After earning a doctorate in engineering, he mainly taught and did research in a computer engineering department. He has published numerous technical and business patents as well as domestic and international papers and books. Recently he has been mainly active as a corporate CTO and committee member and in international exchange. He can be reached at mooknc@gmail.com. The content of this talk is shared via SlideShare after the presentation; the main reference links are at the bottom of the slides.
(Michael Smith, SecTor 2009, "Massively Scaled Security Solutions for Massively Scaled IT", cited by Jang-Mook Kang in October 2009 for an expert advisory presentation at the Korea Electrotechnology Research Institute.) For details see http://www.slideshare.net/search/slideshow?q=+security&submit=post&searchfrom=header . While it is easy to divorce the Certification and Accreditation decision from the system development life cycle, understanding the relationship of the various activities within the life cycle provides the context for our discussion. Successful AO/DAAs, project managers, security engineers, and certification and accreditation staff understand that in order to achieve a favorable accreditation decision, they need to communicate with each other early and often throughout the process.
Security in the Power Grid: General Security, Issues, Technologies and Policy Direction, in the Context of Next-Generation Technology Environments such as Social Network Services - Presentation Transcript
Expert advisory presentation, Korea Electrotechnology Research Institute. Security in the Power Grid: General Security, Issues, Technologies and Policy Direction, in the Context of Next-Generation Technology Environments such as Social Network Services. Date: 20 October 2009. Venue: Korea Electrotechnology Research Institute. Speaker: Jang-Mook Kang (Department of Information and Communication Engineering, Sejong University) redsea@sejong.ac.kr
Who is Kang, JM? Research areas:
Social network services (Web 2.0)
Augmented reality (ubiquitous computing)
UCC (digital content)
Personal information (information security)
Interdisciplinary research (socio-technical constructivist analysis of information communication and social culture)
Ph.D. in Engineering (information security)
Advisory activities for the Korea Information Security Agency and others
(Current) Professor, Department of Information and Communication Engineering, Sejong University
- Ubiquitous Computing Research Group -
Member, Media Daum Open User Committee
Questions to think about. The convergence of broadcasting and telecommunications has broken down the boundaries between services. Twitter and Facebook interoperate and share data in an OPEN environment. Does information sharing through spatial convergence, service integration and mash-ups built on ubiquitous computing technology enlarge the attack surface, or does it only bring convenience? Do the boundaries between services' security rules, the protection level of their assets and the sensitivity of the information they handle not erode as well? Is a business that earns revenue from personalized services and advertising not a fatal threat to personal information and, beyond that, to privacy? Does flexible technology applicable to power-line-based communication not create new security vulnerabilities?
Presentation contents and security topics. Topics: PGP, S/MIME, SSL, TLS, IPSec; cryptography (symmetric key, public key); algorithms, encryption, digital signatures, certificates, key management. Contents: a selection of introductory-level concepts from current security issues; security issues and their application in a social network environment; platform-level security for new businesses on the power grid; security-related research interests of the speaker (requested by the institute).
Platform Security: protecting your information, technology, property, products and people, and thus protecting your business. The Information Security Triad is the foundation of information security and is based on the concepts and principles known as CIA:
Confidentiality
Integrity
Availability
Security technology introduction 1. IPSec (IP Security)
Secures the IP packet by adding an additional header
The encryption, authentication and hashing algorithms are not fixed by the protocol; they are chosen per Security Association (normally negotiated with IKE)
It requires a logical connection between two hosts, achieved using a Security Association (SA)
An SA is identified by:
A 32-bit Security Parameter Index (SPI)
The protocol type: Authentication Header (AH) or Encapsulating Security Payload (ESP)
The destination IP address (RFC 4301; an inbound SA is looked up by SPI, destination address and protocol)
Transport Mode: IP Header | IPSec Header | Rest of the Packet
Tunnel Mode: New IP Header | IPSec Header | IP Header | Rest of the Packet
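The SA lookup described on this slide, as an added example that is not part of the original deck: the parser reads an IPv4 packet, extracts the SA key (SPI, destination address, AH or ESP) and, for AH, tells transport from tunnel mode by the Next Header field (4 means an inner IPv4 packet follows). For ESP the inner Next Header sits in the encrypted trailer, so the mode is not readable without the SA's keys. The packets are constructed inline (no real checksums or ICVs); the names and layouts are this example's own assumptions, not code from the slides.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

const (
	protoIPv4 = 4 // Next Header value "an IPv4 packet follows": AH tunnel mode
	protoTCP  = 6
	protoESP  = 50
	protoAH   = 51
)

// SAKey is what RFC 4301 uses to find an inbound Security Association.
type SAKey struct {
	SPI   uint32
	Dst   string // destination IP address of the outer header
	Proto uint8  // protoAH or protoESP
}

// IPSecInfo is the result of parsing the outer IPv4 header and the IPsec header.
type IPSecInfo struct {
	Key  SAKey
	Mode string // "transport", "tunnel", or "unknown (encrypted)" for ESP
}

// ParseIPSec reads an IPv4 packet carrying AH or ESP and returns its SA key.
func ParseIPSec(pkt []byte) (IPSecInfo, error) {
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return IPSecInfo{}, errors.New("not an IPv4 packet")
	}
	ihl := int(pkt[0]&0x0f) * 4
	if ihl < 20 || len(pkt) < ihl {
		return IPSecInfo{}, errors.New("bad IHL")
	}
	proto := pkt[9]
	dst := net.IP(pkt[16:20]).String()
	body := pkt[ihl:]
	switch proto {
	case protoESP:
		// ESP: SPI(4) | Sequence(4) | encrypted payload ... | encrypted trailer | ICV
		if len(body) < 8 {
			return IPSecInfo{}, errors.New("truncated ESP header")
		}
		spi := binary.BigEndian.Uint32(body[0:4])
		return IPSecInfo{Key: SAKey{SPI: spi, Dst: dst, Proto: protoESP}, Mode: "unknown (encrypted)"}, nil
	case protoAH:
		// AH: NextHdr(1) | PayloadLen(1) | Reserved(2) | SPI(4) | Sequence(4) | ICV...
		if len(body) < 12 {
			return IPSecInfo{}, errors.New("truncated AH header")
		}
		spi := binary.BigEndian.Uint32(body[4:8])
		mode := "transport"
		if body[0] == protoIPv4 {
			mode = "tunnel" // a complete inner IP packet follows the AH header
		}
		return IPSecInfo{Key: SAKey{SPI: spi, Dst: dst, Proto: protoAH}, Mode: mode}, nil
	default:
		return IPSecInfo{}, fmt.Errorf("protocol %d is neither AH nor ESP", proto)
	}
}

// buildIPv4 prepends a minimal IPv4 header (no options, checksum left zero).
func buildIPv4(src, dst [4]byte, proto uint8, payload []byte) []byte {
	h := make([]byte, 20, 20+len(payload))
	h[0] = 0x45
	binary.BigEndian.PutUint16(h[2:4], uint16(20+len(payload)))
	h[8] = 64
	h[9] = proto
	copy(h[12:16], src[:])
	copy(h[16:20], dst[:])
	return append(h, payload...)
}

// SamplePackets returns constructed packets: transport-mode AH, tunnel-mode AH, and ESP.
func SamplePackets() (transportAH, tunnelAH, esp []byte) {
	ah := func(next uint8, spi uint32) []byte {
		b := make([]byte, 12+12) // fixed header + 96-bit ICV (zeroed in this sample)
		b[0] = next
		b[1] = 4 // payload length: 24 bytes = 6 words, minus 2 per RFC 4302
		binary.BigEndian.PutUint32(b[4:8], spi)
		binary.BigEndian.PutUint32(b[8:12], 1) // sequence number
		return b
	}
	src, dst := [4]byte{10, 0, 0, 1}, [4]byte{10, 0, 0, 2}
	transportAH = buildIPv4(src, dst, protoAH, append(ah(protoTCP, 0x1001), []byte("tcp segment")...))
	inner := buildIPv4([4]byte{192, 168, 1, 10}, [4]byte{192, 168, 2, 20}, protoTCP, []byte("tcp segment"))
	tunnelAH = buildIPv4(src, dst, protoAH, append(ah(protoIPv4, 0x1002), inner...))
	espHdr := make([]byte, 8)
	binary.BigEndian.PutUint32(espHdr[0:4], 0x2001)
	binary.BigEndian.PutUint32(espHdr[4:8], 1)
	esp = buildIPv4(src, dst, protoESP, append(espHdr, []byte("ciphertext...")...))
	return
}

func main() {
	t, u, e := SamplePackets()
	for _, p := range [][]byte{t, u, e} {
		info, err := ParseIPSec(p)
		fmt.Printf("%+v err=%v\n", info, err)
	}
}
```

Note that the SPI alone is not a global identifier: two peers may reuse the same SPI value toward different destinations, which is why the lookup key includes the destination address and the protocol.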
Security technology introduction 2. Pretty Good Privacy (PGP)
Sender site (Alice):
1. Hash the message with a hash function to produce a digest.
2. Encrypt the digest with Alice's private key, giving the signed digest.
3. Append the signed digest to the message.
4. Create a one-time secret key and encrypt the message plus signed digest with it.
5. Encrypt the one-time secret key with Bob's public key.
6. Send the encrypted one-time secret key together with the encrypted message plus digest to Bob.
Security technology introduction 2. PGP (contd.)
Receiver site (Bob):
7. Decrypt the one-time secret key with Bob's private key.
8. Decrypt the message plus signed digest with the one-time secret key.
9. Hash the recovered message with the same hash function to produce a digest.
10. Decrypt the signed digest with Alice's public key to recover the digest Alice computed.
11. Compare the two digests; a match provides authentication and integrity.
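Steps 1 to 11 above in working code, as an added example rather than code from the slides. It keeps the structure of the PGP flow (sign the digest with the sender's private key, encrypt message plus signature with a one-time key, wrap that key with the recipient's public key) but uses AES-GCM and RSA-OAEP from Go's standard library instead of OpenPGP's packet format and cipher modes; that substitution, the Alice/Bob/Mallory key names, the length-prefix framing and the sample message are this example's assumptions. The receiver releases the message only when the signature verifies, so a message signed by someone other than Alice and a tampered ciphertext are both rejected.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what Alice sends to Bob (step 6).
type Envelope struct {
	WrappedKey []byte // one-time AES key encrypted with Bob's public key (step 5)
	Nonce      []byte // AES-GCM nonce for the one-time key
	Ciphertext []byte // AES-GCM(len(sig) || sig || message) (step 4)
}

// Seal performs the sender-side steps 1-6.
func Seal(alice *rsa.PrivateKey, bob *rsa.PublicKey, msg []byte) (Envelope, error) {
	digest := sha256.Sum256(msg)                                                // step 1
	sig, err := rsa.SignPKCS1v15(rand.Reader, alice, crypto.SHA256, digest[:]) // step 2
	if err != nil {
		return Envelope{}, err
	}
	var buf bytes.Buffer // step 3: message plus signed digest, with a 2-byte length prefix
	buf.Write([]byte{byte(len(sig) >> 8), byte(len(sig))})
	buf.Write(sig)
	buf.Write(msg)
	otk := make([]byte, 32) // one-time AES-256 key, fresh for every message
	if _, err := io.ReadFull(rand.Reader, otk); err != nil {
		return Envelope{}, err
	}
	block, _ := aes.NewCipher(otk)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, buf.Bytes(), nil)                                // step 4
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, bob, otk, nil)    // step 5
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open performs the receiver-side steps 7-11 and returns the message only if the
// digest recovered from the signature matches the digest of the received message.
func Open(bob *rsa.PrivateKey, alice *rsa.PublicKey, env Envelope) ([]byte, error) {
	otk, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, bob, env.WrappedKey, nil) // step 7
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(otk)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // step 8
	if err != nil {
		return nil, errors.New("ciphertext tampered or wrong key")
	}
	if len(pt) < 2 {
		return nil, errors.New("malformed plaintext")
	}
	n := int(pt[0])<<8 | int(pt[1])
	if len(pt) < 2+n {
		return nil, errors.New("malformed plaintext")
	}
	sig, msg := pt[2:2+n], pt[2+n:]
	digest := sha256.Sum256(msg) // step 9
	// steps 10-11: VerifyPKCS1v15 recovers the signed digest with Alice's public key and compares
	if err := rsa.VerifyPKCS1v15(alice, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify: not from Alice, or message modified")
	}
	return msg, nil
}

// Demo runs the exchange and reports the recovered message plus whether a forged
// envelope (signed by Mallory) and a tampered envelope were rejected.
func Demo() (msg string, forgedRejected, tamperRejected bool, err error) {
	keys := make([]*rsa.PrivateKey, 3)
	for i := range keys {
		if keys[i], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return "", false, false, err
		}
	}
	alice, bob, mallory := keys[0], keys[1], keys[2]
	env, err := Seal(alice, &bob.PublicKey, []byte("meter reading: 42 kWh")) // constructed sample message
	if err != nil {
		return "", false, false, err
	}
	got, err := Open(bob, &alice.PublicKey, env)
	if err != nil {
		return "", false, false, err
	}
	forged, _ := Seal(mallory, &bob.PublicKey, []byte("meter reading: 0 kWh"))
	_, ferr := Open(bob, &alice.PublicKey, forged)
	env.Ciphertext[0] ^= 0x01 // flip one bit of the ciphertext
	_, terr := Open(bob, &alice.PublicKey, env)
	return string(got), ferr != nil, terr != nil, nil
}

func main() { fmt.Println(Demo()) }
```

The one-time key is what makes the scheme hybrid: the slow public-key operation touches only 32 bytes, and a compromised one-time key exposes only one message.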
Security technology introduction 3. S/MIME
Working principle similar to PGP
S/MIME uses multipart MIME type to include the cryptographic information with the message
S/MIME uses Cryptographic Message Syntax (CMS) to specify the cryptographic information
Security technology introduction 4. Transport Layer Security (TLS)
Designed by the IETF; derived from SSL
Lies on top of the transport layer
Uses two protocols:
Handshake protocol:
Client -> Server: Hello
Server -> Client: Certificate
Client -> Server: secret key, encrypted with the server's public key
Server decrypts the secret key with its private key, uses the secret key to decode the message and sends an encrypted ack
End of handshaking
(This RSA key-transport exchange is the classic SSL/TLS 1.0-1.2 pattern; TLS 1.3 removed it in favour of ephemeral Diffie-Hellman key agreement, so the session key is never sent encrypted under the server's public key.)
Data exchange (record) protocol:
Uses the secret key to encrypt data
The secret key was already shared during the handshake
Security technology introduction 5. Chain of Trust
Validation propagates up the hierarchy, similar to DNS query propagation
At any level, a CA can certify the CAs of the next level, i.e. a level-1 CA can certify level-2 CAs
Thumb rule: everyone trusts the Root CA
Root CA
  Level-1 CA 1, Level-1 CA 2 (certified by the Root CA)
    Level-2 CA 1, Level-2 CA 2, Level-2 CA 3, Level-2 CA 4, Level-2 CA 5, Level-2 CA 6 (each certified by one of the level-1 CAs)
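The chain walk on this slide, and the certificate step of the TLS handshake on the previous one, in working code. This is an added example, not code from the deck: it builds the hierarchy Root CA -> Level-1 CA 1 -> Level-2 CA 3 -> server certificate with Go's crypto/x509, places only the Root CA in the trust store ("everyone trusts Root CA") and then verifies the server certificate the way a TLS client verifies the peer's Certificate message. The hostname scada.example, the CA names and the use of ECDSA P-256 are this example's assumptions. Two failure cases are exercised: the peer omits an intermediate, and the peer presents a certificate chained to a root the client does not trust.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certPair is a certificate together with the private key that signs on its behalf.
type certPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue creates a certificate for cn signed by parent; with parent == nil it is
// self-signed, which is how a root CA comes into being.
func issue(cn string, isCA bool, parent *certPair) (*certPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // keep it positive
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign // may certify the next level
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn} // the name a TLS client will check
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &certPair{cert: cert, key: key}, nil
}

// VerifyChain does what a TLS client does with the server's Certificate message:
// build a path from the presented leaf, through the intermediates the peer sent,
// to a root the client already trusts. It returns the subjects along that path.
func VerifyChain(leaf *x509.Certificate, intermediates []*x509.Certificate, roots *x509.CertPool, host string) ([]string, error) {
	pool := x509.NewCertPool()
	for _, c := range intermediates {
		pool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: pool, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return nil, err
	}
	var names []string
	for _, c := range chains[0] {
		names = append(names, c.Subject.CommonName)
	}
	return names, nil
}

// Demo builds the hierarchy and returns the verified path plus the errors from
// the two failure cases (missing intermediate; chain to an untrusted root).
func Demo() (valid []string, missingIntermediateErr, rogueErr, err error) {
	root, err := issue("Root CA", true, nil)
	if err != nil {
		return
	}
	level1, err := issue("Level-1 CA 1", true, root)
	if err != nil {
		return
	}
	level2, err := issue("Level-2 CA 3", true, level1)
	if err != nil {
		return
	}
	server, err := issue("scada.example", false, level2)
	if err != nil {
		return
	}
	rogueRoot, err := issue("Rogue Root", true, nil)
	if err != nil {
		return
	}
	rogueServer, err := issue("scada.example", false, rogueRoot)
	if err != nil {
		return
	}
	roots := x509.NewCertPool()
	roots.AddCert(root.cert) // the single trust anchor
	valid, err = VerifyChain(server.cert, []*x509.Certificate{level2.cert, level1.cert}, roots, "scada.example")
	if err != nil {
		return
	}
	_, missingIntermediateErr = VerifyChain(server.cert, []*x509.Certificate{level1.cert}, roots, "scada.example")
	_, rogueErr = VerifyChain(rogueServer.cert, nil, roots, "scada.example")
	return
}

func main() { fmt.Println(Demo()) }
```

Note what the trust store does and does not contain: only the root. The level-1 and level-2 CAs are trusted solely because a signature chain leads from them to that root, which is why a server that forgets to send its intermediates fails even though nothing about its own certificate is wrong.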
Recent distributed attack example: DDoS attack scenario
Attacker
Step 1. Probe for vulnerable computers to turn them into zombies
Step 2. Install the attack program on the compromised zombies (Zombie1 ... Zombiei ... Zombien)
Step 3. Send attack commands to the zombies to launch the DDoS (source: random spoofed address; destination: victim address)
Step 4. The victim's network capacity is saturated by the DDoS attack traffic
Victim
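A detection check for the Step 3 traffic pattern, as an added example not taken from the slides. Because each attack packet carries a random spoofed source, the number of distinct sources per destination per window approaches the packet count, whereas a legitimate burst (a flash crowd) repeats a small set of clients. The flow records below are constructed in a minimal NetFlow-like text format ("epoch-seconds src dst bytes"); the format, the thresholds and the addresses are this example's assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Flow is one record in a constructed text format: "<epoch-seconds> <src-ip> <dst-ip> <bytes>".
type Flow struct {
	TS    int
	Src   string
	Dst   string
	Bytes int
}

// Alert describes one destination/window that looks like a spoofed-source flood.
type Alert struct {
	Dst         string
	WindowStart int
	Packets     int
	UniqueSrcs  int
}

// ParseFlows parses the text format, skipping blank and malformed lines.
func ParseFlows(text string) []Flow {
	var out []Flow
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		var f Flow
		if _, err := fmt.Sscanf(sc.Text(), "%d %s %s %d", &f.TS, &f.Src, &f.Dst, &f.Bytes); err == nil {
			out = append(out, f)
		}
	}
	return out
}

// DetectSpoofedFlood groups flows by (destination, time window) and flags a window
// that carries at least minPackets flows of which a fraction >= minUniqueRatio come
// from distinct sources. Random spoofing drives that ratio towards 1.0.
func DetectSpoofedFlood(flows []Flow, windowSec, minPackets int, minUniqueRatio float64) []Alert {
	type key struct {
		dst string
		win int
	}
	packets := map[key]int{}
	srcs := map[key]map[string]struct{}{}
	for _, f := range flows {
		k := key{f.Dst, f.TS / windowSec * windowSec}
		packets[k]++
		if srcs[k] == nil {
			srcs[k] = map[string]struct{}{}
		}
		srcs[k][f.Src] = struct{}{}
	}
	var alerts []Alert
	for k, n := range packets {
		u := len(srcs[k])
		if n >= minPackets && float64(u)/float64(n) >= minUniqueRatio {
			alerts = append(alerts, Alert{Dst: k.dst, WindowStart: k.win, Packets: n, UniqueSrcs: u})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].WindowStart < alerts[j].WindowStart })
	return alerts
}

// SampleFlows is constructed data: 60 requests from 3 real clients to 203.0.113.10
// during t=1000..1009 (flash crowd), then 200 packets with 200 different spoofed
// sources aimed at 203.0.113.20 during t=1010..1019 (Step 3 of the scenario).
func SampleFlows() string {
	var b strings.Builder
	for i := 0; i < 60; i++ {
		fmt.Fprintf(&b, "%d 198.51.100.%d 203.0.113.10 500\n", 1000+i%10, 1+i%3)
	}
	for i := 0; i < 200; i++ {
		// 37 is coprime to 223, so the first octet alone makes all 200 sources distinct
		fmt.Fprintf(&b, "%d %d.%d.%d.%d 203.0.113.20 40\n",
			1010+i%10, 1+(i*37)%223, (i*59)%256, (i*83)%256, 1+(i*97)%254)
	}
	return b.String()
}

func main() {
	for _, a := range DetectSpoofedFlood(ParseFlows(SampleFlows()), 10, 50, 0.9) {
		fmt.Printf("spoofed flood suspected: %+v\n", a)
	}
}
```

The unique-source ratio is a cheap first filter, not a verdict: an attack from a botnet that does not spoof (Zombie1 ... Zombien sending with their real addresses) keeps the ratio low and needs a volume- or rate-based rule instead.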
The Components of Information Security
Alongside the CIA triad, information security rests on three components:
People
Processes
Technology
Need for message security
Privacy: am I sure nobody else knows this?
Authentication: am I sure that the sender is genuine and not an impostor?
Integrity: am I sure that the message has not been tampered with on its way?
Non-repudiation: what will I do if the sender denies sending the message?
The evolution of XML and its threats
Threats in Web 2.0-based language systems
Policy flexibility: maintaining consistency of policy across heterogeneous systems in a converged environment
What is the International Telecommunication Union (ITU)?
ITU-T: telecommunication standardization of network and service aspects
ITU-D: assisting implementation and operation of telecommunications in developing countries
ITU-R: radiocommunication standardization and global radio spectrum management
Study group organization (WTSA, TSAG)
SG 17, Security, Languages and Telecommunication Software
Lead Study Group on Telecommunication Security
SG 2, Operational Aspects of Service Provision, Networks and Performance
SG 4, Telecommunication Management
SG 5, Protection Against Electromagnetic Environment Effects
SG 9, Integrated Broadband Cable Networks and Television and Sound Transmission
SG 11, Signalling Requirements and Protocols
SG 13, Next Generation Networks
SG 15, Optical and Other Transport Network Infrastructures
SG 16, Multimedia Terminals, Systems and Applications
SG 19, Mobile Telecommunication Networks
The ITU is headquartered in Geneva and is the UN specialized agency for telecommunications.
Federal Information Security Management Act: Roles & Responsibilities
Agency Head
CIO
Agency Security Officer
Security Program:
Periodic risk assessments
Policies and procedures
Security plans
Security awareness training
Periodic testing and evaluation
Remediation activities
Incident response capabilities
Continuity of operations
Annual security review
Security Content Automation Protocol (SCAP)
XML formats and protocols to exchange technical security information between products
"Glue code" between the following data sets:
Common Vulnerabilities and Exposures (CVE)
Common Configuration Enumeration (CCE)
Common Platform Enumeration (CPE)
Common Vulnerability Scoring System (CVSS)
Extensible Configuration Checklist Description Format (XCCDF)
Open Vulnerability and Assessment Language (OVAL)
More products certified weekly
Observations and Truthinesses (deciding the security approach)
Control vs. audit burdens
Skill of the constituency
Need a security professional at each layer
Is it all just a matter of centralized vs. decentralized?
NGN architecture overview (Y.2012): a service stratum (applications, application support functions and service support functions, service control functions, service user profiles) over a transport stratum (transport user profiles, network attachment control functions, resource and admission control functions, transport control functions, transport functions), with management functions and end-user functions alongside, interfaces UNI, NNI and ANI, and links to other networks; control and media planes are separated.
Packet-based network with QoS support and security
Separation between Services and Transport
Access can be provided using many underlying technologies
Should be reflected in policy
Decoupling of service provision from network
Support wide range of services/applications Converged services between Fixed/Mobile
NGN peering trust model: Provider B as seen from Provider A's point of view. Provider A's NGN network elements sit in the trusted zone; its Domain Border Elements (DBE) sit in the trusted-but-vulnerable zone; Provider B's DBEs and NGN network elements are in the untrusted zone.
Identity: connecting users with services and with others (federation)
People have multiple identities, each within a specific context or domain:
Work - me@company.com
Family - me@smith.family
Hobby - me@icedevils.team
Volunteer - me@association.org
Whatever you're doing (applications): collaboration, video, voice, telephony, web apps, ERP
Whatever you're using (devices): PC, PDA, cellular, smart phone
Wherever you are (across various access types): at your desk, in the air, managed office, on the road, in town, at home
Network identity is essential
Need an end-to-end trust model
Network layers: node, hub, cluster, etc.
At what layer do you address a specific problem?
Can a specific solution “scale up” to the Federation/ Community Layer?
How do I get “clueful” people at each layer?
How do I communicate between layers?
Trusted Internet Connections (TIC)
Reduce government Internet connections to 50
Lowers the demand for skilled personnel
Uses models from DoD and DHS
Agencies share Internet connections
In theory: simplifies protecting Internet connections government-wide
http://www.whitehouse.gov/omb/memoranda/fy2008/m08-05.pdf
The Cybertastic Future: Management
Use the Enterprise, Project, and Integration Layers
Start in bite-sized pieces and consolidate wherever possible
Need "clueful" people at all layers
Organization at the Federation Layer for self-regulation; some people are already doing it
Some useful web resources
ITU-T Home page http://www.itu.int/ITU-T/
Security Roadmap http://www.itu.int/ITU-T/studygroups/com17/ict/index.html
Security Manual http://www.itu.int/publ/T-HDB-SEC.03-2006/en
Cybersecurity Portal http://www.itu.int/cybersecurity/
Cybersecurity Gateway http://www.itu.int/cybersecurity/gateway/index.html
Recommendations http://www.itu.int/ITU-T/publications/recs.html
ITU-T Lighthouse http://www.itu.int/ITU-T/lighthouse/index.phtml
ITU-T Workshops http://www.itu.int/ITU-T/worksem/index.html
LSG on Security http://www.itu.int/ITU-T/studygroups/com17/tel-security.html
Questions and discussion
Recent patent example (applicants: Sejong University, Dongguk University; inventors: Jang-Mook Kang et al.): Personal information protection apparatus and method for managing the distribution channel of personal information efficiently and safely {PERSONAL INFORMATION PROTECTION APPARATUS AND METHOD FOR MANAGING DISTRIBUTION CHANNEL OF PERSONAL INFORMATION EFFICIENTLY AND SAFELY}
Host: Korea Electrotechnology Research Institute, expert advisory presentation
Venue: Korea Electrotechnology Research Institute
Topic: Security in the Power Grid: General Security, Issues, Technologies and Policy Direction, in the Context of Next-Generation Technology Environments such as Social Network Services
Date: 20 October 2009
Speaker: Jang-Mook Kang (Professor, BK21 project group, Department of Information and Communication Engineering, Sejong University)
redsea@sejong.ac.kr
mooknc@gmail.com