Subject: Electronic CIPHER, Issue 31, March 15, 1999

====================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 31                                   March 15, 1999

Paul Syverson, Editor
Bob Bruen, Book Review Editor
Hilarie Orman, Assoc. Editor
Mary Ellen Zurko, Assoc. Editor
Anish Mathuria, Reader's Guide
====================================================================
http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher/

Contents: [4060 lines total]

o Letter from the Editor
o Letter from Deborah Cooper, IEEE/CS Board of Governors

Twentieth Anniversary IEEE Symposium on Security and Privacy Announcement

Security and Privacy News Briefs:
o LISTWATCH: Items from security-related lists, by Mary Ellen Zurko
  Highlights are from cypherpunks, dcsb, risks, tbtf, privacy, and CRYPTO-GRAM.
o Clinton Administration proposes $1.4 Billion for Computer Security
o Willis Ware wins IFIP's Kristian Beckman Award

Commentary and Opinion:
Book Reviews by Bob Bruen
o Internet Besieged: Countering Cyberspace Scofflaws, edited by Dorothy Denning and Peter Denning
o Information Warfare and Security, by Dorothy Denning

Conference Reports:
o Network and Distributed System Security Symposium, by Tatyana Ryutov
o 2nd Workshop on Research with Security Vulnerability Databases, by Mahesh V. Tripunitara
o Financial Cryptography, by Ryan Lackey, Olin Sibert, and Alex van Someren

New Interesting Links on the Web: NSFF
Who's Where: recent address changes
Calls for Papers
Reader's guide to recent security and privacy literature
o Conference Papers
o Journal and Newsletter articles
Calendar
List of Computer Security Academic Positions, maintained by Cynthia Irvine
Publications for Sale -- S&P and CSFW proceedings available
TC officers
Information for Subscribers and Contributors

____________________________________________________________________
Letter from the Editor
____________________________________________________________________

Dear Readers,

Well, it's been way too long since the last issue; although with snow falling outside my window it does not feel all that far from December here in Washington. We are pleased to bring you another issue of the Cipher newsletter. This issue features writeups of the ISOC Symposium on Network and Distributed Security, the Financial Cryptography Conference, and the Workshop on Research with Security Vulnerability Databases. As always, if you have attended or will be attending any such conference in the near future, we urge you to consider contacting us about writing up the experience for Cipher. We also present our regular features; one interesting twist: this is an all-Denning issue for the book reviews by Bob Bruen.

Those of you who receive this by email will have received the program and call for participation for the twentieth anniversary IEEE Symposium on Security and Privacy. This promises to be an exciting program, with a good look at where we've been, where we are, and where we're headed. And of course, it will feature the usual collection of quality research paper presentations. This will also be a special Symposium in that it will be the last in an unbroken line of convenings at the Claremont in Oakland stretching back to the first one. Get there if you can.
As always, our contributors have made this issue what it is. Thank You.

Paul Syverson
Editor, Cipher

______________________________________________________________________
Letter from Deb Cooper, IEEE CS Board of Governors and Past TCSP Chair
______________________________________________________________________

What's New at the Computer Society

The newest offerings from the Computer Society are MDLS (electronic access to 17 Digital Library periodicals), IT Pro and on-line access to IEEE Computer Society conference proceedings. Conference proceedings (including the 1998 S&P Symposium) are currently available on-line at no charge to all Computer Society members and a few proceedings are available to everyone. (http://www.computer.org/conferen/proceed/dlproceed.htm) The premier issue of IT Pro is currently accessible online to all at http://computer.org/itpro. If you are not already a Computer Society or IEEE member, you can get 1999 Computer Society membership and a subscription to IT Pro at a 30% discount. This offer is not advertised and you must use a special application form to receive the discounted rate. Applications can be requested from gcarter@computer.org. Information about MDLS is available at the Computer Society web site.

A major goal this year is to work on volunteer recruiting and making volunteerism more rewarding for participants. To this end, I am asking Cipher readers to send me your thoughts on how the Computer Society can be more responsive to the needs of our community and what could and should be improved. I personally would be interested in any ideas for outreach and student programs.

The TCSP continues to be one of the most successful and dynamic Technical Committees of the IEEE Computer Society, due to the contributions of its volunteer members. My thanks to all!

Deborah M. Cooper
IEEE Computer Society Board of Governors, 1998-2000
Past TCSP Chair
d.cooper@computer.org

____________________________________________________________________
Twentieth Anniversary IEEE Symposium on Security and Privacy
____________________________________________________________________

Announcements were mailed to Cipher readers recently. They can also be found on the Web at:

or in plain text format at:

____________________________________________________________________
SECURITY AND PRIVACY NEWS BRIEFS
____________________________________________________________________

_______________________________________________________________________
LISTWATCH: items from security-related mailing lists (March 11, 1999)
by Mary Ellen Zurko (mzurko@iris.com)
_______________________________________________________________________

This issue's highlights are from cypherpunks, dcsb, risks, tbtf, privacy, and CRYPTO-GRAM.

Microsoft uses DCE UUIDs to uniquely identify OLE objects. What could be wrong with an engineering decision like that? It has turned into a major privacy problem. GUIDs (which is what they're now called by Microsoft) include the machine's Ethernet address. They're put into Office97 documents, and also reported by the registration wizard that collects the user's name and other demographic information. So, in theory, any document created with Microsoft tools can be traced to its creator. Microsoft's group product manager for Windows said the registration program shouldn't be sending that information without the user's consent (why would a user think to not let it send a GUID?), and that Microsoft technicians would look through the company's databases and expunge information that had already been collected. Phar Lap Software Inc. initially reported the problem.

Intel's Pentium III includes a unique serial number that can identify the processor (and perhaps indirectly the user).
The stated purpose is to help corporations track and manage their PC inventory, and to provide another level of security for online banking and e-commerce applications. Conversation on this feature keeps going on, and on, in part because it neither seems extraordinarily effective for its stated purpose, nor seems to be something that can be securely turned off to keep it from doing any ancillary damage. Schneier points out that because of the untrusted software that runs on the box, "the only positive usage for processor IDs is the one usage that Intel said they would not do: stolen processor tracking." Discussion on cypherpunks pointed out Ethernet cards and Sun Unix boxes also have serial numbers that are accessible. There was also a bit of debate about how much privacy is already lost and how innocuous this feature is. You can expect to see conversations like this last one for some time to come, in part inspired by Scott McNealy's (Sun CEO) quote: "You have zero privacy anyway. Get over it." In another priceless quote, David Aucsmith, security architect for chip maker Intel, said "This is a new focus for the security community... The actual user of the PC -- someone who can do anything they want -- is the enemy." The Intel Developers Forum he spoke at spawned the rumor that the ID is really there for copy protection. Intel has announced several changes since some threatened boycotts, including moving the default to disabling the ID. Major PC vendors say they will disable the ID in the basic input/output system (BIOS) software. A quotable quote from Gateway's VP of product management & planning: "We know that the BIOS mechanism is completely secure." A cypherpunk pointed out that a trojan could flip the appropriate bit in CMOS, then cause the PC to reboot to enable it.

Zero Knowledge Systems published an ActiveX program that bypasses Intel's Pentium Serial Number (PSN) Control Utility.
It puts the serial number in a cookie file even when the Intel utility indicates the ID number is turned off.

An article on patent problems states that U.S. Patent 5848161 covers the practice of using encryption functions to hide credit card account numbers on the Internet.

The White House has a new privacy czar (first chief counselor for privacy), Peter Swire. He says he's going to review federal, private-sector and international privacy issues created by new information technologies.

A British government report has given the IT community 3 weeks to come up with an alternative to key escrow. The Department of Trade and Industry's policy had proposed licensing of encryption providers that would require them to hold copies of users' encryption keys for law-enforcement access to electronic communications. Interested parties have indicated the time is too short for meaningful dialog.

In more excitement from the UK, news reports had said that hackers had seized control of one of Britain's Defense Ministry's military communications satellites and issued blackmail threats. After a few days of speculation on the veracity of the report, the Ministry dismissed the story as "not true". In a humorous aside, someone tried to anonymously send email to cypherpunks indicating that they had done this sort of thing before. Unfortunately, they cc'ed the list directly, so it came with full headers. Anonymity isn't easy.

A sudden (small) spate of announcements came for "infomediaries" who want to provide privacy by managing customers' personal profiles (I'm sure it's only my choice of phrasing that makes this sound like "War is Peace" :-). PersonaXpress by PrivaSeek will provide a free service to maintain, update, and control the type and amount of personal information that marketers and advertisers draw from their customers as they browse the Web. Their profiles will be encrypted and stored in Persona Vault.
Companies accessing the information will be "screened" then asked to sign a contract "stating that they will adhere to a set of privacy practices". Another venture, Lumeria, will release an open-source version of their system so that other infomediaries can support it. This will also help to build trust, a big issue in this market-to-be.

On the same theme as infomediaries, "drkoop.com, a leading consumer healthcare network led by Dr. C. Everett Koop, former U.S. Surgeon General, announced [2/19] it is developing a Web-based personal medical record for consumers. The drkoop.com Personal Medical Record (PMR) will be introduced in the second quarter of 1999 and will be free to all Americans. It will enable consumers to create a lifelong record of their health that is secure and private."

Continuing with medical information, somehow private patient information found its way to the search area of the University of Michigan Health System. This was reported anonymously to Lauren Weinstein, PRIVACY Forum Moderator. The data was primarily names, addresses, phone numbers, and patient IDs (which in this case, and contrary to the norm, were *not* equivalent to Social Security Numbers). The problem was fixed rapidly after Lauren reported it. Although the URLs were publicly accessible, U Mich believes that only an insider could have found them.

From Peter G. Neumann and risks: "Sean Trifero was sentenced to one year in prison by a U.S. District Judge for intentionally damaging computer systems (Harvard, Amherst, a Florida ISP, and Alliant Technologies, including planting sniffers and denial-of-service attacks) and unauthorizedly accessing others (Arctic Slope Regional Corp. and Barrows Cable, Alaska), three years subsequent probation, 150 hours of community service, and $31,650 restitution.
[Source: PRNewswire, 23 Feb 1999]"

Discussion of the UPS signature pads that trap your signature while you write it brought out a story from someone who said that UPS had claimed a suspect delivery had been made and signed for. When they pushed UPS and asked for a copy of the signature, they got it. It was the recipient's name, but it clearly was not in their hand. The theory was the delivery person had signed for it.

And now listwatch quotes TBTF reporting on CRYPTO-GRAM (with the URLs to go straight to the source :-):

  ..The long reach of the NSA

  US spy agency has been reading other nations' cable traffic as if it were the morning paper

  Bruce Schneier's CRYPTO-GRAM newsletter [5], always a compelling read for those interested in the technicalities or politics of cryptography, sends word of one of the great hacks of all time. It seems that over 50 years ago the US National Security Agency, in cooperation with its German counterpart, compromised CryptoAG, a Swiss manufacturer of cipher machines and other cryptographic products. Its customers were governments, embassies, military units, even the Vatican. The security agencies installed "back doors" in CryptoAG products (which reportedly worked by sending secret decoding keys along with each encrypted message) and for at least half a century have been reading the top-secret documents of 120 of the world's governments. Some countries tried to abandon CryptoAG but found their options limited -- the US had sometimes required purchase of particular machines as a condition for favors. Pakistan was allegedly granted American military credits with only one proviso, that it buy its encryption equipment from CryptoAG. The full, fascinating story ran in Covert Action Quarterly [6].

  [5] http://www.counterpane.com/crypto-gram.html
  [6] http://www.caq.com/CAQ/caq63/caq63madsen.html

RSA opened an Australian office, staffing it with well-known SSLeay developers. "Australia's Defence Department had awarded Security Dynamics a licence -- thought to be the first of its type in Australia -- to export uncrackable, commercial versions of SSLeay from the Brisbane centre, and Security Dynamics would use the office as its global export centre for SSL technology, bypassing US military bans."

Freedom software was announced by Zero Knowledge Systems. It is based on a number of Cypherpunks-inspired technologies, including anonymity, nyms, mixing, and traffic analysis defense.

The shocker back in January was that the French Government abandoned its effort to control domestic use of encryption. Prime Minister Jospin announced they would abandon most aspects of the encryption legislation adopted in 1996. They anticipate proposing legislation allowing complete freedom in the use of all cryptography, abolishing the requirement to use trusted third parties, and providing instead increased funding for the police, combined with enhanced authority to demand plaintext in the course of an investigation. Recognizing that it would take several months to modify the legislation, he announced that the level for free use of encryption inside France would be raised administratively from the current 40-bit level to 128 bits.

Shortly before that announcement, the NSA banned Furbies from the offices in case they could record parts of classified conversations. While there was discussion about whether or not Furbies actually record any new utterances, no one addressed the potential for covert channels based on how Furbies might adapt to time at the NSA...

Lonne Allen Jaffe (jaffe@fas.harvard.edu) and others at Harvard University are working on a research paper on the use of ciphers by scientists to prove the authenticity of their work from the 16th century onward. If you have any information on the subject, they'd like to hear it.
____________________________________________________________________
Clinton Administration proposes $1.4 Billion for Computer Security
____________________________________________________________________

According to a report in the January 29 issue of Science, as part of its call for new spending on advanced technology R&D, the Clinton administration is proposing that $1.464 billion be spent on "critical infrastructure protection and computer security," an increase of 40% over what's currently spent in this area. Most of the funding is earmarked for applied research on computer security through the Defense Department, but about $3 million would go toward new computer science scholarships with the goal of creating a "cyber-corps" of electronic network defenders. Congress is likely to approve or even increase the proposed funds, according to Rep. Curt Weldon (R-Penn.), who chairs the House Armed Services Subcommittee on research.

____________________________________________________________________
Willis Ware wins IFIP's Kristian Beckman Award
____________________________________________________________________

The Kristian Beckman Awards Committee of Technical Committee 11 of IFIP, the International Federation For Information Processing, announced on March 9 that the 1999 Kristian Beckman Award is awarded to Dr. Willis Ware of the US. The Kristian Beckman Award was created in honour of Kristian Beckman, the first Chairman of TC 11. The objective of the award is to publicly recognise an individual, not a group or organisation, who has significantly contributed to the development of information security, especially achievements with an international perspective.
____________________________________________________________________
COMMENTARY AND OPINION
____________________________________________________________________

____________________________________________________________________
Internet Besieged: Countering Cyberspace Scofflaws
edited by Dorothy Denning and Peter Denning. ACM Press 1998. 547 pages.
Biographies of Contributors. Index. $34.95 ISBN 0-201-30820-7. LoC HV6773.I57

Reviewed by Robert Bruen, Cipher Book Review Editor
____________________________________________________________________

This is a fairly hefty book with five major sections containing thirty-four papers by well-known members of the security field and a few others. It is a good collection of papers that should be read by those interested in the internet and security, but read from the point of view of history. The majority of the papers have been published in journals, on the web or given as a speech somewhere, covering the early to mid part of the 1990s. Some of the papers are good technical presentations, such as Woo and Lam's Authentication for Distributed Systems (1992) and Kent's Internet Privacy Enhanced Mail (1993). Others are detailed explanations on practical matters such as Kim and Spafford's Tripwire: A Case Study in Integrity Monitoring and Test Driving SATAN by Doty. Then there are those whose reason for inclusion I am forced to ponder, like a speech by Janet Reno, Law Enforcement in Cyberspace address, and the two policy statements for acceptable use at the home universities of the editors. Another excellent group of papers is represented by Cheswick's An Evening with Berferd (1994), which are anecdotal in nature, but very instructive.

In general the book is enjoyable, meaningful reading, although given the title and the tone, I feel the editors are pushing their agenda that the world is under a threat so great from the net that only more law enforcement intrusion into our private lives will save us.
The editors have made no secret of their support for key escrow, the Clipper chip and restrictions on the availability of strong crypto to the masses. There are several papers in the book by the editors covering key recovery systems, encryption policy, etc. that reflect this point of view.

Let me offer the editors some advice: The net is the next big step in human communication capability. Human interaction carries problems that began at the first meeting of a couple of humans, so the net is no different in that respect. We are on the verge of a many-to-many communication mesh that will involve anyone who wishes to be involved, where everyone will have the ability to talk, not just those with great resources. It is one of the greatest mechanisms of freedom and equality since the creation of democracy. Naturally there will be some serious bumps in the road because not everyone is a nice person, but trying to prevent freedom from spreading because of a few pain-in-the-neck hackers is simply not the right choice. And it will not work anyway.

The five sections of the book are:

1) The Worldwide Network
2) Internet Security
3) Cryptography
4) Secure Electronic Commerce
5) Law, Policy, and Education

The first section was mediocre; the second was the best in the book and also had the most papers (10); the Crypto section had good papers, but only five, limiting an otherwise interesting section. The commerce section was satisfactory in size and scope. The last section has eight papers, little actual content, and is certainly one-sided; however, it has one gem at the very end by Major Gregory White and Captain Gregory Nordstrom covering a course they teach in hacking/security at the Air Force Academy (at least in 1996). It would be worth reading/writing a more detailed account of the course than this short paper provides, as well as the experience over several years of teaching the course.
There is a definite shortage of security-related courses built into the computer science programs of our colleges and universities, making this one a member of a small, elite group.

Overall, in spite of a few shortcomings, this collection of papers is a book I can recommend for content, style and educational value. There is no requirement to agree with the viewpoints of others to appreciate their contributions to the field. Bringing together this book was one of those contributions.

____________________________________________________________________
Information Warfare and Security
by Dorothy Denning. Addison-Wesley. 1999. 522 pages.
Bibliography, endnotes and index. Paper $34.95. ISBN 0-201-43303-6. LoC U163.D46.

Reviewed by Robert Bruen, Cipher Book Review Editor
____________________________________________________________________

Professor Denning's latest contribution to the world of security and privacy is the best resource book on information warfare available. While it is difficult to say that any book is exhaustive on such a topic, the work is extensive. The amount of research and preparation shows through in this well-organized book. She has brought much more than the usual hacker stories with a successful attempt to offer a theoretical basis for information warfare. The three main divisions are the Introduction, Offensive Information Warfare and Defensive Information Warfare. The introduction is only three chapters starting with the Gulf War, but they give us insights and background for the remainder of the book, which starts with the Gulf War.

The theoretical approach for many readers places such a book in the academic environment, but it also gives credibility to an idea that often sounds like Hollywood's idea of the Y2K problem. From the media accounts of 16-year-old hackers to serious wartime decoding of enemy battle plans may seem to be a bit of a stretch until one associates the underlying foundations of manipulating the bits with each activity.
The difference is only that of extent, not a difference in kind. One analogy would be the difference between a child accidentally killing someone while playing with a handgun and soldiers shooting each other on a battlefield. Electrons have been added to the arsenal available to everyone. We need to better understand the impact on humanity because it is sizable. The intrusiveness of the new use of electrons appears in pranks, crime, international relations, warfare, finance and the telephones, just to name a few areas. Underneath it all, the effects are felt in anything related to information/knowledge: its creation, storage, modification and communication. This goes to the heart of much of the social interaction of people. You do not need to be the head of an army to require important information. A medical emergency makes a phone number a life-and-death bit of information for those involved.

The net continues to expand daily and will most likely continue to expand until every inch of the planet and nearby planets will be reachable. More and more people are gaining access. These people are not the techies of the 70s and 80s. They are pretty much part of the general population who bring with them all the things that the general population thinks about, except now they have a very powerful means of communicating that was not available. The growth of hackers and crackers is one sign of this, but the use of electrons in physical warfare is another, as is the growth of the surveillance society. Everyone got a video camera in the 90s; now everyone will get a PC with a net connection for the new millennium.

The section on offensive information warfare presents the important area of perception management as practiced by the military in war, the media in business and the government in political activities.
Perception management takes on a new level of importance in our times because of the new availability of hard-to-understand technical information and the extensive quantity of this and other information. Those who do not or cannot deal with large volumes of information will be subject to misinformation at the click of a mouse. We have already seen its early stages with the president's impeachment trial. The problem will only increase in severity over time.

In a far-reaching sweep of the issues, topics covered include technical information from traffic analysis and cryptography to national security and politics. Another example, identity theft, is something each of us ought to take seriously, along with anonymity. A widespread reading of Information Warfare and Security followed by broad-based discussions would be helpful to all of us. We should think about the need to educate as many of our fellow citizens as possible before control is lost due to ignorance. The book is organized such that it can be used as a textbook for a college course, a reference book or one that is just good reading. Highly recommended.

______________________________________________________________________
Conference Reports
______________________________________________________________________

______________________________________________________________________
Network and Distributed System Security Symposium (NDSS '99)
San Diego, California
February 03 - February 05, 1999.
by Tatyana Ryutov (tryutov@isi.edu)
______________________________________________________________________

[Another writeup of this symposium by Mahesh Tripunitara can be found on the Web at (html version) (text version) -Paul]

The Network and Distributed System Security Symposium was held in San Diego, California, from February 03 - February 05, 1999. The goal of the symposium was to provide a highly interactive and supportive forum for new research in Internet security. The symposium home page is http://info.isoc.org/ndss99.
There were over 200 participants representing 18 countries from business, academia, and government with interests in cryptology and computer security. My apologies in advance for not knowing the names of some attendees whom I quote below. I missed the first session and parts of some other sessions, so I was not able to describe questions and responses from the audience for the first session and part of what was said in some panel discussions.

The first session was "USER AUTHENTICATION AND PUBLIC KEY CRYPTOGRAPHY," run by Jonathan Trostle (Cisco Systems).

The first paper was "Secure Password-Based Protocol for Downloading a Private Key" by Radia Perlman (Sun Microsystems Laboratories, United States) and Charlie Kaufman (Iris Associates, United States). The goal of the proposed protocols is to securely download a user's environment from the network given only a user name and password. These protocols are variants of EKE and SPEKE modified to provide better performance. Additional advantages are resistance to denial of service attacks, stateless servers, and the ability to use salt. Related protocols providing similar capabilities were discussed. Some protocols require knowledge of sensitive information (the server's public key); other protocols were excessively strong for the defined goal, requiring more messages or more computation.

The next paper was "A Real-World Analysis of Kerberos Password Security" by Thomas Wu (Stanford University, United States). This paper discusses the well-known Kerberos vulnerability to off-line dictionary attacks, providing and analyzing the results of an experiment using an Internet password-cracking package. The input dictionary included a precompiled word list, user-specific information and transformations that users often do when selecting passwords, e.g. adding digits as prefixes and suffixes and capitalizing letters. Over 2000 passwords (from a Kerberos realm containing over 25 000 user accounts) were guessed.
Analysis of the successfully guessed passwords provides interesting insights into the ways users select their passwords. The author recommended using preauthentication combined with a secure remote password protocol (e.g. SRP, SPEKE) and light password strength-checking to protect the authentication system from dictionary attacks, rather than requiring enforcement of an administrative policy mandating harder passwords.

The first session ended with "Secure Remote Access to an Internal Web Server" by Christian Gilmore, David Kormann, and Aviel D. Rubin (AT&T Labs Research, United States). One goal is to allow access to the internal web server from outside of the firewall without any modification to the internal infrastructure (firewall and internal web server). Another goal is to make the web browsing session appear the same as when users are connecting from behind the firewall. The first goal is achieved using strong authentication based on a one-time password scheme on top of SSL. The firewall prohibits initiating connections from outside, so outside connections are handled by a proxy server, which has one component operating behind the firewall and the other one on the outside. The inside component maintains a control connection to the external one. It is used to receive browser requests from outside and forward them to the internal web server. The second goal is addressed by rewriting URLs. New URLs are constructed from the original ones and include some security information. Some limitations of the presented system were pointed out: when URLs (pointing behind the firewall) are dynamically generated by scripts, there is no way to parse and therefore rewrite them, which leads to the failure of the request.

A panel (session 2), "SECURITY AND THE USER", was moderated by Win Treese (Open Market, Inc., United States).

Mary Ellen Zurko (Iris Associates, United States), in her talk "User-centered Security", discussed two approaches to system design: the user-centered and the traditional one.
She pointed out the conflict between them and suggested some ways to deal with it. First, Mary gave the user-centered perspective, stating that the user should be in control of the system and the system should provide a clear interface and correct information. If there is a problem with the use of the system, it is the system's fault, not the user's. Then she presented the traditional information security perspective, the main purpose of which is protection of organizational resources. Cooperation of administrators, programmers and users is required. If there is an error, the system is not always the only one to blame. To cope with this conflict a user-centered approach to security is required: including the user in the model of the security system and applying good software engineering techniques (designing an easy, understandable user interface and performing usability tests on security software).

Mark Ackerman (University of California at Irvine, United States) presented a talk on "Usability and Security". Mark discussed usability and its main aspects: social, historical and physical. He tackled the issues of human factors and human-computer interaction.

The following report was kindly given to me by Dr. Peter Neumann (SRI, United States). I am citing it without any modifications.

"Peter Neumann (who went last) noted a possible connection between NDSS and the butterfly theme of Hans's luau: Franz Kafka (Metamorphosis). Security is still in the larval stage, and solutions when they emerge tend to be short-lived. Network and distributed system security is certainly a Kafka-esque nightmare, having metamorphosed into a gigantic army of bugs. PGN stressed the importance of broadening our narrow concerns about security to include reliability and system survivability in the face of various adversities. By addressing the more general problem, we can come up with better solutions. Perhaps most significant, he emphasized the importance of good software engineering practice.
(Mary Ellen Zurko later noted the repeated occurrences of buffer overflows over the past many years, as an example of why good software engineering is so important.) PGN considered the fact that system users (e.g., airplane pilots) are often blamed for disasters that were in part attributable to bad system design and bad interface design -- and gave several illustrations. For example, see his Website (http://www.csl.sri.com/~neumann). He observed that system/network admins are also users, and that they are also victimized. He stressed the importance of better user authentication -- going beyond fixed reusable passwords -- and the need for people-tolerant systems. "Fool-proof" is a bad metaphor, because the experts can also mess up. PGN discussed the importance of open-source software as an alternative to bloatware systems with incredibly complicated user interfaces, along with the need to make open-source systems significantly more robust. One of the biggest impediments to security created by closed-source proprietary systems is that intrinsically lousy security cannot be openly assessed and cannot be easily improved by admins and users."

The question and answer session touched on the analogy between a cryptographic key and a regular key, and between a digital signature and a handwritten one. These notions are very different. How far will the analogy go? What are the aspects of usability to users? Some were concerned with the risk of bringing physical world experiences into the Internet world. Someone noted that the analogy is good. Another replied "I do know what is going to happen in the physical world with my key, however I do not know much about my software key: what system is it going to go to?" Some expressed a pessimistic view: the user is at risk no matter what he does because the system itself is not secure: servers, web interfaces and OS are insecure. Alfred Osborne asked about real solutions for the users. The answer was: there are no total solutions.
Partial solutions include: increasing the robustness of the system, ensuring a trustworthy software distribution path (authentication, versioning), and emphasis on the "open design" versus "hide everything" approach: hide only implementation details and leave everything else open.

A participant raised the issue of education of users. There are two steps to getting familiar with a product: (1) the product itself, (2) its security issues. An audience member asked whether a national education standard should be established that includes security as a required course. One opinion was: security, reliability and good software design should be widely taught. Another opinion was: security must be embedded throughout the entire curriculum, not taught separately. A participant pointed out that security education will never be established for users, or even developers. Another participant objected that he has probably forgotten that he was taught some basic security in elementary school. Another remark: people do not forget to lock their doors, they forget to upgrade their doors (or keys).

One questioner asked: whom to blame if something goes wrong? There was a variety of answers, including:
- everybody except me
- blame the one who can fix it, even though it is not his fault
- the user is not the one to blame; the fault results from a concatenation of different things
- the system should be "people-proof" (fool-proof and expert-proof) and user friendly

Someone observed that network security has some particular characteristics: a robber who breaks into your house will not take everything from your home at once; on the Internet all your stuff is gone immediately and it is all over the Internet. Someone asked about liability: to what extent can it be adopted? To what degree should insurance enter the Internet world? One opinion was: there is a beginning of this; it is not good for insurance, but leverage for system developers.
One participant joked "if software fails we will give you another copy of the software". Another participant noted that insurance of software is not doable because faults are often the result of human behavior; it is a human problem. How can we educate users? Someone suggested certifying users :) In conclusion, there was a question: what should we do when we return to our work?
- use a language without buffer overflows
- a good toolkit
- a good attitude toward the authentication problem

The third session "CRYPTOGRAPHIC PROTOCOLS" was hosted by David Balenson (TIS Labs at Network Associates, United States). The session began with the paper "Experimenting with Shared Generation of RSA Keys" by Michael Malkin, Thomas Wu, and Dan Boneh (Stanford University, United States). The goal of the paper was to investigate practical aspects of distributed shared RSA key generation. This method does not require the involvement of a trusted dealer (who would introduce a single point of attack). In this scheme K servers generate a modulus N=pq and exponents e and d, where e is public and d is private. The private key d is shared among the K servers. The K servers perform a private distributed computation to make sure N is the product of two primes; however, none of the servers knows the factorization. The key d is never reconstructed at a single location and can be shared in a way that allows "t out of k" threshold signature generation. This is useful for achieving fault tolerance, since it allows the servers to issue certificates without reconstructing the key d. One practical drawback of this distributed key generation scheme is that it takes more iterations: the worst-case run time estimate for the algorithm for finding a suitable N is O(n^2) (compared to O(2n) for single-user generation). The author presented practical optimizations based on distributed sieving and multithreading of key generation.
He presented reasonable experimental key generation time measurements: 91 seconds for a 1024-bit shared RSA key (three 333 MHz PCs, 10 Mbps Ethernet); 6 minutes across a wide area network. Steve Kent asked whether, if over n/2 of the participating parties are bad guys, they would be able to get sensitive information. The answer was: the algorithm is secure if over n/2 of the participants generate the key properly. Someone asked: the communication is based on SSL, which means unicast; what are the performance implications of having no broadcast? The reply was: with large numbers of servers performance degrades; it works better with a smaller number of parties.

The next paper was "Addressing the Problem of Undetected Signature Key Compromise" by Paul C. van Oorschot (Entrust Technologies, Canada) and Mike Just (Carleton University, Canada). Mike Just presented. The purpose of the paper was to study undetected key compromise, motivate others to consider this problem and provide solutions for detecting a compromise and preventing acceptance of forged signatures. The key idea is to use a second level of authentication, which results in a signature over the signed message being returned to the originator of the message by a trusted register. This allows the recipient of the signed message to make sure that the message was signed by the legitimate party, thus making possession of the signature key by an attacker insufficient for forging the signature. The main distinction of the proposed scheme is that two independent secrets are maintained by the signing user: one for the original signature and one for the secondary authentication. This provides a second level of protection as well as increasing the likelihood of compromise detection. Detection is based on using a time-dependent counter, which allows a lack of synchronization between the signer and the trusted register to be detected.
Preventing acceptance of bogus signatures is achieved by introducing a "cooling off" period: signed messages are not accepted until this period has expired. This technique supports non-repudiation, since bogus messages would have been detected by the legitimate users and must have been reported. One drawback of the presented scheme is the requirement of an on-line trusted third party. Mike noted that this is applicable to high-value automated transactions. One participant asked: How do I know when the key expired and I should not use it any more, or whether someone else has started using it?

Next was an interesting paper "Practical Approach to Anonymity in Large Scale Electronic Voting Schemes" by Andreu Riera and Joan Borrell (Universitat Autonoma de Barcelona, Spain). Andreu Riera presented. Their work considered how to implement a realistic large scale voting system. Their scheme is based on the cooperation of multiple hierarchically arranged electoral authorities. The advantages of this scheme are: a single non-anonymous voting session (a widely accepted solution is based on two sessions, one anonymous and one non-anonymous) and no requirement for external mixes. Anonymity is provided by shuffling ballot boxes a number of times. There are restrictions to this approach. The proposed scheme can model all commonly accepted security requirements except uncoercibility (the inability of voters to prove which way they voted), which requires hardware components to be added to the scheme. A participant asked if the scheme was implemented. Andreu replied that they are working on the protocol. Someone asked: authentication of the voter is required, so how is privacy maintained? Andreu explained that authentication of the voter's private key is required; to assure privacy the blind signature mechanism is used. One questioner pointed out that in commercial voting systems all software is proprietary and vendors do not allow looking at the code, therefore there are many ways to subvert an election, e.g.
by means of covert channels. Another question was: Is this complexity practical for a real system? Andreu: complexity is inevitable. A member of the audience asked if it is possible to detect who voted twice. Andreu: yes. Another question was about the association between a voter and his vote. Andreu pointed out that it was not possible to detect the association between a voter and his vote.

The last session of the day was a panel "SECURING THE INTERNET'S EXTERIOR ROUTING INFRASTRUCTURE", hosted by Sue Hares (Merit, United States). Sandra Murphy (TIS Labs at Network Associates, United States) was the first panelist. Sorry, I missed this one.

Curtis Villamizer (ANS Communications, United States) talked about improving Internet routing robustness. Curtis pointed out that incorrect routing, either malicious or unintended, can cause traffic misrouting and routing-related outages. Routing attacks do not occur because of their limited impact (short-term denial of service) and the high risk of being caught (many sites log routing activity). Curtis discussed the authentication schemes in use:
- IGP protocols use peer-to-peer MD5 or password-based authentication
- IBGP protocols use MD5 or TCP/MD5 authentication
- some EBGP peers use peer-to-peer TCP/MD5
He discussed the following approaches to improving external routing robustness:
- information storage (DNS, IRR)
- authorization
- verification of route announcements (sanity filters applied to EBGP peers, signatures on route origin, signatures at each BGP exchange)
At the end of his talk, Curtis discussed signature approaches: origin and full path. Signatures vs. filtering: signatures offer a security advantage over filtering; filters offer better scalability. Use of either one will improve routing robustness. Someone mentioned replay attacks. Curtis: timestamps can be incorporated in signatures, but this is a fundamental change. The next question was whether the registry was implemented. Curtis: it has already happened.
The third panelist Tony Li (Juniper Networks, Inc., United States) talked about BGP origin authentication. He identified the following problems:
- malicious or erroneous injection of prefixes by Autonomous Systems
- denial of service attacks
- masquerading as another AS
- tampering with advertisements
He noted that the emphasis of this work was on finding practical solutions. Tony outlined the approach:
1) encode prefixes in DNS -- the hard part. He presented different encoding rules.
2) use DNSSEC to provide authentication
3) have BGP look up each prefix in DNS (for performance, BGP speakers can cache the relevant RRs, and the cache can persist across reboots)
If there is a matching AS RR and the origin authenticates, the authenticated path is preferred over unauthenticated ones, even when the authenticated path is less specific. Only the authenticated path is announced. Authentication expiration is checked. If there is no authentication information, unauthenticated paths are still usable. If there is a matching AS RR and the origin does not authenticate: select a different path, and if the path was already advertised, withdraw it.

The last panelist was Charles Lynn (BBN Technologies, United States). He talked about the Secure Border Gateway Protocol. First he outlined the goals: overcome current BGP limitations and design a dynamic, scalable and deployable protocol. Advantages of S-BGP are authentication of participating entities (prefix owners, AS number owners and AS administrators participate) and authorization of an AS for prefix advertisement and use of a route. The design is based on:
1) IPsec to provide authentication, integrity and protection against replay attacks
2) PKI to support secure identification of BGP speakers, owners of ASes and owners of address blocks
3) Attestations:
- Address attestations validate that a destination address was originated by an authorized AS.
- Route attestations validate that an AS is authorized to use an AS path.
4) Certificates and attestations are used for validation of UPDATEs
5) Each UPDATE includes one or more address attestations and a set of route attestations.
Charles presented the address, AS and router certificate formats and the encoding of the attestations. Performance issues were discussed. Optimizations were considered: caching validated routes, background validation of alternate routes, keeping only the necessary certificate fields in S-BGP databases, and offloading generation/signing of route attestations. Charles concluded that prototype development is in progress. The talk was quite long and no time was left for questions.

The fifth session, "POLICY AND TRUST MANAGEMENT", opened the next day and was run by Warwick Ford (Verisign, United States). The first paper was "Distributed Policy Management for Java 1.2" by Pekka Nikander and Jonna Partanen (Helsinki University of Technology, Finland). Jonna presented. The main idea is to use SPKI certificates to achieve better scalability and dynamic access control management as an alternative to static local permission configuration. Certificates are attached to protection domains, as well as retrieved from a distributed certificate repository. The improvements include the ability to dynamically extend granted permissions and to introduce new permission types, which may be dynamically derived from SPKI certificates as needed. Jonna presented the security architecture of JDK 1.2. She pointed out drawbacks: permissions associated with a domain must be defined prior to loading the classes, and assigning protection domains to classes is rigid. She pointed out that this was the default implementation, not the proposed architecture. The prototype implementation was discussed. Mary Zurko asked if the system was implemented. Jonna: not finished yet. Steve Kent asked about the certificate revocation problem. Jonna: on-line validity tests, CRLs; not finished yet. A participant asked if everyone was allowed to put certificates in DNS.
Jonna: It can be implemented so that you put it in your local DNS and do not show it to anyone, to ensure privacy. Another question was: Which chain of certificates do you select? Jonna: we have to find a valid chain; our chains are short. Someone asked if there was a way to establish one-time certificates. Jonna: certificates are meant to be used many times; compromised certificates are revoked.

The next paper was "Distributed Execution with Remote Audit" by Fabian Monrose (New York University, United States), Peter Wyckoff (New York University, United States), and Aviel Rubin (AT&T Labs Research, United States). Fabian Monrose presented. This work was concerned with misbehavior of the hosts participating in coarse-grained parallel computations in metacomputing environments. He presented the design and a Java-specific implementation of an audit mechanism to detect such misbehavior. The technique is based on transforming a task into checkable units. For a host to cheat it must corrupt at least one of the units. This is more difficult than corrupting an entire computation by returning an error. The limitation is that the proposed scheme detects, with high probability, misbehavior only by cheating hosts (ones that try to minimize resource expenditures). This is done by means of a proof of execution, which is sent by the participating hosts to the verifier. The verifier checks the proof to determine whether the component was correctly executed. Hosts that are trying to subvert the computation are not caught. The technique is based on the assumption that the task can be transformed into checkable units that have similar execution times, which is not always feasible. This requirement limits the set of applications that may benefit from it. A participant asked if the system can be extended to do audit if the machines do not do what they are supposed to do. Fabian replied that there was a particular environment that could support it. Another participant asked if workers can trust the manager.
Fabian noted that workers are being paid for the performed computation, therefore they have to have some trust.

The next paper, "An Algebra for Assessing Trust in Certification Chains" by Audun Josang (Telenor R&D, Norway), ended the session. Audun Josang presented an interesting work on an algebra for determining trust in certificate chains. It is based on subjective logic, which defines logical operations (with some untraditional "recommendation" and "consensus" operators) for manipulating opinions. An opinion is defined as a triplet consisting of belief, disbelief and uncertainty components. The motivation behind such metrics is the belief that trust is not binary. Certificates are accompanied by opinions about key authenticity and recommendation trustworthiness. Authenticity of the public key is based on finding two valid chains: a certificate chain and a recommendation chain. To avoid undesirable dependencies, the algebra requires recommendations to be based on first-hand evidence only. This simplifies the problem of certificate revocation, since the recommender has information about every recipient and is therefore able to inform them about a revoked certificate. The notorious VSR programming problem was brought up: how easy will it be for end users to make use of this approach? Audun agreed that it is not easy; there is no easy way to express uncertainty. Another question was: second-hand trust is a useful intuition, so why prohibit it? Audun pointed out that the restriction to first-hand trust only enforces certain ways of establishing certification paths.

The next (sixth) session was a panel "A NETWORK SECURITY RESEARCH AGENDA", run by Fred Schneider (Cornell University, United States). Steven M. Bellovin (AT&T Labs-Research, United States) began his talk by defining the problems that need to be solved.
First, Steven described cryptography issues such as: the need for higher speed in public key algorithms; the PKI scaling problem and revocation of expired certificates; the fact that no one checks certificates; and that cryptography makes many things harder, e.g. compression, network management tools and QoS techniques. Next Steven touched on buggy software problems (the notorious buffer overflows), routing attacks and environmental problems (operational errors often translate into security problems). At the end of his talk Steven outlined the challenges: learn how to use cryptography and write correct code; secure the routing infrastructure; and make systems powerful but easy to use.

The next two panel talks were presented by Steve T. Kent (BBN Technologies/GTE Internetworking, United States) and Roger Needham (Microsoft, United States); sorry, I did not get these two.

Hilarie K. Orman (DARPA, United States) presented her talk "Perspectives on Progress and Directions for Network Security Research". First, Hilarie outlined the progress network security has made: commercial IPSEC, widespread SSL, PGP in products, secure key exchange standards (IEEE, ANSI, ATM, IETF). Then she discussed government concerns (manageable security, flexible policy, risk assessment), industry concerns (performance impacts of security, end-to-end confidentiality clashing with network management, preservation of intellectual property) and new network security concerns (the impact of embedded devices on the Internet, reliability of the data received from sensing devices with wireless communication, access control and authorization issues).
In conclusion, she gave an overview of security research directions: secure group communication and management, secure multicast routing, mapping policy to mechanism across organizations, high-speed networks, cryptography in the optical domain, practical mobile security, integrity of autonomous devices, strong availability guarantees, a scientific/engineering basis for risk assessment, strong redundancy guarantees and monitors, smart attack/corruption detection and adaptive and automated response.

Questions put to the panel were: Is there research on legislation? Why would the American data collection model not work in Europe? There was some discussion on legislation. In Europe, an agency collecting private data has to: (1) notify everyone that it is collecting data, (2) state what it is collecting the data for and (3) report how the data was used. In America, private data (e.g. customer e-mail) can be sold to someone else without asking or notifying the customer. Another question was "Is it possible to reduce complexity to afford what we are implementing?" The answer was: "The problem is complex; this underlying complexity does not lead to a simple solution".

The seventh session was "NETWORK INFRASTRUCTURE PROTECTION", hosted by Christoph Schuba (Sun Microsystems, United States). The first paper was "PGRIP: PNNI Global Routing Infrastructure Protection" by Sabrina De Capitani di Vimercati (Universita di Milano, Italy), Patrick Lincoln (SRI International, United States), Livio Ricciulli (SRI International, United States), and Pierangela Samarati (SRI International, United States). Patrick Lincoln presented. The paper was concerned with protecting the routing infrastructure from malicious and unintentional faults by (1) replicating network processing and communication resources and (2) using Byzantine fault tolerant protocols to identify failures. The routing protocol operates in the clear; once a failure is detected, security-enhanced protocols are invoked to fix the problem.
Thus the approach relies on cryptography only when absolutely necessary, treating the common case more efficiently. PNNI uses a hierarchical organization: nodes are grouped, and each group has a leader. The group leaders themselves are grouped at a higher level of the hierarchy. Only a subset of nodes, including a group leader in each peer group, is equipped with PGRIP. These PGRIP-enhanced nodes detect integrity compromises by evaluating changes to the local databases and resolve anomalies. Someone made an observation: if cryptography is optional then you do not know who you are talking to.

The next paper was "Client Puzzles: A Cryptographic Countermeasure Against Connection Depletion Attacks" by Ari Juels and John Brainard (RSA Laboratories, United States). Ari Juels presented. This was a very entertaining presentation. The idea is: in the absence of an attack the server accepts requests indiscriminately. When a connection depletion attack is suspected, the server starts accepting connection requests selectively. Each client wishing to get service is given a unique puzzle, a cryptographic problem, which must be solved by the client in order to get the requested resources. A client puzzle incorporates the time of the request, a server secret and client request information. The server operates in a stateless fashion: it checks the correctness of the solution, checks that the puzzle has not expired and makes sure that an attacker cannot use the same solution for multiple allocations. The idea is "nothing comes for free": an attacker has to have large computational resources to mount an attack. The protocol is very flexible: the hardness of the puzzles can depend on the severity of the attack. The proposed protocol can be used to defend protocols such as TCP and SSL against connection depletion attacks. A disadvantage is that the client has to have software for solving the puzzles. He noted that having the server make use of the puzzle results would be an interesting research topic.
Someone asked if the server had to maintain state and remember puzzles. Ari: no, the server just checks whether the pre-image is equal to the answer. Someone else raised the point that an attacker can mount slowing-down attacks, causing frustration for legitimate users. Ari: graceful degradation: the stronger the attack, the harder the puzzles. Another question was whether puzzles were cryptographically protected: how can one distinguish between a legitimately generated puzzle and a modified one? Ari: this issue was not dealt with in the paper.

The last (eighth) session was a panel "IPSEC: FRIEND OR FOE", held by Dan Nessett (3Com Corporation, United States). Rodney Thayer (EIS Corporation, United States) presented the "Benefits of IPsec" talk. IPsec was developed by IETF working groups whose members came from different backgrounds. It is based on modern technology. It provides platform and algorithm independence (cryptographic algorithms can be easily added and deleted). It is transparent to applications and offers different privacy and authentication options. IPsec is implemented at the network layer, which provides protection against network layer attacks; all necessary IP packets are protected, and it allows deployment in gateways, which in turn can provide scaled management of security. It allows network-wide security parameters.

Bob Braden (USC/ISI, United States), who is only a simulated foe of IPsec, presented the "Arguments Against IPsec" talk.
1) Operation of IPsec at the network layer harms many things: when used for encryption, IPsec hides the transport layer, which is bad for network management (traffic flow and per-port usage information) and TCP performance enhancements (e.g. ACK snooping and ACK pacing). When used for integrity, it prevents legitimate and useful rewriting of protocol headers.
2) IPsec makes network security difficult: intrusion detection is more limited; the CPU cost of IPsec cryptography makes DoS attacks much easier.
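As an added illustration (not code from the Juels and Brainard paper or the conference), the following Python sketch shows a stateless puzzle issuer and verifier along the lines the talk and the Q&A describe: the hidden pre-image is derived from a server secret, the request time and the client request, so the server recomputes it instead of remembering puzzles; solutions expire and cannot be redeemed twice; and difficulty rises with load. The function names, the HMAC/SHA-256 construction and the difficulty policy are my assumptions.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Constructed example of a client-puzzle scheme in the style summarised
# above. Names, parameters and the difficulty policy are assumptions of this
# example, not the paper's own code.

SERVER_SECRET = os.urandom(32)   # long-term secret known only to the server
PUZZLE_LIFETIME = 30             # seconds a puzzle remains redeemable
_redeemed = set()                # (timestamp, request) pairs already used


def _preimage(ts: int, client_request: bytes) -> bytes:
    """Derive the puzzle pre-image x from the server secret, the time of the
    request and the request itself. Since x is recomputable, the server does
    not store issued puzzles: this is the stateless property from the talk."""
    msg = ts.to_bytes(8, "big") + client_request
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()


def difficulty_for(pending: int, capacity: int) -> int:
    """Policy: no puzzle while the connection table is under half full, then
    more hidden bits as it fills (the 'graceful degradation' in the Q&A)."""
    load = pending / capacity
    if load < 0.5:
        return 0
    return min(20, int((load - 0.5) * 40))   # up to 20 bits at a full table


def make_puzzle(client_request: bytes, bits: int,
                now: Optional[int] = None) -> dict:
    """Issue a puzzle: the hash image of x together with x minus its low
    `bits` bits. The client must recover those bits by brute force."""
    ts = int(time.time()) if now is None else now
    x = _preimage(ts, client_request)
    mask = (1 << bits) - 1
    partial = (int.from_bytes(x, "big") & ~mask).to_bytes(32, "big")
    return {"ts": ts, "bits": bits, "partial": partial,
            "image": hashlib.sha256(x).digest()}


def solve_puzzle(puzzle: dict) -> bytes:
    """Client side: try every value of the hidden bits (expected 2^(bits-1)
    hashes) until the hash image matches."""
    base = int.from_bytes(puzzle["partial"], "big")
    for candidate in range(1 << puzzle["bits"]):
        x = (base | candidate).to_bytes(32, "big")
        if hashlib.sha256(x).digest() == puzzle["image"]:
            return x
    raise ValueError("no solution: puzzle was corrupted in transit")


def verify_solution(client_request: bytes, ts: int, solution: bytes,
                    now: Optional[int] = None) -> Tuple[bool, str]:
    """Server side: recompute x, reject stale puzzles, compare, and refuse to
    redeem the same puzzle twice. Only puzzles redeemed inside the lifetime
    window are remembered, and stale entries are pruned."""
    now = int(time.time()) if now is None else now
    if not 0 <= now - ts <= PUZZLE_LIFETIME:
        return False, "expired"
    if not hmac.compare_digest(_preimage(ts, client_request), solution):
        return False, "wrong solution"
    key = (ts, client_request)
    if key in _redeemed:
        return False, "replayed"
    _redeemed.add(key)
    for old in [k for k in _redeemed if now - k[0] > PUZZLE_LIFETIME]:
        _redeemed.discard(old)
    return True, "accepted"


def handshake(client_request: bytes, pending: int, capacity: int,
              now: Optional[int] = None) -> Tuple[bool, str]:
    """Whole exchange: server picks difficulty, client solves, server checks."""
    puzzle = make_puzzle(client_request, difficulty_for(pending, capacity), now)
    return verify_solution(client_request, puzzle["ts"], solve_puzzle(puzzle), now)


if __name__ == "__main__":
    # Constructed request: a connection attempt arriving while the table is 90% full.
    print(handshake(b"SYN 192.0.2.10:40000", pending=900, capacity=1000))
```

The replay set is the one piece of state the server keeps, and it is bounded by the puzzle lifetime; the question of protecting the puzzle itself against modification, which Ari said the paper does not address, is likewise left open here.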
3) IPsec adds complexity to the IP protocol level.
4) Application-level security optimization: along with its good side (a common IPsec service) there is a downside: one cannot optimize for application requirements.
5) The decision to require IPsec in IPv6 may delay deployment of IPv6.
Conclusion: we don't have enough experience with IPsec to say if it is good or bad.

Steve Bellovin (AT&T Labs Research, United States) gave an overview of the proposed transport-friendly ESP principles, such as including the protocol number in the clear, specifying the size of the unencrypted leading portion, and adding padding for boundary alignment and cipher block size match. He discussed the suggested alternatives, SSL and SSL plus AH. The first requires changes in each application, is vulnerable to active DoS attacks and does not handle UDP. Adding AH only improves the DoS vulnerability, leaving the other two problems.

A participant expressed concern about possible configuration difficulties. The reply was: there are only 3 choices: (1) expose everything, (2) expose nothing, (3) something intermediate. A participant asked if we can fix the existing architecture. Someone replied: we should make the administrative domain a part of the architecture.
Steve Bellovin: technology has changed, therefore design the Internet differently.
Bob Braden: the client has changed; commercialization of the Internet.
Rodney Thayer: the paradigm itself is changing.
Someone asked about the impact of IPsec on network speed and processing time per packet. Steve Bellovin answered: there is progress in this field; some day they will put it on chips. Another question was: IPsec is required for IPv6; will it be required for IPv4? Answer: NO!!! Someone asked about multicast. Answer: we do not know how to do key management for multicast.

______________________________________________________________________
2nd Workshop on Research with Security Vulnerability Databases
Purdue University, Lafayette Indiana
January 21 and 22, 1999
by Mahesh V. Tripunitara (mahesh@ipo.att.com)
AT&T Labs and CERIAS, Purdue University
______________________________________________________________________

Introduction

On January 21 and 22, 1999, the Center for Research and Education in Information Assurance and Security (CERIAS) conducted the 2nd Workshop on Research with Security Vulnerability Databases. This report summarizes the happenings from the workshop. A security vulnerability, or simply a vulnerability, in a system is a characteristic that renders it susceptible to a security compromise. A security vulnerability database catalogues details on such vulnerabilities so that analysis, taxonomy and classification of those vulnerabilities are facilitated. Recently, Ivan Krsul completed his PhD dissertation at Purdue University, titled "Software Vulnerability Analysis", which discusses how to build and use such databases effectively. The workshop was a follow-up to the 1st workshop, which was held in conjunction with NIST in 1996, and to the dissertation work by Ivan. About 100 people from about 50 organizations attended the workshop. The organizations represented included governmental institutions, such as NIST and NSA, commercial organizations, such as IBM, Cisco and Secure Computing, and educational institutions, such as Iowa State University. The workshop was split into two days. The first day consisted mostly of the presentation of eight papers and a demonstration of the vulnerability database from the Computer Operations Audit and Security Technology (COAST) lab. The eight papers were chosen from submissions of extended abstracts and full papers by a program committee. The papers are available in the proceedings published for the workshop. Ivan Krsul's PhD dissertation is also part of the proceedings. Ivan also submitted a note titled "Experiences in the Development of the COAST Vulnerability Database" to the workshop.

Thursday

In his welcoming remarks, Prof.
Gene Spafford, the Director of CERIAS, spoke about the need to follow up on the important initiatives in the area of vulnerability databases. He indicated that the need for such databases is widespread, and effective use of such databases will revolutionize software engineering. He spoke about the motivation behind the workshop: to bring about a confluence of those that saw the pressing need to establish standards on this front, and establish such databases. The first talk was based on a paper by Dave Bailey, Fred Smith and Bob Abbott, who represent over 100 years of combined information security experience. Their paper is titled "Vulnerability Data: the Case for Sharing." They made the case for sharing of such data by pointing out the benefits from such sharing and the dangers from not sharing. The benefits from sharing are that security flaws, that seem to reappear every few years, can be eliminated, and that software development can be made more rapid by analysis of such flaws. They also discussed the Year 2000 problem as an instantiation of such a flaw and used it as an example to indicate the potential legal issues arising from such security flaws. The second presentation was based on a paper titled "VulDa: A Vulnerability Database" by D. Alessandri and M. Dacier of IBM-Zurich. They spoke about the vulnerability database from IBM and used sample entries from the database to demonstrate how it is populated and used for imparting information on such vulnerabilities and for analysis. They also discussed how the vulnerability database is used in their research in intrusion detection, and the conditions under which they would be willing to share the database with others. The third presentation was based on a paper by Aaron Schwartzbard and Anup K. Ghosh from Reliable Software Technologies titled "Establishing Common Exploit Information for Intrusion Detection." They spoke about data necessary for effective intrusion detection. 
In doing so, they related vulnerability and attack data to data needed for intrusion detection. They made the case for a common repository for such information, and effective tools and techniques to mine for and analyze data in such a repository. The fourth presentation was based on a paper titled "Mapping Attacks to Vulnerabilities" by Mahesh Tripunitara of Purdue University. He spoke about the problem of relating the vulnerabilities that are exploited to the attacks that exploit them. He used a formal model for attacks in two examples to discuss the relationship between the set of attacks and the set of vulnerabilities they exploit. It was then time for the lunch break, which gave the participants a good opportunity to informally discuss several of their ideas, interests and intentions in vulnerability databases. The first presentation after lunch was by Thomas Daniels of Purdue University. He gave a demonstration of the COAST vulnerability database, which generated considerable interest from the audience. He demonstrated the graphical user interface used to query and enter data into the database. He also picked a few examples to illustrate the fields based on which vulnerability data is stored and discussed tools for analysis of the data in the database. The sixth presentation was based on a paper titled "Towards a Common Enumeration of Vulnerabilities" by David E. Mann and Steven M. Christey from the MITRE Corporation. This presentation also generated considerable interest from the audience. They tackled the problem of dealing with several heterogeneous vulnerability databases and presented the Common Vulnerability Enumeration (CVE) mechanism for sharing of vulnerability data. They related the CVE to current practices on vulnerability data sharing. The seventh presentation was based on a paper titled "Use of a Vulnerability Database for Writing Security Requirements" by Jim Williams of the MITRE Corporation.
He presented his efforts in automating the specification of security requirements. The security requirements he spoke about are of the type indicated in the Common Criteria (CC). He discussed a database that stores mappings from high level organizational security policies and requirements to detailed attacks, vulnerabilities and countermeasures. The eighth presentation was based on a paper titled "The Proper Usage, Possible Benefits, and Risks of Open Vulnerability Databases" by Pascal Meunier of Purdue University. He discussed an open model for vulnerability databases with vulnerability data being freely shared and added. He then raised several contentious issues relating to such a model. He also presented his notion of the "ideal" open vulnerability database. The final presentation was based on a paper titled "Thoughts on Potential Sources of Error and Bias in Vulnerability Databases" by Ken Olthoff. He focussed on the problem of the possible corruption of vulnerability databases, either accidentally or maliciously. He also discussed some possible countermeasures against such corruption. Friday The first day concluded with the formation of working groups for the second day. Five working groups were established, with the participants in the workshop deciding for themselves which of the working groups each wanted to participate in. Working groups 1 through 4 dealt with various models and architectures for vulnerability databases. Working group 5 looked at issues fundamental to vulnerability databases, immaterial of the model used to construct them. Working group 1 dealt with the "fully available" or "open" model. This is a database that anyone can add to and read from. Copies are allowed to be made freely and the data and copies of the database can be used in whatever manner desired. Working group 2 dealt with the "centralized" model. This involves a database of which there is only one copy, managed and controlled by a single agency or group.
There may be some distribution in the access or update of data in the database, but there is always a "master copy." Working group 3 dealt with the "federated" model. This is a model in which there are several distributed databases, but with some centrality. The databases use a common schema or fields to store data, but the data is not necessarily replicated across all databases. The sharing of data occurs in an organized manner. Working group 4 dealt with the "balkanized" model. It was also called the "status quo" model because there was general agreement that this model indicates what currently exists. The model involves several databases, different both in terms of the data in them and in terms of how the data is organized. Access methods to each database are also different and sharing is not structured. Working group 5 dealt with overall issues for vulnerability databases, such as terminology, classifications, schema and storage. The group also dealt with issues on what data a vulnerability database should include. Each working group met for about 5 hours on the second day, dealing with such issues as ease of access and update in the model, intellectual property rights, access control, fault tolerance, expandability and flexibility, trans-national use, maintenance, location and staffing, scalability and longevity. The issues were dealt with both from a "model" standpoint and an "architecture" standpoint. Towards the end of the day, one person from each group made a presentation based on the respective discussions. Some of the presenters presented an analysis of their model, while others made a case for the model they had worked with. Each of the working groups is currently working on the final reports from the meetings for submission to a body of "main" editors that has the responsibility of consolidating the reports into a single report. A standards document is in the offing.
Concluding Remarks The workshop's goals were to set an agenda for standardization in all aspects related to vulnerability databases and initiate the building of the infrastructure to promote sharing of such data. Based on the enthusiastic participation and on preliminary feedback, the workshop was a success. Follow-up work is now being conducted and those interested in involving themselves with the effort are encouraged to contact Prof. Gene Spafford (spaf@cs.purdue.edu). ______________________________________________________________________ Third International Conference on Financial Cryptography (FC '99) Anguilla, British West Indies, February 22-25 1999 By Ryan Lackey, Olin Sibert, and Alex van Someren ______________________________________________________________________ [This report is my attempt to synthesize reports from all contributors, not always as cleanly as I would have liked. It is not a collaboration between its authors. Thus, all deserve credit for their contributions, but none is necessarily responsible for specific statements. -Paul Syverson] The third annual Financial Cryptography Conference (FC 99) was held in Anguilla in the British West Indies from Monday February 22 through Thursday February 25, 1999. The conference was a rousing success. Attendance was up again, with approximately 130 participants from business, academia, and government with interests in cryptology, computer security, and/or the financial industries. There were many new attendees from previously unrepresented venues. For example, Victor Dostov led a contingent from St. Petersburg, Russia to hear from others and to talk about their own PayCash system for anonymous transactions. They are backed financially by Tavrichesky Bank in St. Petersburg, and one can find more information and a demo of their system at . Once again, the conference took place in the increasingly cramped surroundings of the purpose-built conference facility at the InterIsland Hotel in Anguilla, BWI.
Fortunately, the industrial dispute of American Airlines pilots apparently failed to disrupt the arrival of delegates from the United States. However, as is by now traditional, a certain amount of luggage remained sulking in San Juan, Puerto Rico even after its owners had been delivered. All parties did eventually seem to catch up with each other. As usual, the conference delegates were welcomed by the Anguillan Minister of Tourism. He reminded us that Anguilla's offshore tax haven status continues to be an incentive for the conference to be located there. Naturally, financial issues are thematic to the conference itself: sponsor and exhibitor e-Gold brought this home by distributing silver dollars to those who took time to learn more about their service (of which more later). One of the most popular technical themes was anonymous digital money protocols. The basic principles of these schemes, using blind signatures, have not changed significantly in recent times, but improvements were presented which recognised practical necessities. Firstly, that complete anonymity in e-cash schemes is undesirable, due to the possibility of undetectable blackmail or bank robbery, and the need of law enforcement agencies to trace money involved in criminal activity. Secondly, that detection of abuse such as double-spending of electronic coins needs to be practical. The conference was sponsored by: E-Gold, gold-backed electronic payment system, www.e-gold.com; Euro RSCG Interactive, web development and marketing, www.eurorscg.com; Hansa Bank, Anguilla offshore bank, www.hansa.net; nCipher, high speed hardware cryptographic accelerators, www.ncipher.com; Offshore Information Services, Anguilla server hosting, www.offshore.com.ai. The remainder of the description focuses on the technical program, consisting of presentations by cryptology and computer security researchers and practitioners.
Highlights included the Tuesday "Crypto Predictions" invited talk by Adi Shamir, and the two panels on certificate status (Tuesday) and copyright issues (Wednesday). Speakers are [sometimes] identified by name and affiliation; an asterisk(*) identifies the presenter. As in 1998, the conference was opened by Victor Banks, the Anguillan Minister of Finance, who thanked us for coming and said we were very important to the island, both as an event and as the creators of the concepts on which much of Anguilla's success might be based. Banks spoke of Anguilla's favorable position to attract financial cryptography businesses, due to favorable tax situation, good weather, suitable regulation (including strict financial secrecy laws), and also proposed the idea of a "technology park" within which certain undesirable features of Anguilla, such as the telecommunications monopoly of Cable and Wireless, would be suspended. He apologized for being unable to stay, explaining that there was an election happening on March 4. Monday Morning (22 February) - Technical Program After the opening remarks, the first conference session, "Electronic Commerce", began. This session was chaired by Matt Franklin. The first paper was "Experimenting with Electronic Commerce on the PalmPilot" by Neil Daswani (*) and Dan Boneh (Stanford). Neil described an electronic payment system implemented in a PalmPilot. For these purposes, the PalmPilot is used like a smart card, but has no tamper resistance--so stored value schemes (like Mondex) are problematic. However, the device is implicitly trustworthy (and can interact with the user), so fraud by merchant terminals isn't an issue. The implementation is based on Rivest's PayWord scheme, adjusted to minimize storage and processing requirements; in particular, it uses RSA signatures in one direction (to the PalmPilot) and Elliptic Curve in the other, taking advantage of the superior performance of RSA verification and ECC signing. 
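The PDA-PayWord design above rests on Rivest and Shamir's PayWord hash chain: the user picks a random w_n, computes w_{i-1} = H(w_i) down to a root w_0, commits to w_0 once, and then pays by revealing successive w_i, so that every payment costs one hash and the public-key operations are confined to the commitment. The following is an added example written for this newsletter, not code from the Daswani/Boneh paper or the PalmPilot implementation. It implements only the chain, the merchant's check and the bank's settlement; the signatures the real scheme wraps around the commitment (the bank's RSA certificate on the user, which the Pilot verifies, and the user's ECC signature on the commitment, which the merchant verifies) are left out, so the commitment here is an unsigned record.

```python
"""PayWord-style hash-chain payments (added example, not the paper's code).

Only the hash chain is implemented; the user's signature on the commitment
and the bank's certificate are omitted, so `commitment()` is unsigned here.
"""
import hashlib
import os


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class PayWordChain:
    """User side.  Pick w_n at random, set w_{i-1} = H(w_i); commit to w_0."""

    def __init__(self, n: int):
        self.n = n
        words = [os.urandom(32)]          # words[0] = w_n (the secret end)
        for _ in range(n):
            words.append(H(words[-1]))    # words[k] = H^k(w_n) = w_{n-k}
        self._words = words
        self.spent = 0

    def commitment(self) -> dict:
        """Root w_0 plus chain length; in PayWord the user signs this."""
        return {"root": self._words[self.n], "length": self.n}

    def pay(self, amount: int):
        """Reveal w_i for i = spent + amount; each word is worth one unit."""
        i = self.spent + amount
        if amount < 1 or i > self.n:
            raise ValueError("chain exhausted")
        self.spent = i
        return self._words[self.n - i], i


class Merchant:
    """Merchant side: hash each new word back to the last one accepted."""

    def __init__(self, commitment: dict):
        self.root = commitment["root"]
        self.length = commitment["length"]
        self.last_word = self.root
        self.last_index = 0

    def accept(self, word: bytes, index: int) -> bool:
        if index <= self.last_index or index > self.length:
            return False                  # replay, or past the committed chain
        w = word
        for _ in range(index - self.last_index):
            w = H(w)
        if w != self.last_word:
            return False                  # not a preimage of what we hold
        self.last_word, self.last_index = word, index
        return True

    def redeem(self):
        """What goes to the bank at settlement: the highest word accepted."""
        return self.last_word, self.last_index


def bank_settle(commitment: dict, word: bytes, index: int) -> int:
    """Bank checks H^index(word) == w_0 and credits `index` units, else 0."""
    if index < 0 or index > commitment["length"]:
        return 0
    w = word
    for _ in range(index):
        w = H(w)
    return index if w == commitment["root"] else 0


if __name__ == "__main__":
    chain = PayWordChain(10)
    shop = Merchant(chain.commitment())
    for amount in (1, 3, 2):
        word, i = chain.pay(amount)
        print("payment of", amount, "accepted:", shop.accept(word, i))
    print("bank credits", bank_settle(chain.commitment(), *shop.redeem()), "units")
```

Note what the merchant keeps: one word and one index per customer, regardless of how many payments it has taken, since each new word proves all the earlier ones. That is the property that let the PalmPilot avoid a public-key operation per purchase.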
They had to contend with the Pilot's small memory, slow processor, and other limitations, and in the process benchmarked various cryptographic algorithms on the Pilot platform -- for instance, a 1024-bit RSA keypair generation would take approximately 20 minutes, also rapidly draining the device's batteries. Their design was driven by these limitations to use a hybrid ECC/RSA system, as certain operations in the RSA cryptosystem were substantially faster than in the ECC cryptosystem and vice versa. It also used a hash chain in order to minimize the number of public key operations required. The experimental application was to use a variant of the "PayWord" scheme, called PDA-PayWord, to purchase goods from a vending machine on the Stanford campus, using a docking system to interface with the Pilot at point of sale. Their system only functioned with a single bank and single merchant. Some of the audience questions and suggestions seemed very productive -- online/offline precomputed signatures were suggested as a means of minimizing online computation on the limited Pilot platform, as well as schemes to use a desktop computer for high-speed calculation, downloading partially computed signatures to the Pilot for later use. "Blinding of Credit Card Numbers in the SET Protocol" Hugo Krawczyk (Technion, IBM Research), presented by Gene Tsudik (*) (USC-ISI). This paper describes a mechanism for blinding customer identity in SET, necessary because customer identity is transmitted in the clear, in the customer's certificate (which is transmitted in the clear because of export considerations). The transaction itself (which is encrypted) carries the actual credit card number, which is matched against the customer ID using an HMAC-based construction that provides both secrecy and unforgeability. These properties are important because the space of credit card numbers is small (a PAN has at most 19 digits, and the issuer prefix and the check digit fix several of them), so it must not be possible to guess valid numbers from the ID, or to use the ID to validate guesses.
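The size argument above is the whole point of keying the construction, and it is easy to show concretely. The block below is an added example for this newsletter, not code from Krawczyk's paper or from the SET specification (whose exact field layout and PANSecret handling are not reproduced). It derives a cardholder ID two ways: as a bare SHA-1 of the card number, which an attacker who knows the issuer prefix recovers by exhaustive search over the Luhn-valid numbers (the search space is shrunk with a constructed 12-digit prefix so it runs in well under a second), and as HMAC-SHA-1 under a secret the attacker does not hold, which the same search cannot invert or confirm. The `pan|expiry` message encoding and the secret are assumptions of the example.

```python
"""Keyed vs. unkeyed cardholder IDs over a small card-number space.

Added example in the spirit of SET's HMAC-SHA-1 blinding; not SET's code.
The message encoding and the secret are assumptions of this example.
"""
import hashlib
import hmac
import itertools
from typing import Callable, Iterator, Optional


def luhn_check_digit(body: str) -> str:
    """Luhn check digit d such that body + d passes the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:            # every second digit from the right, starting
            d *= 2                # with the one just left of the check digit
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


def candidate_pans(prefix: str, length: int) -> Iterator[str]:
    """All Luhn-valid PANs of `length` digits starting with `prefix`."""
    free = length - len(prefix) - 1
    for tail in itertools.product("0123456789", repeat=free):
        body = prefix + "".join(tail)
        yield body + luhn_check_digit(body)


def unkeyed_id(pan: str) -> str:
    """What not to do: a bare hash of the PAN.  Anyone can recompute it."""
    return hashlib.sha1(pan.encode()).hexdigest()


def blinded_id(pan: str, expiry: str, secret: bytes) -> str:
    """HMAC-SHA-1 over PAN and expiry under a secret the attacker lacks."""
    msg = f"{pan}|{expiry}".encode()       # assumed encoding, not SET's
    return hmac.new(secret, msg, hashlib.sha1).hexdigest()


def verify_blinded_id(pan: str, expiry: str, secret: bytes, claimed: str) -> bool:
    """Issuer side: recompute from the PAN in the encrypted order and compare."""
    return hmac.compare_digest(blinded_id(pan, expiry, secret), claimed)


def recover_pan(target_id: str, prefix: str, length: int,
                oracle: Callable[[str], str]) -> Optional[str]:
    """Attacker: exhaust the PAN space, using `oracle` as its model of the ID."""
    for pan in candidate_pans(prefix, length):
        if oracle(pan) == target_id:
            return pan
    return None


if __name__ == "__main__":
    pan, expiry = "4111111111111111", "0312"      # constructed test values
    prefix = "411111111111"                       # attacker knows 12 of 16 digits
    print("unkeyed id recovered:", recover_pan(unkeyed_id(pan), prefix, 16, unkeyed_id))
    secret = bytes(range(20))                     # assumed cardholder/issuer secret
    cid = blinded_id(pan, expiry, secret)
    guess = lambda p: blinded_id(p, expiry, b"attacker-guess")
    print("keyed id recovered:", recover_pan(cid, prefix, 16, guess))
```

With a 6-digit issuer prefix and a 16-digit PAN the unkeyed search is 10^9 hashes, which is minutes of work on commodity hardware; the keyed version forces the attacker to guess the secret as well, which is what turns a small message space into a usable identifier.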
This talk described in excruciating detail the design process which led to the selection of the SHA-1 HMAC construction as the credit card number blinding function in the SET protocol. SET requires the creation of a cardholder ID which is related to the cardholder's credit card number, but must protect the credit card number itself from eavesdropping, as well as from exhaustive search of the (small) credit card number space. The function must also be collision resistant. However, linkability across transactions is acceptable. HMAC-SHA-1 meets these requirements, and has been selected as the official SET blinding function. After a brief coffee break, the next session commenced -- "Anonymity Control", chaired by Yair Frankel. "Trustee Tokens - Simple and Practical Anonymous Digital Coin Tracing" Ari Juels (*) - RSA Laboratories Ari presented a simplified anonymous coin system, trading off features and trustee flexibility for simplicity of protocol. The scheme requires Alice to send a blank coin and blinding factor to a trustee, who validates the coin, and returns a signed trustee token, which is then used by the bank when issuing the actual coin. The scheme can be extended to prevent the trustee from spending coins, and to allow a single trustee interaction to validate many coins. It is based on Chaumian e-cash, but may be extensible to other schemes as well. Ari believes that the extensions to blinded electronic cash have compromised the initial simplicity and elegance of the design in their pursuit of various features, including tracing of coins. In this system, the user interacts with a trustee during coin withdrawal, providing the issuer of the coins with transcripts, or tokens, of interaction with the trustee which assure the issuer that the trustee can trace coins on demand. This system can be layered on top of many electronic cash schemes, and is relatively efficient.
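Juels' scheme, like most of the anonymity-control work in this session, is layered on Chaumian e-cash, and the "blank coin and blinding factor" it has Alice show the trustee are exactly the inputs to the underlying RSA blind signature. As an added example written for this newsletter (not the code of Juels' paper or of any system presented at the conference, and without the trustee layer), here is that withdrawal in full, together with the online double-spend check mentioned in the opening remarks: the customer blinds a coin serial with a random factor, the bank signs without seeing the serial, the customer strips the factor, and the bank later accepts each serial once. The 512-bit modulus and the SHA-512-mod-n message encoding are demo choices, not something any fielded system should use.

```python
"""Chaumian e-cash withdrawal with RSA blind signatures (added example).

Not the code of any FC '99 paper.  Demo parameters: 512-bit modulus and
SHA-512 mod n as the coin encoding.  A real system needs a full-size key
and a proper full-domain hash.
"""
import hashlib
import secrets
from math import gcd


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, full length
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 512):
    """Returns (n, e, d).  512 bits is a demo size only."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def coin_digest(serial: bytes, n: int) -> int:
    """Message representative of a coin serial (demo encoding: SHA-512 mod n)."""
    return int.from_bytes(hashlib.sha512(serial).digest(), "big") % n


class Bank:
    def __init__(self, bits: int = 512):
        self.n, self.e, self.d = rsa_keygen(bits)
        self.spent = set()                      # online double-spend registry

    def sign_blinded(self, blinded: int) -> int:
        """Sign what the customer presents; the serial is never seen here."""
        return pow(blinded, self.d, self.n)

    def deposit(self, serial: bytes, sig: int) -> str:
        if pow(sig, self.e, self.n) != coin_digest(serial, self.n):
            return "bad-signature"
        if serial in self.spent:
            return "double-spend"
        self.spent.add(serial)
        return "ok"


class Customer:
    def __init__(self, n: int, e: int):
        self.n, self.e = n, e

    def blind(self, serial: bytes):
        """Returns (m * r^e mod n, r) for a fresh r coprime to n."""
        m = coin_digest(serial, self.n)
        while True:
            r = secrets.randbelow(self.n - 2) + 2
            if gcd(r, self.n) == 1:
                break
        return (m * pow(r, self.e, self.n)) % self.n, r

    def unblind(self, blinded_sig: int, r: int) -> int:
        """(m r^e)^d * r^-1 = m^d mod n: a signature on the unblinded coin."""
        return (blinded_sig * pow(r, -1, self.n)) % self.n


def withdraw_coin(bank: Bank, customer: Customer):
    """One withdrawal; returns (serial, signature, what the bank saw)."""
    serial = secrets.token_bytes(16)
    blinded, r = customer.blind(serial)
    sig = customer.unblind(bank.sign_blinded(blinded), r)
    return serial, sig, blinded


if __name__ == "__main__":
    bank = Bank()
    alice = Customer(bank.n, bank.e)
    serial, sig, seen = withdraw_coin(bank, alice)
    print("bank saw the serial:", seen == coin_digest(serial, bank.n))
    print("first deposit:", bank.deposit(serial, sig))
    print("second deposit:", bank.deposit(serial, sig))
```

The bank's view of the withdrawal is the blinded value only, which is why a coin cannot be linked back to the account it was withdrawn from; the trustee token in Juels' construction is what restores that link on demand, and the `spent` set is the simplest form of the double-spend detection the session discussed, workable only because the bank is online at every deposit.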
A great deal of efficiency can be realized by the user withdrawing large numbers of trustee tokens instead of going to the trustee before every transaction. In the questions following the presentation, the point was raised that if the user had large numbers of trustee tokens on the user's hard drive, they became an attractive target for theft if the user was forced to withdraw coins. Another audience member was concerned that the trustee could steal coins of the user, which is addressed by using a public key pair rather than the coin itself in the trustee token. Finally, questions of general trustee policy and the requirements to become a trustee were raised -- it is important that malicious users not be able to be their own trustees, but also important that honest users be given a wide enough selection of trustees to assure that the trustees do not collude to spuriously unblind users' coins. "A New Approach for Anonymity Control in Electronic Cash Systems" Tomas Sander (*), Amnon Ta-Shma, International Computer Science Institute, Berkeley This paper's goal is to be able to deter money laundering and related activities by limiting the amount of e-cash that any particular user can have, while still preserving the privacy of legitimate users. This paper is one of the first online electronic cash systems to take advantage of a fundamental observation -- of those activities requiring financial privacy, only those made by criminals involve large amounts of money -- honest users do not particularly want their few large transactions, such as buying real estate, to be highly confidential. Because traditional e-cash is transferable, laundering is easy -- but introducing a "non-transferability secret" (NTS) that is valuable to the users, and required to effect transfers, motivates users not to engage in inappropriate behaviour.
In their system, Sander and Ta-Shma restrict users to a single account, a maximum monthly withdrawal of US$ 10 000, and incorporate a "non-transferability secret" to prevent a subset of the users from pooling funds for illegal purposes. The system provides guaranteed anonymity for transfers under $10k/month, without having to trust an external trustee, unlike most other "fair electronic cash systems". The scheme is based on Brands' e-cash, because it appears that blind signature schemes may not be usable for this purpose without involving escrow agents. A questioner pointed out that laundering can always occur in small denominations spread over a large number of users, perhaps by automated software. Sander and Ta-Shma concede that their system could be used by small-time criminals, but raise the question of exactly how desirable it is to provide the authorities with highly detailed data on small transactions, even technically illegal ones, if the cost is privacy for average users. In the next session, Fraud Management, chaired by David Goldschlag, there was a last minute change of schedule. Yacov Yacobi's talk was delayed until Thursday and replaced by the following. "Dynamic Fault-Robust Cryptosystems for Enterprise Organizational Change Control" Yair Frankel (*) and Moti Yung (CertCo) This paper explored handling organizational changes (such as changes in roles and duties, mergers and spinouts, etc.) that require reassignment of cryptographic keys and rules involving keys. "Views" are defined to represent each party's knowledge of the system state and inference rules for making deductions. Fault-tolerant cryptographic primitives, such as revocation and threshold schemes, can be used to accommodate changes. A very interesting question was raised after this presentation: how does one deal with root keys and the very top of the tree during major corporate events such as mergers?
There seems to be no clear answer to this question, although there was some handwaving about involving the board of directors. "Assessment of Counterfeit Detection Systems for Smart Card Based E-Cash" K. Ezawa, G. Napiorkowski, M. Kossarski (*) (Mondex International) The authors describe a simulator for the Mondex environment, modeling the behaviour of system participants (consumers, merchants, issuers), as well as the monitoring systems, in the face of attacks. Ledger controls are used (and planned) in the system to detect introduction of counterfeit value, matching total float against transactions. The attack scenario involved 200 days of normal use, followed by 6 days of attack (1 test, 1 full attack, 1 monitoring, and 3 more full attack), and was successfully detected. This presentation was primarily about the Mondex system and Mondex's internal simulators. They have a system which allows Mondex to simulate the injection of counterfeit value into the system, then monitor its dispersion through the system, under various fraud detection mechanisms, to see how fast counterfeit value diffuses through the system and is redeemed. Their model assumes payee cards cannot distinguish between counterfeit and real Mondex cash, and takes advantage of the Mondex design feature whereby hardware-enforced value limits are possible on each device. They also have made the decision to maximize Mondex income, rather than making fraud impossible -- if it costs a huge amount of money to compromise a card, and the expected return is less, they are not concerned, calling this simple vandalism.
A questioner asked what would be done in response to such an attack, which was answered, roughly, as "we've thought about it, we have rules and procedures, and we'll deal with it if it happens". A point raised in separate discussion after the presentation is that a widespread attack on the Mondex system may be successful: if one can spend a large amount of money to come up with an efficient way to compromise cards, then compromise a large number of cards, it may be possible to make a net profit. Also, the question of compromising Mondex without compromising the smartcards themselves, by tampering with client software on the user's PC to divert payments covertly to the attacker, was not addressed in the Mondex fraud prevention model. Monday Afternoon (22 February) - Exhibitor Sessions "Governance in DigiGold" Ian Grigg (Systemics, E-Gold) In this exhibitor talk, Ian described the processes that are used by the gold-backed DigiGold banking system. There are three types: static governance, representing the "Ricardian Contract" (which is both human-readable and machine interpretable, and digitally signed) of the bank with its customers; dynamic governance, providing realtime, user-initiated auditing of the bank's operation; and structural governance, which deals with separation of duties, auditing, and limiting the trust placed in bank employees (and is required because cryptography alone cannot stop insider fraud). He presented his seven layer financial cryptography model, and specifically went into his layer five, governance, which is responsible for ensuring the underlying layers (cryptography, software engineering, electronic cash, and accounting) are operating to support the transport of value and the user-level application, and that the transport of value and user-level application are conducted within pre-defined rules. Ian introduced several security features of general applicability which are being implemented for the DigiGold.net system.
The first technique is static defense, using cryptographically signed contracts which fully specify the behavior of various parties in the system. In the Ricardo system on which DigiGold.net is built, end-users agree to contracts before using a particular currency, and a currency is identified by the cryptographic hash of the currency's own contract, ensuring that the contract cannot be changed without a user's knowledge and acceptance. The second technique is dynamic defense, using realtime auditing. Many auditors involved in electronic commerce have spoken of increased frequency of audits for electronic commerce businesses, and the Ricardo system allows the ultimate evolution of this -- any end user can perform a full audit on the entire system at any time. The final set of techniques is structural protection, including the very important separation of duties. In the DigiGold system, a multiplicity of parties are involved in well defined roles to ensure that no single party can defraud the system. The e-gold system is used to hold the gold reserves, the server operator is responsible solely for technical operation of the DigiGold server, there is a day to day operations manager responsible for handling normal user transactions, a trusted third party who can generate new money but only send it to the manager, and the legal entity that is DigiGold has a board of directors responsible for ensuring various parts of the system operate correctly. Each of these roles can be subdivided to require multiple individuals, and external auditing can be added to each. An interesting observation was that DigiGold started out using the PGP web-of-trust signature model, then switched to X.509 as an "emerging standard", and now plans to switch back to the PGP model because it works so much more effectively.
Questions covered dispute handling (some protection from protocols, maybe use personal hardware devices to limit scope of fraud), understanding the bank's contract (which experts will analyze, and render opinions), and the PGP/X.509 distinction. Locating and Managing Your Intellectual Property Offshore Lynwood Bell(*) (Span/Hansa Group, Hansa Bank) Lyn talked about how business enterprises can be structured to achieve tax advantages by holding assets in Anguilla, and illustrated with two examples: Murex, a pharmaceutical company, and the (unnamed) former owner of the domain name "bingo.com". Murex holds its patents in Anguilla, which means that infringement suits in other countries can only shut down local manufacturing operations, not the whole business, and also raises a significant barrier to suits in general--as well as making the company operate free of corporate taxes. The domain name company is more of a pure tax play: it was able to sell the "bingo.com" name at a huge profit, all untaxed because it was realized in Anguilla. Lyn characterized a few tests for offshore location: Can the valuable asset be moved? Can the work be subcontracted to another location (e.g., Anguilla company contracts to implementers in San Jose)? Can revenues reach the haven (sales good, royalty income bad, typically)? Is the plan defensible? (If the enterprise makes its initial invitation and business offer via an Anguilla-located server, and does acceptance and transfer of title there as well, it's strongly defensible, even if much other activity takes place elsewhere). Lyn Bell distinguished between tax treaty and full tax haven countries, differentiating between Anguilla (which is a tax haven) and Barbados (which is a tax treaty country, at least with Canada). The Span-Hansa group has affiliates in both locations, and Bell described situations in which it would be appropriate for a business to choose one location over the other. 
The presentation's most insistent point was that it is critical to move one's business offshore before it has real value, whenever possible. Bell presented the example of Microsoft, one of the most highly capitalized corporations in the world; for it to leave the United States would carry an impossible tax burden. He said that for many conference attendees, it should be possible to move intellectual property, such as a new electronic cash system, offshore immediately after it is developed, before it has any real value, and thus avoid taxes on it entirely. He described several potential pitfalls, including the taxes on royalties enforced by many nations. Since many pieces of intellectual property, including software, are licensed on a royalty basis, this is an especially relevant issue. Effectively, royalty streams are taxed by many nations even if the parent entity is offshore. Bell estimates that the Span-Hansa group has been responsible for billions of dollars in deals over the past 10 years. Hansa Bank, and Counsel Ltd (the corporate services affiliate), offered a special deal for conference attendees, establishment of an Anguillan corporation for half the normal price of $1100, or $550, to take advantage of the unique advantages of an Anguillan corporation. Monday's evening event was a cocktail party at the Mariner's hotel on Anguilla, one of the recommended hotels for the conference. After this cocktail party, some attendees went to a local French restaurant for continued discussion of financial cryptography. During that conversation, one of the main problems of internet electronic payment systems was discussed -- how to add value to the system quickly and conveniently for the average user, and how to allow those users to redeem value from the system. Among the diners were Bob Hettinga, founder of the Financial Cryptography conference series, and Paul Guthrie, VP for Research at VISA International. 
Hettinga suggested (and continued to maintain) that the ATM networks (e.g. Cirrus, Plus) were the best means of doing this, having the electronic cash mint act as a third party ATM, with electronic cash withdrawals and deposits being treated exactly like physical cash. Guthrie, who is familiar with the ATM networks since VISA owns one of them, argued that the ATM networks were unsuitable due to security requirements for PIN entry into only approved tamper-resistant modules, general unavailability of third-party bank deposits on the network as a whole, and other factors. I suggested the ACH network as a possibility, and some electronic cash vendors have taken preliminary steps to use this system, through membership in NACHA. Guthrie also suggested SET, as this would allow credit card transactions to be conducted securely over the Internet (also offered by SSL) but would also eliminate chargeback risk for the electronic cash issuer. Additionally, the e-gold payment system was suggested as a repudiation-free source of funding for electronic cash systems, operating in ounces of gold, rather than traditional government currencies. Another interesting topic raised during the discussion was a recent investigation by Shamir and Rivest which concludes that the EFF's "Deep Crack" massively parallel machine could be used as the "MicroMint hash engine" in Rivest's MicroMint micropayment system. This system requires a device capable of searching for a large number of n-way hash collisions, something Deep Crack is capable of doing. TUESDAY Tuesday's session opened with Adi Shamir's invited talk, "Crypto Predictions", chaired by Jacques Stern.
"Crypto Predictions" Adi Shamir(*) (Weizmann Institute) Adi started off the Tuesday session with his "Three Laws of Commercial Security": (1) Crypto is bypassed, not broken: improving the crypto isn't very helpful, because it's already by far the strongest link in the chain; (2) There are no secure systems, only varying degrees of insecurity: don't bother adding bells and whistles because complexity is your worst enemy; and (3) To halve the insecurity, expect to double the cost: small early investments help a lot, so it's better to make the system convenient, transparent, and cheap--don't strive for the unreachable airtight goal. By these principles, there are many adequate security designs: paper money, postage stamps, mechanical locks, vending machines, access control, smart cards, and tickets. Some of these systems will be used for many years, regardless of technical advantages of replacement solutions, because they are "good enough": cost to attack is much greater than expected return. He illustrated the notion of "bypass" attacks with some examples: The first example breaks a "Provably correct implementation of unconditionally secure key exchange protocol using quantum cryptography" by sending light back down the optical fiber to read the polarizer angle directly (rather than anything to do with the single photons used in the protocol). That is, after the keys are set up, one taps the fiber and sends a strong pulse of light back through the fiber at the original transmitter, then reads the internal reflections from the transmitter itself to determine the earlier polarization configuration of the system. Shamir says none of the systems under test today resist this simple attack. The second example fabricates a false "Tamper-proof photo-ID document" by submitting a "photograph" printed in two types of ink: one that fades over time, and one that becomes apparent over time (perhaps after being exposed to strong UV light).
This would allow the photograph to be changed after the fact without tampering with the lamination at all. The third example allows cheating on multiple-choice exams by sending morse code through a mobile phone or pager's vibrating indicator--a signal not perceptible to the proctors. Shamir broke with some of the security community by advocating some measure of security through obscurity, at least for systems small enough to attract attention from an attacker themselves. He also advocates a diversity of underlying designs. He was primarily concerned that a flaw would be found in a widely deployed system, such that a "scripted" attack could be mounted on a large number of sites with little marginal cost, and also that deploying a single system widely raises the incentive for attackers to test it. Generally, those in the Internet security community have encouraged widely publishing their designs (unlike the intelligence, finance, and telecommunications industries), such that a maximum number of researchers can test it. Shamir's proposal is something of a departure from this, although his reasons are good. Adi's prediction for E-commerce is that it will continue to expand rapidly, generating both huge stock valuations and many business failures, and will use primarily SSL ("good enough"), not SET, anonymous cash, or other specialized schemes. He predicts that E-Cash (e.g., Mondex) will not be successful short-term as an alternative for cash in physical commerce, but may see success in closed systems such as enterprises, universities, and the military; a key is including E-Cash as part of a multi-application smart card. Micropayments over the Internet, on the other hand, he predicts will begin to be widely used (e.g., the MicroMint system) because they fill a real need, have no export controls, and can be implemented and integrated with today's technology. 
Adi expects that Smart Cards are headed for a major crisis, largely because of indirect attacks (fault analysis, timing analysis, power analysis, etc.). He described an extension to Kocher's power analysis (joint with Eli Biham) which detects the Hamming weight of individual bytes being written to memory and can therefore be used to solve a series of linear equations to deduce values when bits are related (as they are, for example, in DES key schedule generation). Shamir had an even more grave prediction about security on the desktop computer. He said, "I think the PC architecture is basically doomed as a security device. If I were selecting security features for the world's worst security architecture, all of those features are present in the PC." The architecture is completely open, every file can be modified by any program, programs come from unknown sources, etc. The problem is getting worse, and is exacerbated by the overwhelming complexity of operating systems (35 million lines of code in Windows 2000?). The only secure solution seems to be a new class of simple, securable devices. He also recounted an interaction with the Israeli state security apparatus in which they revealed absolutely no investigations were seriously hampered by the use of encryption technology by suspects, due to other weaknesses in overall security, or simply quality investigative work. "PCs are the worst possible platform for secure computation, and the situation is getting worse." He also quoted RFC 602, demonstrating that the problem has been around since the days of the ARPAnet. However, he admitted that this analysis was only of the Microsoft Windows platform, not alternate operating systems for personal computers.
He predicts a major relaxation of export controls over the next few years, but also an unanticipated consequence of the Y2K bug: it will permit introduction of malicious code into many, many systems, allowing information warfare attacks on those systems months or years later, long after backups are decommissioned or useless. Finally, for cryptographic algorithms, he predicts that the AES process seems like it will yield ciphers "good enough" for any foreseeable application (even 50 years of Moore's Law won't help for 256-bit keys); that multivariate public key schemes will continue to prove unsuccessful; and that factoring-based schemes seem to be OK today, although it's been 10 years since a major factoring breakthrough, and another may come soon. In response to questions, Adi was skeptical about quantum computation ever being practical for real problems, and suggested that elliptic curve and factoring are about equally vulnerable--for especially strong security, one could use both. The next session, Public-Key Certificates, was chaired by Clifford Neuman. "Reasoning About Certification: On Bindings Between Entities and Public Keys" Reto Kohlas(*), Ueli Maurer (ETH) This paper addressed the need for a language and formal semantics to express the relationships between public keys and responsible entities. It's important to formalize the relationship, because simple statements (e.g., "the entity owns the public key", "the entity claims sole ownership of the public key") mean different things, and, worse, are inherently suspect. The important statement seems to be "the entity is liable for statements signed with the key", and the authors introduce the concept of Views (which may differ for different parties, such as the transaction participants versus judges) and inference rules for determining what statements are valid within a view. The model is incomplete: it needs to address attributes, authorization, timestamps, and revocation.
A questioner observed that there is a superficial similarity to BAN logic; BAN deals with authentication, which is different from this logic. They presented several interesting statements: sole ownership of a key can generally not be verified or certified; ownership of a key alone is generally acceptable except for situations where the key is used to assume liability, in which case legally binding commitments are needed; and self-certificates imply ownership of the corresponding private key. "Online Certificate Status Checking in Financial Transactions: The Case For Reissuance" Barbara Fox, Brian LaMacchia(*) (Microsoft) The point of this paper is that the response to an online query ("is this certificate still valid?") is really just another certificate, likely with a limited validity period. These certificates are important for high-value transactions, because freshness is increasingly important as transaction value increases. Using certificates, rather than another specialized form of "validity response", also simplifies issuance of receipts (i.e., the certificate) and sale of transactions (because a chain of freshness certificates can be accumulated as the transaction passes from hand to hand). LaMacchia also presented reissuing certificates with short expiration periods rather than using OCSP as a way of minimizing complexity and redesign in existing code. Questioners asked about representing repudiation semantics, and whether it's a good idea to have the CA be making policy decisions about freshness, rather than the certificate user. Another question asked whether XML would be a more convenient representation than X.509; it would, but we have X.509 already. Panel: Certificate Revocation and Validation: One Year Later Mike Mayers (VeriSign) Ambarish Malpani (Valicert) Patrick Richard (Xcert) Carl Ellison (Intel) The last technical session on Tuesday was a panel following up on the topic introduced at FC '98.
There has been good progress: the Online Certificate Status Protocol has moved all the way to an IESG draft, but there are still semantic and technical issues: revocation is, at best, a mechanism for saying "not invalid". Alternative mechanisms (signed LDAP attributes, extended protocols for certificate acquisition, extensions to "delta CRLs") may become important. Legal issues are still unclear (trust model, liability transfer). Ambarish spoke about ValiCert's implementations, and stressed that Validation Authorities (VAs) are inherently different from Certificate Authorities (CAs): their processes are different, response requirements are different, etc. This distinction argues for using different mechanisms (perhaps several) for validation as opposed to issuance; it also provides a framework to charge for use of certificates, rather than issuance. Patrick talked about problems with real-world use of certificates and revocation; the problem is bounded within enterprise environments, and therefore amenable to technical solutions, but harder in the global Internet, which likely cannot be satisfied by a single ubiquitous approach. Internet transactions, in particular, need to determine credit validity--and don't care as much about name bindings. Carl characterized revocation as a performance problem, not a security problem: you choose your techniques based on your requirements. Classical "anti-matter certificates" are easy to understand, but inherently flawed; time-disjoint CRLs are more complex, but have a sound underlying mathematical model, and can be tuned to place the load where it's most appropriate, by adjusting CRL size and lifetime (in fact, using CRLs, it's not clear that an original certificate ever has to be signed). However, this isn't enough: even if there are separate CAs and VAs, it's not the case that they are the parties who can determine whether a certificate is valid for a particular transaction.
The real issues are semantics of trust authorization and naming, not revocation. Floor questions included discussion of OCSP versus CRLs, and the tradeoffs between CRL issuance frequency and CRL size. Small, frequent CRLs are like OCSP; large ones are more of a problem. OCSP can build in decision policies of the VA, rather than relying on the client to decide (but is this always good?), can make the important CA/VA distinction, and can support time synchronization. OCSP can also allow use of a low-assurance identity certificate, validated by a high-assurance VA. Other questions dealt with the proliferation of certificate issuers (e.g., every Windows PC, every PGP instance); this will be an issue, but it's important to distinguish between issuers (signing keys) and parties that accept liability. A final question asked whether there's really a need for fast revocation; in practice, it seems that there aren't many examples, and most of them (e.g., money center banks) already deal with the problem effectively and wouldn't rely on certificate revocation anyway. Alternatively, "If you're going to validate the certificate on every transaction with a trusted party, why bother issuing long-term certificates at all". After lunch, there were no commercial sessions. There was, however, a meeting of the International Financial Cryptography Association, which runs the Financial Cryptography conference. Ron Rivest did not run again, replaced by Adam Shostack, and Lucky Green was reelected. The board of IFCA thus consists of Bob Hettinga, Ray Hirschfeld, Vince Cate, Lucky Green, and Adam Shostack. The question of where to hold Financial Cryptography 00 was also preliminarily discussed, and evaluation forms were handed out. Tuesday's evening event was the conference rump session, chaired by Avi Rubin, replacing Matt Blaze [who was vacationing in New Jersey, rather than sweating it out in Anguilla with the rest of us.-P.S.]
A special feature of this year's rump session was a prize offered by E-Gold: USD$350 equivalent in an e-gold account (effectively a little over 1 ounce of physical gold, since E-gold is 100% backed with gold and the price of gold was approximately $290 per troy oz). This prize was for the best rump session presentation, as decided by a panel appointed by Avi. [The most fun talk, which had the advantage of being a temporally distributed presentation, was Avi's movie guide for Crypto geeks. The titles are given here, but it loses a lot without the movie posters. -P.S.] The top ten cryptography movies. These were: BreakDES at Tiffany's; 9 1/2 Weeks to Factor RSA; Saving Private Data; Good Will Hunting; The XOR Cyst; My Own Private Key; The China Remainder Syndrome; E T mod n; Feistel Attraction; and There's Something About m-ary arithmetic where m is the Product of Two Large Primes. [N.B. I caught some, but possibly not all, attribution mistakes in the Rump Session writeup -P.S.] Tomas Sander spoke on "Auditable Anonymous Electronic Cash", addressing the problem that the consumer has no recourse (in many E-cash schemes) if the issuer goes bankrupt, using a Merkle tree to establish an auditable correspondence between withdrawals and reserves. Stuart Stubblebine spoke on "Stack and Queue Integrity on Hostile Platforms", describing how to use hash functions and MACs to enable a trusted computer (such as a smart card) to manage large data structures in untrusted storage with O(1) overhead. Kazue Sako, who won the Rump Session award, spoke about a "Digital Lottery Server", a mechanism for using hash functions to make a fair, auditable, and random choice among several participants. She also introduced us to Hanako, Keiko, and Yuko, who are Alice and Bob's Japanese cousins.
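To make the O(1)-overhead idea from Stubblebine's talk concrete, here is an added illustration written for this writeup (my construction, not the paper's code): a trusted device keeps a single SHA-256 link while the stack itself lives in untrusted storage, and any modification, reordering or rollback of the stored records is caught on the next pop. The class names and the hash-chain layout are my assumptions; the paper's queue construction is not shown.

```python
import hashlib


class IntegrityError(Exception):
    """Raised when untrusted storage returns something the trusted side did not push."""


class UntrustedStorage:
    """Bulk memory under the adversary's control (constructed for this example).
    It holds (value, previous_link) records and may be altered at will."""

    def __init__(self):
        self.records = []

    def push(self, record):
        self.records.append(record)

    def pop(self):
        return self.records.pop()


class TrustedStack:
    """The trusted side (think smart card) keeps only one 32-byte link and a
    counter no matter how many elements are stored: O(1) trusted state."""

    EMPTY = b"\x00" * 32

    def __init__(self, storage):
        self.storage = storage
        self.top = self.EMPTY   # hash link covering everything currently on the stack
        self.size = 0

    @staticmethod
    def link(prev, value):
        # prev is always exactly 32 bytes, so prev || value cannot be re-split ambiguously
        return hashlib.sha256(prev + value).digest()

    def push(self, value):
        # The record handed to untrusted storage carries the link that was valid
        # before this push, so that a later pop can rewind the trusted link.
        self.storage.push((value, self.top))
        self.top = self.link(self.top, value)
        self.size += 1

    def pop(self):
        if self.size == 0:
            raise IndexError("pop from empty stack")
        value, prev = self.storage.pop()
        # One hash (O(1) work) checks that this is exactly the record pushed last:
        # a changed value, a changed prev link, or an out-of-order record all fail.
        if self.link(prev, value) != self.top:
            raise IntegrityError("storage returned a modified, stale or reordered element")
        self.top = prev
        self.size -= 1
        return value


def honest_run():
    """Push a, b, c and pop them back with storage behaving correctly."""
    s = TrustedStack(UntrustedStorage())
    for v in (b"a", b"b", b"c"):
        s.push(v)
    return [s.pop(), s.pop(), s.pop()]


def tamper_detected(attack):
    """Push a, b, c, let `attack` alter the raw records, then pop once.
    Returns True if the trusted side caught the manipulation."""
    storage = UntrustedStorage()
    s = TrustedStack(storage)
    for v in (b"a", b"b", b"c"):
        s.push(v)
    attack(storage.records)
    try:
        s.pop()
        return False
    except IntegrityError:
        return True


def modify_top(records):      # change the stored value of the most recent element
    _, prev = records[-1]
    records[-1] = (b"X", prev)


def swap_last_two(records):   # reorder: hand back b's record instead of c's
    records[-1], records[-2] = records[-2], records[-1]


def drop_last(records):       # roll back: pretend the last push never happened
    records.pop()


if __name__ == "__main__":
    print("honest pops:", honest_run())
    for attack in (modify_top, swap_last_two, drop_last):
        print(attack.__name__, "caught:", tamper_detected(attack))
```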
Specifically, she described a theoretical fair lottery system and implementation of a different lottery system, used in several cases already on the world wide web, originally inspired by a need to sell an event ticket on short notice. Paul Syverson spoke on "Establishing Title for Dynamic Objects", about the difficulty of defining ownership of objects whose title changes over time. He gave a very brief and highly self-referential presentation about dynamic object things and ownership, using the presentation itself as an example of an object which has changed ownership from one party to another. This puzzled the audience while they tried to figure it out. [This was basically a joke---masquerading as a real piece of research---about a bunch of people without a submission to FC constructing one so they could go to the conference. The joke was on me: more than one person came up to me afterwards wanting to know if they could get the paper -P.S.] Josh Jaffe then gave a much more serious presentation, with actual machine-printed slides. The talk was about using power analysis to reverse engineer smartcards, and it showed visuals of the kind of signals recovered from smartcards during the attacks. He also described the mathematical techniques used to recover meaningful data from the apparent mess. Paul Kocher talked about "How not to Fix Single-DES Protocols". He described how a response by banks to the demonstrated weakness in DES's short keyspace, using rapid keychange, can in fact lower security against certain kinds of attacks. He came up with a way of breaking DES in 2 hours on a fast PC given certain assumptions about key change rate. The naive solution of changing DES keys frequently actually makes systems with known plaintext easier to break by exploiting the time-memory tradeoff: 2^40 precomputations to create a table with 2^24 entries enable finding keys with 2^32 effort (at O(2^16) operations per test). 
Mark Miller described his "E" programming language -- a capability system built on the idea that pure objects are equivalent to pure capabilities. The system is the latest in a series of capability-based adventures, and is proposed as an ideal environment for working on smart contracts, self-enforcing documents which can be executed and evaluated by a machine, rather than a lawyer. Ueli Maurer described a result in "General Secure Multiparty Computation from Any Linear Secret Sharing Scheme", which involves a technique for performing the "multiply" operation (as well as "add") in linear schemes that is efficient and operates on any field. This included means of changing users in an existing group and other important administrative features. Rachel Willmer talked about "Smart Cards on the Internet". She asserted smartcards (not just Mondex but smart cashcards in general) will in the future prove good at providing an equivalent for cash on the Internet, sharing many of the same characteristics - low-value, immediate settlement, relatively private, two-way transactions - whereas credit and debit cards cannot do this. Also she noted that in the "real-world" trials, smartcards have proved good at replacing coins, e.g. in parking meters, laundromats -- but not proved as good in transactions already suitable for credit and debit cards. She also brought up the smartcard reader deployment problem, but said these are coming down in price, which should help solve the problem, although not necessarily in the US first. Ian Goldberg talked about the "ZeroKnowledge Anonymity Service", pointing out that "anonymous E-cash" isn't very anonymous when your IP address is being disclosed while making payments on the Web. The ZeroKnowledge product enables efficient IP-level anonymity services for arbitrary higher-level protocols. The system appeared to be a combination of mixmaster remailers, onion routers, crowds, and other systems, commercially packaged.
Bryce Wilcox talked about "Using the Rivest and Shamir Interlock Protocol for Half Duplex Communications", describing a scheme based on contingent messages, in which each party anticipates the other party's potential responses, to send inherently one-way communication with the Interlock Protocol. Viktor Dostov spoke on the "PayCash System for Online Payments", addressing the problem that the bank must be trusted (because it can fake double-spending) in a traditional Chaumian E-cash system, using a structure called PayBooks. Adam Shostack spoke on "Towards Eliminating the Middleman in Money Laundering", describing a scheme involving apparently legitimate merchants to enable distribution of illegal goods without involving an explicit money launderer using cryptographic receipts from the store as token currency. Paul Lambert spoke on "An Efficient Public Key Language", a work in progress designed to make efficient public key certificates (especially elliptic curve) with simple semantics, small size (under 50 bytes, total), and no ASN.1. This had applications such as tiny certificates for 2-d barcode postage indicia, using very small signatures, and an application-specific increase in efficiency by eliminating verbose generic headers. Neil Daswani spoke about a cryptographic deletion system. Phil MacKenzie spoke on "Compromivacy", for compromise of privacy. The compromise of privacy is assumed to be potentially worthwhile in this system when a user interacts with a market research organization. This was a scheme for transactions involving personal information by selling the results of a buyer's queries against protected information, with zero-knowledge proofs of validity. Bryce Wilcox spoke on "Traditional PGP for Windows", using the current-day PGP Developer's Kit to build a command-line PGP interface compatible with PGP 5.0 keys and formats; it will be available open source. 
Paul Syverson announced the oncoming availability of "2nd Generation Onion Routing", which is going through the NRL review process now and is expected to be released as an open source distribution. Someone, whose name we lost, gave a presentation describing a new electronic currency, the "negabuck", eliminating fraud and theft by declaring the currency to have negative value, such that no one would want to counterfeit or steal it. While this was intended to be humorous, there actually are practical applications for certain negative-value currencies, such as tax scrip. Marc Briceno gave a status report on the "DigiCash Acquisition Consortium" he has organized, which expects very soon to announce a flexible and opening

Vince Cate spoke about "Weaknesses of the Verifone Terminal", observing that the protocols for communicating with a Verifone merchant terminal permit a user to act as an arbitrary merchant, request arbitrary refunds, and other weaknesses; apparently there is no crypto, no authentication, no real security in those interactions. The prize was awarded to Kazue Sako. The panel approved of the Japanese equivalents of Alice, Bob, etc. used in describing her system, and favored her actually-implemented system over some of the more theoretical presentations. Douglas Jackson of e-gold.com walked Sako through the account creation process in front of the audience and then transferred $350 in e-gold to her. The prize for best rump session presentation was in fact so popular that some with accepted papers in the formal sessions were considering withdrawing their own papers from the formal session to enter in the rump session in order to have a chance at the prize, proving that financial cryptographers are often motivated by financial considerations as much as purely academic ones. It would not be a surprise if such a prize were offered in the future.

WEDNESDAY

The first session on Wednesday, Steganography, was chaired by Yacov Yacobi.
Nicko van Someren presented work with Adi Shamir detailing new means of efficiently searching large volumes of data for cryptographic data. They took advantage of several special features of cryptographic data (encrypted data as well as keys) -- the number theoretic properties of RSA keys, the locally-high entropy in symmetric keys and encrypted data, and simple high-speed tests, including visual pattern-recognition. They presented a "lunchtime attack" where one could successfully recover a hidden key from a user's hard drive while the user is away for lunch, as well as schemes to recover keys used in copy protection and license control from program binaries themselves. An important result of this is a new reason for software publishers to not depend upon compiled-in keys in user-readable software for software licensing or security purposes. Previously, it seemed that hiding a key in the bulk of a large program might be enough defense, but the visuals shown in this presentation clearly identified regions of high-entropy key data in even a large program, and the analytical tests were even more powerful. The final talk in this session was presented by Markus Breitbach. It was work with Hideki Imai, "On channel capacity and modulation in watermarking of digital still images". The talk differentiated between reversible and irreversible image transformations, and singled out jamming attacks as a major potential problem to overcome, drawing parallels to military communications systems. A binary alphabet was shown to be the most efficient in terms of channel capacity. The next session was Content Distribution, chaired by Berry Schoenmakers. The first talk in this session was presented by Avishai Wool, work with Abdalla and Shavitt, "Towards making broadcast encryption practical".
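An added illustration of the two kinds of test van Someren and Shamir described, written here from the publisher's side as an audit of one's own build artifacts (this is not the authors' code). It scans a constructed buffer for locally high-entropy windows, and, as one instance of the number-theoretic test when the public modulus is already known, for windows that divide that modulus. The filler text, planted key bytes, window size and 5.4-bit threshold are my constructions; against a real binary the threshold has to be calibrated above the entropy of ordinary code sections.

```python
import hashlib
import math


def window_entropy(chunk: bytes) -> float:
    """Shannon entropy of one window in bits per byte (0.0 .. 8.0)."""
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_high_entropy_regions(data: bytes, window: int = 64, threshold: float = 5.4):
    """Slide a window over `data` and merge consecutive windows whose entropy is
    at least `threshold` into (start, end) byte ranges. Repetitive text sits well
    below the threshold; key material and ciphertext sit well above it."""
    regions = []
    start = None
    for off in range(len(data) - window + 1):
        hot = window_entropy(data[off:off + window]) >= threshold
        if hot and start is None:
            start = off
        elif not hot and start is not None:
            regions.append((start, off - 1 + window))
            start = None
    if start is not None:
        regions.append((start, len(data)))
    return regions


def find_rsa_factors(data: bytes, modulus: int, size: int):
    """Number-theoretic test: any `size`-byte window that, read little- or
    big-endian, is a non-trivial divisor of the known public modulus must be a
    prime factor, i.e. private-key material. Returns [(offset, byte_order), ...]."""
    hits = []
    for off in range(len(data) - size + 1):
        chunk = data[off:off + size]
        for order in ("little", "big"):
            x = int.from_bytes(chunk, order)
            if 1 < x < modulus and modulus % x == 0:
                hits.append((off, order))
    return hits


# --- constructed sample "binary": low-entropy filler with two planted secrets ---
FILLER = b"the quick brown fox jumps over the lazy dog. " * 8
# 128 bytes of key-like material, derived deterministically so the example repeats
SECRET_KEY = b"".join(hashlib.sha256(b"constructed key %d" % i).digest() for i in range(4))
P = 2**61 - 1            # two Mersenne primes, chosen only because they are known primes
Q = 2**31 - 1
MODULUS = P * Q          # the "public" modulus the auditor already has
SAMPLE = FILLER + SECRET_KEY + FILLER + P.to_bytes(8, "little") + FILLER
KEY_OFFSET = len(FILLER)
P_OFFSET = 2 * len(FILLER) + len(SECRET_KEY)


def audit(data: bytes = SAMPLE, modulus: int = MODULUS):
    """Run both tests; a publisher would run this over its own release binaries."""
    return {
        "high_entropy": find_high_entropy_regions(data),
        "rsa_factors": find_rsa_factors(data, modulus, 8),
    }


if __name__ == "__main__":
    report = audit()
    print("planted key block at", KEY_OFFSET, "-> flagged", report["high_entropy"])
    print("planted prime at", P_OFFSET, "-> found", report["rsa_factors"])
```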
They described solutions for symmetric key encrypted broadcasts, such as satellite television, with minimal requirements for key storage, with the useful feature of being able to target a particular subset of a subscriber base for a particular broadcast. They made the fundamental observation that it is usually OK to allow some free riders to view a broadcast, as long as the number of free riders can be bounded, and the chances of a given user viewing a broadcast without paying are acceptably low. They use a system which is a hierarchical tree of keys, with users belonging to multiple groups of increasing generality, such that when enough of a subtree is filled with users, the parent key is used instead. They did mathematical analyses of various group sizes, modifications to the basic scheme, and concluded that eliminating large groups and adding more partially-overlapping small groups would improve the average efficiency of the scheme. The last academic paper presented on Wednesday was David Goldschlag's "Conditional access concepts and principles", joint work with David Kravitz. He detailed the business case for divx-style access control on media, the security rationale for closed systems in conditional access control (such as the non-standard storage format of Divx discs), and the risk analysis that is undertaken before deploying such a system. Two kinds of video decryption technology, the external smartcard which returns keys used in satellite systems, and the all-in-one key/decrypt module used in Divx, were presented, and various strengths and weaknesses of each were explained. The main point in this presentation was in some ways parallel to the Mondex fraud-modeling presentation given earlier -- Conditional Access technology (often confusingly called "CA" technology, unrelated to Certificate Authorities) works best when the goal is to prevent economic benefit to the attacker, rather than making all attacks infeasible.
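An added illustration (not the authors' code) of the tree-of-keys idea with bounded free riders, as I read it from the description above: each receiver holds the keys on its root-to-leaf path, a subtree is addressed with one key once at least a `fill` fraction of its users are paying, and lowering `fill` trades a few free riders for a much smaller header. Node keys derived from a label and HMAC-based key wrapping are my stand-ins for the random keys and cipher a real system would provision.

```python
import hashlib
import hmac

DEPTH = 4                   # complete binary tree with 2**DEPTH = 16 receivers
N_USERS = 1 << DEPTH


def node_key(node: int) -> bytes:
    """Key of one tree node. Constructed: a real system provisions random keys
    into each receiver; deriving them from a label keeps the example repeatable."""
    return hashlib.sha256(b"constructed node key %d" % node).digest()


def leaf(user: int) -> int:
    return N_USERS + user   # heap numbering: root = 1, children of n are 2n and 2n+1


def path_nodes(user: int):
    """The DEPTH+1 node ids whose keys receiver `user` is provisioned with."""
    nodes, n = [], leaf(user)
    while n >= 1:
        nodes.append(n)
        n //= 2
    return nodes


def users_under(node: int) -> range:
    depth = node.bit_length() - 1
    span = 1 << (DEPTH - depth)
    first = (node << (DEPTH - depth)) - N_USERS
    return range(first, first + span)


def choose_cover(paying: set, fill: float, node: int = 1):
    """Top-down choice of the node keys to address. A subtree is covered by its
    single key when at least a `fill` fraction of its users are paying
    (fill=1.0 admits no free riders); otherwise its two halves are examined."""
    assert 0.0 < fill <= 1.0
    users = users_under(node)
    n_pay = sum(1 for u in users if u in paying)
    if n_pay == 0:
        return []
    if n_pay >= fill * len(users):
        return [node]
    return choose_cover(paying, fill, 2 * node) + choose_cover(paying, fill, 2 * node + 1)


def free_riders(cover, paying: set) -> set:
    """Non-paying users who can nevertheless decrypt with this cover."""
    return {u for node in cover for u in users_under(node)} - paying


def _pad(node: int) -> bytes:
    return hmac.new(node_key(node), b"wrap|%d" % node, hashlib.sha256).digest()


def _tag(node: int, enc: bytes) -> bytes:
    return hmac.new(node_key(node), enc, hashlib.sha256).digest()[:16]


def broadcast(paying: set, fill: float, content_key: bytes):
    """Header sent with the programme: the content key wrapped once per cover node.
    Wrapping is XOR with an HMAC-derived pad plus a tag (constructed stand-in for
    a real key-wrap cipher); header length equals the number of cover nodes."""
    header = []
    for node in choose_cover(paying, fill):
        enc = bytes(a ^ b for a, b in zip(content_key, _pad(node)))
        header.append((node, enc, _tag(node, enc)))
    return header


def receive(user: int, header):
    """A receiver unwraps with the first header entry on its own path, if any."""
    mine = set(path_nodes(user))
    for node, enc, tag in header:
        if node in mine and hmac.compare_digest(_tag(node, enc), tag):
            return bytes(a ^ b for a, b in zip(enc, _pad(node)))
    return None


# constructed sample: 16 receivers, everyone paying except users 5 and 11
PAYING = set(range(N_USERS)) - {5, 11}
CONTENT_KEY = hashlib.sha256(b"constructed content key").digest()

if __name__ == "__main__":
    for fill in (1.0, 0.9, 0.75):
        cover = choose_cover(PAYING, fill)
        print(f"fill={fill}: {len(cover)} keys in header, free riders {sorted(free_riders(cover, PAYING))}")
```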
According to Goldschlag, the legitimate content distributor has an advantage over pirates in distribution technology, so as long as the conditional access scheme is sufficient to prevent the pirate from leveraging the legitimate provider's infrastructure, requiring the pirate to get into the business of content distribution himself, it is successful. The point was raised later that compressed audio distribution (i.e. mp3) is already evolved to the point where legitimate providers have little competitive advantage over pirates, and others suggested that even video is not far from this point. In his presentation, Goldschlag said content redistribution is a major problem. Finally, Joan Feigenbaum chaired a panel, "Fair use, intellectual property, and the information economy", composed of: Erin Sawyer (Cooley Godward LLP); Jon Amster (replacing Ed Fish); Dan Boneh (Stanford); Brian LaMacchia (Microsoft); David Goldschlag (DivX); and Jon Callas (Network Associates). The topics of copyright protection and the rights of consumer and producer were the focus of this lively panel discussion. The forthcoming US Digital Millennium Act attracted attention for its attempt to give legal status to content protection mechanisms. Concern was expressed that this would outlaw legitimate research into such things as smartcard security, and that providers may use technical means to enforce restrictions which the law could not. This led on to 'fair use' of copyright material, which is a right under UK law but not under US, and the possibilities that this may be denied in future. It was suggested that, in future, media would be licensed to the user rather than sold - some panel members expressed fears that this may be used to prevent analysis and criticism of the product and this was a denial of free speech.
It was also suggested that consumers would be resistant to distribution arrangements which were more restrictive than those currently available, and that this would lead to growth in Internet sales outside of conventional channels. Specific presentations went as follows: Callas, who previously testified in Congress about the potentially chilling effect of anti-circumvention legislation on security research, described the compromise reached with the government by which one can safely undertake security research without the consent of the product's manufacturer -- one should ask the manufacturer for permission, but a response is not required (it is unclear how this is different from simple notification), and the results should be made available to the manufacturer. Goldschlag made a case for the "first sale doctrine" not applying to the DivX conditional access DVD system. He also cited the Japanese music market, where first sale does seem to apply, and redistribution is consequently rampant. CDs in the Japanese market cost approximately 80% more than in the US market as a result. Sawyer described the "Uniform Commercial Code 2b", a massive effort by the legal community to take into account current and future changes in the business environment. Sawy