Subject: Electronic CIPHER, Issue 4, March 10, 1995

====================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 4                                    March 10, 1995
Carl Landwehr, Editor
====================================================================

Contents:

  Letter from the Chair
  Letter from the Editor -- with Quiz!
  Security and Privacy News Briefs:
    o Internet security (lack) in the news
    o Could better security have saved Baring's?
    o US legislative notes
    o Mass declassification of US imagery
    o Triple DES standard to be developed
  Conference News and Reports:
    o Oakland program released
    o IEEE P1363 PK crypto std group to meet at Oakland
    o NCSC becomes NISS
  Citing Cipher
  Calls for papers: 8 conferences, 1 journal
  Reader's guide to recent security and privacy literature
    Paper lists from conferences: Oakland, IFIP/SEC, etc.
    Relevant papers from recent journals and periodicals
    Recent books
  Calendar: first event listed for the year 2000
  Who's Where: recent address changes
  Interesting Links - 7 new places to surf
  TC publications for sale!
  TC officers
  Information for Subscribers and Contributors

______________________________________________________________________
Letter from the TC Chair
______________________________________________________________________

It is hard to believe that it is already March. The two major
TC-sponsored events, the Security and Privacy Symposium, May 8 - 10,
in Oakland, California, and the Computer Security Foundations
Workshop, June 13-15, in Kerry, Ireland, are just around the corner.
Look for more details about both of these events elsewhere in this
newsletter. We will be holding our annual TC meeting in conjunction
with the Security and Privacy Symposium. Please plan on attending and
seeing how you can get more involved with your TC!

As I mentioned in January, we need to establish a nominating committee
and balloting process for electing TC Chairs. I am looking for
volunteers to form a nominating committee. In addition to the
nomination process, this committee will also need to define a balloting
process which meets the TAB guidelines. So far I have had only one
volunteer! Please contact me and help with this important job.

Terry Vickers Benzel
Chair, Technical Committee on Security and Privacy

______________________________________________________________________
Letter from the Editor
______________________________________________________________________

In lieu of a February Cipher, you should have received the Oakland
advance program and registration information. If you checked the Cipher
Web page in mid-February, however, you may have seen updates to the
reader's guide, new calls for papers, and additions to the calendar as
well as a few other items that are being e-mailed in this issue.

Quiz time: I'll send a free copy of the Oakland proceedings from any of
the last three years to the first person who sends me the correct
identification (author, year, paper title) of the following quote,
which Cathy Meadows noticed recently. [Hint: it was published in an
Oakland proceedings. Sorry, NRLers not eligible!]

  While useful for allowing users of various security levels to share
  common hardware, the original problem that they were designed to
  solve, security kernels are less than ideal for solving applications
  that are truly multilevel, the problem that now needs to be
  addressed. ... Security kernels were first justified as a basis for
  allowing users having multiple clearances to share common hardware.
  As hardware costs have plummeted, this original justification needs
  to be rethought. The emerging problem appears to be the inability to
  communicate and process information effectively at multiple levels
  without imposing unnecessary constraints on users. ... One method
  for maximizing the near term applications of security kernels ... is
  to rely more on physical isolation and cryptography. Consider the
  following secure architecture. A security kernel ... is at the hub
  of a distributed system that is to be used for calculating and
  processing information. The actual calculation and data processing
  exists on nonsecure traditional operating systems that are appended
  to this hub. These "engines" provide the horse power for the
  architecture. File storage could be provided by appending another
  untrusted machine with the data encrypted. ... In this fashion, a
  secure system is built out of pieces only one of which must be
  multilevel secure.

Carl Landwehr
Editor, Cipher

______________________________________________________________________
Security and Privacy in the News
______________________________________________________________________

Unless you have been hibernating for the past two months, you will have
noticed quite a bit of coverage of computer security issues in the
popular press, mostly focused on the Internet. Here are a few items
that have attracted your editor's notice.

Internet Security
-----------------
TIME, NEWSWEEK, and USN&WR have all had major stories, and CBS's 60
Minutes devoted its lead segment to it (although the segment aired
three weeks later than its originally rumored broadcast date). Events
that have been stimulating the coverage include the TCP/IP spoofing
attacks (documented in the first 1995 CERT advisory) and the arrest
(again) of Kevin Mitnick. See the Interesting Links section for
pointers on where to read more about these incidents.

Could Better Security Have Saved Baring's?
------------------------------------------
The failure of Baring's Bank in the UK seems to involve a violation of
the two-man rule, in that the accused trader was evidently overseeing
his own trades. There may yet turn out to be violations of audit
controls that could have been computer-enforced. Surely it would be
feasible to have a computer-based system that would alert management to
such risky behavior. With such a system in place the bank's owners and
depositors would at least have another line of defense.

US Legislative Notes
--------------------
With the convening of the 104th US Congress, a variety of new bills
have been introduced that may affect security and privacy in the U.S.
A keyword search of the full text of legislation introduced in this
Congress for bills containing the word "privacy" retrieved dozens of
bills, ranging from the Antitrust and Communications Reform Act (HR
411), which concerns a wide range of communication and electronic
publishing services and contains many privacy-related sections; to the
Fair Health Information Practices Act, whose purposes are to define
individuals' rights with respect to health care information and to
establish mechanisms to enforce those rights; and the Individual
Privacy Protection Act (HR 184), which would establish an Individual
Privacy Protection Board, appointed by the President.

