News Bits

12/23/08: NIST requests comments

NIST announces the release of draft Special Publication 800-120, Recommendation for EAP Methods Used in Wireless Network Access Authentication. This Recommendation specifies security requirements for authentication methods with key establishment that are carried by the Extensible Authentication Protocol (EAP), defined in IETF RFC 3748, for wireless access authentication to federal networks. Please submit comments to with "Comments on SP 800-120" in the subject line.

The comment period closes on January 30, 2009.


Applications are Invited for the Position of Editor-in-Chief for IEEE Transactions on Dependable and Secure Computing

The IEEE Computer Society seeks applicants for the position of Editor-in-Chief (EIC) of IEEE Transactions on Dependable and Secure Computing. The initial two-year term of the new EIC is to begin 1 January 2010.

In general, candidates for all IEEE Computer Society Editor in Chief positions should possess a good understanding of industry, academic, and government aspects of the specific publication's field. IEEE Transactions on Dependable and Secure Computing emphasizes research into the foundations, methodologies, and mechanisms that support the achievement, through design, modeling, and evaluation, of systems and networks that are dependable and secure to the desired degree without compromising performance. The focus also includes measurement, modeling, and simulation techniques, and foundations for jointly evaluating, verifying, and designing for performance, security, and dependability constraints. In addition, candidates must demonstrate the managerial skills necessary to process manuscripts through the editorial cycle in a timely fashion. An EIC must be able to attract respected experts to his or her editorial board. Major responsibilities of the EIC include

Applicants should possess recognized expertise in the computer science and engineering community, have editorial experience, and be able to lead an active editorial board and work effectively with technical and publishing professionals. Applicants must have clear employer support.

Prospective candidates are asked to provide a complete resume or curriculum vitae, a brief plan (or vision statement) for the publication's future, and a letter of support from their institution or employer in electronic form by 2 March 2009. Material should be sent as PDF files to Jennifer Carruth, the staff coordinator for the IEEE TDSC search, who will coordinate getting all information to the search committee and its Chair.

MD5 collisions exploited to demonstrate "Rogue Certificate Authority"

An international team of researchers, several of them based in the Netherlands, carried out a tour de force of trust exploitation by capitalizing on a well-known weakness in the MD5 hash function: the ability to construct colliding inputs, which let a certificate request signed by a real CA yield a signature that also verifies over a differently constructed CA certificate. Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger state:

We have identified a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure websites. As a proof of concept we executed a practical attack scenario and successfully created a rogue Certification Authority (CA) certificate trusted by all common web browsers. This certificate allows us to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol.
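The practical check a practitioner takes away from this item is to look at which hash actually signed each certificate in a trust chain, since the outer signatureAlgorithm of a certificate is the algorithm the issuing CA used and is the one the collision attack targets. The following is an added example, not code from the original news item or from the researchers' work: a standard-library-only DER walker that reads the outer signatureAlgorithm OID of an X.509 certificate and flags md5WithRSAEncryption (and sha1WithRSAEncryption, which has since been retired for the same reason). The certificate fixtures are constructed DER skeletons with the correct outer Certificate structure, not real certificates, and the function names are assumptions made for this example.

```python
# Added example (not from the original news item): a minimal DER walker that
# reads the outer signatureAlgorithm of an X.509 certificate and flags the
# MD5-based RSA signature that the rogue-CA demonstration exploited.
# Standard library only; the "certificates" built below are constructed DER
# skeletons with the right outer structure, not real certificates.

# Well-known PKCS #1 signature OIDs (values from RFC 3279 / RFC 8017).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
DEPRECATED = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}


def read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Decode OID content octets (base-128 arcs; first octet packs arcs 1 and 2)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for octet in value[1:]:
        acc = (acc << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der: bytes) -> str:
    """Return the name (or dotted OID) of a certificate's outer signatureAlgorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    The outer AlgorithmIdentifier is what the issuing CA actually signed with.
    """
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)             # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert, pos)         # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    dotted = decode_oid(oid)
    return SIGNATURE_OIDS.get(dotted, dotted)


def is_weak_signature(cert_der: bytes) -> bool:
    """True when the certificate was signed with an MD5- or SHA-1-based RSA signature."""
    return signature_algorithm(cert_der) in DEPRECATED


# ---- constructed fixtures (assumed skeletons, not real certificates) -------

def encode_tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER element, using long-form length above 127 bytes."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_octets)]) + length_octets + value


def skeleton_cert(oid_hex: str) -> bytes:
    """Certificate SEQUENCE with a stub tbsCertificate (padded past 127 bytes so the
    long-form length path is exercised), the given signature OID, and a stub signature."""
    tbs = encode_tlv(0x30, encode_tlv(0x02, b"\x02") + encode_tlv(0x04, b"\x00" * 200))
    alg = encode_tlv(0x30, encode_tlv(0x06, bytes.fromhex(oid_hex)) + encode_tlv(0x05, b""))
    sig = encode_tlv(0x03, b"\x00" + b"\x00" * 16)  # BIT STRING, zero unused bits
    return encode_tlv(0x30, tbs + alg + sig)


MD5_CERT = skeleton_cert("2A864886F70D010104")     # 1.2.840.113549.1.1.4
SHA256_CERT = skeleton_cert("2A864886F70D01010B")  # 1.2.840.113549.1.1.11

if __name__ == "__main__":
    for name, cert in (("md5 skeleton", MD5_CERT), ("sha256 skeleton", SHA256_CERT)):
        print(name, signature_algorithm(cert), "WEAK" if is_weak_signature(cert) else "ok")
```

On a real chain, feed each certificate's DER bytes (PEM stripped of its armor and base64-decoded) to `is_weak_signature`; a CA certificate reporting md5WithRSAEncryption is exactly the kind of issuer the demonstration above abused, and the check should be applied to every intermediate, not only the leaf.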