Page 46 - Implementation of Secure Authentication Technologies for Digital Financial Services
Authentication, i-PIN, K-FIDO, or FIDO depending on the required authentication levels of assurance.
The citizen must register in order to connect their PKI certificate and i-PIN to their FIDO-enabled
mobile device. Once registered, the citizen identity data can be provided to other service providers after
a strong FIDO authentication. Figure 31 illustrates the registration process.
Figure 31 – Registration process of K-FIDO service
① RP App starts bio-registration and requests a user certificate issuance.
② The FIDO server triggers a UAF registration request to the FIDO client.
③ The user performs a bio-authentication with FIDO authenticators using their respective user verification
method, e.g. fingerprint, iris, etc.
④ The selected FIDO authenticator generates the FIDO authentication private key. The selected FIDO
authenticator generates a FIDO signature using the attestation private key.
⑤ The FIDO server verifies the signature using the attestation public key and verifies the authentication public key.
If verified, the FIDO server trusts the authenticator it is talking to and the authentication public key that was
sent from the authenticator in the authentication response. The FIDO server checks the FIDO registration
message and, if it passes, the FIDO server stores the authentication public key.
⑥ The FIDO client requests the user certificate issuance from the certificate management module.
⑦ The crypto module generates a private and public key pair for the user certificate.
⑧ The certificate management module requests the user certificate issuance from the certification authority.
⑨ The certificate management module stores the user certificate and the private key in a secure element such
as USIM, TrustZone, etc. However, the private key should be encrypted by an encryption key held in the keystore or
keychain. The registration process is completed.
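
Steps ④ and ⑤ as an added example in Go, not code from this report or from any K-FIDO implementation: the authenticator attests a freshly generated authentication key, and the server checks the attestation against its trusted metadata and its own challenge before accepting the key. The `Reg` layout, the digest format, the AAID strings and the challenge values are constructed for illustration and are not the UAF wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

type Reg struct { // simplified registration response, not the UAF TLV encoding
	AAID         string // authenticator model ID
	AuthPub, Sig []byte // new authentication public key (DER), attestation signature
}

// digest binds model ID, server challenge and new public key into the signed value.
func digest(aaid string, chal, pub []byte) []byte {
	d := sha256.Sum256([]byte(fmt.Sprintf("%q|%x|%x", aaid, chal, pub)))
	return d[:]
}

// Enroll is step 4: a fresh authentication key pair, vouched for by the attestation key.
func Enroll(aaid string, chal []byte, att *ecdsa.PrivateKey) Reg {
	auth, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errors ignored: constructed demo
	pub, _ := x509.MarshalPKIXPublicKey(&auth.PublicKey)
	sig, _ := ecdsa.SignASN1(rand.Reader, att, digest(aaid, chal, pub))
	return Reg{AAID: aaid, AuthPub: pub, Sig: sig}
}

// Verify is step 5: recompute the digest from the challenge the server issued, then check the signature.
func Verify(trusted map[string]*ecdsa.PublicKey, chal []byte, r Reg) error {
	switch att, ok := trusted[r.AAID]; {
	case !ok:
		return fmt.Errorf("model %q not in trusted metadata", r.AAID)
	case !ecdsa.VerifyASN1(att, digest(r.AAID, chal, r.AuthPub), r.Sig):
		return fmt.Errorf("attestation signature invalid")
	}
	return nil // only now may the server store r.AuthPub for the user
}

func Scenario() (genuine, swapped, replayed, unlisted error) {
	att, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tr, c1, c2 := map[string]*ecdsa.PublicKey{"0000#0001": &att.PublicKey}, []byte("chal-1"), []byte("chal-2")
	good, bad := Enroll("0000#0001", c1, att), Enroll("0000#0001", c1, att)
	bad.Sig = good.Sig // constructed tampering: signature covers a different public key
	return Verify(tr, c1, good), Verify(tr, c1, bad), Verify(tr, c2, good), Verify(tr, c1, Enroll("ffff#ffff", c1, att))
}

func main() { fmt.Println(Scenario()) }
```

Because the server recomputes the digest from the challenge it issued, a response captured under one challenge fails under the next without a separate comparison step.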