Among the dozens of bills introduced, a few have passed the House;
among them is HR 830. Here is an excerpt of possible interest to Cipher
readers (emphasis added):

  Paperwork Reduction Act of 1995 (Passed by the House)

  `Sec. 3506. Federal agency responsibilities
  [ ... ]
  `(b) With respect to general information resources management, each
  agency shall--
    `(1) manage information resources to--
      `(A) reduce information collection burdens on the public;
      `(B) increase program efficiency and effectiveness; and
      `(C) improve the integrity, quality, and utility of information
           to all users within and outside the agency, including
           capabilities for ensuring dissemination of public
           information, public access to government information, and
           protections for privacy and security;
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Thanks to the Library of Congress's Thomas Legislative Information
Server for the information for this item.

Mass Declassification of US Imagery
-----------------------------------
The Clinton Administration announced on February 24 that it will
declassify thousands of satellite images collected prior to 1972, and
has even made some sample images available on the World-Wide Web (see
Interesting Links). Images collected by the CORONA, ARGON, and LANYARD
missions during the period August 1960 - May 1972 are to be
declassified and made available from the National Archives Record
Administration and from the US Geological Survey's Earth Resources
Observation System (EROS) Data Center. When the declassified images
become available to the public, an Internet catalog and image browse
capability for the entire collection will be accessible, at no charge,
on the U.S. Geological Survey's Global Land Information System (GLIS);
try it at URL http://edcwww.cr.usgs.gov/glis/glis.html.

Triple DES Standard to be Developed
-----------------------------------
An encryption standard based on triple-DES will be developed by
Accredited Standards Committee (ASC) X9, which sets data security
standards for the US banking and financial services industries,
according to a 13 Feb 95 message from the Center for Democratic
Technology (CDT). ASC X9 will initiate a subcommittee, X9F, to develop
technical standards for triple-DES applications.
CDT also indicated that AT&T and VLSI Technologies have announced plans
to develop products based on triple-DES, but exportability of such
products from the US is an open question.

______________________________________________________________________
Oakland Program Released
5-minute abstracts, poster sessions, related meetings solicited
______________________________________________________________________

The program and registration information for the 1995 IEEE Symposium on
Security and Privacy was e-mailed to the Cipher distribution list on
February 10; the printed version should be arriving in mailboxes within
the next week. Deadline for early registration is 31 March, so don't
delay!

Also, remember that there is a new one-hour session of very brief
(5-minute) talks planned this year; submissions for that session have
begun arriving already and will be accepted through April 3. For more
information, contact Cathy Meadows (meadows@itd.nrl.navy.mil).

Space is also available for the evening poster sessions; contact Dale
Johnson (dmj@mitre.org) for further information.

If you are interested in holding a meeting in conjunction with the
conference and would like to reserve a meeting room at the Claremont,
contact Carl Landwehr (Landwehr@itd.nrl.navy.mil).

______________________________________________________________________
IEEE P1363 - [Standard for RSA, Diffie-Hellman, and Related Public-Key
Cryptography] to meet at Oakland; public invited
______________________________________________________________________

Burt Kaliski, chair of the IEEE P1363 working group, invites public
participation at the next meeting of the group, to be held from 1 to 6
p.m., Wednesday, May 10, 1995, at the Claremont Resort, Oakland,
California, immediately following the close of the 1995 IEEE Symposium
on Security and Privacy. This sixth meeting of the group will review a
draft standard for RSA, Diffie-Hellman and other public-key
cryptography.

If you would like to participate, please contact Burt Kaliski at RSA
Laboratories, 100 Marine Parkway, Redwood City, CA 94065. Phone: (415)
595-7703, FAX: (415) 595-4126, E-mail: burt@rsa.com. Draft sections and
copies of previous minutes are available via anonymous ftp to rsa.com
in the "pub/p1363" directory. The working group's electronic mailing
list is ; to join, send e-mail to .

The Claremont Resort is at the corner of Ashby and Domingo Avenues in
Oakland, California, 14 miles from the Oakland Airport. Phone: (510)
843-3000. There is no fee for this meeting.

______________________________________________________________________
Is it a Rose?
______________________________________________________________________

First, it was the Seminar on the DoD Computer Security Initiative, held
at the Bureau of Standards in Gaithersburg. Seventh, it was the DoD/NBS
Computer Security Conference. Eighth, it became the National Computer
Security Conference. At eighteen, according to the latest call for
papers, it has matured into the National Information Systems Security
Conference. To a few of us, at least, it will forever remain the NBS
Conference. But we have a question: when will the proceedings get into
a cataloged series?

______________________________________________________________________
Citing Cipher
______________________________________________________________________

A difficulty that electronic publishing raises is how to cite sources
appropriately. The following correspondence is provided to assist other
Cipher readers who may have the same concern.

From vnlaenen@idt.unit.no Thu Feb 16 09:44:47 1995
From: vnlaenen@idt.unit.no
Subject: referencing cipher

Hello Cipher,

I am a Flemish student from KUL, Leuven, Belgium, writing my Master's
thesis at NTH in Trondheim, Norway. The subject is computer security,
and in particular the problems with assurance in criteria like, e.g.,
the Common Criteria.
I came across your e-magazine, and the report Cynthia Irving wrote on
the 10th Annual Computer Security Applications Conference was very
interesting. I can use it in my thesis as some very good examples of
the problems there are in just defining what assurance is. The problem,
however, is that I do not know how I should best reference your
magazine. Can you help me with that? I assume there is no paper version
of your magazine.

