• Proceedings of the Korean Information Science Society Conference
• /
• 2001.10a
• /
• pp.757-759
• /
• 2001

인증서의 유효성을 검사하기 위해 인증기관의 디렉도리내에 있는 최신의 인증서 폐지 목록을 많은 사용자가 동시에 조회시 시스템의 부하 및 속도 저하를 가중시킬 수 있다. 본 논문에서는 디렉토리에 대한 부하를 분산시키고 효율적으로 인증서 유효성 검사를 수행하기 위해 사용자 PC내에 자동 업데이트 엔진을 두어 인증서내의 CRL 분배점을 통한 인증서 폐지 목록을 다운로드 하는 방법을 제안하였다. 다운로드된 인증서 폐지 목록은 사용자의 인증서와 함께 유효성 검사에 이용되며 디렉토리에 대한 조회 횟수를 분산시켜부하를 감소시킬 수 있다.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.14 no.10
• /
• pp.4136-4156
• /
• 2020

Recently, data can be safely shared or stored using the infrastructure of cloud computing in various fields. However, issues such as data security and privacy affect cloud environments. Thus, a variety of security technologies are required, one of them is security technology using CP-ABE. Research into the CP-ABE scheme is currently ongoing, but the existing CP-ABE schemes can pose security threats and are inefficient. In terms of security, the CP-ABE approach should be secure against user collusion attacks and masquerade attacks. In addition, in a dynamic cloud environment where users are frequently added or removed, they must eliminate user access when they leave, and so users will not be able to access the cloud after removal. A user who has left should not be able to access the cloud with the existing attributes, secret key that had been granted. In addition, the existing CP-ABE scheme increases the size of the ciphertext according to the number of attributes specified by the data owner. This leads to inefficient use of cloud storage space and increases the amount of operations carried out by the user, which becomes excessive when the number of attributes is large. In this paper, CP-ABE access control is proposed to block access of withdrawn users in dynamic cloud environments. This proposed scheme focuses on the revocation of the attributes of the withdrawn users and the output of a ciphertext of a constant-size, and improves the efficiency of the user decryption operation through outsourcing.

• Journal of Digital Contents Society
• /
• v.14 no.1
• /
• pp.81-88
• /
• 2013

The increase of the smartphone users has popularized the mobile payment and the mobile credit card users are rapidly getting increased. The mobile credit cards that currently used provide its users with the service through downloading mobile credit card information into USIM. The mobile credit card saved in USIM has the minimized information for the security and is based on PKI. However certificate-based payment system has a complicated procedure and costs a lot of money to manage the certificates and CRL(Certificate Revocation List). Furthermore, It can be a obstacle to develop local e-commerce in Korea because it is hard for foreigners to use them. We propose the secure and efficient mobile credit card payment protocol based on certificateless signcryption which solve the problem of certificate use.

• Journal of KIISE:Information Networking
• /
• v.37 no.5
• /
• pp.327-338
• /
• 2010

Complete Subtree scheme(CS) is a well known broadcast encryption scheme to perform group rekeying in a stateless manner. However, statelessness comes at a cost in terms of storage and message overhead in transmitting key material. We propose a Merged Complete Subtree scheme(MCS) to reduce the communication overhead. It is more practical to make broadcast encryption schemes in network environments with limited bandwidth resources. We define all possible subset unions for ever two subsets of CS as new subsets having own key. The modification causes more storage overhead. Nevertheless, it is possible to make the size of a header, including key materials, half using subset unions of MCS, because the size of a header depends on the number of used subsets. Our evaluation therefore shows that the proposed scheme significantly improves the communication overhead of CS, reducing by half the rekey communication cost. The proposed scheme has the advantage of rekey communication cost when the number of revoked users is significant percentage of the number of potential users. The proposed scheme is fully collusion resistant.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.14 no.4
• /
• pp.25-37
• /
• 2004

A certificate is expected to use for its entire validity period. However, a false information record of user and compromise of private key may cause a certificate to become invalid prior to the expiration of the validity period. The CA needs to revoke the certificate. The CA periodically updates a signed data structure called a certificate revocation list(CRL) at directory server. but as CA updates a new CRL at directory server. the user can use a revoked certificate. Not only does this paper analyzes a structure of CRL and a characteristic of certificate status conviction, OCSP method but also it proposes a new certificate status verification method adding an observer information in handshake process between user and server.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.17 no.1
• /
• pp.97-101
• /
• 2007

