Protection Profile

The Experts below are selected from a list of 35472 Experts worldwide ranked by ideXlab platform

Taihoon Kim - One of the best experts on this subject based on the ideXlab platform.

  • KES (2) - Security requirements for ubiquitous software development site
    Lecture Notes in Computer Science, 2006
    Co-Authors: Taihoon Kim
    Abstract:

    A PP (Protection Profile) defines an implementation-independent set of security requirements for a category of Target of Evaluations. Consumers or owners can therefore construct or cite a PP to express their security needs without reference to any specific IT products. Generally, a PP contains security assurance requirements about the security of the development environment for an IT product or system, and a PP can be applied to a ubiquitous software development site. This paper proposes some security environments for a ubiquitous software development site by analyzing the ALC_DVS.1 of the ISO/IEC 15408 and Base Practices (BPs) of the ISO/IEC 21827.

  • Security Requirements for Ubiquitous Software Development Site
    Lecture Notes in Computer Science, 2006
    Co-Authors: Taihoon Kim
    Abstract:

    A PP (Protection Profile) defines an implementation-independent set of security requirements for a category of Target of Evaluations. Consumers or owners can therefore construct or cite a PP to express their security needs without reference to any specific IT products. Generally, a PP contains security assurance requirements about the security of the development environment for an IT product or system, and a PP can be applied to a ubiquitous software development site. This paper proposes some security environments for a ubiquitous software development site by analyzing the ALC_DVS.1 of the ISO/IEC 15408 and Base Practices (BPs) of the ISO/IEC 21827.

  • threat description for developing security countermeasure
    Advances in Multimedia, 2004
    Co-Authors: Seungyoun Lee, Myongchul Shin, Jaesang Cha, Taihoon Kim
    Abstract:

    Evaluation has been the traditional means of providing assurance and is the basis for prior evaluation criteria documents such as ITSEC. The Common Criteria (CC) defines a Protection Profile (PP) that defines the security environments and specifies the security requirements and Protections of the product to be evaluated. The security environments consist of assumptions, threats, and organizational security policies, so the editor of the PP must describe the threats for the PP. This paper proposes a method for the description of the threats for developing PPs or countermeasures by introducing the concept of the assets protected by Target of Evaluations (TOE).

  • PCM (1) - Threat description for developing security countermeasure
    Advances in Multimedia Information Processing - PCM 2004, 2004
    Co-Authors: Seungyoun Lee, Myongchul Shin, Jaesang Cha, Taihoon Kim
    Abstract:

    Evaluation has been the traditional means of providing assurance and is the basis for prior evaluation criteria documents such as ITSEC. The Common Criteria (CC) defines a Protection Profile (PP) that defines the security environments and specifies the security requirements and Protections of the product to be evaluated. The security environments consist of assumptions, threats, and organizational security policies, so the editor of the PP must describe the threats for the PP. This paper proposes a method for the description of the threats for developing PPs or countermeasures by introducing the concept of the assets protected by Target of Evaluations (TOE).

  • ICCSA (1) - Reduction Method of Threat Phrases by Classifying Assets
    Computational Science and Its Applications – ICCSA 2004, 2004
    Co-Authors: Taihoon Kim, Dong Chun Lee
    Abstract:

    Evaluation has been the traditional means of providing assurance. The Common Criteria (CC) defines a Protection Profile (PP) that defines the security environments and specifies the security requirements and Protections of the product to be evaluated. The security environments consist of assumptions, threats, and organizational security policies, so the editor of the PP must describe the threats for the PP. In this paper, we propose a new method for the description of the threats for the PP by introducing the concept of the assets protected by Target of Evaluations (TOE), and show some merits by applying that concept to the Network-based Intrusion Detection System (NIDS).

Dong Ho Won - One of the best experts on this subject based on the ideXlab platform.

  • MUSIC - Protection Profile for PoS (Point of Sale) System
    Lecture Notes in Electrical Engineering, 2014
    Co-Authors: Hyun Jung Lee, Youngsook Lee, Dong Ho Won
    Abstract:

    A PoS system immediately obtains the data related to the sale at the time and place of purchase. It provides an initial interface for the credit card transaction to happen. Due to its dealing with sensitive data such as credit card information, many relevant organizations have been trying to suggest security standards. However, there still is no PoS system that guarantees security, which results in a lot of hacked PoS systems in different countries. This paper intends to draw out security functional requirements for a PoS system based on the CC, which can be used as a reference for its security evaluation.

