============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 81
November 18, 2007

Hilarie Orman, Editor, cipher-editor @ ieee-security.org
Sven Dietrich, Assoc. Editor, cipher-assoc-editor @ ieee-security.org
Yong Guan, Calendar Editor, cipher-cfp @ ieee-security.org
Book Review Editor, cipher-bookrev @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

  * Letter from the Editor
  * Commentary and Opinion
      o IEEE Computer Society News, by Hilarie Orman and Jon Millen
      o NIST Announces the SHA-3 Hash Function Competition
      o "Fuzzing: Brute Force Vulnerability Discovery" by Michael Sutton,
        Adam Greene and Pedram Amini. Reviewed by Richard Austin.
  * Conference and Workshop Announcements
      o Upcoming calls-for-papers and events
      o Calendar listings
  * List of Computer Security Academic Positions, by Cynthia Irvine
  * Staying in Touch
      o Information for subscribers and contributors
      o Recent address changes
  * Links for the IEEE Computer Society TC on Security and Privacy
      o Becoming a member of the TC
      o TC Officers
      o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers,

This issue features an interesting book review by Richard Austin, an
announcement about another algorithm competition sponsored by the US
National Institute of Standards and Technology (NIST), and some news of
the IEEE Computer Society.

This newsletter is an activity of the IEEE Computer Society Technical
Committee on Security and Privacy (TCSP), and the Computer Society holds
organizational meetings to which we (the TCSP) have an opportunity to
send a representative. I attended the meetings this November, and I got
to meet other committee representatives and members of the Computer
Society's staff. It's interesting to learn more about how the
organization functions, and I have a brief report on the activities and
benefits of membership.

The calendar of events notes that the Financial Cryptography conference
meets in January of 2008, and the conference has free day care
arrangements for attendees bringing children and some stipends for
primary caregivers who need financial help in meeting their care
obligations. This seems like a great idea, and I encourage all
conference organizers and conference sponsors to give the idea serious
consideration in planning their next events.

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

____________________________________________________________________
IEEE Computer Society Administrative Meetings Week
by Hilarie Orman and Jon Millen, TCSP
____________________________________________________________________

The IEEE Computer Society held meetings of its committees during the
first week of November. I represented the Technical Committee on
Security and Privacy (TCSP) by virtue of my position as the incoming
Vice Chair of the committee.

The Computer Society announced some financial difficulties earlier this
year, and by instituting cost cutting measures they have reduced their
projected deficit by two-thirds. Further cost reductions are in the
works, and there is no imminent crisis.
However, the Society would like to increase membership, and each
Technical Committee is looking for ways to attract student members, to
find the most forward-looking topics in the Committee's core areas, and
to reach out to potential members who are not primarily academic.

The TCSP has already taken some steps in these directions through
involving its symposia in industry and government sponsorship for
student travel to our events and by sponsoring co-located workshops in
innovative new areas with the Security and Privacy Symposium. However,
we do not spend time educating our attendees about the benefits of
membership in IEEE and the Computer Society (except through the
structure of our conference registration fees!) Thus, I encourage Cipher
readers to consider the benefits of membership, as described by our
current TC chair, Jon Millen:

Membership in the Computer Society comes with a free subscription to
"Computer", the society's flagship magazine. "Computer" is a resource
that practitioners, researchers, and managers can rely on to provide
timely information about current research developments, trends, best
practices, and changes in the profession.

Another key Computer Society member benefit is access to the IEEE
Computer Society Digital Library (CSDL). Get online, unlimited access to
the best collection of computing information available anywhere for one
low cost.

There are many other benefits, including free access to 1300 online
technical courses and 500 IT books and articles. For more information on
member benefits, go to
http://www.computer.org/portal/site/ieeecs/menuitem.c5efb9b8ade9096b8a9ca0108bcd45f3/index.jsp?&pName=ieeecs_level1&path=ieeecs/join&file=benefits.xml&xsl=generic.xsl&
[Ed. The Computer Society has not yet learned about tinyurl.]

Join today at http://computer.org/promos/tcmember. You have nothing to
risk, as the society will refund your membership dues if you are ever
dissatisfied.

There are three new technical committees in the Computer Society now:
haptics, nanotechnology, and mobile networking systems. All three are
well-connected to their communities through their workshops and
conferences. They certainly embody the Computer Society's commitment to
fostering the best of new technologies.

If you have ideas for activities that you think the TCSP could undertake
that would be of interest to you, please let us know. Our email address
is "tc curlya ieee-security.org" (you may know curlya as "@"). We are,
of course, especially interested in volunteers who can help us organize
and carry out these events.

