Page 53 - Implementation of Secure Authentication Technologies for Digital Financial Services

7.2.3   Example: K-FIDO authentication
K-FIDO typically supports the various user authentication methods required by web portals, e-transactions, financial institutions and e-government services. Figure 37 illustrates K-FIDO authentication.

Figure 37 – Authentication Process of K-FIDO Service

①   The RP App performs bio-authentication and requests an electronic signature for a service provider.
②   The FIDO server triggers a UAF authentication request to the FIDO client.
③   The user performs bio-authentication on the FIDO authenticator using the same method as at registration time.
④   The FIDO authenticator generates the FIDO signature (using the FIDO authentication private key).
⑤   The FIDO client sends the UAF authentication response to the FIDO server. The FIDO server checks the FIDO authentication message and, if it passes, the RP server generates an Authcode.
⑥   The FIDO client requests electronic signature generation from the PKI module.
⑦   The PKI module requests electronic signature generation from the Crypto module.
⑧   In the case of a secure element such as TrustZone or USIM, the electronic signature is generated by the private key inside the secure element. In the case of a keystore or keychain, however, the encrypted private key must first be decrypted with a decryption key stored in the keystore or keychain, and the electronic signature is then generated with the private key by the crypto module.
⑨   The RP App sends the signed data to the Service server.
⑩   The Service server verifies the signed data.
⑪   The Service server or RP Server checks the user certificate's status with the OCSP server.
⑫   The Service server checks the Authcode with the FIDO service provider and sends the result to the user.
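The Service server's checks in steps ⑩ to ⑫, as an added Go example that is not part of this document or of any K-FIDO implementation. Ed25519 stands in for the user's PKI signature key, in-memory maps stand in for the certificate store, the OCSP responder and the FIDO service provider, and the user IDs, serials, Authcodes and transaction data are constructed; the example also goes slightly beyond the text by making each Authcode single-use so a replayed submission is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

type SignedData struct { // what the RP App sends to the Service server in step 9
	UserID, CertSerial, Authcode string
	Payload, Signature           []byte
}

type ServiceServer struct { // steps 10-12; the maps are constructed stand-ins for real back ends
	UserKeys  map[string]ed25519.PublicKey // public key taken from the user certificate
	OCSP      map[string]string            // certificate serial -> "good" or "revoked", as OCSP would answer
	Authcodes map[string]string            // Authcode -> user it was issued to; single use
}

// Verify accepts a transaction only when all three checks pass; a valid Authcode never compensates for a bad signature or a revoked certificate.
func (s *ServiceServer) Verify(d SignedData) error {
	pub, ok := s.UserKeys[d.UserID]
	if !ok || !ed25519.Verify(pub, d.Payload, d.Signature) {
		return errors.New("step 10: electronic signature invalid")
	}
	if s.OCSP[d.CertSerial] != "good" { // an unknown serial counts as not good
		return errors.New("step 11: certificate status not good per OCSP")
	}
	if owner, ok := s.Authcodes[d.Authcode]; !ok || owner != d.UserID {
		return errors.New("step 12: Authcode unknown or issued to another user")
	}
	delete(s.Authcodes, d.Authcode) // consume it: an Authcode is accepted only once
	return nil
}

// Scenarios runs one valid transaction and four defective variants through the Service server and returns each verdict (nil means accepted).
func Scenarios() map[string]error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the user's PKI key pair, generated here for the example
	srv := &ServiceServer{map[string]ed25519.PublicKey{"alice": pub}, map[string]string{"serial-1": "good", "serial-2": "revoked"}, map[string]string{"ac-123": "alice"}}
	payload := []byte("transfer 100 to account 42") // constructed transaction data
	good := SignedData{"alice", "serial-1", "ac-123", payload, ed25519.Sign(priv, payload)}
	variant := func(mod func(*SignedData)) error { d := good; mod(&d); return srv.Verify(d) }
	out := map[string]error{}
	out["tampered payload"] = variant(func(d *SignedData) { d.Payload = []byte("transfer 999 to account 42") })
	out["revoked cert"] = variant(func(d *SignedData) { d.CertSerial = "serial-2" })
	out["unknown authcode"] = variant(func(d *SignedData) { d.Authcode = "ac-999" })
	out["valid"] = srv.Verify(good)
	out["replayed"] = srv.Verify(good) // same Authcode presented again after it was consumed
	return out
}
```

Each failing variant stops at the first check it cannot pass, so the returned error names the step of Figure 37 that rejected it.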