Subject: Electronic CIPHER, Issue 2, December 5, 1994

====================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 2                                   December 5, 1994
Carl Landwehr, Editor
====================================================================

Contents: [1675 lines total]

Letter from the Editor

Articles:
  Security and Privacy News
    o Leonard Kleinrock calls for improved Internet security architecture.
    o Common Criteria to be briefed this week at ACSAC
  Calls for papers: conferences and special journal issues
  TC Publications for sale!
  Conference News and Reports
    o Call for meetings and workshops at IEEE 1995 Security and Privacy Symposium
    o Report on the European Symposium on Research in Computer Security (ESORICS '94) by John McLean
    o Report on the Second ACM Conference on Computer and Communications Security by Avi Rubin
  Reader's guide to recent security and privacy literature
    Paper lists from conferences
    Tables of contents of recent periodicals
    Recent books
  Calendar
  Interesting Links
  TC Officers
  Information for Subscribers and Contributors

______________________________________________________________________
Letter from the Editor
______________________________________________________________________

Thanks to substantial contributions from John McLean and Avi Rubin, our second issue is arriving on your electronic doorstep earlier than I had predicted. I am hoping for reports on a couple of conferences held in December, so perhaps we will have a New Year's issue as well -- but this depends on contributions from our readers!
This issue is a long one (1675 lines, or about 28 pages, at 60 lines per page). This is partly due to listings of paper titles in the Reader's Guide section, which includes the recent ACM CCS-2, ESORICS, and Tenth ACSAC lists. Please let me know if receiving an e-mail message this size causes you a problem, so I can estimate a suitable maximum size for future issues. Additional paper lists from earlier 1994 conferences (Oakland, Franconia, and IFIP WG11.3 conferences) are available in the hypertext version of Cipher.

Terry Benzel, our TC chair, has been too busy (not least with TC business) to provide a new Letter from the Chair for this issue, but I expect she will have some things to say in the next one.

I urge you to try out the hypertext version of the newsletter now available at URL http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher if you have not done so already. The IEEE Computer Society's home page (http://www.computer.org) now includes a direct pointer to Cipher in case you forget where we are (thanks to Mark Haas, 1995 IEEE VP for Conferences and Tutorials, for providing this). Nearly all the material in this issue (EI #2) has been available on the Web for two weeks, and I plan to continue posting updates there as they arrive.

As you will see in this issue, many of the departments I had planned have materialized, and I have added a few new departments (e.g., announcing TC publications for sale). I have had a suggestion for starting a section on "who's where" to announce changes of position and address for people within the security community. If you think this would be a good idea (would you want to use it?) please let me know. We still need contributions concerning relevant standards activities as well as news and opinions from the membership.

Finally, holiday greetings to all!
Carl Landwehr
Editor, Cipher

________________________________________________________________________
Security and Privacy News Items
________________________________________________________________________

o 14 November 94: Kleinrock calls for improved Internet security architecture

From IEEE COMPUTER, November 1994, p.7: News Briefs, by Lisa Armstrong, Edittech Int'l

The Internet needs a major overhaul, according to Leonard Kleinrock, the man who pioneered the development of Arpanet, predecessor to the Internet, and who is now proposing a new architecture for the wildly growing "net." Kleinrock, who chairs the University of California, Los Angeles, Computer Science Department and the Technology Transfer Institute, said, "A whole new architecture needs to be built into the system. Issues cannot be handled by add-ons."

The issues that Kleinrock emphasized include security, dissatisfaction with the Internet's "best effort" service, and addressing considerations. The new Internet Protocol, IP6, is the "first step," Kleinrock said. "It has extended addressing far enough to last a very long time. However, it makes the assumptions of packet switching and best-effort quality of service." Best-effort service means that Internet users can transfer data only if the necessary bandwidth is available. Otherwise, "too bad" for the user.

One of the loudest complaints regarding the Internet is security, or lack of it. Along with valuable on-line information, those who surf Internet waters encounter security hazards. Users can secure their own networks from intruders, but that doesn't protect them when they connect to other networks. "We need a comprehensive security architecture," Kleinrock said. "We need to build authorization, encryption, and passwords into the hardware and software."

Kleinrock chairs the National Research Council's Computer Science and Telecommunications Board.
In May, a CSTB-appointed committee presented a report that made recommendations for the Internet overhaul.

o 8 November 94: Common Criteria to be presented at 10th ACSAC

Marshall Abrams announced today by e-mail that the Common Criteria will be presented Tuesday, December 6th at the Annual Computer Security Applications Conference in Orlando. There will be a three hour presentation in the afternoon. More information concerning the presentation is expected soon.

The Editor seeks newsworthy items related to security and privacy technical issues. Please keep contributions brief and interesting. Please send mail to cipher@itd.nrl.navy.mil.

________________________________________________________________________
Calls for Papers
________________________________________________________________________
(see also Calendar)

o Journals

  o IEEE Trans. on Knowledge and Data Engineering is planning a special issue on secure database systems technology. Editors for the issue are Bhavani Thuraisingham, thura@security.mitre.org, and T.C. Ting, ting@eng2.uconn.edu. Areas of interest include, but are not limited to:

      o Secure relational database systems, object-oriented database systems, distributed and heterogeneous database systems, and knowledge-based management systems
      o Designing and securing databases and applications
      o Security for medical information systems and banking systems
      o Special topics such as secure concurrency control, inference problems, and data models

    Eight copies of manuscripts up to 30 type-written, double-spaced pages are due to the guest editors by 1 February 1995. Acceptances will be announced 1 June 1995, final manuscripts are due 1 August 1995, and publication of the issue is planned for February 1996. For additional information, send e-mail to the editors at the addresses given above.

o Conferences

  See also Cipher Calendar and NRL CHACS CFP list.

  o CRYPTO '95, August 27-31, 1995, University of California at Santa Barbara.
  o Second annual workshop on Selected Areas in Cryptography (SAC '95). May 18-19, 1995, Carleton University, Ottawa, Canada. Original papers are solicited on all practical aspects of key establishment in distributed systems and the design and implementation of symmetric encryption algorithms. Eight copies of abstract due by March 10 to Evangelos Kranakis, Carleton University. Queries to: sac95@scs.carleton.ca

  o Second Conference on the Mathematics of Dependable Systems (MDS 95), 4-6 September, 1995, University of York, England.

o Other

  o NIST CHISSA Seeks White Papers

    SPECIAL NOTICES Section: SP of CBD dated 08/Nov/94
    CALL FOR WHITE PAPERS: HIGH INTEGRITY SOFTWARE SYSTEMS (HISS)

    NIST is establishing the Center for High Integrity Software Systems Assurance (CHISSA) as a collaborative approach for government, industry, and academia to pursue visionary solutions to industry-defined problems, coordinate activities relating to high integrity software systems (HISS) technology, and ensure its partners have equitable access to solutions developed in domains such as commerce, manufacturing, transportation, health care, and entertainment.

    White Papers from industry, government, and academia should focus on problems of developing, maintaining and assuring HISS. The papers will assist the Steering Committee in selecting an initial focus within the broader scope and will be used to develop a research agenda, plan workshops, identify partners, determine strategies for technology transfer, and develop a proposed Cooperative Research and Development Agreement between CHISSA and its partners.

    Papers due by 1/21/95. For details or to submit, contact:
      Delores Wallace, (301) 975-3340
      NIST, Room B266, Tech. Bldg.
      Gaithersburg, Maryland 20899-0001
      dwallace at nist.gov
      (301) 975-3340
      Fax: (301) 926-3696
      World Wide Web: Detailed call for papers

________________________________________________________________________
TC Publications for Sale
________________________________________________________________________

We have a few surplus copies of the proceedings of the Oakland conference (199N IEEE Symposium on Research in Security and Privacy) available for purchase by TC members at favorable rates. Current issues in stock and prices are as follows:

        Price by mail from TC    IEEE CS Press        IEEE CS Press
  Year  to TC members            IEEE member price    List Price
  ----  ---------------------    -----------------    -------------
  1992  $15                      $43                  $86
  1993  $20                      $30                  $60
  1994  $30                      $30+$4 S&H           $60+$5 S&H

Please add $5 to the prices listed above for overseas delivery.

If you would like to place an order, please send a letter specifying

  o which issues you would like,
  o where to send them, and
  o a check in US dollars, payable to the 1995 IEEE Symposium on Security and Privacy

to:

  Charles N. Payne
  Treasurer, IEEE TC on Security and Privacy
  Code 5542
  Naval Research Laboratory
  Washington, DC 20375-5337
  U S A

Sorry, we are not yet ready for electronic commerce!

________________________________________________________________________
Conference News and Reports
________________________________________________________________________

Workshops/Meetings Solicited for Oakland 1995
---------------------------------------------

The IEEE Symposium on Security and Privacy traditionally draws a diverse, international attendance of respected computer security and INFOSEC researchers. The 1995 Symposium will be held Monday, May 8, through Wednesday noon, May 10, at the Claremont Resort Hotel, Oakland, California. Referees are now reviewing an excellent collection of submissions for this year's symposium. Meeting rooms can be made available at the hotel Wednesday afternoon, Thursday, and Friday, May 10-12, in conjunction with the Symposium.
If you are organizing a computer security related meeting or workshop next spring, plan now to take advantage of this opportunity to schedule your meeting or workshop in conjunction with this symposium. You may be able to both reduce your total meeting costs and draw a better attendance than if you schedule your meeting separately. For additional details, please contact the Editor.

________________________________________________________________________
Report on European Symposium on Research in Computer Security 94 (ESORICS '94)
November 7-9, 1994
Old Ship Hotel, Brighton, UK
by John McLean
________________________________________________________________________

The European flavor of the third incarnation of this biennial conference was evident from its location, an old ballroom where Paganini had played 163 years earlier. The distinction between this conference and similar U.S. conferences was emphasized in the opening remarks of Conference Chair Roger Needham. Needham told the audience of about 75 practitioners that European research in computer security tended to be practical, as opposed to (North) American research, which tended to focus on metaphysical discussions of what confidentiality means. He then went on to remind us that a symposium was originally a drinking party. He concluded by stating that the focus of this symposium was computer security, rather than theoretical cryptography.

The conference included 26 papers (all contained in the proceedings: Computer Security -- ESORICS 94, ed. Dieter Gollmann, Lecture Notes in Computer Science 875, Springer-Verlag, Berlin, ISBN 3-540-58618-0, 468 pages), an invited talk, and a panel session. This report includes only a very brief overview of each of the papers, followed by fuller discussions of the invited presentation and the panel session.
In Monday's opening session on measures, Thomas Beth presented a metric for measuring trust between two different networks, and Vasilios Zorkadis used queuing theory to measure the degradation security introduces into network performance and examined various methods for lessening this degradation.

This was followed by a session on high assurance software. In this session Bill Roscoe introduced a CSP-based version of Noninterference that requires that the purge of a trace be deterministic, Daniel Le Metayer presented some work on performing information flow analysis of programs at compile time, and Chris Sennett presented a method for performing static analysis on compiled code.

Following lunch, a session on key management featured a presentation by Wenbo Mao on designing secure key exchange protocols, and Els Van Herreweghen offered a new password and key-exchange protocol based on an atomic challenge/response exchange.

The afternoon ended with a session on authentication. This session featured two talks by Jennifer Seberry and a presentation by Birgit Pfitzmann of work by Lidong Chen, who could not attend the conference. Seberry's first talk was on the use of Rabin's concept of a beacon to provide authentication in distributed systems, and her second described the authentication services found in the Kuperee (a mythical kangaroo) server, which is based on a public key cryptosystem. Chen's paper presents two oblivious signature schemes.

Tuesday began with a second session on key management. Ueli Maurer presented a calculus for reasoning about security in open networks and Wenbo Mao presented ways to strengthen the Kerberos and KryptoKnight protocols. Following this session was an invited talk, which will be discussed below, and a session on digital payments. In the latter session, Jean-Marc Piveteau offered a method for anonymous digital payments that reduces the size of the necessary supporting database.
Birgit Pfitzmann next described the ESPRIT Project's CAFE digital payment system, and then Ross Anderson presented a paper arguing that the purpose of commercial security is not so much to reduce the risk of a security violation, but rather to shed liability.

The afternoon began with a session on distributed systems in which Bruno d'Ausbourg and Pierre Siron each reported on a distributed security subsystem that implements Bieber and Cuppens' concept of secure dependencies over a network. Christel Calas then presented a distributed file system that enforces the secure dependencies concept. The day ended with a panel session that is discussed below.

The last day (Wednesday) opened with a session on access controls in which Ravi Sandhu discussed the expressive power of the unary transformation model. Sandhu showed that, contrary to a claim made in his and Srinivas Ganta's 1994 Oakland paper, the unary transformation model is equivalent in expressive power to the binary transformation model. However, this equivalence holds only if every subject has a unique type. Following Sandhu, Marc Dacier showed how to extend Sandhu's TAM model to deal with authorization schemes involving sets of privileges. The session concluded with Clare Robinson's report on modes of operation for security systems.

The last two sessions were devoted to database security. In the first session Elisa Bertino presented a secure mark-and-sweep garbage collection algorithm. This was followed by Frederic Cuppens' discussion of the decomposition of multilevel objects in an object-oriented database and a presentation by Roshan Thomas on secure write-ups in replicated architectures. In the second session, Amihai Motro used the concepts of overlapping and overlaying views to address the aggregation problem, and Gilles Trouessin used the concepts of internal information flow controls and external information flow controls to secure a database.
Although the papers were generally well received, the most energetic audience reaction was generated by an invited talk by Henry Becker of Zergo Consultants, who spoke on security research in the financial sector, and a panel session, chaired by Helmut Kurth of IABG, on security evaluations in practice.

Becker emphasized the current gap between security research and industry. Industry focuses on the management and control of information and information systems in the face of flatter and more autonomous organizations, pervasive distributed processing, increased automation and out-sourcing, and legal and due-care requirements. This has led to a lot of money going into security, but most of the money is spent in ways security research does not address. For example, Becker estimates that English banks spend 50% of their information technology budget on security (a figure also matched in Japan). However, only 6% - 9% of the information technology budget goes to purchasing security. The bulk of the money goes to managing security. Hence, security is primarily seen as a management issue whose solution will be through management tools. Particular management needs include better risk analysis tools, better ways to measure the effectiveness of security awareness programs, generic interfaces that will allow security decisions to be made even in the face of the uncertainty produced by the current export debates, and ways to "de-skill" the job of the security administrator. Industry also needs methods for achieving positive assurance, but evaluation documents such as the ITSEC are viewed as being too government-oriented. Industry needs something that is simpler and less expensive, something more like conformance to codes of practice or review by experts. Finally, Becker predicts that industry will need products to provide secure email, secure internet connectivity, secure card technology, and secure telecommuting.
(Interestingly, he does not predict an industry future for biometrics, because of the danger of lawsuits due to bodily injury that may result from retinal scans or similar technology.) However, he stresses that the main concern here is the implementation and management of technology, rather than technology development.

The gap between commercial and noncommercial security was further examined in the panel on security evaluation in practice. Kurth opened the panel by comparing US and European evaluation procedures. He noted that European evaluations are performed by private companies rather than the government and usually take less time than U.S. evaluations. European criteria also allow more flexibility with respect to functionality than the U.S. criteria. However, he noted that current practice in both Europe and the U.S. has several problems:

  - the criteria are too government-oriented, with commercial aspects being poorly covered;
  - evaluation results are not in a form useful for procuring a system, integrating a system, or developing a system security plan;
  - evaluation criteria focus too much on correctness rather than on effectiveness (i.e., what vulnerabilities a system contains);
  - there is no link between associated standards (e.g., between security and safety);
  - there is no practical approach to re-evaluation;
  - there is no push to sell evaluated systems in the commercial world.

Nevertheless, Kurth thinks that if the evaluation processes could be altered to meet commercial needs, it would be useful, since it is more efficient to test a product once than to have each company conduct its own test.

Stefan Geyres stated that although the French DoD has adopted the ITSEC, there is currently no commercial body performing evaluations and no push to form one. When commercial interest rises, it is not clear that the ITSEC will be what is wanted. Although the French DoD is interested in ITSEC levels E4 and E5, French commercial companies are interested only in levels E3 and below. This sentiment was echoed by R. P. Lampard of the U.K.'s National Physics Laboratory. Given the low levels of assurance wanted by industry, Lampard argued for the use of conformance testing.

Charles Pfleeger of T.I.S. related his experience in having TMACH evaluated in the U.S., the U.K., and Germany. He found that although different evaluation criteria used the same words, there was substantial disagreement over the meaning of those words. He also found that evaluations in all three countries suffered from a lack of clear lines of authority. Although NSA has a hierarchical structure, this does not imply that anybody is willing to make decisions. European evaluations are even worse in this regard because separate evaluation bodies and certification bodies can pass responsibilities back and forth. This lack of a clear line of authority also makes it difficult to judge when an evaluation is over. Once a particular evaluation body is done, another body may decide to look things over. Finally, Pfleeger mentioned the problems with re-evaluation and shared his fellow panelists' conclusion that evaluations are not yet commercially viable. During the question and answer period, Pfleeger also noted that although the U.K. evaluation process and German evaluation process are equally good, the former focuses on process and the latter focuses on product.

Most of the question and answer period following the panel focused on the commercial viability of evaluations. Ross Anderson asked why a U.K. evaluation costs about $1,500,000 while an evaluation from Lloyds for infosec insurance takes only 2 days. Although Kurth doubted that U.K. evaluations cost so much, there was no doubting that evaluations cost more than insurance assessments.
Geyres noted that more information is revealed by the former (e.g., about covert channels), but Anderson pointed out that the commercial world is not interested in this information. Chris Sennett pointed out that much of the effort in evaluations was to protect systems from technical flaws, while most security failures are the result of bad system management. Kurth expressed his faith that security management will improve so that this will no longer be true in the future. Anderson also pointed out that commercial systems do not have sufficient documentation to be evaluated under the ITSEC and argued that the certification of security consultants would be the biggest single improvement the security community could make.

Becker, the panel, and Anderson can all three be seen as cautioning the evaluation community that they are out of touch with industry. Insofar as the research community is driven by issues relevant to the evaluation community, this caution applies to them as well.

Returning to Needham's opening remarks, his assessment of the conference proved partially correct on all three counts. Although the conference mainly stayed away from confidentiality models, Bill Roscoe's presentation was as metaphysical as anything seen at either Oakland or Franconia. Cryptography, though not a main focus, was certainly evident in Lidong Chen's paper. Finally, although a fair amount of ale (and, given the location, a surprisingly large amount of lager) was downed during the evening hours, daytime habits were marked by British reserve.

________________________________________________________________________
Report on CCS'94: 2nd ACM Conference on Computer and Communications Security
by Avi Rubin
________________________________________________________________________

The 2nd ACM Conference on Computer and Communications Security met Wednesday through Friday, November 2-4, 1994, at the Holiday Inn, Fairfax, Virginia.
This report summarizes the conference sessions and panels as a supplement to the proceedings [available from the ACM order department, 1-800-342-6626, e-mail acmpubs@acm.org, as ACM Order Number 537940, $44 ($22 for ACM members)].

The conference as a whole drew perhaps a few more registrants than its first edition (around 130 altogether) but felt somewhat less cohesive. More people seemed to be picking and choosing which sessions to attend; perhaps the greater number of invited talks by well-known speakers, spaced regularly throughout the first edition, kept the group together. Nevertheless, there was a good selection of stimulating technical papers, including Matt Blaze's highly publicized attack on Clipper, an excellent talk on factoring by Arjen Lenstra that left the audience ready to double the length of their keys, and an animated panel session on Internet commerce.

Co-chairs Raymond Pyle and Dorothy Denning welcomed the participants, and Denning announced that the conference would next meet in New Delhi, India, in March, 1996. Exact dates and location are expected to be available in January, 1995. Many participants later expressed surprise at the move.

Comments are provided below on most of the papers; a few sessions are summarized without addressing the papers in detail. The panels and two invited talks are covered in more detail, as they do not appear in the proceedings.

Technical Sessions
------------------

[Note: The name of the author presenting the paper is CAPITALIZED where there is ambiguity. The conference authors and presenters have not had the opportunity to review this summary; any errors and all opinions are my personal responsibility.]

Wednesday, November 2

Support for File System Security Requirements of Computational E-mail Systems
by Atul Prakash and TRENT JAEGER

This paper presented a scheme called computational e-mail. In this scheme, e-mail messages contain scripts, and these execute when the recipient reads the messages.
Obviously, this introduces some serious security problems [we used to call these "letter-bombs"--CEL]. Solutions to these include ATOMICMAIL, which provides I/O only to a trusted interpreter or a single directory. Among the solutions explored to solve the access control problems were safe-Tcl, Unix mode bits, AFS and K4, AFS and DSSA, and AFS and K5.

Secure Wireless LANs
by V. Bhargavan

This paper was not presented because the author was absent.

The Design and Implementation of Tripwire: A File System Integrity Checker
by GENE KIM and E. Spafford

Gene Kim announced that Spafford had intended to be at the conference, but he was stuck in Indiana as a witness for a murder trial. The purpose of Tripwire is to prevent unauthorized changes to a file system and assess damage. Tripwire builds a database of attributes, mostly from the inode information. Then, it builds a list of selection criteria, such as binary files or log files being added to a system. The addition of binary files seems dangerous, while new log files are expected. Another advantage to Tripwire is that it also keeps system administrators honest and forces them to comply with a policy. http://www.cs.purdue.edu/homes/spaf/coast.html is the URL for obtaining Tripwire.

Exchange of Patient Records: Prototype Implementation of a Security Attribute Service in X.500
by MARJAN JURECIC and H. Bunz

This paper describes a prototype system used by hospitals to store sensitive medical information. Privacy is very important for sharing medical information in a hospital, and yet the data must be available to doctors and others who need them. The health insurance companies must have the right access to data, and data integrity is important. Other types of information are statistical, such as the scope of an epidemic and the history of a disease. Each type of information comes with its own restrictions and requirements from a security standpoint. Legislators, patients, health insurers, and medical staff: these four groups have diverging interests. There are various security rules that state who should have access to what, for example:

  - access to personal patient data should only be for responsible medical staff;
  - only physicians should be able to produce a medical result for the record;
  - etc.

There are many different subjects, such as doctors and nurses, and they can be in different roles. Similarly, there are different objects, such as x-rays, text, voice, etc., each with its own security requirements. The organization uses X.500 as a directory service, with public-key certificates. The following standards are used: personal desktop, X.509, X.501, ECMA-138; electronic mail, X.509, PEM; archive, DFR (ISO 10166); workflow integration, X.721 and X.740 events.

A Process-Oriented Methodology for Assessing and Improving Software Trustworthiness
by EDWARD AMOROSO, C. Taylor, J. Watson and J. Weiss

This group was assigned the task of developing a method of assessing software trustworthiness. Among other things, this paper presents a list of 48 trust principles and an organized hierarchy of six trust classes. The diagram for trust that was presented is similar to that of the Orange Book. The talk consisted of some advice and recommendations of the group for people who are under government contract. The speaker mentioned several pitfalls and suggested how they can be handled. For example, the government does not usually encourage publication of work they are funding, but it was suggested that it is important to publish anyway.

Panel: Training Security Engineers
Chair: Lance Hoffman
Participants: Lance Hoffman (GWU), Ravi Sandhu (GMU), John Kimmins (Bellcore)

This panel was intended to explore the way in which security engineers should be trained. There was a consensus that it is not being done right at this time.
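The Tripwire approach summarized in the Wednesday session above (a baseline database of inode attributes, then selection criteria under which a new binary is dangerous but a new log file is expected), as an added example written for this report rather than Kim and Spafford's own code; the directory layout, policy patterns and file contents are constructed:

```python
"""Tripwire-style integrity check: baseline, rescan, diff, classify (constructed example)."""
import hashlib
import os
import stat
import tempfile
from fnmatch import fnmatch


def file_record(path):
    """Attributes Tripwire-style tools take from the inode, plus a content hash.

    The hash is what catches a size-preserving replacement of a binary."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "mtime": int(st.st_mtime),
        "sha256": digest.hexdigest(),
    }


def build_baseline(root):
    """Walk root and record every regular file, keyed by its path relative to root."""
    baseline = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = file_record(full)
    return baseline


# Selection policy, as in the talk: new or altered binaries are dangerous,
# new or growing log files are expected. Patterns are constructed for this example.
POLICY = [
    ("bin/*", "critical"),
    ("etc/*", "critical"),
    ("log/*", "expected"),
]


def classify(rel):
    """Map a relative path to the severity the policy assigns it."""
    for pattern, severity in POLICY:
        if fnmatch(rel, pattern):
            return severity
    return "review"


def compare(baseline, current):
    """Diff two scans; each entry carries the policy severity so an operator can triage."""
    report = {"added": [], "removed": [], "changed": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append((rel, classify(rel)))
        elif rel not in current:
            report["removed"].append((rel, classify(rel)))
        else:
            diffs = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
            if diffs:
                report["changed"].append((rel, classify(rel), diffs))
    return report


def _write(root, rel, data):
    with open(os.path.join(root, rel), "wb") as fh:
        fh.write(data)


def run_demo():
    """Build a small constructed tree, baseline it, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        for sub in ("bin", "etc", "log"):
            os.mkdir(os.path.join(root, sub))
        _write(root, "bin/login", b"\x7fELF original")
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "log/messages", b"boot ok\n")
        baseline = build_baseline(root)

        # Simulated events: a same-size replacement of a binary (only the hash
        # reveals it), a new binary, a log that grew, and a rotated log file.
        _write(root, "bin/login", b"\x7fELF trojaned")
        _write(root, "bin/sshd", b"\x7fELF new")
        with open(os.path.join(root, "log/messages"), "ab") as fh:
            fh.write(b"user login\n")
        _write(root, "log/messages.1", b"boot ok\n")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, entries in run_demo().items():
        for entry in entries:
            print(kind, *entry)
```

The untouched etc/passwd produces no entry, which is the property that keeps the report short enough for an administrator to read every line.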
In the discussion following the presentations by the panelists, the debate centered on the structure of the masters program in computer science. The panelists took the following positions:

Ravi Sandhu: Educating security engineers from a University position: we are not presently doing a good job. We currently need security specialists. They should be prepared at the graduate level. Students need foundations, operating systems, networks, distributed systems, database systems, software engineering, algorithms, discrete math, business, etc. Courses should be offered in database security, security models, applied cryptology, and distributed system security. This will take more resources than we have. Such a program will develop because there is a demand for it.

Lance Hoffman: George Washington University has a security specialization for the Masters program. It is difficult to get funding for these courses. He suggests borrowing guest lecturers and teachers from companies.

John Kimmins: He looks at this more from the point of view of training a group within a company, from a managerial point of view. There is a synergy between security and fraud. They used to be done separately, and now the trend is to combine them.

Questions from the floor:

Fundamental business education is missing. The world's best security without considering the role of business will not be used. Ravi Sandhu said this was an excellent point; John Kimmins agreed. Lance Hoffman suggested that it's important to "know your client." Universities don't have as much interaction with the business aspect of things. It can be handled at a University by bringing in guests.

Question by NASA security architect James Coyne: In an era of shrinking budgets, we need more than people trained in security for security's sake. We need well-rounded engineers who can understand the security issues in the context of a budget.
It is better to add security knowledge to engineers than to specifically train security experts who live in ivory towers. Ravi Sandhu suggests that it is impossible to know only security because it requires such foundations as systems, networks, databases, etc. [Coyne reiterated this point in his presentation on Friday.]

A question was raised about the role of mathematics and formal methods. Ravi Sandhu put his slide back up to show that it was included. Lance Hoffman suggested that psychology and the ability to interact with people are also important. Sandhu also suggested that computer science and communications people don't know each other's fields that well. However, it boils down to a resource problem. This is not a good time to be launching new programs.

Rob Shirey argued that much of what was presented as desirable training will never fit into an undergraduate computer science curriculum. Dennis Longley observed that the primary reason courses get into a syllabus is that faculty want to teach them, not that someone has levied a requirement for them. He argued that this is not, in fact, a bad practice, because the faculty will teach courses they are interested in with enthusiasm and integrity. He believes it is more important to convey these attitudes to students than it is to cover any specific body of information, since whatever technical details are taught are likely to be outmoded shortly in a rapidly progressing field.

Towards Acceptable Key Escrow Systems
by Thomas Beth, H. Knobloch, M. Otten, G. Simmons and P. Wichmann

The entities of communications are persons, devices, and organizations. The deficiencies of Clipper were discussed, namely the Matt Blaze attack, the UK problem, the time-stamp problem, and underencryption.
The requirements for acceptable, trustworthy and fair cryptosystems are:

- privacy protection mechanisms for end-to-end confidentiality at the user interface
- encryption algorithms should not be secret but public and negotiable by principals
- key management is independent of the encryption algorithm
- identification and authentication must be unforgeable
- confidentiality bypass procedures have to faithfully represent the legal rules or policies to be observed

Confidentiality bypass facilities are needed for law enforcement, backup, message recovery, and research data. The escrow should only go through the key management level, and should have nothing to do with the algorithm. An algorithm for doing authenticated key exchange with escrow was presented (it's in the paper).

Protocol Failure in the Escrowed Encryption Standard
by Matt Blaze

Matt presented his now famous attack on the Clipper chip. He first observed that the primary motivation for Clipper was as a drop-in replacement for DES that would provide strong encryption for the "good guys" but not for the "bad guys." His attack demonstrates how the "bad guys" might be able to use the strong encryption Clipper provides without being subject to eavesdropping by the authorities. He identified two categories of "rogues": those who can interact with each other, and those who can interact with anyone.

The attack makes use of the fact that the checksum in the LEAF is 16 bits. The checksum is influenced by the Initialization Vector (IV) and the session key. The checksum includes other fields from the LEAF. Any change in the rest of the LEAF affects the checksum. One attack is for the sender to not send the LEAF, and for the receiver to generate a LEAF himself and feed it in to go into decrypt mode. The two major weaknesses of Clipper are that the checksum is only 16 bits, and that the sender and receiver have the same hardware. Thus, 2^112 of the 2^128 possible LEAFs have a valid checksum for the current session key.
Experimental results showed that you can find a LEAF in about 42 minutes. The LEAF test takes about 38ms, which is not fast enough for real-time telephony, but fast enough for many other applications. In addition, the attack is easy to parallelize. Matt concluded that the EES is vulnerable to misuse.

Panel: Corporate key escrow
Chair: Ravi Ganesan
Panelists: Ravi Ganesan (Bell Atlantic), Dorothy Denning (Georgetown U.), Scott Charney (Dept. of Justice), Carl Ellison (Trusted Information Systems, Inc.)

Denning: One important advantage to having key escrow is that products that meet the key escrow requirements can be exported. Also, there is a danger of data loss when data is encrypted under a key known only to one person. For example, an attacker can hijack the data by encrypting it and holding the key for ransom. The only person who knows the key for some important data could get hit by a truck, etc.

Ganesan: Keys in Clipper are going into chips without any restrictions on who is supposed to be able to get the keys and for what purpose, so it is not likely that this system will be usable by corporations to escrow their keys. There are a few other potential ones being built by ATT, TIS, and Bell Atlantic. Some are hardware and some are software. It is harder to solve the problem of corporate escrow than law enforcement escrow.

Charney comes at this from a law enforcement perspective. There is a danger that encryption can be abused. For example, someone can break into a system and encrypt the data, and hold it for extortion. With the consent of the corporation, the government has the right to search a workstation of an employee if there is no expectation of privacy. The emphasis is on the expectation of the user.

Ellison has trouble with the term key "escrow." This term was originally used to describe a system built and used by the government. Instead, he prefers to distinguish three concepts: key escrow, government access cryptography, and emergency access to keys.
Just as we need to keep outsiders out, it is important to ensure that insiders can get in, that is, have access to the data that is encrypted. Another issue is that the insider might be more than one person, or some k out of n people, etc. We need fault tolerance in the storage and the access mechanisms. Clipper cannot be used to solve all three problems; software solutions are essential.

Secure Agreement Protocols: Reliable and Atomic Group Multicast in Rampart
by Michael Reiter

High integrity services are achieved by taking a sample from a number of servers and accepting the majority answer. One requirement is that the servers process requests in the same order, and that is why atomic group multicast is necessary. All previous work on malicious corruption of atomic group multicast assumes a synchronous network. Thus, it is not well-suited for hostile environments. Reiter presented protocols for reliable multicast that ensure that correct members receive the same messages in the same order. His main contributions are new reliable and atomic group multicast protocols for asynchronous systems subject to process corruptions.

Key Distribution via True Broadcasting
by M. Just, E. Kranakis, D. Krizanc and P. van Oorschot

A number-theoretic scheme for broadcasting a key to a group of privileged users who share secret primes with the distribution center. This scheme was challenged by members of the audience, one of them going so far as to say that it was broken. Other people seemed to feel that there already existed better ways of doing this. In his defense, the author was not given time to defend his work because time ran out.

Conditionally Secure Secret Sharing Scheme with Disenrollment Capability
by Chris Charnes, JOSEF PIEPRZYK, and Rei Safavi-Naini

The authors defined a conditionally secure Shamir secret sharing scheme using exponentiation in Galois fields and showed how the scheme can be extended to arbitrary access structures.
They showed that families of threshold schemes provide two levels of disenrollment capability. They give an algorithm which provides noninteractive verification of the initial conditions in families of threshold schemes, and they describe a covert channel.

Meta-ElGamal Signature Schemes
by PATRICK HORSTER, H. Petersen and M. Michels

The author presented a chronology of previous work on the ElGamal scheme, starting with the Ph.D. thesis of ElGamal, up to the current work. Then, he presented his scheme.

Paper: Anonymous Credit Cards
by S.H. Low, N.F. Maxemchuk and S. Paul

The author presented some very complex protocols for anonymous credit cards. In personal communication, he suggested that the paper from the anonymous ftp site is more up to date than the one in the proceedings, which contains some errors.

Thursday, November 3

An Efficient Multiversion Algorithm for Secure Servicing of Transaction Reads
by P. AMMANN and S. Jajodia

The algorithm presented by the authors maintains a small fixed number of versions, up to three, of a datum, rather than an arbitrary number as most algorithms do. The snapshot architecture presented maintains exactly 2 snapshots of each database. The authors used the version function and assignment function to analyze serializability, and gave an algorithm for satisfying correctness constraints.

A Temporal Authorization Model
by E. Bertino, C. Bettini and P. SAMARATI

In this work, time is mapped to the set of natural numbers. An interval is mapped to [t1,t2]. An authorization contains an interval, followed by a rule. Constructs presented included whenevernot, whenever, unless, and aslongas. These are used to define derivation rules. There can be up to 2 parameters in a derivation. A necessary restraint is that there be no recursion on negative rules. Other actions are revoke and droprule. They are invalidated for the current run, but are not deleted from the authorization database.
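Both the corporate-escrow discussion (the "insider" who must be able to get in may be "some k out of n people") and the Charnes, Pieprzyk and Safavi-Naini paper rest on threshold secret sharing. The following is an added example, not code from the conference or from either paper: it is the plain Shamir (k, n) threshold scheme over a prime field, not the conditionally secure Galois-field variant the paper describes. The secret is the constant term of a random polynomial of degree k-1; each share is one point on it, and any k shares recover the constant term by Lagrange interpolation at zero. The field prime 2^127-1 and the refusal to interpolate below the threshold are choices made for this example.

```python
import secrets

# Field prime: 2^127 - 1 is a Mersenne prime, large enough to hold a 16-byte secret.
PRIME = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coefficients lowest-degree first) at x, mod PRIME."""
    result = 0
    for c in reversed(coeffs):  # Horner's rule
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, k, n, rng=None):
    """Split an integer secret in [0, PRIME) into n shares; any k of them recover it.

    share i is the point (i, f(i)) on a random polynomial f with f(0) = secret.
    `rng` must offer randrange(); it defaults to the OS entropy source.
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an int in [0, PRIME)")
    rng = rng or secrets.SystemRandom()
    coeffs = [secret] + [rng.randrange(PRIME) for _ in range(k - 1)]
    return [(i, _eval_poly(coeffs, i)) for i in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange-interpolate f(0) from a list of distinct (x, y) shares.

    Called with fewer than k shares this still returns *a* value, but one that
    is unrelated to the secret: k-1 points are consistent with every possible
    constant term, which is exactly what makes the scheme secure.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME        # product of (0 - xj)
                den = den * (xi - xj) % PRIME    # product of (xi - xj)
        # Modular inverse via Fermat's little theorem (PRIME is prime).
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def recover_with_threshold(shares, k):
    """The access-control wrapper an escrow service would expose: refuse to
    reconstruct unless a full quorum of k distinct shares is presented."""
    if len(shares) < k:
        raise ValueError(f"quorum not met: need {k} shares, got {len(shares)}")
    return recover_secret(shares[:k])


if __name__ == "__main__":
    # Constructed demo: a 3-of-5 split of a sample 128-bit-ish key value.
    key = 0x0123456789ABCDEF0123456789ABCDEF % PRIME
    shares = split_secret(key, 3, 5)
    print(recover_with_threshold([shares[0], shares[2], shares[4]], 3) == key)
```

Any three of the five shares reconstruct the key; the interpolation works on whichever indices are presented, so a lost or disenrolled share-holder does not block recovery as long as a quorum remains.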
Propagation of Authorizations in Distributed Database Systems
by Pierangela Samarati, Paul Ammann, SUSHIL JAJODIA

The propagation of authorizations at different sites may proceed inconsistently. However, if the propagation is too controlled, it may result in excessive delay. The authors presented an optimistic authorization propagation algorithm.

Session: Cryptography II
Chair: J. Stern

This was the second session on cryptography. Three papers were presented. Turnout was a bit lower than for other sessions due to the esoteric nature of the material. The first paper was "Substitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis" by H. Heys and S. Tavares. The second paper was "Information Leakage of Boolean Functions and its Relationship to Other Cryptographic Criteria" by M. Zhang, S. Tavares and L. Campbell. The final paper in this session was "Authentication Codes that are r-fold Secure against Spoofing" by R. Safavi-Naini.

Session: Electronic Commerce Security
Chair: R. Ganesan

This session turned out to be the most controversial one. First, a paper on licensing and endorsements was presented. Then, the invited speaker gave a very informative talk about secure-http, a title that itself drew some criticism. Finally, everything broke loose during the panel session, which turned out to be more of a bunch of sales pitches than anything else, followed by comments by some very upset members of the audience. Only the first paper appears in the proceedings.

The Role of Licensing, Insurance and Endorsements in Evaluating Trust of Distributed System Services
by CHARLIE LAI, G. Medvinsky and C. Neuman

The motivation for this work is that it is difficult for clients to assess server integrity in large distributed systems. As a result, there can be limited sharing. In the real world, there are endorsements, such as AAA diamonds for a hotel, insurance credentials, etc. Thus, this paper provides an infrastructure for issuing and verifying credentials.
A license is a credential that indicates a service provider is legally authorized to provide a service. Endorsement means that a service provider meets more rigorous standards set by the endorser. The final class is liability insurance: the party insured is covered for any legal obligations to pay damages inflicted upon a third party. Certificates and proxies are issued for the various assurances and endorsements. Clients can specify the types of licenses and endorsements that they trust. Thus, networks of trust relationships develop. The author maps these real-world trust systems onto an electronic, distributed system.

Secure HTTP: Making the World-Wide Web Safe for Commerce
Invited Speaker, Allan Schiffman

Schiffman is the chief technical officer of EIT and the principal architect of Commercenet. He started out giving some background on WWW and Mosaic. Secure-HTTP is an interoperable extension of http. Unfortunately, IP address authentication is the most prevalent today. IP addresses can only perform access control on hosts, not users. Also, there is basic authentication, which consists of simple usernames and passwords. This method is popular but flawed. Finally, PEM and PGP are largely unused, while Kerberos has not been implemented with http. From the perspective of user interface, expecting users to enter a passphrase is too disruptive, when all they have to do otherwise is click a button.

S-http design goals are:
- enable spontaneous commercial transactions
- negotiation of algorithms, modes & parameters
- layer separation (don't "fix" http)
- mechanism, not policy (where do certs come from? what do they mean?)
- interoperability (with existing clients, with various capabilities)

S-http is fully symmetric (almost) for client and server. Thus, it is moving away from the traditional client-server model. Authentication mechanisms include PKC RSA, DSS, shared-secret, and Kerberos. Key exchange can be implemented using RSA, D-H, shared secret, and Kerberos.
Impacts:
- new http method "secure" (affects proxies)
- new http headers
- additional html facilities: new anchor property, new elements

S-http focus: negotiation
- permit parties to express requirements and preferences, used in message headers and embedded in documents
- choice may depend on capability of implementation and application requirements

S-http provides many different options to the user. It was not clear whether the kitchen sink is included, but just about everything else is. The supported encapsulation formats are PKCS-7, PEM or PGP. Signature algorithms are RSA or DSA. Key exchange algorithms supported are RSA, in-band, out-of-band, D-H, and Kerberos. For message digest algorithm, MD2, MD5 or SHA. The encryption algorithms supported are DES EDE2/EDE3, DESX, IDEA, RC2, and RC4. The protection modes are signature, encryption, and keyed MAC.

Users are made aware of what's going on by icons that show that something is unprotected, signed, encrypted, etc. Other progress indicators show what's going on (a laser beam scans across the signature). There is also a security status pop-up window. The first draft of the specification has been available since June, and there is a reference implementation, available to Commercenet members. There is also an EIT/RSA joint venture, Terisa Systems, for people to integrate secure http into applications. The home page for s-http is http://www.eit.com/projects/s-http/index.html; readers interested in more details should look there.

Panel: Security Issues in Electronic Commerce
Chair: C. Neuman
Panelists: Allan Schiffman (EIT), Carol Benson (VISA), Doug Tygar (CMU), Brian Boesch (Cybercash), Win Treese (Open Market)

Benson: At first, gave background on VISA as a company. They are interested in e-commerce to facilitate the growth of the market, because electronic fund transfers are more likely to involve credit card purchases. Predicts secure transactions can take place on the Internet for most users within a year and a half.
This talk seemed more like a marketing talk for potential VISA customers than anything else.

Tygar: Netbill is a system to handle micro-payments of a very small volume. Discussed the problem of atomicity. Transactions should either completely abort, or completely finish. We need common standards for security in electronic commerce.

Boesch: Talked about Cybercash. They are involved in the payment process, not the entire transaction. We need relatively few mechanisms that work well together.

Treese: Talked about the Open Market system, and discussed security issues such as authentication of the various parties. The Open Market system has an Internet payment switch between the Internet and the financial network. http://www.openmarket.com is open for business today.

A member of the audience attacked the panel by stating that crackers have broken everything before, with only the incentive of fun; now we are giving them money as an incentive. He also said that greed was in contrast to the goals that made the Internet possible. This was a very lively panel, and almost everyone was disappointed when time ran out. The general opinion seemed to be that commercial systems on the Internet are an extremely challenging prospect at the very least.

New Protocols for Third-party-based Authentication and Secure Broadcast
by Li Gong

The scope of this work falls into the category of protocols where there is a trusted third party. One motivation is to cut out strong cryptography because it cannot be exported. Another is to avoid patent problems. The general idea is that each client needs to solve a linear equation with n unknowns, given n-1 unknowns, and the secret k, as the nth unknown. Thus, no eavesdropper can figure out the new session key. A proof is also provided that the requirements of Needham and Schroeder necessitate at least a strong one-way hash function.

How to Simultaneously Exchange Secrets by General Assumptions
by TATSUAKI OKAMOTO and K.
Ohta

It is difficult to have a simultaneous exchange of messages over the Internet, whereas in the real world this is easy when you are face to face with someone. The problem is simple with a trusted third party, but is difficult without one. This paper presents a gradual secret releasing protocol to solve the problem. It involves each party including a proof of correctness of each bit that is transmitted.

A Key Distribution Method for Object-Based Protection
by W. Ford and MICHAEL WIENER

The basic idea in this work is access-controlled decryption. It is essentially a key management scheme. There is a Key Release Agent (KRA), with a well-known public key. A user encrypts data with some access control attributes using the public key of the KRA. The KRA then passes enough information to an authenticated user, B, for the data that B is allowed to read. This can be realized with RSA or Diffie-Hellman.

Friday, November 4

On the Difficulty of Factoring
Invited Speaker, Arjen Lenstra

[This paper is not in the proceedings, but Postscript (about 300KB) for a related paper, "Factoring" by Dr. Lenstra, from the Proceedings of the International Workshop on Distributed Algorithms, Springer Lecture Notes in Computer Science (LNCS) 857 (1994), pp. 28-38, is available at URL http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher/lenstrafactoring.ps ]

Factoring is still thought to be a hard problem, but it is getting easier faster than we expected. So, the security of long-term applications might have to be re-evaluated. Most public key systems are based on "supposedly" hard problems such as factoring and discrete log. The key length should depend on the state of the art in factoring and DL and on the required security and intended life span of the application. The choice of 512 bits (155 decimal digits) dates back to the early eighties. Back then, it was believed to be a lot harder than it is today.
Lenstra talked about the faulty statements made about the difficulty of factoring in the late 70s and early 80s. The major developments in factoring include the quadratic sieve in 1982, the special number field sieve in 1988, and the number field sieve (NFS) in 1989. Lenstra then discussed experiments using the quadratic sieve. The conclusion is that 1024 bits today might give about the same security as 512 bits gave in the early eighties, and we are close to factoring a 512-bit key.

How to Break Gifford's Cipher
by THOMAS CAIN and A. Sherman

This paper shows how to break a cipher designed by Dr. Gifford at MIT. The system was used in the Boston area to encrypt data for subscribers. The attack is a ciphertext-only attack on filter generator stream ciphers. An implementation runs in 2^27 time and 2^18 space. The attack is based on linear algebra, and on the fact that the cipher leaks key bits because it encodes ASCII text in such a way that it always assumes that the high order bit is 0. When the plaintext is x-ored with the key bits, the high order bits are leaked.

Parallel Collision Search with Application to Hash Functions and Discrete Logarithms
by P. van Oorschot and MICHAEL WIENER

This is a very important result in that it will change the way people view the resistance of hash functions to collisions. One of the first hurdles to overcome for any practical method is to eliminate large memory requirements. The authors use Rivest's trick of distinguished points so that separate processors can detect collisions among themselves. Each point stores information about which processor detected it, and how many steps it took. The general idea is to start with two messages m and m'. With k subtle modifications to a message, there are 2^k message variants. So, if all the variants of 2 messages are hashed, all that is needed is to find two that hash to the same value. This is not very practical from a memory point of view.
One idea is to only perform one round of the hash function to speed things up. The authors estimate the cost of an MD5 collision machine. For $10 million we get 350 processors, controllers, etc., and the expected time is 24 days to find a collision. He also gave an example of discrete logs in cyclic groups. A $10 million machine could complete a discrete log over elliptic curves in approx. 36 days.

Application Access Control at Network Level
by RAFIK MOLVA and Eric Rutsche

The idea is to do access control for applications at the network level. Today's solutions are firewalls and file system protection. These are usually limited to one domain, and don't support intra-domain security easily. Each host has a secret seed, which it uses to construct a ticket. These are placed in the network layer packets. This provides authentication information. The tickets can be precomputed and kept on each host. They currently don't have an implementation.

Network Security Probe
by PIERRE ROLIN, L. Toutain and S. Gombault

The idea is that many existing applications, and also TCP/IP, are insecure, but we have a lot invested in them already. The challenge is to introduce modifications to existing programs and to get people to agree to them. We also need different security rules for different organizations. Firewalls are pessimistic and thus slow down all message traffic, but they do reduce the risk. The approach presented here is optimistic. That is, all traffic is observed, and if an infraction of a rule is detected, it is treated later. However, there is additional risk, because the damage might already be done. This is compared to a radar gun detecting that someone is speeding, and then pulling him over, rather than pulling everyone over and checking how fast they were going. This idea was not generally accepted by the audience. It is counter-intuitive to be optimistic when looking at network security. There is concern that the damage may already be done by the time it is detected.
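The distinguished-point method described in the van Oorschot and Wiener summary above is easiest to understand on a hash small enough to collide in milliseconds. The following is an added example, not code from the paper or the conference: it runs the method against a constructed toy hash (SHA-256 truncated to 20 bits), with "processors" simulated one after another. Each processor starts at a random point, iterates the hash until it lands on a distinguished value (low 5 bits zero), and reports only that endpoint and its step count to a shared table. When two trails end at the same distinguished point, they are re-walked in lockstep to find the pair of distinct inputs whose hashes first coincide. The memory cost is one table entry per trail, not per hash evaluation, which is the whole point of the trick; the output size, iteration function and distinguishing rule are choices made for this example. The defensive lesson is the one the speaker drew: the work to collide an n-bit hash is about 2^(n/2) evaluations and parallelizes almost perfectly, so the hash output length, not the attacker's memory, is the only real bound.

```python
import hashlib
import random

HASH_BITS = 20   # toy output size; expected work for a collision is ~2^(HASH_BITS/2)
DP_BITS = 5      # a value is "distinguished" when its low DP_BITS bits are all zero


def toy_hash(x: int) -> int:
    """Constructed toy hash: SHA-256 of the 4-byte encoding of x, truncated to HASH_BITS."""
    digest = hashlib.sha256(x.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - HASH_BITS)


def is_distinguished(y: int) -> bool:
    return y & ((1 << DP_BITS) - 1) == 0


def run_trail(start: int, max_len: int):
    """Iterate toy_hash from `start` until a distinguished point is reached.

    Returns (distinguished_point, steps), or None if the trail runs max_len
    steps without hitting one (it fell into a cycle with no distinguished
    point); the caller simply abandons such a trail and starts a fresh one.
    """
    x = start
    for steps in range(1, max_len + 1):
        x = toy_hash(x)
        if is_distinguished(x):
            return x, steps
    return None


def locate_collision(start_a: int, steps_a: int, start_b: int, steps_b: int):
    """Two trails ending at the same distinguished point merged somewhere.
    Re-walk them so both are the same distance from the endpoint, then step
    in lockstep until their next hashes coincide: that is the collision."""
    xa, xb = start_a, start_b
    while steps_a > steps_b:
        xa, steps_a = toy_hash(xa), steps_a - 1
    while steps_b > steps_a:
        xb, steps_b = toy_hash(xb), steps_b - 1
    if xa == xb:
        return None  # one trail started on the other's path: no new collision
    while True:
        ya, yb = toy_hash(xa), toy_hash(xb)
        if ya == yb:
            return xa, xb  # xa != xb and toy_hash(xa) == toy_hash(xb)
        xa, xb = ya, yb


def find_collision(seed: int = 1, max_trails: int = 10000):
    """Parallel collision search simulated sequentially. Each trail stands for
    one processor; only distinguished endpoints go into the shared table."""
    rng = random.Random(seed)   # seeded so the run is reproducible
    table = {}                  # distinguished point -> (start, steps)
    for _ in range(max_trails):
        start = rng.getrandbits(32)
        trail = run_trail(start, 20 << DP_BITS)  # give up after 20x the mean trail length
        if trail is None:
            continue
        dp, steps = trail
        if dp in table:
            prev_start, prev_steps = table[dp]
            pair = locate_collision(prev_start, prev_steps, start, steps)
            if pair is not None:
                return pair
        else:
            table[dp] = (start, steps)
    return None


if __name__ == "__main__":
    a, b = find_collision()
    print(f"{a} and {b} both hash to {toy_hash(a):#07x}")
```

With a 20-bit output the search needs on the order of a thousand hash evaluations and a table of a few dozen entries; doubling HASH_BITS squares the work but leaves the table size proportional to the number of trails, which is exactly why the paper's cost estimates scale with processors rather than with memory.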
Panel: Firewalls
Chair: Steve Bellovin
Panelists: Steve Bellovin and Ravi Ganesan

First Ganesan spoke about the future of firewalls. The old focus was that a firewall is placed between two different networks. The new focus is that an administrative domain is divided up within itself, and each part is maintained under its own rules. He introduced the idea of internal firewalls. One reason they are needed is that there is a lot of inter-site traffic. Remote logins are the rule, not the exception, and they need to be cheap. The thing is that a balance must be found between convenience and security, whereas in the past you really had to choose one. It also needs to be configurable. There need to be filter compilers to reduce the complexity of managing a firewall. Ganesan also said that applications will probably run directly over ATM, and that TCP/IP may go away. This implies that secure virtual circuits will resurface.

Bellovin said that he thinks Ganesan is wrong about ATM. He said that bad system administration is a serious problem, and so are bugs, as is the problem of not upgrading because "things work well enough already." Perimeters are breaking down. IPNG provides some window of opportunity for doing firewalls better.

Final Sessions: Experience and Multilevel Security

The last two sessions addressed Experience and Multilevel Security. These took place Friday afternoon, and were consequently somewhat sparsely attended. The first two talks were "Security Modeling for Organizations" by Alison Anderson, Dennis Longley and Lam For Kwok and "Mainstreaming Automated Information Systems Security Engineering" by J. Coyne and N. Kluksdahl. Coyne, who presented this paper, argued that NASA's Johnson Space Flight Center had both reduced cost and increased security of its systems by dismissing its institutional "security experts" and contracting with outside consultants who had specific knowledge of vulnerabilities in the systems they had installed.
The consultants were able to demonstrate specific flaws and recommend fixes, which would be installed by ordinary engineers who might have had some additional training in security matters. Coyne referred to this change as a shift from "compliance-based" security (simply complying with a set of regulations) to a "risk-reduction" approach.

The final three talks on multilevel security were "The Compatibility of Composable Policies" by Heather Hinton and Stewart Lee; "An Entropy Conservation Law for Testing the Completeness of Covert Channel Analysis" by Randy Browne; and "Prerequisite Confidentiality" by John Nestor and Stewart Lee. Both Hinton and Nestor reported work based on event systems and concerning composability issues, which have been the source of considerable study at the University of Toronto in recent years. Browne attacked a different problem: how can one determine, and assess the capacity of, a "complete" set of covert channels in a system.

________________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 1: Conference Papers
________________________________________________________________________

A. Tenth Annual Computer Security Applications Conference, Orlando, FL, December 5-9 1994
(Paper and author list taken from Advance Program; panel sessions and papers without author lists are not included here)

o A Practical Approach to High Assurance Multilevel Secure Computing Service
  J. Froscher, M. Kang, J. McDermott, O. Costich, C. Landwehr, NRL
o Security Concerns for Distributed Systems
  R. Dobry & M. Schanken, NSA
o Security for the Common Object Request Broker Architecture (CORBA)
  S. Chapin, W. Herndon, L. Notargiacomo, M. Katz, T. Mowbray, The MITRE Corp.
o Composing System Integrity Using I/O Automata
  E. Amoroso & M. Merritt, AT&T Bell Labs
o Applying the Abadi-Lamport Composition Theorem in Real-World Secure System Integration Environments
  J. Hemenway & J.
  Fellows, Grumman Data Systems
o Role-Based Access Control: A Multi-Dimensional View
  R. Sandhu, E. Coyne, H. Feinstein, C. Youman, SETA Corporation
o Secure System Composition
  G. King, Computer Science Corp.
o Architectural Impact on Performance of a Multilevel Database System
  M. Kang, J. Froscher, NRL & R. Mukkamala, Old Dominion University
o Benchmarking Multilevel Secure Database Systems Using the MITRE Benchmark
  V. Doshi, W. Herndon, S. Jajodia, C. McCollum, The MITRE Corp.
o Organizing MLS Databases from a Data Modeling Point of View
  G. Pernul & G. Quirchmayr, University of Vienna
o A Practical Approach to User Authentication
  M. Brown, Univ. of Alabama
o Audit Reduction and Misuse Detection in Heterogeneous Environments: Framework and Application
  P. Proctor, SAIC
o The Design of an Audit Trail Sanitization Tool
  E. Fisch, G. White, U. Pooch, Texas A&M University
o Automated Detection of Vulnerabilities in Privileged Programs by Execution Monitoring
  C. Ko, G. Fink, K. Levitt, University of California, Davis
o Networked Information Discovery & Retrieval Tools: Security Capabilities & Needs
  L. Schaefer & B. McKenney, The MITRE Corp.
o Property-based Testing of Privileged Programs
  G. Fink & K. Levitt, University of California, Davis
o STU-III - Multilevel Secure Computer Interface
  E. Myers, Department of Defense
o A Prototype Multilevel-Secure DoD Directory
  P. Boucher & T. Lunt, SRI International
o A Validated Security Policy Modeling Approach
  J. Freeman, R. Neely, M. Heckard, CTA, Inc.
o A Secure E-Mail Gateway (Building an RCAS External Interface)
  R. Smith, The Boeing Company
o The MITRE Security Perimeter
  D. Goldberg, The MITRE Corp.
o EINet: A Secure, Open Network for Electronic Commerce
  D. Rosenthal, MCC
o System-of-Systems Security Engineering
  D. Bodeau, The MITRE Corp.
o AOS: Avionics Operating System for Multi-level Secure Real-Time Environments
  M. Bernstein, TIS & C.
  Kim, Hughes Aircraft Company
o The Effects of Trusted Technology on Distributed Applications
  M. Joyce, The MITRE Corp.
o Availability: Theory and Fundamentals for Practical Evaluation and Use
  K. Keus, BSI
o Ops/Intel Interface Lessons Learned: The Integrator's Perspective
  K. Arndt, M. Burgoon, J. Firey, K. Rodenhausen, The MITRE Corp.
o Using Security Models to Investigate CMW Design and Implementation
  C. Robinson & S. Wiseman, Defense Research Agency
o Performance Analysis of a Method for High Level Prevention of Traffic Analysis Using Measurements from a Campus Network
  B. Venkatraman & R. Newman-Wolf, University of Florida, Gainesville
o Where We Stand in Multilevel Security (MLS): Requirements, Approaches, Issues, and Lessons Learned
  B. Neugent, The MITRE Corp.
o Why Bad Things Happen to Good Systems, and What to Do About It
  J. Kahn & M. Abrams, The MITRE Corp.
o A View of Cryptography in TCSEC Products
  J. Epstein, Cordant, Inc.

B. ESORICS-94 (European Symposium on Research in Computer Security), Brighton, UK, 2-9 November, 1994

o Valuation of Trust in Open Networks
  T. Beth, M. Borcherding, B. Klein
o Performance Requirements in Data Communication Systems
  V. Zorkadis
o Non-interference through Determinism
  A.W. Roscoe, J.C.P. Woodcock, L. Wulf
o Mechanical Proof of Security Properties
  J.P. Banatre, C. Bryce, D. Le Metayer
o Security through Types
  C. O'Halloran, C.T. Sennett
o Designing Secure Key Exchange Protocols
  C. Boyd
o Robust and Secure Password and Key Change Method
  R. Hauser, P. Jansson, R. Molva, G. Tsudik, E. Van Herreweghen
o Beacon Based Authentication
  A. Jiwa, J. Seberry, Y.L. Zheng
o Authentication via Multi-Service Tickets in the Kuperee Server
  T. Hardjono, J. Seberry
o Oblivious Signatures
  L. Chen
o A Model for Establishing Secure Channels in Open Networks
  U.M. Maurer, P.E. Schmid
o On Strengthening Authentication Protocols to Foil Cryptanalysis
  W. Mao, C. Boyd
o Security Research for the Financial Sector
  H.
  Beker
o Efficient Electronic Payment Systems Protecting Privacy
  J.L. Camenisch, J.M. Piveteau, M.A. Stadler
o The ESPRIT Project CAFE - High Security Digital Payment Systems
  J.P. Boly, A. Bosselaers, R. Cramer, R. Michelsen, S. Mjolsnes, F. Muller, T. Pedersen, B. Pfitzmann, P. de Rooj, B. Schoenmakers, M. Schunter, L. Vallee, M. Waidner
o Liability and Computer Security: Nine Principles
  R.J. Anderson
o Implementing Secure Dependencies over a Network by Designing a Distributed Secure SubSystem
  B. d'Ausbourg
o A Secure Medium Access Control Protocol: Security vs Performances
  P. Siron, B. d'Ausbourg
o Distributed File Systems over a Multilevel Secure Architecture, Problems and Solutions
  C. Calas
o On the Expressive Power of the Unary Transformation Model
  R.S. Sandhu, S. Ganta
o Privilege Graph: an Extension to the Typed Access Matrix Model
  M. Dacier, Y. Deswarte
o A Consideration of the Modes of Operation for Secure Systems
  C. Robinson, S.R. Wiseman
o Mark-and-Sweep Garbage Collection in Multilevel Secure Object-Oriented Database System
  A. Ciampichetti, L. Mancini, E. Bertino
o Decomposition of Multi-level Objects in an Object-Oriented Database
  N. Boulahia-Cuppens, F. Cuppens, A. Gabillon, K. Yazdanian
o Supporting Object-based High-assurance Write-up in Multilevel Databases for Replicated Architecture
  R. Thomas, R.S. Sandhu
o Aggregation in Relational Databases: Controlled Disclosure of Sensitive Information
  A. Motro, D.G. Marks, S. Jajodia
o Information Flow Controls vs Interference Controls: An Integrated Approach
  F. Cuppens, G. Trouessin

C. Second ACM Conference on Computer and Communications Security, Nov. 2-4, Fairfax, Virginia

o Support for the File System Security Requirements of Computational E-Mail Systems
  A. Prakash and T. Jaeger
o Secure Wireless LANs
  V. Bhargavan
o The Design and Implementation of Tripwire: A File System Integrity Checker
  G. Kim and E.
Spafford o Exchange of Patient Records: Prototype Implementation of a Security Attribute Service in X.500, M. Jurecic and H. Bunz o A Process-Oriented Methodology for Assessing and Improving Software Trustworthiness, E. Amoroso, C. Taylor, J.Watson and J. Weiss o Clipper Repair Kit - Towards Acceptable Key Escrow Systems, T. Beth, H. Knobloch, M. Otten, G. Simmons and P. Wichmann o Protocol Failure in the Escrowed Encryption Standard, M. Blaze o Secure Agreement Protocols: Reliable and Atomic Group Multicast in Rampart, M. Reiter o Key Distribution via True Broadcasting, M. Just, E. Kranakis, D. Krizanc, P. Van Oorschot o Conditionally Secure Secret Sharing Scheme with Disenrollment Capability, C. Charnes and J. Pieprzyk o Meta-ElGamal Signature Schemes, P. Horster, H. Petersen and M. Michels o Anonymous Credit Cards, S. Low, N. Maxemchuk and S. Paul o An Efficient Multiversion Algorithm for Secure Servicing of Transaction Reads, P. Ammann and S. Jajodia o A Temporal Authorization Model, E. Bertino, C. Bettini and P. Samarati o Propagation of Authorizations in Distributed Database Systems, P. Samarati, P. Ammann and S. Jajodia o Substitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis, H. Heys and S. Tavares o Information Leakage of Boolean Functions and its Relationship to Other Cryptograpahic Criteria, M. Zhang, S. Tavares and L. Campbell o Authentication Codes that are r-fold Secure Against Spoofing, R. Safavi-Naini o The Role of Licensing, Insurance and Endorsements in Evaluating Trust of Distributed System Services, C. Lai, G. Medvinsky and C. Neuman o New Protocols for Third-Party-Based Authentication and Secure Broadcast, L. Gong o How to Simultaneously Exchange Secrets by General Assumptions, T. Okamoto and K. Ohta o A Key Distribution Method for Object-Based Protection, W. Ford and M. Wiener o On the difficulty of factoring, A. Lenstra o How to Break Gifford's Cipher, T. Cain and A. 
Sherman o Parallel Collision Search with Application to Hash Functions and Discrete Logarithms, P. Van Oorschot and M. Wiener o Application Access Control at Network Level, R. Molva and E. Rutsche o Network Security Probe , P. Rolin, L. Toutain and S. Gombault o Security Modelling for Organizations, A. Anderson, L. Kwok and D. Longley o Mainstreaming Automated Information Systems Security Engineering, J. Coyne and N. Kluksdahl o The Compatibility of Composable Policies, H. Hinton and S. Lee o An Entropy Conservation Law for Testing the Completeness of Covert Channel Analysis, R. Browne o Prerequisite Confidentiality, J. Nestor and S. Lee ________________________________________________________________________ Reader's Guide to Current Technical Literature in Security and Privacy Part 2: Journal and Newsletter Articles ________________________________________________________________________ o IEEE Communications Magazine, Sept. 1994. Issue on "Securing the Information Superhighway", Ravi Ganesan, Guest Editor: o Ravi Ganesan. Guest editorial: Security the information superhighway. pp.28-30. o B. Clifford Neuman and Theordore Ts'o. Kerberos: an authentication service for computer networks. pp.33-39. o Ravi S. Sandhu and Pierangela Samarati. Access control: principles and practice. pp.40-48. o Steven M. Bellovin and Williarm R. Cheswick. Network firewalls. pp.50-57. o Dorothy E. Denning and Miles Smid. Key escrowing today. pp.58-69. o Patrick W. Brown. Digital signatures: are they legal for electronic commerce? pp.76-81. o Henry M. Kluepfel. Securing a global village and its resources. pp.82-89. o Communications of the ACM, Vol. 37 (1994) o Number 11, November o Ravi Ganesan and Ravi Sandhu. Securing cyberspace. (Guest editors' introduction), pp.28-31. o Ross J. Anderson. Why cryptosystems fail. pp.32-41. o Roger M. Needham. Denial of service: an example. pp.42-47. o Ralf C. Hauser. Does licensing require new access control techniques? pp. 48-55. o Gustavus J. 
Simmons. Cryptanalysis and protocol failures. pp.56-65. o Paul C. Clark and Lance J. Hoffman. BITS: a smartcard protected operating system. pp.66-70. o Number 9, September o George W. Hart. To decode short cryptograms. pp. 102. o Lance J. Hoffman, Faraz A. Ali, Steven L. Heckler, and Ann Huybrechts. Cryptography policy. pp. 109. o Peter G. Neumann. Inside RISKS: expectations of security and privacy. p. 138. o Number 8, August o Katherine Fithen and Barbara Fraser. CERT incident response and the Internet. pp. 108-113. o Susan Landau, Stephen Kent, Clint Brooks, Scott Charney, Dorothy Denning, Whitfield Diffie, Anthony Lauck, Douglas Miller, Peter G. Neumann, and David Sobel. Crypto policy perspectives. pp. 115-121. o ACM SIGCOMM Computer Communication Review, Volume 24, Number 3 (July, 1994). o D.F. Hadj Sadok and Judith Kelner. Privacy enhanced mail design and implementation perspectives. pp.38-46. o AT&T Technical Journal, Volume 72, Number 5, September/October 1994. o Thomas A. Brooks and Michael M. Kaplan. Security Technologies. pp.4-8. o David P. Maher. Trust in the new information age. pp. 9-16. o Andrew M. Odlyzko. Public key cryptography. pp.17-23. o Karl A. Siil. An introduction to cryptanalysis. pp.24-29. o Matt Blaze, Jack Lacy, Thomas London, and Mike Reiter. Issues and mechanisms for trustworthy systems: creating transparent mistrust. pp. 30-39. o Edward Amoroso, W.E. Kleppinger, and David Majette. An engineering approach to secure system analysis, design, and integration. pp. 40-51. o Ronald L. Sharp, Steven R. Eisen, W.E. Kleppinger, and Mark E. Smith. Network security in a heterogeneous environment. pp.52-60. o Stephan A. Sherman, Richard Skibo, and Richard S. Murray. Secure network access using multiple applications of AT&T's smart card. pp. 61-72. o Nicholas F. Maxemchuk. Electronic document distribution. pp.73ff. o Computing Systems Volume 7, Number 1 (Winter 1994) Matt Bishop, Guest Editor. o Matt A. Bishop, Guest Editorial p. v o Willis H. 
Ware, Policy Considerations for Data Networks, p. 1. o Raphael Yahalom, Birgit Klein, Thomas Beth. Trust-Based Navigation in Distributed Systems. p. 45 o Marjan Krajewski, Jr., John C. Chipehak, David A. Chodorow, Jonathon T. Trostle. Applicability of Smart Cards to Network User Authentication. p. 75. o Allan Heydon, J.D. Tygar. Specifying and Checking UNIX Security Constraints. p. 91. o Leonard J. LaPadula. A Rule-Set Approach to Formal Modeling of a Trusted Computer System. p. 113. o Computers & Security Volume 13, Number 5. (Elsevier) Refereed Papers: o Karin Badenhorst and Jan Eloff. TOPM: a formal approach to the optimization of information technology risk management. pp. 411-436. o Eike Born and Helmut Steigler. Discretionary access control by means of usage conditions. pp. 437-450. o Computers & Security Volume 13, Number 4. (Elsevier) Refereed Papers: o E.E.O. Roos Lindgreen and I.S. Herschberg. On the validity of the Bell-LaPadula model. pp. 317-334. o D. Longley and S. Vasudevan. Effect of key generators on the automatic search for flaws in key management schemes. pp.335-348. o D.N.J. Mostert and S.H. von Solms. A methodology to include computer security, safety and resilience requriements as part of the user requirement. pp. 349-364. ________________________________________________________________________ Reader's Guide to Current Technical Literature in Security and Privacy Part 3: Books ________________________________________________________________________ o Ford, Warwick.Computer communications security: principles, standard protocols and techniques.Prentice Hall P T R, Englewood Cliffs, NJ, ISBN 0-13-799453-2, 494 pages, $58. o Thuraisingham, Bhavani, Ravi Sandhu, and T.C. Ting, editors. Security for object-oriented systems: Proceedings of the OOPSLA '93 conference workshop on security for object-oriented systems.. Springer-Verlag, New York, 1994, ISBN 0-387-19877-6. 
o Castano, Silvana, Mariagrazia Fugini, Giancarlo Martella, and Pierangela
  Samarati. Database security. ACM Press/Addison-Wesley, 1994,
  ISBN 0-201-59375-0.
o Abrams, Marshall D., Sushil Jajodia, and Harold J. Podell (eds.).
  Information security: an integrated collection of essays. IEEE Computer
  Society Press, ISBN 0-8186-3662-9, 700 pages, $58 (discounts available
  to IEEE CS members).
o Amoroso, Edward. Fundamentals of computer security technology. P T R
  Prentice-Hall, ISBN 0-13-108929, 1994, 404 pages, $48.
o Cheswick, William R., and Steven M. Bellovin. Firewalls and Internet
  security: repelling the wily hacker. Addison-Wesley, 1994,
  ISBN 0-201-63357-4 (paper), 305 pages, $24.95.
o Neumann, Peter G. Computer-related risks. Addison-Wesley, 1994,
  ISBN 0-201-55805-X (paper), 320 pages, $24.75.
o Schneier, Bruce. Applied cryptography: protocols, algorithms, and source
  code in C. John Wiley & Sons, Inc., 1994, ISBN 0-471-59756-2 (paper),
  618 pages, $44.95.

________________________________________________________________________
Calendar
________________________________________________________________________

Calendar updated 14 November 1994.

Format: Date (Month/Day/Year): Event, Location; e-mail for more info
(hyperlink, if any, in the hypertext version).

Dates               Event, Location                 Point of Contact / more information
-----               ---------------                 ----------------------------------
12/ 5/94-12/ 9/94:  ACSAC, Orlando;                 vreed@mitre.org (Vince Reed)
 1/14/95:           COMPASS '95 papers due;         rushby@csl.sri.com or ftp.csl.sri.com
 2/ 3/95:           CSFW-8 papers due;              gong@csl.sri.com
 2/13/95:           5th USENIX Sec Symp papers due, Utah;
                                                    securityauthors@usenix.org
 2/16/95- 2/17/95:  ISOC-Symp, San Diego;           gcarrier@mitre.org (Gloria Carrier)
 3/ 1/95:           NCSC-18 papers due;             NCS_Conference@Dockmaster.ncsc.mil
 3/10/95:           SAC '95 ext. abstracts due;     sac95@scs.carleton.ca
 3/17/95:           DCCA-5 papers due;              morganti@settimo.italtel.it
 3/20/95:           IFIP WG11.3 papers due;         ting@eng2.uconn.edu (T.C. Ting)
 3/24/95:           NSPW '95 papers due (hardcopy); meadows@itd.nrl.navy.mil
 3/31/95:           MDS-95 papers due, York, England;
                                                    IMACRH@V-E.ANGLIA.AC.UK
 4/ 1/95:           NSPW '95 papers due (e-mail);   John.Dobson@newcastle.ac.uk
 4/ 3/95:           IEEE S&P 5-min talk abstracts due;
                                                    meadows@itd.nrl.navy.mil
 5/ 7/95- 5/12/95:  IEEE S&P 95;                    dmj@mitre.org (registration)
 5/ 9/95- 5/11/95:  IFIP/SEC '95, Capetown;         IFIPSEC95@RKW.RAU.AC.ZA
 5/18/95- 5/19/95:  SAC '95, Ottawa;                sac95@scs.carleton.ca
 5/22/95- 5/24/95:  Eurocrypt '95, France;          iacr95@ccett.fr
 6/ 5/95- 6/ 7/95:  5th USENIX Sec Symp, Utah;      conference@usenix.org (registration)
 6/13/95- 6/15/95:  CSFW-8, Ireland;                s.foley@cs.ucc.ie
 6/26/95- 6/30/95:  COMPASS '95;                    BONNIE.DANNER@trw.sprint.com
 8/13/95- 8/16/95:  IFIP WG11.3, New York (RPI);    ting@eng2.uconn.edu (T.C. Ting)
 8/22/95- 8/25/95:  NSPW '95, San Diego (UCSD);     meadows@itd.nrl.navy.mil
 8/27/95- 8/31/95:  Crypto '95, Santa Barbara;      tavares@ee.queensu.ca
 9/ 5/95- 9/ 6/95:  MDS-95, York, England;          IMACRH@V-E.ANGLIA.AC.UK
 9/27/95- 9/29/95:  DCCA-5, Champaign, IL;          no e-mail address available
10/10/95-10/13/95:  NCSC-18, Baltimore;             NCS_Conference@Dockmaster.ncsc.mil
 3/??/96:           CCS-3, New Delhi;               exact dates to be available 1/95
 5/ 5/96- 5/ 8/96:  IEEE S&P 96;                    no e-mail address available
 5/ 5/96- 6/ 9/96:  IFIP/SEC 96, Greece;            no e-mail address available
11/??/96:           ESORICS '96, Rome, Italy;       no e-mail address available
 5/ 4/97- 5/ 7/97:  IEEE S&P 97;                    no e-mail address available

Key:
  CCS-2          = 2nd Annual ACM Conference on Computer and Communications
                   Security
  CCSS           = 7th Annual Canadian Computer Security Symposium
  CSFW           = Computer Security Foundations Workshop
  DCCA           = Dependable Computing for Critical Applications
  ESORICS        = European Symposium on Research in Computer Security
  IEEE S&P       = IEEE Symposium on Research in Security and Privacy
  IFIP/SEC       = International Conference on Information Security
                   (IFIP TC11)
  IFIP WG11.3    = IFIP WG11.3 9th Working Conf. on Database Security
  MDS '95        = Second Conf. on the Mathematics of Dependable Systems
  NCSC           = National Computer Security Conference
  NSPW           = New Security Paradigms Workshop
  ISOC-Symp      = Internet Society 1995 Symposium on Network and
                   Distributed System Security
  SAC '95        = 2nd Annual Workshop on Selected Areas of Cryptography
  USENIX Sec Symp = USENIX UNIX Security Symposium

________________________________________________________________________
Interesting Links
________________________________________________________________________

Format: URL (first line) followed by description (second line)

Government sources:
-------------------
http://www.whitehouse.gov
  If you want to start at the top!
http://csrc.ncsl.nist.gov/
  NIST Computer Security Resource Clearinghouse - pointers to many places
http://www.itd.nrl.navy.mil:80/ITD/5540/
  NRL Center for High Assurance Computer Systems, with IEEE and XTP-1 ptrs
http://infosec.nosc.mil/infosec.html
  SPAWAR INFOSEC Homepage
http://ftp.arpa.mil/
  ARPA home page
http://mosaic.larc.nasa.gov/nasaonline/gov.html
  NASA Langley Research Center - and pointers to other Government Labs
http://www.sei.cmu.edu/
  Software Engineering Institute Information Server

Professional societies and organizations:
-----------------------------------------
http://www.computer.org
  IEEE Computer Society home page
http://www.acm.org
  ACM home page, with pointers to IFIP, Internet Society, etc.
http://info.isoc.org/
  Internet Society Home Page
http://www.ietf.cnri.reston.va.us/home.html
  Internet Society's Internet Engineering Task Force home page
http://www.dit.upm.es/~cdk/ifip.html
  IFIP Home Page
http://www.cs.rpi.edu/ifip/
  IFIP WG 11.3 (Database Security) home page

Other places for interesting research papers and announcements
--------------------------------------------------------------
http://www.csl.sri.com/
  SRI-CSL SRI International Computer Science Lab home page
http://riwww.osf.org:8001/
  OSF Research Institute home page
http://info.gte.com/ftp/doc/doc.html
  Distributed Object Computing - GTE Research group home page
http://www.research.att.com/
  An AT&T Bell Laboratories Research World-Wide Web Server
http://www.rdt.monash.edu.au/tr/siteslist.html
  Computer Science Technical Reports Archive Sites
http://www.comlab.ox.ac.uk/oucl/people/jonathan.bowen.html
  Jonathan Bowen
http://www.tansu.com.au/Info/communications.html
  {Tele}Communications Information Sources
http://dfw.net:80/~aleph1/
  Uebercracker's Security Web
http://info.bellcore.com/BETSI/betsi.html
  Bellcore Trusted Software Integrity System

________________________________________________________________________
TC Officer Roster
________________________________________________________________________

Chair:
  Terry Vickers Benzel
  Trusted Information Systems
  11340 W. Olympic Blvd, Suite 265
  Los Angeles, CA 90064
  (310) 477-5828
  tcvb@la.tis.com

Vice Chair:
  Deborah Cooper
  Director, Information Systems Security
  Unisys Govt. Information Systems Group
  12010 Sunrise Valley Drive
  Reston, VA 22091
  (703) 847-3895
  cooper@rtc.reston.paramax.com

Newsletter Editor:
  Carl Landwehr
  Code 5542
  Naval Research Laboratory
  Washington, DC 20375-5337
  (202) 767-3381
  Landwehr@itd.nrl.navy.mil

Standards Subcommittee Chair:
  [VOLUNTEER NEEDED!]

________________________________________________________________________
Information for Subscribers and Contributors
________________________________________________________________________

SUBSCRIPTIONS: To subscribe, send e-mail to (which is NOT automated) with
subject line "subscribe". To remove yourself from the subscription list,
send e-mail to cipher-request@itd.nrl.navy.mil with subject line
"unsubscribe". Those with access to hypertext browsers may prefer to read
Cipher that way. It can be found at URL
http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher

CONTRIBUTIONS: to are invited. Cipher is a NEWSletter, not a bulletin
board or forum. It has a fixed set of departments, defined by the Table of
Contents. Please indicate in the subject line for which department your
contribution is intended. For Calendar entries, please include an e-mail
address for the point of contact.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
All reuses of Cipher material should respect stated copyright notices, and
should cite the sources explicitly; as a courtesy, publications using
Cipher material should obtain permission from the contributors.

ARCHIVES: Available at URL
http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher/cipher-archive.html

==============end of Electronic Cipher Issue #2, 12/5/94====================