  • Protection Profile for pos point of sale system
    MUSIC, 2014
    Co-Authors: Hyun Jung Lee, Youngsook Lee, Dong Ho Won
    Abstract:

    A PoS system immediately obtains the data related to the sale at the time and place of purchase. It provides an initial interface for the credit card transaction to happen. Due to its dealing with sensitive data such as credit card information, many relevant organizations have been trying to suggest security standards. However, there still is no PoS system that guarantees security, which results in a lot of hacked PoS systems in different countries. This paper intends to draw out security functional requirements for a PoS system based on the CC, which can be used as a reference for its security evaluation.

  • Protection Profile for unidirectional security gateway between networks
    International journal of security and its applications, 2013
    Co-Authors: Hyun Jung Lee, Dong Ho Won
    Abstract:

    Development of hacking techniques demands more and more network security. For this reason, major facilities as well as government agencies physically divide the protected network from the Internet network. However, if the internal and external networks are divided, file transfer and work efficiency are reduced. To solve this problem and to transfer data between the Internet network and the protected network, the Unidirectional Security Gateway System was born. This paper analyzes the unidirectional security gateway and suggests a Protection Profile based on the CC V3.1 to help the development and evaluation of unidirectional security gateways.

  • Threat modeling of a mobile device management system for secure smart work
    Electronic Commerce Research, 2013
    Co-Authors: Keunwoo Rhee, Sang Woon Jang, Dong Ho Won, Sooyoung Chae, Sang-oh Park, Sangwoo Park
    Abstract:

    To enhance the security of mobile devices, enterprises are developing and adopting mobile device management systems. However, if a mobile device management system is exploited, mobile devices and the data they contain will be compromised. Therefore, it is important to perform extensive threat modeling to develop realistic and meaningful security requirements and functionalities. In this paper, we analyze some current threat modeling methodologies, propose a new threat modeling methodology and present all possible threats against a mobile device management system by analyzing and identifying threat agents, assets, and adverse actions. This work will be used for developing security requirements such as a Protection Profile and design a secure system.

  • Protection Profile for data leakage Protection system
    International Conference on Future Generation Information Technology, 2011
    Co-Authors: Hyun Jung Lee, Dong Ho Won
    Abstract:

    Most of the biggest financial or insurance companies in the world that deal with critical client information are now considering introducing a Data Leakage Protection (DLP) system in order to reduce the risk of data loss. However, there is no standard for the introduction of a DLP system, which leads to companies still having the problem of information leakage even after the introduction. This paper analyzes various channels of information leakage and suggests a Protection Profile based on the CC V3.1 to help develop and introduce a DLP system that can prevent in-house information leakage.

Seungjoo Kim - One of the best experts on this subject based on the ideXlab platform.

  • Analysis on Vulnerability of Home Healthcare Medical Devices and Development of Protection Profile Based on Common Criteria Version 3.1
    2011 First ACIS JNU International Conference on Computers Networks Systems and Industrial Engineering, 2011
    Co-Authors: Changwhan Lee, Seungjoo Kim, Kwangwoo Lee, Dong Ho Won
    Abstract:

    Recently, there has been increased interest in home healthcare service due to prosperity of information technology and distribution of developed medical devices. Home healthcare service is a service that enables patients to receive medical service at home, without visiting a hospital. However, since the insecurely processed information can directly affect patients' health and lives, security must be taken into consideration. In this paper, we discuss the vulnerabilities and threats to consolidate security and reliability of home healthcare service, and propose a Protection Profile for home healthcare medical devices based on Common Criteria.

  • Protection Profile for secure e voting systems
    Information Security Practice and Experience, 2010
    Co-Authors: Kwangwoo Lee, Dong Ho Won, Yunho Lee, Seungjoo Kim
    Abstract:

    In this paper, we propose a Protection Profile for e-voting systems. Currently, there are three Protection Profiles for e-voting systems, BSI-PP-0031 in Germany, PP-CIVIS in France, and IEEE P1583 in USA. Although these Protection Profiles consider the overall security requirements for e-voting systems, they did not consider the voter verifiable audit trail. The voter verifiable audit trail allows voters to verify that their votes were captured correctly. Moreover, it provides a means to audit the stored electronic results, and to detect possible election fraud. Today, several voter verifiable audit trail e-voting systems already exist in the market, and are used in public elections. However, a Protection Profile does not reflect this situation. Therefore, it is required that a Protection Profile for e-voting systems should consider the voter verifiability. To accomplish this, we propose a Protection Profile considering the voter verifiability with the existing Protection Profiles, and then discuss voter verifiability issues related to the electoral process. The proposed Protection Profile can be used to increase reliability of the entire e-voting process and tabulation result.

