An accredited certificate that uses PCs and USBs for storage will disappear as early as 2017 in order to reduce the leakage of personal information, malicious code infections, and losses of certificates. Authentication certificates are currently maintained, but its security will be strengthened further through an encryption procedure. In addition, a measure to store the certificate in ICs for credit cards is going to be established by Aug. or Sept.
According to sources in the financial sector on Aug. 5, the Korea Financial Telecommunications & Clearings Institute (KFTC) has embarked on the development of programs to make an accredited certificate safer and to improve consumer convenience, in partnership with certificate authorities (CAs) and local banks.
The KFTC is working with CAs like Koscom, KTNET, the Korea Electronic Certification Authority, and the Korea Information Certificate Authority to develop an encrypted accredited certificate. It is also talking with banks about storing the encrypted certificates to ICs for credit cards. An official at KFTC remarked, “It is easy to copy accredited certificates stored on PCs and USBs. And files are frequently leaked as a result of malicious code infections.” The official added, “So, we are actively seeking to find a way to encode an authentication certificate when it is stored on storage devices.”
When documents are encrypted, other people can see the files, but cannot open the encoded documents without a password. Likewise, it is possible to change an accredited certificate into a kind of software by adding a security token to the certificate. To accomplish the goal, five institutions, including the KFTC, are planning to finish the development of an encoded authentication certificate for PCs by the end of the latter half of this year, and to apply the encoded certificate to USBs next year.
The official also said, “In the case of the termination of an accredited certificate for PCs and USBs, we will consider consumer inconvenience first and so abolish the file-type authentication certificate within 2 to 3 years, in line with the phase-out policy of the Ministry of Science, ICT and Future Planning that will be announced in the future.”
A security token will replace a file-type accredited certificate, and a more secure alternative method will be used for mobile devices, using a Universal Subscriber Identity Module (USIM). But when an encrypted accredited certificate is used, a relevant program, like ActiveX, will not be automatically installed. The KFTC plans to actively promote the program through the homepage of banks or the five CAs in consideration of the various negative side effects of ActiveX.
The institute is also working to develop a method to store an encoded authentication certificate in ICs for credit cards, together with banks. It is planning to insert the encoded certificate to check cards, credit cards, and One Time Password (OTP) tokens in an effort to make it more secure and convenient.
In the past, this kind of technology was integrated into an accredited certificate, but it was unable to be popularized at that time due to the necessity of a separate reader. A new method capable of reading an accredited certificate without a reader using NFC tech is currently being studied.
An official at a bank said, “I think that a measure to store an encrypted accredited certificate to ICs for credit cards will be available in Oct. at the latest,” adding, “In the long term, a method for using ICs for credit cards will be used instead of storing an authentication certificate in the PC or USB.”