• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.5
• /
• pp.909-928
• /
• 2020

From the early 1970s, the US government began to recognize that penetration testing could not assure the security quality of products. Results of penetration testing such as identified vulnerabilities and faults can be varied depending on the capabilities of the team. In other words none of penetration team can assure that "vulnerabilities are not found" is not equal to "product does not have any vulnerabilities". So the U.S. government realized that in order to improve the security quality of products, the development process itself should be managed systematically and strictly. Therefore, the US government began to publish various standards related to the development methodology and evaluation procurement system embedding "security-by-design" concept from the 1980s. Security-by-design means reducing product's complexity by considering security from the initial phase of development lifecycle such as the product requirements analysis and design phase to achieve trustworthiness of product ultimately. Since then, the security-by-design concept has been spread to the private sector since 2002 in the name of Secure SDLC by Microsoft and IBM, and is currently being used in various fields such as automotive and advanced weapon systems. However, the problem is that it is not easy to implement in the actual field because the standard or guidelines related to Secure SDLC contain only abstract and declarative contents. Therefore, in this paper, we present the new framework in order to specify the level of Secure SDLC desired by enterprises. Our proposed CIA (functional Correctness, safety Integrity, security Assurance)-level-based security-by-design framework combines the evidence-based security approach with the existing Secure SDLC. Using our methodology, first we can quantitatively show gap of Secure SDLC process level between competitor and the company. Second, it is very useful when you want to build Secure SDLC in the actual field because you can easily derive detailed activities and documents to build the desired level of Secure SDLC.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.25 no.4B
• /
• pp.700-707
• /
• 2000

In this paper, we address vulnerabilities of legacy VOD system and implement secure-VOD system to protect security holes of it. Our secure-VOD system provide user authentication using one-time password, message authentication and encryption/decryption for video server information. To improve security of existing fixed password system, our secure-VOD system use one-time password. Also, our secure-VOD system provides integrity for video server information by generating and verifying message authentication code using HMAC-HAS 160 algorithm. Finally, our secure-VOD system uses RC5 encryption algorithm to guarantee confidentiality for video server information.

• 제어로봇시스템학회:학술대회논문집
• /
• 2005.06a
• /
• pp.1602-1605
• /
• 2005

An audit tracer is one of the last ways to defend an attack for network equipments. Firewall and IDS which block off an attack in advance are active way and audit tracing is passive way which analogizes a type and a situation of an attack from log after an attack. This paper explains importance of audit trace function in network equipment for security and defines events which we must leave by security audit log. We design and implement security audit system for secure router. This paper explains the reason why we separate general audit log and security audit log.

• Proceedings of the Korea Multimedia Society Conference
• /
• 2001.11a
• /
• pp.315-320
• /
• 2001

최근 인터넷을 기반으로 하는 정보통신 인프라의 발달에 따라 다양한 서비스가 등장하였으며 이들 서비스들을 통합하여 제공하는 인스턴트 메시징 서비스가 등장하여 그 수요가 급증하고 있다. 그러나, 기존의 인스턴트 메시징 서비스들은 전송되는 메시지에 대하여 어떠한 보안장치도 제공되지 않아서 제 3자에 의한 개인정보 유출 및 차용이 문제점으로 부각되고 있다. 따라서 본 논문에서는 기존의 인스턴트 메시징 구조에 사용자 인증 기능 및 암호화 기능을 조합하여 안전한 메시지 전송을 위한 SMS(Secure Messenger System)를 설계하고 개발하였다.

• Journal of Korea Society of Digital Industry and Information Management
• /
• v.6 no.1
• /
• pp.33-54
• /
• 2010

Providing a secure 3-tier Web application has become a high priority for companies as e-businesses have increased the amount and the sensitivity of corporate information that can be accessed through the web. Web applications become more difficult to secure with this very increase in online traffic and transactions. This paper first reviews the 3-tier of web application, types of attacks that can threaten web application services and security principles. We then are designing and implementing a secure web application with open source software that able to mitigate the web application vulnerable to attack.

