_/_/_/_/ _/_/_/ _/_/_/_/ _/ _/ _/_/_/_/ _/_/_/_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/_/_/_/ _/_/_/_/ _/_/ _/_/_/_/ _/ _/ _/ _/ _/ _/ _/ _/ _/_/_/_/ _/_/_/ _/ _/ _/ _/_/_/_/ _/ _/ ========================================================================== Newsletter of the IEEE Computer Society's TC on Security and Privacy Electronic Issue 63 November 18, 2004 Hilarie Orman, Editor Sven Dietrich, Assoc. Editor cipher-editor @ ieee-security.org cipher-assoc-editor @ ieee-security.org Bob Bruen, Book Review Editor, cipher-bookrev @ ieee-security.org ========================================================================== The newsletter is also at http://www.ieee-security.org/cipher.html Contents: * Letter from the Editor * Conference and Workshop Announcements o Upcoming calls-for-papers and events * Commentary and Opinion o Terry Benzel's announcement of DETER: A Laboratory for Security Research o Carrie Gate's announcement of the SiLK Suite of Netflow Tools o Sean Turner and Russ Housley's report on IETF Revises Cryptographic Message Syntax and Secure Multipurpose Internet Mail Extensions o Jason Holt's report on The Rise of Pairing-based Cryptography and Identity-Based Encryption o Robert Bruen's review of Steal This File Sharing Book. What They Won't Tell You About File Sharing by Wallace Wang o Robert Bruen's review of Open Source Security Tools. A Practical Guide to Security Applications by Howlett, Tony o Robert Bruen's review of Security Sage's Guide to Hardening the Network Infrastructure by Andres, Steven and Brian Kenyon o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website * Reader's guide to recent security and privacy literature, * List of Computer Security Academic Positions, by Cynthia Irvine * Staying in Touch o Information for subscribers and contributors o Recent address changes * Interesting Links and New reports available via FTP and WWW * Links for the IEEE Computer Society TC on Security and Privacy o Becoming a member of the TC o TC Officers o TC publications for sale ==================================================================== Letter from the Editor ==================================================================== Dear Readers: This month Cipher's web version has a new look. We feature a picture by Giandomenico Tiepolo of the Trojans welcoming the Greek's wooden horse. Our previous logo was well-suited to an era of limited bandwidth, but today a smoother and more artistic graphic appearance is possible for almost all of our online readers. I think that wireless networks are the new Trojan Horse of our time. The proliferation of anonymous access points makes it all too easy to connect to someone else's bandwidth and someone else's data. Caveat connector. We have four excellent news articles written expressly for Cipher. They are greatly appreciated and show how Cipher thrives on the generous contributions of security researchers like you. Until next year, Hilarie Orman cipher-editor @ ieee-security.org ==================================================================== Conference and Workshop Announcements ==================================================================== ==================================================================== Upcoming Calls-For-Papers and Events ==================================================================== The complete Cipher Calls-for-Papers is located at http://home.adelphi.edu/~spock/cipher/cfp.html The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html ____________________________________________________________________ Cipher Event Calendar ____________________________________________________________________ Calendar of Security and Privacy Related Events maintained by Hilarie Orman Date (Month/Day/Year), Event, Locations, web page for more info. * 12/ 1/04: Cluster Security - The Paradigm Shift, Cardiff, UK; submissions are due, http://www.ncassr.org/projects/cluster-sec/ccgrid05/ * 12/ 6/04-12/10/04: 20th Annual Computer Security Applications Conference Tucson, Arizona, http://www.acsac.org * 12/10/04: Workshop on Policies, Stockholm, Sweden; submissions are due; http://www.sics.se/policy2005/ -------------- * 1/ 3/05- 1/ 6/05: HICSS-SSNS, Waikoloa, Hawaii http://www.hicss.hawaii.edu, information sprague@hawaii.edu * 1/ 5/05: Chapter proposals for Digital Crime book, submissions are due; http://cgi.di.uoa.gr/~nkolok/Idea.html * 1/ 7/05: Workshop on Trust, Security and Privacy for Ubiquitous Computing Taormina, Italy, submissions are due, http://www.iit.cnr.it/TSPUC2005/>www.iit.cnr.it/TSPUC2005/ * 1/10/05- 1/11/05: WITS, Long Beach, California; http://chacs.nrl.navy.mil/wits05 wits05chair@itd.nrl.navy.mil * 1/17/05: Information Hiding, Barcelona, Spain; http://kison.uoc.edu/IH05 * 1/26/05: Applied Cryptography and Network Security, New York City, NY http://acns2005.cs.columbia.edu/cfp.html submissions are due * 1/28/05: Computer Security Foundations Workshop, Aix-en-Provence, France http://www.lif.univ-mrs.fr/CSFW18/ submissions are due; amadio@cmi.univ-mrs.fr * 1/31/05- 2/ 3/05: Australasian Information Security Workshop On Digital Rights Management, Newcastle, Australia http://www.cs.newcastle.edu.au/~acsw05 -------------- * 2/ 3/05- 2/ 4/05: Network and Distributed System Security Symposium, San Diego, California; kseo@bbn.com http:// * 2/ 3/05- 2/ 4/05: Workshop on Protocols for Fast Long-distance Networks. Lyon, France, http://www.ens-lyon.fr/LIP/RESO/pfldnet2005 * 2/14/05- 2/18/05: RSA Conference, Cryptographers' Track, San Francisco, CA, http://www.rsasecurity.com/rsalabs/node.asp?id=2015 * 2/25/05: Symposium on Usable Privacy and Security Pittsburgh, PA; http://cups.cs.cmu.edu/soups/ submissions are due * 2/25/05: Workshop on the Economics of Information Security, Cambridge, MA; http://www.infosecon.net/workshop/index.html * 2/28/05- 3/ 3/05: Financial Cryptography and Data Security Roseau, The Commonwealth Of Dominica; http://www.ifca.ai/fc05/ -------------- * 3/13/05- 3/17/05: ACM SAC, Track on Trust, Recommendations, Evidence and other Collaboration Know-how; Santa Fe, NM; http://www.trustcomp.org/treck/, information sac.treck.info@trustcomp.org * 3/17/05- 3/22/05: Verification of Infinite State Systems with Application to Security Timisoara, Romania; http://vissas.ieat.ro/ * 3/31/05- 4/ 1/05: Information Assurance Workshop, Washington, DC; http://iwia.org/2005/CfP_WS2005.html -------------- * 4/ 1/05: IEEE Internet Computing Special Issue on P2P and Ad Hoc Nets, submissions are due http://www.computer.org/internet/call4ppr.htm * 4/10/05- 4/15/05: Usenix Technical Conference. Anaheim, CA http://www.usenix.org/events/usenix05/cfp/general.html * 4/19/05- 4/21/05: 4th Annual PKI R&D Workshop: Multiple Paths to Trust Gaithersburg, MD; http://middleware.internet2.edu/pki05/ * 5/ 8/05- 5/11/05: IEEE Symposium on Security and Privacy Berkeley/Oakland, CA; http://www.ieee-security.org/TC/SP-Index.html