• Proceedings of the KAIS Fall Conference
• /
• 2009.05a
• /
• pp.696-699
• /
• 2009

A VPN is a private network that uses a public network to connect remote sites or users together. As its popularity grows, companies, organization and even the government turned to it as a means of extending their own networks. To setup a Virtual Private a proper IP VPN Architecture must first be selected. In this paper, the types of IP Virtual Private Network Architecture like the MPLS-Based, IPSec-Based and the SSL/TLS-Based are discussed and compared. The comparison may serve as a guide for selecting the proper IP Virtual Private Network Architecture that is suitable for the company's needs.

• Proceedings of the Korean Information Science Society Conference
• /
• 2003.10a
• /
• pp.856-858
• /
• 2003

기존의 인터넷 환경에서는 내부 자원들을 보호하기 위하여 인터넷과 같은 외부 네트워크와 내부 네트워크 사이에 방화벽을 설치하고 내부 네트워크에 존재하는 정보와 자원들에 대한 트래픽을 사전에 방어하거나, SSL, TLS, Ipsec 과 같은 보안 프로토콜을 사용함으로써 신뢰할 수 있는 통신을 제공하여 왔다. 그러나 최근 HTTP와 XML이라는 플랫폼 독립적인 업계 표준을 사용하는 웹 서비스의 등장과 더불어서 기존의 보안 시스템으로는 웹 서비스 보안문제를 완전히 해결해 줄 수 없게 되었다. 이는 웹 서비스의 전송 프로토콜이 HTTP를 사용함으로써, 전송되는 SOAP 메시지가 기존의 방화벽과 같은 보안 시스템에 영향을 받지 않기 때문이다. 이에 본 논문에서는 웹 서비스 환경에서 SOAP 메시지 전송에 대해 액세스를 제한하는 방화벽을 제안 및 설계한다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.19 no.3
• /
• pp.119-131
• /
• 2009

The world's widely used key exchange protocols are open cryptographic communication protocols, such as TLS/SSL, whereas in the financial field in Korea, key exchange protocols developed by industrial classification group have been used that are based on PKI(Public Key Infrastructure) which is suitable for the financial environments of Korea. However, the key exchange protocols are not only vulnerable to client impersonation attacks and known-key attacks, but also do not provide forward secrecy. Especially, an attacker with the private keys of the financial security server can easily get an old session-key that can decrypt the encrypted messages between the clients and the server. The exposure of the server's private keys by internal management problems, etc, results in a huge problem, such as exposure of a lot of private information and financial information of clients. In this paper, we analyze the weaknesses of the cryptographic communication protocols in use in Korea. We then propose two key exchange protocols which reduce the replacement cost of protocols and are also secure against client impersonation attacks and session-key and private key reveal attacks. The forward secrecy of the second protocol is reduced to the HDH(Hash Diffie-Hellman) problem.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.20 no.4
• /
• pp.769-776
• /
• 2016

TELNET is vulnerable to network attack because it was designed without considering security. SSL/TLS and SSH are used to solve this problem. However it needs additional secure protocol and has no backward compatibility with existing TELNET in this way. In this paper, we have suggested STELNET(Secured Telnet) which supports security functionalities internally so that has a backward compatibility. STELNET supports a backward compatibility with existing TELNET through option negotiation. On STELNET, A client authenticates server by a certificate or digital signature generated by using ECDSA. After server is authenticated, two hosts generate a session key by ECDH algorithm. And then by using the key, they encrypt data with AES and generate HMAC by using SHA-256. After then they transmit encrypted data and generated HMAC. In conclusion, STELNET which has a backward compatibility with existing TELNET defends MITM(Man-In-The-Middle) attack and supports security functionalities ensuring confidentiality and integrity of transmitted data.

• ETRI Journal
• /
• v.42 no.3
• /
• pp.311-323
• /
• 2020

Encrypted traffic classification plays a vital role in cybersecurity as network traffic encryption becomes prevalent. First, we briefly introduce three traffic encryption mechanisms: IPsec, SSL/TLS, and SRTP. After evaluating the performances of support vector machine, random forest, naïve Bayes, and logistic regression for traffic classification, we propose the combined approach of entropy estimation and artificial neural networks. First, network traffic is classified as encrypted or plaintext with entropy estimation. Encrypted traffic is then further classified using neural networks. We propose using traffic packet's sizes, packet's inter-arrival time, and direction as the neural network's input. Our combined approach was evaluated with the dataset obtained from the Canadian Institute for Cybersecurity. Results show an improved precision (from 1 to 7 percentage points), and some application classification metrics improved nearly by 30 percentage points.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.10 no.3
• /
• pp.1212-1228
• /
• 2016