Greetings,
Filip Van Laenen
Filip.VanLaenen@esat.kuleuven.ac.be
vnlaenen@idt.unit.no

---------------------------------------------------------------

From landwehr Thu Feb 16 10:29:25 1995
To: vnlaenen@idt.unit.no
Subject: Re: referencing cipher

Filip,

I am glad you have found Cipher useful and in particular that Cynthia
Irvine's report will be helpful in your thesis work. You are correct
that there is no paper version -- I accepted the job of editing on the
condition that there would be none! I had not thought about how to cite
it, but I would suggest:

  Irvine, Cynthia, "Report on Tenth Annual Computer Security
  Applications Conference," Electronic Cipher #3, Jan. 13, 1995, IEEE
  Computer Society TC on Security and Privacy.
  URL http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher/cipher-archive.html

Including the URL for the Cipher archive is probably reasonable, though
that information is subject to change.

Regards,
--Carl

________________________________________________________________________
Calls for Papers (new listings since last issue only)
________________________________________________________________________

(see also Calendar)

o Conferences (soonest deadline first)

  o International Cryptography Institute 1995: Global Challenges, 21-22
    September 1995, Washington, DC. Topics of interest include
    encryption policies, regulations, user needs, markets, cryptographic
    infrastructure, applications, etc. Speakers' proposals due by 15
    March 1995 to Dorothy Denning (denning@cs.georgetown.edu)

  o Ninth Annual IFIP WG11.3 Working Conference on Database Security,
    13-16 August, 1995, Rensselaerville, New York. Papers, panel
    proposals, and vendor technical proposals are due 20 March 1995 to
    Steven Demurjian (steve@brc.uconn.edu) or John Dobson
    (John.Dobson@newcastle.ac.uk) [papers]; David Spooner
    (spoonerd@cs.rpi.edu) [panel proposals]; or Marvin Schaefer
    (Schaefer@Dockmaster.ncsc.mil) [industrial presentations]. Further
    information: http://www.cs.rpi.edu/ifip/.

  o Symposium on Fault Tolerant Computing (evidently part of XV Congress
    of the Brazilian Computer Society), 29 July - 4 August, Canela,
    Brazil. Relevant topics listed include data security. Papers in
    Portuguese, Spanish, or English accepted; original plus three copies
    of paper with abstract, up to 20 pages double-spaced, due 31 March
    1995 to Dr. Ingrid Jansch Porto (VISCTF@inf.ufrgs.br).

  o Cryptography - Policy and Algorithms Conference, 3-5 July 1995,
    Brisbane, Australia. Contributions up to 15 double-spaced pages are
    solicited on all aspects of encryption methodologies and associated
    algorithms along with the associated public policy and
    social/political implications of the technology and its use.
    Submissions due by April 10, 1995 to Ed Dawson
    (dawson@fit.qut.edu.au); send inquiries and requests for the full
    call for papers to cpac@fit.qut.edu.au.

  o ICECCS'95 (previously listed here under CSESAW '95): First IEEE
    International Conference on Engineering of Complex Computer Systems,
    6-10 November 1995, Fort Lauderdale, Florida. Joint with 5th CSESAW,
    3rd IEEE RTAW and 20th IFAC/IFIP WRTP. Topics of interest include
    high assurance system design and engineering. Five copies of papers
    of no more than 5,000 words due 30 April 1995 to Alexander Stoyenko
    (alex@vulcan.njit.edu).

  o CISMOD '95: 6th International Conference on Information Systems and
    Management of Data, 15-17 November 1995, Bombay, India.
    Topics of interest include data security and data quality
    management. Five copies of paper (up to 16 double-spaced A4 pages)
    due 1 May 1995 to Subhash Bhalla (bhalla@u-aizu.ac.jp). Tutorial
    proposals also solicited.

  o 11th Annual Computer Security Applications Conference, 11-15
    December 1995, New Orleans, Louisiana. Papers, panel/forum
    proposals, tutorials, and vendor presentations solicited. Papers
    (for blind refereeing) due 31 May 1995 to Gary Smith
    (smith@arca.va.com) or, if from Europe, to Klaus Keus
    (keus@bsi.de). For panel/forum proposal preparation instructions,
    contact Jody Heaney (heaney@mitre.org). Send tutorial proposals to
    Dan Faigin (faigin@aero.org) and vendor proposals to Steve Rome
    (romes@romulus.ncsc.mil). Student papers also solicited; contact
    Ravi Sandhu (sandhu@isse.gmu.edu).

  o Third ACM Conference on Computer and Communications Security, 14-16
    March 1996, New Delhi, India. Papers (7 copies, not to exceed 7500
    words, blind refereeing) due 1 July 1995 to Li Gong
    (gong@csl.sri.com) or Jacques Stern (Jacques.Stern@ens.fr). Further
    information: http://www.csl.sri.com/acm-ccs/ccs.html or e-mail to
    acmccs3@isse.gmu.edu.

o Journals

  o Information Systems: Special Issue on Disaster Recovery in Database
    Systems. No specific mention of security or privacy, but the topic
    seems relevant to security concerns. Five copies of paper up to 30
    pages, double-spaced (10 pt.), due 1 Nov 95 to Divyakant Agrawal,
    Computer Science Dept., UCSB (agrawal@cs.ucsb.edu).