srt@cs.unt.edu * 5/10/05: Cluster Security - The Paradigm Shift, ClusterSec, Cardiff, UK, http://www.ncassr.org/projects/cluster-sec/ccgrid05/ ____________________________________________________________________ Journal, Conference and Workshop Calls-for-Papers Maintained by Sven Dietrich ____________________________________________________________________ IEEE Internet Computing, Special Security for P2P and Ad Hoc Networks Issue, November/December 2005. (Submission due 1 April 2005) Guest editors: Shiuhpyng Shieh (National Chiao Tung University) and Dan Wallach (Rice University) As the number of individual computing devices and the demand for mobility continue to grow, peer-to-peer (P2P) systems and ad hoc networks will become increasingly popular. Indeed, they are likely to become integral to the future computing and networking infrastructure. P2P systems create application-level virtual networks with their own routing mechanisms; they enable large numbers of computers to share information and resources directly, without dedicated central servers. Ad hoc networks allow mobile hosts, mobile devices, and sensor nodes to communicate when no fixed infrastructure is available. Although P2P systems and ad hoc networks make communication and resource sharing more convenient, however, they also introduce new security challenges due to inherent aspects such as dynamic topologies and membership, unreliability, severe resource constrains, and the absence of a trusted infrastructure.

To explore these issues, IC invites contributions for a special issue on security for P2P and ad hoc networks. Appropriate topics include, but are not limited to: - key management, - authentication, - access control, - privacy and anonymity, - secure routing, - secure MAC protocols, - performance and security trade-offs, - intrusion detection and tolerance, and - denial of service. For more information, please see http://www.computer.org/internet/call4ppr.htm ______________________________________________________________________________ Cluster-Sec2005 Cluster Security - The Paradigm Shift - Held in conjunction with the 5th IEEE/ACM International Symposium on Cluster Computing and the Grid (CCGrid) 2005, May 10/11, 2005. (Submissions due 1 December 2004) Prior to the Spring of 2004, clusters have been protected using enterprise computer network security techniques where cluster nodes where treated as a collection of individual computers. After the successful Internet attacks on HPC centers worldwide in the Spring of 2004, there needs to be a paradigm shift in cluster security strategies. Clusters can no longer be thought of as just a collection of individual computers but rather as an integrated single unit in which any breach may result in a "class break" compromise of the entire cluster. Furthermore, it has also been shown that clusters communicating via grids create dependent risks between clusters such that any cluster compromise may cascade to effect an entire grid. This workshop focuses on stimulating new ideas in order to reshape cluster protection strategies. Clearly cluster security is a complex, multi-dimensional problem with dynamics over time so a large variety of approaches may be appropriate including prevention, monitoring, measurements, mitigation, and recovery. Papers with demonstrated results will be given priority. Two categories of papers will be considered: Long Paper (12 pages) and Work-In-Progress/Short Paper (6 pages). A list of potential topics includes but is not limited to the following: - cluster security as an emergent property - analysis of cluster attacks - new techniques to protect clusters - visualizing cluster security - commercial grade cluster security - failover cluster security - cluster-specific intrusion detection - the relationship between cluster security and grid security - cluster security vulnerabilities - cluster security best practices - storage security on clusters - storage survivability on clusters More information can be found on the workshop web page at http://www.ncassr.org/projects/cluster-sec/ccgrid05/ ____________________________________________________________________ ISH2005 International Workshop on Information Security & Hiding, Singapore, May 9-12, 2005. (Submissions due 10 December 2004) The ISH05 Workshop, held in conjunction with the International Conference on Computational Science & Its Applications (ICCSA '05), is intended as an international forum for researchers in all areas of information security and information hiding. Submissions of papers presenting a high-quality original research are invited for the Workshop tracks: - Cryptology (cryptography, cryptanalysis) - Security engineering (side-channel attacks, crypto implementations) - Steganology (steganography, steganalysis) - Digital Watermarking Topics of interest: - Side-channel analysis & countermeasures - Implementation of cryptographic algorithms, - Cryptographic hardware: factoring, cryptanalysis, random number generators, reconfigurable, processors, - Design & analysis of symmetric-key cryptosystems: block ciphers, stream ciphers, hash functions, MACs, modes of operation, backdoors - RFID & privacy - Public-key cryptography, Elliptic curve cryptosystems - Provable security - Trusted computing - Subliminal & covert channels - Steganography - Digital watermarking - Digital rights management - Links between cryptology and steganology More information can be found on the workshop web page at http://www.swinburne.edu.my/rphan/ISH05.htm ____________________________________________________________________ TSPUC2005 International Workshop on Trust, Security and Privacy for Ubiquitous Computing, Taormina, Sicily, Italy, June 13, 2005. (Submissions due 7 January 2005) This workshop aims at focusing the attention of the research community on the increasing complexity and relevance of trust, privacy and security issues in ubiquitous computing. Suggested submission topics include, but are not limited to the following ones in mobile (ad Hoc) networks, sensor networks, P2P systems, portable/embedded/weareable devices ... - Key establishment and distribution - Access control models, policies and mechanisms - Trust, reputation and recommendation management - Privacy and identity management - Digital assets management - Context/location aware computation - Self-organizing networks/communities - Intrusion and anomaly detection - Secure user-device interfaces - Distributed consensus in the presence of active adversaries - Analysis/simulation/validation techniques - Handling emergent properties - Phishing - attacks and countermeasures - Case studies For more info, see http://www.iit.cnr.it/TSPUC2005/ ____________________________________________________________________ IHW2005 7th Information Hiding Workshop, Barcelona, Spain, June 6-8, 2005. (Submissions due 17 January 2005) Many researchers are interested