Subject:  Electronic CIPHER, Issue 2, December 5, 1994

       _/_/_/_/  _/_/_/  _/_/_/_/   _/    _/  _/_/_/_/  _/_/_/_/
      _/          _/    _/     _/  _/    _/  _/        _/     _/
     _/          _/    _/_/_/_/   _/_/_/_/  _/_/      _/_/_/_/
    _/          _/    _/         _/    _/  _/        _/   _/
   _/_/_/_/  _/_/_/  _/         _/    _/  _/_/_/_/  _/     _/

Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 2       December 5, 1994      Carl Landwehr, Editor
Contents:                                         [1675 lines total]
Letter from the Editor                           [starts on line 38]
  Security and Privacy News                                [line 87]
   o  Leonard Kleinrock calls for improved Internet 
      security architecture.
   o  Common Criteria to be briefed this week at ACSAC
Calls for papers: conferences and special journal issues  [line 140]   
TC Publications for sale!                                 [line 203]
Conference News and Reports                               [line 235]
   o  Call for meetings and workshops at IEEE 1995        [line 238] 
      Security and Privacy Symposium            
   o  Report on the European Symposium on Research in     [line 256]
      Computer Security (ESORICS '94) by John McLean
   o  Report on the Second ACM Conference on Computer and [line 472]
      Communications Security by Avi Rubin
Reader's guide to recent security and privacy literature [line 1161]
   Paper lists from conferences                          [line 1161]
   Tables of contents of recent periodicals              [line 1352]
   Recent books                                          [line 1461]
Calendar                                                 [line 1489]
Interesting Links                                        [line 1553]
TC Officers                                              [line 1631]
Information for Subscribers and Contributors             [line 1650]

Letter from the Editor

Thanks to substantial contributions from John McLean and Avi Rubin, our
second issue is arriving on your electronic doorstep earlier than I had
predicted.  I am hoping for reports on a couple of conferences held in
December, so perhaps we will have a New Year's issue as well -- but
this depends on contributions from our readers! 

This issue is a long one (1675 lines, or about 28 pages, at 60 lines
per page).  This is partly due to listings of paper titles in the
Reader's Guide section, which includes the recent ACM CCS-2, ESORICS,
and Tenth ACSAC lists.  Please let me know if receiving an e-mail
message this size causes you a problem, so I can estimate a suitable
maximum size for future issues.  Additional paper lists from earlier
1994 conferences (Oakland, Franconia, and IFIP WG11.3 conferences) are
available in the hypertext version of Cipher.

Terry Benzel, our TC chair, has been too busy (not least with TC
business) to provide a new Letter from the Chair for this issue, but I
expect she will have some things to say in the next one.

I urge you to try out the hypertext version of the newsletter now
available at URL if you
have not done so already.  The IEEE Computer Society's home page
now includes a direct pointer to Cipher in
case you forget where we are (thanks to Mark Haas, 1995 IEEE VP for
Conferences and Tutorials, for providing this).

Nearly all the material in this issue (EI #2) has been available on the
Web for two weeks, and I plan to continue posting updates there as they
arrive.  As you will see in this issue, many of the departments I had
planned have materialized, and I have added a few new departments 
(e.g., announcing TC publications for sale).

I have had a suggestion for starting a section on "who's where" to
announce changes of position and address for people within the security
community.  If you think this would be a good idea (would you want to
use it?) please let me know.

We still need contributions concerning relevant standards activities
as well as news and opinions from the membership.

Finally, holiday greetings to all!
Carl Landwehr
Editor, Cipher

Security and Privacy News Items
 o 14 November 94: Kleinrock calls for improved Internet security

   From IEEE COMPUTER, November 1994, p.7: News Briefs, by Lisa
   Armstrong, Edittech Int'l

   The Internet needs a major overhaul, according to Leonard Kleinrock,
   the man who pioneered the development of Arpanet, predecessor to
   the Internet, and who is now proposing a new architecture for the
   wildly growing "net." 

   Kleinrock, who chairs the University of California, Los Angeles,
   Computer Science Department and the Technology Transfer Institute,
   said, "A whole new architecture needs to be built into the system.
   Issues cannot be handled by add-ons." The issues that Kleinrock
   emphasized include security, dissatisfaction with the Internet's "best
   effort" service, and addressing considerations. 

   The new Internet Protocol, IP6, is the "first step," Kleinrock said. "It
   has extended addressing far enough to last a very long time. However,
   it makes the assumptions of packet switching and best-effort quality
   of service." Best-effort service means that Internet users can transfer
   data only if the necessary bandwidth is available. Otherwise, "too bad"
   for the user. 

   One of the loudest complaints regarding the Internet is security, or
   lack of it. Along with valuable on-line information, those who surf
   Internet waters encounter security hazards. Users can secure their own
   networks from intruders, but that doesn't protect them when they
   connect to other networks. 

   "We need a comprehensive security architecture," Kleinrock said. "We
   need to build authorization, encryption, and passwords into the
   hardware and software." 

   Kleinrock chairs the National Research Council's Computer Science
   and Telecommunications Board. In May, a CSTB-appointed
   committee presented a report that made recommendations for the
   Internet overhaul.

 o 8 November 94: Common Criteria to be presented at 10th ACSAC.
   Marshall Abrams announced today by e-mail that the Common
   Criteria will be presented Tuesday, December 6th at the Annual
   Computer Security Applications Conference in Orlando. There will be
   a three hour presentation in the afternoon. More information
   concerning the presentation is expected soon. 

The Editor seeks newsworthy items related to security and privacy
technical issues. Please keep contributions brief and interesting. 
Please send mail to 

Calls for Papers
(see also Calendar) 
 o Journals 
    o IEEE Trans. on Knowledge and Data Engineering is planning a
      special issue on secure database systems technology. Editors
      for the issue are Bhavani Thuraisingham and T.C. Ting.
      Areas of interest include, but are not limited to: 
       o Secure relational database systems, object-oriented
         database systems, distributed and heterogeneous
         database systems, and knowledge-based management
       o Designing and securing databases and applications 
       o Security for medical information systems and banking
       o Special topics such as secure concurrency control,
         inference problems, and data models 
      Eight copies of manuscripts up to 30 type-written,
      double-spaced pages are due to the guest editors by 1 February
      1995. Acceptances will be announced 1 June, 1995, final
      manuscripts are due 1 August 1995, and publication of the issue
      is planned for February, 1996. For additional information, send
      e-mail to the editors at the addresses given above. 
 o Conferences 
      See also Cipher Calendar and NRL CHACS CFP list. 
    o CRYPTO '95 August 27-31, 1995, University of California at
      Santa Barbara. 
    o Second annual workshop on Selected Areas in Cryptography
      (SAC '95). May 18-19, 1995, Carleton University, Ottawa,
      Canada. Original papers are solicited on all practical aspects of
      key establishment in distributed systems and design
      implementation of symmetric encryption algorithms. Eight
      copies of abstract due by March 10 to Evangelos Kranakis, 
      Carleton University. Queries to: 
    o Second Conference on the Mathematics of Dependable Systems
      (MDS 95), 4-6 September, 1995, University of York, England. 
 o Other 
    o NIST CHISSA Seeks White Papers: SPECIAL NOTICES Section:
      SP of CBD dated 08/Nov/94: CALL FOR WHITE PAPERS:
      establishing the Center for High Integrity Software Systems
      Assurance (CHISSA) as a collaborative approach for
      government, industry, and academia to pursue visionary
      solutions to industry-defined problems, coordinate activities
      relating to high integrity software systems (HISS) technology
      and ensure its partners have equitable access to solutions
      developed in domains such as commerce, manufacturing,
      transportation, health care, entertainment. White Papers from
      industry, government, and academia should focus on problems
      of developing, maintaining and assuring HISS. The papers will
      assist the Steering Committee in selecting an initial focus within
      the broader scope and will be used to develop a research
      agenda, plan workshops, identify partners, determine strategies
      for technology transfer, and develop a proposed Cooperative
      Research and Development Agreement between CHISSA and its
      partners. Papers due by 1/21/95. For details or to submit,
      contact: Delores Wallace, (301) 975-3340, NIST, Room B266,
      Tech. Bldg., Gaithersburg, Maryland 20899-0001.
      Fax: (301) 926-3696.

TC Publications for Sale
We have a few surplus copies of the proceedings of the Oakland conference
(199N IEEE Symposium on Research in Security and Privacy) available for
purchase by TC members at favorable rates. Current issues in stock and
prices are as follows: 

       Price by mail 
       from TC      IEEE CS Press       IEEE CS Press
Year   TC members   IEEE member price   List Price
----   ----------   -----------------   -------------
1992   $15              $43               $86
1993   $20              $30               $60
1994   $30              $30+$4 S&H        $60+$5 S&H

Please add $5 to the prices listed above for overseas delivery. If you would
like to place an order, please send a letter specifying 

 o which issues you would like, 
 o where to send them, and 
 o a check in US dollars, payable to the 1995 IEEE Symposium on
   Security and Privacy to: 

Charles N. Payne
Treasurer, IEEE TC on Security and Privacy
Code 5542
Naval Research Laboratory
Washington, DC 20375-5337
U S A 

Sorry, we are not yet ready for electronic commerce! 

Conference News and Reports
Workshops/Meetings Solicited for Oakland 1995 
The IEEE Symposium on Security and Privacy traditionally draws a
diverse, international attendance of respected computer security and
INFOSEC researchers.  The 1995 Symposium will be held Monday, May 8,
through Wednesday noon, May 10, at the Claremont Resort Hotel, Oakland,
California.  Referees are now reviewing an excellent collection of
submissions for this year's symposium.

Meeting rooms can be made available at the hotel Wednesday afternoon,
Thursday, and Friday, May 10-12, in conjunction with the Symposium.  If
you are organizing a computer security related meeting or workshop next
spring, plan now to take advantage of this opportunity to schedule your
meeting or workshop in conjunction with this symposium.  You may be
able to both reduce your total meeting costs and draw a
better attendance than if you schedule your meeting separately. 

For additional details, please contact the Editor.

Report on European Symposium on Research in Computer Security 94 
(ESORICS '94) November 7-9, 1994 Old Ship Hotel, Brighton, UK
by John McLean

The European flavor of the third incarnation of this biennial
conference was evident from its location, an old ballroom where
Paganini had played 163 years earlier. The distinction between this
conference and similar U.S. conferences was emphasized in the opening
remarks of Conference Chair,  Roger Needham. Needham told the audience
of about 75 practitioners that European research in computer security
tended to be practical, as opposed to (North) American research which
tended to focus on metaphysical discussions of what confidentiality
means. He then went on to remind us that a symposium was originally a
drinking party. He concluded by stating that the focus of this
symposium was computer security, rather than theoretical cryptography.

The conference included 26 papers (all contained in the proceedings:
Computer Security -- ESORICS 94, ed. Dieter Gollmann, Lecture Notes in
Computer Science 875, Springer-Verlag, Berlin, ISBN 3-540-58618-0, 468
pages), an invited talk, and a panel session. This report includes only
a very brief overview of each of the papers, followed by fuller
discussions of the invited presentation and the panel session.

In Monday's opening session on measures, Thomas Beth presented a metric
for measuring trust between two different networks, and Vasilios
Zorkadis used queuing theory to measure the degradation security
introduces into network performance and examined various methods for
lessening this degradation.  This was followed by a session on high
assurance software. In this session Bill Roscoe introduced a CSP-based
version of Noninterference that requires that the purge of a trace be
deterministic, Daniel Le Metayer presented some work on performing
information flow analysis of programs at compile time, and Chris
Sennett presented a method for performing static analysis on compiled

Following lunch, a session on key management featured a presentation by
Wenbo Mao on designing secure key exchange protocols, and Els Van
Herreweghen offered a new password and key-exchange protocol based on
an atomic challenge/response exchange. The afternoon ended with a
session on authentication. This session featured two talks by Jennifer
Seberry and a presentation by Birgit Pfitzmann of work by Lidong Chen,
who could not attend the conference. Seberry's first talk was on the
use of Rabin's concept of a beacon to provide authentication in
distributed systems, and her second described the authentication
services found in the Kuperee (a mythical kangaroo) server, which is
based on a public key cryptosystem.  Chen's paper presents two
oblivious signature schemes.

Tuesday began with a second session on key management. Ueli Maurer
presented a calculus for reasoning about security in open networks and
Wenbo Mao presented ways to strengthen the Kerberos and KryptoKnight
protocols. Following this session was an invited talk which will be
discussed below and a session on digital payments. In the latter

Jean-Marc Piveteau offered a method for anonymous digital payments that
reduces the size of the necessary supporting database. Birgit Pfitzmann
next described the ESPRIT Project's CAFE digital payment system, and
then Ross Anderson presented a paper arguing that the purpose of
commercial security is not so much to reduce the risk of a security
violation, but rather to shed liability.

The afternoon began with a session on distributed systems in which
Bruno d'Ausbourg and Pierre Siron each reported on a distributed
security subsystem that implements Bieber and Cuppens' concept of
secure dependencies over a network. Christel Calas then presented a
distributed file system that enforces the secure dependencies concept.
The day ended with a panel session that is discussed below.

The last day (Wednesday) opened with a session on access controls in
which Ravi Sandhu discussed the expressive power of the unary
transformation model. Sandhu showed that, contrary to a claim made in
his and Srinivas Ganta's 1994 Oakland paper, the unary transformation
model is equivalent in expressive power to the binary transformation
model. However, this equivalence holds only if every subject has a
unique type. Following Sandhu, Marc Dacier showed how to extend
Sandhu's TAM model to deal with authorization schemes involving sets of
privileges. The session concluded with Clare Robinson's report on
modes of operation for security systems.

The last two sessions were devoted to database security.  In the first
session Elisa Bertino presented a secure mark-and-sweep garbage
collection algorithm.  This was followed by Frederic Cuppens'
discussion of the decomposition of multilevel objects in an
object-oriented database and a presentation by Roshan Thomas on secure
write-ups in replicated architectures.  In the second session, Amihai
Motro used the concepts of overlapping and overlaying views to address
the aggregation problem, and Gilles Trouessin used the concepts of
internal information flow controls and external information flow
controls to secure a database.

Although the papers were generally well received, the most energetic
audience reaction was generated by an invited talk by Henry Becker of
Zergo Consultants, who spoke on security research in the financial
sector, and a panel session, chaired by Helmut Kurth of IABG, on
security evaluations in practice.

Becker emphasized the current gap between security research and
industry.  Industry focuses on the management and control of
information and information systems in the face of flatter and more
autonomous organizations, pervasive distributed processing, increased
automation and out-sourcing, and legal and due-care requirements.  This
has led to a lot of money going into security, but most of the money is
spent in ways security research does not address.  For example, Becker
estimates that English banks spend 50% of their information technology
budget on security (a figure also matched in Japan).  However, only 6%
- 9% of the information technology budget goes to purchasing security.
The bulk of the money goes to managing security.  Hence, security is
primarily seen as a management issue whose solution will be through
management tools.

Particular management needs include better risk analysis tools, better
ways to measure the effectiveness of security awareness programs,
generic interfaces that will allow security decisions to be made even
in the face of the uncertainty produced by the current export debates,
and ways to ``de-skill'' the job of the security administrator.
Industry also needs methods for achieving positive assurance, but
evaluation documents such as the ITSEC are viewed as being too
government-oriented.  Industry needs something that is simpler and less
expensive, something more like conformance to codes of practice or
review by experts.  Finally, Becker predicts that industry will need
products to provide secure email, secure internet connectivity, secure
card technology, and secure telecommuting.  (Interestingly, he does not
predict an industry future for biometrics, however, because of the
danger of lawsuits due to bodily injury that may result from retinal
scans or similar technology.)  However, he stresses that the main concern
here is the implementation and management of technology, rather than
technology development.

The gap between commercial and noncommercial security was further
examined in the panel on security evaluation in practice.  Kurth opened
the panel by comparing US and European evaluation procedures.  He noted
that European evaluations are performed by private companies rather
than the government and usually take less time than U.S.  evaluations.
European criteria also allow more flexibility with respect to
functionality than the U.S. criteria.  However, he noted that current
practice in both Europe and the U.S. has several problems:

- the criteria are too government-oriented with commercial aspects
  being poorly covered;
- evaluation results are not in a form useful for procuring a system,
  integrating a system, or developing a system security plan;
- evaluation criteria focus too much on correctness rather than on
  effectiveness (i.e., what vulnerabilities a system contains);
- there is no link between associated standards (e.g., between security
  and safety);
- there is no practical approach to re-evaluation;
- there is no push to sell evaluated systems in the commercial world.

Nevertheless, Kurth thinks that if the evaluation processes could be
altered to meet commercial needs, it would be useful since it is more
efficient to test a product once, rather than have each company conduct
its own test.

Stefan Geyres stated that although the French DoD has adopted the
ITSEC, there is currently no commercial body performing evaluations and
no push to form one.  When commercial interest rises, it is not clear
that the ITSEC will be what is wanted.  Although the French DoD is
interested in ITSEC levels E4 and E5, French commercial companies are
interested only in levels E3 and below.

This sentiment was echoed by R. P. Lampard of the U.K.'s National
Physics Laboratory.  Given the low levels of assurance wanted by
industry, Lampard argued for the use of conformance testing.

Charles Pfleeger of T.I.S. related his experience in having TMACH
evaluated in the U.S., the U.K., and Germany.  He found that although
different evaluation criteria used the same words, there was
substantial disagreement over the meaning of those words.  He also
found that evaluations in all three countries suffered from a lack of
clear lines of authority.  Although NSA has an hierarchical structure,
this does not imply that anybody is willing to make decisions. European
evaluations are even worse in this regard because separate evaluation
bodies and certification bodies can pass responsibilities back and
forth.  This lack of a clear line of authority also makes it difficult
to judge when an evaluation is over.  Once a particular evaluation body
is done, another body may decide to look things over.  Finally,
Pfleeger mentioned the problems with re-evaluation and shared his
fellow panelists' conclusion that evaluations are not yet commercially
viable.  During the question and answer period, Pfleeger also
noted that although the U.K. evaluation process and German evaluation
process are equally good, the former focuses on process and the latter
focuses on product.

Most of the question and answer period following the panel focused on
the commercial viability of evaluations.  Ross Anderson asked why a
U.K.  evaluation costs about $1,500,000 while an evaluation from Lloyds
for infosec insurance takes only 2 days.  Although Kurth doubted that
U.K.  evaluations cost so much, there was no doubting that evaluations
cost more than insurance assessments.  Geyres noted that more
information is revealed by the former (e.g., about covert channels),
but Anderson pointed out that the commercial world is not interested in
this information.  Chris Sennett pointed out that much of the effort in
evaluations was to protect systems from technical flaws, while most
security failures are the result of bad system management.  Kurth
expressed his faith that security management will improve so that this
will no longer be true in the future.  Anderson also pointed out that
commercial systems do not have sufficient documentation to be evaluated
under the ITSEC and argued that the certification of security consultants
would be the biggest single improvement the security community could
make.  Becker, the panel, and Anderson can all three be seen as cautioning
the evaluation community that they are out of touch with industry.
Insofar as the research community is driven by issues relevant to the
evaluation community, this caution applies to them as well.

Returning to Needham's opening remarks, his assessment of the
conference proved partially correct on all three counts.  Although the
conference mainly stayed away from confidentiality models, Bill
Roscoe's presentation was as metaphysical as anything seen at either
Oakland or Franconia.  Cryptography, though not a main focus, was
certainly evident in Lidong Chen's paper.  Finally, although a fair
amount of ale (and, given the location, a surprisingly large amount of
lager) was downed during the evening hours, daytime habits were marked
by British reserve.

Report on CCS'94: 2nd ACM Conference on Computer and Communications
Security
by Avi Rubin

The 2nd ACM Conference on Computer and Communications Security met
November 2-4, 1994 at the Holiday Inn, Fairfax, Virginia. This
report summarizes the conference sessions and panels as a supplement to
the proceedings [available from the ACM order department,
1-800-342-6626, e-mail, as ACM Order Number 537940,
$44, ($22 for ACM members)].

The conference as a whole drew perhaps a few more registrants than its
first edition (around 130 altogether) but felt somewhat less cohesive.
More people seemed to be picking and choosing which sessions to attend;
perhaps the greater number of invited talks by well-known speakers,
spaced regularly throughout the first edition, kept the group together.
Nevertheless, there was a good selection of stimulating technical
papers, including Matt Blaze's highly publicized attack on Clipper, an
excellent talk on factoring by Arjen Lenstra that left the audience
ready to double the length of their keys, and an animated panel session
on Internet commerce.

Co-chairs Raymond Pyle and Dorothy Denning welcomed the participants,
and Denning announced that the conference would next meet in New Delhi,
India, in March, 1996. Exact dates and location are expected to be
available in January, 1995. Many participants later expressed surprise
at the move.

Comments are provided below on most of the papers; a few sessions are
summarized without addressing the papers in detail. The panels and two
invited talks are covered in more detail, as they do not appear in the

Technical Sessions

[Note: The name of the author presenting the paper is CAPITALIZED where
there is ambiguity. The conference authors and presenters have not had
the opportunity to review this summary; any errors and all opinions are
my personal responsibility.]

Wednesday, November 2

Support for File System Security Requirements of Computational E-mail Systems 
by Atul Prakash and TRENT JAEGER

This paper presented a scheme called computational e-mail. In this
scheme, e-mail messages contain scripts, and these execute when the
recipient reads the messages. Obviously, this introduces some serious
security problems [we used to call these "letter-bombs"--CEL].
Solutions to these include ATOMICMAIL, which provides I/O only to a
trusted interpreter or a single directory. Among the solutions explored
to solve the access control problems were safe-Tcl, Unix mode bits, AFS
and K4, AFS and DSSA, AFS and K5.

Secure Wireless LANs by V. Bhargavan

This paper was not presented because the author was absent.

The Design and Implementation of Tripwire: A File System Integrity Checker 
by GENE KIM and E. Spafford

Gene Kim announced that Spafford had intended to be at the conference,
but he was stuck in Indiana as a witness for a murder trial.

The purpose of Tripwire is to prevent unauthorized changes to a file
system and assess damage. Tripwire builds a database of attributes,
mostly from the inode information. Then, it builds a list of selection
criteria, such as binary files or log files being added to a system.
The addition of binary files seems dangerous, while new log files are
expected. Another advantage to Tripwire is that it also keeps system
administrators honest and forces them to comply with a policy. is the URL for obtaining
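
The baseline-and-compare approach described above, as an added example
that is not part of the original report and is not Tripwire's own code.
The rule table, the bin/ and log/ paths, and the SHA-256 content digest
are assumptions of the example.

```python
import fnmatch
import hashlib
import os
import stat
import tempfile

# Hypothetical selection rules (constructed for this example): for each path
# pattern, the attributes that must not change and how to treat a new file.
RULES = [
    ("bin/*", {"mode", "uid", "gid", "size", "mtime", "sha256"}, "alert"),
    ("log/*", {"mode", "uid", "gid"}, "expected"),  # logs grow and rotate
]
DEFAULT_RULE = ({"mode", "uid", "gid", "size", "sha256"}, "alert")


def rule_for(relpath):
    """Return (attributes to compare, severity of an added file) for a path."""
    for pattern, attrs, on_add in RULES:
        if fnmatch.fnmatch(relpath, pattern):
            return attrs, on_add
    return DEFAULT_RULE


def file_record(path):
    """Collect inode attributes plus a content digest for one file."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
           "gid": st.st_gid, "size": st.st_size,
           "mtime": st.st_mtime_ns, "sha256": None}
    if stat.S_ISREG(st.st_mode):  # digest regular files only
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        rec["sha256"] = digest.hexdigest()
    return rec


def snapshot(root):
    """Build the attribute database: relative path -> record."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            db[rel] = file_record(full)
    return db


def compare(baseline, current):
    """Return sorted findings as (severity, kind, path, changed attributes)."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        attrs, on_add = rule_for(rel)
        if rel not in baseline:
            findings.append((on_add, "added", rel, []))
        elif rel not in current:
            findings.append(("alert", "removed", rel, []))
        else:
            changed = sorted(a for a in attrs
                             if baseline[rel][a] != current[rel][a])
            if changed:
                findings.append(("alert", "changed", rel, changed))
    return findings


def _write(root, rel, data, mode="wb"):
    with open(os.path.join(root, rel), mode) as fh:
        fh.write(data)


def demo():
    """Run the checker over a constructed directory tree."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "log"))
        _write(root, "bin/tool", b"original tool\n")
        _write(root, "log/app.log", b"boot\n")
        baseline = snapshot(root)
        _write(root, "log/app.log", b"login ok\n", "ab")  # normal log growth
        _write(root, "log/new.log", b"rotated\n")         # new log file
        _write(root, "bin/tool", b"patched  tool\n")      # same size, new bytes
        _write(root, "bin/extra", b"new binary\n")        # new file under bin/
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The same-size rewrite of bin/tool is reported because the digest differs,
while the appended log produces no finding under the log/ rule.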

Exchange of Patient Records: Prototype Implementation of a Security
Attribute Service in X.500 

This paper describes a prototype system used by hospitals to store
sensitive medical information. Privacy is very important for sharing
medical information in a hospital, and yet the data must be available
to doctors and others who need them. The health insurance companies
must have the right access to data, and data integrity is important.
Another type of information is statistical, such as the scope of an
epidemic, and history of a disease. Each type of information comes with
its own restrictions and requirements from a security standpoint. E.g.
Legislation, patients, health insurance, medical: These four groups
have diverging interests.

There are various security rules that state who should have access to
what, for example:

  - access to personal patient data should only be for responsible
    medical staff.
  - only physicians should be able to produce a medical result
    for the record. etc.

There are many different subjects, such as doctors and nurses, and they
can be in different roles. Similarly, there are different objects, such
as x-rays, text, voice etc., each with its own security requirements.
The organization uses X.500 as a directory service, with public-key
certificates. The following standards are used, X.509 personal desktop,
X.501, ECMA-138. Electronic mail, X.509, PEM. Archive (DFR ISO 10166).
Workflow integration (X.721, X.740 events).

A Process-Oriented Methodology for Assessing and Improving Software
by EDWARD AMOROSO, C. Taylor, J. Watson and J. Weiss

This group was assigned the task of developing a method of assessing
software trustworthiness. Among other things, this paper presents a
list of 48 trust principles and an organized hierarchy of six trust
classes. The diagram for trust that was presented is similar to that of
the Orange Book.  The talk consisted of some advice and recommendation
of the group for people who are under government contract. The speaker
mentioned several pitfalls and suggested how they can be handled. For
example, the government does not usually encourage publication of work
they are funding, but it was suggested that it is important to publish

Panel: Training security engineers 
Chair: Lance Hoffman 
Participants: Lance Hoffman (GWU), Ravi Sandhu (GMU), John Kimmins (Bellcore)

This panel was intended to explore the way in which security engineers
should be trained. There was a consensus that it is not being done
right at this time. In the discussion following the presentations by
the panelists, the debate centered on the structure of the master's
program in computer science. The panelists took the following

Ravi Sandhu: Educating security engineers from a University position:
we are not presently doing a good job. We currently need security
specialists. They should be prepared at the graduate level. Students
need foundations, operating systems, networks, distributed systems,
database systems, software engineering, algorithms, discrete math,
business, etc. Courses should be offered in Database security, security
models, applied cryptology, and distributed system security. This will
take more resources than we have. Such a program will develop because
there is a demand for it.

Lance Hoffman: George Washington University has a security
specialization for the Masters program. It is difficult to get funding
for these courses. He suggests borrowing guest lecturers and teachers
from companies.

John Kimmins: He looks at this more from the point of view of training
a group within a company from a managerial point of view. There is a
synergy between security and fraud. They used to be done separately,
and now the trend is to combine them.

Questions from the floor: Fundamental business education is missing.
The world's best security without considering the role of business will
not be used. Ravi Sandhu said this was an excellent point; John Kimmins
agreed.  Lance Hoffman suggested that it's important to "Know your
client." Universities don't have as much interaction with the business
aspect of things. It can be handled at a University by bringing in

Question by NASA security architect James Coyne: In an era of shrinking
budgets, we need more than people trained in security for security's
sake. We need well-rounded engineers who can understand the security
issues in context of a budget. It is better to add security knowledge
to engineers than to specifically train security experts who live in
ivory towers. Ravi Sandhu suggests that it is impossible to know only
security because it requires foundations such as systems,
networks, databases, etc. [Coyne reiterated this point in his
presentation on Friday].

A question was raised about the role of mathematics and formal
methods.  Ravi Sandhu put his slide back up, to show that it was
included. Lance Hoffman suggested that psychology and the ability to
interact with people are also important. Sandhu also suggested that
computer science and communications people don't know each other's
fields that well. However, it boils down to a resource problem. This is
not a good time to be launching new programs.

Rob Shirey argued that much of what was presented as desirable training
will never fit into an undergraduate computer science curriculum.
Dennis Longley observed that the primary reason courses get into a
syllabus is that faculty want to teach them, not that someone has
levied a requirement for them. He argued that this is not, in fact, a
bad practice, because the faculty will teach courses they are
interested in with enthusiasm and integrity. He believes it is more
important to convey these attitudes to students than it is to cover any
specific body of information, since whatever technical details are taught
are likely to be outmoded shortly in a rapidly progressing field.

Towards Acceptable Key Escrow Systems 
by Thomas Beth, H. Knobloch, M. Otten, G. Simmons and P. Wichmann

The entities of communications are persons, devices, and organizations.
The deficiencies of Clipper were discussed, namely the Matt Blaze
attack, the UK problem, the time-stamp problem, and underencryption. The
requirements for acceptable, trustworthy and fair cryptosystems are:

  - Privacy protection mechanisms for end-to-end confidentiality at the
    user interface
  - Encryption algorithms should not be secret but public and
    negotiable by principals
  - Key management is independent of the encryption algorithm
  - Identification and authentication must be unforgeable
  - Confidentiality bypass procedures have to faithfully represent the
    legal rules or policies to be observed

Confidentiality bypass facilities are needed for law enforcement,
backup, message recovery, and research data. The escrow should only go
through the key management level, and should have nothing to do with
the algorithm. An algorithm for doing authenticated key exchange with
escrow was presented (it's in the paper).

Protocol Failure in the Escrowed Encryption Standard
by Matt Blaze

Matt presented his now famous attack on the Clipper chip. He first
observed that the primary motivation for Clipper was as a drop-in
replacement for DES that would provide strong encryption for the "good
guys" but not for the "bad guys." His attack demonstrates how the "bad
guys" might be able to use the strong encryption Clipper provides
without being subject to eavesdropping by the authorities. He
identified two categories of "rogues": those who can interact with each
other, and those who can interact with anyone.

The attack makes use of the fact that the checksum in the LEAF is 16
bits. The checksum is influenced by the Initialization Vector (IV) and
the session key. The checksum includes other fields from the LEAF. Any
change in the rest of the LEAF affects the checksum. One attack is for
the sender to not send the LEAF, and for the receiver to generate a
LEAF himself and feed it in to go into decrypt mode. The two major
weaknesses of Clipper are that the checksum is only 16 bits, and the
sender and receiver have the same hardware. Thus, 2^112 of the 2^128
possible LEAFs have a valid checksum for the current session key.

Experimental results showed that you can find a LEAF in about 42
minutes. The LEAF test takes about 38ms, which is not fast enough for
real time telephony, but fast enough for many other applications. In
addition, the attack is easy to parallelize. Matt concluded that the
EES is vulnerable to misuse.
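
The figures in this report fit together: with a 16-bit checksum one random LEAF in 2^16 is accepted, and 2^16 tests at 38 ms each come to about 42 minutes. The Python sketch below is an added example, not code from the paper; the SHA-256-based checksum and the key and IV sizes are constructed stand-ins (the real EES checksum is not described here), and it also tabulates how the work grows when the checksum is wider.

```python
import hashlib
import random

LEAF_BITS = 128        # LEAF size implied by the report (2^128 possible LEAFs)
CHECKSUM_BITS = 16     # checksum width stated in the report
TEST_SECONDS = 0.038   # one LEAF test takes about 38 ms (from the report)


def valid_leaf_count(checksum_bits=CHECKSUM_BITS):
    """LEAFs that pass the check for one session key: 2^(128 - checksum bits)."""
    return 1 << (LEAF_BITS - checksum_bits)


def expected_trials(checksum_bits=CHECKSUM_BITS):
    """Mean number of random LEAFs tested before one is accepted."""
    return (1 << LEAF_BITS) // valid_leaf_count(checksum_bits)


def expected_minutes(checksum_bits=CHECKSUM_BITS, test_seconds=TEST_SECONDS):
    """Expected search time at the report's per-test cost."""
    return expected_trials(checksum_bits) * test_seconds / 60.0


def checksum(session_key, iv, body, bits):
    """Stand-in checksum over key, IV and the rest of the LEAF (not the EES one)."""
    data = session_key + iv + body.to_bytes((LEAF_BITS - bits + 7) // 8, "big")
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def leaf_accepted(leaf, session_key, iv, bits=CHECKSUM_BITS):
    """Receiver-side test: the low `bits` bits must match the checksum of the rest."""
    body, tag = leaf >> bits, leaf & ((1 << bits) - 1)
    return checksum(session_key, iv, body, bits) == tag


def find_accepted_leaf(session_key, iv, bits, rng):
    """Test random 128-bit values until one is accepted; return (leaf, trials)."""
    trials = 0
    while True:
        trials += 1
        leaf = rng.getrandbits(LEAF_BITS)
        if leaf_accepted(leaf, session_key, iv, bits):
            return leaf, trials


def mean_trials(runs, bits=CHECKSUM_BITS, seed=1994):
    """Average measured trial count over several constructed sessions."""
    rng = random.Random(seed)
    total = 0
    for _ in range(runs):
        key = bytes(rng.getrandbits(8) for _ in range(10))  # constructed key
        iv = bytes(rng.getrandbits(8) for _ in range(8))    # constructed IV
        total += find_accepted_leaf(key, iv, bits, rng)[1]
    return total / runs


def work_factor_table(widths=(16, 32, 64)):
    """(checksum bits, expected trials, expected seconds) for each width."""
    return [(b, expected_trials(b), expected_trials(b) * TEST_SECONDS)
            for b in widths]


if __name__ == "__main__":
    print("expected minutes at 16 bits: %.1f" % expected_minutes())
    print("measured mean trials: %.0f" % mean_trials(4))
    for bits, trials, seconds in work_factor_table():
        print("%2d-bit checksum: %d trials, %.3g s" % (bits, trials, seconds))
```

The measured mean stays near 65,536 trials for the 16-bit case, while each additional checksum bit doubles the expected work.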

Panel: Corporate key escrow 
Chair: Ravi Ganesan 
Panelists: Ravi Ganesan (Bell Atlantic), Dorothy Denning (Georgetown U.), 
Scott Charney (Dept. of Justice), Carl Ellison (Trusted Information 
Systems, Inc.)

Denning: One important advantage to having key escrow is that products
that meet the key escrow requirements can be exported. Also, there is a
danger of data loss when data is encrypted under a key only known to
one person. For example, an attacker can hijack the data by encrypting
it and holding the key for ransom. The only person who knows the key
for some important data could get hit by a truck, etc.

Ganesan: Keys in Clipper are going into chips without any restrictions
on who is supposed to be able to get the keys and for what purpose, so
it is not likely that this system will be usable by corporations to
escrow the keys. There are a few other potential ones being built by
ATT, TIS, and Bell Atlantic. Some are hardware and some are software.
It is harder to solve the problem of corporate escrow than law
enforcement escrow.

Charney comes at this from a law enforcement perspective. There is a
danger that encryption can be abused. For example, someone can break
into a system and encrypt the data, and hold it for extortion. With the
consent of the corporation, the government has the right to search a
workstation of an employee if there is no expectation of privacy. The
emphasis is on the expectation of the user.

Ellison has trouble with the term key "escrow." This term was
originally used to describe a system built and used by the government.
Instead, he prefers to distinguish three concepts: key escrow, government
access cryptography, and emergency access to keys. Just as we need to
keep outsiders out, it is important to ensure that insiders can get in,
that is, have access to the data that is encrypted. Another issue is
that the insider might be more than one person, or some k out of n
people, etc. We need fault tolerance in the storage and the access
mechanisms. Clipper cannot be used to solve all three problems;
software solutions are essential.

Secure Agreement Protocols: reliable and atomic group multicast in Rampart 
by Michael Reiter

High integrity services are achieved by taking a sample from a number
of servers, and accepting the majority answer. One requirement is that
the servers process requests in the same order, and that is why atomic
group multicast is necessary. All previous work on malicious corruption
of atomic group multicast assumes a synchronous network. Thus, it is
not well-suited for hostile environments. Reiter presented protocols
for reliable multicast that ensure that correct members receive the
same messages in the same order. His main contributions are new
reliable and atomic group multicast protocols for asynchronous systems
subject to process corruptions.

Key Distribution via True Broadcasting 
by M. Just, E. Kranakis, D. Krizanc and P. Oorschot

A number theoretic scheme for broadcasting a key to a group of
privileged users who share secret primes with the distribution center.
This scheme was challenged by members of the audience, one of them
going so far as to say that it was broken. Other people seemed to feel
that there already existed better ways of doing this. In his defense,
the author was not given time to defend his work because time ran out.

Conditionally Secure Secret Sharing Scheme with Disenrollment Capability 
by Chris Charnes, JOSEF PIEPRZYK, and Rei Safavi-Naini

The authors defined a conditionally secure Shamir secret sharing scheme
using exponentiation in Galois fields and showed how the scheme can be
extended to arbitrary access structures. They showed that families of
threshold schemes provide two levels of disenrollment capability. They
give an algorithm which provides noninteractive verification of the
initial conditions in families of threshold schemes, and they describe
a covert channel.

Meta-El Gamal Signature Schemes 
by PATRICK HORSTER, H. Petersen and M. Michels

The author presented a chronology of previous work on the El Gamal
scheme, starting with the Ph.D. thesis of ElGamal, up to the current
work. Then, he presented his scheme.

Paper: Anonymous Credit Cards by S.H. Low, N.F. Maxemchuk and S. Paul

The author presented some very complex protocols for anonymous credit
cards. In personal communication, he suggested that the paper from the
anonymous ftp site is more up to date than the one in the proceedings,
which contains some errors.

Thursday, November 3

An Efficient Multiversion Algorithm for Secure Servicing of Transaction
Reads by P. AMMANN and S. Jajodia

The algorithm presented by the authors maintains a small fixed number
of versions, up to three, of a datum, rather than an arbitrary number
as most algorithms do. The snapshot architecture presented maintains
exactly 2 snapshots of each database. The authors used the version
function and assignment function to analyze serializability, and gave
an algorithm for satisfying correctness constraints.

A Temporal Authorization Model 
by E. Bertino, C. Bettini and P. SAMARATI

In this work, time is mapped to the set of natural numbers. An interval
is written as [t1,t2]. An authorization contains an interval, followed by a
rule.  Constructs presented included whenevernot, whenever, unless, and
aslongas.  These are used to define derivation rules. There can be up
to 2 parameters in a derivation. A necessary restraint is that there be
no recursion on negative rules. Other actions are revoke and droprule.
They are invalidated for the current run, but are not deleted from the
authorization database.
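
One way to evaluate such derivation rules, as an added Python example that is not from the paper: the operator semantics coded here are an assumed reading of whenever, aslongas, whenevernot and unless, and the subjects, objects and intervals are constructed sample data. The stratify step enforces the "no recursion on negative rules" restriction.

```python
from collections import defaultdict

OPS = {"WHENEVER", "ASLONGAS", "WHENEVERNOT", "UNLESS"}
NEGATIVE = {"WHENEVERNOT", "UNLESS"}   # operators that depend on absence


def derive(op, t1, t2, body_valid):
    """Instants in [t1, t2] at which the head authorization is derived.

    Assumed semantics: WHENEVER/WHENEVERNOT look at the same instant;
    ASLONGAS/UNLESS require the body to have held (or not held) at every
    instant from t1 up to the instant in question.
    """
    out, all_so_far, none_so_far = set(), True, True
    for t in range(t1, t2 + 1):
        holds = t in body_valid
        all_so_far = all_so_far and holds
        none_so_far = none_so_far and not holds
        if ((op == "WHENEVER" and holds)
                or (op == "WHENEVERNOT" and not holds)
                or (op == "ASLONGAS" and all_so_far)
                or (op == "UNLESS" and none_so_far)):
            out.add(t)
    return out


def stratify(rules):
    """Assign each authorization a level; reject recursion through negation."""
    auths = {r[2] for r in rules} | {r[4] for r in rules}
    level = dict.fromkeys(auths, 0)
    for _ in range(len(auths) + 1):
        changed = False
        for _t1, _t2, head, op, body in rules:
            if op not in OPS:
                raise ValueError("unknown operator: %s" % op)
            need = level[body] + (1 if op in NEGATIVE else 0)
            if level[head] < need:
                level[head], changed = need, True
        if not changed:
            return level
    raise ValueError("recursion through a negative rule")


def is_stratifiable(rules):
    try:
        stratify(rules)
        return True
    except ValueError:
        return False


def evaluate(explicit, rules, horizon):
    """Return {authorization: set of instants at which it is valid}."""
    valid = defaultdict(set)
    for t1, t2, auth in explicit:
        valid[auth].update(range(t1, min(t2, horizon) + 1))
    level = stratify(rules)
    for lv in sorted(set(level.values())):
        layer = [r for r in rules if level[r[2]] == lv]
        changed = True
        while changed:                      # fixpoint within one level
            changed = False
            for t1, t2, head, op, body in layer:
                new = derive(op, t1, min(t2, horizon), valid[body])
                if not new <= valid[head]:
                    valid[head] |= new
                    changed = True
    return valid


# Constructed sample data: (subject, object, mode) triples.
ALICE, BOB = ("alice", "report", "read"), ("bob", "report", "read")
CAROL, DAVE = ("carol", "report", "read"), ("dave", "report", "read")
AUDIT = ("audit", "report", "read")
EXPLICIT = [(10, 20, ALICE)]
RULES = [
    (0, 40, BOB, "WHENEVER", ALICE),
    (5, 40, CAROL, "UNLESS", ALICE),
    (10, 40, DAVE, "ASLONGAS", ALICE),
    (0, 25, AUDIT, "WHENEVERNOT", BOB),
]


def demo():
    return evaluate(EXPLICIT, RULES, horizon=40)


if __name__ == "__main__":
    for auth, instants in sorted(demo().items()):
        print(auth[0], sorted(instants))
```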

Propagation of Authorizations in Distributed Database Systems 
by Pierangela Samarati, Paul Ammann, SUSHIL JAJODIA

Authorizations may propagate inconsistently at different sites.
However, if the propagation is too controlled, it may
result in excessive delay. The authors presented an optimistic
authorization propagation algorithm.

Session: Cryptography II
Chair: J. Stern

This was the second session on cryptography. Three papers were
presented.  Turnout was a bit lower than for other sessions due to the
esoteric nature of the material. The first paper was
Substitution-Permutation Networks Resistant to Differential and Linear
Cryptanalysis by H. Heys and S.  Tavares. The second paper was
Information Leakage of Boolean Functions and its Relationship to Other
Cryptographic Criteria by M. Zhang, S. Tavares and L. Campbell. The
final paper in this session was Authentication Codes that are r-folded
Secure against Spoofing by R. Safavi-Naini.

Session: Electronic Commerce Security
Chair: R. Ganesan

This session turned out to be the most controversial one. First, a
paper on licensing and endorsements was presented. Then, the invited
speaker gave a very informative talk about secure-http, a title that
itself drew some criticism. Finally, everything broke loose during the
panel session, which turned out to be more of a bunch of sales pitches
than anything else, followed by comments by some very upset members of
the audience. Only the first paper appears in the proceedings.

The Role of Licensing, Insurance and Endorsements in Evaluating Trust
of Distributed System Services 
by CHARLIE LAI, G. Medvinsky and C. Neuman

The motivation for this work is that it is difficult for clients to
assess server integrity in large distributed systems. As a result,
there can be limited sharing. In the real world, there are
endorsements, such as AAA diamonds in a hotel, insurance credentials,
etc. Thus, this paper provides an infrastructure for issuing and
verifying credentials.

A license is a credential that indicates a service provider is legally
authorized to provide a service. Endorsement means that a service
provider has more rigorous standards set by the endorser. The final
class is liability insurance: the party insured is covered for any
legal obligations to pay damages inflicted upon a third party.
Certificates and proxies are issued for the various assurances and
endorsements. A client can specify the types of licenses and
endorsements that it trusts. Thus, networks of trust relationships
develop. The author maps out these real-world trust systems into an
electronic, distributed system.

Secure HTTP: Making the World-Wide Web Safe for Commerce 
Invited Speaker, Allan Schiffman

Schiffman is the chief technical officer of EIT and the principal
architect of Commercenet. He started out giving some background on WWW
and Mosaic.  Secure-HTTP is an interoperable extension of http.
Unfortunately, IP address authentication is the most prevalent today.
IP addresses can only perform access control on hosts, not users. Also,
there is basic authentication, which consists of simple usernames and
passwords. This method is popular but flawed. Finally, PEM and PGP are
largely unused, while Kerberos has not been implemented with http. From
the perspective of user interface, expecting users to enter a
passphrase is too disruptive, when all they have to do is click a

S-http design goals are:
  - enable spontaneous commercial transactions 
  - negotiation of algorithms, modes & parameters 
  - layer separation (don't "fix" http) 
  - mechanism, not policy (where do certs come from? what do they mean?) 
  - interoperability (with existing clients, with various capabilities)

S-http is fully symmetric (almost) for client and server. Thus, it is
moving away from the traditional client-server model. Authentication
mechanisms include PKC RSA, DSS, shared-secret, and Kerberos. Key
exchange can be implemented using RSA, D-H, shared secret, and

      - new http method "secure" affects proxies new http headers
      - additional html facilities
             new anchor property 
             new elements
   s-http focus: Negotiation
      - permit parties to express requirements and preferences used
	  in message headers and embedded in documents 
      - choice may depend on 
          capability of implementation 
          application requirements

S-http provides many different options to the user. It was not clear
whether the kitchen sink is included, but just about everything else
is.  The supported encapsulation formats are PKCS-7 or PEM or PGP.
Signature algorithms are RSA or DSA. Key exchange algorithms supported
are RSA, in-band, outband, D-H, and Kerberos. The message digest
algorithms are MD2, MD5 or SHA. The encryption algorithms supported are DES
EDE2/EDE3, DESX, IDEA, RC2, and RC4. The protection modes are signature,
encryption, and keyed MAC.

Users are made aware of what's going on by icons that show that
something is unprotected, signed, encrypted, etc. Other progress
indicators show what's going on (a laser beam scans across the
signature). There is also a security status pop-up window.

The first draft of the specification has been available since June, and
there is a reference implementation, available to Commercenet members.
There is also an EIT/RSA joint venture: Terisa systems for people to
integrate secure http into applications. The home page for s-http is; readers interested in
more details should look there.

Panel: Security Issues in Electronic Commerce 
Chair: C. Neuman
Panelists: Allan Schiffman (EIT), Carol Benson (VISA), Doug Tygar (CMU),
Brian Boesch (Cybercash), Win Treese (Open Market)

Benson: First gave background on VISA as a company. VISA is interested
in e-commerce to facilitate the growth of the market, because
electronic fund transfers are more likely to involve credit card
purchases. Benson predicts that secure transactions can take place on
the Internet for most users within a year and a half. This talk seemed
more like a marketing talk for potential VISA customers than anything
else.

Tygar: Netbill is a system to handle micro-payments of a very small
volume.  Discussed the problem of atomicity. Transactions should either
completely abort or completely finish. We need common standards for
security in electronic commerce.

Boesch: Talked about Cybercash. They are involved in the payment
process, not the entire transaction. We need relatively few mechanisms
that work well together.

Treese: Talked about Open Market system, and discussed security issues
such as authentication of the various parties. Open Market system has
an Internet payment switch between the Internet and the financial
network. is open for business today.

A member of the audience attacked the panel by stating that crackers
have broken everything before, with only the incentive of fun; now we
are giving them money as an incentive. He also said that greed was in
contrast to the goals that made the Internet possible.

This was a very lively panel, and almost everyone was disappointed when
time ran out. The general opinion seemed to be that commercial systems
on the Internet are an extremely challenging prospect at the very

New Protocols for Third-party-based Authentication and Secure Broadcast
by Li Gong

The scope of this work falls into the category of protocols where there
is a trusted third party. One motivation is to cut out strong
cryptography because it cannot be exported. Another is to avoid patent
problems. The general idea is that each client needs to solve a linear
equation with n unknowns, given n-1 unknowns, and the secret k, as the
nth unknown. Thus, no eavesdropper can figure out the new session key.
A proof is also provided that the requirements of Needham and Schroeder
necessitate at least a strong one-way hash function.

How to Simultaneously Exchange Secrets by General Assumptions by

It is difficult to have a simultaneous exchange of messages over the
Internet, whereas in the real world, this is easy when you are face to
face with someone. The problem is simple with a trusted third party,
but is difficult without one. This paper presents a gradual secret
releasing protocol to solve the problem. It involves each party
including a proof of correctness of each bit that is transmitted.

A Key Distribution Method for Object-Based Protection 

The basic idea in this work is access-controlled decryption. It is
essentially a key management scheme. There is a Key release agent
(KRA), with a well-known public key. A user encrypts data with some
access control attributes using the public key of the KRA. The KRA then
passes enough information to an authenticated user, B, for the data
that B is allowed to read. This can be realized with RSA or

Friday, November 4

On the Difficulty of Factoring 
Invited Speaker, Arjen Lenstra

[This paper is not in the proceedings, but Postscript (about
300KB) for a related paper, "Factoring" by Dr. Lenstra, from the
Proceedings of the International Workshop on Distributed Algorithms,
Springer Lecture Notes in Computer Science (LNCS) 857 (1994), pp.
28-38, is available at URL ]

Factoring is still thought to be a hard problem, but it is getting
easier faster than we expected. So, the security of long-term
applications might have to be re-evaluated.

Most public key systems are based on "supposedly" hard problems such as
factoring and discrete log. The key length should depend on the state
of the art in factoring and DL and the required security and intended
life span of the application. The choice of 512 bits (155 decimal
digits) dates back to the early eighties. Back then, it was believed to
be a lot harder than it is today.

Lenstra talked about the faulty statements made about the difficulty of
factoring in the late 70s and early 80s. The major developments in
factoring include the quadratic sieve in 1982, the special number field
sieve in 1988, and the number field sieve (NFS) in 1989. Lenstra then
discussed experiments using quadratic sieve.

The conclusion is that 1024 bits today might give about the same
security as 512 bits gave in the early eighties, and we are close to
factoring a 512 bit key.

How to Break Gifford's Cipher
by THOMAS CAIN and A. Sherman

This paper shows how to break a cipher designed by Dr. Gifford at MIT.
The system was used in the Boston area to encrypt data for subscribers.
The attack is a ciphertext-only attack on filter generator stream
ciphers. An implementation runs in 2^27 time and 2^18 space. The attack
is based on linear algebra, and the fact that the cipher leaks key bits
because it encodes ASCII text in such a way that it always assumes that
the high order bit is 0. When the plaintext is XORed with the key
bits, the high order bits are leaked.

Parallel Collision Search with Application to Hash Functions and
Discrete Logarithms 
by P. van Oorschot and MICHAEL WIENER

This is a very important result in that it will change the way people
view the resistance of hash functions to collisions. One of the first
hurdles to overcome for any practical method is to eliminate large
memory requirements. The authors use Rivest's trick of distinguished
points so that separate processors can detect collisions among
themselves. Each point stores information about which processor
detected it, and how many steps it took.

The general idea is to start with two messages, m and m'. With k subtle
modifications to a message, there are 2^k message variants. So, if all
the variants of 2 messages are hashed, all that is needed is to find
two that hash to the same value. This is not very practical from a
memory point of view. One idea is to only perform one round of the hash
function to speed things up. The authors estimate the cost of an MD5
collision machine. For $10 million we get 350 processors, controllers,
etc., and the expected time to find a collision is 24 days. He also gave an
example of discrete logs in cyclic groups. A $10 million machine could
complete a discrete log over elliptic curves in approx. 36 days.
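
The distinguished-point idea described above, as an added Python example (not the authors' code): a 32-bit truncation of SHA-256 stands in for the hash so the search finishes quickly, the "processors" are simulated round-robin in one process, and all names and parameters are constructed. Only trail endpoints are stored, each with its start, step count and processor, which is what removes the large memory requirement and shows why short digests give little collision resistance.

```python
import hashlib
import random

N_BITS = 32                     # truncated digest width (toy size, constructed)
N_BYTES = N_BITS // 8
DP_MASK = (1 << 8) - 1          # distinguished point: low 8 bits are all zero
MAX_TRAIL = 20 * (DP_MASK + 1)  # give up on trails stuck in a cycle


def f(x):
    """One step of the walk: hash the value and truncate to N_BITS."""
    digest = hashlib.sha256(x.to_bytes(N_BYTES, "big")).digest()
    return int.from_bytes(digest[:N_BYTES], "big")


def walk(start):
    """Iterate f until a distinguished point; return (point, steps) or None."""
    x = start
    for steps in range(1, MAX_TRAIL + 1):
        x = f(x)
        if x & DP_MASK == 0:
            return x, steps
    return None


def locate(s1, n1, s2, n2):
    """Two trails end at the same point: re-walk them to the merge step."""
    if n1 < n2:
        s1, n1, s2, n2 = s2, n2, s1, n1
    for _ in range(n1 - n2):    # align: both now n2 steps from the endpoint
        s1 = f(s1)
    if s1 == s2:
        return None             # one start lies on the other trail: no collision
    while True:
        y1, y2 = f(s1), f(s2)
        if y1 == y2:
            return s1, s2       # distinct inputs, same truncated digest
        s1, s2 = y1, y2


def find_collision(processors=4, seed=1994, max_trails=100000):
    """Run simulated processors that report endpoints to one shared table."""
    rng = random.Random(seed)
    table = {}                  # endpoint -> (start, steps, processor id)
    steps_total = 0
    for trail in range(max_trails):
        pid = trail % processors
        start = rng.getrandbits(N_BITS)
        result = walk(start)
        if result is None:
            steps_total += MAX_TRAIL
            continue
        point, steps = result
        steps_total += steps
        if point in table:
            s0, n0, p0 = table[point]
            pair = locate(start, steps, s0, n0)
            if pair is not None:
                return {"a": pair[0], "b": pair[1], "steps": steps_total,
                        "stored": len(table), "processors": (p0, pid)}
        table[point] = (start, steps, pid)
    raise RuntimeError("no collision found within max_trails")


if __name__ == "__main__":
    r = find_collision()
    print("inputs %08x and %08x share digest %08x" % (r["a"], r["b"], f(r["a"])))
    print("hash steps: %d, table entries kept: %d" % (r["steps"], r["stored"]))
```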

Application Access Control at Network Level 
by RAFIK MOLVA and Eric Rutsche

The idea is to do access control for applications at the network
level.  Today's solutions are firewalls and file system protection.
These are usually limited to one domain, and don't support intra-domain
security easily. Each host has a secret seed, which it uses to
construct a ticket.  These are placed in the network layer packets.
This provides authentication information. The tickets can be
precomputed and kept on each host. They currently don't have an

Network Security Probe 
by PIERRE ROLIN, L. Toutain and S. Gombault

The idea is that many existing applications, and also, TCP/IP are
insecure, but we have a lot invested in them already. The challenge is
to introduce modification to existing programs and to get people to
agree to them. We also need different security rules for different
organizations. Firewalls are pessimistic and thus, slow down all
message traffic, but they do reduce the risk. The approach presented here
is optimistic. That is, all traffic is observed, and if an infraction
of a rule is detected, it is treated later.  However, there is
additional risk, because the damage might already be done. This is
compared to a radar gun detecting that someone is speeding, and then
pulling him over, rather than pulling everyone over and checking how
fast they were going.

This idea was not generally accepted by the audience. It is
counter-intuitive to be optimistic when looking at network security.
There is concern that the damage may already be done by the time it is

Panel: Firewalls 
Chair: Steve Bellovin
Panelists: Steve Bellovin and Ravi Ganesan

First Ganesan spoke about the future of firewalls. The old focus was
that a firewall is placed between two different networks. The new focus
is that an administrative domain is divided up within itself, and each
one is maintained under its own rules. He introduced the idea of
internal firewalls. One reason they are needed is that there is a lot
of inter-site traffic. Remote logins are the rule, not the exception,
and they need to be cheap. The thing is that a balance must be found
between convenience and security, whereas in the past you really had to
choose one. It also needs to be configurable. There need to be filter
compilers to reduce the complexity of managing a firewall.

Ganesan also said that applications will probably run directly over
ATM, and that TCP/IP may go away. This implies that secure virtual
circuits will resurface.

Bellovin said that he thinks Ganesan is wrong about ATM. He said that
bad system administration is a serious problem, and so are bugs, as is
the problem of not upgrading because "things work well enough already."
Perimeters are breaking down. IPNG provides some window of opportunity
for doing firewalls better.

Final Sessions: Experience and Multilevel Security

The last two sessions addressed Experience and Multilevel Security.
These took place Friday afternoon, and were consequently somewhat
sparsely attended. The first two talks were "Security Modeling for
Organizations" by Alison Anderson, Dennis Longley and Lam For Kwok and
"Mainstreaming Automated Information Systems Security Engineering" by
J. Coyne and N.  Kluksdahl. Coyne, who presented this paper, argued
that NASA's Johnson Space Flight Center had both reduced cost and
increased security of its systems by dismissing its institutional
"security experts" and contracting with outside consultants who had
specific knowledge of vulnerabilities in the systems they had
installed. The consultants were able to demonstrate specific flaws and
recommend fixes, which would be installed by ordinary engineers who
might have had some additional training in security matters.  Coyne
referred to this change as a shift from "compliance-based" security
(simply complying with a set of regulations), to a "risk-reduction"

The final three talks on multilevel security were "The Compatibility of
Composable Policies" by Heather Hinton and Stewart Lee; "An Entropy
Conservation Law for Testing the Completeness of Covert Channel
Analysis" by Randy Browne; and "Prerequisite Confidentiality" by John
Nestor and Stewart Lee. Both Hinton and Nestor reported work based on
event systems and concerning composability issues, which have been the
source of considerable study at the University of Toronto in recent
years. Browne attacked a different problem: how can one determine, and
assess the capacity of a "complete" set of covert channels in a

Reader's Guide to Current Technical Literature in Security and Privacy
Part 1: Conference Papers
A. Tenth Annual Computer Security Applications Conference, 
Orlando, FL, December 5-9 1994 (Paper and author list taken from Advance 
Program; panel sessions and papers without author lists are not included here) 

 o A Practical Approach to High Assurance Multilevel Secure Computing
   Service J. Froscher, M. Kang, J. McDermott, O. Costich, C. Landwehr, NRL 
 o Security Concerns for Distributed Systems R. Dobry & M. Schanken, NSA 
 o Security for the Common Object Request Broker Architecture
   (CORBA) S. Chapin, W. Herndon, L. Notargiacomo, M. Katz, T.
   Mowbray, The MITRE Corp. 
 o Composing System Integrity Using I/O Automata E. Amoroso & M.
   Merritt, AT&T Bell Labs 
 o Applying the Abadi-Lamport Composition Theorem in Real-World
   Secure System Integration Environments J. Hemenway & J. Fellows,
   Grumman Data Systems 
 o Role-Based Access Control: A Multi-Dimensional View R. Sandhu, E.
   Coyne, H. Feinstein, C. Youman, SETA Corporation 
 o Secure System Composition G. King, Computer Science Corp. 
 o Architectural Impact on Performance of a Multilevel Database System
   M. Kang, J. Froscher, NRL & R. Mukkamala, Old Dominion University 
 o Benchmarking Multilevel Secure Database Systems Using the MITRE
   Benchmark V. Doshi, W. Herndon, S. Jajodia, C. McCollum, The
   MITRE Corp. 
 o Organizing MLS Databases from a Data Modeling Point of View
   G.Pernul & G. Quirchmayr, University of Vienna 
 o A Practical Approach to User Authentication M. Brown, Univ. of
 o Audit Reduction and Misuse Detection in Heterogeneous
   Environments: Framework and Application P. Proctor, SAIC 
 o The Design of an Audit Trail Sanitization Tool E. Fisch, G. White, U.
   Pooch, Texas A&M University 
 o Automated Detection of Vulnerabilities in Privileged Programs by
   Execution Monitoring C. Ko, G. Fink, K. Levitt, University of
   California, Davis 
 o Networked Information Discovery & Retrieval Tools: Security
   Capabilities & Needs L. Schaefer & B. McKenney, The MITRE Corp. 
 o Property-based Testing of Privileged Programs G. Fink & K. Levitt,
   University of California, Davis 
 o STU-III - Multilevel Secure Computer Interface E. Myers, Department
   of Defense 
 o A Prototype Multilevel-Secure DoD Directory P. Boucher & T. Lunt,
   SRI International 
 o A Validated Security Policy Modeling Approach J. Freeman, R. Neely,
   M. Heckard, CTA, Inc. 
 o A Secure E-Mail Gateway (Building an RCAS External Interface) R.
   Smith, The Boeing Company 
 o The MITRE Security Perimeter D. Goldberg, The MITRE Corp. 
 o EINet: A Secure, Open Network for Electronic Commerce D.
   Rosenthal, MCC 
 o System-of-Systems Security Engineering D. Bodeau, The MITRE
 o AOS: Avionics Operating System for Multi-level Secure Real-Time
   Environments M. Bernstein, TIS & C. Kim, Hughes Aircraft Company 
 o The Effects of Trusted Technology on Distributed Applications M.
   Joyce, The MITRE Corp. 
 o Availability: Theory and Fundamentals for Practical Evaluation and
   Use K. Keus, BSI 
 o Ops/Intel Interface Lessons Learned: The Integrator's Perspective K.
   Arndt, M. Burgoon, J. Firey, K. Rodenhausen, The MITRE Corp. 
 o Using Security Models to Investigate CMW Design and
   Implementation C. Robinson & S. Wiseman, Defense Research Agency 
 o Performance Analysis of a Method for High Level Prevention of
   Traffic Analysis Using Measurements from a Campus Network B.
   Venkatraman & R. Newman-Wolf, University of Florida, Gainesville 
 o Where We Stand in Multilevel Security (MLS): Requirements,
   Approaches, Issues, and Lessons Learned B. Neugent, The MITRE
 o Why Bad Things Happen to Good Systems, and What to Do About It J.
   Kahn & M. Abrams, The MITRE Corp. 
 o A View of Cryptography in TCSEC Products J. Epstein, Cordant, Inc. 

B. ESORICS-94 (European Symposium on Research in Computer Security), 
   Brighton, UK, 2-9 November, 1994 

 o Valuation of Trust in Open Networks T. Beth, M. Borcherding, B. Klein 
 o Performance Requirements in Data Communication Systems V.
 o Non-interference through Determinism A.W. Roscoe, J.C.P. Woodcock,
   L. Wulf 
 o Mechanical Proof of Security Properties J.P. Banatre, C. Bryce, D. Le
 o Security through Types C. O'Halloran, C.T. Sennett 
 o Designing Secure Key Exchange Protocols C. Boyd 
 o Robust and Secure Password and Key Change Method R. Hauser, P.
   Jansson, R. Molva, G. Tsudik, E. Van Herreweghen 
 o Beacon Based Authentication A. Jiwa, J. Seberry, Y.L. Zheng 
 o Authentication via Multi-Service Tickets in the Kuperee Server T.
   Hardjono, J. Seberry 
 o Oblivious Signatures L. Chen 
 o A Model for Establishing Secure Channels in Open Networks U.M.
   Maurer, P.E. Schmid 
 o On Strengthening Authentication Protocols to Foil Cryptanalysis W.
   Mao, C. Boyd 
 o Security Research for the Financial Sector H. Beker 
 o Efficient Electronic Payment Systems Protecting Privacy J.L.
   Camenisch, J.M. Piveteau, M.A. Stadler 
 o The ESPRIT Project CAFE - High Security Digital Payment Systems 
   J.P. Boly, A. Bosselaers, R. Cramer, R. Michelsen, S. Mjolsnes, F.
   Muller, T. Pedersen, B. Pfitzmann, P. de Rooj, B. Schoenmakers, M.
   Schunter, L. Vallee, M. Waidner 
 o Liability and Computer Security: Nine Principles R.J. Anderson 
 o Implementing Secure Dependencies over a Network by Designing a
   Distributed Secure SubSystem B. d'Ausbourg 
 o A Secure Medium Access Control Protocol: Security vs Performances 
   P. Siron, B. d'Ausbourg 
 o Distributed File Systems over a Multilevel Secure Architecture,
   Problems and Solutions C. Calas 
 o On the Expressive Power of the Unary Transformation Model R.S.
   Sandhu, S. Ganta 
 o Privilege Graph: an Extension to the Typed Access Matrix Model M.
   Dacier, Y. Deswarte 
 o A Consideration of the Modes of Operation for Secure Systems C.
   Robinson, S.R. Wiseman 
 o Mark-and-Sweep Garbage Collection in Multilevel Secure
   Object-Oriented Database System A. Ciampichetti, L. Mancini, E.
 o Decomposition of Multi-level Objects in an Object-Oriented
   Database N. Boulahia-Cuppens, F. Cuppens, A. Gabillon, K.
 o Supporting Object-based High-assurance Write-up in Multilevel
   Databases for Replicated Architecture R. Thomas, R.S. Sandhu 
 o Aggregation in Relational Databases: Controlled Disclosure of
   Sensitive Information A. Motro, D.G. Marks, S. Jajodia 
 o Information Flow Controls vs Interference Controls: An Integrated
   Approach F. Cuppens, G. Trouessin 

C. Second ACM Conference on Computer and Communications Security, 
   Nov. 2-4, Fairfax, Virginia 

 o Support for the File System Security Requirements of Computational
   E-Mail Systems, A. Prakash and T. Jaeger 
 o Secure Wireless LANs, V. Bhargavan 
 o The Design and Implementation of Tripwire: A File System Integrity
   Checker, G. Kim and E. Spafford 
 o Exchange of Patient Records: Prototype Implementation of a Security
   Attribute Service in X.500, M. Jurecic and H. Bunz 
 o A Process-Oriented Methodology for Assessing and Improving
   Software Trustworthiness, E. Amoroso, C. Taylor, J. Watson and J.
 o Clipper Repair Kit - Towards Acceptable Key Escrow Systems, T.
   Beth, H. Knobloch, M. Otten, G. Simmons and P. Wichmann 
 o Protocol Failure in the Escrowed Encryption Standard, M. Blaze 
 o Secure Agreement Protocols: Reliable and Atomic Group Multicast in
   Rampart, M. Reiter 
 o Key Distribution via True Broadcasting, M. Just, E. Kranakis, D.
   Krizanc, P. Van Oorschot 
 o Conditionally Secure Secret Sharing Scheme with Disenrollment
   Capability, C. Charnes and J. Pieprzyk 
 o Meta-ElGamal Signature Schemes, P. Horster, H. Petersen and M.
 o Anonymous Credit Cards, S. Low, N. Maxemchuk and S. Paul 
 o An Efficient Multiversion Algorithm for Secure Servicing of
   Transaction Reads, P. Ammann and S. Jajodia 
 o A Temporal Authorization Model, E. Bertino, C. Bettini and P.
 o Propagation of Authorizations in Distributed Database Systems, P.
   Samarati, P. Ammann and S. Jajodia 
 o Substitution-Permutation Networks Resistant to Differential and
   Linear Cryptanalysis, H. Heys and S. Tavares 
 o Information Leakage of Boolean Functions and its Relationship to
   Other Cryptographic Criteria, M. Zhang, S. Tavares and L. Campbell 
 o Authentication Codes that are r-fold Secure Against Spoofing, R.
 o The Role of Licensing, Insurance and Endorsements in Evaluating
   Trust of Distributed System Services, C. Lai, G. Medvinsky and C.
 o New Protocols for Third-Party-Based Authentication and Secure
   Broadcast, L. Gong 
 o How to Simultaneously Exchange Secrets by General Assumptions, T.
   Okamoto and K. Ohta 
 o A Key Distribution Method for Object-Based Protection, W. Ford and
   M. Wiener 
 o On the difficulty of factoring, A. Lenstra 
 o How to Break Gifford's Cipher, T. Cain and A. Sherman 
 o Parallel Collision Search with Application to Hash Functions and
   Discrete Logarithms, P. Van Oorschot and M. Wiener 
 o Application Access Control at Network Level, R. Molva and E.
 o Network Security Probe, P. Rolin, L. Toutain and S. Gombault 
 o Security Modelling for Organizations, A. Anderson, L. Kwok and D.
 o Mainstreaming Automated Information Systems Security Engineering,
   J. Coyne and N. Kluksdahl 
 o The Compatibility of Composable Policies, H. Hinton and S. Lee 
 o An Entropy Conservation Law for Testing the Completeness of Covert
   Channel Analysis, R. Browne 
 o Prerequisite Confidentiality, J. Nestor and S. Lee 

Reader's Guide to Current Technical Literature in Security and Privacy
Part 2: Journal and Newsletter Articles

o IEEE Communications Magazine, Sept. 1994. Issue on "Securing the
Information Superhighway", Ravi Ganesan, Guest Editor: 

 o Ravi Ganesan. Guest editorial: Securing the information superhighway.
 o B. Clifford Neuman and Theodore Ts'o. Kerberos: an authentication
   service for computer networks. pp.33-39. 
 o Ravi S. Sandhu and Pierangela Samarati. Access control: principles
   and practice. pp.40-48. 
 o Steven M. Bellovin and William R. Cheswick. Network firewalls.
 o Dorothy E. Denning and Miles Smid. Key escrowing today. pp.58-69. 
 o Patrick W. Brown. Digital signatures: are they legal for electronic
   commerce? pp.76-81. 
 o Henry M. Kluepfel. Securing a global village and its resources.

o Communications of the ACM, Vol. 37 (1994) 
o Number 11, November 

 o Ravi Ganesan and Ravi Sandhu. Securing cyberspace. (Guest editors'
   introduction), pp.28-31. 
 o Ross J. Anderson. Why cryptosystems fail. pp.32-41. 
 o Roger M. Needham. Denial of service: an example. pp.42-47. 
 o Ralf C. Hauser. Does licensing require new access control techniques?
   pp. 48-55. 
 o Gustavus J. Simmons. Cryptanalysis and protocol failures. pp.56-65. 
 o Paul C. Clark and Lance J. Hoffman. BITS: a smartcard protected
   operating system. pp.66-70. 

o Number 9, September 

 o George W. Hart. To decode short cryptograms. pp. 102. 
 o Lance J. Hoffman, Faraz A. Ali, Steven L. Heckler, and Ann
   Huybrechts. Cryptography policy. pp. 109. 
 o Peter G. Neumann. Inside RISKS: expectations of security and privacy.
   p. 138. 

o Number 8, August 

 o Katherine Fithen and Barbara Fraser. CERT incident response and the
   Internet. pp. 108-113. 
 o Susan Landau, Stephen Kent, Clint Brooks, Scott Charney, Dorothy
   Denning, Whitfield Diffie, Anthony Lauck, Douglas Miller, Peter G.
   Neumann, and David Sobel. Crypto policy perspectives. pp. 115-121. 

o ACM SIGCOMM Computer Communication Review, Volume 24, Number 3
(July, 1994). 

 o D.F. Hadj Sadok and Judith Kelner. Privacy enhanced mail design and
   implementation perspectives. pp.38-46. 

o AT&T Technical Journal, Volume 72, Number 5, September/October 1994. 

 o Thomas A. Brooks and Michael M. Kaplan. Security Technologies.
 o David P. Maher. Trust in the new information age. pp. 9-16. 
 o Andrew M. Odlyzko. Public key cryptography. pp.17-23. 
 o Karl A. Siil. An introduction to cryptanalysis. pp.24-29. 
 o Matt Blaze, Jack Lacy, Thomas London, and Mike Reiter. Issues and
   mechanisms for trustworthy systems: creating transparent mistrust. pp.
 o Edward Amoroso, W.E. Kleppinger, and David Majette. An
   engineering approach to secure system analysis, design, and
   integration. pp. 40-51. 
 o Ronald L. Sharp, Steven R. Eisen, W.E. Kleppinger, and Mark E. Smith.
   Network security in a heterogeneous environment. pp.52-60. 
 o Stephan A. Sherman, Richard Skibo, and Richard S. Murray. Secure
   network access using multiple applications of AT&T's smart card. pp.
 o Nicholas F. Maxemchuk. Electronic document distribution. pp.73ff. 

o Computing Systems Volume 7, Number 1 (Winter 1994) Matt Bishop, Guest

 o Matt A. Bishop, Guest Editorial p. v 
 o Willis H. Ware, Policy Considerations for Data Networks, p. 1. 
 o Raphael Yahalom, Birgit Klein, Thomas Beth. Trust-Based Navigation
   in Distributed Systems. p. 45 
 o Marjan Krajewski, Jr., John C. Chipehak, David A. Chodorow,
   Jonathon T. Trostle. Applicability of Smart Cards to Network User
   Authentication. p. 75. 
 o Allan Heydon, J.D. Tygar. Specifying and Checking UNIX Security
   Constraints. p. 91. 
 o Leonard J. LaPadula. A Rule-Set Approach to Formal Modeling of a
   Trusted Computer System. p. 113. 

o Computers & Security Volume 13, Number 5. (Elsevier) Refereed Papers: 

 o Karin Badenhorst and Jan Eloff. TOPM: a formal approach to the
   optimization of information technology risk management. pp.
 o Eike Born and Helmut Steigler. Discretionary access control by means
   of usage conditions. pp. 437-450. 

o Computers & Security Volume 13, Number 4. (Elsevier) Refereed Papers: 

 o E.E.O. Roos Lindgreen and I.S. Herschberg. On the validity of the
   Bell-LaPadula model. pp. 317-334. 
 o D. Longley and S. Vasudevan. Effect of key generators on the
   automatic search for flaws in key management schemes. pp.335-348. 
 o D.N.J. Mostert and S.H. von Solms. A methodology to include
   computer security, safety and resilience requirements as part of the
   user requirement. pp. 349-364. 

Reader's Guide to Current Technical Literature in Security and Privacy
Part 3: Books

 o Ford, Warwick. Computer communications security: principles,
   standard protocols and techniques. Prentice Hall P T R, Englewood
   Cliffs, NJ, ISBN 0-13-799453-2, 494 pages, $58. 
 o Thuraisingham, Bhavani, Ravi Sandhu, and T.C. Ting, editors. Security
   for object-oriented systems: Proceedings of the OOPSLA '93
   conference workshop on security for object-oriented systems.
   Springer-Verlag, New York, 1994, ISBN 0-387-19877-6. 
 o Castano, Silvana, Mariagrazia Fugini, Giancarlo Martella, and
   Pierangela Samarati. Database security. ACM Press/Addison-Wesley,
   1994, ISBN 0-201-59375-0. 
 o Abrams, Marshall D., Sushil Jajodia, and Harold J. Podell (eds.). 
   Information security: an integrated collection of essays. IEEE
   Computer Society Press, ISBN 0-8186-3662-9. 700 pages, $58
   (discounts available to IEEE CS members). 
 o Amoroso, Edward, Fundamentals of computer security technology, P T
   R Prentice-Hall, ISBN 0-13-108929, 1994, 404 pages, $48. 
 o Cheswick, William R., and Steven M. Bellovin, Firewalls and Internet
   security: repelling the wily hacker, Addison-Wesley, 1994, ISBN
   0-201-63357-4 (paper), 305 pages, $24.95. 
 o Neumann, Peter G., Computer-related risks, Addison-Wesley, 1994,
   ISBN 0-201-55805-X (paper), 320 pages, $24.75. 
 o Schneier, Bruce, Applied cryptography: protocols, algorithms, and
   source code in C, John Wiley & Sons, Inc. 1994, ISBN
   0-471-59756-2 (paper), 618 pages, $44.95. 

Dates              Event, Location    Point of Contact/ more information
-----              ---------------    ----------------------------------

Updated 14 November 1994

Date (Month/Day/Year), Event, Locations, e-mail for more info, Hyperlink
(if any)

12/ 5/94-12/ 9/94: ACSAC - Orlando;  (Vince Reed)
1/14/95: COMPASS '95 papers due;     or 
2/ 3/95: CSFW-8 papers due;         
2/13/94: papers due, 5th USENIX Sec Symp, Utah;
2/16/95- 2/17/95: ISOC-Symp, San Diego; 
                                              (Gloria Carrier)
3/ 1/95: NCSC-18 papers due;        
3/10/95: SAC '95 ext. abstracts due;
3/17/95: DCCA-5 papers due;         
3/20/95: IFIP WG11.3 papers due;     (T.C.Ting)
3/24/95: NSPW '95 papers due (hardcopy);
3/31/95: MDS-95, papers due, York, England;   IMACRH@V-E.ANGLIA.AC.UK
4/ 1/95: NSPW '95 papers due (e-mail);
4/ 3/95: IEEE S&P 5-min talk abstracts due;
5/ 7/95- 5/12/95: IEEE S&P 95;       (registration)
5/ 9/95- 5/11/95: IFIP/SEC '95 Capetown;      IFIPSEC95@RKW.RAU.AC.ZA
5/18/95- 5/19/95: SAC '95, Ottawa;  
5/22/95- 5/24/95: Eurocrypt '95, France;
6/ 5/95- 6/ 7/95: 5th USENIX Sec Symp, Utah;
6/13/95- 6/15/95: CSFW-8, Ireland;  
6/26/95- 6/30/95: COMPASS '95;      
8/13/95- 8/16/95: IFIP WG11.3,New York(RPI); (T.C.Ting)
8/27/95- 8/31/95: Crypto'95 Santa Barbara;
8/22/95- 8/25/95: NSPW '95 San Diego (UCSD);
9/ 5/95- 9/ 6/95: MDS-95, York, England;      IMACRH@V-E.ANGLIA.AC.UK
9/27/95- 9/29/95: DCCA-5, Champaign, IL;      no e-mail address available
10/10/95-10/13/95: NCSC-18, Baltimore;
3/??/96: CCS-3, New Delhi;                    exact dates to be available 1/95
5/ 5/96- 5/ 8/96: IEEE S&P 96;                no e-mail address available
5/ 5/96- 6/ 9/96: IFIP/SEC 96-Greece;         no e-mail address available
11/??/96: ESORICS '96, Rome, Italy;           no e-mail address available
5/ 4/97- 5/ 7/97: IEEE S&P 97;                no e-mail address available

CCS-2 = 2nd Annual ACM Conference on Computer and Communications Security
CCSS = 7th Annual Canadian Computer Security Symposium
CSFW = Computer Security Foundations Workshop
DCCA = Dependable Computing for Critical Applications
ESORICS = European Symposium on Research in Computer Security
IEEE S&P = IEEE Symposium on Research in Security and Privacy
IFIP/SEC = International Conference on Information Security (IFIP TC11)
IFIP WG11.3 = IFIP WG11.3 9th Working Conf. on Database Security
MDS '95 = Second Conf. on the Mathematics of Dependable Systems
NCSC = National Computer Security Conference
NSPW = New Security Paradigms Workshop
ISOC-Symp = Internet Society 1995 Symposium on Network and 
            Distributed System Security
SAC '95 = 2nd Annual Workshop on Selected Areas of Cryptography
USENIX Sec Symp = USENIX UNIX Security Symposium

Interesting Links
URL (first line) followed by description (second line)

Government sources:
If you want to start at the top!
NIST Computer Security Resource Clearinghouse - pointers to many places
NRL Center for High Assurance Computer Systems, with IEEE and XTP-1 ptrs
ARPA home page
NASA Langley Research Center - and pointers to other Government Labs
Software Engineering Institute Information Server

Professional societies and organizations:
IEEE Computer Society home page
ACM home page, with pointers to IFIP, Internet Society, etc.
Internet Society Home Page
Internet Society's Internet Engineering Task Force home page
IFIP Home Page
IFIP WG 11.3 (Database Security) home page

Other places for interesting research papers and announcements
SRI-CSL SRI International Computer Science Lab home page
OSF Research Institute home page
Distributed Object Computing - GTE Research group home page
An AT&T Bell Laboratories Research World-Wide Web Server
Computer Science Technical Reports Archive Sites
Jonathan Bowen
{Tele}Communications Information Sources
Uebercracker's Security Web
Bellcore Trusted Software Integrity System

TC Officer Roster
Chair:                               Vice Chair:
 Terry Vickers Benzel                 Deborah Cooper
 Trusted Information Systems          Director, Information Systems Security
 11340 W. Olympic Blvd, Suite 265     Unisys Govt. Information Systems Group
 Los Angeles, CA 90064                12010 Sunrise Valley Drive
 (310) 477 - 5828                     Reston, VA 22091
                                      (703)847-3895

Newsletter Editor:                   Standards Subcommittee Chair
 Carl Landwehr                         [VOLUNTEER NEEDED!]
 Code 5542
 Naval Research Laboratory
 Washington, DC 20375-5337

Information for Subscribers and Contributors
SUBSCRIPTIONS:  To subscribe, send e-mail to 
 (which is NOT automated) with subject line "subscribe".  To remove yourself
 from the subscription list, send e-mail to
 with subject line "unsubscribe".
 Those with access to hypertext browsers may prefer to read Cipher that way.
 It can be found at URL

CONTRIBUTIONS: to  are invited.  Cipher is a
 NEWSletter, not a bulletin board or forum.  It has a fixed set of
 departments, defined by the Table of Contents.  Please indicate in the
 subject line for which department your contribution is intended. For
 Calendar entries, please include an e-mail address for the
 USUAL DISCLAIMERS APPLY.  All reuses of Cipher material should respect
 stated copyright notices, and should cite the sources explicitly; as a
 courtesy, publications using Cipher material should obtain permission
 from the contributors.

ARCHIVES:  Available at URL

==============end of Electronic Cipher Issue #2, 12/5/94====================