Subject: Electronic CIPHER, Issue 9, September 18, 1995

====================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 9                                September 18, 1995
Carl Landwehr, Editor
====================================================================

Contents: [1570 lines total]

Letter from the Editor

Security and Privacy News Briefs:
 o Cryptography policy developments
 o LISTWATCH: WWW-Security -- SSL challenge broken, by Mary Ellen Zurko
 o IPSEC RFC's released
 o PGPfone Beta available
 o Gates foresees unprintable, unforwardable e-mail
 o Citibank thieves transferred $12M
 o Time features Infowar
 o MS Word "prank" macro
 o Windows '95 security items

Articles and Conference Reports:
 o Crypto 95 -- Notes on R. Morris, A. Shamir invited talks, by Jim Gillogly and Paul Syverson
 o Perspective on Data Encryption Policy, by Peter H. Lewis
 o Computer Security Foundations Workshop 8 Summary, by Simon Foley

Calls for Papers: ACM Workshop on RBAC, IFIP WG 11.3 1996, Info Hiding

Reader's guide to recent security and privacy literature
 o Communications and Multimedia Security: IT Sicherheit '95, Graz, Austria
 o Third Conf. on Computer and Communications Security '96, New Delhi, India
 o New Security Paradigms Workshop '95, La Jolla, California
 o Relevant papers from recent journals and periodicals
 o New Books: Computer Crime; Applied Cryptography 2nd Ed.
Calendar
Who's Where: recent address changes
New Reports available via FTP and WWW
Interesting Links
DSL subscription offer
How to join the TC on Security and Privacy
Publications for sale
TC officers
Information for Subscribers and Contributors

____________________________________________________________________
Letter from the Editor
____________________________________________________________________

Dear Readers,

Just a typical, slow-news August/September: the Windows '95 release triggered a flurry of security-related items, Time magazine featured a cover story on information warfare, evidence came to light that criminals had used computers to transfer nearly $12M from Citibank accounts, and the pot of international policies on export and use of cryptography continued to boil, with the Clinton administration floating a new policy permitting civilian agencies to use key escrow systems other than Clipper. This issue includes items or pointers on all of these topics and more.

With the proliferation of web sites storing technical information related to security and privacy, it's not easy to visit them regularly to keep up with new publications. Observing this, Milan Kuchta has suggested that, in addition to Cipher's "Interesting Links" section, we include a section listing pointers to recently published technical reports available by FTP or WWW. This we have done, and we encourage you to send pointers to Cipher when you produce or find relevant new reports.

Thanks to our many contributors; please send more! In particular, two films now in theaters focus on security and privacy -- anyone care to write comparative reviews? Also, anyone interested in providing reports on conferences coming up in the next month or so (DCCA-5, NISS-18, ICI, etc.), please send me a note.
Carl Landwehr
Editor, Cipher

______________________________________________________________________
Security and Privacy News Briefs
______________________________________________________________________

Cryptography Policy Developments
--------------------------------

Cryptography policy continues to be a hot topic. The National Research Council's project on national cryptography policy convened at Woods Hole this summer and plans to meet again in November. In early August, however, the Clinton administration suggested that it might consider a new policy for key escrow in which individual users could select different escrow schemes, as long as the government could obtain copies of the escrowed keys with proper authorization. A workshop to discuss the policy and solicit reaction was held at the National Institute of Standards and Technology in Gaithersburg in early September.

Reactions to the policy and the workshop have varied, and rather than try to summarize them, Cipher has obtained permission to include what seems to be a broad and balanced account written by Peter H. Lewis of the New York Times (later in this issue; also see pointers in the "Reports available via FTP and WWW" section). On Saturday, Sept. 16, Elizabeth Corcoran reported in the Washington Post that a meeting between government and industry officials the previous day had ended with private sector representatives feeling "confused" and "burned." Steve Walker of TIS was reported to have likened the process of developing a policy agreeable to all parties to trying to find a way through a maze that had never before been successfully traversed.

Elsewhere, Ross Anderson's item on possible future Australian crypto policy, circulated widely on the net and abstracted in Cipher EI#8, drew a rebuttal from Steve Orlowski, and the rebuttal drew another reply from Ross.
Rather than reprint these, Cipher suggests that interested readers read Orlowski's paper for themselves; it can be found at:

   http://commerce.anu.edu.au/comm/staff/RogerC/Info_Infrastructure/Orlowski.html

It's clear that national cryptographic policy is a sensitive issue and many governments are trying to assess and reconcile a number of competing positions.

______________________________________________________________________
LISTWATCH: WWW-Security list items, summarized by Mary Ellen Zurko, OSF
______________________________________________________________________

Exportable encryption for the Web is broken: The big news in WWW security circles this month was that a student at INRIA broke the SSL challenge (see http://www.portal.com/~hfinney/sslchal.html for the challenge, and http://pauillac.inria.fr/~doligez/ssl/announce.txt for the report on breaking it). The challenge was to break the encryption of a particular submission of a Web form using Netscape Navigator's "secure" mode. It was encrypted with the default exportable encryption mode, 40-bit RC4. The student who broke it used "a brute force search on a network of about 120 workstations and a few parallel computers at INRIA, Ecole Polytechnique, and ENS. The key was found after scanning a little more than half the key space in 8 days."

The debate raged over whether this is a clear indication that the US export restrictions on cryptography are out of date, and whether it is ethical to produce products that follow those strictures and claim that they are secure. A second challenge was cracked in under 32 hours using around 300 computers on the Internet. The timing of the NIST dialogues on exporting strong encryption if it uses key escrow could hardly be better. Most of this information was reposted on www-buyinfo from cypherpunks.
______________________________________________________________________
IPSEC RFCs Released
______________________________________________________________________

The IPSEC protocol, designed to support improved IP-layer security, both for IPv4 and IPv6, progressed to the next stage of Proposed Standard in early August with the release of RFCs 1825, 1826, 1827, 1828, and 1829. "RFC" means Request for Comments, and Cipher readers are encouraged to participate. Still to come is a standard for key management; one such standard, called "Photuris", is under active development. Cipher readers can find the RFCs at URL http://ds.internic.net/ds/rfc-index.html.

______________________________________________________________________
Gates foresees unprintable, unforwardable e-mail
______________________________________________________________________

In an article addressing privacy issues published in the New York Times, the Manchester Guardian, and perhaps elsewhere, Bill Gates claims: "Technology can overcome this privacy problem: expect to see e-mail that, at the option of the sender, cannot be forwarded or printed on paper." Do any Cipher readers have an idea what technology might accomplish this? A video camera seems an effective way to defeat anything your editor can imagine.

______________________________________________________________________
Citibank thieves transferred $12M
______________________________________________________________________

According to reports from Reuters, a Russian hacker from St. Petersburg and accomplices are accused of hacking into Citibank's electronic banking system in Parsippany, New Jersey and illegally transferring $12M to other bank accounts in San Francisco, the Netherlands, and Finland. The Russian, 28-year-old Vladimir Levin, is currently fighting extradition to the U.S. in hearings in London. He has been held there since last March 3, when he was arrested at Heathrow, according to the reports.
Citibank has stated that it recovered all but $400,000 of the transferred funds, according to the Wall Street Journal. The September 17 issue of the Washington Post carried a full page ad encouraging readers to "Call Citibank today and start using our PC banking service for free."

______________________________________________________________________
TIME features Infowar
______________________________________________________________________

The August 21 issue of TIME magazine featured three articles on information warfare, including one detailing scenarios from a RAND war game. Cipher readers who missed the issue but have Web access may be able to find it by going to URL http://www.pathfinder.com/ . Choose "Search" from the home page, select the TIME database, and use "infowar" as the phrase to search for.

The August 10, 1995 issue of Defense Daily also carried an account of a wargame conducted at the Naval War College July 10-28 that included elements of information warfare attacks. In this scenario, while two major regional wars were in progress abroad, participants had to deal with "cyber-terrorists" who disrupted air traffic control and jammed commercial ship communications. Apparently it took some time for the participants to recognize that the incidents at home were part of a coordinated attack.

______________________________________________________________________
PGPfone Beta available
______________________________________________________________________

In late August, MIT announced that it is now distributing the BETA TEST release of PGPfone. According to the announcement, PGPfone (Pretty Good Privacy Phone) is a software package that turns a desktop or notebook computer into a secure telephone. It uses speech compression and strong cryptography protocols to support real-time secure telephone conversation. The Beta Test is currently available only for Macintosh computers; a Windows 95 version is in the works. PGPfone is being distributed in the U.S.
and Canada via anonymous FTP and the World Wide Web. Anonymous FTP users should get the file "/pub/PGPfone/README" from net-dist.mit.edu. It provides instructions on how to download PGPfone. Web users should go to the PGPfone Home Page at URL:

   http://web.mit.edu/network/pgpfone

______________________________________________________________________
MS Word "Prank" macro
______________________________________________________________________

Microsoft acknowledged the existence of a "prank" macro that can infect MS Word documents and released the following statement about it:

   Microsoft Word is a target of a virus-like macro which distributes itself through documents created in Word 6.0 for Windows 3.1, Word 6.0.1 for the Macintosh, Word 6.0 for Windows NT, and Word for Windows 95. This macro does not affect earlier versions of Word for Windows or Word for the Macintosh. After you open a document containing the macro, documents you save will contain copies of it. Once installed, the macro only lets you save documents as templates. The macro does not otherwise affect the contents of documents, but it will replicate and distribute itself through Word documents.

Microsoft also released a program to scan documents and remove the offending macro. Further information, and the scanner, are available at URL http://www.microsoft.com/msoffice/prank.htm

______________________________________________________________________
Windows '95 Security
______________________________________________________________________

The much-ballyhooed release of Windows '95 triggered a number of security-related news items. First, the behavior of the Registration Wizard (which potentially sends information about the user's configuration back to Microsoft), reported in Cipher last spring, continues to evoke some comment and concern. Second, some users reported error messages when trying to install the second Windows '95 disk.
The problem apparently occurred if the user's existing system had a particular virus installed; for details on the problem and treatment, try URL:

   http://www.windows.microsoft.com/windows/support/disktwo.htm

(though your editor was unable to get a response from it). Third, interactions between Windows '95 and Novell Netware may result in unexpected behaviors (though Microsoft evidently disputes this), as described in the following copyrighted article (thanks to Gene Spafford for passing this to Cipher):

New Software Is Blamed for Networking Problems at a Few Universities
By SIMSON L. GARFINKEL, Special to the Mercury News
(C) 1995, Simson L. Garfinkel
Permission granted for electronic redistribution on the Internet

Microsoft's new Windows 95 operating system is playing havoc with the computer networks at a few of the nation's universities, prompting at least one university to issue a policy restricting students and faculty from running Windows 95 on its computer network.

University administrators say problems have occurred when a user running Windows 95 connects that machine to a network running the Novell Netware operating system, one of the most popular versions for allowing a group of computers to operate collectively, or over a ''network.''

Windows 95 has a new network feature that allows computer users to share information stored on each other's computers. The problem, according to people who have worked with the software, is that a computer running Windows 95 can be configured to masquerade as an organization's Novell Netware server, or centralized ''control'' computer. When that occurs, the computers trying to talk with the server shut down, or ''crash,'' university officials say.

Utah State University already has instituted a policy forbidding its students and staff from using a specific type of Netware networking feature that's built into Windows 95.
''We have published a policy that we will come and break your kneecaps if you do this, so please don't,'' said Joe Doupnik, a professor of electrical engineering at Utah State University in Logan, Utah.

Besides Utah State, representatives from the University of Kansas and some other institutions have reported similar problems. So far, no corporations have reported any troubles with the popular new operating system, according to a Microsoft spokesman. That suggests, according to computer experts, that it is only in less regulated environments -- such as college campuses -- where there may be problems. At larger corporations, the computer network is closely managed by experts who would know how to avoid the traps that could lead to the woes being experienced at some universities.

The problem reported by the universities has to do with the inner workings of Novell's Netware operating system. Under normal circumstances, when a desktop computer running Novell's client software is turned on, one of the first things that the computer does is send a request out on the network for the nearest Novell server, said Doupnik. Under normal circumstances, the nearest Netware server responds to this request and tells the client computer how to go about accessing files on the organization's local area network.

But when a Windows 95 computer configured to act like a server is attached to the same network, Doupnik said that computer can respond first. The result is that the person who has requested information from the network ends up with an unresponsive, or dead, computer. For the user running a computer with the Windows 95 operating system, nothing appears to be wrong.

Microsoft, meanwhile, denies that the problem exists. ''We have done extensive testing with Novell's products,'' said Mike Conte, a group manager with Microsoft's Personal Systems Division. ''There was an issue . . . during the beta [test period], but actually the problem has been fixed for months.
''Normally, people won't encounter this issue at all, because it won't be turned on,'' Conte said, referring to the program that turns on the specific networking function. If users do turn it on, he said, they need to specify a ''preferred network'' for Novell Netware clients to use. Windows 95 will then automatically send the client's requests to the appropriate Netware server.

But computer system administrators -- and Novell itself -- disagree. Novell and Microsoft are competitors in the lucrative networking software market. William Donahoo, director of product marketing at Novell, said his company has offered to work with Microsoft, but the Washington-based king of desktop operating systems has rebuffed Novell's overtures.

''We have several license programs and computability testing programs,'' Donahoo said. ''They have not wanted to participate. They have wanted to do it on their own.''

Donahoo said there is a way for system administrators to prevent system crashes, but representatives from the universities say they have been unable to resolve the problem. For example, Michael McGinnis, a network consultant at the University of Kansas in Lawrence, said a student at that university on Friday caused havoc on the network system when he tried to hook up to the network after he had installed Windows 95. McGinnis said it took him and two other computer consultants three hours to track down the culprit.

''I have had the problem, and I have gotten e-mail messages from system administrators at three other universities who have seen the problem,'' McGinnis said.

McGinnis called Microsoft for technical support. ''I spent an hour on the phone, and couldn't get to anyone at Microsoft who knew anything about this problem. I talked to one tech support guy who said he didn't know of any such problem. He gave me a phone number of another Windows 95 Networking Support Group at Microsoft.
I have not called them yet, because I didn't have authorization to spend $35.''

About this last point, McGinnis is particularly resentful. ''We bought 375 copies and they won't let me talk to a tech support person unless I pay them.''

______________________________________________________________________
Crypto '95: Notes on Morris, Shamir Invited Talks
______________________________________________________________________

Crypto '95 attendance continued its upward trend this year, with over 300 participants. Proceedings are available from Springer-Verlag (see the IACR home page (http://www.swcp.com/~iacr/) or the Interesting Links section on Cipher's Web page) that cover the regular sessions, but we include notes on invited talks by Robert Morris, reported by Jim Gillogly, and Adi Shamir, reported by Paul Syverson. Bob Morris has reviewed Jim's summary, but, as Paul notes, Adi Shamir has NOT had the opportunity to review Paul's summary.

---------
Notes on "Non-cryptographic Ways of Losing Information",
a talk by Robert Morris, reported by Jim Gillogly
---------

Bob Morris (recently retired from NSA) gave a fascinating invited lecture entitled "Non-cryptographic Ways of Losing Information". I hope he writes it up; until then, here are my notes from his presentation.

Two things he said which I found new and fascinating:

- During the early 1950's many major powers were discouraged by the tendency of then-modern crypto machines to fail in a way that would send plaintext instead of ciphertext, and they went to one time pads for most of their high-level enciphered traffic. Because of key re-use, we were regularly and routinely reading pieces of that traffic. This included many systems from various countries. (I wonder if he meant to include VENONA among these systems?) Sometimes the people who prepared OTP's would double their profit by selling them to more than one customer.
- By the middle to late 1960's cryptanalysis became less cost effective than obtaining the information by other means -- wiretaps and so on.

Morris emphasized and said we should write down these dicta:

  --> Never underestimate the attention, risk, money and time that an opponent will put into reading traffic.
  --> Rule 1 of cryptanalysis: check for plaintext.

The real start of modern cryptology should be dated to the Enigma machines, which typified the new character of the art. Much has been made of the errors of the German cipher clerks, but egregious as they were, the errors made by the British cryptographers were vastly worse, and the American blunders were worse yet. German analysts regularly read and used Atlantic convoy orders throughout the war -- they were transmitted in an old code.

One must always assume that the enemy has a copy of the machine/algorithm. A system that relies on keeping the algorithm secret is eventually doomed to failure, because it will always be discovered by some means or other.

He sees microphones and antennas everywhere: the telephone line cord is an antenna; if telephone linemen were working on a pole outside his house he'd call the police and then find out what they were working on. In an unspecified country he called Lower Slobbovia (Al Capp, isn't it?) American troops used encrypted radiophones; when they broke they were taken to local repair shops to be fixed. When they got home the US engineers were interested to see the modifications that had been made. He mentioned a few similar instances, including the lovely carved wooden seal given to the US Embassy in Moscow to decorate the Ambassador's residence. [A replica is now on view at the National Cryptologic Museum with the transmitter cavity visible.]

Cordless phones have a range of 5 miles or so. Use of cellular phones is increasing dramatically, as well as fax and modems.
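Two of the failure modes Morris describes above, a cipher machine that "fails to plaintext" and a one-time pad used more than once, as an added Python example (not from the newsletter or from Morris's talk); the messages and pads are constructed, and the printable-fraction and top-bit tests are this example's own heuristics, not anything described in the talk.

```python
"""Added example: defender-side checks for two of Morris's failure modes.

1. A cipher device that fails "to plaintext": check the output before it
   goes on the wire ("Rule 1 of cryptanalysis: check for plaintext").
2. One-time-pad re-use: XORing two ciphertexts made with the same pad
   cancels the pad and leaves p1 XOR p2, which has a recognizable shape.
"""
import math
import secrets
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Long random data approaches 8.0; English text sits near 4.5."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_fraction(data: bytes) -> float:
    """Share of bytes that are printable ASCII or ordinary whitespace."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def looks_like_plaintext(data: bytes) -> bool:
    """Pre-transmission guard for a cipher device's output.

    A uniformly random byte is printable ASCII with probability about 98/256,
    so a "ciphertext" that is nearly all printable has almost certainly not
    been enciphered.  For long outputs a low byte entropy is a second signal.
    Outputs shorter than 16 bytes are too small to judge with this heuristic.
    """
    if len(data) < 16:
        return False
    if printable_fraction(data) >= 0.9:
        return True
    return len(data) >= 256 and shannon_entropy(data) < 6.0


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """One-time pad: XOR with a pad at least as long as the message (decrypt is the same op)."""
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than message")
    return bytes(p ^ k for p, k in zip(plaintext, pad))


def pad_reuse_suspected(c1: bytes, c2: bytes, threshold: float = 0.95) -> bool:
    """Flag two ciphertexts that appear to share a pad.

    If the pad is shared, c1 XOR c2 == p1 XOR p2.  Two ASCII plaintexts (all
    bytes < 0x80) always XOR to bytes with the top bit clear.  Under
    independent pads the XOR is uniform, so each byte clears the top bit with
    probability 1/2; a near-100% clear rate over 16+ bytes is a strong signal.
    """
    n = min(len(c1), len(c2))
    if n < 16:
        return False
    clear = sum(1 for a, b in zip(c1, c2) if (a ^ b) < 0x80)
    return clear / n >= threshold


def demo() -> dict:
    """Constructed messages and pads; returns each check's verdict."""
    msg1 = b"CONVOY ABLE DEPARTS HALIFAX 0600 ROUTE VIA GRID AK 41 STOP"
    msg2 = b"SEND SPARE PARTS FOR STATION FOUR BY NEXT COURIER FLIGHT STOP"
    shared_pad = secrets.token_bytes(max(len(msg1), len(msg2)))  # re-used below: wrong
    c1 = otp_encrypt(msg1, shared_pad)
    c2 = otp_encrypt(msg2, shared_pad)
    c3 = otp_encrypt(msg2, secrets.token_bytes(len(msg2)))        # fresh pad: right
    return {
        "device_output_ok": not looks_like_plaintext(c1),          # real ciphertext passes
        "failed_to_plaintext_caught": looks_like_plaintext(msg1),  # unenciphered output caught
        "reuse_detected": pad_reuse_suspected(c1, c2),
        "fresh_pad_clean": not pad_reuse_suspected(c1, c3),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```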
He discussed the Walker/Whitworth spying case, and said one of his design criteria is to design systems with Walker in them: it's not good enough to have a system where everyone must be trusted, but it must also be made robust against insiders. This may include going to non-paper systems, so that there are no paper keys that the Walkers of the world can shop to the other side.

Threats and risks include: overconfidence, carelessness, eavesdropping and tapping, theft of floppies and other materials, purchase, theft of key material, burglary and blackmail. Much or most loss is due to insiders.

In the future there will be more radio used for ordinary communications. Americans are unwilling to pay for secure telephones, but that's not the case in Europe.

--------------------------
Notes on "Cryptography -- Myths and Realities", a talk by Adi Shamir
Reported by Paul Syverson
--------------------------

[Note: I produced this writeup from memory without the benefit of notes, and Shamir has not had the opportunity to review it. So, caveat lector! -Paul Syverson]

The IACR Distinguished Lecture, ``Cryptography---Myths and Realities'', was given by Adi Shamir. The lecture was both entertaining and informative, tracing the early history of events surrounding the development of the RSA algorithm and giving practical advice for computer security today.

One of the first myths dispelled was that one has to be a longstanding expert on algorithms to come up with a good one. Shamir's first contact with Ron Rivest was in a letter suggesting they discuss the advanced algorithms course that the two would teach together when Shamir was visiting at MIT. Actually this letter, sent just weeks before the beginning of the spring term, was the first he knew of his assignment. And, at that point he had no background in algorithms!
He also documented the laborious uphill struggle that the cryptographer faces as the cryptanalyst relentlessly swoops down on his work; apparently early proposals for what would become RSA were worked out on ski trips in Vermont that winter and spring. On the ride up someone would propose a scheme which would then be broken during the next run down the mountain. The final version actually came to Ron Rivest on another occasion as he lay delirious and sick on his couch at home.

Another myth he refuted was that NSA is some vicious three headed monster. He agreed that it has three heads but said that, contrary to popular belief, his dealings with NSA had always been quite reasonable if sometimes a bit unclear.

After the history lesson, Shamir concluded his talk with lessons for commercial security today, which he called the 10 Commandments of Commercial Security:
--------------------------------------
 1. Don't aim for perfect security.
    So, be realistic, and do the best you can within your limits. Roughly, you should double security expenditure to halve risk.
 2. Don't solve the wrong problem.
    For example, note that US banks lose 10 billion dollars a year in check fraud but only 5 million in online fraud.
 3. Don't sell security bottom-up (in terms of the personnel hierarchy).
 4. Don't use cryptographic overkill.
    Even bad crypto is usually the strong part of the system.
 5. Don't make it complicated.
    This yields more places to attack the system, and it encourages users to find ways to bypass security.
 6. Don't make it expensive.
 7. Don't use a single line of defense.
    Have several layers so security can be maintained without expensive replacement of the primary line.
 8. Don't forget the ``mystery attack''.
    Be able to regenerate security even when you have no idea what's going wrong. For example, smart cards are attackable but are great for quick cheap recovery.
 9. Don't trust systems.
10. Don't trust people.
______________________________________________________________________
Perspective on Recent Events in Data Encryption Policy
by Peter H. Lewis
______________________________________________________________________

[The following column crossed my electronic desk and struck me as a good summary of where the current discussions of public policy on encryption have led. Thanks to Peter Lewis for permitting us to include it here.--CEL]

On The Net Column
Monday, Sept. 11, 1995
Peter H. Lewis

In terms of its ability to raise the nation's blood pressure, the debate over data encryption has not yet reached the same levels as gun control. But last week the Clinton Administration appeared to set the stage for an equally divisive national debate over the rights of businesses and individuals to keep secrets when using telephones, computers and other forms of electronic communications.

In two days of public hearings last week in Gaithersburg, Md., home of the National Institute of Standards and Technology (NIST), the Administration in effect unveiled its long-awaited proposals to relax restrictions on the export of cryptographic software. In effect, the Administration drew a line in the virtual sands of cyberspace, signaling that it is willing to permit Americans to put stronger cryptographic locks on their electronic data only if a spare key to those locks is made available on demand to law enforcement agencies.

There looms the conflict.

Although the current debate is about export controls on an esoteric form of software that most Americans do not use, the "export" issue is ultimately irrelevant in today's era of global electronic voice and data networks, where passwords, not passports, are checked at the gates. Simply placing a common privacy program on an Internet-connected computer in Austin, Tex., is effectively no different from sending a shrink-wrapped copy of the program to Moscow.
The real issue is how much privacy the Government is willing to allow its own citizens, and the latest word from the Clinton Administration is that the right to electronic privacy, like the right to bear arms, is not absolute.

***

Cryptography is the science of secret writing. In this digital era, secret writing applies not just to notes handed from one spy to another, but also to telephone calls between individuals, funds transfers between banks, bank and credit card records, electronic mail, faxes, and an endless variety of computer files.

The Clinton Administration has been clear and consistent in outlining its basic position on cryptographic systems. The goal is to allow American citizens and companies to use the strongest possible cryptographic technology, while at the same time preserving the ability of law enforcement agencies to perform court-authorized wiretaps as part of the effort to catch drug dealers, terrorists, child pornographers and other miscreants.

In other words, it favors strong cryptography, but not too strong.

One way to measure the strength of cryptographic software is the length of the software key necessary to encode and decode a message. The longer the key, in terms of digital bits, the harder it is for an unauthorized user to decipher the message. In recent years, the Government has generally permitted Americans to export cryptographic software with key lengths up to 40 bits. Experts say that 40-bit keys are secure from casual snooping, but will fall quickly to a determined codebreaker. The fact that the Government allows 40-bit encryption systems to be exported is a pretty good indication that the National Security Agency can break them easily.

There are literally hundreds of stronger cryptography programs readily available outside the United States, and these stronger programs are attractive to businesses that want to safeguard their data from Internet bandits and corporate and government spies.
Last week, after more than a year of intense analysis of the software export controls issue, the Government unveiled what it said was the best possible compromise. Under the new policy, companies can export encryption algorithms using 64-bit keys, which are much more secure, but only if spare keys are made available to law enforcement agents under standard legal procedures. Otherwise, the 40-bit limit continues to apply.

The "spare key" technology, officially known as key escrow, is anathema to many privacy advocates who fear Government abuses. The Government first proposed a key escrow system with its so-called Clipper Chip, a technology that failed to win acceptance even as a voluntary standard.

Unlike Clipper, which was based on a classified algorithm called Skipjack that only a few people outside the Government were allowed to examine, the new policy allows people to use any algorithm they choose -- as long as it uses a key no larger than 64 bits, and as long as the keys are entrusted to a domestic third party accessible to the Government, and as long as the key escrow mechanisms cannot be readily altered or bypassed. Also unlike Clipper, which required a special tamper-proof microprocessor that would have added cost, complexity and extra power requirements to communications devices, the new proposals can be implemented entirely in software.

Key escrow systems make a lot of sense for most American companies, at least for internal use. Having a spare set of keys lessens the risk of a disgruntled employee or saboteur locking up vital company files. But key escrow is also unpopular with American computer and software companies, who say it prevents them from competing against foreign companies that have no similar constraints, and with many multinational corporations, who say it prevents them from working with foreign companies that don't especially care for the idea of Uncle Sam holding the keys to their data banks.
"If this was intended to be any sort of compromise, I don't think it achieved its end," said Whitfield Diffie, a Distinguished Engineer at Sun Microsystems who attended the meetings. "I didn't see anybody who was enthusiastic." *** Raymond G. Kammer, deputy director of NIST, suggested that the hearings last week were intended to elicit public comment, and that the Administration's final positions on cryptographic policy are still under analysis. However, the emergence of key escrow issues at the NIST proceedings suggest that key escrow is emerging as a non-negotiable demand by some factions of the Clinton Administration, especially the Justice Department and the Federal Bureau of Investigation, led by Louis Freeh. Mr. Freeh sincerely believes that data encryption is a weapon, and has publicly called for domestic restrictions on civilian cryptography. "If this fails," said one observer familiar with the Administration's thinking on the proposed change in cryptographic policy, "it's going to lead to a very devisive debate. And the irony, for libertarians who oppose key escrow, is that if it fails, I am convinced that Louis Freeh cannot be true to his job without proposing domestic controls on data encryption." "He's not going to give up without a fight, and neither is the Justice Department," said the observer, who spoke on the condition he not be identified. Others say they do not think the Clinton Administration has yet arrived at a concrete position, even after more than a year of study and debate. "I don't think it's a final offer," said John Gilmore, a member of the board of directors of Cygnus Support Inc., a computer company in Mountain View, Calif. "It looks to me like a weak strawman, a first offer, a proposal to dance." The question is whether American citizens and businesses have the patience to wait for the music to start. And the issue may be moot, anyway. 
"The Internet Architecture Board has specifically decided to ignore export controls in designing the security infrastructure for the next generation of Internet protocols," Mr. Gilmore said. "The Internet of 1998 will provide automatic, secure, and fully private communication, without key escrow, internationally. The protocols will be implemented independently in a dozen different countries." In other words, the international Internet community is already planning to jump over the new line in the sand drawn last week by the Clinton Administration. Cryptography that is stronger and better than the Government's proposed system will become an integral part of the Internet, and American companies and individuals would be foolish not to use it. At that point, millions of Americans will come in direct conflict with Government policy, and the popular gun-control bumper sticker may be replaced by one that says, "If cryptography is outlawed, only outlaws will have cryptography." Peter H. Lewis, P.O. Box 162490, Austin, TX, 78716-2490 (512) 328-8258 ... "All the Disclaimers That Fit in Print" plewis@nytimes.com ______________________________________________________________________ Report on the 8th IEEE Computer Security Foundations Workshop by Simon Foley ______________________________________________________________________ [The following article will appear in the next issue of SIGSAC Review and appears here with permission of its editor, Catherine Meadows, and the author. This piece supplements Cipher's earlier account by Trent Jaeger in EI#7. Simon Foley chaired the meeting reported.-- CEL] ----------------------------------------------------------------------- The purpose of the Computer Security Foundations Workshop is to bring together researchers to explore fundamental issues in computer security. 
Each year, papers and panel sessions are presented in foundational areas such as access control, cryptographic protocols, database security, integrity and availability, information flow, and formal methods for security. This year the workshop was held in Dromquinna Manor, Kenmare, County Kerry, Ireland, June 13-15, 1995. It was the first time the workshop was held outside the USA. Dromquinna Manor, situated on a peninsula on the south-west coast of Ireland, provided the kind of peaceful environment, in an idyllic setting, that has become synonymous with the workshop. The number of submissions to the workshop was up on the previous three years, perhaps due in part to the attractive venue, but most certainly due to the lively technical discussions that can be expected during the workshop. It was the hard work of Program Chair Li Gong (SRI, USA), the Program Committee, authors and panelists that made the workshop such a success.

The first session, chaired by Simon Foley, was on Composition and comprised three papers about relationships between information flow properties and composition. In his presentation of The Composability of Non-Interference (A. Zakinthinos and E.S. Lee, U. Toronto, Canada), Aris Zakinthinos proposed a novel, composable non-interference property that permits a degree of feedback. He argued that non-interference is more appealing than restrictiveness because it has a more intuitive feel and a larger class of systems satisfies the property. Lars Wulf presented Composing and Decomposing Systems under Security Properties, co-authored with A.W. Roscoe (both Oxford U., UK). He argued that a more expressive model than traces should be used when capturing information flow properties in CSP. The authors studied separability, and its relationship to composition, in terms of the failures-divergences model. A conclusion was that separability is not a sound property for systems that have (internal) nondeterminism.
The final paper, Algebraic Properties of System Composition in the Loral, Ulysses and McLean Trace Models, was presented by Alfred Maneki (DOD, USA), who gave a catalogue of algebraic properties for the three information flow properties. His conclusion was one of caution: one should be mindful of how compositions are made, even if the property is composable.

Michael Reiter (AT&T Bell Labs, USA) chaired the session on Authentication Protocols. Li Gong was to present a paper, Optimal Authentication Protocols Resistant to Password Guessing Attacks, but in the tradition of CSFW spontaneity he proposed instead ten foundational issues for computer security. They were: secure initial access (by universal authentication format); high integrity and easily accessible pseudo-random number generators; highly available, non-tamperable global time service on the internet; sensible placement of security mechanisms within the internet; secure, dynamically constituted groups; provably secure protocols; refinement of security properties and specifications; secure (heterogeneous) system composition; secure system inter-operation; and sensible integration of security and fault tolerance. The second paper, Key Distribution without Individual Trusted Authentication Servers, was presented by Liqun Chen (co-authors D. Gollmann and C. Mitchell, all U. London). Chen described the problem of establishing secure (symmetric) channels between entities who share no secret, and where some authentication servers cannot be trusted. The advantages of their protocol over existing solutions include fewer (and smaller) messages, greater choice of hash function, and lower computational complexity.

The session after lunch, Analysis of Cryptographic Protocols, was chaired by Gene Tsudik (IBM, Switzerland). Colin Boyd (U. Manchester, UK) presented Towards a Classification of Key Agreement Protocols, and advised caution when selecting hash functions.
His `menagerie' of hash functions (acronyms BOW, MIOW and WOOF) helps classify key agreement protocols into three different types, which he described. The second speaker, Wenbo Mao (HP Labs, UK), proposed An Augmentation of BAN-Like Logics. He noted that errors are easily made during the protocol idealization step. His approach does not change the axioms of the logic, but proposes that stages of the idealization be described using new operators.

After a break for cream teas on the lawns of Dromquinna, the first day was concluded by a panel session on What Makes a Cryptographic Protocol Dependable? The moderator was Catherine Meadows (NRL, USA), with panelists Colin Boyd, Dieter Gollmann and Michael Merritt (AT&T Bell Labs, USA). The motivation for the panel was that there exists a large body of work describing various conditions that cryptographic protocols should satisfy to be reliable/dependable; however, these requirements are often contradictory when taken together. Colin Boyd's position was that we should follow the formal top-down principles of dependable systems development. He suggested a layered approach, with refinement between layers providing correctness: first, specify the security requirements for messages in the system; second, design/describe the protocol in an abstract manner, avoiding details about specific cryptographic algorithms; and third, implement. He argued that many existing protocols are not specified properly, feeling that approaches such as using CSP/FDR are good because they force the specifier to be precise. In light of this, Bob Morris wondered whether we even know what cryptographic protocols are intended to do in the first place. Dieter Gollmann asked the same question of protocols and repudiation, suggesting that the problem is not being able to focus on what we want to talk about.
He agreed with Boyd's layered approach and argued that when designing protocols we should: always use the correct level of abstraction; disassociate signature from encryption with a secret key; keep proofs a distance from protocol, and make all initial assumptions on keys, nonces and algorithm explicit. Michael Merritt wondered if insight could be gained by taking the viewpoint of dependable protocols as a form of fault tolerant distributed algorithms. With fault tolerance one is interested in the reachable states of a system, while with a protocol, we are interested in the reachable states of an adversary. However, he pointed to a number of problems that make developing dependable protocols harder. He felt that secure refinement will be a difficult problem, especially given that an adversary attacks the implementation, not the specification. He suggested that refinement could be a process of re-examining the steps from previous levels to make sure they still hold. Bill Roscoe agreed that refinement of specifications involving true nondeterminism is very hard. John McLean wondered if properties like subliminal channels might get overlooked by refinement and suggested that perhaps refinement should be viewed as just a way to narrow down what one needs to look at when developing a protocol. Mark Lomas outlined a system which used two individually `dependable' protocols together in such a way that they failed. Others had similar experiences, often due to protocol assumptions not being made explicit. Michael Merritt wondered how we specify `you do not do anything incredibly stupid', and suggested analyzing substitution attacks as a way to avoid problems of extending protocols later on. Li Gong felt that at the protocol level we should not be concerned with low-level details about crypto-system attacks etc., making it even harder to analyze. 
He argued that it is the person who codes the protocol who should ask the relevant questions about which ciphers are appropriate to use.

Before chairing the first session of day two, Jonathan Millen (MITRE, USA) asked the audience to consider the state of computer security foundations and its relationship to the photograph of Staigue Fort on the proceedings' cover (an early medieval stone fort near Dromquinna Manor). He speculated that the fort looked like a foundation, but nothing was ever built on it and, furthermore, it was crumbling on top! The first paper in this session on Issues in Implementations was The Security Checker: A Semantics-based Tool for the Verification of Security Properties, by R. Focardi, R. Gorrieri and V. Panini (U. Bologna, Italy). In his talk, Ricardo Focardi described work on adapting the CCS Concurrency Workbench to model-check information flow properties of CCS-style specifications. The checking algorithms have poor (some exponential) worst-case complexity. However, in practice the authors have found the time and space requirements for the algorithms to be reasonable, especially if algebraic properties (for example, parallel composition) of the security property are used to reduce the number of states to be checked. Trent Jaeger presented Implementation of a Discretionary Access Control Model for Script-based Systems (co-author Atul Prakash, both from U. Michigan, USA). He proposed an access control model tailored specifically for script-based systems. The model provides roles for processes running command scripts: accesses are determined by the rights of the process and the script author. The model has been implemented using Safe-Tcl under Kerberos and Taos. In the absence of the authors, J.V. Janeri (MITRE, USA), D.B. Darby and D.D. Schnackenberg (Boeing, USA), Jonathan Millen presented their paper Building Higher Resolution Synthetic Clocks for Signaling in Covert Timing Channels.
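The summary of that paper, which follows, turns on one countermeasure: limiting the granularity of the clock a receiver can read. The toy simulation below is an added illustration written for this report, not code from the paper or the workshop. A sender stretches the gap between two observable events to signal a 1; a receiver timestamps both events through a clock that only advances every `granularity` units and thresholds the measured gap; the decoded-bit accuracy is then reported as the clock is coarsened. The constants BASE_GAP, PULSE and STRIDE and the 16-bit message are constructed for the example and stand in for whatever scheduling delays a real channel would use.

```python
"""Toy covert-timing-channel simulation (constructed for this example).

The sender encodes a 1 by adding PULSE time units of delay between two
events the receiver can observe, and a 0 by adding nothing.  The receiver
timestamps both events with a clock of limited granularity and decodes by
thresholding the measured gap.  Coarsening the clock is the countermeasure:
once the tick is wider than the pulse, most bits are lost.
"""

BASE_GAP = 100   # gap between the two events when sending a 0 (constructed units)
PULSE = 10       # extra delay that encodes a 1
STRIDE = 137     # start time of bit i is i * STRIDE; a prime so the phase
                 # relative to the clock tick varies from bit to bit

# Constructed 16-bit message to send over the channel.
MESSAGE = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]


def read_clock(t: int, granularity: int) -> int:
    """Timestamp as seen through a clock that only advances every
    `granularity` units: the true time rounded down to the last tick."""
    return (t // granularity) * granularity


def decode(bits, granularity):
    """Simulate sending `bits` and decoding them with a receiver whose
    clock has the given granularity. Returns the decoded bit list."""
    decoded = []
    for i, b in enumerate(bits):
        start = i * STRIDE
        end = start + BASE_GAP + (PULSE if b else 0)
        # The receiver never sees `start` and `end` directly, only the
        # quantized readings, so the measured gap can be off by up to one tick.
        measured = read_clock(end, granularity) - read_clock(start, granularity)
        decoded.append(1 if measured >= BASE_GAP + PULSE // 2 else 0)
    return decoded


def accuracy(bits, granularity):
    """Fraction of bits recovered correctly at this clock granularity."""
    decoded = decode(bits, granularity)
    return sum(1 for a, b in zip(bits, decoded) if a == b) / len(bits)


if __name__ == "__main__":
    for g in (1, 8, 64):
        print(f"clock granularity {g:3d}: accuracy {accuracy(MESSAGE, g):.3f}")
```

With a 1-unit tick the message is recovered exactly. At an 8-unit tick, close to the 10-unit pulse, a 1 is lost whenever the bit's start phase makes the 110-unit gap round down to 104, so 13 of 16 bits survive; at a 64-unit tick only 6 of 16 do, worse than guessing. That is the trade-off the paper summary records: the tick has to be coarser than the signalling delay to suppress the channel, yet legitimate network software may need finer timing than that.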
Millen described a network LAN covert channel, and its countermeasures, based on process scheduling. Controlling the channel by adjusting clock granularity can conflict with the timing requirements of network software. This was exemplified by the discovery of a Heisenberg-like principle: the covert channel worked when debugging code was present in the software, but decayed when it was removed!

Michael Merritt chaired the session on cryptographic protocols, which focused on using algebraic techniques for verifying protocols (as opposed to BAN-style approaches). A.W. Roscoe's paper was on Modeling and Verifying Key-Exchange Protocols using CSP and FDR, but he spoke about subsequent ongoing work at Oxford with P. Gardiner, G. Lowe and M. Goldsmith. Their approach is to use CSP to describe the agents in the protocol (responder, server, initiator, adversary) and use the FDR tool to model-check safety and liveness properties of the protocol. The second paper, Using Temporal Logic to Specify and Verify Cryptographic Protocols (Progress Report), by J.W. Gray III (Hong Kong U. of Science and Technology) and J. McLean, was presented by John McLean. The goal of their research is to provide a single logic in which requirements specification, protocol specification and proof of correctness can all be done within the same formalism. In this respect, they have effectively recast the Prolog, context-free grammar and temporal logic components of the NRL protocol analyzer tool into Lamport's Raw Temporal Logic of Actions. The session adjourned for lunch, which was had down by the sea shore.

The session on Secure Systems was chaired by John McLean. Tom Keefe (Penn State, USA) presented Concurrency Control for Federated Multilevel Secure Database Systems (co-author I.E. Kang, GTE Labs, USA). He explained their interest in building federated multilevel DBMS on top of autonomous, pre-existing multilevel DBMS systems.
Their approach uses a secure validation protocol which ensures serializability across the federation, maintains local autonomy of individual DBMS and ensures multilevel security. While their protocol currently requires the security lattices of local DBMSs to be total, the resulting lattice for the secure federation is not necessarily total. Keefe also described a novel method for untrusted timestamp generation that can be used in their protocol. Jeremy Jacob (University of York, UK) presented the paper Specifying Security for CSCW Systems (co-author S. Foley). He described what the authors believe to be a reasonable method for specifying functionality and security (confidentiality) requirements for CSCW applications. Testing the method against a simple case study, they were surprised that security turned out to be very simple to specify. Jacob suggested that this came about as a result of the way the application is modularized, and because so much is captured by the functionality requirements.

The panel session Considering the Common Criteria concluded the second day, with moderator Jane Sinclair (Open University, UK) and panelists Jeremy Jacob, Jonathan Millen and Bronia Szczygiel (NPL, UK). Jane Sinclair gave the motivation for the panel and asked a number of questions about the Criteria that she hoped we might find answers for. The first panelist, Jonathan Millen, outlined the key components of the Criteria, described how it might be used, and gave pointers to those aspects of the Criteria that are open to opportunities for further technical work (practically everything). He noted that the Criteria typically defines what is required, but gives no assistance on how to do it; he felt that further support/guidance documentation should be provided. He finished with the meta-challenge: do we really know enough to do what is required by the Criteria?
Jeremy Jacob felt there was little trace of the security foundations community in the Criteria documentation, and asked whether the people developing it are paying any attention to us, or whether we have anything to offer them anyhow. John McLean noted that the Orange Book did enshrine the view of the technical community, and halted them in their tracks. Bronia Szczygiel argued that the Criteria does not meet users' needs, is incomplete and inflexible, and should address the integrity of the entire enterprise, not just the computer system. But she felt that its principles were good, i.e., addressing what your security is, rather than low-level details. She suggested that conformance testing for security can give an added objectivity that is not obtained from evaluation alone. There was speculation from the audience as to whether `evaluated to CC' was like `Intel Inside': will it help sell systems? This was countered by: perhaps it is a warning. This seemed indicative of the audience's mood: one of skepticism as to whether it would be used in commercial practice. Perhaps using the Criteria is like the Irish dancing seen that night in Dromquinna: just a lot of fancy footwork?

The session for the final day of the workshop, Information Flow, was chaired by Joshua Guttman (MITRE, USA). Paul Syverson (NRL, USA) presented a paper, The Epistemic Representation of Information Flow Security in Probabilistic Systems, co-authored with J.W. Gray III. He outlined a logic for security in which information flows due to time and probability can be accounted for. Their logic is built on the standard Halpern-Tuttle model of knowledge and probability in systems, and represents a bringing together of previous work in the areas of noninterference and epistemic logic for modeling security. Connection Policies and Controlled Interference, by W.R. Bevier, R.M. Cohen and W.D. Young (Computational Logic, USA), was presented by Bill Young.
He described a generalization of their work (presented at this workshop last year) on intransitive non-interference. Typical intransitive noninterference requirements are at the granularity of agents: whether agents may or may not interfere. Controlled noninterference permits a finer granularity by using connection policies to define what channels connect agents, and so effectively captures how agents may or may not interfere with each other. He concluded by examining related work on intransitive noninterference, separability and type enforcement (assured pipelines).

We were fortunate to have three days of glorious sunshine, giving delegates the opportunity to discuss their research over walks by the sea, across mountains, and, as with every previous year, over games of croquet. Congratulations to this year's Croquet Tournament winner, Bill Roscoe, and the runner-up, Aris Zakinthinos.

At the business meeting, held after the last session, it was agreed to use Dromquinna Manor as the workshop venue for 1996. The workshop will run June 10--12, 1996. Simon Foley will remain as General Chair and the Programme Chair will be Michael Merritt. For further information about the workshop contact Simon Foley (at the address above), or access the CSFW web page at: http://www.csl.sri.com/ieee-csfw/csfw.html. Information about obtaining copies of this year's CSFW8 proceedings is also available at this site.

________________________________________________________________________
Calls for Papers (new listings since last issue only)
________________________________________________________________________
(see also Calendar)

o Conferences

Listed earliest deadline first. See also Cipher Calendar and NRL CHACS CFP list.

o ACM Workshop on Role-Based Access Control, 30 Nov. - 1 Dec. 1995, Gaithersburg, MD. The workshop is planned to bring together users, vendors and researchers who are interested in fostering and promoting RBAC.
The Workshop's objectives are to provide a forum for rapid dissemination of new ideas and developments in RBAC, and to cultivate convergence towards a standard framework for RBAC and related access control issues. Users, vendors and researchers desiring to participate should submit 2-3 page position papers describing their interest and activities in RBAC to Ravi Sandhu (sandhu@isse.gmu.edu).

o Workshop on Information Hiding, 30 May - 1 June 1996, Isaac Newton Institute, Cambridge, UK. Contributions sought on research and practice in information hiding techniques, as used in copyright marking of digital objects, covert channels in computer systems, subliminal channels in cryptographic protocols, LPI communications, and various kinds of anonymity services ranging from steganography through location security to digital elections. Send eight copies of papers up to 15 pages, suitable for blind refereeing, to Ross Anderson (ross.anderson@cl.cam.ac.uk) by 31 December 1995. Electronic submissions (preferably LaTeX using llncs.sty) also accepted.

o Tenth Annual IFIP WG 11.3 Working Conference on Database Security, 22-24 July 1996, Como, Italy. Submit papers (up to 5000 words) and panel proposals presenting original, unpublished research results, practical experiences, and innovative ideas in database security to one of the program co-chairs (Pierangela Samarati (samarati@dsi.unimi.it) and Ravi Sandhu (sandhu@isse.gmu.edu)) by February 20, 1996. The call for papers includes a summary of current issues of concern to the Working Group.

Journals

[Note: these publications are included in this issue for completeness; they will always accept submissions of relevant papers.--CEL]

o Journal of Computer Security (JCS) is an archival research journal for significant advances in computer security. Subject areas include architecture, operating systems, database systems, networks, authentication, distributed systems, formal models, verification, algorithms, mechanisms, and policies.
Submissions: send six copies to one of the editors in chief: Sushil Jajodia, ISSE Dept., George Mason University, 440 University Drive, Fairfax, VA 22030, or Jonathan Millen, The MITRE Corporation, 202 Burlington Road, Bedford, MA 01730. Subscriptions: contact IOS Press, Van Diemenstraat 94, 1013 CN Amsterdam, Netherlands, fax: +31 20 22 6055, e-mail: Marie-Louise.Kok@ios.nl, for information about individual or institutional subscriptions or back issues.

o Computers & Security aims to satisfy the needs of managers and experts involved in computer security by providing a blend of research developments, innovations, and practical management advice. Original submissions on all computer security topics are invited, particularly those of practical benefit to the practitioner. Four copies of papers of 5-10,000 words should be sent to the editor, John Meyer, at Elsevier Advanced Technology, P.O. Box 150, Kidlington, Oxford, OX5 1AS, United Kingdom. Telephones: voice +44 (0) 1865 843848 / 843000; fax +44 (0) 1865 843971.

________________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 1: Conference Papers
________________________________________________________________________
Papers to be presented at the Third ACM Conference on Computer and Communications Security, March 14-16, 1996, New Delhi, India (preliminary list, subject to minor changes).
-------------------------------------------------------------------------
o Unified Login with Pluggable Authentication Modules, Vipin Samar (Sun Microsystems, USA)
o Secure External References in Multimedia Email Messages, Burkhard Wiegel (German National Research Center for IT)
o Securing ATM Networks, Shaw-Cheng Chuang (University of Cambridge, UK)
o Diffie-Hellman Key Distribution Extended to Group Communication, Gene Tsudik (IBM Zurich Research Laboratory, Switzerland)
o Key Management in the Omega System, Michael Reiter, Matthew Franklin, John Lacy, and Rebecca Wright (AT&T Bell Laboratories, USA)
o Proxy Signatures for Delegating Signing Operation, Masahiro Mambo, Keisuke Usuda, and Eiji Okamoto (JAIST, Japan)
o Batch Exponentiation for Fast DLP-Based Signature Generation, David M'Raihi and David Naccache (GEMPLUS, France)
o Human-Computer Cryptography: An Attempt, Tsutomu Matsumoto (Yokohama National University, Japan)
o Revokable and Versatile Electronic Money, Markus Jakobsson (UCSD) and Moti Yung (IBM T.J. Watson Res. Center, USA)
o An Efficient Fair Payment System, Jan Camenisch, Jean-Marc Piveteau, and Markus Stadler (ETH Zurich and Union Bank of Switzerland)
o Reasoning about Authentication and Revocation: Timeliness Constraints of Obtaining Confidence, Stuart Stubblebine and Rebecca Wright (AT&T Bell Laboratories, USA)
o An Approach to the Formal Verification Of Cryptographic Protocols, Dominique Bolignano (Bull S.A./OSS, France)
o An Advanced Commit Protocol for MLS Distributed Database Systems, Indrajit Ray, Elisa Bertino, Sushil Jajodia, Luigi Mancini (University of Milan, Italy, and George Mason University, USA)
o Several Secure Store and Forward Devices, David Goldschlag (Naval Research Laboratory, USA)
o An Experiment on DES Statistical Cryptanalysis, Serge Vaudenay (ENS/DMI, France)
o Breaking and Repairing a Convertible Undeniable Signature Scheme, Markus Michels (University of Technology Chemnitz-Zwickau, Germany)
o Cryptanalysis of Private-Key Encryption Schemes Based on Burst-Error-Correcting Codes, Hung-Min Sun and Shiuh-Pyng Shieh (National Chiao Tung University, Taiwan)
o Access Control and Signatures via Quorum Secret Sharing, Moni Naor and Avishai Wool (The Weizmann Institute, Israel)
o A Non-timestamped Authorization Model for Relational Databases, Elisa Bertino, Sushil Jajodia, and Pierangela Samarati (Univ. of Milan, Italy, and George Mason University, USA)

---------------------------------------------------------------------------
Papers to be presented at IT Sicherheit '95, Communications and Multimedia Security, IFIP TC-6 TC-11 and Austrian Computer Society Joint Working Conference, 20-21 September, Graz, Austria
------------------------------------------------------------------------
o Invited Talk: The Puzzling Science of Information Integrity, Gustavus J. Simmons
o Issues of Attack in Distributed Systems - An Attack Generic Model, I. Kantzavelou, A. Patel (UCL Dublin)
o Covered Trust Values in Distributed Systems, B. Borcherding, M. Borcherding (University of Karlsruhe)
o File Server Architecture For an Open Distributed Document System, B. Christianson, P. Hu, B. Snook (University of Hertfordshire)
o A heuristic for securing Hypertext documents, M.S. Olivier (Rand Afrikaans University, Johannesburg)
o Multimedia - Security - and Quality Issues, K. Keus, R. Thomys (BSI Bonn)
o The Graphical Interface for Secure Mail, F. Bracun, B. Jerman-Blazic, T. Klobucar, D. Trcek (Jozef Stefan Institute, Slovenia)
o Security Subjects and their classification criteria in the Network Security Reference Model, T. Chikaraishi, T. Shimomura, T. Ohta (ATR Kyoto)
o A strategic approach to a national security policy, H. Zeger (Arge Daten, Wien)
o Managing information security in a client/server environment with distributed, object-oriented role-based security, J. van der Merwe, S.H. von Solms, M.S. Olivier (Rand Afrikaans University)
o Authorization in the Distributed Object Environment MOdel for Fine-grained Access Control (MOFAC), J. von Solms, M.S. Olivier, S. von Solms (Rand Afrikaans University)
o Interworking Public Key Certification Infrastructure for Europe, P. Lipp, V. Hassler (Technische Universitat Graz)
o Invited Speaker: The Patient Card and its Position in a New Health Care System, C.O. Koehler (German Cancer Research Center Heidelberg)
o Access Control for Federated Database Environments - A Taxonomy of Design Choices, W. E_maier, F. Kastner, S. Preishuber (Research Institute for Applied Knowledge Processing, Hagenberg), G. Pernul (Universität Wien), A.M. Tjoa (Technische Universitat Wien)
o Authorization in Multimedia Conferencing Systems, E. Fernandez, P. Chien (Florida Atlantic University, Boca Raton)
o Authentication and Key Distribution in Computer Networks and Distributed Systems, R. Oppliger (Universität Bern)
o Hidden Signature Schemes based on the discrete logarithm problem and related concepts, P. Horster, M. Michels, H. Petersen (University of Technology Chemnitz-Zwickau)
o Digital signature schemes based on Lucas functions, P. Horster, M. Michels, H. Petersen (University of Technology Chemnitz-Zwickau)
o Powerpermutations on prime residue classes, H. Fischer, C. Stingl (Universität Klagenfurt)
o Hill cipher application to multimedia security, N. Nikitakos (Hellenic Navy)
o From Steganographia to Subliminal Communication, O. Horak
o On the fractal nature of the set of all binary sequences with almost perfect linear complexity profile, H. Niederreiter, M. Vielhaber (Austrian Academy of Sciences, Vienna)

----------------------------------------------------------------------------
Papers presented at the 1996 New Paradigms Workshop, held 22-25 August 1995 at the University of California at San Diego, La Jolla, California
----------------------------------------------------------------------------
o 'TSUPDOOD? Repackaged Problems for You and MMI, Becky Bace and Marvin Schaefer
o Security for Infinite Networks, Ruth Nelson and Hilary Hosmer
o Research Issues in Authorization Models for Hypertext Systems, Elisa Bertino and Pierangela Samarati
o Unhelpfulness as a Security Policy, Ruth Nelson
o QuARC Security, John Yesberg and Mark Anderson
o Administration in a Multiple Policy/Domain Environment, William Ford
o Virtual Enterprises and the Enterprise Security Architecture, Tom Haigh
o Software Systems Risk Management and Assurance, Sharon Fletcher et al.
o Applying the Dependability Paradigm to Computer Security, Cathy Meadows
o Pretty Good Assurance, Jeffrey Williams, Marv Schaefer, Douglas Landoll
o Review of Assurance Work in the UK, John Dobson
o Credentials for Privacy and Interoperation, V.E. Jones, N. Ching, M. Winslett

________________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 2: Journal and Newsletter Articles, Book Chapters
________________________________________________________________________
o SIGSAC Security Audit & Control Review, Volume 13, Number 3 (July 1995) [special issue: Issues 94 Workshop on Public Key Cryptography]:
  - Harvey H. Rubinovitz. Issues 94 - public key - trials and tribulations. pp. 2-4.
  - Diane E. Coe and Frank J. Smith. Developing and deploying a corporate-wide digital signature capability. pp. 5-8.
  - Warwick Ford. Advances in public-key certificates. pp. 9-15.
o SIGSAC Security Audit & Control Review, Volume 13, Number 2 (April 1995). C. S. Guynes and R. G. Thorn. Network security in a client/server environment. pp. 7-12.
o Computers & Security, Volume 14, Number 3 (1995). (Elsevier) Refereed Papers:
  - Frank Deane, Kate Barrelle, Ron Henderson and Doug Mahar. Perceived acceptability of biometric security systems. pp. 225-232.
  - Matt Bishop and Daniel Klein. Improving system security via proactive password checking. pp. 233-250.
  - H. Booysem and J. Eloff. Classification of objects for improved access control. pp. 251-266.
o Information Processing Letters, Vol. 55, No. 3 (August 1995). L. Gong. Collisionful keyed hash functions with selectable collisions. pp. 167-170.
o Information Processing Letters, Vol. 55, No. 1 (July 1995). H-Y. Lin and L. Harn. Fair reconstruction of a secret. pp. 45-47.
o IEEE Transactions on Computers, Vol. 44, No. 7 (July 1995). S-M. Yen and C-S. Laih. Improved Digital Signature Suitable for Batch Verification. pp. 957-959.
o MIT Technology Review, Vol. 98, No. 5 (July 1995). Dorothy Denning. Resolving the encryption dilemma: The case for the clipper chip. pp. 48-55.
________________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 3: Books
________________________________________________________________________

o Schneier, B. Applied Cryptography, Second Edition. According to the author,
  this is a major expansion of the popular first edition ("50% more words").
  Publication date is 15 November, but a 15% pre-publication discount may be
  available; write schneier@winternet.com.
o Icove, D., K. A. Seger, W. R. VonStorch, and E. H. Spafford. Computer Crime:
  A Crimefighter's Handbook. O'Reilly & Associates, $24.95.

________________________________________________________________________
Calendar
________________________________________________________________________

The Internet Conference Calendar, URL: http://www.automatrix.com/conferences/
is also worth a look.

Dates                Event, Location                  Point of Contact/
                                                      more information
-----                ---------------                  ----------------------
====================================================================
See Calls for Papers section for details on many of these listings.
====================================================================
 9/17/95- 9/20/95: HPTS 95, Asilomar, CA; neowens@vnet.ibm.com
 9/20/95- 9/21/95: IT-Sicherheit '95, Graz; rposch@iaik.tu-graz.ac.at
 9/20/95- 9/23/95: IC3N '95, Las Vegas; kia@unlv.edu
 9/21/95- 9/22/95: ICI '95, Washington DC; denning@cs.georgetown.edu
 9/27/95- 9/29/95: DCCA-5, Champaign, IL; no e-mail address available
10/ 2/95:          JBCS spec. issue on DBMS, papers due; laender@dcc.ufmg.br
10/10/95-10/13/95: NISS-18, Baltimore, MD; NISS_Conference@Dockmaster.ncsc.mil
10/23/95:          RBAC '95, Maryland, submissions due; sandhu@isse.gmu.edu
10/23/95:          SIGMOD/PODS '96, Montreal, submissions due;
                   SIGMOD: sigmod96@research.att.com; PODS: hull@cs.colorado.edu
11/ 1/95:          IS issue on disaster recovery, papers due; agrawal@cs.ucsb.edu
11/ 6/95:          IEEE S&P '96 submissions due; mchugh@cs.pdx.edu
11/ 6/95-11/10/95: ICECCS '95, Fort Lauderdale; alex@vulcan.njit.edu
11/14/95-11/15/95: ACM MCN '95, Berkeley, CA; mcn95-submission@cs.columbia.edu
11/15/95:          ICSSDBM '96, Stockholm, submissions due; pers@sto.foa.se
11/15/95-11/17/95: CISMOD '95, Bombay; bhalla@u-aizu.ac.jp
11/29/95-12/ 2/95: CIKM '95, Baltimore; nicholas@cs.umbc.edu
11/30/95-12/ 1/95: RBAC '95, NIST, Gaithersburg, MD; sandhu@isse.gmu.edu
11/30/95:          ACM Computer Security Day; computer_security_day@acm.org
12/ 4/95-12/ 7/95: DOOD '95, Singapore; mendel@db.toronto.edu
12/11/95-12/15/95: ACSAC '95, New Orleans; smith@arca.va.com
12/13/95-12/15/95: OOER '95, G.C., Australia; mikep@icis.qut.edu.au
12/18/95-12/20/95: 5th IMACCC, Cirencester, UK; colin.boyd@man.ac.uk
12/27/95-12/30/95: 7th COMAD, Pune, India; anand@pspl.ernet.in or
                   krishnam@hplabs.hp.com
12/31/95:          IH Workshop '96, submissions due; ross.anderson@cl.cam.ac.uk
 1/11/96:          FMSP '96, San Diego, CA; sriram.sankar@sun.com
 1/29/96:          ACISP '96, Wollongong, NSW, Australia, submissions due;
                   josef@cs.uow.edu.au
 2/20/96:          IFIP WG 11.3, Como, Italy, submissions due;
                   samarati@dsi.unimi.it or sandhu@isse.gmu.edu
 2/22/96- 2/23/96: SNDSS '96, San Diego; http://nii.isi.edu/info/sndss
 2/23/96:          VLDB '96 submissions due; nls@cse.iitb.ernet.in
 2/26/96- 3/ 1/96: ICDE '96, New Orleans; icde96@cis.ufl.edu
 3/14/96- 3/16/96: CCS-3, New Delhi; gong@csl.sri.com or Jacques.Stern@ens.fr
 3/15/96:          ESORICS '96, Rome, submissions due;
                   bertino@hermes.mc.dsi.unimi.it
 3/27/96- 3/30/96: CFP '96, Cambridge, MA; cfp96@mit.edu
 4/30/96- 5/ 3/96: 8th CCSS, Ottawa; no e-mail address available
 5/30/95- 6/ 1/96: IH Workshop '96, Cambridge, UK; ross.anderson@cl.cam.ac.uk
 5/ 5/96- 5/ 8/96: IEEE S&P 96; dmj@mitre.org
 5/21/96- 6/24/96: IFIP/SEC 96, Greece; no e-mail address available
 6/ 3/95- 6/ 6/95: SIGMOD/PODS '96, Montreal, Canada
 6/18/96- 6/20/96: ICSSDBM '96, Stockholm; pers@sto.foa.se
 6/24/96- 6/26/96: ACISP '96, Wollongong, Australia; josef@cs.uow.edu.au
 7/22/96- 7/24/96: IFIP WG 11.3, Como, Italy; samarati@dsi.unimi.it or
                   sandhu@isse.gmu.edu
 9/ 3/96- 9/ 6/96: VLDB '96, Bombay, India; nls@cse.iitb.ernet.in
 9/25/96- 9/27/96: ESORICS '96, Rome; bertino@hermes.mc.dsi.unimi.it
 5/ 4/97- 5/ 7/97: IEEE S&P 97, Oakland; no e-mail address available
 5/13/97- 5/16/97: 9th CCSS, Ottawa; no e-mail address available
 5/ 3/98- 5/ 6/98: IEEE S&P 98, Oakland; no e-mail address available
 5/12/98- 5/15/98: 10th CCSS, Ottawa; no e-mail address available
 5/ 2/99- 5/ 5/99: IEEE S&P 99, Oakland; no e-mail address available
 5/11/99- 5/14/99: 11th CCSS, Ottawa; no e-mail address available
 4/30/00- 5/ 3/00: IEEE S&P 00, Oakland; no e-mail address available
 5/16/00- 5/19/00: 12th CCSS, Ottawa; no e-mail address available

Key:
====
ACISP       = Australasian Conference on Information Security and Privacy
ACSAC       = Annual Computer Security Applications Conference
CCS-3       = 3rd ACM Conference on Computer and Communications Security
CCSS        = Annual Canadian Computer Security Symposium
CIKM        = Int. Conf. on Information and Knowledge Management
COMAD       = Seventh Int'l Conference on Management of Data (India)
CISMOD      = International Conf. on Information Systems and Management of Data
CFP         = Conference on Computers, Freedom, and Privacy
CPAC        = Cryptography - Policy and Algorithms Conference
CSFW        = Computer Security Foundations Workshop
DCCA        = Dependable Computing for Critical Applications
DOOD        = Conference on Deductive and Object-Oriented Databases
ESORICS     = European Symposium on Research in Computer Security
FISSEA      = Federal Information Systems Security Educators' Association
FMSP        = Formal Methods in Software Practice
HPTS        = Workshop on High Performance Transaction Systems
IC3N        = Int. Conference on Computer Communications and Networks
ICDE        = Int. Conf. on Data Engineering
ICI         = International Cryptography Institute
ICECCS      = Int. Conf. on Engineering of Complex Computer Systems
ICSSDBM     = Int. Conf. on Sci. and Statistical Database Management
IEEE S&P    = IEEE Symposium on Security and Privacy
IFIP/SEC    = Int. Conference on Information Security (IFIP TC11)
IFIP WG11.3 = IFIP WG11.3 10th Working Conf. on Database Security
IH Workshop '96 = Workshop on Information Hiding
IMACCC      = IMA Conference on Cryptography and Coding
INET        = Internet Society Annual Conference
IS          = Information Systems (journal)
ISOC-Symp   = Internet Society Symposium on Network and Distributed
              System Security
IT-Sicherheit '95 = Communications and Multimedia Security: Joint Working
              Conference of IFIP TC-6 and TC-11 and Austrian Computer Soc.
JBCS        = Journal of the Brazilian Computer Society
JCMS        = Journal of Computer Mediated Communication
MCN '95     = ACM Int. Conf. on Mobile Computing and Networking
MDS '95     = Second Conference on the Mathematics of Dependable Systems
MMDMS       = First Int. Workshop on Multi-Media Database Management Systems
NCSC        = National Computer Security Conference
NISS        = National Information Systems Security Conference
NSPW        = New Security Paradigms Workshop
OOER        = Fourteenth Int. Conf. on Object-Oriented and Entity
              Relationship Modelling
RBAC '95    = First ACM Workshop on Role-Based Access Control
SAC '95     = 2nd Annual Workshop on Selected Areas of Cryptography
SFTC-VI     = Symposium on Fault Tolerant Computing - VI (Brazil)
SIGMOD/PODS = ACM SIGMOD International Conference on Management of Data /
              ACM SIGACT SIGMOD-SIGART Symposium on Principles of Database
              Systems
SNDSS       = Symp. on Network and Distributed Sys. Sec. (Internet Society)
USENIX Sec Symp = USENIX UNIX Security Symposium
VLDB        = Int'l Conf. on Very Large Databases
WDAG-9      = Ninth Int. Workshop on Distributed Algorithms

________________________________________________________________________
Who's Where: recent address changes
________________________________________________________________________

Posted 11 August 1995:

Gary S. Lynch
Research Director, Information Security Services
Gartner Group
56 Top Gallant Road - P.O. Box 10212
Stamford, CT 06904-2212
(203) 316-1111 (voice)
(203) 316-1100 (fax)
gslynch@interserv.com or glynch@gartner.com

Posted 8 August 1995:

Dr. D. Elliott Bell
Principal Engineer
The MITRE Corporation
7525 Colshire Drive
McLean, VA 22102
(703) 883-6275
dbell@mitre.org
Bell@dockmaster.ncsc.mil

Prof. E. Stewart Lee
University of Cambridge
Computer Laboratory
New Museums Site
Pembroke Street
Cambridge CB2 3QG
United Kingdom
Stewart.Lee@cl.cam.ac.uk

Updated 8 August 1995:

Dixie Baker
Science Applications International Corporation
10770 Wateridge Circle, M/S 121
San Diego, CA 92121
email: dixie_baker@cpqm.saic.com
phone: (310) 613-3603

________________________________________________________________________
New Reports available via FTP and WWW
________________________________________________________________________

Gene Spafford announces the availability of two new theses:

Taimur Aslam's MS thesis: A taxonomy of security faults in the Unix
operating system:
ftp://coast.cs.purdue.edu/pub/COAST/papers/aslam-taxonomy-msthesis.ps.Z

Sandeep Kumar's Ph.D. dissertation: Classification and detection of
computer intrusions:
ftp://coast.cs.purdue.edu/pub/COAST/papers/kumar-intdet-phddiss.ps.Z

Also, Gene has reorganized the COAST archive and encourages Cipher readers
to revisit it and comment. URL: http://www.cs.purdue.edu/coast

IPSEC RFC's 1825 - 1829 can be found at:
http://ds.internic.net/ds/rfc-index.html

IITF report on Intellectual Property and the National Information
Infrastructure: http://www.uspto.gov/web/ipnii/

INET 95 papers on security (and other topics; full papers available at
http://www.isoc.org/HMP/proc1.html):

A Distributed Authorization Model for WWW
by Jose Kahan Oblatt
http://www.isoc.org/HMP/PAPER/107/abst.html

Using Public Key Technology -- Issues of Binding and Protection
by James Glavin and Sandra Murphy, TIS
http://www.isoc.org/HMP/PAPER/147/abst.html

Simple Key-Management for Internet Protocol (SKIP)
by Ashar Aziz, Martin Patterson, and Geoff Baehr
http://www.isoc.org/HMP/PAPER/244/abst.html

Secure TCP -- Providing Security Functions in TCP Layer
by Toshiyuki Tsutsumi and Suguru Yamaguchi
http://www.isoc.org/HMP/PAPER/144/abst.html

Measured Interference of Security Mechanisms with Network Performance
by K. Claffy, Hans-Werner Braun, Andrew Gross
http://www.isoc.org/HMP/PAPER/215/abst.html

Information on the Sept. NIS&T Key Escrow Export meeting
http://www.isse.gmu.edu/students/pfarrell/nistmeeting.html

"NIST/NSA/DoJ view of SKE" by Carl Ellison
http://www.clark.net/pub/cme/html/nist-ske.html

________________________________________________________________________
Interesting Links [new entries only]
________________________________________________________________________

Format: Description (first lines) followed by URL (last line)

Government sources/information:
-------------------------------
No new ones this issue

Professional societies and organizations:
-----------------------------------------
No new ones this issue

Other places for interesting research papers, announcements, assistance
-----------------------------------------------------------------------
Pathfinder: Time-Warner Publications
http://www.pathfinder.com

Unix Security
http://www.alw.nih.gov/Security/security.html

________________________________________________________________________
Data Security Letter Subscription Offer
________________________________________________________________________

A special subscription rate of $25/year for the Data Security Letter is now
available to IEEE TC members. The DSL is an external, nonpartisan newsletter
published by Trusted Information Systems, Inc. Eleven issues (usually 16
pages each) per year are published. The DSL welcomes reader suggestions and
contributions and accepts short research abstracts (about 130 words) for
publication on an ongoing basis. On occasion, the DSL will be republishing
Cipher articles (with authors' approval), but such articles will constitute
a small portion of DSL content (thus there will be very little duplication
of Cipher material).

IEEE TC members wishing to take advantage of the special subscription rate
should send the following to sharon@tis.com. The information can also be
faxed to 301-854-5363 (attention: DSL) or phoned to 301-854-5338.

NAME:
POSTAL ADDRESS: (Please indicate company name, if a business address)
PHONE: (Please indicate if home or business)
FAX:
E-MAIL:
IEEE Membership No. (if applicable):

NOTE: If you are already a paying subscriber to the DSL, for the $25 you
will receive a 2-year renewal; refunds, rebates, etc., on your current
subscription are not available.

If you have any questions about the offer or anything else pertaining to
the DSL, you may contact the editor, Sharon Osuna, via E-Mail to
sharon@tis.com or call her at 301-854-5338.

________________________________________________________________________
How to join the TC on Security and Privacy
________________________________________________________________________

You do NOT have to join either IEEE or the IEEE Computer Society to join
the TC, and there is no cost to join the TC. All you need to do is fill out
an application form and mail or fax it to the IEEE Computer Society.
A copy of the form is included below (to simplify things, I have omitted
the list of other TCs and just included the TC on Security and Privacy,
which I have marked). The full and complete form is available on the IEEE
Computer Society's Web Server at URL:
http://info.computer.org:80/tab/tcapplic.htm

PLEASE NOTE THAT THE FORM IS TO BE RETURNED (BY MAIL OR FAX) TO THE IEEE
COMPUTER SOCIETY, >>NOT<< TO CIPHER.

---------
IEEE Computer Society Technical Committee Membership Application
-----------------------------------------------------------
Please print clearly or type.
-----------------------------------------------------------
Last Name                 First Name              Middle Initial
___________________________________________________________
Company/Organization
___________________________________________________________
Office Street Address (Please use street addresses over P.O.)
___________________________________________________________
City                                              State
___________________________________________________________
Country                                           Postal Code
___________________________________________________________
Office Phone                                      Fax
___________________________________________________________
Email Address (Internet accessible)
___________________________________________________________
Home Address (optional)
___________________________________________________________
Home Phone
___________________________________________________________

[ ] I am a member of the Computer Society
    IMPORTANT: IEEE Member/Affiliate/Computer Society Number: ____________________
[ ] I am not a member of the Computer Society*

Please Note: In some TCs only current Computer Society members are eligible
to receive Technical Committee newsletters.

Please select up to four Technical Committees/Technical Councils of interest.
TECHNICAL COMMITTEES
[ X ] T27 Security and Privacy

Please Return Form To:
IEEE Computer Society
1730 Massachusetts Ave, NW
Washington, DC 20036-1992
Phone: (202) 371-0101
FAX: (202) 728-9614

________________________________________________________________________
TC Publications for Sale
________________________________________________________________________

Despite the sweltering D.C. summer just ending, the Proceedings of the 1995
IEEE Symposium on Security and Privacy remain as fresh and green as they
were last spring. They continue to be available, along with those old
favorites in blue, orange, and pink, for purchase by TC members at
favorable rates. Current issues in stock and continuing LOW PRICES are as
follows:

        Price by mail from TC    IEEE CS Press        IEEE CS Press
Year    for TC members           IEEE member price    List Price
----    ---------------------    -----------------    -------------
1992    $10                      Only available from TC!
1993    $15                      Only available from TC!
1994    $20                      $30+$4 S&H           $60+$5 S&H
1995    $25                      $25+$4 S&H           $50+$4 S&H

For overseas delivery:
-- by surface mail, please add $5 per order (3 volumes or fewer)
-- by air mail, please add $10 per volume to the prices listed above.

If you would like to place an order, please send a letter specifying
o which issues you would like,
o where to send them, and
o a check in US dollars, payable to the 1995 IEEE Symposium on Security
  and Privacy
to:

Charles N. Payne
Treasurer, IEEE TC on Security and Privacy
Secure Computing Corp.
2675 Long Lake Rd.
Roseville, MN 55113

We remain unready to plunge our figurative toe into the inviting but
potentially treacherous waters of electronic commerce!

________________________________________________________________________
TC Officer Roster
________________________________________________________________________

Chair:
Deborah Cooper
P.O. Box 17753
Arlington, VA 22216
(703)908-9312 voice and fax
dmcooper@ix.netcom.com

Vice Chair:
Charles P. Pfleeger
Trusted Information Systems (UK) Ltd.
41 Surbiton Road
Kingston upon Thames KT1 2HG
ENGLAND
pfleeger@tis.com

Newsletter Editor:
Carl Landwehr
Code 5542
Naval Research Laboratory
Washington, DC 20375-5337
(202)767-3381
landwehr@itd.nrl.navy.mil

Chair, Subcommittee on Academic Affairs:
Prof. Karl Levitt
University of California, Davis
Division of Computer Science
Davis CA 95611
(916)752-0832
levitt@iris.ucdavis.edu

Standards Subcommittee Chair:
Nominations invited

________________________________________________________________________
Information for Subscribers and Contributors
________________________________________________________________________

SUBSCRIPTIONS: Two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to
   (which is NOT automated) with subject line "subscribe".

2. To receive a short e-mail note announcing when a new issue of CIPHER is
   available for Web browsing or downloading from our ftp server, send
   e-mail to (which is NOT automated) with subject line "subscribe postcard".

To remove yourself from the subscription list, send e-mail to
cipher-request@itd.nrl.navy.mil with subject line "unsubscribe".

Those with access to hypertext browsers may prefer to read Cipher that way.
It can be found at URL
http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher

CONTRIBUTIONS: to are invited. Cipher is a NEWSletter, not a bulletin board
or forum. It has a fixed set of departments, defined by the Table of
Contents. Please indicate in the subject line for which department your
contribution is intended. For Calendar entries, please include an e-mail
address for the point-of-contact.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
All reuses of Cipher material should respect stated copyright notices, and
should cite the sources explicitly; as a courtesy, publications using
Cipher material should obtain permission from the contributors.
BACK ISSUES: There is an archive that includes each copy distributed so
far, in ascii, in files you can download at URL
http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher/cipher-archive.html

There is also an anonymous FTP server that contains the same files.
To access the archive via anonymous FTP:

1. ftp www.itd.nrl.navy.mil
2. At prompt for ID, enter "anonymous"
3. At prompt for password, enter your actual, full e-mail address
4. Once you are logged in, change to the Cipher Directory: cd pub/cipher
5. Now you can request any of the files containing Cipher issues in ascii.
   Issues are named in the form: EI#N.9506 where N is the number of the
   issue desired and 9506 captures the year and month it first appeared.

=======end of Electronic Cipher Issue #9, 18 September 1995================