in hiding information or, conversely, in preventing others from doing so or detecting and extracting the hidden data. Although the protection of digital intellectual property has recently motivated most of the research in this area, there are many other applications of increasing interest to both the academic and business communities. Current research topics include: - anonymous communications, - covert channels in computer systems, - detection of hidden information (steganalysis), - digital forensic, - information hiding aspects of privacy, - steganography, - subliminal channels in cryptographic protocols, - watermarking for protection of intellectual property, - other applications of watermarking. Continuing a series of successful workshops that brought together these closely-linked research areas, the 7th International Workshop on Information Hiding will be held in Barcelona, Spain. Authors can submit their papers online at http://kison.uoc.edu/IH05 where detailed instructions are provided. ____________________________________________________________________ DIMVA2005 Second GI SIG SIDAR Conference on Detection of Intrusions & Malware, and Vulnerability Assessment, Vienna, Austria, July 6-8, 2005. (Submissions due 21 January 2005) The special interest group Security - Intrusion Detection and Response (SIDAR) of the German Informatics Society (GI) organizes DIMVA as an annual conference that brings together experts from throughout Europe to discuss the state of the art in the areas of intrusion detection, detection of malware, and assessment of vulnerabilities. DIMVA emphasizes the collaboration and exchange of ideas between industry, academia, law enforcement and government, and invites four types of submissions: full papers, industry papers, panel proposals, and tutorial proposals. For more info, please see http://www.dimva.org/dimva2005 ____________________________________________________________________ CSFW18 18th IEEE Computer Security Foundations Workshop, Aix-en-Provence, France, June 20-22, 2005. (Submission due 25 January 2005) This workshop series brings together researchers in computer science to examine foundational issues in computer security. For background information about the workshop, and an html version of this Call for Papers, see the CSFW home page www.csl.sri.com/csfw/index.html We are interested both in new results in theories of computer security and also in more exploratory presentations that examine open questions and raise fundamental concerns about existing theories. Both papers and panel proposals are welcome. Possible topics include, but are not limited to: Access control Authentication Data and system integrity Database security Network security Distributed systems security Anonymity Intrusion detection Security for mobile computing Security protocols Security models Decidability issues Privacy Executable content Formal methods for security Information flow Language-based security This year's workshop will be held in Aix-en-Provence, France. Proceedings published by the IEEE Computer Society Press will be available at the workshop. Selected papers will be invited for submission to the Journal of Computer Security. ____________________________________________________________________ ACNS2005 3rd Applied Cryptography and Network Security Conference, Columbia University, New York, NY, USA, June 7-10, 2005. (Submission due 26 January 2005) Original research papers on all technical aspects of cryptology are solicited for submission to ACNS '05, the Third annual conference on Applied Cryptography and Network Security. There are two tracks for ACNS: a research track and an industrial track. The latter has an emphasis on practical applications. In addition, submissions to the industrial track may be talk proposals (rather than full papers). The PC will consider moving submissions between tracks if the PC feels that a submission is more appropriate for that track (with author permission). Topics of relevance include but are not limited to: - Applied Cryptography, cryptographic constructions - Cryptographic applications: e.g., payments, fair exchange, time-stamping, auctions, voting, polling, location services. - Economic incentives for collaboration - Security modeling and protocol design in the context of rational and malicious adversaries - Security of limited devices: e.g., adversarial modeling, light-weight cryptography, efficient protocols and implementations. - Integrating security in Internet protocols: routing, naming, TCP/IP, multicast, network management, and the Web. - Intrusion avoidance, detection, and response: systems, experiences and architectures. - Network perimeter controls: firewalls, packet filters, application gateways. - Virtual private networks. - Web security and supporting systems security, such as databases, operating systems, etc. - Denial of Service: attacks and countermeasures. - Securing critical infrastructure: e.g., routing protocols, the power grid, and emergency communication. - Public key infrastructure, key management, certification, and revocation. - Implementation, deployment and management of network security policies. - Intellectual property protection: protocols, implementations, metering, watermarking, digital rights management. - Fundamental services on network and distributed systems: authentication, data integrity, confidentiality, authorization, non-repudiation, and availability. - Integrating security services with system and application security facilities and protocols: e.g., message handling, file transport/access, directories, time synchronization, database management, boot services, mobile computing. - Security and privacy for emerging technologies: sensor networks, wireless/mobile (and ad hoc) networks, Bluetooth, 802.11, and peer-to-peer systems. - Usable security. - Deployment incentives for security technology. - Web, chat, and email security, including topics such as spam prevention. For more info, please see: http://acns2005.cs.columbia.edu/cfp.html ____________________________________________________________________ Security-05 14th USENIX Security Symposium, Baltimore, MD, USA, August 1-5, 2005. (Submissions due 4 February 2005) The USENIX Security Symposium brings together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in security of computer systems. The 14th USENIX Security Symposium will be held August 1-5, 2005, in Baltimore, MD. All researchers are encouraged to submit papers covering novel and scientifically significant practical works in security or applied cryptography. Submissions are due on February 4, 2005, 11:59 p.m. PST. The Symposium will span five days: a two-day training program will be followed by a two and one-half day technical program, which will include refereed papers, invited talks, Work-in-Progress reports, panel discussions, and Birds-of-a-Feather sessions. For further info, see