Mr. Vladimir wrote about his experience with Korean internet banking in order to understand the technical issues around SEED. I thank him for the trouble he went through on Korean sites. I will give a technical description of it here. (Before you read this article, please read his post "It's gone to SEED".)

When SEED was first introduced in 1997, the only options were a cryptographic ActiveX control or an NSPlugin (deprecated after the browser wars). The control issues and manages personal certificates from the national CAs and "adds a digital signature" to "important text", such as the account number in a money transfer. InisafeWeb is one of them. (There are almost eight providers in Korea, so if you use several national CA services such as banking, cyber trading and e-government, you must install more than three ActiveX controls that all do the same thing. It's so ridiculous.)

I will briefly explain how a transaction using ActiveX works. If someone wants to make a secure transaction, he enters the necessary information in an HTML form. A JavaScript function called on submit sends the values to the cryptographic ActiveX control. The control encrypts them and adds a digital signature with the user's public key. The encrypted message from the ActiveX control is put back into the HTML form, and form.submit() is finally executed. The web server decrypts the form data and validates it, checking the user certificate that produced it with the CA via OCSP. The web server then executes the requested task and sends the result to the user's browser. At this stage, some bank sites return an encrypted message, which is decrypted through interaction between the ActiveX control and JavaScript.
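The round trip described above, as an added example that is not code from any of the Korean plug-ins: a Node.js simulation of the plug-in side (sign, encrypt, hand back strings for the form) and the server side (decrypt, verify). Assumptions: AES-256-GCM stands in for SEED, RSA key pairs stand in for the CA-issued certificates, the OCSP check is left as a comment, and the names `sealForm` and `openForm` are hypothetical. The signature is produced with the private key that matches the public key in the user's certificate, and the server verifies it with that public key.

```javascript
// Added example (constructed): simulates the plug-in and the bank server in Node.js.
const nodeCrypto = require('crypto');

// Constructed stand-ins for the user's certificate key pair and the bank's key pair.
const userKeys = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const bankKeys = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Client side: what the plug-in does with the fields handed over by the submit handler.
function sealForm(fields, userPrivateKey, bankPublicKey) {
  const plaintext = Buffer.from(JSON.stringify(fields), 'utf8');
  // Sign the "important text" first, so the signature covers exactly what the user entered.
  const signature = nodeCrypto.sign('sha256', plaintext, userPrivateKey);
  // Encrypt under a fresh session key (AES-256-GCM here; the real plug-ins use SEED).
  const sessionKey = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const b64 = (buf) => buf.toString('base64');
  // These strings are what would be written back into hidden form fields before form.submit().
  return {
    wrappedKey: b64(nodeCrypto.publicEncrypt(bankPublicKey, sessionKey)),
    iv: b64(iv), tag: b64(cipher.getAuthTag()), body: b64(body), signature: b64(signature),
  };
}

// Server side: unwrap the session key, decrypt, then verify the signature.
function openForm(sealed, bankPrivateKey, userPublicKey) {
  const raw = (s) => Buffer.from(s, 'base64');
  const sessionKey = nodeCrypto.privateDecrypt(bankPrivateKey, raw(sealed.wrappedKey));
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', sessionKey, raw(sealed.iv));
  decipher.setAuthTag(raw(sealed.tag));
  const plaintext = Buffer.concat([decipher.update(raw(sealed.body)), decipher.final()]);
  // A real server would also check the certificate's status with the CA (OCSP) at this point.
  if (!nodeCrypto.verify('sha256', plaintext, userPublicKey, raw(sealed.signature))) {
    throw new Error('signature does not match the submitted form data');
  }
  return JSON.parse(plaintext.toString('utf8'));
}

// Constructed sample transfer.
const sealed = sealForm({ account: '000-0000-0000', amount: '50000' },
  userKeys.privateKey, bankKeys.publicKey);
const opened = openForm(sealed, bankKeys.privateKey, userKeys.publicKey);
console.log(Object.keys(sealed), opened);
```

Only the five base64 strings travel in the form post; the server rejects the request if the ciphertext was altered or if the signature does not verify under the expected user's public key.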

In fact, it's almost the same as an SSL transaction. Every browser has a certificate manager with a user interface similar to the one Mr. Vladimir saw. Why didn't Koreans use the browser's built-in functions? One reason is the SEED encryption algorithm. The other is the digital signature function, which is not standardized in browsers. It is similar to crypto.signText(); in fact, it originated from that idea 10 years ago. The cryptographic ActiveX control has these functions.

Finally, I will explain the rest of the ActiveX controls. There have been financial incidents in which personal certificates and security numbers were stolen through key-logging tools. They were caused by users in Korea carelessly installing ActiveX controls. (Most people have been trained to click "Yes" on the Security Warning prompt when IE installs an ActiveX control. Why? Most public services use ActiveX. So people cannot avoid being infected by spyware or malware. It's just a vicious circle of security.) So most banks started to provide an anti-key-logging ActiveX control ("SoftCamp") and online firewall and antivirus ActiveX controls ("Hauri"). InsisWeb is only Shinhan's insurance-processing ActiveX control. As with the cryptographic ActiveX controls, there are several providers for each of these tools. So the number of installed ActiveX controls has kept increasing. Most Koreans probably have more than 10 ActiveX controls installed in order to use public services.

The problem is that all these ActiveX controls are tightly coupled and users have no right to choose among them. And that is not the end. Most e-government sites provide a DRM-enabled printing ActiveX control for all printer drivers. For credit card transactions, there are several providers, each with its own ActiveX control. In Korea, even Visa3D was run through ActiveX. (The government issued a guideline requiring the national CA system for credit card transactions over $300. So if you want to buy something in an online shopping mall, you must install all of the above.) If you want cyber trading…? Yes. There is another ActiveX.

It's a very serious situation. There were several warnings, with Windows XP SP2 and the end of support for Windows 98. But the Korean government ignored them, and most software companies have used dodging tactics to protect their business. Now it's not only SEED's problem in the Korean situation. It is almost a national intranet system optimized for Windows and Internet Explorer, attacked by inside hackers. It's Korean home brew.