융합정보논문지 (Journal of Convergence for Information Technology)

중소기업융합학회 (Convergence Society for SMB)
권호 표지
DOI QR코드

DOI QR Code

다중 채널 기반 오픈 API 보안 프로토콜에 관한 연구

A Study on Open API Security Protocol based on Multi-Channel

  • 김상근 (성결대학교 컴퓨터공학과)
  • Kim, Sang-Geun (Department of Computer Engineering, SungKyul University)
  • 투고 : 2020.10.14
  • 심사 : 2020.11.20
  • 발행 : 2020.11.28
PDF 다운로드
⟨ 이전 논문 다음 논문 ⟩

초록

금융권 공동 오픈 플랫폼 구축·서비스에 따라 스타트업 생태계에 안전한 보안 기술이 요구되고 있다. 금융권 표준 오픈 API는 상호인증 과정의 핵심 API 인증키 보호를 위해, 결제 관련 핀테크 기업이 추가 보안 기술을 개발/적용하는 것을 권고하고 있다. 본 연구는 다중 채널을 사용하는 강화된 API 보안 프로토콜을 제안한다. 기존 오픈 API 관련 연구의 문제점과 취약점을 추가 분석하고, 이기종 플랫폼의 호환성을 고려하여 설계되었다. 기존 보안 프로토콜의 단일 채널에 추가 보안 채널을 분리하여 은닉하는 방법을 적용했다. 성능 분석 결과 다중 채널의 통신 세션 양방향 안전성과 강화된 인증키의 중간자 공격 안전성을 확인하였으며, 다중 세션에서 지연시간의 연산 성능(1초 이하)을 확인하였다.

Safe security technology is required for the startup ecosystem according to the construction and service of a joint open platform in the financial sector. Financial industry standard open API recommends that payment-related fintech companies develop/apply additional security technologies to protect core API authentication keys in the mutual authentication process. This study proposes an enhanced API security protocol using multiple channels. It was designed in consideration of the compatibility of heterogeneous platforms by further analyzing the problems and weaknesses of existing open API related research. I applied the method of concealment to remove the additional security channels into a single channel of the existing security protocols. As a result of the performance analysis, the two-way safety of the communication session of the multi-channel and the security of the man-in-the-middle attack of the enhanced authentication key were confirmed, and the computational performance of the delay time (less than 1 second) in the multi-session was confirmed.

키워드

참고문헌

  1. Yi, M. (2020). Comparison of MyData Use Among the US, Europe, and the Korean Governments. Journal of the Korean BIBLIA Society for library and Information Science, 31(2), 183-201. DOI: 10.14699/kbiblia.2020.31.2.183
  2. J. H. Park. Activation of My Data System and Legal Issues. Law Research Institute of Ajou University, 14(1), 96-119. DOI : 10.21589/ajlaw.2020.14.1.96
  3. J. A. Park. (2020). Study on methods for establishing legislation on data protection and distribution. The Institute for Legal Studies, Sogang University, 9(2), 3-41. DOI : 10.35505/slj.2020.06.9.2.3
  4. M. J. Song & I. S. Kim. (2019). A Study on Privacy Protection in Financial Mydata Policy through Comparison of the EU's PSD2. Journal of The Korea Institute of Information Security and Cryptology, 29(5), 1205-1219.
  5. Financial Security Institute. (n.d).. Convergence Security Department Fintech Security Team. Guide(Onlnie). http://www.fsec.or.kr/
  6. J. H. Seo. (2018). Innovation strategy of the domestic banking industry through activation of open API. Korea Institute of Finance, 1-60.
  7. Feike Hacquebord at el. (n.d.). When PSD2 Opens More Doors: The Risks of Open Banking, Trend Micro. Cyber Threats. https://blog.trendmicro.com/
  8. J. H. Na & J. C. Na (2018). Open platform standardization trend for safe fintech service. Korea Institute Of Information Security And Cryptology, 28(4), 13-17. UCI : I410-ECN-0101-2018-004-003408438
  9. I. S. Kim. (2018). Financial security and countermeasures for the financial sector in response to changes in the fintech environment. Korea Federation of Banks Financial webzine, 732, 6-13.
  10. Financial Security Institute. (n.d.). Security check related to open banking (main contents), Financial Security Institute(Online). https://www.fsc.go.kr/
  11. https://developers.open-platform.or.kr
  12. J. E. Kim, I. S. Kim. (2017). A Study on the Liability of Information Protection for the Third Party Supply of Personal Information/Focus on Fintech Companies Using OPEN APIs. Journal of Korea Society for e-Business Studies, 22(4), 21-38. UCI(KEPA) : I410-ECN-0101-2018-004-001571185
  13. D. H. Choi, I. S. Kim. (2019). A Study on the Policy Proposal and Model B2B2C for Safe Open Banking. Journal of The Korea Institute of Information Security and Cryptology, 29(6), 1271-1283. DOI : 10.13089/JKIISC.2019.29.6.1271
  14. J. K. Jung, Y. M. Kim. (2016). Secure Access Token Model of Open Banking Platform using Hash Chain. The Korean Society Of Computer And Information Proceedings of the Korean Society of Computer Information Conference, 24(2), 277-280.
  15. M. S. Son, H. Y. Kim. (2020). A Real Estate Lease Transaction System Using Blockchain and Open Banking API. Journal of Korean Institute of Information Technology, 18(5), 109-119. DOI : 10.14801/jkiit.2020.18.5.109
  16. K. J. Jang. (2017). A Study on Business Application of Payment System using BlockChain Technology. Global e-Business Association, 18(6), 113-130. DOI : 10.20462/TeBS.2018.12.19.6.349
  17. S. M. Yoo et el. (2018). POSCAL : A Protocol of Service Access Control by Authentication Level. Journal of The Korea Institute of Information Security and Cryptology, 28(6), 1509-1522. DOI : 10.13089/JKIISC.2018.28.6.1509
  18. H. B. Kang, H. C. Jang, C. S. Jang. (2019). IUWT Based Token Authentication Technology. The Journal of Korean Institute of Information Technology, 17(2), 143-150. DOI : 10.14801/jkiit.2019.17.2.143
  19. K. W. Jung, H. S. Shin, J. H. Park. (2017). Integrated Authentication Protocol of Financial Sector that Modified OAuth2.0. Journal of the Korea Institute of Information Security & Cryptology, 27(2), 373-381. DOI : 10.13089/JKIISC.2017.27.2.373
  20. B. C. Lee. (2018). Stateless Randomized Token Authentication for Performance Improvement of OAuth 2.0 MAC Token Authentication. Journal of the Korea Institute of Information Security & Cryptology, 28(6), 1343-1354. DOI : 10.13089/JKIISC.2018.28.6.1343
  21. B. D. Gocer and S. Bahtiyar, (2019, September). An Authorization Framework with OAuth for FinTech Servers. In 2019 4th International Conference on Computer Science and Engineering (UBMK) (pp. 536-541). IEEE. DOI: 10.1109/UBMK.2019.8907182.
  22. Jakob Nielsen. (n.d.). 10 Usability Heuristics for User Interface Design. Nielsen Norman Group (Online). https://www.nngroup.com/articles/ten-usability-heuristics/