http://www.usenix.org/events/sec05/cfp/ ____________________________________________________________________ CRYPTO2005 Twenty-Fifth Annual International Cryptology Conference, Santa Barbara, CA, USA, August 14-18, 2005. (Submissions due 14 February 2005) The 25th International Cryptology Conference will be held at the University of California, Santa Barbara. The academic program covers all aspects of cryptology. Formal proceedings, published by Springer-Verlag, will be provided to registered attendees at the conference. Technical sessions will run from Monday morning to Thursday noon, with a non-technical activities half-day on Tuesday afternoon. For further info, see http://www.iacr.org/conferences/c2005/index.html ____________________________________________________________________ WEIS2005 Workshop on Economics and Information Security, Harvard University, Cambridge, MA, USA, June 2-4, 2005. (Submissions due 25 February 2005) Original Research Papers on all aspects of the Economics of Information Security are solicited for submission to the Fourth Workshop on the Economics of Information Security. Topics of interest include liability and other legal incentives, game theoretic models, economics of digital rights management, security in open source and free software, cyber-insurance, disaster recovery, trusted computing, reputation economics network effects in security and privacy, security in grid computing, return on security investment, security and privacy in pervasive computing, risk management, risk perception, economics of trust,n virus models, vulnerabilities and incentives, economics of malicious code, identity including PKI, access control, economics of electronic voting security, and economic perspectives on spam. We invite talks emphasizing economic theory, mathematical modeling, or legal theory. Past notable work used the tools of economics to offer insights into computer security; offered mathematical models of computer security or economics; detailed potential regulatory solutions to computer security; or clarified the challenges of improving security as implemented in practice. For more information, please see http://www.infosecon.net/workshop/cfp.html ____________________________________________________________________ SOUPS2005 Symposium on Usable Privacy and Security, Carnegie Mellon University, Pittsburgh, PA, USA, July 6-8, 2005. (Submissions due 25 February 2005) The Symposium on Usable Privacy and Security (SOUPS) will be held July 6-8, 2004 at Carnegie Mellon University in Pittsburgh, PA. This symposium will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. The program will feature refereed papers, tutorials, a poster session, panels and invited talks, and discussion sessions. We seek original papers describing research or experience in all areas of usable privacy and security. Topics include, but are not limited to, breakthrough models, innovative functionality and design, new applications of existing models or technology, usability testing of security features or security testing of usability features, and lessons learned from deploying and using usable privacy and security features. Papers should properly place the work within the field, cite related work, and clearly indicate the innovative aspects of the work or lessons learned as well as the contribution of the work to the field. Suggestions or proposals for panels, tutorials, or invited speakers should be sent to the general chair, lorrie AT acm.org, by February 25. For more information, please see http://cups.cs.cmu.edu/soups/ ____________________________________________________________________ DIMACS Workshop on Security of Web Services and E-Commerce, Rutgers University, Piscataway, NJ, USA, May 5-6, 2005. (Optional submission due Spring 2005) The growth of Web Services, and in particular electronic commerce activities based on them, is quickly being followed by work on Web Services security protocols. While core XML security standards like XMLDSIG, XMLENC and WS-Security have been completed, they only provide the basic building blocks of authentication, integrity protection and confidentiality for Web Services. Additional Web Services standards and protocols are required to provide higher-order operations such as trust management, delegation, and federation. At the same time, the sharp rise in "phishing" attacks and other forms of on-line fraud simply confirms that all our work on security protocols is for naught if we cannot make it both possible and easy for the average user to discover when a security property has failed during a transaction. This workshop aims to explore these areas as well as other current and future security and privacy challenges for Web Services applications and e-commerce. The workshop will be open to the public (no submission is necessary to attend). If you'd like to give a presentation please send a title and abstract to commerce2005@farcaster.com as soon as possible. Submissions may describe ongoing or planned work related to the security of Web Services and electronic commerce, or they may discuss important research problems or propose a research agenda in this area. Also, we intend this to be a participatory and interactive meeting so we hope you will be able to contribute to the meeting even without giving an announced talk. Presented under the auspices of the Special Focus on Communication Security and Information Privacy. ____________________________________________________________________ CMS2005 9th IFIP Conference on Communications and Multimedia Security, Salzburg, Austria,September 19-21, 2005. (Submissions due 10 April 2005) The CMS conference attempts to be a forum for researchers working on all aspects of communications and multimedia security. This year the organizers especially encourage submissions on topics such as security of information hiding, combined encryption and watermarking schemes, XML security and network security. Papers should have practical relevance to the construction or evaluation of secure systems; theoretical papers should demonstrate their practical significance. The proceedings will be published by Springer in their Lecture Notes in Computer Science (LNCS) series. For details and submission instructions please refer to: http://cms2005.sbg.ac.at ____________________________________________________________________ CCS 2005 12th ACM Conference on Computer and Communications Security, Alexandria, VA, USA, November 7-11, 2004. (Submission due 8 May 2005) Papers offering novel research contributions to any aspect of computer security are solicited for submission to the 12th ACM conference. The primary focus is on high-quality original unpublished research, case studies, and implementation experiences. Papers should have practical relevance to the construction, evaluation, application, or operation of secure systems. Theoretical papers must make