Subject: Electronic CIPHER, Issue 16, July 28, 1996 _/_/_/_/ _/_/_/ _/_/_/_/ _/ _/ _/_/_/_/ _/_/_/_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/_/_/_/ _/_/_/_/ _/_/ _/_/_/_/ _/ _/ _/ _/ _/ _/ _/ _/ _/_/_/_/ _/_/_/ _/ _/ _/ _/_/_/_/ _/ _/ ==================================================================== Newsletter of the IEEE Computer Society's TC on Security and Privacy Electronic Issue 16 July 28, 1996 Carl Landwehr, Editor Hilarie Orman, Assoc. Editor ==================================================================== Contents: [1800 lines total] o Letter from the TC Chair o Letter from the Editor Security and Privacy News Briefs: o LISTWATCH: Items from security-related lists, by Mary Ellen Zurko o Clinton orders commission on critical infrastructure protection o MLS MISSIng from MISSI? o UK groups agree on patient pseudonym scheme, by Ross Anderson o US cryptography policy debate continues on same track Conference Reports [none] Questionnaire on practical security experiments New reports available via FTP and WWW Interesting Links Who's Where: recent address changes Calls for Papers Reader's guide to recent security and privacy literature o Conference Papers: Crypto '96, New Sec Paradigms, many more o Journal and Newsletter articles o Book Registry of Security and Privacy Research Projects [no entries!] Calendar >>>>>>>>>>>>>>Data Security Letter subscription offer<<<<<<<<<<< How to join the TC on Security and Privacy Publications for sale TC officers Information for Subscribers and Contributors ____________________________________________________________________ Letter from the TC Chair ____________________________________________________________________ The IEEE Technical Committee on Security and Privacy (TCSP) has traditionally met once a year at the IEEE Symposium on Security and Privacy, our flagship conference. This year, Chuck Pfleeger and I will be hosting a second meeting at the National Information Systems Security Conference in Baltimore, Maryland, which will be held in October 1996. (We apologize to our non-US members, but due to budget restrictions the West and East coasts of the US are as close as we have been able to accommodate the greatest number of our TCSP members.) Everyone is invited to attend the TCSP meeting in October. Time, Room Number and Agenda for the October TCSP meeting will be provided in later issues of Cipher. Feel free to send email to me or Chuck for suggested topics of discussion. See the Cipher list of security conferences for more information on the conference. Our new Chair for the TCSP Subcommittee on Security Conferences is Steve Kent, the position also held by the General Chair for the IEEE Symposium on Security and Privacy. Steve Kent replaces Dale Johnson , to whom the TCSP owes a great deal of thanks for his outstanding work as Chair of the 1996 IEEE Symposium on Security and Privacy and for his continued support. We are always looking for ways to improve our TC and the services the TCSP provides to its members and the community. Send TCSP correspondence to: dmcooper@ix.netcom.com or pfleeger@tis.com. Deborah M. Cooper TCSP Chair ____________________________________________________________________ Letter from the Editor ____________________________________________________________________ Dear Readers, If you check the Cipher web pages regularly, you will know that many of the items in this issue have been available for a week or two; my apologies to the authors for not getting this issue out until now, but I think you will find the content worthwhile nonetheless. The next Cipher will appear (I hope!) in mid- to late- September. A few highlights in the area of security and privacy since the last issue: In June, a three judge panel in Philadelphia ruled that the US Communications Decency Act indeed violated the US Constitution and issued a preliminary injunction against its enforcement. In July, the Justice Department announced that it would appeal the case to the Supreme Court. NIST held a workshop on sharing computer vulnerability data; results should be available soon, but in the meantime, Chris Klaus of ISS has devoted a section of his web site to this topic; see http://www.iss.net/vd/vd.html On the countermeasures side, Janet Misich of DISA's Center for Information Systems Security broadcast a call for security products to be placed in their catalog and database; contact her at spd@ncr.disa.mil or (703)681-1345 if you have a product to list. Also in June, the UK Department of Trade and Industry held a meeting on "Trusted Third Party" proposals; check sci.crypt for a stinging account of it by Ross Anderson. Brian Gladman also distributed comments on the UK's cryptographic policies, suggesting that while the proposals represent progress of a sort, they raise many questions that so far are unanswered. The text of the government's position is said to be available at http://dtiinfo1.dti.gov.uk/cii/encrypt/ but I was unable to get through just now. Reports also circulated that the OECD, meeting in Paris June 26-28 to consider cryptography policy, failed to take the next step toward international recognition of key-escrow systems. The group is scheduled meet in Paris again September 26-27. Inter@ctive Week reported that Trusted Information Systems announced the sale of a system that would support commercial key escrow applications to "a large multinational corporation with headquarters outside the US." The firm was speculated to be Royal Dutch Shell. The Internet Architecture Board (IAB) and Internet Engineering Steering Group (IESG) also weighed in with a statement on cryptographic policy and the Internet, arguing that restriction on the use of cryptography, on key length, and other controls are against the interest of consumers. The statement favors "ready access to uniform strong cryptographic technology for all Internet users in all countries." Meanwhile, testimony of luminaries of the cryptographic world was heard on Capitol Hill and via live audio over the Internet concerning the PRO-CODE legislation. No one's opinions seemed to be changing very much, though Netscape has now been permitted to distribute its export-controlled versions electronically. See the New Reports section of this issue for other export-controlled source code made available for electronic distribution since June. Mastercard and Visa published a new specification for Secure Electronic Transactions (SET). According to some reports, earlier versions of the specification provided less cardholder information to the retail merchant, to prevent fraud, but the current version reflects changes made in response to merchants' complaints and permits them greater access to cardholder data. Cipher needs your contributions; there have been (and will be, in August) several conferences that I would like to receive reports on, and there are probably others you know about and I don't. Please don't hesitate to write up what you learn that you think will be of general interest and send it in. Carl Landwehr Editor, Cipher Landwehr@itd.nrl.navy.mil ____________________________________________________________________ SECURITY AND PRIVACY NEWS BRIEFS ____________________________________________________________________ ____________________________________________________________________ Security-Related News Items from Security-Related Mailing Lists by Mary Ellen Zurko, OSF Research Institute (zurko@osf.org) ____________________________________________________________________ This issue's highlights are from e$ and e$pam. Privacy continues to get a lot of attention on the Net. A Los Angeles television reporter used the name of a convicted child killer, Richard Allen Davis, and sent off a money order for $277 to the Metromail Corporation, which is owned by publishing giant R. R. Donnelly & Sons and is the nation's largest compiler and seller of consumer data. The reporter received a list of more than 5,000 children's names, addresses, phone numbers and ages. One can imagine other sorts of experiments targeting single women, gays and lesbians, and other group whose members are targets of attacks by virtue of their group membership. Cookies are also getting their share of air time. Subscribers to doubleclick.net put a request for a doubleclick cookie on their home page, allowing doubleclick to collect statistics on visitors to their subscriber base, and target advertising to those visitors, based on other home pages they've visited. A poster claimed that www.privnet.com and the Internet Fast Forward netscape plugin for Windows can selectively filter cookie transmissions to web servers (as well as filtering out unwanted images, including but not limited to advertisements). The big news this month was NTT's announcement of an encryption chip made in Japan (which therefore does not have the restrictions that US-made crypto does). They did not have the licenses to sell RSA in the US, but they're negotiating with RSA to get them. A mailing list created by the US Federal Trade Commission to allow interested parties to discuss the issues surrounding the privacy interests of consumers visiting web sites. The address to subscribe to it is PRIVACY-REQUEST@FTC.GOV. The discussion topic centers on whether the FTC should regulate consumer web information. There is also a new email list called hackerpunks, that is totally anonymous. The subscription address is hackerpunks-owner@alpha.c2.org, but only pseudonyms from @alpha.c2.org may subscribe and post to the list. Information warfare has also been getting a lot of attention. The director of the CIA announced plans for a center concerned with "very, very large" scale attacks to information infrastructures. In addition, the London Times published a story about attacks on financial institutions involving blackmailing and threats of suspended computer service. None of the sources in the story were named. Drawing an analogy with encryption and US ITAR, a poster reported that A piper is being taken to court for practicing on Hampstead Heath, which has a bye-law forbidding music. Mr Brooks, the piper, has denied the charge. He claims he wasn't playing a musical instrument, but practicing with a weapon. In 1746 in England, bagpipes were declared to be instruments of war, not musical weapons, and a subsequent Act of Parliament specifically stated that they were weapons. An article in the