• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.14 no.5
• /
• pp.11-21
• /
• 2004

To authorize IPSec-VPN Client in Client-to-Gateway type of the IPSec-VPN system, it can be normally used with ID/Password verification method or the implicit authorization method that regards implicitly IPSec-VPN gateway as authorized one in case that the IPSec-VPN client is authenticated. However, it is necessary for the Client-to-Gateway type of the IPSec-VPN system to have a more effective user authorization mechanism because the ID/Password verification method is not easy to transfer the ID/Password information and the implicit authorization method has the vulnerability of security. This paper proposes an effective user authorization mechanism using an attribute certificate and designs a user authorization engine. In addition, it is implemented in this study. The user authorization mechanism for the IPSec-VPN system proposed in this study is easy to implement the existing IPSec-VPN system. Moreover, it has merit to guarantee the interoperability with other IPSec-VPN systems. Furthermore, the user authorization engine designed and implemented in this paper will provide not only DAC(Discretional Access Control) and RBAC(Role-Based Access Control) using an attribute certificate, but also the function of SSO(Single-Sign-On).

• Journal of Internet Computing and Services
• /
• v.14 no.5
• /
• pp.11-26
• /
• 2013

In the wireless Internet, it is so restrictive to use the IPSec. The MIPv4 IPSec's path cannot include wireless links. That is, the IPSec of the wireless Internet cannot protect an entire path of Host-to-Host connection. Also wireless circumstance keeps a path static during the shorter time, nevertheless, the IKE for IPSec SA agreement requires relatively long delay. The certificate management of IPSec PKI security needs too much burden. This means that IPSec of the wireless Internet is so disadvantageous. Our paper is to construct the Mobile IPSec proper to the wireless Internet which provides the host-to-host transport mode service to protect even wireless links as applying excellent WP-IBE scheme. For this, Mobile IPSec requires a dynamic routing over a path with wireless links. FA Forwarding is a routing method for FA to extend the path to a newly formed wireless link. The FA IPSec SA for FA Forwarding is updated to comply the dynamically extended path using Source Routing based Bind Update. To improve the performance of IPSec, we apply efficient and strong future Identity based Weil Pairing Bilinear Elliptic Curve Cryptography called as WP-IBE scheme. Our paper proposes the modified protocols to apply 6 security-related algorithms of WP-IBE into the Mobile IPSec. Particularly we focus on the protocols to be applied to construct ESP Datagram.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.35 no.9B
• /
• pp.1342-1349
• /
• 2010

Full-mesh IPSec tunnels, which constitute a black network, are required so that the dynamically changing PT (Plain Text) networks can be reachable across the black network in military environments. In the secure and mobile black networks, dynamically re-configuring IPSec tunnels and security policy database (SPD) is very difficult to manage. In this paper, for the purpose of solving mobility and security issues in military networks, we suggest the relating main technologies in association with DMIDP (Dynamic Multicast-based IPSec Discovery Protocol) based on existing IPSec ESP (Encapsulating Security Payload) tunnels and IPSec key managements. We investigate the main parameters of the proposed DMIDP techniques and their operational schemes which have effects on mobility and analyze operational effectivemess of the DMIDP with proposed parameters.

• Proceedings of the Korea Multimedia Society Conference
• /
• 2001.11a
• /
• pp.864-868
• /
• 2001

인터넷의 활용이 급속하게 증가하여 인터넷에서의 정보보호에 대한 필요성이 대두되면서 표준화된 인터넷 정보보호 프로토콜인 IPsec이 등장하게 되었다. 이러한 IPsec은 현재 여러 가지 플랫폼에서 구현되고 있으며 이러한 구현은 일반적으로 IP 계층에 통합하는 방법, BITS, BITW 중 하나의 방법론을 선택하고 있다. 본 논문에서는 IPsec 구현 방법론을 간단히 살펴보고 이들의 장단점을 분석하여 이 중 가장 효율저이라 생각되는 IP 계층에 IPsec을 통합하는 방법을 선택하여 구현하였다. 이에 본 논문은 공개된 운영체제인 리눅스 커널 상에서 IPsec을 구현하기 위해 리눅스 커널의 IP 계층 및 소켓 버퍼 구조를 분석하고 정보보호 정책(SPDB)과 SADB와 연동되는 IPsec 엔진을 IP 계층에 통합하여 구현하는 방법을 제안한다.

• Journal of Digital Convergence
• /
• v.12 no.8
• /
• pp.243-248
• /
• 2014

IPSec provides two services that are authentication header and Encapsulating Security Payload(ESP). In this research work, security issues on the Internet and the basic concept of IPSec are described. Security issues on the Internet are presented and proposed a possible solution for DDoS attack using IPSec. Therefore, this research will be able to contribute for building secure communication against DDoS attack.

