전력 계통망에 있어서 보안일반 및 이슈와 기술 그리고 정책 방향-소셜 네트워크 서비스 등 차세대 기술 환경 맥락으로-
Upcoming SlideShare
Loading in...5
×
 

전력 계통망에 있어서 보안일반 및 이슈와 기술 그리고 정책 방향-소셜 네트워크 서비스 등 차세대 기술 환경 맥락으로-

on

  • 1,695 views

주최 : 한국전기연구원 전문가 자문 발표 ...

주최 : 한국전기연구원 전문가 자문 발표
발표장소 : 한국전기연구원
발표주제 :전력 계통망에 있어서 보안일반 및 이슈와 기술 그리고 정책 방향 -소셜 네트워크 서비스 등 차세대 기술 환경 맥락으로-
발표일:2009년 10월 20일
발표자 : 강장묵(세종대학교 정보통신공학과 BK사업단 소속 교수)
redsea@sejong.ac.kr
mooknc@gmail.com

Statistics

Views

Total Views
1,695
Views on SlideShare
1,694
Embed Views
1

Actions

Likes
1
Downloads
5
Comments
0

1 Embed 1

http://www.slideshare.net 1

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • 공학 박사 후 컴퓨터공학과에서 주로 강의와 연구를 수행하였다. 기술 및 비즈니스 특허 및국내외 논문과 저술을 다수 발표하였다.최근에는 기업체 CTO 및 위원, 국제교류에 주로 활동한다.mooknc@gmail.com 으로 연락,가능하다. 본 발표 내용은 발표 후 슬라이드 쉐어를 통해 공유되며, 슬라이드 하단에 주요 참조 연결이 있다.
  • (Michael Smith, SecTor 2009, Massively Scaled Security Solutions for Massively Scaled IT 의발표를 강장묵이2009.10.한국전기연구원 전문가자문을 위해 인용함) 자세한 내용은 http://www.slideshare.net/search/slideshow?q=+security&submit=post&searchfrom=header 에서 참조. While it’s easy to divorce the Certification and the Accreditation decision from the system development life cycle, understanding the relationship of the various activities within the life-cycle provides the context for our discussion.Successful AO/DAAs, project managers, security engineers, and certification and accreditation staff understand that in order to achieve a favorable accreditation decision, they need to communicate with each other early and often throughout the process.
  • (Michael Smith, SecTor 2009, Massively Scaled Security Solutions for Massively Scaled IT 의발표를 강장묵이2009.10.한국전기연구원 전문가자문을 위해 인용함) 자세한 내용은 http://www.slideshare.net/search/slideshow?q=+security&submit=post&searchfrom=header 에서 참조.
  • (Michael Smith, SecTor 2009, Massively Scaled Security Solutions for Massively Scaled IT 의발표를 강장묵이2009.10.한국전기연구원 전문가자문을 위해 인용함) 자세한 내용은 http://www.slideshare.net/search/slideshow?q=+security&submit=post&searchfrom=header 에서 참조.

전력 계통망에 있어서 보안일반 및 이슈와 기술 그리고 정책 방향-소셜 네트워크 서비스 등 차세대 기술 환경 맥락으로- 전력 계통망에 있어서 보안일반 및 이슈와 기술 그리고 정책 방향-소셜 네트워크 서비스 등 차세대 기술 환경 맥락으로- Presentation Transcript

