Implementation, Security, and Usability Analysis of Accredited Certificate-based Internet Banking

  • Park, Hye-Seung (School of Computer Science and Engineering, Korea University of Technology and Education)
  • Lee, Jae-Hyup (School of Computer Science and Engineering, Korea University of Technology and Education)
  • Park, Seung-Chul (School of Computer Science and Engineering, Korea University of Technology and Education)
  • Received : 2017.03.10
  • Accepted : 2017.07.17
  • Published : 2017.08.31

Abstract

We expect that accredited certificate-based open banking, which is being actively deployed at present, will solve the Galapagosization problem of the existing accredited certificate-based closed banking by supporting standard communication protocols and web compatibility. However, it is questionable to what extent open banking will answer the security and usability problems of the existing closed banking. This paper focuses on analyzing the differences between the existing closed banking and open banking, and then evaluates how far the security and usability problems of the existing closed banking are resolved by open banking. The study first analyzes the security vulnerabilities raised in the process of providing closed banking services for the past 15 years or more, the countermeasures applied to enhance security, and the impact of those countermeasures on convenience. The security and convenience of open banking are then inferred by analyzing the implementation differences between closed banking and open banking. The paper also briefly discusses how open banking could be improved to resolve its remaining problems.

The accredited certificate-based open banking that is currently being actively introduced in Korea is expected to substantially resolve the Galapagosization problem of the existing accredited certificate-based closed banking through support for standard communication protocols and web compatibility. However, it remains questionable to what extent the new open banking resolves the security problems and user convenience problems that have been raised against the existing closed banking. This paper focuses on analyzing the differences in implementation between the existing accredited certificate-based closed banking and open banking, and on analyzing to what extent open banking resolves the security and convenience problems that closed banking carries. The analysis was conducted by first examining the security vulnerabilities raised while the existing closed banking provided services for more than 15 years, the countermeasures applied to enhance security, and the impact of those countermeasures on convenience, and then inferring the security and convenience of open banking from the implementation differences between closed banking and open banking. Based on the results of the analysis, we also briefly discuss how open banking should be improved in the future to resolve the security and convenience problems it still carries.