____________________________________________________________________
NIST Issues Call for a New 'Hash' Algorithm
http://www.nist.gov/public_affairs/techbeat/tb2007_1108.htm#sha
November 8, 2007
____________________________________________________________________

The National Institute of Standards and Technology (NIST) has opened a
competition to develop a new cryptographic "hash" algorithm, a tool that
converts a file, message or block of data to a short "fingerprint" for
use in digital signatures, message authentication and other computer
security applications. The competition is NIST's response to recent
advances in the analysis of hash algorithms. The new hash algorithm will
be called Secure Hash Algorithm-3 (SHA-3) and will augment the hash
algorithms currently specified in the Federal Information Processing
Standard (FIPS) 180-2, Secure Hash Standard. NIST's goal is that SHA-3
provide increased security and offer greater efficiency for the
applications using cryptographic hash algorithms.

FIPS standards are required for use in federal civilian computer systems
and are often adopted voluntarily by private industry. FIPS 180-2
specifies five cryptographic hash algorithms, including SHA-1 and the
SHA-2 family of hash algorithms.
Because serious attacks have been reported in recent years against
cryptographic hash algorithms, including SHA-1, and because SHA-1 and
the SHA-2 family share a similar design, NIST has decided to standardize
an additional hash algorithm to augment the ones currently specified in
FIPS 180-2.

NIST issued a Call for a New Cryptographic Hash Algorithm (SHA-3) Family
in a Federal Register Notice on Nov. 2, 2007. The announcement specifies
the submission requirements, the minimum acceptability requirements, and
the evaluation criteria for candidate hash algorithms. Entries for the
competition must be received by Oct. 31, 2008. Details about the
competition are available at http://www.nist.gov/hash-competition

Media Contact: Ben Stein, bstein@nist.gov, (301) 975-3097

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference
reports are archived at
http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Review By Richard Austin
November 12, 2007
____________________________________________________________________

Fuzzing: Brute Force Vulnerability Discovery
by Michael Sutton, Adam Greene and Pedram Amini.
Addison-Wesley, 2007.
ISBN 0-321-44611-9
Amazon.com $34.64 Bookpool.com $34.50

Unless you're a security professional who has decided the connected
world is a far too dangerous place and has retreated into your sealed
bunker with your isolated, cement encased computers, you have heard of
the concept of "fuzzing" and its utility in discovering security
vulnerabilities. But I suspect most of us have only the basic notion
that it somehow involves flooding a piece of software with every
possible input and waiting for something unexpected to happen. Sutton
et al.
quickly reveal that there is a lot more to be said and give us a
fascinating look at how fuzzers work, how to build one and some
tantalizing hints at how they could be made much better.

The book opens with a 5-chapter introduction to the process of
vulnerability discovery and the place that fuzzing can play within it.
The introduction is comprehensive and includes topics ranging from the
history of fuzzing, a taxonomy of fuzzer types, thorny issues of data
representation and an in-depth review of the requirements for effective
fuzzing.

The second part is really the "meat" of the book and after an opening
chapter on "Automation and Data Generation," covers the broad topics of
fuzzing environment variables and arguments, web applications, file
formats, network protocols, web browsers and a very new topic, in-memory
fuzzing.

For each major topic, the presentation begins with an introductory
chapter that identifies the targets, the most appropriate fuzzing
methods and the types of faults likely to be generated. This
introduction is then followed by detailed chapters on how to perform
fuzzing on both the Unix and Windows platforms.

The detailed fuzzing presentations are in-depth and often use tools that
are available on the book's companion web site. Relevant code is listed
with clear explanations, assessment of limitations and suggestions for
how the tool could be extended and improved. Often the presentation is
illustrated with an example of how a real vulnerability was discovered
using the method, and these expositions are an education in and of
themselves.

The discussion of in-memory fuzzing is quite interesting as it's a new
concept that the authors mention has not yet been implemented in even a
public proof-of-concept mode. The core idea is that rather than working
through the presentation logic of an application to get the inputs into
the application, the fuzzer actually "hooks" into the processing logic
directly and supplies the fuzzed inputs.
The advantages in speed (e.g., not having to transmit fuzzed inputs over
a network link, etc.) are at least partially offset by the difficulties
aptly summed up in the authors' statement that "in-memory fuzzing is not
for the faint of heart."

The third part of the book is devoted to "Advanced Fuzzing Technologies"
and covers fuzzing frameworks, automated protocol dissection using
"proxy fuzzers" interposed between the client and the server, some
cutting edge techniques borrowed from bioinformatics and genetic
algorithms, and intelligent fault detection (IOW, better ways to tell
when your "fuzzer has done right by doing wrong.")

The final section of the book provides a retrospective that fits fuzzing
techniques into the SDLC and a look into the future through examination
of some of the commercial fuzzing tools that are becoming available.

This book will appeal first to the hard-core technical security
professional, but I think the more management-oriented among us would be
ill-served by fleeing back to our spreadsheets at the first glimpse of a
code listing. Fuzzers are in the hands of both the good and the bad and
it would behoove all of us to understand their potential. The book's
introductory chapters and the introductory chapter for each major
fuzzing topic are highly recommended for all audiences. As might be
said, "You need to read this book - your adversary has."