Secure communication is an important aspect of today's interconnected environments and it can be achieved by the use of cryptographic algorithms and protocols. However, many existing cryptographic mechanisms are tightly integrated into communication protocols. Issues emerge when security vulnerabilities are discovered in cryptographic mechanisms because their replacement would eventually require replacing deployed protocols. The concept of cryptographic agility is the solution to these issues because it allows dynamic switching of cryptographic algorithms and keys prior to and during the communication. Most of today's secure protocols implement cryptographic agility (IPsec, SSL/TLS, SSH), but cryptographic agility mechanisms cannot be used in a standalone manner. In order to deal with the aforementioned limitations, we propose a lightweight cryptographically agile agreement model, which is formally verified. We also present a solution in the Agile Cryptographic Agreement Protocol (ACAP) that can be adapted on various network layers, architectures and devices. The proposed solution is able to provide existing and new communication protocols with secure communication prerequisites in a straightforward way without adding substantial communication overhead. Furthermore, it can be used between previously unknown parties in an opportunistic environment. The proposed model is formally verified, followed by a comprehensive discussion about security considerations. A prototype implementation of the proposed model is demonstrated and evaluated.

• The KIPS Transactions:PartD
• /
• v.10D no.7
• /
• pp.1197-1206
• /
• 2003

This paper describes the IPP (Internet Printing Protocol), a standard that makes network setup for printers potentially much easier and, not so incidentally, also user can print over the Internet and specifies an implementation of IPP client/server system. It allows the system administrator and operators to control IPP system users and printer devices. The focus of this effort is optimized capabilities the security features for authentication, authorization, and policies, also improved compatibility with existing WP devices. Finally this paper presents conclusions and further researches.

• International journal of advanced smart convergence
• /
• v.8 no.1
• /
• pp.44-57
• /
• 2019

Most banks in Korea have provided Internet banking services based on PKI(Public Key Infrastructure) certificates since the early 2000s when Internet banking began in Korea. To support PKI Internet banking, the Korean government backed the electronic signature law and supported the rapid spread of PKI-based Internet banking by regulating the application of PKI certificates to be compulsory in Internet banking until 2015. PKI Internet Banking in Korea has been developed as a pioneer in this field through many challenges and responses until its present success. Korea's PKI banking, which started with soft-token-based closed banking, has responded to various types of cyber attack attempts and promoted the transition to open banking by accepting various criticisms due to lack of compatibility with international standards. In order to improve the convenience and security of PKI Internet banking, various attempts have been made, such as biometric-integrated smartphone-based PKI authentication. In this paper, we primarily aim to share the experience and lessons of PKI banking by analyzing the evolution process of PKI Internet banking in Korea. It also has the purpose of presenting the challenges of Korea's PKI Internet banking and sharing its development vision.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2010.11a
• /
• pp.1225-1228
• /
• 2010

최근 인터넷 뱅킹이 주요 국가들의 은행 거래 서비스에서 많은 비중을 차지하고 있다. 보안이 중요한 인터넷 뱅킹 분야에서 국내와 해외의 보안 방식을 비교하여 도출된 시사점을 적용한다면 더 안전한 시스템 설계에 바탕이 될 것이다. 따라서 본 논문에서는 국내와 해외의 인터넷 뱅킹 보안의 특징과 그 진행 과정을 살펴보았다. SSL/TLS(Secure Socket Layer/Transport Layer Security) 기술을 사용하는 외국 인터넷 뱅킹에 비해 공인인증서 체계를 채택한 국내 인터넷 뱅킹은 웹 브라우저에서 지원하지 않는 암호 알고리즘을 사용하기 위한 플러그인을 설치함으로써 사용자가 불편을 느끼며, 또한 이런 플러그인 때문에 인터넷 뱅킹을 이용할 수 있는 웹 브라우저의 종류가 제한된다. 마지막으로 이러한 플러그인을 은행 별로 서비스하기 위한 별도의 비용이 추가된다. 이런 문제점들을 해결하여 더 나은 인터넷 뱅킹 시스템을 구축하기 위해서는 면밀한 검증과 제도적 지원이 필요하다.

• International Commerce and Information Review
• /
• v.19 no.4
• /
• pp.29-50
• /
• 2017

In emerging technologies, innovation processes are dynamic in that the government needs to regularly review its policies to resonate with rapid technological advancements, changing public needs, and evolving global trends. In the 1990s, the Internet grew at an explosive rate, but many applications were constrained due to security concerns. Public Key Infrastructure (PKI) seemed to be the fundamental technology to address these concerns by providing security functions. As of 2017, PKI is still one of the best technologies for electronic authentication in an open network, but it is used only in limited areas: for user authentications in closed networks and for server authentications within network security infrastructure like SSL/TLS. The difference between expectation and reality of PKI usage is due to the evolution of the Internet along with the global adoption of new authentication policies under the Internet governance in the early 2000s. The new Internet governance based on the cooperation between multi-stakeholders is changing the way in which a government should act with regard to its technological policies. This paper analyzes different PKI policy approaches in the United States and Korea from the perspective of path-dependence theory. Their different policy results show evidence of the rise of the Internet governance, and may have important implications for policy-makers in the current global Internet society.