• Proceedings of the Korea Information Processing Society Conference
• /
• 2007.11a
• /
• pp.1266-1269
• /
• 2007

IPv6 환경에서는 NDP(Neighbor Discovery Protocol)를 이용한 주소 자동 설정 메커니즘을 지원한다. 그러나, NDP 는 메시지 내 중요 정보가 네트워크 상에 그대로 노출됨으로 인해 각종 공격에 취약하다. 이러한 취약성을 극복하기 위해, CGA(Cryptographically Generated Address)를 사용하여 주소의 소유권 증명이 가능한 SEND(SEcure Neighbor Discovery)가 도입되었다. 그러나 SEND 는 높은 비용 연산으로 인해 모바일 기기 등에 적용하는데 한계점을 가진다. SEND 의 한계점을 보완하고자 해쉬 함수를 이용해 주소 자동 설정에 사용되는 임시 주소를 감추는 기법이 제안되었다. 이 기법은 DAD(Duplicate Address Detection) 과정 중 SEND 수준의 보안을 제공하면서도 빠르게 동작할 수 있는 장점을 갖는다. 본 논문에서는 리눅스 환경에서 제안 기법을 구현해 보고, 주소 생성 시간 측정 및 DAD 과정에서 드러난 서비스 거부 공격에 대한 안전성을 검증한다.

• Journal of KIISE:Information Networking
• /
• v.29 no.3
• /
• pp.286-298
• /
• 2002

The Remote Procedure Call(RPC) has been traditionally used for Inter Process Communication(IPC) among precesses in distributed computing environment. As distributed applications have been complicated more and more, the Mobile Agent paradigm for IPC is emerged. Because there are some paradigms for IPC, researches to evaluate and compare the performance of each paradigm are issued recently. But the performance models used in the previous research did not reflect real distributed computing environment correctly, because they did not consider the evacuation elements for providing security services. Since real distributed environment is open, it is very vulnerable to a variety of attacks. In order to execute applications securely in distributed computing environment, security services which protect applications and information against the attacks must be considered. In this paper, we evaluate and compare the performance of the Remote Procedure Call with that of the Mobile Agent in IPC paradigms. We examine security services to execute applications securely, and propose new performance models considering those services. We design performance models, which describe information retrieval system through N database services, using Petri Net. We compare the performance of two paradigms by assigning numerical values to parameters and measuring the execution time of two paradigms. In this paper, the comparison of two performance models with security services for secure communication shows the results that the execution time of the Remote Procedure Call performance model is sharply increased because of many communications with the high cryptography mechanism between hosts, and that the execution time of the Mobile Agent model is gradually increased because the Mobile Agent paradigm can reduce the quantity of the communications between hosts.

• Journal of Internet Computing and Services
• /
• v.21 no.1
• /
• pp.17-31
• /
• 2020

With the rapid development of block chain technology, attempts have been made to put the block chain technology into practical use in various fields such as finance and logistics, and also in the public sector where data integrity is very important. Defense Operations In addition, strengthening security and ensuring complete integrity of the command communication network is crucial for operational operation under the network-centered operational environment (NCOE). For this purpose, it is necessary to construct a command communication network applying the block chain network. However, the block chain technology up to now can not solve the security issues such as the 51% attack. In particular, the Practical Byzantine fault tolerance (PBFT) algorithm which is now widely used in blockchain, does not have a penalty factor for nodes that behave maliciously, and there is a problem of failure to make a consensus even if malicious nodes are more than 33% of all nodes. In this paper, we propose a Adaptive Consensus Bound PBFT (ACB-PBFT) algorithm that incorporates a penalty mechanism for anomalous behavior by combining the Trust model to improve the security of the PBFT, which is the main agreement algorithm of the blockchain.

