Number of slides: 20
The Practical Use of Mobile PKI in Korean Financial Industry
Kim, Gwang Yeol
Information Security Dept. Manager, Koscom Corporation
October 29, 2010
Contents
I. Koscom & SignKorea
II. Smart Phone and Mobile Issues
III. Environment of Banking in Smart Phone
IV. Practical Use of Banking & Trading
V. Others
I. Koscom & SignKorea
• Established by MoFE and Korea Exchange to computerize the Securities Market and the Member Systems (in 1977)
  - Organization: 5 Headquarters, 16 Departments, 1 Office (17 Divisions)
  - Staff: 4 Corporate Directors and 574 Employees
• Main Businesses of Koscom
  - Exchange IT Services, Financial Information Services, Financial IT Solution Services, IT Infrastructure Services
  - IT Infrastructure Services: Security Service (Certification Service, Information Sharing and Analysis Center, Certified e-Document Authority), Network Service, DR & BCP Center
• SignKorea
  - Issues 4,500,000 Certificates for Investment Banks (38 Securities Companies, 10 Futures Companies) and 5 Commercial Banks
  - Issues 1,200,000 General Purpose Personal Certificates (fee-charging)
Koscom Main Business
Exchange IT Services: the exchange system for the securities and derivatives market; IT center for securities and derivatives firms, providing consulting, system planning, development, operation etc.
• KRX Stock Market System
• KRX KOSDAQ Market System
• KRX Derivatives Market System
• KFIA FreeBoard Market System
• Foreign Investors Management System
Financial Information Services: delivering real-time market information and calculating the composite index
• Market Data Distribution Service
• CHECK Expert Terminal Service
• DataMall, Historical Data Service
Financial IT Solution Services (KOSCOM Total IT Solution)
• Total Securities Solution (PowerBase)
• HTS (Home Trading System)
• Direct Trading Service (VARO)
• Millennium Trading System (MTS)
• Dealing System (KOSMOS)
• Pension System (PenStar)
• STP-HUB (Straight Through Processing)
IT Infrastructure Services: providing the best IT infrastructure, including telecommunication network services, to guarantee safe and reliable financial trades
• Network Service (STOCK-Net)
• Business Continuity Plan (BCP+)
• Authentication Service (SignKorea)
• Financial Service (FS) ISAC
• All&Security Integration Management (Ansim)
• Certified e-Document Authority (Docustar)
SignKorea Customers
• 4,500,000 certificate users: 4,400,000 Personal Certificates, 100,000 Corporate Certificates
• About 200 Applied Applications and Sites
• About 100 Business Partners
  - Securities Companies: 38
  - Futures Companies: 10
  - Banks: 5
  - Savings Banks: 11
  - KRX, KSDA, KSD, KSFC
  - Financial Companies subtotal: 68
  - Etc.: 12
  - Hospitals: 23
  - Government: 3
  - RA Partners: 7
  - Total: 113
CAs and RAs in Korean National PKI
FSC, MOPAS, FSS
KISA
CAs: Koscom, KFTC, KICA, CrossCert, KTNET
RAs: Financial Institutions (IB, CB) etc. / Financial Institutions (CB) / Post Office etc.
Stages of Korea PKI
• Stage 1. Introduction: 1999 ~ 2001
  - Digital Signature Law, Accredited CAs
  - Interoperability among Accredited CAs
• Stage 2. Take-off: 2002 ~ 2005
  - Providing user-friendliness, increase in certificates and applications
  - Mandatory use of certificates (Banking, Stock)
  - Cross Certification for NPKI and GPKI
• Stage 3. Maturity: 2006 ~ 2008
  - Upgrading of PKI technologies (RFC 3280)
  - Addition of Root CA Certificate to Microsoft IE for secure web server
• Stage 4. Reinforcement: 2009 ~ 2011
  - Enhancement of Digital Signature Cryptosystem
  - Improvement of certificate storage and reissuance procedures
  - Revitalization of PKI-based mobile banking by smart phone
II. Smart Phone & Mobile Issue
• Key Success Factors of the Mobile PKI in the Korean Financial Market
  - Expansion of Smart Phone users in 2010
  - Needs for banking service in Smart Phone
  - Government regulation
• Expansion of Smart Phone users in 2010
  - No. of Smart Phone users (end of 2009): 1 mil. (iPhone released in Nov 2009 in Korea)
  - No. of Smart Phone users (Sep 2010): 4.4 mil.
    - Android phone starts in Feb 2010
    - Samsung Galaxy S: June 2010, Apple iPhone: Sep 2010
II. Smart Phone & Mobile Issue
• Needs for banking service in Smart Phone
  - Financial service as a killer application
  - 1st stage: introduce mobile banking and trading
  - 2nd stage: enhance the banking/trading service and expand the service area (insurance, credit card, loans, etc.)
• Government regulation
  - The Korean Government strongly recommends using the certificate for online banking and online trading on the wired (PC) channel.
  - The Government also requires that mobile banking/trading in the Smart Phone be equivalent in security level to the PC.
  - FSS announced the criteria that a mobile financial app must meet for safe banking/trading.
II. Smart Phone & Mobile Issue
Online financial service: PC vs. Smart Phone
• Network: PC - Wired; Smart Phone - Wireless
• Applications: PC - Banking, stock trading (standalone/web applications); Smart Phone - Banking, stock trading (standalone applications)
• Policy: Certificate/Digital Signature, Anti-Virus SW, Anti-Keylogger SW
• Platform: PC - MS Windows and others; Smart Phone - Apple iOS, Google Android, MS Windows Mobile
• Device: PC - Desktop, Notebook; Smart Phone - Smart Phone
• PKI: SHA-1 with RSA 1024-bit until 2010; SHA-2 with RSA 2048-bit in 2011
• Future device: PC - Notebook, tablet PC; Smart Phone - Smart phone, tablet PC, PMP etc.
• Future platform: PC - N/C; Smart Phone - Windows Phone 7, Nokia MeeGo etc.
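The PKI row above gives the algorithm migration (SHA-1 with RSA-1024 until 2010, SHA-2 with RSA-2048 from 2011). As an added example, not code from the presentation or from Koscom, the Go program below applies that 2011 criterion to a parsed X.509 certificate, the kind of check a banking app could run on a user's certificate before accepting it for log-in; the certificates it inspects are constructed self-signed test certificates (hypothetical subject "test-user"), not SignKorea-issued ones.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckBankingCert applies the 2011 criterion from the slide (SHA-2 signature, RSA key
// of at least 2048 bits) to a parsed certificate and returns every reason it fails.
func CheckBankingCert(c *x509.Certificate) []string {
	var problems []string
	if a := c.SignatureAlgorithm; a != x509.SHA256WithRSA && a != x509.SHA384WithRSA && a != x509.SHA512WithRSA {
		problems = append(problems, "signature is not SHA-2 with RSA: "+a.String())
	}
	if pub, ok := c.PublicKey.(*rsa.PublicKey); !ok {
		problems = append(problems, "public key is not RSA")
	} else if pub.N.BitLen() < 2048 {
		problems = append(problems, fmt.Sprintf("RSA key is %d bits, need 2048", pub.N.BitLen()))
	}
	return problems
}

// selfSigned builds a constructed test certificate (hypothetical subject "test-user",
// not a real SignKorea certificate) with the requested key size and signature algorithm.
func selfSigned(bits int, alg x509.SignatureAlgorithm) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-user"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), SignatureAlgorithm: alg,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der) // parsing does not verify, so the legacy cert parses too
}

func main() {
	// Legacy (until 2010) parameters beside the 2011 ones from the slide.
	for _, tc := range []struct{ bits int; alg x509.SignatureAlgorithm }{{1024, x509.SHA1WithRSA}, {2048, x509.SHA256WithRSA}} {
		c, err := selfSigned(tc.bits, tc.alg)
		if err != nil { fmt.Println("could not create test cert:", err); continue }
		fmt.Printf("RSA-%d/%s: problems=%v\n", tc.bits, tc.alg, CheckBankingCert(c))
	}
}
```

The 1024-bit SHA-1 certificate is reported with two problems and the 2048-bit SHA-256 one with none; in a real deployment the check would sit beside chain validation against the CA, which this example does not perform.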
III. Environment of Banking in Smart Phone
• Smartphone: Banking/Trading Client Program, Digital Certificate, PKI/Crypto toolkit, Anti-Keylogger/Virtual Keyboard
• Internet (between the smartphone and the banking/trading system)
• Banking/Trading System: Banking/Trading Server Program, PKI/Crypto toolkit, Anti-Virus SW
III. Environment of Banking in Smart Phone
Measures against the Security Issues
• FSS (Financial Supervisory Service) established the security measures for online financial service in smart phones against potential security risks ('10.1).
• Focusing on setting suitable criteria against predictable potential security threats to keep customer information safe.
III. Environment of Banking in Smart Phone
• Key Points of Safety Measures: Authentication, Intrusion Detection, Vulnerability Monitoring
III. Environment of Banking in Smart Phone
• Mobile Banking/Trading
  - Multiple steps to confirm customer information when creating a new account: ID/Password → One-time password → Certificate etc.
  - Service is accepted only after the user agrees to the terms of use
  - Reinforce user authentication at log-in: use the certificate for log-in, or an additional one-time password with ID/PW (two-factor authentication)
  - Require that mobile banking/trading in the Smart Phone be equivalent in security level to the wired PC: certificate, one-time password, digital signature; equivalent limitation on the transaction amount as for wired transactions
III. Environment of Banking in Smart Phone
• Intrusion Detection
  - Transaction data are transmitted over channel encryption for confidentiality and integrity, as in wired transactions.
  - Important input data such as passwords must be protected by input data protection tools against leakage and falsification.
  - Prevent saving important data (e.g. passwords) in the Smart Phone.
  - Prevention measures are required against malicious code such as viruses in mobile banking & trading.
  - Make use of digital signatures for non-repudiation.
• Vulnerability Monitoring
  - Financial institutions should establish a system (365 x 24) for vulnerability analysis and enterprise security monitoring.
  - By self-operation or specialized facilities
IV. Practical Use of Banking & Trading
IV. Practical Use of Banking & Trading
• Example of a Korean banking app in Smart Phone
  - Main page: list of services provided by the bank
  - Registered certificate list
  - Applied Anti-Keylogger/Virtual Keyboard: input data are covered up by dots
IV. Practical Use of Banking & Trading
• Example of a Korean stock trading app
• Log-in page, certificate, and Anti-Keylogger/Virtual Keyboard
V. Others
Now and Outlook
• Year 2010: 20 Commercial Banks, 30 Securities (stock trading); platforms: iPhone, Android, Windows Mobile
• Year 2011 (e): more Securities, Saving Banks, Credit Cards; platforms: Bada, Windows Phone 7, iPad
• Year 2012 (e): Insurance; platforms: MeeGo, RIM, Android Tablet, Windows 7 tablet