Report on the Internet Society Symposium on Network and Distributed System Security, San Diego, CA, February 22-23, 1996

by Christoph L. Schuba

The fourth Symposium on Network and Distributed System Security (SNDSS) was held at the Princess Hotel in San Diego, CA on February 22-23, 1996. This one-track symposium was sponsored by the Privacy and Security Research Group of the Internet Research Task Force with support from the Internet Society (ISOC).

The symposium was well attended, with about 300 registered attendees. Thursday consisted of four sessions, two of which were panel discussions. The refereed paper sessions addressed electronic mail security, distributed object systems, and distributed system security. The panels discussed scalability of security in distributed object systems and intellectual property protection. After the dinner banquet, Henry Kluepfel (Vice President, SAIC) was invited to speak about "Security and Fraud on the Information Superhighway". The last scheduled activity for the day was a BOF on security in Java.

Friday consisted again of four sessions, the last one was a panel discussion on public-key infrastructure. The other sessions covered aspects of network security, key management, and encryption.

The purpose of the symposium is to bring together people who are building software and/or hardware to provide network and distributed system security services. It has a focus on practical aspects, such as actual system design, and implementation. It targets researchers, implementors, and users of network and distributed systems facilities. Forty submissions for refereed papers, panels, and BOFs and the work of the program committee resulted in an outstanding symposium program.

Thursday, February 22


James Ellis (general chair, CERT) opened the symposium with welcoming remarks and thanks to the chairs that brought the symposium together: Donna Leggett (registration chair), Thomas Hutton (local arrangement chair), Stephen Welke (publication chair), Clifford Neuman and David Balenson (Program Chairs), the session chairs Stephen Kent, Danny Nesset, Michael Roe, Peter Neumann, Matt Bishop, Burt Kaliski, Avi Rubin, and Warwick Ford, the rest of the Program Committee, and a number of external reviewers.

The first session regarding "Electronic Mail Security" was chaired by Stephen Kent (BBN) and featured two talks.

The first talk was given by Ceki Gulcu (IBM) (joint work with Gene Tsudik) with the title "Mixing E-mail with BABEL". Gulcu discussed the goals and desired properties of anonymous email, such as availability of the service to anyone, strong guarantee of anonymity, minimal trust in remailers, and a remailer infrastructure that can resist attacks. He then introduced the design and salient features of the BABEL anonymous remailer. The basic idea is that the sender repeatedly encrypts the message with the public keys of the remailers that are on the forward path to the destination. Return path information is included in the message to enable replies. This approach has its obvious scalability problems, but is resistant to a number of active and passive attacks, and assumes little trust in intermediate remailers. A prototype implementation is based on freely available software: Perl and PGP.

The following presentation was given by Kazuhiko Yamamoto (Nara IST, Japan) who described and demonstrated a design for the "Integration of PGP and MIME". The advantage is obvious: combining PGP's privacy services and MIME's capability of exchanging multipart, multimedia documents offers privacy for any non-textual documents. The design allows for the embedding of PGP objects into MIME with a backward compatibility with PGP. It offers confidentiality and authenticity on a whole MIME message, or only selected parts. A prototype was implemented in Emacs LISP and is operational on various emacs platforms.

The second session in the morning was titled "Distributed Object Systems". Dan Nessett (Sun Microsystems) chaired this session that contained one presentation of a refereed paper and one panel discussion.

The sole paper in this session was presented by Nicholas Yialelis (joint work with Morris Sloman, both Imperial College London, UK). He described a "Security Framework Supporting Domain Based Access Control in Distributed Systems". Explicit goals of this work are to provide a security platform for distributed applications that makes access control and authentication mechanisms transparent to the application level, and to support the enforcement of access control policies that are specified using management domains. The latter has the advantage that policies can be specified in terms of groups of objects. Therefore it is not necessary to specify policies for possibly millions of individual objects in large scale systems. The architecture provides for a host manager server that is present on all hosts and supports the host manager object, an authentication agent object, and an access control agent object. The provided security is transparent to the applications, and only few modifications are necessary at the applications servers. The components communicate with their remote peers via secure channels. A prototype implementation is underway in the CORBA-compliant Orbix environment.

Bret Hartman (BlackWatch Technology), Dan Nessett, and Nicholas Yialelis served on the following panel. The objective of the panel was to discuss the question of "Scalability of Security in Distributed Object Systems". Hartman began with a brief overview of the problem area. To manage a set of objects, rather than the individual objects separately is a powerful mechanism. The challenges include how to compose policies that are specified on sets of objects, if compositions can scale in the presence of complex security requirements, and how different solutions to the previous two challenges might interoperate. Dan Nessett provided three example applications of large scale distributed object systems to explore the applicability and advantages of security policy domains. The examples addressed the question of federated domains, federated domains with transitive trust requirements, and security policy updates. The first two examples centered around the insight that technical solutions are necessary but not sufficient to provide good security. The search for higher level solutions must go on, and a true solution will in addition to technical aspects have many other facets, such as nondisclosure agreements, trust, object domains, ...and lots of lawyers.