________________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 1: Conference Papers
________________________________________________________________________

Papers accepted for 1995 IEEE Symposium on Security and Privacy,
May 8-10, 1995
------------------------------------------------------------
o The Design and Implementation of a Secure Auction Service
  M. Franklin and M. Reiter (AT&T)
o Cryptographic Credit Control in Pre-Payment Metering Systems
  R. Anderson (Cambridge) and S. J. Bezuidenhout (Eskom)
o Preserving Privacy in a Network of Mobile Computers
  D. Cooper and Birman (Cornell)
o Holding Intruders Accountable on the Internet
  S. Chen and T. Heberlein (UC Davis)
o Integrating Security in the CORBA Based Architecture
  R. Deng, S. Bhonsle, W. Wang, A. Lazar (U of Singapore)
o Practical Domain and Type Enforcement for UNIX
  L. Badger, S. Sterne, D. Sherman, K. Walker (TIS)
o A Multilevel File System for High Assurance
  C. Irvine (NPS)
o Formal Methods in the Theta Kernel
  M. Seager, D. Guaspari, M. Stillerman, C. Marceau (ORA)
o Absorbing Covers and Intransitive Non-Interference
  S. Pinsky (NSA)
o CSP and Determinism in Security Modelling
  W. Roscoe (Oxford)
o The Semantics and Expressive Power of the MLR Data Model
  F. Chen and R. Sandhu (GMU)
o A Network Version of the Pump
  M. Kang and I. Moskowitz (NRL)
o An Architecture for Covert Channel Control in Realtime Networks and
  Multiprocessors
  R. Browne (Independent Consultant)
o Version Pool Management in a Multilevel Secure Multiversion
  Transaction Manager
  A. Warner and T. Keefe (Penn State)
o Capacity Estimation and Auditability of Covert Channels
  B. Venkatraman and R. E. Newman-Wolfe (U. of Florida)
o Supporting Security Requirements in Multilevel Real-Time Databases
  R. David, S. Son (U. of Virginia), and R. Mukkamala (Old Dominion U)
o The Intel 80x86 Processor Architecture: Pitfalls for Secure Systems
  O. Sibert (Oxford Systems), P. Porras, and R. Lindell (Aerospace)
o Recent-Secure Authentication: Enforcing Revocation in Distributed
  Systems
  S. Stubblebine (AT&T)
o Reasoning About Accountability in Protocols for Electronic Commerce
  R. Kailar (Secureware)
o The Interrogator Model
  J. Millen (MITRE)

-----------------------------------------------------------------
Papers Accepted for IFIP/SEC 95, May 9-12, Capetown, South Africa
-----------------------------------------------------------------

Invited Talks
-------------
o Bill Murray (USA): Information security must pay - not cost
o Lance Hoffman (USA): Encryption policy on the super highway
o Donn Parker (USA): A new framework for Information Security to avoid
  Information anarchy
o Sead Muftic (Sweden): Functional and operational security systems for
  open distributed environments
o Kurt Bauknecht (Switzerland): The escalating role of Information
  Security Management
o Fred Cohen (USA): Viruses, corruption, disruption and information
  assurances

Refereed Papers
---------------
o Improving the security of medical database systems. G Pangalos,
  D Gritzalis, M Khair, L Bozios (Greece)
o Security within financial information systems. W de Koning
  (Netherlands)
o An object-oriented approach to an IT risk management system.
  G Wahlgren (Sweden)
o Systematic approach to security risk investigation. D Jokanovic
  (Japan)
o A Holistic Approach to IT Security. L Yngstrom (Sweden)
o A Practical conference key distribution system. V Chrissikopoulus,
  D Peppes (Greece)
o A LAN voting protocol. V Hassler, R Posch (Austria)
o Security in Group Applications: Lotus Notes as case study.
  A Hutchinson (Switzerland)
o Auctioning by Satellite using Trusted Third Party Security Services.
  P Sanders, A Patel (UK)
o Distributed Object Systems Security. V Varadharajan (UK)
o Creating Security Applications Based on the Global Certificate
  Management System. N Kapidzic (Sweden)
o Information security management in a distributed open environment.
  M Calitz, SH von Solms, R von Solms (South Africa)
o Data Protection in communication and storage. P Kaijser (Germany)
o Telesec - a Solution to Implementing Digital Signature in
  EDI/EDIFACT. P Fjelbye (Denmark)
o On Paradigms for Security Policies in Multipolicy environments.
  W Kuhnhauser (Germany)
o Key management and the Security of Management in Open Systems: the
  Samson Prototype. G Endersz, R Zamparo (Sweden)
o Framework for access control models. B Lau (Netherlands)
o LTTP Protection - A Pragmatic approach to licensing. R Hauser
  (Switzerland)
o Detecting Intrusions in Smart Card Applications using Expert Systems
  and Neural Networks. T Alexandre, P Trane (France)
o Reinforcing password authentication with typing biometrics. W de Ru,
  J Eloff (South Africa)
o Common criteria for Information Technology Security Evaluation.
  P Overbeek (Netherlands)
o Information security accreditation - the ISO 9000 route. L Meyer,
  R von Solms (South Africa)
o Analysis of DES double key mode. G Carter, A Clark, E Dawson,
  L Nielsen (Australia)
o Meta-Multisignature schemes based on the discrete logarithm problem.
  P Horster, M Michels, H Petersen (Germany)
o Information Security Issues in Mobile Computing. T Hardjono (Austria)
o Experience in Application of Composable Security Properties. N Zhang,
  Q Shi (UK)
o Matching security policy to application needs. C Eckert (Germany)
o A Methodology for the development of secure application systems.
  H Booysen, J Eloff (South Africa)
o A Context Authentication service for role based access controls in
  distributed systems. R Holbein, S Teufel (Switzerland)
o Handling Imprecise Information in Risk Management. L Ekenberg,
  M Danielson (Sweden)
o Achieving an integrated design: The way forward for information
  security. J Hitchings (UK)
o A Day in the life of a Swedish IT Security Officer: A Survey.
  S Kowalski (Sweden)
o Developing Policies, Procedures and Information Security Systems.
  A Warman (UK)
o A Classification of health information systems security flaws.
  D Gritzalis, I Kantzaveloi, S Katsikas, A Patel (Greece)
o Extending Distributed Audit to Heterogeneous Audit Subsystems.
  Chii-Ren Tsai (USA)
o Aligning Information Security Profiles with Organizational Policies.
  D Pottas, SH von Solms (South Africa)
o Portrait of the computer criminal. J Carrol (Canada)
o Comprehensive IT Security: A new approach to respond to Ethical and
  Social Issues Surrounding Information Security in the 21st Century.
  A Hartman, O Ullrich (Germany)
o Ethical information security in a cross-cultural environment.
  K Nance, M Strohmaier (USA)
o From social requirements to technical solutions - Bridging the gap
  with User-Oriented Data Security. U Kohl (Switzerland)

