDO authentication.
3. Biometric verification (fingerprint, iris, face recognition, PIN, etc.).
4. Respond to the request for FIDO authentication.
5. Request for digital signature.
6. Respond to the request for digital signature.
7. Request for confirmation of certificate.
8. Result of confirmation of certificate.
9. Confirm the digital signature.

Use Cases of FIDO + NPKI certificates

Enables users to use certificates with their registered biometric data (fingerprint or iris) instead of entering a password.

To prevent certificate leakage, the NPKI certificate is stored in the TrustZone (TZ) TEE of the smartphone.


Vehicular PKI

PKI Model of WAVE 1609.2 (IEEE)

NPKI vs. Vehicular PKI

Vehicular PKI system components

Draft Korea Vehicular PKI Model

Thank you