-----

Before retiring, Richard Austin was the storage network security
architect at a Fortune 25 company and currently earns his bread and
cheese as an itinerant university instructor and security consultant.
He welcomes your thoughts and comments at rda7838@kennesaw.edu

====================================================================
Conference and Workshop Announcements
====================================================================

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Wiley InterScience Security and Communication Networks Journal, Special
Issue on Clinical Information Systems (CIS) Security, July/August 2008.
http://www3.interscience.wiley.com/cgi-bin/jtoc/114299116
(Submission Due 10 February 2008)

Guest editors: Theodore Stergiou (KPMG Kyriacou Advisors AE, Greece),
Dimitrios Delivasilis (Incrypto Ltd., Greece), Mark S Leeson (University
of Warwick, UK), and Ray Yueh-Min Huang (National Cheng-Kung University,
Taiwan, R.O.C.)

Managing records of patient care has become an increasingly complex
issue with the widespread use of advanced technologies. The vast amount
of information for every routine care must be securely processed over
different data bases. Clinical Information Systems (CIS) address the
need for a computerized approach in managing personal health
information. Hospitals and public or private health insurance
organizations are continuously upgrading their database and data
management systems to more sophisticated architectures. The possible
support of the large patient archives and the flexibility of a CIS in
providing up-to-date patient information and worldwide doctors'
collaboration, have leveraged the research on CIS both in academic and
government domains.
At the same time, it has become apparent that patients require more
control over their clinical data, either being results of clinical
examinations or medical history. Due to the large amount of information
that can be found on the Internet and the free access to medical
practitioners and hospitals worldwide, patients may choose to
communicate their information so as to obtain several expert opinions
regarding their conditions. Given the sensitive nature of the
information stored and inevitably in transit, security has become an
issue of utmost necessity. Numerous EU and US research projects have
been launched to address security in CIS (e.g. EUROMED, ISHTAR, RESHEN),
whereas regulatory compliance to acts such as the HIPAA has become an
obligation for centers moving to CIS. This Special Issue will serve as a
venue for both academia and industry individuals and groups working in
this fast-growing research area to share their experiences and
state-of-the-art work with the readers. The topics of interest in this
Special Issue include, but are not limited to:

- Authentication techniques for CIS
- Authorization mechanisms and approaches for patient-centric data
- Public Key Infrastructures to support diverse clinical information
  environments and networks
- Cryptographic protocols for use to secure patient-centric data
- Secure communication protocols for the communication of clinical data
- Wireless sensor networks security
- Body sensor networks security
- CIS Database security
- Interoperability across diverse CIS environments (national and
  multilateral)
- Government and international regulatory and compliance requirements

For more information, please see
http://www3.interscience.wiley.com/cgi-bin/jtoc/114299116/ .

---

APE 2008, 1st International Workshop on Advances in Policy Enforcement,
Held in conjunction with the 3rd International Conference on
Availability, Reliability and Security (ARES 2008), Barcelona,
Catalonia, Spain, March 4-7, 2008.
http://www.telematik.uni-freiburg.de/ape/
(Submissions due 20 November 2007)

The problem of complying with increasingly complex requirements is
gaining importance in organizations of all sizes. Such requirements
stipulate how organizations must perform a number of accountable actions
with regard to, e.g., accounting -- Basel II and SOX -- and the
treatment of personal information -- HIPAA, Fair Information Practices
and negotiated privacy preferences. From a technical standpoint, these
requirements are mere policies whose modeling (expression), adherence
(enforcement), and verification (audit) dictate the workflow of
organizations. The goal of this workshop is to bring together
researchers and practitioners working on innovative methods for policy
enforcement and its a posteriori audit. The focus of the workshop is
primarily technological, yet it encourages papers with a
multidisciplinary character, encompassing for instance economic, legal,
and sociological aspects, as well as papers more purely focused on
information technology. Submission topics include, but are not limited
to:

- A posteriori policy enforcement
- Complementing a priori and a posteriori approaches to enforcement
- Usage control
- Audit strategies
- Forensics and legal issues
- Provable enforcement
- Accountability and liability
- Secure logging mechanisms
- Expression of security and privacy requirements
- Monitoring techniques
- Implementation experiences

For more information, please see http://www.telematik.uni-freiburg.de/ape

---

IFIP-CIP 2008, 2nd Annual IFIP WG 11.10 International Conference on
Critical Infrastructure Protection, Arlington, Virginia, USA,
March 16-19, 2008.
http://www.ifip1110.org/
(Submissions due 31 December 2007)

