Abstract
This paper analyzes security of Korean USIM-based PKI certificate service. Korean PKI certificate consists of public key and password encrypted private key on disk. Due to insufficient security provided by single password, Korean mobile operators introduced USIM-based PKI system. We found several vulnerabilities inside the system, including private key’s RSA prime number leakage during certificate installation. We also suggest possible improvments on designing secure authentication system (Preliminary work of this paper was published previously [1]. This work was responsibly disclosed to the vendor and associated government organizations.).
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsReferences
Park, S., Park, S., Yun, I., Kim, D., Kim, Y.: Security analysis of USIM-based certificate service in Korea. In: Conference on Information Security and Cryptography (2014)
ASi Sertifitseerimiskeskus, About SK - History. https://www.sk.ee/en/about/history/
Vaata Maailma, NutiKaitse 2017. http://www.vaatamaailma.ee/en/nutikaitse
KISA, Operational Programs (in Korean). http://www.rootca.or.kr/kor/hsm/hsm.jsp
Laud, P., Roos, M.: Formal analysis of the estonian mobile-ID protocol. In: Jøsang, A., Maseng, T., Knapskog, S.J. (eds.) NordSec 2009. LNCS, vol. 5838, pp. 271–286. Springer, Heidelberg (2009)
Raonsecure Inc., Digital Signature System Using Mobile Device (in Korean), Patent KR 10–2013-0 065 149, 30 December 2013
Marlinspike, M.: SSLstrip. http://www.thoughtcrime.org/software/sslstrip/
Android Open Source Project, Android Developers: Log. http://developer.android.com/reference/android/util/Log.html
Android Open Source Project, Android Developers: logcat. http://developer.android.com/tools/help/logcat.html
dex2jar. https://code.google.com/p/dex2jar/
smali/baksmali. https://code.google.com/p/smali/
OsmocomBB Project, SIMtrace. http://bb.osmocom.org/trac/wiki/SIMtrace
Secure Element Evaluation Kit for the Android platform. https://code.google.com/p/seek-for-android/
Whitten, A., Tygar, J.D.: Why Johnny can’t encrypt: a usability evaluation of PGP 5.0. In: Proceedings of the 8th USENIX Security Symposium, vol. 99, p. 16. McGraw-Hill (1999)
Themida. http://www.oreans.com/themida.php
Hodges, J., Jackson, C., Barth, A.: HTTP Strict Transport Security (HSTS), RFC 6797 (Proposed Standard), Internet Engineering Task Force, November 2012. http://www.ietf.org/rfc/rfc6797.txt
Android Open Source Project, Android Developers: ProGuard. http://developer.android.com/tools/help/proguard.html
Android Open Source Project, Android Open Source: SIM Toolkit Application. http://www.kandroid.org/online-pdk/guide/stk.html
ARM Inc., TrustZone. http://www.arm.com/products/processors/technologies/trustzone/index.php
Samsung, Samsung KNOX. http://www.samsung.com/global/business/mobile/platform/mobile-platform/knox/
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Park, S., Park, S., Yun, I., Kim, D., Kim, Y. (2015). Analyzing Security of Korean USIM-Based PKI Certificate Service. In: Rhee, KH., Yi, J. (eds) Information Security Applications. WISA 2014. Lecture Notes in Computer Science(), vol 8909. Springer, Cham. https://doi.org/10.1007/978-3-319-15087-1_8
Download citation
DOI: https://doi.org/10.1007/978-3-319-15087-1_8
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-15086-4
Online ISBN: 978-3-319-15087-1
eBook Packages: Computer ScienceComputer Science (R0)