convincing arguments for the practical significance of the results. Theory must be justified by compelling examples illustrating its application. Topics of interest include: - access control - authentication - accounting and audit - database and system security - security for mobile code - applied cryptography - data/system integrity - smart-cards and secure PDAs - cryptographic protocols - e-business/e-commerce - intrusion detection - inference/controlled disclosure - key management - privacy and anonymity - security management - intellectual property protection - information warfare - secure networking - security verification - commercial and industry security See http:///www.acm.org/sigsac/ccs/ for details. ==================================================================== Conferences and Workshops (the call for papers deadline has passed) ==================================================================== ==================================================================== News Briefs ==================================================================== News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html ____________________________________________________________________ Announcement by Terry Benzel, USC ISI November 17, 2004 DETER: A Laboratory for Security Research ____________________________________________________________________ The goal of the DETER laboratory effort is to create, maintain, and support a collaborative and vendor-neutral experimental environment for cyber-security research. It is intended to provide a center for interchange and collaboration among security researchers and testbed builders. The DETER effort includes: Deter testbed: a shared testbed infrastructure that is specifically designed for medium-scale (e.g., 100 node) repeatable experiments, and especially for experiments that may involve "risky" code. DETER research community: a community of academic, industry, and government researchers working toward better defenses against malicious attacks on our networking infrastructure, especially critical infrastructure. The nucleus of the DETER laboratory effort is formed of two research projects, funded by the National Science Foundation (NSF) and the U.S. Department of Homeland Security Advanced Research Projects Agency (HSARPA): DETER -- Cyber Defense Technology Experimental Research project The DETER project designs, builds, and operates the (http://www.isi.edu/deter/docs/testbed.overview.htm) DETER testbed, to provide experimental infrastructure and tools for security research. The partners in DETER are UC Berkeley, USC's Information Sciences Institute (USC-ISI), and McAfee Research.  EMIST -- (http://www.isi.edu/deter/emist.temp.html) Evaluation Methods for Internet Security Technology network, EMIST is developing scientifically rigorous testing frameworks and methodologies for representative classes of network attacks and defense mechanisms. It currently includes research efforts in DDoS defense, worm propagation, and BGP routing attacks. Partners in the EMIST effort include Penn State, McAfee Research, ICSI, Purdue, SPARTA Inc., SRI International, and UC Davis. The DETER testbed is designed to provide an experimental environment in which * government, academic, and industry cyber-security researchers can safely analyze and measure attacks and develop attack mitigation and confinement strategies. In addition, * the DETER project will provide tools and resources to enable repeatable experiment methodologies, allowing different researchers to duplicate and analyze the same experiments. DETER is constructed using the "cluster testbed" technology developed by the University of Utah and known as "Emulab" (see http://www.emulab.net/). Much of the online documentation for DETER is taken from Emulab, since much of the control and administrative software is the same. However, there are some differences between DETER and Emulab, primarily to assure greater safety for malevolent code in DETER. For example, a DETER experiment does not have a direct IP path to the Internet, unlike an Emulab experiment. There will be no charge for the use of the DETER testbed. Acceptable use policies are approved by the sponsoring agencies The DETER testbed is targeted, at least initially, at support for open and publishable research projects, typically academic research.. An initial version of the DETER testbed has been in operation since March 2004. DETER has been used by three research teams under the EMIST project to perform experiments on DDoS attacks, worm propagation, and BGP attacks using the initial testbed. The DETER and EMIST teams held a workshop in late October to invite additional members of the research community to join the DETER experimenters community. We invite interested researchers to visit the DETER web site at http://www.isi.edu/deter and to request access to the testbed by sending a request to deterinfo @ isi.edu ____________________________________________________________________ Announcement by Carrie Gates, CERT/CC November 12, 2004 The SiLK Suite of Netflow Tools ____________________________________________________________________ CERT/NetSA (Network Situational Awareness) has been developing a set of tools for the analysis of large amounts of NetFlow data. The SiLK (System for Internet-Level Knowledge) Suite was developed with two primary considerations: performance and security analysis. Performance has been a key consideration as the tools are intended for sites that receive large numbers of NetFlow records (such as ISPs and large organizations), and this has guided the format used for collection and storage. Security analysis has been the driving motivation behind the development of this suite of tools. A number of summarization and statistical analysis tools are provided, along with tools to efficiently create, retrieve, and manipulate arbitrary sets of IP addresses and related information. These tools have been in operational use at a large site for the past two years, and have been used to do network analysis of DoS attacks, scan activity, worm tracking, and backdoor detection. This suite has been released under the GPL and is available at: http://silktools.sourceforge.net A paper - ``More Netflow Tools: For Performance and Security'' by Carrie Gates, Michael Collins, Michael Duggan, Andrew Kompanek and Mark Thomas - on the tools with some sample security uses will be presented at the 18th Large Installation System Administration (LISA) conference on Thursday, 18 November 2004. After the conference, the paper will be available at: http://www.usenix.org/events/lisa04/tech/gates.html. John McHugh will also be presenting a tutorial at the Annual Computer Security Applications Conference (ACSAC) on Tuesday, 7 December 2004, that uses these tools. See http://www.acsac.org/ for more information. ____________________________________________________________________ Report by By Sean Turner and Russ Housley September 23, 2004 IETF Revises Cryptographic Message Syntax and Secure Multipurpose Internet Mail Extensions ____________________________________________________________________ Numerous protocols such as the Simple Mail Transport Protocol (SMTP, RFC 2821), the Session Initiation Protocol (SIP, RFC 3261), and the Electronic Data Interchange (EDI) protocols, and some of the Public Key Information (PKI) certificate management protocols employ the CMS (Cryptographic Message Syntax) to protect their payloads. The IETF has revised the CMS and Secure Mail Internet Mail Extensions (S/MIME) specifications to address protocol implementation issues and to support additional protocols: CMS has been revised twice since it was initially published as PKCS #7 Version 1.5 (RFC 2315). RFC 2630 was the first standards-track version of CMS. The first standards-track revision, RFC 3369, adds an optional password based key management scheme, adds an extension mechanism to support new key management schemes, clarifies RFC 2315 signature compatibility issues, and moves algorithm information to CMS Algorithms (RFC 3230). The second standards-track version, RFC 3852, adds an extension mechanism that supports additional certificate formats for the verification of digital signatures. All updates retain backwards compatibility with RFC 2630 and RFC 3369. CMS Algorithms (RFC 3370) provides algorithm information. It separates the algorithm specification from the protocol specification allowing both specifications to be updated without impacting one another. S/MIME Version 3.1 Message Specification (RFC 3851) replaces S/MIME Version 3.0 Message Specification (RFC 2633). Diffie-Hellman key agreement is no longer required; instead, support for RSA key transport is required. This change aligns the standard with actual use in the Internet. Optional support for AES symmetric encryption algorithm was also added, but Triple-DES remains the mandatory-to-implement symmetric encryption algorithm. The digital signature algorithm requirements were also changed. Support for both RSA and DSS is required on reception; however, and either RSA or DSS can be used on origination. Also, several implementation issues were clarified. S/MIME Version 3.1 Certificate Handling (RFC 3850) replaces S/MIME Version 3.0 Certificate Handling (RFC 2632) by including support for both Version 1 and 2 Certificate Revocation Lists (CRLs), making permitting the use of Version 2 attribute certificates optional to support, but prohibiting the use of Version 1 attribute certificates. Also, several other implementation issues were clarified. Securing X.400 Content With S/MIME (RFC 3854) specifies how to apply CMS constructs to sign and encrypt X.400 content. Transporting S/MIME Object in X.400 (RFC 3855) specifies how to convey CMS signed and encrypted contents over an X.400 message transfer system. S/MIME Examples (approved, but not yet published) provides detailed technical examples of message bodies formatted using CMS and S/MIME. The hope is that the test data will help with product development and testing, helping to ensure cross-vendor interoperability. Ongoing work in the area includes mechanisms to exchange S/MIME capabilities between end users, and algorithm specifications. The S/MIME working group is also working on the necessary documentation to progress the CMS and S/MIME documents to Draft standard, which requires two interoperable implementations of each protocol feature. For more information, contact Sean Turner (turners @ ieca.com), Blake Ramsdell (ramsdell @ sendmail.com), or Russ Housley (housley @ vigilsec.com). ____________________________________________________________________ Report by Jason Holt November 10, 2004 The Rise of Pairing-based Cryptography and Identity-Based Encryption ____________________________________________________________________ Arjen Lenstra writes in the preface to the Autumn 2004 issue of the Journal of Cryptology (http://www.iacr.org/jofc/jofc.html): ...These days, the bilinear map that the pairing gives rise to is regarded as one of the basic tools that are at any cryptographer's disposal -- with no need to understand or fully appreciate its mathematical intricacies. Using pairings has become a mainstream cryptologic activity. Lenstra appears to be correct; of the 35 papers presented in the research track of CCS (http://www.acm.org/sigs/sigsac/ccs/CCS2004/) last month, at least 3 made significant use of pairings, and the pairing-based crypto lounge now lists 205 papers (http://planeta.terra.com.br/informatica/paulobarreto/pblounge.html). The most visible application of pairings has been the identity-based cryptosystem proposed by Boneh and Franklin in 2001 (http://crypto.stanford.edu/ibe/). IBE allows public keys to be generated for any {identifying string, certificate authority public key} pair; only the CA can generate the corresponding private key. Three digital credential systems were introduced last year which all include pairing-based implementations: * Secret Handshakes http://www2.parc.com/csl/members/smetters/publications/handshakes.pdf * Oblivious Signature-Based Envelopes http://citeseer.ist.psu.edu/rd/13353010%2C566198%2C1%2C0.25%2CDownload/http%3AqSqqSqwww.cis.syr.eduqSq%7EweduqSqResearchqSqpaperqSqpodc2003.pdf * Hidden Credentials http://isrl.cs.byu.edu/pubs/wpes03.pdf Other applications include databases which encrypt records based on keywords which can only be decrypted by clients who have received private keys for records with a particular keyword. Expect pairings to continue to play a major part in cryptography. The IBE-like systems they give rise to, with their ability to generate public keys for any string, have enabled a host of new transactions to take place. Their implementation over elliptic curves means that signatures and ciphertexts tend to be only a few hundred bits long. The question of whether the underlying bilinear diffie-hellman (BDH) problem is indeed intractable also presents a fascinating challenge for number theorists. ==================================================================== Commentary and Opinion ==================================================================== Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html ____________________________________________________________________ Book Review By Robert Bruen November 18, 2004 ____________________________________________________________________ Wang, Wallace. Steal This File Sharing Book. What They Won't Tell You About File Sharing. No Starch Press 2004. ISBN 1-59327-050-X LoC TK5105.525.W36.  