• Journal of KIISE:Information Networking
• /
• v.31 no.2
• /
• pp.207-216
• /
• 2004

IPsec protocol has been developed to provide security services to Internet. Recently IPsec is implemented on the various operating systems Hence, it is very important to evaluate the stability of the Ipsec protocol as well as other protocols that provide security services. However, there has been little effort to develop the tools that require to evaluate the stability of IPsec protocols. Therefore, in this paper, we develope the security requirements and suggest a security evaluation system for the Internet packet protection protocols that provide security services at the If level that can be used to check if the security protocols Provide the claimed services correctly This system can be used as debugging tool for developing IPsec based security system.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.26 no.11C
• /
• pp.102-112
• /
• 2001

This paper analyzes Security Performance and Processing Performance to measure performance between nodes by using AH and ESP protocol. IPsec VPN provides application with security service implemented in IP Layer while traffic cost and packet processing time it increased by encryption, decryption and authentication in AH and ESP. We measured overall packet processing time and IPsec module processing time. The result of the efficiency test showed that the factors of influencing electrical transmission efficiency were the size of electrical transmission packets, codes used for tunnelling, authentication functions, CPU velocity of host7, and the embodiment of IPsec; for a high capacity traffic, IPsec transmission was not appropriate, because transmission velocity was delayed by more than ten times in comparison with Non-IPsec.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2007.11a
• /
• pp.1246-1249
• /
• 2007

IP(Internet Protocol)프로토콜에 기밀성과 무결성을 지원해 주기 위해 IPSec(IP Security) 프로토콜이 등장하였다. 이러한 IPSec 프로토콜은 안전한 통신채널을 만들기 위해 IKE(Internet Key Exchange) 프로토콜을 사용하고 있지만, IKE 프로토콜에서 이루어지는 협약단계의 복잡성 문제로 인하여 IPSec 프로토콜을 사용 할 수 없는 상황이 생기고 있다. 본 논문은 이러한 상황을 해결하기 위해 협약단계를 간소화 시킨 P-IPSec(이하 Premade IPSec)프로토콜을 제시한다. P-IPSec 프로토콜은 사전정보의 협약단계의 어려움을 줄이기 위해 IPSec 세션 설정에 참여하는 호스트들이 협상을 해야 하는 사전정보를 목적지 호스트에서 결정, 전송하는 방식을 사용하고 있다. P-IPSec 프로토콜은 사전정보 협상과 배포의 복잡성 문제로 인하여 IPSec 통신을 하지 못하는 호스트들에게 IPSec 통신을 할 수 있는 수단을 제공해 준다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.16 no.4
• /
• pp.127-138
• /
• 2006

The IPSec is a basic security mechanism of the IPv6 protocol, which can guarantee an integrity and confidentiality of data that transmit between two corresponding hosts. Also, both data and communication subjects can be authenticated using the IPSec mechanism. However, it is difficult that the IPSec mechanism protects major important network from attacks which transmit mass abnormal IPSec traffic in session-configuration or communication phases. In this paper, we present a design of the security system that can effectively detect and defeat abnormal IPSec traffic, which is encrypted by the ESP extension header, using the IPSec Session and Configuration table without any decryption. This security system is closely based on a multi-tier attack mitigation mechanism which is based on network bandwidth management and aims to counteract DDoS attacks and DoS effects of worm activity.

• Proceedings of the Korea Institutes of Information Security and Cryptology Conference
• /
• 2001.11a
• /
• pp.228-231
• /
• 2001

인터넷의 활용이 급속하게 증가하여 인터넷에서의 정보보호에 대한 필요성이 대두되면서 표준화된 인터넷 정보보호 프로토콜인 IPsec이 등장하게 되었다. 이러한 IPsec은 현재 여러 가지 플랫폼에서 구현되고 있으며, 이러한 구현은 일반적으로 IP 계층에 통합하는 방법, BITS, BITW 중 하나의 방법론을 선택하고 있다. BITW는 outboard crypto processor를 사용하여 물리적인 인터페이스 카드 내에 IPsec을 구현하는 방법으로 효율성이 문제가 되므로 본 논문에서는 IP 계층에 통합하는 방법과 BITS 방법을 중심으로 장단점을 분석한다. 이에 본 논문은 리눅스 커널 상에서 IPsec을 구현하기 위해 리눅스 커널 모듈을 분석하고 가장 효율적이라 생각되는 IP 계층에 통합된 IPsec을 구현하는 방법을 제안한다.