• The Journal of the Institute of Internet, Broadcasting and Communication
• /
• v.18 no.4
• /
• pp.19-26
• /
• 2018

In recent years, the substantial increase in the population's average age leads to an exceeded number of older persons comparing with the number of any other age group. As a result, both industry and academia are focused on the development of several solutions aimed to guarantee a healthy and safe lifestyle to the elderly. Ambient Assisted Living (AAL) approach is the way to guarantee better life conditions for the aged and for monitoring their health conditions by the development of innovative technologies and services. AAL technologies can also provide more safety for the elderly, offering emergency response mechanisms, fall detection solutions, and video surveillance systems. Unfortunately, due to the sensitive nature of AAL data, AAL systems should satisfy security requirements such as integrity, confidentiality, availability, anonymity, and others. In this paper, we propose an adaptive authentication protocol for the AAL systems. The proposed authentication protocol not only supports several important security requirements needed by the AAL systems, but can also withstand various types of attacks. In addition, the security analysis results show that the proposed authentication protocol is more efficient and secure than the existing authentication protocols.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.16 no.3
• /
• pp.39-52
• /
• 2006

Recently purpose is used by an crucial part to security management when collecting data about privacy. The W3C(World Wide Web Consortium) describes a standard spec to control personal data that is provided by data providers who visit the web site. But they don't say anymore about security management about personal data in transit after data collection. Recently several researches, such as Hippocratic Databases, Purpose Based Access Control and Hippocratic in Databases, are dealing with security management using purpose concept and access control mechanism after data collection a W3C's standard spec about data collection mechanism but they couldn't suggest an efficient mechanism for privacy protection about personal data because they couldn't represent purpose expression and management of purposes sufficiently. In this paper we suggest a mechanism to improve the purpose expression. And then we suggest an accesscontrol mechanism that is under least privilege principle using the purpose classification for privacy protection. We classify purpose into Along purpose structure, Inheritance purpose structure and Stream purpose structure. We suggest different mechanisms to deal with then We use the role hierarchy structure of RBAC(Role-Based Access Control) for flexibility about access control and suggest mechanisms that provide the least privilege for processing the task in case that is satisfying using several features of purpose to get least privilege of a task that is a nit of business process.

• Convergence Security Journal
• /
• v.24 no.1
• /
• pp.51-57
• /
• 2024

Although industrial control systems (ICSs) recently keep evolving with the introduction of Industrial IoT converging information technology (IT) and operational technology (OT), it also leads to a variety of threats and vulnerabilities, which was not experienced in the past ICS with no connection to the external network. Since various control command messages are sent to field devices of the ICS for the purpose of monitoring and controlling the operational processes, it is required to guarantee the message integrity as well as control center authentication. In case of the conventional message integrity codes and signature schemes based on symmetric keys and public keys, respectively, they are not suitable considering the asymmetry between the control center and field devices. Especially, compromised node attacks can be mounted against the symmetric-key-based schemes. In this paper, we propose message authentication scheme based on double hash chains constructed from cryptographic hash function without introducing other primitives, and then propose extension scheme using Merkle tree for multiple uses of the double hash chains. It is shown that the proposed scheme is much more efficient in computational complexity than other conventional schemes.

• Journal of KIISE:Computing Practices and Letters
• /
• v.12 no.3
• /
• pp.192-207
• /
• 2006

Today, the SSL protocol has been used as core part in various computing environments or security systems. But, the SSL protocol has several problems, because of the rigidity on operating. First, SSL protocol brings considerable burden to the CPU utilization so that performance of the security service in encryption transaction is lowered because it encrypts all data which is transferred between a server and a client. Second, SSL protocol can be vulnerable for cryptanalysis due to the key in fixed algorithm being used. Third, it is difficult to add and use another new cryptography algorithms. Finally. it is difficult for developers to learn use cryptography API(Application Program Interface) for the SSL protocol. Hence, we need to cover these problems, and, at the same time, we need the secure and comfortable method to operate the SSL protocol and to handle the efficient data. In this paper, we propose the SSL component which is designed and implemented using CBD(Component Based Development) concept to satisfy these requirements. The SSL component provides not only data encryption services like the SSL protocol but also convenient APIs for the developer unfamiliar with security. Further, the SSL component can improve the productivity and give reduce development cost. Because the SSL component can be reused. Also, in case of that new algorithms are added or algorithms are changed, it Is compatible and easy to interlock. SSL Component works the SSL protocol service in application layer. First of all, we take out the requirements, and then, we design and implement the SSL Component, confidentiality and integrity component, which support the SSL component, dependently. These all mentioned components are implemented by EJB, it can provide the efficient data handling when data is encrypted/decrypted by choosing the data. Also, it improves the usability by choosing data and mechanism as user intend. In conclusion, as we test and evaluate these component, SSL component is more usable and efficient than existing SSL protocol, because the increase rate of processing time for SSL component is lower that SSL protocol's.

