서명용 개인키 노출 탐지 기법

Abstract

ABSTRACT A Public Key Infrastructure (PKI) is security standards to mana ge and use public key cryptosystem. A PKI is used to provide digital signature, authentication, public key encryption functi onality on insecure channel, such as E-banking and E-commerce o n Internet. A soft-token private key in PKI is leaked easily because it is stored in a file at standardized location. Also it is vulnerable to a brute-force password attack as is protected by password-based encryption.In this paper, we proposed a new method that detects private ke y compromise and is probabilistically secure against a brute-force password attack though soft-token private key is le aked. The main idea of the proposed method is to use a genuine signature key pair and () fake signature key pairs to make an attacker difficult to generate a valid signature with probability  even if the attacker found the correct password. The proposed method provides detection and notification functionality when an attacker make an attempt at authentication, and enhances the security of soft-token private key without the additional cost of construction of infrastructure thereby extending the function o f the existing PKI and SSL/TLS.Keywords: Public Key Infrastructure, key compromise detection, certificate revocation, revocation notification 접수일(2014년 6월 3일), 수정일(2014년 9월 11일), 게재확정일(2014년 9월 25일)* 이 논문은 2014년도 정부(미래창조과학부)의 재원으로 한국연구재단-차세대정보・컴퓨팅기술개발사업의 지원을 받 아 수행된 연구임(No. 2010-0020726)†주저자, rudrnrwlska@naver.com‡교신저자, donghlee@korea.ac.kr(Corresponding author)