Abstract:
본 발명은 암호화/복호화 키를 이용한 메시지 송수신 방법에 관한 것으로 특히, 전자적 수단을 이용한 메시지의 송수신 진행 중에 송신자와 수신자가 각각 암호화/복호화 키를 생성할 수 있을 뿐만 아니라, 암호화/복호화에 사용된 키를 복구할 수 있는 암호화/복호화 키를 이용한 메시지 송수신 방법에 관한 것이다. 본 발명이 제공하는 암호화/복호화 키를 이용한 메시지 송수신 방법은 (a)사용자가 자신의 개인키와 공개키를 생성하여 상기 공개키를 키 복구 대행기관(KRA)에 등록하고 공유된 비밀정보를 설정하는 사용자 등록 단계; 및 (b)송신 사용자는 전송 메시지의 복호화에 필요한 세션 키의 복구 정보를 생성하여 수신 사용자에게 전송하고, 상기 수신 사용자는 상기 복구 정보로부터 상기 복호화에 필요한 키를 직접 생성하여, 상기 전송 메시지를 복호화하는 암호 통신 단계를 포함하여 본 발명의 목적 및 기술적 과제를 달성한다. 아울러 본 발명의 목적 및 기술적 과제를 달성하기 위해 (c)상기 수신 사용자가 상기 KRA에 상기 세션 키의 복구를 요청하는 키 복구 요청 단계를 더 포함할 수 있다.
Abstract:
PURPOSE: A role based access control method is provided to control an access request based on a user role at a kernel level for preventing or intercepting a system hacking. CONSTITUTION: The method comprises several steps. A process selects effective roles among current roles by checking whether the roles, whose current member is the process, exist with the data on all the generated roles stored at a role data file(S1). The generation number of the effective roles, stored at the role data file, is compared with that of the roles, stored at an object security database, and a permission value of the role defined at an object is regarded as meaningless in a case that the two generation numbers are not same(S2). An OR operation is applied to attribute values defined at the object corresponding to the remaining roles processed via the steps, S1 and S2, it is checked whether a requested attribute value exists at the object, and an access permission result is output according to the check result(S3).
Abstract:
PURPOSE: An apparatus and a method for encrypting user authentication information and data using MAC(Mandatory Access Control) and RBAC(Role Based Access Control) are provided to perform an encrypting process corresponding to a grade of the user information by encrypting selectively a transmitting file according to an important grade of the transmitting file. CONSTITUTION: An apparatus for encrypting user authentication information and data using MAC and RBAC includes an FTP client program(10), a kernel layer(20), an FTP demon program(15), and a security database(30). The FTP client program(10) provides a user authentication information request and a server connection request. The kernel layer(20) is used for requesting the user authentication according to the server connection request of the FTP client program. In addition, the kernel layer is used for performing an encrypting/decrypting processing data of the FTP client program when being connected by a grade of MAC corresponding to the user authentication request. The FTP demon program(15) is used for analyzing the encrypted user authentication information and performing a user authentication process according to the grade of MAC. The security database(30) is used for storing the grade of MAC for the client and the grade of MAC for the data.
Abstract:
PURPOSE: An apparatus and a method for providing a reliable channel in a security OS(Operating System) to which MAC(Mandatory Access Control) is applied is provided to offer a new header for independently encoding a packet used in communication by a security level of the MAC and minimize network performance degradation using the security level of the MAC. CONSTITUTION: If data according to a communication request provided from a transmission-side user(S1) are for a packet transmission request, a reliable channel subsystem(12) judges whether a reliable channel is applied. If the reliable channel is applied, the reliable channel subsystem(12) composes a reliable channel header, encodes a specific portion of a packet, stores authentication information in the reliable channel header, and transmits the packet through a network(A). A MAC module(20) provides MAC information for indicating whether the reliable channel is applied. A kernel memory(30) provides an encryption key and an authentication key necessary for encoding a reliable channel application host address and the packet and generating authentication data. A reliable channel subsystem(12-1) retrieves the authentication data of the reliable channel header before decoding the packet received through the network(A). If the authentication data are valid, the reliable channel subsystem(12-1) decodes the encoded packet. If process for the reliable channel is ended, the reliable channel subsystem(12-1) transmits the packet to an upper level to transmit the packet to a reception-side user(S2). A kernel memory provides an authentication key and an encryption key necessary for checking authentication with respect to the packet encoded by the reliable channel subsystem(12) and decoding the packet.
