Subject: Electronic CIPHER, Issue 20, February 10, 1997

====================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 20                                February 10, 1997
Carl Landwehr, Editor
Bob Bruen, Book Review Editor
Hilarie Orman, Assoc. Editor
====================================================================

Contents: [1600 lines total]
 o Letter from the TC Chair
 o Letter from the Editor
Security and Privacy News Briefs:
 o LISTWATCH: Items from security-related lists, by Mary Ellen Zurko
 o NIST-news: AES, TACDFIPSKMI, FIPS 140-1, CSSPAB
Commentary and Opinion
 o A Serious Problem for Key Escrow Systems? by Yongfei Han (correspondence invited)
 o Peter Wayner: Regarding Bruen's review of Disappearing Cryptography
 o Two books on prime numbers and factorization reviewed by Bob Bruen
Conference Reports:
 o None this issue
New reports available via FTP and WWW: several
Interesting Links: NSA/DARPA/DISA MOU; IBM Patent Server
Who's Where: recent address changes
Calls for Papers: Many!
Reader's guide to recent security and privacy literature
 o Conference Papers: S&P '97 papers
 o Journal and Newsletter articles
 o Books
Calendar
Data Security Letter subscription offer
Publications NOT for sale
TC officers
Information for Subscribers and Contributors
>>>Program and Registration Forms for the 1997 IEEE Symposium<<<
>>>                on Security and Privacy                   <<<

____________________________________________________________________
Letter from the TC Chair
____________________________________________________________________

Dear TC Members:

The Computer Society Technical Committee Chairs last met November 19-20, 1996. Several items were discussed:

* The Computer Society Conference Board is changing the rules for "in cooperation" status.
  While the changes have yet to be published, our TCSP was denied "in cooperation" support for the ACSAC conference in December 1996. I would like to know how our membership feels about this issue.

* The Technical Activities Board is seeking ways to get more "grass root" involvement in their strategic planning. Ideas are being solicited.

* The Computer Society issued new TC charters. The initial draft was discussed at our last TC meeting (NISS Conference, October 1996). TCs are allowed to make modifications, which must be approved by the Computer Society.

I also recently received a message about an IEEE/CS member whose America On Line account was canceled because, apparently, someone was using her email address to distribute pornographic materials. She has received no assistance in determining why/how/by whom her email account was compromised. This raises an interesting question regarding the responsibilities of technical professionals in incidents like this. Should they be held responsible for making vulnerabilities in existing infrastructures known to users? For example, apparently some of the on-line "yellow pages" will let you modify their directory information about (other) Internet users.

Tell us what you think.

Deborah M. Cooper
TCSP Chair

____________________________________________________________________
Letter from the Editor
____________________________________________________________________

Dear Readers,

This issue brings with it the program and registration information for the 1997 IEEE Security and Privacy Symposium. The program committee faced a difficult task this year, as paper submissions were up more than 50% over last year. Though this is hard on authors, it is good for the audience, and I think that George Dinolt and Paul Karger, with the advice of the Program Committee, have put together a very interesting two-and-a-half days.

The new year brought to Washington a new Congress that is already introducing security and privacy-related legislation and holding hearings. Tomorrow (if this reaches you on Monday), at 10 am, the second in a series of briefings on security in electronic communication and data storage is scheduled to be held in the Science Committee Hearing Room and will feature Daniel Geer, Daniel Lynch, Tsutomu Shimomura, Geoff Mulligan, Dan Farmer, and Gene Spafford. If you are in DC, you might care to visit, and if not, perhaps CSPAN will cover the briefing as well.

The EPIC web site already lists a dozen bills in the House and a half dozen in the Senate that are concerned with privacy. Among them are bills to repeal the Communications Decency Act, bills to prohibit denial of insurance based on genetic information, and even a "Consumer Internet Privacy Protection Act" that would require prior written consent before a computer service could disclose a subscriber's personal information to a third party. See URL http://www.epic.org/privacy/bill_track.html for details.

The Federal Reserve Board, responding to congressional legislation, solicited public comment during the period from December 23 - January 31 on issues to be addressed in a study concerning public availability and use of social security numbers and other sensitive identifying information about consumers. The legislation was apparently stimulated by the Lexis P-Trak incident last year. The Board is required to report to Congress by March 31, 1997, including any suggestions for legislative change. See http://www.bog.frb.fed.us/boarddocs/press/1996/19961223/

The Department of Health and Human Services also sought public comment in January regarding issues in medical privacy.
The Health Insurance Portability and Accountability Act passed last year requires HHS to adopt standards providing for "a standard unique health identifier for each individual, employer, health plan, and health care provider for use in the health care system" within 18 months of its passage. The National Committee on Vital and Health Statistics is to advise HHS about responses to this requirement.

The National Counterintelligence Center (NACIC), a multi-agency organization of the U.S. government (http://www.nacic.gov/), published a report warning that the Internet is the "fastest growing modus operandi for unsolicited correspondence using computer elicitation between foreign entities and cleared US companies and their employees." Some observers criticized the report as alarmist; you can read it for yourself at: http://www.nacic.gov/cind/cindnov.htm#art2

So far, this winter has treated Washington kindly. Though it was cold enough to skate on the canal during the Inaugural ceremonies, our only significant snowfall came last weekend, bringing considerable beauty and relatively little trouble. I hope the weather (whether it's midwinter or midsummer) is as cooperative where you are.

