Abstract:
PURPOSE: A method for transmitting an access policy between routers using identity is provided. By introducing an identity-based public key concept, the identity information itself serves as the public key and is correlated with a corresponding private key, which markedly reduces computation and the number of transmissions because no session keys are needed. CONSTITUTION: An extension initializer(10) transmits a message to a policy manager(12)(S51). The policy manager(12) transmits a response message to the extension initializer(10)(S52). The extension initializer(10) transmits a message encrypted under the identity of a target router(11) to the target router(11)(S53). The target router(11) decrypts the received message with its private key, verifies the extension code and the policy, and transmits an encrypted confirmation message to the extension initializer(10) to indicate whether the extension was installed successfully(S54).
Abstract:
PURPOSE: A system and a method for encrypting and decrypting images are provided to defeat cryptanalytic attacks that rely on analysis of the encrypted information. CONSTITUTION: An image encryption system includes an image splitter(110), a random image generator(120), an encoder(130), and a phase card generator(140). The image splitter splits an input binary image into a number of split images. The random image generator generates as many random images as there are split images. The encoder XORs each split image with its corresponding random image, producing one encoded image per split image. The phase card generator assigns phase values of pi and zero to the black and white pixel values that make up the encoded images, generating a phase card for each encoded image.
Abstract:
PURPOSE: A device and a method for a discriminated security service on a wide area network are provided. By classifying security services into security levels, assigning a security level to each device, and selecting and setting a security path for each security service request according to its level, a large-scale attack carried out through the network can be detected and countered according to the security level. CONSTITUTION: A network security service framework comprises a security policy server(1) and a security policy execution system(2), which perform the network security service on the wide area network(10). A security policy transfer/management communication protocol stack(20) transmits the security policy information between the security policy server and the security policy execution system. Each security management domain has its own distinct security requirements and countermeasure functions.
Abstract:
PURPOSE: A method for preventing kernel-level stack overflow on a computer OS(Operating System) is provided. It prevents the acquisition of system administrator privileges through stack overflow by copying a signal code to an executable segment in the OS kernel and executing it there, while blocking code execution in the stack area. CONSTITUTION: Stack execution is prevented by initializing an executable code segment and a data segment in the kernel and setting limits on the executable code segment and the data segment(210,220). The signal-return processing code that would otherwise execute on the stack is copied to the executable segment. The general protection fault trap generated when a stack overflow attempts execution in the stack area is handled.
Abstract:
PURPOSE: A method for interworking with an accounting server separated from a Diameter-based AAA authentication server is provided. It separates the server for authentication and authorization from the accounting server and keeps the two synchronized, so that the authentication server is reliably connected to the accounting server. CONSTITUTION: An authentication server(41) authenticates a user, generates data on the reason for authentication success or failure, and completes the authentication/authorization process(S1). The authentication server(41) transmits basic information, including session information, and session activation information, including supplementary information, to an accounting server(42)(S2). An AAA client(43) generates new accounting data, builds an ACR(Account Request) message, and transmits the ACR message to the authentication server(41)(S4). The authentication server(41) forwards the ACR message to the accounting server(42)(S5). The accounting server(42) stores the ACR message and transmits an ACA(Account Answer) message to the authentication server(41)(S6), which then forwards the ACA message to the AAA client(43)(S7). The authentication server(41) transmits a session complete message to the accounting server(42)(S8), and the accounting server(42) transmits a response message(S9).
Abstract:
PURPOSE: An apparatus and a method for encrypting user authentication information and data using MAC(Mandatory Access Control) and RBAC(Role Based Access Control) are provided. Files to be transmitted are encrypted selectively according to their sensitivity grade, so that the encryption process matches the grade of the user information. CONSTITUTION: The apparatus includes an FTP client program(10), a kernel layer(20), an FTP daemon program(15), and a security database(30). The FTP client program(10) issues the user authentication information request and the server connection request. The kernel layer(20) requests user authentication in response to the server connection request of the FTP client program and, once connected, encrypts and decrypts the FTP client program's data according to the MAC grade corresponding to the user authentication request. The FTP daemon program(15) analyzes the encrypted user authentication information and performs user authentication according to the MAC grade. The security database(30) stores the MAC grade for the client and the MAC grade for the data.
Abstract:
PURPOSE: An apparatus and a method for providing a reliable channel in a security OS(Operating System) that applies MAC(Mandatory Access Control) are provided. A new header allows packets used in communication to be encrypted independently according to the MAC security level, minimizing network performance degradation by using that security level. CONSTITUTION: If the data of a communication request from a transmission-side user(S1) constitute a packet transmission request, a reliable channel subsystem(12) judges whether the reliable channel applies. If it does, the reliable channel subsystem(12) composes a reliable channel header, encrypts a specific portion of the packet, stores authentication information in the reliable channel header, and transmits the packet through a network(A). A MAC module(20) provides the MAC information indicating whether the reliable channel applies. A kernel memory(30) provides the encryption key and authentication key needed to encrypt the reliable-channel host address and the packet and to generate the authentication data. On the receiving side, a reliable channel subsystem(12-1) retrieves the authentication data from the reliable channel header before decrypting the packet received through the network(A). If the authentication data are valid, the reliable channel subsystem(12-1) decrypts the encrypted packet. When reliable channel processing is complete, the reliable channel subsystem(12-1) passes the packet to the upper layer for delivery to a reception-side user(S2). A kernel memory provides the authentication key and encryption key needed to verify the authentication of the packet encrypted by the reliable channel subsystem(12) and to decrypt it.
Abstract:
PURPOSE: A method for transmitting a secure active packet between active nodes in an active network is provided, so that the packet can be transmitted and processed in the network at intermediate nodes as well as at the end terminal nodes. CONSTITUTION: The method includes the steps of: a first active node creating the information to be transmitted as an active packet using a symmetric key encryption method and broadcasting it(403); a second active node that receives the broadcast active packet requesting from the first active node the key for decrypting the symmetric key encryption(407); the first active node transmitting the decryption key in response to the key request received from the second node; and the second active node, having received the decryption key, decrypting the broadcast active packet and executing the information contained in the active packet.
Abstract:
PURPOSE: A network for active packet transmission and a method for operating it are provided. Active network topology information is distributed by creating opaque LSAs that carry the active network topology information, flooding them to the nodes in an OSPF domain, and configuring a routing table for active packet transmission from the flooded opaque LSAs. CONSTITUTION: The network for active packet transmission is composed of a plurality of active nodes(100-103) and generic nodes(110/1-110/7) using the OSPF routing protocol. Each active node is allocated an opaque type for the active network, creates opaque LSAs carrying active network topology information, and distributes the created opaque LSAs to the other active nodes in the OSPF domain.