1. South Korea has 5 accredited certificate authorities that issue digital certificates to around 20 million users for applications like internet banking, online stock trading, e-commerce, and e-government services.
2. The PKI landscape in South Korea consists of a national PKI (NPKI) established in 1999 and a government PKI (GPKI) established in 2001. The two systems were later cross-certified to ensure interoperability.
3. Over time, the Korean PKI system saw upgrades to technologies, expansion of mandatory certificate usage in certain industries, introduction of fees for individual certificates, and division of certificate markets between certificate authorities (CAs).
2. Overview (1/3)
5 Accredited CA’s issued accredited certificates to user around 20
million in total
Major PKI Applications
Internet Banking, Online Stock, Internet Shopping, Procurement, e-Gov
Services
Shopping mall: Credit card 20.7
(over 300,000 KRW)
Nov.,2005 18.7
Cyber trading
Mar., 2003
17.2
14.4
Internet banking
Sep., 2002 11.0
9.5
E-Bidding
dd
7.8
78
Oct., 2000
4.9
1.5
0.3
2000 2001 2002 2003 2004 2005 2006 2007 2008 2009.6
Number of annual issuance of certificates (published by MOPAS, Unit: Million)
38
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
3. Overview (2/3)
Statistics on Accredited CA’s
i i di d ’ (published by O S)
( bli h d b MOPAS)
Accredited CA/ Accredited Main Business
No. Characteristics
Web site Date Area
SG (CA: SignGATE) All industry,
1 2000. 02. 10 Corporation
http://www.signgate.com government
KOSCOM (CA: SignKorea) Special purpose
2 2000. 02
2000 02. 10 Cyber trading
http://www.signkorea.com Corporation
KFTC (CA: yessign) Non-commercial
3 2000. 04. 12 Internet banking
http://www.yessign.com Organization
CrossCert (CA: CrossCert)
4 2001. 11. 24 Corporation -
http://gca.crosscert.com
State-run
KTNET (CA: TradeSign)
5 2002. 03. 11 Corporation with Trading
http://www.tradesign.net
special mission
39
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
4. Overview (3/3)
PKI Model i Korea
d l in
GPKI NPKI
Established in 2001 pursuant to Established in 1999 under Electronic
Act
E-Government Act Signature Act
Ministry MOPAS (Ministry of Public Administration and Security)
in Charge
Root CA GCMA (http://www.gpki.go.kr) KISA (http://www.rootca.or.kr)
Main
Public Servants Individual, Company
p y
Customer
Algorithm NEET (not open) SEED, AES
Types of Accredited Certificate and Fees
Types Entity Certificate Usage Field Fee
Individual All electronic transactions ≅ US$ 4/year
General
Corporation All electronic transactions ≅ US$ 100/year
- G2C, Bank, Insurance Free
Specific - G2C, Stock, Insurance Free
- G4C, Credit Card Free
40
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
5. PKI Scheme
Mutual
Recognition
g
N ti
National R t CA
l Root G
Government R t CA
t Root
(KISA) (GCMA)
Certification issuance / Certification issuance /
g
Management g
Management
Accredited
CA
… Accredited
CA
Accredited
CA
… Accredited
CA
Certification issuance / Certification issuance /
Management Management
… E-Government
… E-Government
Service Provider Service Provider
Subscriber Subscriber
41
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
6. Role of Root CA
Accredited CA
Root CA
International
Cooperation
Root CA
(KISA)
Technical
T h i l
Specification Environment of
Usage of
Electronic
Legal & Policy Signature
g
Issue
www.sgco.kr 42
Copyright 1999-2008@SG Inc.
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
All rights reserved
7. Scope of Benchmarking
Subject contents
Electronic Signature Act, Decree and Ordinance
Law, Policy,
Certification Practices St t
C tifi ti P ti Statement
t
Standards
Electronic Signature Certification Technology
Government PKI
National PKI
Electronic Signature Promotion
Provide User s Convenience
User’s
User
End of Certificate Free Trial Period
Adapt HSM (Hardware Security Module)
PKI Model
Interoperability among Accredited CA’s
CA s
Accredited
A di d
Upgrading of PKI technologies
CA
Division of PKI Markets
Cross certification for NPKI and GPKI
Root
R t CA
Addition of Root CA Certificate to MS IE
Applications Mandating Accredited Certificate (bank, stock)
PKI
E-Procurement, Internet Banking, Payment Gateway, G4C etc
Applications
43
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
8. Framework of Registration
- Ensure the security and reliability of electronic documents
Electronic
El t i and to promote their use
Signature
Act - Promoting nationwide informationalization and improving
convenience in people's living standard
people s
Electronic Signature Act, Decree and Ordinance
CA Accredited CA’s Accredited CA’s Accredited CA’s
accreditation Operation i
Protection CPS
measure
Regulation on Guideline for Regulation on Accredited CPS
Accredited CA’s
CA s Certification Practice Accredited CA’s
Facility and Equipment protective measures Framework
Technical Specification
44
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
9. CPS (Certification Practices Statement)
Contents Detail
- Transmission of Registered Information
- Request for Issuance of Certificate
Management
- Generation of Certificates
of
- Request for Suspension, Restoration and Revocation of Certificates
Certificates
- Generation of Certificate Suspension and Revocation List
- Public Announcement and Validation of Certificates
- Generation of Private Pairs - Protection of Private Pairs