Financial Times discusses face recognition technology. The state of Massachusetts is going to be using a system based on work at MIT's Media Lab, to identify people using multiple id's for fraud. The MIT work breaks up pictures of a face into pixels, normalizes for factors such as distance and lighting, and selects facial features that can most easily distinguish one face from another. A Florida bill (http://www.scri.fsu.edu/fla-leg/bills/senate-1996/sb0942.html) was introduced that supports digital signatures as a form of legal signature. While current laws do not preclude this use, the bill is meant to further legitimize their use. On Java security, Sun announced that Java would implement SKIP (Simple Key Management for Internet Protocol) for secure distribution of applets. SKIP is a sessionless key management protocol, and the product of an IETF working group. The International Cryptography Experiment (ICE) at http://www.tis.com/crypto/ice.html is concerned with evolving standards in CAPIs that promote international cryptography. Micropayments got a lot of discussion on several mailing lists, as well as a list of their own. They're interesting from a security point of view for their cost/security trade-offs. Each item needing protection has a very small value, but the aggregation of the items can turn into "real money." A bunch of time has been spent discussing just what is a micropayment (under $1 and above 1 cent seems to be the consensus, although there are systems that can cover part of this range in use already). Concerns about UI were raised (users don't want to be bothered with small payments vs. users want control of their money), as well as the economic impact of having to pay for what we get free today. There are few things I'd pay for that I get free today, but one of them is e$pam. It's Bob Hettinga's write-only electronic commerce channel, and it's where most of what I send to Cipher comes from. He's living proof of many of his favorite issues; that reputation capital can be built up, and that content selection is an increasingly important service. The subscription address is e$pam-request@intertrader.com. It puts out about 20 mail messages a day. It covers the security aspects of electronic commerce, as well as the economic theory, and everything in between. ____________________________________________________________________ Clinton orders commission on critical infrastructure protection ____________________________________________________________________ [15 July 1996] Executive Order 13010 of July 15, 1996 Critical Infrastructure Protection "Certain national infrastructures are so vital that their incapacity or destruction would have a debilitating impact on the defense or economic security of the United States. These critical infrastructures include telecommunications, electrical power systems, gas and oil storage and transportation, banking and finance, transportation, water supply systems, emergency services (including medical, police, fire, and rescue), and continuity of government. Threats to these critical infrastructures fall into two categories: physical threats to tangible property (``physical threats''), and threats of electronic, radio-frequency, or computer-based attacks on the information or communications components that control critical infrastructures (``cyber threats''). Because many of these critical infrastructures are owned and operated by the private sector, it is essential that the government and private sector work together to develop a strategy for protecting them and assuring their continued operation." -- from the Order. E.O. 13010 goes on to establish a Commission on Critical Infrastructure Protection, including both government and private sector representatives, that will establish its objectives within 30 days, will identify and consult with relevant parties concerned with "critical infrastructure assurance issues", and will: - assess the scope and nature of the vulnerabilities of, and threats to, critical infrastructures; - determine what legal and policy issues are raised by efforts to protect critical infrastructures and assess how these issues should be addressed; - recommend a comprehensive national policy and implementation strategy for protecting critical infrastructures from physical and cyber threats and assuring their continued operation; - propose any statutory or regulatory changes necessary to effect its recommendations; and - produce reports and recommendations to the Steering Committee as they become available; it shall not limit itself to producing one final report. The Commission is to be assisted by an Advisory Committee and will report to the President through a Principals Committee. A Steering Committee will approve the Commission's objectives and approve its reports. The Order charters the Commission for twelve months. The Order also establishes an Infrastructure Protection Task Force (IPTF) within the Department of Justice, chaired by the FBI, to "increase coordination of existing infrastructure protection efforts in order to better address, and prevent, crises that would have a debilitating regional or national impact" while the commission conducts its analysis and before the administration can act on its recommendations. The IPTF is to include at least one full-time member each from the FBI, the Department of Defense, and the National Security Agency, and its function is to identify and coordinate existing expertise, inside and outside of the Federal Government to: provide, or facilitate and coordinate the provision of, expert guidance to critical infrastructures to detect, prevent, halt, or confine an attack and to recover and restore service; issue threat and warning notices in the event advance information is obtained about a threat; provide training and education on methods of reducing vulnerabilities and responding to attacks on critical infrastructures; conduct after-action analysis to determine possible future threats, targets, or methods of attack; and coordinate with the pertinent law enforcement authorities during or after an attack to facilitate any resulting criminal investigation. Cipher readers may recall a report in EI#14 that suggested that the Justice Department was pressing for a "Cyberspace Defense policy task force" that would recommend policy within 12 months and a cyberspace defense "entity". E.O. 13010 appears to cast its net wider, in that it addresses water and energy supply and distribution systems, transportation, emergency services, and continuity of government as well as telecommunications, banking, and finance. The IPTF established by the order could, perhaps, fill the role suggested in the earlier report. The full text of E.O. 13010 is available from the U.S. Government Printing Office at http://www.gpo.gov/su_docs/aces/aces140.html search for the string "Executive Order 13010". ____________________________________________________________________ MLS MISSIng from MISSI? ____________________________________________________________________ [15 July 1996] "We don't have the technology today that we need to do pure MLS... Quite frankly, today we have two-level MLS, Secret and Unclassified. The technology to do Top Secret down to the Internet is just not there," said Nicholas Piazzola, chief of the National Security Agency's Multilevel Information System Security Initiative (MISSI), according to a report in Government Computer News by Paul Constance (July 15 issue, p. 60). The article reports that while MLS is still a long-term goal, the MISSI program has adopted a "more pragmatic, risk management approach focused on meeting the initial security needs of the Defense Message Systems." Three MISSI products are expected by the end of the year: the Fortezza encryption card (see http://www.armadillo.huntsville.al.us/), a Fortezza/DMS compliant commercial firewall for connecting Sensitive But Unclassified (SBU) DMS networks to the Internet (see http://mitten.ie.org:8000, and Secure Computing Corp.'s Secure Network Server, which is available now (see http://www.sctc.com/). A future Fortezza is expected to include commercial encryption algorithms such as DES and RSA. ____________________________________________________________________ UK groups agree on patient pseudonym scheme, by Ross Anderson ____________________________________________________________________ [21 June 1996] An agreement has been reached between the British Medical Association and the UK's main providers of healthcare analysis information services - CHKS Ltd (a subsidiary of HCIA Inc), the SEMA group, IMG and Reuters - to set minimum standards for the de-identification of medical records. These records are used in analysing hospital readmission rates, referral patterns and casemix, and in epidemiological research generally. Such studies require records of hospital care episodes to be linked, but they should still not be identifiable to individuals outside the hospital or other care provider (or else patient consent must be sought). A problem had arisen in that some (though not all) healthcare information companies had been identifying patients, and linking episodes, by their postcode and date of birth. This combination is enough to identify over 99% of UK residents. It has therefore been agreed that in future, de-identified medical records will not contain either the last two symbols of the postcode, or the day and month of birth. Thus for example CB5 9HF 15/09/1956 will become CB59 56 This is sufficient information for age related casemix studies, and to identify deprived areas. However, it is very rarely enough to identify individuals; there are on average six individuals with each combination of year of birth and postcode sector. In order that episodes can still be linked, there will also be stored a pseudonym for the patient such as a hospital number, practice number or cryptographic hash function of the patient's name and date of birth (in which case there will be a key unique to each provider). This arrangement is not entirely sufficient for the secure handling of health information - further access control and statistical security measures are neededd to foil inferencing and other attacks. However it brings the following immediate benefits: 1. The threat to patient privacy is reduced by orders of magnitude. In particular, the databases are no longer of