http://dx.doi.org/10.7840/kics.2012.37C.9.841

On the Security of Public-Key-Certificate-Relay Protocol for Smart-Phone Banking Services  

Shin, DongOh (Information Security Research Lab, Department of Computer and Information Engineering, Inha University)
Kang, Jeonil (Information Security Research Lab, Department of Computer and Information Engineering, Inha University)
Nyang, DaeHun (Information Security Research Lab, Department of Computer and Information Engineering, Inha University)
Lee, KyungHee (Department of Electrical Engineering, University of Suwon)
Abstract
Most banks in Korea provide smartphone banking services. To use such a service, the user's public key certificate and its private key, which are stored on a personal computer, must be installed on the smartphone. Because transferring the certificate over a USB cable is inconvenient, many banks provide an intermediate server that relays certificates to smartphones over the Internet. In this paper, we analyze the certificate transfer protocol between the personal computer and the smartphone and describe a possible attack based on the results of that analysis. We successfully extracted the public key certificate and the password-protected private key from the encrypted data packets. In addition, we discuss several solutions for transferring public key certificates from personal computers to smartphones safely.
Keywords
Public-key-certificate-relay; Financial security; Smart-phone banking; Network sniffing; Decompilation;