The IFIP Working Group 11.10 on Critical Infrastructure Protection is an
active international community of researchers, infrastructure operators
and policy-makers dedicated to applying scientific principles,
engineering techniques and public policy to address current and future
problems in information infrastructure protection. Following the success
of the inaugural conference in March 2007, the Second Annual IFIP WG
11.10 International Conference on Critical Infrastructure Protection
will again provide a forum for presenting original, unpublished research
results and innovative ideas related to all aspects of critical
infrastructure protection. The conference will be limited to eighty
participants to facilitate interactions among researchers and intense
discussions of research and implementation issues. Areas of interest
include, but are not limited to:

- Infrastructure vulnerabilities, threats and risks
- Security challenges, solutions and implementation issues
- Infrastructure sector interdependencies and security implications
- Risk analysis and risk assessment methodologies
- Modeling and simulation of critical infrastructures
- Legal, economic and policy issues related to critical infrastructure
  protection
- Secure information sharing
- Infrastructure protection case studies
- Distributed control systems/SCADA security
- Telecommunications network security

For more information, please see http://www.ifip1110.org/

---

ATC 2008, 5th International Conference on Autonomic and Trusted
Computing, Oslo, Norway, June 23-25, 2008.
http://www.ux.uis.no/atc08/
(Submissions due 5 January 2008)

Computing systems including hardware, software, communication and
networks are growing dramatically in both scale and heterogeneity,
becoming overly complex. Such complexity is getting even more critical
with the ubiquitous permeation of embedded devices and other pervasive
systems.
To cope with the growing and ubiquitous complexity, Autonomic Computing
(AC) focuses on self-manageable computing and communication systems that
exhibit self-awareness, self-configuration, self-optimization,
self-healing, self-protection and other self-x operations to the maximum
extent possible without human intervention or guidance. Organic
Computing (OC) additionally emphasizes natural-analogue concepts like
self-organization and controlled emergence. Trusted/Trustworthy
Computing (TC) aims at making computing and communication systems as
well as services available, predictable, traceable, controllable,
assessable, sustainable, dependable, persist-able, security/privacy
protect-able, etc. ATC-08 addresses the most innovative research and
development in these challenging areas and includes all technical
aspects related to autonomic/organic computing (AC/OC) and trusted
computing (TC). Topics of interest include, but are not limited to:

- AC/OC Theory and Models (Nervous/organic models, negotiation,
  cooperation, competition, self-organization, emergence, etc.)
- AC/OC Architectures and Systems (Autonomic elements & their
  relationship, frameworks, middleware, observer/controller
  architectures, etc.)
- AC/OC Components and Modules (Memory, storage, database, device,
  server, proxy, software, OS, I/O, etc.)
- AC/OC Communication and Services (Networks, self-organized net, web
  service, grid, P2P, semantics, agent, transaction, etc.)
- AC/OC Tools and Interfaces (Tools/interfaces for AC/OC system
  development, test, monitoring, assessment, supervision, etc.)
- Trust Models and Specifications (Models and semantics of trust,
  distrust, mistrust, over-trust, cheat, risk, reputation, reliability,
  etc.)
- Trust-related Security and Privacy (Trust-related secure architecture,
  framework, policy, intrusion detection/awareness, protocols, etc.)
- Trusted Reliable and Dependable Systems (Fault-tolerant systems,
  hardware redundancy, robustness, survivable systems, failure recovery,
  etc.)
- Trustworthy Services and Applications (Trustworthy
  Internet/web/grid/P2P e-services, secured mobile services, novel
  applications, etc.)
- Trust Standards and Non-Technical Issues (Trust standards and issues
  related to personality, ethics, sociology, culture, psychology,
  economy, etc.)

For more information, please see http://www.ux.uis.no/atc08/

---

SEC 2008, 23rd International Information Security Conference, Co-located
with IFIP World Computer Congress 2008, Milan, Italy,
September 8-10, 2008.
http://sec2008.dti.unimi.it
(Submissions due 10 January 2008)

The conference seeks submissions from academia and industry presenting
novel research on all theoretical and practical aspects of computer
security, as well as case studies and implementation experiences. Papers
should have practical relevance to the construction, evaluation,
application, or operation of secure systems. Theoretical papers must
make a convincing argument for the practical significance of the
results.
Topics of interest include, but are not limited to:

- access control
- accounting and audit
- anonymity
- applied cryptography
- authentication
- computer forensics
- cryptographic protocols
- database security
- data protection
- data/system integrity
- digital rights management
- electronic frauds
- identity management
- information warfare
- intrusion detection
- key management
- law and ethics
- peer-to-peer security
- privacy-enhancing technology
- secure location services
- secure networking
- security education
- security management
- smartcards
- commercial and industry security
- data and application security
- inference/controlled disclosure
- risk analysis and risk management
- intellectual property protection
- security in IT outsourcing
- security for mobile code
- trust management
- trust models

For more information, please see http://sec2008.dti.unimi.it

---

IFIP-TM 2008, Joint iTrust and PST conferences on Privacy, Trust
Management and Security, Trondheim, Norway, June 18-20, 2008.
http://www.ntnu.no/videre/konferanse/IFIPTM08/
(Submissions due 11 January 2008)

