FIDO UAF and PKI in Asia - Case Study and Recommendations by Karen Chang and Wei-Chung Hwang, APKIC
- Presented at FIDO Seoul Public Seminar on December 5th, 2018
All Rights Reserved | FIDO Alliance | Copyright 2018
FIDO UAF AND PKI IN ASIA – A CASE STUDY AND RECOMMENDATIONS
JOINT WHITE PAPER OF FIDO ALLIANCE AND ASIA PKI CONSORTIUM (APKIC)
KAREN CHANG – EGIS TECHNOLOGY
WEI-CHUNG HWANG - APKIC
DECEMBER 5, 2018
BACKGROUND OF APKIC (1)
• The Asia PKI Forum was founded in 2001 and became the Asia PKI Consortium in 2007, with leading organizations from the Asia region, supported by the government and industrial sectors
• Objectives:
▸ Promote the application of PKI in e-commerce, e-government, e-finance, etc.
▸ Advance interoperability among PKIs in the countries of the Asia region
▸ Collaborate with the global community to deliver a comprehensive framework for e-authentication
BACKGROUND OF APKIC (2)
• Policy and Technology
▸ Asia PKI Interoperability Guideline
▸ CA Responsibilities and Liability
▸ Legal Issues on New Security Technologies
▸ Mutual Recognition of National PKIs (Greater China, ASEAN)
▸ Cross Border Applications (Trade, Financial)
• Promotion and Awareness
▸ Asia PKI Case Study
▸ Asia PKI Company List and Total Solutions
▸ Asia PKI Best Practice Award
▸ Asia PKI Innovation Award
▸ PKI Market Survey
▸ International Collaboration (PAA, AFACT, APSCA, FIDO, etc.)
NEEDS TO BE ADDRESSED
• Both the financial and government sectors are highly regulated in the region
▸ Most regions in Asia and Europe have regulations requiring PKI for digital (electronic) signatures with legal effect
▸ Financial transactions are required to use PKI in some regions, with the certificate issued by a Certificate Authority (CA) endorsed under the digital (electronic) signature regulations
• Accelerate the adoption of FIDO in Asia
▸ APKIC member companies are not very familiar with FIDO and its use of biometrics
▸ Whitelisting of FIDO is needed in certain regions
• e.g., FIDO is whitelisted for certain financial transactions in some regions (Korea, Taiwan)
▸ Different member companies have different ideas on how FIDO should be used, especially together with an existing PKI system
▸ FIDO has its own policies and opinions, too
FIDO WEBSITE (APRIL 2018)
CURRENT DEVELOPMENT IN ASIA (1)
• Digital Signature Regulation, National PKI, Public/Licensed CA

Country/Region | National/Regional PKI | Digital Signature Legislation | Financial Regulation on PKI | eID and Other PKI Applications
China | ✓ (Some regions) | ✓ (ESL, 2005) | Mandatory for financial transactions above a certain amount | eID (Optional, with PKI), e-Government, e-Commerce, etc.
Hong Kong | ✓ (HKPost[13]) | ✓ (ETO[19], 2000) | Optional | eID (Mandatory, with PKI option), e-Government, e-Commerce, etc.
India | ✓ (CCA[14]) | ✓ (ITA-CCA, 2000) | Mandatory for high-risk bank transactions | eID[26] (Mandatory, signed by PKI), e-Government, e-Commerce, etc.
Japan | ✓ (JPKI[15]) | ✓ (ESaCBA, 2000) | Optional | eID (Optional, with PKI option), e-Government, e-Commerce, etc.
Korea | ✓ (NPKI, GPKI) | ✓ (ESA, 1999) | Optional (Mandatory until 2014) | eID (Optional, without PKI), e-Government, e-Commerce
Macao | ✓ (eSignTrust[16]) | ✓ (EDSL, 2005) | Optional | eID (Mandatory, with PKI option), e-Government, e-Commerce, etc.
Taiwan | ✓ (GPKI[4], FRCA) | ✓ (ESA, 2002) | Mandatory for high-risk bank transactions and all online stock trading | eID (Optional, with PKI), e-Government, e-Commerce, etc.
Thailand | ✓ (NRCA[17]) | ✓ (ETA, 2001) | Optional | eID, e-Government, e-Commerce
CURRENT DEVELOPMENT IN ASIA (2)
• Deployment of FIDO, PKI, and Others (map of the region with one callout per country)
China
• eID by MPS with PKI
• Domain/Regional PKI: CFCA, BJCA, …
• FIDO in Chinese: FCWG
India (6)
• National eID (UIDAI): AADHAAR (Fingerprint, IRIS)
• National PKI (CCA): eMudhra, (n)Code, … - Financial, Government, Procurement, …
• Digital Signature Regulation
Korea (1)
• National eID: NID card & i-PIN
• National PKI (KISA): NPKI & K-FIDO / GPKI & G-FIDO - Financial, Commerce, Government, …
• Digital Signature Regulation
Taiwan (2)
• Private Sector: TWID (Financial Identification with PKI) + FIDO; TWID + Mobile ID
• Government Sector: T-FIDO & Government PKI (MOEACA for Citizen)
• Telecom (FIDO-based CRM)
• Local Government (IOTA Tangle ID)
• Digital Signature Regulation
Hong Kong / Macao (5)
• Hongkong Post, Macau Post - eID with PKI (and FIDO)
• Digital Signature Regulation
Thailand (3)
• National PKI (NRCA by ETDA)
• eID (not active yet)
• Digital ID Committee
• National Digital ID Co., Ltd: Blockchain + MQ
• ETDA Connect: Blockchain (Omise) / FIDO
• Digital Signature Regulation
Singapore
• eID (SingPass)
Malaysia
• eID with PKI and fingerprint (MyKad, …)
Japan
• National eID: My Number Card with JPKI
• FIDO in Telecom/Financial/Commerce and others
• Digital Signature Regulation
FIDO VS. PKI
(Diagram placing the two architectures side by side; both are built on key pairs)
FIDO: Authenticator, Authentication Server, Relying Party, Attestation Service, key pairs
PKI: Token, Certificate Authority, Registration Authority, Validation Authority, Relying Party, key pairs, …
CASE STUDY (1)
• K-FIDO (FIDO + NPKI certificate) by KISA
CASE STUDY (2)
• Taiwan Identification Center (FIDO + PKI) by TWCA
RECOMMENDATIONS
• Three classes to integrate FIDO and PKI
▸ Class 1: Shared Authenticator
Only client-side implementation is needed
▸ Class 2: Synchronized Registration Process
Server-side integration, with or without client-side implementation (modelled on the derived credential model)
(1) Bootstrapping PKI registration with FIDO
(2) Bootstrapping FIDO registration with PKI
(3) Combined registration for FIDO and PKI
▸ Class 3: Shared Key Pairs
Needs both server-side integration and client-side implementation
(1) FIDO reuses PKI's key pair
(2) PKI reuses FIDO's key pair
(3) Generate a new FIDO+PKI key pair
• Classes 1 and 2 could be implemented by extension of the FIDO specifications
• Class 3 may conflict with the FIDO Security Guidelines and the UAF specification
▸ Not in the scope of the recommendations in this version of the white paper
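The Class 2 (2) exchange, bootstrapping FIDO registration with PKI, worked through in Go as an added example; this is not code from the white paper, from KISA's K-FIDO or from TWCA's TWID. The self-signed root and the user certificate are a constructed stand-in for a national CA and the user's PKI token, the relying party's trusted-root pool and user table are hypothetical, and the response layout (the new FIDO public key plus a PKI signature over the challenge and that key) is this example's own rendering of the derived-credential idea, not a FIDO UAF or FIDO2 wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MakeCert is a constructed toy PKI standing in for the national CA and the user's PKI token:
// ca == nil yields a self-signed root, otherwise a leaf signed by ca.
func MakeCert(cn string, ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fixture only; rand.Reader does not fail
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	parent, signer := ca, caKey
	if ca == nil { // self-signed root
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above; cannot fail
	return cert, key
}

// RegistrationResponse is the client's answer when FIDO registration is bootstrapped with PKI
// (Class 2 (2)). The PKI signature ties the new key to this one challenge, so a captured
// response can be neither replayed nor re-keyed in transit.
type RegistrationResponse struct {
	FIDOPubDER []byte // SubjectPublicKeyInfo of the new FIDO key
	CertDER    []byte // user's PKI certificate, the identity proof
	PKISig     []byte // ECDSA by the PKI key over SHA-256(challenge || FIDOPubDER)
}

func bindingDigest(challenge, pubDER []byte) []byte { // challenge is fixed at 32 bytes
	d := sha256.Sum256(append(append([]byte{}, challenge...), pubDER...))
	return d[:]
}

// ClientRegister is the authenticator side: mint a FIDO key pair, then have the PKI token sign it.
func ClientRegister(challenge []byte, pkiKey *ecdsa.PrivateKey, cert *x509.Certificate) (*ecdsa.PrivateKey, RegistrationResponse, error) {
	fidoKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, RegistrationResponse{}, err
	}
	pubDER, _ := x509.MarshalPKIXPublicKey(&fidoKey.PublicKey) // P-256 keys always marshal
	sig, err := ecdsa.SignASN1(rand.Reader, pkiKey, bindingDigest(challenge, pubDER))
	return fidoKey, RegistrationResponse{pubDER, cert.Raw, sig}, err
}

// Register is the RP side. It binds the FIDO key to the certificate subject only if the certificate
// chains to roots and the PKI signature covers exactly this challenge and this key. A production RP
// would also query the VA (CRL/OCSP) before trusting the certificate.
func Register(roots *x509.CertPool, users map[string]*ecdsa.PublicKey, challenge []byte, r RegistrationResponse) (string, error) {
	cert, err := x509.ParseCertificate(r.CertDER)
	if err != nil {
		return "", err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	pkiPub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pkiPub, bindingDigest(challenge, r.FIDOPubDER), r.PKISig) {
		return "", fmt.Errorf("PKI signature does not bind this FIDO key to this challenge")
	}
	pub, err := x509.ParsePKIXPublicKey(r.FIDOPubDER)
	fidoPub, ok := pub.(*ecdsa.PublicKey)
	if err != nil || !ok {
		return "", fmt.Errorf("FIDO public key is not a usable ECDSA key")
	}
	users[cert.Subject.CommonName] = fidoPub
	return cert.Subject.CommonName, nil
}

// Demo runs the happy path once with the toy PKI and returns the subject the RP bound the key to.
func Demo() (string, error) {
	caCert, caKey := MakeCert("Example National CA", nil, nil, 1)
	userCert, userKey := MakeCert("alice", caCert, caKey, 2)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	challenge := make([]byte, 32)
	rand.Read(challenge)
	_, resp, err := ClientRegister(challenge, userKey, userCert)
	if err != nil {
		return "", err
	}
	return Register(roots, map[string]*ecdsa.PublicKey{}, challenge, resp)
}

func main() {
	fmt.Println(Demo())
}
```

`go run` prints the subject the RP bound the new key to (alice). The binding signature is what makes the registration safe to carry over an untrusted channel: Register refuses a response replayed under a different challenge, a captured response whose FIDO public key was swapped, and a certificate that chains to a root outside `roots`, because cert.Verify is given only the RP's own pool and never falls back to the system roots. The mirror-image Class 2 (1) flow, bootstrapping PKI registration with FIDO, has the RA demand a valid FIDO assertion before it accepts the user's certificate request.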
FIDO2 and PKI
(Diagram; components shown: Browser PKI, Platform PKI, Internal PKI Token, External PKI Token, PKCS#11, RP PKI App for PKI Identification/Signature, RP App Server, PKI Server (CA/RA/VA Server); Class 1 and Class 2 integration points; Browser, Platform)
FIDO2+PKI
• Future Use Cases:
▸ United States:
• Education (Students and Teachers)
• Healthcare (Medical Wallet)
• Government (First Responders, DoD, DoI)
▸ Taiwan:
• Government Mobile Identity for Citizens (G2C services)
Pilot Project for Mobile Authentication & Identification Platform
(Diagram: the government CAs MOICA, GCA, HCA, MOEACA and XCA together with FIDO2 feed a platform backed by the National Citizen Database)
☞ Services: Service Portal, Tax filing, Health bank, e-Invoice, Finance, …
☞ Decentralized Identification & Applications (e.g. Blockchain, Distributed Ledger, …)
☞ Use PKI to bootstrap the FIDO2 account (ID proofing)
☞ Use FIDO2 to enhance the security of the cloud-based PKI system
☞ FIDO2 & PKI in one token/authenticator
WELCOME TO JOIN US!
2018 FIDO TAIPEI SEMINAR
NOVEMBER 30, 2018
VICTORIA TAIPEI HOTEL
We Work Together!
Moving Beyond Passwords!
CLIENT ARCHITECTURE (1)
• PKI uses FIDO's Authenticator
CLIENT ARCHITECTURE (2)
• FIDO uses PKI's Token
CLASS 2 (1)
• Bootstrapping PKI registration with FIDO
CLASS 2 (2)
• Bootstrapping FIDO registration with PKI
CLASS 2 (3)
• Combined registration for FIDO and PKI
CLASS 2 (4)
• Revocation Process