value to banks, credit reference agencies, insurers and law enforcement; 2. The accuracy of the statistics is significantly improved. At present, figures such as hospital readmission rates are skewed by the correlation between ill health and frequent address changes. Using a pseudonym rather than the postcode as the primary key will enable systems to discount address changes within the same district hospital's catchment area; 3. The standards are in line with the existing guidelines of the Royal College of General practitioners and the General Medical Services Committee of the BMA, which state that no data may be sent outside a general practice without patient consent unless patients cannot be identified by persons external to the practice. This will enable data collected in primary care to be used together with the secondary care records, subject to any inference controls that may be needed. It should be noted that the use of pseudonyms in medical research and clinical audit systems is well established in a number of countries, including Denmark, Germany and New Zealand. Papers on the systems in use in the latter two countries were given at the workshop on personal information held at Cambridge on the 21st and 22nd June 1996. ____________________________________________________________________ US cryptography policy debate continues on same track ____________________________________________________________________ [16 July 1996] Following June 26 Congressional hearings on proposed legislation that would loosen restrictions on the use and export of cryptography, Vice President Gore proposed new policies on July 12, but, according to New York Times writer John Markoff (July 13, p.33), failed to gain much support for them from the computer industry, civil libertarians, or privacy advocates. The new policies anticipate the development of a "global key management infrastructure" in which "trusted private sector parties" would verify digital signatures and "hold spare keys to confidential data" which could be obtained only by those who had lost keys to their own data or "by law enforcement officials acting under proper authority." According to Gore's explanation of the policy, the administration would be willing to temporarily drop some restrictions on the export of strong cryptography in return for industry cooperation on key escrow "(e.g., investments in products that support key recovery)". Also under consideration are policies to permit the export of encryption using longer keys for use in health care and insurance applications. Currently only financial institutions have such permission as a matter of policy, although permission for American firms to export strong cryptography for particular applications can be sought and approved on a case-by-case basis. The full text of the announcement is available at http://www.cdt.org/crypto/960712_Gore_stmnt.html; Gore's explanation of the policy is available at http://www.cdt.org/crypto/960712_Gore_expl.html. Encryption and data security were also highlighted in the first evening's broadcasts of the new Microsoft/NBC cable/Internet news channel (MSNBC) on July 15. Steve Walker of Trusted Information Systems was interviewed and discussed encryption policy; later New York Times writer John Markoff and others discussed the arrest of Kevin Mitnick. ______________________________________________________________________ Conference Reports ______________________________________________________________________ Sorry, no conference reports this issue. Cipher would be pleased to print conference reports from the following conferences if any readers can provide them: - 1996 Computer Security Foundations Workshop (June, 1996) - 6th USENIX Unix Security Symposium (July 22-25, 1996) - IFIP WG 11.3 Tenth Working Conference on Database Securty - Crypto '96 or other security and privacy related conference. ________________________________________________________________________ Questionnaire on Practical Data Security Experiments Erland Jonsson and Lech Janczewski ________________________________________________________________________ [9 July 1996] To Teachers in Computer Security and other interested parties, RE: Request for data on practical security experiments At the last IFIP Security conference on Samos in May 1996 there was an interesting discussion held on contents of data security courses/lectures. During that discussion the importance of experiments in teaching this discipline was emphasized. As "experiments" we understand any action beyond "pure" lecturing encompassing such activities as: * Analysis of various aspects of data security in real and laboratory environment * Development of new tools used for enhancing security of organisations, systems or components. Experiments in this sense means both activities conducted during the class presentations (DEMO), in laboratories (LAB), and in external organisations (FIELD). We decided to investigate this question in a more detailed way. We understand that without drawing on existing resources in this field our effort would be fruitless. Therefore, we would be very grateful if you could answer the enclosed questionnaire. It is an universal form good for any type of experiment. If during your data security courses you have more than one experiment would you please use one form per experiment. We plan to complete the research within a couple of months so your prompt action would be greatly appreciated. We will reference any material from you in our final report and we promise to send it to you. If you have any questions regarding this research will you kindly contact any of us (address below). Finally, if you feel that this message is not for you but rather for someone of your colleagues, please forward this message to her/him. Looking forward to your positive reply, Remaining sincerely yours, Erland Jonsson/Lech Janczewski QUESTIONNAIRE: ************************************************************************* ***DATA SECURITY EXPERIMENT*** University .............................................................. Faculty ................................................................ Department .............................................................. Course name ............................................................. Course level ............................................................ (undegraduate, graduate, etc) Experiment type DEMO LAB FIELD (circle) Experiment duration ...................................................... (in min, hours, days, etc) Experiment goal .......................................................... ....................................................................... Experiment description.................................................... ....................................................................... Assessment method ........................................................ (if appropriate) ....................................................................... *************************************************************************** Please send the form to: Dr Erland Jonsson Department of Computer Engineering Chalmers University of Technology Gothenburg, Sweden tel 46-31 772 1688 fax 46-31 772 3663 email: jonsson@ce.chalmers.se or Dr Lech J. Janczewski Department of Management Science and Information Systems The University of Auckland Auckland, New Zealand tel 64-9 373 7599 ext 7538 fax 64-9 373 7430 email: lech@auckland.ac.nz ________________________________________________________________________ New Reports available via FTP and WWW ________________________________________________________________________ As Mez notes in her LISTWATCH column, there has been a great deal of traffic on the net about "cookies" and their ramifications for security and privacy. (These cookies have nothing to do with Kerberos.) Here are pointers to two items that you may find of interest if you have missed this discussion. The first is a newspaper article describing what cookies are (so it may disappear as the issue in which it appears ages) and the second is the latest Internet draft standard on the topic. * Netscape World article explaining "cookies" and their uses http://www.netscapeworld.com/netscapeworld/nw-07-1996/nw-07-cookies.html * Internet Draft on "cookies" ftp://ds.internic.net/internet-drafts/draft-ietf-http-state-mgmt-03.txt Cipher is most pleased to be able to point readers to an on-line source for information on US Trusted Product Evaluation Program, including the current Evaluated Product List. This is something we have long thought should be available this way, and now it is. * NSA home page for the Trusted Product Evaluation Program, including pointers to the Evaluated Product List: href=http://www.radium.ncsc.mil/tpep/ [See past Cipher issues for pointers to the German EPL. If any readers can provide pointers to Canadian, UK, Australian, or other EPL's, Cipher will be happy to publish them.] A Revised Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Transaction Security Working Group of the IETF. Title : Security Extensions For HTML Author(s) : E. Rescorla, A. Schiffman Filename : draft-ietf-wts-shtml-01.txt Pages : 3 Date : 06/03/1996 This memo describes a syntax for embedding S-HTTP negotiation parameters in HTML documents. S-HTTP as described by draft-ietf-wts-shttp-03.txt contains the concept of negotation headers which reflect the potential receiver of a message's preferences as to which cryptographic enhancements should be applied to the message. This document describes a syntax for binding these negotiation parameters to HTML anchors. Internet-Drafts are available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-wts-shtml-01.txt". A URL for the Internet-Draft is: ftp://ds.internic.net/internet-drafts/draft-ietf-wts-shtml-01.txt A Master's thesis entitled "Information Warfare: Implications for Forging the Tools" and the raw results of an "Information Warfare Delphi" (upon which the thesis is based) by USAF Major Roger D. Thrasher are currently available via the World Wide Web at: http://dubhe.cc.nps.navy.mil/~rdthrash/thesis.html Both documents are in Adobe Acrobat format. Please send comments to Major Thrasher at. U.S. Department of Defense Office of Information Security Research has released their implementation source code for their "Internet Security Association & Key