A Comparative Analysis of PKI Authentication and FIDO Authentication

  • Park, Seungchul (School of Computer Science and Engineering, Korea University of Technology and Education)
  • Received : 2017.03.08
  • Accepted : 2017.05.17
  • Published : 2017.07.31

Abstract

The two-factor authentication capability of PKI authentication, private key possession and knowledge of the key protection password, together with its strong public key cryptography protocol, have contributed greatly to the rapid construction of a trusted infrastructure for Internet transactions. The reusability of a single certificate-based identity across every PKI site was another contributing factor in the spread of PKI authentication. Nevertheless, PKI authentication has been criticised mainly for the cost of PKI construction, the inconvenience of individual certificate management, and the difficulty of password management. Recently, FIDO authentication has received considerable attention as an alternative to PKI authentication. FIDO authentication is also based on public key cryptography and provides strong authentication services, but it does not require issuing a certificate to each individual, and it provides user-friendly and secure authentication services by integrating biometric technologies. The purpose of this paper is to concretely compare PKI authentication and FIDO authentication and, based on the analysis results, to propose the applications suited to each.

PKI (Public Key Infrastructure) authentication has contributed greatly to building a trust infrastructure for Internet transactions through its two-factor authentication capability, private key possession and knowledge of the private-key protection password, and its secure public key cryptographic protocol. The ability to access every PKI site with a single certificate has also contributed to the spread of PKI authentication. Nevertheless, several problems have been exposed, including the cost of building the certificate infrastructure, user inconvenience arising from certificate management, and the difficulty of managing private-key protection passwords. FIDO (Fast IDentity Online) authentication, which has recently attracted attention, provides strong authentication services based on public key cryptographic protocols like PKI authentication, yet does not require issuing a certificate to each user, and it pursues secure and convenient authentication services in combination with biometric authentication and similar methods. The purpose of this paper is to concretely compare how PKI authentication and FIDO authentication operate, analyze the advantages and disadvantages of each, and present the corresponding application areas for each.
