The standard evangelism group for universial access and trust of web in Korea
Mr. Vladimir said his experience of Korean internet banking to know technical issue about SEED. Thanks for his trouble in korean sites. I’ll introduce technical description for that. (Before you read this article, please read his It’s gone to SEED.)
In first introduction of SEED in 1997, there was only cryptographic ActiveX or NSPlugin (was deprecated after browser wars). It works issuing and managing personal certificate by national CAs and “adding digital signature” to “important text” as like account number to transfer money in transaction. InisafeWeb is one of them. (There are almost eight providers in Korea, so if you use several national CA services such as banking, cyber trading and e-government, you must install at least over three same functional ActiveX control. It’s so ridiculous)
I will explain a brief process of transactions using ActiveX. If someone want to make secure transaction, he inputs necessary information in HTML form. A javascript function called by submit sends them to Cryptographic ActiveX control. It encrypts them and adds digital signature with user’s public key. Encrypted message by ActiveX returns in HTML form again. And form.submit() is finally executed. Web server decrypts and validates form data made by user certificate with CA via OCSP. After requested tasks was executed by web server and it sends to results to his browser. In this stage, some bank site often gives encrypted message for decryption by interaction between ActiveX control and Javascript.
In fact, it’s almost same with SSL transaction. All browser has a certificate manager as similar User-interface as Mr. Vladimir saw. Why korean didn’t use browser’s basic function? One is SEED encryption algorithm. The other is the digital signature function not to be standardized in browser. It is similar with crypto.signText(), in fact, it was originated by that idea in 10 years. The cryptographic ActiveX has these functions.
Finally, I will explain the rest ActiveX controls. There has been a financial accidents by hacked personal certificate and security number affected by key logging tools. It caused by user’s insensible installing ActiveX in Korea. (Most people was educated by clicking “Yes” in prompting Security Warning in installing ActiveX by IE. Why? Most of public services has used ActiveX. So people cannot help affecting spywares or malwares. It’s just a vicious circle of security.) So most of bank started to give a prohibiting key logging(”SoftCamp”) and online firewall and vaccine ActiveXs(”Hauri”). InsisWeb is only Shinhan’s insurance processing ActiveX. As same as cryptographic ActiveX, there are each several providers of these tools. So installing ActiveXs were continually increased. Maybe most of korean has almost over 10 ActiveX controls to use public services.
The problem is that all ActiveX controls are highly coupled and there is no right to choose them to users. It’s not the end. Most of e-government sites offer DRM-enabled printing ActivX for all printer drivers. In credit card transactions, there are several providers and their ActiveX controls. In korea, even Visa3D was operated in ActiveX. (The government made a guideline to use National CA system over credit card transaction over $300. So If you want to buy something in online shopping mall, you must install above all.) If you want cyber trading…? Yes. There is another ActiveX.)
It’s very serious situation, there has been several warnings in Windows XP SP2 and ending support of Windows 98. But, korean government ignored them, most of software companies has used dodging tactics to protect their business.) Now it’s not only SEED’s problem in korean situation. It’s almost national Intranet system optimized in Windows and Internet Explorer attacked by inner hackers. It’s korean home brew.
The Web Standards Korea is the standard evangelism group for universal access and trust of web in Korea. We engage various evangelism activities including community, education, documentation, lecture and governmental relationship for standard issues.
Kelly Clowers
March 18th, 2007 at 1:54 am
Thanks for this interesting post. I have been curious about the Korean ActiveX security system since I first heard about it, and this post clearly explains just how the system works (or doesn’t work, as the case may be if you don’t like lock-in
crowder
March 18th, 2007 at 12:15 pm
I have been obsessed with this ever since I read Gen Kanai’s “Cost of Monoculture” article. Thank you so much for a more precise technical analysis of the situation. Given the issues that this is causing with Vista alone, is it possible that there will be political movement on this anytime soon? Moving away from SEED as quickly as possible seems the only way to resolve what must be an economically hobbling situation like this. I was talking to Vlad as he was exploring these bank-sites and installing the various “required” controlled and was literally flabbergasted at the promiscuity requested of users (-especially- as they are about to engage in online commerce!!).
It seems that once the policy here is addressed at the government level, banks and online commerce sites would want to switch as quickly as possible to a standards-based security model (for the convenience of their users, even if the browser-monopoly issue and the security hazards were ignored). Is there any movement on this at any level of Korean government?
Channy Yun
March 19th, 2007 at 4:15 am
Crowder, Thanks for your considerations.
In Korea, there is the law of digital signature and it didn’t force technical specification. But, National Intelligence Service (aka CIA in US) and Financial Supervisory Service compel highly-coupled security system. Now it’s not only SEED problem. Fortunately the lawsuit of Open Web rouses public opinion and government is aware of a matter of grave concern. Maybe alternatives such as Java applet will be offered in short-term.
Also I think there is two solutions in long term 1) changing loosely-coupled security system for users to choose their security level. 2) standardization of web signing process. Most of countries tend to have their own law of digital signature and CA system.