• Title/Summary/Keyword: 보안취약점

Search Result 1,621, Processing Time 0.031 seconds

A Secure RFID Search Protocol Protecting Mobile Reader's Privacy Without On-line Server (온라인 서버가 없는 환경에서 이동형 리더의 프라이버시를 보호하는 안전한 RFID 검색 프로토콜)

  • Lim, Ji-Wwan;Oh, Hee-Kuck;Kim, Sang-Jin
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.20 no.2
    • /
    • pp.73-90
    • /
    • 2010
  • Recently, Tan et al. introduced a serverless search protocol in which a mobile reader maintains a tag authentication list and authenticates a tag using the list without connecting authentication server. A serverless RFID system is different from general RFID systems which use on-line server models. In the serverless RFID system, since the mobility of a personalized reader must be considered, we have to protect not only the privacy of a tag but also the privacy of a mobile reader. In this paper, we define new security requirements for serverless RFID search system and propose a secure serverless RFID search system. In our system, since tag authentication information maintained by a reader is updated in every session, we can provide the backward untraceability of a mobile reader. Also we use an encrypted timestamp to block a replay attack which is major weakness of search protocols. In addition, we define a new adversary model to analyze a serverless RFID search system and prove the security of our proposed system using the model.

OHDSI OMOP-CDM Database Security Weakness and Countermeasures (OHDSI OMOP-CDM 데이터베이스 보안 취약점 및 대응방안)

  • Lee, Kyung-Hwan;Jang, Seong-Yong
    • Journal of Information Technology Services
    • /
    • v.21 no.4
    • /
    • pp.63-74
    • /
    • 2022
  • Globally researchers at medical institutions are actively sharing COHORT data of patients to develop vaccines and treatments to overcome the COVID-19 crisis. OMOP-CDM, a common data model that efficiently shares medical data research independently operated by individual medical institutions has patient personal information (e.g. PII, PHI). Although PII and PHI are managed and shared indistinguishably through de-identification or anonymization in medical institutions they could not be guaranteed at 100% by complete de-identification and anonymization. For this reason the security of the OMOP-CDM database is important but there is no detailed and specific OMOP-CDM security inspection tool so risk mitigation measures are being taken with a general security inspection tool. This study intends to study and present a model for implementing a tool to check the security vulnerability of OMOP-CDM by analyzing the security guidelines for the US database and security controls of the personal information protection of the NIST. Additionally it intends to verify the implementation feasibility by real field demonstration in an actual 3 hospitals environment. As a result of checking the security status of the test server and the CDM database of the three hospitals in operation, most of the database audit and encryption functions were found to be insufficient. Based on these inspection results it was applied to the optimization study of the complex and time-consuming CDM CSF developed in the "Development of Security Framework Required for CDM-based Distributed Research" task of the Korea Health Industry Promotion Agency. According to several recent newspaper articles, Ramsomware attacks on financially large hospitals are intensifying. Organizations that are currently operating or will operate CDM databases need to install database audits(proofing) and encryption (data protection) that are not provided by the OMOP-CDM database template to prevent attackers from compromising.

Query-Efficient Black-Box Adversarial Attack Methods on Face Recognition Model (얼굴 인식 모델에 대한 질의 효율적인 블랙박스 적대적 공격 방법)

  • Seo, Seong-gwan;Son, Baehoon;Yun, Joobeom
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.32 no.6
    • /
    • pp.1081-1090
    • /
    • 2022
  • The face recognition model is used for identity recognition of smartphones, providing convenience to many users. As a result, the security review of the DNN model is becoming important, with adversarial attacks present as a well-known vulnerability of the DNN model. Adversarial attacks have evolved to decision-based attack techniques that use only the recognition results of deep learning models to perform attacks. However, existing decision-based attack technique[14] have a problem that requires a large number of queries when generating adversarial examples. In particular, it takes a large number of queries to approximate the gradient. Therefore, in this paper, we propose a method of generating adversarial examples using orthogonal space sampling and dimensionality reduction sampling to avoid wasting queries that are consumed to approximate the gradient of existing decision-based attack technique[14]. Experiments show that our method can reduce the perturbation size of adversarial examples by about 2.4 compared to existing attack technique[14] and increase the attack success rate by 14% compared to existing attack technique[14]. Experimental results demonstrate that the adversarial example generation method proposed in this paper has superior attack performance.

