[Ecommerce] security defect of GPKI

Takeshi Muramoto musan@mba.sphere.ne.jp
Tue Jan 21 10:55:00 2003


A group at an industrial technical research institute has pointed out that
the government public key infrastructure (GPKI) has a serious security
defect. GPKI is to be used as the basis of the "electronic government" that
carries out administrative procedures and similar services over the
Internet.
The group said that a third party abusing this defect could impersonate the
website of a government organization. As a result, there is a serious danger
that information belonging to a user or a company would be stolen.
This was announced at the Information Processing Society of Japan computer
security study group held in Osaka in November 2002.

The system in which the defect was found is the electronic application and
notification system. Both parts were developed by the Ministry of Public
Management, Home Affairs, Posts and Telecommunications. On this system, the
certificate authority of the Ministry of Public Management, Home Affairs,
Posts and Telecommunications first distributes, over the network, the root
certificate used for electronic signatures to users who want to carry out a
procedure requiring national approval. With that root certificate, the user
checks that the server they are connected to is the Ministry's computer, and
the subsequent communication between the two is then encrypted.

However, the Ministry of Public Management, Home Affairs, Posts and
Telecommunications normally has the user receive this certificate over the
Internet without encryption. It is therefore possible for a third party to
intercept and alter it in transit. If the certificate is altered, a third
party can set up a fake site and have it displayed as a verified, genuine
site. Consequently, the third party can steal information the user
transmits, such as a bank account number, or send the user a malicious
program that damages their personal computer.

The Ministry of Public Management, Home Affairs, Posts and
Telecommunications intends to have other ministries, government offices and
local governments use this system. The study group criticizes the Ministry,
saying that the present distribution method is dangerous and that the
certificate should be distributed over standard encrypted communication,
"SSL", using a certificate from a private-sector certificate authority.

The Ministry insists that using SSL would leave a fundamental part of the
government certification system to the private sector, although it admits
the possibility that the root certificate could be altered in transit.
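
As an added example (not from the original post, and not code from the Ministry's system), here is the check a client could apply to a root certificate received over an unencrypted connection: compare its SHA-256 fingerprint with a value published through an independent channel before trusting it. The certificate bytes and the published fingerprint are constructed for the example, and `tampered_in_transit` stands in for alteration of the download.

```python
# Added example: verify a root certificate fetched over an unencrypted
# channel against a fingerprint published out of band. Not GPKI code.
import base64
import hashlib
import hmac
import re

# Constructed stand-in for the genuine root's DER bytes (not a real X.509
# certificate; the check only needs the exact bytes the CA distributes).
GENUINE_ROOT_DER = b"CONSTRUCTED GPKI ROOT CA SAMPLE " + bytes(range(64))

# Value the CA publishes through an independent channel (printed gazette,
# telephone, a second site): SHA-256 over the genuine DER encoding.
PUBLISHED_FINGERPRINT = hashlib.sha256(GENUINE_ROOT_DER).hexdigest().upper()

def der_to_pem(der: bytes) -> str:
    """Wrap DER as PEM, the form a CA download page typically serves."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

def pem_to_der(pem: str) -> bytes:
    """Recover the DER bytes; fingerprints are always computed over DER."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case hex, the usual printed fingerprint form."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def normalize_fingerprint(fp: str) -> str:
    """Accept colon- or space-separated hex in either case."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())

def root_matches_published(pem: str, published: str) -> bool:
    """Install the root only if this returns True: a substituted root would
    let its holder sign a site that displays as the genuine government site."""
    actual = normalize_fingerprint(sha256_fingerprint(pem_to_der(pem)))
    return hmac.compare_digest(actual, normalize_fingerprint(published))

def tampered_in_transit(der: bytes) -> bytes:
    """Model alteration in transit: one changed byte already breaks the check."""
    return der[:-1] + bytes([der[-1] ^ 0x01])
```

A root that fails the comparison must not be installed, whatever the download page displays, since the page itself travelled over the same unprotected channel.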

Takeshi Muramoto