13 5 2009 10

A Plan for Introducing Government Information Security Systems through Pre-qualification

여상수 (Sang-Soo Yeo)*, 이동범 (Dong-Bum Lee)**, 곽진 (Jin Kwak)**

Summary

Abstract
As the information-oriented society advances, various information security systems are being developed, and national and public institutions are increasingly introducing information security systems to secure the services they offer. In particular, interest in security assessment services for government information systems is growing, because for such systems verification of security is weighed first of all. Accordingly, studies of various security assessment services have been carried out domestically and overseas. In this paper we analyze the security assessment services of Britain and Canada, and we propose a pre-qualification introduction plan for government information security systems that can offer reliability to users in national and public institutions.

Key words : Government Information Security System, Pre-qualification

I. Introduction
(CMVP : Cryptographic Module Validation Program), (CC : Common Criteria),

* Division of Computer Engineering, Mokwon University
** Department of Information Security Engineering, Soonchunhyang University
(Corresponding Author)
: 2009 7 22 ( ) : 2009 7 23 ( : 2009 10 23) : 2009 10 30
(ISMS : Information Security Management System) IT [1-3]. [4-5]. 2, 3. 4, 5.

II. Related Work

2-1 Domestic Evaluation Services

2-1-1
[6].

Table 1. Role of information security product assessment and certification relevant organizations

2-1-2
27 ( ). IT.
[7].

Fig. 1. Korea Cryptographic Module Validation Program (KCMVP)

2-2 British Evaluation Services

2-2-1 SYS
SYS IT (MOD) (CESG : Communications Electronics Security Group). IT. SYS 2002 IT (UK IT Security Evaluation Criteria (ITSEC) method) [8].

2-2-2 FTA
FTA CESG fast track. FTA 2001 CESG IA.

2-2-3 CHECK
CHECK. CHECK. FTA CC.

2-2-4 CAPS
CAPS CESG. CAPS, CAPS. CAPS. CAPS "Baseline", "Enhanced", "High Grade" 3. Baseline Restricted Private FIPS 140-2 FIPS 140-2.
CAPS CC [9].

2-2-5 CCTM
(CSIA : Central Sponsor for Information Assurance) (CCTM : CSIA Claims Tested Mark) 2005 1. 2008 4 7 (CESG : Communication Electronics Security Group) (CCTM : CESG Claims Tested Mark).

Table 2. Information Assurance Method Requirements
CC | SYS | FTA | CHECK | CAPS | CCTM

ISO/IEC 17025 (UKAS : United Kingdom Accreditation Service). (claims testing). [10]. 2.

2-3 Canadian Evaluation Services

2-3-1 IPPP
(IPPP : ITS Product Pre-qualification Program). (IPPL : ITS Pre-qualification Product List). [11-12]. FIPS 140-1 FIPS 140-2
IT. FIPS 140-1 FIPS 140-2 CMVP. 3.

Table 3. ITS Pre-qualified Product List Categories

III. A Plan for Introducing Government Information Security Systems through Pre-qualification

3-1 Security Functional Classes of the Common Criteria
2. ISO/IEC 15408 2. TOE (Target of Evaluation), PP (Protection Profile) ST (Security Target). TOE TOE. TOE. 4 [13-15].

Table 4. Security functional classes of the Common Criteria
FAU  Security audit
FCO  Communication
FCS  Cryptographic support
FDP  User data protection
FIA  Identification and authentication
FMT  Security management
FPR  Privacy
FPT  Protection of the TSF (TOE security functionality)
FRU  Resource utilisation
FTA  TOE access
FTP  Trusted path/channels (inter-TSF, TSF-user)

3-2 Product Checklist for Government Information Security Systems
5, 6 [16].

Table 5. Standard of classification for products
VOIP
SSO, EAM, IM/IAM
DRM
/COS
PKI
DB
S/MIME / PGP
PC
PC
USB

Table 6. Proposed checklist
o : Triple DES, AES, ARIA, RSA
o : RSA, DSA
o : Diffie-Hellman, RSA
o : SHA-1, SHA-256, SHA-384, SHA-512
o : 2009. 00. 00
o : 2009. 00. 00
o Windows XP Professional / 9X / ME / NT / Server 2003
o HP-UX 11i v3, AIX v6.1, Solaris 9 / 10
o Fedora 9 / 10, Red Hat Enterprise Linux 4 / 5
Fig. 2. Introduction procedure for government information security systems

3-3 Introduction Procedure for Government Information Security Systems

3-3-1
7 [17].

Table 7. Evaluation items of the verification test
IT
3-3-2
[18].

3-3-3

3-3-4

3-3-5

3-3-6
[19].
3-3-7

IV. Analysis

4-1 Certification Body

4-2 Evaluation Body

4-3 Developers

4-4 National and Public Institutions

V. Conclusion

References
[1] http://csrc.nist.gov/
[2] http://www.commoncriteriaportal.org/
[3] http://www.kisa.or.kr/
[4] http://www.cse-cst.gc.ca/
[5] http://www.cesg.gov.uk/
[6] IT, " ", 2008.
[7] http://www.kecs.go.kr
[8] http://www.stsc.hill.af.mil
[9] http://www.cesg.gov.uk
[10] CESG, "Government Quality Mark - Directory of CESG Claims Tested Mark (CCTM) Awards for Products and Services", March 2009.
[11] NIST, "FIPS Publication 140-3 (Draft) : Security Requirements for Cryptographic Modules", July 2007.
[12] CSEC, "Canadian Common Criteria Evaluation and Certification Scheme (CCS) Scheme Description", May 2000.
[13] ISO/IEC 15408, "Common Criteria for Information Technology Security Evaluation", version 3.1, Part 1, 2007.
[14] ISO/IEC 15408, "Common Criteria for Information Technology Security Evaluation", version 3.1, Part 2, 2007.
[15] ISO/IEC 15408, "Common Criteria for Information Technology Security Evaluation", version 3.1, Part 3, 2007.
[16] NIST, "Special Publication 800-70 : Security Configuration Checklists Program for IT Products - Guidance for Checklists Users and Developers", May 2005.
[17] CESG, "CESG Claims Tested Mark Scheme : Vendor Guide", March 2009.
[18] CESG, "CESG Claims Tested Mark Scheme : Test Laboratory Guide", March 2009.
[19] CESG, "CESG Claims Tested Mark Scheme : Decision Authority Guide", February 2009.

여상수 (呂相壽, Sang-Soo Yeo)
2008 :
2006 3~2007 2 :
2007 2~2008 1 :
2008 2~2009 2 : ( )
2009 3~ :
Research interests : , ,

이동범 (李東範, Dong-Bum Lee)
2008 2 : ( )
2008 3~ :
Research interests : , ,

곽진 (郭鎭, Jin Kwak)
1994~2006 : ( , , )
2006 4 2006 11 :
2006 8 2006 11 :
2006 2007 2 :
2007 2~ :
Research interests : , RFID, , , , u-city