  • ISPEC - Protection Profile for secure e-voting systems
    Information Security Practice and Experience, 2010
    Co-Authors: Kwangwoo Lee, Dong Ho Won, Yunho Lee, Seungjoo Kim
    Abstract:

    In this paper, we propose a Protection Profile for e-voting systems. Currently, there are three Protection Profiles for e-voting systems, BSI-PP-0031 in Germany, PP-CIVIS in France, and IEEE P1583 in USA. Although these Protection Profiles consider the overall security requirements for e-voting systems, they did not consider the voter verifiable audit trail. The voter verifiable audit trail allows voters to verify that their votes were captured correctly. Moreover, it provides a means to audit the stored electronic results, and to detect possible election fraud. Today, several voter verifiable audit trail e-voting systems already exist in the market, and are used in public elections. However, a Protection Profile does not reflect this situation. Therefore, it is required that a Protection Profile for e-voting systems should consider the voter verifiability. To accomplish this, we propose a Protection Profile considering the voter verifiability with the existing Protection Profiles, and then discuss voter verifiability issues related to the electoral process. The proposed Protection Profile can be used to increase reliability of the entire e-voting process and tabulation result.

  • Protection Profile for connected interoperable drm framework
    Workshop on Information Security Applications, 2009
    Co-Authors: Donghyun Choi, Dong Ho Won, Sungkyu Cho, Seungjoo Kim
    Abstract:

    Nowadays, interoperability of DRM is an issue in market. It can be achieved by three different approaches: full-format, configuration-driven and connected interoperability. In particular, the connected interoperability refers to devices that contact an online translation service. When the consumers want to transfer content to a different device, they access the online translation server and rely upon online services. The connected interoperability does not need defining one standard and has the ability to monitor. Therefore, the connected interoperability is used more than others in market. However, in the connected interoperability, even though two distinct DRM systems want to share the content, they cannot share the content if the online translation server does not guarantee reliability. In this paper, we propose a Protection Profile for connected interoperable DRM framework to solve the problem. This PP can be used to establish trust between the DRM provider and the online translation server for interoperability. If that happens, the connected interoperable DRM market will be more active than before.

  • WISA - Protection Profile for Connected Interoperable DRM Framework
    Information Security Applications, 2009
    Co-Authors: Donghyun Choi, Dong Ho Won, Sungkyu Cho, Seungjoo Kim
    Abstract:

    Nowadays, interoperability of DRM is an issue in market. It can be achieved by three different approaches: full-format, configuration-driven and connected interoperability. In particular, the connected interoperability refers to devices that contact an online translation service. When the consumers want to transfer content to a different device, they access the online translation server and rely upon online services. The connected interoperability does not need defining one standard and has the ability to monitor. Therefore, the connected interoperability is used more than others in market. However, in the connected interoperability, even though two distinct DRM systems want to share the content, they cannot share the content if the online translation server does not guarantee reliability. In this paper, we propose a Protection Profile for connected interoperable DRM framework to solve the problem. This PP can be used to establish trust between the DRM provider and the online translation server for interoperability. If that happens, the connected interoperable DRM market will be more active than before.

Kwangwoo Lee - One of the best experts on this subject based on the ideXlab platform.

  • Protection Profile of personal information security system designing a secure personal information security system
    Trust Security And Privacy In Computing And Communications, 2011
    Co-Authors: Hyun Jung Lee, Kwangwoo Lee, Dong Ho Won
    Abstract:

    As cyber-crimes using personal information such as ID theft are increasing, there is a need for appropriate technology or law to protect privacy. To this end, the Korean Government established the Privacy Act on March 29th 2011. The Privacy Act prescribes a specification for dealing with privacy with the intention to protect personal information from being collected, leaked, misused, or abused so that it can improve rights and interests of the nation and eventually realize the dignity and value of man. The United States, Japan, Canada, and several countries of the EU have their own privacy law being established or revised. Although there must be differences depending on the circumstances of each country, the ultimate goal of the privacy law should be the same. Consequently, there might be the same or similar technical Protection required by all these countries. Between the increasing interest in protecting personal information and the establishment of the Privacy Act, many industries are having relevant products released one after another. Customers without knowledge of the law and the product types cannot decide what they need. This paper intends to derive necessary security functions of a personal information security system based on the Common Criteria and analyze the limit of the products in order to make guidelines for privacy and information Protection system.