The mission of the IFIPTM 2008 conference is to share research solutions
to problems of Trust, Security and Privacy and to identify new issues
and directions for future research and development work.
IFIPTM 2008 invites research submissions on all topics related to Trust,
Security and Privacy, including but not limited to those listed below:

- Security and trust for composite applications
- Trust models, formalization, specification, analysis and reasoning
- Engineering of trustworthy and secure software
- The ethics, sociology and psychology of trust
- Security management and usability issues including security
  configuration
- Trust management frameworks for secure collaborations
- Language security
- Security and privacy for software as a service (SaaS)
- Security and trust for Web 2.0 mashups
- Legal issues related to the management of trust
- Semantically-aware security management
- Adaptive security policy management
- Security, trust and privacy for service oriented architectures
- Mobile security
- Anonymity and privacy vs. accountability
- Critical infrastructure protection, public safety and emergency
  management
- Intrusion detection systems and technologies
- Operating systems security
- Network security (anti-virus, anti-DoS-tools, firewalls etc.)
- Privacy and identity management in e-services
- Biometrics, national ID cards, identity theft
- Distributed trust and reputation management systems
- Human computer interaction and privacy, security & trust
- Applications of trust and reputation management in e-services

For more information, please see
http://www.ntnu.no/videre/konferanse/IFIPTM08/

---

CSF 2008, 21st IEEE Computer Security Foundations Symposium, Pittsburgh,
PA, USA, June 23-25, 2008.
http://www.cylab.cmu.edu/CSF2008/
(Submissions due 29 January 2008)

The IEEE Computer Security Foundations (CSF) series brings together
researchers in computer science to examine foundational issues in
computer security. Over the past two decades, many seminal papers and
techniques have been presented first at CSF.
The CiteSeer Impact page (http://citeseer.ist.psu.edu/impact.html) lists
CSF as 38th out of more than 1200 computer science venues, top 3.11% in
impact based on citation frequency. New theoretical results in computer
security are welcome. Also welcome are more exploratory presentations,
which may examine open questions and raise fundamental concerns about
existing theories. Panel proposals are sought as well as papers.
Possible topics include, but are not limited to:

- Access control
- Anonymity and Privacy
- Authentication
- Data and system integrity
- Database security
- Decidability and complexity
- Distributed systems security
- Electronic voting
- Executable content
- Formal methods for security
- Information flow
- Intrusion detection
- Language-based security
- Network security
- Resource usage control
- Security for mobile computing
- Security models
- Security protocols
- Trust and trust management

For more information, please see http://www.cylab.cmu.edu/CSF2008/

---

USENIX-Security 2008, 17th USENIX Security Symposium, San Jose,
California, USA, July 28-August 1, 2008.
http://www.usenix.org/sec08/cfpa
(Submissions due 30 January 2008)

On behalf of the 17th USENIX Security Symposium (USENIX Security '08)
program committee, we are inviting you to submit high-quality papers in
all areas relating to systems and network security. Please note that the
USENIX Security Symposium is primarily a systems security conference.
Papers whose contributions are primarily new cryptographic algorithms or
protocols, cryptanalysis, electronic commerce primitives, etc., may not
be appropriate for this conference.
Refereed paper submissions are solicited in all areas relating to
systems and network security, including:

- Adaptive security and system management
- Analysis of network and security protocols
- Applications of cryptographic techniques
- Attacks against networks and machines
- Authentication and authorization of users, systems, and applications
- Automated tools for source code analysis
- Botnets
- Cryptographic implementation analysis and construction
- Denial-of-service attacks and countermeasures
- File and filesystem security
- Firewall technologies
- Forensics and diagnostics for security
- Intrusion and anomaly detection and prevention
- Malicious code analysis, anti-virus, anti-spyware
- Network infrastructure security
- Operating system security
- Privacy-preserving (and -compromising) systems
- Public key infrastructure
- Rights management and copyright protection
- Security architectures
- Security in heterogeneous and large-scale environments
- Security policy
- Self-protecting and healing systems
- Techniques for developing secure systems
- Technologies for trustworthy computing
- Usability and security
- Voting systems analysis and security
- Wireless and pervasive/ubiquitous computing security
- Web security

For more information, please see http://www.usenix.org/sec08/cfpa/

---

SOUPS 2008, Symposium On Usable Privacy and Security, Carnegie Mellon
University, Pittsburgh, PA, USA, July 23-25, 2008.
http://cups.cs.cmu.edu/SOUPS
(Submissions due 29 February 2008)

The 2008 Symposium on Usable Privacy and Security (SOUPS) will bring
together an interdisciplinary group of researchers and practitioners in
human computer interaction, security, and privacy. The program will
feature technical papers, a poster session, panels and invited talks,
discussion sessions, and in-depth sessions (workshops and tutorials). We
invite authors to submit original papers describing research or
experience in all areas of usable privacy and security.
Topics include, but are not limited to:

- innovative security or privacy functionality and design
- new applications of existing models or technology
- field studies of security or privacy technology
- usability evaluations of security or privacy features or security
  testing of usability features
- lessons learned from deploying and using usable privacy and security
  features

For more information, please see http://cups.cs.cmu.edu/SOUPS/

---

Pairing 2008, 2nd International Conference on Pairing-based
Cryptography, Egham, UK, September 1-3, 2008.
http://www.pairing-conference.org/
(Submissions due 16 March 2008)

Pairing-based cryptography is an extremely active area of research which
has allowed elegant solutions to a number of long-standing open problems
in cryptography (such as efficient identity-based encryption). New
developments continue to be made at a rapid pace. The aim of the
"Pairing" conference is thus to bring together leading researchers and
practitioners from academia and industry, all concerned with problems
related to pairing-based cryptography.
Authors are invited to submit papers describing their original research
on all aspects of pairing-based cryptography, including, but not limited
to the following topics:

Area I: Novel cryptographic protocols
- ID-based and certificateless cryptosystems
- Broadcast encryption, signcryption etc
- Short/multi/aggregate/group/ring/threshold/blind signatures
- Designated confirmer or undeniable signatures
- Identification/authentication schemes
- Key agreement

Area II: Mathematical foundations
- Weil, Tate, Eta, and Ate pairings
- Security consideration of pairings
- Other pairings and applications of pairings in mathematics
- Generation of pairing friendly curves
- (Hyper-) Elliptic curve cryptosystems
- Number theoretic algorithms
- Addition algorithms in divisor groups

Area III: SW/HW implementation
- Secure operating systems
- Efficient software implementation
- FPGA or ASIC implementation
- Smart card implementation
- RFID security
- Middleware security
- Side channel and fault attacks

Area IV: Applied security
- Novel security applications
- Secure ubiquitous computing
- Security management
- PKI models
- Application to network security
- Grid computing
- Internet and web security
- E-business or E-commerce security