  • 한국전기연구원 전문가 자문 발표
    전력 계통망에 있어서 보안일반 및 이슈와 기술 그리고 정책 방향-소셜네트워크 서비스 등 차세대 기술 환경 맥락으로-
    발표일:2009년 10월 20일
    발표장소 : 한국전기연구원
    발표자 : 강장묵(세종대 정보통신공학과)
    redsea@sejong.ac.kr
  • Who is kang, JM?
    연구 분야
    웹 2.0 중 소셜 네트워크 서비스
    유비쿼터스 컴퓨팅 중 증강현실
    디지털컨텐츠 중 UCC
    정보보호 중 개인정보
    학제간 연구(정보 소통 및 사회문화의 기술사회구성론적 분석)
    • 공학박사(정보보호 전공)
    • 정보보호진흥원 등 자문 활동
    • (현)세종대학교 정보통신공학과 교수
    -유비쿼터스 컴퓨팅 사업단-
    • 미디어 다음 열린사용자 위원회 위원
    2
  • 생각할 문제
    3
    방송과 통신 융합은 서비스간 경계를 허물었다. 트위터와페이스북은OPEN환경에서 연동 및 공유된다.
    유비쿼터스 컴퓨팅기술로 공간 융합, 서비스 통합, mash-up으로 정보 공유는 취약점을 키우는가? 편리함만 주는가?
    서비스간 보안 규칙과 보안 대상 수준과 다루는 정보의 민감도도 허물어지지 않는가?
    개인화된 서비스와 광고로 수익을 얻는 비즈니스는 개인정보 더 나아가 프라이버시에 치명적 위협이지 않은가?
    전력기반 통신에 적용 가능한 유연한 기술은 새로운 보안 취약점을 야기하지 않는가?
  • 발표 내용 및 보안 토픽
    PGP S/MIME
    SSL TLS
    IPSec
    Cryptography
    Symmetric Key
    Public Key
    Algorithms
    Encryption
    Digital Signatures
    Certificates
    Algorithms
    Encryption
    Key Mgmt
    발표내용
    간략한 보안 이슈 중 선별한 개론 수준의 개념
    소셜 네트워크 환경에서 보안 이슈와 적용
    전력계통망에서 새로운 비즈니스에 대한 플랫폼 차원의 보안
    발표자가 관심 갖는 보안 관련 연구 내용(기관 요청)
  • Platform Security
    5
    Protecting your information, technology, property, products and people, thus protecting your business.
    The Information Security Triad is the foundation for Information Security and is based on concepts and principles known as CIA.
    • Confidentiality
    • Integrity
    • Availability
  • 보안 기술 소개 1.
    IPSec – IP Security
    Secures the IP packet by adding additional header
    Selection of encryption, authentication and hashing methods left to the user
    It requires a logical connection between two hosts, achieved using Security Association (SA)
    An SA is defined by:
    A 32-bit security parameter index (SPI)
    Protocol type: Authentication Header (AH) Or Encapsulating Security Payload (ESP)
    The source IP address
    Transport Mode
    IP Header
    IPSec Header
    Rest of the Packet
    OR
    Tunnel Mode
    IP Header
    IPSec Header
    Rest of the Packet
    New IP Header
  • 보안 기술 소개 2.
    Pretty Good Privacy (PGP)
    One-time secret key
    Sender site
    Alice
    3
    +
    Encrypt
    Bob’s public key
    4
    Message plus Signed Digest
    1
    Alice’s private key
    Hash Function
    Encrypt
    5
    Encrypt
    Digest
    Signed Digest
    2
    +
    6
    The message and digest are encrypted using one time secret key created by Alice
    Encrypted (secret key & message + digest) to Bob
  • 보안 기술 소개 2.
    PGP (contd.)
    Receiver site
    Bob’s private key
    One-time secret key
    7
    Encrypted (secret key & message + digest)
    Decrypt
    Bob
    Decrypt
    Encrypted (message + digest)
    8
    9
    10
    Decrypt
    Hash Function
    Alice’s public key
    The two digests are compared, thus providing authentication and integrity
    11
    Digest
    Digest
    X
    Compare
  • 보안 기술 소개 3.
    S/MIME
    • Working principle similar to PGP
    • S/MIME uses multipart MIME type to include the cryptographic information with the message
    • S/MIME uses Cryptographic Message Syntax (CMS) to specify the cryptographic information
    • Creating S/MIME message:
    MIME Entity
    CMS Object
    S/MIME
    Certificates
    MIME
    Wrapping
    CMS
    Processing
    Algoidentifiers
  • 보안 기술 소개 4.
    Transport Layer Security (TLS)
    Server decrypts secret key with its private key. Uses secret key to decode message ad sends encrypted ack
    • Designed by IETF; derived from SSL
    • Lies on top of Transport layer
    • Uses two protocols:
    • Handshake Protocol
    Hello
    Certificate
    Secret key
    End Handshaking
    Encrypted Ack
    Client
    Server
    • Data exchange protocol
    • Uses secret key to encrypt data.
    • Secret key already shared during handshake
    10
  • 11
    보안 기술 소개 5.
    Chain of Trust
    • Query propagation similar to DNS queries
    • At any level, the CA can certify performance of CAs in the next level i.e. level-1 CA can certify level-2 CAs.