  • An Improved Protection Profile for Multifunction Peripherals in Consideration of Network Separation
    Lecture Notes in Electrical Engineering, 2011
    Co-Authors: Changbin Lee, Kwangwoo Lee, Namje Park, Dong Ho Won
    Abstract:

    Multifunction peripherals, capable of networking and equipped with several hardcopy functions with various security functions, are taking place of printers and other printing devices in office workplaces. However, the security functions within a multifunction peripheral and its IT environments may have vulnerabilities. The information transmitted in multifunction peripherals includes very sensitive data since the device is networked to transmit data including confidential information. There have been international efforts to mitigate this anxiety of consumers through common criteria. In 2009, a series of standards for multifunction peripherals were developed. These Protection Profiles are classified in accordance to four different operational environments. However, though multifunction peripherals treat confidential information, network separation issue is not regarded in classifying the operational environments. Thus, in this paper, we present an operational environment and propose a Protection Profile that is appropriate for the new environment.

  • TrustCom - Protection Profile of Personal Information Security System: Designing a Secure Personal Information Security System
    2011 IEEE 10th International Conference on Trust Security and Privacy in Computing and Communications, 2011
    Co-Authors: Hyun Jung Lee, Kwangwoo Lee, Dong Ho Won
    Abstract:

    As cyber-crimes using personal information such as ID theft are increasing, there is a need for appropriate technology or law to protect privacy. To this end, the Korean Government established the Privacy Act on March 29th 2011. The Privacy Act prescribes a specification for dealing with privacy with the intention to protect personal information from being collected, leaked, misused, or abused so that it can improve rights and interests of the nation and eventually realize the dignity and value of man. The United States, Japan, Canada, and several countries of the EU have their own privacy law being established or revised. Although there must be differences depending on the circumstances of each country, the ultimate goal of the privacy law should be the same. Consequently, there might be the same or similar technical Protection required by all these countries. Between the increasing interest in protecting personal information and the establishment of the Privacy Act, many industries are having relevant products released one after another. Customers without knowledge of the law and the product types cannot decide what they need. This paper intends to derive necessary security functions of a personal information security system based on the Common Criteria and analyze the limit of the products in order to make guidelines for privacy and information Protection system.

  • Analysis on Vulnerability of Home Healthcare Medical Devices and Development of Protection Profile Based on Common Criteria Version 3.1
    2011 First ACIS JNU International Conference on Computers Networks Systems and Industrial Engineering, 2011
    Co-Authors: Changwhan Lee, Seungjoo Kim, Kwangwoo Lee, Dong Ho Won
    Abstract:

    Recently, there has been increased interest in home healthcare service due to prosperity of information technology and distribution of developed medical devices. Home healthcare service is a service that enables patients to receive medical service at home, without visiting a hospital. However, since the insecurely processed information can directly affect patients' health and lives, security must be taken into consideration. In this paper, we discuss the vulnerabilities and threats to consolidate security and reliability of home healthcare service, and propose a Protection Profile for home healthcare medical devices based on Common Criteria.

  • Protection Profile for secure e voting systems
    Information Security Practice and Experience, 2010
    Co-Authors: Kwangwoo Lee, Dong Ho Won, Yunho Lee, Seungjoo Kim
    Abstract:

    In this paper, we propose a Protection Profile for e-voting systems. Currently, there are three Protection Profiles for e-voting systems, BSI-PP-0031 in Germany, PP-CIVIS in France, and IEEE P1583 in USA. Although these Protection Profiles consider the overall security requirements for e-voting systems, they did not consider the voter verifiable audit trail. The voter verifiable audit trail allows voters to verify that their votes were captured correctly. Moreover, it provides a means to audit the stored electronic results, and to detect possible election fraud. Today, several voter verifiable audit trail e-voting systems already exist in the market, and are used in public elections. However, a Protection Profile does not reflect this situation. Therefore, it is required that a Protection Profile for e-voting systems should consider the voter verifiability. To accomplish this, we propose a Protection Profile considering the voter verifiability with the existing Protection Profiles, and then discuss voter verifiability issues related to the electoral process. The proposed Protection Profile can be used to increase reliability of the entire e-voting process and tabulation result.

