1

i-PIN Service(internet-Personal Identification Number Service)

Identity Management across the Public and Private Sectors in Korea

22

Contents

The Genesis of i-PINThe Genesis of i-PIN

The Concept of i-PIN & Integrated IDMThe Concept of i-PIN & Integrated IDM

The Function of i-PINThe Function of i-PIN

The Future of i-PINThe Future of i-PIN

The Trust Foundation of i-PINThe Trust Foundation of i-PIN

33

The Genesis of i-PIN

A Korean has an RRN (Resident Registration Number) Contains various kinds of personal informationUnique and permanent number assigned to an individual by GovernmentExample of Resident Registration Number : 880101-1234568

Web site JoiningWeb Site

Credit InquiryCompany

DB Server

Bob

nameResident Registration

Number

Alice 881213 - 1234567

Bob 811104 - 2345678

… …

Zeus 740311 - 1245678

DB Table

44

Personal information disclosure, through RRN theft are posing a serious threat to Korean societyThe primary type of privacy infringement is to create a website membership using other’s RRN

█ : The # of complaints in 2005 (Total : 18,206)█ : The # of complaints in 2006 (Total : 23,333)

9,810(53.9%)

1,140(6.3%)

10,835(46.4%)

2,565(11.0%)

RRN infringement Collection without agreement

Usage except purpose

916(5.0%)

917(3.9%) 771

(4.2%)

923(3.9%)

Request refusal

5,569(30.6%)

8,093(34.8%)

Others

※ Others : infringements not specified by law, management inadequacy, etc.

The Genesis of i-PIN

55

The Concept of i-PIN

i-PIN issuance procedure

After issuance of i-PIN, users use i-PIN ID & PW instead of RRNPrevent privacy from infringement caused by RRN theft

※ User information is real name, i-PIN, protection information for multiple subscription, birth date, sex, etc.

<Verification methods>

< 5 TTPs >

Website(SP) User① Request Membership Joining

② Request i-PIN

③ apply for i-PIN issuance

Trusted Third Parties(IDSP)

④ Interaction for i-PIN issuance- proof of owner’s RRN- registration of i-PIN ID & PW, etc

⑤ Send user’s information

66

The Concept of Integrated IDMIntegrated ID issuance procedure

※ ID federation means that user’s information is transferred by IDSP to SP.※ User information is real name, unique number, birth date, sex, etc.

Governmental Website(SP)

UserIntegrated ID Center

(IDSP)

Village Office ① Face-to-Face Confirmation- registration of user’s information② Registration of User’s info.

③ Join the IDSP

④ Request the Joiningthe SP

⑤ Request ID federation after user’s agreement

⑥ Establishment of ID federation

Trust relationship(SAML 2.0 Protocol)

77

The Trust Foundation of i-PIN

Authentication based knowledgeAccredited Certificate : private key of certificate

Accredited certificate is issued by ACA (Accredited Certification Authority), after user visit ACA or RA (Registration Authority)

Credit Card Information : Secret Number of Credit CardCredit Card is issued by CCC (Credit Card Company), after user identification is confirmed by CCC.

Cell Phone SMS : Authentication NumberCell phone is sold by CPTC (Cell Phone Telecommunication Company), after user identification is confirmed by CPTC.

Authentication based possessionFace-to-Face

User visit TTP with his certificate of residence

88

Difference with using RRN on the InternetRe-issuance i-PIN at any time (changeable with no restriction, cost)No Personal information into i-PIN (Only issuer information)Strong identity verification method than RRNNon-traceable of other website registration information

Improving Expediency of i-PINWhenever i-PIN service users choose among 5 different TTPs, they can access to any websites applied i-PIN service

Protection information for multiple subscriptionProvide only unique information into websiteNon-traceable of other website’ unique information

Other information for marketingBirth date, Sex, Real name, etc.

The Function of i-PIN

99

The Future of i-PIN

Facilitation of i-PIN usageCurrent No. of i-PIN users : 25,000 personsFuture : Every user owns more than one i-PIN

Developing Next i-PIN versionInteroperability with “Integrated ID Management System for Governmental web site” served by MOGAHA (Ministry of Government Administration and Home Affaires)Interoperability with “Electronic Wallet” by ETRI (Electronics and Telecommunication Research Institute), KISA (Korea Information Security Agency), and MS (Microsoft Korea)Enhancing Security, User Control, etc

1010

Question & Answer

Do you want to more information about i-PIN, contact mecjchung@kisa.or.kr