Subject: Electronic CIPHER, Issue 17, October 1, 1996

====================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 17                                  October 1, 1996
Carl Landwehr, Editor                    Hilarie Orman, Assoc. Editor
====================================================================

Contents: [1475 lines total]

o Letter from the Editor
Security and Privacy News Briefs:
  o LISTWATCH: Items from security-related lists, by Mary Ellen Zurko
  o Gore Announces New U.S. Policy on Crypto Exports
  o Bellcore Researchers Claim Smart Card Security Flaw
Conference Reports [TTAP Workshop, IFIP WG 11.3 10th Working Conf.]
New reports available via FTP and WWW [OS/Security Workshop & more]
Interesting Links
Who's Where: recent address changes
Calls for Papers
Reader's guide to recent security and privacy literature
  o Conference Papers: Crypto '96, New Sec Paradigms, many more
  o Journal and Newsletter articles
  o Book
Registry of Security and Privacy Research Projects [no entries!]
Calendar
-->Questionnaire on practical security experiments<--
Data Security Letter subscription offer
>>>>>>>>>>>>>How to join/renew your TC Membership at no cost!<<<<<<<
>>>>>>>>>>>>> PLEASE RENEW TODAY USING THIS FORM <<<<<<<
Publications NOT for sale
Computer Entrepreneur Nominations Requested by IEEE Computer Society
TC officers
Information for Subscribers and Contributors

____________________________________________________________________
Letter from the Editor
____________________________________________________________________

Dear Readers,

First, thanks very much to my colleague Andy Moore, who took care of Cipher chores while I was away for four weeks in August. And thanks to all of you for your patience in waiting for this issue.
Please notice the submission dates for next spring's Symposium on Security and Privacy: papers are due 15 November. Program Co-chairs George Dinolt and Paul Karger are planning to accept submissions either electronically or by hard copy. I plan to mail the full call for papers to the Cipher mailing list soon after this issue appears.

Erland Jonsson reports an encouraging response to the questionnaire published in the last issue, but he has asked to distribute it one more time in hopes of additional responses; it appears near the end of this issue.

The IEEE Computer Society asks that TC members please send in new membership renewal forms before 31 December. The form appears in this issue (as it has in every other issue); please do fill it out and send it in. It costs nothing more than a stamp, and it will put you on the IEEE CS's roster of TC members (or keep you from falling off).

Carl Landwehr
Editor, Cipher
Landwehr@itd.nrl.navy.mil

____________________________________________________________________
SECURITY AND PRIVACY NEWS BRIEFS
____________________________________________________________________

____________________________________________________________________
Security-Related News Items from Security-Related Mailing Lists
by Mary Ellen Zurko, OSF Research Institute (zurko@osf.org)
____________________________________________________________________

This issue's highlights are from e$pam, http-wg, privacy, tbtf, www-security, risks, and www-buyinfo.

The IPSEC working group of the IETF remains unable to come to consensus about a key management standard. A design group tried to merge SKIP, ISAKMP, and OAKLEY, and failed. Since people are fielding encryption solutions that require key management, the concern is that the lack of a standard will cause interoperability headaches, and slow down the dissemination of encryption support.

A popular pseudonymous server in Finland (anon.penet.fi) with over half a million users was shut down by its owner.
The owner is closing it down for the time being "because the legal issues governing the whole Internet in Finland are yet undefined." A Finnish court's preliminary decision was that the privacy remailers could be violated by court order. The owner is collecting reactions for and against this sort of service, and stories about why anyone would need such a service, at support@anon.penet, against@anon.penet.fi, and why@anon.penet.fi, respectively.

In the HTTP working group of the IETF, Digest Authentication (which cryptographically hashes passwords instead of passing them in the moral equivalent of the clear) is slated for inclusion in HTTP 1.1, which is on its way to Proposed Standard. There has always been a tension between getting a cheap replacement for Basic Authentication out there fast, and making it a better protocol. Issues about man-in-the-middle attacks are being raised again (servers can protect against them, but don't have to). Netscape was taken to task for not supporting Digest, while representatives of Netscape said that they would not integrate something that was not stable.

We're getting closer to the penny-a-page vision on the Web. Clickshare (http://www.clickshare.com/clickshare) is getting close to announcing services that track movements and settle charges down to as little as 10 cents per query.

US Bank is beginning to thumb-print non-customers who cash checks. Statistics indicate this is more of a deterrent than a way to catch someone cashing a bad check.

A member of cypherpunks was interested in a good steganography program for communicating with a friend in a country that is not crypto-friendly. Someone has software that forms Mad-Lib style sentences of the form "The _THING _VERBs to the _PLACE." Another pointed to a program that can hide information in .gifs.
A third has worked on software that has a dictionary of pairs of synonyms (each representing 1 or 0), that will scan freeform text and embed a bit in each of the dictionary words it finds.

An interesting quote from DefCon founder Dark Tangent, a.k.a. Jeff Moss: "Hacking as we know it is dying. Everything is specialized today. There's wireless, IP, ISDN, NT -- it gets crazy."

Baruch Awerbuch, a professor of computer science at The Johns Hopkins University, is studying the economics of sharing computer power over the Internet (and calling it metacomputing). He acknowledges that there are security issues, and "it will also require a change in the close attachment most people feel toward their computers."

A CD full of all sorts of crypto shareware and freeware may soon be available. See http://www.rpini.com/crypto/cryptocd.html.

A fair trading office in London found that Mondex is not truly anonymous (they were claiming it for a while until the complaint was filed by PI director Simon Davies). See http://www.privacy.org/pi/activities/mondex/.

The folks at Princeton who found so many Java holes (including two new ones in early August that allow full read/write access to files) are turning their attention to Internet Explorer. They found a way to run any DOS command on the machine of someone using IE that visits a malicious page.

A U.S. Army private faces spying charges, but his lawyer claims that he had broken into a supposedly impenetrable system after advising his superiors of defects in the security system. He seems to have also given a Chinese friend of his a password on an unclassified system. See http://www.yahoo.com/headlines/960821/news/stories/spy_1.html [sorry -- this link seems to be out of date -- CEL].

In mid-August, the Department of Justice's Web site was broken into and altered. Luckily for them, the alteration was fairly obvious (it involved nudity and racism, as well as anti-CDA sentiments).
Various sites backed up the hacked site before the DoJ yanked it. [And, after Mez wrote this, the CIA's web site was relabeled as the "Central Stupidity Agency", apparently by hackers from Sweden. It seems to still be off the air at this writing -- CEL]

ActiveX's security model (or lack thereof) has been getting discussion, since it might turn out to be Microsoft's answer to Java. They plan on moving to signed applets, much like Java is discussing signed classes. However, they have no encompassing sandbox like Java's VM that provides additional restrictions. There's an ActiveX control on the web that gracefully shuts down your Windows95 system (http://www.halcyon.com/mclain/ActiveX/).

The possibility of encrypting information for 100 years was discussed on cypherpunks. The hottest issue seemed to be how to protect a key for 100 years (in space, at the bottom of the ocean, escrowed with long-lived institutions like the Catholic church, the Chinese government, and Oxford).

The Communication Security Corporation announced a telephone security device supporting triple-DES.

Both Netscape and Microsoft have 128-bit US versions of their browsers available. Netscape uses the service http://www.lookupusa.com/lookupusa/ada/ada.htm to determine if you can receive the software electronically. It directly connects with a mapping service so you can get a direct map for the person's exact location. The original risks poster has an unlisted phone number, but found himself. I have a phone number listed under my husband's name, and did not find myself. They have a separate business lookup, but I found my family's business in the personal lookup (they don't pay for a business phone listing).

John Gilmore is trying to get 5% of the Internet encrypting "opportunistically" by December. He's planning on putting IPSEC into Linux, then using Linux gateways to encrypt all traffic when it's going to a site behind another of the gateways (http://www.cygnus.com/~gnu/swan.html).
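The Digest Authentication exchange from the HTTP working group item above, as an added example that is not part of the original newsletter: both sides of the challenge/response round in the RFC 2069 formulation that was current for HTTP/1.1, where the client sends MD5(MD5(user:realm:password):nonce:MD5(method:uri)) rather than the password. The realm, user name, password and URI are constructed sample values, and the one-use nonce check on the server side is a minimal freshness protection, not a full treatment of the man-in-the-middle issue the item mentions.

```python
import hashlib
import re
import secrets


def md5_hex(s):
    """Hex MD5 of a string; the 1996 Digest draft specified MD5 as its hash."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, nonce, method, uri):
    """Client side.  Only this hash travels in the Authorization header;
    the password itself is never sent, unlike Basic authentication."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")   # H(A1)
    ha2 = md5_hex(f"{method}:{uri}")                   # H(A2)
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def build_authorization(username, realm, nonce, uri, response):
    return (f'Authorization: Digest username="{username}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{response}"')


def parse_params(header):
    """Pull the key="value" pairs out of a Digest challenge or credentials header."""
    return dict(re.findall(r'(\w+)="([^"]*)"', header))


class DigestServer:
    """Server side.  Keeps only H(A1) per user (never the clear password),
    issues a fresh random nonce per challenge, and accepts each nonce once,
    so a captured Authorization header cannot simply be replayed."""

    def __init__(self, realm, users):
        self.realm = realm
        self.ha1 = {u: md5_hex(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.live_nonces = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return f'WWW-Authenticate: Digest realm="{self.realm}", nonce="{nonce}"'

    def verify(self, method, authorization):
        p = parse_params(authorization)
        user, nonce = p.get("username"), p.get("nonce")
        if nonce not in self.live_nonces or user not in self.ha1:
            return False
        self.live_nonces.discard(nonce)            # one use per nonce
        ha2 = md5_hex(f"{method}:{p.get('uri', '')}")
        expected = md5_hex(f"{self.ha1[user]}:{nonce}:{ha2}")
        return secrets.compare_digest(expected, p.get("response", ""))


def run_exchange():
    """One genuine round, then a replay and a wrong-password attempt.
    Realm, user name, password and URI are constructed sample values."""
    realm, user, password, uri = "cipher@example.test", "mez", "correct horse", "/issue17"
    server = DigestServer(realm, {user: password})

    nonce = parse_params(server.challenge())["nonce"]            # 401 challenge
    resp = digest_response(user, realm, password, nonce, "GET", uri)
    header = build_authorization(user, realm, nonce, uri, resp)  # client retry

    first = server.verify("GET", header)    # genuine, fresh nonce: accepted
    replay = server.verify("GET", header)   # identical header again: refused

    nonce2 = parse_params(server.challenge())["nonce"]
    bad = digest_response(user, realm, "wrong password", nonce2, "GET", uri)
    wrong = server.verify("GET", build_authorization(user, realm, nonce2, uri, bad))

    return {
        "password_on_wire": password in header,
        "first_attempt_ok": first,
        "replay_ok": replay,
        "wrong_password_ok": wrong,
    }


if __name__ == "__main__":
    print(run_exchange())
```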
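The synonym-pair scheme from the last steganography item above, as an added example that is not the poster's program: a small constructed dictionary and cover text, an encoder that spends one bit per dictionary word it finds, and a decoder that recovers a length-prefixed payload. The capacity check makes the scheme's main limit visible: a cover carries only as many bits as dictionary words it contains.

```python
import re

# Constructed sample dictionary: each pair is (word carrying bit 0, word carrying bit 1).
SYNONYM_PAIRS = [
    ("big", "large"),
    ("quick", "fast"),
    ("begin", "start"),
    ("happy", "glad"),
    ("small", "little"),
    ("buy", "purchase"),
]
WORD_TO_BIT = {w: bit for pair in SYNONYM_PAIRS for bit, w in enumerate(pair)}
WORD_TO_PAIR = {w: pair for pair in SYNONYM_PAIRS for w in pair}

# Constructed sample cover text; it contains 23 dictionary words.
COVER = (
    "It was a big day. We had to begin early and be quick, so the happy crew "
    "bought a small cart. Buy little, buy fast, start now: the large crowd was glad. "
    "A quick stop at a big shop let us purchase a small flag. Happy and fast, "
    "we did start, and a large bell began to ring; we were glad to buy a little more."
)


def _tokens(text):
    """Alphabetic words and the non-word runs between them, so the text reassembles exactly."""
    return re.findall(r"[A-Za-z]+|[^A-Za-z]+", text)


def _match_case(original, replacement):
    return replacement.capitalize() if original[0].isupper() else replacement


def capacity(cover):
    """Bits the cover can carry: one per dictionary word found."""
    return sum(1 for t in _tokens(cover) if t.lower() in WORD_TO_BIT)


def _bits_from_bytes(data):
    return [(b >> (7 - k)) & 1 for b in data for k in range(8)]


def _bytes_from_bits(bits):
    whole = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, whole, 8))


def fits(cover, payload):
    """One length byte plus the payload must fit in the cover's capacity."""
    return 8 * (1 + len(payload)) <= capacity(cover)


def hide(cover, payload):
    """Embed payload (at most 255 bytes) by choosing, at each dictionary word,
    the synonym that carries the next bit; words past the message stay untouched."""
    if len(payload) > 255 or not fits(cover, payload):
        raise ValueError(f"cover carries {capacity(cover)} bits; need {8 * (1 + len(payload))}")
    bits = _bits_from_bytes(bytes([len(payload)]) + payload)
    out, i = [], 0
    for tok in _tokens(cover):
        pair = WORD_TO_PAIR.get(tok.lower())
        if pair is not None and i < len(bits):
            out.append(_match_case(tok, pair[bits[i]]))
            i += 1
        else:
            out.append(tok)
    return "".join(out)


def reveal(stego):
    """Read one bit per dictionary word; the first byte says how many bytes follow."""
    bits = [WORD_TO_BIT[t.lower()] for t in _tokens(stego) if t.lower() in WORD_TO_BIT]
    if len(bits) < 8:
        raise ValueError("no length byte present")
    n = _bytes_from_bits(bits[:8])[0]
    if len(bits) < 8 * (1 + n):
        raise ValueError("text truncated: declared length exceeds available bits")
    return _bytes_from_bits(bits[8:8 * (1 + n)])


if __name__ == "__main__":
    stego = hide(COVER, b"K")
    print(stego)
    print(reveal(stego))
```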
In early August, the Sunday Times reported that American intelligence agents hacked into European Parliament computers.

Oregon will sell you a tape with license plate information on it. Someone put a search engine into that data on the web, but then suspended the service pending consideration of the ruckus raised. There seems to be nothing illegal about it.

MasterCard and VISA have chosen their CA's (GTE and Verisign, respectively), and are planning on testing their SET implementations in the fourth quarter of this year (in time for Xmas?).

In http://www.gsu.edu/~lawadmn/gsulaw.html, the author posits that encrypted email would be necessary to maintain attorney-client confidentiality for all email concerning a client. [But the listing seems to have vanished?? or maybe it's posted steganographically?--CEL]

It's the end of a Web era; www-buyinfo is shutting down. Dave Kristol was the first to get many of us talking about electronic commerce on the Web, and www-buyinfo spawned a bunch of email distribution lists and working groups in the area.

____________________________________________________________________
Gore Announces New U.S. Policy on Crypto Exports
____________________________________________________________________

[1 October 1996] Vice President Gore announced today that the United States would permit the export of 56-bit key length encryption products under general license after a one-time review, contingent on industry commitments to build and market future products that support key recovery. The policy presumes "that a trusted party (in some cases internal to the user's organization) would recover the user's confidentiality key for the user or for law enforcement officials acting under proper authority. Access to keys would be provided in accordance with destination country policies and bilateral understandings. No key length limits or algorithm restrictions will apply to exported key recovery products."
Domestic use of key recovery will be voluntary, and Americans remain free to use any encryption system domestically. In addition, encryption products would no longer be treated as munitions; "after consultation with Congress, jurisdiction for commercial encryption controls will be transferred from the State Department to the Commerce Department. The Administration also will seek legislation to facilitate commercial key recovery, including providing penalties for improper release of keys, and protecting key recovery agents against liability when they properly release a key." This policy will last "up to two years," after which time the export of 56-bit products not supporting key recovery would no longer be permitted. Gore asserted that the new policy is "broadly consistent with the recent recommendations of the National Research Council" (see Cipher EI#15).

The announcement followed unattributed reports in today's Washington Post and New York Times of the new policy. Whether the new policy will succeed in "cutting off an emotional four-year-old debate with the computer industry over the export of information-scrambling technology," as the Post story suggested, may depend in part on the public perception of the strength of 56-bit key products. The Post also reported that several companies, led by IBM, have a technical plan that will comply with the new policy.

The possible effects of moving the export jurisdiction from State to Commerce are discussed in a piece circulated by Stewart Baker, an attorney with Steptoe and Johnson, formerly General Counsel for the NSA. Mr. Baker writes that while the Commerce Department should have the staff and procedures to avoid imposing unnecessary delays, the FBI and the Justice Department will now be involved, and they are newcomers to this process.
Further, the Commerce Department has an established procedure for "foreign availability" reviews, which are intended to determine whether "a product is so widely available abroad that controls are ineffective and should be lifted." The conduct and procedures of such a review may be a point of contention between the Commerce and Justice Departments, according to Baker.

The full text of Vice President Gore's statement is available on the Cipher Web pages.

____________________________________________________________________
Bellcore Researchers Claim Smart Card Security Flaw
____________________________________________________________________

[26 September 1996] A potential security flaw may permit counterfeiting of many types of electronic cash smart cards now circulating in Europe and under test in the U.S., according to a report by John Markoff in the Sept. 26 New York Times, page D1. The flaw is documented in a research paper that is about to be published by Richard Lipton and two colleagues (one of whom seems to be Richard DeMillo). Lipton is chief scientist at Bell Communications Research (Bellcore) as well as a professor of computer science at Princeton. DeMillo, vice president for information technology at Bellcore, said "Our technique is like a tiny lever that makes it possible to pry open the vault that the secret information is stored in."

The attack evidently depends on forcing the smart card to make a calculation error; the error would be used to provide information about the secret data maintained within the card. The error might be triggered by irradiating the card or through other means. A Mastercard executive who had been shown a draft of the report characterized the attack as "speculative." Thorough assessment of the practicality of the attack and its implications for chipcard manufacturers and e-cash vendors awaits full publication of the report.
______________________________________________________________________
Conference Reports
______________________________________________________________________

NIST/NSA Formally Unveils Trust Technology Assessment Program
by Jeremy Epstein, Cordant, Inc.
______________________________________________________________________

The Trust Technology Assessment Program (TTAP) is a joint effort by NIST and NSA to allow evaluation of low assurance commercial products by commercially licensed facilities. On September 26, NIST and NSA held a public workshop to explain how TTAP will work. This is a summary of the workshop.

The TTAP project has been underway for about five years, and has been explained in numerous papers and conference panels. The workshop was to make available, for the first time, the documents that provide detailed explanations of how organizations can become licensed to perform TTAP evaluations and how TTAP evaluations will be performed. The 45 workshop attendees were about 50% potential TTAP laboratories, 25% vendors, and 25% government (mostly TTAP presenters).

Under TTAP, evaluations will be performed by LTEFs (Licensed TTAP Evaluation Facilities). There are two parts to understanding TTAP: the licensing process and the evaluation process. To be licensed, an organization needs to be accredited under NIST's National Voluntary Laboratory Accreditation Program (NVLAP). In addition, the organization must pay accreditation fees and pass an on-site assessment (which includes reviewing the backgrounds of the proposed evaluators, conducting an evaluator proficiency exam, and examining the organization's quality assurance). Once the LTEF is licensed, it can conduct TTAP evaluations. Initially, TTAP will cover TCSEC C2 evaluations only. TTAP evaluations will be reviewed by an NSA Technical Review Board (TRB), just as is done with the current NSA-run Trusted Product Evaluation Process (TPEP) evaluations.
TTAP evaluations may eventually include TCSEC B1 evaluations, C2 and/or B1 network evaluations, and Common Criteria evaluations.

A set of draft documents was handed out describing the above processes in detail:

o "TTAP Scheme" describes the overall concept
o "TTAP Technical and Organizational Requirements for Accreditation" (known as "TORA", but consisting of one volume rather than the five one might expect :-) together with the "NVLAP Procedures and General Requirements" (NIST Handbook 150) describe how to become an LTEF
o "Derived Verification Requirements for TCSEC Class C2: Controlled Access Protection" describes how LTEFs will evaluate C2 products
o "TRB Expectations" was not released

All of these will be available (soon) from the TTAP Web site http://csrc.nist.gov/ttap. NIST and NSA invited comments and questions on the documents and the process (send to ttap@csmes.ncsc.nist.gov). A workshop will be held on November 20 at the Institute for Defense Analysis (IDA) in Alexandria VA to discuss TTAP further.

Under government sponsorship, Computer Sciences Corporation (CSC) started an experimental TTAP evaluation of Hewlett-Packard's HP-UX to determine the viability of the process. Thus far, the CSC team has completed IPAR TRB, after expending approximately 6 person-years of evaluation effort. Starting in spring 1997, NIST will begin a two year pilot program to accredit LTEFs and do TTAP evaluations. The plan is that once a sufficient number of LTEFs are accredited, NSA will cease beginning new C2 evaluations.

One of the more interesting topics covered was the business case for being an LTEF. While NIST and NSA were unable to give expected effort levels or costs for a TTAP evaluation, members of the audience estimated the cost from $300K (for a very straightforward evaluation, such as a standalone UNIX system) to $2,000K or more for a more typical complex product.
Although a dollar figure was not provided, the CSC experiment seems to bear out that this is an accurate order of magnitude for cost. It remains to be seen whether vendors will pay these fees to an LTEF in addition to the expenses already incurred to develop and support the evaluation of a trusted product. The NIST representative suggested that an LTEF might be more viable once other types of evaluations are started (such as Common Criteria evaluations of firewalls). It is unclear today whether vendors will spend the money to support both a TTAP and an ITSEC (European) evaluation, given that U.S. government organizations will accept an ITSEC evaluation if there is no competitive product with a U.S. rating. Finally, several vendors expressed the opinion that unless government organizations start purchasing evaluated products rather than obtaining waivers, there is no value to the vendor in evaluating the product.

______________________________________________________________________
Report on the 10th IFIP WG 11.3 Working Conference on Database Security
by David Spooner, Chair, IFIP WG 11.3
______________________________________________________________________

IFIP WG 11.3 held its tenth working conference on database security at Villa Olmo, in Como, Italy, on July 22-24, 1996. The conference included the presentation of fourteen refereed papers, two invited talks, two panel sessions, and a group exercise session. This conference restored a long-standing tradition of holding the working conference on a waterfront, in this case, Lake Como. By all accounts, the conference was a success.

The conference began with two invited talks. Teresa Lunt (ARPA) discussed "Strategic Directions in Computer Security Research," making the point that there is a growing demand for secure systems, but current secure technologies are often fragile.
She identified many areas where additional research is needed, including affordability, generic solutions, richer policies, scalability, and metrics for demonstrating progress. Bhavani Thuraisingham (MITRE) discussed "Data Warehousing, Data Mining, and Security," suggesting that there is much commercial interest in data warehousing and data mining and that the security field needs to look carefully at the implications of these technologies on privacy and security of data.

The next session was on federated systems and included the presentation of three papers. The first paper was presented by Zahir Tari (Royal Melbourne Institute of Technology) and was titled "Security Enforcement in the DOK Federated Database System" (co-author, George Fernandez). Tari discussed a unified security model and an architecture for distributed heterogeneous database systems that integrates many existing security models. The second paper was presented by Martin Olivier (Rand Afrikaans University) and was titled "Integrity Constraints in Federated Databases." Olivier discussed a technique that allows a database system to obtain a certified guarantee of data integrity for the data it receives from another system in a federation. The final paper in the session was presented by Silvana Castano (University of Milan) and was titled "An Approach to Deriving Global Authorizations in Federated Database Systems." Castano discussed issues in computing global authorizations from local authorizations in a federated system.

The next session was a panel discussion chaired by Sushil Jajodia on "Multilevel Secure Transaction Processing: Is It Well Understood?" The panelists were Vijay Atluri (Rutgers University), Thomas Keefe (Penn State University), Catherine McCollum (MITRE), and Ravi Mukkamala (Old Dominion University). In general, the panelists shared the opinion that much work has been done on the problem and that solutions are known with certain limitations.
They differed in their views of the importance of future work in this area, since existing commercial systems do not yet incorporate much of the work. Several panelists called for the need to better understand the needs of the customer.

The second day of the conference began with a session on object-oriented security. The first paper in this session was presented by John Hale (University of Tulsa) and was titled "A Framework for High Assurance Security of Distributed Objects" (co-authors Jody Threet and Sujeet Shenoi). Hale discussed the use of a process calculus tailored for concurrent objects to develop a formal model and layered architecture for secure interoperation of heterogeneous distributed objects. The second paper in this session was presented by Reind van de Riet (Free University) and was titled "An Object-Oriented Database Architecture for Providing High-Level Security in Cyberspace" (co-author Ehud Gudes). He discussed the concept of alter-egos as a representation for people in cyberspace. He also discussed an implementation based on Mokum, an object-oriented knowledge-base system, and on CORBA. The final paper in this session was presented by Frederic Cuppens (ONERA-CERT) and was titled "A Logical Approach to Model a Multilevel Object Oriented Database" (co-author Alban Gabillon). Cuppens discussed a formalization and extension of the Multiview model using a language based on first-order logic.

The next session was a group exercise led by Pierangela Samarati (University of Milan) and Ravi Sandhu (George Mason University) on "Open Questions in Database Security." It began with a presentation by John Campbell (Department of Defense, U.S.A.) on "Secure Database System Issues." Campbell identified a number of issues requiring additional research, including secure distributed systems, multimedia systems, parallel systems, and heterogeneous systems.
This was followed by a general discussion with the goal of identifying important research areas in database security. Some of the issues discussed included: (1) development of a reference model (possibly component based) and metrics to better define what a secure database system is, (2) how to deal with the fact that we must accept a non-ideal world with untrusted components mixed with trusted components, (3) how much can be done in an application-independent way and what depends on the semantics of a particular application system, and (4) recognition of the fact that the database is often just one component of a larger system, and we must consider the security of the larger system, not just the database by itself.

This session was followed by an afternoon of sightseeing in the Como area and a social dinner in a small local restaurant. The food, wine and conversation were all excellent.

The final day of the conference began with a session on multilevel databases. The first paper in this session was presented by Sushil Jajodia (George Mason University) and was titled "A Secure Locking Protocol for Multilevel Database Management Systems" (co-authors Luigi Mancini and Indrajit Ray). Jajodia discussed a secure locking protocol that produces serializable histories of transactions for single version data. The protocol requires only a trusted lock manager. The next paper was presented by Gary Grossman (ARCA Systems) and was titled "A Data Model for a Multilevel Replicated X.500 Server" (co-author Marvin Schaefer). Grossman discussed the incorporation of multiple sensitivity levels into an X.500 directory service through the use of replication. The final paper of the session was presented by Bhavani Thuraisingham (MITRE) for Janet Aisbett (University of Tasmania) and was titled "An Information Theoretic Analysis of Architectures for Multilevel Secure Databases."
This paper discusses a framework for assessing the cost of security in a distributed database architecture from an information theory point of view.

The next session was on new directions in database system security. It began with a presentation by Thomas Hinke (University of Alabama, Huntsville) of a paper titled "A Framework for Inference-Directed Data Mining" (co-authors Harry Delugach and Randall Wolf). Hinke discussed a second-path inference detection approach using association cardinalities. The second paper in this session was presented by Vijay Atluri (Rutgers University) and was titled "An Extended Petri Net Model for Supporting Workflows in a Multilevel Secure Environment" (co-author Wei-Kuang Huang). This paper shows how Petri Nets can be used to detect and prevent task dependencies that violate security in workflow models.

The next session was a panel organized by Ravi Sandhu (George Mason University) on implementation experiences and prospects. The panelists were LouAnna Notargiacomo (Oracle), Dan Thomsen (Secure Computing Corporation) and Jess Worthington (Informix). During initial presentations by the panelists and subsequent discussion, the point was made that users want more tailorable security policies than are available today in commercial systems. Traditional mandatory access control is not what everyone wants. New technologies such as the world wide web are having an impact on what users want. There appears to be a market for secure database products, but these products must support a wider variety of policies and enforcement mechanisms and they must be easy to use.

The final session of the conference was on role-based security and began with a presentation by Silvia Osborn (University of Western Ontario) titled "On the Interaction Between Role-Based Access Control and Relational Databases" (co-authors Laura Reid and Gregory Wesson).
Osborn discussed issues and techniques for mappings between a role graph and the set of privileges in a relational database system. The final paper in this session was presented by T. C. Ting and was titled "Generics and Exception Handling for Supporting User-Role Based Security in Object-Oriented Systems" (co-authors S. A. Demurjian, M. Price, and M.-Y. Hu). This paper extends the authors' previous work to handle extensibility and reuse for role-based security enforcement mechanisms to facilitate the design of software systems.

Special thanks go to the organizing committee for the working conference who put together a well run and interesting conference: Elisa Bertino (General Chair), Pierangela Samarati (Program Co-Chair), Ravi Sandhu (Program Co-Chair), and Silvana Castano (Local Arrangements). The proceedings for the working conference will be published by Chapman & Hall Publishing Company (London) in early 1997. The title will be "Database Security X: Status and Prospects," with editors P. Samarati and R. Sandhu.

The next IFIP WG 11.3 Working Conference will be held in Lake Tahoe, California, on August 11-13, 1997. The call for papers can be accessed from the world wide web page for the working group using the following address: http://www.cs.rpi.edu/ifip/.

________________________________________________________________________
New Reports available via FTP and WWW
________________________________________________________________________

o From Cypherpunks: Two articles of interest concerning Cold War codebreaking from the UK Daily Telegraph:
  - "Codebreakers come clean", by Christopher Andrew, at URL references the continuing release of the NSA's Venona files (see )
  - "GCHQ to release Cold War Files" by Michael Smith, at URL reports the release of some of the UK's Venona files in response to the NSA's action.

o DARPA and NSA organized an operating system/security workshop, held May 22-23, 1996.
The proceedings, including a number of interesting papers listing research challenges, briefings presented at the workshop, and more, are now available at: http://www.ito.darpa.mil/Proceedings/OS_Security/. If you back up a level to http://www.ito.darpa.mil/Conferences.html you can find more materials, some security related, from other DARPA ITO conferences and briefings.

o The Common Criteria are now available in a hyperlinked format at: http://www.tno.nl/instit/fel/refs/cc.html There are also links at this site for downloadable PostScript versions.

o Privacy International has accumulated a variety of materials on National ID cards at: http://www.privacy.org/pi/activities/idcard/.

o The final Workshop on Information Technology - Assurance and Trustworthiness was held 3-5 September, and a summary of the results is being (gradually) posted at URL: http://aaron.cs.umd.edu/witat/witat96sum.html

________________________________________________________________________
Interesting Links [new entries only]
________________________________________________________________________

No new entries to report this issue.

________________________________________________________________________
Who's Where: recent address changes
________________________________________________________________________

Entered 15 September 1996:
Phillip A. Porras
Computer Science Laboratory
SRI International
333 Ravenswood Avenue
Menlo Park California 94025-3493
Porras@CSL.sri.com

Entered 3 September 1996:
Li Gong
Sun Microsystems
2550 Garcia Avenue, MS UCUP01-202
Mountain View, CA 94043-1100, USA
gong@eng.sun.com
tel: +1(408)343-1825
fax: +1(408)343-1553

________________________________________________________________________
Calls for Papers (new listings since last issue only -- full list on Web)
________________________________________________________________________

CONFERENCES

Listed earliest deadline first.
See also Cipher Calendar o Fast Software Encryption Workshop 1997, Haifa, Israel, January 27-29, 1997; Conf Web page. Interested parties are invited to submit original unpublished papers on the design and analysis of fast encryption algorithms and hash functions. Preproceedings will be available at the meeting. The final proceedings is expected to be published in the Springer-Verlag Lecture Notes in Computer Science. Send submissions to biham@cs.technion.ac.il by October 11, 1996. o 1997 IEEE Symposium on Security and Privacy, Oakland, California, May 4-7, 1997. The Symposium on Security and Privacy has, for 16 years, been the premier forum for the presentation of developments in computer security and for bringing together researchers and practitioners in the field. We seek to build on this tradition of excellence by re-emphasizing work on engineering and applications while maintaining our interest in theoretical advances. See the conference Web page for information about electronic and paper submissions. Submissions are due Nov. 15, 1996. o Enterprise Networking '97, Montreal, Quebec, June 11-12, 1997. Topics of interest include: * Integration of subsystems of enterprise networks, such as e-mail gateways, LAN switches, bridges and routers, database systems, and security and authentication mechanisms with the internets to provide "end-user" oriented services, such as video- conferencing, multi-media mails, etc., * Enterprise information resource management. Enterprise Networks Management (e.g., configuration, fault, performance, accounting, security, etc.). Submissions are due to the program chair, Bhumip Khasnabish (bhumip@gte.com) by mail by November 15, 1996. 
JOURNALS

Regular archival computer security journals:

o Journal of Computer Security (JCS) [see Cipher Web pages or EI#9]; e-mail contacts for submissions: jajodia@isse.gmu.edu or jkm@mitre.org. See also Web site: http://www.jcompsec.mews.org/

o Computers & Security [see Cipher Web pages or EI#9]; e-mail contact for submissions: j.meyer@elsevier.co.uk

o International Journal of Digital Libraries aims to advance the theory and practice of acquisition, definition, organization, management and dissemination of digital information via global networking. In particular, the journal will emphasize technical issues in digital information production, management and use, issues in high-speed networks and connectivity, inter-operability, and seamless integration of information, people, profiles, tasks and needs, security and privacy of individuals and business transactions and effective business processes in the Information Age. Electronic submission is encouraged to speed up the process (for details please send email to dlib@adam.rutgers.edu). For hard copy submission, please mail five copies to: Prof. Nabil R. Adam, CIMIC, Rutgers University, Newark, NJ 07102, (201) 648-5239, adam@adam.rutgers.edu.

Special Issues of Journals and Handbooks: listed earliest deadline first.

o ACM-MONET. Special Issue of the Journal on Special Topics in Mobile Networking and Applications. Journal Web page. This special issue will concentrate on the problems associated with mobile and wireless networking in the Internet, primarily at the network layer and above. Internet security issues are a relevant topic. Authors should email an electronic Postscript copy of their paper to one of the guest editors by November 15, 1996. Submissions should be limited to 20 double spaced pages, excluding figures, graphs, and illustrations. Submissions can be sent to perk@watson.ibm.com.

o Journal of Intelligent Information Systems (JIIS); Special Issue on Data Mining. As a young, promising research area with broad applications, data mining and knowledge discovery in databases has attracted great interest in the research communities of database systems, machine learning, statistics, high performance computing, information retrieval, data visualization, and many others. Security and social impact of data mining is a topic of interest. Five hard copies of the paper, with the length limited to 20 pages, should be submitted by November 1, 1996 to the conference chair. Also see web page.

________________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 1: Conference Papers
________________________________________________________________________

The notation [conference information] indicates there is a link to information about the conference on the Cipher web pages.

* HASE '96 (IEEE High-Assurance Systems Engineering Workshop), Niagara-on-the-Lake, Canada, October 21-22, 1996, [conference information] security-related papers:
  - A General Approach to Secure Component Composition. Q. Shi, N. Zhang, Liverpool John Moores University, UK.
  - A Framework for MLS Interoperability. M.H. Kang, J.N. Froscher, and I.S. Moskowitz, Naval Research Laboratory, USA.
  - Multiversion Transaction Scheduler for Centralized MultiLevel Secure Database Systems. T.F. Keefe, Penn State U., W.T. Tsai, U. of Minnesota.

* Papers to be presented at Asiacrypt '96, 4-6 November, Kyongju, South Korea (from preliminary program):
  - A Message Recovery Signature Scheme Equivalent to DSA over Elliptic Curves, Atsuko Miyaji (Matsushita, Japan)
  - Cryptographic Protocols Based on Real-quadratic A-Fields, Ingrid Biehl, Bernd Meyer (Univ. des Saarlandes, Germany), Christoph Thiel (Gesellschaft fuer Automation und Organisation, Germany)
  - Minding your $p$'s and $q$'s, (#) Ross Anderson (Cambridge Univ., UK), Serge Vaudenay (ENS, France)
  - Authenticated Multi-Party Key Agreement, Mike Just (Carleton Univ., Canada), Serge Vaudenay (ENS, France)
  - Cryptography and the Internet: Lessons and Challenges, Kevin McCurley (Sandia National Lab., USA)
  - Generating Standard DSA Signatures without Long Inversion, Arjen K. Lenstra (Citibank, USA)
  - A Fast Software Implementation for Arithmetic Operations in $GF(2^n)$, Erik De Win, Antoon Bosselaers, Servaas Vandenberghe, Peter De Gersem, Joos Vandewalle (Katholieke Univ. Leuven, Belgium)
  - Hash Function based on Block Ciphers and Quaternary Codes, Lars Knudsen, Bart Preneel (Katholieke Univ. Leuven, Belgium)
  - Generalized Feistel Networks, Kaisa Nyberg (Finnish Defence Forces, Finland)
  - On Applying Linear Cryptanalysis to IDEA, (#) Philip Hawkes (Univ. of Queensland, Australia), Luke O'Connor (Distributed Systems Technology Center, Australia)
  - A Multi-Recastable Ticket Scheme for Electronic Elections, Chun-I Fan, Chin-Laung Lei (National Taiwan Univ., Taiwan)
  - Some Remarks on a Receipt-free and Universally Verifiable Mix-type Voting Scheme, Markus Michels, Patrick Horster (Univ. of Technology Chemnitz-Zwickau, Germany)
  - Observations on Non-repudiation, Jianying Zhou, Dieter Gollmann (Univ. of London, UK)
  - On the Efficiency of One-time Digital Signatures, Daniel Bleichenbacher (Bell Lab., USA), Ueli Maurer (ETH Zuerich, Switzerland)
  - A Hidden Cryptographic Assumption in No-Transferable Identification Schemes, Kouichi Sakurai (Kyushu Univ., Japan)
  - Electronic Money and Key Management from Global and Regional Points of View, Shigeo Tsujii (Chuo Univ., Japan)
  - Limiting the Visible Space Visual Secret Sharing Schemes and their Application to Human Identification, Kazukuni Kobara, Hideki Imai (Univ. of Tokyo, Japan)
  - Towards Characterizing when Information-Theoretic Secret Key Agreement is Possible, Ueli Maurer, Stefan Wolf (ETH Zuerich, Switzerland)
  - Key Sharing Based on the Wire-tap Channel Type II Concept with Noisy Main Channel, V. Korjik, D. Kushnir (St. Petersburg Univ. of Telecommunications, Russia)
  - Generalization of Higher Order SAC to Vector Output Boolean Functions, Kaoru Kurosawa, Takashi Satoh (Tokyo Institute of Technology, Japan)
  - On the Correlation Immune Functions and their Nonlinearity, Seongtaek Chee, Sangjin Lee, Daiki Lee (Electronics and Telecommunications Research Institute, Korea), Soo Hak Sung (PaiChai Univ., Korea)
  - How to Date Blind Signatures, Masayuki Abe, Eiichiro Fujisaki (NTT, Japan)
  - Provably Secure Blind Signature Schemes, (#) David Pointcheval, Jacques Stern (ENS, France)
  - Cost-Effective Payment Schemes with Privacy Regulation, (#) David M'Raihi (Gemplus, France)
  - Mis-representation of Identities in E-Cash Schemes and How to Prevent it, Agnes Chan (Northeastern Univ., USA), Yair Frankel, Philip MacKenzie (Sandia National Lab., USA), Yiannis Tsiounis (Northeastern Univ., USA)
  - "Indirect Discourse Proofs": Achieving Efficient Fair Off-Line E-cash, Yair Frankel (Sandia National Lab., USA), Yiannis Tsiounis (Northeastern Univ., USA), Moti Yung (IBM, USA)
  - The Validation of Cryptographic Algorithms, Jacques Stern (ENS, France)
  - Convertible Group Signatures, Seung Joo Kim (Sung Kyun Kwan Univ., Korea), Sung Jun Park (KISA, Korea), Dong Ho Won (Sung Kyun Kwan Univ., Korea)
  - How to Utilize the Transformability of Digital Signatures for Solving the Oracle Problem, Masahiro Mambo (JAIST, Japan), Kouichi Sakurai (Kyushu Univ., Japan), Eiji Okamoto (JAIST, Japan)
  - On the Risk of Disruption in Several Multiparty Signature Schemes, Markus Michels, Patrick Horster (Univ. of Technology Chemnitz-Zwickau, Germany)
  - Correlation Attacks on Cascades of Clock Controlled Shift Registers, Willi Geiselmann (Univ. of Karlsruhe, Germany), Dieter Gollmann (Univ. of London, UK)
  - Conditional Correlation Attack on Nonlinear Filter Generators, Sangjin Lee, Seongtaek Chee, Sangjoon Park, Sungmo Park (Electronics and Telecommunications Research Institute, Korea)
  - The Cryptographic Security of the Syndrome Decoding Problem for Rank Distance Codes, Florent Chabaud, Jacques Stern (ENS, France)
  - A World Wide Number Field Sieve Factoring Record: on to 512 Bits, James Cowie (Cooperating Systems Co., USA), Bruce Dodson (Lehigh Univ., USA), R. Marije Elkenbracht-Huizing (Centrum voor Wiskunde en Informatica, The Netherlands), Arjen K. Lenstra (Citibank, USA), Peter L. Montgomery (USA), Joerg Zayer (USA)

________________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 2: Journal and Newsletter Articles, Book Chapters
________________________________________________________________________

* ACM SIGOPS Operating System Review, Vol. 30, No. 4 (Oct. 1996).
  Chris J. Mitchell and Liqun Chen. Comments on the S/Key user authentication scheme. pp. 12-16.

* IEEE Trans. on Knowledge and Data Engineering, Vol. 8, Number 4 (August 1996).
  P. Samarati, E. Bertino, and S. Jajodia. An authorization model for a distributed hypertext system. pp. 555-562.

* Journal of Computer Security, Vol. 3, No. 4 (1994/1995) [received 9/96]:
  - S. N. Foley and J. L. Jacob. Specifying security for computer supported collaborative working. pp. 233-254.
  - L. Chen, D. Gollmann, and C. J. Mitchell. Distributing trust amongst multiple authentication servers. pp. 255-268.
  - A. Zakinthinos and E. S. Lee. The composability of non-interference. pp. 269-282.
  - M. Bishop. Theft of information in the take-grant protection model. pp. 283-308.
  - C. Blundo, L. A. Frota Mattos, and D. R. Stinson. Multiple key distribution maintaining user anonymity via broadcast channels. pp. 309-322.

* ACM SIGOPS Operating System Review, Vol. 30, No. 3 (July 1996).
  - Paul F. Syverson. A new look at an old protocol. pp. 1-4.
  - Vijay Varadharajan and Phillip Allen. Joint actions based authorization schemes. pp. 32-45.

* ACM SIGSAC Security Audit & Control Review, Vol. 14, No. 3 (July 1996).
  - James J. Mavrikides. Security issues in a networked UNIX and MVS/VM environment. pp. 2-8.
  - C. S. Guynes, R. M. Gollady, and R. A. Huff. Database security in a client/server environment. pp. 9-12.
  - Sam Nitzberg. Emerging security issues involving the presence of microphone and video cameras in the computing environment. pp. 13-16.
  - Marie A. Wright. Silence and secrecy: a historical sketch of the NSA. pp. 17-20.

* IEICE [Japan] Transactions on Fundamentals of Electronics, Communications and Computer Sciences, Vol. E79-A, No. 7 (July 1996):
  - T. Hardjono and J. Seberry. Security Issues in Mobile Information Networks. pp. 1021-1026.
  - H. Watanabe, T. Fujiwara and T. Kasami. An Improved Method for Formal Security Verification of Cryptographic Protocols. pp. 1089-1096.

* Designs, Codes and Cryptography, Vol. 8, No. 3 (June 1996):
  J. Domingo-Ferrer. Achieving Rights Untransferability with Client-Independent Servers. pp. 263-271.

* Information Processing Letters, Vol. 58, No. 6 (June 1996):
  S. Obana and K. Kurosawa. Veto is impossible in secret sharing schemes. pp. 293-295.

* Computer Communications, Vol. 19, No. 5 (May 1996):
  M. Prabhu and S. Raghavan. Tutorial: Security in computer networks and distributed systems. pp. 379-388.

* IEEE Trans. on Parallel and Distributed Systems, Vol. 7, No. 6 (June 1996).
  P. Ammann, S. Jajodia, and P. Frankl. Globally consistent event ordering in one-directional distributed environments. pp. 665-670.

* ACM SIGSAC Security Audit & Control Review, Vol. 14, No. 2 (April 1996).
  - R. Sandhu. Report on the First ACM Workshop on role-based access control. pp. 2-4.
  - Richard Graveman and Li Gong. Summary of the Third ACM Conference on Computer and Communications Security. pp. 5-7.
  - Tony Greening. Ask and ye shall receive: a study in "social engineering". pp. 8-14.

* ACM Computing Surveys, Vol. 28, No. 1 (March 1996): (Selected articles from the issue dedicated to Paris Kanellakis.)
  - S. Jajodia. Database Security and Privacy. pp. 129-131.
  - R. Sandhu and P. Samarati. Authentication, Access Control, and Audit. pp. 241-243.

* Computers & Security, Volume 15, Number 3 (1996). (Elsevier)
  Special Features:
  - Nigel Miller. Establishing web sites -- legal issues and risks. pp. 198-202.
  - Clive Blatchford. Internet as pornutopia? pp. 203-208.
  - Paul Evans. Information protection for publishers. pp. 209-211.
  - Eike Born. Enforcing legal ownership rights by an access control system. pp. 212-220.
  Refereed papers:
  - Shiuh-Jen Wang and Jin-Fu Chang. Smart card based secure password authentication scheme. pp. 231-238.
  - W. G. de Ru and J. H. P. Eloff. Risk analysis modelling with the use of fuzzy logic. pp. 239-248.
  - Jing-Jang Hwang. A conventional approach to secret balloting in computer networks. pp. 249-263.
________________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 3: Book
________________________________________________________________________

No new book announcements received.

________________________________________________________________________
Cipher Registry of Security and Privacy Research Projects
________________________________________________________________________

(New entries only; for complete list see Cipher Web pages)

No new entries received this time; please send new submissions to cipher@itd.nrl.navy.mil

________________________________________________________________________
Calendar
________________________________________________________________________

Gene Spafford reports he is starting a computer security events calendar at http://arisia.cs.purdue.edu/ -- check it out.

====================================================================
See Calls for Papers section for details on many of these listings.
====================================================================
"Conf Web Page" indicates there is a hotlink on the Cipher Web pages to conference information.

Dates               Event, Location; Point of Contact/ more information
-----               ---------------------------------------------------
10/ 1/96:           RIDE '97; Birmingham, England. Conf Web page. Submissions due to peters@ece.nwu.edu
10/ 1/96:           TSMA '97; Nashville, TN. Submissions due to chairman
10/11/96:           FSE4; Haifa, Israel. Conf Web page. Submissions to biham@cs.technion.ac.il
10/16/96-10/19/96:  WebNet; San Francisco, CA. Conf Web page
10/16/96-10/19/96:  IC3N96; Rockville, Washington D. C.
10/21/96-10/25/96:  ICECCS96; Montreal, Quebec. Conf Web page
10/22/96:           HASE96; Niagara-on-the-Lake, Canada. Conf Web page
10/22/96-10/25/96:  NISS96; Baltimore, Maryland
10/29/96-11/ 1/96:  OSDI '96; Seattle, WA. Conf Web page
10/29/96-11/ 1/96:  ICNP96; Columbus, Ohio. Conf Web page
11/ 1/96:           Data Mining special issue of JIIS; Journal Web page. Submissions due.
11/ 1/96:           IEEE Network Magazine special issue on security; submissions due.
11/ 3/96-11/ 7/96:  ASIACRYPT96; Kyongju, South Korea. Conf Web page
11/11/96-11/12/96:  MOBICOM96; Rye, NY. Conf Web page
11/11/96-11/13/96:  CSI '96; Chicago, Illinois
11/14/96-11/15/96:  IPIC96; Cambridge, Massachusetts. Conf Web page
11/15/96:           ENM '97; Montreal, Quebec. Submissions by mail
11/15/96:           DART96; Rockville, MD. Conf Web page
11/15/96:           ACM-MONET; Journal Web page
11/15/96:           IEEE S&P; Oakland, California. Conf Web page; electronic submissions due
12/ 2/96-12/ 4/96:  ASIAN '96; Singapore. Conf Web page
12/ 9/96-12/13/96:  12th Annual ACSAC; San Diego, CA. Conf Web page
 1/ 8/97- 1/10/97:  ICDT97; Delphi, Greece. Conf Web page
 1/20/97- 1/22/97:  FSE4; Haifa, Israel. Conf Web page
 2/ 8/97- 2/14/97:  MMD '97; San Jose, California. Conf Web page
 2/10/97- 2/11/97:  SNDSS '97; San Diego, California. Conf Web page
 2/23/97- 2/24/97:  PAKDD '97; Singapore. Info hweeleng@iti.gov.sg; Conf Web page
 3/ 5/97- 3/ 7/97:  DCCA6; Garmisch-Partenkirchen, Germany
 3/20/97- 3/23/97:  TSMA '97; Nashville, TN
 4/ 1/97- 4/ 4/97:  DASFAA '97; Melbourne, Australia. Conf Web page
 4/ 2/97- 4/ 4/97:  4th CCS; Zurich, Switzerland. Conf Web page
 4/ 7/97- 4/11/97:  ICDE '97; Birmingham, UK. Conf Web page
 4/ 7/97- 4/ 8/97:  RIDE '97; Birmingham, England. Conf Web page
 4/ 9/97- 4/11/97:  ISADS97; Berlin, Germany. Conf Web page
 4/14/97- 4/17/97:  SICON97; Kent Ridge, Singapore
 5/ 4/97- 5/ 7/97:  IEEE S&P; Oakland, California. Conf Web page
 5/13/97- 5/16/97:  9th CCSS; Ottawa. No e-mail address available
 6/11/97- 6/12/97:  ENM '97; Montreal, Quebec
 7/??/97:           ACISP'97; Sydney, Australia. vijay@st.nepean.uws.edu.au
 9/ 9/97:           USENIX Sec Symp; San Antonio, Texas. Conf Web page. Submissions to securitypapers@usenix.org
 1/26/98- 1/29/98:  USENIX Sec Symp; San Antonio, Texas. Conf Web page
 5/ 3/98- 5/ 6/98:  IEEE S&P 98; Oakland. No e-mail address available
 5/12/98- 5/15/98:  10th CCSS; Ottawa. No e-mail address available
 5/ 2/99- 5/ 5/99:  IEEE S&P 99; Oakland. No e-mail address available
 5/11/99- 5/14/99:  11th CCSS; Ottawa. No e-mail address available
 4/30/00- 5/ 3/00:  IEEE S&P 00; Oakland. No e-mail address available
 5/16/00- 5/19/00:  12th CCSS; Ottawa. No e-mail address available

Key:
* ACISP = Australasian Conference on Information Security and Privacy, ACISP96
* ACM-MONET = Special Issue of the Journal on Special Topics in Mobile Networking and Applications, ACM-MONET
* ACSAC = Annual Computer Security Applications Conference, 12th Annual
* ASIAN = Asian Computing Science Conference, ASIAN '96
* ATMA = Advanced Transaction Models and Architectures, ATMA
* BDBIS = Baltic Workshop on DB and IS, BDBIS
* CCS = ACM Conference on Computer and Communications Security
* CCSS = Annual Canadian Computer Security Symposium
* CIKM = Int. Conf. on Information and Knowledge Management, CIKM '95
* COMAD = Seventh Int'l Conference on Management of Data (India)
* CISMOD = International Conf. on Information Systems and Management of Data
* CFP = Conference on Computers, Freedom, and Privacy
* COMPASS = Conference on Computer Assurance, COMPASS'96
* CoopIS96 = First IFCIS International Conference on Cooperative Information Systems, CoopIS96
* CPAC = Cryptography - Policy and Algorithms Conference
* CRYPTO = IACR Annual CRYPTO Conference, CRYPTO96
* CSFW = Computer Security Foundations Workshop, CSFW96 and Wkshp page
* CSI = Computer Security Institute Conference, CSI96
* CVDSWS = Invitational Workshop on Computer Vulnerability Data Sharing, CVDSWS
* CWCP = Cambridge Workshop on Cryptographic Protocols
* DART = Databases: Active & Real-Time, DART '96
* DASFAA = Database Systems For Advanced Applications, DASFAA '97
* DCCA = Dependable Computing for Critical Applications, DCCA6
* DEXA = International Conference and Workshop on Database and Expert Systems Applications, DEXA96
* DMKD96 = Workshop on Research Issues on Data Mining and Knowledge Discovery, Web page and CFP
* DOOD = Conference on Deductive and Object-Oriented Databases, DOOD '95
* EdCS = Education in Computer Security, EdCS
* ENM = Enterprise Networking, ENM '97
* ESORICS = European Symposium on Research in Computer Security, ESORICS'96
* FIRST = Computer Security Incident Handling and Response, FIRST '96
* FISP = Federal Internet Security Plan Workshop, FISP96
* FISSEA = Federal Information Systems Security Educators' Association
* FME = Formal Methods Europe, FME '96
* FMSP = Formal Methods in Software Practice
* FSE = Fast Software Encryption Workshop, FSE4
* HASE = High-Assurance Systems Engineering Workshop, HASE96
* HPTS = Workshop on High Performance Transaction Systems
* IC3N = International Conference on Computer Communications and Networks, IC3N '96
* ICDCS96 = The 16th International Conference on Distributed Computing Systems, ICDCS96
* ICDE = Int. Conf. on Data Engineering, ICDE '97
* ICDT = International Conference on Database Theory, ICDT97
* ICECCS = International Conference on Engineering of Complex Computer Systems, ICECCS '96
* ICI = International Cryptography Institute
* ICNP96 = International Conference on Network Protocols, ICNP96
* ICSSDBM = Int. Conf. on Scientific and Statistical Database Management
* IEEE S&P = IEEE Symposium on Security and Privacy, IEEE S&P '97
* IFIP/SEC = International Conference on Information Security (IFIP TC11)
* IFIP WG11.3 = IFIP WG11.3 10th Working Conference on Database Security
* IFIP96 Mobile Commns = IFIP 1996 World Conference, Mobile Communications
* IH Workshop '96 = Workshop on Information Hiding
* IMACCC = IMA Conference on Cryptography and Coding, 5th IMACC
* IMC96 = IMC'96 Information Visualization and Mobile Computing
* INET = Internet Society Annual Conference
* INET96 = The Internet: Transforming Our Society Now, INET96
* IPIC = Integration of Enterprise Information and Processes, IPIC96
* IPSWG = Internet Privacy and Security Workshop, IPSWG '96
* IS = Information Systems (journal)
* ISADS = Symposium on Autonomous Decentralized Systems, ISADS '97
* ISTCS = Fourth Israeli Symposium on Theory of Computing and Systems, ISTCS96
* IT-Sicherheit '95 = Communications and Multimedia Security: Joint Working Conference of IFIP TC-6 and TC-11 and Austrian Computer Society
* IWES = International Workshop on Enterprise Security, IWES
* JBCS = Journal of the Brazilian Computer Society
* JCMS = Journal of Computer Mediated Communication
* JCS = Journal of Computer Security, WWW issue
* JDSE = Journal of Distributed Systems Engineering; Future Directions for Internet Technology, JDSE
* KDD96 = The Second International Conference on Knowledge Discovery and Data Mining (KDD-96)
* MCN = ACM Int. Conf. on Mobile Computing and Networking. See MOBICOM
* MCDA = Australian Workshop on Mobile Computing & Databases & Applications, MCDA96
* MDS '95 = Second Conference on the Mathematics of Dependable Systems, MDS-95
* METAD = First IEEE Metadata Conference, METAD
* MMD = Multimedia Data Security, MMD '97
* MMDMS = Wkshop on Multi-Media Database Management Systems, MMDMS '96
* MOBICOM = Mobile Computing and Networking, MOBICOM '96
* NCSC = National Computer Security Conference
* NISS = National Information Systems Security Conference, NISS96
* NSPW = New Security Paradigms Workshop, NSPW '96
* OOER = Fourteenth Int. Conf. on Object-Oriented and Entity Relationship Modelling, OOER '95
* OSDI = Operating Systems Design and Implementation, OSDI '96
* PAKDD = First Asia-Pacific Conference on Knowledge Discovery and Data Mining, PAKDD97
* PISEE = Personal Information - Security, Engineering, and Ethics, PISEE
* RBAC'95 = First ACM Workshop on Role-Based Access Control
* RIDE = High Performance Database Management for Large Scale Applications, RIDE97
* RTDB'96 = First International Workshop on Real-Time Databases: Issues and Applications, RTDB96
* SAC = Workshop on Selected Areas of Cryptography, SAC '96
* SCRAPC = Smart Card Research and Advanced Application Conference, SCRAPC96
* SDSP = UK/Australian International Symposium On DSP For Communication Systems, SDSP '96
* SECURICOM = World Congress on the Security of Information Systems and Telecommunication, SECURICOM '96
* SFC = Society and the Future of Computing, SFC '96
* SFTC-VI = Symposium on Fault Tolerant Computing - VI (Brazil)
* SICON = IEEE Singapore International Conference on Networks, SICON '97
* SIGMOD/PODS = ACM SIGMOD International Conference on Management of Data / ACM SIGACT SIGMOD-SIGART Symposium on Principles of Database Systems
* SNDSS = Symposium on Network and Distributed System Security (Internet Society), NDSS '97
* SOC = 18th Biennial Symposium on Communications, SOC18
* TPHOLs = Theorem Proving in Higher Order Logics, TPHOLs96
* TSMA = 5th International Conference on Telecommunication Systems - Modeling and Analysis, TSMA '97
* USENIX Sec Symp = USENIX UNIX Security Symposium, 7th Annual
* VLDB = 22nd International Conference on Very Large Data Bases, VLDB96
* WDAG-9 = Ninth Int. Workshop on Distributed Algorithms
* WebNet = World Conference of the Web Society, WebNet96
* WITAT = Workshop on Information Technology - Assurance and Trustworthiness, WITAT '96
* WWWC = International World Wide Web Conference, WWWC96

________________________________________________________________________
Questionnaire on Practical Data Security Experiments
Erland Jonsson and Lech Janczewski
________________________________________________________________________

[REPEATED FROM PREVIOUS ISSUE]

To Teachers in Computer Security and other interested parties,

RE: Request for data on practical security experiments

At the last IFIP Security conference on Samos in May 1996 there was an interesting discussion held on the contents of data security courses/lectures. During that discussion the importance of experiments in teaching this discipline was emphasized. As "experiments" we understand any action beyond "pure" lecturing, encompassing such activities as:

  * Analysis of various aspects of data security in real and laboratory environments
  * Development of new tools used for enhancing security of organisations, systems or components.

Experiments in this sense mean activities conducted during the class presentations (DEMO), in laboratories (LAB), and in external organisations (FIELD).

We decided to investigate this question in a more detailed way. We understand that without drawing on existing resources in this field our effort would be fruitless. Therefore, we would be very grateful if you could answer the enclosed questionnaire. It is a universal form good for any type of experiment. If during your data security courses you have more than one experiment, would you please use one form per experiment.

We plan to complete the research within a couple of months, so your prompt action would be greatly appreciated. We will reference any material from you in our final report and we promise to send it to you. If you have any questions regarding this research, will you kindly contact either of us (addresses below). Finally, if you feel that this message is not for you but rather for one of your colleagues, please forward this message to her/him.

Looking forward to your positive reply,

Remaining sincerely yours,

Erland Jonsson/Lech Janczewski

QUESTIONNAIRE:

*************************************************************************
***DATA SECURITY EXPERIMENT***

University ..............................................................
Faculty .................................................................
Department ..............................................................
Course name .............................................................
Course level ............................................................
  (undergraduate, graduate, etc)
Experiment type        DEMO     LAB     FIELD     (circle)
Experiment duration .....................................................
  (in min, hours, days, etc)
Experiment goal .........................................................
.........................................................................
Experiment description ..................................................
.........................................................................
Assessment method .......................................................
  (if appropriate)
.........................................................................
*************************************************************************

Please send the form to:

  Dr Erland Jonsson
  Department of Computer Engineering
  Chalmers University of Technology
  Gothenburg, Sweden
  tel 46-31 772 1688
  fax 46-31 772 3663
  email: jonsson@ce.chalmers.se

or

  Dr Lech J. Janczewski
  Department of Management Science and Information Systems
  The University of Auckland
  Auckland, New Zealand
  tel 64-9 373 7599 ext 7538
  fax 64-9 373 7430
  email: lech@auckland.ac.nz

________________________________________________________________________
Data Security Letter Subscription Offer
________________________________________________________________________

A special subscription rate of $25/year for the Data Security Letter is now available to IEEE TC members. The DSL is an external, nonpartisan newsletter published by Trusted Information Systems, Inc. Eleven issues (usually 16 pages each) per year are published. The DSL welcomes reader suggestions and contributions and accepts short research abstracts (about 130 words) for publication on an ongoing basis. On occasion, the DSL will be republishing Cipher articles (with authors' approval), but such articles will constitute a small portion of DSL content (thus there will be very little duplication of Cipher material).

IEEE TC members wishing to take advantage of the special subscription rate should send the following to sharon@tis.com. The information can also be faxed to 301-854-5363 (attention: DSL), phoned to 301-854-5338, or mailed to Trusted Information Systems, Inc., 3060 Washington Rd., Glenwood, MD 21738 USA.

  NAME:
  POSTAL ADDRESS:
    (Please indicate company name, if a business address)
  PHONE:
    (Please indicate if home or business)
  FAX:
  E-MAIL:
  IEEE Membership No. (if applicable):

NOTE: If you are already a paying subscriber to the DSL, for the $25 you will receive a 2-year renewal; refunds, rebates, etc., on your current subscription are not available.

If you have any questions about the offer or anything else pertaining to the DSL, you may contact the editor, Sharon Osuna, via E-Mail to sharon@tis.com or call her at 301-854-5338.
________________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security
and Privacy
________________________________________________________________________

You do NOT have to join either IEEE or the IEEE Computer Society to join
the TC, and there is no cost to join the TC. All you need to do is fill
out an application form and mail or fax it to the IEEE Computer Society.
A copy of the form is included below (to simplify things, only the TC on
Security and Privacy is included, and is marked for you). The full and
complete form is available on the IEEE Computer Society's Web Server at
URL:

   http://info.computer.org:80/tab/tcapplic.htm

PLEASE NOTE THAT THE FORM IS TO BE RETURNED (BY MAIL OR FAX) TO THE IEEE
COMPUTER SOCIETY, >>NOT<< TO CIPHER.

--------- IEEE Computer Society Technical Committee Membership Application
-----------------------------------------------------------
Please print clearly or type.
-----------------------------------------------------------
Last Name                First Name              Middle Initial
___________________________________________________________
Company/Organization
___________________________________________________________
Office Street Address (Please use street addresses over P.O.)
___________________________________________________________
City                                             State
___________________________________________________________
Country                                          Postal Code
___________________________________________________________
Office Phone                                     Fax
___________________________________________________________
Email Address (Internet accessible)
___________________________________________________________
Home Address (optional)
___________________________________________________________
Home Phone
___________________________________________________________

[ ] I am a member of the Computer Society
    IMPORTANT: IEEE Member/Affiliate/Computer Society Number:
    ____________________
[ ] I am not a member of the Computer Society*

Please Note: In some TCs only current Computer Society members are
eligible to receive Technical Committee newsletters.

Please select up to four Technical Committees/Technical Councils of
interest.

TECHNICAL COMMITTEES
[ X ] T27 Security and Privacy

Please Return Form To:
   IEEE Computer Society
   1730 Massachusetts Ave, NW
   Washington, DC 20036-1992
   Phone: (202) 371-0101
   FAX: (202) 728-9614

____________________________________________________________________
Computer Entrepreneur Award Call for Nominations
____________________________________________________________________

The IEEE Computer Society solicits nominations for the prestigious
"Computer Entrepreneur Award". Nominations for the 1997 award are due by
September 18, 1996.

* This award recognizes a manager or leader who has been responsible
* for the growth of some segment of the computer industry, or a
* technical manager whose entrepreneurial leadership built the
* computer industry. The efforts must have taken place over fifteen
* years earlier, and the industry effects must be generally and openly
* visible.

Past recipients of this award include:
   Kenneth Olsen
   Gene Amdahl
   J. Presper Eckert
   William Norris
   Gordon Moore
   Robert Noyce
   Erwin Tomash
   William Hewlett
   David Packard
   Daniel Bricklin

Nominations are sought from throughout the international computer
industry and from both hardware and software communities. For the 1997
award, the principal effort being recognized must have taken place or
been started during or before 1982.

The nomination form is available on the Web at:
   http://www.computer.org/awards/nomfms/cenomfm.htm

The selection committee will be glad to assist with researching and
perfecting possible nominations. If you know of a deserving candidate,
you can suggest the name and why he or she is appropriate for the
Computer Entrepreneur Award. Committee members can then help you complete
the information needed for full consideration of your nominee. You do
not have to be an IEEE or Computer Society member to make a nomination.

For further information on the Computer Entrepreneur Award, contact the
selection committee chair:
   Elliot Chikofsky, DMR Group / TRECOM
   P.O. Box 400, Burlington, MA 01803 USA
   phone +1-617-272-0049; fax +1-617-272-8464
   e.chikofsky@computer.org

The IEEE Computer Society is the largest technical society of the
Institute of Electrical and Electronics Engineers (IEEE). For information
on the IEEE Computer Society and IEEE, refer to http://www.computer.org
or contact:
   IEEE-CS, 1730 Massachusetts Avenue NW, Washington, DC 20036 USA
   +1-202-371-0101 fax +1-202-728-9614
   l.harris@computer.org

________________________________________________________________________
TC Publications for Sale (NOT)
________________________________________________________________________

Proceedings of past Symposia will be available again in a few months.
The store is temporarily closed until our new checking account is opened.
________________________________________________________________________
TC Officer Roster
________________________________________________________________________

Chair:
   Deborah Cooper
   P.O. Box 17753
   Arlington, VA 22216
   (703)908-9312 voice and fax
   dmcooper@ix.netcom.com

Vice Chair:
   Charles P. Pfleeger
   Trusted Information Systems, Inc.
   3060 Washington Rd.,
   Glenwood, MD 21738
   (301)854-6889 (voice)
   (301)854-5363 (fax)
   pfleeger@tis.com

Newsletter Editor:
   Carl Landwehr
   Code 5542
   Naval Research Laboratory
   Washington, DC 20375-5337
   (202)767-3381
   landwehr@itd.nrl.navy.mil

Chair, Subcommittee on Academic Affairs:
   Prof. Karl Levitt
   University of California, Davis
   Division of Computer Science
   Davis CA 95611
   (916)752-0832
   levitt@iris.ucdavis.edu

Standards Subcommittee Chair:
   Greg Bergren
   10528 Hunters Way
   Laurel, MD 20723-5724
   (410)684-7302
   (410)684-7502 (fax)
   glbergr@missi.ncsc.mil

Chair, Subcommittee on Security Conferences:
   Dr. Stephen Kent
   BBN Corporation
   70 Fawcett Street
   Cambridge, MA 02138
   (617) 873-3988
   kent@bbn.com

________________________________________________________________________
Information for Subscribers and Contributors
________________________________________________________________________

SUBSCRIPTIONS: Two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to
   (which is NOT automated) with subject line "subscribe".

2. To receive a short e-mail note announcing when a new issue of CIPHER
   is available for Web browsing or downloading from our ftp server,
   send e-mail to (which is NOT automated) with subject line
   "subscribe postcard".

To remove yourself from the subscription list, send e-mail to
cipher-request@itd.nrl.navy.mil with subject line "unsubscribe".

Those with access to hypertext browsers may prefer to read Cipher that
way. It can be found at URL
   http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher

CONTRIBUTIONS: to are invited. Cipher is a NEWSletter, not a bulletin
board or forum. It has a fixed set of departments, defined by the Table
of Contents. Please indicate in the subject line for which department
your contribution is intended. For Calendar entries, please include an
e-mail address for the point-of-contact.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS
APPLY. All reuses of Cipher material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy,
publications using Cipher material should obtain permission from the
contributors.

BACK ISSUES: There is an archive that includes each copy distributed so
far, in ascii, in files you can download at URL
   http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher/cipher-archive.html

There is also an anonymous FTP server that contains the same files. To
access the archive via anonymous FTP:

1. ftp www.itd.nrl.navy.mil
2. At prompt for ID, enter "anonymous"
3. At prompt for password, enter your actual, full e-mail address
4. Once you are logged in, change to the Cipher Directory: cd pub/cipher
5. Now you can request any of the files containing Cipher issues in
   ascii. Issues are named in the form: EI#N.9506 where N is the number
   of the issue desired and 9506 captures the year and month it first
   appeared.

========end of Electronic Cipher Issue #17, 1 October 1996================