Accredited Certification Services on Cloud Environment. SungEun Moon KOSCOM 17 September, 2012

Transcription

1 Accredited Certification Services on Cloud Environment SungEun Moon KOSCOM 17 September, 2012

2 Index Existing Accredited Certificate Use and Enhanced Security Measure Accredited Certificate Issues on Mobile and Cloud Environment Accredited Certificate Service Model on Cloud Environment 2

3 Existing AC Use(1) Existing AC Use and Enhanced Security Measure AC : Accredited Certificate As you know that accredited certificate(below AC) has been established very important authentication mean on internet trading such as Banking, Stock trading, and Government for Citizen in Korea Existing AC Issuance A Number of Issuance : 2,441M ( 11.2) - Individual : 2,214M - Corporation/Business Operator : 227M Internet Banking use(per day) : 3,370M/29.6T AC Awareness Internet users are almost recognized AC 98.9%(former, 99.8%) Origin from : Fact Finding Survey for Nation(KISA) - It represents the rate used digital certificate or AC as using internet banking, online stock trading, and credit card payment on internet (Unit : %) - Non-users are recognized 88.5% about AC AC Awareness AC Necessity 3

4 Existing AC Use(2) Internet Users have been used the most AC for identification Existing Authentication Means Use (Unit : %) Internet users are used the most accredited certificate(97.4%, Multiple-reply) for identification - 20 ~ 50 age : They are used the most AC(95% over) - 10 age : Name + National ID(89.7%), Mobile Identification(91.1%) AC has used the most on Website for registering and modifying information AC Mobile Name + IdentificationNational ID Security Card Credit Card Identification I-PIN PC Phone Private Image OTP Designation Authentication for Service Service preventing phishing Mainly used ID/PW(44.0%, Multiple-reply) and AC (33.9%) for identification to sign on Website 44.0 (AC Users, n=2,992,unit : %) 33.9 AC Security Awareness - AC Users think that AC is very securely (78.6%) Leaked accredited certificate by hacked PC on public reporting(80.9%) that s why is not securely to use AC to Non-users ID/PWD AC Name + National ID /PWD I-PIN 4

5 Existing AC Use(3) AC has spreading to use on mobile devices, but it should improve for convenience Existing Mobile Banking Use Total 66.2% of repliers have experienced mobile banking - Males are higher than females, 20 ages are used the most - Reasons why non-users are not used : No needs(39.0%), Fee(8.1%) The response that AC to be used on mobile banking help to improve security : 65.4% 20.1 Excellent Improvement on Mobile Banking 45.3 good 27.4 Common Use 66.8% No Use 33.8% Not Bad (Total, n=3,300,unit : %) (Mobile Banking Users, n=1,428,unit : %) Bad (33.3%) Not issued a AC directly to mobile devices (27.2%) Not easy transmitted a AC between PC s and Mobile devices (22.9%) Retransmitted inconvenience as updating AC (16.6%) Inconvenience for transmitting AC per banks 5

6 Enhanced Security Measures for AC(1) MOPAS has prepared enhanced security measures, which prevent for leaked AC and strengthen storage media and password system to avoid stolen and loss, for using and managing AC on April in 2011 Enhanced Security Measures MOPAS = Ministry of Public Administration and Security To use AC securely, printing out warning message as saving AC on PC - Gradually AC constrains to save on PC among storages Expanding system for using IC card, HSM(Hardware Security Module) with function that prevent for leaked AC - Establishing environment to use secure elements Enhanced guideline and system for setting AC password - Printing out guide message to be included special characters as setting password Origin from MOPAS 6

7 Enhanced Security Measures for AC(2) Expanding Restoration System Establishing and Operating 24 hours response system to prevent a leak - The report of loss(subscriber) Accepting application thru 118(KISA) AC revocation(ca) Conducting to prevent illegal action on real-time by receiving the current status(dead, missing) of subscriber from public agencies - Based on digital signature act Noticing usages as using accredited certificate to subscriber thru SMS, - Recommending subscriber notice service - Conducting notice service to banks as to update, reissuance status of AC Limited reissuance on internet gradually 7