The third session was on "Distributed System Security". Michael Roe (University of Cambridge, UK) chaired this session.

Jonathan Trostle (CyberSAFE) spoke first, about "A Flexible Distributed Authorization Protocol" (joint work with Clifford Neuman, ISI). The work is based on the observation that considerable effort has been put into creating interoperability among authentication methods, but authorization methods have received far less attention. Trostle presented a flexible authorization protocol that provides the full generality of restricted proxies while supporting the functionality of and interoperability with existing authorization models, such as OSF DCE, and SESAME V2.

Trent Jaeger (University of Michigan) presented "Preserving Integrity in Remote File Location and Retrieval" (joint work with Avi Rubin, Bellcore). Jaeger's work addresses the two problems of locating files and verification of file integrity in the presence of untrusted networks, or mobile systems with little memory. He described a service that provides the capability to automatically locate, retrieve, and verify files specified by a client using a single trusted principal, a certification authority (CA). CAs generate and sign certificates that associate an author with a file and a cryptographic digest of the file. Automated location is possible because all remote files are published with location servers.

Takahiro Kiuchi (University of Tokyo) presented the final speech in this session titled "C-HTTP - The Development of a Secure, Closed HTTP-Based Network on the Internet" (joint work with his colleague Shigekoto Kaihara). The components of the system are a client-side proxy, a server-side proxy, and a C-HTTP name server. Client-side proxies and server-side proxies communicate with each other using a secure encrypted protocol while communication between a user agent and its client-side proxy or an origin server and server-side proxy are performed using current HTTP/1.0. The C-HTTP based secure, encrypted name and certification service is used, instead of the DNS. The aim of C-HTTP is to assure institutional level security, in contrast to other secure HTTP protocols currently proposed which are oriented toward secure end-user to end-user HTTP communications.

The last session of the day, "Intellectual Property Protection", was chaired by Peter Neumann (SRI). The panel consisted of brief presentations by the panelists and a question and answer session. Olin Sibert (Electronic Publishing Resources) proposed a decentralized approach to electronic publishing of intellectual property. Components of such an approach are decentralized servers, 'crypto (un)lock' technology for making documents (in)accessible, and 'local' participation and enforcement of end systems. Olin also advocated the view that in the business world security requirements differ from military requirements. Russ Housley (Spyrus) represented a vendor of PCMCIA crypto hardware for metering remote use. Dan Boneh (Princeton University) described a method of using public key cryptography to mark complex documents, such as images, to allow the owner of the document to identify each authorized copy and its owner. The scheme can protect against collusion. It fails if automated tools can be utilized to remove the protecting fingerprints, such as spacing in text documents. A number of different topics were addressed during the following question and answer period. Peter Neumann asked if electronic commerce products can be made secure? The joint opinion of all panelists concluded that this is impossible, and that the real question is how to make the publishing systems resilient enough, such that fraud is limited to an acceptable level. The remaining questions centered around Boneh's work on fingerprinting documents. It was asked if the assumption that products can be associated with the initial purchaser is reasonable, and if so, how much this violates personal privacy issues. The last question discussed if there are methods of fingerprinting that do not affect the artistic contents of the work.

Friday, February 23


The first session on the second day on "Network Security" was chaired by Matt Bishop (UC Davis). This session included three presentations.

Jonathan Stone (Stanford University) described "Designing an Academic Firewall: Policy, Practice, and Experiences with SURF" (joint work with colleagues Michael Greenwald, Sandeep Singhal, and David Cheriton). The interesting premise of this work was that corporate firewall designs are neither effective nor appropriate for academic or corporate research environments. The research group built the Stanford University Research Firewall (SURF). The policy implemented by this firewall allows less restrictive outward information flow than the traditional model. Services, such as e-mail, WWW, and anonymous FTP work transparently for internal users. SURF was constructed using off-the-shelf software and hardware components.

Secondly, Sandra Murphy (TIS) described "Digital Signature Protection of the OSPF Routing Protocol" (joint work with colleague Madelyn Badger). The talk reported on work in progress to protect the OSPF routing protocol through the use of cryptography, specifically digital signatures. The routing information is signed with an asymmetric cryptographic algorithm, allowing each router recipient to check the source and integrity of the information. Murphy discussed fundamental issues in security of routing protocols, reviewed the basics of OSPF operation, the proposed design, and remaining vulnerabilities (such as the age field not being protected by the keyed hash).

Michael Roe (University of Cambridge, UK) concluded the session by his "Case Study of Secure ATM Switch Booting" in the context of the Fairisle ATM switch environment (joint work with his colleague Shaw-Cheng Chuang). Roe examined a few techniques for booting Asynchronous Transfer Mode (ATM) switches securely over an insecure network. Each of the techniques assumed a different trust model. The work assumes an open multi-service network where ATM switches are booted with third party software, possibly even using a third party booting service. In that environment it is important to ensure that the switches are booted with authorized and authenticated boot code. Michael examined the threats and presented schemes of countering the threats.