-----------------------------------------------------------------
Security-related papers accepted by the 6th Australasian Database
Conference, Adelaide, South Australia, 30-31 January 1995
-----------------------------------------------------------------
o Ahmad Baraani-Dastjerdi, Janusz R. Getta, Josef Pieprzyk and
  Reihaneh Safavi-Naini, U. Wollongong, "A cryptographic solution to
  discretionary access control in structurally object-oriented
  databases"
o Thomas Hardjono and Jennifer Seberry, U. Wollongong, "Information
  security in mobile databases"
o Janet Aisbett and Greg Gibbon, D.S.T.O., "Sanitisation as a
  constraint on multilevel secure relational databases"

-----------------------------------------------------------------
Security-related papers accepted by the 18th Australasian Computer
Science Conference, Adelaide, South Australia, 1-3 February 1995
-----------------------------------------------------------------
o "Security enhanced direct store delivery system", Nitin Devikar and
  Yuliang Zheng, U. Wollongong
o "Generalized cumulative arrays and their applications to secret
  sharing schemes", Chris Charnes and Josef Pieprzyk, U. Wollongong
o "The ring based conference authentication service", Damien de Paoli
  and Andrzej Goscinski, Deakin U.
o Renee Napier, William Laverty, Doug Mahar, Ron Henderson, Michael
  Hiron and Michael Wagner, Aust. Nat. U., "Keyboard user verification:
  towards an accurate, efficient and ecologically valid algorithm"
o M. Gysin and J. Seberry, U. Wollongong, "New normal sequences of
  length 25"
o A.M. Mathuria, R. Safavi-Naini and P.R. Nickolas, U. Wollongong, "On
  the automation of GNY logic"

-----------------------------------------------------------------
Security related papers at the 1994 International Computer Symposium
(ICS '94), National Chiao Tung University, Taiwan, Dec 12-15, 1994
-----------------------------------------------------------------
Thanks to Anish Mathuria of the Centre for Computer Security Research at
the University of Wollongong, Australia, for forwarding the following
information. Copies of the following papers may be available from the
conference secretariat:

  Prof. Shu-Yuen Hwang
  Dept. of Comp. Sci. & Info. Engg.
  National Chiao Tung University
  Hsinchu, Taiwan 30050, R.O.C
  Tel: 886-35-712121 ext. 3701
  Fax: 886-35-724176
  Email: syhwang@csie.nctu.edu.tw

o "An Image Encryption Scheme based on Quadtree Compression Scheme",
  Henry Ker-Chang Chang and Jiang-Long Liu (National Defense Management
  College, Taiwan), pp. 230-237
o "New signature with message recovery against forgery", Chien-Yuan
  Chen and Wei-Pang Yang (National Chiao Tung University, Taiwan), and
  Chin-Chen Chang (National Chung Cheng University, Taiwan), pp. 293-296
o "Enhancing Security in GSM", Chenthurvasan Duraiappan and Yuliang
  Zheng (University of Wollongong, Australia), pp. 297-302
o "Some Remarks on the Logic of Gong, Needham and Yahalom", Anish
  Mathuria, Reihaneh Safavi-Naini and Peter Nickolas (University of
  Wollongong, Australia), pp. 303-308
o "A Collision Free Secret Ballot Protocol for Computerized General
  Elections", Wen-Shenq Juang, Chin-Laung Lei and Chun-I Fan (National
  Taiwan University, Taiwan), pp. 309-314
o "Security and Maintenance of Publicly Accessible PC Using Remote
  Boot", Peng-Chor Leong and Bu-Sung Lee (Nanyang Technological
  University, Singapore), pp. 426-432
o "Open Distributed Security", D.F. Hadj Sadok and Judith Kelner
  (Universidade Federal de Pernambuco, Brasil), pp. 433-438
o "A Key Management Approach for Access Control in User Hierarchies",
  Gwoboa Horng (National Chung-Hsing University, Taiwan), pp. 439-444
o "A New Verification Mechanism for Server-Aided Secret Computation
  Protocols for Modular Exponentiation", Shin-Jia Hwang and Wei-Pang
  Yang (National Chiao Tung University), and Chin-Chen Chang (National
  Chung Cheng University, Taiwan), pp. 445-450

