• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.20 no.2
• /
• pp.73-90
• /
• 2010

Recently, Tan et al. introduced a serverless search protocol in which a mobile reader maintains a tag authentication list and authenticates a tag using the list without connecting authentication server. A serverless RFID system is different from general RFID systems which use on-line server models. In the serverless RFID system, since the mobility of a personalized reader must be considered, we have to protect not only the privacy of a tag but also the privacy of a mobile reader. In this paper, we define new security requirements for serverless RFID search system and propose a secure serverless RFID search system. In our system, since tag authentication information maintained by a reader is updated in every session, we can provide the backward untraceability of a mobile reader. Also we use an encrypted timestamp to block a replay attack which is major weakness of search protocols. In addition, we define a new adversary model to analyze a serverless RFID search system and prove the security of our proposed system using the model.

• Journal of Information Technology Services
• /
• v.21 no.4
• /
• pp.63-74
• /
• 2022

Globally researchers at medical institutions are actively sharing COHORT data of patients to develop vaccines and treatments to overcome the COVID-19 crisis. OMOP-CDM, a common data model that efficiently shares medical data research independently operated by individual medical institutions has patient personal information (e.g. PII, PHI). Although PII and PHI are managed and shared indistinguishably through de-identification or anonymization in medical institutions they could not be guaranteed at 100% by complete de-identification and anonymization. For this reason the security of the OMOP-CDM database is important but there is no detailed and specific OMOP-CDM security inspection tool so risk mitigation measures are being taken with a general security inspection tool. This study intends to study and present a model for implementing a tool to check the security vulnerability of OMOP-CDM by analyzing the security guidelines for the US database and security controls of the personal information protection of the NIST. Additionally it intends to verify the implementation feasibility by real field demonstration in an actual 3 hospitals environment. As a result of checking the security status of the test server and the CDM database of the three hospitals in operation, most of the database audit and encryption functions were found to be insufficient. Based on these inspection results it was applied to the optimization study of the complex and time-consuming CDM CSF developed in the "Development of Security Framework Required for CDM-based Distributed Research" task of the Korea Health Industry Promotion Agency. According to several recent newspaper articles, Ramsomware attacks on financially large hospitals are intensifying. Organizations that are currently operating or will operate CDM databases need to install database audits(proofing) and encryption (data protection) that are not provided by the OMOP-CDM database template to prevent attackers from compromising.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.6
• /
• pp.1081-1090
• /
• 2022

The face recognition model is used for identity recognition of smartphones, providing convenience to many users. As a result, the security review of the DNN model is becoming important, with adversarial attacks present as a well-known vulnerability of the DNN model. Adversarial attacks have evolved to decision-based attack techniques that use only the recognition results of deep learning models to perform attacks. However, existing decision-based attack technique[14] have a problem that requires a large number of queries when generating adversarial examples. In particular, it takes a large number of queries to approximate the gradient. Therefore, in this paper, we propose a method of generating adversarial examples using orthogonal space sampling and dimensionality reduction sampling to avoid wasting queries that are consumed to approximate the gradient of existing decision-based attack technique[14]. Experiments show that our method can reduce the perturbation size of adversarial examples by about 2.4 compared to existing attack technique[14] and increase the attack success rate by 14% compared to existing attack technique[14]. Experimental results demonstrate that the adversarial example generation method proposed in this paper has superior attack performance.

• Journal of Industrial Convergence
• /
• v.20 no.10
• /
• pp.17-24
• /
• 2022

Lora, a non-band network technology of the long-distance wireless standard LPWAN standard, uses ABP and OTTA methods and AES-128-based encryption algorithm (shared key) for internal terminal authentication and integrity verification. Lora's recent firmware tampering vulnerability and shared-key encryption algorithm structure make it difficult to defend against MITM attacks. In this study, the consensus algorithm(PBFT) is applied to the Lora network to enhance safety. It performs authentication and PBFT block chain creation by searching for node groups using the GPS module. As a result of the performance analysis, we established a new Lora trust network and proved that the latency of the consensus algorithm was improved. This study is a 4th industry convergence study and is intended to help improve the security technology of Lora devices in the future.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.26 no.7
• /
• pp.1060-1070
• /
• 2022

With the development of information technology, the size of the system has become larger and diversified, and the existing role-based access control has faced limitations. Blockchain technology is being used in various fields by presenting new solutions to existing security vulnerabilities. This paper suggests efficient role-based access control in a blockchain where the required gas and processing time vary depending on the access frequency and capacity of the storage. The proposed method redefines the role of reusable units, introduces a hierarchical structure that can efficiently reflect dynamic states to enhance efficiency and scalability, and includes user-centered authentication functions to enable cryptocurrency linkage. The proposed model was theoretically verified using Markov chain, implemented in Ethereum private network, and compared experiments on representative functions were conducted to verify the time and gas efficiency required for user addition and transaction registration. Based on this in the future, structural expansion and experiments are required in consideration of exception situations.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.33 no.6
• /
• pp.947-960
• /
• 2023

