Subject: Electronic CIPHER, Issue 5, April 10, 1995

====================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 5                                    April 10, 1995
Carl Landwehr, Editor
====================================================================

Contents:

Letter from the Editor
Letter to the Editor
Security and Privacy News Briefs:
  o SATAN not so devilish?
  o Russia bans unlicensed crypto
  o US Commerce Dept. encryption survey (due 15 April)
  o NSA offers ISAKMP Internet Draft for attribution
  o NCSC ITSEC, PAT documents available by anonymous FTP
Conference News and Reports:
  o IETF meeting summary by Avi Rubin
  o CMAD III workshop summary by Steve Lodin, Christoph Schuba, and Sandeep Kumar
  o CFP95 conference report [pointer only]
  o Oakland Security and Privacy Symposium update: Poster session space available; book sale, 802.10 (SILS), P1363 meetings announced
Standards News and Reports:
  o Intro to Cryptographic Standards by Richard Ankney
  o WWW Security Standards news items
New calls for papers: 5 conferences, 1 journal
Reader's guide to recent security and privacy literature:
  o Paper lists from conferences: CSFW-8 and INET '95
  o Relevant papers from recent journals and periodicals [7]
  o Recent books [1]
Calendar
Who's Where: recent address changes
Interesting Links - 8 new places to surf
TC publications for sale!
TC officers
Information for Subscribers and Contributors

______________________________________________________________________
Letter from the Editor
______________________________________________________________________

Dear Readers,

With this issue, Cipher introduces Richard Ankney's contributions on security standards. His initial article provides an excellent summary that we will use to start a permanent section on the Cipher home page introducing and summarizing the current state of security and privacy standards. Other contributions to this section continue to be welcome.

Conference reports are provided by Avi Rubin on the just-completed IETF meeting and by Steve Lodin, Christoph Schuba, and Sandeep Kumar on the Computer Misuse and Anomaly Detection workshop held in January. The Computers, Freedom, and Privacy conference is a little outside our technical focus, but it has become a leading forum for discussions of policy. To keep Cipher's length within reasonable bounds, I decided not to include Lorrie Cranor's interesting meeting report verbatim, but I encourage those of you with an interest in this meeting to follow the URL for her report on CFP95, which was held March 28-31.

Evidently the answer to my query in EC#4 as to whether NCSC (now NISS) proceedings will be cataloged (e.g. by IEEE or ACM) is still "no," but I am most pleased to provide Jack Holleran's letter on how to obtain copies of recent proceedings. I hope Cipher readers will take advantage of his offer!

Our quiz from the last issue had a success rate of 100%: exactly one entry arrived, and it was correct! Yves Deswarte, of LAAS-CNRS, in Toulouse, correctly identified the quote as coming from Stan Ames's paper in the 1981(!) Symposium on Security and Privacy. I found it a remarkably current observation, and I worry a little whether the lack of response indicates a lack of readership.
If not, I worry more that we are in danger of fulfilling Santayana's oft-quoted aphorism about the past.

Again, I offer many thanks to our contributors, and I invite all of you to provide Cipher with newsworthy reports. If you like to read it, please help write it!

Carl Landwehr
Editor, Cipher

______________________________________________________________________
Letter to the Editor
______________________________________________________________________

To the Editor, IEEE Cipher:

The last issue of Cipher has duly flogged my soul into bearing the following news about previous proceedings for the National Computer Security Conference. This conference has also been known as the NBS Conference. The last several proceedings are available at a price with which even the ACM and IEEE cannot compete ... the cost of a phone call. Single copies can be obtained (drum roll please) by dialing (410)766-8729. We will also provide single copies of the popular rainbow series and the products and services catalog. All for the amazing price of a phone call.

What's the catch? This offer is only good for US Citizens. Requests from other countries should be emailed to NISS_Conference@Dockmaster.ncsc.mil. We will try to fulfill requests, but there is no guarantee. The last shipment took 2 1/2 months to get to its destination.

With the proceedings, supplies are limited; when they are gone, they're gone. We will not be reprinting them. For the next issue, we will have a total list of papers (i.e. the table of contents) from all previous conferences, with dates.

And for those who have grown to love the National Computer Security Conference, it also has been renamed to the National Information Systems Security Conference. Speaking of proceedings, you too can guarantee yourself a copy by attending this year's conference, being held in the Baltimore Convention Center, October 10-13, 1995. The first 2000 attendees will also receive a CDRom with the proceedings included.
There will be no excess CDRoms, so plan to attend. Additional information will be available at (301)975-2771 {Tammy Grice, NIST}. See you there.

Suitably flogged,
Jack Holleran
National Computer Security Center
jack@dockmaster.ncsc.mil

______________________________________________________________________
Security and Privacy in the News
______________________________________________________________________

o SATAN not so devilish?

The widely feared April 5 release of SATAN (Security Administrator Tool for Analyzing Networks) by Dan Farmer and Wietse Venema has had little visible effect as yet (though according to some reports, Dan Farmer's work on the security scanning tool, which provides a web browser interface, may have cost him his position with Silicon Graphics). Perhaps it will turn out to satisfy its authors' stated intention of making it easier to secure systems without causing widespread new break-ins. To date, Los Altos Technologies has released a freeware tool "Gabriel" that is supposed to detect whether SATAN is being used to probe a system, and Matthew Gray of net.Genesis(tm) Corp. has identified a security hole in SATAN itself. For details and later developments (and your own copy of the source), see the COAST archive http://www.cs.purdue.edu/coast/satan.html

o Russia Bans Unlicensed Crypto

Found circulating on the Internet was the following report:

Subject: A ban on cryptography in Russia

Edict no.334 (April 3, 1995) of the President of Russian Federation imposes an all-embracing ban on all cryptographic systems except those licensed by the Federal Agency for Governmental Communications and Information.
- Section 4 bans all activities in development, production, sales and use of unlicensed cryptographic systems as well as rendering cryptographic services.
- Section 5 bans import of unlicensed cryptographic systems.
- Section 6 instructs Federal Counterintelligence and other agencies to detect violations of this edict.
o US Commerce Department encryption survey (due 15 April)

The US Bureau of Export Administration (in the Commerce Department) has released a questionnaire for companies that produce software encryption products, in order to help assess the effect of current export control policies on worldwide encryption software sales and the international competitiveness of the U.S. software industry. The survey applies to all software that contains cryptography (password protection, data encoding, digital signatures, etc.), including mass market software for which encryption is not the primary function. Completed questionnaires are due 15 April 1995; the study is to be completed by 1 July 1995 and will be used by the Interagency Working Group on Encryption and Telecommunications Policy in evaluating the overall U.S. encryption policy, including export control regulations. The questionnaire is available at URL: http://www.bsa.org/bsa/docs/encsrvy.html or contact Karen Swasey, voice (202)482-5953 or fax (202)482-3195.

o NSA offers ISAKMP Internet Draft for attribution

Douglas Maughan, Barbara Patrick, and Mark Schertler of the National Security Agency offered an Internet Draft, entitled Internet Security Association and Key Management Protocol (ISAKMP), to the IPSEC working group of the Internet Engineering Task Force (see Avi Rubin's report in this issue). The open attribution of this submission appears to mark a change in NSA policy. It is available in ascii at URL ftp://ietf.cnri.reston.va.us/internet-drafts/draft-nsa-isakmp-00.txt

o NCSC ITSEC, PAT documents available by anonymous FTP

The Interpreted Trusted Computer System Evaluation Criteria (12 January 1995) and two Process Action Team (PAT) documents, "Form and Content of Vendor Design Documentation" and "Form and Content of Vendor Test Documentation" (both drafts dated May 1994), are now available in PostScript by anonymous FTP from the NRL ITD anonymous FTP server, URL ftp://chacs.itd.nrl.navy.mil/pub/chacs.
Thanks to Jeremy Epstein for his help in downloading these from Dockmaster and to NSA for agreeing to their distribution.

______________________________________________________________________
Report on 32nd Internet Engineering Task Force Meeting
by Avi Rubin
______________________________________________________________________

The Internet Engineering Task Force (IETF) held its 32nd meeting in Danvers, MA on April 3-7, 1995. The IETF has a www home page, http://www.ietf.cnri.reston.va.us/home.html, where more information can be found. Briefly, the IETF is the protocol engineering and development arm of the Internet. The IETF is a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. It is open to any interested individual. The actual technical work of the IETF is done in its working groups, which are organized by topic into several areas (e.g., routing, network management, security, etc.).

The April meeting had about 870 participants, down from about 1200 that attended in December. This may be partially due to the fact that the previous meeting was in San Jose, where more people could attend locally, although the reduction in attendance was surprising to most. The April meeting did not feature the technical presentations that began every morning in San Jose.

One of the reasons for reduced attendance at the security sessions may have been the small number of meetings that were held. The absence of several working group meetings was surprising. There were no meetings of the Privacy Enhanced Mail (PEM) working group, the Domain Name Server (DNS) working group, or the Web Transport Security (formerly http) working group. Also, the Independent Object Security (IOS) group that held a Birds of a Feather (BOF) session in San Jose did not meet, and it is believed by many that this group will not be formed.
There was only one meeting of the Internet Protocol Security (IPSEC) working group, which was surprising given the active number of drafts and the many controversial topics being actively debated on the mailing list. The IPSEC working group met on the last day of the security meetings, which probably explains the many impromptu sessions of IPSEC'ers meeting in the lounge to discuss issues relevant to their charter. There were three meetings of the Common Authentication Technologies (CAT) working group, and there was one meeting of the Authenticated Firewall Traversal (AFT) working group. In addition, there was a separate group, the site security handbook group, that is not part of the security area, and their meetings were unfortunately scheduled at the same time as the CAT meetings, so attendance was much lower than it probably would have been otherwise. There was also a BOF session on standardization of S/KEY, a one-time password scheme for authentication.

The first security session of the 32nd IETF was Authenticated Firewall Traversal (AFT) on April 4, 9:00-11:30. The AFT working group has a mailing list at aft-request@unify.com. Ron Curris at Unify manages the list. There is also an archive at this site. This session was broadcast over the MBONE, and there were an estimated 130 people in attendance. The group is chartered to produce firewall traversal at the application layer. It is considering the SOCKS V5 protocol. Some open questions are how to assign method numbers (whether they should be reserved or assigned), and whether the MAC should remain a bit vector or become a capability like METHOD. Currently, no confidentiality is offered for UDP, and it is an open question whether this should be added. The consensus seemed to be that it should, but the session chair, Marcus Leech, and the speaker, Piers McMahon, seemed to think this would be very difficult.
There was also a debate about whether clients should be able to close authenticated connections, or if this should be left to the server. A criticism was made that the current draft does not support ICMP reply packets. Later in the meeting, Piers McMahon spoke about GSSAPI. He spoke about the different protection level agreements for UDP and TCP.

The next security session was the Common Authentication Technologies (CAT) working group. This group has a mailing list at cat-ietf@mit.edu. Their archive is at bitsy.mit.edu:~/cat-ietf/archive. John Lin is the chair of this group. There were three meetings of this working group at the conference. The first meeting was on Tuesday, April 4, from 3:30-5:30. There were an estimated 85 people at the beginning of this meeting and about 40 when it was finished. Marc Horowitz from Openvision Technologies presented his draft on ftp security. He reviewed several changes that have been made to the draft. The question of whether or not to advance the document to a proposed standard was raised, and it was decided that there would be a last call for comments on the document by May 1st. The next topic was GSS-API, and changes to version 2 were discussed, as well as backwards compatibility and binary portability issues.

Wednesday morning, April 5, began with a BOF session on standardization of S/KEY from 9-11:30. The co-chairs of the BOF were Neil Haller of Bellcore and Ran Atkinson of NRL. A working group will be formed with a mailing list at ietf-otp@bellcore.com and the archive is at ftp.bellcore.com:~pub/ietf-otp/archive. The first presenter was Ran Atkinson. He talked about NRL's One-time Passwords in Everything (OPIE) package. Version one is available from ftp.nrl.navy.mil in /pub/security/nrl-opie. Version two is being finished, and will be available shortly. Next, Neil Haller talked about Bellcore's two versions of S/KEY. Version one is available from ftp.bellcore.com:/pub/nmh/...skey|docs|mac|dos.
Then, other people mentioned their implementations. Those are available at:
  avian.org:/src/hacks/skey.tgz.prerelease
  ftp.win.the.nl:/pub/security...logdaemon-*
  ftp.ftp.com:/pub/meister/skey.new (available in about a month)
  ftp.bpsinc.com:/pub/u/corwin/skey (available in about two weeks)
The decision was made to form a working group that will probably produce a standard in less than a year. This was the most efficient, least controversial meeting I've ever seen at the IETF.

Later on Wednesday, the CAT group held its next two meetings, with a half hour break in between. First, Elgamal from Netscape gave a presentation on the Secure Socket Layer (SSL) protocol. This protocol assumes an underlying public key infrastructure, and that clients already hold the public key needed to verify the server's certificate. For Netscape this is accomplished by including that public key in the client software. The current package sits on top of TCP, and a UDP version is under consideration. Next, Carlisle Adams and Dragan from BNR spoke about SPKM, a GSS mechanism that uses public keys, rather than symmetric ones. There are a total of four other implementations of this, including one by Sun Microsystems [10 April 95: Don Stephenson of Sun reports that their implementation is underway, but not complete -- CEL]. The draft is now in last call, meaning it will become a proposed standard soon. Finally, a protocol, IDUP-GSS (Independent Data Unit Protocol - Generic Security Services), was presented. Later, in the second session, Cliff Neuman presented extensions to Kerberos for public keys. There is also a draft for adding S/KEY authentication to Kerberos.

The last security working group to meet was IPSEC. Interest was high, with an estimated over 150 people in attendance, and standing room only in the back. The mailing list for this group is ipsec@ans.net. The chairs of this group are Paul Lambert of Motorola and Ran Atkinson of NRL.
Apparently, many decisions and much progress were made by this group in small meetings throughout the conference that featured the major players in this group. At the last IETF, there seemed to be about five proposals for key management that were equally popular, but through influence of one of the chairs and others, the group seems to have decided to adopt only one of those proposals, Photuris. This proposal is by Phil Karn of Qualcomm. Phil presented his current implementation, which runs over UDP. Hugo Krawczyk of IBM presented a modified Photuris, which corrects a drawback in the basic protocol, namely, that it forces a single execution path. The modified Photuris (Photuris plus) does not require extra exponentiations when they are not needed. This is called fast rekeying: new session keys can be generated without Diffie-Hellman exponentiations when those can be avoided. Next, a proposal for a framework for IP layer security was presented by Mark Schertler of NSA. One of the dominant issues debated outside of the meeting was host versus user based keying. There seems to be a consensus that host-based keying is better, and that user-based keying should be an option.

At the end of the IPSEC meeting, Steve Bellovin of AT&T Bell Labs presented attacks on the current key management protocols. His cut-and-paste attacks demonstrate that there is no way to do secrecy without integrity, and that separating the two is totally insecure. The conclusion is that there must be a mandatory integrity check on all encrypted data.

Finally, at the end of the IETF conference, the Security Area Advisory Group (SAAG) met. In this meeting, all of the security work that took place at the conference was summarized, including reports from all the working groups. Jeff Schiller, the area director for security, ran the meeting. The next IETF meeting will be in Stockholm, Sweden on July 17-21, 1995. For more information see http://www.ietf.cnri.reston.va.us/Stockholm.html.
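The S/KEY scheme discussed at the Wednesday BOF above is a hash chain: the server keeps only the last password it accepted and checks each new one by hashing it forward a single step, so a password sniffed off the wire cannot be replayed and does not reveal the next one. The following is an added example of that mechanism, not code from the BOF, from Bellcore's S/KEY or from NRL's OPIE. It assumes SHA-256 folded to 64 bits where RFC 1760 specifies MD4 folding, and the secret, seed and count are constructed values.

```python
import hashlib
import hmac

# Added S/KEY-style hash-chain demo. Assumption: SHA-256 folded to 64 bits
# stands in for the MD4 folding of RFC 1760; the chain logic is unchanged.


def fold(data: bytes) -> bytes:
    """One link of the chain: hash, then XOR the four 8-byte quarters of the
    digest down to a 64-bit value (the S/KEY folding step)."""
    d = hashlib.sha256(data).digest()
    return bytes(d[i] ^ d[i + 8] ^ d[i + 16] ^ d[i + 24] for i in range(8))


def otp(secret: bytes, seed: bytes, n: int) -> bytes:
    """The n-th one-time password: fold applied n+1 times to seed||secret.
    Only the client, which knows the secret, can compute this."""
    value = fold(seed + secret)
    for _ in range(n):
        value = fold(value)
    return value


class OtpServer:
    """Stores only the last accepted password, never the secret.

    At enrolment the client hands over otp(secret, seed, count). Each login
    must present the previous chain element, which the server checks by
    folding it forward one step and comparing with what it stored."""

    def __init__(self, seed: bytes, count: int, last: bytes):
        self.seed, self.count, self.last = seed, count, last

    def challenge(self) -> tuple[int, bytes]:
        # Sent in the clear: sequence number and seed the client must use.
        return self.count - 1, self.seed

    def verify(self, response: bytes) -> bool:
        if self.count <= 0:
            return False  # chain exhausted; re-enrol with a fresh seed
        if not hmac.compare_digest(fold(response), self.last):
            return False  # wrong password, or a replay of one already used
        # Advance the chain: the password just used becomes the stored value.
        self.last, self.count = response, self.count - 1
        return True


def client_respond(secret: bytes, challenge: tuple[int, bytes]) -> bytes:
    n, seed = challenge
    return otp(secret, seed, n)


def demo() -> dict:
    """Constructed enrolment, two logins, and a replay by an eavesdropper."""
    secret, seed, count = b"correct horse battery", b"ke1234", 100
    server = OtpServer(seed, count, otp(secret, seed, count))

    first = client_respond(secret, server.challenge())
    login1 = server.verify(first)   # accepted: fold(otp 99) == stored otp 100
    replay = server.verify(first)   # rejected: otp 99 is now the stored value
    login2 = server.verify(client_respond(secret, server.challenge()))  # otp 98

    return {"login1": login1, "replay": replay,
            "login2": login2, "remaining": server.count}


if __name__ == "__main__":
    print(demo())
```

Two properties carry the scheme's security: the server never holds anything that yields a future password (the chain is only computable forward), and the count strictly decreases, so a passive eavesdropper is left with a value the server will no longer accept.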
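Bellovin's point that secrecy without integrity is insecure is easiest to see with CBC mode, where each plaintext block depends on only two ciphertext blocks, so an attacker can transplant a pair of blocks from one packet into another encrypted under the same key and the receiver decrypts the transplant as valid plaintext. The following added example (written for this page, not Bellovin's code) shows the splice succeeding against bare CBC and failing against encrypt-then-MAC. It assumes a 128-bit block cipher built as a 4-round Feistel network with HMAC-SHA256 round functions, a standard-library stand-in for DES or AES; the attack does not depend on which block cipher is used. Packet contents, keys and IVs are constructed.

```python
import hashlib
import hmac

# Added example of a CBC cut-and-paste splice. Assumption: the block cipher is
# a 4-round Feistel network over HMAC-SHA256 (a stand-in for DES/AES).

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) % BLOCK == 0, "demo uses whole blocks, no padding"
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    # P[i] = D(C[i]) XOR C[i-1]: only two ciphertext blocks matter per block,
    # which is what the cut-and-paste attack exploits.
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def splice(target_ct: bytes, source_ct: bytes, src_block: int, dst_block: int) -> bytes:
    """Attacker: copy source blocks src_block-1, src_block over target blocks
    dst_block-1, dst_block. Target block dst_block then decrypts to the
    source's plaintext block src_block; only block dst_block-1 is garbage."""
    forged = bytearray(target_ct)
    lo, hi = (src_block - 1) * BLOCK, (src_block + 1) * BLOCK
    forged[(dst_block - 1) * BLOCK:(dst_block + 1) * BLOCK] = source_ct[lo:hi]
    return bytes(forged)


def seal(enc_key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes) -> tuple[bytes, bytes]:
    """Encrypt-then-MAC: the mandatory integrity check argued for above."""
    ct = cbc_encrypt(enc_key, iv, plaintext)
    return ct, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def open_sealed(enc_key: bytes, mac_key: bytes, iv: bytes, ct: bytes, tag: bytes):
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # reject before decrypting anything
    return cbc_decrypt(enc_key, iv, ct)


# Constructed packets, three 16-byte blocks each; the attacker wants packet B
# to carry packet A's amount.
PACKET_A = b"TO: mallory     " + b"MEMO: invoice   " + b"AMOUNT: 1000000 "
PACKET_B = b"TO: mallory     " + b"MEMO: refund    " + b"AMOUNT: 0000010 "


def demo() -> dict:
    enc_key = hashlib.sha256(b"constructed encryption key").digest()
    mac_key = hashlib.sha256(b"constructed mac key").digest()
    iv_a, iv_b = bytes(range(16)), bytes(range(16, 32))

    ct_a, _ = seal(enc_key, mac_key, iv_a, PACKET_A)
    ct_b, tag_b = seal(enc_key, mac_key, iv_b, PACKET_B)
    forged = splice(ct_b, ct_a, 2, 2)  # paste A's last two blocks onto B

    no_integrity = cbc_decrypt(enc_key, iv_b, forged)  # accepted as-is
    with_integrity = open_sealed(enc_key, mac_key, iv_b, forged, tag_b)
    return {
        "forged_first_block": no_integrity[:16],  # B's own TO: block, intact
        "forged_last_block": no_integrity[32:],   # now A's AMOUNT block
        "rejected_with_mac": with_integrity is None,
        "genuine_ok": open_sealed(enc_key, mac_key, iv_b, ct_b, tag_b) == PACKET_B,
    }


if __name__ == "__main__":
    print(demo())
```

The one garbage block the splice leaves behind is why the attack is practical: a receiver that tolerates junk in a field it does not check (padding, a comment, an unused header) has no way to distinguish the forgery from a genuine packet unless the whole ciphertext is covered by a MAC.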
______________________________________________________________________
CMAD III workshop summary
by Steve Lodin, Christoph Schuba, and Sandeep Kumar
______________________________________________________________________

CMAD III--3rd Annual Workshop on Computer Misuse and Anomaly Detection
Sonoma, California. January 10-12, 1995

S. Kumar, S. Lodin, Ch. Schuba
COAST Laboratory
Purdue University

(This article is reprinted from v1(2) of "COAST Watch", the COAST Project electronic newsletter. An enhanced version is available via WWW from http://www.cs.purdue.edu/homes/swlodin/cmad/report.html)

-----------------------------------------------------------------------

This workshop was sponsored by the National Security Agency, Air Force Information Warfare Center & the University of California Davis. Attendance was by invitation only. The workshop was attended by members from the legal community, CERT and security experts specializing in intrusion detection. The vendor community seemed under-represented. The highlight of the workshop was a presentation by Tsutomu Shimomura who described how he was able to detect and recover from the intrusion on his computer systems at the San Diego Super Computing Center.

Jan 10 (Auditing Applications Software)

Talks on the opening day were started by Marv Shaefer of ARCA Systems Inc. who outlined and emphasized the differing requirements of auditing from the perspective of the OS and the application. He said that reconciling these differences would be important to audit next generation applications effectively. He said that the difficulty with auditing applications is that the nature of controls for an application often changes over time and that the separate access control policies may compose surprisingly. He stated that the objective of audit logging is to produce an accurate, immutable, and persistent record of relevant activity that can provide valid evidence to an auditor or other officials once a malfeasance has been detected.
The next speaker was Olin Sibert of Oxford Systems who said that low level auditing at the OS/TCB/kernel level was becoming increasingly irrelevant for lack of general mechanisms to deduce higher level application abstractions from these events. He mentioned the need for generic audit trail formats and an API to log application events. Olin explained using examples how "Computer Oriented" breaches were simpler to detect using traditionally understood notions of auditing than "Organization Oriented" breaches, which were policy based and ill defined. He also said that the intrusion detection community has thus far focused more on outside intrusions than on inside abuse.

After an intermission Steve Smaha of Haystack Labs went on to describe the typical customer attitude to security. He said that customers were spending less on host based security controls and more on boundary control measures like firewalls. He then went on to describe the details of Haystack Labs' commercial intrusion detector called "Stalker". He mentioned that the working goal of an intrusion detection system is to provide accountability, do *misuse* (not anomaly) detection and possibly provide a unitary audit trail derived from several sources and its analysis.

Professor Karl Levitt of UC Davis followed Steve Smaha and his talk was titled "Toward the Auditing of Application Programs". He said that application audit trails (AAT) should supplement system audit trails (SAT). He asked what system support might be required to produce trusted AAT and which applications were good candidates for generating AATs. He felt that DBMS, editors, financial and medical applications were promising candidates for application auditing.

Jan 10 (Network Management)

After lunch, Bill Cheswick of AT&T Bell Labs spoke on the use of firewalls to protect a network. He suggested setting up a "honeypot" machine on the internal net that is near the network gateway and that holds what appear to be goodies.
The existence of this honeypot machine is made known to very few and is watched carefully. This honeypot machine serves as a snare for intruders who manage to break in past the bastion host. The idea of the honeypot is similar to putting a burglar alarm inside your safe, as a last (and cheap) measure to see if someone got through the security. These can be implemented even if other security measures, like firewalls, are infeasible.

Marcus Ranum of Trusted Information Systems followed Bill and rambled at length (ed. his words, not ours). He proposed that the security community reduce its commitment to tracking the sources of attacks and building cases for prosecuting them. Marcus claimed that the cost and difficulty of tracking hackers, combined with the difficulty of prosecution, and the "slap on the wrist" that they get when brought to trial shows there is no cost justification. He pointed out further that from a cost/benefit approach, deterring hackers by prosecution appears to be much less effective than deterring hackers via technological countermeasures like firewalls and secure systems. The only effective means of directly countering hackers would be to take questionable measures such as declaring all-out information warfare against the hacker community, effectively sinking to their level. He noted that in some cases, this process appears to have begun.

Improving the situation, Marcus claimed, is a matter of taking incremental steps by identifying countermeasures that would block off whole avenues of attack. He described a "wouldn't it be nice?" firewall, which does nothing but stamp incoming packets as "infected" and pass them on to internal machines running with environments that support different types of access control against different types of data. Thus, a TELNET session from the outside might be able to log in, but would be incapable of executing (or even seeing) certain programs or files.
Files imported from the outside might not be executable until manually "blessed". Marcus concluded by begging for people to focus on building simple tools from which complex security architectures could be assembled, rather than the other way around.

Paul Traina of Cisco Systems outlined how cryptography cannot easily solve the problem of maintaining the integrity of routes in the internet. The chief problem is performance. He showed why it is insufficient to assign a public/private key to every router and sign/encrypt the routing information before sending it to the next hop gateway. The problem is that this method does not provide end-to-end authentication of routes. To achieve that, one would need a path encryption which would allow the verifier to check a route update all the way to the source (similar to the X.509 certification scheme).

Jan 11 (System Vulnerabilities)

Bob Abbott of Abbott Computers Partners said that the primary problem facing the security community is the loss of confidence in security. He said that software glitches are the key to penetrations. Penetrations might exploit single glitches or a combination of glitches. The primary cause is the incomplete or inconsistent validation of parameters. In his view, the problem should be cheaper to fix at the operating system level. The three major reasons for continued penetrations are:
1. Software change cycle is more frequent (because of the market being more money driven).
2. There is more and larger software to be subverted.
3. There is a lack of understanding of how software maintenance increases the potential for penetrations.
The conclusion is that all points of penetration prevention and detection should be considered. These include before penetration checks (software analysis, integrity reviews, testing, programming standards), during penetration checks (checksums, table integrity), and after penetration checks (table status, audit trails).
Following Bob Abbott, Christoph Schuba of the COAST laboratory, Purdue University described a vulnerability in the Domain Name Service (DNS). He abstracted the problem to say that if the binding process (for example, mapping internet address numbers to domain names) can not be trusted then names cannot be trusted. The vulnerable points are a corrupted sender, receiver or intermediary, and the service provider itself. The best point of detection is an open question. To prevent vulnerabilities in DNS several methods can be employed:
1. Harden DNS (watch Paul Vixie's version of BIND).
2. Harden application usage.
3. Employ careful protocol design with security as an important consideration.
4. Use cryptographically strong methods.
5. Watch the IETF Working Group on DNS.

Following Christoph, Kevin Ziese of the Air Force Information Warfare Center spoke on the need to share vulnerability data among the security community. He also focused on the lack of a common, consistent way of dissecting vulnerabilities into common classes from which a researchable data base of vulnerabilities could be developed. He said that vulnerabilities tend to cluster in classes and that we often focus on fixing a particular vulnerability rather than attempting to fix the class. He said the security problem has taken a new dimension with the explosive growth of the WWW and that every connection is a potential threat. His recommendations include developing a taxonomy to understand the process, developing a methodology for dissecting vulnerabilities and implementing a measurement process. Vulnerabilities are a symptom, not the disease. The use of metrics should drive the countermeasures employed. The development of plug-and-play modules for security is needed.

Tsutomu Shimomura followed Kevin Ziese and described an attack on his computer system at the San Diego Super Computing Center.
The attack was a realization of the classic attack using IP spoofing described in the paper by Robert Morris and later by Steve Bellovin ("Security Problems in the TCP/IP Protocol Suite", 1989). Because of good instrumentation, the attack was monitored well. It involved wedging the TCP state machine, then predicting TCP sequence numbers. After the fake TCP connection was established, the intruders gained access by making the intruded machine believe that their machine was a trusted machine. The most disturbing aspect of this attack was that the attack seemed scripted or automated based on the timing of events.

The attack also involved compiling and installing a kernel loadable module. There is a tool floating around called TAP which is a kernel module that allows you to watch streams on SunOS, and capture what a person is typing. It is easy to modify so that you could actually write to the stream, thus emulating that person and hijacking their terminal connection.

A method for stopping the IP spoofing attack is to make sure firewalls and screening routers are set up to block traffic that originates from the outside but carries an inside source address. A method for stopping the second attack is to disable the capability of the kernel to load modules dynamically after all valid modules are loaded. Der Mouse developed a script for SunOS 4.1.2 to do this. It is retrievable from ftp://coast.cs.purdue.edu/pub/tools/unix/disable_mod_cmds.

The attack seemed specifically to target Tsutomu. He even played audio files of the attackers leaving voice mail. For the story that beat the CERT Advisory, see the Monday, January 23, 1995 issue of The New York Times. The front page story by John Markoff is titled "Data Network Is Found Open To New Threat". In the weeks that followed, nearly every newspaper, magazine, and TV news program carried information about the incident.
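The screening-router rule recommended above (later standardized as ingress filtering in BCP 38) is simple enough to state as code. The following is an added example written for this page, not code from the workshop, from COAST, or from any router vendor; it assumes one inside prefix, 192.0.2.0/24, and the packets are constructed. It also applies the symmetric egress rule and drops source addresses that can never legitimately originate a packet, since a filter that only handles the exact case in the story leaves the obvious variants open.

```python
import ipaddress
from dataclasses import dataclass

# Added anti-spoofing filter demo. Assumptions: a single inside prefix and
# constructed sample packets; the addresses carry no meaning beyond the demo.

INSIDE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass(frozen=True)
class Packet:
    iface: str  # "outside" or "inside": interface the packet arrived on
    src: str
    dst: str
    flags: str = ""  # TCP flags, informational only here


def is_inside(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INSIDE_PREFIXES)


def verdict(pkt: Packet) -> str:
    """Return 'pass' or 'drop: <reason>' for one packet."""
    src = ipaddress.ip_address(pkt.src)
    # Sources that can never legitimately originate a packet from anywhere.
    if src.is_loopback or src.is_multicast or src.is_unspecified:
        return "drop: bogus source address"
    if pkt.iface == "outside" and is_inside(pkt.src):
        # The attack above: an outside host claiming a trusted inside address.
        return "drop: inside source address arrived on outside interface"
    if pkt.iface == "inside" and not is_inside(pkt.src):
        # Egress rule: keeps our own hosts from spoofing someone else's.
        return "drop: non-inside source address leaving via inside interface"
    return "pass"


def filter_packets(packets: list[Packet]) -> list[tuple[Packet, str]]:
    return [(p, verdict(p)) for p in packets]


# Constructed traffic; the second packet mimics the spoofed SYN from the attack.
SAMPLE = [
    Packet("outside", "198.51.100.7", "192.0.2.10", "SYN"),  # ordinary inbound
    Packet("outside", "192.0.2.20", "192.0.2.10", "SYN"),    # spoofed "trusted host"
    Packet("inside", "192.0.2.10", "198.51.100.7", "SYN"),   # ordinary outbound
    Packet("inside", "203.0.113.5", "198.51.100.7", "SYN"),  # our host spoofing
    Packet("outside", "127.0.0.1", "192.0.2.10", "SYN"),     # bogus source
]


def summarize(packets: list[Packet] = SAMPLE) -> list[str]:
    return [v for _, v in filter_packets(packets)]


if __name__ == "__main__":
    for pkt, v in filter_packets(SAMPLE):
        print(f"{pkt.iface:7} {pkt.src:>14} -> {pkt.dst:<14} {v}")
```

The rule only helps where the trust relationship crosses the filter: if the "trusted machine" being impersonated sits on the same segment as the attacker, or the attacker is already inside, the router never sees a contradiction between interface and source address, and the defence has to come from not trusting addresses at all.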
Further references are the CERT Advisory on this intrusion and Steven Bellovin's response to the attack and the publicity.

Jan 11 (Protection Mechanisms for CMAD Systems)

Next, Dr. Matt Bishop of UC Davis spoke about protecting CMAD systems. He discussed a model with the following principals: Agent, Director, & Notifier. Then he examined the threats imposed on each of these principals by the following types of attacks: modification, masquerading, denial of service, flooding, interception, assurance & replay.

Jan 12 (Legal Issues: Present and Future)

Not surprisingly, one of the more interesting sessions involved the legal experts. Prosecuting attorney Bill Cook described some of the issues surrounding the development and execution of taking a computer-related case to trial. Some of the potential problem areas described by Bill include copyrighted material, patented programs, trade secrets, defamation, pornography, viruses, and technology transfer.

Martha Stansell-Gamm from the US Department of Justice Computer Crime Unit discussed some of the goals the DOJ has been pursuing in the US and abroad. She explained recent legislative amendments to the wiretap statute in the Digital Telephony Act, and also discussed training programs for federal prosecutors and agents.

Also in the legal session, Kevin Ziese described the legal issues encountered and the close interaction he had with the Department of Justice when the Air Force Information Warfare Center discovered an intrusion at an Air Force site. Their actions required many interpretations of the current legal situation. Stansell-Gamm concluded the session by saying "Kids, don't do this at home".

Jan 12 (Customer Requirements: Present and Future)

Tom Longstaff from CERT moderated the last session of the workshop. He briefly talked about the requirements of the customers of CERT and concluded that unobtrusive and free solutions are wanted.
He then introduced the panelists, who discussed the topics from their point of view: Dave Bailey, Galaxy Computer Services; Steve Lodin, Purdue University COAST Project & Delco Electronics Corp; Carolyn Turbyfill, Sun Microsystems; Toney Jennings, Trident Data Systems; Pete Hammes, ASSIST; Susan Odneal, Kaiser Permanente; and Dan Essin, USC.

Steve spoke from his experience as a system administrator at Delco Electronics Corp. He looked at customer requirements as present requirements, future requirements, and the grand vision. Present requirements stress quick solutions that can avert the main threat and patch the currently poor state of security to some reasonable, but not necessarily perfect, state. This means mainly perimeter defense to protect against outside threats. He did not spend much time on the grand vision, basically a perfect world without any threats, because what prevention cannot ward off, a highly configurable, reliable, and functionally correct IDS can detect and lead to almost instantaneous correction. The most interesting part of the talk was therefore the future requirements. Steve expanded the metaphor of perimeter defense to a more active border patrol providing firewall functionality, auditing capabilities, and an inclusion of future technologies such as mobile networking that will disrupt and blur the definition of a perimeter. All existing and future platforms of operating systems and networking technology have to be supported in a uniform way. A special role of support will fall to the vendors. He also raised the question of why the vendor community was represented so poorly at the workshop, a point that was picked up in later talks and extensively discussed. Final points included next generation network protocols such as IPv6 and the necessity of multinational support for virtual network perimeters.

Toney Jennings and Tim Grance talked about the implementation of DIDS at an Air Force site with more than 250 workstations.
The requirements for the product were generated after the product was implemented. Test sites seemed to get more interested in the product because of its network management capabilities than because of its original purpose. Susan Odneal talked about the restructuring that Kaiser Permanente is going through and the effects it will have on their security requirements.

In conclusion, the workshop was enlightening. The need for more vendor representation was apparent. The participants concluded that there is a need for another workshop next year. For more information about any particular session, contact the individual speakers. Workshop proceedings will be available later; contact Matt Bishop for more information.

______________________________________________________________________
Fifth Conference on Computers, Freedom, and Privacy (CFP '95)
Report by Lorrie Faith Cranor
______________________________________________________________________

Please see URL http://www.ccrc.wustl.edu/pub/lorracks/papers/cfp95.html for the full report, which includes pointers to many other places.

______________________________________________________________________
Oakland Security and Privacy Symposium Update: Poster sessions available; Book sale announced; 802.10 & P1363 to meet
______________________________________________________________________

Plans for the coming 1995 IEEE Symposium on Security and Privacy continue to mature, and the hotel's room block is nearly filled. The Symposium meets 8-10 May at the Claremont Resort in Oakland, California (or Berkeley, if you enter from the loading dock!). Program Chair Catherine Meadows reports an excellent response to the call for five minute talks on recent developments. Space for poster sessions is still available; contact Dale Johnson (dmj@mitre.org) if you would like to take advantage of this opportunity.
Cynthia Irvine (irvine@cs.nps.navy.mil) of the Naval Postgraduate School is arranging a display of technical books for sale from all publishers. If there are particular publishers or books you are interested in, please contact her.

A second standards meeting has been announced in conjunction with the Symposium: Ken Alonge (Alonge_Ken@po.gis.prc.com), chair of the IEEE 802.10 standards working group [Standard for Interoperable LAN/MAN Security (SILS)], invites public participation in a meeting to be held Wednesday, May 10 (pm), through Friday, May 12. Topics to be discussed include standards for key management and security management (802.10c and 802.10d). Send e-mail to Ken if you plan to attend.

As previously announced, Burt Kaliski (burt@rsa.com), chair of the IEEE P1363 working group [Standard for RSA, Diffie-Hellman, and Related Public-Key Cryptography], will chair a public meeting of that group from 1 to 6 p.m., Wednesday, May 10, 1995; please send him e-mail if you plan to participate.

________________________________________________________________________
Introduction to Cryptographic Standards
by Richard Ankney
________________________________________________________________________

This column describes a number of new and planned cryptographic standards. Many of the standards are being developed by ANSI X9F, which writes security standards for the financial services industry.

Financial Industry Security Standards (ANSI X9F)
-----------------------------------------------

The banking community has traditionally been more concerned about security than other industries (although this is changing). Various X9 committees developed a number of notable cryptographic standards during the 1980s, including:

   X9.9:  DES MAC (wholesale)
   X9.19: DES MAC (retail)
   X9.23: DES encryption (wholesale)
   X9.17: DES key management (wholesale)
   X9.24: DES key management (retail)

Since 1991, X9F has been working primarily on public key standards.
These include the following:

X9.30 is a three-part standard for irreversible public key algorithms. Part 1 of the standard is the NIST Digital Signature Algorithm. Part 2 is the NIST Secure Hash Algorithm. Part 3 deals with certificate management for DSA.

Recall that a certificate is a structure which binds a user's name to his/her public key, and is signed by a trusted third party called the Certification Authority (CA). CAs may be arranged in a hierarchy, for scalability. Certificates may be revoked prior to expiration and placed on the CA's certificate revocation list (CRL).

Part 3 defines operational controls and procedures for use of certificates. Controls are defined for distribution of a CA's public key, revocation of certificates for various reasons, protection of private keys, etc. The relevant data structures are specified using ASN.1. All information is contained in an X.509 (public key) certificate and attribute certificates, which contain additional information associated with a user. A new standard, X9.45 (see below), will define the use of attribute certificates for authorization of banking transactions. The standard also specifies formats for multiply signed certificates and transactions. Appendices deal with trust models, i.e., what certification authority (CA) do I trust, and how do I verify a chain of certificates from that CA to a certificate of interest, and other topics.

Part 3 also defines an extension mechanism for certificates and CRLs, which is also being adopted by ISO as part of X.509. The standard defines several CRL extensions, including a revocation reason (allowing different processing in the event of, say, a key compromise as opposed to a name change) and the ability to temporarily suspend, rather than revoke, a certificate. Part 3 is, to say the least, a fairly major piece of work.

Part 1 of the standard is awaiting publication.
Part 2 was published in early 1994 (although it must be updated to address SHA-1, since SHA was found to have a weakness). Part 3 is out for X9 ballot, after which there will be a public comment period prior to publication.

X9.31 is a three-part standard for reversible public key algorithms. Part 1 is the RSA signature standard, based on the existing ISO 9796 standard. It specifies a rather complex padding mechanism which provides an enormous amount of redundancy to protect against forgery. Part 2 specifies hash algorithms which may be used with RSA. These include the usual suspects (MD2, MD5, and SHA) as well as a DES-based hash proposed by IBM, MDC-2. Part 3 of X9.31 addresses certificate management, and is largely identical to Part 3 of X9.30. Part 1 has been through all ballots and public comment, and is awaiting resolution of the Public Key Partners dispute prior to publication. Due to some rather questionable procedural maneuvering on the part of some members of X9 (at least the way this author reads the X9 rules), work on the other parts has also been shelved for the time being.

X9.42 is a standard for Diffie-Hellman key agreement. Besides the standard Diffie-Hellman exchange, this standard defines a variant which can be used for store-and-forward applications. The variant uses the derived key and other random data provided (in the clear) by either or both parties as input to a hash function. The output from the hash function is used as the key. The astute reader will note that this algorithm behaves the same way as the key exchange algorithm used by the NSA Capstone chip, allowing its use as a drop-in replacement (at the application or API level). This standard will likely go to ballot in the fall of 1995.

X9.44 is a standard for transport of keys using RSA. The key(s) being transferred are concatenated with authentication information (e.g. the ID of the sender) to form an encryption block.
This block is then masked using the output of a hash function, the seed of which is also masked and concatenated to the block. This masking hides any structure which the block may have had. The block is then encrypted using an RSA public key. This standard is on the shelf until the PKP patent issues are resolved.

X9.45 defines enhanced management controls using attribute certificates. The digital signature control models put forward thus far do not contain sufficient security or authorization controls to offer a high-value non-repudiation service for either wholesale financial or other large scale commercial applications. This standard defines strategies for reducing the risks associated with digital signature systems. Much of this builds on the use of public key certificates and attribute certificates, as defined in X9.30 Part 3 and X9.31 Part 3. Attribute certificates are used to convey authorizations and restrictions that inform verifiers when an entity's signature would be considered valid, i.e., when the signature authorizes a document or transaction. These circumstances might include requirements, for example, that the monetary value be less than or equal to a specified dollar amount, or that another entity "cosign" the document. This standard will also define mechanisms for electronic timestamping and notarization of documents, as well as delegation of authority from one user to another.

X9.41 specifies mechanisms to manage security services. This standard is basically a protocol to negotiate security attributes between two entities (e.g., required security services, algorithms, crypto module requirements). It uses the IEEE 802.10c key management protocol as a base. This protocol is used to negotiate a key, which then protects the actual negotiation. IEEE 802.10c is described in more detail below.

There are also several standards that are new enough to not have numbers assigned. There is a fairly complete draft of a certificate extensions standard.
This is being coordinated with ISO.

- An entity may, in general, have multiple certificates, stored in its directory entry. To assist in determining which certificate is needed to verify a signature, a key identifier may appear in the certificate. The key identifier of the CA certificate needed to verify the signature on a (user) certificate may also appear in the user certificate. Similarly, a certificate may indicate the intended usage of the public key (signature, encryption, etc.).

- Certificates may be used in environments where multiple policies apply. Thus, a certificate may indicate the policies with which it may be used. Qualifier information may be associated with the policy identifier, for use by the application. Additionally, a certificate may be restricted to use with particular policies and key usages.

- To facilitate use by applications based on other types of names than X.500 names, the certificate may contain additional name forms (e.g. Internet mail addresses). Other identifying information needed to ensure the identity

- The private key used to sign a document may be used over a different (much shorter) period than the public key used to verify the signature, which may be subject to regulations regarding record retention. A private key validity period may be included in the certificate.

- There is also a requirement to automate the verification of a certification path. This includes situations where the path crosses multiple certificate policy domains. A path must be verifiable without requiring human intervention, and without knowledge of specific policies by the verifier. Policy knowledge is required by a CA when issuing a certificate containing a policy identifier, and the verifier must indicate a set of acceptable policies, but the verification logic is not required to perform any processing beyond byte-by-byte comparison of policy identifiers.

- There is also a need to constrain the length and structure of a certification path.
This includes mechanisms to distinguish end user certificates from CA certificates, to limit the certification path length, and to restrict the namespace for which a CA can certify.

- For CRLs, it must be possible to unambiguously detect CRL issuance, regardless of the CRL distribution strategy; a CRL serial number is defined for this purpose. It must also be possible to constrain the size of CRLs, by partitioning the CRL into pieces (e.g. CA vs. user certificates, or by revocation reason), or by issuing "delta CRLs" which only contain revocations since the last CRL.

Finally, work has just started on a standard proposed by the Federal Reserve. This standard is for triple DES, as an alternative to the single DES algorithm used in, for example, the current X9.23 standard for message encryption.

--------------------------------------------------------------
ANSI X12

X12.58 (version 2) defines EDI security structures. Security is implemented using security headers and trailers to encapsulate data at either of the two levels (individual transaction or functional group) within an EDI interchange. Encryption, authentication (MACs), and assurances (digital signatures) are supported. Encryption uses symmetric algorithms, with key management using either symmetric or public key cryptography to envelope the symmetric key used to encrypt a transaction. The standard allows for multiple signatures, which may be computed over the transaction, previous signatures on the transaction ("countersignatures"), or both. Signers may include timestamps, signature purpose, and other information in the signature computation as well. This standard is currently in ballot.

--------------------------------------------------------------
IEEE

IEEE 802.10c specifies a key management protocol for use by lower layers in the protocol stack. (The protocol itself runs at the application layer.) 802.10c is also the basis of ANSI X9.41, and will also be progressed in ISO.
The protocol consists of two exchanges. The first establishes a symmetric key (by selecting a manually established key, using public key techniques, or using a key distribution center), and the second negotiates security attributes appropriate to the calling protocol or application. This means, for example, that X9.41 can merely define an appropriate set of attributes and use the key establishment mechanisms defined by IEEE (or they could alternatively define their own mechanisms).

--------------------------------------------------------------
DoD

The Message Security Protocol (MSP) is designed for use in the Defense Message System (DMS). It specifies a security "wrapper" for X.400 message contents. Services include authentication, integrity, and non-repudiation (using DSS signatures), and encryption (using Skipjack, and the Capstone Key Exchange Algorithm for key management, i.e. deriving per-recipient keys to encrypt the message encryption key). MSP is an excellent example of a secure message encapsulation protocol, although one could argue it depends too much on the use of public key algorithms.

--------------------------------------------------------------
ITU-T (formerly CCITT)

X.400 (1988) also provides a plethora of security services, but these are implemented within the message envelope rather than as part of the message content. (Recall MSP is effectively part of the message content, with the real message content embedded inside it. This means it can be conveyed over any X.400 (or other) mail transport, regardless of "vintage".) Besides the end-to-end services mentioned above, a variety of services internal to the message transfer service itself are provided, e.g., authentication between adjacent components, proof of submission of messages, authentication of delivery reports, proof of delivery (signed receipts), etc. X.435 (1991) defines a means to convey EDI over X.400, and builds additional security services on top of those defined in X.400.
--------------------------------------------------------------
ASTM

E31.20 defines a standard for authentication of health care information. The cryptographic portion is basically taken from ANSI X9.30 Part 3, with particular emphasis on use of multiple signatures with different purposes (author, transcriptionist, reviewer, etc.). The standard also specifies requirements for secure user authentication, and contains some tutorial material on biometric authentication, trusted timestamping, etc. This standard is currently out for the first of what will likely be several ballots, as there is some movement to attempt to grandfather in existing "closed" (e.g. mainframe-based) medical record systems.

--------------------------------------------------------------
Internet RFCs and Drafts

Most CIPHER readers are probably familiar with RFCs 1421-1424, i.e. Privacy Enhanced Mail. These standards define a format for securing RFC 822 messages, using digital signatures and encryption. In many respects, this is a "7-bit" version of MSP (not surprising, considering at least one key person worked on both protocols). RFC 1422 defines a top-down certification infrastructure, where the world is divided into multiple "policy domains" (e.g., high assurance, low assurance) based on the CAs toward the top of the hierarchy.

Since PEM and MIME were developed in parallel, there was originally little interaction between the two groups. Recently, however, draft RFCs were published specifying the provision of PEM services using MIME. PEM headers conveying signature and key management information were effectively placed in separate body parts, rather than as header lines in front of the actual message. This seems to be a more elegant and flexible solution, since it can be extended by simply specifying new MIME body parts. Additionally, non-certificate-based key management is allowed.
For example, public keys can be conveyed (along with identification information) in the appropriate body part, which is simply signed by a (hopefully trusted) third party. This allows construction of PGP-like key management models in the MOSS (MIME Object Security Services) framework.

Other cryptographic mechanisms are being defined for securing HTTP, the protocol used by the World Wide Web. The two camps seem to be: Secure HTTP, which simply encapsulates HTTP messages inside PEM or PKCS #7 (see below), and the Secure Sockets Layer (SSL), which runs below HTTP (or any other protocol) and above TCP. SSL secures a client/server session by authenticating the server to the client (and optionally vice versa), and encrypting and MACing data under keys derived during session establishment. Time (and the market) will tell which protocol will survive, although at least one vendor is hedging its bets by supporting both.

----------------------------------------------------------------------
Cryptographic API Standards

There is a great deal of interest in the use of cryptographic APIs to isolate application developers from crypto details. This interest comes from standards bodies (particularly X9), vendor consortia (X/Open), and government agencies (NIST, NSA, etc.). Here's a brief description of the APIs of interest to X9. These APIs are at different "layers of abstraction", and an appropriate one would be selected based on the cryptographic awareness of the application.

The Generic Security Services API (GSS-API) is a high-level API which provides session-oriented security services (confidentiality, integrity, authentication and non-repudiation) between "crypto-oblivious" applications. The application MAY select particular mechanisms (e.g. Kerberos, or public key authentication) but in general would use defaults. The only calls needed are to initiate secure communications with a partner, "protect" each message being sent, and terminate the dialog when appropriate.
The first version of GSS-API is RFC 1508; incremental upgrades are being made, and there is currently an Internet draft of version 2 of GSS-API. The Independent Object Protection (IOP) variant of GSS-API supports store-and-forward applications, where the sender does not actually establish a session with the recipient. Again, a minimal number of calls are necessary to secure a message. This is currently a draft, and will likely progress to RFC in April.

X/Open is developing a Generic Crypto Services API, which provides more direct access to services like encryption, hashing, signature computation, and key management algorithms. The API allows for the establishment of cryptographic contexts, and sharing of contexts between applications. This "layer" would be used to implement the mechanisms used by GSS-API and its IOP variant. It is hoped that X/Open will publish this around the end of 1995. X/Open solicits contributions from other standards bodies and individuals.

Cryptoki (PKCS #11) is an abstract token interface API developed by RSA Data Security. It is the only API to deal directly with issues of object management within a token, session establishment with a token, etc. A final version of this API is expected in a few weeks, although it appears it will not be as algorithm-independent as the previous drafts.

---------------------------------------------------------------------
RSADSI Public Key Cryptography Standards (PKCS)

RSADSI and its licensees have produced a number of other important de facto standards.

PKCS #1 (RSA Encryption and Signature) defines padding rules and other details when using RSA.

PKCS #3 (Diffie-Hellman) defines ASN.1 structures and algorithmic details for Diffie-Hellman key agreement.

PKCS #5 (Password-based Encryption) defines a mechanism to derive a symmetric key from a "password", using a hash algorithm.

PKCS #6 (Extended Certificate Syntax) defines a way to extend a certificate by adding arbitrary attributes to it.
This appears to have been overtaken by events (i.e. the ISO work in this area results in a simpler structure).

PKCS #7 (Cryptographic Message Syntax) defines ASN.1 structures for signed and/or encrypted messages. This formed the basis for the ANSI X9 work on multiply signed structures and the like. Unfortunately, the two are not identical.

PKCS #8 (Private Key Information Syntax) defines ASN.1 structures to convey private keys (with associated attributes) as cleartext and in encrypted form.

PKCS #9 (Selected Attribute Syntaxes) defines attributes for use with the above standards.

PKCS #10 (Certificate Request Syntax) defines ASN.1 structures for requesting the issuance of a certificate. (Needless to say, this forms the basis of an equivalent structure in X9.30 Part 3.)

PKCS #11 (Abstract Token Interface API) was discussed above.

________________________________________________________________________
World-Wide Web Security Standards
Culled from recent published reports by the editor
________________________________________________________________________

Ferment in Security Standards for the World Wide Web
++++++++++++++++++++++++++++++++++++++++++++++++++++

An article in INFOWORLD, March 13, 1995, p.3, "Web consortium leans toward SHTTP," by Karen Rodriguez, reports that at a security working group meeting, a show of hands of World Wide Web Consortium (W3C) members favored SHTTP, an implementation of the RSA Data Security Inc. encryption standard developed by Enterprise Integrated Technologies Inc. (EIT), as a standard for Web-based encryption and authentication. The article also notes that Netscape Communications Corp. is promoting its Secure Socket Layer (SSL) as an alternative standard. The article quotes an unnamed source from Microsoft as asserting that SSL is a near-term, practical solution, while SHTTP is "longer term."
In a "clarification" dated 3 March, Tim Berners-Lee, director of the W3 consortium, cautioned that despite "a strong sentiment" expressed at the 22 February W3C Security Group that a W3C security protocol could proceed from an existing commercial design through adding features from other designs, this suggestion should not be taken as an endorsement of any base design. See URL http://www.w3.org/hypertext/WWW/Security/News/950303_Statement for Berners-Lee's clarification.

Netscape has recently released a reference implementation of SSL, which encrypts data between client and server, free (for noncommercial purposes). A discussion of Netscape's position on SSL, security, and standards generally is available at URL http://home.mcom.com/info/open-standards.html

EIT provides answers to frequently asked questions about secure Mosaic and secure httpd, as well as a pointer to the latest Internet draft for SHTTP, at URL http://www.eit.com/projects/s-http/faq.html

Update
++++++

In a press release dated March 20, Netscape Communications Corp. announced support for its SSL protocol from about 20 companies, including Apple Computer, Inc., Bank of America, ConnectSoft, Delphi Internet Services Corporation, Digital Equipment Corporation, First Data Corporation, IBM, MarketNet, MasterCard International Inc., MCI Communications Corp., Microsoft Corporation, Novell, Inc., Open Market, Prodigy, Silicon Graphics, Inc., StarNine, Sun Microsystems, Inc., Visa International, and Wells Fargo. See http://home.mcom.com/info/newsrelease17.html for their announcement.

________________________________________________________________________
Calls for Papers (new listings since last issue only)
________________________________________________________________________

(see also Calendar)

o Conferences

Listed earliest deadline first. See also Cipher Calendar and NRL CHACS CFP list.
o Fourth International Conference on Deductive and Object-Oriented Databases, 4-7 December 1995, Singapore. Topics of interest include security and integrity enforcement. Submit five copies of papers up to 5,000 words in length (in English) to the regional program co-chair: Alberto Mendelzon (mendel@db.toronto.edu), Americas; Laurent Vieille (L.vieille@frcl.bull.fr), Europe; Tok Wang Ling (lingtw@iscs.nus.sg), Far East; not later than 15 April 1995.

o ACM International Conference on Mobile Computing and Networking 1995, 14-15 November 1995, Berkeley, California. Topics of interest include security, scalability and reliability issues for mobile/wireless systems. Electronic submission: e-mail contributions of 15 pages or less in PostScript version 2 or later to mcn95-submission@cs.columbia.edu not later than 17 April 1995.

o Fourteenth International Conference on Object-Oriented and Entity Relationship Modelling (formerly the Entity-Relationship Conference), 13-15 December 1995, Gold Coast, Queensland, Australia. Send five copies of "original and compelling" papers up to 5000 words to Mike Papazoglou (mikep@icis.qut.edu.au) not later than 21 April 1995. Panel and tutorial proposals also solicited.

o Ninth International Workshop on Distributed Algorithms (WDAG-9), 13-15 September 1995, Le Mont Saint Michel, France. Topics of interest include mechanisms for security in distributed systems, fault-tolerant algorithms, self-stabilizing algorithms, and algorithms for managing replicated data. Submit 15 copies (hard-copy only) of a paper of up to 15 pages, including a 150 word abstract, to Jean-Michel Hélary or Michel Raynal ({helary | raynal}@irisa.fr) not later than 21 April 1995.

o Twelfth International Conference on Data Engineering, 26 Feb. - 1 March 1996, New Orleans, Louisiana. Topics of interest include network databases and security. Submit 6 copies (hard-copy only) of up to 25 pages (6000 words) not later than 31 May 1995 to Stanley Y. W. Su, icde96@cis.ufl.edu.
o Journals

- Journal of the Brazilian Computer Society Special Issue on Databases, April 1996. Suggested topics include integrity and security. Submit 5 copies of your paper (about 20 A4 pages or 8000 words) to Alberto H. F. Laender (laender@dcc.ufmg.br) by 2 October 1995. Details available at http://www.dcc.unicamp.br/~jbcs.

________________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 1: Conference Papers
________________________________________________________________________

Papers to be presented at the 8th IEEE Computer Security Foundations Workshop (CSFW-8), Dromquinna Manor, Kenmare, County Kerry, Ireland, June 13-15, 1995, as announced 21 March 1995 in the Preliminary Program.

o The Composability of Non-Interference, Aris Zakinthinos and E.S. Lee (University of Toronto)
o Composing and Decomposing Systems under Security Properties, A.W. Roscoe and L. Wulf (Oxford University)
o Algebraic Properties of System Composition in the Loral, Ulysses and McLean Trace Models, A.P. Maneki (DoD, U.S.A.)
o Optimal Authentication Protocols Resistant to Password Guessing Attacks, Li Gong (SRI International)
o Key Distribution without Individual Trusted Authentication Servers, Liqun Chen, Dieter Gollmann, and Christopher Mitchell (Royal Holloway, University of London)
o Towards a Classification of Key Agreement Protocols, Colin Boyd (University of Manchester)
o An Augmentation of BAN-Like Logics, Wenbo Mao (HP Laboratories, Bristol)
o The Security Checker: a Semantics-Based Tool for the Verification of Security Properties, R. Focardi, R. Gorrieri, and V. Panini (University of Bologna)
o Implementation of a Discretionary Access Control Model for Script-based Systems, Trent Jaeger and Atul Prakash (University of Michigan)
o Building Higher Resolution Synthetic Clocks for Signaling in Covert Timing Channels, John Janeri, Daniel Schnackenberg, and Daylan Darby (The MITRE Corporation and Boeing Defense and Space Group)
o Modelling and verifying key-exchange protocols using CSP and FDR, A.W. Roscoe (Oxford University)
o Using Temporal Logic to Specify and Verify Cryptographic Protocols, James W. Gray, III and John McLean (H.K. Univ. of Science and Technology and U.S. Naval Research Lab)
o Concurrency Control for Federated Multilevel Secure Database Systems, I.E. Kang and T.F. O'Keefe (GTE Laboratories and Pennsylvania State University)
o Specifying Security for CSCW Systems, Simon Foley and Jeremy Jacob (University College, Cork, and University of York)
o The Epistemic Representation of Information Flow Security in Probabilistic Systems, Paul F. Syverson and James W. Gray, III (U.S. Naval Research Lab and H.K. Univ. of Science and Technology)
o Connection Policies and Controlled Interference, William R. Bevier, Richard M. Cohen, and William D. Young (Computational Logic, Inc.)
============================================================
Security and privacy related papers extracted from
INET'95 Preliminary Program
============================================================

o A Simple Active Attack Against TCP, Laurent Joncheray;
  lpj@merit.edu
o Secure TCP -- Providing Security Functions in TCP Layer,
  Toshiyuki Tutumi; tosiyu-t@is.aist-nara.ac.jp
o Measured Interference of Network Security Mechanisms with Network
  Performance, K Claffy; kc@upeksa.sdsc.edu
o A Distributed Authorization Model for WWW, Jose Kahan;
  kahan@ccett.fr
o Using Public Key Technology - Issues of Binding and Protection,
  James Galvin; galvin@tis.com
o Simple Key-management for Internet Protocol (SKIP),
  Carolyn Turbyfill; carolyn.turbyfill@eng.sun.com
o Using the Internet to Decrease Software Piracy, Ralf Hauser;
  hauser@acm.org
o Digital Cash and Monetary Freedom, Jon Matonis;
  74774.3663@compuserve.com
o CyberCash: Payments Systems for the Internet, Stephen Crocker;
  crocker@cybercash.com
o Internet Policy Issues in New Zealand, Colin Jackson;
  colin.jackson@comms.moc.govt.nz
o Censorship and Internet: A Singapore Perspective, Hwa Ang Peng;
  mcmangph@leonis.nus.sg
o Issues in the Transborder Flow of Scientific and Technical Data,
  Paul Uhlir; puhlir@nas.edu

________________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 2: Journal and Newsletter Articles, Book Chapters
________________________________________________________________________

o Journal of Computer Security, Vol. 2, No. 4 (1993) [received 3/22/95]:
  - J.D. Horton, R.H. Cooper, W.F. Hyslop, B.G. Nickerson, O.K. Ward,
    R. Harland, E. Ashby, and W.M. Stewart. The cascade vulnerability
    problem. pp. 279-290.
  - J.T. Trostle. Modelling a fuzzy time system. pp. 291-309.
  - V. Atluri, E. Bertino, and S. Jajodia. Achieving stricter
    correctness requirements in multilevel secure database management
    systems. pp. 311-351.

o IEEE Trans. on Software Engineering, Vol. 21, No. 3 (Mar 1995):
  - K. Ilgun, R.A. Kemmerer, and P.A. Porras. State transition
    analysis: a rule-based intrusion detection approach. pp. 181-199.

o Information Processing Letters, Volume 53, Number 2, February 1995
  (thanks to Anish Mathuria for this entry):
  - Chae Hoon Lim, Pil Joong Lee. Several practical protocols for
    authentication and key exchange. pp. 91-96.
  - Tzonelih Hwang, Yung-Hsiang Chen. On the security of SPLICE/AS -
    The authentication system in WIDE Internet. pp. 97-101.
  - Tzonelih Hwang, Narn-Hih Lee, Chuan-Ming Li, Ming-Yung Ko,
    Yung-Hsiang Chen. Two attacks on Neuman-Stubblebine authentication
    protocols. pp. 103-107.

________________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 3: Books
________________________________________________________________________

o Stallings, W. Network and Internetwork Security Principles and
  Practice. Prentice Hall, Englewood Cliffs, NJ, ISBN 0-02-415483-0,
  1995, 462pp., $53.95.

________________________________________________________________________
Calendar
________________________________________________________________________

The Internet Conference Calendar, URL:
http://www.automatrix.com/conferences/ is also worth a look.

Dates              Event, Location          Point of Contact/
                                            more information
-----              ---------------          ----------------------------
====================================================================
See Calls for Papers section for details on many of these listings.
====================================================================
 4/10/95: CPAC '95 submissions due; cpac@fit.qut.edu.au
 4/15/95: DOOD '95 submissions due; mendel@db.toronto.edu
 4/17/95: MCN '95 submissions due; mcn95-submission@cs.columbia.edu
 4/21/95: OOER '95 submissions due; mikep@icis.qut.edu.au
 4/30/95: ICECCS '95 submissions due; alex@vulcan.njit.edu
 5/ 1/95: CISMOD '95 papers due; bhalla@u-aizu.ac.jp
 5/ 1/95- 5/ 6/95: 6th Nat'l OPSEC Conf, Albuquerque; (301)982-0720
 5/ 7/95- 5/12/95: IEEE S&P 95; dmj@mitre.org (registration)
 5/ 9/95- 5/11/95: IFIP/SEC '95, Capetown; IFIPSEC95@RKW.RAU.AC.ZA
 5/16/95- 5/19/95: 7th CCSS, Ottawa; CCSS7@cse.dnd.ca
 5/18/95- 5/19/95: SAC '95, Ottawa; sac95@scs.carleton.ca
 5/22/95- 5/24/95: Eurocrypt '95, France; iacr95@ccett.fr
 5/31/95: ICDE '96 submissions due; icde96@cis.ufl.edu
 5/31/95: ACSAC '95 submissions due; smith@arca.va.com
 6/ 1/95: JCMC iss.: elect. commerce; papers due; steinfield@tc.msu.edu
 6/ 5/95- 6/ 7/95: 5th USENIX Sec Symp, Utah; conference@usenix.org
 6/13/95- 6/15/95: CSFW-8, Ireland; s.foley@cs.ucc.ie
 6/26/95- 6/30/95: COMPASS '95; BONNIE.DANNER@trw.sprint.com
 6/27/95- 6/30/95: INET '95; http://www.isoc.org/inet95.html
 7/ 1/95: CCS-3 papers due; gong@csl.sri.com or Jacques.Stern@ens.fr
 7/ 3/95- 7/ 5/95: CPAC '95, Australia; cpac@fit.qut.edu.au
 7/29/95- 8/ 4/95: SFTC-VI, Canela, Brazil; VISCTF@inf.ufrgs.br
 7/31/95: 5th IMACCC papers due; colin.boyd@man.ac.uk
 8/13/95- 8/16/95: IFIP WG11.3, New York (RPI); ting@eng2.uconn.edu
 8/22/95- 8/25/95: NSPW '95, San Diego (UCSD); meadows@itd.nrl.navy.mil
 8/27/95- 8/31/95: Crypto '95, Santa Barbara; tavares@ee.queensu.ca
 8/28/95- 8/30/95: MMDMS, Blue Mt. Lake, NY; nwosuck@harpo.wh.att.com
 9/ 5/95- 9/ 6/95: MDS-95, York, England; IMACRH@V-E.ANGLIA.AC.UK
 9/13/95- 9/15/95: WDAG-9, Le Mont St. Michel, France; raynal@irisa.fr
 9/17/95- 9/20/95: HPTS 95, Asilomar, CA; neowens@vnet.ibm.com
 9/20/95- 9/21/95: IT-Sicherheit '95, Graz; rposch@iaik.tu-graz.ac.at
 9/20/95- 9/23/95: IC3N '95, Las Vegas; kia@unlv.edu
 9/21/95- 9/22/95: ICI '95, Washington DC; denning@cs.georgetown.edu
 9/27/95- 9/29/95: DCCA-5, Champaign, IL; no e-mail address available
10/ 2/95: JBCS spec. issue on DBMS papers due; laender@dcc.ufmg.br
10/10/95-10/13/95: NISS-18, Baltimore, MD;
                   NISS_Conference@Dockmaster.ncsc.mil
11/ 1/95: IS iss. on disaster recov.; papers due; agrawal@cs.ucsb.edu
11/ 6/95-11/10/95: ICECCS '95, Fort Lauderdale; alex@vulcan.njit.edu
11/15/95-11/17/95: CISMOD '95, Bombay; bhalla@u-aizu.ac.jp
11/30/95: ACM Computer Security Day; computer_security_day@acm.org
12/ 4/95-12/ 7/95: DOOD '95, Singapore; mendel@db.toronto.edu
12/11/95-12/15/95: ACSAC '95, New Orleans; smith@arca.va.com
12/13/95-12/15/95: OOER '95, G.C., Australia; mikep@icis.qut.edu.au
12/18/95-12/20/95: 5th IMACCC, Cirencester, UK; colin.boyd@man.ac.uk
 2/26/96- 3/ 1/96: ICDE '96, New Orleans; icde96@cis.ufl.edu
 3/14/96- 3/16/96: CCS-3, New Delhi; gong@csl.sri.com or
                   Jacques.Stern@ens.fr
 4/30/96- 5/ 3/96: 8th CCSS, Ottawa; no e-mail address available
 5/ 5/96- 5/ 8/96: IEEE S&P 96; no e-mail address available
 5/21/96- 6/24/96: IFIP/SEC 96 - Greece; no e-mail address available
11/??/96: ESORICS '96, Rome, Italy; no e-mail address available
 5/ 4/97- 5/ 7/97: IEEE S&P 97; no e-mail address available
 5/13/97- 5/16/97: 9th CCSS, Ottawa; no e-mail address available
 5/12/98- 5/15/98: 10th CCSS, Ottawa; no e-mail address available
 5/11/99- 5/14/99: 11th CCSS, Ottawa; no e-mail address available
 5/16/00- 5/19/00: 12th CCSS, Ottawa; no e-mail address available

Key:
====
ACSAC = Annual Computer Security Applications Conference
CCS-3 = 3rd ACM Conference on Computer and Communications Security
CCSS = Annual Canadian Computer Security Symposium
CISMOD = International Conf. on Information Systems and Management of
         Data
CPAC = Cryptography - Policy and Algorithms Conference
CSFW = Computer Security Foundations Workshop
DCCA = Dependable Computing for Critical Applications
DOOD = Conference on Deductive and Object-Oriented Databases
ESORICS = European Symposium on Research in Computer Security
FISSEA = Federal Information Systems Security Educators' Association
HPTS = Workshop on High Performance Transaction Systems
IC3N = Int. Conference on Computer Communications and Networks
ICDE = Int. Conf. on Data Engineering
ICI = International Cryptography Institute
ICECCS = Int. Conference on Engineering of Complex Computer Systems
IEEE S&P = IEEE Symposium on Security and Privacy
IFIP/SEC = International Conference on Information Security (IFIP TC11)
IFIP WG11.3 = IFIP WG11.3 9th Working Conference on Database Security
IMACCC = IMA Conference on Cryptography and Coding
INET = Internet Society Annual Conference
IS = Information Systems (journal)
ISOC-Symp = Internet Society Symposium on Network and Distributed
            System Security
IT-Sicherheit '95 = Communications and Multimedia Security: Joint
            Working conference of IFIP TC-6 and TC-11 and Austrian
            Computer Soc.
JBCS = Journal of the Brazilian Computer Society
JCMC = Journal of Computer Mediated Communication
MCN '95 = ACM Int. Conf. on Mobile Computing and Networking
MDS '95 = Second Conference on the Mathematics of Dependable Systems
MMDMS = First Int. Wkshop on Multi-Media Database Management Systems
NCSC = National Computer Security Conference
NISS = National Information Systems Security Conference
NSPW = New Security Paradigms Workshop
OOER = Fourteenth Int. Conf. on Object-Oriented and Entity Relationship
       Modelling
SAC '95 = 2nd Annual Workshop on Selected Areas of Cryptography
SFTC-VI = Symposium on Fault Tolerant Computing - VI (Brazil)
USENIX Sec Symp = USENIX UNIX Security Symposium
WDAG-9 = Ninth Int. Workshop on Distributed Algorithms

________________________________________________________________________
Who's Where: recent address changes
________________________________________________________________________

Deborah Cooper
P.O. Box 17753
Arlington, VA 22216
(703)908-9312 voice and fax
dmcooper@ix.netcom.com

________________________________________________________________________
Interesting Links [new entries only]
________________________________________________________________________

Format: URL (first line) followed by description

Government sources/information:
-------------------------------
http://www.dtic.dla.mil/iac
    DoD Information Analysis Center (IAC) Hub Page
http://ciac.llnl.gov/cstc/
    Computer Security Technology Center at Lawrence Livermore National
    Lab

Professional societies and organizations:
-----------------------------------------
http://www.automatrix.com/conferences/
    The Internet Conference Calendar

Other places for interesting research papers and announcements
--------------------------------------------------------------
ftp://ftp.win.tue.nl/pub/security/satan_doc.README
    List of sites where SATAN is available; (among these is the COAST
    archive at Purdue http://www.cs.purdue.edu/coast/coast.html/)
http://java.sun.com and
http://java.sun.com/1.0alpha2/doc/security/security.html
    HotJava(tm): The Security Story -- if you are concerned about
    security in Web browsers
http://www.bsa.org/bsa/docs/encsrvy.html
    Encryption Software Marketing Survey for US Dept. of Commerce --
    Responses due 15 April 1995
http://julmara.ce.chalmers.se/stefan/WWW/Cyberlinks/security.html
    Stefan Petersson, Chalmers University (Gothenburg, Sweden)
http://www.zurich.ibm.ch/Technology/Security/sirene/index.html
    Sirene: security web page at IBM-Zurich; many links

________________________________________________________________________
TC Publications for Sale
________________________________________________________________________

Yes! Still occupying a corner of my office are surplus copies of the
proceedings of the Oakland conference (199N IEEE Symposium on Research
in Security and Privacy) available for purchase by TC members at
favorable rates. Current issues in stock and prices are as follows:

        Price by mail from TC   IEEE CS Press       IEEE CS Press
Year    to TC members           IEEE member price   List Price
----    ---------------------   -----------------   -------------
1992    $15                     $43                 $86
1993    $20                     $30                 $60
1994    $30                     $30+$4 S&H          $60+$5 S&H

For overseas delivery:
  -- by surface mail, please add $5 per order (3 volumes or fewer)
  -- by air mail, please add $10 per volume to the prices listed above.

If you would like to place an order, please send a letter specifying
  o which issues you would like,
  o where to send them, and
  o a check in US dollars, payable to the 1995 IEEE Symposium on
    Security and Privacy
to:
        Charles N. Payne
        Treasurer, IEEE TC on Security and Privacy
        Code 5542
        Naval Research Laboratory
        Washington, DC 20375-5337
        U S A

Sorry, we are (still) not ready for electronic commerce!

________________________________________________________________________
TC Officer Roster
________________________________________________________________________

Chair:
    Terry Vickers Benzel
    Trusted Information Systems
    11340 W. Olympic Blvd, Suite 265
    Los Angeles, CA 90064
    (310) 477 - 5828
    tcvb@la.tis.com

Vice Chair:
    Deborah Cooper
    P.O. Box 17753
    Arlington, VA 22216
    (703)908-9312 voice and fax
    dmcooper@ix.netcom.com

Newsletter Editor:
    Carl Landwehr
    Code 5542
    Naval Research Laboratory
    Washington, DC 20375-5337
    (202)767-3381
    Landwehr@itd.nrl.navy.mil

Standards Subcommittee Chair:
    [watch this space!]

________________________________________________________________________
Information for Subscribers and Contributors
________________________________________________________________________

SUBSCRIPTIONS: To subscribe, send e-mail to (which is NOT automated)
with subject line "subscribe".
To remove yourself from the subscription list, send e-mail to
cipher-request@itd.nrl.navy.mil with subject line "unsubscribe".
Those with access to hypertext browsers may prefer to read Cipher that
way. It can be found at URL
http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher

CONTRIBUTIONS: to are invited. Cipher is a NEWSletter, not a bulletin
board or forum. It has a fixed set of departments, defined by the Table
of Contents. Please indicate in the subject line for which department
your contribution is intended. For Calendar entries, please include an
e-mail address for the point-of-contact.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS
APPLY. All reuses of Cipher material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy,
publications using Cipher material should obtain permission from the
contributors.

ARCHIVES: Available at URL
http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher/cipher-archive.html

========end of Electronic Cipher Issue #5, 10 April 1995================