Abstract:
PURPOSE: A file security system using a security level and a method for managing an encryption key are provided to encrypt or decrypt a file having the security level by using the encryption key of each security level, and to offer the file to a user, or save the file in a disk. CONSTITUTION: The disk(130) stores the encryption key matched with the security level set by an access control module(120), a key file storing the encryption key, and the file encrypted by the encryption key. A kernel memory(140) stacks the encryption key stored in the disk(130) according to the driving of the encryption file system(110). The encryption file system(110) draws out the encryption key matched with the security level of the file to read or stored by the user from the kernel memory(140), and transmits the file decrypted or encrypted by the encryption key to the user, or stores the file in the disk.
Abstract:
이동 IPv6 환경에서 AAA(Authentication Authorization Accounting) 기반 구조를 통한 IPSec 보안 연계 분배 방법 및 시스템이 개시되어 있다. 본 발명은 AAA 기반 구조와 연동된 모바일 IPv6환경에서 이동 노드와 홈에이전트간에 IPSec 보안 연계를 분배하는 IPSec 보안 연계 분배 방법에 있어서, 이동 노드가 상기 AAA기반구조로 보안 연계 분배를 요청하면 소정의 인증 절차를 거쳐 상기 홈에이전트에 보안 연계 분배에 필요한 정보를 요청하는 과정, 홈에이전트로부터 보안 연계 분배 요청의 정책 정보와 일치하는 정책의 존재 여부와 알고리듬 선택 메시지를 수신하면 그 메시지를 바탕으로 보안 연계 구성 정보를 생성하는 과정, 생성된 보안 연계 정보 메시지를 상기 이동 노드 및 상기 홈 에이전트로 분배하는 과정을 포함한다.
Abstract:
A file security system uses a security class set by an access control module. The file security system includes a disk, a kernel memory and an encryption file system. The disk includes a key file in which an encryption key corresponding to the security class is stored and a file encoded by the encryption key. The encryption key stored in the disk is loaded into the kernel memory when the file security system starts operating. The encryption file system extracts an encryption key corresponding to a security class of a file that a user intends to read or store; decodes or encodes the file by using the extracted encryption key; and then provides the decoded file to the user or stores the encoded file in the disk.
Abstract:
이동 IPv6 환경에서 AAA(Authentication Authorization Accounting) 기반 구조를 통한 IPSec 보안 연계 분배 방법 및 시스템이 개시되어 있다. 본 발명은 AAA 기반 구조와 연동된 모바일 IPv6환경에서 이동 노드와 홈에이전트간에 IPSec 보안 연계를 분배하는 IPSec 보안 연계 분배 방법에 있어서, 이동 노드가 상기 AAA기반구조로 보안 연계 분배를 요청하면 소정의 인증 절차를 거쳐 상기 홈에이전트에 보안 연계 분배에 필요한 정보를 요청하는 과정, 홈에이전트로부터 보안 연계 분배 요청의 정책 정보와 일치하는 정책의 존재 여부와 알고리듬 선택 메시지를 수신하면 그 메시지를 바탕으로 보안 연계 구성 정보를 생성하는 과정, 생성된 보안 연계 정보 메시지를 상기 이동 노드 및 상기 홈 에이전트로 분배하는 과정을 포함한다.
Abstract:
PURPOSE: A method for controlling access using a token having security attribute on a computer system is provided to keep security even if a storing device is flown out by storing a file after encryption using an encryption attribute, and to put no special limitation for conventional operation while keeping the security by making a system manager read only the encrypted contents for backup. CONSTITUTION: The computer system gives the token having the security attribute to a user permitted to access to a file(S101). A user process checks an access request for the file. It is judged that the access requested file has the token having the security attribute(S103). If the file has the token, the access to the file is permitted. If not, the access is permitted or refused by judging that the user requesting the access has the same token(S104).
Abstract:
PURPOSE: A role based access control method is provided to control an access request based on a user role at a kernel level for preventing or intercepting a system hacking. CONSTITUTION: The method comprises several steps. A process selects effective roles among current roles by checking whether the roles, whose current member is the process, exist with the data on all the generated roles stored at a role data file(S1). The generation number of the effective roles, stored at the role data file, is compared with that of the roles, stored at an object security database, and a permission value of the role defined at an object is regarded as meaningless in a case that the two generation numbers are not same(S2). An OR operation is applied to attribute values defined at the object corresponding to the remaining roles processed via the steps, S1 and S2, it is checked whether a requested attribute value exists at the object, and an access permission result is output according to the check result(S3).