KR101701052B1 - Information security method in environment of internet of things and information security system using the method - Google Patents

Information security method in environment of internet of things and information security system using the method

Info

Publication number
KR101701052B1
Authority
KR
South Korea
Prior art keywords
information
client terminal
attribute
encrypted
authentication center
Prior art date
Application number
KR1020150120021A
Other languages
Korean (ko)
Inventor
송유진
Original Assignee
동국대학교 경주캠퍼스 산학협력단
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 동국대학교 경주캠퍼스 산학협력단
Priority to KR1020150120021A
Application granted
Publication of KR101701052B1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy

Abstract

Disclosed are a method for information security in the Internet of things and a system for information security using the method, which can improve security of sensitive information in an environment of the Internet of things. The method for information security in the Internet of things comprises the steps of: downloading, by a client terminal, information, in which sensitive information has been encrypted, from a cloud storage center; generating, by the client terminal, situation information, which includes a dynamic attribute, by using sensing data acquired via a sensor; transmitting, by the client terminal, the situation information to an authentication center; generating, by the authentication center, a decryption key based on the situation information; transmitting, by the authentication center, the decryption key to the client terminal; and decrypting, by the client terminal, the information, in which the sensitive information has been encrypted, by using the decryption key, and extracting, by the client terminal, the sensitive information. As described above, the encrypted sensitive information is decrypted based on the dynamic attribute, thereby further improving security of the sensitive information.

Description

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to an information security method in the Internet of Things and an information security system using the same.

More particularly, the present invention relates to an information security method for protecting sensitive information sensed in an Internet of Things environment and an information security system using the same.

Recently, the development of sensor network and ubiquitous computing technology has brought about the Internet of Things (IoT), that is, intelligent technology and services that connect all objects over the Internet and enable mutual communication between people and things. The Internet of Things has given rise to new services in various fields such as culture, life, health, education, and traffic, and will continue to develop as an important technical field for solving social problems in various fields in the future.

In addition, it is expected that users will be able to create new value by providing various services that have not been possible until now, by enabling user support in special environments such as home, automobile, office, etc. as well as medical, .

In this way, it is anticipated that the Internet of Things will connect everything to the Internet to enrich our lives, including smart devices such as smartphones and tablet PCs, wearable devices such as shoes, watches, patches and bands, household appliances such as televisions, audio systems and refrigerators, various parts in factories, and things in streets and shops and the items in stores.

In the Internet of Things environment, it is important to generate new information, that is, context information, by reasoning over the information collected according to the user's situation, in order to deliver accurate information. In a society where the Internet of Things environment is established, a network will be formed in which all objects become intelligent, sense information about the surrounding environment, recognize the surrounding situation, and control objects. To do this, information must be collected through various sensors, and it may include sensitive information such as the user's personal information and physical information.

Most Internet applications operate with the user's awareness. The big difference in the changes that the Internet of Things will bring is that Internet of Things devices are embedded in the environment without being seen or felt by people, which leads to 'unconscious exposure'.

Personal information protection problems arise as an adverse effect of the sensitive information contained in such context information. Although 90% of the Internet-connected terminals acquire personal information, 70% of the terminals use unencrypted networks, and most Internet of Things products collect personal information, and many such products are coming onto the market.

The Internet of Things provides intelligent services based on sensing information, and it carries many risks such as hacking of personal information and security breaches. Car driving records and habits, unauthorized exposure through black boxes or street CCTV devices, the energy use of specific households measured by smart meters, and the movement and activity characteristics of citizens resulting from smartization are collected and analyzed. In addition, the amount of food eaten, calories, amount of exercise, distance, and route are collected, so that personal exercise characteristics are analyzed and personal activities are quantified (digitized).

Thus, the risk in the Internet of Things environment is that unexpected security incidents may occur, because data are sensed not only in places shared by users but also in personal spaces and inside buildings, and these data are personal information or activity data (digital life logs generated through wearable devices or smart devices attached to a person, etc.).

SUMMARY OF THE INVENTION

Accordingly, the present invention has been made to solve the above problems, and it is an object of the present invention to provide an information security method in the Internet of Things that can enhance the security of sensitive information in the Internet of Things environment.

Another object of the present invention is to provide an information security system in the Internet of Things using the information security method.

According to one aspect of the present invention, there is provided an information security method in the Internet of Things, the method comprising the steps of: a client terminal downloading information in which sensitive information has been encrypted from a cloud storage center; the client terminal generating context information including a dynamic attribute by using sensing data obtained through a sensor; the client terminal transmitting the context information to an authentication center; the authentication center generating a decryption key according to the context information; the authentication center transmitting the decryption key to the client terminal; and the client terminal decrypting the encrypted information with the decryption key to extract the sensitive information.

The sensitive information may include personal medical information.

The context information may be information generated based on a three-dimensional attribute having a conceptual attribute as a first axis, an operational attribute as a second axis, and a dynamic attribute as a third axis.

The conceptual attribute may include location information, identity information, time information, and activity information.

The operational attribute may include primary information that has not been subjected to a reasoning process but is sensed, and secondary information deduced through the primary information.

The dynamic attribute may include emotion information, biology information, infra information, and environment information.

The information security method may further include storing the encrypted information in the cloud storage center.

The encrypted information may be encrypted according to a ciphertext-policy attribute-based encryption (CP-ABE) based access control policy.

The step of storing the encrypted information may include: the authentication center generating a public key (PK), which is a security parameter, and a master key (MK); the authentication center transmitting the public key to an upload terminal; the upload terminal encrypting the sensitive information using the public key to generate the encrypted information; and the upload terminal uploading the encrypted information to the cloud storage center.

In the step of generating the decryption key according to the context information, the authentication center can generate the decryption key corresponding to the dynamic attribute using the master key (MK).

The information security method may further include the step of the authentication center determining whether or not to grant the write right of the sensitive information according to the accessor property of the client terminal.

The information security method may further include the step of the client terminal modifying the sensitive information and uploading the modified information to the cloud storage center when the client terminal is granted the write right of the sensitive information.

The information security system in the Internet of Things according to an embodiment of the present invention includes a client terminal, an authentication center, and a cloud storage center.

The client terminal generates context information including a dynamic attribute using sensing data obtained through a sensor. The authentication center receives the context information from the client terminal, generates a decryption key according to the context information, and transmits the decryption key to the client terminal. The cloud storage center stores information in which sensitive information is encrypted. At this time, the client terminal downloads the encrypted information from the cloud storage center, and decrypts the encrypted information through the decryption key to extract the sensitive information.

The context information may be information generated based on a three-dimensional attribute having a conceptual attribute as a first axis, an operational attribute as a second axis, and a dynamic attribute as a third axis.

The conceptual attribute may include location information, identity information, time information, and activity information.

The operational attribute may include primary information that has not been subjected to a reasoning process but is sensed, and secondary information deduced through the primary information.

The dynamic attribute may include emotion information, biology information, infra information, and environment information.

The encrypted information may be encrypted according to a ciphertext-policy attribute-based encryption (CP-ABE) based access control policy.

The authentication center can determine whether to grant the write right of the sensitive information according to the accessor property of the client terminal.

As described above, according to the information security method in the Internet of Things and the information security system using the same, the security of the sensitive information can be enhanced by decrypting the encrypted sensitive information according to context information that includes the dynamic attribute. In other words, the dynamic attribute is included in the scope of the context information on the basis of CP-ABE (Ciphertext-Policy Attribute-Based Encryption), and decryption follows an access control policy that reflects the extended multidimensional context attributes, so that sensitive information such as medical information can be safely protected.

FIG. 1 is a block diagram illustrating a process of encrypting sensitive information in an information security system according to an embodiment of the present invention.
FIG. 2 is a block diagram illustrating a process of decrypting encrypted information in the information security system of FIG.
FIG. 3 is a conceptual diagram specifically illustrating a process of being encrypted by the information security system of FIG. 1.
FIG. 4 is a conceptual diagram illustrating a process of decrypting by the information security system of FIG. 1.
FIG. 5 is a diagram for explaining context information in the decoding process of FIG.
FIG. 6 is a diagram for explaining an access structure in the process of decoding in FIG.
FIG. 7 is a view for explaining the situation recognition through the sensor fusion in the decoding process of FIG.

The present invention is capable of various modifications and various forms, and specific embodiments are illustrated in the drawings and described in detail in the text.

It should be understood, however, that the invention is not intended to be limited to the particular forms disclosed, but includes all modifications, equivalents, and alternatives falling within the spirit and scope of the invention. The terms first, second, etc. may be used to describe various elements, but the elements should not be limited by the terms. The terms are used only for the purpose of distinguishing one component from another. For example, without departing from the scope of the present invention, the first component may be referred to as a second component, and similarly, the second component may also be referred to as a first component.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. The singular expressions include plural expressions unless the context clearly dictates otherwise. In the present application, the terms "comprising" or "having", and the like, are intended to specify the presence of stated features, integers, steps, operations, elements, parts, or combinations thereof, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, parts, or combinations thereof.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Reference will now be made in detail to the preferred embodiments of the present invention, examples of which are illustrated in the accompanying drawings.

FIG. 1 is a block diagram illustrating a process of encrypting sensitive information in an information security system according to an embodiment of the present invention. FIG. 2 is a block diagram illustrating a process of decrypting encrypted information in the information security system of FIG.

Referring to FIGS. 1 and 2, the information security system according to the present embodiment is a system for protecting information that should not be exposed to the outside (hereinafter referred to as 'sensitive information') in the Internet of Things (IoT) environment, and may include an upload terminal 100, a client terminal 200, an authentication center 300, and a cloud storage center 400. Here, the sensitive information may include personal medical information such as the medical history of a patient.

The upload terminal 100 may encrypt the sensitive information stored internally or provided from the outside, and upload the encrypted information to the cloud storage center 400 to store the encrypted information. The upload terminal 100 may be a smart device such as a smart phone or a tablet PC, or a personal computer system. Here, the upload terminal 100 may be a terminal owned by the individual who is the subject of the sensitive information, or by an associated person having the same authority as the individual. Alternatively, when the individual or the associated person accesses the authentication center 300 and the cloud storage center 400 using an arbitrary terminal, the arbitrary terminal may correspond to the upload terminal 100. For example, if the sensitive information is medical information, the individual may be a patient, and the associated person may be a family member, a doctor, or the like.

The client terminal 200 may download and decrypt the encrypted information stored in the cloud storage center 400 to extract the sensitive information. The client terminal 200 may be a smart device such as a smart phone, a tablet PC, or the like, which can be moved while the user is carrying it, or a wearable device such as a shoe, a watch, a patch, or a band. Here, the client terminal 200 may be a terminal owned by the accessor who needs to confirm the sensitive information. In addition, when the accessor accesses the authentication center 300 and the cloud storage center 400 using an arbitrary mobile terminal, the arbitrary mobile terminal may correspond to the client terminal 200. For example, if the sensitive information is medical information, the accessor may be the patient himself, the patient's family, the patient's physician, rescue personnel, insurance company staff, and the like.

The authentication center 300 may provide information necessary for encrypting the sensitive information to the upload terminal 100 or provide the client terminal 200 with information necessary for decrypting the encrypted information.

The cloud storage center 400 may store the encrypted information provided from the upload terminal 100 and provide the stored encrypted information to the client terminal 200.

Hereinafter, a process in which the sensitive information is encrypted by the information security system and the encrypted information is decrypted will be described.

Referring to FIG. 1, a process of encrypting the sensitive information and storing it in the cloud storage center 400 will be described. Here, the encryption of the sensitive information may be performed according to, for example, a ciphertext-policy attribute-based encryption (CP-ABE) based access control policy.

The authentication center 300 can generate a public key PK, which is a security parameter, and a master key MK (S10).

The upload terminal 100 may access the authentication center 300 and perform an authentication process (S20). In order to log in, the upload terminal 100 itself or a user having the upload terminal 100 may input arbitrary authentication information to the authentication center 300. Here, steps S10 and S20 may be performed independently of each other, in either order.

The authentication center 300 may transmit the public key PK generated in step S10 to the upload terminal 100 (S30).

The upload terminal 100 may generate the encrypted information by encrypting the sensitive information, which is stored internally or provided from the outside, using the public key PK provided from the authentication center 300 (S40).

The upload terminal 100 may upload the encrypted information generated in step S40 to the cloud storage center 400 and store the uploaded information in step S50.

Next, a process of decrypting the encrypted information will be described with reference to FIG.

The client terminal 200 may access the cloud storage center 400 and download the encrypted information from the cloud storage center 400 in operation S60.

The client terminal 200 may generate context information including a dynamic attribute using sensing data acquired through a sensor (not shown) that is mounted inside the terminal or installed separately (S70).

The client terminal 200 may transmit the context information generated in step S70 to the authentication center 300 (S80). Here, prior to the transmission of the context information, the client terminal 200 may access the authentication center 300 and perform authentication by providing authentication information.

The authentication center 300 can generate a decryption key according to the context information provided from the client terminal 200 (S90). For example, the authentication center 300 may generate the decryption key corresponding to the dynamic attribute using the master key MK.

The authentication center 300 can transmit the decryption key generated in step S90 to the client terminal 200 (S100).

The client terminal 200 may decrypt the encrypted information downloaded from the cloud storage center 400 through the decryption key provided from the authentication center to extract the sensitive information (S110). Also, the client terminal 200 may display the sensitive information through a display device.

In this embodiment, step S60 and steps S70 to S100 may be performed independently of each other, in either order.

Meanwhile, the authentication center 300 may determine whether or not to grant write permission for the sensitive information according to the accessor attribute of the client terminal 200. That is, the authentication center 300 determines the accessor attribute using the authentication information provided by the client terminal 200, and decides whether to provide only the decryption key for simple reading, or to provide the decryption key and also grant write permission so that the information can be modified after decryption. For example, in the case where the sensitive information is medical information, write permission may be granted if the accessor is the patient himself, a family member, or the doctor, and may not be granted if the accessor is a rescue worker or an insurance company employee.

When the client terminal 200 is granted the write permission of the sensitive information, the client terminal 200 may modify the sensitive information and upload the corrected information to the cloud storage center 400 to store the corrected information.

Meanwhile, the context information generated in step S70 includes a three-dimensional attribute having a conceptual attribute as a first axis, an operational attribute as a second axis, and a dynamic attribute as a third axis As shown in FIG.

Specifically, for example, the conceptual attribute may include Location information, Identity information, Time information, and Activity information. The operational attribute may include primary information that has not been subjected to a reasoning process but is sensed, and secondary information deduced through the primary information. The dynamic attribute may include emotion information, biology information, infra information, and environment information.

Hereinafter, a specific embodiment of the information security system will be described.

FIG. 3 is a conceptual diagram specifically illustrating a process of being encrypted by the information security system of FIG. 1, and FIG. 4 is a conceptual view illustrating a process of decrypting by the information security system of FIG. 1.

Referring to FIGS. 3 and 4, the authentication center 300 may include a system initialization unit for generating a public key PK and a master key MK, which are the security parameters of the system, and a user database (User DB) unit used for storing user IDs and passwords.

In addition, the authentication center 300 may include an authentication unit that verifies the ID of each user who logs in and provides the authenticated user with the public key (PK), which is a security parameter, and client software, and a key generation unit that generates a decryption key according to the context.

The upload terminal 100 may include an encryption unit, and the client terminal 200 may include a context-aware unit for collecting the context of the user and a decryption unit.

(1) The system initialization unit of the authentication center 300 generates the public key PK and the master key MK, which are the system security parameters, and then transmits the public key PK to the authentication unit and the master key MK to the key generation unit, respectively.

(2) After the initial user registers in the authentication center 300, the upload terminal 100 can input the ID and password of the user and log into the system.

(3) The authentication unit of the authentication center 300 can confirm the user information stored in the user database unit and transmit the public key (PK) to the upload terminal 100.

(4) The upload terminal 100 encrypts, in the encryption unit, the sensitive information such as the medical history using the public key PK according to the proposed access control policy, and then uploads the encrypted information to the cloud storage center 400.

(5) The client terminal 200 can collect the user's context information through the sensor. At this time, the context information can be divided into various attributes. In particular, dynamic information such as the user's emotion information and biometric information can be collected.

(6.1) The client terminal 200 can download the encrypted information from the cloud storage center 400.

(6.2) The key generation unit of the authentication center 300 may receive the collected context information of the user and generate the decryption key corresponding to the master key (MK) and the context information.

(6.3) The decryption unit of the client terminal 200 may decrypt the encrypted information by receiving the decryption key transmitted from the key generation unit.

Hereinafter, the status information collected by the client terminal 200 will be described as an example.

FIG. 5 is a diagram for explaining context information in the decoding process of FIG.

Referring to FIG. 5, the context information may be configured by adding a dynamic attribute, which covers situations that change dynamically, to a two-dimensional configuration that classifies context in terms of a conceptual attribute and an operational attribute. For example, the dynamic attribute can be constructed by adding a z-axis to the x and y axes.

The conceptual attribute includes 'Location, Identity, Time, Activity', which are the most basic context information. The operational attribute includes primary information, which is data or sensor data taken without consideration of the current situation, and secondary information, which is arbitrary information that can be calculated from it. The dynamic attribute adds tertiary information, such as emotion information, biometric information, infrastructure information, and environmental information, that can be deduced from biometric data and the fusion of secondary data.

An exemplary healthcare scenario for the information security system in the Internet of Things environment is as follows.

Suppose that the user, an elderly person, slips and falls while hiking. The system senses that the elderly person's location data have not changed for a certain period of time and, in particular, that the location is a high-risk section with fall and fog warnings. Based on biometric data such as the degree of impact sensed by the smart device and the changes in heart rate and blood pressure due to bleeding, the system can request assistance from the rescue team. At this time, the rescue team can check the elderly person's medical history, which is stored encrypted in the cloud. From the decrypted medical history, the rescue team can identify that the person has diabetes and provide first aid focusing on hemostasis and blood replenishment. At the same time, prompt treatment can be arranged at a hospital with optimal conditions (distance, expertise, etc.) for the patient. That is, when a user such as a physician, a rescue team member, or the patient accesses a resource such as the patient's encrypted medical history, the access authority is verified by using a decryption key generated according to the attributes of each situation.

According to such a scenario, for example, for the location attribute, the primary information may be the location data obtained from GPS, and the secondary information may indicate whether the location is a high-risk section. The tertiary information may be information from which it can be deduced, through changes in the user's biometric data, that an accident has happened to a specific user, and from which the location and distance of a hospital suitable for the user's situation can be determined.

Although the above-described information security system is applied to the healthcare system, the system may be applied to other security systems for data access and processing based on general system design.

Hereinafter, an access control policy for decoding based on context recognition will be described.

FIG. 6 is a diagram for explaining an access structure in the process of decoding in FIG.

Referring to FIG. 6, in this embodiment, a context-aware access control policy based on a three-dimensional attribute can be proposed by adding dynamic attributes to the two-dimensional attribute base of conceptual attributes and operational attributes.

The proposed access control policy can basically be used in various environments, but here a context-aware access control policy is proposed, based on the above scenario and the CP-ABE algorithm, for access to the medical history record of an elderly person using a healthcare system in the Internet of Things environment. A patient's personal medical information is very sensitive information, and its security must be sufficiently verified to maintain safety.

According to the scenario, context aware access control policy (T) can be composed of three parts: conceptual attribute (CA), operational attribute (OA), and dynamic attribute (DA). In addition, policies can be established based on access control attributes (ACA) or accessor attributes for access control.

T = {OA AND CA AND DA} AND ACA

A two-dimensional OA can contain both a CA with a Primary attribute and a Secondary derived from it.

OA = {CA AND DAV}

The CA may be composed of four sub-attributes: who accesses, when, where, and through which device.

CA = {Who AND When AND Where AND Which}

DA has attribute values of emotion information (EmAV, Emotion Attribute Value), biology attribute value (BAV), infrastructure information value (IAV), and environment attribute value (EnAV).

DA = {EmAV OR BAV OR IAV OR EnAV}

The access control attribute is used to express the user's right to the resource and can be set flexibly according to the system and the service. In this embodiment, however, the access control attribute can be read-only (RO) or read/write (RW, Read-Write).

ACV = {RO AND RW}

Thus, the following policy can be set to control access to the patient's history record F:

The policy Tro can be defined under context conditions that allow operation in read-only mode on the history record F. The accessor is a member of a rescue crew, and Patient 1 has been stunned and in shock for a period of time in a mountainous area. From this situation it can be deduced that a patient has fallen, so when the rescuer accesses the patient's medical history, the patient's personal information and medical history can be decrypted and viewed. The rescuer can read the patient's medical history and give first aid accordingly, but cannot modify the information.

OR {LowBlodPressure} OR {} {} {} {} {} {} {} {} {} {} {{ LowTemperature}} AND RO.

The policy Trw can be defined under context conditions that allow operation in the read and write modes on the history record F. When Patient 1 is transferred to a nearby specialty hospital in view of his or her illness and the fall, the accessor can decrypt and read the medical history and, where needed, modify it according to the treatment situation.

AND {{Mountain} AND {PC}} AND {{DangerPlace} AND {NonMove}} AND {{Shock} OR {LowBlodPressure} OR {LowTemperature}} and Trw = {{{Doctor} AND {PatientNo1} AND { RW.
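The structure T = {OA AND CA AND DA} AND ACA can be checked as a plain AND/OR access tree before any key is issued. The following is an added example, not code from the patent: it evaluates only the boolean access structure (no CP-ABE cryptography), the sample policies are constructed rather than a reconstruction of the Tro and Trw expressions, and the attribute names `Rescuer` and `WithinShift` are assumptions, as is modelling the accessor's right (RO or RW) as an attribute.

```python
# Added example: plaintext evaluation of the access structure only (no CP-ABE crypto).
# Attribute names come from the page except "Rescuer" and "WithinShift" (constructed).

def satisfies(node, attrs):
    """Return True if the attribute set satisfies an AND/OR access tree.

    A node is an attribute name (leaf) or a tuple (gate, child, ...).
    """
    if isinstance(node, str):
        return node in attrs
    gate, *children = node
    if not children:
        # all(()) is True, so an empty AND gate would silently grant access.
        raise ValueError("empty gate in policy")
    if gate == "AND":
        return all(satisfies(c, attrs) for c in children)
    if gate == "OR":
        return any(satisfies(c, attrs) for c in children)
    raise ValueError(f"unknown gate: {gate!r}")


def build_policy(who, right):
    """Build T = {OA AND CA AND DA} AND ACA for one accessor role and right."""
    # CA: accessor, patient, When, Where, Which device
    ca = ("AND", who, "PatientNo1", "WithinShift", "Mountain", "PC")
    # OA: CA combined with secondary values inferred from primary data
    oa = ("AND", ca, ("AND", "DangerPlace", "NonMove"))
    # DA: any one dynamic attribute value is enough
    da = ("OR", "Shock", "LowBlodPressure", "LowTemperature")
    return ("AND", ("AND", oa, ca, da), right)


T_RO = build_policy("Rescuer", "RO")
T_RW = build_policy("Doctor", "RW")

# Constructed context reports, as a client terminal might send to the authentication center.
RESCUER_EMERGENCY = {"Rescuer", "WithinShift", "Mountain", "PC", "PatientNo1",
                     "DangerPlace", "NonMove", "LowTemperature", "RO"}
RESCUER_NO_EVENT = RESCUER_EMERGENCY - {"LowTemperature"}
DOCTOR_EMERGENCY = (RESCUER_EMERGENCY - {"Rescuer", "RO"}) | {"Doctor", "Shock", "RW"}


def key_release_decisions():
    """Return, per scenario, whether the context satisfies the policy."""
    return {
        "rescuer reads during emergency": satisfies(T_RO, RESCUER_EMERGENCY),
        "rescuer reads with no dynamic event": satisfies(T_RO, RESCUER_NO_EVENT),
        "rescuer writes during emergency": satisfies(T_RW, RESCUER_EMERGENCY),
        "doctor writes during emergency": satisfies(T_RW, DOCTOR_EMERGENCY),
    }


if __name__ == "__main__":
    for case, allowed in key_release_decisions().items():
        print(f"{case}: {'key released' if allowed else 'denied'}")
```

The empty-gate check matters because a malformed policy would otherwise evaluate to "satisfied" and fail open.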

Hereinafter, a process in which the context information is generated in the client terminal 200, that is, a process of recognizing the status of the user through the client terminal 200 will be described.

FIG. 7 is a view for explaining the situation recognition through the sensor fusion in the decoding process of FIG.

Referring to FIG. 7, the client terminal 200 can recognize the user's situation through various sensors and sensor fusion.

Sensor fusion is the use of a microcontroller to fuse discrete data from a variety of sensors to enable more accurate and reliable data validation than using data from each individual sensor itself.

How sensor fusion works can be explained by describing how humans acquire and process sensory input from the external environment. Sensory information from sight, hearing, the chemical senses (smell and taste), and surface sensation (touch) is transmitted to the brain through the peripheral nervous system, and the brain decides how to respond to a given situation or experience. In the Internet of Things environment, sensor fusion can play a similar role. Sensor fusion can provide a much higher level of perception and new responses by integrating the inputs of various sensors to realize more accurate and reliable sensing.

Interaction between human, natural, environmental, and machine infrastructures can provide useful data to determine context awareness as in Figure 7. Sensors can make the experience more 'personal' by providing access to human thinking.

Specifically, for example, a heartbeat that is increased due to physical activity has a different pattern and slope from that which is increased by adrenaline caused by excitement. Therefore, analyzing the sensing data related to this can electronically detect the type of emotion displayed by a person.

On the other hand, emotions can also be monitored electronically by monitoring physiological variables and conditions and collecting data. For example, a pressure sensor can be used to confirm muscle relaxation (MR) and muscle contraction (MC), and heart rate variability (HRV) . In addition, the degree of sweat (S: Sweat) can be confirmed through the electrostatic capacity sensor, and the attitude (A) can be confirmed by monitoring the relaxation state of the body using the accelerometer (seizure action, .

As described above, according to the present embodiment, a user who intends to view the sensitive information decrypts and views the encrypted information according to context information that includes the dynamic attribute, so the security of the sensitive information is further enhanced. In other words, dynamic attributes are included in the range of context information based on CP-ABE (Ciphertext-Policy Attribute-Based Encryption), and decryption follows the access control policy reflecting the extended multidimensional context attributes, so that sensitive information such as medical information can be safely protected.

While the present invention has been described in connection with what are presently considered to be practical exemplary embodiments, it is to be understood that the invention is not limited to the disclosed embodiments. On the contrary, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

100: upload terminal 200: client terminal
300: Authentication Center 400: Cloud Storage Center

Claims (19)

The client terminal downloading the encrypted information from the cloud storage center;
Generating status information including a dynamic attribute by using the sensing data obtained through the sensor by the client terminal;
The client terminal transmitting the status information to an authentication center;
The authentication center generating a decryption key according to the status information;
Transmitting the decryption key to the client terminal by the authentication center; And
And the client terminal decrypting the encrypted information through the decryption key to extract the sensitive information,
The situation information
Dimensional property having a conceptual attribute as a first axis, an operational attribute as a second axis, and a dynamic property as a third axis,
The conceptual attribute
Location information, identity information, time information, and activity information,
The operational attribute
Primary information that is not sensed without being inferred and second information that is inferred through the primary information,
The dynamic attribute
Wherein the information includes at least one of emotion information, biology information, infra information, and environment information.
The method of claim 1,
Wherein the information includes personal medical information.
Claims 3 to 6: deleted
The method of claim 1, further comprising: storing the encrypted information in the cloud storage center.
The method of claim 7, wherein the encrypted information
Wherein the information is encrypted according to a CP-ABE (ciphertext-policy attribute-based encryption) based access control policy.
The method of claim 8, wherein storing the encrypted information comprises:
Generating a security parameter public key (PK) and a master key (MK) by the authentication center;
Transmitting the public key to the uploading terminal by the authentication center;
Encrypting the sensitive information using the public key to generate the encrypted information; And
And uploading the encrypted information to the cloud storage center by the uploading terminal.
The method as claimed in claim 9, wherein, in the step of generating the decryption key according to the context information,
Wherein the authentication center generates the corresponding decryption key according to the dynamic attribute using the master key (MK).
The method according to claim 1, further comprising the step of the authentication center determining whether or not to grant write permission of the sensitive information according to an accessor property of the client terminal.
The method as claimed in claim 11, further comprising the step of the client terminal modifying the sensitive information and uploading the modified information to the cloud storage center when the client terminal is granted write permission of the sensitive information.
A client terminal for generating context information including dynamic attributes using sensing data obtained through a sensor;
An authentication center for receiving the status information from the client terminal, generating a decryption key according to the status information, and transmitting the decryption key to the client terminal; And
Wherein the sensitive information includes a cloud storage center storing encrypted information,
The client terminal
Receiving the encrypted information from the cloud storage center, decrypting the encrypted information through the decryption key to extract the sensitive information,
The situation information
Dimensional property having a conceptual attribute as a first axis, an operational attribute as a second axis, and a dynamic property as a third axis,
The conceptual attribute
Location information, identity information, time information, and activity information,
The operational attribute
Primary information that is not sensed without being inferred, and secondary information that is inferred through the primary information,
The dynamic attribute
Wherein the information includes at least one of emotion information, biology information, infra information, and environment information.
Claims 14 to 17: deleted
The system of claim 13, wherein the encrypted information
Wherein the information is encrypted according to a CP-ABE (ciphertext-policy attribute-based encryption) based access control policy.
The system of claim 13, wherein the authentication center
And determines whether or not to grant the write right of the sensitive information according to the accessor property of the client terminal.
KR1020150120021A 2015-08-26 2015-08-26 Information security method in environment of internet of things and information security system using the method KR101701052B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150120021A KR101701052B1 (en) 2015-08-26 2015-08-26 Information security method in environment of internet of things and information security system using the method


Publications (1)

Publication Number Publication Date
KR101701052B1 true KR101701052B1 (en) 2017-01-31

Family

ID=57990663


Country Status (1)

Country Link
KR (1) KR101701052B1 (en)


Legal Events

Date Code Title Description
GRNT Written decision to grant