Mgmt Protocol (ISAKMP)" to the net via MIT; it can be found at: http://web.mit.edu/network/isakmp/ The Naval Research Laboratory's implementation fo IPv6 is available at the same site. Current U.S. export restrictions limit the availability of the software to U.S. and Canadian citizens. A new Secure Electronic Transaction (SET) specification is available from Mastercard and Visa; check http://www.mastercard.com or http://www.visa.com ________________________________________________________________________ Interesting Links [new entries only] ________________________________________________________________________ Format: Description (first lines) followed by URL (last line) NSA's Trusted Product Evaluation Program (TPEP), http://www.radium.ncsc.mil/tpep/ and pointers the US Evaluated Product List http://www.radium.ncsc.mil/tpep/epl/index.html The Colossus Rebuild Project with links to pages on Bletchley Park. Fascinating photos and history of the rebuilding of this codebreaking computer http://www.cranfield.ac.uk/CCC/BPark/colossus ________________________________________________________________________ Who's Where: recent address changes ________________________________________________________________________ Entered 24 July 1996: Duncan Harris ITSEC Evaluations Manager 500 Oracle Parkway, Box 659410 Redwood Shores, CA 94065 djharris@us.oracle.com tel. +1.415.506.4007 fax: +1.415.506-7226 Gordon Buhle U.S. Security Evaluations Manager 500 Oracle Parkway, Box 659410 Redwood Shores, CA 94065 gbuhle@us.oracle.com tel. +1.415.506.2009 fax: +1.415.506-7226 Rajiv Sinha Security Evaluator 500 Oracle Parkway, Box 659410 Redwood Shores, CA 94065 rsinha@us.oracle.com tel. +1.415.506.0922 fax: +1.415.506-7226 Entered 5 June 1996: Gene Tsudik USC Information Sciences Institute 4676 Admiralty Way Marina Del Rey, CA 90292-6695 gts@ISI.EDU tel. +1 (310) 822-1511 x 329 fax. +1 (310) 823-6714 Entered 4 June 1996: Aaron Cohen Information Security Specialist COMPUTER SCIENCES CANADA INC. (A subsidiary of Computer Sciences Corporation) 1900 City Park Drive, Suite 400 Gloucester, Ontario, Canada K1J 1A3 Tel: (613) 745-8255 Fax: (613) 745-4164 e-mail: acohen4@cscmail.csc.com _______________________________________________________________________ Calls for Papers (new listings since last issue only -- full list on Web) ________________________________________________________________________ CONFERENCES Listed earliest deadline first. See also Cipher Calendar o The Internet Society Symposium on Network and Distributed System Security, San Diego, California, February 10-11, 1997. The symposium fosters the exchange of technical information that will encourage and enable the Internet community to apply, deploy, and advance the state of available security technology. Symposium proceedings will be published by the IEEE Computer Society Press. Submissions to via email to sndss97-submissions@isi.edu by August 1, 1996. Instructions to authors are in the announcement the conference Web page. o IEEE Singapore International Conference on Networks, Kent Ridge, Singapore,April 14-17, 1997; submissions by email to sicon97@iscs.nus.sg by 1st August 1996. Network security and privacy is a topic of interest. Five copies in English should be sent to the conference chairman. o 4th ACM Conference on Computer and Communications Security, Zurich, Switzerland, April 2-4, 1997. Papers pertaining to all aspect of computer security are solicited for submission to the Fourth ACM Conference on Computer and Communications Security. Papers may present theory, technique, applications, and practical experience on a variety of topics including access control, accounting and audit, applied cryptography and cryptographic protocols, authentication and authorization, data/system integrity, electronic commerce, intrusion detection, key management, privacy, protection of software and intellectual property, run-time system security, secure networking, secure operating systems, security architectures and models, security management, security of distributed systems and databases, security protocols, and smart-cards and secure PDAs. Conference Web page; submissions due September 2, 1996. o High Performance Database Management for Large Scale Applications; Birmingham, England, April 7-8, 1997. Solicits papers that deal with performance issues enabling the support of database management for large scale applications; an example is security and privacy of transactions in electronic commerce. Conf Web page. Submissions to peters@ece.nwu.edu by October 1, 1996. JOURNALS Regular archival computer security journals: o Journal of Computer Security (JCS) [see Cipher Web pages or EI#9]; e-mail contacts for submissions: jajodia@isse.gmu.edu or jkm@mitre.org See also Web site: http://www.jcompsec.mews.org/ o Computers & Security [see Cipher Web pages or EI#9] e-mail contact for submissions: j.meyer@elsevier.co.uk o International Journal of Digital Libraries aims to advance the theory and practice of acquisition, definition, organization, management and dissemination of digital information via global networking. In particular, the journal will emphasize technical issues in digital information production, management and use, issues in high-speed networks and connectivity, inter-operability, and seamless integration of information, people, profiles, tasks and needs, security and privacy of individuals and business transactions and effective business processes in the Information Age. The first issue will appear in Summer 1996 (see announcement). Electronic submission is encouraged to speed up the process (for details please send email to dlib@adam.rutgers.edu). For hard copy submission, please mail five copies to: Prof. Nabil R. Adam, CIMIC, Rutgers University, Newark, NJ 07102, (201) 648-5239, adam@adam.rutgers.edu. Special Issues of Journals and Handbooks: listed earliest deadline first. o JCS Special issue on WWW security. The special issue of the Journal of Computer Security will be focused on research and development efforts leading to identify requirements and viable solutions for WWW security. Two kinds of papers will be considered: regular papers presenting new research results, and short papers describing ongoing projects. Submit five copies of papers (dbl-spaced; 12 pt; 30 pages max. for regular papers, 10 pages max. for short papers) describing original unpublished results on all security aspects of the WWW and its applications; each copy should have a cover page with title, name and address (including e-mail address) of author(s), an abstract of no more than 200 words, and a list of identifying keywords, to any of the editors. Editors of the special issue: Elisa Bertino, Gianpaolo Rossi, and Pierangela Samarati, Dipartimento di Scienze dell'Informazione, Universita' di Milano, Via Comelico, 39/41, 20135-Milano, Italy; phone: +39-2-55006227/257/272; fax: +39-2-55006253; e-mail: bertino,rossi,samarati@dsi.unimi.it. More information at http://www.dsi.unimi.it/Users/jcs-www. o Journal of Intelligent Information Systems (JIIS); Special Issue on Data Mining. As a young, promising research area with broad applications, data mining and knowledge discovery in databases has attracted great interest in the research communities of database systems, machine learning, statistics, high performance computing, information retrieval, data visualization, and many others. Security and social impact of data mining is a topic of interest. Five hard copies of the paper, with the length limited to 20 pages, should be submitted by November 1, 1996 to the conference chair. Also see web page. ________________________________________________________________________ Reader's Guide to Current Technical Literature in Security and Privacy Part 1: Conference Papers ________________________________________________________________________ The notation [conference information] indicates there is a link to information about the conference on the Cipher web pages. * EDCC-2 (Second European Dependable Computing Conference), Taormina, Italy, October 2-4, 1996. [conference information]. Security-related paper: Friends - A Flexible Architecture for Implementing Fault Tolerant and Secure Distributed Applications. J.-C. Fabre and T. Prennou (LAAS-CNRS, Toulouse, France) * CARDIS '96: Second Smart Card and Advanced Applications Conference, Amsterdam, September 18-20, 1996 [conference information]. Papers to be presented (from preliminary program): - On the Design of a Stream Cipher and a Hash Function Suitable to Smart Card Applications, Yongdae Kim, Sangjin Lee, Choonsik Park, Electronics and Telecommunications Research Institute, Taejon, Korea - Authenticating Outputs of Computer Software Using a Cryptographic Coprocessor, Bruce Schneier, John Kelsey, Counterpane Systems, Minneapolis, USA - Biometrics on Smartcards: An Approach to Keyboard Behavioral Signature, Thomas J. Alexandre Carnegie Mellon Univ., Pittsburgh, USA - Arithmetic co-processors for public-key cryptography: The state of the art, David Naccache, David M'Raihi, Gemplus PSI, Sarcelles, France - FAME: A 3rd Generation Coprocessor for Optimising Public Key Cryptosystems in Smart Card Applications, Ronald Ferreira, Ralf Malzahn, Peter Marissen, Jean Jacques Quisquater, Thomas Wille, Philips Smart Cards and Systems, Paris, France; Philips Semiconductors, Hamburg, Germany; Math RiZK, Rhode-Saint-Genhse, Belgium - Efficient Compression Algorithms for Smart Cards, Renaud Lecat, Jean-Jacques Quisquater, Univ. Louvain-la-Neuve, Belgium - Structuring and Visualising an IC-card Security Standard, Hugh Glaser, Pieter H. Hartel, Eduard K. de Jong Frz, Univ. of Southampton, England; QC Technology, Zaandam, The Netherlands - Using formal methods to cultivate trust in Smart Card Operating Systems, Marjan I. Alberda, Pieter H. Hartel, Eduard K. de Jong Frz Univ. of Amsterdam, The Netherlands; Integrity Arts Inc, San Mateo, USA - Protection of Software Algorithms Executed on Secure Microprocessors, H.D.L. Hollmann, J.P.M.G. Linnartz, J.H. v. Lint, C.P.M.J. Baggen, Philips Research Laboratories, Eindhoven, The Netherlands. - Multi-Application Smart Cards and Encrypted Data Processing, Josep Domingo-Ferrer, Univ. Rovira i Virgili, Tarragona, Catalonia, Spain - Agent and Smart Card based System for User's Mobility, David Carlier, Sylvain Lecomte, Patrick Trane, RD2P, Univ. de Lille, France; Tokyo