• The KIPS Transactions:PartC
• /
• v.18C no.5
• /
• pp.331-338
• /
• 2011

The RFID system includes a section of wireless communication between the readers and the tags. Because of its vulnerability in terms of security, this part is always targeted by attackers and causes various security problems including the leakage of secret and the invasion of privacy. In response to these problems, various protocols have been proposed, but because many of them have been hardly implementable they have been limited to theoretical description and theorem proving without the accurate verification of their safety. Thus, this study tested whether the protocol proposed by Kenji et al. satisfies security requirements, and identified its vulnerabilities such as the exposure of IDs and messages. In addition, we proposed an improved RFID security protocol that reduced the number of public keys and random numbers. As one of its main characteristics, the proposed protocol was designed to avoid unnecessary calculations and to remove vulnerabilities in terms of security. In order to develop and verify a safe protocol, we tested the protocol using Casper and FDR(Failure Divergence Refinements) and confirmed that the proposed protocol is safe in terms of security. Furthermore, the academic contributions of this study are summarized as follows. First, this study tested the safety of a security protocol through model checking, going beyond theorem proving. Second, this study suggested a more effective method for protocol development through verification using FDR.

• The KIPS Transactions:PartA
• /
• v.15A no.1
• /
• pp.45-52
• /
• 2008

In this paper we define a vulnerable code to symbolic link exploit and propose a technique to detect this using program analysis. The existing methods to solve symbolic link exploit is for protecting it, on accessing a temporary file they should perform an investigation whether the file is attacked by symbolic link exploit. If programmers miss the investigation, the program may be revealed to symbolic link exploit. Because our technique detects all the vulnerable codes to symbolic link exploit, it helps programmers keep the program safety. Our technique add two type qualifiers to the existing type system to analyze vulnerable codes to symbolic link exploit, it detects the vulnerable codes using type checking including the added type qualifiers. Our technique detects all the vulnerable codes to symbolic link exploit automatically, it has the advantage of saving costs of modifying and of overviewing all codes because programmers apply the methods protecting symbolic link exploit to only the detected codes as vulnerable. We experiment our analyzer with widely used programs. In our experiments only a portion of all the function fopen() is analyzed as the vulnerabilities to symbolic link exploit. It shows that our technique is useful to diminish modifying codes.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.6
• /
• pp.1159-1174
• /
• 2014

As the use of smartphones and tablet PCs has exploded in recent years, there are many occasions where such devices are used for treating sensitive data such as financial transactions. Naturally, many types of attacks have evolved that target these devices. An attacker can capture a password by direct observation without using any skills in cracking. This is referred to as shoulder surfing and is one of the most effective methods. There has been only a crude definition of shoulder surfing. For example, the Common Evaluation Methodology(CEM) attack potential of Common Criteria (CC), an international standard, does not quantitatively express the strength of an authentication method against shoulder surfing. In this paper, we introduce a shoulder surfing risk calculation method supplements CC. Risk is calculated first by checking vulnerability conditions one by one and the method of the CC attack potential is applied for quantitative expression. We present a case study for security-enhanced QWERTY keyboard and numeric keypad input methods, and the commercially used mobile banking applications are analyzed for shoulder surfing risks.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.21 no.1
• /
• pp.65-75
• /
• 2011

Power Line Communication (PLC) is a system for carrying data on a conductor used for electric power transmission. Recently, PLC has received much attention due to connection efficiency and possibility of extension. It can be used for not only alternative communication, in which communication line is not sufficient, but also for communication between home appliances. Korea Electronic Power Cooperation (KEPCO) is constructing the system, which automatically collects values of power consumption of every household. Due to the randomness and complicated physical characteristics of PLC protocol (KS X4600-1), it has been believed that the current PLC is secure in the sense that it is hard that an attacker guesses or modifies the value of power consumption. However, we show that the randomness of the protocol is closely related to state of the communication line and thus anyone can easily guess the randomness by checking the state of the communication line. In order to analyze the security of PLC, we study the protocol in detail and show some vulnerability. In addition, we suggest that PLC needs more secure protocol on higher layers. We expect that the study of PLC help in designing more secure protocol as well.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.1
• /
• pp.67-75
• /
• 2022

When acquiring a product having an OS, it is very important to identify the exact kernel version of the OS. This is because the product's administrator needs to keep checking whether a new vulnerability is found in the kernel version. Also, if there is an acquisition requirement for exclusion or inclusion of a specific kernel version, the kernel identification becomes critical to the acquisition decision. In the case of the Linux kernel used in various equipment, sometimes it becomes difficult to pinpoint the device's exact version. The reason is that many manufacturers often modify the kernel to produce their own firmware optimized for their device. Furthermore, if a kernel patch is applied to the modified kernel, it will be very different from its base kernel. Therefore, it is hard to identify the Linux kernel accurately by simple methods such as a specific file existence test. In this paper, we propose a static method to classify a specific kernel version by analyzing function names stored in the symbol table. In an experiment with 100 Linux devices, we correctly identified the Linux kernel version with 99% accuracy.

• Korean Journal of Culture and Social Issue
• /
• v.27 no.4
• /
• pp.629-659
• /
• 2021

This study compared the influences of Korean psycho-social experiences on emotional-distress(stress, depression, anxiety, anger) of Koreans between two-periods during COVID-19. First, an online survey was conducted among 600 participants between April 13, 2020 and 21, while WHO had declared the pandemic, and Daegu-Gyungbuk were declared as a special-disaster area. Second, an online survey was conducted among 482 participants out of 600 study participants from the first study during August 21 to September 2, while COVID-19 re-spreaded around the world, and total confirmed cases were over 1,000 for a week in Seoul-Gyeonggi province. Hierarchical-regression analysis was used to determine the influence of personal characteristics, fear and social constraints, relationship conflict and income-decreasing factors on stress, depression, anxiety, anger in the two-time points. Results suggest that gender, quality-of-life, 'frequent information-checking about COVID-19', 'fear of unpredictability' and 'difficulties on hospital treatment access' predicted distress(stress, depression, anxiety, anger) at both Time1 and 2. 'Difficulties with official schedule' predicted distress at Time 1, and age, vulnerability to infection and difficulties with personal schedules predicted distress(stress, depression, anxiety, anger) at Time 2. Based on the reseults, implications and recommendations were presented.

• Information Systems Review
• /
• v.20 no.1
• /
• pp.137-158
• /
• 2018

Online platforms recently expanded their connectivity through an authing service. The growth of authing services enabled consumers to enjoy easy log in access without exerting extra effort. However, multiple points of access increases the security vulnerability of platform ecosystems. Despite the importance of balancing authing service and security, only a few studies examined platform connectivity. This study examines the optimal level of authing service of a platform and how authing strategies impact participants in a platform ecosystem. We used a game-theoretic approach to analyze security problems associated with authing services provided by online platforms for consumers and other linked platforms. The main findings are as follows: 1) the decreased expected loss of consumers will increase the number of players who participate in the platform; 2) linked platforms offer strong benefits from consumers involved in an authing service; 3) the main platform will increase its effort level, which includes security cost and checking of linked platform's security if the expected loss of the consumers is low. Our study contributes to the literature on the relationship between technology convenience and security risk and provides guidelines on authing strategies to platform managers.