8 Security Measures for Mobile Electronic Finance Service Financial supervisory administration has prepared security measures to resolve latent security threats by spreading mobile devices Electronic Financial Service Security Measures for Mobile(Summary) (Basic Concept) To provide secure electronic financial service from latent security threats, keeping reasonable security level (similar to PC environment) Using AC as sign on website or adding OTP(including security card) except ID/PW Financial transaction data have to send/receive between communication channels Not leaked and modified critical data such as password, applying input information security measure Not permitted critical data to save on mobile Preventing malicious code such as virus Using digital signature for preventing non- repudiation Establishing monitoring system to cope with new threats 8

9 AC Issues on Mobile AC Issues on Mobile and Cloud Environment We will prepare to prevent AC leak, and resolve inconvenience such as transmitting AC between mobile and PC like AC leak prevention measure on PC Categories Contents Remarks Preparing to prevent AC leak latently Preparing to prevent AC leak on mobile devices Similar to PC Enhanced security Improving Functions Not easy to transmit AC to mobile device Transmitting AC per financial agencies Retransmitting AC as updating AC Happened inconvenience issues Improving compatibility for Web Activating for mobile web Similar to PC 9

10 AC Issues on Cloud(1) Way to manage AC in focused on mobile device has increased inconvenience according to spread mobile devices 2009 AC on PC in house and PC in office. OK~ Purchased Smartphone. OK Purchased Tablet PC. Inconvenience? Where located AC? Leak threat? Removing HDD/USB on PC in office? 10

11 AC Issues on Cloud(2) In case of using AC on a variety of cloud devices and services, happened remarkable issues additionally Categories Preparing to prevent AC leak latently Improving Functions Contents Resolving leak possibility by hacker on smart device, cloud storage, and virtual desktop Resolving leak possibility of plural AC on a variety of smart devices Not easy to transmit AC in a variety of smart devices Transmitting AC per financial agencies Retransmitting AC as updating Preparing measure if no HDD/USB or not permitted them Improving compatibility for Web Activating for mobile web Applying diversity smart devices such as chrome book 11

12 AC Service Model on Cloud Environment AC Service Model on Cloud To resolve AC issues on cloud service environment, managing AC by using secure server instead of devices can be leaked highly and studying suitable service model to use AC conveniently on cloud environment Using mobile phone anytime, anyplace Sharing multimedia anytime, anyplace Using AC anytime, anyplace 12

13 Basic Conditions for Cloud Authentication Service Showing basic conditions for trustworthy authentication service implementation, which can be used more comfortable AC and can be relieved leak possibility on a variety of devices, as below Categories Trustworthy Service Provider Secure storage and management on Server Secure storage and management on device Managing life cycle in focused on server Supporting a variety of devices and platforms Secure identification CA Contents Saving key information to be divided to plural servers. Even though someone gets key information, no gain private key without owner Not saved private key on non-volatile(hdd, USB) memory but saved on volatile Only saved accredited certificate on server as updating(not saved AC per devices) Supporting PC, Smart phone, Tablet, and Multi OS Identification using secure security means(two- Factor, Two-Channel) 13

14 Cloud Auth Service Flow Saved AC on auth-server as issued it on device, downloading it from auth-server by identification on device to be needed it (saved it on volatile memory, and removed it from volatile memory after finished) 1 AC to be issued has saved on auth- server with identification information 2 Downloading AC from auth-server after performing identification process in the instant that AC is necessary 3 Using AC 4 Removing AC after using it(auto) 14

15 Expected Effect of Cloud Auth Service Cloud auth service in future might be deal with AC and electronic documents effectively Unlike individual, Not easy to manage import and export for employee in case of corporation purpose AC In case of using auth-service, setting to control that specific staff can works specific task in specific times AC Management for individual and corporation It is possible to implement function for managing key thru identification of persons in charge(plural) As doing digital signature anywhere and anytime, generating electronic document to be attached digital signature Electronic Document Activation Reducing documents by digital signature, attributing to establish paperless environment 15

16 Considerations The Continuous Correspondence for Security Threats on Cloud Service Requested monitoring and updating as to a variety of security threats to be issued newly In case of not confirmed security by vulnerability of desktop virtual solution, applying additional security solution for resolving security vulnerability to reflect secure cloud auth service(in case of leaked key input information of subscribers, applying input information security solution) Studying continuous identification means such as biometric for secure identification, and reflecting them on field Studying Identification means Choose Service Happened repulsion about saving critical information to outer server 16

17 17