Subject: Electronic CIPHER, Issue 19, December 23, 1996

====================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 19                               December 23, 1996
Carl Landwehr, Editor
Bob Bruen, Book Review Editor
Hilarie Orman, Assoc. Editor
====================================================================

Contents: [1647 lines total]

o Letter from the Editor

Security and Privacy News Briefs:
o LISTWATCH: Items from security-related lists, by Mary Ellen Zurko

Commentary and Opinion
o CEPIS Issues Cryptography Policy Statement
o Spies, Steganography, Cryptography and Codebreakers: four book reviews by Bob Bruen

Conference Reports:
o DIMACS Network Vulnerability Workshop by Dave Millar
o Twelfth ACSAC by Jeremy Epstein (and YOU?)

New reports available via FTP and WWW
Interesting Links:
Who's Where: recent address changes
Calls for Papers
Reader's guide to recent security and privacy literature
o Conference Papers: Fourth COCCS, DCCA-6, ASIAN
o Journal and Newsletter articles, many, thanks to Anish Mathuria
o Books
Calendar
Data Security Letter subscription offer
Publications NOT for sale
TC officers
Information for Subscribers and Contributors

____________________________________________________________________
Letter from the Editor
____________________________________________________________________

Dear Readers,

Holiday greetings to CIPHER readers everywhere (and especially to CIPHER writers), and best wishes for a happy and healthy New Year.

The Clinton administration's new crypto export regulations (see the new reports section below if you want to read them) drew fire from various quarters, including an editorial in the New York Times condemning them as "unworkable and trampling on privacy rights."
The Council of European Informatics Societies (CEPIS), an umbrella organization for several European professional informatics societies, including BCS in the UK and GI and ITG/VDE in Germany, issued a general policy statement on the use of cryptography prior to the appearance of the latest regulations (see below).

Of the three proposed World Intellectual Property Organization (WIPO) treaties, two passed in a somewhat modified form; the third and most controversial, which could have considerably restricted use of databases, did not. It appears that the treaties as signed will not make the temporary electronic copies of documents or other materials created for browsing purposes a copyright violation, but much more will probably be written on this topic in the coming months. Presumably it will be up to the various nations to decide whether to ratify the treaties agreed in Geneva.

An interesting survey of the attitudes of Internet users on various topics, including concerns about data privacy, can be found at http://www.cc.gatech.edu/gvu/user_surveys/survey-10-1996/ This is Georgia Tech's Graphics, Visualization, and Usability Center.

If you lock your keys in your new OnStar-equipped Cadillac, you can call a special number and the OnStar service can unlock your car remotely. But who else could?

Carl Landwehr
Editor, Cipher
Landwehr@itd.nrl.navy.mil

____________________________________________________________________
SECURITY AND PRIVACY NEWS BRIEFS
____________________________________________________________________

____________________________________________________________________
LISTWATCH
Security-Related News Items from Security-Related Mailing Lists
by Mary Ellen Zurko, OSF Research Institute (zurko@osf.org)
____________________________________________________________________

This issue's highlights are from cryptography, e$pam, tbtf, and dcsb.
Federal judge Marilyn Hall Patel ruled (12/18) that government restrictions on the export of computer encryption programs are an unconstitutional interference with freedom of speech. The case was brought by Illinois professor of mathematics Daniel Bernstein, who had been told that programs and academic papers required licenses to communicate abroad.

A personal computer with several hundred thousand credit card accounts stored in it was stolen from a Visa office.

The classic man-in-the-middle attack is being repackaged as "Web spoofing" by the Princeton team. Their report on how an attacker can imitate a Web site to a user, and a user to a Web site, is at http://www.cs.princeton.edu/sip/pub/spoofing.html.

A group of Social Security Administration employees was arrested for passing confidential information on at least 1,000 people to credit card thieves, for bribes of as little as $10. The thieves were able to activate credit cards stolen from the mail with the holder's mother's maiden name. This report caused comment on how safe escrowed keys might be, and how much it might take to steal them.

There was a lot of discussion of HP's crypto framework announcement (http://www.hp.com/go/icf), mostly because there was a lot of confusion about just what it is, what it's meant to accomplish, and what it means to the recent key escrow initiatives. It is designed to be flexible enough to support any governmental encryption policy. A hardware or software token activates the encryption support. They're using Microsoft's CAPI and Intel will build some hardware for it.

Germany passed a Cyberspace law that, among other things, will outlaw cookies. Cookies are used both to maintain session state in the stateless HTTP protocol and to track users' movements on the Web.

RSA Laboratories is inviting comments and suggestions on the next generation of the Public-Key Cryptography Standards. The current generation is available at http://www.rsa.com/rsalabs/pubs/PKCS/.
Suggestions should be sent either to the pkcs-tng@rsa.com mailing list (subscribe by sending email with "subscribe pkcs-tng" in the message body to majordomo@rsa.com) or to pkcs-editor@rsa.com, whichever is deemed more appropriate.

Ross Anderson and Markus Kuhn put out a report on how they cracked a smart card with a small amount of equipment and some hacking. They built equipment to send bad data to the card and observe the results.

There are rumors that Digicash is going to hire a new CEO, and Chaum will become chief technology officer.

____________________________________________________________________
COMMENTARY AND OPINION
____________________________________________________________________

____________________________________________________________________
CEPIS Issues Cryptography Policy Statement
____________________________________________________________________

Cipher received the following statement from Kai Rannenberg, Secretary CEPIS LSI Network.

CEPIS: Governmental Restrictions on Encryption Products Put Security at Risk

The Council of European Professional Informatics Societies (CEPIS) - with nearly 200,000 professionals in its 20 member societies, the largest European association of professionals working in information technology (IT) - has agreed on a Cryptography Policy Statement. It gives an analysis of crypto restriction methods and concludes with the following recommendations:

(1) The use of cryptography for identifying data corruption or authenticating people/organisations should be free of restrictions and encouraged by governments.
(2) All individuals and organisations in the private and public sectors should be able to store and transmit data to others, with confidentiality protection appropriate for their requirements, and should have ready access to the technology to achieve this.
(3) The opportunity for individuals or organisations in the private and public sectors to benefit from information systems should not be reduced by incommensurable measures considered necessary for the enforcement of law.
(4) The governments of the world should agree on a policy relating to their access to other people's computerised data, while seeking the best technical advice available in the world on:
(4.1) whether and which access mechanisms to computerised data are an effective, efficient and adequate way to fight (organised) crime and mount effective prosecution of criminals, and
(4.2) how to implement the policy whilst minimising the security risks to organisations and individual citizens.
(Evaluation and implementation of the policy will require regular review as the technology evolves.)

The full statement is available on the WWW in ASCII and HTML form. Easiest access is via the web page of the CEPIS "Legal & Security Issues" Network (CEPIS LSI Network), who prepared the statement: http://www.wi.leidenuniv.nl/~verrynst/cepislsi.html. Further, there is a press release based on the statement. It can be reached via the CEPIS LSI Network web page, too.

For more information on CEPIS please view http://www.bcs.org.uk/cepis.htm or contact Mrs. Peta Walmisley (E-Mail: cepis@bcs.org.uk, Tel/fax: +44 171 637 5607).

Kai Rannenberg, Secretary CEPIS LSI Network (kara@iig.uni-freiburg.de)
PGP key available on request and at http://www.iig.uni-freiburg.de/~kara/

____________________________________________________________________
Steganography, Spies, Codebreakers, and Cryptography: Four Books
Reviewed by Bob Bruen, Cipher Book Review Editor
____________________________________________________________________

---------------------------------------------------------------------
Wayner, Peter. Disappearing Cryptography. AP Professional. 1996. $29.95. 295 pages. ISBN 0-12-738671-8. Paperback. LC TK5105.59.W39. Bibliography. Index.
http://access.digex.net:/~pcw/pcwpage.html
pcw@access.digex.com
---------------------------------------------------------------------

This is a short book because the actual text stops at page 212; the next 65 pages are source code and an example of a grammar, so it's a quick read. It is listed as intermediate/advanced, but most of it is straightforward and clearly written. The biggest hurdles are knowing what steganography is, getting through a little bit of math (mostly Huffman encoding and RSA), and understanding Noam Chomsky's view of grammar. Enough of Chomsky's context-free grammar is presented to understand the chapter.

Steganography seems to have two main audiences, those who know about it and those who don't. Of those who do know about it, there are two groups, those who like it and those who feel that security through obfuscation is not a good idea. Whether it is the best or even a reasonable option is not important to me; it is more important to understand the idea. The basic concept is to hide information. In today's world we think of using unimportant bits in a high resolution digital image, so that the image is not altered in any perceptible way, but if you know that those bits have meaning, you could collect them together to find the message. In the old days a message could be hidden in a secret compartment, which would also be a version of steganography. Wayner uses the phrase disappearing cryptography to mean steganography.

The book has four parts: an introduction to the concept, a general explanation, a third part with information intended to help if you want to implement some of the algorithms, and a fourth consisting of the source code. Each chapter is structured the same way, with an allegorical story for the introduction followed by the general information and then the technical details, but there is no source code. The stories are cute, but not as useful as the rest of the book, unless I missed the hidden messages.
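The mimic-function idea that the review turns to next (word choices in a grammar stand for bits, so that "Joe is here" carries 000) can be made concrete in a few dozen lines. This is an added example, not code from Wayner's book or from the review; the toy grammar and the hide/reveal functions are constructed here, with the grammar chosen to reproduce the review's Joe/Fred mapping exactly.

```python
"""Mimic-function steganography: grammar choices carry the message bits.

Added example, not Wayner's code. The constructed toy grammar reproduces the
review's mapping (Joe=0, Fred=1, is=0, was=1, here=0, there=1), so the
sentence "Joe is here" hides the bits 000 and "Fred is here" hides 100.
"""
from __future__ import annotations

# Each nonterminal lists its alternatives; an alternative is a tuple of words
# and/or nonterminals. Alternative counts are powers of two, so choosing one
# consumes exactly log2(count) message bits (a Huffman-style assignment would
# allow uneven counts; that refinement is left out here).
GRAMMAR: dict[str, list[tuple[str, ...]]] = {
    "S":     [("NAME", "VERB", "PLACE")],
    "NAME":  [("Joe",), ("Fred",)],
    "VERB":  [("is",), ("was",)],
    "PLACE": [("here",), ("there",)],
}


def _bits_per_choice(symbol: str) -> int:
    count = len(GRAMMAR[symbol])
    nbits = count.bit_length() - 1
    if 1 << nbits != count:
        raise ValueError(f"{symbol}: alternative count must be a power of two")
    return nbits


def _expand(symbol: str, bits: str, pos: int) -> tuple[list[str], int]:
    """Expand one symbol, reading message bits to pick among its alternatives.
    Bits past the end of the message are padded with 0."""
    if symbol not in GRAMMAR:          # terminal word
        return [symbol], pos
    nbits = _bits_per_choice(symbol)
    chunk = bits[pos:pos + nbits].ljust(nbits, "0")
    choice = int(chunk, 2) if nbits else 0
    pos += nbits
    words: list[str] = []
    for sym in GRAMMAR[symbol][choice]:
        more, pos = _expand(sym, bits, pos)
        words.extend(more)
    return words, pos


def _parse(symbol: str, words: list[str], pos: int):
    """Inverse of _expand: return (bits, new_pos), or None if nothing fits."""
    if symbol not in GRAMMAR:
        return ("", pos + 1) if pos < len(words) and words[pos] == symbol else None
    nbits = _bits_per_choice(symbol)
    for choice, alt in enumerate(GRAMMAR[symbol]):
        bits, p = (format(choice, f"0{nbits}b") if nbits else ""), pos
        for sym in alt:                # try this alternative, backtrack on mismatch
            r = _parse(sym, words, p)
            if r is None:
                break
            bits, p = bits + r[0], r[1]
        else:
            return bits, p
    return None


def bits_to_text(bits: str) -> str:
    """Emit one sentence per pass through S until every bit is consumed."""
    sentences, pos = [], 0
    while pos < len(bits):
        words, pos = _expand("S", bits, pos)
        sentences.append(" ".join(words))
    return ". ".join(sentences) + "."


def text_to_bits(text: str) -> str:
    words = text.replace(".", " ").split()
    out, pos = "", 0
    while pos < len(words):
        r = _parse("S", words, pos)
        if r is None:
            raise ValueError(f"cover text does not fit the grammar at word {pos}")
        out, pos = out + r[0], r[1]
    return out


def hide(data: bytes) -> str:
    """Encode bytes as innocuous-looking sentences."""
    return bits_to_text("".join(f"{b:08b}" for b in data))


def reveal(text: str) -> bytes:
    """Recover the bytes; a trailing partial byte is sentence padding, not data
    (this grammar pads at most 2 bits, so it never forms a whole byte)."""
    bits = text_to_bits(text)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - len(bits) % 8, 8))
```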
The discussion of mimicry and grammars to produce written passages with hidden messages is interesting. The choices of words of particular parts of speech in a sentence represent bits, so if "Joe" is 0 and "Fred" is 1, "is" and "here" each represent 0 and "was" and "there" represent 1, then "Joe is here" would be 000, "Fred is here" would be 100, etc. The grammars and code to run them can get quite complex if one tries to mimic a reasonable paragraph or essay that a human would write. The challenge is to have a sentence that looks reasonable that is generated on the fly, not something simple-minded like my example.

Wayner has a nice presentation of remailers that is good for anyone not familiar with them. He also gives clear explanations of Turing machines (and reversing them), white noise and basic encryption. Disappearing Cryptography is a solid introduction to steganography that is both inexpensive and readable.

---------------------------------------------------------------------
Norman Polmar and Thomas Allen. Spy Book: The Encyclopedia of Espionage. Random House. 1997. ISBN 0-679-42514-4. $30.00. LC JF525.I6P65. 633 pages. Bibliography, chronology and index of personalities.
http://www.randomhouse.com/spybook/
---------------------------------------------------------------------

Spy Book delivers on its promise as an encyclopedia of espionage. There are over 2000 entries going back from Biblical days through Aldrich Ames today. The coverage of topics is equally broad: people, organizations, events, and technical definitions, but it is most definitely geared toward the spies themselves, and it is not perfect. For example, in the MI6 entry the header for the list of directors-general says MI5, and there is no entry for steganography, surely a spy's tool. These small flaws do not take away from the overall wealth of information that has been collected. A real plus for the book is the sixty photographs. They are helpful to round out the discussions and some are quite unique.
There is a photo of J. Edgar Hoover with the child Shirley Temple looking through a microscope, accompanying more than two pages of his personal history. Another interesting photo is Allan Pinkerton with President Abraham Lincoln out in the field. The pictures of the SR-71 Blackbird and U2 in the air are striking. On the water, the Liberty (hit by Israel in 1967) and the Pueblo (captured by Korea in 1968) are also interesting supplements to the description of the events that made them famous.

The spies are both real and fictional, with entries for Harold Philby and James Bond. The fictional characters are listed by first name with an [F] following their name to avoid confusion. Pseudonyms are also designated with a [P]. Several authors such as Ian Fleming and John le Carre (David Cornwall) have entries since their work is mainly about espionage. The movies and literary spies are entries that cover the fictional entertainment world in the broader sense.

In the real world of spies, one finds good coverage of Mossad (Israel), MI5 and MI6 (Britain), the CIA and the FBI, Germany, Japan, France, and of course China. The historical work is enhanced by current events. One has to wonder about the psychic work done by the DIA (Defense Intelligence Agency) for about $20 million from the mid-80s to 1995 in project Stargate, but the Soviets and the French also thought it worth investigating. The CIA took over the project and quietly closed it down. Each of the US military branches has several organizations or groups related to espionage and communications, which are well covered.

Individuals both famous and obscure are given detailed treatment. One of the few known spies for Japan in the US was Velvalee Dickinson and her husband Lee. She used her doll shop in New York as a cover, sending letters with code phrases to a Japanese agent with return addresses belonging to her customers.
When the Japanese agent moved, the letters were properly returned to the customers, who could not understand what had happened. Eventually Velvalee was arrested and convicted. The Dickinson case is in the company of articles like the one covering the now famous Enigma machine. A great picture of some German soldiers trying to troubleshoot one in a field vehicle is included. If you are unaware of the Soviet historical figures or the current Chinese status, Spy Book is a good source. This book is next to my copy of Kahn's Codebreakers as reference material worth reading.

---------------------------------------------------------------------
David Kahn. The Codebreakers: The Story of Secret Writing. 1181 pages. Scribner. New York. Revised edition, 1996. $65.00. ISBN 0-684-8310-9.
---------------------------------------------------------------------

It has been almost 30 years since the first edition of this hefty tome was published. The new edition adds information right up to the Internet, or so the dust jacket says. The first edition of The Codebreakers, published in 1967, was a monumental work covering more history of secret communications in its 1,164 pages than any three, or maybe even four, other such books, if you could even find them. When I saw this new, updated edition in the bookstore, I snatched it up before someone else tried to wrestle it from my hands. I could hardly wait to get home to start reading.

The depths of disappointment are usually equal to the heights of expectations, but this one hit especially hard. The revised and updated edition consists of a sixteen page chapter at the end of the book, one photograph exchanged and a one page preface for the new edition. The additional chapter, which promises to present the new world created in the 30 years, adds almost nothing to the book. Moreover, the photographs in this new edition are not as sharp as the first edition's, nor is the contrast as high quality.
I am not sure exactly why they were degraded for the new edition. The replacement of the photographs of a cuneiform cryptogram and a 6th century wood ostracon with Rembrandt's Belshazzar's Feast is a bit of a mystery. The cuneiform and Coptic writing is legible, whereas the point of the Rembrandt is not. The painting shows a celestial hand inscribing a code, but you cannot see the letters in the reproduction.

All the illustrations are the same, the chapter notes have not changed, and not even the limited bibliography is changed in the slightest. However, the two sets of photographs grouped between pages 268-269 and between pages 556-557 in the first edition are now between pages 270-271 and 558-559, respectively, in the new, updated edition. I guess that counts for something. And although there are no chapter notes for the new chapter, it did get indexed, increasing the index by a page.

It is hard for me to understand how David Kahn could produce such great work, then be involved in the likes of this. Perhaps he explains it best in the new preface when he states: "At the same time, the absorption of Macmillan, the original publisher, by Simon & Schuster brought a young, energetic editor named Scott Meyers to handle The Codebreakers. He saw that I could fulfill my obligations to cryptology and at the same time help the book sell better by incorporating the new material as a single chapter."

Kahn acknowledges that a lot has happened since 1967 in the world of cryptology. It is a shame he did not put the same effort into it as he had for the rest of the history. It would have been worth buying. But since this is not the case, if you liked the first edition, then you will like the new edition (except for the diminished quality of the photographs and the $65.00). However, if you did not purchase the first edition, then this edition is worth acquiring.

---------------------------------------------------------------------
Douglas Stinson. Cryptography: Theory and Practice.
CRC Press. 1995. 434 pages. ISBN 0-8493-8521-0. $67.??. Bibliography (201 items). Index.
---------------------------------------------------------------------

Stinson's book is written from the perspective of applied discrete mathematics, making it far more theory than practice, as acknowledged in the preface. Coverage is based on "theoretical interest and practical importance." This means that if you have trouble with math beyond algebra, this excellent textbook will be rough sledding for you. It is not an introductory book on cryptography. If, on the other hand, you really want to know how the algorithms work and why, it is very useful. Unlike some other textbooks, in this one Alice and Bob handle discrete logarithms. There are lots of theorems, lemmas, proofs and formal definitions.

He has divided the book into three main topics: private-key cryptography, public-key cryptography and research in cryptography. Each chapter has notes, references and exercises. While Stinson does not claim completeness for his book, most things are covered to some degree. DES, RSA, hashing and ElGamal get more attention, while Kerberos gets only a brief description. MD4 and MD5 are just small subsets of the hash chapter.

The first three chapters are dedicated to private-key cryptography, with the requisite classical cryptography covered in the first. If you were intrigued by Schneier's brief explanation of Shannon's perfect secrecy, Stinson provides more detail in a complete chapter. His good DES chapter is the last in the private-key section. The largest topic is public-key cryptography, with six chapters devoted to it. The relationship of the ElGamal cryptosystem and the discrete logarithm problem is discussed along with several other associated algorithms, for example, Shanks' algorithm and Pohlig-Hellman. The chapter on identification schemes presents Schnorr's, Okamoto's, and Guillou & Quisquater's.
The active areas of research covered in the last four chapters are authentication codes, secret sharing schemes, pseudo-random number generation and zero-knowledge proofs. Here, again, if Schneier has piqued your interest in the Blum-Blum-Shub generator, a much more detailed offering is available in Stinson. I have put this book next to Schneier's on my bookshelf. I recommend that if you are serious about cryptography, you should do the same.

______________________________________________________________________
CONFERENCE REPORTS
______________________________________________________________________

______________________________________________________________________
Report on DIMACS Workshop on Network Threats
by Dave Millar, U. of Pennsylvania
______________________________________________________________________

The DIMACS Workshop on Network Threats was held at The Center for Discrete Mathematics and Theoretical Computer Science (DIMACS) in Piscataway, NJ from December 4-6, 1996. The program, with links to abstracts for many of the talks, can be found at: http://dimacs.rutgers.edu/Workshops/Threats/program.html.

A GLOBAL PERSPECTIVE ON NETWORK RISKS
Peter G. Neumann

PGN: Problems include: systems are not designed with the full set of requirements in mind, e.g. the mid-sixties East Coast power grid failure; the 1980 ARPANET outage (4 hours); the 1988 Bell AT&T long lines failure. In each case the common denominator was that a flaw at one node propagated across the network. Need to develop a systems-oriented view to get there: step one is education. Has the impression that universities are not teaching a systems-level view; a PhD in computer science didn't know what software engineering was. There is no hope for technical panaceas a la firewalls, IPv6, etc. They are just tools.

Simson Garfinkel: The only hope is strict liability for vendors and a credible threat of lawsuits for product liability.
A REPRESENTATION OF PROTOCOL ATTACKS FOR RISK ASSESSMENT
Catherine Meadows

The problem is that it's difficult to prove quantitative measures of security. Attempted to develop non-quantitative techniques to compare vulnerabilities. Attacks are broken down into components; developed a taxonomy of stages. Successive stages enable following stages, resulting in a "payoff". Stages are composed of "atomic actions". Created a graphical shorthand to document attacks.

NETWORK SECURITY THREATS IN GENERAL
Yvo Desmedt

The theory of network reliability says that if u hosts are thought to be dishonest, and the network is 2u+1 vertex connected, the receiver can trust the message if he receives more than u+1 identical messages. If hosts authenticate themselves to adjacent hosts with secret key technology, the above would tell you that receiving u+1 messages would suffice to authenticate the message. But if you allow for malicious hosts that can spoof routes, u+1 identical messages do not suffice. However, if hosts authenticate to adjacent hosts with public key, the u+1 result holds.

INFORMATION LEAKAGE IN ENCRYPTED KEY EXCHANGE
Sarvar Patel

Encrypted Key Exchange was developed to protect against off-line dictionary attacks. EKE includes random padding to protect against a class of information leakage that allowed an attacker to eliminate unlikely passwords and find the password with less than an exhaustive brute-force attack. However, the padding method chosen does not make all numbers equally probable under decryption, giving an attacker information to eliminate unprofitable dictionary guesses.

Also proposed a method of transmitting encrypted primes without leakage. Rather than encrypt the prime directly, choose j between the chosen prime and the next larger prime. Encrypt and transmit j. Then the recipient decrypts j and picks the next smaller number which is prime.
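Patel's prime-transmission scheme, written out as an added example (not the speaker's code). The names is_prime, next_prime, blind_prime and unblind_prime are chosen here; the encryption of j itself is left out, since the point is what the plaintext space looks like: every integer is now a legal value, so a wrong password guess can no longer be discarded merely because its trial decryption yields a composite.

```python
"""Sending a prime without leaking primality (added example after Patel's
DIMACS talk; function names and the test values are constructed here)."""
import secrets

# Miller-Rabin with these fixed bases is a deterministic primality proof for
# every n below about 3.3e24; above that it is still overwhelmingly reliable
# but no longer a proof.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    for b in _MR_BASES:             # small primes and their multiples
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:               # write n-1 = d * 2^s with d odd
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False            # a is a witness that n is composite
    return True


def next_prime(n: int) -> int:
    """Smallest prime strictly greater than n."""
    n += 1
    while not is_prime(n):
        n += 1
    return n


def blind_prime(p: int, randbelow=secrets.randbelow) -> int:
    """Sender side: instead of p, pick j uniformly from [p, next_prime(p)).

    j is what gets encrypted. Every integer >= 2 lies in exactly one such
    interval, so every possible decryption is a legal value and an observer
    who decrypts the ciphertext under a guessed password learns nothing from
    whether the result is prime. randbelow is injectable only for testing.
    """
    if not is_prime(p):
        raise ValueError("p must be prime")
    return p + randbelow(next_prime(p) - p)


def unblind_prime(j: int) -> int:
    """Receiver side: the largest prime <= j is the prime that was sent."""
    if j < 2:
        raise ValueError("no prime at or below j")
    while not is_prime(j):
        j -= 1
    return j


def composite_fraction(bits: int) -> float:
    """Share of bits-bit integers that are composite: the share of wrong
    password guesses an attacker could discard outright if the prime were
    encrypted directly (a trial decryption that is composite cannot be the
    real plaintext). With blinding that share is zero, because unblind_prime
    accepts every integer >= 2. Exhaustive, so keep bits small."""
    lo, hi = 1 << (bits - 1), 1 << bits
    composites = sum(1 for x in range(lo, hi) if not is_prime(x))
    return composites / (hi - lo)
```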
APPARENT WEAKNESSES IN THE SECURITY DYNAMICS CLIENT/SERVER PROTOCOL
Adam Shostack

F2, SecureID's proprietary hash algorithm, has been reverse engineered and is available on some sites. Shostack found a weakness in the SecureID protocol that allows an attacker to authenticate as a SecureID cardholder.

First, SecureID basics: the SecureID card displays a new password every minute. The user enters the time-dependent password and a PIN to authenticate to a host. The host is running not a normal login, but a modified login that relies on Security Dynamics' authentication server ("Ace Server") to authenticate the user.

Shostack's attack has an intruder sniff a legitimate SecureID authentication. Then, with that information, the intruder is able to spoof an authorization to the host from the Ace Server. The intruder needs to know the timestamp on the host and needs to be able to spoof the Ace server's IP address for the attack to work. Security Dynamics has fixed the problem.

Shostack also mentioned that Security Dynamics' X11 GUI interface for managing the server may be weak, and sys admins may want to only administer the system locally with the command line interface. Also observed that SecureID does not protect against session hijacking attacks, for which encryption is needed (and encryption only protects against attacks between the endpoints - not against active attacks at the origin or destination hosts).

An RSA/Security Dynamics employee was present and noted that they were in the process of re-engineering the protocol from the "ground up" and would be publishing their protocols for public scrutiny. An audience member noted that there's also a denial of service attack: seven bad guesses and the account is suspended.

FORMAL METHODS APPLIED TO SECURE NETWORK ENGINEERING
Shi-Kai Chin

Hopes that security may be the killer app that brings formal methods into wide acceptance for software/systems engineering. The problem is that other disciplines have better analytic techniques, e.g.
electrical engineers model every circuit as a pole-zero diagram or as the ratio of two polynomials. Software engineering needs a comparable discipline. He's trying Higher Order Logic. Applied the Higher Order Logic theorem prover to RFC 1421 - the Privacy Enhanced Mail specification (specifically message integrity). The intent was not to test for problems in the underlying encryption algorithms but to test that the protocol really delivered on its promise of authentic and/or private messages, assuming that the underlying algorithms could be trusted. Higher Order Logic "proved" that the intent of the message integrity function was satisfied (assuming that the hash algorithm did not permit collisions).

Steve Bellovin asked if this approach would have uncovered a problem with an early implementation of PEM (DES in CBC mode). Not at this level of abstraction, but perhaps with a lower level. Michael Merritt suggested running the theorem prover against the boneyard of authentication protocols with known problems to see if a.) the known problems could be found, and b.) new, unknown problems could be turned up.

OVERVIEW AND SECURITY ANALYSIS OF RSA-TYPE CRYPTOSYSTEMS AGAINST VARIOUS ATTACKS
Jean-Jacques Quisquater

Presented the implications of five attacks against RSA and three other RSA-type cryptosystems (LUC, KMOV, Demytko). RSA with low exponents (e <= 33) is vulnerable if the attacker can get 1327 messages (for a 1024-bit key) (Hastad attack). 1024-bit RSA with a secret key less than 2^256 is vulnerable to the Wiener attack.

"Garbage Man in the Middle" will crack an RSA key with one message: Alice encrypts message m to give ciphertext c and sends c to Bob. Mallory blocks the message so Bob doesn't see it. Mallory intercepts the message and transforms ciphertext c into c'. Then sends c' on its way to Bob, who decrypts c' into gibberish message m'. Bob throws out message m' in his garbage. Mallory retrieves m' from Bob's garbage and, using the ciphertext, derives Bob's key.
(This doesn't have to be an active attack, does it? As long as Mallory can trick Bob into decrypting gibberish and not disposing of it properly, Bob's in trouble without any help from Alice, right?)

Michael Merritt suggested that the results be summarized into concrete recommendations for sizes of exponent, frequency of key change, key size, etc.

SPOOFING ATTACKS ON THE WEB
Ed Felten

Not talking about DNS or IP spoofing - that's a well-known problem. Talking about fooling users into making security-relevant decisions by fabricating for them a contrived, deceptive context. This is not a protocol attack. It's more of a social engineering attack, but with a technical spin.

The most trivial form of spoofing: pop up a dialogue box asking for a password/credit card number. Make it look like a real dialogue box. A more sophisticated attack: pop up a dialogue box just when a user is expecting it from a legitimate source, e.g. run a hidden javascript on the user's machine waiting for him to go to a site to download software. When he goes to the site, pop up a dialogue box asking him if he wants to download something. If you choose the name right, chances are the user might choose to accept it.

The next level of attack is mirroring a site: make a copy of a sensitive site on the attacker's web server. Maybe collect passwords, if the user is accustomed to entering passwords into the site.

The next level up is "whole-web mirroring", kind of a "twisted, evil twin" of the web. Rely on the look and feel of the real web to make the user believe s/he is seeing the real web. This is a powerful attack: it handles forms, cgi scripts, can mirror search engines, handles almost all types of content. Gets nasty with bookmarks, since the problem will persist across sessions unless the user looks in the bookmark file and notices the real address. SSL doesn't help: the attacker can still spoof a blue key. (Seems to me the user could check the certificate, no? But who checks certificates?)

How to combat mirroring:
1.
Have *servers* authenticate *clients*. Use SSL (assuming SSL key exchange really prevents man-in-the-middle attacks).
2. Provide obvious unspoofable context - i.e. if virtually all web pages were signed and displayed on the window border (this is probably a long way off).

Once a user is aware of this problem, it's easy to trace, but attackers will probably use throw-away hacked sites. Also - the trouble is most people aren't suspicious and may not notice for a while, if ever.

WEB SECURITY: HIGH LEVEL OVERVIEW
Drew Dean

Digitally-signed applets help some, but:
- Signed code can still attack you and you don't know it.
- The fact that 100,000 people have used the signed code without incident is not necessarily proof that the code is safe: it could be that the code is targeted somehow (e.g. in time or in address-space).
- Still relies on a digital certificate infrastructure which still does not exist.

In spite of this, digitally signed code may help organizations achieve a measure of security in running internally developed code where there is some good way of distributing the organization's certificate (along with the browser, say) and where there is an additional basis for trust apart from the technical.

"Servlets" are coming: the client uploads an executable to the server. Database searches and agents will very likely use this approach. Should raise some interesting security problems.

BLOCKING JAVA APPLETS AT THE FIREWALL
Avi Rubin

Rubin's first remark: should have been titled "Blocking Java Applets at the Firewall - Not".

Why try to block applets? To protect against malicious code, denial of service, high-level spoofing (trojan horses, e-mail/smtp/sendmail abuse), covert channels, and undermining of firewalls.

There are several strategies to block a java applet in an application gateway: prevent all GETs on "*.class", prevent any GETs on applet tags, don't allow in anything starting with "cafe babe" (the first few bytes of every java applet?).
However - every strategy can be bypassed:
- Express "applet" as "%41pplet".
- Applet might come in as compressed MIME type. Firewall would be unable to uncompress.

When he contacted vendors who claimed that they blocked applets, every one answered either "It's proprietary" or "We use *.class, cafe babe and [applet tags]." When weaknesses were described they said "Oh - that's interesting."

Considered giving up on the firewall and giving users a custom browser which will only run digitally-signed applets, but two problems: who will distribute all the software, and how do you stop someone from installing their own browser? (Answer - force all external web access through an internal web proxy server.) (But someone in the audience thought the anonymizer could get around any firewall attempts to implement this.)

Conclusion: even if firewalls could block applets, it seems like there will likely be problems when you try to merge the two policies. Firewall says: trust insiders, control outsiders' capabilities through the firewall. Java says: trust no one; control their actions on the platform.

Audience: why are you so worried about outsiders? Every study says your biggest problem is insiders. Others in the audience questioned the studies: how current are those numbers, are organizations reporting outside incidents at the same rate they report internal incidents, etc.?

JAVA - THREAT OR MENACE?
Steve Bellovin

Problem is: we want absolute security. We want "do what I mean" security, e.g., when I want to pay for a book over the web, grab my credit card number out of a file without me having to remember it, but don't let anyone get at it. Problem: most functions that are needed are the very functions that can be exploited with bad consequences: file I/O can be used to read sensitive files, popup windows can be used to coax me to type passwords.

Browsers see bytecode - not Java source.
Bytecode verifier purports to enforce rules over Java source, but not true: bytecode verifier permits a "goto", e.g., which cannot be coded in Java. Bytecode verifier and class loader are complicated (3500 LOC for BC verifier). This model is too complex to be trusted. There is nothing like a system call that permits one to know entry and exit points. Everything is an "invoke".

Java relies on DNS for enforcement. DNS has problems. In fact DNS has been used to compromise the model. DNS queries leak information by going around the model. Denial of service not even considered in security model.

Digitally-signed certificates are no worse than store-bought software in theory. But: doesn't scale on the web. Also - if software distributors are not careful about signatures and certificates (i.e., if they're signing, creating certificates on their web server) there could be trouble. Also - unlike store-bought software, the attacker knows the buyer and can target an attack. Will people really look at certificates?

Next best thing: add local admin tools so that a site can control policy site-wide (Netscape says they've got it already). Eliminate reliance on the bytecode verifier.

Dan Wallach explained some of Netscape's plans. Classes of permissions are being created (e.g., typical game permissions). Game will then ask for game permissions which might be more meaningful to users.

Drew Dean: bytecode is very hard to verify. Requires dataflow analysis.

Bellovin: Java is probably here to stay. There are no economic forces to alter the outcome. Not many reports of malicious applets. Some present had heard of some reports of problems that might have been caused by applets.

STUPID NET TRICKS
Steve Bellovin (standing in for Bill Cheswick)

When sniffing incidents first got big 2-3 years ago, many ISPs were sniffed for months because of insecure workstations on the backbone. Not widely reported at the time.
Network 18 was down for several hours: someone broadcast that they were that network on an ISP. If you were closer to that ISP's router than to 18, you got the bogus route.

NETWORK SECURITY: WHERE DOES THE REAL THREAT LIE
Millicent Watts

Review of types of threats, need for vigilance. Reported on some failures of voice recognition (failed safe).

Surveillance technology - Yvo Desmedt noted "things that think" - technology where more and more consumer goods/personal articles have chips in them. E.g., your shoes trigger elevator doors and such, but can be used for more nefarious purposes. (Anyone know if Italian shoemaker Bruno Magli is using them yet?)

DEMONSTRATION OF HACKER TECHNIQUES
Cindy Cullen

Demonstrated rootkit, which replaces key Unix binaries with ones which hide the intruder's presence. No longer the chosen tool of the elite hackers - available easily and being modified, sometimes carelessly.

Also demonstrated ttywatcher. Run on a host, it will display connections to any tty (in or out). Encrypted passwords/data are displayed (because the intrusion is at the endpoint); a connection can be taken over by the root user with ttywatcher.

UNDERSTANDING AND DEFENDING AGAINST SYN ATTACKS
Alexis Rosen

Sorry to say I had to miss this one, though I understand the recommendations were the same as those shared on the security lists: trim down the timeout parameter, etc.

CHANNELS: AVOIDING UNWANTED ELECTRONIC MAIL
Robert J. Hall

Another one I hated to miss. The approach was to add a new sendmail header which included some cryptographic authentication information. Different headers, taken together with your email address, allow you to create different personas: one for private discussion with trusted correspondents, one for "send only" to public mailing lists.
For more info, the paper is available at: ftp://ftp.research.att.com/dist/hall/papers/agents/channels-long.ps

Many thanks to the presenters, organizers and to DIMACS (Rutgers, Princeton, AT&T Bell Labs, BellCore, NSF) for an excellent workshop.

______________________________________________________________________
Report on the 1996 (Twelfth) Annual Computer Security Applications Conference
by Jeremy Epstein
______________________________________________________________________

[Editor's note: Jeremy could not attend all of the sessions, so he cautions that these notes are incomplete -- in particular, none of the sessions after early afternoon on Thursday are covered. If you would like to make it more complete by sending me a note, please do, and I will update the Web version of this report -- CEL]

The 12th Annual Computer Security Applications Conference (ACSAC) was held December 8-13 in San Diego CA. While the organizers put together an excellent conference, the weather was cold and rainy - exactly what most of us were hoping to escape! The first two days of the conference were devoted to tutorials, which I did not attend.

The keynote speech by David Keyes of the FBI described the Presidential Commission on Critical Information Infrastructure, its structure and goals. The commission (whose Web page www.pccip.gov should be operational by the end of the year) is chartered with making recommendations on protecting the national infrastructure and setting up an organization to carry out those recommendations. Most commission members (half of whom will be from private industry) have not yet been appointed, so real work has not yet started. A pointed questioner asked what would be accomplished by this commission other than a report, since others (e.g., "Computers at Risk") have already pointed out the problem, and there's been no action. Mr.
Keyes said that this time there's a plan to set up an implementation organization, which will mean that the recommendations won't simply go on the shelf.

The distinguished lecturer was Dr. Roger Schell of Novell, whose talk was titled "The Internet Rules but the Emperor Has No Clothes". Dr. Schell is one of the earliest members of the security community, and is widely credited as "father of the Orange Book". Dr. Schell's thesis refers to the fairy tale "The Emperor's New Clothes", in which highly paid tailors accept large sums of money to create imaginary clothes, and everyone but a small child is afraid to tell the emperor. In that vein, Dr. Schell suggested that many of our solutions are elegant clothes for a naked emperor. He noted that while the problems change, the underlying security requirements do not, and high assurance systems are more necessary today than ever. Making users responsible for their own security assessments is akin to having them "performing their own brain surgery", Dr. Schell asserted. Third party assessments (such as those performed by the NCSC) are more valuable than ever. Dr. Schell pointed out that the "penetrate and patch" model of security didn't work in the past and still doesn't work today. Many recent innovations are dangerous; he called Java an "automatic malicious software distribution mechanism." Dr. Schell proposes that high assurance MLS is exactly what companies need to protect themselves from the Internet. He also criticized the Common Criteria (CC), which confuses the security field by providing unlimited numbers of incomparable security targets so users cannot compare products. Finally, he suggested that the CC has more than made up for the terseness of the TCSEC. In total, a thought provoking and provocative lecture.

The main body of the conference had two tracks. On Wednesday, both tracks were refereed papers and panels. On Thursday and Friday there was one refereed paper/panel track and a vendor presentations track.
Track A, late Wednesday morning

The "Security Engineering" session was chaired by Jody Heany of MITRE.

Andreas Sterbenz of the University of Graz (Austria) described the Java security model. His concern was not with bugs in implementation, but rather with the overall design. He proposed a four layer model with the language, virtual machine, runtime library, and runtime environment. Flaws in each of the layers can result in security violations, as the overall security architecture is quite fragile. In response to a question, he said that Microsoft's ActiveX uses signed applications, but he had no other information. He also said that the new version of Java due out in the spring adds digital signatures for applets, but doesn't solve the underlying weaknesses. An audience member added that Sun recently posted a Java security model on their Web page.

The second paper in the session was "Implementing Security Policy in a Large Defence Procurement", presented by Michael Nash of Gamma Secure Systems. He described the design and implementation of a very large integrated system for the Royal Air Force supplies and engineering. The system will have 35,000 users at 100 sites at a cost of about US$750M. Most information is either unclassified or restricted (less classified than U.S. Confidential). A small amount of information is Secret, and the system was designed to process and protect both classified and unclassified data. After designing the system, they determined that very few users needed access to the classified data and that the classified data was static. As a result, they put the classified data on CDROMs and provide standalone machines to access it in those few locations where it is needed, rather than dealing with MLS problems.

The final paper in the session, "An Authenticated Camera", was presented by Chris Hall from Counterpane Systems. The camera in question is a design but has not been built.
It provides a digital signature of each picture including a hash of the image, the time and date, and the identity of the user taking the picture. Using a method similar to cipher block chaining prevents playback of images while omitting one or more from the sequence. They wanted a guarantee of location (so it would prove where the picture was taken), but this was impossible because GPS data isn't trusted (i.e., signed so as to prevent forgery). The camera cannot guarantee that what is in the picture is real (i.e., that the image is of an actual scene rather than of a prop). The design assumes that the camera can be protected from tampering. Other considerations are use of an accurate clock and feasible methods of authenticating to the camera (such as using a thumbprint).

Track A, early Wednesday afternoon

The "Secure Links" session was chaired by Ravi Sandhu.

Myong Kang of NRL presented the first paper, titled "A Case Study of Two NRL Pump Prototypes". The NRL pump is a secure one-way device that allows for information flow from low to high while maintaining performance and minimizing covert channels. Two versions of the pump were built: the E-pump (an event-driven pump) which is an application layer pump implemented as trusted software running on a Wang XTS-300, and the D-pump (a network pump) which was built on DOS as a transport layer pump. The focus of the talk was on comparing the two versions. The E-pump won't lose messages because it waits until the high application acknowledges receipt before discarding it, while the D-pump (because it operates at the transport layer) can only wait for acknowledgment by the receiving system. The D-pump performed better than the E-pump, since it was running on a system with much lower overhead. The authors concluded that the applications layer (not the transport layer) is the right place to build the pump, but that a more efficient high-assurance system is needed for the pump to be practical.
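Returning to the Authenticated Camera paper in the preceding session: the chaining it describes, written out as an added illustration that is not Counterpane's design or code. Each picture's record binds the image hash, timestamp and user identity to the previous record's tag (the cipher-block-chaining analogy), so a dropped, reordered or swapped picture breaks the chain at a verifiable point. HMAC-SHA256 stands in for the camera's digital signature; the key, user id and timestamps are constructed.

```python
"""Chained per-picture authentication in the style of the Authenticated
Camera paper. Added illustration, not Counterpane's design or code: each
record binds the image hash, timestamp and user identity to the previous
record's tag, so a dropped, reordered or replaced picture breaks the chain.
HMAC-SHA256 stands in for the camera's digital signature; key, user and
timestamps are constructed."""
import hashlib
import hmac

GENESIS = b"\x00" * 32  # fixed anchor playing the role of the IV for the first picture


def _tag(key: bytes, image_hash: bytes, timestamp: str, user: str, prev_tag: bytes) -> bytes:
    """Tag over one picture's fields plus the previous tag (the CBC-like link)."""
    message = b"|".join([image_hash, timestamp.encode(), user.encode(), prev_tag])
    return hmac.new(key, message, hashlib.sha256).digest()


def capture_sequence(key: bytes, user: str, frames: list) -> list:
    """frames: (image_bytes, timestamp) pairs in shooting order.
    Returns the records the camera would store beside the images."""
    records, prev = [], GENESIS
    for image, timestamp in frames:
        image_hash = hashlib.sha256(image).digest()
        tag = _tag(key, image_hash, timestamp, user, prev)
        records.append({"image_hash": image_hash, "timestamp": timestamp,
                        "user": user, "tag": tag})
        prev = tag
    return records


def verify_sequence(key: bytes, records: list, images: list, final_tag: bytes = None) -> tuple:
    """Re-walk the chain from GENESIS. Returns (True, "ok") or (False, reason)
    naming the first picture at which the evidence stops holding together.
    final_tag, if the verifier learned it out of band, also catches a truncated tail."""
    if len(records) != len(images):
        return False, "record/image count mismatch"
    prev = GENESIS
    for i, (rec, image) in enumerate(zip(records, images)):
        if hashlib.sha256(image).digest() != rec["image_hash"]:
            return False, f"picture {i}: image does not match its signed hash"
        expected = _tag(key, rec["image_hash"], rec["timestamp"], rec["user"], prev)
        if not hmac.compare_digest(expected, rec["tag"]):
            return False, f"picture {i}: chain broken (missing, reordered or forged picture)"
        prev = rec["tag"]
    if final_tag is not None and not hmac.compare_digest(prev, final_tag):
        return False, "sequence truncated: last tag does not match expected final tag"
    return True, "ok"


# Constructed sample shoot: three pictures by one user.
KEY = b"constructed-camera-key"
IMAGES = [b"image-bytes-A", b"image-bytes-B", b"image-bytes-C"]
FRAMES = list(zip(IMAGES, ["1996-12-11T09:00:00Z", "1996-12-11T09:00:07Z", "1996-12-11T09:00:15Z"]))


def demo() -> dict:
    """Verifies the honest sequence and several manipulations; returns each verdict."""
    recs = capture_sequence(KEY, "user-42", FRAMES)
    return {
        "intact": verify_sequence(KEY, recs, IMAGES, recs[-1]["tag"]),
        "middle picture dropped": verify_sequence(KEY, [recs[0], recs[2]], [IMAGES[0], IMAGES[2]]),
        "pictures reordered": verify_sequence(KEY, [recs[1], recs[0], recs[2]],
                                              [IMAGES[1], IMAGES[0], IMAGES[2]]),
        "image replaced": verify_sequence(KEY, recs, [IMAGES[0], b"image-bytes-X", IMAGES[2]]),
        "tail truncated": verify_sequence(KEY, recs[:2], IMAGES[:2], recs[-1]["tag"]),
        "tail truncated, no final tag": verify_sequence(KEY, recs[:2], IMAGES[:2]),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:30s} {'PASS' if ok else 'FAIL'}: {reason}")
```

The last two cases show the limit of chaining alone: cutting pictures off the end leaves a chain that still verifies, so the verifier needs the expected final tag (or picture count) from somewhere other than the camera's own record store.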
The second paper in the session was "Asymmetric Isolation", presented by John Davidson of Norex. Like the pump, this idea is a secure one-way device. Unlike the pump, there are no acknowledgments, and hence no potential for covert channels. By using a fiber optic cable, they were able to build the low-to-high channel using off-the-shelf parts, and gain a high degree of assurance that no information flows from high to low. Some configuration file manipulation was necessary to prevent confusing systems as to how to route packets. Several audience members pointed out that this approach means that the low system must self-throttle to avoid overrunning the high system, which could lead to the high system losing data.

The final paper in the session was "Starlight: Interactive Link" by Mark Anderson of the Australian Defence Science and Technology Organisation (DSTO). This paper, which won the "best paper award", described a hardware device and associated software that allow running windows of two classifications on an untrusted workstation running UNIX and X. The architecture is a high computer which displays the data and runs X applications, a low computer that runs X applications, and the Starlight device that connects the two computers. The keyboard and mouse are connected to the Starlight device, and the user selects whether the input should be treated as high or low using a physical switch (thus routing the input to the appropriate computer). A surrogate X server on the low machine allows X clients to run unmodified while passing information from low to high; a surrogate X client on the high machine allows the real X server at high to run unmodified with the low X clients. The system does not provide visible window labels, but a device attached to the monitor provides LEDs to indicate whether the user is operating at high or low.

Track A, late Thursday morning

The "Security Architecture" session was chaired by Emilie Siarkiewicz from Rome Laboratory.
The first paper, "Using Fortezza for Transparent File Encryption", presented by Jeremy Epstein of Cordant, described the design of the Assure product (a DOS/Windows security add-on) and how they used Fortezza to replace DES for transparent file encryption. Several of the Fortezza features that work well for message encryption (such as automatic creation of new initialization vectors whenever data is encrypted) make transparent file encryption very difficult to implement. The product uses a shadow file structure to hold Fortezza encryption keys and initialization vectors, which a questioner pointed out is fragile in the case of file system corruption.

The second paper, "An Extended Capability Architecture to Enforce Dynamic Access Control Policies", was not presented.

The third paper, "SIGMA: Security for Distributed Object Interoperability between Trusted and Untrusted Systems", was presented by Deborah Shands as neither of the authors was available. SIGMA is trying to facilitate MLS operations within the context of CORBA. The concept of a "multilevel enclave" introduced in the presentation drew some questions. Readers can find details on the project at the TIS web site under distributed systems research, at http://www.tis.com/docs/research/distributed/sigma.html

Track A, early Thursday afternoon

The "Firewalls" session was chaired by Jeremy Epstein of Cordant.

The first paper, "Operation Chain Link: The Deployment of a Firewall at Hanscom Air Force Base", was presented by Dan Vukelich (the author, Julie Connolly, was unable to attend due to a blizzard). The project started by surveying what network services were needed, and what the network security policy should be, which was termed "socializing the project". Using network monitors, they discovered several services that were being used that were not known. Before installing the firewall, it was staged in a lab using actual IP addresses, which helped find several problems before the system was turned on.
After installation, they discovered several required services that hadn't been detected earlier because they were used rarely, and their use had not coincided with the monitoring period. Major concerns include ongoing maintenance due to personnel turnover, the presence of (unmonitored) communications to other military bases, and the presence of modem pools.

The second paper, "Mandatory Protection for Internet Server Software", was presented by Rick Smith of Secure Computing. Three different models of "mandatory" protection are proposed for firewalls: the change root (chroot) facility, traditional MAC, and type enforcement. Chroot allows creation of restricted portions of a file system that an application can run in, but doesn't control access to resources such as sockets. Some of the most popular firewalls, including Raptor, Gauntlet, and V-One, appear to use chroot. MAC is much stronger than chroot, as it allows segregation of applications within the same computer. Cyberguard (and possibly other firewall products) use MAC as their primary protection mechanism. Type enforcement provides strict rules for what applications can do, and is claimed to be stronger than MAC. Secure Computing's Sidewinder is claimed as the only firewall using type enforcement. In response to a question about whether the type enforcement databases are difficult to configure securely, the author agreed that a head-to-head comparison would be useful. The author concluded by noting that it's depressing to think about Windows NT as the future, since it's not built to resist attack using mandatory controls.

________________________________________________________________________
New Reports available via FTP and WWW
________________________________________________________________________

* Implications for Central Banks of the Development of Electronic Money, Basle, October 1996.
  Copyright Bank for International Settlements 1996:
  http://jya.com/bis_emoney.html

* Draft critique of US crypto policy (ASCII) (PostScript), by Matt Blaze, as recently delivered to Computer and Communications Industry Association:
  ftp://ftp.research.att.com/dist/mab/policy.txt

* Dartmouth Workshop on Transportable Agents, Sept. 27-28, 1996. Includes discussion on security aspects of agent technology.
  General information: http://www.cs.dartmouth.edu/~agent/workshop/
  Summaries of presentations: http://www.cs.dartmouth.edu/~agent/workshop/summaries.html

* "Why Cryptography is Harder than it Looks" -- Essay by Bruce Schneier
  http://www.counterpane.com/whycrypto.html

* IEEE Guidelines for Engineers dissenting on Ethical Grounds:
  http://www.flsig.org/fcieee/eth_comm/eth_guid.html

* Improved Differential Fault Analysis by Ross J Anderson and Markus G Kuhn. From the paper: "In [1], Biham and Shamir announce an attack on DES based on 200 ciphertexts in which one-bit errors have been induced by environmental stress. Here we show an attack that requires less than ten ciphertexts. Furthermore, our attack is practical in that it uses a fault model that has been implemented in attacks on real smartcards.":
  ftp://ftp.cl.cam.ac.uk/users/rja14/dfa

* New U.S.
  crypto export regulations, from the Federal Register, December 13, 1996, if you want to read the original instead of the interpretations:
  http://jya.com/ke121396.htm

* Covert Channels in the TCP/IP Protocol Suite by Craig Rowland
  http://www.psionic.com/papers.html

* Simson Garfinkel on dangers of ActiveX "controls"
  http://www.packet.com/packet/garfinkel/96/47/index2a.html

________________________________________________________________________
Interesting Links [new entries only]
________________________________________________________________________

Journal of Internet Banking and Commerce
http://www.arraydev.com/commerce/JIBC/

________________________________________________________________________
Who's Where: recent address changes
________________________________________________________________________

Entered 20 November 1996:

Judith A. Hemenway
SAIC (Science Applications International Corp.)
10260 Campus Point Drive, M/S E3
San Diego, CA 92121
e-mail: Judith.A.Hemenway@cpmx.saic.com
Tel: (619) 646-9126
fax: (619) 535-7230

Entered 14 November 1996:

David A. Cooper
Department of Computer Science
Thornton Hall
University of Virginia
Charlottesville, VA 22903
cooper@cs.virginia.edu
Tel: (804)-982-2228

Julie LeMoine
Concept Five Technologies, Inc.
25 Burlington Mall Road
Burlington, MA 01803-4141
jel@concept5.com
Tel. (617)229-5327

Entered 12 November 1996:

D. Elliott Bell (David)
Mitretek Systems, Inc
7525 Colshire Drive
McLean VA 22102
bell@mitretek.org
Tel. (703) 610-1652

_______________________________________________________________________
Calls for Papers (new listings since last issue only -- full list on Web)
________________________________________________________________________

CONFERENCES

Listed earliest deadline first. See also Cipher Calendar.

CRYPTO '97. Santa Barbara, CA, August 17-21, 1997. Original papers on all technical aspects of cryptology are solicited for submission to Crypto '97, the Seventeenth Annual IACR Crypto Conference.
Crypto '97 is organized by the International Association for Cryptologic Research (IACR), in cooperation with the IEEE Computer Society Technical Committee on Security and Privacy, and the Computer Science Department of the University of California, Santa Barbara. For more information, access http://www.iacr.org/. Submit cover letter and 18 (eighteen!) copies of an anonymous paper (double-sided copies preferred) to Burt Kaliski, Program Chair, Crypto '97, RSA Laboratories East, 20 Crosby Drive, Bedford, MA 01730 USA, for receipt by Feb 13, 1997. No e-mail or fax submissions. Proceedings will be published in the Springer-Verlag Lecture Notes in Computer Science.

SECOND AUSTRALASIAN CONFERENCE ON INFORMATION SECURITY AND PRIVACY (ACISP'97), provisional dates 7-9 July 1997, Sydney, Australia. Papers pertaining to all aspects of computer systems and information security are solicited; papers relating to practical experience and commercial applications in security are particularly welcome. Submit electronic copy of title page (authors identified) and (separately) anonymized body of paper in PostScript by e-mail (preferred) or 7 (seven) copies of anonymized papers up to 15 pages of single-spaced 12-point type to the Program Co-Chair: Vijay Varadharajan, Department of Computing, University of Western Sydney, Nepean, P.O. Box 10, Kingswood, NSW 2747, Australia. E-mail: acisp97submissions@st.nepean.uws.edu.au, to arrive not later than 15 February 1997. Full submission details available by e-mail, or on Cipher web page.

ELEVENTH ANNUAL IFIP WG 11.3 WORKING CONFERENCE ON DATABASE SECURITY, Lake Tahoe, California, August 11-13, 1997. The conference provides a forum for presenting original unpublished research results, practical experiences, and innovative ideas in database security. Papers and panel proposals are solicited. Submit five copies of papers up to 5000 words by March 10, 1997 to either T.Y. Lin (tylin@cs.sjsu.edu), Dept. Math and Comp. Sci., San Jose State U., 129 S.
10th St., San Jose, CA 95192, or Xiaolei Qian (qian@csl.sri.com), Computer Science Laboratory, SRI International, 333 Ravenswood Ave., Menlo Park, CA 94025. No fax or e-mail submissions of papers, but panel submissions, also invited, are preferred in electronic form. Details on IFIP WG11.3 and the conference available at http://www.cs.rpi.edu/ifip/.

NEW SECURITY PARADIGMS '97, Langdale Hotel, Great Langdale, Cumbria, UK, September 23-26, 1997. This workshop is sponsored by ACM and the University of Newcastle upon Tyne. Paradigm shifts disrupt the status quo, destroy outdated ideas, and open the way to new possibilities. This workshop explores deficiencies of current computer security paradigms and examines radical new models which address those deficiencies. The 1997 workshop will strike a balance between building on the foundations laid in past years and exploring in new directions. Participants have discussed alternative models for access control, intrusion detection; new definitions of security, privacy, secrecy and trust; biological and economic models of security; multiple policies, etc. The constructive workshop environment is for about 25 participants at Langdale Hotel in the beautiful English Lake District. The refereed papers will be printed in a workshop proceedings. Submit via email by April 4, 1997, to zurko@osf.org and to meadows@itd.nrl.navy.mil a research paper or a 5-10 page position paper, together with a justification (describing why your paper might be appropriate for the workshop) and a statement whether at least one author will be able to attend for the entire duration of the workshop; or 5 hard copies by March 28, 1997, to Mary Ellen Zurko, The Open Group Research Institute, 11 Cambridge Center, Cambridge, MA 02142 USA. Conference Web page: http://www.cs.uwm.edu/~new-paradigms

JOURNALS

Special Issues of Journals and Handbooks: listed earliest deadline first.
THEORY AND APPLICATIONS OF OBJECT SYSTEMS (TAPOS) special issue on OBJECT TECHNOLOGY, DATABASE SYSTEMS, AND THE WORLD-WIDE WEB. TAPOS describes itself as a journal for high-quality peer-reviewed research in all areas of object technology; for more information on the journal, see http://www.dbis.informatik.uni-frankfurt.de/~taposadm. As the Internet and the WWW become preferred media for broadcasting, content dissemination, data access, personal communications, distance education, electronic commerce, and other as yet unforeseen applications, it becomes urgent to explore the interactions between these new media and other well established technologies for information access. This special issue will focus on the interaction among object technology, database systems, and the WWW. A long list of topics of interest includes security, particularly with respect to accessing databases through the web. Send unpublished manuscripts presenting original research for consideration for this issue, which is tentatively planned to appear in April of 1998, by MAY 31, 1997 to the editor: Alberto Mendelzon, Computer Systems Research Institute, University of Toronto, 6 King's College Road, Toronto, Canada M5S 3H5 (e-mail to mendel@db.toronto.edu). Electronic submissions are encouraged, preferably in the form of PostScript files. Please contact the editor to discuss the details of electronic submission. For hard copy submissions, send five copies to the address above.

JOURNAL OF SYSTEMS AND SOFTWARE (North-Holland) SPECIAL ISSUE ON FORMAL METHODS TECHNOLOGY TRANSFER. The purpose of this special issue of Journal of Systems and Software is to address the issue of why, in spite of many research results claiming the practical applications of formal methods for increased reliability, we do not see wide usage.
The objective is to explore ways in which the benefits of formal methods - whatever constitutes the most important benefits of formal methods - can be transitioned into practice and how the gap between the expectations of industrial practitioners and the research results of academia can be narrowed. We are inviting experts from both industry and research institutions to share their ideas and expertise. Further details available at: http://cs.unomaha.edu/jss Submit articles up to 6,000 words by 1 March 1997 to Hossein Saiedian, JSS, Dept. of Computer Science, U. of Nebraska at Omaha, Omaha, NE 68182-0500. E-mail queries to hossein@cs.unomaha.edu.

________________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 1: Conference Papers
________________________________________________________________________

The notation [conference information] indicates there is a link to information about the conference on the Cipher web pages.

* Sixth IFIP Working Conference on Dependable Computing for Critical Applications, 5-7 March, 1997, Eibsee-Hotel, Grainau (near Garmisch-Partenkirchen), Germany, security-related paper:
  - "Experimenting Quantitative Evaluation Tools for Monitoring Operational Security," Rodolphe Ortalo, Yves Deswarte, Mohamed Kaaniche, LAAS-CNRS & INRIA, Toulouse.

* Papers to be presented at the Fourth ACM Conference on Computer and Communications Security, April 4-7, 1997, Zurich, Switzerland (from preliminary technical program):
  - Fair Exchange with a Semi-Trusted Third Party. Matthew Franklin, Mike Reiter (AT&T Research)
  - Optimistic Protocols for Fair Exchange. N. Asokan, Matthias Schunter, Michael Waidner (IBM Zurich Lab and Univ. Dortmund)
  - Static Typing with Dynamic Linking. Drew Dean (Princeton University)
  - Secure Digital Names. Scott Stornetta, Stuart Haber (Surety Technologies)
  - A Calculus for Cryptographic Protocols: The Spi Calculus. Martin Abadi, Andrew D.
    Gordon (DEC SRC and Cambridge)
  - Authentication via Keystroke Dynamics. Fabian Monrose, Avi Rubin (New York Univ. and Bellcore)
  - Path Independence for Authentication in Large-Scale Systems. Mike Reiter, Stuart Stubblebine (AT&T Research)
  - Proactive Password Checking with Decision Trees. Francesco Bergadano, Bruno Crispo, Giancarlo Ruffo (Univ. of Turin)
  - Verifiable Partial Key Escrow. Mihir Bellare, Shafi Goldwasser (UC San Diego and MIT)
  - New Blind Signatures Equivalent to Factorisation. David Pointcheval, Jacques Stern (ENS/DMI, France)
  - Proactive Public-Key and Signature Schemes. Markus Jakobsson, Stanislaw Jarecki, Amir Herzberg, Hugo Krawczyk, Moti Yung (IBM TJ Watson and Bankers Trust)
  - A New On-Line Cash Check Scheme. Robert H. Deng, Yongfei Han, Albert B. Jeng, Teow-Hin Ngair (National University of Singapore)
  - Conditional Purchase Orders. John Kelsey, Bruce Schneier (Counterpane Systems)
  - The Specification and Implementation of 'Commercial' Security Requirements including Dynamic Segregation of Duties. Simon Foley (University College, Cork, Ireland)
  - On the Importance of Securing Your Bins: The Garbage-Man-in-the-Middle Attack. Marc Joye, Jean-Jacques Quisquater (Univ. Louvain)
  - Improved Security Bounds for Pseudorandom Permutations. Jacques Patarin (Bull)
  - Asymmetric Fingerprinting for Larger Collusions. Birgit Pfitzmann, Michael Waidner (Univ. Hildesheim and IBM Zurich Lab)

* ASIAN '96 -- Asian Computing Science Conference, December 2-5, Singapore.
  Security-related papers:
  - Broadcasting in Star Graphs with Byzantine Failures. Yukihiro Hamada, Aohan Mei, Feng Bao, Yoshihide Igarashi
  - Blind Threshold Signatures Based on Discrete Logarithm. Wen-Shenq Juang, Chin-Laung Lei
  - Computation of the k-Error Linear Complexity of Binary Sequences with Period 2^n. Takayasu Kaida, Satoshi Uehara, Kyoki Imamura
  - Symbolic Rights and Vouchers for Access Control in Distributed Object Systems. Vincent Nicomette, Yves Deswarte
  - The Heuristics for the Constrained Multicast Routing. Zong-Ben Xu, Bo-Ting Yang
  - On Design and Analysis of a New Block Cipher. Xun Yi

_______________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 2: Journal and Newsletter Articles, Book Chapters
_______________________________________________________________________

* Dr. Dobb's Journal, Vol. 22, No. 1 (January 1997):
  - A. Bosselaers, H. Dobbertin, and B. Preneel. The RIPEMD-160 cryptographic hash function. pp. 24-29.
  - A. Johnson. Steganography for DOS programmers. pp. 48-51.

* Computers & Security, Volume 15, Number 5 (1996). (Elsevier)
  Special features:
  - E. B. Heinlein. Computer security in China. pp. 369-376.
  - R. T. Moulton and M. E. Moulton. Electronic communications risk management: a checklist for business managers. pp. 377-386.
  Refereed papers:
  - Tzong-Chen Wu and Hung-Sung Sung. Authenticating passwords over an insecure channel. pp. 431-440.
  - Gregory White. Cooperating security managers: distributed intrusion detection systems. pp. 441-450.

* Computing Systems, Vol. 9, No. 3 (Summer 1996):
  - C. Calabrese. A Tool for Building Firewall-Router Configurations. pp. 239-253.

* Data and Knowledge Engineering, Vol. 21, No. 1 (December 1996):
  - S. Castano, G. Martella and P. Samarati. Analysis, comparison and design of role-based security specifications. pp. 31-55.

* Computer Networks and ISDN Systems, Vol. 28, No. 14 (November 1996):
  - S. Kolletzki.
Secure Internet banking with Privacy Enhanced Mail - A protocol for reliable exchange of secured order forms. pp. 1891-1899. M. Gehrke and T. Hetschold. Management of a public key certification infrastructure - Experiences from the DeTeBerkom project BMSec. pp. 1901-1914. * Dr. Dobb's Journal, Vol. 21, No. 11 (November 1996): M. Shoffner and M. Hughes. Java and Web-Executable Object Security. pp. 38-49. * IEEE Personal Communications, Vol. 3, No. 5 (October 1996): S. Mohan. Privacy and Authentication Protocols for PCS. pp. 34-38. * IEEE Transactions on Software Engineering, Vol. 22, No. 10 (October 1996): N. Puketza, K. Zhang, M. Chung, B. Mukherjee, and R. Olsson. A Methodology for Testing Intrusion Detection Systems. pp. 719-729. * Information Processing Letters, Vol. 60, No. 1 (October 1996): A. Jabri. The unicity distance: An upper bound on the probability of an eavesdropper successfully estimating the secret key. pp. 43-47. * Computer Communications, Vol. 19, No. 9-10 (August 1996): - V. Varadharajan and C. Calvelli. Key management for a secure LAN-SMDS network. pp. 813-823. - G. Horng and C. Yang. Key authentication scheme for cryptosystems based on discrete logarithms. pp. 848-850. - T.-C. Wu, S.-L. Chou and T.-S. Wu. Two ID-based multisignature protocols for sequential and broadcasting architectures. pp. 851-856. * Journal of the ACM, Vol. 43, No. 3 (May 1996): O. Goldreich and R. Ostrovsky. Software Protection and Simulation on Oblivious RAMs. pp. 431-473. * ACM SIGCOMM Computer Communication Review, Volume 26, Number 5 (October, 1996). D.P. Jabion. Strong password-only authenticated key exchange. pp. 5-26. * Computers & Security Volume 15, Number 2 (1996). (Elsevier) _______________________________________________________________________ Reader's Guide to Current Technical Literature in Security and Privacy Part 3: Books ________________________________________________________________________ * Peter Wayner. 
  Disappearing Cryptography: Being and Nothingness on the Net. AP Professional, 1996. 295 pp. $29.95. ISBN 0-12-738671-8. Review by Bob Bruen. Also reviewed in Dr. Dobb's Journal, January, 1997.

* Norman Polmar and Thomas Allen.
  Spy Book: The Encyclopedia of Espionage. Random House, 1997. ISBN 0-679-42514-4. $30.00. LC JF525.I6P65. 633 pages. Bibliography, chronology and index of personalities. Review by Bob Bruen. http://www.randomhouse.com/spybook/

* David Kahn.
  The Codebreakers: The Story of Secret Writing. Revised Edition, 1996. Scribner, New York. 1181 pages, $65. Review by Bob Bruen.

________________________________________________________________________
Calendar
________________________________________________________________________
====================================================================
See Calls for Papers section for details on many of these listings.
====================================================================
"Conf Web Page" indicates there is a hyperlink on the Cipher Web pages to conference information.

Dates               Event, Location                                   Point of Contact/ more information
-----               ---------------                                   ----------------------------------
 1/ 8/97- 1/10/97:  ICDT97, Delphi, Greece;                           Conf Web page
 1/20/97- 1/22/97:  FSE4, Haifa, Israel;                              Conf Web page
 1/29/97- 1/31/97:  WECS '97, Monterey, CA
 1/31/97:           IESS '97, Walnut Creek, California
 1/31/97:           SSSC, Copenhagen, papers due;                     eloff@rkw.rau.ac.za, http://genie.rau.ac.za/ifip
 2/ 5/97:           ACISP '97, Sydney, Australia, submissions due
 2/ 7/97:           CSFW10, Rockport, MA, submissions due;            Workshop Web page
 2/ 8/97- 2/14/97:  MMD '97, San Jose, California;                    Conf Web page
 2/10/97- 2/11/97:  SNDSS '97, San Diego, California;                 Conf Web page
 2/12/97- 2/13/97:  ISW '97 SEI InfoSurv Workshop, San Diego, California
 2/13/97:           CRYPTO '97, Santa Barbara, CA, submissions due;   burt@rsa.com
 2/14/97:           FMP '97, Wellington, New Zealand, submissions due; Conf Web page
 2/16/97:           NISSC '97, Baltimore, papers due;                 NISSConference@dockmaster.ncsc.mil
 2/23/97- 2/24/97:  PAKDD '97, Singapore;                             info: hweeleng@iti.gov.sg; Conf Web page
 3/ 5/97- 3/ 7/97:  DCCA6, Garmisch-Partenkirchen, Germany
 3/10/97:           IFIP WG 11.3, submissions due;                    T. Y. Lin (tylin@cs.sjsu.edu) or Xiaolei Qian (qian@csl.sri.com); Conf Web page
 3/20/97- 3/23/97:  TSMA '97, Nashville, TN
 4/ 1/97- 4/ 4/97:  DASFAA '97, Melbourne, Australia;                 Conf Web page
 4/ 1/97- 4/ 3/97:  CORBA SW, Baltimore, MD
 4/ 2/97- 4/ 4/97:  4th CCS, Zurich, Switzerland;                     Conf Web page
 4/ 3/97- 4/ 5/97:  ICAST '97, Schaumburg, Illinois;                  Conf Web page
 4/ 4/97:           NSPW '97, Cumbria, UK, papers due;                http://www.cs.uwm.edu/~new-paradigms
 4/ 7/97- 4/11/97:  ICDE '97, Birmingham, UK;                         Conf Web page
 4/ 7/97- 4/ 8/97:  RIDE '97, Birmingham, England;                    Conf Web page
 4/ 9/97- 4/11/97:  ISADS97, Berlin, Germany;                         Conf Web page
 4/14/97- 4/17/97:  SICON97, Kent Ridge, Singapore
 5/ 4/97- 5/ 7/97:  IEEE S&P, Oakland, California;                    Conf Web page
 5/11/97- 5/15/97:  Eurocrypt '97, Konstanz, Germany
 5/12/97- 5/16/97:  CITSS, Ontario, Canada;                           info from citss@cse-cst.gc.ca
 5/14/97- 5/16/97:  SSSC, Copenhagen, Denmark;                        http://genie.rau.ac.za/ifip
 5/14/97:           Chilean CompSci Soc, Valparaiso, Chile, papers due; Conf Web page
 6/ 1/97- 6/ 6/97:  IESS '97, Walnut Creek, CA
 6/10/97- 6/12/97:  CSFW10, Rockport, MA;                             Workshop Web page
 6/11/97- 6/12/97:  ENM '97, Montreal, Quebec
 7/ 7/97- 7/ 9/97:  ACISP '97, Sydney, Australia;                     vijay@st.nepean.uws.edu.au
 7/ 9/97- 7/11/97:  FMP '97, Wellington, New Zealand;                 Conf Web page
 8/11/97- 8/13/97:  IFIP WG 11.3, Lake Tahoe, California;             Conf Web page
 8/17/97- 8/21/97:  CRYPTO '97, Santa Barbara, California
 9/ 9/97:           USENIX Sec Symp, San Antonio, Texas;              submissions to securitypapers@usenix.org; Conf Web page
10/ 6/97-10/10/97:  NISSC '97, Baltimore
11/12/97-11/14/97:  Chilean CompSci Soc, Valparaiso, Chile;           Conf Web page
 1/26/98- 1/29/98:  USENIX Sec Symp, San Antonio, Texas;              Conf Web page
 5/ 3/98- 5/ 6/98:  IEEE S&P 98, Oakland;                             no e-mail address available
 5/12/98- 5/15/98:  10th CITSS, Ottawa;                               no e-mail address available
 5/ 2/99- 5/ 5/99:  IEEE S&P 99, Oakland;                             no e-mail address available
 5/11/99- 5/14/99:  11th CITSS, Ottawa;                               no e-mail address available
 4/30/00- 5/ 3/00:  IEEE S&P 00, Oakland;                             no e-mail address available
 5/16/00- 5/19/00:  12th CITSS, Ottawa;                               no e-mail address available

Key:
* ACISP = Australasian Conference on Information Security and Privacy
* ACSAC = Annual Computer Security Applications Conference, 12th Annual
* ASIAN = Asian Computing Science Conference, ASIAN '96
* CCS = ACM Conference on Computer and Communications Security
* CCSS = Annual Canadian Computer Security Symposium
* CORBA SW = Workshop on Building and Using CORBASEC ORBS, CORBA SW
* CRYPTO = IACR Annual CRYPTO Conference, CRYPTO97
* CSFW = Computer Security Foundations Workshop, CSFW10, Wrkshp Page
* DCCA = Dependable Computing for Critical Applications, DCCA6
* DASFAA = Database Systems For Advanced Applications, DASFAA '97
* ENM = Enterprise Networking, ENM '97
* FSE = Fast Software Encryption Workshop, FSE4
* FMP = Formal Methods Pacific, FMP '97
* ICAST = Conference on Advanced Science and Technology, 13th ICAST
* ICDE = Int. Conf. on Data Engineering, ICDE '97
* ICDT = International Conference on Database Theory, ICDT97
* IFIP WG11.3 = IFIP WG11.3 11th Working Conference on Database Security
* IEEE S&P = IEEE Symposium on Security and Privacy, IEEE S&P '97
* IESS = International Symposium on Software Engineering Standards, IESS '97
* ISADS = Symposium on Autonomous Decentralized Systems, ISADS '97
* ISW '97 = CERT/SEI Information Survivability Workshop '97
* MMD = Multimedia Data Security, MMD '97
* NISSC = National Information Systems Security Conference, NISSC '97
* NSPW = New Security Paradigms Workshop, NSPW '97
* PAKDD = First Asia-Pacific Conference on Knowledge Discovery and Data Mining
* RIDE = High Performance Database Management for Large Scale Applications
* SICON = IEEE Singapore International Conference on Networks, SICON '97
* SNDSS = Symposium on Network and Distributed System Security (Internet Society), NDSS '97
* SSSC = IFIP WG 11.2 Small Systems Security Conference
* TSMA = 5th International Conference on Telecommunication Systems - Modeling and Analysis, TSMA '97
* USENIX Sec Symp = USENIX UNIX Security Symposium, 8th Annual
* WECS = ACM Workshop on Computer Security Education, WECS '97

________________________________________________________________________
Data Security Letter Subscription Offer
________________________________________________________________________

A special subscription rate of $25/year for the Data Security Letter is now available to IEEE TC members. The DSL is an external, nonpartisan newsletter published by Trusted Information Systems, Inc. Eleven issues (usually 16 pages each) per year are published. The DSL welcomes reader suggestions and contributions and accepts short research abstracts (about 130 words) for publication on an ongoing basis. On occasion, the DSL will be republishing Cipher articles (with authors' approval), but such articles will constitute a small portion of DSL content (thus there will be very little duplication of Cipher material).
IEEE TC members wishing to take advantage of the special subscription rate should send the following to sharon@tis.com. The information can also be faxed to 301-854-5363 (attention: DSL), phoned to 301-854-5338, or mailed to Trusted Information Systems, Inc., 3060 Washington Rd., Glenwood, MD 21738 USA.

NAME:
POSTAL ADDRESS: (Please indicate company name, if a business address)
PHONE: (Please indicate if home or business)
FAX:
E-MAIL:
IEEE Membership No. (if applicable):

NOTE: If you are already a paying subscriber to the DSL, for the $25 you will receive a 2-year renewal; refunds, rebates, etc., on your current subscription are not available. If you have any questions about the offer or anything else pertaining to the DSL, you may contact the editor, Sharon Osuna, via E-Mail to sharon@tis.com or call her at 301-854-5338.

________________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
________________________________________________________________________

You do NOT have to join either IEEE or the IEEE Computer Society to join the TC, and there is no cost to join the TC. All you need to do is fill out an application form and mail or fax it to the IEEE Computer Society. A copy of the form is included below (to simplify things, only the TC on Security and Privacy is included, and is marked for you). The full and complete form is available on the IEEE Computer Society's Web Server at URL:
  http://www.computer.org:80/tab/tcapplic.htm (print & mail form) or
  http://www.computer.org:80/tab/Tcappli1.htm (HTML form for form-enabled browsers)

IF YOU USE THE FORM BELOW, PLEASE NOTE THAT IT IS TO BE RETURNED (BY MAIL OR FAX) TO THE IEEE COMPUTER SOCIETY, >>NOT<< TO CIPHER.

--------- IEEE Computer Society Technical Committee Membership Application
-----------------------------------------------------------
Please print clearly or type.
-----------------------------------------------------------
Last Name                  First Name                Middle Initial
___________________________________________________________
Company/Organization
___________________________________________________________
Office Street Address (Please use street addresses over P.O.)
___________________________________________________________
City                       State
___________________________________________________________
Country                    Postal Code
___________________________________________________________
Office Phone               Fax
___________________________________________________________
Email Address (Internet accessible)
___________________________________________________________
Home Address (optional)
___________________________________________________________
Home Phone
___________________________________________________________

[ ] I am a member of the Computer Society
    IMPORTANT: IEEE Member/Affiliate/Computer Society Number: ____________________
[ ] I am not a member of the Computer Society*

Please Note: In some TCs only current Computer Society members are eligible to receive Technical Committee newsletters.

Please select up to four Technical Committees/Technical Councils of interest.

TECHNICAL COMMITTEES
[ X ] T27 Security and Privacy

Please Return Form To:
  IEEE Computer Society
  1730 Massachusetts Ave, NW
  Washington, DC 20036-1992
  Phone: (202) 371-0101
  FAX: (202) 728-9614

________________________________________________________________________
TC Publications for Sale (NOT)
________________________________________________________________________

Proceedings of past Symposia will be available again in a few months. The store is temporarily closed until our new checking account is opened.

________________________________________________________________________
TC Officer Roster
________________________________________________________________________

Chair:
  Deborah Cooper
  P.O. Box 17753
  Arlington, VA 22216
  (703)908-9312 voice and fax
  dmcooper@ix.netcom.com

Vice Chair:
  Charles P. Pfleeger
  Trusted Information Systems, Inc.
  3060 Washington Rd.
  Glenwood, MD 21738
  (301)854-6889 (voice)
  (301)854-5363 (fax)
  pfleeger@tis.com

Newsletter Editor:
  Carl Landwehr
  Code 5542
  Naval Research Laboratory
  Washington, DC 20375-5337
  (202)767-3381
  landwehr@itd.nrl.navy.mil

Chair, Subcommittee on Academic Affairs:
  Prof. Karl Levitt
  University of California, Davis
  Division of Computer Science
  Davis CA 95611
  (916)752-0832
  levitt@iris.ucdavis.edu

Standards Subcommittee Chair:
  Greg Bergren
  10528 Hunters Way
  Laurel, MD 20723-5724
  (410)684-7302
  (410)684-7502 (fax)
  glbergr@missi.ncsc.mil

Chair, Subcommittee on Security Conferences:
  Dr. Stephen Kent
  BBN Corporation
  70 Fawcett Street
  Cambridge, MA 02138
  (617) 873-3988
  kent@bbn.com

________________________________________________________________________
Information for Subscribers and Contributors
________________________________________________________________________

SUBSCRIPTIONS: Two options:
1. To receive the full ascii CIPHER issues as e-mail, send e-mail to (which is NOT automated) with subject line "subscribe".
2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing or downloading from our ftp server, send e-mail to (which is NOT automated) with subject line "subscribe postcard".

To remove yourself from the subscription list, send e-mail to cipher-request@itd.nrl.navy.mil with subject line "unsubscribe".

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher

CONTRIBUTIONS: to are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. For Calendar entries, please include an e-mail address for the point-of-contact. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

BACK ISSUES: There is an archive that includes each copy distributed so far, in ascii, in files you can download at URL
  http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher/cipher-archive.html
There is also an anonymous FTP server that contains the same files. To access the archive via anonymous FTP:
1. ftp www.itd.nrl.navy.mil
2. At prompt for ID, enter "anonymous"
3. At prompt for password, enter your actual, full e-mail address
4. Once you are logged in, change to the Cipher Directory: cd pub/cipher
5. Now you can request any of the files containing Cipher issues in ascii.
Issues are named in the form: EI#N.9612 where N is the number of the issue desired and 9612 captures the year and month it appeared.

========end of Electronic Cipher Issue #19, 23 December 1996=============