Sangrae Cho

On modeling system-centric information for role engineering

In this paper we present an approach to modeling system-centric information in order to facilitate role engineering (RE). In particular, we first discuss the general characteristics of the information required in RE. Afterwards, we discuss two informational flow types among authorities involved in RE process, forward information flow (FIF) and backward information flow (BIF), together with the introduction of an information model which is greatly suitable for use in the backward information flow. System-centic information is incorporated in the information model and UML extension mechanisms are exploited for modeling the information. Not only can the information model provide those different authorities with a method for both analysis of resources and communication of knowledge in the RE process, but it can also help lay a foundation for successful implementations of RBAC.

Managing IoT devices using blockchain platform

Since the start of Bitcoin in 2008[1], blockchain technology emerged as the next revolutionary technology. Though blockchain started off as a core technology of Bitcoin, its use cases are expanding to many other areas including finances, Internet of Things (IoT), security and such[2]. Currently, many private and public sectors are diving into the technology[3]. Aside from that, as software and hardware improve, we would see the beginning of IoT. And those IoT devices need to communicate and synchronize with each other. But in situations where more than thousands or tens of thousands of IoT devices connected, we expect that using current model of server-client may have some limitations and issues while in synchronization. So, we propose using blockchain to build IoT system. Using blockchain, we can control and configure IoT devices. We manage keys using RSA public key cryptosystems where public keys are stored in Ethereum and private keys are saved on individual devices. Specifically, we choose Ethereum as our blockchain platform because using its smart contract, we can write our own Turing-complete code to run on top of Ethereum. Thus, we can easily manage configuration of IoT devices and build key management system. Even though we can simply use account as a key management system, which most of blockchain platform supports, we decide to use Ethereum because we can manage the system in a more fine-grained way. For the proof of a concept, we use a few IoT devices instead of a full system of IoT system, which consists of thousands of IoT devices. But in our later study, we would like to build a fully scaled IoT system using blockchain.

Smartphone remote lock and wipe system with integrity checking of SMS notification

In this paper, we propose a MAC-based remote lock and wipe system through the SMS push notification to protect against the private data disclosure when smartphone is lost or stolen. The proposed system provides the integrity checking mechanism so that the malicious users are unable to launch denial-of-service attacks which send the lock or wipe commands to the normal users on purpose. Also, it satisfies the SMS length limitation of 80 bytes long without downgrading the security level.

A Location Privacy Protection Mechanism for Smart Space

Ubicomp (Ubiquitous Computing) makes computers ubiquitous in anywhere and anytime, and so provides users with seamless services. In this paper, we present a user location privacy protection mechanism for Smart Space which is a feasible Ubicomp environment. At first, we present a feasible Ubicomp use scenario and define Smart Space to support this derived scenario. Then, we analyze security requirements for Smart Space and derive conceptual security model for that Space. Among the conceptual security model, we focus on user location privacy protection. In order to protect user location privacy, we propose a location privacy protection mechanism based on policy. We classify the policy as user policy and space policy and present policy resolution mechanism to resolve policy conflicts. Further we present system configuration to execute the proposed mechanism.

A role-based infrastructure management system: design and implementation

Over the last decade there has been a tremendous advance in the theory and practice of role‐based access control (RBAC). One of the most significant aspects of RBAC can be viewed from its management of permissions on the basis of roles rather than individual users. Consequently, it reduces administrative costs and potential errors. The management of roles in various RBAC implementations, however, tends to be conducted on an ad hoc basis, closely coupled with a certain context of system environments. This paper discusses the development of a system whose purpose is to help manage a valid set of roles with assigned users and permissions for role‐based authorization infrastructures. We have designed and implemented the system, called RolePartner. This system enables role administrators to build and configure various components of a RBAC model so as to embody organizational access control policies which can be separated from different enforcement mechanisms. Hence the system helps make it possible to lay a foundation for role‐based authorization infrastructures. Three methodological constituents are introduced for our purposes, together with the design and implementation issues. The system has a role‐centric view for easily managing constrained and hierarchical roles as well as assigned users and permissions. An LDAP‐accessible directory service was used for a role database. We show that the system can be seamlessly integrated with an existing privilege‐based authorization infrastructure. Copyright