For more information, please see http://www.pairing-conference.org

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

Date (Month/Day/Year), Event, Locations, web page for more info.
11/20/07: Advances in Policy Enforcement (APE), Barcelona, Catalonia;
          Submissions are due; http://www.telematik.uni-freiburg.de/ape,
          info: anjomshoaa@ifs.tuwien.ac.at
11/20/07: Computer Security Foundations Symposium (CSF), Pittsburgh, PA;
          http://www.cylab.cmu.edu/CSF2008/ Submissions are due
11/20/07: Privacy and Security by means of Artificial Intelligence (PSAI),
          Barcelona, Catalonia, Spain; http://crises-deim.urv.cat/psai/
          Submissions are due
11/24/07: Symposium on Identity and Trust on the Internet (IDtrust),
          Gaithersburg, MD, submissions are due
          http://middleware.internet2.edu/idtrust/2008/
12/ 2/07-12/ 6/07: ASIACRYPT (ASIACRYPT), Kuching, Sarawak, Malaysia;
          info: http://www.swinburne.edu.my/asiacrypt2007/,
          info: asiacrypt2007@iacr.org
12/ 9/07-12/11/07: Asian Computing Science Conference, Focusing on
          Computer and Network Security (ASIAN),
          http://www.qatar.cmu.edu/asian07, Doha, Qatar;
          info: asian07@qatar.cmu.edu
12/10/07-12/14/07: Annual Computer Security Applications Conference
          (ACSAC), http://www.acsac.org/, Miami Beach, Florida
12/14/07: Human Aspects of Information Security & Assurance (HAISA),
          Plymouth, UK; Submissions are due; http://www.haisa.org,
          info: info@haisa.org
12/16/07-12/20/07: Information Systems Security (ICISS),
          http://siis.cse.psu.edu/iciss07, Delhi, India
 1/ 6/08: Workshop on Security for Mobile Wireless Communications (SeMIC),
          Bangalore, India; http://www.comsware.org/workshop_SeMIC08.htm,
          info: llazos@u.washington.edu
 1/10/08: Information Security Conference (SEC),
          http://sec2008.dti.unimi.it, Milan, Italy; Submissions are due;
          (no proceedings)
 1/14/08: Applied Cryptography and Network Security (ACNS), Columbia
          University, New York City, NY; http://acns2008.cs.columbia.edu/
          Submissions are due
 1/18/08: UPSEC, San Francisco, CA; http://www.usenix.org/upsec08/cfp
          Submissions are due; info: upsec08chairs@usenix.org
 1/28/08- 1/31/08: Financial Cryptography and Data Security (FC),
          http://fc08.ifca.ai, Cozumel, Mexico
 1/30/08: USENIX Security Symposium (USENIXSec), San Jose, CA;
          http://www.usenix.org/sec08/cfpa/ Submissions are due;
          info: sec08chair@usenix.org
 2/ 4/08: Detection of Intrusions and Malware and Vulnerability
          Assessment, DIMVA, Paris, France;
          http://www.dimva.org/dimva2008/, Submissions are due
 2/10/08- 2/13/08: Network and Distributed System Security Symposium
          (NDSS), http://www.isoc.org/tools/conferences/NDSS08,
          San Diego, California
 2/11/08: Australasian Conference on Information Security and Privacy
          (ACISP), Wollongong, Australia;
          http://www.uow.edu.au/conferences, Submissions are due
 2/29/08: Symposium On Usable Privacy and Security (SOUPS), Carnegie
          Mellon University, Pittsburgh, PA; http://cups.cs.cmu.edu/SOUPS/
          Submissions are due
 3/ 4/08- 3/ 6/08: Symposium on Identity and Trust on the Internet
          (IDtrust), Gaithersburg, MD
          http://middleware.internet2.edu/idtrust/2008/
 3/ 4/08- 3/ 7/08: Advances in Policy Enforcement (APE), Barcelona,
          Catalonia; http://www.telematik.uni-freiburg.de/ape
          info: anjomshoaa@ifs.tuwien.ac.at
 3/ 4/08- 3/ 7/08: Privacy and Security by means of Artificial
          Intelligence (PSAI), Barcelona, Catalonia, Spain,
          http://crises-deim.urv.cat/psai/
 3/ 4/08- 3/ 7/08: Secure Software Engineering (SecSE), Barcelona,
          Catalonia; http://www.ares-conference.eu/conf
          info: SecSE08 "replace with at-character" gmail.com
 3/16/08- 3/20/08: Symposium on Applied Computing, Track on Trust,
          Recommendations, Evidence and other Collaboration Know-how
          (SAC-TRECK), Ceara', Brazil;
          http://www.acm.org/conferences/sac/sac2008/
          info: Jean-Marc.Seigneur@trustcomp.org
 3/18/08- 3/20/08: Symposium on Information, Computer and Communications
          Security (ASIACCS), Tokyo, Japan,
          http://www.rcis.aist.go.jp/asiaccs08
 3/31/08- 4/ 2/08: Wireless Network Security (WiSec), Alexandria, VA
          http://discovery.csc.ncsu.edu/WiSec08
 4/ 7/08- 4/11/08: Asynchronous Circuits and Systems (ASYNC), Newcastle
          upon Tyne, UK; http://async.org.uk/async2008/
 4/14/08: UPSEC, San Francisco, CA;
          http://www.usenix.org/upsec08/cfp info: upsec08chairs@usenix.org
 6/ 3/08- 6/ 6/08: Applied Cryptography and Network Security (ACNS),
          Columbia University, New York City, NY,
          http://acns2008.cs.columbia.edu/
 6/23/08- 6/25/08: Computer Security Foundations Symposium (CSF),
          Pittsburgh, PA; http://www.cylab.cmu.edu/CSF2008/
 7/ 8/08- 7/18/08: Human Aspects of Information Security & Assurance
          (HAISA), Plymouth, UK; http://www.haisa.org ;
          info: info@haisa.org
 7/10/08- 7/11/08: Detection of Intrusions and Malware and Vulnerability
          Assessment, DIMVA, Paris, France;
          http://www.dimva.org/dimva2008/
 7/14/08- 7/16/08: Australasian Conference on Information Security and
          Privacy (ACISP), Wollongong, Australia;
          http://www.uow.edu.au/conferences
 7/23/08- 7/25/08: Symposium On Usable Privacy and Security (SOUPS),
          Carnegie Mellon University, Pittsburgh, PA;
          http://cups.cs.cmu.edu/SOUPS
 7/28/08- 8/ 1/08: USENIX Security Symposium (USENIXSec), San Jose, CA;
          http://www.usenix.org/sec08/cfpa/ info: sec08chair@usenix.org
 9/ 8/08- 9/10/08: Information Security Conference (SEC), Milan, Italy;
          (no proceedings) http://sec2008.dti.unimi.it
10/31/08: NIST SHA3 Hash Function Competition (NIST-SHA3);
          http://www.nist.gov/hash-competition info: bstein@nist.gov;
          Submissions are due

____________________________________________________________________
   Journal, Conference and Workshop Calls-for-Papers (new since 80)
____________________________________________________________________

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

From http://cisr.nps.edu/jobscipher.html

The George Washington University
Department of Computer Science
Washington, DC 20052
ASSISTANT PROFESSOR, in network and computer security
Application review will begin in January 2008 and will continue until
the position is filled
http://www.cs.gwu.edu

University of North Carolina at Charlotte
Department of Software and Information Systems
UNC Charlotte
Charlotte, NC 28223
ASSISTANT OR ASSOCIATE
Application review will begin in January 2007 and will continue until
the position is filled.
URL: http://www.sis.uncc.edu