Institute of Technology, Japan - How Smart Cards Can Take Benefits from Object-Oriented Technologies? Patrick Biget, Patrick George, Jean-Jacques Vandewalle, RD2P, Univ. de Lille, France * IFIP TC-6 and TC-11 Joint Working Conference on Communications and Multimedia Security, University of Essen, Germany, September 23-24, 1996. [conference information]. - A.Krannig, Fraunhofer-IGD Darmstadt, Germany PLASMA Platform for Secure Multimedia Applications - E.B.Fernandez, K.R.Nair, M.M.Larrondo-Petrie, Y.Xu, Florida Atlantic University, USA High-Level Security Issues in Multimedia/Hypertext Systems - S.M.Furnell, N.J.Salmons, P.W.Sanders, C.T.Stockel, M.J.Warren University of Plymouth, UK Approaches to Security in Healthcare Multimedia Systems - M.Laurent, Tilicom Bretagne, France Security Flows Analysis of the ATM Emulated LAN Architecture - M.Michels, P.Horster, University of Chemnitz-Zwickau, Germany Cryptanalysis of a voting scheme - M.S.Olivier, Rand Afrikaans University, South Africa Using Workflow to Enhance Security in Federated Databases - S.Hoff, K.Jakobs, D.Kesdogan, University of Aachen, Germany Anonymous Mobility Management for Third Generation Mobile Networks - P.Lipp, V.Hassler Graz University of Technology, Austria Security Concepts for the WWW - J.Forni, J.L. Melzs, Polytechnic University of Catalonia, Spain An Integrated Solution for Secure Communications over B-ISDN - G.Vassilacopoulos, V.Chrissikopoulos, D.Peppes, University of Piraeus, Greece Network Security in a Telemedicine System - H.Cheng, X.Li, University of Alberta, Canada On The Application of Image Decomposition to Image Compression and Encryption - Y.Ding, P.Horster, H.Petersen, University of Chemnitz-Zwickau, Germany A new approach for delegation using hierarchical delegation tokens - S.Lucks, University of Goettingen, Germany BEAST: A Fast Block Cipher for Arbitrary Blocksizes - T.Gustavsson, Stockholm University, Sweden A WWW Based Certification Infrastructure for Secure Open Network Transactions - R.Oppliger, M.Bracher, A.Albanese, University of Berne, Switzerland Distributed Registration and Key Distribution for Online Universities - J.Schwenk, Deutsche Telekom AG, Germany Establishing a Key Hierarchy for Conditional Access without Encryption - R.Grimm, K.Zangeneh, GMD Darmstadt, Germany Cybermoney in the Internet: An Overview over new Payment Systems in the Internet - C.Radu, R.Govaerts, J.Vandewalle, University of Leuven, Belgium A Restrictive Blind Signature Scheme with Applications to Electronic Cash - S.Puetz, University of Siegen, Germany Secure Billing - Incontestable Charging - R.Posch, H.Leitold, F.Pucher, Graz University of Technology, Austria ISDN LAN Access: Remote Access Security and User Profile Management - A.Hutchison, M.Kaiserswerth, P.Trommler, IBM Zurich, Switzerland Secure World Wide Web Access to Server Groups - C.Schmidt, University of Aachen, Germany Access Control System Using Dynamic Handwriting Features - S.Kokolakis, Athens University of Economics and Business, Greece Is there a need for new information security models? - S.K.Katsikas, D.A.Gritzalis, P.Spirakis, University of the Aegean, Greece Attack Modelling in Open Network Environments - M.Sobirey, B.Richter, H.Koenig, University of Cottbus, Germany The Intrusion Detection System AID - Architecture and experiences in automated audit analysis - S.K.Katsikas, N.Theodoropoulos, University of the Aegean, Greece Defending Networks: The Expert System Component of SECURENET - P.M.Boshoff, M.S.Olivier, Rand Afrikaans University, South Africa Increasing Firewall Reliability by Recording Routes * ESORICS-96, European Symposium on Research in Computer Security, September 25-27, 1996, Rome, Italy. [conference information]. - M. Waidner, "Development of a Secure Electronic Marketplace for Europe" IBM Zurich Research Lab., Zurich (Switzerland) - W. Mao, "A Light-Weight Micro-Cash Payment Technique for the Internet" Hewlett-Packard Labs., Bristol (UK) - J. Camenisch, U. Maurer, M. Stadler, "Digital Payment Systems with Passive Anonymity-Revoking Trustees" ETH Zurich, Zurich (Switzerland) - V. Atluri, W-K. Huang, "An Authorization Model for Workflows" Rutgers University, Newark (NJ - USA) - R. Sandhu, "Role Hierarchies and Constraints for Lattice-Based Access Controls" George Mason University, Fairfax (VA - USA) - Peter Landrock, "Secure Electronic Commerce - How and when?"(Invited Speech) Aarhus University & Cryptomathic, Aarhus Science Park, Denmark - V. Nicomette, Y. Deswarte, "A Multilevel Security Model for Distributed Object Systems" LAAS-CNRS & INRIA, Toulouse (France) - S. De Capitani di Vimercati, P. Samarati, "An Authorization Model for Federated Systems" University of Milan, Milan (Italy) - W. Farmer, J. Guttman, V. Swarup, "Security for Mobile Agents: Authentication and State Appraisal" The MITRE Corporation, Bedford (MA - USA) - N. Asokan, G. Tsudik, M. Waidner, "Server Supported Signatures" IBM Zurich Research Lab., Zurich (Switzerland) - S. F. Wu, "Sleepy Network-Layer Authentication Service for IPSEC" North Carolina State University, Raleigh (NC - USA) - J. Zhou, D. Gollmann, "Certified Electronic Mail" University of London, Egham (UK) - B. Schneier (*), J. Kelsey (*), J. Walker (**), "Distributed Proctoring" (*) Counterpane Systems, Minneapolis (MN - USA) (**) Walker Digital, Stamford (CT - USA) - P. Bonatti (*), M. L. Sapino (*), V. S. Subrahamanian (**), "Merging Heterogeneous Security Orderings" (*) University of Turin, Turin (Italy) (**) University of Maryland, College Park (MD - USA) - S. Schneider, A. Sidiropoulos, "CSP and Anonymity" University of London, Egham (UK) - G. Wedel (*), V. Kessler (**), "Formal Semantics for Authentication Logics" (*) RWTH Aachen, Aachen (Germany) (**) Siemens AG, Corporate Research and Development, Munich (Germany) - V. Lotz, "Threat Scenarios as a Means to Formally Develop Secure Systems" Siemens AG, Corporate Research and Development, Munich (Germany) - A. Warner (*), Q. Li (*), S. Pal (**), T. Keefe (*), "The Impact of Multilevel Security on Database Buffer Management" (*) The Pennsylvania State University - Pittsburg (PA - USA) (**) Microsoft Corporation, Redmond (VA - USA) - D.G. Marks, A. Motro, S. Jajodia, "Controlled disclosure of sensitive information" George Mason University, Fairfax (VA - USA) - L. Mancini (*), I. Ray (**), "Secure Concurrency Control in MLS Databases with Two Versions of Data" (*) University of Genoa, Genoa (Italy) (**) George Mason University, Fairfax (VA - USA) - U. Maurer, "Modelling a Public-Key Infrastructure" ETH Zurich, Zurich (Switzerland) - C. Meadows, "Analyzing the Needham-Schroeder Public-Key Protocol" Naval Research Lab., Washington DC (USA) * New Security Paradigms '96 Workshop Lake Arrowhead, California, 18-20 September, 1996. - Harmonized Development Model for Information Security Jussipekka Leiwo, Monash University - Simulated Social Control for Secure Internet Commerce Lars Rasmussen and Swerker Jansson, Swedish Institute of Computer Science - User-Centered Security Mary Ellen Zurko and Rich Simon, OSF Research Institute - A New Model of Security for Distributed Systems Chenxi Wang, William A. Wulf, and Darrell Kienzle, University of Virginia - Personal Security Assistance for Secure Internet Commerce Andreas Rasmussen and Swerker Jansson, Swedish Inst. of Computer Science - Communicating Security Agents Robert Filman, Software Technology Center, and Ted Linden, Lockheed Martin Missiles and Space - The Emperor's Old Armor Bob Blakley, IBM NS Distributed Systems - Developing and Using a "Policy Neutral" Access Control Policy Duane Olawsky, Todd Fine, and Edward A. Schneider, Secure Computing Corporation - Run-Time Secure Evaluation: Can We Afford It? Cristina Serban and Bruce McMillin, University of Missouri-Rolla - A New Security Paradigm for Distributed Resource Managment and Access Control Steven J. Greenwald, Naval Research Laboratory - Access Control in Federated Systems Pierangela Samarati and Sabrina De Capitani di Vimercati, Univ. of Milan - Managing Time for Service and Security Ruth Nelson, Information Systems Security and Elizabeth Swart, University of Massachusetts at Boston - Availability Policies in Adversarial Situations Hilary Hosmer, Data Systems Security - The Concept of Trust and its Implications for the Security in Distributed Systems Audun Josang, Norwegian University of Science and Technology - CAPSL: Common Authentication Protocol Specification Language Jonathan Millen, MITRE - Positive Feedback and the Madness of Crowds Hilarie Orman, University of Arizona - Just Sick About Security Jeff Williams, Arca Systems * TPHOLs '96 - The 1996 International Conference on Theorem Proving in Higher Order Logics, Turku, Finland, 26-30 August, 1996. [conference information]. Security-related paper: Deciding cryptographic protocol adequacy with HOL: the implementation. Stephen H. Brackin (Arca Systems, Inc.) * Method Engineering'96: Principles For Method Construction And Tool Support, Atlanta, Georgia, August 25-28, 1996. [conference information]. Security-related paper: Structural Artifacts in Method Engineering: The Security Imperative Richard Baskerville (Denmark, USA [sic]) * CRYPTO '96, Santa Barbara, California, August 18-22, 1996 - Keying Hash Functions for Message Authentication Mihir Bellare, Univ. California at San Diego, USA Ran Canetti, MIT, USA, and Hugo Krawczyk, IBM, USA - Universal Hashing and Multiple Authentication M. Atici, and Douglas Stinson,Univ. Nebraska at Lincoln, USA - Universal Hash Functions from Exponential Sums over Finite Fields and Galois Rings Tor Helleseth, University of Bergen, Norway Thomas Johansson, Lund University, Sweden - Asymmetric Cryptography with a Hidden Monomial Jacques Patarin, CP8 TRANSAC, France - Anonymous Communication and Anonymous Cash Daniel Simon, Microsoft, USA - Weaknesses in Some Threshold Cryptosystems Susan Langford, Atalla Corp., USA - Hidden Collisions on DSS Serge Vaudenay, Ecole Normal Superieure, France - The Dark Side of 'Black-Box' Cryptography, or: Why Should We Trust Capstone? Adam Young, Columbia Univ., USA, and Moti Yung, IBM, USA - Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems Paul Kocher, Stanford, USA - All Bits in $ax+b$ mod $p$ Are Hard Mats Naslund, Royal Insitute of Technology, Sweden - Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes Dan Boneh, Princeton Univ., USA