Subject: Electronic CIPHER, Issue 11, December 23, 1995

====================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 11                                December 23, 1995
Carl Landwehr, Editor                   Hilarie Orman, Assoc. Editor
====================================================================

Contents: [1289 lines total]

 Letter from the TC Chair
 Letter from the Editor
 Security and Privacy News Briefs:
   o Covert timing channel threatens security of RSA private keys
   o LISTWATCH: recent items from Cypherpunks, WWW-security, and tbtf
     by Mary Ellen Zurko
   o Weak Password Encryption Exposed in Windows '95
   o US Telecom Reform Legislation Nears Passage, Stirs Protest
   o US FTC Launches "Privacy Initiative" on Websites
   o Privacy International Releases "Big Brother Incorporated"
   o NSA NCSC to push EPL marketing, commercial evaluations
   o TCSEC C-level security considered "excellent" by some
   o Software blamed for voicemail misdelivery
   o PeopleSoft 5 security problems reported
   o Updated list of security mailing lists released
 Articles and Conference Reports:
   o Report from 34th IETF meeting, 4-8 December, by Hilarie Orman
 Calls for Papers: CRYPTO '96, USENIX Sec Symp, and 8 more
 Reader's guide to recent security and privacy literature
   o Conference Papers: includes GLOBECOM '95 and ISOC '96 (NDSS '96)
   o Journal and Newsletter articles
   o Book
 Calendar
 Who's Where: recent address changes
 New Reports available via FTP and WWW: Paul Kocher's paper + 7
 Interesting Links
 >>>>>>>>>>>>>>Data Security Letter subscription offer<<<<<<<<<<<
 How to join the TC on Security and Privacy
 Publications for sale
 TC officers
 Information for Subscribers and Contributors

____________________________________________________________________
Letter from the TC Chair
____________________________________________________________________

Dear TC members,

Season's Greetings and Best Wishes to All S&P TC members! If you are not a member of the S&P TC and do not want to be left out in the cold, join today! The fastest way to join is via the IEEE CS web page (http://www.computer.org). This is also the easiest way to update your membership information. Don't worry about duplicate entries. The IEEE CS is in the process of updating its membership files and will cull lists for duplications based on the most recent information received. Act now while the IEEE CS is resolved to clean up its act for the New Year.

The IEEE CS now keeps all the TC membership files and is in the process of updating its records. Members on record will be receiving first class mailers requesting updated information. (If you want to save postage, use the IEEE CS web page.) Remember, the only requirement for IEEE CS TC membership is your request to join. You need not be a member of the IEEE nor the CS to join our Technical Committee.

Security has become a hot topic with the commercialization of the Internet and crossover technology in the telecommunications, entertainment and government markets. Our other charter is Privacy. In a recent Media Release from Privacy International (summarized in this issue of Cipher), we are reminded that Security and Privacy are two different concerns, often at odds.

We are always looking for volunteers! And we continue to look forward to working with you to face the challenges of the future.

Deborah M. Cooper
Chair, 1995-1997
IEEE Technical Committee on Security and Privacy

____________________________________________________________________
Letter from the Editor
____________________________________________________________________

Dear Readers,

Greetings of the season to Cipher readers world-wide and best wishes for a happy and healthy 1996.
It is hard to imagine how 1996 can focus much more interest on security issues and technology than we have seen in 1995. Magazines and newspapers have put security (particularly Internet security) on their front pages (a covert timing channel made the front page of the New York Times this month!), and book publishers evidently see a market as well. On a recent trip to a local general market bookstore, I found an entire rack full of books addressing computer and network security; I stopped counting at 30 titles.

Major political stories since the last issue include the continuing progress of Telecommunications Reform legislation (see news briefs) through the U.S. Congress; this month it triggered the first (to my knowledge) public demonstrations concerning a computer network. Initial hearings on the Medical Records Confidential Act (S. 1360, also known as the "Bennett Bill") were held in mid-November; several groups have called for strengthening the privacy protections in the bill.

NIST released a set of revised criteria for key escrow agents (the criteria and other documents are available at URL http://csrc.ncsl.nist.gov/keyescrow) and hosted a public meeting on December 5 that apparently attracted only about a third as many participants as the previous meeting. It is not clear that the new criteria have significantly narrowed the distance between government and industry positions.

Three different "Hacker Challenges" ended: Secure Computing Technologies reported that no one collected their prize for penetrating the Sidewinder, and ComVista also held onto their $10,000 challenge. Netscape, however, did award two $1,000 prizes, as well as numerous T-shirts, to users who found security flaws in Netscape Navigator 2.0 software. I hope to include some discussion on the topic of challenges in the next Cipher.
Carl Landwehr
Editor, Cipher

______________________________________________________________________
SECURITY AND PRIVACY NEWS BRIEFS
______________________________________________________________________

______________________________________________________________________
Timing Channel Threatens RSA Security
______________________________________________________________________

[11 Dec. 95] The New York Times reported that Paul Kocher, a 22-year-old researcher who has worked as a computer security consultant to several major software companies, has identified a significant attack on the security of the RSA public key encryption algorithm. From the perspective of many Cipher readers, the attack is of particular interest because it exploits an inadvertent covert timing channel in the execution of the RSA algorithm. Such covert timing channels have been a concern to researchers for years, but they have typically been dismissed as insignificant by most commercial vendors and, indeed, by many within the INFOSEC community.

The idea behind the attack is that by observing closely the time it takes for the software executing the algorithm to complete the many multiplications it requires, one can deduce significant information about the factors involved in the multiplication, thereby greatly limiting the size of the space that needs to be searched to find the key. Details are available in a message to the Cypherpunks mailing list and in a web page by Kocher (http://www.cryptography.com).

RSA Security responded (http://www.rsa.com/rsaqa.htm) that the vulnerability could be closed, either by padding the multiplication times or by randomizing them through a technique called "blinding". Evidently neither of these techniques is in place in current RSA implementations.
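
The "blinding" countermeasure named in RSA's response, sketched as an added example (it is not code from this newsletter, from Kocher, or from RSA). It models only which operands the private-key exponentiation works on, not real timing; the toy key built from two Mersenne primes and all function names are assumptions made for the illustration.

```python
import secrets
from math import gcd

# Constructed toy key for illustration only: two Mersenne primes, far too
# small and too structured for real use.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)


def square_and_multiply(base, exp, mod):
    """Left-to-right binary exponentiation.

    Returns (result, trace). The trace holds the accumulator after each
    exponent bit, i.e. the operands of the modular multiplications whose
    running time a timing observer is trying to reason about.
    """
    acc = 1
    trace = []
    for bit in bin(exp)[2:]:
        acc = (acc * acc) % mod
        if bit == "1":
            acc = (acc * base) % mod
        trace.append(acc)
    return acc, trace


def decrypt_unblinded(c):
    """Plain c^D mod N: every intermediate is a fixed function of c and D."""
    return square_and_multiply(c % N, D, N)


def decrypt_blinded(c):
    """Blinded private-key operation.

    Pick a fresh random r, exponentiate c * r^E instead of c, then strip
    the factor r from the result: (c * r^E)^D = c^D * r (mod N).
    """
    while True:
        r = secrets.randbelow(N - 2) + 2  # 2 <= r <= N - 1
        if gcd(r, N) == 1:
            break
    blinded = (c * pow(r, E, N)) % N
    m_times_r, trace = square_and_multiply(blinded, D, N)
    m = (m_times_r * pow(r, -1, N)) % N
    return m, trace


def compare(message):
    """Decrypt the same ciphertext twice each way and compare the traces."""
    c = pow(message, E, N)
    plain_a, trace_a = decrypt_unblinded(c)
    plain_b, trace_b = decrypt_unblinded(c)
    blind_a, btrace_a = decrypt_blinded(c)
    blind_b, btrace_b = decrypt_blinded(c)
    return {
        # Both variants must still recover the message.
        "unblinded_correct": plain_a == plain_b == message,
        "blinded_correct": blind_a == blind_b == message,
        # Without blinding, anyone who knows c can recompute the operands
        # for a guessed key prefix; they repeat exactly on every run.
        "unblinded_trace_repeats": trace_a == trace_b,
        # With blinding, the operands depend on the secret r and change on
        # every call, so they cannot be predicted from c.
        "blinded_trace_repeats": btrace_a == btrace_b,
        "blinded_matches_unblinded": btrace_a == trace_a,
    }


if __name__ == "__main__":
    for name, value in compare(123456789).items():
        print(f"{name}: {value}")
```

The other fix mentioned above, padding the multiplication times, is not shown here because it depends on the platform's arithmetic rather than on the algebra.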
______________________________________________________________________
LISTWATCH: WWW Security News from Cypherpunks, WWW-Security, and TBTF
by Mary Ellen Zurko, OSF
______________________________________________________________________

This month's WWW security news comes from cypherpunks (via Robert Hettinga's reposting service), www-security, and tbtf (Tasty Tidbit from the Technology Front).

Students at Berkeley showed how they could patch NFS binaries to disable security in programs like Netscape. They pointed out that endpoint security (the security of desktop machines) is just as critical to Internet security as secure protocols for transmission.

Community ConneXion (http://www.c2.org/), an Internet ISP specializing in privacy, has added ecash and Java to its bounty list. They will provide a T-shirt to anyone who hacks the electronic cash system announced by Digicash bv and Mark Twain Bank (which, by the way, they also accept as payment for their services, offering a 5% discount for such payments). The Java promotion covers any implementation of Java (including Netscape's), as well as HotJava, Sun's Java-enabled browser. The Hack Java promotion was inspired by two bugs found in the alpha release of HotJava, one of which allowed applets to set the browser's proxy, thereby allowing the adversary unlimited access to the browser's HTTP interactions. Digicash and Java join Netscape and Microsoft on C2's list. C2 is dedicated to enhancing the level of security available on the Internet through these promotions.

Mondex, which is producing stored-value smart cards for electronic commerce, is under fire. They have promoted this debit card as privacy friendly, anonymous, and cash-like. However, the project manager is quoted as saying that Mondex uses a full audit trail of all transactions. Promotional material claims this information is only available to the card holder. The complaint is at http://www.privacy.org/pi/activities/mondex/complaint.txt.
I was pleased to see someone on cypherpunks gush over "Network Security - PRIVATE Communication in a PUBLIC World" by Charlie Kaufman, Radia Perlman, and Mike Speciner, the way I do. It's a very well-written book, intuitive and lucid about all its topics, including cryptographic protocols [See Reader's Guide section for citation -- CEL].

DejaNews (http://dejanews.com) archives Usenet postings, and offers a "sophisticated system for retrieving 'author profiles' of the individuals who have posted messages." People who believe that it is an invasion of privacy are finally understanding what kind of information can be put together out of public postings.

With so much emphasis on confidentiality and authentication in Internet stories, it was good to see one with an emphasis on security auditing. Keith Dawson of tbtf posted a description of a Windows 95 security hole. He pointed out that machines connected full time to the Internet (without the protection of firewalls) are vulnerable to a feature that makes local drives available as network drives. Drives can be password-protected, but the combination of a lack of auditing and the fact that most humans don't choose passwords well shows that this feature offers little real security.

A bug in Netscape's second beta version of their LiveScript facility (their licensing of the Java technology) allowed an applet to send a list of all the URLs a browser had visited to any server that the same browser visits. Information sometimes stored in URLs includes the parameters to a search engine request.

Visa, Microsoft, and Spyglass announced a project to support credit card shopping on the World Wide Web, where Visa has agreed to cover losses if the software fails. I hope someone is transferring high-assurance software engineering techniques to this effort.
______________________________________________________________________
Weak Password Encryption Exposed in Windows '95
______________________________________________________________________

[13 December 1995] The Automated Systems Security Incident Support Team (ASSIST) announced that Microsoft's implementation of a stream cipher encrypting algorithm for PWL (password) files has produced an easily broken encryption. The report was prompted by the release on the Internet of software that could break this encryption. The .PWL files contain Windows 95 Resource passwords, including access information for remote hosts.

Resources possibly affected by passwords in .PWL files include, but are not limited to, the following:

 * Password-protected folders, directories, or printers for any accessible Windows 95 system.
 * Remote computers accessed either through the network, or other access techniques (i.e., ftp, telnet, Kermit, etc.).
 * Windows NT computers that do not participate in a domain, or the Windows NT logon password if the NT system is not the Primary Network Logon Server.
 * NetWare Servers.

In response, Microsoft has released an updated security component to upgrade the encryption used; see URL http://www.microsoft.com/windows/software/mspwlupd.htm for details.

______________________________________________________________________
US Telecommunications Reform Legislation Nears Passage, Stirs Protest
______________________________________________________________________

[21 December 1995] Telecommunications Reform legislation emerged from the House - Senate conference committee ready for final passage by both houses and signature by the President. Despite some backlash among Republican legislators apparently created by Vice President Gore's favorable comments on the bill, it appears likely that the bill will be passed and signed by President Clinton in its current form.
The bill includes penalties for transmitting "indecent" material over telecommunication networks such as the Internet, and this language has sparked considerable protest among some groups. Several of these called for a "National Day of Protest" to be held on December 12, and newspapers carried reports of demonstrations in San Francisco and elsewhere. Proposals made in conference to change the "indecent" standard, criticized as vague and potentially unconstitutional, to a more narrow and legally well-established standard of information "harmful to minors" did not garner sufficient support to alter the final bill.

______________________________________________________________________
U.S. FTC Launches "Privacy Initiative" on Websites
______________________________________________________________________

E-mail received by Cipher 21 Dec 95:

The US Federal Trade Commission has launched a "Privacy Initiative" to investigate whether the information collected at websites (either that affirmatively submitted by a visitor via a form or information collected based upon a visitor's selection of pages at a site to reflect personal interests) should be the subject of regulation by the FTC.

To get background on this effort, you may want to read a speech by FTC Commissioner Varney on Electronic Commerce and Privacy which is available at the FTC's site under speeches (www.ftc.gov) or the Advertising Law Internet Site (www.webcom.com/~lewrose/home.html) under speeches.

This week the staff of the FTC established a mailing list to allow interested parties to discuss the issues surrounding the privacy interests of consumers visiting web sites.
To subscribe, send the message "subscribe" (without the quotes) to privacy-request@ftc.gov

______________________________________________________________________
Privacy International Releases "Big Brother Incorporated"
______________________________________________________________________

[4 December 1995] Privacy International, a London-based non-profit, non-government organization, has released a 150-page report entitled "Big Brother Incorporated: a report on the international trade in surveillance technology and its links to the arms industry." According to a media release, the report shows how technology companies in Europe and North America provide the surveillance infrastructure for police and military authorities in countries such as China, Indonesia, Nigeria, Angola, Rwanda and Guatemala. The report's primary concern is the flow of sophisticated computer-based technology from developed countries to developing countries, and particularly to non-democratic regimes.

Privacy International was formed in 1990 and brings together privacy experts, human rights advocates, and technology experts in more than 40 countries, working toward the goal of promoting privacy issues worldwide. A summary of the report is available at ; for further information contact Simon Davies at davies@privint.demon.co.uk.

______________________________________________________________________
NSA to Push EPL Marketing, Commercial Evaluations; IBM AS/400 rated C2
______________________________________________________________________

The National Security Agency's National Computer Security Center plans to raise the profile of its Evaluated Products List (EPL), according to an article by Paul Constance in Government Computer News (GCN). The article displays a snappy new logo that evaluated products will be able to display and reports that the NCSC plans to make the EPL available on the World Wide Web.
Because it has only five NSA evaluators and sixty from federally funded R&D centers such as MITRE and Aerospace, NCSC will also become more selective about the products it chooses to evaluate, focusing on "market-leading operating systems and database software that meets industry standards for open, networked architecture and popular graphical interfaces," rather than accepting all products vendors offer for evaluation.

At the same time, NCSC is cooperating with the National Institute for Standards and Technology (NIST) to study the feasibility of accrediting commercial laboratories to perform for-profit assessments of products up to the B1 level. An accreditation process could be in place as early as 1997, according to Dennis Kinch, chief of the NCSC's Trusted Product Evaluation division.

A news item in the same issue of GCN reports that IBM's AS/400 has received a C2 rating after more than three years of testing. The rating applies to AS/400 D, E, and F models which are available in special government configurations, although they are no longer in general production. An IBM representative said that the rating could apply to the current F-10 model if it runs OS/400 Version 2, Release 3. The rating also extends to the DB2 database for OS/400, according to the item.

______________________________________________________________________
TCSEC C-Level Security Considered "Excellent"
______________________________________________________________________

[Nov. 13, 1995] As part of a comparison of three major PC operating systems, INFOWORLD provides an interesting mapping from their notion of security to the Trusted Computer System Evaluation Criteria (TCSEC) levels. The product comparison of Windows 95, Windows NT 3.1, and OS/2 Warp Connect, Version 3 included an assessment of security provided by each in terms of the access available to it when operated as an individual workstation (not as the server end of a peer-to-peer connection).
A table accompanying the ratings included the following correspondence between word scores and security ratings:

   Security Rating / Word score
   None / Unacceptable
   Minimal / Poor
   Low / Satisfactory
   Moderate / Good
   High / Very Good
   TCSEC class C / Excellent
   TCSEC class B / Excellent
   TCSEC class A / Excellent

INFOWORLD described its testing procedure as follows:

   We assessed and configured each operating system's security based on its default installation options. We created users and implemented a security policy on those OSes that offered some form of security. The policy was as restrictive as possible without hindering the capabilities of applications. We simulated users logging in to the system either as a peer-to-peer workstation or as a client to NetWare 4.10. Users fell into three classes: super-users (or administrators), targets, and hackers. The hackers attempted to change or delete the target user's workstation. At a minimum, we expected the OSes to provide rudimentary security features. We lowered a product's score if we could in any way modify the environment of the target users or were able to gain either information or indirect access to information about the target users.

Features considered in the ratings, as listed, were passwords, unique IDs, access control by owner, access control by owner/group/world to directories, and access control by owner/group/world to files. A product providing all these features would apparently be labeled "High" for security unless it also was found to contain security holes.

The results, in brief:

   OS2/Warp Connect, Version 3
      Poor: aside from a simple desktop password, there is no security mechanism within OS/2 Warp.

   Windows 95
      Poor: Windows 95 security should only be used as a deterrent to accidental damage. The operating system can't stop a determined hacker.

   Windows NT Workstation 3.51
      Excellent: Windows NT offers government C2-level security with unique user IDs, token control, and advanced auditing capabilities.
______________________________________________________________________
Software Blamed for Voicemail Misdelivery
______________________________________________________________________

[8 Nov. 95] Bell Atlantic reported that its voicemail system, Answer Call, had indeed routed messages to the wrong mailboxes and attributed the problem to new software in its Arlington, Virginia voice mail center, according to a Washington Post article by Mike Mills on November 8. The problem was originally reported by the Post on Oct. 31; at that time Bell Atlantic reported that the problem was corrected when they rebooted the system.

Although the original report carried an estimate that such errors were "a one in a million shot," the system has, in fact, 1.5 million subscribers, and the original article triggered eight additional reports of similar malfunctions from Northern Virginia residents. A church organist reported receiving several messages intended for others over a period of a month, including one from a defense contractor detailing plans to bid on a federal project.

In the November 8 article, Paul Miller of Bell Atlantic reported that the problems occurred when new software at the Arlington voice mail center "reacted poorly" with another program that checks to make sure voice messages are correctly routed. He said that the source of the problem had been identified and corrected.

______________________________________________________________________
PeopleSoft security flaws reported, corrected
______________________________________________________________________

PeopleSoft 5.0 contains several security weaknesses, according to an article by Barb Cole in the 6 November issue of Network World. The problems include storing unencrypted passwords on users' desktops in Windows memory, passing unencrypted passwords over the network, and storing a master identification providing access to advanced network privileges on Windows clients where it could be found by hackers.
PeopleSoft, described as the No. 3 vendor of client/server applications, provides a suite of pre-built financial, distribution, and human resources applications. The flaws were reported earlier by First Albany Corp.-META Technology Research, according to Network World. Patches to reduce the vulnerability of passwords stored on the client side are included in PeopleSoft 5.0.1, now available. Changes planned for early 1996 will encrypt passwords sent over networks.

A subsequent article by Ilan Greenberg in the 13 November issue of INFOWORLD reported that the 5.0.1 release indeed solves this particular problem. The article reports that PeopleSoft plans to incorporate Open Horizon, Inc.'s desktop security technology (including Connection Security Module, for better encryption and authentication of passwords), directly into PeopleSoft's applications by next March. Representatives of competing products from Oracle and Hyperion Software Corp. said their products were not subject to the kinds of security holes that had troubled the PeopleSoft product, according to INFOWORLD.

______________________________________________________________________
Updated list of security mailing lists released
______________________________________________________________________

[21 December 1995] Chris Klaus of Internet Security Systems has released an updated version of his comprehensive list of security mailing lists.
The complete list is a bit long for the e-mail version of Cipher, but lists reported are:

General Security Lists
 * 8lgm (Eight Little Green Men)
 * Academic-Firewalls
 * Alert
 * Best of Security
 * Bugtraq
 * COAST Security Archive
 * Computer Privacy Digest (CPD)
 * Computer Underground Digest (CuD)
 * Cypherpunks
 * Cypherpunks-Announce
 * European Firewalls
 * Firewalls
 * Intruder Detection Systems
 * Infsec-L
 * Phrack
 * PRIVACY Forum
 * Risks
 * SAS (French Speaking Firewalls)
 * S-HTTP
 * Sneakers
 * Secure Socket Layer - Talk
 * UNINFSEC - University Information Security Forum
 * Virus
 * Virus Alert
 * WWW Security

Security Products
 * Firewall-1
 * Linux
 * Linux Alert
 * SOS Freestone Firewall package
 * Tiger
 * TIS Firewall Toolkit

Vendors and Organizations
 * CERT
 * CIAC
 * HP
 * Sun

Details on how to join each of the lists are available at or send e-mail to info@iss.net with "send index" as the body of the message.

______________________________________________________________________
ARTICLES AND CONFERENCE REPORTS
______________________________________________________________________

______________________________________________________________________
Summary of 34th IETF Meeting, held 4-8 December 1995, Dallas
by Hilarie Orman
______________________________________________________________________

Progress in defining and implementing a proposed network layer security standard and associated key exchange methods enlivened the IPSEC working group meetings at the 34th IETF held in Dallas December 4th through 8th. The working group, which has been meeting at IETF's for the last 4 years, has defined a set of enhancements for IP packets for authentication and integrity, and orthogonally, privacy.

Several implementors were on-hand with laptop machines, and they exchanged ICMP ("ping") packets using the Authentication Header (AH) enhancements which protect an entire IP message, and the encryption enhancements (ESP), which make the IP payload opaque.
The required algorithms for use with these options are MD5 for AH and DES for ESP, and these were the ones used in the demonstrations. The RFC's that define the architecture, the AH and ESP headers, and the environment for applying the algorithms are RFC's 1825, 1826, 1827, 1828, and 1829, available from the ftp directory ftp://ds.internic.net/documents/rfc.

Two key exchange protocols using the Diffie-Hellman algorithm were demonstrated: Photuris and SKIP. In each case, two independent implementations achieved interoperation. Photuris and SKIP differ primarily in regard to supplying Perfect Forward Secrecy; Photuris can supply a session key that is independent of any long-term state, while SKIP keys are interdependent for the life of an advertised public component. As a corollary, Photuris requires maintenance of some state information while the key is computed, and SKIP is stateless. The draft documents describing these protocols are available from ftp://ds.internic.net/documents/internet-drafts.

Progress on a third key exchange protocol, ISAKMP, was discussed in the working group, and two implementations were demonstrated immediately following the working group meeting. ISAKMP is designed to serve as an "umbrella" for many, perhaps thousands, of key exchange methods. Photuris has been influenced by ISAKMP, and the Diffie-Hellman algorithm is only one of a class of methods that can be supported by either protocol.

Other working groups in the security area that met were the Public Key Infrastructure (X.509) Group, Common Authentication Technology, Domain Name System (DNS) Security, One Time Password Authentication (OTP), and the HTTP Transaction Security group.

The DNS extensions are relevant to the IP security work because they provide a possible method for distributing public keys for use in authenticating the key components that are essential to the Diffie-Hellman exchanges.
The DNS security extensions are described in ftp://ds.internic.net/documents/internet-drafts/draft-ietf-dnssec-secext-06.txt

The OTP working group has moved its specification forward towards publication as a Proposed Standard RFC. It is expected to become a Proposed Standard in early January 1996. A freely distributable implementation of this specification is available by anonymous FTP from: ftp.nrl.navy.mil/pub/security/nrl-opie

Minutes for the meetings will be available at ftp://ds.internic.net/documents/minutes directory.

In a surprising development, the SNMPv2 group determined that they could reach no consensus on security extensions to the Simple Network Monitoring Protocol, and so they will remove those extensions from the current draft.

______________________________________________________________________
Calls for Papers
(new listings since last issue only -- full list on Web)
______________________________________________________________________

(see also Calendar)

CONFERENCES

Listed earliest deadline first. See also Cipher Calendar and NRL CHACS CFP list.

o Australian Workshop on Mobile Computing & Databases & Applications, Melbourne, Australia, 1 February 1996, Web page:
The goal of this workshop is to bring together researchers and practitioners with mobile communications background, database research interests, advanced applications and distributed computing systems research & development skills to discuss all aspects of emerging mobile computing paradigm. A topic of interest is security in mobile computing systems. Authors are invited to submit extended abstracts or position papers (at most 4 pages or up to 1500 words). Submissions should be in the form of a single uuencoded compressed PostScript file sent by email. Submissions to Zaslavsky@monash.edu.au by 15 December, 1995.

o 18th Biennial Symposium on Communications, Kingston, Ontario, Canada, June 3-5, 1996.
This symposium is intended to provide a forum for engineers and researchers in the area of Communications and Signal Processing. A specific area of interest is Cryptography & Security. Five copies of an Abstract and a thousand-word (1000) Summary should be sent to Dr. H. T. Mouftah, mouftah@eleceng.ee.queensu.ca, by January 22, 1996.

o CRYPTO '96, Santa Barbara, California, August 18-22, 1996.
Crypto '96, the Sixteenth Annual Crypto Conference, is organized by the International Association for Cryptologic Research (IACR), in cooperation with the IEEE Computer Society Technical Committee on Security and Privacy, and the Computer Science Department of the University of California, Santa Barbara. Original papers are solicited on all technical aspects of cryptology. Please send a cover letter, one title page and 16 copies of an extended abstract. They must be received by the Program Chair, Neil Koblitz (koblitz@math.washington.edu) no later than February 14, 1996 (or postmarked by February 4, 1996 and sent via airmail).

o Twenty-second International Conference on Very Large Data Bases, 3-6 September 1996, Bombay, India.
Papers solicited in the general field of databases, including paper and panel proposals on "futuristic topics." Topics of interest include data consistency, integrity, and security. Submit six copies of original papers not longer than 5000 words to the appropriate program chair (Asia/Australia: Nandlal L. Sarda, nls@cse.iitb.ernet.in; Americas: C. Mohan, mohan@almaden.ibm.com; Europe: Alejandro Buchmann, buchmann@dvs1.informatik.th-darmstadt.de), by 23 February 1996. The announcement emphasizes that there will be no grace period for late submissions.

o Smart Card Research and Advanced Application Conference, Lille, France, September 18-20, 1996; Conf Web page: .
Topics range from electrical engineering on the hardware side to tailor-made cryptographic applications on the software side.
Submissions of 16 copies of a full paper (see announcement for full details) by March 1, 1996.

o High-Assurance Systems Engineering Workshop, Lake, Canada, October 22, 1996; Conf Web page:
The primary focus of the Workshop is on innovative research results in the area of high-assurance (real-time, reliable, safety-critical, and secure) systems. Complex systems' engineering issues, including hardware design, software engineering (both formal and informal methods), testing and performance evaluation, are a particular focus of the Workshop. Authors are invited to submit original, previously unpublished papers in five copies to Dr. Sourav Bhattacharya (sourav@acm.org) by March 15, 1996. Questions regarding the Workshop may also be sent to Professor Farokh Bastani (FBastani@uh.edu).

o 6th USENIX UNIX Security Symposium, San Jose, California, July 22-25, 1996.
The goal of this symposium is to bring together security and cryptography practitioners, researchers, system administrators, systems programmers, and others with an interest in applying cryptography, network and computer security, and especially the area where these overlap. The focus on applications of cryptography is intended to attract papers in the fields of electronic commerce and information processing, as well as security. Conf Web page: . Abstracts due March 19, 1996; for details send email to securityauthors@usenix.org.

o 7th Int'l Conference and Workshop on Database and Expert Systems Applications, Zurich, Switzerland, September 9-13, 1996; Conf Web page.
The aim of DEXA 96 is to present both research contributions in the area of data and expert systems and a large spectrum of already implemented or just being developed applications; security is a suggested topic. Authors are invited to submit original research contributions or experience reports in English. Papers should be double-spaced and no longer than 5.000 words.
A separate cover sheet must be included which provides the following information: title, name of author(s), postal and electronic mail addresses, telephone and fax numbers. Authors are invited to send 4 copies of their paper to Prof. Dr. Roland R. Wagner by March 31, 1996.

o 6th International Conference on Database Theory, Delphi, Greece, January 8-10, 1997. A topic of interest is fundamentals of security and privacy in databases. Authors are invited to submit 8 copies of a full conference paper (which might be an extended abstract where proofs are only sketched) of about 5000 words (10 typed pages in no less than 11-point font) by June 13, 1996, to one of the program co-chairs, Foto Afrati (afrati@cs.ece.ntua.gr) or Phokion G. Kolaitis (kolaitis@cse.ucsc.edu).

o First Asia-Pacific Conference on Knowledge Discovery and Data Mining, Singapore. Goal is to bring together researchers and practitioners from basic and applied research and information industries, and to push forward the state-of-art of KDD. The conference technical programme will include paper presentations, posters, invited talks, panels, and tutorials in a two-day event. Security and privacy are topics of interest. Info available from hweeleng@iti.gov.sg.

JOURNALS

Regular archival computer security journals:

o Journal of Computer Security (JCS) [see Cipher Web pages or EI#9]; e-mail contacts for submissions: jajodia@isse.gmu.edu or jkm@mitre.org
o Computers & Security [see Cipher Web pages or EI#9]; e-mail contact for submissions: j.meyer@elsevier.co.uk

Special Issues of Journals and Handbooks: listed earliest deadline first.
[No new entries this issue]

________________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 1: Conference Papers
________________________________________________________________________

GLOBECOM'95, IEEE 1995 Global Telecommunications Conference, Westin Stamford & Westin Plaza, Singapore, November 13-17 1995 (security-related papers only):

o A Flexible and Secure Multicast Architecture for ATM Networks, Shaw-Cheng Chuang (University of Cambridge, UK)
o A Symmetric Cipher Using Autonomous and Non-Autonomous Cellular Automata, B Srisuchinwong (Thammasat Univ, Thailand), T A York (Univ of Manchester, UK), Ph. Tsalides (Democritus Univ of Thrace, Greece)
o An ID-Based Cryptographic Technique for IFF, Kwei Tu (Lockheed Eng'g & Sciences Company, USA)
o A Probabilistic Encryption Using Very High Residuosity and its applications, Sung Jun Park and Dong Ho Won (Sung Kyun Kwan University, Korea)
o Secure Communications Using Chaos, Jaejin Lee, Chungyong Lee and Douglas B Williams (Georgia Institute of Technology, USA)
o Data Communication Via Chaotic Encoding and Associated Security Issues, Jaafar M H Elmirghani, (University of Northumbria at Newcastle, UK)
o Authenticated Key Distribution and Secure Broadcast Using No Conventional Encryption: A Unified Approach Based on Block Codes, Robert H Deng (National University of Singapore), Li Gong (SRI International, USA), Aurel A Lazar (Columbia University, USA), Weiguo Wang (National University of Singapore)
o Securing Data Transfer in Asynchronous Transfer Mode Networks, Robert H Deng, (National University of Singapore), Li Gong (SRI International, USA), Aurel A Lazar (Columbia University, USA)
o Document Identification to Discourage Illicit Copying, S H Low, A M Lapone, N F Maxemchuk (AT&T Bell Laboratories, USA)
o Trade-Offs in Routing Private Multicast Traffic, Li Gong and Nachum Shacham (SRI International, USA)

Papers to be presented at the
Internet Society Symposium on Network and Distributed Systems Security, San Diego, CA, February 22-23, 1996, as listed in the preliminary program distributed December 5, 1995. Registration: request e-mail form from Ndss96reg@isoc.org.

o Mixing E-mail with BABEL, Gene Tsudik and Ceki Gulcu (IBM Research Division, Zurich Research Laboratory, SWITZERLAND)
o An Integration of PGP and MIME, Kazuhiko Yamamoto (Nara Institute of Science and Technology, JAPAN)
o A Security Framework Supporting Domain Based Access Control in Distributed Systems, Nicholas Yialelis and Morris Sloman (Imperial College, London)
o A Flexible Distributed Authorization Protocol, Jonathan Trostle (CyberSAFE, USA) and B. Clifford Neuman (Inf. Sci. Institute, USC, USA)
o Preserving Integrity in Remote File Location and Retrieval, Trent Jaeger (Univ of Michigan, USA) and Aviel D. Rubin (Bellcore, USA)
o C-HTTP - The Development of a Secure, Closed HTTP-Based Network on the Internet, Takahiro Kiuchi (University of Tokyo, JAPAN) and Shigekoto Kaihara (University of Tokyo Hospital, JAPAN)
o Designing an Academic Firewall: Policy, Practice and Experience with SURF, Michael B. Greenwald, Sandeep K. Singhal, Jonathan R. Stone, and David R. Cheriton (Stanford University, USA)
o Digital Signature Protection of the OSPF Routing Protocol, Sandra Murphy and Madelyn Badger (Trusted Information Systems, USA)
o A Case Study of Secure ATM Switch Booting, Shaw-Cheng Chuang and Michael Roe (University of Cambridge, UNITED KINGDOM)
o SKEME: A Versatile Secure Key Exchange Mechanism for Internet, Hugo Krawczyk (IBM T.J. Watson Research Center, USA)
o IDUP and SPKM: Developing Public-Key-Based APIs and Mechanisms for Communication Security Services, Carlisle Adams (Bell-Northern Research, CANADA)
o An Empirical Study of Secure MPEG Video Transmissions, Iskender Agi and Li Gong (SRI International, USA)
o Parallelized Network Security Protocols, Erich Nahum and David J.
Yates (University of Massachusetts, USA), Sean O'Malley, Hilarie Orman and Richard Schroeppel (University of Arizona, USA)
o A "Bump in the Stack" Encryptor for MS-DOS Systems, David A. Wagner (University of California at Berkeley, USA) and Steven M. Bellovin (AT&T Bell Laboratories, USA)

Twelfth Int. Conf. on Data Engineering (ICDE), New Orleans, LA, 26 Feb.-1 March 1996, (security related paper only):

o Secure mediated databases. K.S. Candan, Sushil Jajodia and V.S. Subrahmanian.

Workshop on Formal Methods in Software Practice (FMSP '96), San Diego, CA, 10-11 January, 1996 (security related paper only):

o A framework for specification and verification of information flow security policies. R. V. Puri and W. A. Wulf

________________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 2: Journal and Newsletter Articles, Book Chapters
________________________________________________________________________

* Dr. Dobb's Journal, Vol. 21 No. 1 (Jan. 1996).
  - T. J. Pope. Password files. pp.72-77.
  - B. Schneier. Differential and linear cryptanalysis. pp. 42-49.
  - I. Goldberg and D. Wagner. Randomness and the Netscape browser. pp. 58-65.

* Computers & Security Volume 14, Number 6 (1995). (Elsevier)
  Special Features:
  - Claude Oliver. Privacy anonymity and accountability. pp. 489-490.
  - Alan Krull. Controls in the next millennium: anticipating the IT-enabled future. pp.491-495.
  - Jim Reid. Open systems security: traps and pitfalls. pp. 496-517.
  Refereed Papers:
  - F. Stoll. The need for decentralization and privacy in mobile communications networks. p. 527-540.
  - Raymond Lo, Karl Levitt, and Ronald Olsson. MCF: a malicious code filter. p. 541-566.

* OnTheInternet Vol. 1, No. 5 (Nov-Dec 1995) (Internet Society)
  Peter Harter. Netlaw: security standards and snowballing. pp.10-11.

* ACM SIGCOMM Computer Communication Review, Volume 25, Number 5 (October, 1995).
  G. White and U. Pooch.
Problems with DCE security services. pp.5-12.

* Wireless Networks, Vol. 1 No. 3 (Oct. 1995). (Baltzer Science Pub.)
  - L. Gong and N. Shacham. Multicast security and its extension to a mobile environment. pp. 281-296.
  - D. A. Cooper and K. P. Birman. The design and implementation of a private message service for mobile computers. pp. 297-310.

* ;login: (The USENIX association newsletter), Vol. 20, No. 6 (December 1995):
  P. Honeyman. Digest of the USENIX Workshop on Electronic Commerce. pp. 6-19.

* Information Processing Letters, Vol. 56, No. 3 (November 1995):
  - G. Lowe. An attack on the Needham-Schroeder public-key authentication protocol. pp. 131-133.
  - J. Clark and J. Jacob. On the security of recent protocols. pp. 151-155.

* Computers & Security Volume 14, Number 5 (1995). (Elsevier)
  Refereed Papers:
  - A. Doumas, K. Mavroudakis, D. Gritzalis, and S. Katsikas. Design of a neural network for recognition and classification of computer viruses. p. 435-448.
  - Muninder Kailay and Peter Jarratt. RAMeX: a prototype expert system for computer security risk analysis and management. p. 449-464.
  - Thomas Hardjono and Jennifer Seberry. Applications of smartcards for anonymous and verifiable databases. p. 465-472.

* IEEE Journal on Selected Areas in Communications, Vol. 13, No. 8 (October 1995). Issue on "The Global Internet", J. Crowcroft, D. Estrin, H. Schulzrinne, and M. Schwartz, Guest editors [URL: http://www.research.att.com/jsac]
  - J. Crowcroft, D. Estrin, H. Schulzrinne, and M. Schwartz. Guest Editorial - The Global Internet. pp. 1366-1370.
  - J.T. Brassil, S. Low, N.F. Maxemchuk and L. O'Gorman. Electronic Marking and Identification Techniques to Discourage Document Copying. pp. 1495-1504.
  - B.C. Neuman. Security, Payment, and Privacy for Network Commerce. pp. 1523-1531. (Invited paper)

* Information Processing Letters, Vol. 56, No. 2 (October 1995):
  T.W. Cusick. Cryptanalysis of a public key system based on Diophantine equations. pp. 73-75.

* BYTE, Vol. 20, No.
10 (October 1995):
  P. Wayner. Picking the Crypto Locks. pp. 77-80.

* IEEE Transactions on Computers, Vol. 44, No. 9 (September 1995):
  L. O'Connor. A Differential Cryptanalysis of Tree-Structured Substitution-Permutation Networks. pp. 1150-1152.

* Dr. Dobb's Journal, Vol. 20, No. 9 (September 1995) pp. 137-138.:
  B. Schneier. The Blowfish Encryption Algorithm: One Year Later.

________________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 3: Books
________________________________________________________________________

* C. Kaufman, R. Perlman, and M. Speciner. Network Security: Private Communications in a Public World. Prentice-Hall, Englewood Cliffs, NJ, ISBN 0-13-061466-1.

________________________________________________________________________
Calendar
________________________________________________________________________

Internet Conference Calendar, URL:http://www.automatrix.com/conferences/ is also worth a look.

Dates    Event, Location    Point of Contact/ more information
-----    ---------------    ----------------------------------
====================================================================
See Calls for Papers section for details on many of these listings.
====================================================================

o 12/22/95: CoopIS96, Brussels, Belgium; Submissions to ake@cs.purdue.edu.
o 12/27/95-12/30/95: 7th COMAD, Pune, India; anand@pspl.ernet.in or krishnam@hplabs.hp.com
o 12/31/95: IH Workshop '96, Cambridge, UK, submissions due; ross.anderson@cl.cam.ac.uk
o 1/10/96: Journal ICDE 96; Submissions for journal special issue to dimitris@gte.com or (jari.veijalainen@vtt.fi).
o 1/11/96: FMSP '96 San Diego, CA, sriram.sankar@sun.com
o 1/15/96: DMKD96 Montreal, Canada. Papers to rng@cs.ubc.ca.
o 1/15/96: INET96, Montreal, Canada. Submissions due to inet-submission@isoc.org.
o 1/15/96: COMPASS96, Gaithersburg, Maryland; Submissions to faulk@itd.nrl.navy.mil.
o 1/22/96: SOC18. Kingston, Ontario, Canada; submissions due to mouftah@eleceng.ee.queensu.ca.
o 1/29/96: ACISP96. Wollongong, NSW, Australia. Submissions to josef@cs.uow.edu.au;
o 1/31/96: IFIP96 Mobile Commns. Abstracts due to IFIP96@acs.org.au.
o 1/31/96: ISTCS96, Jerusalem, Israel. Submissions due to istcs96@cs.rice.edu.
o 2/ 1/96: BDBIS, Tallinn, Estonia. Abstracts to balt96@cs.ioc.ee.
o 2/ 1/96: MCDA96. Melbourne, Australia.
o 2/ 2/96: CSFW96. County Kerry, Ireland. Wkshop Submissions due to mischu@research.att.com.
o 2/14/96: CRYPTO96. Santa Barbara, California. Submissions due to koblitz@math.washington.edu;
o 2/20/96: IFIP WG 11.3, Como, Italy, submissions due, samarati@dsi.unimi.it or sandhu@isse.gmu.edu
o 2/20/96- 2/21/96: FISP96, San Diego, CA; Federal Internet Security Plan
o 2/21/96-2/23/96: FSE Workshop '96, Cambridge, UK; dieter@dcs.rhbnc.ac.uk
o 2/22/96- 2/23/96: SNDSS '96, San Diego, CA; http://nii.isi.edu/info/sndss
o 2/23/96: VLDB96, Bombay, India. American submissions due to mohan@almaden.ibm.com;
o 2/26/96- 3/ 1/96: ICDE '96, New Orleans; icde96@cis.ufl.edu
o 2/26/96- 2/27/96: IMC'96, Rostock, Germany.
o 3/ 1/96: WebNet. San Francisco, CA; Submissions to AACE@virginia.edu.
o 3/ 1/96: SCRAPC96, Lille, France. Submissions due by mail;
o 3/ 7/96- 3/ 8/96: RTDB96, Newport Beach, California.
o 3/14/96- 3/16/96: CCS-3, New Delhi; gong@csl.sri.com or Jacques.Stern@ens.fr
o 3/15/96: ESORICS'96, Rome, Italy. Submissions due; bertino@hermes.mc.dsi.unimi.it
o 3/15/96: HASE96. Niagara-on-the-Lake, Canada; Hard-copy submissions due to sourav@acm.org.
o 3/21/96- 3/24/96: TSMCFP96 Nashville, Tenn.; lundeng@ctrvax.vanderbilt.edu.
o 3/18/96: KDD96. Portland, Oregon, Submissions due, kdd@aaai.org.
o 3/19/96: USENIX Sec Symp, San Jose, California; Abstracts due, details from securityauthors@usenix.org;
o 3/27/96- 3/30/96: CFP '96, Cambridge, MA; cfp96@mit.edu
o 3/31/96: DEXA96.
Zurich, Switzerland; Submissions due; dexa@faw.uni-linz.ac.at for info;
o 4/10/96- 4/13/96: CWCP, Cambridge, UK; tmal@cl.cam.ac.uk
o 4/16/96- 4/18/96: METAD. Silver Spring, Maryland
o 4/30/96- 5/ 3/96: 8th CCSS, Ottawa; questions to ccss96@cse.dnd.ca.
o 5/ 5/96- 5/ 8/96: IEEE S&P 96; dmj@mitre.org
o 5/21/96- 5/24/96: IFIP/SEC 96 - Greece; sec96@aegean.ariadne-t.gr
o 5/27/96- 5/30/96: ICDCS96 Kowloon, Hong Kong.
o 5/30/96- 6/1/96: IH Workshop '96, Cambridge, UK; ross.anderson@cl.cam.ac.uk
o 6/ 2/96: DMKD96 Montreal, Canada.
o 6/ 3/96- 6/ 6/96: SIGMOD/PODS '96, Montreal, Canada
o 6/ 3/96- 6/ 5/96: SOC18, Kingston, Ontario, Canada.
o 6/10/96- 6/12/96: CSFW96. County Kerry, Ireland Wkshop
o 6/10/96- 6/11/96: ISTCS96. Jerusalem, Israel.
o 6/12/96- 6/14/96: BDBIS. Tallinn, Estonia
o 6/17/96- 6/21/96: COMPASS96, Gaithersburg, Maryland;
o 6/13/96: ICDT97, Delphi, Greece; Submissions due to afrati@cs.ece.ntua.gr;
o 6/18/96- 6/20/96: ICSSDBM '96, Stockholm; pers@sto.foa.se
o 6/19/96- 6/21/96: CoopIS96, Brussels, Belgium.
o 6/24/96- 6/26/96: ACISP96, Wollongong, NSW, Australia.
o 6/25/96- 6/28/96: INET96. Montreal, Canada
o 7/22/96- 7/24/96: IFIP WG 11.3, Como, Italy, samarati@dsi.unimi.it or sandhu@isse.gmu.edu
o 7/22/96- 7/25/96: USENIX Sec Symp, San Jose, California;
o 8/ 3/96- 8/ 5/96: KDD96. Portland, Oregon
o 9/2/96-9/6/96: IFIP96 Mobile Commns Canberra, Australia.
o 8/18/96- 8/22/96: CRYPTO96, Santa Barbara, California
o 9/ 3/96- 9/ 6/96: VLDB96, Bombay, India
o 9/ 9/96- 9/13/96: DEXA96, Zurich, Switzerland.
o 9/18/96- 9/20/96: SCRAPC96, Lille, France
o 9/25/96- 9/27/96: ESORICS'96, Rome; bertino@hermes.mc.dsi.unimi.it
o 10/16/96-10/19/96: WebNet. San Francisco, CA
o 10/22/96: HASE96. Niagara-on-the-Lake, Canada;
o 11/??/96: ESORICS '96, Rome, Italy; no e-mail address available
o 1/ 8/97- 1/10/97: ICDT97, Delphi, Greece;
o 2/??/97: PAKDD '97, Singapore.
Info hweeleng@iti.gov.sg;
o 5/ 4/97- 5/ 7/97: IEEE S&P 97; no e-mail address available
o 5/13/97- 5/16/97: 9th CCSS, Ottawa; no e-mail address available
o 5/ 3/98- 5/ 6/98: IEEE S&P 98; Oakland no e-mail address available
o 5/12/98- 5/15/98: 10th CCSS, Ottawa; no e-mail address available
o 5/ 2/99- 5/ 5/99: IEEE S&P 99; Oakland no e-mail address available
o 5/11/99- 5/14/99: 11th CCSS, Ottawa; no e-mail address available
o 4/30/00- 5/ 3/00: IEEE S&P 00; Oakland no e-mail address available
o 5/16/00- 5/19/00: 12th CCSS, Ottawa; no e-mail address available

Key:

o ACISP = Australasian Conference on Inf. Security and Privacy, ACISP96
o ACSAC = Annual Computer Security Applications Conference
o BDBIS = Baltic Workshop on DB and IS, BDBIS
o CCS-3 = 3rd ACM Conference on Computer and Communications Security
o CCSS = Annual Canadian Computer Security Symp
o CIKM = Int. Conf. on Information and Knowledge Management CIKM '95
o COMAD = Seventh Int'l Conference on Management of Data (India)
o CISMOD = Int'l Conf. on Information Systems and Management of Data
o CFP = Conference on Computers, Freedom, and Privacy
o CoopIS96 = First IFCIS Int'l Conference on Cooperative Information Systems, CoopIS96.
o COMPASS = Conference on Computer Assurance COMPASS'96
o CPAC = Cryptography - Policy and Algorithms Conference
o CRYPTO = IACR Annual CRYPTO Conference CRYPTO96
o CSFW = Computer Security Foundations Workshop CSFW96 and Wkshp page
o CWCP = Cambridge Workshop on Cryptographic Protocols
o DCCA = Dependable Computing for Critical Applications
o DEXA = Int'l Conference and Workshop on Database and Expert Systems Applications, DEXA96
o DMKD96 = Workshop on Research Issues on Data Mining and Knowledge Discovery, and CFP.
o DOOD = Conference on Deductive and Object-Oriented Databases DOOD '95
o ESORICS = European Symp on Research in Computer Security ESORICS'96
o FISP = Federal Internet Security Plan Workshop, FISP96.
o FISSEA = Federal Information Systems Security Educators' Association
o FMSP = Formal Methods in Software Practice
o FSE = Fast Software Encryption
o HASE = High-Assurance Systems Engineering Workshop HASE96
o HPTS = Workshop on High Performance Transaction Systems
o IC3N = Int'l Conference on Computer Communications and Networks
o ICDCS96 = The 16th Int'l Conference on Distributed Computing Systems, ICDCS96
o ICDE = Int. Conf. on Data Engineering ICDE '95
o ICDT = Int'l Conference on Database Theory ICDT97.
o ICI = Int'l Cryptography Institute
o ICECCS = Int'l Conference on Engineering of Complex Computer Systems
o ICSSDBM = Int. Conf. on Scientific and Statistical Database Management
o IEEE S&P = IEEE Symp on Security and Privacy - IEEE S&P '96
o IFIP/SEC = Int'l Conference on Information Security (IFIP TC11)
o IFIP WG11.3 = IFIP WG11.3 10th Working Conference on Database Security
o IFIP96 Mobile Commns = IFIP 1996 World Conference, Mobile Communications
o IH Workshop '96 = Workshop on Information Hiding
o IMACCC = IMA Conference on Cryptography and Coding, 5th IMACC
o IMC96 = IMC'96 Information Visualization and Mobile Computing
o INET = Internet Society Annual Conference
o INET96 = The Internet: Transforming Our Society Now, INET96
o IS = Information Systems (journal)
o ISTCS = Fourth Israeli Symp on Theory of Computing and Systems, ISTCS96.
o IT-Sicherheit '95 = Communications and Multimedia Security: Joint Working conference of IFIP TC-6 and TC-11 and Austrian Computer Society
o JBCS = Journal of the Brazilian Computer Society
o JCMS = Journal of Computer Mediated Communication
o KDD96 = The Second Int'l Conference on Knowledge Discovery and Data Mining (KDD-96)
o MCN '95 = ACM Int. Conf. on Mobile Computing and Networking MCN '95
o MCDA = Australian Workshop on Mobile Computing & Databases & Applications; MCDA96.
o MDS '95 = Second Conference on the Mathematics of Dependable Systems MDS-95
o METAD = First IEEE Metadata Conference METAD
o MMDMS = First Int.
Wkshop on Multi-Media Database Management Systems
o NCSC = National Computer Security Conference
o NISS = National Information Systems Security Conference
o NSPW = New Security Paradigms Workshop
o OOER = Fourteenth Int. Conf. on Object-Oriented and Entity Relationship Modelling OOER '95
o PAKDD = First Asia-Pacific Conference on Knowledge Discovery and Data Mining, PAKDD97
o RBAC'95 = First ACM Workshop on Role-Based Access Control
o RTDB'96 = First Int'l Workshop on Real-Time Databases: Issues and Applications, RTDB96.
o SAC '95 = 2nd Annual Workshop on Selected Areas of Cryptography
o SCRAPC = Smart Card Research and Advanced Application Conference SCRAPC96
o SFTC-VI = Symp on Fault Tolerant Computing - VI (Brazil)
o SIGMOD/PODS = ACM SIGMOD Int'l Conference on Management of Data / ACM SIGACT SIGMOD-SIGART Symp on Principles of Database Systems
o SNDSS = Symp on Network and Distributed System Security (Internet Society)
o SOC = 18th Biennial Symp on Communications, SOC18.
o TSMCFP96 = 4th Int'l Conference on Telecommunication Systems
o USENIX Sec Symp = USENIX UNIX Security Symp, 6th Annual.
o VLDB = 22nd Int'l Conference on Very Large Data Bases, VLDB96.
o WDAG-9 = Ninth Int. Workshop on Distributed Algorithms
o WebNet = World Conference of the Web Society, WebNet96.

________________________________________________________________________
Who's Where: recent address changes
________________________________________________________________________

Entered 22 December 1995:

Randall J. Atkinson
Cisco Systems
170 West Tasman Drive
San Jose, CA 95134-1706
voice: (408) 526-6566
fax: (408) 526-4952
e-mail: rja@cisco.com

________________________________________________________________________
New Reports available via FTP and WWW
________________________________________________________________________

o Paul Kocher paper on timing attack on RSA (HTML) 13 December 1995
o Tunneling SSL Through a WWW Proxy by A. Luotonen; Revised Internet-Draft, 14 December 1995.
Extends current WWW proxy protocol to allow an SSL client to open a secure tunnel through the proxy.
o Use of the GSS-API for Web Security by D. Rosenthal; Internet-Draft from Web Transaction Security Working Group of the IETF, 6 November 1995. Describes a means of using Generic Security Service API to secure WWW transactions, enabling mutual authentication and data encryption capabilities to be incorporated into Web clients and servers in a security technology-independent way.
o MasterCard Secure Electronic Payment Protocol Specification, revised 10 November 1995
o Microsoft/Visa Secure Transaction Technology http://www.microsoft.com/industry/fin/fintech.htm
o "MIME Object Security Services", 10/03/1995.
o RFC 1847: "Security Multiparts for MIME: Multipart/Signed and Multipart/Encrypted", 10/03/1995.
o Information Technology for Control of Money Laundering; OTA report

________________________________________________________________________
Interesting Links [new entries only]
________________________________________________________________________

Format: Description (first lines) followed by URL (last line)

Government sources/information:
-------------------------------
[no new entries]

Professional societies and organizations:
-----------------------------------------
[no new entries]

Other places for interesting research papers, announcements, assistance
-----------------------------------------------------------------------
The Applied Cryptography Case: Phil Karn's page documenting his CJR for Bruce Schneier's book
http://www.qualcomm.com/people/pkarn/export/index.html

________________________________________________________________________
Data Security Letter Subscription Offer
________________________________________________________________________

A special subscription rate of $25/year for the Data Security Letter is now available to IEEE TC members. The DSL is an external, nonpartisan newsletter published by Trusted Information Systems, Inc.
Eleven issues (usually 16 pages each) per year are published. The DSL welcomes reader suggestions and contributions and accepts short research abstracts (about 130 words) for publication on an ongoing basis. On occasion, the DSL will be republishing Cipher articles (with authors' approval), but such articles will constitute a small portion of DSL content (thus there will be very little duplication of Cipher material).

IEEE TC members wishing to take advantage of the special subscription rate should send the following to sharon@tis.com. The information can also be faxed to 301-854-5363 (attention: DSL), phoned to 301-854-5338, or mailed to Trusted Information Systems, Inc., 3060 Washington Rd., Glenwood, MD 21738 USA.

NAME:
POSTAL ADDRESS: (Please indicate company name, if a business address)
PHONE: (Please indicate if home or business)
FAX:
E-MAIL:
IEEE Membership No. (if applicable):

NOTE: If you are already a paying subscriber to the DSL, for the $25 you will receive a 2-year renewal; refunds, rebates, etc., on your current subscription are not available.

If you have any questions about the offer or anything else pertaining to the DSL, you may contact the editor, Sharon Osuna, via E-Mail to sharon@tis.com or call her at 301-854-5338.

________________________________________________________________________
How to join the TC on Security and Privacy
________________________________________________________________________

You do NOT have to join either IEEE or the IEEE Computer Society to join the TC, and there is no cost to join the TC. All you need to do is fill out an application form and mail or fax it to the IEEE Computer Society.
A copy of the form is included below (to simplify things, only the TC on Security and Privacy is included, and is marked for you). The full and complete form is available on the IEEE Computer Society's Web Server at URL: http://info.computer.org:80/tab/tcapplic.htm

PLEASE NOTE THAT THE FORM IS TO BE RETURNED (BY MAIL OR FAX) TO THE IEEE COMPUTER SOCIETY, >>NOT<< TO CIPHER.

---------
IEEE Computer Society Technical Committee Membership Application
-----------------------------------------------------------
Please print clearly or type.
-----------------------------------------------------------
Last Name                First Name               Middle Initial
___________________________________________________________
Company/Organization
___________________________________________________________
Office Street Address (Please use street addresses over P.O.)
___________________________________________________________
City                                              State
___________________________________________________________
Country                                           Postal Code
___________________________________________________________
Office Phone                                      Fax
___________________________________________________________
Email Address (Internet accessible)
___________________________________________________________
Home Address (optional)
___________________________________________________________
Home Phone
___________________________________________________________

[ ] I am a member of the Computer Society
    IMPORTANT: IEEE Member/Affiliate/Computer Society Number: ____________________
[ ] I am not a member of the Computer Society*

Please Note: In some TCs only current Computer Society members are eligible to receive Technical Committee newsletters.

Please select up to four Technical Committees/Technical Councils of interest.
TECHNICAL COMMITTEES

[ X ] T27 Security and Privacy

Please Return Form To:

IEEE Computer Society
1730 Massachusetts Ave, NW
Washington, DC 20036-1992
Phone: (202) 371-0101
FAX: (202) 728-9614

________________________________________________________________________
TC Publications for Sale
________________________________________________________________________

Just the thing for holiday giving: proceedings from the 1995 IEEE Symposium on Security and Privacy in a festive red and green cover. Also available are those old favorites in blue, orange, and pink, for purchase by TC members at favorable rates. Current issues in stock and continuing LOW PRICES are as follows:

        Price by mail from TC    IEEE CS Press          IEEE CS Press
Year    TC members               IEEE member price      List Price
----    ----------               -----------------      -------------
1992    $10                      Only available from TC!
1993    $15                      Only available from TC!
1994    $20                      $30+$4 S&H             $60+$5 S&H
1995    $25                      $25+$4 S&H             $50+$4 S&H

For overseas delivery:
-- by surface mail, please add $5 per order (3 volumes or fewer)
-- by air mail, please add $10 per volume to the prices listed above.

If you would like to place an order, please send a letter specifying
o which issues you would like,
o where to send them, and
o a check in US dollars, payable to the 1995 IEEE Symposium on Security and Privacy
to:

Charles N. Payne
Treasurer, IEEE TC on Security and Privacy
Secure Computing Corp.
2675 Long Lake Rd.
Roseville, MN 55113

We remain unready to plunge our figurative toe into the inviting but potentially treacherous waters of electronic commerce!

________________________________________________________________________
TC Officer Roster
________________________________________________________________________

Chair:
Deborah Cooper
P.O. Box 17753
Arlington, VA 22216
(703)908-9312 voice and fax
dmcooper@ix.netcom.com

Vice Chair:
Charles P. Pfleeger
Trusted Information Systems, Inc.
3060 Washington Rd.,
Glenwood, MD 21738
(301)854-6889 (voice)
(301)854-5363 (fax)
pfleeger@tis.com

Newsletter Editor:
Carl Landwehr
Code 5542
Naval Research Laboratory
Washington, DC 20375-5337
(202)767-3381
landwehr@itd.nrl.navy.mil

Chair, Subcommittee on Academic Affairs:
Prof. Karl Levitt
University of California, Davis
Division of Computer Science
Davis CA 95611
(916)752-0832
levitt@iris.ucdavis.edu

Standards Subcommittee Chair:
Greg Bergren
10528 Hunters Way
Laurel, MD 20723-5724
(410)684-7302
(410)684-7502 (fax)
glbergr@missi.ncsc.mil

________________________________________________________________________
Information for Subscribers and Contributors
________________________________________________________________________

SUBSCRIPTIONS: Two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to (which is NOT automated) with subject line "subscribe".
2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing or downloading from our ftp server send e-mail to (which is NOT automated) with subject line "subscribe postcard".

To remove yourself from the subscription list, send e-mail to cipher-request@itd.nrl.navy.mil with subject line "unsubscribe".

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher

CONTRIBUTIONS: to are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. For Calendar entries, please include an e-mail address for the point-of-contact. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

BACK ISSUES: There is an archive that includes each copy distributed so far, in ascii, in files you can download at URL http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher/cipher-archive.html

There is also an anonymous FTP server that contains the same files. To access the archive via anonymous FTP:

1. ftp www.itd.nrl.navy.mil
2. At prompt for ID, enter "anonymous"
3. At prompt for password, enter your actual, full e-mail address
4. Once you are logged in, change to the Cipher Directory: cd pub/cipher
5. Now you can request any of the files containing Cipher issues in ascii. Issues are named in the form: EI#N.9506 where N is the number of the issue desired and 9506 captures the year and month it first appeared.

=======end of Electronic Cipher Issue #11, 23 December 1995================