Heasuk Jo

Off-Line Password-Guessing Attack to Yang's and Huang's Authentication Schemes for Session Initiation Protocol

The Session Initiation Protocol(SIP) is an application-layer control protocol for creating, modifying, and terminating sessions with one or more participants in the IP-based telephony environment.Yang et al. and Huang et al. proposed a secure authentication scheme for session initiation protocol.Yangs scheme is based on Deffi-Hellman key agreement scheme and a combination of hash functions. In 2006, Huang et al. pointed out that Yangs scheme is insecure, and proposed an improved authentication scheme for SIP. In this paper, the secure of Yangs and Huangs scheme is analyzed. It is demonstrated that both schemes still have some weaknesses: it cannot withstand against the off-line password-guessing attack. Based on our analysis, we found the security problem with these schemes and, in addition, shows how to fix it.

Advanced Information Security Management Evaluation System

Information security management systems (ISMSs) are used to manage information about their customers and themselves by governments or business organizations following advances in e-commerce, open networks, mobile networks, and Internet banking. This paper explains the existing ISMSs and presents a comparative analysis. The discussion deals with different types of ISMSs. We addressed issues within the existing ISMSs via analysis. Based on these analyses, then we proposes the development of an information security management evaluation system (ISMES). The method can be applied by a self-evaluation of the organization and an evaluation of the organization by the evaluation committee. The contribution of this study enables an organization to refer to and improve its information security levels. The case study can also provide a business organization with an easy method to build ISMS and the reduce cost of information security evaluation.

A study on comparative analysis of the information security management systems

Due to the advance of mobile network, E-commerce, Open Networks, and Internet Banking, Information Security Management System (ISMS) is used to manage information of their customer and themselves by a government or a business organization . The best known ISMSs are BS7799/ISO17799, Common Criteria, which are international standard. And some nations use their own ISMS, e.g., DITSCAP of USA, IT Baseline Protection Manual of Germany, ISMS of Japan. The paper explains the existed ISMSs and presents a comparative analysis on difference among ISMSs. The discussion deals with different aspects of types of the ISMSs: analysis on the present condition of the ISMSs, certification structure, and certification evaluation process. The study contribute so that a government or a business organization is able to refer to improve information security level of the organizations. The case study can also provide a business organization with an easy method for building ISMS.

Security Weakness in a Provable Secure Authentication Protocol Given Forward Secure Session Key

Shi, Jang and Yoo recently proposed a provable secure key distribution and authentication protocol between user, service provider and key distribution center(KDC). The protocol was based on symmetric cryptosystem, challenge-response, Diffie-Hellman component and hash function. Despite the claim of provable security, the protocol is in fact insecure in the presence of an active adversary. In this paper, we present the imperfection of Shi et al.s protocol and suggest modifications to the protocol which would resolve the problem.

A Study on Development of Information Security Evaluation Model

ABSTRACT The purposes of this study is development of information security evaluation model for governments to analyze domestic and foreign existing models. Recent domestic information security certification systems have several problems, because shortage of organic connectivity each other. Therefore we analysis on domestic and foreign existing models, specify security requirements, evaluation basis and other facts of models, optimize these facts for governments, and develop new model for domestic governments.Key Words:Information Security, Information Security System, Information Security Evaluation, Information Security Check, Information Security Management System, Information Security Evaluation Model 1. 서 론 1) 정보화의 급속한 발달로 정보보호의 중요성에 대한 인식이 증가하고 있으며, 이에 따라 조직은 정보보호정책을 수립하고 다양한 정보보호제품을 활용하여 정보보호수준을 향상시키기 위해 노력하고 있다. 이러한 조직의 정보보호수준을 평가하고 향상시키기 위해 국내·외 정보보호 관련기관에서는 다양한 제도를 개발하여 적용하고 있다. 국내에서는 한국정보보호진흥원이 정보보호 관리체계 인증제도를 2002년부터 운영하고 있으며, 국가정보원에서도 공공기관의 정보보안 관리수준평가를 2006년부터 시범 운영하고 있다. 하지만 이들은 평가인증제도, 정보통신기반보호제도, 정보보호 안전진단제도 등 기존 제도와의 유기적인 연결성 부족으로

Weakness and simple improvement of anonymous mutual authentication protocol with link-layer

In mobile communication environment, mutual authentication is very important. Lu et al. proposed an anonymous mutual authentication protocol with provable link-layer location privacy. In this paper, we identify a flaw in their design and demonstrate that the Lu et al. protocol is vulnerable to the QoS (Quality of Service) of a packets sending/receiving state and to DoS (Denial of Service) attack. We then propose a method for improving the protocol. We hope that through this analysis of flaws in the protocol, similar structural mistakes can be avoided in future designs, similar structural mistakes can be avoided in future designs.

A Study of Protection Profile and Analysis of Related Standard for Internet Banking Systems

ABSTRACT Due to the advance of Internet, offline services are expanded into online services and a financial transaction company provides online services using internet baning systems. However, security problems of the internet banking systems are caused by a lack of security for developing the internet banking systems. Although the financial transaction company has applied existing internal and external standards, ISO 20022, ISO/IEC 27001, ISO/IEC 9789, ISO/IEC 9796, Common Criteria, etc., there are still vulnerabilities. Because the standards lack in a consideration of security requirements of the internet banking system. This paper is intended to explain existing standards and discusses a reason that the standards have not full assurance of security when the internet baning system is applied by single standard. Moreover we make an analysis of a security functions for the internet baning systems and then selects the security requirements. In this paper, we suggest a new protection profile of the internet baning systems using Common Criteria V.3.1 from the analysis mentioned above.Keywords:Internet Banking System, Protection Profile, Common Criteria

Security Specification for Conversion Technologies of Heterogeneous DRM Systems

Digital Right Management (DRM) can be used to prohibit illegal reproduction, and redistribution of digital content, to protect copyrights. However, current DRM systems are incompatible and lack of interoperability which exchange of data, different platform, designed and protected by different content providers. To overcome these drawbacks, three ways of interoperability are full-formation interoperability, connected interoperability, configuration-driven interoperability, allowing consumers to use the purchased content in their equipments of choice. In this paper, we study on the security specification of configuration-driven interoperability for heterogeneous DRM systems, using the Common Criteria. Then, we study security boundary, security environment, security objectives, and rationale of an CTHDS_PP(Conversion Technologies of Heterogeneous DRM Systems Protection Profile) to find important security features. The CTHDS_PP gives a discussion covered the current security problems to conversion technologies and lists threats to solve those problems. Moreover, this CTHDS_PP can be used for potential developers and system integrators, and reviewed and assessed by evaluators.

An efficient dispute resolving method for digital images

Resolving rightful ownerships of digital images is an active research area of watermarking Though a watermark is used to prove the owners ownership, an attacker can invalidate it by creating his fake original image and its corresponding watermark This kind of attack is called ambiguity attack and can be tackled either by use of non-invertible watermarking schemes or by use of zero-knowledge watermark detections If a non-invertible watermarking scheme is used, then the owner should reveal her original image which should be kept secret And if a zero-knowledge watermark detection is used, then no one can verify the claimed ownership unless the owner is involved Moreover, in case of zero-knowledge watermark detection, the protocol is relatively complicated and needs more computations In this paper, using the MSBs string of the original image other than the original image itself, we propose an efficient dispute resolving method while preserving secrecy of the original image.