A study on the FIDO authentication system using OpenSource


  • Lee, Hyun-Jo (Dept. of Computer Engineering, Jeonbuk National University) ;
  • Cho, Han-Jin (Dept. of Energy IT, Far East University) ;
  • Kim, Yong-Ki (Dept. of IT Convergence System Engineering, VISION College of JeonJu) ;
  • Chae, Cheol-Joo (Dept. of General Education, Korea National College of Agriculture and Fisheries)
  • Received : 2020.03.31
  • Accepted : 2020.05.20
  • Published : 2020.05.28

Abstract

As the number of mobile device users grows, research into user authentication methods that protect sensitive personal information has become active. Knowledge-based methods (such as passwords) are weak because the authentication secret is easily exposed, and possession-based methods raise deployment cost and lower convenience for users of the service. To address these problems, the FIDO authentication system, a user authentication method that uses the user's own smart device, has been proposed. Because FIDO verifies the user with biometric information, and does so locally on the device, the risk of the authentication means being leaked is low; and because the authentication credentials are stored on the user's smart device rather than on the server, the problem of user credentials being exposed when a server is hacked is removed. This makes it possible to select and deploy a user authentication technology that matches the security level of the service. In this paper we introduce the FIDO authentication system, explain the main components needed to develop a FIDO UAF client and server, and show an implementation example built on the UAF open source released by eBay.