A role administration system in role-based authorization infrastructures: design and implementation

In this paper we describe a system whose purpose is to help establish a valid set of roles and role hierarchies with assigned users and associated permissions. We have designed and implemented the system, called RA system, which enables role administrators to build and configure various components of a role-based access control (RBAC) model, thereby making it possible to lay a foundation for role-based authorization infrastructures. Three methodological constituents for our purpose are introduced, together with the design and implementation issues. The system has a role-centric view for easily managing constrained roles as well as assigned users and permissions. An LDAP-accessible directory service was used for a role database. We show that the system can be seamlessly integrated with an existing privilege-based authorization infrastructure. We finally discuss our plans for future development of the system.

A Cancellable Ranking Based Hashing Method for Fingerprint Template Protection

Despite a variety of theoretical-sound techniques have been proposed for biometric template protection, there is rarely practical solution that guarantees non-invertibility, cancellability, non-linkability and performance simultaneously. In this paper, a cancellable ranking based hashing is proposed for fingerprint template protection. The proposed method transforms a real-valued feature vector into an index code such that the pairwise-order measure in the hashed codes are closely correlated with rank similarity measure. Such a ranking based hashing offers two major merits: (1) Resilient to noises/perturbations in numeric values; and (2) Highly nonlinear embedding based on the rank correlation statistics. The former takes care of the accuracy performance mitigating numeric noises/perturbations while the latter offers strong non-invertible transformation via nonlinear feature embedding from Euclidean to Rank space that leads to toughness in inversion yet still preserve accuracy performance. The experimental results demonstrate reasonable accuracy performance on benchmark FVC2002 and FVC2004 fingerprint databases. The analyses justify its resilience to inversion, brute force and preimage attack as well as satisfy the revocability and unlink ability criteria of cancellable biometrics.

Context-Aware Service System Architecture based on Identity Interchange Layer

This paper presents context-aware service system architecture based on identity interchange layer. We will also introduce context-aware agent named mobile digital identity wallet (MDIW). MDIW is a personalized agent being operated on a personal device which has a main key function to provide users identity information to an entity that requests. Digital identity interchange mechanism of MIDW employs the concept of digital identity wallet that can control the interchange of digital identity. MIDW can also provide a transparent identity interchange link to facilitate identity interchange between entities and to give a user full control to enforce her/his security and privacy policies over the process of service. Finally, MIDW based on a wide spectrum of user information can be a basic layer to get rid of ambiguity, which has been introduced by previous works based on only sensed information in ubiquitous computing research area.

A Unified User Consent Acquisition and Delivery Mechanism for Multi-Source User Data Integrated Service

Internet service providers have usually collected and maintained user data necessary for their services. Recently, many SP (service provider)s supply users with integrated services which combine existent user data of other service providers. When UdP(User Data Provider) provides SP with user data, it should acquire user consent to preserve user privacy and to avoid future responsibility. However, UdP has not direct session with user, so it is very difficult that the UdP acquires user consent directly from the user. In addition, if user may give its consent base on individual UdP, this may be inconvenient for user. In this paper, we propose a unified user consent acquisition and delivery mechanism for multi-source user data integrated service. We introduce DA(delegation authority) for user consent acquisition and delivery. DA acquires user consent to UdPs data providing from user and generates an ELA(electronic letter of authorization) from user consent information, and sends it to SP. SP sends the ELA with user data request to UdPs, which use the ELA for deciding whether to provide user data. We design ELA scheme, message protocols and other components such as bindings, metadata and identifier. The proposed mechanism enables user to control explicitly its own data flow and to give its consent to all SP service-related UdPs only for one interaction.

New Security Paradigm for Application Security Infrastructure

The recent and upcoming computing environment is characterized by distribution, integration, collaboration and ubiquity. The existing security technology alone can not successfully provide necessary security services for this environment. Therefore, it is necessary that the provision of security services reflects the characteristics of such an environment. In this paper, we analyze security requirements for existing and upcoming applications and services. We then survey deployed security services and identify the required information security services to satisfy the result of the security requirement analysis. Hence we suggest UASI (Unified Application Security Infrastructure) as a new security paradigm. UASI is a framework, which describes how a single security infrastructure can provide all the necessary security services for the ubiquitous computing environment in a seamless manner.