
Certificate-based SSO Protocol Complying with Web Standard

Korean title: Certificate-Based Unified Authentication (SSO) Protocol Complying with Web Standards

  • Yun, Jong Pil (Graduate School of Information Security, Korea University) ;
  • Kim, Jonghyun (Graduate School of Information Security, Korea University) ;
  • Lee, Kwangsu (Graduate School of Information Security, Korea University)
  • Received : 2016.06.09
  • Accepted : 2016.06.22
  • Published : 2016.08.31

Abstract

Public key infrastructure (PKI), the underlying technology of certificates, is a security technology that provides identification, non-repudiation, and anti-forgery of electronic documents on the Internet. The Korean government and financial organizations use ActiveX-based PKI authentication to prevent security incidents in Internet services. However, plug-in technologies such as ActiveX are vulnerable to security attacks and inconvenient, because they work only in certain browsers. Therefore, research on HTML5-based authentication systems has been conducted actively. Recently, a domestic bank introduced PKI authentication complying with web standards for the first time. However, it still has the inconvenience that a certificate must be registered on each website, because of the same-origin policy of web storage. This paper proposes a certificate-based SSO protocol that complies with web standards and provides user authentication with a certificate across several sites by working around the same-origin policy, and gives its security proof.

Public key infrastructure, the underlying technology of accredited certificates, is a security technology that provides functions such as identity verification, non-repudiation, and protection against forgery and tampering of documents in the Internet environment. Domestic government and financial institutions use ActiveX-based PKI authentication systems to prevent security incidents in Internet services. However, plug-in technologies such as ActiveX are not only vulnerable in terms of security but also inconvenient for users, because they can be used only in specific browsers. To solve these problems, research on web standard (HTML5) based authentication technology is being actively conducted. Recently, a domestic bank introduced web standard based PKI authentication technology for the first time. However, the adopted method has the inconvenience that a certificate must be registered on each site because of the same-origin policy of web storage. This paper proposes a certificate-based unified authentication protocol that complies with web standards while resolving the drawback of the same-origin policy, and proves its security.

Cited by

  1. A Unified Authentication Protocol for the Financial Sector Based on a Modified OAuth 2.0, vol.27, pp.2, 2016, https://doi.org/10.13089/jkiisc.2017.27.2.373
  2. A Smartphone Camera Control System Linked to Personnel Access Authorization, vol.8, pp.11, 2016, https://doi.org/10.15207/jkcs.2017.8.11.093