• Proceedings of the Korean Information Science Society Conference
• /
• 1998.10a
• /
• pp.530-532
• /
• 1998

본 연구에서는 안전한 네이밍 서비스를 제공하는 기존 Secure DNS를 확장시켜 GUI방식의 관리자 인터페이스를 설계하였다. 따라서 시스템 설정에 대한 configuration과 보안관련 도구의 핵심이라 할 수 있는 로그의 관리가 용이해 졌다. 또한 관리자 인터페이스에 의해 각각의 자원 레코드에 대한 자동적인 삽입, 삭제가 가능하며, 암호화 알고리즘의 추가를 interactive하게 처리한다. 그밖에 기존 Secure DNS에서는 새로운 암호와 알고리즘을 추가할 때마다 재 컴파일 해야하는 단점이 있다. 이를 해결하기 위해 'Dynamic link interface'를 설계하였다. 이는 암호화 알고리즘의 입출력 표준을 정하고 이를 단일한 시스템 API로 구성하여 Secure DNS가 초기화 될 때 동적 라이브러리를 사용하여 각각의 암호화 알고리즘을 메모리에 적재하는 방식을 택한다. 그 밖에 Secure DNS를 이용하여 제공할 수 있는 응용방안으로 개인의 공개키 분배서비스와 X.509 체계를 이용한 인증서를 제공하는 서비스를 제안한다. 따라서 본 연구에서는 인터넷의 기본 인프라스트럭쳐인 DNS를 최대한 활용할 수 있는 여러 가지 방안과 그 해결책을 제시한다.

• Journal of the Korea Society of Computer and Information
• /
• v.3 no.4
• /
• pp.91-96
• /
• 1998

In this paper we designed a secure client-server system to be able to protect messages between client and server using cryptography We authenticated each other using a asymmetric encryption algorithm on the logon procedure and minimized the time to encrypt and decrypt messages using a symmetric encryption algorithm on exchanging messages. We proved that it is possible to make a digital signature on our secure client-server system. And we suggested the efficient key management method to generate and distribute cryptograpic key securely.

• Journal of Internet Computing and Services
• /
• v.23 no.2
• /
• pp.9-17
• /
• 2022

In this paper, we propose a secure smart home network model and a novel cryptographic protocol called the Smart Home Security Protocol (SHSP). Authentication, key distribution, and encryption functions are properly supported in order to make a smart home secure, and a residential gateway (RG) plays a central role in performing these functions. According to the characteristics of networks and attached devices, we classify smart homes into three different types of sub-networks and these networks are interconnected with one another by the RG. Depending on a sub-network, we use different types of secure schemes to reduce the burden of the process and the delay in devices while it provides proper security functions. The proposed secure smart home model is implemented and verified by using a variety of embedded system environments.

• Journal of Korean Society for Quality Management
• /
• v.47 no.1
• /
• pp.151-162
• /
• 2019

Purpose: This study is in order to secure high quality of military supplies, it is important to secure design quality in the development phase. I will review how to establish a quality assurance system in the development phase based on the author's seminar presentation contents and application example of Hanwha Systems Co., Ltd. Methods: To guarantee design quality in the development phase, in 2002, quality assurance system that is adequate for SQA(Software Quality Assurance)'s requirements of CMM(Capability Maturity Model) was conduct. In 2009, based on the CMMI(Capability Maturity Model Integration) Level 5, there has been continuous and reenforced quality assurance activities. Results: By suggesting the construction and a case study on application of R&D quality assurance, it would be helpful for companies aiming to construct or enhance quality assurance system. Conclusion: To secure high quality for military supplies, a development QA system should be established to secure quality in the development phase. In addition, Total life cycle QA system for development, mass production and operation phase should be reestablished.

• Journal of the Korea Academia-Industrial cooperation Society
• /
• v.11 no.3
• /
• pp.943-950
• /
• 2010

A secure entrance system is complicated because it should have various functions like monitoring, logging, tracing, authentication, authorization, staff locating, managing staff enter-and-leave, and gate control. In this paper, we built and applied a secure entrance system for a domestic nuclear plant using Aspect Oriented Programming(AOP) and design pattern. Using AOP has an advantage of clearly distinguishing the role for each functional module because building a system separated independently from the system's business logic and security logic is possible. It can manage system alternation flexibility by frequent change of external environment, building a more flexible system based on increased code reuse, efficient functioning is possible which is an original advantage of AOP. Using design pattern enables to design by structuring the complicated problems that arise in general software development. Therefore, the safety of the system can also be guaranteed.