The purpose of DRM is to protect the copyrights of content providers and to enable only designated users to access digital contents. From the consumers' point of view, they have a tendency to go against complex and confusing limitations. Moreover, consumers' rights of use of the content obtained legally were frequently harmed by arbitrary limitations. The concept of Authorized Domain (AD) was presented to remove such problems. However, the previous work on authorized domain has two problems. The first is that it requires a rather expensive revocation mechanism for withdraw process. The second is that the modules still can play contents which are previously obtained even though they are currently out of the authorized domain. On the contrary, our scheme presents the content from being played by modules which are out of the domain for better security. Furthermore our scheme does not need to maintain a revocation list and prevent replay attack.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.19 no.4
• /
• pp.105-114
• /
• 2009

Messages exchanged among vehicles must be authenticated in order to provide collision avoidance and cooperative driving services in VANET. However, digitally signing the messages can violate the privacy of users. Therefore, we require authentication systems that can provide conditional anonymity. Recently, Zhang et al. proposed conditionally anonymous authentication system for VANET using tamper-resistant hardware. In their system, vehicles can generate identity-based public keys by themselves and use them to sign messages. Moreover, they use batch verification to effectively verify signed messages. In this paper, we provide amelioration to Zhang et al.'s system in the following respects. First, we use a more efficient probabilistic signature scheme. Second, unlike Zhang et al., we use a security proven batch verification scheme. We also provide effective solutions for key revocation and anonymity revocation problems.

• Proceedings of the Korea Institutes of Information Security and Cryptology Conference
• /
• 2002.11a
• /
• pp.381-384
• /
• 2002

현재 인증서의 상태 검증을 실시간으로 제공하기 위해 각 CA(Certificate Authority)들은 고전적 방법인 CRL(Certificate Revocation List) 배포보다는 OCSP(Online Certificate Status Protocol)을 통하여 인증서의 상태에 대한 정보를 실시간으로 제공한다. 그러나, 경로검증 및 인증서 정책 맵핑 및 정책검증과 인증서 상태검증을 제공하는 SCVP(Simple Certificate Validation Protocol)는 CRL을 사용하는 한계로 인하여 실시간 검증을 제공하지 못하고 있다. 또한 OCSP는 인증서의 실시간 상태검증만을 제공할 뿐, 인증서의 경로검증과 인증서 정책 맵핑 및 정책검증에 대한 서비스는 제공하지 못하고 있다. 따라서, 이러한 두 프로토콜의 단점을 보안하고, 인증서 검증서버가 제공해야 하는 모든 서비스를 제공하기 위해 OCSP와 SCVP의 연동방안에 대한 연구를 통하여 SCVP에서의 실시간 검증을 제공할 수 있도록 한다.

• Journal of the Korea Society of Computer and Information
• /
• v.22 no.9
• /
• pp.49-55
• /
• 2017

Despite the Openflow's switch migration occurs after the channel was established in secure manner (optional), the current cryptography protocol cannot prevent the insider attack as the attacker possesses a valid public/private key pair. There are methods such as the certificate revocation list (CRL) or the online certificate status protocol (OCSP) that tries to revoke the compromised certificate. However, these methods require a management system or server that introduce additional overhead for the communication. Furthermore, these methods are not able to mitigate power abuse of an insider. In this paper, we propose a role-based identity-based cryptography (RB-IBC) that integrate the identity of the node along with its role so the nodes within the network can easily mitigate any role abuse of the nodes. Besides that, by combining with IBC, it will eliminate the need of exchanging certificates and hence improve the performance in a secure channel.

• Proceedings of the Korean Information Science Society Conference
• /
• 2002.04a
• /
• pp.907-909
• /
• 2002

전자 신뢰 매커니즘 기반의 정보사회에서는 기밀성과 인증의 확보가 필수적이며 이를 위해서는 전자서명 기술을 포함하고 있는 공개키 기반의 인증서관리 체계의 확립이 선결되어야 한다. [3] 인증서의 정당성을 검증하기 위해 검증자는 소유자의 인증서와 그 인증서를 인증한 공인인증기관의 인증서를 검증해야 하고, 이전에 인증서 폐지를 확인해야 하며, 실제 공개키 기반구조 환경에서 인증서의 유효성을 검증하기 위해서는 인증서 자체 검사와 함께 최상위 인증기관(루트CA)으로부터 사용자에게 인증서를 발행한 단말CA까지의 인증트리를 검증해야 한다[3]. 본 연구에서는 효율적인 인증서 폐지정보의 검증을 위해 다중 CA환경에 적합한 NPKI상에 B-Tree데이터구조를 적용하는 인증서 폐지 검증 방안을 제안하고자 한다.