Melanie Volkamer - One of the best experts on this subject based on the ideXlab platform.

  • Evaluation of Electronic Voting: Requirements and Evaluation Procedures to Support Responsible Election Authorities
    2009
    Co-Authors: Melanie Volkamer
    Abstract:

    Electronic voting has a young and attractive history, both in the design of basic cryptographic methods and protocols and in the application by communities who are in the vanguard of technologies. The crucial aspect of security for electronic voting systems is subject to research by computer scientists as well as by legal, social and political scientists. The essential question is how to provide a trustworthy base for secure electronic voting, and hence how to prevent accidental or malicious abuse of electronic voting in elections. To address this problem, Volkamer structured her work into four parts: 'Fundamentals' provides an introduction to the relevant issues of electronic voting. 'Requirements' contributes a standardized, consistent, and exhaustive list of requirements for e-voting systems. 'Evaluation' presents the proposal and discussion of a standardized evaluation methodology and certification procedure called a core Protection Profile. Finally, 'Application' describes the evaluation of two available remote electronic voting systems according to the core Protection Profile. The results presented are based on theoretical considerations as well as on practical experience. In accordance with the German Society of Computer Scientists, Volkamer succeeded in specifying a 'Protection Profile for a Basic Set of Security Requirements for Online Voting Products', which has been certified by the German Federal Office for Security in Information Technology. Her book is of interest not only to developers of security-critical systems, but also to lawyers, security officers, and politicians involved in the introduction or certification of electronic voting systems.

  • Core Protection Profile
    Lecture Notes in Business Information Processing, 2009
    Co-Authors: Melanie Volkamer
    Abstract:

    In Chap. 6, a list of requirements for remote electronic voting systems is provided as well as the exact definition of the addressed target of evaluation. Moreover, in Chap. 7, the Common Criteria is identified as an appropriate evaluation technique for remote electronic voting systems.

  • Proof of Concept
    Lecture Notes in Business Information Processing, 2009
    Co-Authors: Melanie Volkamer
    Abstract:

    The previous part discusses the GI/BSI/DFKI Protection Profile which constitutes after the implementation of the identified improvements as the proposed evaluation methodology for remote electronic voting systems. The result can now be applied to available systems. Currently, there is no system that has been evaluated against the GI/BSI/DFKI Protection Profile or even against the improved version.

  • Electronic Voting - Development of a Formal IT-Security Model for Remote Electronic Voting Systems
    2008
    Co-Authors: Rüdiger Grimm, Melanie Volkamer
    Abstract:

    Remote electronic voting systems are more and more used not so much for parliamentary elections, but nevertheless for elections on lower levels as in associations and at universities. In order to have a basis for the evaluation and certification, in Germany a Common Criteria Protection Profile [PP08] is developed, which defines basic requirements for remote electronic voting systems. This Protection Profile requires a rather low evaluation depth (EAL2+). For elections on higher levels an appropriate adjustment of the evaluation depth is recommended. In its first part this paper points out that increasing the evaluation depth beyond EAL5 is not possible at present, since EAL6 requires formal methods and in particular a formal IT security model. Such a formal model does not exist yet. In the second part, this paper proposes a first step to an IT security model for remote electronic voting systems, which, however, considers only a subset of the security objectives defined in the Protection Profile [PP08].

  • Electronic Voting - Security Requirements for Non-political Internet Voting
    2006
    Co-Authors: Rüdiger Grimm, Kai Reinhard, Melanie Volkamer, Robert Krimmer, Nils Meißner, Marcel Weinand
    Abstract:

    This paper describes the development of security requirements for non-political Internet voting. The practical background is our experience with the Internet voting within the Gesellschaft für Informatik (GI - Informatics Society) 2004 and 2005. The theoretical background is the international state-of-the-art of requirements about electronic voting, especially in the US and in Europe. A focus of this paper is on the user community driven standardization of security requirements by means of a Protection Profile of the international Common Criteria standard.