In Korea, traditional paper promissory notes are currently undergoing a transformation, being gradually replaced by electronic notes. This transformation is being steered under the Korea Financial Telecommunications Institute, a trusted authority. However, existing electronic systems have security vulnerabilities, including the risk of hacking and internal errors within the institute. To this end, we have defined a novel anonymous electronic promissory note system based on blockchain. We have constructed a concrete protocol and conducted security analysis of our protocol. Note that, in our protocol, every note information is committed so that the note remains undisclosed until the point of payment. Once the note information becomes public on the blockchain, it enables the detection of illicit activities, such as money laundering and tax evasion. Furthermore, our protocol incorporates a feature of split endorsement, which is a crucial functionality permitted by the Korean electronic note system. Consequently, our proposed protocol is suitable for practical applications in financial transactions.

• Journal of Internet Computing and Services
• /
• v.25 no.2
• /
• pp.1-9
• /
• 2024

Although federated learning is designed to be safer than centralized methods in terms of security and privacy, it still has many vulnerabilities. An attacker performing an adversarial attack intentionally manipulates the deep learning model by injecting carefully crafted input data, that is, adversarial examples, into the client's training data to induce misclassification. A common defense strategy against this is so-called adversarial training, which involves preemptively learning the characteristics of adversarial examples into the model. Existing research assumes a scenario where all clients are under adversarial attack, but considering the number of clients in federated learning is very large, this is far from reality. In this paper, we experimentally examine aspects of adversarial training in a scenario where some of the clients are under attack. Through experiments, we found that there is a trade-off relationship in which the classification accuracy for normal samples decreases as the classification accuracy for adversarial examples increases. In order to effectively utilize this trade-off relationship, we present a method to perform adversarial training by adaptively selecting a loss function depending on whether the client is attacked.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.26 no.1
• /
• pp.187-196
• /
• 2016

Android applications are inherently vulnerable to a repackaging attack such that malicious codes are easily inserted into an application and then resigned by the attacker. These days, it occurs often that such private or individual information is leaked. In principle, all Android applications are composed of user defined methods and APIs. As well as accessing to resources on platform, APIs play a role as a practical functional feature, and user defined methods play a role as a feature by using APIs. In this paper we propose a scheme to analyze sensitive APIs mostly used in malicious applications in terms of how malicious applications operate and which API they use. Based on the characteristics of target APIs, we accumulate the knowledge on such APIs using a machine learning scheme based on Naive Bayes algorithm. Resulting from the learned results, we are able to provide fine-grained numeric score on the degree of vulnerabilities of mobile applications. In doing so, we expect the proposed scheme will help mobile application developers identify the security level of applications in advance.

• Journal of the Institute of Electronics Engineers of Korea CI
• /
• v.46 no.1
• /
• pp.64-77
• /
• 2009

A proxy re-encryption scheme allows Alice to temporarily delegate the decryption rights to Bob via a proxy. Alice gives the proxy a re-encryption key so that the proxy can convert a ciphertext for Alice into the ciphertext for Bob. Recently, ID-based proxy re-encryption schemes are receiving considerable attention for a variety of applications such as distributed storage, DRM, and email-forwarding system. And a non-interactive identity-based proxy re-encryption scheme was proposed for achieving CCA-security by Green and Ateniese. In the paper, we show that the identity-based proxy re-encryption scheme is unfortunately vulnerable to a collusion attack. The collusion of a proxy and a malicious user enables two parties to derive other honest users' private keys and thereby decrypt ciphertexts intended for only the honest user. To solve this problem, we propose two ID-based proxy re-encryption scheme schemes, which are proved secure under CPA and CCA in the random oracle model. For achieving CCA-security, we present self-authentication tag based on short signature. Important features of proposed scheme is that ciphertext structure is preserved after the ciphertext is re-encrypted. Therefore it does not lead to ciphertext expansion. And there is no limitation on the number of re-encryption.

• The Journal of Society for e-Business Studies
• /
• v.20 no.4
• /
• pp.1-17
• /
• 2015

A river water level monitoring system which prevents salt water damages and effectively excludes floods has been developed to contribute efficient operation of Nakdong river estuary barrage. The system can be used for monitoring upstream conditions more quickly and do appropriate responses over changes. Telemetry and telecontrols using PLCs have been built at the three sites that directly influence on the operation of barrage gates, and are linked to Nakdong river estuary barrage's IOS (Integrated Operation System) through public communication networks. By using PLC, the system can achieve even higher reliability and versatility than before as well as easy management. By power control devices, we can remotely control the power of PLCs to treat the minor troubles instantly without going on-sites. The power control devices also save data in preparation for the cases of communication failures. The system uses ADSL (FTTH) as a main network between SCADA server and PLCs, and CDMA (M2M) as a secondary network. In order to compensate security vulnerabilities of public communication network, we have installed the VPNs for secure communication between center and the observation stations, just like a dedicated network. Generally, river water level observations have been used custom-manufactured remote terminals to suit their special goals. However, in this case, we have established a system with open architecture considering the interface between different systems, the ease of use and maintenance, security, price, etc.