On the Security of Public-Key-Certificate-Relay Protocol for Smart-Phone Banking Services

Vulnerability Analysis of the Public Key Certificate Copy Protocol for Smartphone Banking

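  • 신동오 (Information Security Research Laboratory, Department of Computer and Information Engineering, Inha University);
  • 강전일 (Information Security Research Laboratory, Department of Computer and Information Engineering, Inha University);
  • 양대헌 (Information Security Research Laboratory, Department of Computer and Information Engineering, Inha University);
  • 이경희 (Department of Electrical Engineering, University of Suwon)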
  • Received : 2012.06.26
  • Accepted : 2012.08.14
  • Published : 2012.09.30

Abstract

Most banks in Korea provide smartphone banking services. To use the banking service, public key certificates with private keys, which are stored in personal computers, should be installed in smartphones. Many banks provide intermediate servers that relay certificates to smartphones over the Internet, because transferring certificates via USB cable is inconvenient. In this paper, we analyze the certificate transfer protocol between a personal computer and a smartphone, and consider a possible attack based on the results of the analysis. We were successfully able to extract a public key certificate and password-protected private key from encrypted data packets. In addition, we discuss several solutions to transfer public key certificates from personal computers to smartphones safely.

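Recently, most domestic banks provide smartphone banking services. To use smartphone banking, the public key certificate and private key stored on a PC must be copied to the smartphone. However, because having the user copy them directly from the PC to the smartphone over a USB cable is inconvenient, many security solution companies have chosen to place a relay server in between to copy the certificate. In this paper, we analyze the security of the certificate copy protocol and demonstrate an attack based on that analysis. We were able to extract a user's public key certificate and private key through network eavesdropping. We also explore methods for copying public key certificates securely.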
