• Title/Summary/Keyword: 공인인증서 (accredited certificate)

Management Method to Secure Private Key of PKI using One Time Password (OTP를 이용한 PKI 기반의 개인키 파일의 안전한 관리 방안)

  • Kim, Seon-Joo; Joe, In-June
    • The Journal of the Korea Contents Association / v.14 no.12 / pp.565-573 / 2014
  • Various forms of e-commerce, such as online banking, stock trading, and shopping, are carried out using a PC or smartphone. In e-commerce, the two parties use certificates for identification and non-repudiation, but attacks on certificate users have been steadily increasing since 2005. Most of the hacking involves stealing the public certificate and private key files. After the theft, the stolen public certificate and private key file are used to commit fraud in e-commerce. Generally, the private key file is encrypted and saved using only the user's password, and an encrypted private key file can be used after it is decrypted with the user's password. If the password is exposed to a hacker, the hacker decrypts the encrypted private key file and uses it. For this reason, hackers attack user equipment in various ways, such as installing a Trojan horse, to take over the user's certificate and private key file. In this paper, I propose a management method to secure the private key of PKI using a One Time Password certification technique. As a result, even if the encrypted private key file is exposed, the user's private key is kept safe.

The Recovery of the Deleted Certificate and the Detection of the Private-Key Encryption Password (삭제된 공인인증서의 복구 및 개인키 암호화 패스워드의 검출)

  • Choi, Youn-Sung; Lee, Young-Gyo; Lee, Yun-Ho; Park, Sang-Joon; Yang, Hyung-Kyu; Kim, Seung-Joo; Won, Dong-Ho
    • Journal of the Korea Institute of Information Security & Cryptology / v.17 no.1 / pp.41-55 / 2007
  • The certificate is used to confirm and prove the user's identity in online finance and stock trading. A user's public key is stored in the certificate (e.g., SignCert.der), and the private key corresponding to the public key is stored in the private key file (e.g., SignPri.key) after encryption using the password that he/she created for security. In this paper, we show that a certificate deleted by commercial certificate software can be recovered without limitation using commercial forensic tools. In addition, we explain the problem that the private key encryption password can be detected offline using SignCert.der and SignPri.key, and propose a countermeasure to the problem.

Authentication Model of PKI-based Security Gateway using Blockchain having Integrity (무결성이 보장된 블록체인 기술을 활용한 PKI 기반 보안 게이트웨이의 인증 모델)

  • Kim, Young Soo; Mun, Hyung-Jin
    • Journal of Digital Convergence / v.19 no.10 / pp.287-293 / 2021
  • Recently, public certificates issued by nationally recognized certification bodies have been abolished, and internet companies have issued their own common certificates as certification authorities. The Electronic Signature Act was amended in a way that assigns responsibility to Internet companies. As the use of a joint certificate issued by Internet companies acting as certification authorities is allowed, it is expected that the fraud damage caused by the theft of public key certificates will increase. We propose an authentication model that can be used in a security gateway that combines PKI with a blockchain with integrity and security. To evaluate its practicality, we evaluated the security of the authentication model using Sugeno's hierarchical fuzzy integral, an evaluation method that excludes human subjectivity, and importance degree using the Delphi method by an expert group. The blockchain-based joint certificate is expected to be used as a base technology for services that prevent reckless issuance and misuse of public certificates, and secure security and convenience.

The optional CRL update method using hash values (해쉬값을 이용한 선택적 CRL 갱신 방법)

  • Park, Jung-Jin; Choi, Jae-Ho; Park, Jong-Min; Cho, Beom-Joon
    • Proceedings of the Korea Multimedia Society Conference / 2012.05a / pp.73-75 / 2012
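  • Accredited certificates are used online as a means of identity verification in financial transactions, e-commerce, e-government, and similar services. Because the CRL (Certificate Revocation List) verification method, one of the ways to check the validity of an accredited certificate, is difficult to perform in real time, accredited certificates can be used fraudulently. In this paper, we propose a method that uses hash values to quickly update only the information of certificates whose validity has been suspended in the CRL verification scheme.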

PKI based Certificates (PKI 기반의 공인인증서)

  • Hong, Kuk-Pyo; Kim, Jung-Hyun; Lee, Dong-Hoon; Choi, Song-Hwa
    • Korea Society of IT Services: Conference Proceedings (한국IT서비스학회:학술대회논문집) / 2009.05a / pp.201-204 / 2009
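  • With the development of information and communication technology, electronic transactions using electronic documents are used in many areas of daily life. Because they are conducted without face-to-face contact, electronic transactions have an identity verification problem. In this paper, we examine the concept, structure, and uses of the PKI-based accredited certificate, which is a solution to this problem, and the associated vulnerabilities.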

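Implementation of the Bidder Identity Verification System for Public Procurement Service Electronic Bidding (조달청 전자입찰 입찰자 신원 확인제도 시행)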

  • Korea Mechanical Construction Contractors Association
    • Monthly Mechanical Equipment (월간 기계설비) / no.8 s.205 / pp.54-54 / 2007
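  • Starting this October, an identity verification system for bidders in Public Procurement Service electronic bidding will take effect. To eradicate the practice of some companies that use Nara Jangteo (나라장터) illegally lending accredited certificates and disrupting the bidding order, the Public Procurement Service will, starting this October, verify the identity of bidders participating in electronic bidding by means of personal accredited certificates, and only qualified bidders registered in advance (the representative or a designated agent) whose identity has been verified will be able to submit bids. Further details are as follows.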

Design of Electronic ID System Satisfying Security Requirements of Authentication Certificate Using Fingerprint Recognition (지문 인식을 이용하여 공인인증서의 보안 요건을 만족하는 전자 신분증 시스템의 설계)

  • Lee, Chongho; Lee, Seongsoo
    • Journal of IKEEE / v.19 no.4 / pp.610-616 / 2015
  • In this paper, an electronic ID system satisfying the security requirements of an authentication certificate was designed using fingerprint recognition. The proposed electronic ID system generates a digital signature with forgery prevention, confidentiality, content integrity, and personal identification (=non-repudiation) using fingerprint information, and also encrypts, sends, and verifies it. The proposed electronic ID system exploits a fingerprint instead of a user password, so it avoids leakage and hijacking. It also provides the same legal force as a conventional authentication certificate. The proposed electronic ID consists of 4 modules, i.e., an HSM device, a verification server, a CA server, and an RA client. Prototypes of all modules are designed and verified to operate correctly.

An Efficient Electronic Signature using USIM Information on Smart phone (스마트폰 환경에서 USIM 정보를 이용한 효율적인 전자서명 기법)

  • Cho, Kang-Hee; Jun, Moon-Seog
    • Proceedings of the KAIS Fall Conference / 2010.11a / pp.247-250 / 2010
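  • Now that smartphones have become dominant since the release of the iPhone, smartphone security has also become a much-discussed topic. In particular, the problem has been raised that accredited certificates, which can be used only after installing ActiveX, cannot be used in the smartphone environment. As an alternative, KISA and ETRI are developing apps (applications) that allow accredited certificates to be used on smartphones; however, we propose a system that does not use accredited certificates and instead uses USIM information and a hash function, lowering system complexity compared with the existing PKI system and reducing the costs associated with establishing and managing a public-key framework.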

Certificate-based SSO Protocol Complying with Web Standard (웹 표준을 준수하는 인증서기반 통합 인증 프로토콜)

  • Yun, Jong Pil; Kim, Jonghyun; Lee, Kwangsu
    • Journal of the Korea Institute of Information and Communication Engineering / v.20 no.8 / pp.1466-1477 / 2016
  • Public key infrastructure (PKI), the principal technology of the certificate, is a security technology providing functions such as identification, non-repudiation, and anti-forgery of electronic documents on the Internet. Our government and financial organizations use PKI authentication based on ActiveX to prevent security incidents in Internet services. However, plug-in technology like ActiveX is vulnerable in terms of security and is inconvenient, since it works only in certain browsers. Therefore, research on HTML5 authentication systems has been conducted actively. Recently, a domestic bank introduced PKI authentication complying with web standards for the first time. However, it is still inconvenient because a certificate must be registered on each website due to the same-origin policy of web storage. This paper proposes a certificate-based SSO protocol complying with web standards that provides user authentication using a certificate on several sites by going around the same-origin policy, together with its security proof.

A Design of Smart Banking System using Digital Signature based on Biometric Authentication (바이오인증 기반의 전자서명을 이용한 스마트 뱅킹 시스템 설계)

  • Kim, Jae-Woo; Park, Jeong-Hyo; Jun, Moon-Seog
    • Journal of the Korea Academia-Industrial cooperation Society / v.16 no.9 / pp.6282-6289 / 2015
  • Today, there is an increasing number of cases in which certificate information is leaked, and accordingly, electronic finance fraud is prevalent. As the certificate and private key, a file-based medium, are easily accessible and duplicated, they are vulnerable to information-leaking crimes by cyber-attacks using malicious code, such as pharming, phishing and smishing. Therefore, the use of security tokens and storage tokens has been encouraged, as they are much safer media, but the actual users are only minimal due to reasons such as the risk of loss, high costs and so on. This thesis, in an effort to solve the above-mentioned problems and to complement the shortcomings, proposes a system in which a digital signature for Internet banking can be made with a simple bio-authentication process. In conclusion, it was found that the newly proposed system showed a better capability in handling financial transactions in terms of safety and convenience.