i-pin Service (internet-personal Identification Number Service)
Identity Management across the Public and Private Sectors in Korea

Contents
- The Genesis of i-pin
- The Concept of i-pin & Integrated IDM
- The Trust Foundation of i-pin
- The Function of i-pin
- The Future of i-pin

The Genesis of i-pin

A Korean has an RRN (Resident Registration Number)
- Contains various kinds of personal information
- Unique and permanent number assigned to an individual by the Government
- Example of Resident Registration Number: 880101-1234568

[Diagram: Web site joining. Labels: Bob (user), Web Site, Credit Inquiry Company, DB Server, DB Table]

DB Table
  Name     Resident Registration Number
  Alice    881213-1234567
  Bob      811104-2345678
  Zeus     740311-1245678

The Genesis of i-pin

- Personal information disclosure through RRN theft is posing a serious threat to Korean society
- The primary type of privacy infringement is creating a website membership using another person's RRN

Number of complaints by type
  Type                           2005              2006
  RRN infringement               9,810 (53.9%)     10,835 (46.4%)
  Collection without agreement   1,140 (6.3%)      2,565 (11.0%)
  Usage except purpose           916 (5.0%)        917 (3.9%)
  Request refusal                771 (4.2%)        923 (3.9%)
  Others                         5,569 (30.6%)     8,093 (34.8%)
  Total                          18,206            23,333

Others: infringements not specified by law, management inadequacy, etc.

The Concept of i-pin

i-pin issuance procedure
Parties: User, Website (SP), Trusted Third Parties (IDSP) <5 TTPs>
1. Request membership joining
2. Request i-pin
3. Apply for i-pin issuance
4. Interaction for i-pin issuance <Verification methods>
   - proof of owner's RRN
   - registration of i-pin ID & PW, etc.
5. Send user's information

- After issuance of i-pin, users use i-pin ID & PW instead of RRN
- Prevent privacy from infringement caused by RRN theft
- User information is real name, i-pin, protection information for multiple subscription, birth date, sex, etc.

The Concept of Integrated IDM

Integrated ID issuance procedure
Parties: User, Village Office, Integrated ID Center (IDSP), Governmental Website (SP)
Trust relationship between IDSP and SP (SAML 2.0 Protocol)
1. Face-to-Face Confirmation
   - registration of user's information
2. Registration of user's info.
3. Join the IDSP
4. Request the joining the SP
5. Request ID federation after user's agreement
6. Establishment of ID federation

- ID federation means that user's information is transferred by IDSP to SP.
- User information is real name, unique number, birth date, sex, etc.

The Trust Foundation of i-pin

Authentication based knowledge
- Accredited Certificate: private key of certificate
  An accredited certificate is issued by an ACA (Accredited Certification Authority) after the user visits the ACA or an RA (Registration Authority).
- Credit Card Information: Secret Number of Credit Card
  A credit card is issued by a CCC (Credit Card Company) after user identification is confirmed by the CCC.
- Cell Phone SMS: Authentication Number
  A cell phone is sold by a CPTC (Cell Phone Telecommunication Company) after user identification is confirmed by the CPTC.

Authentication based possession
- Face-to-Face
  The user visits the TTP with his certificate of residence.

The Function of i-pin

Difference with using RRN on the Internet
- Re-issuance of i-pin at any time (changeable with no restriction, cost)
- No personal information in i-pin (only issuer information)
- Stronger identity verification method than RRN
- Non-traceable of other website registration information

Improving Expediency of i-pin
- Whichever of the 5 different TTPs i-pin service users choose, they can access any website that has applied the i-pin service

Protection information for multiple subscription
- Provide only unique information into website
- Non-traceable of other website unique information

Other information for marketing
- Birth date, Sex, Real name, etc.
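
The "protection information for multiple subscription" above has two properties: one unique value per website, and no way to trace it to the value held by another website. The following Python sketch is an added example, not part of the original slides and not KISA's or any TTP's actual derivation, which the slides do not describe. The HMAC construction, the key TTP_SECRET, the function and class names and the SP names are all assumptions made for illustration.

```python
import hashlib
import hmac

# Assumption: a secret held only by the TTP (constructed demo value).
TTP_SECRET = b"constructed-demo-key-not-a-real-secret"


def subscription_token(rrn: str, sp_id: str, key: bytes = TTP_SECRET) -> str:
    """Derive the per-website value an SP uses to detect multiple subscriptions.

    Hypothetical construction: HMAC-SHA256 over a length-prefixed (sp_id, rrn)
    pair, so the SP gets a stable value for this person without seeing the RRN.
    """
    rrn_norm = rrn.replace("-", "").strip()
    if len(rrn_norm) != 13 or not rrn_norm.isdigit():
        raise ValueError("RRN must be 13 digits")
    sp = sp_id.strip().lower().encode()
    # Length prefix keeps different (sp_id, rrn) splits from colliding.
    msg = len(sp).to_bytes(2, "big") + sp + rrn_norm.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ServiceProvider:
    """A website that stores only the token, never the RRN."""

    def __init__(self, sp_id: str):
        self.sp_id = sp_id
        self.members = {}  # token -> chosen username

    def join(self, token: str, username: str) -> bool:
        if token in self.members:  # this person already subscribed here
            return False
        self.members[token] = username
        return True


def demo():
    rrn = "880101-1234568"  # the example RRN shown on the slides
    shop = ServiceProvider("shop.example")    # constructed SP names
    forum = ServiceProvider("forum.example")
    t_shop = subscription_token(rrn, shop.sp_id)
    t_forum = subscription_token(rrn, forum.sp_id)
    first = shop.join(t_shop, "alice")
    second = shop.join(subscription_token(rrn, shop.sp_id), "alice2")
    other = forum.join(t_forum, "alice")
    # Tokens differ per site, so the two sites cannot match their records.
    return first, second, other, t_shop != t_forum


if __name__ == "__main__":
    print(demo())
```

Without the TTP's key, a website cannot recompute another website's token from its own, nor test guessed RRNs against the token it holds.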

The Future of i-pin

Facilitation of i-pin usage
- Current number of i-pin users: 25,000 persons
- Future: every user owns more than one i-pin

Developing Next i-pin version
- Interoperability with the Integrated ID Management System for governmental websites served by MOGAHA (Ministry of Government Administration and Home Affairs)
- Interoperability with Electronic Wallet by ETRI (Electronics and Telecommunication Research Institute), KISA (Korea Information Security Agency), and MS (Microsoft Korea)
- Enhancing security, user control, etc.

Question & Answer

If you want more information about i-pin, contact me: cjchung@kisa.or.kr