Management - Backup of Private Pairs - Revocation of Private Pairs
of Key Pairs - Loss, Destruction, Theft or Leakage
of Private Keys
Other - Provision of Time Stamping - Time Reception and Correction
Certification - Storage of Time Stamping Records - Storage of Electronic Documents
Services - Backup of Time Stamping Records - Other Supplementary Services
- Conformity with Technical Specifications
- Scope and Intended Use of Certificates
- Conformity to Certification Procedure
- Matters concerning Facilities and Equipment
g q p
- Management of Certification Service Records
Others
- Management of Certification Service Records through the representative
- Management of Audit Records
- Management of Registration Authorities
g g
- Test Run of Certification Practice
- Correct Provision of Information and Public Notification
45
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
10. History of NPKI in Korea
Year ‘00 ‘01 ‘02 ‘03 ‘04 ‘05 ‘06 ‘07 ‘08
Activity
Electronic Signature Promotion
Interoperability among Accredited
CA’s
Provide User s Convenience
User’s
Cross certification for NPKI and GPKI
Mandating Accredited Certificate
(bank, stock, E-malls)
End of Certificate Free Trial Period
Upgrading of PKI technologies
Division of PKI Markets
Addition of Root CA Certificate to MS
IE and other Browsers
Adapt HSM (Hardware Security
Module)
46
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
11. Interoperability among Accredited CA’s
general-purpose
CA A certificate User A x Company 1
App 1
CA B User B App 2 Company 2
Accredited CA E-service Provider S/W development
p y
Company
-Subscriber who has an general-purpose accredited certificate can do
all kinds of electronic transaction at Internet
-To provide t h l i
T id technologies th t recognize and process accredited
that i d dit d
Goals certificates regardless of who issue them
-To provide data to policy-makers on how to determine the scope and
conditions of each accredited certificate
Lesson to The interoperability issue should be considered which
learn
l arises during early stages of the NPKI construction
construction.
47
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
12. Cross-Certification for NPKI and GPKI
A PKI B PKI
CTL
B
issuance A
Root CA Root CA
Hash Certificate Path Hash
A_RootCA A_RootCA Cert B_RootCA
CA
CTL
CTL issued by A_RootCA CTL
B_RootCA Cert
B_CA
B CA
A_CA B_CA Cert
B_User Cert
verify generate
signature
i signature
i B_USER
B USER
A_USER
-Two years after establishment of the NPKI in 1999, the GPKI was
brought to birth. The two got to have overlapped service areas.
Background -To smooth out simultaneous operation of both, realization of cross-
certification is vital, which was obtained by means of a simplified CTL
(i.e.
(i e Certificate Trust List)
List).
To avoid duplication of resources and confusion in
Lesson to
policy-making,
policy-making services should be provided through a
learn
single root CA.
48
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
13. Mandatory Use of Accredited Certificates
-The mandatory use was intended to protect the banking and trading
systems, where security breaches occurred frequently in the process of
Background identity verification, against hacking and other attacks and to enhance
security b mandating accredited certificates, a tool that verifies
i by d i di d ifi l h ifi
identification most efficiently.
-Accredited certificate in Banking and Stock Trade
◊ Mandating use of the certificate in banking & online stock trading
* Government consulted with Financial Supervisory Service (FSS)
about using the certificate in the financial field
* FSS made it mandatory to use the certificate in internet bank
(Sep., 2002) and online stock trading (March, 2003)
Progresses -Accredited certificate in Online Shopping
◊ Use credit card with the certificate at internet shopping mall
* FSS announces a new policy that credit cards should be used
with the certificate in Online Shopping (July, 2003)
* E-malls have to be configured to verify the identity of the
cardholder and the payer by September, 2006.
Lesson to To boost the certification market, the mandatory use
learn of PKI on some industries has been recommended.
49
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
14. Accredited Certificate Fees for Individuals
-To promote use of accredited certificates, services were provided free
of charge.
-Accredited certificates were provided without any charge to relieve
the initial burden of customers to secure adjustment period and to
customers, period,
build up the Internet services.
-The deteriorating financial status of CA’s led to efforts to improve
Background security and quality of certification services.
◊ Only corporate certificates began to be charged for
(Approximately, 100 $ /year).
◊ It was unable to impose any liabilities on CA’s since they did not
generate any profits
profits.
◊ CA’s were unable to make additional investments, for example, in
equipment.
-Individuals began to pay fees. (June, 2004)
◊ Individual accredited certificate of general purpose: $4/year
Progresses ◊ Individual accredited certificate of limited purpose:
Implementation thereof was in the sole discretion of a CA (CA’s were
CA. (CA s
able to charge only after September, 2004.)
Lesson to For CA’s to serve the public with stability in operation an
CA s
learn d services, free trial periods should not be provided.