272 pages. $19.95. Index. Ah, Peer-To-Peer, P2P, File Sharing, the RIAA - so many problems, so few solutions. Little else comes close to being the poster child for the effect of the analog-to-digital change in our world today. Putting blatant security problems aside, giving file sharing capabilities for the average Joe is a far more serious long-term threat to our way of life than almost anything else. "Our way of life" in this instance includes institutions that control our decisions about when we watch, look at, or listen to recordings. It means the way business is conducted and the way we look at our culture. The threat is different from vulnerabilities in software in which a security hole is found, an exploit released and a fixed distributed. The whole point of peer relationships is that no supervisor or controller intervenes, not unlike Martin Luther's view that started the Protestant religion, that there should be no intermediary between him and his God. The consequences of that seemingly innocuous wish have been monumental. The P2P experience could have been a quiet one, but institutions have appeared to both facilitate it and prevent it, causing growth in both directions. The RIAA has continued its Sherman's March lawsuit juggernaut, now joined by the Motion Picture Industry. The war is big because the money is big. The shift of control, and thus revenue streams, is moving ahead because it is easy and obvious. The resisters to this change are trying to be just as powerful. It seems to me that the underlying technology of sharing files will be allowed just because it is a neutral technology, like a car. No one is going to outlaw cars because someone used one as a getaway vehicle. You can, however, be arrested or lose possession of your car if you allow it to be used in a crime. The same approach will be the way file sharing ends up. It happened to jukeboxes, VCRs and other technologies. The fun part is passing through the actual change as we are doing now. In order to understand the game you need a scorecard, because the game is complex. The technology of sharing a file is simple, but the P2P networks set up for this purpose and the legal battles surrounding them are not simple. Wang has put together a really good resource for understanding the complicated environment by way of his readable explanations. He also helps to focus issues such as: What impact does the content being shared have on how sharing is done, and how it is resisted? It is not just music and movies that are shared. The movies run from homemade adult films to Hollywood productions. Some producers use the courts and others do not. I found this book well done and it has good resources, so I recommend it for learning about the issue. Sooner or later we will all deal with the fundamental problem. The ultimate solution may be something that is not obvious now and will have a major impact on our entertainment media. ____________________________________________________________________ Book Review By Robert Bruen November 17, 2004 ____________________________________________________________________ Howlett, Tony. Open Source Security Tools. A Practical Guide to Security Applications. Prentice Hall 2005. 578 pages. $49.99. ISBN 0-321-19443-8 LoC QA76.9A25H6985 2004. Index, CDROM, 5 appendices, References List. This book fills a gap in the literature by bringing all the important Open Source security tools into one place. Several other books have done justice to Open Source security tools as part of their overall objective, but Howlett started with Open Source and worked from that point. Moreover, he has done an excellent job of collecting then presenting the tools. For the cost of the book, the reader gets as complete a suite of tools as necessary to engage in all areas of security, from encryption to mapping to sniffing to preparation and VPNs. Wireless is even included. Open Source Security Tools is not just about free stuff. It is a comprehensive collection of mature tools which provide the capability to cope with the security demands of today. The Open Source community is able to compete with the closed source companies, as is shown by this book. We are seeing an increasing number of Windows open source tools, which may turn out to be a Trojan Horse for Microsoft and the closed source industry. This collection of tools, the book's organization and the explanations are the best yet. Many good books exist for some of these tools, such as Snort and Nessus, but not for most of the tools. They are scattered in other good books. Many of these other books bring in scanners and sniffers, but have left out forensics tools or intrusion detection. Some of the older books had not yet come across wireless issues just because of when they were written, making Howlett's book more up to date. Mainly a defensive book, it does cover Wipe and some of its relatives. The tools represent a fairly comprehensive approach to security, including log file analysis, preparation for incidents, disaster recovery planning and security management. There are enough tools across a broad enough spectrum to consider the book as a tool itself to securing a site. It is also an excellent source for learning security because of the explanations. After presenting the reasoning behind a category of tools he delves into several tools for each category. The last chapter deserves special mention. Although short, it does make a pitch for Open Source Software, highlighting the Free Software Foundation, SourceForge and the others. A highly recommended book, that goes on my shelf next to Snort 2.1, Nessus and Building Open Source Network Security Tools. Open Source Security is building an impressive library of quality books. I am looking ahead to the next one. ____________________________________________________________________ Book Review By Robert Bruen September 20, 2004 ____________________________________________________________________ Andres, Steven and Brian Kenyon. Security Sage's Guide to Hardening the Network Infrastructure. Syngress 2004.ISBN 1-931836-01-9. 512 pages. $59.95. Index. If you already understand how networks are put together and yours works well, but you haven't been all that concerned about securing it, then this is a worthwhile book. Each of the components has more to it than simple configuration and maintenance rules, and they require some more understanding of detailed functions and how the outside world sees the network. Reacting to the sploit of the day is not enough; it helps if you can set up things to protect generally against problems. For example, firewalls are pretty common. They get configured to allow some things in and keep other things out, but perhaps the firewall itself as a target did not occur to you. What kind of attacks are possible, what has been seen and what do you do about it? A firewall is subject to attacks from inside as well as denial of service attacks. However there are specific attacks that might not be so obvious because they are possible only on a specific vendor's firewall. Some of the these known attacks and defenses are explained. The authors show a real sense of humor throughout the