________________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 2: Journal and Newsletter Articles, Book Chapters
________________________________________________________________________

o ACM Trans. on Database Systems, Vol. 19, No. 4 (Dec 1994).
  M. Winslett, K. Smith, and X. Qian. Formal query languages for secure
  relational databases. pp. 626-663.

o ACM Trans. on Computer Systems, Vol. 12, No. 4 (Nov 1994).
  - M. K. Reiter, K. P. Birman, and R. van Renesse. A security
    architecture for fault-tolerant systems. pp. 340-371.
  - J. S. Chase, H. M. Levy, M. J. Feeley, and E. D. Lazowska. Sharing
    and protection in a single-address-space operating system.
    pp. 271-307.

o Journal of the ACM, Vol. 41, No. 6 (Nov 1994):
  T. Rabin. Robust sharing of secrets when the dealer is honest or
  cheating. pp. 1089-1109.

o IEEE Trans. on Computers, Vol. 44, No. 1 (Jan 1995):
  C.H. Lin, C.C. Chang, and R.C.T. Lee. A new public-key cipher system
  based upon the Diophantine equations. pp. 13-19.

o Communications of the ACM, Vol. 38, No. 2 (February 1995):
  Daniel Stevenson, Nathan Hillery, and Greg Byrd. Secure
  communications in ATM networks. pp. 45-53.

o SIGSAC Security Audit & Control Review, Vol. 13, No. 1 (January 1995):
  - D. Sidwell and T. Ehrsam. CMW information labels: a DBMS
    perspective. pp. 2-6.
  - J. Adams and D. Luther. The evolution of MaxSix trusted networking.
    pp. 7-11.
  - Scott Scudamore. MultiSIX: How it improves interoperability in a
    multi-vendor network. pp. 12-16.

o IEEE COMPUTER, Vol. 28, No. 1 (January 1995):
  Mark Lomas and Bruce Christianson. To whom am I speaking? Remote
  booting in a hostile world. pp. 50-54.

o Computers & Security, Vol. 13, No. 8 (1994). (Elsevier)
  Refereed Papers:
  - Imtiaz Mohammed and David M. Dilts. Design for dynamic
    user-role-based security. pp. 661-672.
  - S.H. von Solms and Isak van der Merwe. The management of computer
    security profiles using a role-oriented approach. pp. 673-680.
  - Chin-Chen Chang, Jao-Ji Shen and Tzong-Chen Wu. Access control with
    binary keys. pp. 681-686.
  - H. Gustafson, E. Dawson, L. Nielsen, and W. Caelli. A computer
    package for measuring the strength of encryption algorithms.
    pp. 687-698.

o Computers & Security, Vol. 13, No. 7 (1994). (Elsevier)
  Refereed Papers:
  - Thomas Hardjono, Yuliang Zheng and Jennifer Seberry. Database
    authentication revisited. pp. 573-580.
  - Chi-Sung Laih, Wen-Hong Chiou and C.C. Chang. Authentication and
    protection of public keys. pp. 581-586.
  - Jeffrey Picciotto and Richard D. Graubart. Extended labeling
    policies for enhanced application support. pp. 587-601.
  - Jorng-Twu Liaw. A dynamic cryptographic key generation and
    information broadcasting scheme in information systems.
    pp. 601-610.
  - Mark H. Looi and William J. Caelli. A note on supplying a trusted
    clock via a secure device. pp. 611-614.

________________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 3: Books
________________________________________________________________________

o Biskup, J., M. Morgenstern, and C. E. Landwehr, eds. Database
  Security, VIII: Status and Prospects. IFIP Transactions A-60, Elsevier
  Science B.V., Amsterdam, ISBN: 0 444 81972 2, 412 pp., $129.50
  (discounts available to IEEE CS and ACM members).
________________________________________________________________________
Calendar
________________________________________________________________________

