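Report information
Lead research institution | Electronics and Telecommunications Research Institute (한국전자통신연구원) |
Principal investigator | 김정녀 |
Participating researchers | 김승주, 이형우, 유일선 |
Report type | Final report |
Country of publication | Republic of Korea |
Language | Korean |
Publication date | 2017-04 |
Project start year | 2016 |
Supervising ministry | Ministry of Science, ICT and Future Planning (미래창조과학부) |
Registration number | TRKO201700017260 |
Project ID | 1711035415 |
Program name | IT·SW Convergence Industry Source Technology Development (IT·SW융합산업원천기술개발) |
DB build date | 2017-11-25 |
Keywords | Mobile Security Platform. Security Virtualization Platform. Military Security. Security Hypervisor. Common Criteria Evaluation Assurance Level. Korea Cryptographic Validation Program. |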
Summary
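- Developed the world's first smart-device security platform technology that provides a virtualization-based secure execution area
- Developed and functionally verified a mobile security platform prototype based on a commercial device (Samsung Galaxy S3)
- Developed prototype military mobile security application services based on the security platform, and built the operating infrastructure, according to the requirements of the customer (defense sector)
- Developed a security API specification for the security platform that conforms to international standards (GP TEE API and FIPS-196) (achieved certificate-based authentication speed within 2 seconds)
- Developed high-performance, low-power lightweight cryptographic and key management modules for mobile devices
‧ Achieved an average 33.4% improvement in cryptographic processing speed and an average 27.8% improvement in battery consumption compared with OpenSSL
‧ Average public key generation time: 5 ms or less achieved
- Official certification in progress in preparation for commercialization
‧ International CC certification in progress: security platform based on separated operating environments provided through virtualization
‧ KCMVP Level 1 certification in progress: lightweight cryptographic module for mobile devices
(Source: summary sheet, p. 4)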
Abstract
Results
• Completion of defining requirements for military convergence security solution system
- Define 13 items of user requirements and 26 items of system requirements for military convergence security solution system to be developed
- Approval of quality assurance for the requirements definition under the Q-Mark verification system, which is the quality assurance process in ETRI
- Held two rounds of advisory meetings to verify whether the military convergence security solution system developed based on the requirements provides the security functions required for the defense field
‧ Collection of additional verification and review comments
‧ Verification of security function and derivation of security service applicable to customer
• Completion of system design for military convergence security solution
- Creation of system design v1.0 and revision of v2.0
- Creation of block detail design v1.0 and revision of v2.0
‧ Security Service API Block (SSAB)
Provides a development security interface that lets application services (apps, etc.) in the normal domain and secure domain use the security functions provided by ESPB
‧ Security Engine Block (EAL4 Security Platform Block, ESPB)
Provides core security functions such as secure storage, authentication and access control for users and apps, cryptographic algorithms and key management needed to ensure the security of various services running on the mobile device
‧ Inter-Domain Communication Block (IDCB)
Provides functions such as creation of channels for inter-domain communication between the normal and secure domains, management of concurrent access by multiple apps, parsing of sent and received messages, and session management
‧ Operating System and Hypervisor Block (MHPB)
Provides the communication function of the hypervisor to link the OS of secure domain and the OS of normal domain
• Completion of developing mobile virtualization based secure platform
- Complete core module development for Android-based virtualization platform
‧ Complete core module development for virtualization based Operating System and Middleware
‧ Complete core module development for virtualization based multi-domain communication drivers
‧ Complete Interoperability & stability for Mobile security platform and military secure services
- Achieving Goal Value for Virtualization Engine Performance
‧ Measurement of virtualization performance using a benchmark tool (Dhrystone)
‧ Current virtualization engine overhead: about 3.19% (Goal Value: Under 10%)
※ Dhrystone: a popular benchmark for CPU performance measurement. It shows how much CPU performance is reduced under virtualization compared with non-virtualized execution
- Minimizing virtualization engine overhead through performance improvement
‧ Optimize virtualization platform performance by code optimization
‧ Improve virtualization engine speed and memory availability by improving memory virtualization within the hypervisor platform
- Improvement and stability for security platform performance
‧ Reduce communication overhead of Front-end/Back-end drivers via code optimization
‧ Improve performance of the message queue in the secure domain via optimization of uC/OS-II service tasks
‧ Following figure shows comparison of performance test before and after enhancement on the virtualized security platform (based on file read/write through secure platform)
• Completion of developing security API Specifications for Security Platform
- Definition and development of security API specification for security platform
‧ Designed and developed based on the API list suggested by the GlobalPlatform TEE standard; provides an interface through which security service apps in the normal domain can use the security functions of the secure domain
‧ Consists of channel and session management, file management, user authentication management, encryption management, and file system management groups
- Development of standards-based authentication API in security platform environment
‧ Compatibility with existing authentication servers conforming to FIPS-196: 100% compliance
‧ Protection of the secret key, with signature generation and verification processed in the secure domain using the security platform, to prevent unauthorized access and leakage of sensitive information by unauthorized users
- Achieving Goal for authentication response time based on security platform
‧ Security platform based authentication response time: 1.834 sec. average (Target value: within 2 seconds)
‧ How to measure
The authentication response speed performance test is conducted in a certificate-based authentication service operating environment composed of a military security device, a military authentication server, and a military certificate verification server.
The military security device is a Galaxy S3, a commercial terminal, equipped with the military convergence security system divided into a normal domain and a secure domain where the security platform operates
The authentication response time is measured as the average value of the certificate-based authentication execution time in the security platform
• Development of commercial smartphone based Prototype for mobile security platform
- Complete development environment for ARMv7 & ARMv8a(64-bit) based commercial smartphone applications
‧ Complete ARM-v7 based development environment on Ubuntu 14.04 LTS
‧ Complete ARM-v8a based development environment on Ubuntu 16.04 LTS
‧ Complete development environment for commercial devices (Samsung Galaxy S3 & Google Nexus 6P)
- Complete debugging environment for commercial smartphone
‧ Complete ARM-v7 based TRACE32 debugging environment for hypervisor and security platform
‧ Complete ARM-v8a based TRACE32 debugging environment for hypervisor and security platform
- Applying security platform to commercial smartphones for Exynos4412 (Galaxy S3) & Exynos7420 (Google Nexus 6P)
‧ Applying and testing ARM-v7 based 32-bit hypervisor to commercial smartphone completed
‧ Applying and testing ARM-v8a based 64-bit hypervisor to commercial smartphone completed
‧ Applying and testing 32-bit hypervisor based kernel modules completed
‧ Applying and testing 64-bit hypervisor based kernel modules completed
‧ Applying and testing inter-domain communication on ARM-v7 based Android NDK r9b environment to Samsung GalaxyS3 completed
‧ Applying and testing inter-domain communication on ARM-v8a based Android NDK r12b environment to Google Nexus6P completed
- Completed testing of the security API and military service apps on commercial smartphones with the secure platform applied
‧ Applying secure platform to ODROID-Q2 and testing interoperability using secure API & military service app completed
‧ Applying secure platform to Samsung Galaxy S3 and testing interoperability using secure API & military service app completed
‧ Applying secure platform to MV7420 and testing interoperability using secure API & military service app completed
‧ Applying secure platform to Google Nexus 6P and testing interoperability using secure API completed
• Development of Military Security Applications Based on Security Platform
- Development of security applications based on the comments reviewed in two advisory meetings of experts from the technology demand side (Defense Agency, etc.)
‧ Includes development of TM address book, TM certificate management, TM camera, TM photograph, TM character, TM status propagation, and TM communication services
• Start and ongoing progress of the international CC EAL4 certification
- Completion of 13 certificate documents for CC EAL4 certification for developed mobile terminal security platform (TMZ v1.0)
‧ Creation of 13 kinds of documents consisting of security target, 5 kinds of life cycle support, 4 kinds of development, 2 kinds of manuals, and tests, and revision of documents by adjusting the scope of TOE
‧ The thirteen documents are under review by the evaluation agency (TTA), based on the Security Target, which is the core document describing the system usage environment, security environment, and security functional specification that make up the TOE
- Conducted consultations with related organizations to prepare for CC EAL4 certification
‧ Continuous consultation with related organizations for CC EAL certification evaluation
IT security certification center, MISP CC department, Evaluation agency(TTA)
‧ Consulting with TTA for preparation of CC EAL certification for mobile device platform of military convergence security solution (2015.09 ~ 2016.01.29.)
- New product conformity review and certification evaluation commencement with certification office(IT security certification center) and evaluation agency(TTA) for international certification (2016.12)
‧ Selection of TTA as evaluation agency and submission of evaluation application(2016.10.28)
‧ Discussion of new product types for international certification of TMZ v1.0
New Product Type: Mobile Device Security Software
‧ Review of TOE and TOE operating environment, physical scope, logical scope, major security functions
‧ Explanation of TMZ v1.0 security functions at the meeting with three related organizations
‧ Verification of the evaluating capability of the evaluation agency(TTA)
- Decision to start the evaluation of CC EAL certification for TMZ v1.0 finalized through the submission presentation (December 23, 2016)
‧ Compensation of TOE and operating environment for CC evaluation by request of IT security certification center
‧ Proceed with the observation report by the evaluation agency
EOR-1st (2017.01.18), EOR-2nd (2017.02.23), EOR-3rd (2017.03.17)
- Operation of automated configuration management system for certification
‧ Issue management with the Trac bug tracking system
‧ Source management with the SVN automated version management system
• Implementation of lightweight cryptographic module for mobile device security in military
- Selection of cryptographic algorithms to be implemented and design completion of cryptographic module
‧ Design of modules for block encryption (SEED, ARIA, AES), modes of operation (ECB, CBC, CTR, OFB, CFB), hash (SHA-2, SHA-3), random number generators (CTR-DRBG, HASH-DRBG), message authentication code (HMAC), key agreement protocol (DH), public key encryption (RSAES), and digital signatures (KCDSA, EC-KCDSA)
- Lightweight implementation of cryptographic module
‧ Implementation of the selected cryptographic algorithms, optimized for lightweight mobile environments
‧ Implementation of additional functionality required for KCMVP certification
- Completion of performance evaluation of cryptographic algorithm using visualized application
‧ Building smart phone-based test environment for evaluation on cryptographic module
‧ Known Answer Test and performance evaluation on cryptographic module
- Achieving Goal for cryptography performance
‧ Average improvement rate of performance of the cryptographic module: 33.4 %
‧ Average improvement rate of power consumption: 27.8 %
• Development of key management module for mobile device in military
- Derivation of requirements for key management technology for lightweight military and mobile environments through analysis of existing research and techniques
- Design and development completion of key management technique for lightweight mobile environment
‧ Design and development of key generation, renewal and storage techniques for secure key management
‧ Design and development of mutual authentication techniques between key management daemon and application process
‧ Design and development of key pool structure for efficient key management
‧ Achievement : Average public key generation time in embedded board ≤ 5 ms(using key pool structure)
• Ongoing acquisition of KCMVP Level 1 security certification for the implemented cryptographic module
- Documents creation for KCMVP certification
‧ The basic and detailed design specification of cryptographic module, configuration management document, test report of cryptographic module
- Application for acquisition of KCMVP Level 1 security certification(2014.11)
- Received the preliminary review and made supplements according to the review (2015.6)
- Preliminary review completion and contract for testing cryptographic module(2015.12)
- Ongoing CAVP test phase
• Completed DB construction for mobile device vulnerability analysis
- Obtain information on the vulnerabilities that have been published so far through CVEs, papers and technical documents.
- Provides a sample of the test-bed for analyzing the vulnerability, a link to check relevant information, and a tool for analysis.
(Source: SUMMARY, p. 20)
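Contents
- Cover ... 1
- Letter of submission ... 2
- Report summary sheet ... 4
- Summary ... 6
- SUMMARY ... 19
- Table of contents ... 33
- List of tables ... 35
- List of figures ... 36
- Chapter 1. Overview of the R&D project ... 39
- 1. Purpose of the R&D ... 39
- 2. Necessity of the R&D ... 40
- 3. Scope of the R&D ... 42
- Chapter 2. Status of technology development at home and abroad ... 43
- 1. Trends in military mobile device products ... 43
- 2. Trends in virtualization platform technology and products ... 43
- 3. Trends in security platform technology ... 51
- 4. Trends in security API technology for security platforms ... 54
- 5. Trends in lightweight cryptography technology ... 60
- 6. Trends in mobile device security vulnerability analysis technology ... 63
- 7. Trends in CC certification related to mobile devices ... 63
- Chapter 3. Research activities and results ... 65
- 1. Definition of requirements for the military convergence security solution system ... 65
- 2. Design of the EAL4 military convergence security solution system ... 65
- 3. Development of the virtualization-based security platform ... 70
- 4. Development of the security API for the security platform ... 88
- 5. Development of a prototype based on commercial devices ... 92
- 6. Development of military security applications based on the security platform ... 98
- 7. Start and progress of international CC certification ... 104
- 8. Development of lightweight cryptography and key management technology for mobile devices ... 110
- 9. KCMVP Level 1 security level certification ... 129
- 10. Research on security vulnerability analysis technology for mobile devices ... 133
- Chapter 4. Goal achievement and contribution to related fields ... 135
- 1. Goal achievement ... 135
- 2. Contribution to related fields ... 138
- Chapter 5. Plan for utilizing the R&D results ... 143
- 1. Commercialization of security technology in the defense sector ... 143
- 2. Commercialization of smart security devices in the defense and civilian sectors ... 144
- 3. Commercialization of the KCMVP-certified cryptographic module ... 145
- Chapter 6. Overseas science and technology information collected during the research ... 146
- 1. Major conference proceedings ... 146
- 2. Major research materials (papers) ... 147
- Chapter 7. Security classification of the R&D results ... 149
- Chapter 8. Research facilities and equipment registered in the National Science and Technology Information Service ... 150
- Chapter 9. Record of laboratory safety measures taken in carrying out the R&D project ... 151
- 1. Electronics and Telecommunications Research Institute ... 151
- 2. Korea University Industry-Academic Cooperation Foundation (고려대 산학협력단) ... 152
- Chapter 10. Representative research achievements of the R&D project ... 153
- Chapter 11. Other matters ... 154
- 1. Operation of expert advisory meetings centered on the customer (defense sector) ... 154
- 2. Commercialization results and plans ... 155
- 3. New employment results ... 158
- Chapter 12. References ... 159
- Attachment 1. Self-assessment checklist for security management ... 162
- Attachment 2. Laboratory safety measures implementation checklist ... 164
- End page ... 166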