• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.3
• /
• pp.649-664
• /
• 2015

Recently, the risk of security incidents has been increased due to change of IT environment and development of new hacking methods. Event study methodology that measures the effect of a specific security incident on the stock price is widely adopted to analyze the damage cost of security incidents on market value. However, analysis of company's temporary stock price change is limited to immediate practical implication, and reputation loss should be considered as a collateral damage caused by security incidents. We analyzed 52 security incidents of listed Korean companies in the last decade; by refining the criteria presented by Tobin's q, we quantitatively showed that the companies has significantly higher reputation loss due to security loss than the other companies. Our research findings can be used in order that the companies can efficiently allocate its resource and investment for information security.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.6
• /
• pp.1189-1206
• /
• 2020

Recently, ICT companies do not directly design, develop, produce, operate, maintain, and dispose of products and services, but are outsourced or outsourced companies are increasingly in charge. Attacks arising from this are also increasing due to difficulties in managing vulnerabilities for products and services in the process of consignment and re-consignment. In order to respond to this, standards and systems for security risk management of ICT supply chain are being established and operated overseas, and various case studies are being conducted. In addition, research is being conducted to solve supply chain security problems such as Software Bill of Materials (SBOM). International standardization organizations such as ISO have also established standards and frameworks for security of ICT supply chain. In this paper, we presents ICT supply chain security management items suitable for domestic situation by comparing and analyzing ICT supply chain security standards and systems developed as international standards with major countries such as the United States and EU, and explains the necessity of cyber security framework for establishing ICT supply chain security system.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.19 no.6
• /
• pp.3-15
• /
• 2009

Recently, Wu proposed a three small classes of finite fields $F_{2^n}$ for low-complexity bit-parallel multipliers. The proposed multipliers have low-complexities compared with those based on the irreducible pentanomials. In this paper, we propose a new Repeated Polynomial(RP) for low-complexity bit-parallel multipliers over $F_{2^n}$. Also, three classes of Irreducible Repeated polynomials are considered which are denoted, respectively, by case 1, case 2 and case3. The proposed RP bit-parallel multiplier has lower complexities than ones based on pentanomials. If we consider finite fields that have neither a ESP nor a trinomial as an irreducible polynomial when $n\leq1,000$. Then, in Wu''s result, only 11 finite fields exist for three types of irreducible polynomials when $n\leq1,000$. However, in our result, there are 181, 232, and 443 finite fields of case 1, 2 and 3, respectively.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.6
• /
• pp.1079-1090
• /
• 2014

Data mining is a technique to get the useful information that can be utilized for marketing and pattern analysis by processing the data that we have. However, when we use this technique, data provider's personal data can be leaked by accident. To protect these data from leakage, there were several techniques have been studied to preserve privacy. Vertically partitioned data is a state called that the data is separately provided to various number of user. On these vertically partitioned data, there was some methods developed to distinguishing kth element and (k+1) th element by using score. However, in previous method, we can only use on two-party case, so in this paper, we propose the extended technique by using paillier cryptosystem which can use on multi-party case.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.6
• /
• pp.1175-1184
• /
• 2014

Android provides a message-passing mechanism called intent. While it helps easy developments of communications between intra and inter applications, it can be vulnerable to attacks. In particular, implicit intent, differing from explicit intent specifying a receiving component, does not specify a component that receives a message and insecure ways of using implicit intents may allow malicious applications to intercept or forge intents. In this paper, we focus on security vulnerabilities of implicit intent and review researched attacks and solutions. For the case of implicit intent using 'developer-created action', specific attacks and solutions have been published. However, for the case of implicit intent using 'Android standard action', no specific attack has been found and less studied. In this paper, we present a new attack on implicit intent using Android standard action and propose solutions to protect smart phones from this attack.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.4
• /
• pp.919-928
• /
• 2018

Out-Of-Bounds (OOB) is one of the most powerful vulnerabilities in heap memory. The OOB vulnerability allows an attacker to exploit unauthorized access to confidential information by tricking the length of the array and reading or writing memory of that length. In this paper, we propose a method to automatically detect OOB vulnerabilities in heap memory using dynamic symbol execution and shadow memory table. First, a shadow memory table is constructed by hooking heap memory allocation and release function. Then, when a memory access occurs, it is judged whether OOB can occur by referencing the shadow memory, and a test case for causing a crash is automatically generated if there is a possibility of occurrence. Using the proposed method, if a weak block search is successful, it is possible to generate a test case that induces an OOB. In addition, unlike traditional dynamic symbol execution, exploitation of vulnerabilities is possible without setting clear target points.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.2
• /
• pp.287-297
• /
• 2019

When cryptographic algorithms are implemented to provide countermeasures against the side-channel analysis, designers frequently employ the combined countermeasures between the first-order masking scheme and hiding schemes. Their combination can be enough to offer security and efficiency. However, if dummy operations can be distinguished from real operations, an attacker can extract the secret key with lower complexity than the intended attack complexity by the designer inserting the dummy operations. In this paper, we categorize types of variables used in a dummy operation when C language is employed. Then, we present the novel vulnerability that can distinguish dummy operations for all cases where the hiding schemes are applied using different types of variables. Moreover, the countermeasure is provided to prevent the novel vulnerability.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.21 no.2
• /
• pp.149-156
• /
• 2011

In the recent years, power analysis attacks were widely investigated, and so various countermeasures have been proposed. In the case of block ciphers, masking methods that blind the intermediate values in the en/decryption computations are well-known among these countermeasures. But the cost of non-linear part is extremely high in the masking method of block cipher, and so the countermeasure for S-box must be efficiently constructed in the case of AES, ARIA and SEED. Existing countermeasures for S-box use the masked S-box table to require 256 bytes RAM corresponding to one S-box. But, the usage of the these countermeasures is not adequate in the lightweight security devices having the small size of RAM. In this paper, we propose the new countermeasure not using the masked S-box table to make up for this weak point. Also, the new countermeasure reduces time-complexity as well as the usage of RAM because this does not consume the time for generating masked S-box table.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.19 no.4
• /
• pp.21-28
• /
• 2009

In the recent years, power attacks were widely investigated, and so various countermeasures have been proposed, In the case of block ciphers, masking methods that blind the intermediate values in the algorithm computations(encryption, decryption, and key-schedule) are well-known among these countermeasures. But the cost of non-linear part is extremely high in the masking method of block cipher, and so the inversion of S-box is the most significant part in the case of AES. This fact make various countermeasures be proposed for reducing the cost of masking inversion and Zakeri's method using normal bases over the composite field is known to be most efficient algorithm among these masking method. We rearrange the masking inversion operation over the composite field and so can find duplicated multiplications. Because of these duplicated multiplications, our method can reduce about 10.5% gates in comparison with Zakeri's method.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.8 no.2
• /
• pp.646-663
• /
• 2014

Scrum is one of the most popular and efficient agile development methods. However, like other agile methods such as Extreme Programming (XP), Feature Driven Development (FDD), and the Dynamic Systems Development Method (DSDM), Scrum has been criticized because of lack of support to develop secure software. Thus, in 2011, we published research proposing the idea of a security backlog (SB). This paper represents the continuation of our previous research, with a focus on the evaluation in industry-based case study. Our findings highlight an improved agility in Scrum after the integration of SB. Furthermore, secure software can be developed quickly, even in situations involving requirement changes of software. Based on our experimental findings, we noticed that, when integrating SB, it is quite feasible to develop secure software using an agile Scrum model.