Northern Kentucky University
Highland Heights, KY 41099
Assistant/Associate Professor of Computer Science in the following
areas - Information Security, Secure Software Development, Computer
Forensics, Database and/or Networking with a preference for Networking
and Security
Applications will be accepted until the position is filled.
http://www.nku.edu/~csc/positions.html

Radboud University Nijmegen
Nijmegen, the Netherlands
2 PhD positions
Positions available until filled.
http://www.sos.cs.ru.nl/group/vacancies/index.html

--------------

This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to
have it included on this page, send the following information:
Institution, City, State, Position title, date position announcement
closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
          Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to
   cipher-admin@ieee-security.org (which is NOT automated) with subject
   line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the
   subject line "subscribe" (this IS automated - thereafter you can
   manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER
   is available for Web browsing send e-mail to
   cipher-admin@ieee-security.org (which is NOT automated) with subject
   line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with
   the subject line "subscribe" (this IS automated - thereafter you can
   manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to
cipher-admin@ieee-security.org with subject line "unsubscribe" or
"unsubscribe postcard" or, if you have subscribed directly to the
xmission.com mailing list, use your password (sent monthly) to
unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that
way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a
NEWSletter, not a bulletin board or forum. It has a fixed set of
departments, defined by the Table of Contents. Please indicate in the
subject line for which department your contribution is intended.
Calendar and Calls-for-Papers entries should be sent to
cipher-cfp @ ieee-security.org and they will be automatically included
in both departments. To facilitate the semi-automated handling, please
send either a text version of the CFP or a URL from which a text version
can be easily obtained. For Calendar entries, please include a URL
and/or e-mail address for the point-of-contact. For Calls for Papers,
please submit a one paragraph summary. See this and past issues for
examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS
APPLY.
All reuses of Cipher material should respect stated copyright notices,
and should cite the sources explicitly; as a courtesy, publications
using Cipher material should obtain permission from the contributors.

____________________________________________________________________
                    Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

____________________________________________________________________
How to become a member of the IEEE Computer Society's
TC on Security and Privacy
____________________________________________________________________

You may easily join the TC on Security & Privacy by completing the
on-line form at IEEE at http://www.computer.org/TCsignup/index.htm

____________________________________________________________________
                    TC Publications for Sale
____________________________________________________________________

IEEE Security and Privacy Symposium

The 2007 proceedings are available in hardcopy for $30.00, the 28 year
CD is $20.00, plus shipping and handling. The 2006 Symposium proceedings
and 11-year CD are sold out. The 2005, 2004, and 2003 Symposium
proceedings are available for $10 plus shipping and handling.

Shipping is $4.00/volume within the US, overseas surface mail is
$7/volume, and overseas airmail is $11/volume, based on an order of 3
volumes or less. The shipping charge for a CD is $1 per CD (no charge if
included with a hard copy order).

Send a check made out to the IEEE Symposium on Security and Privacy to
the 2007 treasurer (below) with the order description, including
shipping method, and send email to the 2007 Registration Chair
(Yong Guan) (oakland07-registration @ ieee-security.org) with the
shipping address, please.

Terry Benzel
Treasurer, IEEE Security and Privacy
USC Information Sciences Institute
4676 Admiralty Way
Marina Del Rey, CA 90292
(310) 822-1511

IEEE CS Press

You may order some back issues from IEEE CS Press at
http://www.computer.org/cspress/catalog/proc9.htm

Computer Security Foundations Symposium

Copies of the proceedings of the Computer Security Foundations Workshop
(now Symposium) are available for $10 each. Copies of proceedings are
available starting with year 10 (1997). Photocopy versions of year 1 are
also $10. Contact Jonathan Herzog if interested in purchase.

Jonathan Herzog
Department of Computer Science
Naval Postgraduate School
1 University Circle
Monterey, CA 93943
jcherzog@nps.edu

____________________________________________________________________
                       TC Officer Roster
____________________________________________________________________

Chair:
Jonathan Millen
The MITRE Corporation
Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

Security and Privacy Chair Emeritus:
Deborah Shands
The Aerospace Corporation
El Segundo, CA
oakland07-chair@ieee-security.org

Vice Chair:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@cs.nps.navy.mil

Chair, Subcommittee on Academic Affairs:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@cs.nps.navy.mil

Chair, Subcommittee on Standards:
David Aucsmith
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
425-706-9225 (voice)
425-936-7329 (fax)
awk@microsoft.com

Chair, Subcomm. on Security Conferences:
Jonathan Millen
The MITRE Corporation
Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

Security and Privacy Symposium 2008 General Chair:
Yong Guan
Iowa State University
oakland08-chair@ieee-security.org

Newsletter Editor and Technical Committee Treasurer:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
cipher-editor@ieee-security.org, treasurer@ieee-security.org

________________________________________________________________________

BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year