Blockchain (A-PBFT) Based Authentication Method for Secure Lora Network (안전한 Lora 네트워크를 위한 블록체인(A-PBFT) 기반 인증 기법)

  • Kim, Sang-Geun
    • Journal of Industrial Convergence
    • /
    • v.20 no.10
    • /
    • pp.17-24
    • /
    • 2022
  • Lora, a non-band network technology of the long-distance wireless standard LPWAN standard, uses ABP and OTTA methods and AES-128-based encryption algorithm (shared key) for internal terminal authentication and integrity verification. Lora's recent firmware tampering vulnerability and shared-key encryption algorithm structure make it difficult to defend against MITM attacks. In this study, the consensus algorithm(PBFT) is applied to the Lora network to enhance safety. It performs authentication and PBFT block chain creation by searching for node groups using the GPS module. As a result of the performance analysis, we established a new Lora trust network and proved that the latency of the consensus algorithm was improved. This study is a 4th industry convergence study and is intended to help improve the security technology of Lora devices in the future.

A Blockchain-based User-centric Role Based Access Control Mechanism (블록체인 기반의 사용자 중심 역할기반 접근제어 기법 연구)

  • Lee, YongJoo;Woo, SungHee
    • Journal of the Korea Institute of Information and Communication Engineering
    • /
    • v.26 no.7
    • /
    • pp.1060-1070
    • /
    • 2022
  • With the development of information technology, the size of the system has become larger and diversified, and the existing role-based access control has faced limitations. Blockchain technology is being used in various fields by presenting new solutions to existing security vulnerabilities. This paper suggests efficient role-based access control in a blockchain where the required gas and processing time vary depending on the access frequency and capacity of the storage. The proposed method redefines the role of reusable units, introduces a hierarchical structure that can efficiently reflect dynamic states to enhance efficiency and scalability, and includes user-centered authentication functions to enable cryptocurrency linkage. The proposed model was theoretically verified using Markov chain, implemented in Ethereum private network, and compared experiments on representative functions were conducted to verify the time and gas efficiency required for user addition and transaction registration. Based on this in the future, structural expansion and experiments are required in consideration of exception situations.

Anonymous Electronic Promissory Note System Based on Blockchain (블록체인 기반 익명 전자 어음 시스템)

  • HyunJoo Woo;Hyoseung Kim;Dong Hoon Lee
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.33 no.6
    • /
    • pp.947-960
    • /
    • 2023
  • In Korea, traditional paper promissory notes are currently undergoing a transformation, being gradually replaced by electronic notes. This transformation is being steered under the Korea Financial Telecommunications Institute, a trusted authority. However, existing electronic systems have security vulnerabilities, including the risk of hacking and internal errors within the institute. To this end, we have defined a novel anonymous electronic promissory note system based on blockchain. We have constructed a concrete protocol and conducted security analysis of our protocol. Note that, in our protocol, every note information is committed so that the note remains undisclosed until the point of payment. Once the note information becomes public on the blockchain, it enables the detection of illicit activities, such as money laundering and tax evasion. Furthermore, our protocol incorporates a feature of split endorsement, which is a crucial functionality permitted by the Korean electronic note system. Consequently, our proposed protocol is suitable for practical applications in financial transactions.

Effective Adversarial Training by Adaptive Selection of Loss Function in Federated Learning (연합학습에서의 손실함수의 적응적 선택을 통한 효과적인 적대적 학습)

  • Suchul Lee
    • Journal of Internet Computing and Services
    • /
    • v.25 no.2
    • /
    • pp.1-9
    • /
    • 2024
  • Although federated learning is designed to be safer than centralized methods in terms of security and privacy, it still has many vulnerabilities. An attacker performing an adversarial attack intentionally manipulates the deep learning model by injecting carefully crafted input data, that is, adversarial examples, into the client's training data to induce misclassification. A common defense strategy against this is so-called adversarial training, which involves preemptively learning the characteristics of adversarial examples into the model. Existing research assumes a scenario where all clients are under adversarial attack, but considering the number of clients in federated learning is very large, this is far from reality. In this paper, we experimentally examine aspects of adversarial training in a scenario where some of the clients are under attack. Through experiments, we found that there is a trade-off relationship in which the classification accuracy for normal samples decreases as the classification accuracy for adversarial examples increases. In order to effectively utilize this trade-off relationship, we present a method to perform adversarial training by adaptively selecting a loss function depending on whether the client is attacked.