• Journal of the Institute of Electronics Engineers of Korea TC
• /
• v.45 no.10
• /
• pp.40-48
• /
• 2008

Security of self organized mobile ad hoc networks is an important issue because administration information in the networks is managed by the constituent nodes. Especially authentication mechanism is necessary for trust setup between newly joining nodes and the network. The authentication models and protocols which are based on the wireline infrastructure could not be practical for mobile ad hoc network. Although public key algorithm-based method is widely used for authentication, it is not easy to be applied to mobile ad hoc networks because they do not have infrastructure such as centralized CA which is needed for certificate verification. In this paper, we consider the public key based random CA group method proposed in [1] to provide efficient authentication scheme to mobile ad hoc networks and analyze the performance of the method, which is then compared to the home CA method. From the analysis results, we see that the random CA method where the function of CA is distributed to some mobile nodes and the authentication information is propagated to randomly chosen CAs shows higher reliability and lower cost than home CA method.

• The KIPS Transactions:PartC
• /
• v.12C no.4 s.100
• /
• pp.473-480
• /
• 2005

We can obtain useful information by deploying large scale sensor networks in various situations. Security is also a major concern in sensor networks, and we need to establish pairwise keys between sensor nodes for secure communication. In this paper, we propose new pairwise key establishment mechanism based on clustering and polynomial sharing. In the mechanism, we divide the network field into clusters, and based on the polynomial-based key distribution mechanism we create bivariate Polynomials and assign unique polynomial to each cluster. Each pair of sensor nodes located in the same cluster can compute their own pairwise keys through assigned polynomial shares from the same polynomial. Also, in our proposed scheme, sensors, which are in each other's transmission range and located in different clusters, can establish path key through their clusterheads. However, path key establishment can increase the network overhead. The number of the path keys and tine for path key establishment of our scheme depend on the number of sensors, cluster size, sensor density and sensor transmission range. The simulation result indicates that these schemes can achieve better performance if suitable conditions are met.

• Journal of KIISE:Information Networking
• /
• v.34 no.5
• /
• pp.405-422
• /
• 2007

Recently, according to the network environment, there are many researches for home network. Nowadays, in home network, the method that access control policy is managed for each home device by using ACL is popular, and EAM (Extranet access management) is applied as a solution. In addition, the research about secure OS is ongoing based on open operating system and the research of user authentication mechanisms for home network using home server is also in progress. However, these researches have some problems as follows; First, the transmission scope of expected access technology in home network is wide, so unauthenticated outside terminal can access the home network. Second, user is inconvenient because user need to set the necessary information for each device. Third, user privacy and convenience are not considered. OSGi provides a service platform for heterogeneous technologies in home network environment. Here, user access control is one of the core parts which should have no problems such as above items, but there are no concrete researches yet. Thus in this paper, we propose an access control policy management framework and access control operation based on RBAC for user access control in home network environment in which OSGi service platform is operated. First, we list the consideration which is not clearly mentioned in OSGi standard, and then we solve these above problems through new framework. In addition, we propose the effective and economical operation method which reduces the policy change frequency for user access control by using RBAC concept though limited resource of home gateway. Besides, in this paper, these proposed policies are defined separately as user-role assignment policy and permission-role assignment policy, and user decide their own policies. In conclusion, we provide the scheme to enhance the user convenience and to solve the privacy problem.