• Journal of the Korea Society of Computer and Information
• /
• v.24 no.8
• /
• pp.59-66
• /
• 2019

As the monetary value of cryptocurrency increases, the security measures for cryptocurrency becomes more important. A limitation of the existing cryptocurrency exchanges is their vulnerability to threats of hacking due to their centralized manner of management. In order to overcome such limitation, blockchain technology is increasingly adopted. The blockchain technology enables decentralization and Peer-to-Peer(P2P) transactions, in which blocks of information are linked in chain topology, and each node participating in the blockchain shares a distributed ledger. In this paper, we propose and implement a mobile electronic wallet that can safely store, send and receive cryptocurrencies. The proposed mobile cryptocurrency wallet connects to the network only when the wallet actively is used. Wallet owner manages his or her private key offline, which is advantageous in terms of security. JavaScript based wallet apps were implemented to respectively run on Android and iOS mobile phones. I demonstrate the process of transferring Ethereum cryptocurrency from an account to another account through Ropsten, a test net for Ethereum. Hardware wallets, such as Ledger Nano S, provide a slightly higher level of security, yet have the disadvantages of added burden of carrying additional physical devices and high costs (about 80$).

• Journal of the Korea Academia-Industrial cooperation Society
• /
• v.12 no.3
• /
• pp.1356-1366
• /
• 2011

The TPM(Trusted Platform Module) is a hardware chip to support a trusted computing environment. A rightful user needs a command authorization process in order to use principal TPM commands. To get command authorization from TPM chip, the user should perform the OIAP(Object-Independent Authorization Protocol) or OSAP(Object-Specific Authorization Protocol). Recently, Chen and Ryan alerted the vulnerability of insider attack on TPM command authorization protocol in multi-user environment and presented a countermeasure protocol SKAP(Session Key Authorization Protocol). In this paper, we simulated the possibility of insider attack on OSAP authorization protocol in real PC environment adopted a TPM chip. Furthermore, we proposed a novel countermeasure to defeat this insider attack and improve SKAP's disadvantages such as change of command suructures and need of symmetric key encryption algorithm. Our proposed protocol can prevent from insider attack by modifying of only OSAP command structure and adding of RSA encryption on user and decryption on TPM.

• Journal of the Korea Computer Industry Society
• /
• v.6 no.3
• /
• pp.465-476
• /
• 2005

The wireless sensor network consists of a number of sensor nodes which have physical constraints. Each sensor node senses surrounding environments and sends the sensed information to Sink. In order to alleviate the inherent vulnerability in security of the wireless sensor nodes with the hardware constraints, the lightweight security protocol is needed and a variety of research is ongoing. In this paper, we propose a non-hierarchical sensor network and a security protocol that is suitable for monitoring man-made objects such as bridges. This paper, furthermore, explores a two-layer authentication, key distribution scheme which distributes the key and location of a sensor node in advance, and an effective security routing protocol which can take advantage of the Sleep and Awake state. This also results in the increased data transfer rate by increasing the number of alternative routing paths and the reduced energy consumption rate.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.17 no.6
• /
• pp.143-148
• /
• 2007

In the context of mass traffic, firewall system cannot record normal log files against DDoS attack. The loss of log record causes that a firewall system does not know whether a packet is normally filtered or not, and firewall log, which is an essential data for the counter measure of violation accident, cannot be verified as trusted. As a network speed increases, these problems happen more frequently and largely. Accordingly, the method to use simply additional hardware devices is not recommended for the popularization of firewall. This paper is devoted to verify the loss of iptable log that is the mother's womb of most domestic firewall systems and show that the log handling methods for conventional firewall systems are needed to improve.

• Journal of Internet Computing and Services
• /
• v.15 no.3
• /
• pp.79-90
• /
• 2014

User authentication based on ID and PW has been widely used. As the Internet has become a growing part of people' lives, input times of ID/PW have been increased for a variety of services. People have already learned enough to perform the authentication procedure and have entered ID/PW while ones are unconscious. This is referred to as the adaptive unconscious, a set of mental processes incoming information and producing judgements and behaviors without our conscious awareness and within a second. Most people have joined up for various websites with a small number of IDs/PWs, because they relied on their memory for managing IDs/PWs. Human memory decays with the passing of time and knowledges in human memory tend to interfere with each other. For that reason, there is the potential for people to enter an invalid ID/PW. Therefore, these characteristics above mentioned regarding of user authentication with ID/PW can lead to human vulnerabilities: people use a few PWs for various websites, manage IDs/PWs depending on their memory, and enter ID/PW unconsciously. Based on the vulnerability of human factors, a variety of information leakage attacks such as phishing and pharming attacks have been increasing exponentially. In the past, information leakage attacks exploited vulnerabilities of hardware, operating system, software and so on. However, most of current attacks tend to exploit the vulnerabilities of the human factors. These attacks based on the vulnerability of the human factor are called social-engineering attacks. Recently, malicious social-engineering technique such as phishing and pharming attacks is one of the biggest security problems. Phishing is an attack of attempting to obtain valuable information such as ID/PW and pharming is an attack intended to steal personal data by redirecting a website's traffic to a fraudulent copy of a legitimate website. Screens of fraudulent copies used for both phishing and pharming attacks are almost identical to those of legitimate websites, and even the pharming can include the deceptive URL address. Therefore, without the supports of prevention and detection techniques such as vaccines and reputation system, it is difficult for users to determine intuitively whether the site is the phishing and pharming sites or legitimate site. The previous researches in terms of phishing and pharming attacks have mainly studied on technical solutions. In this paper, we focus on human behaviour when users are confronted by phishing and pharming attacks without knowing them. We conducted an attack experiment in order to find out how many IDs/PWs are leaked from pharming and phishing attack. We firstly configured the experimental settings in the same condition of phishing and pharming attacks and build a phishing site for the experiment. We then recruited 64 voluntary participants and asked them to log in our experimental site. For each participant, we conducted a questionnaire survey with regard to the experiment. Through the attack experiment and survey, we observed whether their password are leaked out when logging in the experimental phishing site, and how many different passwords are leaked among the total number of passwords of each participant. Consequently, we found out that most participants unconsciously logged in the site and the ID/PW management dependent on human memory caused the leakage of multiple passwords. The user should actively utilize repudiation systems and the service provider with online site should support prevention techniques that the user can intuitively determined whether the site is phishing.