book, and that humor helps one digest an otherwise serious topic. The book also has numerous figures that are so important when trying to discuss networks, but there are not extraneous, distracting graphics. They follow an outline for each chapter which includes a checklist, a summary, links and mailing lists plus a few other sections. It gives the busy reader a chance to take a quick look to see if the chapter will be useful at that moment. If you are a teacher of networks and/or security, the end of chapter material is helpful. There are no questions or lab assignments, but the presentation style is helpful, although the book was not intended to be a textbook. The chapter on network switching contains a lot of basic material about networks, which would serve as a good introduction to networks or as supplementary material. The security aspects are somewhat limited, covering techniques such as password protection and turning off unnecessary features. That the chapter helps to set up the following chapter which covers defending switches and routers. Here we are given standard attacks, like spoofing, denial of service, and buffer overflows. The chapter is short and to the point. If "Hardening the Network Infrastructure" used within the right context, it is a useful and helpful book. There are numerous products, both commercial and free, which are evaluated, as well as FAQs, notes and pointers. The attack explanations are brief. If one were to use the checklist approach to hardening a network, the book would be successful. If one expects detailed attack explanation, then disappointment would ensue. ==================================================================== Reader's Guide to Current Technical Literature in Security and Privacy ==================================================================== The Reader's Guide from Past issues of Cipher is archived at http://www.ieee-security.org/Cipher/ReadersGuide.html ==================================================================== Listing of academic positions available by Cynthia Irvine ==================================================================== http://cisr.nps.navy.mil/jobscipher.html -------------- This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have in it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil ==================================================================== Interesting Links and Reports Available via FTP and WWW ==================================================================== "Reports Available" links from previous issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewReports.html and http://www.ieee-security.org/Cipher/InterestingLinks.html ==================================================================== Information on the Technical Committee on Security and Privacy ==================================================================== ____________________________________________________________________ Information for Subscribers and Contributors ____________________________________________________________________ SUBSCRIPTIONS: Two options, each with two options: 1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe". OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself) 2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard". OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself) To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors. ____________________________________________________________________ Recent Address Changes ____________________________________________________________________ Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html Jonathan Millen The MITRE Corporation Mail Stop S119 202 Burlington Road Rte. 62 Bedford, MA 01730-1420 781-271-5172 (voice) jmillen@mitre.org _____________________________________________________________________ How to become <> a member of the IEEE Computer Society's TC on Security and Privacy _____________________________________________________________________ You may easily join the TC on Security & Privacy by completing the on-line for at IEEE at http://www.computer.org/TCsignup/index.htm ______________________________________________________________________ TC Publications for Sale ______________________________________________________________________ IEEE Security and Privacy Symposium The 2004 Symposium proceedings are available for $25 plus shipping and handling. The 2003 proceedings are $20 plus shipping and handling; the 2000 proceedings are $15 plus shipping and handling. The 1998 proceedings are $15 plus shipping and handling. A CD of the 2000-2001 proceedings is $15 plus shipping and handling. Shipping is $4.00/volume within the US, overseas surface mail is $7/volume, and overseas airmail is $11/volume, based on an order of 3 volumes or less. The shipping charge for a CD is $1 per CD (no charge if included with a hard copy order). Send a check made out to the IEEE Symposium on Security and Privacy to the TC treasurer (see officers, below) with the order description, including shipping method, and send email to Hilarie Orman (see below) with the shipping address, please. IEEE CS Press Back issues of TC publications may be available; contact Jonathan Millen for information about the Computer Security Foundations Workshop. ______________________________________________________________________ TC Officer Roster ______________________________________________________________________ Chair: Past Chair: Heather Hinton Mike Reiter IBM Software Group - Tivoli Carnegie Mellon University 11400 Burnett Road ECE Department Austin, TX 78758 Hamerschlag Hall, Room D208 + 1 512 838 0455 (voice) Pittsburgh, PA 15213 USA hhinton@us.ibm.com (412) 268-1318 (voice) reiter@cmu.edu Vice Chair: Chair, Subcommittee on Academic Affairs: Jonathan Millen Prof. Cynthia Irvine The MITRE Corporation U.S. Naval Postgraduate School Mail Stop S119 Computer Science Department 202 Burlington Road Rte. 62 Code CS/IC Bedford, MA 01730-1420 Monterey CA 93943-5118 781-271-51 (voice) (408) 656-2461 (voice) jmillen@mitre.org irvine@cs.nps.navy.mil Chair, Subcommittee on Standards: Chair, Subcomm. on Security Conferences: David Aucsmith Jonathan Millen Microsoft Corporation The MITRE Corporation One Microsoft Way Mail Stop S119 Redmond, WA 98052 202 Burlington Road Rte. 62 425-706-9225 (voice) Bedford, MA 01730-1420 425-936-7329 (fax) 781-271-51 (voice) awk@microsoft.com jmillen@mitre.org Treasurer: Newsletter Editor: Tom Chen Hilarie Orman Department of Computer Science Purple Streak, Inc. and Engineering 500 S. Maple Dr. School of Engineering Salem, UT 84653 Southern Methodist University (801) 423-1052 (voice) P.O. Box 750122 cipher-editor@ieee-security.org Dallas, TX 75275-0122 (214) 768-8541 (voice) http://www.engr.smu.edu/~tchen ________________________________________________________________________ BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html