Dates               Event, Location                 Point of Contact/
                                                    more information
-----               ---------------                 ----------------------------------
====================================================================
See Calls for Papers section for details on many of these listings.
====================================================================
 3/10/95:           SAC '95 ext. abstracts due;     sac95@scs.carleton.ca
 3/15/95:           ICI '95 proposals due;          denning@cs.georgetown.edu
 3/17/95:           DCCA-5 papers due;              morganti@settimo.italtel.it
 3/17/95:           IC3N '95 submissions due;       kia@unlv.edu
 3/20/95:           IFIP WG11.3 9th WC papers due;  ting@eng2.uconn.edu (T.C.Ting)
 3/24/95:           NSPW '95 papers due (hardcopy); meadows@itd.nrl.navy.mil
 3/31/95:           MDS-95, papers due, York, England; IMACRH@V-E.ANGLIA.AC.UK
 3/31/95:           SFTC-VI papers due;             VISCTF@inf.ufrgs.br
 4/ 1/95:           NSPW '95 papers due (e-mail);   John.Dobson@newcastle.ac.uk
 4/ 3/95:           IEEE S&P 5-min talk abstracts due; meadows@itd.nrl.navy.mil
 4/10/95:           CPAC '95 submissions due;       cpac@fit.qut.edu.au
 4/30/95:           ICECCS '95 submissions due;     alex@vulcan.njit.edu
 5/ 1/95:           CISMOD '95 papers due;          bhalla@u-aizu.ac.jp
 5/ 1/95- 5/ 6/95:  6th Nat'l OPSEC Conf, Albuquerque; (301)982-0720
 5/ 7/95- 5/12/95:  IEEE S&P 95;                    dmj@mitre.org (registration)
 5/ 9/95- 5/11/95:  IFIP/SEC '95, Capetown;         IFIPSEC95@RKW.RAU.AC.ZA
 5/16/95- 5/19/95:  7th CCSS, Ottawa;               CCSS7@cse.dnd.ca
 5/18/95- 5/19/95:  SAC '95, Ottawa;                sac95@scs.carleton.ca
 5/22/95- 5/24/95:  Eurocrypt '95, France;          iacr95@ccett.fr
 6/ 1/95:           JCMC iss.: elect. commerce; papers due; steinfield@tc.msu.edu
 6/ 5/95- 6/ 7/95:  5th USENIX Sec Symp, Utah;      conference@usenix.org
 6/13/95- 6/15/95:  CSFW-8, Ireland;                s.foley@cs.ucc.ie
 6/26/95- 6/30/95:  COMPASS '95;                    BONNIE.DANNER@trw.sprint.com
 7/ 1/95:           CCS-3 papers due;               gong@csl.sri.com or Jacques.Stern@ens.fr
 7/ 3/95- 7/ 5/95:  CPAC '95, Australia;            cpac@fit.qut.edu.au
 7/29/95- 8/ 4/95:  SFTC-VI, Canela, Brazil;        VISCTF@inf.ufrgs.br
 8/13/95- 8/16/95:  IFIP WG11.3, New York (RPI);    ting@eng2.uconn.edu
 8/22/95- 8/25/95:  NSPW '95, San Diego (UCSD);     meadows@itd.nrl.navy.mil
 8/27/95- 8/31/95:  Crypto '95, Santa Barbara;      tavares@ee.queensu.ca
 8/28/95- 8/30/95:  MMDMS, Blue Mt. Lake, NY;       nwosuck@harpo.wh.att.com
 9/ 5/95- 9/ 6/95:  MDS-95, York, England;          IMACRH@V-E.ANGLIA.AC.UK
 9/20/95- 9/21/95:  IT-Sicherheit '95, Graz;        rposch@iaik.tu-graz.ac.at
 9/20/95- 9/23/95:  IC3N '95, Las Vegas;            kia@unlv.edu
 9/21/95- 9/22/95:  ICI '95, Washington DC;         denning@cs.georgetown.edu
 9/27/95- 9/29/95:  DCCA-5, Champaign, IL;          no e-mail address available
10/10/95-10/13/95:  NISS-18, Baltimore, MD;         NISS_Conference@Dockmaster.ncsc.mil
11/ 1/95:           IS iss. on disaster recov.; papers due; agrawal@cs.ucsb.edu
11/ 6/95-11/10/95:  ICECCS '95, Fort Lauderdale;    alex@vulcan.njit.edu
11/15/95-11/17/95:  CISMOD '95, Bombay;             bhalla@u-aizu.ac.jp
 3/14/96- 3/16/96:  CCS-3, New Delhi;               gong@csl.sri.com or Jacques.Stern@ens.fr
 4/30/96- 5/ 3/96:  8th CCSS, Ottawa;               no e-mail address available
 5/ 5/96- 5/ 8/96:  IEEE S&P 96;                    no e-mail address available
 5/ 5/96- 6/ 9/96:  IFIP/SEC 96, Greece;            no e-mail address available
11/??/96:           ESORICS '96, Rome, Italy;       no e-mail address available
 5/ 4/97- 5/ 7/97:  IEEE S&P 97;                    no e-mail address available
 5/13/97- 5/16/97:  9th CCSS, Ottawa;               no e-mail address available
 5/12/98- 5/15/98:  10th CCSS, Ottawa;              no e-mail address available
 5/11/99- 5/14/99:  11th CCSS, Ottawa;              no e-mail address available
 5/16/00- 5/19/00:  12th CCSS, Ottawa;              no e-mail address available

