Electronic CIPHER, Issue 152, November 25, 2019

============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 152, November 25, 2019

Hilarie Orman, Editor: cipher-editor @ ieee-security.org
Sven Dietrich, Assoc. Editor: cipher-assoc-editor @ ieee-security.org
Sven Dietrich, Book Review Editor: cipher-bookrev @ ieee-security.org
Yong Guan, Calendar Editor: cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion and News
    o Sven Dietrich's review of "Protocols for Authentication and Key Establishment" by Colin Boyd, Anish Mathuria, and Douglas Stebila
    o News items
       - Google's Big Health Move: A Reach Too Far? (4 articles)
       - Facebook Developers Scorn Privacy
       - If Lasers Could Talk ...
       - CapitalOne's Data Breach (2 articles)
       - ATMs Insecure on LANs
    o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Conference and Workshop Announcements
    o Upcoming calls-for-papers and events
 * Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

We have come a long way on Internet security, from the Wild West days of "catch me if you can" to the present day arms race and eternal vigilance over our digital assets. Some of the transition can be traced in the evolution of network security protocols over the past 15 or so years. Sven Dietrich reviews a book on that topic, the second edition of "Protocols for Authentication and Key Establishment" in this Cipher issue.

Last May at the IEEE Security and Privacy Symposium I asked a researcher what the next big thing in novel physical attacks on computer systems might be. We've seen disks used as microphones and light fluctuations from screens used to extract data, what more is in store? His reply was non-committal but indicated that more was to come. His exact words were, "Physics sucks." That came to mind when I saw the announcement of research that uses lasers to cause microphones to vibrate at speech frequencies. Will physical exploits never cease? Not until physics is dead.

At the end of this year the Technical Committee on Security and Privacy (the Computer Society organization that sponsors this newsletter) will have a new chairman. After two years of service to the organization, Sean Peisert is at the end of his term. He has guided the security conferences through thorny issues with contracts and publishing issues, and the TCSP is stronger for his leadership. Ulfar Erlingsson, a stalwart of program committee participation and leadership, will assume the position of chairman. Brian Parno, also an S&P veteran, will be the new vice chair.

The Story of Computer Security Day, A Modern Fable for Our Holiday:

The American colonists had trouble setting up wifi during their first winter, and their mobile devices were barely usable. The indigenous people took pity on them and invited them to a day of free data. They shared passwords for gaming sites and watched cat videos far into the night. Later the colonists stole all the indigenous data and took down the native networking system, replacing it with 3G and TCP/IP, but they never forgot the gaming day. That is why Computer Security Day is on November 30.

Happy American Thanksgiving

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Sven Dietrich
11/24/2019
____________________________________________________________________

Protocols for Authentication and Key Establishment
by Colin Boyd, Anish Mathuria, and Douglas Stebila

Springer Verlag, Second Edition 2020.
ISBN 978-3-662-58145-2, ISBN 978-3-662-58146-9 (e-Book)
Second Edition, 2020, Springer Verlag, Information Security and Cryptography Series, 521 pages

We go shopping online, we pay using our phones, we open our hotel rooms and start our cars with an electronic key, we remotely turn on the air conditioner at home, we login to discussion sites or blogs, we make secure calls, and we text privately. All these pervasive actions in our everyday lives require protocols for authentication and cryptographic key establishment. So it was refreshing to see a second edition of Colin Boyd and Anish Mathuria's book, this time with the addition of Douglas Stebila, on this very subject matter of protocols and key establishment. The last edition of the book had been published in 2003, which was quite a different world when it comes to the ubiquity of the Internet or the impact of mobile, personal devices. We find ourselves surrounded by devices, interconnect with them, and constantly interact with online or cloud services in one way or another. Subsequently we require those communications to be authenticated and encrypted, the electronic documents to be signed, and doctors' records or federal tax returns to be secured in transit. Back in 2003, there had already been a plethora of such protocols, but as the Internet and its ecosystem grew, so did the number of protocols, associated cryptographic primitives, and threat models. This new edition of the book, for which writing started in 2010, provides a great insight into this domain with an overview of 225 (sic) concrete protocols. The second edition of the book is partitioned into 9 chapters and two appendices, featuring three new chapters compared to the first edition. The rich material added to this book shows that protocols and key establishment are still an active area of research to this day.
The book provides everything the reader needs to understand about the topic, from the basics to the most recent research and standards. The reader should expect thorough and dense material, with protocol notation, protocol examples, computational model explanations, and lessons learned from many years of protocol development. The first chapter contains an overview of the basic terms and concepts, such as protocol architectures, key generation, cryptographic tools, adversarial capabilities (what can the adversary do?), and protocol goals (authentication, key establishment, entity authentication, etc.). A worked-out example of a protocol with an attack, a fix, and yet another attack on the fix demonstrates the workings of continued protocol analysis. The last part of the chapter has a brief overview of formal protocol verification tools such as the NRL Protocol Analyzer, FDR, Maude-NPA, ProVerif, and Scyther and Tamarin. The second chapter introduces the importance of computational models in the proof of security of a protocol. This new chapter covers the computational models from two well-known models, the Bellare-Rogaway model (BR93) and Canetti-Krawczyk (CK01) model, up to the most recent extensions (such as LaMacchia et al.'s eCK, Menezes et al.'s MU08, Cremers et al.'s eCK-PFS, and Saar et al.'s seCK). These newer computational models add more capabilities to the adversary (e.g. getting intermediate results from a cryptographic computation) and therefore bring a variety of evaluation approaches for protocols. The authors show how these various models can be applied to single and group key exchanges, for example.
The third chapter covers protocols using shared key cryptography and discusses entity authentication protocols (such as the Woo-Lam authentication protocol), server-less key establishment protocols (such as the Andrew Secure RPC protocol), server-based key establishment protocols (such as the Needham-Schroeder Shared Key protocol and the Kerberos protocol), and more. The reader is walked through a series of attacks and fixes, and learns to identify flaws and understand the fixes and their limitations. The fourth chapter then goes on to talk about authentication and key transport using public key cryptography. Here we find the all too familiar Needham-Schroeder Public Key protocol, the Public Key Kerberos protocol, X.509 protocols, and several protocols from the ISO/IEC standard for entity authentication. The fifth chapter turns to key agreement protocols, where the reader learns about key derivation functions, key-share attacks, classes of key agreement, and generic ways to construct protocols from weaker components. The rest of the chapter is dedicated to discussing a variety of key agreement protocols, including one well-known one from the world of virtual private networks, IKEv2, and approaches to attack these protocols. The sixth chapter is on transport layer security, the TLS protocol most people will use in their browser, alone. Due to the scrutiny this protocol (along with its predecessor SSL) has received over the last 20+ years, the dedication of a full chapter to this protocol is more than justified. The authors have broken down the attacks by type, focusing on which aspect of the TLS framework the attack works: attacks on the core cryptography (such as Bleichenbacher's attack), crypto usage in ciphersuites (such as the BEAST or POODLE attacks), TLS protocol functionality (such as the DROWN or CRIME attacks), implementation issues (such as "goto fail:", Heartbleed, and weak random number generation), and application-level problems (such as SSL stripping).
This chapter covers everything SSL/TLS all the way up to TLSv1.3. The seventh chapter goes on to identity-based key agreement schemes, another new chapter (along with the second and sixth) to cover new topics such as pairing-based ID-based schemes. There has been much development in this area, hence once again the dedication of an entirely new chapter. Starting from the classical Okamoto scheme, the reader is invited to explore new approaches such as Smart's pairing-based ID-based key agreement scheme and variants thereof, up to ID-based key agreement schemes with additional properties, such as protocols with multiple key generation centers. The eighth chapter describes the classical PAKE, the Password-based Authenticated Key Exchange protocols, which have been around for about 30 years. From Bellovin and Merritt's EKE to multi-party PAKE, the full spectrum of such protocols with their assumptions and pitfalls is shown. The ninth chapter rounds off the book with group key establishment, including Diffie-Hellman generalizations, and explorations of variants without Diffie-Hellman or using identity-based approaches. The chapter shows how much progress there has been with group key agreement protocols in the last 10-15 years. Appendix A lists the relevant standards for these protocols. Both international and US-based standards are discussed, sourcing the information from ISO, IETF, IEEE, NIST, and ANSI. Moreover some purpose-specific protocols are also listed, such as EMV (aka "Chip and PIN" for your credit or bank card), Bluetooth device communications, Tor anonymous browsing, Off-the-Record messaging (OTR), and the Signal protocol for secure messaging and calling. Appendix B engages the reader in a tutorial on building an actual key establishment protocol. It starts from a naive outlook for a protocol and slowly builds up the security assumptions and requirements, iterating step by step through a series of attacks and fixes up to a workable protocol. 
The chapter wraps up with Abadi and Needham's design principles for cryptographic protocols. While some of the old protocols and background have been removed from the second edition, one will have to dust off a first edition copy in order to discover some historical aspects, but this does not take away from the quality of this up-to-date second edition book. The list of references in this second edition, nearing almost 800 entries, is quite an impressive collection for anyone seeking to explore the topic. Colin Boyd, Anish Mathuria, and Doug Stebila are experts in their field that have delivered a solid technical book on protocols and key establishment. This book is a must-have for the real (or virtual, since there is an e-Book!) library for anyone interested in this area. I truly enjoyed reading this book as it brought me back to the beginning of my academic career, when I looked at formally analyzing security of protocols such as SSL.

-----------------------------------
Sven Dietrich reviews technology and security books for IEEE Cipher. He welcomes your thoughts at spock at ieee dot org

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

-------------------
Google's Big Health Move: A Reach Too Far?

I'm the Google whistleblower. The medical data of millions of Americans is at risk.
The Guardian
By Anonymous
November 14, 2019
https://www.theguardian.com/commentisfree/2019/nov/14/im-the-google-whistleblower-the-medical-data-of-millions-of-americans-is-at-risk

Summary: A Google employee revealed that the company's Nightingale project is using AI to analyze personal health records for a major health care provider (Ascension).
The employee raised concerns about the privacy of the patients because the data is not de-identified and the patients did not have a chance to opt-out of the process. Google engineers have, in some cases, directly accessed personal records.

---------------------------
Will Google get away with grabbing 50m Americans' health records?
Google's reputation has remained relatively unscathed despite behaviors similar to Facebook's. This could be the tipping point
The Guardian
November 14, 2019
By Julia Carrie Wong
https://www.theguardian.com/technology/2019/nov/14/google-healthcare-data-ascension

Summary: This opinion piece asks if Google's privacy policies will become as scorned as Facebook's policies were in the wake of the Cambridge Analytica scandal. The Nightingale project has been criticized by a whistleblower.

---------------------------
Google Is Basically Daring the Government to Block Its Fitbit Deal.
The company's moves into health data will test how serious antitrust enforcers are about privacy issues.
Wired
Nov. 13, 2019
by Gilad Edelman
https://www.wired.com/story/google-fitbit-project-nightingale-antitrust/

Summary: Even before project Nightingale was revealed, consumer advocates expressed concern about the amount of personal data being amassed by Google. The company's plans to acquire Fitbit accentuated those concerns, and at least one antitrust official at the Department of Justice discussed the possibility of such data becoming a factor in merger approvals. Google insists that there is not a problem and that the Fitbit data won't be used for targeted advertising, but Google's record on such promises is not clean. The article notes that Google and Ascension say that their project is permitted under the HIPAA regulations because Ascension is developing personalized health care management for its members and is not selling the data to third parties.
---------------------------
Privacy, consumer groups seek to block Google-Fitbit deal, citing antitrust and privacy concerns
https://consumerfed.org/wp-content/uploads/2019/11/Opposition-Letter-GoogleFitbit-Merger.pdf

Summary: This request to block the merger of Google and Fitbit asks that the FTC use its authority under the Celler-Kefauver Act to avoid a future where Google is "at the center of all services".

---------------------------
Facebook Developers Scorn Privacy

Facebook Privacy Breach: 100 Developers Improperly Accessed Data
Threatpost
November 6, 2019
By Lindsey O'Donnell
https://threatpost.com/facebook-privacy-breach-developers-group-data/149930/

Summary: Facebook's third-party app developers weren't supposed to get information about group memberships for users who had not opted in to such disclosures, but there was a glitch. In fact, developers in many cases were able to access member profiles without restrictions. "... as part of an ongoing review of the ways people can use Facebook to share data with outside companies, we recently found that some apps retained access to group member information for longer than we intended," a Facebook spokesperson told Threatpost. Some observers applaud Facebook's identification of the problem and its plans to fix it, but others feel the company was sloppy in not finding and fixing the problems a year ago.

---------------------------
If Lasers Could Talk ...

A laser pointer could hack your voice-controlled virtual assistant.
Researchers identified a vulnerability that allows a microphone to 'unwittingly listen to light as if it were sound'.
University of Michigan
November 5, 2019
Contact: Nicole Casal Moore
https://news.umich.edu/a-laser-pointer-could-hack-your-voice-controlled-virtual-assistant/

Summary: A surprising linkage between light and sound was discovered by researchers looking at how lasers affect mobile device microphones.
The laser beam can cause the microphone to vibrate, and by careful manipulation of the light, the microphone will react as though it were detecting a human voice.

---------------------------
CapitalOne's Data Breach

Information on the Capital One Cyber Incident
Capital One Financial Corporation Press Release
September 23, 2019
https://www.capitalone.com/facts2019/

Summary: Though data breaches are all too common, almost too common to note, having over 100 million credit card applications disclosed to an outside party is still something to perk up the ears of any security professional. CapitalOne detected the breach in mid-July and notified the FBI. The perpetrator was apprehended and CapitalOne is trying to help affected customers monitor their credit data.

---------------------------
Capital One replaces security chief after data breach
TechCrunch
November 7, 2019
By Zack Whittaker
https://techcrunch.com/2019/11/07/capital-one-security-chief-shuffle/

Summary: The CISO of CapitalOne was shunted aside after the data breach in July, and the CIO of the commercial banking division replaced him. The FBI took a Seattle resident into custody. This person was a former Amazon Web Services employee and may have hacked into data for other companies.

---------------------------
ATMs Insecure on LANs

Nautilus ATM Flaws Could Allow Hackers Access to Cash, Data
Bloomberg News
November 11, 2019
By William Turton
https://www.bloomberg.com/news/articles/2019-11-11/security-researchers-discover-flaws-in-u-s-cash-machines

Summary: Nautilus Hyosung America, Inc. is the largest provider of ATMs in the US, and security flaws in their products were discovered by Red Balloon Security. Although the two flaws required access to the local network of the ATM, they laid the machines bare to simple attacks. Nautilus says no exploits occurred.
====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

(Nothing new since Cipher E151)

--------------
This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

Requests for inclusion in the list should be sent per instructions: http://www.ieee-security.org/Calendar/submitting.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

11/26/19-11/28/19: ISPEC, 15th International Conference on Information Security Practice and Experience, Kuala Lumpur, Malaysia; http://ccs.research.utar.edu.my/ispec2019/ 11/27/19: DAC, Design Automation Conference, Moscone Center West, San Francisco, CA, USA; https://dac.com/call-for-contributions Submissions are due 11/30/19: Springer Human-centric Computing and Information Sciences, Thematic Issue on Security, trust and privacy for Human-centric Internet of Things; https://toit.acm.org/pdf/ACM-ToIT-CfP-Decentralized_Blockchain_Applications.pdf Submissions are due 11/30/19: PETS, 20th Privacy Enhancing Technologies Symposium,
Montreal, Canada; https://petsymposium.org Submissions are due 12/ 1/19: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2020/ Submissions are due (monthly deadlines) 12/ 7/19-12/ 8/19: BlockSys, International Conference on Blockchain and Trustworthy Systems, Guangzhou, China; http://blocksys.info/ 12/10/19: ICSS, 5th Industrial Control System Security Workshop, Held in conjunction with the Annual Computer Security Applications Conference (ACSAC 2019), San Juan, Puerto Rico; https://www.acsac.org/2019/workshops/icss/ICSS_2019_CFP.pdf 12/10/19: IEEE Transactions on Emerging Topics in Computing (TETC) and Transactions on Dependable and Secure Computing (TDSC), Joint Special Section on Secure and Emerging Collaborative Computing and Intelligent Systems; https://www.computer.org/digital-library/journals/ec/call-for-papers-joint-special-section-on-secure-and-emerging-collaborative-computing-and-intelligent-systems Submissions are due 12/10/19-12/11/19: WISTP, 13th WISTP International Conference on Information Security Theory and Practice, Paris, France; http://www.wistp.org 12/16/19-12/19/19: ICISS, 15th International Conference on Information Systems Security, Hyderabad, India; http://idrbt.ac.in/ICISS-2019/ 1/ 1/20: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2020/ Submissions are due (monthly deadlines; see CFP) 1/ 6/20- 1/ 8/20: IFIP11.9-DF, 16th Annual IFIP WG 11.9 International Conference on Digital Forensics, New Delhi, India; http://www.ifip119.org/ 1/15/20: IEEE Transaction on Computers, Special Issue on Hardware Security; https://www.computer.org/digital-library/journals/tc/call-for-papers-special-issue-on-hardware-security Submissions are due 1/15/20: EdgeBlock, IEEE International Symposium on Edge Computing Security and Blockchain, Co-located with IEEE INFOCOM 2020, Beijing, China; 
https://infocom2020.ieee-infocom.org/symposium-edge-computing-security-and-blockchain Submissions are due 1/18/20: CNS, 8th IEEE Conference on Communications and Network Security, Avignon, France; https://cns2020.ieee-cns.org/ Submissions are due 1/31/20: SADFE, 13th International Conference on Systematic Approaches to Digital Forensic Engineering, New York, NY, USA; http://www.sadfe.org/conference.html Submissions are due 2/10/20: CPSS, 6th ACM Cyber-Physical System Security Workshop, Held in conjunction with ACM AsiaCCS 2020, Taipei, Taiwan; https://www.nics.uma.es/pub/CPSS2020/ Submissions are due 2/10/20: SACMAT, 25th ACM Symposium on Access Control Models and Technologies, Barcelona, Spain; http://www.sacmat.org/ Submissions are due 2/15/20: USENIX-Security, 29th USENIX Security Symposium, Boston, MA, USA; https://www.usenix.org/conference/usenixsecurity20/call-for-papers Submissions are due 2/15/20: DASC, 18th IEEE International Conference on Dependable, Autonomic and Secure Computing, Calgary, Canada; http://cyber-science.org/2020/dasc/ Submissions are due 2/23/20- 2/26/20: NDSS, Network and Distributed System Security Symposium, San Diego, CA, USA; https://www.ndss-symposium.org/ndss2020/call-for-papers/ 2/29/20: PETS, 20th Privacy Enhancing Technologies Symposium, Montreal, Canada; https://petsymposium.org Submissions are due 4/27/20: EdgeBlock, IEEE International Symposium on Edge Computing Security and Blockchain, Co-located with IEEE INFOCOM 2020, Beijing, China; https://infocom2020.ieee-infocom.org/symposium-edge-computing-security-and-blockchain 5/ 4/20- 5/ 7/20: HOST, 13th IEEE International Symposium on Hardware Oriented Security and Trust, San Jose, CA, USA; http://www.hostsymposium.org/ 5/14/20- 5/15/20: SADFE, 13th International Conference on Systematic Approaches to Digital Forensic Engineering, New York, NY, USA; http://www.sadfe.org/conference.html 5/18/20- 5/20/20: SP, 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA; 
https://www.ieee-security.org/TC/SP2020/ 5/30/20: IEEE Transactions on Intelligent Transportation Systems, Special Issue on Deep Learning Models for Safe and Secure Intelligent Transportation Systems; http://jolfaei.info/IEEE-TITS.html Submissions are due 6/ 1/20: CPSS, 6th ACM Cyber-Physical System Security Workshop, Held in conjunction with ACM AsiaCCS 2020, Taipei, Taiwan; https://www.nics.uma.es/pub/CPSS2020/ 6/10/20- 6/12/20: SACMAT, 25th ACM Symposium on Access Control Models and Technologies, Barcelona, Spain; http://www.sacmat.org/ 6/16/20- 6/18/20: EuroSP, 5th IEEE European Symposium on Security and Privacy, Genova, Italy; https://www.ieee-security.org/TC/EuroSP2020/ 6/22/20- 6/26/20: DASC, 18th IEEE International Conference on Dependable, Autonomic and Secure Computing, Calgary, Canada; http://cyber-science.org/2020/dasc/ 6/29/20- 7/ 1/20: CNS, 8th IEEE Conference on Communications and Network Security, Avignon, France; https://cns2020.ieee-cns.org/ 7/14/20- 7/18/20: PETS, 20th Privacy Enhancing Technologies Symposium, Montreal, Canada; https://petsymposium.org 7/19/20- 7/23/20: DAC, Design Automation Conference, Moscone Center West, San Francisco, CA, USA; https://dac.com/call-for-contributions 8/12/20- 8/14/20: USENIX-Security, 29th USENIX Security Symposium, Boston, MA, USA; https://www.usenix.org/conference/usenixsecurity20/call-for-papers

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E151)
___________________________________________________________________

SP 2020 41st IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 18-20, 2020. (Submissions due first day of each month)
https://www.ieee-security.org/TC/SP2020/

Since 1980 in Oakland, the IEEE Symposium on Security and Privacy has been the premier forum for computer security research, presenting the latest developments and bringing together researchers and practitioners.
We solicit previously unpublished papers offering novel research contributions in any aspect of security or privacy. Papers may present advances in the theory, design, implementation, analysis, verification, or empirical evaluation and measurement of secure systems. Topics of interest include: - Access control and authorization - Anonymity - Application security - Attacks and defenses - Authentication - Blockchains and distributed ledger security - Censorship resistance - Cloud security - Cyber physical systems security - Distributed systems security - Economics of security and privacy - Embedded systems security - Forensics - Hardware security - Intrusion detection and prevention - Malware and unwanted software - Mobile and Web security and privacy - Language-based security - Machine learning and AI security - Network and systems security - Privacy technologies and mechanisms - Protocol security - Secure information flow - Security and privacy for the Internet of Things - Security and privacy metrics - Security and privacy policies - Security architectures - Usable security and privacy - Trustworthy computing - Web security This topic list is not meant to be exhaustive; S&P is interested in all aspects of computer security and privacy. Papers without a clear application to security or privacy, however, will be considered out of scope and may be rejected without full review. Systematization of Knowledge Papers As in past years, we solicit systematization of knowledge (SoK) papers that evaluate, systematize, and contextualize existing knowledge, as such papers can provide a high value to our community. Suitable papers are those that provide an important new viewpoint on an established, major research area, support or challenge long-held beliefs in such an area with compelling evidence, or present a convincing, comprehensive new taxonomy of such an area. Survey papers without such insights are not appropriate. 
Submissions will be distinguished by the prefix "SoK:" in the title and a checkbox on the submission form. They will be reviewed by the full PC and held to the same standards as traditional research papers, but they will be accepted based on their treatment of existing work and value to the community, and not based on any new research results they may contain. Accepted papers will be presented at the symposium and included in the proceedings. Workshops The Symposium is also soliciting submissions for co-located workshops. Further details on submissions can be found at https://www.ieee-security.org/TC/SP2020/workshops.html. Ongoing Submissions To enhance the quality and timeliness of the scientific results presented as part of the Symposium, and to improve the quality of our reviewing process, IEEE S&P now accepts paper submissions 12 times a year, on the first of each month. The detailed process can be found at the conference call-for-papers page. ------------------------------------------------------------------------- DAC 2020 Design Automation Conference, Moscone Center West, San Francisco, CA, USA, July 19 - 23, 2020. (Submissions due 27 November 2019) https://dac.com/call-for-contributions For 57 years, the Design Automation Conference (DAC) has been recognized as the leading-edge conference on research and practice in tools and methodologies for the design and design automation of electronic circuits and systems. DAC offers outstanding training, education, exhibits and networking opportunities for a worldwide community of designers, researchers, tool developers and vendors. Submissions are invited for Special Sessions, Designer Track, IP and Embedded Systems Track papers and presentations, poster sessions, panels, workshops, tutorials and co-located conferences. Criteria, topics and deadlines for the major tracks are outlined briefly below. 
Security and Privacy sessions at DAC address an urgent need to create, analyze, evaluate, and improve the hardware, embedded systems and software base of contemporary security solutions. Secure and trustworthy software and hardware components, platforms and supply chains are vital to all domains including financial, healthcare, transportation, and energy. A revolution is underway in many industries that are "connecting the unconnected." Such cyber-physical systems -- e.g., automobiles, smart grid, medical devices, etc. -- are taking advantage of integration of physical systems with information systems. Notwithstanding the numerous benefits, these systems are appealing targets of attacks. The scope and variety of attacks on these systems present design challenges that span embedded hardware, software, networking, and system design. ------------------------------------------------------------------------- Springer Human-centric Computing and Information Sciences, Thematic Issue on Security, trust and privacy for Human-centric Internet of Things, (Submissions due 30 November 2019) https://toit.acm.org/pdf/ACM-ToIT-CfP-Decentralized_Blockchain_Applications.pdf Guest Editors: Kim-Kwang Raymond Choo (University of Texas at San Antonio, USA), Uttam Ghosh (Vanderbilt University, USA), Deepak Tosh (University of Texas El Paso, USA), Reza M. Parizi (Kennesaw State University, USA), and Ali Dehghantanha (University of Guelph, Canada). Cyber-physical system (CPS) integrates both cyber world and man-made physical world using sensors, actuators and other Internet of Things (IoT) devices, to achieve stability, security, reliability, robustness, and efficiency in a tightly coupled environment. Prevalence of such cyber-physical ecosystem (inherently of distributed nature) imposes exacting demands on architect models and necessitates the design of distributed solutions and other novel approaches. 
This is essential in order to suitably address the security and privacy concerns, since the CPS ecosystem involves humans as a part of its core. Blockchain technology offers a distributed and scalable solution to maintain a tamper-resistant ledger, which does not require a central authority. Thus, it can best fit the need for a distributed solution to the above-mentioned security issues in CPS. However, the challenge in integrating Blockchain with CPS is yet to be addressed, which requires various cyber-physical nodes to work effectively and collaboratively in an asynchronous environment. The goal of this special issue is to bring together researchers from different sectors to focus on understanding security challenges and attack surfaces of modern cyber-physical systems, and architect innovative solutions with the help of cutting-edge blockchain related technologies. Potential topics include but are not limited to the following:
- Blockchain and mobile systems
- Security of transportation system using blockchain
- Use of blockchain to support mobile smart services and applications
- Blockchain in edge and cloud computing
- Blockchain schemes for decentralized secure transaction
- Distributed ledger and consensus schemes for CPS
- Performance optimization of blockchain and decentralized schemes
- Energy aware protocols and blockchain applications
- Fault tolerance and blockchain for CPS
- Decentralized (mobile) processing, computing, and storage infrastructure
- Blockchain for Software-defined networking based CPS
- Cybersecurity, protection, integrity, trust and privacy issues for SDN-based CPS
- Blockchain and smart contracts for CPS security

-------------------------------------------------------------------------
IEEE Transactions on Emerging Topics in Computing (TETC) and Transactions on Dependable and Secure Computing (TDSC), Joint Special Section on Secure and Emerging Collaborative Computing and Intelligent Systems,
(Submissions due 10 December 2019)
https://www.computer.org/digital-library/journals/ec/call-for-papers-joint-special-section-on-secure-and-emerging-collaborative-computing-and-intelligent-systems

Guest Editors: Yuan Hong (Illinois Institute of Tech, USA), Valerie Issarny (Inria, France), Surya Nepal (CSIRO, Australia), and Mudhakar Srivatsa (IBM Research, USA).

The Internet coupled with recent advances in computing and information technologies such as IoT, mobile Edge/Cloud computing, cyber-physical-social systems, Artificial Intelligence/Machine Learning/Deep Learning, etc., have paved the way for creating next generation smart and intelligent systems and applications that can have transformative impact in our society while accelerating rapid scientific discoveries and innovations. Unprecedented cyber-social, and cyber-physical infrastructures and systems that span geographic boundaries are possible because of the Internet and the growing number of collaboration enabling technologies. With newer technologies and paradigms getting increasingly embedded in the computing platforms and networked information systems/infrastructures that form the digital foundation for our personal, organizational and social processes and activities, it is increasingly becoming critical that the trust, privacy and security issues in such digital environments are holistically addressed to ensure the safety and well-being of individuals as well as our society. IEEE TETC and TDSC seek original manuscripts for a Special Issue/Section on Collaborative Computing and Intelligent Systems, covering the entire spectrum of relevant research activities from infrastructures, models, and systems to applications, and all of the security, privacy and trust aspects therein.

Specific topics of interest include, but are not limited to:
- Security, Privacy and Trust in Collaborative Computing: secure interoperation of interacting/collaborative systems, secure data management, practical privacy and integrity mechanisms for outsourcing
- Emerging Internet-scale collaborative computing technologies: Cloud to fog/edge computing, data and service models and metrics, big data analytics for data-driven collaboration, cognitive collaboration
- Security, Privacy and Trust in AI/ML: Trusted AI, ML and deep learning, Privacy-preserving ML and deep learning, Attacks on ML and defense, Adversarial Machine Learning for security and privacy of computing
- Crowdsourcing computing approaches: collaborative search and question answering, human computation, social computing, crowdsourcing and citizen science
- Security, Privacy and Trust in Cyber-physical environments: Security and privacy in IoT, Trust, privacy and security for smart cities and urban computing, Trust, security and safety in supply-chain environments and critical infrastructures
- Collaboration in modern and emerging computing environments: Collaboration in pervasive and cloud computing environments, Blockchain/Distributed ledger for e-mobile commerce and intelligent applications
- Security, Privacy and Trust in Digital payments and cryptocurrencies: Anonymity, deanonymization and privacy in blockchain systems, Provenance and trust in blockchain systems, New forms of blockchains and consensus mechanisms and their impact upon trust
- Emerging Collaborative computing Applications: smart cities, disaster/crisis management, resilient critical infrastructures and collaboration for personalized services.

-------------------------------------------------------------------------
IEEE Transactions on Computers, Special Issue on Hardware Security,
(Submissions due 15 January 2020)
https://www.computer.org/digital-library/journals/tc/call-for-papers-special-issue-on-hardware-security

Guest Editors: Amro Awad (University of Central Florida, USA) and Rujia Wang (Illinois Institute of Technology, USA).

Recently, the hardware of computing systems has been a major target for cyber attacks. Unlike software vulnerabilities, hardware attacks and vulnerabilities can be difficult to detect, isolate or prevent. Such hardware attacks include adversarial bus snoopers, hardware trojans, and physical access to the system. Additionally, side-channel attacks and covert-channel attacks typically exploit unanticipated information leakage due to hardware implementation or resource sharing. The recent Meltdown and Spectre attacks are prominent examples of vulnerabilities resulting mainly from specific hardware implementations. Moreover, emerging memory technologies, such as non-volatile memories (NVMs), further facilitate hardware attacks due to data remanence. Finally, in cloud systems where limited control of the surrounding environment is an acceptable trade-off, the presence of hardware attacks and vulnerabilities becomes even more plausible. In this special issue on Hardware Security for IEEE Transactions on Computers (TC), we invite original articles that address issues related to the security of hardware components of computing systems.

Topics of interest to this special issue include, but are not limited to:
- Security Analysis of Commercial Trusted Execution Environments (TEEs)
- Performance Optimizations for Secure Hardware Architectures
- New Attack Models, Vulnerabilities, and Countermeasures for Emerging Architectures and Technologies
- Software Support (e.g., compiler passes) for Leveraging Architectural Support for Security
- Architectural Optimizations for Security Primitives, such as Oblivious RAM (ORAM), Homomorphic Encryption (HE), etc.
- Mitigations of Hardware Vulnerabilities, Such as Safe Speculation and Hardware Partitioning
- Secure-by-Design Hardware Architectures, Especially for Emerging Processors (e.g., RISC-V)
- Secure Storage and Memory Systems
- Hardware Support for Detecting Anomalies (e.g., Hardware Trojans)
- Architectural and System Support for Privacy-Preserving Computation

-------------------------------------------------------------------------
EdgeBlock 2020 IEEE International Symposium on Edge Computing Security and Blockchain, Co-located with IEEE INFOCOM 2020, Beijing, China, April 27, 2020.
(Submissions due 15 January 2020)
https://infocom2020.ieee-infocom.org/symposium-edge-computing-security-and-blockchain

EdgeBlock 2020 is an international forum for researchers to present their latest research and perspectives on the intersection of blockchain and edge computing (including Internet of Things - IoT). This is an interdisciplinary area that is of increasing importance. For example, in our new networked society there is a broad range of IoT devices and cyber physical systems around us, and data from these devices and systems generated at the edge of the network are being sent to some edge devices or the cloud servers for processing and storage. The utility of blockchain in a number of applications, including to secure data-in-transit and data-at-rest in IoT and cyber physical systems, has also been explored in the research community.
This is not surprising due to the inherent features of blockchain, such as decentralization and immutability. Therefore, in this workshop we are interested in determining how we can leverage blockchain characteristics to establish trusted environments for IoT, social networking, cyber security and other commercial applications.

-------------------------------------------------------------------------
CNS 2020 8th IEEE Conference on Communications and Network Security, Avignon, France, June 29 - July 1, 2020.
(Submissions due 18 January 2020)
https://cns2020.ieee-cns.org/

The IEEE Conference on Communications and Network Security (CNS) is a premier forum for cybersecurity researchers, practitioners, policy makers, and users to exchange ideas, techniques and tools, raise awareness, and share experiences related to all practical and theoretical aspects of communications and network security. The conference seeks submissions from academia, government, and industry presenting novel research results in communications and network security. Particular topics of interest include, but are not limited to:
- Anonymity and privacy technologies
- Biometric authentication and identity management
- Censorship countermeasures and privacy
- Combating cyber-crime (anti-spam, anti-phishing, anti-fraud techniques, etc.)
- Computer and network forensics
- Cyber deterrence strategies
- Data and application security
- Data protection and integrity
- Game-theoretic security technologies
- Implementation and evaluation of networked security systems
- Information-theoretic security
- Intrusion detection, prevention, and response
- Key management, public key infrastructures, certification, revocation, and authentication
- Malware detection and mitigation
- Security metrics and models
- Physical-layer and cross-layer security technologies
- Security and privacy for big data
- Security and privacy for data and network outsourcing services
- Security and privacy for mobile and wearable devices
- Security and privacy in cellular networks
- Security and privacy in cloud and edge computing
- Internet Security: Protocols, standards, measurements
- Security and privacy in crowdsourcing
- Security and privacy in cyber-physical systems
- Security and privacy in emerging wireless technologies and applications (dynamic spectrum sharing, cognitive radio networks, millimeter wave communications, MIMO systems, smart/connected vehicles, UAS, etc.)
- Security and privacy in peer-to-peer and overlay networks
- Security and privacy in WiFi, ad hoc, mesh, sensor, vehicular, body-area, disruption/delay tolerant, and social networks
- Security and privacy in smart cities, smart and connected health, IoT, and RFID systems
- Security for critical infrastructures (smart grids, transportation systems, etc.)
- Security for future Internet architectures and designs
- Security for software-defined and data center networks
- Security in machine learning
- Social, economic, and policy issues of trust, security, and privacy
- Traffic analysis
- Usable security and privacy
- Web, e-commerce, m-commerce, and e-mail security

-------------------------------------------------------------------------
SADFE 2020 13th International Conference on Systematic Approaches to Digital Forensic Engineering, New York, NY, USA, May 14-15, 2020.
(Submissions due 31 January 2020)
http://www.sadfe.org/conference.html

The 13th International Conference on Systematic Approaches to Digital Forensic Engineering (SADFE) is calling for paper, panel, poster, and tutorial submissions in the broad field of Digital Forensics from both practitioners' and researchers' perspectives. With the dynamic change and rapid expansion of the types of electronic devices, networked applications, and investigation challenges, systematic approaches for automating the process of gathering, analyzing and presenting digital evidence are in unprecedented demand. The SADFE conference aims at promoting solutions for related problems. Past speakers and attendees of SADFE have included computer scientists, social scientists, forensic practitioners, lawyers and judges. The synthesis of hard technology and science with social science and practice forms the foundation of this conference. Papers focusing on any of the system, legal, or practical aspects of digital forensics are solicited.

-------------------------------------------------------------------------
CPSS 2020 6th ACM Cyber-Physical System Security Workshop, Held in conjunction with ACM AsiaCCS 2020, Taipei, Taiwan, June 1, 2020.
(Submissions due 10 February 2020)
https://www.nics.uma.es/pub/CPSS2020/

Cyber-Physical Systems (CPS) of interest to this workshop consist of large-scale interconnected systems of heterogeneous components interacting with their physical environments. There exist a multitude of CPS devices and applications deployed to serve critical functions in our lives thus making security an important non-functional attribute of such systems. This workshop will provide a platform for professionals from academia, government, and industry to discuss novel ways to address the ever-present security challenges facing CPS. We seek submissions describing theoretical and practical solutions to security challenges in CPS. Submissions pertinent to the security of embedded systems, IoT, SCADA, smart grid, and other critical infrastructure are welcome.

-------------------------------------------------------------------------
SACMAT 2020 25th ACM Symposium on Access Control Models and Technologies, Barcelona, Spain, June 10-12, 2020.
(Submissions due 10 February 2020)
http://www.sacmat.org/

The organizing committee of the 25th ACM Symposium on Access Control Models and Technologies (SACMAT 2020) invites contributions on all aspects of access control. The symposium will provide participants the opportunity to present work at different levels of development, from early work on promising ideas to fully developed technical results as well as system demonstrations. The symposium will feature a Best Paper Award. The program will include keynote talks, research paper presentations, demos, a panel, and a poster session. Papers offering novel research contributions are solicited for submission. Accepted papers will be presented at the symposium and published by the ACM in the symposium proceedings. In addition to the regular research track, this year SACMAT will again host a special track: Blue Sky/Vision Track.
Researchers are invited to submit papers describing promising new ideas and challenges of interest to the community as well as access control needs emerging from other fields. We are particularly looking for potentially disruptive and new ideas which can shape the research agenda for the next 10 years. We encourage submissions that present ideas that may have not been completely developed and experimentally evaluated.

-------------------------------------------------------------------------
USENIX-Security 2020 29th USENIX Security Symposium, Boston, MA, USA, August 12-14, 2020.
(Submissions due 15 May 2019, 23 August 2019, 15 November 2019, and 15 February 2020)
https://www.usenix.org/conference/usenixsecurity20/call-for-papers

The USENIX Security Symposium brings together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the security and privacy of computer systems and networks. All researchers are encouraged to submit papers covering novel and scientifically significant practical works in computer security. The Symposium will span three days with a technical program including refereed papers, invited talks, posters, panel discussions, and Birds-of-a-Feather sessions. Co-located events will precede the Symposium on August 10 and 11.

-------------------------------------------------------------------------
DASC 2020 18th IEEE Int'l Conference on Dependable, Autonomic and Secure Computing, Calgary, Canada, June 22-26, 2020.
(Submissions due 15 February 2020)
http://cyber-science.org/2020/dasc/

IEEE DASC 2020 aims to bring together computer scientists, industrial engineers, and researchers to discuss and exchange experimental and theoretical results, novel designs, work-in-progress, experience, case studies, and trend-setting ideas in the areas of dependability, security, trust and/or autonomic computing systems.

Topics of particular interest include, but are not limited to, the following tracks:
Track 1. Dependable and Fault-tolerant Computing
Track 2. Network and System Security and Privacy
Track 3. Autonomic Computing and Autonomous Systems
Track 4. Industrial Applications and Emerging Techniques

-------------------------------------------------------------------------
PETS 2020 20th Privacy Enhancing Technologies Symposium, Montreal, Canada, July 14-18, 2020.
(Submissions due 31 May 2019, 31 August 2019, 30 November 2019, and 29 February 2020)
https://petsymposium.org

The annual Privacy Enhancing Technologies Symposium (PETS) brings together privacy experts from around the world to present and discuss recent advances and new perspectives on research in privacy technologies. The 20th PETS event will be organised by Concordia University and the Universite du Quebec a Montreal and held in Montreal, Canada, on a date in 2020 yet to be determined. Papers undergo a journal-style reviewing process, and accepted papers are published in the journal Proceedings on Privacy Enhancing Technologies (PoPETs). PoPETs, a scholarly, open-access journal for research papers on privacy, provides high-quality reviewing and publication while also supporting the successful PETS community event. PoPETs is published by Sciendo, part of De Gruyter, which has over 260 years of publishing history. PoPETs does not have article processing charges (APCs) or article submission charges. Authors can submit papers to PoPETs four times a year, every three months, and are notified of the decisions about two months after submission. In addition to accept and reject decisions, papers may receive resubmit with major revisions decisions, in which case authors are invited to revise and resubmit their article to one of the following two issues. We endeavor to assign the same reviewers to revised submissions. Each paper accepted in the PoPETs 2020 volume must be presented in person at the PETS 2020 symposium.

-------------------------------------------------------------------------
IEEE Transactions on Intelligent Transportation Systems, Special Issue on Deep Learning Models for Safe and Secure Intelligent Transportation Systems,
(Submissions due 30 May 2020)
http://jolfaei.info/IEEE-TITS.html

Guest Editors: Alireza Jolfaei (Macquarie University, Australia), Neeraj Kumar (Thapar Institute of Engineering and Technology, India), Min Chen (Huazhong University of Science and Technology, China), and Krishna Kant (Temple University, USA).

Autonomous vehicular technology is approaching a level of maturity that gives confidence to the end users in many cities around the world for their usage so as to share the roads with manual vehicles. Autonomous and manual vehicles have different capabilities which may result in surprising safety, security and resilience impacts when mixed together as a part of an Intelligent Transportation System (ITS). For example, autonomous vehicles are able to communicate electronically with one another, make fast decisions and associated actuation, and generally act deterministically. In contrast, manual vehicles cannot communicate electronically, are limited by the capabilities and slow reaction of human drivers, and may show some uncertainty and even irrationality in behaviour due to the involvement of humans. At the same time, humans can react properly to more complex situations than autonomous vehicles. Unlike manual vehicles, the security of computing and communications of autonomous vehicles can be compromised thereby precluding them from achieving individual or group goals. Given the expected mixture of autonomous and manual vehicles that is expected to persist for many decades, safety and security issues for a mixture of autonomous and manual vehicles are crucial to investigate before autonomous vehicles enter our roadways in numbers.

To improve the safety and security of the transportation system, artificial intelligence (AI) based techniques and deep learning models have extensively been applied to data-driven ITS models. Despite the pioneering works on the integration of ITS data with deep learning techniques, such techniques still require more accurate perception since the false positives generated during the execution of the algorithms can perturb the utility of real-time data analytics, particularly for safety applications in ITS. More importantly, the recent breakthrough in generative adversarial networks in machine learning better demonstrates the criticality of the safety problems in ITS in the presence of advanced persistent threats, as adversarial models can be generated at an accelerating pace. Therefore, it is crucial to understand how both types of vehicles will fare in terms of safety (avoidance of dangerous situations), performance (acceptable delays and throughput), and resilience (fast recovery from dangerous situations) under a variety of uncertain situations without and with attacks on autonomous vehicle communications in the presence of hidden adversaries who exploit machine learning security loopholes. Despite the existing research on cyber-attacks on the functions of individual vehicles, the focus on the interplay of different types of vehicles under the influence of cyber-adversaries is missing. To address the above-mentioned challenges, there is a need for new algorithmic developments beyond traditional topics in big data, deep neural networks, and cyber security. The aim of this special issue is to provide a multi-aspect up-to-date reference for theoretical development of deep learning models and techniques for improving security and safety in ITS.

-------------------------------------------------------------------------
====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum.
It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by completing the on-line form at IEEE at https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________
TC Conference Publications Online
______________________________________________________________________

The proceedings of previous conferences are available from the Computer Society's Digital Library.
    IEEE Security and Privacy Symposium
    IEEE Computer Security Foundations
    IEEE European Security and Privacy Symposium
From 2012 onward, these are available without charge from the digital library 12 months after the conference.

____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________

Chair:
    Sean Peisert
    UC Davis and Lawrence Berkeley National Laboratory
    speisert@ucdavis.edu

Security and Privacy Symposium Chair Emeritus:
    Mark Gondree
    Sonoma State University
    oakland19-chair@ieee-security.org

Vice Chair:
    Ulfar Erlingsson
    Manager, Security Research
    Google
    tcchair at ieee-security.org

Treasurer:
    Yong Guan
    3219 Coover Hall
    Department of Electrical and Computer Engineering
    Iowa State University, Ames, IA 50011
    (515) 294-8378
    yguan (at) iastate.edu

Newsletter Editor:
    Hilarie Orman
    Purple Streak, Inc.
    500 S. Maple Dr.
    Woodland Hills, UT 84653
    cipher-editor@ieee-security.org

Security and Privacy Symposium, 2020 Chair:
    Gabriela Ciocarlie
    SRI International
    oakland20-chair@ieee-security.org

TC Awards Chair:
    EJ Jung
    UCSF
    ejun2 @ usfca.edu
    https://www.usfca.edu/faculty/eunjin-ej-jung

____________________________________________________________________________
BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year