Subject: Electronic CIPHER, Issue 29, October 7, 1998

====================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 29 October 7, 1998
Avi Rubin and Paul Syverson, Editors
Bob Bruen, Book Review Editor
Hilarie Orman, Assoc. Editor
Mary Ellen Zurko, Assoc. Editor
Anish Mathuria, Reader's Guide
====================================================================
http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher/

Contents: [3634 lines total]

o Letter from the Editor
o Twentieth Anniversary S&P Symposium Special Announcement
1999 IEEE Symposium on Security and Privacy Final Call for Papers
1999 IEEE Computer Security Foundations Workshop Initial Call for Papers

Security and Privacy News Briefs:
o LISTWATCH: Items from security-related lists, by Mary Ellen Zurko
o US loosens crypto export restrictions
o NRC Report, Trust in Cyberspace, calls for federally funded research
o TIS Labs Unveils New Digest Algorithm
o US Dept. of Defense tightens policy for Web site postings
o PKI collaborations, interoperations, and freeware standard implementations announced
o Visa and Mastercard offer incentives for banks to use SET

Commentary and Opinion:
Book Reviews by Bob Bruen
o Cracking DES. Secrets of Encryption Research, Wiretap Politics & Chip Design. by the Electronic Frontier Foundation.
Reviewed by Robert Bruen Conference Reports: o CRYPTO '98 by David Balenson, David Carman, and David McGrew o USENIX ECommerce '98 by Radha Poovendran and Kevin Fu o NSPW '98 (New Security Paradigms Workshop) by Mary Ellen Zurko Conference announcements: o ASIACRYPT'98 o Workshop on Security in Large-Scale Distributed Systems o ACM Conference on Computer and Communications Security o USENIX Workshop on Smartcard Technology o 1999 USENIX Annual Conference o 8th USENIX Security Symposium o NDSS '99 New reports available via FTP and WWW: Schneier's Block Cipher course New Interesting Links on the Web: WIPO Treaty page, Bug and fix repository Who's Where: recent address changes Calls for Papers: AT, PODC, WECS, WISE, Dist. and Par. DBs, JSAC Reader's guide to recent security and privacy literature o Conference Papers o Journal and Newsletter articles Calendar List of Computer Security Academic Positions, maintained by Cynthia Irvine Publications for Sale -- S&P and CSFW proceedings available TC officers Information for Subscribers and Contributors ____________________________________________________________________ Letter from the Editor ____________________________________________________________________ Dear Readers, Once again, we are delighted to bring you an issue of the Cipher newsletter. We hope that you can turn your attention for several minutes away from the Monica Lewinsky/impeachment scandal and the stock market woes to focus on what's new in security and privacy, although we all know what's really important. (Actually, Mez did find a technically relevant wrinkle, which you can read in her Listwatch report.) In this issue, we bring you several calls for papers, conference reports, book reviews, news items and other announcements. Many thanks to all our associate editors and other contributors, without whom this issue would be much thinner and much less interesting. 
Avi Rubin and Paul Syverson Editors, Cipher ____________________________________________________________________ ____________________________________________________________________ Twentieth Anniversary S&P Symposium Special Announcement ____________________________________________________________________ The 1999 IEEE Symposium on Security and Privacy will be our twentieth meeting, and very likely the last one we will be able to hold at the Claremont. Papers for the symposium this year will appear not only in the standard paper proceedings but on a CD-ROM of all the papers from the first 20 years. So, get your submissions in by October 23. [The call for papers is below.] As the CFP indicates, the organizers have decided to extend the Symposium to a full three days in order to allow for some special events. I have some ideas, but I would like yours as well. Please think about what would make this meeting particularly special for you, and send me an e-mail (landwehr@itd.nrl.navy.mil). Also, please plan to attend. The dates are Sunday, May 9 - Wednesday, May 12; set them aside now! -Carl Landwehr ____________________________________________________________________ 1999 IEEE Symposium on Security and Privacy Final Call for Papers ____________________________________________________________________ also available on the Web at 1999 IEEE Symposium on Security and Privacy (with special 20th symposium events) May 9-12, 1999 Oakland, California sponsored by IEEE Computer Society Technical Committee on Security and Privacy in cooperation with The International Association for Cryptologic Research (IACR) For 19 years, the IEEE Symposium on Security and Privacy has been the premier forum for the presentation of developments in computer security and for bringing together researchers and practitioners in the field. Previously unpublished papers offering novel research contributions in any aspect of computer security are solicited for submission to the 20th Symposium. 
Papers may represent advances in the theory, design, implementation, analysis, or empirical evaluation of secure systems, either for general use or for specific application domains. Topics of interest include, but are not limited to, the following: - Commercial and industrial security - Security and other critical system properties - Mobile code and agent security - Distributed systems security - Network security - Database security - Data integrity - Access control and audit - Information flow - Security verification - Viruses and worms - Security protocols - Authentication - Biometrics - Smartcards - Policy modeling - Intrusion detection - Privacy and anonymity A continuing feature of the symposium will be a session of 5-minute talks, where speakers can present preliminary research results or summaries of works published elsewhere. Abstracts of these talks will be distributed at the Symposium. In addition, a committee has been formed to organize special events to celebrate the 20th symposium. Ideas and proposals for such events are welcome and should be sent to the 20th Symposium Committee chair, Carl Landwehr, at landwehr@itd.nrl.navy.mil. This year, the conference will be three (3) full days to accommodate the special events in addition to the regular program. INSTRUCTIONS FOR PAPER SUBMISSIONS Submitted papers must not substantially overlap papers that have been published or that are simultaneously submitted to a journal or a conference with a proceedings. Papers should be at most 20 pages excluding the bibliography and well-marked appendices (using 11-point font and reasonable margins on 8.5"x11" paper), and at most 25 pages total. Committee members are not required to read the appendices, and so the paper should be intelligible without them. Papers should be submitted in a form suitable for anonymous review: remove author names and affiliations from the title page, and avoid explicit self-referencing in the text. 
Send via email to reiter@research.bell-labs.com a plain ASCII text message containing the title and abstract of your paper, the authors' names, email and postal addresses, phone and fax numbers, and identification of the contact author. If any bibliographic citations were blinded from the paper for anonymous review, then include the full bibliographic citations in this email message. In addition, submit your paper using ONE of the following two methods. We strongly encourage electronic submission in Postscript format. Using either method, the paper should contain the title and the abstract of the paper but not information that explicitly identifies the authors. Electronic submission (preferred): Instructions for submitting your Postscript paper by email can be obtained by sending email to sp99@research.bell-labs.com with the Subject line containing "HELP". Electronic submissions must be interpretable by Ghostscript, must use standard fonts or include the necessary fonts, and must be prepared for US letter (8.5"x11") page size. Authors who cannot meet these requirements should submit hardcopy instead. It is strongly recommended that you electronically submit your paper at least one week in advance of the submission deadline, to allow us adequate time to verify that we can print your paper (and if not, to allow you to submit your paper in hardcopy to be received by the submission deadline). We cannot be held responsible for papers that we cannot print. OR Hardcopy submission: Send twenty (20) copies of your paper to Li Gong at the address below with a separate cover letter indicating that your paper is a submission for the 1999 IEEE Symposium on Security and Privacy, and listing the authors' names, email and postal addresses, phone and fax numbers, and identifying the contact author. Li Gong Sun Microsystems, Inc. 
MS UCUP02-102 901 San Antonio Road Palo Alto, CA 94303-4900, USA (Telephone number for express/courier delivery purposes: +1-650-336-0600) Submissions received after the submission deadline or failing to conform to the guidelines above risk rejection without consideration of their merits. Where possible all further communications to authors will be via email. Paper submissions due: October 23, 1998 Acceptance notification: January 18, 1999 Final papers due: March 10, 1999 INSTRUCTIONS FOR PANEL PROPOSALS The conference may include panel sessions addressing topics of interest to the computer security community. Proposals for panels should be no longer than five (5) pages in length and should include possible panelists and an indication of which of those panelists have confirmed participation. Send two (2) hardcopies of your proposal to Li Gong at the address above with a cover letter indicating that your proposal is for the 1999 IEEE Symposium on Security and Privacy, and listing the proposers' names, email and postal addresses, and phone and fax numbers. Panel proposals submissions due: October 23, 1998 Acceptance notification: January 18, 1999 INSTRUCTIONS FOR 5-MINUTE TALKS Abstracts for 5-minute talks should fit on one 8.5"x11" page, including the title and all author names and affiliations. Abstracts should be sent via email in plain ASCII format to Li Gong at li.gong@sun.com. The email should state that this abstract is being submitted for presentation at the 1999 IEEE Symposium on Security and Privacy, and should include the presenter's name, email and postal addresses, and phone and fax numbers. 
5-minute abstracts due: March 12, 1999 Acceptance notification: March 26, 1999 General chair: John McLean (Naval Research Lab, USA) Vice chair: Jonathan Millen (SRI International, USA) Program co-chairs: Li Gong (Sun Microsystems, USA) Michael Reiter (Bell Labs, USA) Treasurer: Brian Loe (Secure Computing Corporation, USA) Program committee: Martin Abadi (Compaq SRC, USA) Steve Bellovin (AT&T Labs, USA) Bob Blakley (IBM, USA) Drew Dean (Xerox PARC, USA) Robert Deng (KRDL, Singapore) Dieter Gollmann (Microsoft Research, UK) Heather Hinton (Ryerson Polytechnic University, Canada) Cynthia Irvine (Naval Postgraduate School, USA) Wenbo Mao (HP Labs, UK) John McHugh (Portland State University, USA) John McLean (Naval Research Laboratory, USA) John Mitchell (Stanford University, USA) Roger Needham (University of Cambridge, UK) Phil Porras (SRI International, USA) Ravi Sandhu (George Mason University, USA) Sang Son (University of Virginia, USA) Dan Wallach (Rice University, USA) ____________________________________________________________________ 1999 IEEE Computer Security Foundations Workshop Initial Call for Papers ____________________________________________________________________ (also available on the Web at ) Call For Papers 12th IEEE Computer Security Foundations Workshop June 28-30, 1999 Mordano, Italy Sponsored by the Technical Committee on Security and Privacy of the IEEE Computer Society This workshop series brings together researchers in computer science to examine foundational issues in computer security. This year the workshop moves to continental Europe for the first time, near Bologna Italy. It is also timed to coordinate with FLoC (the Federated Logic Conference) taking place later the same week in relatively nearby Trento, and which includes a workshop on Formal Methods and Security Protocols. 
We are interested both in new results in theories of computer security and also in more exploratory presentations that examine open questions and raise fundamental concerns about existing theories. Both papers and panel proposals are welcome. Possible topics include, but are not limited to: --------------- access control authentication data and system integrity database security network security distributed systems security information flow privacy anonymity security protocols security models formal methods for security as well as foundational issues relating to other critical system properties and in emerging areas such as mobile computing and executable content. The proceedings are published by the IEEE Computer Society and will be available at the workshop. Selected papers will be invited for submission to the Journal of Computer Security. Instructions for Participants: Submission is open to anyone. Workshop attendance is limited to about 40 participants. Prospective participants should send an ELECTRONIC copy of a paper (limit 7500 words) or proposal for panel discussion to Paul Syverson at syverson@itd.nrl.navy.mil. Please clearly identify the contact author and provide email addresses and telephone numbers (both voice and fax). (Paper submissions will be accepted if received by the deadline, but electronic submission of postscript is strongly encouraged.) 
IMPORTANT DATES:
Submission deadline: February 1, 1999
Notification of acceptance: March 12, 1999
Camera-ready papers: April 9, 1999

Program Committee
-----------------
Paul Syverson (chair), Naval Research Laboratory, USA
Martin Abadi, Compaq Systems Research Center, USA
Simon Foley, University College Cork, Ireland
Dieter Gollmann, Microsoft Research, UK
Joshua Guttman, MITRE, USA
Dahlia Malkhi, AT&T Labs--Research, USA
John McLean, Naval Research Laboratory, USA
John Mitchell, Stanford University, USA
Jonathan Millen, SRI International, USA
George Necula, University of California, Berkeley, USA
Peter Ryan, Defence Evaluation and Research Agency, UK
Pierangela Samarati, University of Milano, Italy
Fred Schneider, Cornell University, USA
Dennis Volpano, Naval Postgraduate School, USA
Aris Zakinthinos, Independent Consultant, Canada

Workshop Location
------------------
The workshop will be held at the Hotel Panazza, in Mordano, Italy. Mordano is a small town, very close to Imola, where each year the Formula One San Marino Grand Prix is held. Imola is about half an hour's drive from Bologna, a medieval city of half a million inhabitants, hosting the oldest university in Europe (founded in 1088). Other attractions in the area include Ravenna (capital of the Western Roman Empire, with marvelous Byzantine mosaics) and Ferrara (for some centuries an independent dukedom).

Hotel Panazza is made up of seventeenth century buildings, newly restored (including air-conditioning). Facilities include a large park for relaxing walks, a romantic lake with swans and peacocks, a tennis court and two swimming pools for sport activities, a restaurant, and a conference hall in a former church. The hotel has forty-five rooms, each with private bathroom and telephone.

Bologna is connected to many European cities by an international airport. Imola is about half an hour from Bologna by train or highway, and Mordano is about 5 minutes' drive from the Imola exit of the highway.
For those going on to FLoC, Trento is about 3 hours away by car and 4 hours by train.

For further information contact:

General Chair
Prof. Roberto Gorrieri
Dipartimento di Scienze dell'Informazione
Via Mura Anteo Zamboni 7
I-40127 Bologna, Italy
+39 051-354509
gorrieri@cs.unibo.it

Program Chair
Paul Syverson
Naval Research Laboratory
Code 5543
Washington, DC 20375
USA
+1 202-404-7931
syverson@itd.nrl.navy.mil

Publications Chair
Joshua Guttman
The MITRE Corporation
202 Burlington Road
Bedford, MA 01730-1420
USA
+1 781-271-2654
guttman@mitre.org

More online information at .

____________________________________________________________________
SECURITY AND PRIVACY NEWS BRIEFS
____________________________________________________________________

______________________________________________________________________
LISTWATCH: items from security-related mailing lists (10/6/98)
by Mary Ellen Zurko, (mary_ellen_zurko@iris.com)
______________________________________________________________________

This issue's highlights are from cypherpunks, risks, tbtf, and crypto-gram.

Several stories were posted about Echelon, "a global network of highly sensitive listening posts operated in part by America's most clandestine intelligence organization, the National Security Agency" according to Wired. This system is purported to have been searching through telephone, email, fax, and telex traffic looking for certain keywords. Each agency involved is said to have a set of keywords of concern, and the full conversation or document is sent on when a keyword of interest is hit. There are accusations that the system was used to monitor European and Japanese businesses, to the potential advantage of US businesses as well. European Parliament discussion on the topic is at http://jya.com/ep091498-1.htm.
CASIO is offering a prize (worth about $7K US) for breaking their message encoded with MDSR, which is based on Multi-Dimensional Space Rotation and Time-Dependent Multi-Dimensional Space Rotation (http://www.casio.co.jp/en/).

There was a lot of discussion on cypherpunks about defining and using a "cypherpunks license" in the spirit of the GNU GPL, that requires developers who use code under this license to follow good cypherpunk practices like not using key recovery. It didn't seem like using a license was in the end the best place to try to encourage this sort of behavior.

A DoD memo went out expressing concern that too much information about infrastructure and capabilities was being made available on Web pages, and it might be used by terrorists. Military organizations were tasked with reviewing their web sites' information and "strike a balance between openness and sound security." The army struck its balance by pulling all its web sites off the internet, with no indication of when they might be back.

Bruce Schneier has created a self-study block-cipher cryptanalysis guide that sounds like fun to me. He publishes papers to describe the algorithms, challenges the student to try to reproduce published attacks, then points the student at the attacks to see how they did (http://www.counterpane.com/self-study.html).

A British company is offering superior physical security for its Web server by putting it in a room they purchased that was formerly part of a military base. There it is protected from electronic eavesdropping, physical intrusion, and electromagnetic damage, as well as a nuclear strike.

A flaw in Netscape's Javascript that could allow access to the user's cache was reported in the New York Times. As a sign of the times, there were quotes pointing out both what a big security violation it could be, and what a big privacy violation it could be.
The Naval Surface Warfare Center reported on attacks that were launched in a synchronized fashion from a variety of sites in order to escape detection by auditing tools. The concept should be no surprise to anyone here, but it did surprise me that a report like that was posted on www.abcnews.com's technology section.

The official Starr report was delivered to the White House as a WordPerfect document. When the White House converted it to HTML, the conversion process inserted some previously "deleted" footnotes and removed some other passages. Turns out "deleted" footnotes aren't scrubbed, just marked to be ignored. The conversion process ignored the "ignore" mark. One of the "deleted" footnotes that made it out had a mildly entertaining quote from Lewinsky about Clinton.

The FTC decided to test claims of privacy self-regulation by surfing about 1,400 web sites. They found more than 90% collected personal information but only 14% disclosed how they would use it. Some sites don't publish a policy on purpose, so that they can't be accused of not holding to it. Last month, the FTC settled with Geocities, who the commission found was selling information in disregard of their posted policy.

There was discussion on cypherpunks about ArcotSign (http://www.arcot.com/camo2.html). Although they're not releasing technical details, several people, including Bruce Schneier, tried to explain the product without giving away protected information about it. Passwords cannot be verified by an offline attack, even if the password file is stolen from the client. This seems to involve some sort of obfuscation involving mathematical magic that simulates lots and lots of potential passwords, only one of which is correct. They use public key technology, but both the "public" and private keys must remain undisclosed. It's targeted at providing authentication with a party with whom you already have a relationship (a bank, your employer).
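The Starr report item above is a textbook case of logical versus physical deletion: the footnotes were still in the file, only flagged as hidden, and a converter that did not understand the flag rendered them. The following Python is an added illustration, not code from the newsletter and not WordPerfect's real file format; the record structure, the "deleted" flag and the sample text are all constructed for the example. It shows the leaky converter beside a converter that honours the flag, a scrubber that physically removes flagged records before a file leaves the organisation, and an audit helper that lists what a naive conversion would expose.

```python
"""Logical vs. physical deletion in a toy document format (constructed example)."""
from dataclasses import dataclass, field
import html


@dataclass
class Record:
    """One unit of the toy document: a paragraph or a footnote.

    A record carrying "deleted" in its flags is hidden by the editor but is
    still stored in the file, which is the situation described in the story.
    """
    kind: str                       # "para" or "footnote"
    text: str
    flags: set = field(default_factory=set)


def naive_to_html(doc):
    """Leaky converter: renders every record it finds, ignoring the flag."""
    out = []
    for r in doc:
        tag = "p" if r.kind == "para" else "aside"
        out.append(f"<{tag}>{html.escape(r.text)}</{tag}>")
    return "\n".join(out)


def faithful_to_html(doc):
    """Converter that honours the flag: hidden records are not rendered."""
    return naive_to_html([r for r in doc if "deleted" not in r.flags])


def scrub(doc):
    """Physically remove flagged records so that no later tool can resurrect them.

    This is the step a release process should run before a document leaves
    the author's control; relying on every downstream converter to honour
    the flag is what failed in the story.
    """
    return [Record(r.kind, r.text, set(r.flags)) for r in doc if "deleted" not in r.flags]


def hidden_records(doc):
    """Audit helper: the text that would leak under a naive conversion."""
    return [r.text for r in doc if "deleted" in r.flags]


# Constructed sample document; the contents are invented for this example.
SAMPLE = [
    Record("para", "Body text that was meant to be published."),
    Record("footnote", "Footnote the author marked as deleted.", {"deleted"}),
    Record("footnote", "Footnote that is supposed to appear."),
]

if __name__ == "__main__":
    print("Would leak under naive conversion:", hidden_records(SAMPLE))
    print("--- naive converter ---")
    print(naive_to_html(SAMPLE))
    print("--- after scrub, any converter ---")
    print(naive_to_html(scrub(SAMPLE)))
```

The point of `scrub` is that it makes the output independent of the converter: once the flagged records are gone from the file, `naive_to_html` and `faithful_to_html` produce the same HTML, and `hidden_records` returns an empty list, which is the check a release process can assert on.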
The Mercantile Bank has stopped supporting Digicash (which it acquired along with the Mark Twain Bank). Rumor has it that another large institution will be announcing some sort of Digicash support later this year.

In mid-September, the US updated its crypto export rules again. You can export 56 bit DES without any key recovery plans (this of course was after the EFF crack; see below). Exports of unlimited strength crypto have been "streamlined" to certain sectors, including subsidiaries of US firms (except in terrorist nations), insurance companies, health and medical organizations, and for the purposes of on-line merchant transactions.

Two items from early September from TBTF:
-----------------------------------------------
..A digital signature makes e-commerce history
Using smart cards in place of pens

On his visit to Ireland last week, President Clinton and Irish Prime Minister Bertie Ahern made technology history as the first heads of state to sign an intergovernmental document digitally (it was a communique on e-commerce). The signing took place at 4 PM GMT on 9/4/98 at the Gateway 2000 plant in Dublin, Ireland. The smartcards and software for the event were provided by Baltimore Technologies [8], whose account you can read here [9]. Thanks to Mike Hanafin for timely word of this milestone.

[8] http://www.baltimore.ie/
[9] http://www.baltimore.ie/news/press/pr980904.html

[We're told that Clinton and Ahern swapped smart cards afterwards. I wonder if they had their PINs written on them. Mez]

..Crypto policy costs the US a citizen
A financial cryptography practitioner becomes an African-Caribe

Vince Cate gave up his US citizenship last Sunday [10] (registration and cookies required for this site). Cate, who lives in Anguilla, said he wants to be "free from the silly US laws on crypto." His company [11] develops software for financial cryptography.
Cate is one of the organizers of the Financial Cryptography conferences on his Caribbean island; he's also the man who brought us the "Become an international arms trafficker in one click" page [12]. Before renouncing his US citizenship Cate paid about $5,000 for Mozambiquan citizenship. The Times article quotes a lawyer who specializes in export licenses as opining that Cate's gesture was not strictly necessary, because the law has always given more latitude to cryptography used strictly for financial transactions [13].

[10] http://www.nytimes.com/library/tech/yr/mo/cyber/articles/06encrypt.html
[11] http://www.secureaccounts.ai/
[12] http://www.tbtf.com/archive/05-05-96.html#i-a-traf
[13] http://www.tbtf.com/archive/07-20-98.html#s08
-----------------------------------------------

There was a great deal of discussion on cypherpunks on the new UK customs policy of scanning laptop hard drives looking for porn. There was some concern about this scanning being a vector for viruses, but it seems that their procedures are suitably prophylactic. There is also concern for protecting business secrets (and of course other privacy issues).

Counterpane is offering $10,000 in prize money to the best attacks on Twofish during the first round of AES evaluation (http://www.counterpane.com/twofish-contest.html).

Just after the last Cipher went to press, John Gilmore, with backing from the EFF, cracked DES with "Deep Crack", a specialized parallel processor optimized for DES key search. I expect you've all heard about it already, but if you haven't, more information is at http://www.eff.org/descracker. At the same time, there was a lot of discussion on cypherpunks about "Private Doorbell", Cisco's answer to US crypto controls.
Basically Cisco is saying their routers already meet law enforcement needs, as there is an operator who can be served with papers and who can record traffic before (or after) it is encrypted (http://www.cisco.com/warp/public/779/govtaff/policy/paper/paper_index.html). There hasn't been much about it since; it may meet "death by procrastination", which seems to be the last resort reaction to interesting new approaches.

Shameless personal plug department: Schneier's CRYPTO-GRAM of August 15, 1998 stated: "IBM is giving away the source code to PKIX. Good for them. http://www.techweb.com/se/directlink.cgi?INW19980803S0013" This is the project I'm working on (Iris is part of Lotus is part of IBM). The first snapshot is finally available at http://web.mit.edu/pfl/.

____________________________________________________________________
US loosens crypto export restrictions
____________________________________________________________________

On September 16, 1998, Vice President Gore announced a loosening of restrictions on exporting strong encryption products. Some of the highlights include: permission to export 56 bit encryption to all but 7 countries following a one-time review, permission to export arbitrarily strong encryption to 45 countries following a one-time review for the companies in the sectors of insurance, health and medical (except biochemical and pharmaceuticals), on-line merchants, and foreign subsidiaries of U.S. companies. Another change was that companies will no longer be required to set out a key recovery plan to qualify for export.

Civil liberties groups were less than enthusiastic since the loosening still restricts export for individual use to 56-bits. Barry Steinhardt, president of the Electronic Frontier Foundation called the announcement "a half-step. The reliance on 56-bit crypto is almost laughable." [See a review below of the EFF book, Cracking DES.] Industry response was generally more favorable.
Industry spokespersons found it less than they hoped for but a positive move and used expressions like "a good first step" in response to the announcement.

____________________________________________________________________
NRC Report, Trust in Cyberspace, calls for federally funded research
____________________________________________________________________

The US National Research Council released a report, Trust in Cyberspace, on September 29th. The report was prepared by a committee chaired by Fred Schneider of Cornell University and convened under the Computer Science and Telecommunications Board. The main conclusion of the report is that the federal government needs to take a lead in supporting research to bolster the security and reliability of networked information systems. The report observes the dire need for research to make the nation's vital services secure and reliable while noting the absence of incentives for the private sector to conduct this research. The report also proposes a research agenda to meet these needs. The released prepublication version of the report contains the following sections: Introduction, Public Telephone Network and Internet Trustworthiness, Software for Networked Information Systems, Reinventing Security, Trustworthy Systems from Untrustworthy Components, The Economic and Public Policy Context, and Conclusions and Research Recommendations. It can be viewed on the Web or purchased from the National Academy Press at www.nap.edu/readingroom/

____________________________________________________________________
TIS Labs Unveils New Digest Algorithm
____________________________________________________________________

Network Associates' TIS Labs introduced a new mechanism for producing CRYPTO digests, called triple-Daves. While it is based on variations on single-Daves, which can be perfectly adequate for many purposes, the results of this combined approach seem very positive. See related story below under Conference Reports.
____________________________________________________________________
US Dept. of Defense tightens policy for Web site postings
____________________________________________________________________

Citing concern over the posting of sensitive information on DOD Web sites, Deputy Secretary of Defense John Hamre announced new guidelines on what can be posted. He noted the challenge of balancing the need to have useful information on those sites while avoiding providing information that could be dangerous if misused by "malefactors of various sorts". Data related to military plans, lessons learned, exercises, known vulnerabilities, unit locations, military installation information and personal data on service personnel were all slated for immediate removal by the directive. There will also be a task force created under the assistant secretary of Defense for C3I to develop policies governing postings to DOD Web sites as well as DOD use of the Internet in general.

____________________________________________________________________
PKI collaborations, interoperations, and freeware standard implementations announced
____________________________________________________________________

In August, Netscape and Verisign struck a deal to integrate their PKI technology. At the same time, the firewall maker Check Point announced it will incorporate Entrust's PKI technology into its VPN software. Meanwhile, at the end of July IBM (Lotus, Iris) made their implementation of the IETF draft standard PKIX available for free through an MIT Web site http://web.mit.edu/pfl/. The company intends to integrate this implementation into their own products and hopes that other vendors will do so as well. Finally, in September Network Associates announced a partnership with both Entrust and Verisign to ensure that PKI technology from these companies will smoothly interoperate with Network Associates' Net Tools.
Certificates from both companies as well as from Network Associates' own PGP are planned to all be compatible when used with Net Tools.

____________________________________________________________________
Visa and Mastercard offer incentives for banks to use SET
____________________________________________________________________

Banks have so far been less than enthusiastic in adopting the use of SET (Visa and Mastercard's Secure Electronic Transactions standard for Internet credit card transactions). To reduce this reluctance Visa is now waiving standard transaction fees if both the merchant's bank and the customer's bank are using SET. Mastercard meanwhile is providing banks with certificate issuing services that the banks would otherwise need to do themselves and making SET transactions function in the existing Mastercard system. On-line Internet merchants have also been hesitant to move on SET, and it remains to be seen what carrots (or sticks) will be offered to them.

____________________________________________________________________
COMMENTARY AND OPINION
____________________________________________________________________

____________________________________________________________________
Cracking DES. Secrets of Encryption Research, Wiretap Politics & Chip Design
by the Electronic Frontier Foundation. O'Reilly 1998. 272 pages. $29.95
ISBN 1-56592-520-3
Reviewed by Robert Bruen, Cipher Book Review Editor
____________________________________________________________________

The struggle to protect ourselves from the overzealous folks in Washington DC has been pushed up a notch, a rather large notch. There is nothing like a little dose of reality to put an end to debates about what is possible and what is not. The folks in DC live by words and not by deeds, so as long as they can stretch out the debate they can keep a certain level of control over those who do not have the ability to understand the issues or their consequences.
With the publication of Cracking DES, the debate over the security of DES is over. It is one of those moments similar to the time physicist Richard Feynman dropped an o-ring into a glass of ice water during the public hearings on the Challenger disaster. All of the raging debate simply stopped. Now the debate over the security of DES simply stops, but new debates are raised at this point. These days truth is hard to find in DC, but we must ask the questions about lying by government employees on the level of a conspiracy between several agencies. There has been much debate among professionals and a constant defense of DES by government agencies and individuals. Did all these government employees really not know how easy it would be to crack DES? If the answer is yes, then our tax money has been seriously wasted. If no, then the lies are clear. I may not trust the NSA, but they are not stupid.

Like Diffie and Landau's recent book, Privacy on the Line: The Politics of Wiretapping and Encryption, this book is an important landmark in the struggle to keep the freedom and liberties we enjoy. It is most unfortunate that the struggle is with our own government. Privacy on the Line was a carefully researched book which exposed the history of the government lies to keep encryption out of the hands of American citizens. Cracking DES helps put encryption back in our hands. I suggested several years ago that the most important national struggle of the times we live in would be about our privacy and civil rights. As the pressure mounts on both sides, this will come to pass with a vengeance. The crux of the problem is the lack of compromise. In general, national debates have multiple solutions, but encryption is a binary choice: either we are free to use encryption strong enough to prevent the government from reading our communications or we are not. There is no place in between, for weak encryption is no encryption.
If the government succeeds in denying its citizens strong encryption at all times and in all places, then the American fascist state will be born. So far the best weapon available is technical know-how and the willingness to share it (engineering as a political tool - curious). Check out your history for the writings by individuals in the pre-revolution American colonies to see how it works.

Now, the book itself. It is a quick read if you skip over reading the code, because the code takes up about 150 pages and the schematics take up about 15 pages, about two thirds of the book. The code is meant to be scanned, with instructions on how to do it and where to find tools to help. It is one of the strange quirks of our laws that allows a book to contain pretty much what we want, but a web page or an ftp site with the same material is not allowed. It seems to me that since the distribution of books can not (at least for now) be stopped, they want to make it painful for everyone to acquire the material. Of course this all becomes moot once a non-American site appears with the code scanned in. Oops, too late, check out http://www.replay.com/cracking_des/ if you would rather not go through the effort of scanning it yourself.

I see two main reasons for the book. The first is to confront the government for its foolishness and the second is to provide the knowledge of how one builds a DES cracker. All of the hardware is described by part numbers and vendors. All the code necessary to run it is included. All that you need is the $210,000 it costs to build it, although I am sure that the community of free thinkers could donate parts, expertise and labor to do it for much less now that a design has been implemented. Like any other product, it will get cheaper and better over time. The interesting question, besides the obvious government issues, is how this will play out in the world of encryption. What else can come of this?
Although most of the book is code, there is good reading as well, such as the foreword by Whit Diffie. There is a section on the technical description that includes a discussion of the politics involved and a history of DES cracking. There are also several chapters of well chosen papers. Lastly, the instructions for building the parts are clearly presented in detail. While code is important, the instructions for building the machine are also important. Now if I only had $210,000 to spare... Cracking DES is not just recommended reading, but required. This issue is too important to ignore. I hope there will be more efforts like this and the Diffie/Landau book in the near future.

______________________________________________________________________ Conference Reports ______________________________________________________________________

______________________________________________________________________ CRYPTO '98: 18th Annual Cryptology Conference August 23--27, 1998, Santa Barbara, California by David Balenson, David Carman, and David McGrew, TIS Labs at Network Associates ______________________________________________________________________

The 18th Annual Cryptology Conference (CRYPTO '98) was held at its traditional location, the University of California at Santa Barbara, on August 23-27, 1998. The conference is sponsored by the International Association for Cryptologic Research (IACR), in cooperation with the IEEE Computer Society Technical Committee on Security and Privacy, and the Computer Science Department at the University of California, Santa Barbara (UCSB). Andrew Klapper (University of Kentucky, USA) served as the General Chair. Hugo Krawczyk (Technion, Israel and IBM Research, USA) served as the Program Chair. This year, the ever popular conference attracted over 500 participants.
The conference is a truly international event, with participants traveling from at least 31 countries spread around the globe: Argentina, Australia, Belgium, Brazil, Canada, China, Czech Republic, Denmark, Egypt, Estonia, Finland, France, Germany, Israel, Italy, Japan, Korea, the Netherlands, Norway, Peru, Romania, Saudi Arabia, Singapore, Slovak Republic, South Korea, Sweden, Switzerland, Taiwan, Turkey, United Kingdom, and the United States. The proceedings are available from the publisher, Springer-Verlag: Advances in Cryptology - CRYPTO '98, Hugo Krawczyk (Ed.), Lecture Notes in Computer Science, Volume 1462, Springer-Verlag, 517 pages, 1998, ISBN 3-540-64892-5. See http://www.springer.de for further information. The program consisted of the formal paper presentations, as well as three invited talks, an evening rump session with short, informal presentations, and an IACR business meeting. Since the formal papers can be found in the proceedings, this report focuses on selected paper presentations and the other events.

SELECTED PAPER PRESENTATIONS

*** Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1, Daniel Bleichenbacher (Bell Laboratories, Lucent Technologies, USA.)

SSL Broken? RSA Flawed? Not exactly, but some implementations of SSL and similar protocols may be susceptible to an attack because of how they use the popular RSA algorithm. Daniel Bleichenbacher described this common method of using RSA that is implemented in many protocols, a method widely known and long standardized in RSA's Public Key Cryptographic Standards (PKCS) #1. The critical observation he makes is that the probability that a random message is accepted by a recipient as PKCS #1 compliant is NOT vanishingly small. This property allows an attacker to use the message recipient as an oracle, and to deduce an RSA-protected message using a large, but not necessarily infeasible, number of trials.
Bleichenbacher described his chosen ciphertext attack using three phases: blinding, slow phase, and fast phase. In the blinding phase, the attacker submits randomly chosen values until the recipient confirms that the pseudo-message is PKCS #1 conforming (e.g. by NOT returning an error). Note that the blinding phase is not necessary when the recipient is performing decryption. Next, in the slow phase, the attacker tries to find the smallest value s for which the chosen ciphertext c s^e mod n is PKCS #1 conforming. Each successively smaller value for s narrows the interval in which the RSA-protected message must lie. Finally, in the fast phase, only one interval remains, and the value s is increased and various pseudo-messages of the form c s^e mod n are attempted until only one possible value of the sought-after message could result. The attack is particularly effective against implementations of the widely used SSL protocol, and thus attracted significant attention earlier this year. The attack requires on the order of a million trials, however, and is therefore only applicable to cases in which the recipient implementation automatically responds to an error (i.e. NOT e-mail). Of particular note, Bleichenbacher initially disclosed this attack only to RSADSI and major SSL vendors, allowing them to change their implementations and begin deploying the fix before the general public was even aware of the vulnerability. Countermeasures to the Bleichenbacher attack include supplying additional integrity checking of the RSA-protected message, providing less information upon error conditions, and/or beginning to use PKCS #1 v2, which specifies a less susceptible scheme based on Optimal Asymmetric Encryption Padding.

*** A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack, Victor Shoup (IBM Zurich Research Lab, Switzerland) and Ronald Cramer (ETH Zurich, Switzerland.)
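The two points in the report above that a defender needs in concrete form are the "critical observation" (how often a random block happens to parse as PKCS #1 v1.5) and the countermeasure of "providing less information upon error conditions". The following Python is an added illustration written for this newsletter, not code from Bleichenbacher's paper or from any SSL vendor; the pad/unpad helpers, the 48-byte premaster-secret length and the two server-side handling routines are assumptions of the example.

```python
import secrets

MIN_PAD = 8  # PKCS #1 v1.5 type 2 blocks carry at least eight non-zero padding bytes


def pkcs1_v15_unpad(block: bytes):
    """Parse a PKCS #1 v1.5 type 2 block, 00 || 02 || PS || 00 || M.

    Returns the payload M, or None if the block is not conforming.
    """
    if len(block) < 11 or block[0] != 0x00 or block[1] != 0x02:
        return None
    sep = block.find(0x00, 2)           # first zero byte after the 02 tag ends PS
    if sep == -1 or sep - 2 < MIN_PAD:  # no separator, or fewer than 8 padding bytes
        return None
    return block[sep + 1:]


def pkcs1_v15_pad(payload: bytes, k: int) -> bytes:
    """Build a conforming k-byte block around payload (helper constructed for this demo)."""
    ps_len = k - 3 - len(payload)
    if ps_len < MIN_PAD:
        raise ValueError("payload too long for this modulus size")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + payload


def conformance_probability(k: int) -> float:
    """Exact probability that a uniformly random k-byte block passes pkcs1_v15_unpad.

    Bytes 0 and 1 must be 00 02 (1/256 each), bytes 2..9 must be non-zero
    ((255/256)^8), and at least one of the remaining k-10 bytes must be zero.
    For a 1024-bit modulus (k = 128) this is a few parts per million, not 2^-1024:
    the "not vanishingly small" observation in numbers.
    """
    nz = 255 / 256
    return (1 / 256) ** 2 * nz ** MIN_PAD * (1 - nz ** (k - 2 - MIN_PAD))


def leaky_premaster(block: bytes, expected_len: int = 48) -> bytes:
    """Vulnerable handling: distinct, observable failures tell the sender whether the padding parsed."""
    payload = pkcs1_v15_unpad(block)
    if payload is None:
        raise ValueError("bad padding")   # this distinguishable error is the oracle
    if len(payload) != expected_len:
        raise ValueError("bad length")
    return payload


def hardened_premaster(block: bytes, expected_len: int = 48) -> bytes:
    """Hardened handling: never signal the padding result; substitute a random secret instead.

    The handshake then fails later, at the Finished message, with the same error
    whether or not the padding was conforming, so the sender learns nothing.
    A production implementation must also keep the two paths indistinguishable in timing.
    """
    fallback = secrets.token_bytes(expected_len)
    payload = pkcs1_v15_unpad(block)
    if payload is None or len(payload) != expected_len:
        return fallback
    return payload
```

The probability function only counts blocks that pass every check of the parser above; Bleichenbacher's own estimate uses a slightly looser notion of "conforming", which is why his figure and this one differ by a small constant. The point of the hardened routine is that the sender's only observable is a handshake failure that looks the same in both cases.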
Bleichenbacher's widely publicized chosen ciphertext attack on SSL emphasizes the necessity of having a practical, provably secure public key cryptosystem. Past work in this area has included provably secure schemes that are impractical, and practical schemes whose security is conjectured but not proven. For instance, the Optimal Asymmetric Encryption Padding (OAEP) scheme proposed for RSA appears to thwart Bleichenbacher's and others' chosen ciphertext attacks, but OAEP is not provably secure. Cramer and Shoup answer the call by describing a practical public key cryptosystem that is secure against chosen ciphertext attacks. The Cramer-Shoup public key encryption system comes with a proof that its security against adaptive chosen ciphertext attack reduces to the hardness of the Diffie-Hellman decision problem. Since the Diffie-Hellman decision problem is recognized as intractable, defeating Cramer-Shoup's resistance to adaptive chosen ciphertext attack is shown to be similarly intractable. The efficiency of the scheme is about twice the cost of an ElGamal implementation. IBM already plans to use Cramer-Shoup in its products, although efficiency costs and licensing issues may slow wider use of this scheme in the marketplace.

*** Identity Escrow, Joe Kilian (NEC Research Institute, USA) and Erez Petrank (IBM Haifa Research Lab, Israel.)

Advances in technology have increased our use of identification-based access procedures for facilities such as toll highways and parking garages. However, applications such as these that frequently expose the user's identity raise a genuine concern about the erosion of our privacy. The other end of the spectrum, an environment that provides complete anonymity, may also be undesirable for our society. Might we miss an opportunity to identify a hit-and-run drunk driver who used our toll highway? Or not be able to identify someone who was in a parking garage at the time of a murder?
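To show what "about twice the cost of ElGamal" buys, here is the Cramer-Shoup scheme written out in Python as an added example for this report (it is not code from the paper or from IBM). The group is a deliberately tiny toy, the quadratic residues modulo the safe prime 1019, chosen so the arithmetic can be followed by hand; the hash-to-Z_q encoding and the parameter names are assumptions of the example. The part worth studying is the tag v and the consistency check in decrypt: a ciphertext that has been altered is rejected outright, which is exactly what denies an adversary the kind of decryption oracle Bleichenbacher's attack exploits.

```python
import hashlib
import secrets

# Toy group: the quadratic residues of Z_p^* for the safe prime p = 2q + 1.
# These parameters are tiny so that the arithmetic is easy to follow (they are an
# assumption of this example, not parameters from the paper); a real deployment
# needs a prime-order group of at least 256 bits.
P = 1019
Q = (P - 1) // 2
G1, G2 = 4, 9  # squares mod P, hence generators of the order-Q subgroup
_WIDTH = (P.bit_length() + 7) // 8


def _hash_to_zq(*elems: int) -> int:
    """Hash group elements onto Z_q (SHA-256 of fixed-width encodings, reduced mod q)."""
    data = b"".join(x.to_bytes(_WIDTH, "big") for x in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    """Public key (c, d, h); private key (x1, x2, y1, y2, z)."""
    x1, x2, y1, y2, z = (secrets.randbelow(Q) for _ in range(5))
    c = pow(G1, x1, P) * pow(G2, x2, P) % P
    d = pow(G1, y1, P) * pow(G2, y2, P) % P
    h = pow(G1, z, P)
    return (c, d, h), (x1, x2, y1, y2, z)


def encrypt(pub, m: int):
    """m must be a subgroup element (a quadratic residue mod P, e.g. any square)."""
    c, d, h = pub
    r = 1 + secrets.randbelow(Q - 1)
    u1, u2 = pow(G1, r, P), pow(G2, r, P)
    e = pow(h, r, P) * m % P                        # ElGamal-style masking of m
    alpha = _hash_to_zq(u1, u2, e)
    v = pow(c, r, P) * pow(d, r * alpha, P) % P     # tag binding (u1, u2, e) together
    return u1, u2, e, v


def decrypt(priv, ct):
    """Returns m, or None when the tag check fails (a tampered ciphertext is rejected)."""
    x1, x2, y1, y2, z = priv
    u1, u2, e, v = ct
    alpha = _hash_to_zq(u1, u2, e)
    # Consistency check: with honest u1 = g1^r and u2 = g2^r this equals c^r d^(r*alpha) = v.
    if pow(u1, x1 + y1 * alpha, P) * pow(u2, x2 + y2 * alpha, P) % P != v:
        return None
    return e * pow(pow(u1, z, P), -1, P) % P
```

Encryption costs five exponentiations against ElGamal's two, and decryption performs the check before touching the plaintext; with a real-sized q the chance that an altered ciphertext slips past the check is about 1/q.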
Kilian and Petrank offer a compromise between complete anonymity and the need to know identity in extreme cases: identity escrow. An identity escrow system consists of four parties: (1) the user; (2) the issuer, who issues certificates allowing service; (3) the verifier, who verifies the identity process and the escrow proof; and (4) the escrow agent, the identity recoverer in emergency situations. To implement identity escrow, Kilian and Petrank offer schemes based on RSA and ElGamal group signature schemes. Similar to conventional key escrow schemes, the escrow agent is a trusted third party accessed only in emergencies. Unlike conventional key escrow schemes, however, the nature of the problem allows the escrow agent to be excluded from the initialization and normal operations of the identification system.

*** Fast RSA-type Cryptosystem Modulo (p^k)q, Tsuyoshi Takagi (NTT Software Laboratories, Japan.)

Although the RSA cryptosystem is one of the most practical public key cryptosystems used today, the performance of its private key operations makes it extremely slow in computationally-limited devices such as smart cards. Thus, cryptographers have continually pursued various methods to speed up these operations without compromising the RSA cryptosystem's security. Takagi presents a significant performance improvement for RSA private key operations. Conventionally, the RSA modulus is determined as the product of two primes (n=pq). Takagi, however, suggests constructing the modulus as the product of a prime power and a prime, n=(p^k)q. Using Takagi's technique, operations using the public modulus and public exponent proceed normally. Operations using the private key, however, take advantage of the Chinese remainder theorem and can be sped up significantly. The advantage occurs because, for the same size of n, smaller p and q values can be used, allowing modular exponentiations with smaller moduli and exponents.
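The private-key operation for the k=2 case, n = (p^2)q, as an added worked example for this report (not Takagi's code): the root is computed modulo p with an exponent reduced modulo p-1, lifted to modulo p^2 with one Hensel step that needs no exponentiation modulo p^2, and combined with the residue modulo q by the Chinese remainder theorem. The toy primes are found at run time by trial division and are an assumption of the example, as is the choice e = 65537; decrypt_reference is included only to cross-check the result against ordinary decryption with the full Carmichael exponent.

```python
from math import gcd


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy-sized primes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def next_prime(n: int) -> int:
    while not is_prime(n):
        n += 1
    return n


def lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


def keygen(p: int, q: int, e: int = 65537):
    """Takagi-style key: n = p^2 q, with d = e^-1 mod lcm(p-1, q-1) rather than mod lambda(n)."""
    assert is_prime(p) and is_prime(q) and p != q
    assert gcd(e, (p - 1) * (q - 1)) == 1 and e % p != 0
    n = p * p * q
    d = pow(e, -1, lcm(p - 1, q - 1))
    return (n, e), (p, q, e, d)


def encrypt(pub, m: int) -> int:
    n, e = pub
    return pow(m, e, n)


def decrypt_takagi(priv, c: int) -> int:
    """Private-key operation: small exponentiations mod p and mod q, a Hensel lift, then CRT.
    Assumes gcd(m, n) = 1, as for any sensible RSA message."""
    p, q, e, d = priv
    p2 = p * p
    # Leg 1: m mod q, the ordinary CRT leg with the exponent reduced mod q-1.
    mq = pow(c % q, d % (q - 1), q)
    # Leg 2: m mod p, again with a reduced exponent ...
    k0 = pow(c % p, d % (p - 1), p)
    # ... then lift the e-th root from mod p to mod p^2 with one Newton/Hensel step:
    # writing m = k0 + p*k1, m^e = k0^e + e*k0^(e-1)*p*k1 (mod p^2), so
    # k1 = ((c - k0^e)/p) * (e*k0^(e-1))^-1 (mod p).
    a = (c - pow(k0, e, p2)) % p2           # divisible by p because k0^e = c (mod p)
    k1 = (a // p) * pow(e * pow(k0, e - 1, p) % p, -1, p) % p
    mp2 = (k0 + p * k1) % p2
    # Garner recombination of the residues mod p^2 and mod q.
    h = (mq - mp2) * pow(p2, -1, q) % q
    return mp2 + p2 * h


def decrypt_reference(priv, c: int) -> int:
    """Plain decryption with the full Carmichael exponent lambda(n) = lcm(p(p-1), q-1), for cross-checking."""
    p, q, e, _ = priv
    n = p * p * q
    d_full = pow(e, -1, lcm(p * (p - 1), q - 1))
    return pow(c, d_full, n)
```

Note that d in the Takagi key is only an inverse modulo lcm(p-1, q-1); it is never applied modulo n directly, which is why the lift uses e rather than d. The factoring caveat the report goes on to mention applies here unchanged: the speed-up comes entirely from p and q being smaller for a given size of n.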
For a 768-bit modulus of the form n=(p^2)q, with 256-bit primes p and q, private key operations are about three times faster than in conventional RSA cryptosystems. Since the primes used are smaller, the obvious disadvantage of Takagi's technique is increased susceptibility to factoring. At this time, however, for primes of at least 256 bits there are no known algorithms better than the number field sieve for finding the prime factors of the composite number (p^2)q.

ADVANCES IN SYMMETRIC CRYPTANALYSIS

Many new results in block cipher cryptanalysis and design have been presented this year, no doubt inspired by the Advanced Encryption Standard effort. At CRYPTO '98, there were five such presentations during the regular sessions, and the announcement of substantial new results during the rump session. By contrast, there was only one such presentation last year. There was a single new result on hash functions.

*** From Differential Cryptanalysis to Ciphertext-Only Attacks, Alex Biryukov and Eyal Kushilevitz (Technion, Israel.)

The authors show that non-random plaintexts, such as blocks of ASCII-encoded English, are much more likely than random plaintexts to contain differences that can be used in differential cryptanalysis. They study the distribution of differences in ASCII English blocks, and use their result to construct ciphertext-only attacks on MADRYGA and a four-round version of RC5.

*** Generalized Birthday Attacks on Unbalanced Feistel Networks, Charanjit S. Jutla (IBM T.J. Watson Research Center, USA.)

Jutla's work generalizes birthday attacks on Luby-Rackoff ciphers to include expanding unbalanced Feistel networks, that is, Luby-Rackoff ciphers with different sizes of left and right data halves, in which the random function takes its input from the smaller half. He bounds the number of chosen plaintexts needed to distinguish such a cipher from a random permutation.
*** Quadratic Relation of S-box and Its Application to the Linear Attack of Full Round DES, Takeshi Shimoyama (TAO, Japan) and Toshinobu Kaneko (Science University of Tokyo, Japan.)

The authors used Gröbner bases to obtain quadratic relations of the DES S-boxes, and found a quadratic equation for S5 that could be used to improve the multiple approximations method of Kaliski and Robshaw. Though their attack reduces the amount of known plaintext by only 26%, it shows a useful new method for attacking ciphers.

*** Cryptanalysis of Block Ciphers with Probabilistic Non-linear Relations of Low Degree, Thomas Jakobsen.

He applies a new result in coding theory (Sudan's algorithm for decoding Reed-Solomon codes beyond the error-correction diameter) to the cryptanalysis of block ciphers. His attack provides a way to attack ciphers whose round functions are approximately given by low-degree polynomials, improving on earlier work (Jakobsen and Knudsen's interpolation attack) which cryptanalyzes ciphers with round functions that are exactly given by low-degree polynomials. The use of low-degree round functions is motivated by their resistance to differential cryptanalysis, but Jakobsen's attack shows that these round functions are weak in their own way.

*** Differential Collisions in SHA-0, Florent Chabaud and Antoine Joux (Centre d'Electronique de l'Armement, France).

The authors show how to find collisions in the initial version of the SHA hash function with complexity 2^61, a factor of 2^19 less work than the "birthday paradox" attack. Their attack does not work on SHA-1, the revised version of SHA, suggesting that the unexplained change in the US standard hash function was a correction of this weakness. Their attack is related to the differential cryptanalysis of block ciphers, and capitalizes on a lack of diffusion in SHA-0.
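The "unexplained change" between SHA-0 and SHA-1 is a single one-bit rotation in the message expansion, and the "lack of diffusion" it repaired can be seen directly in that expansion. The following Python is an added example for this report, not code from the Chabaud-Joux paper: a compact SHA-1 whose expansion can be switched to the SHA-0 form, checked against hashlib, plus a helper that tracks where a one-bit difference in an input word ends up in the 80 expanded words. Without the rotation the difference never leaves the bit column it started in, which is the property a differential attack can exploit; with it the difference spreads across bit positions.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def expand(block: bytes, sha1: bool) -> list:
    """Message schedule W[0..79]. The only difference between SHA-0 and SHA-1 is the
    one-bit rotation applied here for t >= 16."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        x = w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16]
        w.append(_rotl(x, 1) if sha1 else x)
    return w


def _compress(state, block: bytes, sha1: bool):
    a, b, c, d, e = state
    for t, wt in enumerate(expand(block, sha1)):
        if t < 20:
            f, k = (b & c) | (~b & MASK & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + wt) & MASK, a, _rotl(b, 30), c, d
    return [(s + v) & MASK for s, v in zip(state, (a, b, c, d, e))]


def sha(msg: bytes, sha1: bool = True) -> bytes:
    """SHA-1 (sha1=True) or the original 1993 SHA, now called SHA-0 (sha1=False)."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    padded = msg + b"\x80" + bytes((55 - len(msg)) % 64) + struct.pack(">Q", 8 * len(msg))
    for i in range(0, len(padded), 64):
        state = _compress(state, padded[i:i + 64], sha1)
    return struct.pack(">5I", *state)


def schedule_difference_positions(sha1: bool, word: int = 0, bit: int = 0) -> set:
    """Bit positions (0..31) in which the expanded schedules of two blocks that differ in one
    bit of one input word differ. The expansion is linear over XOR, so this is simply the
    expansion of the single-bit block itself."""
    words = [0] * 16
    words[word] = 1 << bit
    positions = set()
    for wt in expand(struct.pack(">16I", *words), sha1):
        positions |= {i for i in range(32) if (wt >> i) & 1}
    return positions
```

schedule_difference_positions(False, w, b) returns {b} for every word and bit, while the SHA-1 variant returns many positions: the rotation is what couples the bit columns of the schedule.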
CRYPTOGRAPHY AND THE INTERNET

Steve Bellovin (AT&T Labs Research, USA) presented an invited lecture on the implementation and use of cryptography within Internet protocols. A full paper on the topic appears in the proceedings. A copy of his slides, as well as other interesting information on network security, cryptography, etc., can be found on his Web page at http://www.research.att.com/~smb. Bellovin credited the current use of cryptography in protocols such as PGP, S/MIME, SSL, IPSec, and SET to faster CPU speeds that make the overhead of cryptography tolerable. He reviewed the current uses and limitations of cryptography in each of these protocols. PGP and S/MIME are both popular secure email protocols advancing in the IETF standards process, but still hampered by the lack of a widespread public key infrastructure (PKI). SSL is a general purpose mechanism mostly used for Web browser to server protection; it does have a PKI, but facilities for checking certificates are limited and rarely used by users: the dual of the email problem. IPSec is a network layer protocol that protects all transport protocols and the application protocols that use them; IPSec protection can be applied to a user, a host or an entire network, but it is currently being deployed and used mostly to protect firewall-to-firewall and remote-user-to-firewall communications; potential future use in end-systems will increase the need for an accompanying PKI. Finally, SET is a secure payment protocol allowing digitally signed orders among multiple parties (consumers, banks, and merchants), ostensibly eliminating the need to transmit credit card numbers, though Bellovin points out that credit card numbers are still required as indices into databases. Bellovin described three areas requiring further work.
There is still a need for increased cryptography speed, especially of public key operations in servers handling many clients, and of keyed integrity check algorithms such as those used in IPSec. There is also a strong need for secure routing protocols. It is not clear how to use cryptography to protect routing information, and while there has been some work in this area, the ideal solution requires extensive use of digital signatures, which would be prohibitively expensive. Finally, an interesting research area is providing cryptographic security for multicast communications, which, despite several proposals, has proven difficult, possibly due to the many different uses and trust models associated with multicast sessions. Bellovin indicated that yet another area requiring work is the assignment of real-world semantics to public key certificates. Also of great importance and difficulty is the area of cryptographic engineering, which involves the difference between an academic paper that says "encrypt a message M from A to B with a shared key K" and an implementation specification that says use a specific cipher, block size, mode of operation, IV, and key length in a specific interchange of messages. Secure protocols must handle secure negotiation of ciphers and their attributes. Security requirements can often be in conflict. Bellovin noted that operational considerations produce challenges, citing examples with securing the Domain Name System (DNS) and with IPSec. He also expressed a need for more verification of cryptographic protocols and mechanisms used in the Internet, noting that, while verifying crypto protocols is hard enough, verifying real-world standards is much harder because of non-cryptographic features. In closing, Bellovin emphasized that cryptography cannot solve all of the Internet's security problems, that the Internet suffers from a lot of bad cryptography, and that the user interface to cryptography in software is often lacking.
AES SPECIAL REPORT

Miles Smid (National Institute of Standards and Technology, USA) presented a Special Report on the First AES Conference, which was held in Ventura, CA the week preceding CRYPTO '98. Smid reviewed the AES process, spoke about the conference, and outlined remaining plans. The conference was the first in a planned series of three conferences to be held to help NIST determine which algorithm to select for the AES. The conference gave attendees a first look at each of the candidate algorithms: LOKI97, RIJNDAEL, CAST-256, DEAL, FROG, DFC, MAGENTA, E2, CRYPTON, HPC, MARS, RC6, SAFER+, TWOFISH, and SERPENT. Smid invited formal comments on the algorithms, including how well they meet the NIST criteria, any related intellectual property issues, cross-cutting analysis of multiple algorithms, and overall recommendations, including the underlying rationale for such recommendations. Comments should be submitted via email to aesfirstround@nist.gov. The Second AES Conference will be held in Rome, Italy on March 22-23, 1999. Additional information about the AES process, including information on the candidate algorithms and the official schedule, can be found at http://www.nist.gov/aes.

During his special report, Smid provided some humor with his simple management strategy for developing AES. DES to AES in Seven Easy Steps:
1. Convince NIST management that DES is no longer fully secure;
2. Convince NIST management that 3DES is not good enough to be AES;
3. Challenge the world's best cryptographers to give you algorithms;
4. Challenge the world's best cryptographers to cryptanalyze the algorithms (doing that today!);
5. Avoid getting arrested for violating export laws;
6. Pray for consensus; and
7. If all else fails, define AES = DES.

The CRYPTO '98 audience expressed its admiration and appreciation to Smid for providing an open, international process for submitting and considering candidate algorithms.
In response to a question from John Gilmore (Electronic Frontier Foundation, USA) regarding the role of NSA in this process, Smid answered that he has advised NSA of what he is doing, that NSA is supportive of the process, and that, contrary to any news reports, NSA has not tried to set the schedule or stop the effort. He also indicated that NSA has agreed to look at the five finalists, that he hopes they all will be acceptable to NSA, and that he would be uncomfortable if an algorithm were not acceptable to NSA.

IACR DISTINGUISHED LECTURE

*** Michael Rabin (Harvard University, USA and Hebrew University, Israel.) Proof of Plaintext Knowledge and (Deniable) Authentication.

Rabin presented new results not represented by the extended abstract contained in the conference proceedings. Encryption with proof of plaintext knowledge prevents captured-ciphertext attacks, such as Bleichenbacher's attack on the SSL protocol using PKCS #1. Rabin presented an enhancement to a generic (semantically secure) public key encryption method that provides it with a proof of plaintext knowledge (and retains its semantic security). Deniable authentication enables Alice to authenticate a message to Bob in such a way that Bob cannot convince Carol that Alice ever authenticated that message; Alice can deny to Carol that she ever saw the message. An example of where this is useful would be if Alice and Carol were buyers, and Bob were a seller. Alice can use deniable authentication on her offers to Bob in such a way that Bob cannot use them to bargain with Carol. Rabin presented an efficient way to do deniable authentication with provable security.

RUMP SESSION

The rump session is an informal session of impromptu talks, including recent technical results and possibly also presentations on politics, history, standards, and humor. The session was organized and moderated by Stuart Haber (Surety Technologies, USA.)
This year, the rump session was unusually serious in nature, with most, if not all, of the talks very technical. There were a large number of talks on attacks and cryptanalysis, as well as many talks on new schemes and ciphers. A few of the notable presentations on recent results in cryptanalysis are described here.

*** Adi Shamir, Alex Biryukov, and Eli Biham presented Impossible Differential Attacks, Miss-in-the-middle Attacks on IDEA, and Impossible Cryptanalysis of SKIPJACK, respectively. This new approach to differential cryptanalysis uses "impossible differentials", that is, differentials which cannot appear in a plaintext/ciphertext pair, to eliminate keys from consideration and thus find the correct key. Such differentials can be found by finding differentials for the first half and the second half of a cipher that "miss in the middle", since their values do not match up. Biham used this new technique to break a 31-round version of the recently declassified SKIPJACK cipher (which is only one round away from the complete 32-round cipher). Check http://www.cs.technion.ac.il/~biham/Reports/SkipJack/ for a forthcoming report on this exciting result.

*** The Electronic Frontier Foundation's DES search engine was described by John Gilmore and Paul Kocher. The $210,000 machine, which heats up the room it runs in to 150 degrees Fahrenheit, can find DES keys in about three days. Ron Rivest, representing RSADSI, presented Gilmore with the $10,000 prize for their prompt solution. Matt Blaze was also on hand to give a much more modest prize to the winners of his DES challenge: find matching pairs of plaintext and ciphertext numbers, consisting of nothing but repeated digits. More information is available online at http://www.eff.org/descracker/.

*** An effort to build a machine that implements Hellman's time-memory tradeoff against DES was announced by Tsutomu Matsumoto.
Information will become available at http://members.aol.com/pinebook as the project develops.

IACR BUSINESS MEETING

The International Association for Cryptologic Research (IACR) is a non-profit scientific organization whose purpose is to further international research in cryptology and related fields. The main activities of the IACR include: running the two annual conferences -- CRYPTO, EUROCRYPT, and, beginning in 2000, ASIACRYPT; publishing the Journal of Cryptology; and publishing a semi-annual newsletter. Additional information about the IACR and its activities is available via the Web at http://www.iacr.org. The IACR conducts an open business meeting at the CRYPTO conference. Of particular note during this business meeting:
*** The IACR newsletter is in the process of being changed over to a primarily electronic publication.
*** The 1998 election of new officers and 3 (out of 9) directors is underway.
*** The University of California at Santa Barbara (UCSB) has been contracted to function as the IACR Secretariat, providing administrative and membership services for the IACR.
*** Efforts are underway to deal with the huge backlog of both submitted and accepted papers for the Journal of Cryptology.
*** Most notably, an electronic version of the IACR conference proceedings will soon be available. A CDROM will be published containing: all the CRYPTO and EUROCRYPT proceedings from 1981-1997 (32 volumes), including the UCSB Tech Report from 1981, the 1982 proceedings which were not published by Springer, and the 1986 pre-proceedings; a cumulative author index for all 1,275 papers; a keyword index; and a search capability via Java applet. An accompanying book will contain title pages, the author index, a listing of the program committees, etc. The CDROM and book will be published by Springer as Volume 1440 in the LNCS series. It is expected to be available by the end of the year.
______________________________________________________________________ USENIX ECommerce '98: The Third USENIX Workshop on Electronic Commerce September 1-3, 1998, Boston, Massachusetts by Radha Poovendran, University of Maryland, radha@isr.umd.edu and Kevin Fu, Bellcore, fubob@mit.edu ______________________________________________________________________

[The report authors provided notes independently on selected papers, which we have hacked together. ---Ed.]

The 3rd USENIX Workshop on Electronic Commerce was held in Boston, MA, September 1-3, 1998, preceded by a day of tutorials on August 31. Bennet Yee from the University of California, San Diego was the program chair and Daniel Geer from CertCo, LLC the PKI sessions coordinator. One exciting conference moment was when a fire alarm went off during the night of Sept. 1, rousing conference attendees from their beds. Efforts to locate the source of the alarm proved futile.

Stuart Feldman from the IBM Institute for Advanced Commerce was the keynote speaker. His talk was on Research Directions in Electronic Commerce. He focused on the communications, computing, commercial and privacy aspects of e-commerce. He identified (a) the Internet, (b) the WWW, (c) crypto protocols, (d) payment technologies, and (e) recommender systems as some of the research directions, and went on to identify the following as some of the important specific areas: (a) privacy, (b) variable prices and negotiated deals, (c) the evolving market place, (d) managing the end customer, (e) the impact of globalization, (f) system foundations. From the service side, he identified speech processing, agent technology, and complex multimedia including video as potential problems to be addressed. In discussing issues related to communications, he referred to the last mile problem indirectly by mentioning the bandwidth problems for the local end customer and also at the international level.
The role of quality of service as a metric was mentioned, and it was noted that the metric may suit business-critical applications and high-end applications. Examples of the Nagano Olympics (>= 100k hits/min) and Wimbledon (>= 145k hits/min) services on the web were presented. In discussing e-commerce related privacy, he noted that many companies may not have appropriate policies regarding customer privacy, this being a hot button of 1998 for the US & EU. It was noted that from the privacy view the following are critical for customer confidence: (a) preventing the leakage of customer information, (b) developing anonymous transaction technologies, (c) the need for having an information policy, (d) the need for establishing credibility and enforcement of the policy. In terms of establishing an e-commerce setup, (a) image building and (b) variable prices and negotiated deals such as auctions were discussed in detail. In discussing technology issues he noted that (a) rapid yet correct implementation, (b) deploying the new technology without disturbing the old one, (c) auditable business processes, (d) identification of new market places and their implications, and (e) insurance and travel all are to be carefully addressed. He also noted that with e-commerce comes the following set of new dynamics: (a) new intermediaries, (b) hierarchy vs new markets, (c) breaking and reformation of large firms, (d) unpredictable surges of demand, (e) unknown interaction patterns and implications, (f) complex software interactions. Scalability was discussed in terms of (a) the number of agents each customer may have, (b) network scale, (c) computing scale, (d) mobile human and agent support. Database related issues such as integrating new and old customers were discussed. Questions were raised about the Nagano and Wimbledon web access numbers provided. Someone noted that it was not clear whether the numbers given were the peak hit numbers or the average numbers.
Another person pointed that it possibly was peak number since many people check the results of certain games and not all the games. Advances in Payment Technology: Chaired by Clifford Newman, University of Southern California Electronic Commerce and the Street Performer Protocol Bruce Schneier and John Kelsey, Counterpane Systems, Bruce Schnenier presented two peer-to-peer software-payment systems designed so that every user can be a buyer as well as a seller. One of them was for online and the other was for off-line clearing. They noted that any payment system should meet the following criteria (a) secure, (b) cheap, (c) widely available, (d) peer-to-peer. They noted that making the protocol light weight meant using no or fewer public keys and hence the need for interactions with a central server which drives up the communications. In their online clearing, they allowed the users to hold only local secrets and allowed the banks to hold the global secrets. Users authenticated themselves to the trusted server of the bank instead of to each other. This protocol requires that the person accepting the payment to have an accurate clock and is very similar to Kerberos protocol. A small amount of memory to keep track of the amounts transferred recently is also needed here. All the peers have sequence numbers that should never be repeated or go backward-they increment one value at a time. If Alice wants to make payment to Carol, Alice first forms a message with her current sequence number, payment request, payment amount, hash of the audit log; Alice chooses a random key and encrypt the random key K_0 with the key she shares with the bank- K_A. She then encrypts the message with the random key and sends her ID, and the encrypted messages. Bank checks for correctness and for "good" requests generates the authorizations and send the needed authorization and additional verifier for Carol via Alice. Carol can check the amount and the authorization. 
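As an added illustration (not the authors' code), the following Python sketch runs the online-clearing flow just described with Alice, the bank and Carol as objects. It substitutes HMAC-SHA256 under K_A for the paper's K_0/K_A encryption and assumes a concrete verifier format, so it shows only the sequence-number, forgery and authorization checks, not confidentiality.

```python
"""Simplified simulation of the online-clearing peer-to-peer payment flow.

Added example, not code from the Schneier/Kelsey paper.  Assumptions:
- HMAC-SHA256 under the payer's bank key K_A authenticates the request,
  standing in for the paper's encryption of K_0 under K_A and of the
  request under K_0 (confidentiality is left out; replay/forgery are shown).
- The "verifier" the bank returns for Carol is an HMAC under Carol's own
  bank key over (payer, payee, amount, bank sequence number).
- The audit-log hash is SHA-256 over the payer's local log entries.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def _tag(key: bytes, obj) -> str:
    """Canonical JSON serialisation, then HMAC-SHA256 (hex)."""
    data = json.dumps(obj, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


@dataclass
class Peer:
    name: str
    bank_key: bytes                       # K_A: shared only with the bank
    seq: int = 0                          # never repeats, never goes backward
    audit_log: List[dict] = field(default_factory=list)

    def audit_hash(self) -> str:
        return hashlib.sha256(json.dumps(self.audit_log).encode()).hexdigest()

    def make_request(self, payee: str, amount: int) -> dict:
        """Payer side: seq, request type, amount and audit hash, tagged under K_A."""
        self.seq += 1
        body = {"seq": self.seq, "req": "pay", "payee": payee,
                "amount": amount, "audit": self.audit_hash()}
        self.audit_log.append(body)
        return {"id": self.name, "body": body, "tag": _tag(self.bank_key, body)}

    def verify_payment(self, auth: dict) -> bool:
        """Payee side: check the bank's verifier before treating the payment as good."""
        expected = _tag(self.bank_key, auth["verifier_body"])
        return hmac.compare_digest(expected, auth["verifier"])


class Bank:
    """Holds the global secrets; peers hold only their own key."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}
        self.last_seq: Dict[str, int] = {}
        self.balance: Dict[str, int] = {}
        self.bank_seq = 0

    def enroll(self, name: str, balance: int) -> Peer:
        key = secrets.token_bytes(32)
        self.keys[name], self.last_seq[name], self.balance[name] = key, 0, balance
        return Peer(name, key)

    def clear(self, request: dict) -> Optional[dict]:
        """Return an authorization plus verifier for a good request, else None."""
        payer, body = request["id"], request["body"]
        key = self.keys.get(payer)
        if key is None or not hmac.compare_digest(_tag(key, body), request["tag"]):
            return None                               # unknown payer or forged tag
        if body["seq"] <= self.last_seq[payer]:
            return None                               # replayed or reordered request
        if body["payee"] not in self.keys or not 0 < body["amount"] <= self.balance[payer]:
            return None                               # unknown payee or insufficient funds
        self.last_seq[payer] = body["seq"]            # advance only after all checks pass
        self.balance[payer] -= body["amount"]
        self.balance[body["payee"]] += body["amount"]
        self.bank_seq += 1
        vbody = {"from": payer, "to": body["payee"],
                 "amount": body["amount"], "bank_seq": self.bank_seq}
        return {"verifier_body": vbody, "verifier": _tag(self.keys[body["payee"]], vbody)}


def demo() -> dict:
    """Run one payment, one replay and one forgery; return what each side concluded."""
    bank = Bank()
    alice, carol = bank.enroll("alice", 100), bank.enroll("carol", 0)
    req = alice.make_request("carol", 30)
    auth = bank.clear(req)                            # travels to Carol via Alice
    forged = dict(req, body=dict(req["body"], seq=99, amount=90))
    return {
        "first_ok": auth is not None and carol.verify_payment(auth),
        "replay_rejected": bank.clear(req) is None,   # same seq resubmitted
        "forged_rejected": bank.clear(forged) is None,  # body altered, tag stale
        "alice_cannot_verify": not alice.verify_payment(auth),  # needs Carol's key
        "balances": (bank.balance["alice"], bank.balance["carol"]),
    }


if __name__ == "__main__":
    print(demo())
```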
They modified the protocol based on the observation that synchronization may be lost at times. The modified protocol is more complicated and calls for verifying from time to time whether the users have received all the deposits they were supposed to at the time of verification. For the case of off-line clearing, they noted the similarities to a checking account. It uses public keys and certificates with no CRL. The certificates are short lived. Clock synchronization is implicit in this protocol as well.

Variety Cash: A Multi-Purpose Electronic Payment System
Mihir Bellare, J. Garay, C. Jutla, M. Yung

In Variety Cash the issuer is the mint. Coins are tokens authenticated under the issuer's master key. The system is on-line: the issuer has a coin database and the merchant checks with the issuer for validity of the token. The master key is only at the issuer site, and spent coins can be erased from the database. At the time of withdrawal, the issuer checks the association of the user ID and the token, but the database of ID associations is separate from the coin database that the merchant can look up. They noted that coins can be bought in any number or denomination and that the protocol has atomicity for withdrawal and spending. They noted that the main cost arises from the requirement for an on-line issuer. This leads to some investment cost in processing capability for the issuer but may be reasonable for a moderate load of users. Jutla noted that they have an implementation in place.

Netcents: A Lightweight Protocol for Secure Micropayments
Tomi Poutanen, Michael Stumm, Heather Hinton

Netcents supports transactions from a penny to larger amounts. It is an off-line scheme and does not require the issuer to be around at the time of transaction. The key idea is the extension of the scrip in Millicent to floating scrip. A Netcents floating scrip is a signed container of electronic currency passed from one vendor to another such that at any time it is active at only one vendor location. The Netcents scrip is not vendor specific and contains a public part (also called the vendor scrip) and a private part. The vendor scrip contains the public key and the monetary balance, and is signed by the issuing authority and distributed to the vendor upon customer request. Purchasing is executed with the help of an electronic purchase order (EPO), which contains a snapshot of the scrip signed by the private key in the customer scrip. The EPO identifies the payer, payee, purchased item and the balance remaining. Because Netcents scrip is not vendor specific, it eliminates the need for any broker services. Netcents proposes to prevent vendor fraud by having the vendor pay an up-front fee of some sort to the bank as insurance against such fraud. Netcents is atomic in money and goods but does not support Tygar's notion of certified delivery. Netcents provides online arbitration with the audit of signed EPOs.

Session 2: Public Key Implementation Case Study
Presenter: Juan Rodriguez-Torrent, IBM and NACHA
Respondent: Steve Cohen, nCipher Inc.

Juan noted that the mission of the NACHA Internet Council is to "facilitate the development of global electronic commerce by enabling businesses and consumers to utilize present and future payments over open networks in a secure and cost-effective manner". He noted that there are three Internet Council working groups based on three components of e-commerce, namely (a) trust, (b) risk, (c) payments. Pilot assumptions were: (a) financial institutions function as CAs for their customers, (b) the pilot uses the process of authorizations for pre-authorized debits as the testing environment, (c) the pilot requires sufficient diversity to demonstrate interoperability, (d) the pilot will test online validation and CRLs. Pilot participants are: Bank of America, Citibank, Mellon Bank, Zion's Bank, CertCo & Digital Trust Company, Entrust, GTE CyberTrust, IBM Corporation, VeriSign. Other organizations involved that will form the CARAT are NASIRE, NASPO, NASACT, individual states, federal government agencies, etc. Pilot components included technical implementation, business practices, legal agreements, and certification policy. He then presented the four-corner model and identified the bank, customer and merchant communication technology requirements. Lessons learned to date were summarized as, from the legal team: certificate policy is the glue; from the technical team: (a) clarity and specificity, (b) agreements at the technical level are not sufficient, (c) there is no such thing as a small project when competing interests are present. He identified the show stoppers as (a) lack of generalized client-server software, (b) lack of user interface feedback, and (c) lack of consistency in the user interface.

Auction Markets
Chaired by Avi Rubin, AT&T Research

In a humorous effort to address the research topic of the session, Avi began the session by conducting an English auction. The initial asking price was $40. I was tempted to ask $10 below his asking price. With different bidders from the audience willing to pay more money, the auction was won by Win Treese, who paid $90 for a plaid USENIX dress shirt, a Crowds T-shirt, a ribbon that labeled him a child process (he had a baby girl a couple of weeks earlier), and the computer security book of his choice. Avi used a protocol with Bennet Yee, the program chair, as the trusted third party, and the $90 went to the charity of the winner's choice.

The Auction Manager: Market Middleware for Large-Scale Electronic Commerce
Tracy Mullen, Michael Wellman, University of Michigan

Tracy presented. Their paper addressed the problem of hiding the complexity of purchasing from a vast and dynamic array of goods and services, and presented a solution using the auction manager. Their auction manager model was part of the University of Michigan Digital Library commerce infrastructure. Their solution was based on applying inference rules for a specific buyer and seller and the possible market offerings at the time of the query. They also noted that their model was capable of responding to the dynamic nature of demand by composing or decomposing market offerings. The task is accomplished by generating and tracking auctions, matching agents to potential markets, and providing means to notify agents when the markets of interest to them are being offered. Tracy noted that they intend to experiment with various policies for auction creation in the future.

Internet Auctions
Manoj Kumar, Stuart Feldman, IBM T. J. Watson Research Center

Manoj presented. Early in his talk, Manoj noted that his work was implemented so as to reuse several parts of already existing IBM software products, reflecting Stu's keynote point of not having to disturb existing technology in another sector. Manoj noted that an auction application should be flexible enough to support various types of auctions around the global market if it is to be used successfully. Manoj and Mike (co-author of the next paper) took time to review different types of auctions. In an English or open-cry auction, buyers gather physically or virtually at a prespecified location at a fixed time. Each buyer is allowed to hear the bids of the competitors and is allowed a time window within which he/she has to offer a higher bid to be a successful bidder. In a sealed-bid auction, buyers are required to submit their bids before a deadline and the bids are kept secret until the deadline. At a certain time after the deadline, the bids are revealed and the winner is chosen. Sealed auctions can be conducted in a multiround format to simulate the "excitement" of the frenzy of the open-cry auction (which Avi conducted). Dutch auctions are better suited for perishable goods: the auctioneer asks a high price at the beginning and keeps decreasing the price until a buyer emerges at the asking price. In this type of auction, not all buyers will be given the same price. The nature of the negotiated price depends on the "desperateness" of the auctioneer. One example is airline service, which has very high price fluctuation depending on the time of purchase. Manoj noted that security is a major issue and referred to Franklin and Reiter's early work on a secure auction protocol. His talk touched upon legal issues, cheating, sabotage, scalability and availability, social issues, double auctions, and stock exchanges. His talk created a flurry of questions, as in the case of panel discussions.

Electronic Auctions with Private Bids
J. D. Tygar, Michael Harvey, CMU

Mike presented. They used the concepts of secure computation using polynomial schemes to develop computational methods for first-price and second-price auctions without revealing the individual secrets to the auctioneers. Making use of the results of the BGW paper and the error-correcting polynomial constructions therein, the authors were able to choose appropriate conditions on the polynomials to ensure not only anonymity but also error correction in their computational model.

Wednesday, September 2

Trust Models
Presenter: Paul van Oorschot, Chief Scientist, Entrust Technologies
Respondent: Bill Frantz, Electric Communities

After an announcement that both Northwest and Air Canada were now on strike, Paul van Oorschot talked about trust models for Public Key Infrastructures (PKI). Bill Frantz responded to van Oorschot's definitions. Van Oorschot received his doctorate from the University of Waterloo and is a co-author of the Handbook of Applied Cryptography. Bill Frantz has been working in the computer security business for over 25 years. He has worked on security for commercial timesharing systems, private communication systems, and systems designed for the open Internet. He is one of the early designers/implementors of the KeyKOS operating system, a secure capability-based system designed to meet B3 security requirements.

Van Oorschot defined general ideas concerning trust. The statement "A trusts B" denotes that "A assumes that B will behave exactly as A expects." In questions after the session, Greg Rose suggested that this definition was enlightening - in fact, it explains why we all trust Bill Clinton. The rest of the presentation concerned trust relationships and trust models. Common mechanisms to establish trust include hard-coded information in software (e.g., Netscape certificates), an out-of-band digest (e.g., certificate validation via fingerprints), secure communication protocols, and signatures from a trusted authority. In selecting a mechanism, one considers cost, the requirement for trust maintenance, compatibility with existing organizational capabilities, and the ability to scale.

Van Oorschot outlined four basic trust models: hierarchical, enterprise (or distributed), browser, and personal. All the models utilize the concept of a certification authority (CA) for scalability and distribution of risk. In the hierarchical trust model, all parties start with a CA's public key. In order to establish trust in another party, one needs a chain of certificates from the root CA to the party in question. The hierarchical model makes sense when there is a closed system or an obvious entity to play the role of the root CA. For instance, this makes sense for SET, where there is one root -- organizations such as VISA would operate below the root. However, it is rare for an organization to be truly hierarchical, except for a dictatorship or centralized corporate structure. Moreover, the root CA becomes a single point of failure. This would be particularly problematic if the PKI were part of a critical infrastructure. Van Oorschot also noted that a PKI should be about building communities of trust you want to belong to. This differs from the case of a closed system, where everyone would more likely join a single community of trust.

In the enterprise (or distributed) trust model, parties trust local CAs. Although there is no all-powerful authority, qualified relationships can be established between local CAs. Moreover, special cases allow for hierarchies and spoke-and-hub (e.g., the ANX automotive exchange) models. But if everyone trusts the hub to certify, the model becomes analogous in some ways to a rooted hierarchy. The key difference is that the defining characteristic of a rooted hierarchy is that trust is anchored at the root, i.e. that is where trust chains start; in the hub model, trust flows through the hub. The enterprise model makes sense when there is no obvious entity to play the role of root. Additionally, this model allows bottom-up growth (like the Internet), and no CA becomes a single point of failure.

In the browser trust model, each CA operates as a root for its own hierarchy. The browser comes stocked with a set of hard-coded CA public keys. This model is capable of large scale. However, the end user has no idea which CA key is being relied on to establish trust relationships. Also, a typical user will simply click notices away to clear the dialog boxes.

In the personal trust model (related to the web of trust), all entities are end users. Since there are no CAs, interactions are one on one. The end user imports public keys from other end users. This model best suits security-aware individuals. The model has poor scalability.

It may be desirable to be able to revoke a certificate. For instance, one could specify an expiration date or a certificate revocation list (CRL). In practice, revocation is the hardest problem. The difficulty arises not in the cryptography, but in the software engineering. Van Oorschot emphasized that short lifetimes do not work well for signature keys. A signature key typically needs to last a long time. However, short lifetimes can work when certifying encryption keys.

[Radha also observed: Van Oorschot noted that the characterizing questions/issues of trust models are: (a) who certifies the keys, (b) how easy it is to create, maintain and update, (c) granularity of trust, (d) ability of the technology to adapt to supporting existing businesses, (e) how easy it is to revoke. He noted that the granularity of trust increases in the order hierarchy --> browser --> enterprise --> web of trust (personal trust), and the capability to represent inter-business trust increases in the order hierarchy --> browser --> personal --> enterprise. He summarized his talk by pointing to the issues of (a) manageability of trust relationships, (b) each model has its place (which I call the PVO Lemma).]

In closing, van Oorschot predicted that if a global PKI arises, we will see a variety of trust models in use.

Next, Bill Frantz responded to a few points from van Oorschot's presentation. He began by telling a story of trust: "I trust my wife; she meets the definition of trust." But it is not clear whether this model is useful for commerce. Frantz also questioned van Oorschot's loose definition of trust. One trusts someone or something for a particular purpose. Trust is not binary, nor is it transitive. What level of trust is needed for commerce? Frantz drew an analogy to trade in Malaysia. Commerce is as natural to humans as breathing. A vendor trusts the paper money. A customer trusts that the goods fulfill an expectation. There is a minimal level of trust necessary for commerce.

Several audience members lined up to ask questions. An audience participant asked van Oorschot why he discussed trust as a binary relationship rather than a degree of trust. For instance, it may be common to ask how much money you would trust a person with. Van Oorschot responded with a question: do you trust someone 60% of the time? Is there a limit to trust? As far as transitivity goes, it does not hold up well. In practice, one needs contractual agreements behind all these statements. Another person asked why van Oorschot's model does not say, "A trusts B to degree D." Van Oorschot simply responded that you need to walk before you run.

Greg Rose pointed out that trust comes with risk. Whenever we introduce trust, there is automatically a risk. Rose asked whether this can work backwards: whenever there is risk, is there some implied level of trust? Frantz gave an inconclusive answer, but he believes trust and risk are related in the majority of cases.

An attendee stated that the browser trust model left out the browser manufacturer and delivery agent as trusted parties. Users are trusting more than just an explicit CA. Van Oorschot agreed that there is some degree of trust, but he chose to answer the question offline.

Dan Geer pointed out that trust is the issue, but revocation is the hard problem. Is the main issue how risk is propagated? Bankers think about cashing in by packaging risk. Aside from management of risk, a problem comes up with how to resolve disputes. Was a certificate revoked at a certain time? Frantz responded that in terms of risk management, we should not move risk around. We pay for risk one way or another. Rather, one should work on a system to reduce risk. Geer agreed, but he reasoned that if CAs are driven by banks in the future, banks will consider risks as something bought and sold at a profit. Frantz claimed this is already true for credit card based Internet commerce. It all comes down to insurance and a 3% transaction fee. Geer finally asked whether revocation models and trust models are necessarily one for one or whether they can exist in an overlapping world. Van Oorschot said there is no single answer. Whoever issues certificates should be responsible for revoking its own certificates. Frantz evaded the question by saying, "I hope to read the proceedings in the next conference."

The next question involved identification. Van Oorschot explained that an organization selling certificates could sell a money-back guarantee that a particular individual is bound to a particular key. In $10 million transactions, there is no way to expect a $10 certificate to hold water. Authorization is different from endorsing a public key. It's a matter of trust in a public key versus trust in what the public key stands for.

Another audience member asked whether bootstrapping based on passwords is weak. "All cryptography reduces you to trusting keys," van Oorschot reminded the audience. The cheapest method is a password. If one is willing to pay more, one can require a hardware token. Biometrics are another option. Frantz further commented that password security depends on physical security.

The following question began with a monologue, summarized below, on "a neat toy" called public key signatures. Since we have this high-tech wax seal, we are tempted to find new uses for it. For years, people have made commercial transactions under common law, which dictates how to deal with someone who cheats or refuses to pay. It seems as if we try to solve everything with public key cryptography. We are technologists, not attorneys. Why fit business models to tools instead of fitting tools to business models? Van Oorschot responded, "If you can save money."

Another audience member asked how Entrust Technologies intends to apply its patent on CRLs. Entrust is making it available royalty free on the condition that those who want to use the CRL technology must make any of their related technology free as well. This statement drew much applause from the audience.

Earlier, Frantz advised reducing risk rather than moving risk around. An audience member commented that one can shift risk to a place you do not care much about, but you are almost always moving risk. Frantz responded with a counterexample. Online credit card validation reduces risk when compared to offline credit cards. A clerk could thumb through revoked credit card numbers -- or not bother. Technology has reduced the risk. Van Oorschot hinted that looking at who owns the risk is a good place to start.

Secure Systems
Session Chair: Mark Manasse, Compaq Systems Research Center

A Resilient Access Control Scheme for Secure Electronic Transactions
Jong-Hyeon Lee, University of Cambridge

Jong-Hyeon Lee spoke about a way to authenticate customers without having to disclose customer secrets to a merchant. Lee is a student of Ross Anderson. Incidentally, Lee is also capable of security in two dimensions -- Aikido. Despite their vulnerability to copying, passwords and Personal Identification Numbers (PINs) commonly authenticate customers to service providers. Lee sought a simple and secure electronic transaction model that neither explicitly transfers customer secrets nor uses public key cryptography. A scheme by Needham to control PINs is simple, provides for privacy, separates capabilities, and is customer-oriented. However, it is susceptible to replay attacks and bogus ATM machines. Inspired by Needham's scheme to control bank PINs, Lee developed a customer-oriented transaction model in which the customer generates and maintains personal secrets. The model allows for a transaction procedure amongst three principals: a customer, a merchant, and a bank. Principals can participate in registration, transaction, or secret-revocation procedures. A somewhat lengthy protocol describes the communication amongst the principals. By using only hash functions, Lee's model enhances privacy for the customer and ensures non-repudiation. The registration procedure mimics that of Needham's scheme and the transaction procedure uses a technique from KryptoKnight. In Lee's online scheme, the customer is involved in all procedures. An offline scheme works in a similar manner, but there is some extra communication between the merchant and customer. Asked whether there exists an implementation, Lee explained that there is as yet no implementation of this scheme, but there is one for Needham's scheme. See http://www.cl.cam.ac.uk/~jhl21 for more information.

----

Trusting Trusted Hardware: Towards a Formal Model for Programmable Secure Coprocessors
Sean W. Smith and Vernon Austel, IBM TJ Watson Research Center

Sean Smith from the Secure Systems and Smart Cards group of IBM presented his findings on proving the security of secure coprocessors with respect to FIPS 140-1 level 4 certification. His group worked on three goals: achieving level 4 certification as a research project, verifying the soundness of (or finding the holes in) the coprocessor, and formally describing the coprocessor. The Federal Information Processing Standard (FIPS) 140-1 specifies security requirements for cryptographic modules. The most stringent level in the standard, FIPS 140-1 level 4, requires a formal model of a system and a formal proof of security. As of this writing, level 4 is as yet an unachieved grail. A secure coprocessor is a piece of hardware that must survive in a hostile environment. It must guarantee that memory contents will be zeroized upon any foreseeable attack. A secure coprocessor needs to defend against threats such as changes in voltage, temperature, and radiation. Such a programmable device is useful for e-commerce. A mechanical theorem prover iterated over a logical abstraction of the coprocessor. First, a formal model was made from a finite state machine. Then a specification was written in LISP to prove simple properties of security. The proof must show that the coprocessor maintains its security guarantees despite hardware failures and hardware attacks. Guarantees for security fall into three categories: safe execution, safe access, and safe zeroization. Other assertions include authenticated execution, recoverability, and fault tolerance. The proof involves 2000 lines of C, 75 execution states, and 7500 lines of mechanical proof. Right now just the hardware and bootstrap are being submitted for level 4 certification. IBM's plans for actual certification are still undecided. In this research, IBM went through a lot of the legwork for the bootstrap layer as an exercise. However, Smith notes it would be "really cool" to go all the way with it. In the future, Smith hopes to evaluate the programs on the coprocessor. However, Smith expects complications, since the hardware could interrupt the software and the software could start interrupting the software.

Pointing out that FIPS is aging, an audience member asked Smith to share hints on where FIPS is falling short and where it goes too far. Smith replied that on the too-stringent side, FIPS requires the use of DSA for signatures. Everyone wants to use RSA, but to be FIPS compliant the coprocessor must contain algorithms no one wants to use. On the other hand, FIPS does not address security requirements of the manufacturing process. Another audience member brought up the topic of differential power analysis with current fluctuations. Many security attacks result from crossing levels of abstraction (power analysis, buffer overruns, etc.). Smith was ambivalent on whether good proof techniques can capture these attacks. For more information, see http://www.ibm.com/security/cryptocards/ and the IBM 4758 product brochure G325-1118.

----

On Secure and Pseudonymous Client-Relationships with Multiple Servers
Daniel Bleichenbacher, Eran Gabber, Phil Gibbons, Yossi Matias, and Alain Mayer, Lucent Technologies, Bell Laboratories
{bleichen, eran, gibbons, matias, alain}@research.bell-labs.com

Alain Mayer talked about Janus, a cryptographic engine to establish and maintain pseudonymous relationships. Mayer enjoys hacking JavaScript and having fun on the web. Coincidentally, Mayer uses the same Microsoft clip art in his presentation as does the Crowds project. Janus facilitates relative pseudonymity. That is, a client is anonymous with respect to the client population (e.g., an ISP customer base). The server knows a message came from a particular client population, but it does not know which member of the population. Janus also allows for persistent relationships between clients and servers. Weak or strong authentication via passwords or keys allows for repeat visits. Absolute anonymity is hard to achieve; there is a penalty in ease of use and performance. The work on Janus is complementary to other anonymizing efforts and can be combined with other techniques. There is a distinction between data anonymity and connection anonymity. In data anonymity, data flowing over a connection does not reveal an identity; in this case the adversary would attack server endpoints. In connection anonymity, the connection itself does not reveal an identity, and the vulnerability is traffic analysis.

There are several candidate Janus functions. Mayer has three requirements of the function. First, it must ensure uniqueness of aliases among clients and resist impersonation. In other words, it must be hard to find an input that results in the same alias. Second, the function must not reveal information about the client. Third, there must be forward secrecy and statelessness for client mobility. Mayer described one such function involving a password-keyed hash of a client identifier, server identifier, and a usage tag.
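An added Python example of such an aliasing function (not Lucent's or the paper's code): it keys HMAC-SHA256 with the client's password, an assumption standing in for the CBC-MAC the authors prefer, derives a per-server username, password and mailbox from the (client, server, usage) triple, and shows the alias-based junk-mail filtering the talk mentions. The client ids, server names, secret and mail messages are all constructed.

```python
"""Janus-style alias function: added example, not Lucent's or the paper's code.

The page describes a password-keyed function of (client id, server id, usage tag).
Here the keyed function is HMAC-SHA256 under the client's secret, an assumption in
place of the CBC-MAC the authors prefer; the alias is the truncated MAC in hex.
Nothing is stored between calls, so a mobile client can recompute every alias.
"""
import hashlib
import hmac
from typing import Dict, List


def janus(secret: bytes, client_id: str, server_id: str, usage: str, nbytes: int = 10) -> str:
    """Deterministic alias for one (client, server, usage) triple."""
    fields = (client_id.encode(), server_id.lower().encode(), usage.encode())
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(secret, msg, hashlib.sha256).digest()[:nbytes].hex()


def server_credentials(secret: bytes, client_id: str, server_id: str,
                       mail_domain: str) -> Dict[str, str]:
    """The alias, password and mailbox a Janus engine would hand to one server."""
    return {
        "username": janus(secret, client_id, server_id, "username"),
        "password": janus(secret, client_id, server_id, "password", 16),
        "email": janus(secret, client_id, server_id, "email") + "@" + mail_domain,
    }


def filter_inbox(messages: List[dict], blocked_alias: str) -> List[dict]:
    """Drop mail sent to one alias (e.g. one a server leaked or sold).

    Only the alias string is needed, so a third party can run this filter without
    knowing the client's secret; mail to aliases issued to other servers is untouched.
    """
    return [m for m in messages if not hmac.compare_digest(m["to"], blocked_alias)]


def demo() -> dict:
    secret = b"correct horse battery staple"          # constructed client password
    alice, domain = "alice@isp.example", "lpwa.example"
    nyt = server_credentials(secret, alice, "nyt.com", domain)
    yahoo = server_credentials(secret, alice, "my.yahoo.com", domain)
    bob_nyt = server_credentials(b"bobs-password", "bob@isp.example", "nyt.com", domain)
    inbox = [                                          # constructed sample mail
        {"to": nyt["email"], "subject": "Your daily headlines"},
        {"to": nyt["email"], "subject": "Cheap watches"},     # alias leaked to a spammer
        {"to": yahoo["email"], "subject": "Portfolio"},
    ]
    return {
        # persistent relationship: same inputs (server id case-normalised) give same alias
        "stable": nyt == server_credentials(secret, alice, "NYT.com", domain),
        # two servers cannot link Alice's aliases to each other
        "unlinkable": nyt["username"] != yahoo["username"],
        # two clients never collide at the same server
        "unique": nyt["username"] != bob_nyt["username"],
        # blocking the leaked NYT alias leaves the Yahoo relationship working
        "kept_subjects": [m["subject"] for m in filter_inbox(inbox, nyt["email"])],
    }


if __name__ == "__main__":
    print(demo())
```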
Mayer finds the CBC-MAC approach more promising than a simple hash because secrecy under a chosen message attack implies secrecy of passwords. The CBC-MAC approach fulfills all three requirements. Janus works with email aliases. Aliased email can also help filter junk mail. A client may have a different mailbox for each server. One can filter (even by a third party) by ignoring mail to a particular alias for a server. Mayer also explained several places to house a Janus engine. In a local approach, the Janus engine lives in the client. Aliases would be routed through a proxy. This minimizes outside trust and cooperates with mobile code and Personal Privacy Preferences (P3P) repositories. In a gateway approach, a client need not download software. This allows easy upgrades and maintenance. In a third party approach, the Janus engine would exist in the outside world. The third party preserves subnet anonymity. Mayer pointed out that if you look at a gateway or local approach, the domain name or IP address does not reveal its alias or real address. A vendor could ask for a credit card for identity validation. An audience participant asked whether anonymity is really beyond research and useful in real world. Mayer responded that according to surveys on electronic commerce, end users worry about privacy. A high percentage of users leave sites which present a fill-out form. To demonstrate practicality, Mayer offered the example of personalized web pages. A user no longer must remember passwords for services such as My Yahoo or NYT. Janus can be a tool to make personalized sites as easy to visit as regular sites. The Lucent Personalized Web Assistant uses a Janus engine. See http://lpwa.com:8000/ for more information. Luncheon Talk: Digital Bearer Settlement and the Geodesic Economy Robert Hettinga, Philodox Financial Technology Evangalism Robert gave me the following site for details on his work (www.philodox.com). He mentioned in his talk it is not about privacy. 
It is about reducing risks and financial costs. Building hierarchical societies along the way to civilization was noted and it was noted that applying too paranoid models ==> non-profitability. Applying financial cryptography to bearer settlement should be cheaper. Since his talk was directed to indicating that there was no strict need for structural procedures, someone pointed out that "Bunch of strangers collaborated in Titanic" and someone else pointed out Titanic was a disaster. I could not really extract more out of his talk. Panel Discussion on Electronic Commerce Needs No PKI Presenter: Win Treese, Open Market Respondent: Joan Feigenbaum, AT&T Labs- Research Win noted that why do we need certificates? He noted that Cisco/Amazon/Dow are already online line without PKI. He also noted that PKI is not an enabler for e-commerce. He then presented the following trap that often used: "e-comm needs security --> PKI is needed --> Bring PKI". He noted that before plugging the PKI, one needs to look at what the business model is and how the money is supposed to be made. He presented the following examples Basic Models ____________________________________________________ | Xaction Relationship | |---------------------------------------------------| Retail | amazon.com Consumer Reports| | Business Week | | Financial Times | |___________________________________________________| | | Business to | Computers Supply chain | Business | Office Supplies EDI | |___________________________________________________| He noted that the PKI systems that need to have the following properties: (a) simple, (b) usable, (c) understandable, (d) solves business problems, (e) framework should be simple so that, user need not worry about it in terms of legal issues, and the business implications of being simple. He pointed that the journey is as important as the directions and concluded. 
Joan responded by noting that the commonly assumed phone book metaphor for PKI is not "good", and pointed out that the DH paper probably led to this interpretation. Instead of narrowly defining PKI as identifying an individual to a key (or as a phone book), she preferred to bind a key to an authorization related to some privilege. She noted that in e-commerce, a public key may be used to authorize a transaction by signing it, and the act of signing is an authorization bound to the key, not a directory-listing-based binding to a name. Joan further pointed out that the binding of credentials to the key should incorporate more information related to the authorization the key carries for different applications. She also noted that more e-commerce applications would benefit from widespread deployment of an application-independent, general-purpose notion of "proof of compliance". One of the audience kept arguing that PKI is absolutely not needed.

Deployable Internet/Web Services
Session Chair: Doug Tygar, CMU

Secure WWW Transactions Using Standard HTTP and Java Applets
F. Bergadano, Universita di Torino, Italy; B. Crispo, University of Cambridge and Universita di Torino; M. Eccettuato, Universita di Torino, Italy

Francesco Bergadano presented an alternative for securing HTTP transactions. This solution uses local Java applets on the client side to establish a secure link with the server. Existing solutions include modifications to the application protocol (e.g., SHTTP), a secure transport below the browser (e.g., SSL/TLS, DCE-Web transport APIs), proxy-based services, and network layer changes (e.g., IPsec). Bergadano's group wanted to achieve privacy, authentication, and possibly non-repudiation. However, they did not want to implement a new browser or modify existing browsers. Moreover, they wanted to provide strong cryptography and make the source code freely available. The proposed architecture uses normal HTTP, TCP, and a Java-capable browser.
Essentially the client runs an applet from the server. This applet triggers a local applet that communicates with a local application on the client. This application in turn creates an encrypted channel with the server. This approach requires relatively few changes. More important, Bergadano claims it does not require trust of the browser. It is desirable to separate security routines from the browser. This approach is similar to a proxy-based approach. However, a proxy must intervene with all communication. Bergadano's approach only becomes active when an HTTP transaction is explicitly asked to be secure. Launching several questions, Avi Rubin asked Bergadano to answer just one: Where did you put security, is it better than SSL, why can't you run a simple proxy, and are you assuming you can change a firewall configuration? Taking a deep breath, Bergadano jokingly asked what time is dinner. He chose to answer the SSL and firewall question. In the case of SSL, one needs a trusted browser which supports SSL. In Europe, one cannot easily obtain a standard browser with strong cryptography. As for the firewall, Bergadano reported that the implementation was run on an open network. He was unsure about interactions with a firewall since a secondary channel must be established between the client and server. Another USENIX attendee commented that if this approach gets well used and works, it would be consumed by a browser. For more information and the source code, see http://security.unito.it/. ---- SWAPEROO: A Simple Wallet Architecture for Payments, Exchanges, Refunds, and Other Operations Neil Daswani, Dan Boneh, Hector Garcia-Molina, Steven Ketchpel, and Andreas Paepcke, Stanford University {daswani, dabo, hector, ketchpel, paepcke}@cs.stanford.edu Neil Daswani, a graduate student at Stanford, presented the SWAPEROO digital wallet project. 
Started in September 1997, this project aimed to identify desirable wallet properties and features, define a wallet interaction model, define clean APIs for a wallet and its components, and build a prototype. Daswani's group decided that a generalized wallet should be extensible, non-web-centric, symmetric, and client-driven. First, a wallet architecture should be extensible. Rather than being completely proprietary, it should support multiple instruments and protocols. Second, a wallet architecture should not rely on a web interface as the sole common interface. The basic architecture should be written once to be run anywhere. This enables the use of alternative devices such as Personal Digital Assistants (PDAs). Third, symmetry allows for common services across commerce applications. Current wallet implementations are often non-symmetric; little infrastructure is shared between the client and server sides. Fourth, a wallet architecture should be client-driven. The user should initiate all transactions. Vendors should not be capable of automatically invoking a client's digital wallet. After all, would you want a vendor reaching for your wallet as soon as you enter a store? Next, Daswani described a wallet interaction model. This has many steps and is included in the proceedings. After starting a transaction, wallets can negotiate on a protocol. Because of symmetry, the user and vendor have similar wallets. SWAPEROO has been implemented in C++ (PalmOS) and Java (Windows). Future work includes populating the wallet, experimenting with other devices (e.g., smart cards), working on the architecture, and abstracting out the data manager. One question was asked about symmetry. Since everyone would have wallets of a similar design, is there any reason clients would not want to communicate with each other? Daswani responded that there are no restrictions. Another question involved protection of the wallet's memory. 
Given that the wallet must be run in some protected memory, how are new instruments and protocols securely installed and initialized? Daswani answered that for PalmPilots, this is a problem. However, by running the wallet in an environment with a capabilities-based security model, such as the Java Gateway Security Model, new modules could safely be linked into the wallet from trusted third parties. A related paper on the PalmPilot implementation will appear in the future. The PalmPilot implementation lets a user buy a food item from a particular vending machine at Stanford. For more information, see http://www-db.stanford.edu/~daswani/wallets/

The wallet architecture diagram in the paper is a bit more complicated: [Diagram: a user interface and a user profile manager sit above an API into the wallet controller; the wallet controller is linked to the instrument manager, to the protocol manager, and through a client API to the client; the protocol manager in turn sits above the communication manager.]

The Eternal Resource Locator: An Alternative Means of Establishing Trust on the World Wide Web
Ross Anderson, Vashek Matyas, Fabien A. Petitcolas, University of Cambridge
{rja14, vm206, fapp2}@cl.cam.ac.uk

This paper presented the authors' experience with the development of an infrastructure that would support reliable electronic distribution of medical books, hot news and regulations. The authors noted that the use of X.509 was strongly opposed by the medical community, and that the EU rules are based on an argument by Alexander Rossnagel that electronic structures should reflect professional practice. Moreover, attempts by the German and Austrian governments to use smart cards as access tokens for both patients and doctors failed, since the cards had centralizing effects.
The authors noted that in their efforts to implement the system, they were forced to realize that a tree of hashes should be the primary mechanism for protecting the information, with the X.509 mechanism used as a secondary one for limited tasks in the case of medical and book publishing. They then tried to show how this can be used for general web publishing. In web related publishing, instead of signing the whole web page, they proposed to sign a part of the page denoted as the HASHBODY using the algorithms specified in the HASH element. The HASH element contains (a) methods specifying the hash algorithms, (b) the value of the hash, (c) a hash chain path that can be used to check the integrity of a given page, and (d) the URL attribute, optionally indicating where the page normally resides. The authors note that checking the hash involves computing the hash value over all the bytes of an HTML document between the hash-input border tags and comparing it with the one provided within the hash input. The authors call this URL-with-hash an ERL or "eternal resource locator", since it makes static objects unique forever.

Vashek Matyas presented the results of an alternative means of managing trust in electronic publishing. He spoke about WAX, a proprietary hypertext system for medical publishing. WAX uses hashes in combination with HTML links as an Eternal Resource Locator (ERL). Matyas is also the co-editor of the Global Trust Register, a massive directory with its own rating scheme of "top-level" PGP keys and X.509 certificates. In the hierarchical WAX system, there are shelves owned by publishers, books owned by editors, and chapters owned by authors. WAX must protect against several threats: book contents could be altered, an incorrect book source could be claimed, or a publisher or author could deny past content. Matyas stressed that there are no confidentiality or audit requirements - only integrity and authenticity. The WAX system originally used RSA for digital signatures.
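The HASHBODY check described above, as an added example that is not the authors' WAX code: the publisher commits to the bytes between the border tags in a HASH element, the reader recomputes the hash over exactly those bytes, and a link carrying a HASHVALUE parameter is checked against the fetched page. The attribute syntax (METHOD, VALUE, URL, HASHVALUE) and the hash_body/verify_erl_document helper names are assumptions, not the paper's grammar.

```python
import hashlib
import hmac
import re

# Element and attribute names follow the paper's description (HASH element with
# method, value and URL attributes; HASHBODY border tags around the protected
# bytes); the exact attribute syntax is an assumption, not the WAX/ERL grammar.
HASH_RE = re.compile(rb"<HASH\s+([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(rb'(\w+)="([^"]*)"')
BODY_RE = re.compile(rb"<HASHBODY>(.*?)</HASHBODY>", re.IGNORECASE | re.DOTALL)
METHODS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}


def make_erl_document(body: bytes, method: str = "sha256", url: str = "") -> bytes:
    """Publisher side: wrap the page body so the HASH element commits to it."""
    value = METHODS[method](body).hexdigest()
    url_attr = b' URL="' + url.encode() + b'"' if url else b""
    return (b'<HTML><BODY>\n<HASH METHOD="' + method.encode()
            + b'" VALUE="' + value.encode() + b'"' + url_attr + b">\n"
            + b"<HASHBODY>" + body + b"</HASHBODY>\n</BODY></HTML>\n")


def parse_hash_element(document: bytes) -> dict:
    """Return the HASH element's attributes with lower-cased keys."""
    m = HASH_RE.search(document)
    if m is None:
        raise ValueError("no HASH element")
    return {k.decode().lower(): v.decode() for k, v in ATTR_RE.findall(m.group(1))}


def hash_body(document: bytes, method: str) -> str:
    """Hash every byte between the HASHBODY border tags, exactly as served."""
    m = BODY_RE.search(document)
    if m is None:
        raise ValueError("no HASHBODY element")
    return METHODS[method](m.group(1)).hexdigest()


def verify_erl_document(document: bytes) -> bool:
    """Reader side: recompute the body hash and compare it with HASH VALUE."""
    try:
        attrs = parse_hash_element(document)
        method = attrs.get("method", "").lower()
        if method not in METHODS:
            return False  # unknown (or deliberately weakened) method: reject
        return hmac.compare_digest(hash_body(document, method), attrs.get("value", ""))
    except (ValueError, UnicodeDecodeError, TypeError):
        return False


def make_link(href: str, target_document: bytes) -> str:
    """An A element that carries the target's committed hash as HASHVALUE."""
    value = parse_hash_element(target_document)["value"]
    return f'<A HREF="{href}" HASHVALUE="{value}">'


def follow_link(link_hashvalue: str, fetched: bytes) -> bool:
    """Browser check when following such a link: the fetched page must verify
    on its own and its committed hash must equal the one the link expected."""
    if not verify_erl_document(fetched):
        return False
    return hmac.compare_digest(parse_hash_element(fetched)["value"], link_hashvalue)


if __name__ == "__main__":
    page = make_erl_document(b"<P>Dose: 500 mg twice daily</P>")  # constructed body
    print(verify_erl_document(page), verify_erl_document(page.replace(b"500", b"5000")))
```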
However, problems cropped up. In particular, RSA digital signatures require a Public Key Infrastructure (PKI), expiring keys cause problems for long-lasting information, compromised keys are difficult to address, and RSA-DSI royalties were expensive. As a result, WAX uses one-time signatures as an intermediate solution. New HTML elements allow hashes and public keys to be embedded in documents. In addition to the standard linking information, the A element also includes a HASHVALUE parameter. When a browser follows a link, it can hash the appropriate contents and verify whether the document is authentic. For instance, a link may appear as link. The examresults page would contain further information to reconstruct the hash. Pure ERLs apply easily to static texts (e.g., health care, law and contracting, banking). One can also store hashes with bookmarks for change control. Additionally, this system can interact with public key mechanisms. Currently, work progresses on medical applications (WAX, British National Formulary), incorporation of XML discussed with industrial partners, and formalization of the ERL logic extended by public key parameters. For more information, email vm206@cl.cam.ac.uk or visit http://www.cl.cam.ac.uk/~fapp2/papers/ec98-erl/ or http://www.medinfo.cam.ac.uk/wax/

----

Detecting Hit Shaving in Click-Through Payment Schemes
Michael Reiter, AT&T Labs - Research; Vinod Anupam and Alain Mayer, Lucent Technologies, Bell Laboratories
{reiter,anupam,alain}@research.bell-labs.com

"Sheriff" Mike Reiter analyzed several mechanisms to calculate upper and lower bounds on referrals to another site. This is particularly useful in web advertising where an advertiser receives a payment directly proportional to the number of "click throughs" generated. This paper received the best paper award. Reiter received his doctorate from Cornell, then moved to AT&T labs. He is now moving to Lucent.
A user U "clicks through" site A to site B if A serves a page to U and then U clicks on a link in A's page to reach B. Here A is the referrer and B is the target. In a click-through payment scheme, B pays A for each referral that A gives to B. There are two common forms of fraud in click-through payment schemes. Hit shaving results when site B fails to credit site A for referrals. Hit inflation results when site A causes bogus referrals to site B. This paper discusses practical and immediately useful techniques to detect hit shaving. Reiter described two classes of solutions to detect hit shaving. In a heuristic approach, the target site need not cooperate or even have knowledge of the process. But in a cooperative approach, one can achieve better accuracy and non-repudiation of click throughs. For both classes, the detection techniques are mostly invisible to the user. The detection process must enable site A to monitor how often site B receives a request from any user U with a referrer field indicating A. This leads to the question of how to calculate upper and lower bounds on hit counts. Site A can record an upper bound on its referrals to site B with no cooperation from B. When user U clicks on a link to site B, A is told about the click. Then user U continues to B. One can implement this using HTTP redirection or a CGI script. A second approach uses JavaScript and an invisible frame to notify site A of the intent to follow a link. These techniques produce an upper bound because one cannot be sure whether B actually receives the hit. The notification represents the intention to visit site B, but not a guarantee to visit site B. Techniques to calculate a lower bound are not so clean or simple. After a user follows the link on site A to reach site B, the user notifies site A. A receives notification only if the connection to B worked. Reiter described a rather complicated procedure which spawned a new browser window and used JavaScript. 
Since one window cannot access another window's namespace, there are a few hoops to jump through. A detection window probes the namespace of the window attempting to contact site B. When the detection window is no longer allowed to probe the other window, it knows the connection to site B was successful. The detection window then notifies site A by requesting a particular URL. The lower bound technique has a few caveats. The user might close the window before A is notified. Additionally, this only detects that some page is loaded. The user may have stopped the request to site B and traveled elsewhere. A few tricks (e.g., hiding the toolbar) can make it hard for the user to by-pass the notification process, but they can also annoy the user. Reiter suggests using both lower and upper bound detection on referrals. The two measurements should be fairly similar. In the cooperative approaches, site B acknowledges each referral as the referral happens. In a naive solution, B would open a connection to A for each hit. In a distributed approach, B's page would make the user request another page from site A as an acknowledgment. It is also possible to provide for non-repudiation with digital signatures. B includes a digital signature while serving a page. However, this could easily become prohibitively costly. Hash chaining can alleviate some of the performance problems. Reiter revealed a few disadvantages of hit shaving detection. There is a negative impact on user privacy. Web sites can discover your browsing habits. The schemes are also incompatible with anonymizing services such as Crowds or LPWA. Questions began on a humorous note. How did Reiter become involved with this project? The saga began when Reiter placed his email address on a web page. A spammer sent an email about click-through payments and that a 1998 Corvette would be awarded for the highest number of click throughs.
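The referrer-side bookkeeping for the redirect-based upper bound and the distributed (acknowledgment) cooperative scheme, as an added example that is not the paper's code: site A rewrites outbound links through a /click endpoint, logs the click, redirects, and later counts the acknowledgment that B's served page causes the browser to fetch. The endpoint names, the ref parameter, the paying-target allow-list and the ReferrerAccounting class are assumptions; the JavaScript lower-bound trick is not shown.

```python
import secrets
from urllib.parse import parse_qs, quote, urlparse


class ReferrerAccounting:
    """Site A's bookkeeping for referrals to a target site B (constructed example).

    handle_click implements the upper bound: A sees the click, then redirects.
    handle_ack implements the cooperative scheme: the page B serves makes the
    browser fetch an acknowledgment URL on A that names the click."""

    def __init__(self, paying_targets):
        # Only redirect to hosts A has a click-through agreement with; an
        # unrestricted /click endpoint would be an open redirector.
        self.paying = set(paying_targets)
        self.pending = {}   # click id -> target host, until acknowledged
        self.upper = {}     # target host -> clicks A observed
        self.acked = {}     # target host -> clicks B acknowledged

    def link_for(self, target_url: str) -> str:
        """Rewrite an outbound link so the click passes through A first."""
        host = urlparse(target_url).hostname
        if host not in self.paying:
            raise ValueError(f"{host!r} is not a paying target")
        return "/click?to=" + quote(target_url, safe="")

    def handle_click(self, query_string: str):
        """/click handler: record the referral, then 302 the user on to B.
        Returns (status, location) as the HTTP response would."""
        target = parse_qs(query_string).get("to", [""])[0]
        parsed = urlparse(target)
        if parsed.scheme not in ("http", "https") or parsed.hostname not in self.paying:
            return 400, None
        click_id = secrets.token_urlsafe(12)
        self.pending[click_id] = parsed.hostname
        self.upper[parsed.hostname] = self.upper.get(parsed.hostname, 0) + 1
        # B learns the click id from the URL and echoes it in its acknowledgment
        sep = "&" if parsed.query else "?"
        return 302, f"{target}{sep}ref={click_id}"

    def handle_ack(self, query_string: str) -> bool:
        """/ack handler, requested by the page B served. Each click id counts
        once, so a replayed or forged acknowledgment cannot inflate the count."""
        click_id = parse_qs(query_string).get("ref", [""])[0]
        host = self.pending.pop(click_id, None)
        if host is None:
            return False
        self.acked[host] = self.acked.get(host, 0) + 1
        return True

    def shaving_report(self, host: str) -> dict:
        """Compare what A observed with what B acknowledged; a persistent gap
        well beyond normal abandoned connections suggests hit shaving."""
        seen, acked = self.upper.get(host, 0), self.acked.get(host, 0)
        return {"upper_bound": seen, "acknowledged": acked, "unacknowledged": seen - acked}
```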
Thinking something must be fishy, Reiter began to analyze click-through payment schemes. A few questions about ethics and morality popped up. All concerned impediments to the user (e.g., awkward windows popping up) and pornography. Reiter cleverly escaped the questions with witty remarks. However, Reiter made it clear that improving the porn industry is not his goal. Click-through payment schemes are relevant for all types of web advertising. Finally one attendee pointed out that these schemes act like a poor man's Remote Procedure Call via URLs. Asked whether he was on to something bigger, Reiter replied that there might be overlap or some related opportunities.

Thursday, Sept 3rd

Consumer Service
Chaired by Win Treese, OpenMarket, Inc.

Sales Promotion on the Internet
Manoj Kumar, Quoc-Bao Nguyen, Colin Parris, Anant Jhingran, IBM T. J. Watson Center

Manoj presented a sales promotion application for distributing and redeeming coupons on the Internet. The talk focused on the fraud related issues and economic related pricing. Manoj also noted that a model was implemented at IBM.

[Our report authors were unable to attend the remainder of the sessions. The rest of the conference schedule is as follows.---Ed.]

General-Purpose Digital Ticket Framework
Ko Fujimara and Yoshiaki Makajima, NTT Information Communication Systems Labs

Towards a Framework for Handling Disputes in Payment Systems
N. Asokan, Els Van Herreweghen, and Michael Steiner, IBM Zurich Research Laboratory

Session: Current Mapping of PKI to Law
Presenter: Dan Greenwood, Commonwealth of Massachusetts
Respondent: Jane Winn, Southern Methodist University School of Law

Panel: Name-Centric vs. Key-Centric PKI
Moderator: Bob Blakley, IBM
Key-Centric Presenters: Carl Ellison, Intel; Perry Metzger, Piermont Information Systems
Name-Centric Presenters: Warwick Ford, Verisign; Steve Kent, CyberTrust Solutions, GTE

Schedule of Short Talks/Works-in-Progress Reports (WIPs)
Secure JavaScript in Mozilla: Vinod Anupam & Alain Mayer, Bell Labs; Murali Rangarajan, Rutgers University
Electronic Commerce on the Move: John du Pre Gauntt, Public Network Europe, The Economist Group
Electronic Multidimensional Auctions: Otto Kopplus, Erasmus University, Rotterdam
Multi-Agent Contracting: Maksim Tsvetovat, University of Minnesota
Smart Card Deployment Within a Closed PKI: Bob Carter, InterClear
Onion Routing Status Report: Paul Syverson, Naval Research Laboratory
A Trustee-Underwriter Model for Digital Bearer Transaction Settlement: Robert Hettinga, Philodox

______________________________________________________________________
NSPW '98: New Security Paradigms Workshop
September 22-25, 1998, Charlottesville, Virginia
by Mary Ellen Zurko, Iris Associates (mzurko@iris.com)
______________________________________________________________________

I apologize to all the attendees whose comments I noted but forgot to whom to attribute them.

New Security Paradigms Workshop 1998 was held at the Boar's Head Inn in Charlottesville, VA, and chaired by Bob Blakley (IBM). NSPW is a workshop set up to foster and explore new approaches to security. The workshop founder, Hilary Hosmer (Data Security Inc.), chaired the first session, The Software Life-Cycle. The first paper, "Toward A Secure System Engineering Methodology", by Chris Salter (NSA), O. Sami Saydjari (DARPA), Bruce Schneier (Counterpane Systems), and James Wallner (NSA), was presented by Sami. Sami is a DARPA PM interested in redirecting community energy toward solving the hard problems of information system security engineering.
He suggests that the government contribute threat models and the community contribute its expertise in quality system engineering. He believes that current DoD issues, such as the need to use new advances in network technology and full integration of all aspects of the system, reflect industry issues. The DoD needs to use commercial technology, standards-based applications, crypto and public key infrastructures, and needs to ensure the information it manages is available to the users who need it. It needs automated systems that remove the latencies in the system. Sami sees technology as the key driving factor; if the technology is irresistible, the DoD will use it. Sami suggests that we work on determining and then strengthening the weakest link, the place where the work factor for the adversary is lowest. We should also model both adversary behavior and the effectiveness of countermeasures to determine the likeliest targets. We need to determine how to build a secure system from flawed and tampered pieces. We need to take a look at the community that creates reliable systems out of unreliable components. We need to make flexible, controllable systems so that they can be changed as the adversary's strategy changes. He recommends the Joint Vision 2010 paper for understanding the future of warfare. There was much discussion about whether the DoD recognizes this sea change, and if so, which parts. Mike Williams pointed out a paper on a defect-tolerant computer architecture from Science this year, by the UCLA department of chemistry and HP. Another participant suggested that our old adversarial model is obsolete. It's not a simple chess game but a game with multiple sides with shifting alliances, cheating, shifting rules, and so on. Another argued that efficiency is often the enemy of survivability. Sami argued that we need to do them both; that's the paradigm shift he's looking for.
The second paper was "Security Engineering in an Evolutionary Acquisition Environment" by Marshall D. Abrams (The MITRE Corporation). His paper is about engineering as opposed to computer science and advocates evolutionary system development as a new paradigm to help understand large systems. Since you cannot state the requirements at the beginning, he is trying to merge the evolutionary spiral model with security engineering to put security in the system from the beginning. He is working on an FAA project right now that is attempting to do this. They are going to learn from experience; the first iteration will be highly imperfect. The cycle is called "the wheel of reincarnation". They will analyze the security risk (which involves considerable judgement), develop a risk management plan (where the biggest risk is career risk), and choose a mix of countermeasures that provide adequate protection within available funding without impeding the efficient flow of information to those who require ready access to it. Then they'll develop the system, apply system security engineering tools, test and verify. At that point, the next iteration begins. They're about > through the first iteration of trying this model out. Establishing and controlling requirements and reviewing against them has worked really well. Working with the contractor has worked less well; it's been hard getting everyone working on the same objectives. They've insisted on putting all security features in the prototypes, because prototypes get fielded. Some discussion touched on whether to assume that all software was already subverted. Someone called it the "rhinoceros in the parlor": something that we all know about but don't want to discuss. Another attendee argued that older logic bombs may be less useful than newer ones. It was pointed out that releases are concurrent, not sequential, in industry. There was also a question about what happens when the architecture rules out needed changes.
The only answer seemed to be that you would try something else.

Session 2, on Protection, was chaired by John Michael "Mike" Williams. Its first paper was "An Integrated Framework for Security and Dependability" by Erland Jonsson (Chalmers University of Technology). His goal was to provide a framework that encourages measurements of security. His aim is to make the concept of security clearer (as it must be well-defined to be measured), though he may have simply taken the confusion to a higher level. He postulates that security and dependability are complex attributes of the same meta-concept. His approach is a regrouping and redefinition of the concepts within a novel framework based on the preventative (input) and behavioral (output) characteristics of an object system. The measurements are also divided between input and output and address the difference between authorized and non-authorized users (users and non-users). He suggests defining preventive measures based on the effort it takes to make an intrusion (clearly a theme of several of the papers here). Data collection for the modeling of the effort parameter can be done by means of performing intrusion experiments in a reference system. His framework rearranges and merges the dependability attributes of reliability, availability, and safety and the security attributes of availability, confidentiality, and integrity. He categorizes integrity as preventative and confidentiality and availability as behavioral. He wants to measure fault introduction, failure, and the correctness of the system. An attendee noted that the non-repeatability of measurement is an issue.

The next paper was "Meta Objects for Access Control: A Formal Model for Role-Based Principals" by Thomas Riechmann and Franz J. Hauck (University of Erlangen-Nurnberg). Thomas presented. His Security Meta-Objects (SMOs) are attached to object references. They can intercept calls, control propagation and check for attachments.
SMOs can implement access checks and provide principal information. All aspects but this last one were discussed in a previous paper. Principal SMOs provide information on whose behalf calls are executed. A reference with a principal SMO is a capability for a call on behalf of the principal. As a pure capability it can't leave our application part. Newly obtained references inherit the principal SMO. The principal SMO detaches itself when the reference is passed out of our application part. It is automatically invoked by the runtime system when references are passed. His paper contains a formal model of domains, object references, method invocations, the principal SMOs and their global policy. SMOs can also be programmed to act as roles. He has a Java prototype of his work. Discussion included whether this was a delegation mechanism (it's not) and whether anonymity at the target object is supported. Simon Foley posited that the paradigm is a separation of concerns, separating security functionality out from functionality. He asked about interactions with other meta objects for things like synchronization. Bob Blakley pointed out that in CORBA, they have to do certain things in certain orders but haven't run into any cycles yet.

Session 3 on Integrity was chaired by Cristina Serban (AT&T Labs). The first paper was "Evaluating System Integrity" by Simon Foley (University College, Cork). He posits that there is no such thing as a security property, just correctness or dependability properties. Thus, the new paradigm is the old paradigm for correctness. He goes on to consider what system integrity is. Biba and Clark & Wilson define how, but not what, to achieve. There is no guarantee that a user cannot use some unexpected route to bypass integrity controls. He considers system examples involving both humans and computers.
He defines dependability as a property of an enterprise about the service it delivers, whereby the enterprise may include details about the nature of the reliability of its infrastructure. Assurance is the argument that the system is dependable. A safety refinement specifies that everything the implementation does is legal. We might be talking about functional correctness all the time; the failure model is the thing that changes. Statistical attacks can't be captured in the framework as it currently exists. It does provide a definition for external consistency: correspondence between the data object and the real world object it represents. Simon then summarized. The same property characterizes different attributes of dependability; there are different attack and fault models. When a designer claims a system is fault tolerant or that a protocol properly authenticates, the designer is claiming the system is dependable. Security verification may be correctness verification. An attendee asked what it takes to create a dependable internet worm. There was also discussion about the duration of dependability needing to be covered.

The next paper was "Position Paper: Prolepsis on The Problem of Trojan-Horse-Based Integrity Attacks" by John McDermott (NRL). A prolepsis is an argument to an objection before the objection is raised. While the previous paper covered process integrity, this one covers data integrity. His paper is attacking a weak link, and talking heuristics, not formalisms. John stated that when people consider whether trojan horses are really a problem, they tend to respond that either they're not there or it's too hard a problem to consider. One attendee asked about the difference between a trojan horse and erroneous code. John stated that there is not a lot of difference between a trojan horse and a DLL. One attendee suggested the difference is that one is designed to do something bad for you while the other is badly designed to do something for you.
Sami took the contrarian position that people underestimate how hard it is to create trojan horses to do anything other than denial of service. His specific point of view was that it is difficult to have goal directed national impact. Marv responded that all you need is Visual Basic for Applications or access through a similar meta trojan horse. John pointed out that if you're using commercial off-the-shelf technology, knowledge of the system is available and not a barrier. Trojan horses are easy to write; they're not very big. John then asked us how we'd prevent the propagation of trojan horses. Hilary suggested configuration management procedures. Another attendee suggested code signing. John pointed out that Authenticode can't be applied to a DLL. He stated that Byzantine general and threshold schemes for keys work, but they won't make it into real products and systems, because of the overhead. He advocates the use of logical replication, session replay, and pre and post condition checks. He noted that redundancy is expensive, and bulk replication is the cheapest strategy. One attendee asked how you tell which is the correct copy. John suggests using a person to look at it. Bob pointed out that logs of updates may help. An attendee noted that updates are accepted fairly blindly now.

The first session on Thursday was on Assurance, chaired by Marv Shaefer (Arca Systems, Inc.). The first paper was "Death, Taxes, and Imperfect Software: Surviving the Inevitable" by Crispin Cowan, Calton Pu (both of Oregon Graduate Institute of Science & Technology), and Heather Hinton (Ryerson Polytechnic University). Crispin presented. Their work is aimed at surviving attacks against insecure systems. Security bugs are chronic and normal, so they are promoting security bug tolerance. The paper categorizes techniques for doing this. Crispin stated that it's hard to produce perfect security and its overhead degrades the appeal of the system. Customers don't purchase secure OSes.
It's completely rational for vendors to give customers what they want. Attendees countered, pointing out that virus protection is a thriving industry and many ads do mention security. Crispin countered by noting that ads don't mention correctness. There are a variety of bug tolerance techniques. For games, no one cares if they crash. People using editors checkpoint regularly. When the OS crashes, they reboot. Replication is effective against independent failures, but an attacker may explicitly corrupt backups. An attendee noted that checkpointing is only successful if you know what a secure state is. For surviving attacks that exploit bugs, Crispin noted that fault isolation has worked. Each component should stop exporting its bugs and stop exporting other components' bugs. Their work categorizes survivability adaptations by what is adapted vs. how it is adapted. What can be the interface or the implementation. How can be a restriction or permutation. Interface restrictions, such as access control, can be static or dynamic. The paper gives examples within each of the categories. Crispin said that intrusion detection is vital to dynamic restrictions; however, an attendee pointed out that the *-property as initially defined was adaptive to history, not intrusion detection. Crispin suggested adding redundant checks to code. An attendee pointed out that could add bugs. Crispin suggested using automatic mechanisms. The attendee countered that those could also have bugs. Someone pointed out that those tools could be written by people who care more, like security people. The alternative technique is removing vulnerable code, such as when configuring a firewall or (attempting to) turn off Java in your browser. Restrictions make attacks less damaging, while permutations make attacks more expensive to mount. Permutations offer the benefits of security through obscurity persistently. An attendee pointed out that "security through obscurity" traditionally refers to algorithms.
Interface permutations may make the attacker cautious, and they increase the complexity of the search space. Fred Cohen's Deception Toolkit was the only example cited for this class. An attendee pointed out that implementation permutations may insert a lot of bugs. Crispin suggested this was only difficult because our programs are over-specified in languages that are too low level. An attendee asked how you can measure how good it is, a theme that recurred throughout the workshop.

The next paper was "A Graph-Based System for Network-Vulnerability Analysis" by Laura Painton Swiler and Cynthia Phillips (Sandia National Laboratories). Cindy presented. They are interested in quantitatively measuring the operational security of a system in comparison with others. The quantities are estimates for gross comparisons that identify the dominant vulnerabilities and enable you to examine the configuration and policy issues for a given system. They represent a system as a graph with a goal node. A path from some start node to the goal node represents an attack. It can be as comprehensive as the set of attacks you understand. The analysis produces the "best" paths from the point of view of the attacker. It may also provide useful simulations. There are a variety of inputs into the system. An attacker profile has capabilities that can be changed as the attack proceeds. Default profiles represent stereotypes. They are steering clear of human behavior issues; they can't figure out how to quantify cleverness or intelligence. They plan on prototyping the system in a year, which won't be as general as their model. A configuration file documents the system hardware, software, network, routers, and so on. The attack template contains information about generic and atomic steps in known or hypothesized attacks. These steps have a start node, an end node, and conditions that must be met. The edges between the nodes have weights.
The source of weights can be expert opinion, statistical data, or experimentation. Edges represent a change in state in the attack graph. The system may be able to recognize new permutations of attacks. They want to generate the set of near-optimal paths as a reflection of total system security. They are modeling at a very fine granularity and hoping that produces reasonable probabilities for each step. This approach only signals vulnerabilities that can be part of a complete attack. There was some discussion over whether that was good or bad. They are starting to look at Prolog matching and unification, and would like to look at optimal defense placement. There was some discussion on how much will be classified (for example, the profile of a national-scale attacker). They hope to make as much as possible unclassified. An attendee pointed out that some actions can sometimes be benign or part of an attack, and that particular input into the system could be very large.

Session 5 was Tough Stuff, chaired by Cathy Meadows (NRL). Cathy humorously pointed out that the session was so tough that we had to put a lunch break in the middle of it. The first paper was "The Parsimonious Downgrading and Decision Trees Applied to the Inference Problem" by LiWu Chang and Ira S. Moskowitz (NRL). Ira presented, though he redirected several of the tough questions to LiWu. This paper deals with declassification of information from high to low. In the ideal world (from high's perspective), low is stupid and stays stupid. In reality, low is stupid and gets smart. Stuff has to be sent from high to low. There is a national order to declassify more stuff, more quickly. Their work uses a decision tree technique to determine the probability of the value of missing data based on the existing base set. Their paper has a simple, easy to follow example involving hair color, lotion use, and burn state. They calculate conditional entropy; 0 is best.
Their technique gets the "best" rules for interpreting the data based on information theory (which values in which columns imply which other values in the column of interest). They make the maximum use of the available information. They then go on to use parsimonious downgrading to keep low from learning the rules. The goal is to take out just the right piece of high data to mess up the entropy/temperature. They use a Bayesian approach, which is extremely controversial. Ira noted the difficulty in finding the right data to remove in terms of both functionality and security requirements. He suggested we might use utility functions from economics. Dan Essin was concerned about the damage from the extra information that is withheld, particularly if it is concerned with personally identified records. Someone noted that the census bureau will put out data that is changed to control inference. Ira is not against putting a person in the loop. Another attendee suggested they investigate how expert downgraders do it.

The next paper was "Server-Assisted Cryptography" by Donald Beaver (IBM/Transarc Corp). Don is interested in parsimonious trust and server-assisted (commodity-based) cryptography. He wants to obtain crypto resources from service providers and increase their robustness through composition. He doesn't want to have to go to trusted places. He wants to pick random places because it's hard to corrupt everyone in the world. The client should only have to use simple software (not full crypto) to use these resources. He uses composition to get the opposite of a weakest-link effect. His talk covered the evolution of large systems, modeling trust and risk, changing the trust model for trusted third parties (TTPs), changing the interaction model for threshold cryptography, and some examples. The evolution and design of large systems involves division of labor, specialization, replication, compartmentalization, differentiation, increased functionality, and translation.
Don considers if and how these apply to cryptography, security, and crypto tools. He focuses on division of labor, specialization and differentiation. An attendee noted that separation of duties is a division of labor. The common extremes of trust models are "do it yourself crypto", which may not scale well, and big trust in particular parties, which scaled moderately well using coordinated, compartmental systems. He suggests democracy as an uncommon extreme (or it may be communism, he's not sure): trust everybody but trust nobody. He points out that threshold signature schemes are complex and highly interactive (unscalable). He aims to make TTPs less vulnerable, and democracies less interactive. We trust the TTP for functionality and discretion. He would like to minimize vulnerability by not relying on the TTP's discretion. Information only flows from the third party, not to it. One example that he gave was to take one-time pads from multiple parties and XOR them. As long as one is good, you get an improved one. Discussion concerned just how much discretion we require from TTPs such as CAs, and the fact that no zero knowledge proof can prove that an authentication is correct.

The final session of the day was chaired by Mary Ellen Zurko (Iris Associates). It was a discussion topic called "What is the Old Security Paradigm?" led by Steven J. Greenwald (Independent Consultant). Discussion began with the paper's title. A reviewer had suggested that there might not be just one. Someone suggested the evaluation, pluggability, layerability paradigm from the rainbow series, which assumes that systems can be separately evaluated and composed. Someone else suggested confidentiality, availability and integrity (CAI), which was the thrust of Steve's discussion paper. Steve suggests we might want to formalize or model one or more "old" paradigms so that we can be rigorous and to allow for comparison with suggested new paradigms. The old paradigm is not necessarily obsolete.
An attendee commented that just because we're using it right now doesn't mean it's not obsolete. The old ones are still working, sometimes in new-paradigm systems. They are useful for teaching, preserve knowledge and history, and allow us to learn from our past. Steve suggested three contexts for the old paradigm: government, military, and commercial. An attendee added the personal context, which may be only for new paradigms. Steve's survey starts in 1880, with the census, moves to 1945 when computers emerge, transitions in the 1950's when computers were mass produced, and targets the late 1970's as the beginning of the current era when computer security emerges as a truly separate field. An attendee questioned his emphasis on computing while ignoring communications. An attendee commented that the mid 1960's, when most commercial banks had installed computers, was when the Y2K problem was getting inserted. Someone noted that they had to worry about people born in the 1800's and still alive. There was discussion on the Ware report (which was from the 1940's but classified until 1969) and the Anderson report (which provided the initial formal model). Someone noted that just because it's not one of the old paradigms we have identified doesn't mean it's a new paradigm. Our memories tend to be somewhat selective. There are current myths about the Orange Book: that it was all or nothing (nope, there were levels) and that we thought it solved everything (nope; there was "beyond A1" and the authors were deeply aware of many unsolved issues). Someone noted that the Ware and Anderson reports were definitive, brilliant, written in English, and currently hard to find.

The final session was on Availability, chaired by Brenda Timmerman (California State University, Northridge). The first paper was "Tolerating Penetrations and Insider Attacks by Requiring Independent Corroboration" by Clifford Kahn (EMC Corporation).
His talk covered the notions of independent corroboration and compromise tolerance, a formal model, grounding the model, and limitations and directions. The goal is to tolerate compromise of (diverse) information sources. The work is applicable when information may be compromised and there are redundant, somewhat independent information sources, but ones that are not too redundant (only a few information sources know whether a given assertion is true). The word "independence" covers a lot of common-sense (hard) reasoning, yet humans make fairly good judgments about independence. We consider how trustworthy we think each party is, whether we know (or suspect) any compromising connections between the parties, what barriers we know of between the parties, and the set of interests relative to which we are judging. We use a diagnostic approach. Cliff's work models trust as a number between 0 and 1, which indicates the probability of compromise of the information source. It also models compromising connections as a set of influences (institutions, vulnerabilities, relationships (marriage)) and a strength-of-influence matrix (with a row for each influence and a column for each principal). Entries are numbers between 0 and 1. Barriers are modeled with a similar matrix. He also models a set of interests. The analyzer's interests affect the trust metrics. The model gives the analyzer the full trust metric of 1. An attendee pointed out that that assumes you make no mistakes. We cannot estimate the probability of compromise with precision. A rough estimate may suffice. We might tune it with a learning algorithm and train the learning algorithm with human oracles. The model has no influences on influences, so it has to flatten the chains of influence. Attendees pointed out that the model assumes influences are tree structured. Marriage is a circular graph. A compromise tolerant system keeps working even if some of the components are compromised, including human operators.
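As an added illustration of the independent-corroboration idea above (my code, not Kahn's formal model): it takes the per-principal compromise probability, an influence matrix and a barrier matrix as described, and shows how a shared influence makes two sources' compromises correlated. The activation probability of an influence, the strength*(1-barrier) combination rule and conditional independence given the active influences are assumptions made here, not part of the talk.

```python
from itertools import product
from typing import List, Sequence

# Assumed (simplified) semantics, not Kahn's published model:
#   trust[j]        probability that principal j is compromised on its own
#   prior[i]        probability that influence i is "active" (an assumed
#                   quantity; the talk only described strengths and barriers)
#   strength[i][j]  how strongly influence i reaches principal j, in [0, 1]
#   barrier[i][j]   how well principal j is shielded from influence i, in [0, 1]
# An active influence i compromises j with probability strength*(1-barrier).
# Given the set of active influences, principals are conditionally independent,
# so influences are the only source of correlated compromise (chains of
# influence are flattened; influences on influences are not modelled).

Matrix = List[List[float]]


def compromised_given(active: Sequence[int], j: int, trust: Sequence[float],
                      strength: Matrix, barrier: Matrix) -> float:
    """P(principal j compromised | exactly the influences in `active` are active)."""
    clean = 1.0 - trust[j]
    for i in active:
        clean *= 1.0 - strength[i][j] * (1.0 - barrier[i][j])
    return 1.0 - clean


def all_compromised(sources: Sequence[int], trust: Sequence[float],
                    prior: Sequence[float], strength: Matrix, barrier: Matrix) -> float:
    """P(every corroborating source is compromised), exact by summing over
    all 2^k activation patterns of the k influences."""
    total = 0.0
    for bits in product((0, 1), repeat=len(prior)):
        p_state = 1.0
        for i, bit in enumerate(bits):
            p_state *= prior[i] if bit else 1.0 - prior[i]
        active = [i for i, bit in enumerate(bits) if bit]
        joint = 1.0
        for j in sources:
            joint *= compromised_given(active, j, trust, strength, barrier)
        total += p_state * joint
    return total


def independent_product(sources: Sequence[int], trust: Sequence[float],
                        prior: Sequence[float], strength: Matrix, barrier: Matrix) -> float:
    """What the same probability would be if the sources were (wrongly) treated
    as independent: the product of their marginal compromise probabilities."""
    out = 1.0
    for j in sources:
        out *= all_compromised([j], trust, prior, strength, barrier)
    return out


def corroboration_value(sources, trust, prior, strength, barrier) -> float:
    """Confidence that an assertion backed by all `sources` is not a fabrication."""
    return 1.0 - all_compromised(sources, trust, prior, strength, barrier)


def example() -> dict:
    # Constructed scenario: analysts 0 and 1 work at the same institution
    # (influence 0); analyst 1 is also married to an outsider (influence 1);
    # source 2 is unrelated to both.
    trust = [0.10, 0.20, 0.15]
    prior = [0.30, 0.05]                 # assumed activation probabilities
    strength = [[1.0, 1.0, 0.0],         # institution reaches analysts 0 and 1
                [0.0, 0.8, 0.0]]         # marriage reaches analyst 1 only
    barrier = [[0.0, 0.0, 0.0],
               [0.0, 0.5, 0.0]]          # analyst 1 is partly shielded from it
    return {
        "joint_same_institution": all_compromised([0, 1], trust, prior, strength, barrier),
        "independent_same_institution": independent_product([0, 1], trust, prior, strength, barrier),
        "joint_unrelated": all_compromised([0, 2], trust, prior, strength, barrier),
        "independent_unrelated": independent_product([0, 2], trust, prior, strength, barrier),
    }


if __name__ == "__main__":
    for name, value in example().items():
        print(f"{name:30s} {value:.5f}")
```

For the two colleagues the joint compromise probability is roughly twice the independent product, so their agreement is worth much less than it looks; for the unrelated pair the two numbers coincide.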
An attendee noted that removal of an operator doesn't remove the influence. Hilarie pointed out that the model misses the lone prophet who says something is going to change tomorrow.

The final paper of the workshop was "A New Model for Availability in the Face of Self-Propagating Attacks" by Meng-Jang Lin, Aleta Ricciardi (both of The University of Texas at Austin), and Keith Marzullo (University of California at San Diego). Meng-Jang presented. The attacks considered can replicate themselves and propagate to other systems. This models push services and mobile agents, among others. They looked at the effect of scale and dissemination strategies. Their work is based on an epidemiological model of a simple epidemic and rigid rules for mixing. An infection cannot be cured. The mixing rules are homogeneous; all processes are interconnected. They use availability as a metric. The spread of infection is modeled as a stochastic process. They ask, what is the availability of the system after having run for some period of time? And, how long can a system run until the availability is unacceptably low? They consider four dissemination strategies: peer, coordinator-cohort, ring and tree. They take these strategies from existing multicast protocols. The probability of a process being infected when it receives the infection is always the same. Discussion questioned whether in some systems perhaps that should be weakened. They can approximate a diverse population by calling them the same with a particular probability. An attendee noted that this describes password cracking well but describes a DoS attack on Unix less well, particularly if there's someone invulnerable in a ring. It also doesn't model carrier states. Their simulations indicate that the ring is best for the defender but has the worst latency (these two are directly related in their measurements). The coordinator-cohort is best for the attacker. In between those two, the peer spreads more than the tree.
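An added simulation (my code, not the authors') of the four dissemination strategies under the simplifying assumptions listed in its comments: a process is clean or infected and is never cured, every delivery of an infected message infects with the same probability p, there is no carrier state, and availability is the fraction of clean processes. It lets you see why, in this model, the chain of infection breaks at the first clean process in a ring while an infected coordinator poisons every multicast.

```python
import random
from typing import Dict, List, Tuple

# Assumptions (mine, not the paper's exact model):
#  - processes are 0..n-1; each round one process, chosen at random, multicasts
#  - the strategy fixes an ordered list of (sender, receiver) deliveries
#  - a message is infected only if its *sender* is infected (no carrier state),
#    so a process that resisted infection relays a clean copy onward
#  - an infected message infects a clean receiver with probability p
Schedule = List[Tuple[int, int]]


def peer_schedule(n: int, origin: int) -> Schedule:
    """Originator sends directly to every other process."""
    return [(origin, r) for r in range(n) if r != origin]


def coordinator_cohort_schedule(n: int, origin: int, coordinator: int = 0) -> Schedule:
    """Originator hands the message to a fixed coordinator, which relays to all."""
    sched = [] if origin == coordinator else [(origin, coordinator)]
    return sched + [(coordinator, r) for r in range(n) if r != coordinator]


def ring_schedule(n: int, origin: int) -> Schedule:
    """Each process forwards to its successor until every process has a copy."""
    sched, cur = [], origin
    for _ in range(n - 1):
        sched.append((cur, (cur + 1) % n))
        cur = (cur + 1) % n
    return sched


def tree_schedule(n: int, origin: int, fanout: int = 2, root: int = 0) -> Schedule:
    """Originator hands the message to the root of a complete fanout-ary tree;
    it is then delivered parent-to-child in breadth-first order."""
    sched = [] if origin == root else [(origin, root)]
    for parent in range(n):
        first = fanout * parent + 1
        for child in range(first, min(n, first + fanout)):
            sched.append((parent, child))
    return sched


STRATEGIES = {
    "peer": peer_schedule,
    "coordinator-cohort": coordinator_cohort_schedule,
    "ring": ring_schedule,
    "tree": tree_schedule,
}


def deliver(state: List[bool], schedule: Schedule, p: float, rng: random.Random) -> int:
    """Apply one multicast to `state` in place; returns the number of messages sent."""
    for sender, receiver in schedule:
        if state[sender] and not state[receiver] and rng.random() < p:
            state[receiver] = True
    return len(schedule)


def availability(state: List[bool]) -> float:
    return 1.0 - sum(state) / len(state)


def simulate(strategy: str, n: int, p: float, rounds: int,
             patient_zero: int, seed: int = 1) -> Tuple[List[float], int]:
    """Run `rounds` multicasts from random originators starting with one infected
    process; returns (availability after each round, total messages sent)."""
    rng = random.Random(seed)
    state = [False] * n
    state[patient_zero] = True
    schedule_fn = STRATEGIES[strategy]
    history, messages = [], 0
    for _ in range(rounds):
        messages += deliver(state, schedule_fn(n, rng.randrange(n)), p, rng)
        history.append(availability(state))
    return history, messages


def rounds_until(strategy: str, n: int, p: float, threshold: float,
                 patient_zero: int, max_rounds: int = 1000, seed: int = 1) -> int:
    """How many rounds the system runs before availability drops below `threshold`
    (max_rounds if it never does within the horizon)."""
    history, _ = simulate(strategy, n, p, max_rounds, patient_zero, seed)
    for t, a in enumerate(history, start=1):
        if a < threshold:
            return t
    return max_rounds


if __name__ == "__main__":
    for name in STRATEGIES:
        hist, msgs = simulate(name, n=32, p=0.5, rounds=20, patient_zero=31)
        print(f"{name:20s} availability after 20 rounds: {hist[-1]:.2f}  messages: {msgs}")
```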
An attendee noted that this assumes that all nodes are equally important. Perhaps more surprisingly, the larger the number of nodes, the more messages are sent, so that the availability goes down. In the future, they may look at information propagation and gossip protocols (or advertising) where infection is desired. Hilarie suggested that epidemiological communication may be analogous to the grapevine.

________________________________________________________________________
Conference announcements
________________________________________________________________________

ASIACRYPT'98, the fourth ASIACRYPT conference on the theory and applications of cryptologic techniques, Beijing, People's Republic of China, October 18-22, 1998. It is sponsored by the State Key Laboratory of Information Security (SKLOIS) and Asiacrypt Steering Committee (ASC), in cooperation with the International Association for Cryptologic Research (IACR). Further information can be found at http://www.bta.net.cn/csp/isdata/index.htm

Registration is still open for the Workshop on Security in Large-Scale Distributed Systems, held in conjunction with the IEEE Symposium on Reliable Distributed Systems. The workshop is at Purdue University on October 20 and is co-sponsored by the President's NSTAC, CERIAS, and the IEEE. More info is on the WWW page at

The ACM Conference on Computer and Communications Security (CCS) is the ACM's premier forum for the presentation of new research results and the identification of future research directions in the area of computer and communications security. The 5th conference in the series will be held on November 2-5, 1998, in San Francisco, California. Further information, including a preliminary program, can be found at http://www.research.att.com/~reiter/ccs5/
USENIX Workshop on Smartcard Technology
May 10-11, 1999
McCormick Place, Chicago, Illinois, USA
Co-sponsored by CardTech/SecureTech and held in conjunction with CardTech/SecureTech - May 11-14, 1999 [http://www.ctst.com/]
Workshop for researchers & practitioners to learn from each other the state of the art in practical applications and deployment of technology that extends the use of smart cards for authentication, electronic commerce, and secure personal data storage.
Extended abstracts due: December 1, 1998. Please email submissions to smartcard99submit@usenix.org
WEB SITE: http://www.usenix.org/events/smartcard99

1999 USENIX Annual Conference
June 6-11, 1999
Monterey Conference Center, Monterey, California, USA
Sponsored by the USENIX Association
Highlights original and innovative papers in applications, architecture, implementation, and performance of modern computing systems.
Full paper submissions due: December 2, 1998.
WEB SITE: http://www.usenix.org/events/usenix99 for details and submission instructions.

8th USENIX Security Symposium
August 23-26, 1999
JW Marriott Hotel, Washington D.C., USA
Sponsored by the USENIX Association; in cooperation with The CERT Coordination Center
Brings together researchers, developers, and security administrators interested in advances in security technologies and the design and implementation of security strategies.
Full paper submissions due: March 16, 1999. Please email submissions to securitypapers@usenix.org.
WEB SITE: http://www.usenix.org/events/sec99

NDSS '99, the Internet Society (ISOC) 6th annual Network and Distributed System Security (NDSS) Symposium, to be held February 3-5, 1999 at the Catamaran Resort Hotel in San Diego, CA. NDSS '99 brings together researchers, implementors, and users of network and distributed system security technologies to discuss today's important security issues and challenges.
Further information, including preliminary program and registration information, is available at http://www.isoc.org/ndss99.

________________________________________________________________________
NDSS '99 List of accepted papers
________________________________________________________________________

o Secure Password-Based Protocol for Downloading a Private Key, Radia Perlman (Sun Microsystems Laboratories, United States) and Charlie Kaufman (Iris Associates, United States)
o A Real-World Analysis of Kerberos Password Security, Thomas Wu (Stanford University, United States)
o Secure Remote Access to an Internal Web Server, Christian Gilmore, David Kormann, and Aviel D. Rubin (AT&T Labs - Research, United States)
o Experimenting with Shared Generation of RSA Keys, Michael Malkin, Thomas Wu, and Dan Boneh (Stanford University, United States)
o Addressing the Problem of Undetected Signature Key Compromise, Paul C. van Oorschot (Entrust Technologies, Canada) and Mike Just (Carleton University, Canada)
o Practical Approach to Anonymity in Large Scale Electronic Voting Schemes, Andreu Riera and Joan Borrell (Universitat Autonoma de Barcelona, Spain)
o Distributed Policy Management for Java 1.2, Pekka Nikander and Jonna Partanen (Helsinki University of Technology, Finland)
o Distributed Execution with Remote Audit, Fabian Monrose (New York University, United States), Peter Wyckoff (New York University, United States), and Aviel Rubin (AT&T Labs - Research, United States)
o An Algebra for Assessing Trust in Certification Chains, Audun Josang (Telenor R&D, Norway)
o PGRIP: PNNI Global Routing Infrastructure Protection, Sabrina De Capitani di Vimercati (Universita di Milano, Italy), Livio Ricciulli (SRI International, United States), and Pierangela Samarati (SRI International, United States)
o Client Puzzles: A Cryptographic Countermeasure Against Connection Depletion Attacks, Ari Juels and John Brainard (RSA Laboratories, United States)
________________________________________________________________________
New Reports available via FTP and WWW
________________________________________________________________________

o http://www.counterpane.com/self-study.html
  Self-Study Course in Block Cipher Cryptanalysis
  B. Schneier
  "This is a self-study course in block-cipher cryptanalysis. With it, a student can follow an ordered path through the academic literature and emerge out the other side fully capable of breaking new algorithms and publishing new cryptanalytic results."

________________________________________________________________________
New Interesting Links on the Web
________________________________________________________________________

o http://www.cs.purdue.edu/homes/spaf/WIPO/
  Readers can find out about the WIPO legislation and what it threatens to do. [News item about this in 07/98 issue of Cipher.]

o http://www.infilsec.com/vulnerabilities
  Infilsec Vulnerabilities Engine. "The database aims to act as a repository for the vulnerabilities and fixes of the type discussed on mailing lists such as Bugtraq, NTBugtraq and Best-of-Security."

________________________________________________________________________
Who's Where: recent address changes
________________________________________________________________________

Carl Ellison
Intel
2111 NE 25th Ave M/S JF3-373
Hillsboro OR 97124
Phone: +1-503-264-2900
Fax: +1-503-264-6225
Email: cme@jf.intel.com
Web: http://pobox.com/~cme

Matt Franklin
Xerox PARC
3333 Coyote Hill Road
Palo Alto, CA 94304
Phone: 650-812-4228
fax: 650-812-4471
email: franklin@parc.xerox.com

Tim Levin
Naval Postgraduate School
Computer Science Department
833 Dyer Rd.
Monterey, CA 93943
Phone: (408) 656 2239
levin@cs.nps.navy.mil

Jim Litchko
General Manager
IMSI
2101 Wilson Boulevard, Suite 916
Arlington, Va 22201
Phone: 703-528-0334
Fax: 703-528-3477
jlitchko@imsidc.com

Dr. Richard B. Neely, CISSP
SAIC
3259A Progress Dr.
Orlando FL 32826
Voice: 407/281-4949 x14
Fax: 407/281-8131
rbneely@aol.com

John Pescatore
johnp@entrust.com
Senior Consultant
301-421-4055
301-421-4052 (fax)
Entrust Technologies, Inc.
Box 457
Ashton, MD 20861-0457

Mike Reiter
Bell Laboratories, Room 2A-342
700 Mountain Avenue
Murray Hill, New Jersey 07974 USA
Phone: +908-582-4328
Fax : +908-582-1239
Email: reiter@research.bell-labs.com
Web : http://www.bell-labs.com/user/reiter/

Ernst Erich Schnoor
eschnoor@mail.tnet.de
V+S Datentechnik und Software
http://www.multi-matrix.com

________________________________________________________________________
Calls for Papers (full list on Web)
________________________________________________________________________

CONFERENCES
Listed earliest deadline first. See also Cipher Calendar.

AT '98 URL: http://www.mctr.umbc.edu/Workshop/wat98/
Workshop on Agent Technologies, November 17-18, 1998, University of Maryland Baltimore County. The goal of the workshop is to provide a forum where researchers and developers can meet to exchange ideas and report on leading-edge developments in the area of agent technologies. If you wish to participate, please provide a short abstract describing research or ideas which you would be willing to present. Submit abstracts to mctr@cs.umbc.edu no later than October 23, 1998.

PODC '99. URL: www.cs.tamu.edu/people/hlee/podc99
Eighteenth Annual ACM SIGACT-SIGOPS Symposium on Principles of Distributed Computing, May 4-6, 1999, Atlanta, Georgia (part of FCRC, April 29 - May 6, 1999). (submissions due November 3, 1998) Research contributions to the theory, design, specification, implementation or application of distributed systems are solicited. Papers describing algorithmic issues encountered in development of experimental or commercial systems are especially encouraged. This year PODC especially encourages papers addressing distributed computing issues regarding mobile computing and the Internet.
Topics of interest include, but are not limited to:
o distributed algorithms and their complexity,
o specification, semantics and verification of distributed systems,
o fault tolerance of distributed systems,
o cryptographic and security protocols for distributed systems,
o mobile computing,
o distributed computing issues in the Internet, including the Web,
o communication network protocols and architectures,
o multiprocessor/cluster architectures and algorithms,
o distributed operating systems and databases,
o consistency conditions, concurrency control and synchronization,
o distributed systems management,
o distributed applications and object-oriented computing.
The complete call for papers can be found at the above URL.

WECS '99. URL: http://cisr.nps.navy.mil/events/wecs/wecs99_announce.html
Workshop on Education in Computer Security, 4-6 January 1999, Asilomar Conference Center, Pacific Grove, California USA. (submissions due: Nov. 30, 1998 to the program chair, Cynthia Irvine, irvine@cs.nps.navy.mil. Complete CFP at the above URL. Online registration by October 15 at http://cisr.nps.navy.mil/events/wecs/wecs99_register.html ) The Workshop on Education in Computer Security is intended to bring together those interested in developing and enhancing instruction in computer security within undergraduate and graduate computer science programs. The Workshop's objectives are to provide a forum for discussion of ideas and techniques in computer security education. There will be two themes for the 1999 workshop:
o the use of analogies to describe difficult concepts in computer security
o teaching use of commercial-off-the-shelf technologies to achieve security solutions and the challenge of using commercially available products to achieve assurance objectives
It is expected that the outcome of the workshop will be a set of materials that will permit participants and others to enhance the teaching of security. As part of the workshop a tutorial is planned.
It will be at least one half day and will be on a topic which will increase our expertise in some important area.

WISE1 1st World Conference on Information Security Education, June 17-19, 1999, Stockholm, Sweden. (Submissions due: November 30, 1998) [posted here: October 1, 1998]. IFIP Working Group 11.8 (IT Security Education) invites you to contribute to their activities by submitting papers and panel suggestions for the first world conference, to be held at the Department of Computer and System Sciences (DSV), Stockholm University. Potential topics include teaching (and assessment) of computer security education for audiences in academia, industry, the military, and IT professionals. Please see the conference web page at www.dsv.su.se/WISE1/cfp.htm for a detailed list of topics and for instructions for submitting an original paper.

JOURNALS
Special Issues of Journals and Handbooks: listed earliest deadline first.

A special issue of Distributed and Parallel Databases: An International Journal, Kluwer Academic Publishers. Special issue Editors: Vijay Atluri and Pierangela Samarati. (submissions due: September 30, 1998) [posted here: July 6, 1998] Recognizing the importance of the research in computer security, Distributed and Parallel Databases: An International Journal is organizing a special issue on security. The primary focus of this special issue will be on high-quality original unpublished research, case studies, as well as implementation experiences in any area of computer and communication security.
Suggested topics include but are not limited to: Accounting and Audit, Authorization and Access Control, Authentication, Applied Cryptography, Computer Security and Public Policy, Data/System Integrity, Electronic Commerce and Virtual Banking, Information Warfare, Intrusion Detection, Intellectual Property Protection, Privacy and Anonymity, Security for Digital Libraries, Security in Data and Knowledge Bases, Security in Data Warehouses, Security in Workflow Systems, Security in Mobile and Wireless Systems, Security Management, Secure Networking and Protocols. Manuscripts must be written in English and should include a cover page with title, name and address (including e-mail address) of author(s), an abstract, and a list of identifying keywords. Manuscripts must be submitted as Postscript files via electronic mail to Prof. Vijay Atluri at atluri@andromeda.rutgers.edu. In addition, send five hard copies of your submission to: Melissa Parsons, Journals Editorial Office, Kluwer Academic Publishers, 101 Philip Drive, Norwell, MA 02061, USA; tel: (+1)781-871-6600; fax: (+1)781-878-0449; e-mail: mparsons@wkap.com.

A special issue of IEEE Journal on Selected Areas in Communications (JSAC): Special Issue on Network Security. Publication date: January, 2000. Guest Editors: Hilarie Orman, Ueli Maurer, Stephen Kent, and Stephen Bellovin. (submissions due: February 5, 1999) [posted here September 16, 1998]. This special issue of JSAC will be devoted to recent research results that describe or forecast significant changes in the feasibility of delivering security solutions (such as major improvements in cryptographic efficiency), or describe progress in areas that have been especially difficult, or are relevant to newer technologies, such as optical or mobile wireless communication. Of special interest are papers that relate their results to use on the Internet today or to use on next generation networks.
Papers are solicited in the following areas: Cryptography-based network systems, such as secure private networks and transactional security; Public-key infrastructures; Applying new cryptographic methods to network communication; New cryptographic protocols supporting secure network systems; Anonymous communication; Recent cryptographic theory advances; Optical network security; Mobile wireless network security; Formal analysis of network security systems; Trends in network-based attacks; Secure group communication; Policy expression and enforcement. Papers in strongly related areas, especially those involving novel technologies, are also encouraged. Manuscripts to be considered for submission should be sent by email to Hilarie Orman (ho@cs.arizona.edu) by February 5, 1999. The manuscripts must be in Postscript, viewable in ghostscript, or six copies can be sent by mail; contact Hilarie Orman well prior to the deadline for the mailing address. Please note the IEEE formatting requirements; information for authors can be found at: gump.bellcore.com:5000/Guidelines/info.html The JSAC home page is at gump.bellcore.com:5000.

________________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 1: Conference Papers
________________________________________________________________________

For papers given at CRYPTO, USENIX Ecommerce, and NSPW, see above reports.

Third International Workshop on Enterprise Security, Stanford, CA, USA, June 17-19, 1998.
o Setting up a secure Web server and clients on an Intranet. J. Claessens, M. Vandenwauver, B. Preneel and J. Vandewalle
o The Problem with Multiple Roots in Web Browsers - Certificate Masquerading. Capt. J. Hayes
o Security and Confidentiality in Healthcare Informatics. Y. Al-Salqan and J. Jagannathan
o Cooperative Security: A Model for the New Enterprise. B. Fox and B. LaMacchia
o A Model-Driven Approach to System Security Engineering. J. Maley, Al Milheizer, D. Higginbotham and B. Suskie
o Antropolocentric Approach into IT Security Awareness. M. Siponen and J. Kajava
o Efficient Security for Large and Dynamic Multicast Groups. G. Caronni, M. Waldvogel, D. Sun and B. Plattner
o Sabotage-proof Routing. R. Perlman
o Development of an Intranet Security Infrastructure and Its Applications. Y.-K. Hsu
o Authorization and Attribute Certificates for Widely Distributed Access Control. W. Johnston, S. Mudumba and M. Thompson
o A Public Key Encryption System for Defective Data Transmission. R. Naujoks and M. Gustafsson
o A Ubiquitous Secure and Reliable Digital Data Repository System. R. Deng
o Using SESAME's GSS-API to add security to Unix applications. M. Vandenwauver, P. Ashley, M. Rutherford and S. Boving
o Service Session Security in TINA - Dynamic Role Creation and Management in TINA Service Environment. T. Hamada
o WebGroup: a secure group access control tool for the World-Wide Web. F. Petitcolas and K. Zhang

INET'98, Geneva, Switzerland, July 21-24, 1998. [Security-related papers only]
o LDAPv3 Versus X.511 DAP Security: A Comparison and How to Sign LDAPv3 Operations. V. Hassler
o Smart Access: Strong Authentication on the Web. T. Verschuren
o How to Organize Companywide Authentication and E-Mail Encryption. M. Bogen, M. Lenz, A. Reichpietsch and P. Simons
o A Sociology of Hackers. T. Jordan and P. Taylor
o Security Incidents on the Internet. J. Howard
o Security and Confidence in Electronic Commerce: Certification Authorities. I. Hernando
o Payment in Electronic Commerce. P. Michon
o Merging of EDI Security Requirements with Internet Security Technologies. K. Copeland and C. Hwang
o Pretense: A New Threat to Electronic Settlement Systems. S. Miwa and Y. Shinoda
o Securing Ordinary TCP Services Through Tunnels. M. Bogen, M. Lenz, A. Reichpietsch and P. Simons
o Study from Hybrid Implementation of SwIPe and IPsec. M. Fujie, J. Itoh, T. Tochihara, H. Shirasaki and K. Utashiro
o A Novel Use of Distributed Directory Service. B. Manning

ESORICS'98, Louvain-la-Neuve, Belgium, September 16-18, 1998.
o Fixed vs. Variable-Length Patterns for Detecting Suspicious Process Behavior. H. Debar, M. Dacier, M. Nassehi and A. Wespi
o A Tool for Pro-active Defense Against the Buffer Overrun Attack. D. Bruschi, E. Rosti and R. Banfi
o A Kernelized Architecture for Multilevel Secure Application Policies. S. Foley
o Dealing with Multi-Policy Security in Large Open Distributed Systems. C. Bidan and V. Issarny
o A Flexible Method for Information System Security Policy Specification. R. Ortalo
o On the Security of Some Variants of the RSA Signature Scheme. M. Michels, M. Stadler and H.-M. Sun
o Side Channel Cryptanalysis of Product Ciphers. J. Kelsey, B. Schneier, C. Hall and D. Wagner
o On the Security of Digital Tachographs. R. Anderson
o A Flexible Authorization Model and its Formal Semantics. E. Bertino and E. Ferrari, F. Buccafurri and P. Rullo
o Authorization in CORBA Security. G. Karjoth
o Rules for Designing Multilevel Object-Oriented Databases. F. Cuppens and A. Gabillon
o A Subjective Metric of Authentication. A. Josang
o A Sound Logic for Analysing Electronic Commerce Protocols. V. Kessler and H. Neumann
o Kerberos Version IV: Inductive Analysis of the Secrecy Goals. G. Bella and L. Paulson
o MPEG PTY-Marks: Cheap Detection of Embedded Copyright Data in DVD-Video. J.-P. Linnartz and J. Talstra
o DHWM: A Scheme for Managing Watermarking Keys in the Aquarelle Multimedia Distributed System. D. Augot, C. Fontaine and J.-F. Delaigle
o The "Ticket" Concept for Copy Control Based on Embedded Signalling. J.-P. Linnartz
o Authentication and Payment in Future Mobile Systems. G. Horn and B. Preneel
o Distributed Temporary Pseudonyms: A New Approach for Protecting Location Information in Mobile Communication Networks. D. Kesdogan, P. Reichl and K. Junghaertchen
o A Mix-Mediated Anonymity Service and its Payment. E. Franz and A. Jerichow
o Offline Verification for Java Card Byte Code Using a Model Checker. J. Posegga and H. Vogt
o Formalizing the Java Security Architecture of JDK 1.2. L. Kassab and S. Greenwald
o EUROMED-JAVA: Trusted Third Party Services for Securing Medical Java Applets. D. Polemi, A. Varvitsiotis and A. Marsh

________________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 2: Journal and Newsletter Articles, Book Chapters
by Anish Mathuria
________________________________________________________________________

IEEE Network, Vol. 12, No. 3 (May/June 1998):
o D. Scott Alexander, W. Arbaugh, M. Hicks, P. Kakkar, A. Keromytis, J. Moore, C. Gunter, S. Nettles and J. Smith. The SwitchWare Active Network Architecture. pp. 29-36.
o D. Scott Alexander, W. Arbaugh, A. Keromytis and J. Smith. A Secure Active Network Environment Architecture: Realization in SwitchWare. pp. 37-45.

Information Processing Letters, Vol. 66, No. 6 (June 1998):
o T.-M. Hsieh, Y.-S. Yeh, Y.-C. Hsieh and C.-C. Wang. A homophonic DES. pp. 317-320.

Computer Communications, Vol. 21, No. 7 (June 1998):
o B. Soh and S. Young. Distributed computing: an experimental investigation of a malicious denial-of-service applet. pp. 670-674.

Computer Communications, Vol. 21, No. 8 (June 1998):
o C. Wang, C. Lin, C. Chang. Threshold signature schemes with traceable signers in group communications. pp. 771-776.

Computer Communications, Vol. 21, No. 9 (July 1998):
o T. Kwon and J. Song. Efficient and secure password-based authentication protocols against guessing attacks. pp. 853-861.

IBM Systems Journal, Vol. 37, No. 3 (1998):
o L. Koved, A. Nadalin, D. Neal and T. Lawson. The evolution of Java security. pp. 349-364.

Communications of the ACM, Vol. 41, No. 8 (August 1998):
o L. Cranor and B. LaMacchia. Spam! pp. 74-83.
o R. Coldwell.
Viewpoint Did Chuck Babbage Predict Software Piracy. pp. 25-27. IEICE Transactions on Communications, Vol. E81-B, No. 8 (August 1998): o A. Shimizu, T. Horioka and H. Inagaki. A Password Authentication Method for Contents Communications on the Internet. pp. 1666-1673. IEEE Computer, Vol. 31, No. 9 (September 1998): o P. Dowd and J. McHenry. Network Security: It's Time to Take It Seriously. pp. 24-28. o B. Schneier. Cryptographic Design Vulnerabilities. pp. 29-33. o A. Rubin and D. Geer Jr. A Survey of Web Security. pp. 34-42. o R. Oppliger. Security at the Internet Layer. pp. 43-47. o W. Arbaugh, J. Davin, D. Farber and J. Smith. Security for Virtual Private Networks. pp. 48-55. o T. Taeman, R. Hutchinson, L. Pierson, P. Sholander and E. Witzke. Algorithm-Agile Encryption in ATM Networks. pp. 57-64. ACM Operating Systems Review, Vol. 32, No. 4 (October 1998): o R. Anderson, F. Bergadano, B. Crispo, J.H. Lee, C. Nanifavas, and R. Needham. A New Family of Authentication Protocols. pp. 9-20. o C.J. Mitchell and C.Y. Yeun Fixing A Problem in the Helsinki Protocol. 21-24. o D. Patiyoot and S.J. Shepherd. Techniques for Authentication Protocols and Key Distribution on Wireless ATM Networks. pp. 25-32. o M. Joye and S.M. Yen. ID-Based Secret-Key Cryptography. pp. 40-46. o B. Wagner. Controlling Cgi Programs. pp. 40--46. o W. E. Kuhnhauser A Classification of Interdomain Actions. pp. 47--61. ________________________________________________________________________ Calendar ________________________________________________________________________ ==================================================================== See Calls for Papers section for details on many of these listings. ==================================================================== "CWP" indicates there is a hyperlink to a coference web page on the Cipher Web pages. (In many cases there is such a link even though mention is not made of it here, to save space.) 
Dates               Event, Location              Point of Contact/ more information
-----               ---------------              ----------------------------------
10/18/98-10/22/98: ASIACRYPT '98. Beijing, PRC; CWP
10/20/98-10/23/98: WSLSDSW. Lafayette, IN; CWP
10/22/98-10/23/98: RBAC '98. Arlington, VA, CWP
10/23/98:          S&P 99 submissions due, CWP
11/ 1/98:          USENIX IDS, extended abstracts due, CWP
11/ 3/98-11/ 5/98: CCS-5. San Francisco, CA, USA, CWP
11/13/98-11/14/98: HASE '98, Washington, DC; CWP
11/19/98-11/20/98: IIIS, Fairfax, VA, CWP
11/30/98:          WSS '99, Submissions to anish@cis.ohio, CWP
11/30/98:          WECS '99, exercises to irvine@cs.nps.navy.mil, CWP
12/ 1/98:          ISCC99, Submissions to zeletin@fokus.gmd.de, CWP
12/ 7/98-12/11/98: 14th ACSAC, Phoenix, AZ, CWP
12/10/98:          ICATM 99. Submissions due to lorenz@colmar.uha.fr, CWP
12/14/98-12/17/98: SETA '98, Singapore, CWP
12/15/98:          MOBICOM 99. Submissions due to mobicom99@cs.rutgers.edu., CWP
12/18/98-12/19/98: ICISC '98, Seoul, Korea; CWP
 1/ 4/99- 1/ 6/99: WECS '99, Pacific Grove, California CWP
 1/ 5/99- 1/ 8/99: ECT track of HICSS-32, Maui, Hawaii, CWP
 1/ 6/99- 1/ 8/99: DCCA-7 at San Jose, California; CWP
 2/ 3/99- 2/ 5/99: NDSS '99, San Diego, California; CWP
 2/ 5/99:          JSAC Special Issue on Network Security, subs due to ho@cs.arizona.edu
 2/22/99- 2/25/99: FC '99, Anguilla, BWI, CWP
 3/ 1/99- 3/ 3/99: PKC 99, Kanto Japan, CWP
 4/11/99- 4/12/99: USENIX IDS; Santa Clara, California CWP
 5/ 2/99- 5/ 6/99: Eurocrypt '99, Prague, Czech Republic, CWP
 5/ 9/99- 5/12/99: IEEE S&P 99; Oakland, CWP
 5/11/99- 5/14/99: 11th CITSS, Ottawa; no e-mail address available
 6/ 5/99:          WSS '99, Austin, Texas CWP
 6/21/99- 6/23/99: ICATM '99. Colmar, France CWP
 7/ 6/99- 7/ 8/99: ISCC '99. Sharm El Sheikh, Red Sea, Egypt CWP
 8/15/99- 8/19/99: MOBICOM 99. Seattle, Washington CWP
 8/15/99- 8/19/99: Crypto '99, Santa Barbara, California, CWP
 8/23/99- 8/26/99: USENIX Sec '99, Washington DC, CWP, conference@usenix.org
 9/22/99- 9/24/99: NSPW '99, Ontario, Canada, no address available
 4/30/00- 5/ 3/00: IEEE S&P 00; Oakland? no e-mail address available
 5/16/00- 5/19/00: 12th CITSS, Ottawa; no e-mail address available

Key:
 * ACISP = Australasian Conference on Information Security and Privacy
 * ACSAC = Annual Computer Security Applications Conference
 * CAiSE*98 = Conference on Advanced Information Systems Engineering
 * CCS = ACM Conference on Computer and Communications Security
 * CCSS = Annual Canadian Computer Security Symposium (see CITSS)
 * CITSS = Canadian Information Technology Security Symposium
 * CFP = Conference on Computers, Freedom, and Privacy
 * CRYPTO = IACR Annual CRYPTO Conference
 * CSFW = Computer Security Foundations Workshop
 * DCCA = Dependable Computing for Critical Applications
 * DOCSec = Second Workshop on Distributed Object Computing Security
 * ECC = Workshop on Elliptic Curve Cryptography
 * ECT = Electronic Commerce Technologies Track of HICSS-32
 * ECDLP = Workshop on the Elliptic Curve Discrete Logarithm Problem
 * ESORICS = European Symposium on Research in Computer Security
 * EUROCRYPT = IACR Annual CRYPTO workshop in Europe
 * FC = IFCA Annual Financial Cryptography Conference
 * FSE = Fast Software Encryption Workshop
 * HASE = High-Assurance Systems Engineering Workshop
 * HICSS-32 = 32nd Hawaii International Conference on System Sciences
 * HPN = IFIP Conference on High Performance Networking
 * IEEE S&P = IEEE Symposium on Security and Privacy
 * ICATM = International IEEE Conference on ATM
 * ICICS = International Conference on Information and Communications
   Security
 * IFIP/SEC = International Conference on Information Security (IFIP TC11)
 * IFIP WG11.3 = IFIP WG11.3 11th Working Conference on Database Security
 * INET = Internet Society Annual Conference
 * ISCC = IEEE Symposium on Computers and Communications
 * JCS = Journal of Computer Security
 * MOBICOM = Mobile Computing and Networking
 * NCISSE = National Colloquium for Information Systems Security Education
 * NISS = National Information Systems Security Conference
 * NSPW = New Security Paradigms Workshop
 * PKC = Practice and Theory in Public Key Cryptography
 * RAID = Workshop on the Recent Advances in Intrusion Detection
 * RBAC = ACM Workshop on Role-based Access Control
 * SAC = Workshop on Selected Areas of Cryptography
 * SETA = Sequences and their Applications
 * SICON = IEEE Singapore International Conference on Networks
 * SIGMOD/PODS = ACM SIGMOD International Conference on Management of
   Data / ACM SIGACT SIGMOD-SIGART Symposium on Principles of Database
   Systems
 * NDSS = Symp. on Network and Distributed System Security (Internet
   Society)
 * USENIX IDS = USENIX Workshop on Intrusion Detection and Network
   Monitoring
 * USENIX Sec = USENIX Security Symposium
 * WDAG = Workshop on Distributed Algorithms (now DISC)
 * WECS = Workshop on Education in Computer Security
 * WETICE = IEEE Workshops on Enabling Technologies, Infrastructure for
   Collaborative Enterprises
 * WFMSP = Workshop on Formal Methods and Security Protocols
 * WSLSDS = Workshop on Security in Large-Scale Distributed Systems
 * WSS = Workshop on Self-Stabilizing Systems

________________________________________________________________________
Listing of Academic (Teaching and Research) Positions in Computer
Security
maintained by Cynthia Irvine
________________________________________________________________________

 * Swiss Federal Institute of Technology, Lausanne (EPFL),
   Communications System Section
   Assistant, Associate, or Full Professor in Security of Communication
   and Information Systems
   Date closed: January 9, 1999
   http://sscwww.epfl.ch

 * Dept. of Electrical and Computer Engineering, Iowa State University,
   Ames, Iowa
   Assistant, Associate, or Full Professor in Computer Engineering
   (special interest in networks and security)
   Date closed: December 15, 1997, or until filled
   http://vulcan.ee.iastate.edu/~davis/job-ad.html

 * Naval Postgraduate School Center for INFOSEC Studies and Research,
   Monterey, CA, Visiting Professor, (9/98)
   http://www.cs.nps.navy.mil/research/cisr/jobs/npscisr_prof_ad.html

 * Naval Postgraduate School Center for INFOSEC Studies and Research,
   Monterey, CA, Computer Scientist, (9/21/97)
   http://www.cs.nps.navy.mil/research/cisr/jobs/npscisr_97de055.html

 * US Air Force Academy Department of Computer Science, Colorado
   Springs, CO, Professor, (7/98)
   http://www.usafa.af.mil/dfcs/

 * Purdue University, Computer Science Department, West Lafayette, IN
   Assistant Professor, tenure track, also Assoc. and Full Prof., (2/98)
   http://www.cs.purdue.edu/facAnnounce

This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to
have it included on the Cipher web page and e-mail issues, send the
following information: Institution, City, State, Position title, date
position announcement closes, and URL of position description to:
irvine@cs.nps.navy.mil

________________________________________________________________________
Registry of Research Projects
________________________________________________________________________

My name: Ernst Erich Schnoor
e-mail address: eschnoor@mail.tnet.de
project title: Multi-Matrix Method, New Techniques in Cryptography
affiliation: V+S Datentechnik und Software
Goal: Reactivating polyalphabetic substitution by >byte encryption<
URL: http://www.multi-matrix.com

________________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security
and Privacy
________________________________________________________________________

You do NOT have to join either IEEE or the IEEE Computer Society to join
the TC, and there is no cost to join the TC. All you need to do is fill
out an application form and mail or fax it to the IEEE Computer Society.
A copy of the form is included below (to simplify things, only the TC on
Security and Privacy is included, and is marked for you).

Members of the IEEE Computer Society may join the TC via an https link.
The full and complete form is available on the IEEE Computer Society's
Web Server by following the application form hyperlink at the URL:
http://computer.org/tcsignup/

IF YOU USE THE FORM BELOW, PLEASE NOTE THAT IT IS TO BE RETURNED (BY
MAIL OR FAX) TO THE IEEE COMPUTER SOCIETY, >>NOT<< TO CIPHER.

---------
IEEE Computer Society Technical Committee Membership Application
-----------------------------------------------------------
Please print clearly or type.
-----------------------------------------------------------
Last Name                  First Name              Middle Initial
___________________________________________________________
Company/Organization
___________________________________________________________
Office Street Address (Please use street addresses over P.O.)
___________________________________________________________
City                                               State
___________________________________________________________
Country                                            Postal Code
___________________________________________________________
Office Phone                                       Fax
___________________________________________________________
Email Address (Internet accessible)
___________________________________________________________
Home Address (optional)
___________________________________________________________
Home Phone
___________________________________________________________

[ ] I am a member of the Computer Society

IMPORTANT: IEEE Member/Affiliate/Computer Society Number: ____________________

[ ] I am not a member of the Computer Society*

Please Note: In some TCs only current Computer Society members are
eligible to receive Technical Committee newsletters.

Please select up to four Technical Committees/Technical Councils of
interest.

TECHNICAL COMMITTEES

[ X ] T27 Security and Privacy

Please Return Form To:
IEEE Computer Society
1730 Massachusetts Ave, NW
Washington, DC 20036-1992
Phone: (202) 371-0101
FAX: (202) 728-9614

________________________________________________________________________
TC Publications for Sale
________________________________________________________________________

 o Proceedings of the 1998 IEEE CS Symposium on Security and Privacy

Copies are available directly from the TC on Security and Privacy for
$25 per copy. This price includes domestic shipping and handling.
For overseas delivery:
 -- by surface mail, please add $5 per order (3 volumes or fewer)
 -- by air mail, please add $10 per volume

If you would like to place an order, please send a letter specifying
 * how many issues you would like,
 * where to send them, and
 * a check in US dollars, payable to the IEEE Symposium on Security
   and Privacy
to:
   Brian J. Loe
   Treasurer, IEEE TC on Security and Privacy
   Secure Computing Corp.
   2675 Long Lake Rd.
   Roseville, MN 55113
   U S A
   e-mail: loe@securecomputing.com

Sorry, we are not yet ready for electronic commerce!

You may also order some back issues from IEEE CS Press at
http://www.computer.org/cspress/catalog/proc9.htm.

 o Proceedings of the Computer Security Foundations Workshops
   (2 through 11, excluding 4)

The most recent Computer Security Foundation Workshop (CSFW11) took
place the 9th through 11th of June in Rockport, Massachusetts USA.
Topics included formal specification of security protocols, protocol
engineering, distributed systems, information flow, and security
policies. Copies of the proceedings are available from the publications
chair for $25 each. Copies of all earlier proceedings (except the first
and fourth) are also available at $10. Checks payable to "Joshua Guttman
for CSFW" may be sent to:
   Joshua Guttman, MS A150
   The MITRE Corporation
   202 Burlington Rd.
   Bedford, MA 01730-1420 USA
   guttman@mitre.org

________________________________________________________________________
TC Officer Roster
________________________________________________________________________

Chair:
   Charles P. Pfleeger
   Arca Systems, Inc.
   8229 Boone Blvd, Suite 750
   Vienna VA 22182-2623
   (703) 734-5611 (voice)
   (703) 790-0385 (fax)
   c.pfleeger@computer.org

Past Chair:
   Deborah Cooper
   P.O. Box 17753
   Arlington, VA 22216
   (703) 908-9312 (voice and fax)
   d.cooper@computer.org

Vice Chair:
   Thomas A. Berson
   Anagram Laboratories
   P.O. Box 791
   Palo Alto, CA 94301
   (650) 324-0100 (voice)
   berson@anagram.com

Chair, Subcommittee on Academic Affairs:
   Prof. Cynthia Irvine
   U.S. Naval Postgraduate School
   Computer Science Department
   Code CS/IC
   Monterey CA 93943-5118
   (408) 656-2461 (voice)
   irvine@cs.nps.navy.mil

Newsletter Co-editors:
   Paul Syverson
   Code 5543
   Naval Research Laboratory
   Washington, DC 20375-5337
   (202) 404-7931 (voice)
   (202) 404-7942 (fax)
   syverson@itd.nrl.navy.mil

   Avi Rubin
   AT&T Labs - Research
   Room B282
   180 Park Ave.
   Florham Park NJ 07932-0971
   (973) 360-8356 (voice)
   (973) 360-8809 (fax)
   rubin@research.att.com

Chair, Subcommittee on Standards:
   David Aucsmith
   Intel Corporation
   JF2-74
   2111 N.E. 25th Ave
   Hillsboro OR 97124
   (503) 264-5562 (voice)
   (503) 264-6225 (fax)
   awk@ibeam.intel.com

Chair, Subcomm. on Security Conferences:
   Michael Reiter
   AT&T Labs - Research
   Room A269
   180 Park Ave
   Florham Park NJ 07932-0971
   (973) 360-8349 (voice)
   (973) 360-8809 (fax)
   reiter@research.att.com

________________________________________________________________________
Information for Subscribers and Contributors
________________________________________________________________________

SUBSCRIPTIONS: Two options:
 1. To receive the full ascii CIPHER issues as e-mail, send e-mail to
    (which is NOT automated) with subject line "subscribe".
 2. To receive a short e-mail note announcing when a new issue of
    CIPHER is available for Web browsing or downloading from our ftp
    server send e-mail to (which is NOT automated) with subject line
    "subscribe postcard".

To remove yourself from the subscription list, send e-mail to
cipher-request@itd.nrl.navy.mil with subject line "unsubscribe".

Those with access to hypertext browsers may prefer to read Cipher that
way. It can be found at URL
http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher

CONTRIBUTIONS: to are invited. Cipher is a NEWSletter, not a bulletin
board or forum. It has a fixed set of departments, defined by the Table
of Contents. Please indicate in the subject line for which department
your contribution is intended. For Calendar entries, please include a
URL and/or e-mail address for the point-of-contact. For Calls for
Papers, please submit a one paragraph summary. See this and past issues
for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS
APPLY. All reuses of Cipher material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy,
publications using Cipher material should obtain permission from the
contributors.

BACK ISSUES: There is an archive that includes each copy distributed so
far, in ascii, in files you can download at URL
http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher/cipher-archive.html

=========end of Electronic Cipher Issue #29, 7 October 1998==============