Ramarathnam Venkatesan, Bellcore, USA - Security of $2^t$-Root Identification and Signatures Claus P. Schnorr, Univ. Frankfurt, Germany - Robust and Efficient Sharing of RSA Functions Rosario Gennaro, MIT, USA, Stanislaw Jarecki, MIT, USA, Hugo Krawczyk, IBM, USA, and Tal Rabin, MIT, USA - New Generation of Secure and Practical RSA-Based Signatures Ronald Cramer, CWI, The Netherlands Ivan Damgaard, Aarhus Univ., Denmark - Proving Without Knowing: On Oblivious, Agnostic and Blindfolded Provers Markus Jakobsson, Univ. California at San Diego, USA Moti Yung, IBM, USA - Practical and Provably-Secure Commitment Schemes from Collision-Free Hashing Shai Halevi and Silvio Micali, MIT, USA - Improved Differential Attacks on RC5 Lars Knudsen, Katholieke Univ. Leuven, Belgium Willi Meier, HTL, Switzerland - Improving Implementable Meet-in-the-Middle Attacks by Orders of Magnitude Paul van Oorschot and Michael Wiener, Bell-Northern Research, Canada - Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES John Kelsey and Bruce Schneier, Counterpane Systems, USA David Wagner, Univ. California at Berkeley, USA - How to Protect DES Against Exhaustive Key Search Joe Kilian, NEC Research Institute, USA Phillip Rogaway, Univ. California at Davis, USA - Diffie-Hellman Oracles Ueli Maurer and Stefan Wolf, ETH Zuerich, Switzerland - Algorithms for Black-Box Fields and Their Application to Cryptography Dan Boneh and Richard Lipton, Princeton Univ., USA - Fast Hashing on the Pentium Antoon Bosselaers,Rene Govaerts, and Joos Vandewalle, Katholieke Univ. Leuven, Belgium - On Fast and Provably Secure Message Authentication Based on Universal Hashing Victor Shoup, Bellcore, USA - Quantum Cryptography over Underground Optical Fibers R. J. Hughes, G. G. Luther, G. L. Morgan, C. G. Peterson, and C. Simmons, Los Alamos National Labs, USA - Quantum Key Distribution and String Oblivious Transfer in Noisy Channels Dominic Mayers, Univ. de Montreal, Canada - Linear Complexity of Periodic Sequences: A General Theory James Massey, Swiss Federal Institute of Technology, Switzerland Shirlei Serconek, Univ. Federal de Goias, Brazil - Generalization of Siegenthaler Inequality and Schnorr-Vaudenay Multipermutations Paul Camion and Anne Canteaut, INRIA, France - Trade-offs Between Communication and Storage in Unconditionally Secure Schemes for Broadcast Encryption and Interactive Key Distribution Carlo Blundo, Univ. di Salerno, Italy Luiz Frota Mattos, CEPESC/SAE, Brazil Douglas Stinson, Univ. Nebraska at Lincoln, USA - New Results on Visual Cryptography Stefan Droste, Univ. Dortmund, Germany - Invited Talks: - Relation of Theory to Practice in Cryptography [exact title to be announced] Ron Rivest, MIT, USA - Export Controls: Past, Present, and Future Andy Clark, Independent consultant - [title to be announced] Cliff Stoll - Cryptographic applications in electronic commerce Ernest Brickell - Cryptology, Technology, and Politics Whit Diffie * SAC '96: Third Annual Workshop on Selected Areas in Cryptography, Kingston, Ontario, Canada, August 15-16, 1996. [conference information]. - "Akelarre: A New Block Cipher Algorithm", G.A. Maranon, D. Martinez, F.M. Vitini and A.P. Dominguez, Instituto de Fisica Aplicada, Spain - "CRISP: A Feistel Cipher With Hardened Key-scheduling", M. Leech, Nortel, Canada - "Provably Secure and Efficient Block Ciphers", P. Morin, Carleton University, Canada - "Message Encryption and Authentication Using One-Way Hash Function", C.H. Lim, Centre for Advanced Crypto-Technology, Baekdoo InfoCrypt, Inc., Korea - "New Bounds on the Number of Functions Satisfying the Strict Avalanche Criterion", A.M. Youssef, T.W. Cusick, P. Stanica and S.E. Tavares, Queen's University, Canada and SUNY at Buffalo, U.S.A. - "Difference Distribution Table of a Regular Substitution Box", X.-M. Zhang, U. of Wollongong, Australia and Y. Zheng, Monash University, Australia - "Practical S-box Design", S. Mister and C. Adams, Nortel, Canada - "Modelling Avalanche in DES-Like Ciphers", H. Heys, Memorial University, Canada - "An Efficient Public-Key Based Security Protocol", G. Horn, V. Kessler and K. Muller, Siemens AG, Germany - "Montgomery Multiplication in GF(2**k)", G.K. Koc and T. Acar, Oregon State University, U.S.A. - "A Parallel Implementation of RSA", D. Pearson, Cornell University, U.S.A. - "Sparse RSA Secret Keys and Their Generation", C.H. Lim and P.J. Lee, Pohang University of Science and Technology, Korea - "A New Class of Substitution-Permutation Networks", A.M. Youssef, S.E. Tavares, Queen's University, Canada and H.M. Heys, Memorial University, Canada - "Nonlinear Generators with a Guaranteed Large Linear Complexity", P. Caballero-Gil and A. Fuster-Sabater, Spain - Invited lectures: - Paul Syverson, Naval Research Laboratory, Washington DC, "Time in the Formal Analysis of Authentication Protocols" - Serge Vaudenay, Ecole Normale Superieure, Paris, "Towards Provable Security for Feistel Ciphers" * 6th USENIX UNIX Security Symposium, San Jose, CA, July 22-25, 1995. [conference information]. - Keynote Address: A Simple Distributed Security Infrastructure Ronald L. Rivest, MIT Laboratory for Computer Science - A Secure Environment for Untrusted Helper Applications Ian Goldberg, David Wagner, Randi Thomas and Eric A. Brewer, University of California, Berkeley - A DNS filter and Switch for Packet-filtering Gateways Bill Cheswick, Lucent Technologies; Steven M. Bellovin, AT&T Research - Confining Root Programs with Domain and Type Enforcement Kenneth M. Walker, Daniel F. Sterne, M. Lee Badger, Michael J. Petkac, David L. Sherman, Karen A. Oostendorp, Trusted Information Systems, Inc. - SSH - Secure Login Connections Over the Internet Tatu Ylonen, Helsinki University of Technology - Dual-workfactor Encrypted Key Exchange: Efficiently Preventing Password Chaining and Dictionary Attacks Barry Jaspan, Consultant - Security Mechanism Independence in ONC RPC Mike Eisler, Roland J. Schemers and Raj Srinivasan, SunSoft, Inc. - Establishing Identity Without Certification Authorities Carl Ellison, Cybercash, Inc. - Secure Deletion of Data from Magnetic and Solid-State Memory Peter Gutmann, University of Auckland - A revocable backup system Dan Boneh and Richard J. Lipton, Princeton University - Achieving Atomicity in Electronic Commerce and Its Impact on Communication Efficiency Jiawen Su and J.D. Tygar, Carnegie Mellon University - Kerberos on Wall Street Isaac Hollander, P. Rajaram and Constantin Tanno Morgan Stanley & Co. - A Framework for Building an Electronic Currency System Lei Tang, Carnegie Mellon University - Invited Talk: "Just another convicted Perl hacker" Randal Schwartz, Stonehenge Consulting Services - Chrg-http: A Tool for Micropayments on the World Wide Web Lei Tang, Carnegie Mellon University; Steve Low, AT&T Research - Building Systems That Flexibly Download Executable Content Trent Jaeger and Atul Prakash, University of Michigan; Avi Rubin, Bellcore - Enabling Secure Collaboration over the Internet Li Gong, SRI International - Invited Talk: Using Technical Means to Protect Individual Privacy: The C2.NET Privacy Model Sameer Parekh, Community ConneXion - Public Key Distribution with Secure DNS James M. Galvin, EIT/VeriFone - Compliance Defects in Public Key Cryptography Don Davis, Independent Consultant - Texas A&M University Anarchistic Key Authorization (AKA) David Safford, Douglas Schales and David Hess, Texas A&M University - Invited Talk: "Firewalls: Are they being used right? Are they cost-effective?" Marcus Ranum, V-ONE Corporation - Murphy's law and computer security Wietse Venema, Eindhoven University of Technology - NetKuang--A Multi-Host Configuration Vulnerability Checker Dan Zerkle and Karl Levitt, University of California, Davis - Problem Areas for the IP Security Protocols Steven M. Bellovin, AT&T Research - Invited Talk: PGP Library API Derek Atkins, Sun Microsystems, Inc. _______________________________________________________________________ Reader's Guide to Current Technical Literature in Security and Privacy Part 2: Journal and Newsletter Articles, Book Chapters ________________________________________________________________________ * Computing Systems, Vol. 9, No. 2 (Spring 1996): M. Bishop and M. Dilger. Checking for Race Conditions in File Accesses. pp. 131-152. * IEEE Micro, Vol. 16, No. 3 (June 1996): - M. Abdelguerfi, B. Kaliski, Jr., and W. Patterson. Guest Editors' Introduction: Public-Key Security Systems. pp. 10-13. - D. Naccache and D. M'Raihi. Cryptographic Smart Cards. pp. 14-24. - C. Koc, T. Acar and B. Kaliski, Jr. Analyzing and Comparing Montgomery Multiplication Algorithms. pp. 26-33. - A.iZuquete and P. Guedes. Transparent Authentication and Confidentiality for Stream Sockets. pp. 34-41. - J.-F. Dhem, D. Veithen, and J.-J. Quisquater. SCALPS: Smart Card for Limited Payment Systems. pp. 42-51. * Communications of the ACM, Vol. 39, No. 5 (May 1996): R. Fagin, M. Naor and P. Winkler. Comparing Information Without Leaking It. pp. 77-85. * Information Processing Letters, Vol. 58, No. 4 (May 1996): S.-J. Hwang, C.-C. Chang and W.-P. Yang. Authenticated encryption schemes with message linkage. pp. 189-194. * Computer Networks & ISDN Systems, Vol. 28, No. 7-11 (May 1996): P.-A. Pays and F. de Comarmond. An intermediation and payment system technology. pp. 1197-1206. * IEEE Communications Magazine, Vol. 34, No. 5 (May 1996): J. Brassil, A. Choudhury, D. Kristol, A. Lapone, S. Low, N. Maxemchuk and L. O'Gorman. SEPTEMBER - Secure Electronic Publishing Trial. pp. 48-55. * The Journal of Logic Programming, Vol. 26, No. 2 (February 1996): C. Meadows. The NRL Protocol Analyzer: An Overview. pp. 113-131. * OnTheInternet Vol. 2, No. 3 (May-June 1996) (Internet Society) - Hank Kluepfel. Inside out you turn me.pp. 18-23. - Michael Greenwald, Sandeep K. Singhal, Jonathan R. Stone, and David R. Cheriton. Designing an academic firewall. pp. 24-33. [Based on "Designing an academic firewall: policy, practice, and experience with SURF, same authors, Proc. 2nd Working Conf. on Reverse Engineering, IEEE, July 1996(?)]