魂▪創▪通
Authentication Research Team 2013
2013. 11. 15.

Use Case and Requirement for Future Work
Sangrae Cho, Authentication Research Team
Slide 2: Korean banking use case

Parties in the diagram: Web Browser, caserver.com, bank.com

1. Public key pair is generated in the browser.
2. Issue certificate.
3. Use certificate (digital signature).
4. Verify certificate.
Slide 3: Prototype Architecture

Client Side | Server Side
- CA Server: Issuing / Updating / Revoking
- WebCert Gateway
Slide 4: CMP in Browser

Components in the Firefox Web Browser:
- HTML/JavaScript
- WebCert App
- WebCert API
- CMP (Certificate Management Protocol) Library
- Crypto Library
- ASN.1 Library
- Cert and Key Store
- PKCS#11 Library
- NSS Library
- Firefox Cert/Key DB

Legend: Open Source / ETRI Imp. (each component is marked as open source or as an ETRI implementation in the original diagram)
Slide 5: CMP operation flow in Browser

CMP operation flow in the case of certificate issuing:

Certificate issuing request
- CMP message handling
- CMP ASN.1 encoding
- Crypto operation (key generation and encryption)
- HTTP request

Certificate issuing response
- HTTP response
- CMP ASN.1 decoding
- Crypto operation (digital signature verification)
- CMP message handling
- Storage operation (store private key and cert to DB)
Slide 6: Requirement for future work

Private key
- Private key should be wrapped and unwrapped using a password.
- Private key should be wrapped when not in use.
- Password policy is required for a strong password.

Digital signature and encryption API
- API that supports PKCS#7 or JOSE for digital signature and encryption.

CertStorage API
- API that can access a key and certificate DB in a browser.
- Without this API, a certificate cannot be used.

External secure device support
- Strong requirement that a private key should be stored in a secure element such as a Smart Card or USIM in Korea.
- Need to support PKCS#11 compatible devices.

UI for certificate management & usage
- Guideline to suggest a UI for better user experience in certificate management & usage.