The present invention relates to issuance of a digital certificate, and more particularly, to a system and method for issuing a digital certificate using an encrypted image, in which a digital certificate is sealed in a digital envelope image so as to protect a digital certificate user from damage caused by hacking, phishing attacks and the like in the course of issuance, update and re-issuance of the digital certificate.
Currently, in a public key cryptosystem, encryption and decryption are performed using a public key and a private key. Anyone can access the public key through a directory server unit, and a digital document signed with the private key that is the counterpart of the public key is certified as having been written by a specific user.
A digital certificate system using such a public key cryptosystem is a basic assumption of both Internet banking and electronic commerce transactions.
FIGS. 1 and 2 are signal flowcharts illustrating a digital certificate issuing procedure and a digital certificate updating/re-issuing procedure according to the prior art.
Currently, a digital certificate is initially issued through a face-to-face confirming procedure in which the identity of a user is confirmed, a security card is provided and the user is registered in a certificate authority (CA) server. Such a face-to-face confirming procedure raises no concern about hacking or phishing attacks.
However, in re-issuance or the like of the digital certificate after the initial issuing procedure, personal authentication information is transmitted on-line through a network in order to confirm whether the user is valid without a separate face-to-face confirming procedure. Therefore, there is a risk that the personal authentication information will be leaked to hackers or third parties.
One of the reasons that further increases such a risk is that the personal authentication information is an account number, a password, a security card or the like, which is constructed by relatively simple means based on some numerals and text, and thus the personal authentication information can also be leaked by a well-known hacking method such as keyboard hacking, phishing or the like.
Of course, it is also true that a variety of insurance companies, medical institutions, financial institutions, certificate authorities and the like provide programs for preventing keyboard hacking or phishing attacks. However, since hacking techniques advance together with the hacking prevention programs, there is a problem in that a conventional digital certificate issuing system cannot ensure absolute safety.
Moreover, since the programs or the like for preventing keyboard hacking or phishing attacks are provided mainly by the certificate authorities in reality, it is difficult to prevent the hacking or phishing attacks between users and certificate agencies, such as financial institutions, hospitals, insurance companies and the like, having a variety of certificate issuing procedures.
In addition, since an issued digital certificate is generally stored in a PC or a portable storage medium, theft of the digital certificate is not prevented at all in the digital certificate storing process.