. - Dixie Baker, Steve Manning, Kraig Meyer, and Stuart Schaeffer. Addressing threats in World Wide Web technology. pp. 34-41, 46. [Based on article, same title and authors, Proc. Computer Security Applications Conf., IEEE, Dec., 1995]. - Jonathan Littman. The fugitive game: online with Kevin Mitnick, pp. 42-45. Excerpt of book, same title. * ACM SIGCOMM Computer Communication Review, Volume 26, Number 2 (April, 1996). W. Tuvell. Response to "Problems with DCE security services," pp. 64-73. * Computers & Security Volume 15, Number 2 (1996). (Elsevier) Special Features: - Edwin B. Heinlein. Medical records security. pp. 100-113. - Fred Cohen. A note on distributed coordinated attacks. pp.103-122. Refereed Papers: - Hiroyuki Matsumoto and Ikuro Oyaizu. A confidentiality system for ISDN inter-PC high-speed file transfer. pp. 141-156. - Marcel Spruit and Maarten Looijen. IT security in Dutch practice. pp. 147-170. - Udi Manber. A simple scheme to make passwords based on one-way functions much harder to crack. pp. 171-179. * COMPUTER, Vol. 29, No. 6 (June 1996). Simson L. Garfinkel. Internet Kiosk: Public key cryptography. pp. 101-104. _______________________________________________________________________ Reader's Guide to Current Technical Literature in Security and Privacy Part 3: Book ________________________________________________________________________ * Peter T. Davis (Ed.). Securing Client/Server Computer Networks. McGraw-Hill, New York, 1996, 589 pp., ISBN: 0-07-015841-X. $50. ________________________________________________________________________ Cipher Registry of Security and Privacy Research Projects ________________________________________________________________________ (New entries only; for complete list see Cipher Web pages) Send new submissions to cipher@itd.nrl.navy.mil ________________________________________________________________________ Calendar ________________________________________________________________________ Internet Conference Calendar, URL:http://www.automatrix.com/conferences/ is also worth a look. ==================================================================== See Calls for Papers section for details on many of these listings. ==================================================================== "Conf Web Page" indicates there is a hotlink on the Cipher Web pages to conference information. Dates Event, Location Point of Contact/ more information ----- --------------- ---------------------------------- 7/28/96- 7/31/96: FIRST '96, Santa Clara, California; Conf Web page 8/ 1/96: SNDSS '97, San Diego, California; Conf Web page. Submissions to sndss97-submissions@isi.edu.; [*], Kent Ridge, Singapore 8/ 1/96: SICON97, Kent Ridge, Singapor\ e; submissions due by mail; sicon97@iscs.nus.sg; 8/ 3/96- 8/ 5/96: KDD96. Portland, Oregon Conf Web page See Web page. 8/14/96- 8/16/96: MMDMS, Mountain Lake, NY. Conf web page. 8/15/96- 8/16/96: SAC '96, Kingston, Ontario, Canada 8/18/96- 8/22/96: CRYPTO96, Santa Barbara, California 8/27/96- 8/30/96: TPHOLs '96, Turku, Finland; Conf Web page 8/30/96: DASFAA '97; Melbourne, Australia. Conf Web page. Submissions due by email to rwt@cit.gu.edu.au; 8/30/96: ICDE '97, Birmingham, UK; Conf Web page. Submissions due by mail; 8/31/96- 9/ 2/96: ATMA, Goa, India; Conf Web page. 9/2/96-9/6/96: IFIP96 Mobile Commns Canberra, Australia. 9/ 2/96: 4th CCS, Zurich, Switzerland; Conf Web page. Submissions by mail due; 9/ 3/96- 9/ 6/96: VLDB96, Bombay, India 9/ 3/96: DCCA6, Garmisch-Partenkirchen, Germany. 9/ 3/96- 9/ 5/96: WITAT '96, Columbia, MD; workshop web page 9/ 9/96- 9/13/96: DEXA96, Zurich, Switzerland. Conf Web page 9/16/96 - 9/19/96: NSPW '96, Lake Arrowhead, CA ; questions to newparadigms96@itd.nrl.navy.mil. Conf web page 9/18/96- 9/20/96: SCRAPC96, Lille, France Conf Web page 9/23/96- 9/24/96: IFIPTC6TC11, University of Essen, Germany; Conf Web page. 9/23/96- 9/27/96: SDSP96, Perth, Australia 9/25/96- 9/27/96: ESORICS'96, Rome; bertino@hermes.mc.dsi.unimi.it 9/30/96-10/ 3/96: PRAGOCRYPT '96, Prague 9/30/96: JCS special issue on WWW security; submissions due by mail; issue page 10/ 1/96: RIDE '97; Birmingham, England, Conf Web page. Submissions due to peters@ece.nwu.edu; 10/11/96: FSE4, Haifa, Israel; Conf Web page. Submissions to biham@cs.technion.ac.il; 10/16/96-10/19/96: WebNet. San Francisco, CA Conf Web page 10/16/96-10/19/96: IC3N96, Rockville, Washington D. C. 10/21/96-10/25/96: ICECCS96; Montreal, Quebec. Conf Web page 10/22/96: HASE96. Niagara-on-the-Lake, Canada; Conf Web page 10/22/96-10/25/96: NISS96. Baltimore, Maryland 10/29/96-11/ 1/96: OSDI '96 Seattle, WA; Conf web page 10/29/96-11/ 1/96: ICNP96, Columbus, Ohio; Conf Web page 11/ 1/96: Data Mining special issue of JIIS; journal web page. Submissions due. 11/ 3/96-11/ 7/96: ASIACRYPT96, Kyongju, South Korea Conf Web page 11/11/96-11/12/96: MOBICOM96, Rye, NY; conf Web page 11/11/96-11/13/96: CSI '96,Chicago, Illinois 11/14/96-11/15/96: IPIC96, Cambridge, Massachusetts; Conf Web page 11/15/96: ENM '97, Montreal, Quebec. Submissions by mail; 12/ 2/96-12/ 4/96: ASIAN '96, Singapore. Conf Web page 12/ 9/96-12/13/96: 12th Annual ACSAC, San Diego, CA. Conf web page. 1/ 8/97- 1/10/97: ICDT97, Delphi, Greece; Conf Web page 1/27/97- 1/29/97: FSE4, Haifa, Israel; Conf Web page. 2/ 8/97- 2/14/97: MMD '97. San Jose, California; Conf Web page 2/10/97- 2/11/97: SNDSS '97, San Diego, California. Conf Web page 2/23/97- 2/24/97: PAKDD '97, Singapore. Info hweeleng@iti.gov.sg; Conf Web page 3/ 5/97- 3/ 7/97: DCCA6. Garmisch-Partenkirchen, Germany. 4/ 1/97- 4/ 4/97: DASFAA '97; Melbourne, Australia Conf Web page 4/ 2/97- 4/ 4/97: 4th CCS, Zurich, Switzerland; Conf Web page 4/ 7/97- 4/11/97: ICDE '97, Birmingham, UK; Conf Web page 4/ 7/97- 4/ 8/97: RIDE '97. Birmingham, England Conf Web page 4/ 9/97- 4/11/97: ISADS97, Berlin, Germany; Conf Web page 4/14/97- 4/17/97: SICON97, Kent Ridge, Singapore 5/ 4/97- 5/ 7/97: IEEE S&P 97; no e-mail address available 5/13/97- 5/16/97: 9th CCSS, Ottawa; no e-mail address available 6/11/97- 6/12/97: ENM '97, Montreal, Quebec 7/97: ACISP '97, Sydney, details from: vijay@st.nepean.uws.edu.au 5/ 3/98- 5/ 6/98: IEEE S&P 98; Oakland no e-mail address available 5/12/98- 5/15/98: 10th CCSS, Ottawa; no e-mail address available 5/ 2/99- 5/ 5/99: IEEE S&P 99; Oakland no e-mail address available 5/11/99- 5/14/99: 11th CCSS, Ottawa; no e-mail address available 4/30/00- 5/ 3/00: IEEE S&P 00; Oakland no e-mail address available 5/16/00- 5/19/00: 12th CCSS, Ottawa; no e-mail address available Key: * ACISP = Australasian Conference on Information Security and Privacy, ACISP97 * ACSAC = Annual Computer Security Applications Conference 12th Annual. * ASIAN = Asian Computing Science Conference ASIAN '96 * ATMA = Advanced Transaction Models and Architectures ATMA * BDBIS = Baltic Workshop on DB and IS, BDBIS * CCS = ACM Conference on Computer and Communications Security * CCSS = Annual Canadian Computer Security Symposium * CIKM = Int. Conf. on Information and Knowledge Management CIKM '95 * COMAD = Seventh Int'l Conference on Management of Data (India) * CISMOD = International Conf. on Information Systems and Management of Data * CFP = Conference on Computers, Freedom, and Privacy * COMPASS = Conference on Computer Assurance COMPASS'96 * CoopIS96 = First IFCIS International Conference on Cooperative Information Systems, CoopIS96. * CPAC = Cryptography - Policy and Algorithms Conference * CRYPTO = IACR Annual CRYPTO Conference CRYPTO96 * CSFW = Computer Security Foundations Workshop CSFW96 and Wkshp page * CSI = Computer Security Institute Conference CSI96 * CVDSWS = Invitational Workshop on Computer Vulnerability Data Sharing CVDSWS. * CWCP = Cambridge Workshop on Cryptographic Protocols * DASFAA = Database Systems For Advanced Applications DASFAA '97. * DCCA = Dependable Computing for Critical Applications DCCA6 * DEXA = International Conference and Workshop on Database and Expert Systems Applications, DEXA96 * DMKD96 = Workshop on Research Issues on Data Mining and Knowledge Discovery,Web page and CFP. * DOOD = Conference on Deductive and Object-Oriented Databases DOOD '95 * EdCS = Education in Computer Security EdCS * ENM = Enterprise Networking ENM '97 * ESORICS = European Symposium on Research in Computer Security ESORICS'96 * FIRST = Computer Security Incident Handling and Response FIRST '96 * FISP = Federal Internet Security Plan Workshop, FISP96. * FISSEA = Federal Information Systems Security Educators' Association * FME = Formal Methods Europe, FME '96 * FMSP = Formal Methods in Software Practice * FSE = Fast Software Encryption Workshop FSE4 * HASE = High-Assurance Systems Engineering Workshop HASE96 * HPTS = Workshop on High Performance Transaction Systems * IC3N = International Conference on Computer Communications and Networks IC3N '96 * ICDCS96 = The 16th International Conference on Distributed Computing Systems, ICDCS96 * ICDE = Int. Conf. on Data Engineering ICDE '97 * ICDT = International Conference on Database Theory ICDT97. * ICECCS = International Conference on Engineering of Complex Computer Systems ICECCS '96 * ICI = International Cryptography Institute * ICNP96 = International Conference on Network Protocols ICNP96 * ICSSDBM = Int. Conf. on Scientific and Statistical Database Management * IEEE S&P = IEEE Symposium on Security and Privacy - IEEE S&P '96 * IFIP/SEC = International Conference on Information Security (IFIP TC11) * IFIP WG11.3 = IFIP WG11.3 10th Working Conference on Database Security * IFIP96 Mobile Commns = IFIP 1996 World Conference, Mobile Communications * IH Workshop '96 = Workshop on Information Hiding * IMACCC = IMA Conference on Cryptography and Coding, 5th IMACC * IMC96 = IMC'96 Information Visualization and Mobile Computing * INET = Internet Society Annual Conference * INET96 = The Internet: Transforming Our Society Now, INET96 * IPIC = Integration of Enterprise Information and Processes, IPIC96 * IPSWG = Internet Privacy and Security Workshop IPSWG '96 * IS = Information Systems (journal) * ISADS = Symposium on Autonomous Decentralized Systems ISADS '97 * ISTCS = Fourth Israeli Symposium on Theory of Computing and Systems, ISTCS96. * IT-Sicherheit '95 = Communications and Multimedia Security: Joint Working conference of IFIP TC-6 and TC-11 and Austrian Computer Society * IWES = International Workshop on Enterprise Security IWES * JBCS = Journal of the Brazilian Computer Society * JCMS = Journal of Computer Mediated Communication * JCS = Journal of Computer Security WWW issue * JDSE = Journal of Distributed Systems Engineering; Future Directions for Internet Technology JDSE * KDD96 = The Second International Conference on Knowledge Discovery and Data Mining (KDD-96) * MCN = ACM Int. Conf. on Mobile Computing and Networking. See MOBICOM * MCDA = Australian Workshop on Mobile Computing & Databases & Applications; MCDA96. * MDS '95 = Second Conference on the Mathematics of Dependable Systems MDS-95 * METAD = First IEEE Metadata Conference METAD * MMD = Multimedia Data Security MMD '97 * MMDMS = Wkshop on Multi-Media Database Management Systems MMDMS '96 * MOBICOM = Mobile Computing and Networking MOBICOM '96. * NCSC = National Computer Security Conference * NISS = National Information Systems Security Conference NISS96 * NSPW = New Security Paradigms Workshop NSPW '96 * OOER = Fourteenth Int. Conf. on Object-Oriented and Entity Relationship Modelling OOER '95 * OSDI = Operating Systems Design and Implementation OSDI '96 * PAKDD = First Asia-Pacific Conference on Knowledge Discovery and Data Mining, PAKDD97 * PISEE = Personal Information - Security, Engineering, and Ethics PISEE * RBAC'95 = First ACM Workshop on Role-Based Access Control * RIDE = High Performance Database Management for Large Scale Applications RIDE97 * RTDB'96 = First International Workshop on Real-Time Databases: Issues and Applications, RTDB96. * SAC = Workshop on Selected Areas of Cryptography SAC '96 * SCRAPC = Smart Card Research and Advanced Application Conference SCRAPC96 * SDSP = UK/Australian International Symposium On DSP For Communication Systems SDSP '96 * SECURICOM = World Congress on the Security of Information Systems and Telecommunication, SECURICOM '96 * SFC = Society and the Future of Computing SFC '96 * SFTC-VI = Symposium on Fault Tolerant Computing - VI (Brazil) * SICON = IEEE Singapore International Conference on Networks SICON '97 * SIGMOD/PODS - ACM SIGMOD International Conference on Management of Data / ACM SIGACT SIGMOD-SIGART Symposium on Principles of Database Systems * SNDSS = Symposium on Network and Distributed System Security (Internet Society) NDSS '97 * SOC = 18th Biennial Symposium on Communiations, SOC18. * TPHOLs = Theorem Proving in Higher Order Logics TPHOLs96 * TSMCFP96 = 4th International Conference on Telecommunication Systems * USENIX Sec Symp = USENIX UNIX Security Symposium, 6th Annual. * VLDB = 22nd International Conference on Very Large Data Bases, VLDB96. * WDAG-9 = Ninth Int. Workshop on Distributed Algorithms * WebNet = World Conference of the Web Society, WebNet96. * WITAT = Workshop on Information Technology - Assurance and Trustworthiness\ WITAT '96 * WWWC = International World Wide Web Conference WWWC96. ________________________________________________________________________ Data Security Letter Subscription Offer ________________________________________________________________________ A special subscription rate of $25/year for the Data Security Letter is now available to IEEE TC members. The DSL is an external, nonpartisan newsletter published by Trusted Information Systems, Inc. Eleven issues (usually 16 pages each) per year are published. The DSL welcomes reader suggestions and contributions and accepts short research abstracts (about 130 words) for publication on an ongoing basis. On occasion, the DSL will be republishing Cipher articles (with authors' approval), but such articles will constitute a small portion of DSL content (thus there will be very little duplication of Cipher material). IEEE TC members wishing to take advantage of the special subscription rate should send the following to sharon@tis.com. The information can also be faxed to 301-854-5363 (attention: DSL) phoned to 301-854-5338, or mailed to Trusted Information Systems, Inc., 3060 Washington Rd., Glenwood, MD 21738 USA. NAME: POSTAL ADDRESS: (Please indicate company name, if a business address) PHONE: (Please indicate if home or business) FAX: E-MAIL: IEEE Membership No. (if applicable): NOTE: If you are already a paying subscriber to the DSL, for the $25 you will receive a 2-year renewal; refunds, rebates, etc., on your current subscription are not available. If you have any questions about the offer or anything else pertaining to the DSL, you may contact the editor, Sharon Osuna, via E-Mail to sharon@tis.com or call her at 301-854-5338. ________________________________________________________________________ How to join the TC on Security and Privacy ________________________________________________________________________ You do NOT have to join either IEEE or the IEEE Computer Society to join the TC, and there is no cost to join the TC. All you need to do is fill out an application form and mail or fax it to the IEEE Computer Society. A copy of the form is included below (to simplify things, only the TC on Security and Privacy is included, and is marked for you) The full and complete form is available on the IEEE Computer Society's Web Server at URL: http://info.computer.org:80/tab/tcapplic.htm PLEASE NOTE THAT THE FORM IS TO BE RETURNED (BY MAIL OR FAX) TO THE IEEE COMPUTER SOCIETY, >>NOT<< TO CIPHER. --------- IEEE Computer Society Technical Committee Membership Application ----------------------------------------------------------- Please print clearly or type. ----------------------------------------------------------- Last Name First Name Middle Initial ___________________________________________________________ Company/Organization ___________________________________________________________ Office Street Address (Please use street addresses over P.O.) ___________________________________________________________ City State ___________________________________________________________ Country Postal Code ___________________________________________________________ Office Phone Fax ___________________________________________________________ Email Address (Internet accessible) ___________________________________________________________ Home Address (optional) ___________________________________________________________ Home Phone ___________________________________________________________ [ ] I am a member of the Computer Society IMPORTANT: IEEE Member/Affiliate/Computer Society Number: ____________________ [ ] I am not a member of the Computer Society* Please Note: In some TCs only current Computer Society members are eligible to receive Technical Committee newsletters. Please select up to four Technical Committees/Technical Councils of interest. TECHNICAL COMMITTEES [ X ] T27 Security and Privacy Please Return Form To: IEEE Computer Society 1730 Massachusetts Ave, NW Washington, DC 20036-1992 Phone: (202) 371-0101 FAX: (202) 728-9614 ________________________________________________________________________ TC Publications for Sale ________________________________________________________________________ Proceedings of the 1996 Conference proceedings are now available, and we have reduced prices on some of the older issues. Please help us liquidate the backlog by ordering several copies for your friends! Price by mail per volume IEEE CS Press IEEE CS Press Year from TC* IEEE member price List Price ---- ---------- ----------------- ------------- 1992 $10 Only available from TC! 1993 $10 Only available from TC! 1994 $15 $30+$4 S&H $60+$5 S&H 1995 $25 $30+$4 S&H $60+$4 S&H 1996 $30 *price includes shipping and handling For overseas delivery: -- by surface mail, please add $5 per order (3 volumes or fewer) -- by air mail, please add $10 per volume to the prices listed above. If you would like to place an order, please send a letter specifying * which issues you would like, * where to send them, and * a check in US dollars, payable to the 1995 IEEE Symposium on Security and Privacy to: Charles N. Payne Treasurer, IEEE TC on Security and Privacy Secure Computing Corp. 2675 Long Lake Rd. Roseville, MN 55113 U S A ________________________________________________________________________ TC Officer Roster ________________________________________________________________________ Chair: Vice Chair: Deborah Cooper Charles P. Pfleeger P.O. Box 17753 Trusted Information Systems, Inc. Arlington, VA 22216 3060 Washington Rd., (703)908-9312 voice and fax Glenwood, MD 21738 dmcooper@ix.netcom.com (301)854-6889 (voice) (301)854-5363 (fax) pfleeger@tis.com Newsletter Editor: Chair, Subcommittee on Academic Affairs: Carl Landwehr Prof. Karl Levitt Code 5542 University of California, Davis Naval Research Laboratory Division of Computer Science Washington, DC 20375-5337 Davis CA 95611 (202)767-3381 (916)752-0832 landwehr@itd.nrl.navy.mil levitt@iris.ucdavis.edu Standards Subcommittee Chair: Chair, Subcommittee on Security Conferences: Greg Bergren Dr. Stephen Kent 10528 Hunters Way BBN Corporation Laurel, MD 20723-5724 70 Fawcett Street (410)684-7302 Cambridge, MA 02138 (410)684-7502 (fax) (617) 873-3988 glbergr@missi.ncsc.mil kent@bbn.com ________________________________________________________________________ Information for Subscribers and Contributors ________________________________________________________________________ SUBSCRIPTIONS: Two options: 1. To receive the full ascii CIPHER issues as e-mail, send e-mail to (which is NOT automated) with subject line "subscribe". 2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing or downloading from our ftp server send e-mail to (which is NOT automated) with subject line "subscribe postcard". To remove yourself from the subscription list, send e-mail to cipher-request@itd.nrl.navy.mil with subject line "unsubscribe". Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher CONTRIBUTIONS: to are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. For Calendar entries, please include an e-mail address for the point-of-contact. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors. BACK ISSUES: There is an archive that includes each copy distributed so far, in ascii, in files you can download at URL http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher/cipher-archive.html There is also an anonymous FTP server that contains the same files. To access the archive via anonymous FTP: 1. ftp www.itd.nrl.navy.mil 2. At prompt for ID, enter "anonymous" 3. At prompt for password, enter your actual, full e-mail address 4. Once you are logged in, change to the Cipher Directory: cd pub/cipher 5. Now you can request any of the files containing Cipher issues in ascii. Issues are named in the form: EI#N.9506 where N is the number of the issue desired and 9506 captures the year and month it first appeared. =======end of Electronic Cipher Issue #16, 28 July 1996================