WebCert - SOP. 2013. 7. 19. Sangrae Cho, Authentication Research Team


Page 1: 2013. 7. 19

魂▪創▪通

Authentication Research Team 2013

2013. 7. 19.

WebCert - SOP

Sangrae Cho
Authentication Research Team

Page 2: 2013. 7. 19

Korean banking use case

Parties: Web Browser, caserver.com (origin for certificate issue), bank.com (origin for certificate use)

1. Public key pair is generated in the browser.
2. Issue certificate
3. Use certificate (digital signature)
4. Verify certificate

Page 3: 2013. 7. 19

Proposed solution

Diagram: web client and bank.com
  • Wire transfer request
  • Wire transfer page for digital signature

Trusted CA List

  • No trusted CA list – SOP governs
      Private key belongs to the origin server
  • Trusted CA list – SOP exception
      Display any certificate that is issued by trusted CAs
      Private key belongs to a user
      The user can prove its ownership by decrypting the encrypted private key

Page 4: 2013. 7. 19

Proposed solution

web client

Cert Name   Issuer
cert1       bank.com
cert2       caserver.com

Preconditions

  • Suppose we have a JavaScript API to discover a certificate:
      Certificate[] = getCertificate(String trustedCAList)
      Certificates belonging to the trusted CAs will be returned if trustedCAList is provided
      The certificate belonging to the origin will be returned if no trustedCAList is provided
  • The following certificates are issued:
      cert1 = Certificate issued from bank.com
      cert2 = Certificate issued from caserver.com

Page 5: 2013. 7. 19

Proposed solution
Case 1: No trusted CA list – SOP governs

Exchange between web client and bank.com:

1. Wire transfer request
2. HTML page for digital signature with no Trusted CA List
3. Page returned with digital signature for wire transfer

After receiving no. 2:
  • getCertificate(); is executed with no Trusted CA list
  • getCertificate(); returns cert1 (issued from bank.com) according to SOP
  • The user signs the page digitally with the private key related to cert1 and sends it to bank.com

Page 6: 2013. 7. 19

Proposed solution
Case 2: Trusted CA list – SOP exception

Exchange between web client and bank.com:

1. Wire transfer request
2. HTML page for digital signature with Trusted CA List
3. Page returned with digital signature for wire transfer

After receiving no. 2:
  • getCertificate(); is executed with trustedCAList = “caserver.com”
  • getCertificate(); returns cert2 (issued from caserver.com) according to the SOP exception
  • The user signs the page digitally with the private key related to cert2 and sends it to bank.com
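
The selection rule from the Preconditions slide and the two cases above, modelled as an added example (not code from the presentation). Assumptions: the caller's origin is passed explicitly as callerOrigin (a browser would supply it implicitly), several CAs in trustedCAList are comma-separated, and CERT_STORE, toHost, parseTrustedCAList and names are hypothetical helpers built from the deck's table.

```javascript
// Added model of the proposed getCertificate() selection rule (not the deck's code).
// Assumptions: callerOrigin is explicit here, and trustedCAList is comma-separated.

// Constructed certificate store matching the deck's table (Cert Name / Issuer).
const CERT_STORE = [
  { name: "cert1", issuer: "bank.com" },
  { name: "cert2", issuer: "caserver.com" },
];

// Normalise a hostname or URL to a lowercase hostname for comparison.
function toHost(value) {
  const v = String(value).trim().toLowerCase();
  if (v === "") return "";
  return v.includes("://") ? new URL(v).hostname : v;
}

// Parse trustedCAList into a set of hostnames; missing or empty means "no list".
function parseTrustedCAList(trustedCAList) {
  if (trustedCAList === undefined || trustedCAList === null) return new Set();
  return new Set(String(trustedCAList).split(",").map(toHost).filter(Boolean));
}

function getCertificate(callerOrigin, trustedCAList) {
  const trusted = parseTrustedCAList(trustedCAList);
  if (trusted.size === 0) {
    // Case 1: no trusted CA list, SOP governs.
    // Only certificates issued by the calling origin are returned.
    const origin = toHost(callerOrigin);
    return CERT_STORE.filter((c) => toHost(c.issuer) === origin);
  }
  // Case 2: trusted CA list, SOP exception.
  // Certificates issued by any CA named in the list are returned.
  return CERT_STORE.filter((c) => trusted.has(toHost(c.issuer)));
}

// Helper to show a result as a comma-separated list of certificate names.
function names(certs) {
  return certs.map((c) => c.name).join(",");
}
```

The model covers certificate discovery only; the step where the user proves ownership by decrypting the encrypted private key, and the signing itself, are not modelled.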

Page 7: 2013. 7. 19

Thank You