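General Security, Issues, Technologies and Policy Directions for the Power Grid: In the Context of Next-Generation Technology Environments such as Social Network Services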

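Host: Korea Electrotechnology Research Institute, expert advisory presentation
Venue: Korea Electrotechnology Research Institute
Topic: General Security, Issues, Technologies and Policy Directions for the Power Grid: In the Context of Next-Generation Technology Environments such as Social Network Services
Date: October 20, 2009
Presenter: Kang Jang-mook (강장묵), Professor, BK Project Group, Department of Information and Communication Engineering, Sejong University
redsea@sejong.ac.kr
mooknc@gmail.com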

  • After earning a doctorate in engineering, the presenter mainly taught and conducted research in a computer engineering department. He has published numerous technology and business patents, domestic and international papers, and books. Recently he has been active mainly as a corporate CTO and committee member and in international exchange. He can be contacted at mooknc@gmail.com. The content of this presentation is shared via SlideShare after the talk, and the main reference links are at the bottom of the slides.
  • (Cited by Kang Jang-mook from Michael Smith's SecTor 2009 presentation, "Massively Scaled Security Solutions for Massively Scaled IT", for the October 2009 Korea Electrotechnology Research Institute expert advisory session.) For details, see http://www.slideshare.net/search/slideshow?q=+security&submit=post&searchfrom=header. While it’s easy to divorce the Certification and the Accreditation decision from the system development life cycle, understanding the relationship of the various activities within the life-cycle provides the context for our discussion. Successful AO/DAAs, project managers, security engineers, and certification and accreditation staff understand that in order to achieve a favorable accreditation decision, they need to communicate with each other early and often throughout the process.
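  • Transcript of "General Security, Issues, Technologies and Policy Directions for the Power Grid: In the Context of Next-Generation Technology Environments such as Social Network Services"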

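    1. Korea Electrotechnology Research Institute expert advisory presentation
       General Security, Issues, Technologies and Policy Directions for the Power Grid: In the Context of Next-Generation Technology Environments such as Social Network Services
       Date: October 20, 2009
       Venue: Korea Electrotechnology Research Institute
       Presenter: Kang Jang-mook (Department of Information and Communication Engineering, Sejong University)
       redsea@sejong.ac.kr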
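    2. Who is Kang, JM?
       Research areas:
       • Social network services, within Web 2.0
       • Augmented reality, within ubiquitous computing
       • UCC, within digital content
       • Personal information, within information security
       • Interdisciplinary research (analysis of information communication and socio-culture from the perspective of the social construction of technology)
       Background:
       • Doctor of Engineering (information security major)
       • Advisory work for the Korea Information Security Agency and others
       • (Current) Professor, Department of Information and Communication Engineering, Sejong University, Ubiquitous Computing Project Group
       • Member, Media Daum Open Users Committee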
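    3. Questions to consider
       • The convergence of broadcasting and telecommunications has broken down the boundaries between services. Twitter and Facebook are interlinked and share data in an OPEN environment.
       • With ubiquitous computing bringing spatial convergence, service integration and mash-ups, does information sharing enlarge vulnerabilities, or does it bring only convenience?
       • Are the security rules between services, the level of the assets to be protected and the sensitivity of the information handled not breaking down as well?
       • Are businesses that profit from personalized services and advertising not a critical threat to personal information and, beyond that, to privacy?
       • Do flexible technologies applicable to power-grid-based communications not give rise to new security vulnerabilities?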
    4. Presentation contents and security topics
       [Diagram labels: PGP, S/MIME; SSL, TLS; IPSec; Cryptography; Symmetric Key; Public Key; Algorithms; Encryption; Digital Signatures; Certificates; Algorithms; Encryption; Key Mgmt]
       Presentation contents:
       • Introductory-level concepts selected from a brief set of security issues
       • Security issues and their application in the social network environment
       • Platform-level security for new businesses in the power grid
       • Security-related research the presenter is interested in (at the institute's request)
    5. Platform Security
       Protecting your information, technology, property, products and people, thus protecting your business.
       The Information Security Triad is the foundation for Information Security and is based on concepts and principles known as CIA.
       • Confidentiality
       • Integrity
       • Availability
    6. Introduction to security technologies 1: IPSec – IP Security
       • Secures the IP packet by adding an additional header
       • Selection of encryption, authentication and hashing methods is left to the user
       • It requires a logical connection between two hosts, achieved using a Security Association (SA)
       • An SA is defined by:
         • A 32-bit security parameter index (SPI)
         • Protocol type: Authentication Header (AH) or Encapsulating Security Payload (ESP)
         • The source IP address
       Transport Mode: IP Header | IPSec Header | Rest of the Packet
       OR
       Tunnel Mode: New IP Header | IPSec Header | IP Header | Rest of the Packet
    7. Introduction to security technologies 2: Pretty Good Privacy (PGP)
       [Diagram: sender site (Alice), steps 1 to 6. Labels: Hash Function, Digest, Encrypt, Alice’s private key, Signed Digest, Message plus Signed Digest, One-time secret key, Encrypt, Bob’s public key]
       • The message and digest are encrypted using a one-time secret key created by Alice
       • Encrypted (secret key & message + digest) to Bob
    8. Introduction to security technologies 2: PGP (contd.)
       [Diagram: receiver site (Bob), steps 7 to 11. Labels: Encrypted (secret key & message + digest), Bob’s private key, Decrypt, One-time secret key, Encrypted (message + digest), Decrypt, Alice’s public key, Decrypt, Hash Function, Digest, Digest, Compare]
       • The two digests are compared, thus providing authentication and integrity
    9. Introduction to security technologies 3: S/MIME
       • Working principle similar to PGP
       • S/MIME uses multipart MIME type to include the cryptographic information with the message
       • S/MIME uses Cryptographic Message Syntax (CMS) to specify the cryptographic information
       • Creating S/MIME message:
         [Diagram labels: MIME Entity, CMS Processing, CMS Object, MIME Wrapping, S/MIME; inputs: Certificates, Algo identifiers]
    10. Introduction to security technologies 4: Transport Layer Security (TLS)
        • Designed by IETF; derived from SSL
        • Lies on top of Transport layer
        • Uses two protocols:
          • Handshake Protocol
            [Diagram: messages between Client and Server: Hello, Certificate, Secret key, End Handshaking, Encrypted Ack]
            Server decrypts secret key with its private key. Uses secret key to decode message and sends encrypted ack.
          • Data exchange protocol
            • Uses secret key to encrypt data.
            • Secret key already shared during handshake
    11. Introduction to security technologies 5: Chain of Trust
        • Query propagation similar to DNS queries
        • At any level, the CA can certify performance of CAs in the next level, i.e. a level-1 CA can certify level-2 CAs.
        • Rule of thumb: everyone trusts the Root CA
        [Diagram: CA hierarchy. Labels: Root CA; Level-1 CA 1; Level-1 CA 2; Level-2 CA 3; Level-2 CA 4; Level-2 CA 5; Level-2 CA 6; Level-2 CA 2; Level-2 CA 1]
    12. Recent distributed attack case: DDoS Attack Scenario
        [Diagram: Attacker, Zombie 1 ... Zombie i ... Zombie n, Victim]
        • Step 1. Probing vulnerable computers to make them zombies
        • Step 2. Install attack program in compromised zombies
        • Step 3. Send attack commands to zombies to launch DDoS
          * Source: Random Spoofed Address
          * Destination: Victim Address
        • Step 4. Victim network capacity was saturated by DDoS attack traffic
    13. The Components of Information Security
        • The Information Security Triad is the foundation for Information Security and is based on concepts and principles known as CIA.
        • People
        • Processes
        • Technology
    14. Need for message security
        • Privacy: Am I sure nobody else knows this?
        • Authentication: Am I sure that the sender is genuine and not an imposter?
        • Integrity: Am I sure that the message has not been tampered with on its way?
        • Non-repudiation: What will I do if the sender denies sending the message?
    15. The evolution of XML and its threats
    16. Threats in Web 2.0-based language systems
    17. Policy flexibility: at the level of maintaining policy consistency across heterogeneous systems in a converged environment
    18. What is the International Telecommunication Union (ITU)?
        Headquartered in Geneva, it is the UN specialized agency for telecom.
        • ITU-T: Telecommunication standardization of network and service aspects
        • ITU-D: Assisting implementation and operation of telecommunications in developing countries
        • ITU-R: Radiocommunication standardization and global radio spectrum management
        Study Group Organization (WTSA) (TSAG):
        • SG 17, Security, Languages and Telecommunication Software
          • Lead Study Group on Telecommunication Security
        • SG 2, Operational Aspects of Service Provision, Networks and Performance
        • SG 4, Telecommunication Management
        • SG 5, Protection Against Electromagnetic Environment Effects
        • SG 9, Integrated Broadband Cable Networks and Television and Sound Transmission
        • SG 11, Signalling Requirements and Protocols
        • SG 13, Next Generation Networks
        • SG 15, Optical and Other Transport Network Infrastructures
        • SG 16, Multimedia Terminals, Systems and Applications
        • SG 19, Mobile Telecommunication Networks
    19. Federal Information Security Management Act
        Roles & Responsibilities:
        • Agency Head
        • CIO
        • Agency Security Officer
        Security Program:
        • Periodic risk assessments
        • Policies and procedures
        • Security plans
        • Security awareness training
        • Periodic testing & evaluation
        • Remediation activities
        • Incident response capabilities
        • Continuity of operations
        Annual Security Review:
        • Determine sufficiency of security program
        • Independent Evaluation (e.g., IG)
        • Safeguard evaluation data
        Annual Reporting:
        • Reports from CIO & IG
        • Report material weaknesses
        • Provide performance plans
        Statutory references shown on the slide: §§ 3544(c), 3545(e); § 3544(a); §§ 3544(c), 3545(e); § 3544(b)
    20. Certification and Accreditation: IT Security in the SDLC (NIST SP 800-64)
    21. Security Control Automation Protocol (SCAP)
        • XML and protocols to exchange technical security information between products
        • “Glue Code” between the following data sets:
          • Common Vulnerabilities and Exposures (CVE)
          • Common Configuration Enumeration (CCE)
          • Common Platform Enumeration (CPE)
          • Common Vulnerability Scoring System (CVSS)
          • Extensible Configuration Checklist Description Format (XCCDF)
          • Open Vulnerability and Assessment Language (OVAL)
        • More products certified weekly
    22. Observations and Truthinesses (deciding on a security approach)
        • Control vs. audit burdens
        • Skill of the constituency
        • Need a security professional at each layer
        • Is it all just a matter of centralized vs. decentralized?
    23. NGN architecture overview (Y.2012)
        [Diagram labels: Applications; Service User Profiles; ANI; Application Support Functions & Service Support Functions; Service Control Functions; Transport User Profiles; Network Attachment Control Functions; Service stratum; Management Functions; End-User Functions; Resource and Admission Control Functions; Other Networks; Transport Control Functions; Transport Functions; UNI; NNI; Transport stratum; Control; Media]
        • Packet-based network with QoS support and Security
        • Separation between Services and Transport
        • Access can be provided using many underlying technologies
        • Should be reflected in policy
        • Decoupling of service provision from network
        • Support wide range of services/applications
        • Converged services between Fixed/Mobile
        • Broadband capabilities with end-to-end QoS
        • Compliant with regulatory requirements
        • Emergency communications, security, privacy, lawful interception
        • ENUM Resources, Domain Names/Internet Addresses
    24. NGN Peering Trust Model
        [Diagram: Provider B from Provider A’s point of view. Labels: Provider A; Trusted Zone; Trusted but Vulnerable Zone; Untrusted Zone; Domain Border Elements (DBE); Domain Border Elements (DBE); NGN network Elements; NGN network Elements]
    25. Identity: Connecting users with services and with others (Federation)
        People have multiple identities, each within a specific context or domain:
        • Work – me@company.com
        • Family – me@smith.family
        • Hobby – me@icedevils.team
        • Volunteer – me@association.org
        [Diagram labels: PDA, Cellular, At your Desk, In the Air, Managed Office, On the Road, In Town, At Home, Collaboration, PC, Video, Voice Telephony, Smart Phone, Web Apps, ERP. Captions: Whatever you’re doing (applications); Whatever you’re using (devices); Wherever you are (across various access types)]
        • Network Identity is essential
        • Need end-to-end trust model
    26. Network layers: node, hub, cluster, etc.
        • At what layer do you address a specific problem?
        • Can a specific solution “scale up” to the Federation/Community Layer?
        • How do I get “clueful” people at each layer?
        • How do I communicate between layers?
    27. Trusted Internet Connections (TIC)
        • Reduce Government Internet connections to 50
        • Lowers the demand for skilled personnel
        • Uses models from DoD and DHS
        • Agencies share Internet connections
        • In theory: simplifies protecting Internet connections Government-wide
        http://www.whitehouse.gov/omb/memoranda/fy2008/m08-05.pdf
    28. The Cybertastic Future: Management
        • Use the Enterprise, Project, and Integration Layers
        • Start in bite-sized pieces and consolidate wherever possible
        • Need “clueful” people at all layers
        • Organization at the Federation Layer for self-regulation; some people are already doing it
    29. Some useful web resources
        • ITU-T Home page: http://www.itu.int/ITU-T/
        • Security Roadmap: http://www.itu.int/ITU-T/studygroups/com17/ict/index.html
        • Security Manual: http://www.itu.int/publ/T-HDB-SEC.03-2006/en
        • Cybersecurity Portal: http://www.itu.int/cybersecurity/
        • Cybersecurity Gateway: http://www.itu.int/cybersecurity/gateway/index.html
        • Recommendations: http://www.itu.int/ITU-T/publications/recs.html
        • ITU-T Lighthouse: http://www.itu.int/ITU-T/lighthouse/index.phtml
        • ITU-T Workshops: http://www.itu.int/ITU-T/worksem/index.html
        • LSG on Security: http://www.itu.int/ITU-T/studygroups/com17/tel-security.html
    30. Questions and discussion
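    31. Recent patent case (applicants: Sejong University, Dongguk University; inventors: Kang Jang-mook et al.)
        Personal information protection apparatus and method for efficient safety management of personal information distribution channels
        {PERSONAL INFORMATION PROTECTION APPARATUS AND METHOD FOR MANAGING DISTRIBUTION CHANNEL OF PERSONAL INFORMATION EFFICIENTLY AND SAFELY}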
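
The SA fields listed on the IPSec slide (SPI, AH or ESP, IP address), read back out of a packet: this Python parser is an added example, not part of the original deck. The function names and sample packets are constructed for illustration; 50 (ESP), 51 (AH), 4 and 41 (encapsulated IPv4/IPv6) are the IANA protocol numbers.

```python
import struct
from ipaddress import IPv4Address

PROTO_ESP, PROTO_AH = 50, 51          # IANA IP protocol numbers
TUNNEL_NEXT = (4, 41)                 # encapsulated IPv4 / IPv6 packet

def ipsec_sa_fields(packet: bytes) -> dict:
    """Extract the cleartext fields that identify an IPsec SA from an IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4      # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto, body = packet[9], packet[ihl:]
    if proto == PROTO_AH:
        if len(body) < 12:
            raise ValueError("truncated AH header")
        # AH: next header, payload length, reserved, SPI, sequence number
        next_hdr, _plen, _rsvd, spi, seq = struct.unpack("!BBHII", body[:12])
        # AH leaves next-header in cleartext, so tunnel mode is observable
        name, mode = "AH", "tunnel" if next_hdr in TUNNEL_NEXT else "transport"
    elif proto == PROTO_ESP:
        if len(body) < 8:
            raise ValueError("truncated ESP header")
        spi, seq = struct.unpack("!II", body[:8])   # ESP: SPI, sequence number
        # ESP carries next-header in its encrypted trailer: mode is hidden
        name, mode = "ESP", "not visible"
    else:
        raise ValueError("no AH or ESP header after the IP header")
    return {"protocol": name, "spi": spi, "seq": seq, "mode": mode,
            "src": str(IPv4Address(packet[12:16])),
            "dst": str(IPv4Address(packet[16:20]))}

def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed test helper: minimal IPv4 header (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, IPv4Address(src).packed,
                       IPv4Address(dst).packed) + payload

# Constructed sample packets (documentation addresses, made-up SPIs).
INNER = build_ipv4(6, "10.0.0.5", "10.0.1.9", bytes(20))
AH_TUNNEL = build_ipv4(PROTO_AH, "192.0.2.1", "198.51.100.1",
                       struct.pack("!BBHII", 4, 4, 0, 0x1001, 1)
                       + bytes(12) + INNER)
AH_TRANSPORT = build_ipv4(PROTO_AH, "192.0.2.1", "192.0.2.2",
                          struct.pack("!BBHII", 6, 4, 0, 0x1002, 9)
                          + bytes(12) + bytes(20))
ESP_PACKET = build_ipv4(PROTO_ESP, "192.0.2.1", "198.51.100.1",
                        struct.pack("!II", 0x2002, 7) + bytes(32))

if __name__ == "__main__":
    for pkt in (AH_TUNNEL, AH_TRANSPORT, ESP_PACKET):
        print(ipsec_sa_fields(pkt))
```

For a monitoring point this means AH traffic reveals both the SA selector and the mode, while ESP traffic reveals only the SPI, sequence number and outer addresses.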