The sixth session of the symposium was on "Key Management", chaired by Burt Kaliski (RSA).

Hugo Krawczyk (IBM T.J. Watson) began with a discussion of "SKEME, A Versatile Secure Key Exchange Mechanism for Internet". SKEME constitutes a compact protocol that supports a variety of realistic scenarios and security models over the Internet. It provides clear tradeoffs between security and performance as required by the different scenarios without incurring unnecessary system complexity. The protocol supports key exchange based on public keys, key distribution centers, or manual installation, and provides for fast and secure key refreshment. Additionally, SKEME selectively provides perfect forward secrecy, allows for replaceability and negotiation of the underlying cryptographic primitives, and addresses privacy issues as anonymity and repudiatability.

The final talk before lunch was given by Carlisle Adams (BNR, Canada) on "IDUP and SPKM: Developing Public-Key Based APIs and Mechanisms for Communication Security Services". Carlisle discussed the progress in the development of APIs and mechanisms which provide a comprehensive set of security services to application developers. Existing APIs, though similar, are developed for distinct environments: the session API (GSS) is aimed at the on-line real-time messaging environment; the store-and-forward API (IDUP) is particularly suited for electronic-mail types of environments. Both APIs were designed to be easy to use, yet with appropriate public-key-based mechanisms include many necessary services for communication security, such as data origin authentication, data confidentiality, data integrity, and support for non-repudiation. A full key management and certification infrastructure can be provided by implementations of these APIs/mechanisms in a way which is completely transparent to the calling application, thus ensuring maximum flexibility and scalability to future environments.


Avi Rubin (Bellcore) opened the seventh session on "Encryption", encompassing three presentations.

Iskender Agi (SRI) presented "An Empirical Study of Secure MPEG Video Transmissions" (joint work with colleague Li Gong). MPEG is an industrial strength standard for video processing and is widely used in multimedia applications in the Internet. No security provision is specified in the standard. The speakers conducted an experimental study of previously proposed selective encryption schemes for MPEG video security. This study showed that these methods are inadequate for sensitive applications. Agi also discussed the tradeoffs between levels of security and computational and compression efficiency.

The second presentation titled "Parallelized Network Security Protocols" described a joint effort by Erich Nahum, David J. Yates (both University of Massachusetts), Sean O'Malley, Hillarie Orman, and Richard Schroeppel (all University of Arizona). The premise is that shared-memory multiprocessors make attractive server platforms. The paper is an experimental performance study that examines how encryption protocol performance can be improved using parallelism. The authors show linear speedup for several different Internet-based cryptographic protocol stacks running on a symmetric shared-memory multiprocessor using two different approaches to parallelism.

The last presentation was by David A. Wagner (UC Berkeley) who spoke about a TCP/IP security extension for MS-DOS systems "A 'Bump in the Stack' Encryptor for MS_DOS Systems" (joint work with Steven Bellovin, AT&T Bell Labs). Source code is not readily available for MS-DOS systems. Therefore, Wagner implemented the IP security extensions using the packet driver interface. The IPSEC module sits between the generic Ethernet driver and the hardware driver; it emulates each to the other. The work showed that it is possible to add IP security features by exploiting open interfaces. However, the implementation has several problems, such as the duplication of functionality (IP fragmentation).

The final session of the symposium was a panel on "Public-Key Infrastructure". Chair and moderator Warwick Ford (BNR) introduced the panel members and gave brief comments on the importance of the topic. He also acknowledged that the subject was too broad, and restricted it to the question of how many credentials are needed. The panelists gave short presentations and answered several questions from the audience. John Wankmueller (MasterCard International) stressed one point in his presentation: MasterCard and VISA take a different approach to certification than most other other systems: they try to establish that a valid account is used, not the identity of the user. Authenticating account numbers is in a sense obscuring the identity of users. Wankmueller then presented the architecture of a certification hierarchy that was developed to secure MasterCard electronic commerce transactions. Taher ElGamal (Netscape) focussed on the importance of user friendly and transparent security features. It therefore did not matter how many certificates were needed, if all the user has to do is to click on an icon to commit to a transaction, and the software beneath it determines which certificate is needed. There will most likely be a multitude of certificates: identity type, authorization type, and special purpose certificates. Universal certificates are possible to design, but complicated. Different countries have different styles (e.g., phone cards). ElGamal claimed that a likely outcome is to have about as many important certificates as plastic cards in one's wallet. Michael Baum (Verisign) represented the commercial public-key infrastructure service provider perspective. He asked if the lack of a single certificate is really a problem. He focussed on the practices and the legal side. The remainder of the time was spent with questions from the floor. Steve Kent observed that there is no need for multiple credentials not only because of different types of identity, but also because of context of identity. Bob Abbott challenged the trust in the system by asking what recourse customers have against fraudulent merchants.