    • Thumb-rule: Everyone trusts Root CA
    Root CA
    Level-1
    CA 1
    Level-1
    CA 2
    Level-2
    CA 3
    Level-2
    CA 4
    Level-2
    CA 5
    Level-2
    CA 6
    Level-2
    CA 2
    Level-2
    CA 1
  • 12
    최근 분산공격 사례
    DDoS Attack Scenario
    공격자
    Step 1.
    Probing vulnerable computers
    to make them zombies
    Step 2.
    Install attack program in
    Compromised zombies
    Zombiei
    Zombien
    Zombie1
    . . . . . .
    . . . . . .
    Step 3.
    Send attack commands
    to zombies to launch DDoS
    * Source: Random Spoofed Address
    * Destination: Victim Address
    Step 4.
    Victim network capacity was
    Saturated by DDoS attack traffic
    희생자
  • 13
    The Components of Information Security
    • The Information Security Triad is the foundation for Information Security and is based on concepts and principles known as CIA.
    • People
    • Processes
    • Technology
  • Need for message security
    Privacy
    Am I sure no body else knows this?
    Authentication
    Am I sure that the sender is genuine and not an imposter?
    Integrity
    Am I sure that the message has not been tampered on its way?
    Non-repudiation
    What will I do if the sender denies sending the message?
  • 15
    XML의 발전과 위협
  • 16
    Web 2.0 기반 언어 체계의 위협
  • 17
    정책의 유연성
    : 융합 환경에서 이기종 간 정책의 일관성 유지 수준에서
  • Study Group Organization
    (WTSA)
    (TSAG)
    ITU-T
    Telecommunication
    standardization of
    network and service
    aspects
    ITU-D
    Assisting implementation
    and operation of
    telecommunications in
    developing countries
    ITU-R
    Radiocommunication
    standardization and
    global radio spectrum
    management
    What is International Telecommunication Union (ITU) ?
    • SG 17, Security, Languages and Telecommunication Software
    • Lead Study Group on Telecommunication Security
    • SG 2, Operational Aspects of Service Provision, Networks and Performance
    • SG 4, Telecommunication Management
    • SG 5, Protection Against Electromagnetic Environment Effects
    • SG 9, Integrated Broadband Cable Networks and Television and Sound Transmission
    • SG 11, Signalling Requirements and Protocols
    • SG 13, Next Generation Networks
    • SG 15, Optical and Other Transport Network Infrastructures
    • SG 16, Multimedia Terminals, Systems and Applications
    • SG 19, Mobile Telecommunication Networks
    Headquartered in Geneva, is the UN specialized agency for telecom
  • Federal Information Security Management Act
    19
    Roles & Responsibilities
    • Agency Head
    • CIO
    • Agency Security Officer
    Security Program
    Periodic risk assessments
    Policies and procedures
    Security plans
    Security awareness training
    Periodic testing & evaluation
    Remediation activities
    Incident response capabilities
    Continuity of operations
    Annual Security Review
    • Determine sufficiency of security program
    • Independent Evaluation (e.g., IG)
    • Safeguard evaluation data
    Annual Reporting
    • Reports from CIO & IG
    • Report material weaknesses
    • Provide performance plans
    §§ 3544(c), 3545 (e)
    §3544(a)
    §§ 3544(c), 3545 (e)
    §3544(b)
  • 인증과 인가:IT Security in the SDLC
    --NIST SP 800-64
  • Security Control Automation Protocol—SCAP
    XML and protocols to exchange technical security information between products
    “Glue Code” between the following data sets:
    Common Vulnerabilities and Exposures (CVE)
    Common Configuration Enumeration (CCE)
    Common Platform Enumeration (CPE)
    Common Vulnerability Scoring System (CVSS)
    Extensible Configuration Checklist Description Format (XCCDF)
    Open Vulnerability and Assessment Language (OVAL)
    More products certified weekly
    21
  • Observations and Truthinesses(보안 방식의 결정)
    Control v/s audit burdens
    Skill of the constituency
    Need a security professional at each layer
    Is it all just a matter of centralized v/s decentralized?
    22
  • Applications
    Service User
    Profiles
    ANI
    Application Support Functions & Service Support Functions
    Service Control
    Functions
    Transport User
    Profiles
    Network Attachment
    Control Functions
    Service stratum
    Management Functions
    End-User
    Functions
    Resource and
    Admission
    Control Functions
    Other
    Networks
    Transport Control Functions
    Transport Functions
    UNI
    NNI
    Transport stratum
    Control
    Media
    NGN architecture overview (Y.2012)
    • Packet-based network with QoS supportand Security
    • Separation between Services and Transport
    • Access can be provided using many underlying technologies
    • Should be reflected in policy
    • Decoupling of service provision from network
    Support wide range of services/applications
    Converged services between Fixed/Mobile
    • Broadband capabilities with end-to-end QoS
    • Compliant with regulatory requirements
    • Emergency communications, security, privacy, lawful interception
    • ENUM Resources, Domain Names/ Internet Addresses
  • Provider B from
    Provider A’s point of view
    Provider A
    Trusted
    Zone
    Trusted but
    Vulnerable
    Zone
    Untrusted
    Zone
    Domain
    Border
    Elements
    (DBE)
    Domain
    Border
    Elements
    (DBE)
    NGN
    network
    Elements
    NGN
    network
    Elements
    NGN Peering Trust Model
  • PDA
    Cellular
    At your Desk
    In the Air
    Managed Office
    On the Road
    In Town
    At Home
    IdentityConnecting users with services and with others (Federation)
    People have multiple identities, each within a specific context or domain
    Work – me@company.com
    Family – me@smith.family
    Hobby – me@icedevils.team
    Volunteer – me@association.org
    Collaboration
    PC
    Video
    Voice Telephony
    Smart Phone
    Whatever you’re doing
    (applications)
    Whatever you’re using
    (devices)
    Web Apps
    ERP
    Wherever you are
    (across various access types)
    • Network Identity is essential
    • Need end-to-end trust model
  • 노드-허브-클러스트 등 네트워크 계층
    26
    • At what layer do you address a specific problem?
    • Can a specific solution “scale up” to the Federation/ Community Layer?
    • How do I get “clueful” people at each layer?
    • How do I communicate between layers?
  • Trusted Internet Connections—TIC
    Reduce Government Internet connections to 50
    Lowers the demand for skilled personnel
    Uses models from DoD and DHS
    Agencies share Internet connections
    In theory: simplifies protecting Internet connections Government-wide
    http://www.whitehouse.gov/omb/memoranda/fy2008/m08-05.pdf
    27
  • The Cybertastic Future: Management
    Use the Enterprise, Project, and Integration Layers
    Start in bite-sized pieces and consolidate wherever possible
    Need “clueful” people at all layers
    Organization at the Federation Layer for self-regulation—some people are already doing it
    28
  • Some useful web resources
    ITU-T Home page http://www.itu.int/ITU-T/
    Security Roadmap http://www.itu.int/ITU-T/studygroups/com17/ict/index.html
    Security Manual http://www.itu.int/publ/T-HDB-SEC.03-2006/en
    Cybersecurity Portal http://www.itu.int/cybersecurity/
    Cybersecurity Gateway http://www.itu.int/cybersecurity/gateway/index.html
    Recommendations http://www.itu.int/ITU-T/publications/recs.html
    ITU-T Lighthouse http://www.itu.int/ITU-T/lighthouse/index.phtml
    ITU-T Workshops http://www.itu.int/ITU-T/worksem/index.html
    LSG on Security http://www.itu.int/ITU-T/studygroups/com17/tel-security.html
  • 30
    질의와 토론
  • 최근 특허 사례 (출원인:세종대,동국대, 발명가:강장묵 외)
    효율적인 개인정보 유통경로의 안전관리를 위한 개인 정보 보호 장치 및 방법
    {PERSONAL INFORMATION PROTECTION APPARATUS AND METHOD
    FOR MANAGING DISTRIBUTION CHANNEL OF PERSONAL INFORMATION EFFICIENTLY AND SAFELY}