50
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
15. Division of PKI Markets
Individual
CA Characteristics General Specific Purpose Corporation Total
Purpose (Bank)
non-profit 63% 76% 29% 67%
KCFC
organization 4$/year Free 100$/year or Free
-KESA (Korea Electronic Signature Act) amended to set
“borders” between different markets (December, 2005)
◊Th amended KESA d
◊The d d demands tougher requirements f
d h i for a
government agency or a non-profit organization to get designated as
Progresses CA.
-Implementation of PKI with divided roles (July, 2006)
Implementation
◊ The KCFC, under the new KESA, is not allowed to issue
certificates of general purpose; it can only issue certificates required
for banking.
Different natures of CA’s may lead to conflicts and
Lesson to harm to the market. Thus, it is necessary, in some case,
learn to t b
t set boundary between certificate markets.
d b t tifi t k t
51
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
16. Upgrading of PKI technologies
-The term “upgrading (or its verb form “to upgrade”) refers to any
effort made to increase system security and compatibility of
Background
technologies such as renewal of private keys, adjustment of length of
private keys application of RFC3280 etc
keys, RFC3280, etc.
-Renewal of Root CA certificate and Accredited CA Certificates
-Upgrading of private-key lengths
Upgrading private key
Before Feb., 2006 After Feb., 2006
Valid period Key Length Valid period Key Length
Root CA 10 years 2048 bit 20 years 2048 bit
Major
M j
Accredited CA 5 years 1024 bit 10 years 2048 bit
missions
User 1 year 1024 bit 1 year 1024 bit
-Application of RFC 3280
Application
◊ International standard changed: RFC 2459 RFC 3280
-Offline operation of Root CA’s directory
◊ The CRL’s of Root CA are posted on directories of six CA’s.
Advance of technologies does not always guarantee
Lesson to stability of certification technologies. Thus, counter-
counter
learn measures should be considered in advance.
52
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
17. Addition of Root CA Certificate to MS IE
JCSI
VeriSign RSA
Hongkong Post VISA
Thawte
Microsoft Korean Root CA
• Microsoft Root Certificate Program Members: 58 CA’s (15 accredited CA s)
CA s CA’s)
-When using services like e-mail and web server with domestic
certificates, security warnings popped up, causing confusion among
Problems users.
-Foreign CA’s (i.e., VeriSign) recognized by MS Windows got to
and
monopolize the Korean PKI markets for SSL, code signing certificates.
solutions
-By mounting certificates of Korean Root CA’s on MS Windows, it has
y ou t g ce t cates o o ea oot C s o S W do s, t as
become possible to apply their certificates to Windows-based web
services including web server, secured e-mail and code signing etc
A country should accumulate and retain its own
Lesson to technologies related to security and certification to
learn enhance its national competitive edge.
★ Inclusion KISA Root CA Certificate in Web Browsers (~'08)
Internet Explorer ('06.02), Safari ('07.03), Opera ('08.05), FireFox ('06~)
53
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
18. HSM Token as a secure storage
Storage for Certificate
Interface between the
Token and the
Subscriber s
Subscriber’s S/W
<Subscriber's S/W> <HSM Access Program> <HSM Token>
-A hardware protected secure storage with hardware cryptographic
accelerator to generate and store private keys
Background
① Digital signing and generation of a private key can be done
inside the Token ② Private keys can not be exported
Token,
-If subscriber uses hard disk for certificate storage, some malicious
Problems
programs can control subscriber’s PC and extract that information.
-Developing the technical specifications for HSM Token with
certificate ('06~'07.8)
Progresses
-Carrying out the evaluation for the interoperability of HSM Token
('07.9~)
Lesson to In order to enhance subscriber’s personal security
learn environment, HSM Token as a secure storage can use.
54
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
19. HSM Evaluation Process
Storage media for private key and certificate should be evaluated by Root CA in
order to provide the interoperability of personal security environment.
Evaluation Criteria
• HSM Storage Format Specification for Accredited Certificate
Root CA • Accredited Certificate Usage Specification for HSM
Request evaluation
Give certificate CA
Vender
Publish
Into Lists
Certified Product Lists User’s PC
EE A S/W
User can choose
Smar
any products PKCS#11
t
Card
PSE
• PSE: Personal Security Environment, HSM: Hardware Security Module
55
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
20. Asia PKI Consortium
• Non-profit i
fi international collaboration b d i Asia region, specialized f i f
i l ll b i body in i i i li d for information security areas
i i
• Objectives : To realize borderless and seamless e-commerce in a secure and trustworthy
way, in Asia regions
•F
Founded : N
d d Nov. 2007
• Member : Korea (KISA), China, Taiwan (As of June, 2008)
Composed of all P i i l member
C d f ll Principal b
Approve resolutions by GA
Determine policy, direction, strategy
Steering Committee (SC) Composed of all members
Elect Ch i
l Chairperson and Vice chairperson
d i h i
General Assembly (GA) Decide to Start and Dismiss WG
Task-force based
Working Group Secretariat
Actual WG
Mobile Privacy
PKI WG SME WG Other WG
WG WG Candidate
WG
Thoughts should be given to the issue of international
Lesson to interoperability. Close cooperation, for example, with
learn the Asia PKI Consortium will be helpful.
56
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved