Items from security-related news (E69.Nov-2005)

Special to Cipher, IETF Revises TLS Protocol Specification, by Eric Rescorla and Russ Housley

Transport Layer Security (TLS) [1] is probably the most widely used Internet security protocol. TLS provides a generic secure channel abstraction for use by upper layer application protocols. While originally designed for use with HyperText Transfer Protocol (HTTP) [2], it is also used to secure a wide variety of protocols ranging from the Simple Mail Transport Protocol (SMTP) [3] to the Session Initiation Protocol (SIP) [4].

The IETF has revised TLS, creating TLS 1.1 [5], to address some vulnerabilities and to add new functionality:

  • The initial IETF version of TLS, TLS 1.0, was a revision of the Secure Sockets Layer (SSL) version 3. TLS 1.0 was published in January 1999. TLS 1.1 was approved by the IESG last July, and it is currently in the IETF RFC Editor Queue. TLS 1.1 contains minor improvements to address some recent attacks [6,7] on the Cipher-Block Chaining (CBC) encryption modes used with DES, 3DES, and AES. TLS 1.1 also clarifies a number of interoperability issues.
  • Addition of Camellia Cipher Suites to Transport Layer Security [8] adds support for the Camellia algorithm, which has been standardized by the NESSIE initiative.
  • Addition of SEED Cipher Suites to Transport Layer Security [9] adds support for the SEED algorithm, which is a Korean national standard developed by KISA (Korean Information Security Agency).
  • Pre-Shared Key Ciphersuites for Transport Layer Security [10] allows clients and servers to use a shared symmetric key to authenticate the creation of a TLS connection. This mode is expected to be useful by itself as well as for integration with other authentication protocols. This document is also in the RFC Editor Queue.
  • The TLS Working Group has finished the specification for the use of Elliptic Curve Cryptography (ECC) with TLS [11]. IETF Last Call of this document will complete on November 22nd, and then the IESG will begin its review. The document might be in the RFC Editor queue before the end of the year.
  • In the wake of the recent attacks on MD5 and SHA-1, the TLS Working Group is begining work on TLS 1.2, which will start the transition away from those one-way hash functions. In addition, the TLS Working Group has recently adopted a work item to develop counter mode (CTR) cipher suites for AES. These cipher suites will allow the security of AES with the same low packet space overhead of the RC4 stream cipher.

    Elisa Bertino Receives Computer Society Award; article contributed by Gene Spafford

    Professor Elisa Bertino, CERIAS's Director of Research, has been named as the 2005 recipient of the Computer Society's Tsutomu Kanai Award. The Computer Society of the IEEE makes this award each year. The Tsutomu Kanai Award was created by a generous endowment from Hitachi, Ltd. It recognizes major contributions to state-of-the- art distributed computing systems and their applications. The award consists of a certificate, crystal memento, and a $10,000 honorarium.

    Previous winners of the award are listed at

    This is a major award for outstanding contributions, and it is very well deserved.

    Virgil Gligor to Receive NIST/NSA Security Award; article contributed by Gene Spafford

    Dr. Virgil Gligor, one of the country's pioneering figures in computer security, will be presented with the 2006 National Information Systems Security Award by the National Institute of Standards and Technology and the National Security Agency in a ceremony at the 26th Annual Computer Security Applications Conference in Tucson, AZ On Dec. 6, 2005.

    The award recognizes individuals for scientific or technological breakthroughs, outstanding leadership, highly distinguished authorship, or significant long-term contributions in the computer security field.

    Gligor, a professor of electrical and computer engineering at the University of Maryland, College Park, MD, will receive the prestigious award for his outstanding contributions to advance computer security technology. Gligor has been a leader in computer security research and education for 30 years in a broad range of areas including access control mechanisms, penetration analysis, denial-of-service protection, cryptographic protocols, and applied cryptography.

    Previous winners of this award:

    1988     Steve Walker
    1989     Willis Ware
    1990     Jim Anderson
    1991     Roger Schell
    1992     Walter Tuckman
    1993     Robert Courtney
    1994     Donn Parker
    1995     Dennis Branstad
    1996     Whit Diffie, Martin Hellman, & Ron Rivest
    1997     David Clark
    1998     Butler Lampson
    1999     Dorothy Denning
    2000     Eugene H. Spafford
    2002     Peter G. Neumann
    2005     Virgil Gligor

    Homeland Security's ARPA Stretches Budget for Internet Security, contributed by Richard Schroeppel Original article from InformationWeek, J. Nicholas Hoover
    Nov. 8, 2005

    "With a shrinking budget, the Advanced Research Projects Agency's cyber-security arm has to leverage internal expertise with that of academia and industry to get research done and have products commercialized."

    The article mentions the agency's commercialization focus and its ongoing research projects for security-awareness, discovering botnets, secure information repositories about Internet traffic patterns, adding security to the Domain Naming System, and secure Internet routing. Concerns about thin clients for Internet access are also surfaced.

    ThePrivacyPlace.Org 2005 Privacy Survey is Underway, by Annie Anton

    Researchers at ThePrivacyPlace.Org are conducting an online survey about privacy policies and user values. The survey is supported by an NSF ITR grant (National Science Foundation Information Technology Research) and will help us with our investigations of privacy policy expression and user comprehension.

    The URL is:

    We need to attract several thousand respondents, and would be most appreciative if you would consider helping us get the word out about the survey which takes about 5 to 10 minutes to complete. The results will be made available in 2006 via our project website

    There are prizes and IBM sponsored giveaways.

    NIST Hash Workshop, October 31 - November 1, 2005

    The recent NIST workshop on cryptographic hashes was an interesting event with several good talks. NIST is focusing on determining what to use for a hashing standard in place of SHA-1, how fast to move to the next standard, and whether or not the SHA-2 family is sufficiently secure for the future. The discover of the MD5 collisions, Xiaoyun Wang, spoke about progress towards similar attacks on SHA-1, indicating that the work factor may now be as low as 2^64. Cryptographic hash functions age quickly. The papers are online at