• The KIPS Transactions:PartC
• /
• v.18C no.6
• /
• pp.369-378
• /
• 2011

To ensure data confidentiality and fine-grained access control in business environment, system model using KP-ABE(Key Policy-Attribute Based Encryption) and PRE(Proxy Re-Encryption) has been proposed recently. However, in previous study, data confidentiality has been effected by decryption right concentrated on cloud server. Also, Yu's work does not consider a access privilege management, so existing work become dangerous to collusion attack between malicious user and cloud server. To resolve this problem, we propose secure system model against collusion attack through dividing data file into header which is sent to privilege manager group and body which is sent to cloud server. And we construct the model of access privilege management using AONT based XOR threshold Secret Sharing, In addition, our scheme enable to grant weight for access privilege using XOR Share. In chapter 4, we differentiate existing scheme and proposed scheme.

• Journal of Advanced Navigation Technology
• /
• v.13 no.4
• /
• pp.586-599
• /
• 2009

Recently, a lot of nations are establish and researches the u-City which ubiquitous technology based city, and u-City Management Center(UMC) is also establish and researches. Technical researches of UMC are increasing. However, administrator privilege management researches for UMC is not enough. If we don't manage to administrator privilege who can access and control all of information in UMC, security problems will be occurs. Therefore, in this paper, analyses of administrator privilege management security problems, and proposed administrator privilege management system classification.

• Journal of Korean Society of Industrial and Systems Engineering
• /
• v.24 no.66
• /
• pp.27-35
• /
• 2001

The Gateway Server Authorization System(GSAS) presented in this thesis is a database authorization system. GSAS is responsible for user\`s authorization, and privilege management, audit service. Only users that are filtered in GSAS can access the DBMS(Data Base Management System) through middleware. GSAS is located at the DBMS and already contains an authorization record for user accessing a specific DBMS. GSAS on consists of several components, namely an authorization manager, a privilege manager, and an audit manager. As an authorization manager and a privilege manager can only approve a pass at the same time, a user can get accessibility for DBMS.

• Journal of Korea Society of Digital Industry and Information Management
• /
• v.15 no.3
• /
• pp.101-109
• /
• 2019

In addition to enabling access, database accounts play a protective role by defending the database from external attacks. However, because only a single account is used in the database, the account becomes the subject of vulnerability attacks. This common practice is due to the lack of database support, large numbers of users, and row-based database permissions. Therefore if the logic of the application is wrong or vulnerable, there is a risk of exposing the entire database. In this paper, we propose a Least-Privilege Account Separation Model (LPASM) that serves as an information guardian to protect the database from attacks. We separate database accounts depending on the role of application services. This model can protect the database from malicious attacks and prevent damage caused by privilege escalation by an attacker. We classify the account control policies into four categories and propose detailed roles and operating plans for each account.

• Journal of Internet Computing and Services
• /
• v.7 no.5
• /
• pp.109-121
• /
• 2006

In this paper, we suggest lattice based role graph security management model which changes security level in mandatory access control model as well as constraint and role hierarchy systematically in role base access control model. In this model, we solved privilege abuse of senior role that is role graph model's problem, and when produce conflict between privileges, we can keep integrity of information by reseting grade of subject through constraint. Also, we offer strong security function by doing to be controlled by subject's security level as well as privilege inheritance by role hierarchy, Finally, we present the role graph algorithms with logic to disallow roles that contain conflicting privileges.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.37 no.4B
• /
• pp.288-299
• /
• 2012

To ensure data confidentiality and fine-grained access control in business environment, system model using KP-ABE(Key Policy-Attribute Based Encryption) and PRE(Proxy Re-Encryption) has been proposed recently. However, in previous study, data confidentiality has been effected by decryption right concentrated on cloud server. Also, Yu's work does not consider a access privilege management, so existing work become dangerous to collusion attack between malicious user and cloud server. To resolve this problem, we propose secure system model against collusion attack through dividing data file into header which is sent to privilege manager group and body which is sent to cloud server and prevent modification attack for proxy re-encryption key using d Secret Sharing, We construct protocol model in medical environment.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.16 no.3
• /
• pp.39-52
• /
• 2006

Recently purpose is used by an crucial part to security management when collecting data about privacy. The W3C(World Wide Web Consortium) describes a standard spec to control personal data that is provided by data providers who visit the web site. But they don't say anymore about security management about personal data in transit after data collection. Recently several researches, such as Hippocratic Databases, Purpose Based Access Control and Hippocratic in Databases, are dealing with security management using purpose concept and access control mechanism after data collection a W3C's standard spec about data collection mechanism but they couldn't suggest an efficient mechanism for privacy protection about personal data because they couldn't represent purpose expression and management of purposes sufficiently. In this paper we suggest a mechanism to improve the purpose expression. And then we suggest an accesscontrol mechanism that is under least privilege principle using the purpose classification for privacy protection. We classify purpose into Along purpose structure, Inheritance purpose structure and Stream purpose structure. We suggest different mechanisms to deal with then We use the role hierarchy structure of RBAC(Role-Based Access Control) for flexibility about access control and suggest mechanisms that provide the least privilege for processing the task in case that is satisfying using several features of purpose to get least privilege of a task that is a nit of business process.

• The KIPS Transactions:PartC
• /
• v.19C no.1
• /
• pp.63-70
• /
• 2012

To ensure privacy of individual information in remote healthcare service, health data should be protected through a secure technology such as encryption scheme. Only user who delegated decryption right can access to sensitive health data and delegator needs capability for revocating access privilege. Recently, in ubiquitous environment, CP-ABTD(Ciphertext-Policy Attribute-Based Threshold Decryption with Flexible Delegation and Revocation of User Attributes) which extends CP-ABE(Ciphertext-Policy Attribute-Based Encryption) has been proposed for these requirements. In this paper, we construct remote healthcare monitoring system with delegation and revocation capability for attribute in CP-ABTD. Finally, we analyze collusion attack between users in our system.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.13 no.4
• /
• pp.37-45
• /
• 2003

Role-based Access Control(RBAC) model has advantage of easy management of access control with constraints such as permission inheritance and separation of duty in role hierarchy. However, previous RBAC studies could not properly reflect the real-world organization structure with its role hierarchy. User who is a member of senior role can perform all permissions because senior role inherits all permissions of junior roles in the role hierarchy. Therefore there is a possibility for senior role members to abuse permissions due to violation of the least privilege principle. In this paper, we present a new model of role hierarchy, which restricts the unconditional permission inheritance. In the proposed model, a role is divided into sub roles(unconditional inheritance. restricted inheritance, private role), keeping organization structure in corporate environment. With restricted inheritance, the proposed model prevents permission abuse by specifying the degree of inheritance in role hierarchy.

• Journal of Internet Computing and Services
• /
• v.6 no.5
• /
• pp.1-9
• /
• 2005

In a role based access control through attribute certificate, the use of role assignment certificates and role specification certificates can reduce management cost and the overhead incurred by changing roles, Highly distributed computing environments such as ubiquitous computing environments not having global or broad control. need another attribute certificate management technique, Actually just having role specification certificate separately reduce management cost, But for better performance we structure role specification, We group roles and make the role group relation tree, It results secure and efficient role renewing and distribution, For scalable role specification certificate distribution, the multicasting of packets is used, We take into account the packet lass and quantify performance enhancements of structuring role specification certificates.