A Scheme for Identifying Malicious Applications Based on API Characteristics (API 특성 정보기반 악성 애플리케이션 식별 기법)

  • Cho, Taejoo;Kim, Hyunki;Lee, Junghwan;Jung, Moongyu;Yi, Jeong Hyun
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.26 no.1
    • /
    • pp.187-196
    • /
    • 2016
  • Android applications are inherently vulnerable to a repackaging attack such that malicious codes are easily inserted into an application and then resigned by the attacker. These days, it occurs often that such private or individual information is leaked. In principle, all Android applications are composed of user defined methods and APIs. As well as accessing to resources on platform, APIs play a role as a practical functional feature, and user defined methods play a role as a feature by using APIs. In this paper we propose a scheme to analyze sensitive APIs mostly used in malicious applications in terms of how malicious applications operate and which API they use. Based on the characteristics of target APIs, we accumulate the knowledge on such APIs using a machine learning scheme based on Naive Bayes algorithm. Resulting from the learned results, we are able to provide fine-grained numeric score on the degree of vulnerabilities of mobile applications. In doing so, we expect the proposed scheme will help mobile application developers identify the security level of applications in advance.

ID-Based Proxy Re-encryption Scheme with Chosen-Ciphertext Security (CCA 안전성을 제공하는 ID기반 프락시 재암호화 기법)

  • Koo, Woo-Kwon;Hwang, Jung-Yeon;Kim, Hyoung-Joong;Lee, Dong-Hoon
    • Journal of the Institute of Electronics Engineers of Korea CI
    • /
    • v.46 no.1
    • /
    • pp.64-77
    • /
    • 2009
  • A proxy re-encryption scheme allows Alice to temporarily delegate the decryption rights to Bob via a proxy. Alice gives the proxy a re-encryption key so that the proxy can convert a ciphertext for Alice into the ciphertext for Bob. Recently, ID-based proxy re-encryption schemes are receiving considerable attention for a variety of applications such as distributed storage, DRM, and email-forwarding system. And a non-interactive identity-based proxy re-encryption scheme was proposed for achieving CCA-security by Green and Ateniese. In the paper, we show that the identity-based proxy re-encryption scheme is unfortunately vulnerable to a collusion attack. The collusion of a proxy and a malicious user enables two parties to derive other honest users' private keys and thereby decrypt ciphertexts intended for only the honest user. To solve this problem, we propose two ID-based proxy re-encryption scheme schemes, which are proved secure under CPA and CCA in the random oracle model. For achieving CCA-security, we present self-authentication tag based on short signature. Important features of proposed scheme is that ciphertext structure is preserved after the ciphertext is re-encrypted. Therefore it does not lead to ciphertext expansion. And there is no limitation on the number of re-encryption.

A Case Study on the Implementation of a River Water Level Monitoring System using PLC(Programmable Logic Controller) and Public Telecommunication Network (PLC(Programmable Logic Controller)와 공중통신망을 이용한 하천수위감시시스템 구축 사례 연구)

  • Kim, Seokju;Kim, Minsoo
    • The Journal of Society for e-Business Studies
    • /
    • v.20 no.4
    • /
    • pp.1-17
    • /
    • 2015
  • A river water level monitoring system which prevents salt water damages and effectively excludes floods has been developed to contribute efficient operation of Nakdong river estuary barrage. The system can be used for monitoring upstream conditions more quickly and do appropriate responses over changes. Telemetry and telecontrols using PLCs have been built at the three sites that directly influence on the operation of barrage gates, and are linked to Nakdong river estuary barrage's IOS (Integrated Operation System) through public communication networks. By using PLC, the system can achieve even higher reliability and versatility than before as well as easy management. By power control devices, we can remotely control the power of PLCs to treat the minor troubles instantly without going on-sites. The power control devices also save data in preparation for the cases of communication failures. The system uses ADSL (FTTH) as a main network between SCADA server and PLCs, and CDMA (M2M) as a secondary network. In order to compensate security vulnerabilities of public communication network, we have installed the VPNs for secure communication between center and the observation stations, just like a dedicated network. Generally, river water level observations have been used custom-manufactured remote terminals to suit their special goals. However, in this case, we have established a system with open architecture considering the interface between different systems, the ease of use and maintenance, security, price, etc.