• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.1
• /
• pp.171-182
• /
• 2014

Common Criteria is a scheme that minimize IT products's vulnerabilities in accordance with the evaluation assurance level. SSDLC(Secure Software Development Lifecycle) is a methodology that reduce the weakness that can be used to generate vulnerabilities of software development life cycle. However, Common Criteria does not consider certificated IT products's vulnerabilities after certificated it. So, it can make a problem the safety and reliability of IT products. In addition, the developer and the evaluator have the burden of duplicating evaluations of IT products that introduce into the government business due to satisfy both Common Criteria and SSDLC. Thus, we researched the relationship among the Common Criteria, the static code analysis tools, and the SSDLC. And then, we proposed how to combine SSDLC into Common Criteria.

• Journal of KIISE:Information Networking
• /
• v.27 no.4
• /
• pp.465-475
• /
• 2000

초고속 통신망에서의 정보 침해는 짧은 시간에 많은 데이터의 손실을 초래할 수 있기 때문에 정보보호의 필요성이 제기되고 있다. ATM 망에서의 정보보안을 위해 보안 서비스를 ATM계층과 AAL 계층에 적용시킬 수도 있고 이 계층들 사이에도 적용시킬수 있으며 보안 계층을 따로 두어 보안 서비스를 하나의 계층에서 다양하고 투명하게 적용할 수 있다. 그러나 이러한 연구들의 결과가 이론에 그치고 있고 실제로 암호 알고리즘 등의 보안 서비스를 적용한 망에서의 성능을 평가하는 부분에 대해서는 연구가 부족한 상황이다. 본 논문에서는 사용자 평면에서 데이터의 비밀성, 무결성, 데이터 원천 인증 등의 보안 서비스를 적용한 보안 계층을 구현하고 SDL이라는 모델링 툴을 이용하여 망에서의 메시지 전달 지연 시간 등을 측정한후 그 성능을 비교.분석하였다 모델링하는 세가지 종류의 망은 첫 번째는 보안 서비스가 적용되지 않은 ATM망이고 두 번째는 보안계층이 CS 부계층과 SAR 부계층 사이에 삽입된 망이며 세 번째는 보안 계층이 ATM계층과 AAL계층 사이에 삽입된 망이다.

• Information and Communications Magazine
• /
• v.24 no.11
• /
• pp.51-57
• /
• 2007

본 고에서는 미 국방성(DoD: Department of Defense) 커뮤니티 지원 하에 국가안전보장국 (NSA: National Security Agency)에 의해 작성된 공개키 기반구조 및 키 관리 기반구조 보안토큰 보호프로파일에서의 평가대상(TOE: Target of Evaluation) 분석을 통해 보안토큰에서의 평가대상 (TOE)에 대한 응용과 보안환경에 대하여 분석한다.

• Journal of the Korean Institute of Illuminating and Electrical Installation Engineers
• /
• v.24 no.4
• /
• pp.50-56
• /
• 2010

Supervisory Control and Data Acquisition Systems (SCADAs) is real-time monitor and control systems. SCADA systems are used to monitor or control chemical and transportation processes, in municipal water supply systems, electric power generation, transmission and distribution, gas and oil pipelines, and other distributed processes. SCADA refers to a large-scale distributed system. The supervisory control system is placed on top of a real time control system to control external processes. Emerging security technologies and security devices are decreasing the vulnerability of the power system against cyber threats. Dealing with these threats and analyzing vulnerabilities is an important task for equipment such as RTU, IED and FEP. To reduce such risks, we develop such a SCADA testbed. This paper presents the development of a testbed designed to assess the vulnerabilities SCADA networks(including serial communication).

• Journal of Korea Multimedia Society
• /
• v.17 no.1
• /
• pp.52-59
• /
• 2014

These days, smart card management system(SCMS) have been broadly used for security conformability, efficiency of issuance management, key management and expert management in the smart card market. SCMS is composed of card management, issuance management, key management, application management, and issuers management systems. SCMS enables card issuers from banks, credit card companies, and telecommunications companies to provide these cards to card users. And then SCMS enables card users to download new programs to chips for use of these cards successively and provide related smart card data in safety and efficiency. In this paper, we propose a framework for security assessment and an efficient method for security improvement through fault analysis which is more effective.

• Journal of Internet Computing and Services
• /
• v.20 no.3
• /
• pp.111-117
• /
• 2019

We categorize the model of simple payment into Magnetic Secure Transmission, Near Filed Communication, and App Card based on the Focus Group Interview. We also define the key drivers for the diffusion of simple payment services based on the literature review with the experts. Through Analytic Hierarchy Process our finding suggests that the degree of acceptance at the stores is the most critical factor which decides the diffusion of simple payment service model. Security is also the important driver but due to the fact that service providers should follow the information security rule and supervisory guidance, it actually did not make a big difference in terms of assessing competence of each model.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.3
• /
• pp.687-704
• /
• 2017

As Korea's industrial competitiveness and technological prowess increase, collaboration and technical exchanges with contracting companies are increasing. In an environment where cooperation with the contracting company is unavoidable ordering companies are also striving to prevent leakage of technologies through various security systems, policy-making and security checks. However, although the contracting companies were assessed to have a high level of security management the leakage of technical datas are steadily increasing. Issues are being raised about the effectiveness of the security management assessment and the actual security management levels. Therefore, this study suggested a security management system model to improve security management efficiency in the general contract structure. To prove this, analyze the efficiency of 36 contractor companies for the technical datas security management system using the DEA model. The results of the analysis are reflected in the assessment results. Lastly, suggestions for improving the effectiveness of the technical datas security system are proposed.

• The KIPS Transactions:PartC
• /
• v.9C no.3
• /
• pp.367-374
• /
• 2002

IPsec offers not odd Internet security service such as Internet secure communication and authentication but also the safe key exchange and anti-replay attack mechanism. Recently IPsec is implemented on the various operating systems. But there is no existing tool that checks the servers, which provide IPsec services, work properly and provide their network security services well. In this paper, we design and implement the rule based security evaluation system for IPsec engine. This system operated on Windows and UNX platform. We developed the system using Java and C language.

• Convergence Security Journal
• /
• v.2 no.1
• /
• pp.17-33
• /
• 2002

The major goal of this study is to develop an index that can evaluate the quality of the appropriate network in a series of projections that analyze, design, and then build a network. The existing software engineering and/or the methods of developing a system are limited. The process of defining the requirements in building a network, designing the system, and building the network focuses on arranging the methods of building a network. Based upon this, we tried to develop a necessary index to evaluate the security of a network.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.6
• /
• pp.1407-1417
• /
• 2012

In order to protect a software system from security attacks, it is important to remove the software security weaknesses through the entire life cycle of software development. To remove the software weaknesses more effectively, software weaknesses are prioritized and sorted continuously. In this paper, we introduce the existing scoring systems for software weakness and software vulnerability, and propose a new quantitative standard for the scoring system, which helps evaluate the importance of software weakness objectively. We also demonstrate the practicability of the proposed standard by scoring 2011 CWE/SANS Top 25 list with the proposed standard and comparing it to the original score of MITRE.