Key:
====
CCS-3       = 3rd ACM Conference on Computer and Communications Security
CCSS        = Annual Canadian Computer Security Symposium
CISMOD      = International Conf. on Inf. Systems and Management of Data
CPAC        = Cryptography - Policy and Algorithms Conference
CSFW        = Computer Security Foundations Workshop
DCCA        = Dependable Computing for Critical Applications
ESORICS     = European Symposium on Research in Computer Security
FISSEA      = Federal Information Systems Security Educators' Assoc.
IC3N        = International Conf. on Computer Communications and Networks
ICI         = International Cryptography Institute
ICECCS      = Int'l Conf. on Engineering of Complex Computer Systems
IEEE S&P    = IEEE Symposium on Research in Security and Privacy
IFIP/SEC    = International Conference on Inf. Security (IFIP TC11)
IFIP WG11.3 = IFIP WG11.3 9th Working Conf. on Database Security
IS          = Information Systems (journal)
IT-Sicherheit '95 = Communications and Multimedia Security: Joint Working
              Conf. of IFIP TC-6 and TC-11 and Austrian Computer Soc.
JCMC        = Journal of Computer Mediated Communication
MDS '95     = Second Conf. on the Mathematics of Dependable Systems
MMDMS       = First Int. Wkshop on Multi-Media Database Management Systems
NISS        = National Information Systems Security Conference
              (formerly National Computer Security Conference)
NSPW        = New Security Paradigms Workshop
ISOC-Symp   = Internet Society 1995 Symposium on Network and Distributed
              System Security
SAC '95     = 2nd Annual Workshop on Selected Areas of Cryptography
SFTC-VI     = Symposium on Fault Tolerant Computing - VI (Brazil)
USENIX Sec Symp = USENIX UNIX Security Symposium

________________________________________________________________________
Who's Where: recent address changes
________________________________________________________________________

I know that people are retiring and changing jobs out there, but evidently
they don't want publicity -- no contributions this time.
________________________________________________________________________
Interesting Links [new entries only]
________________________________________________________________________

Format: URL (first line) followed by description

Government sources/information:
-------------------------------
http://www.ota.gov/
  U.S. Congress Office of Technology Assessment; includes short summaries
  of studies in progress. Check out "Director-Approved Special Responses"
  under "Industry, Telecommunications, and Commerce"

http://www.dtic.dla.mil/lablink/
  Lablink, pointers to US government laboratories and research centers

Professional societies and organizations:
-----------------------------------------
http://hsdwww.res.utc.com/std/gateway/orgindex.html
  National Standards System Network Prototype; gateway to servers for many
  standards organizations: ISO, IEEE, ITU, NIST, etc.

Other places for interesting research papers and announcements
--------------------------------------------------------------
http://www.msen.com/~emv/tubed/spoofing.html
  Internet spoofing reference page; provides links to various references
  concerning recent Internet spoofing attacks.

http://www.cs.purdue.edu/homes/swlodin/cmad_report.html
  Report on Third Annual Workshop on Computer Misuse and Anomaly Detection
  held at UC Davis 10-12 January 1995. [available soon]

http://mls.saic.com/library.html
  SAIC Security Library

http://www.nas.edu/
  U.S. National Academy of Sciences, National Academy of Engineering,
  Institute of Medicine, and National Research Council home page

________________________________________________________________________
TC Publications for Sale
________________________________________________________________________

Yes! We still have a few surplus copies of the proceedings of the Oakland
conference (199N IEEE Symposium on Research in Security and Privacy)
available for purchase by TC members at favorable rates.
Current issues in stock and prices are as follows:

          Price by mail from TC    IEEE CS Press        IEEE CS Press
Year      to TC members            IEEE member price    List Price
----      ---------------------    -----------------    -------------
1992      $15                      $43                  $86
1993      $20                      $30                  $60
1994      $30                      $30+$4 S&H           $60+$5 S&H

For overseas delivery:
-- by surface mail, please add $5 per order (3 volumes or fewer)
-- by air mail, please add $10 per volume to the prices listed above.

If you would like to place an order, please send a letter specifying
  o which issues you would like,
  o where to send them, and
  o a check in US dollars, payable to the 1995 IEEE Symposium on
    Security and Privacy
to:
  Charles N. Payne
  Treasurer, IEEE TC on Security and Privacy
  Code 5542
  Naval Research Laboratory
  Washington, DC 20375-5337
  U S A

Sorry, we are still not ready for electronic commerce!

________________________________________________________________________
TC Officer Roster
________________________________________________________________________

Chair:                                  Vice Chair:
Terry Vickers Benzel                    Deborah Cooper
Trusted Information Systems
11340 W. Olympic Blvd, Suite 265
Los Angeles, CA 90064
(310) 477 - 5828
tcvb@la.tis.com

Newsletter Editor:                      Standards Subcommittee Chair:
Carl Landwehr                           [VOLUNTEER NEEDED!]
Code 5542
Naval Research Laboratory
Washington, DC 20375-5337
(202)767-3381
Landwehr@itd.nrl.navy.mil

________________________________________________________________________
Information for Subscribers and Contributors
________________________________________________________________________

SUBSCRIPTIONS: To subscribe, send e-mail to (which is NOT automated) with
subject line "subscribe". To remove yourself from the subscription list,
send e-mail to cipher-request@itd.nrl.navy.mil with subject line
"unsubscribe". Those with access to hypertext browsers may prefer to read
Cipher that way. It can be found at URL
  http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher

CONTRIBUTIONS: to are invited. Cipher is a NEWSletter, not a bulletin
board or forum.
It has a fixed set of departments, defined by the Table of Contents.
Please indicate in the subject line for which department your contribution
is intended. For Calendar entries, please include an e-mail address for the
point-of-contact. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL
DISCLAIMERS APPLY. All reuses of Cipher material should respect stated
copyright notices, and should cite the sources explicitly; as a courtesy,
publications using Cipher material should obtain permission from the
contributors.

ARCHIVES: Available at URL
  http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher/cipher-archive.html

=======end of Electronic Cipher Issue #4, 10 March 1995================