Carl Landwehr
Editor, Cipher
Landwehr@itd.nrl.navy.mil

____________________________________________________________________
SECURITY AND PRIVACY NEWS BRIEFS
____________________________________________________________________
____________________________________________________________________
LISTWATCH
Security-Related News Items from Security-Related Mailing Lists
by Mary Ellen Zurko, The Open Group Research Institute (m.zurko@opengroup.org)
____________________________________________________________________

This issue's highlights are from cryptography, e$pam, tbtf, and dcsb.
This issue's highlights are from risks, www-security, cryptography, e$pam, cypherpunks, tbtf, and ietf-announce.

The RSA RC5 40-bit challenge was cracked in 3.5 hours by Berkeley graduate student Ian Goldberg.
He got $1,000 for finding the challenge message "This is why you should use a longer key." He used about 250 idle machines, and found the key after exhausting about 30% of the keyspace.

ActiveX attacks made the television and newspaper in Berlin. Hackers from the Chaos Computer Club demonstrated an ActiveX application which automatically checks to see if Quicken is on the machine it has been downloaded to. If so, Quicken is given a transfer order which is saved by Quicken in its pile of pending transfer orders. The next time the victim sends off the pending transfer orders to the bank all the orders are executed. The Berlin newspaper "Tagesspiegel" quotes various officials at Microsoft et al expressing disbelief or outrage or saying "we're working on it". Some members of www-security thought people would catch the attack by checking outgoing transactions or balancing their checkbook. Others thought that it could be easily missed if the transactions were small with nondescript names.

There's been a lot of talk about the new cryptography regulations (EAR). A quote from the EAR says that printed material is not subject to the EAR. One comment was that only 40-bit RC4 is exempt, and the EARs even have RSA's phone number so you can license it. Security fixes, firewall products, and virus-protection programs may be export-controlled now, even if they do not involve cryptography.

Digital, Cylink, and TIS have been granted permission to export 56-bit encryption software under the new rules. All three firms have agreed that they will add "key recovery" by 1999.

[For news releases from various sources, see URLs:
  http://www.cylink.com/whatsnew/pressrel/govkey.htm
  http://www.tis.com/docs/products/recoverkey/rkeynews.html
  http://www.ibm.com/Security/html/prallitis.html
-- CEL]

Nordic Post Security Service hopes to provide secure email for every Nordic citizen. They plan on using PGP, with no "third-party" key holder, and RSA-algorithm encryption with a 1024-bit key.

An NT denial of service bug was found. If you telnet, type a few characters, and disconnect to certain ports (perhaps unused ports; 135 was given as an example), CPU usage goes to 100% until rebooted. The workaround is to use the control panel to filter out unused ports.

The Simple Public Key Infrastructure (spki) working group was formed in the IETF. Subscribe by sending e-mail to majordomo@c2.net with "subscribe spki [email address]" in the body.

The end of December holidays brought on several spam attacks on email lists, including cypherpunks. There was discussion of various technical solutions, but most required extra person effort. In an unrelated move, cypherpunks went over to a moderated list on a temporary basis. Members with a strong anarchic/libertarian bent have problems with "censoring" the main line. Alternatives may include providing an alternate censored list.

A Georgia law meant to punish a state legislator for the success of his partisan web page is being challenged by the ACLU. Part of this law punishes anyone who "uses any individual name... to falsely identify the person" (the legislator used an official seal without official sanction on his web page). The ACLU sees this suit as a defense of anonymous and pseudonymous speech on-line.

A Maryland bill would make it illegal to send "annoying" or "embarrassing" e-mail. I wonder if I could go to jail if I was embarrassed about e-mail I sent out ...

____________________________________________________________________
NIST-news: AES, TACDFIPSKMI, FIPS 140-1, CSSPAB
____________________________________________________________________

[9 February 1997]

A survey of the U.S.
National Institute for Standards and Technology (NIST) web pages reveals a number of recent items that may be of interest to Cipher readers:

- - - - - - - - - - - - - - - - - - - - - - - - -
NIST Begins Work on Advanced Encryption Standard
- - - - - - - - - - - - - - - - - - - - - - - - -

On January 2, 1997, NIST published the following announcement in the Federal Register:

A process to develop a Federal Information Processing Standard (FIPS) for Advanced Encryption Standard (AES) incorporating an Advanced Encryption Algorithm (AEA) is being initiated by the National Institute of Standards and Technology (NIST). As the first step in this process, draft minimum acceptability requirements and draft criteria to evaluate candidate algorithms are being published for comment. Also announced for comment are draft submission requirements. An open, public workshop on the draft minimum acceptability requirements, evaluation criteria and submission requirements has also been scheduled. It is intended that the AES will specify an unclassified, publicly disclosed encryption algorithm capable of protecting sensitive government information well into the next century.

A workshop on this subject is to be held at NIST on April 15. The Federal Register announcement can be found at URL:
  http://csrc.ncsl.nist.gov/encryption/newcrypt.txt
and the workshop announcement is at URL:
  http://csrc.ncsl.nist.gov/encryption/workshop.html

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NIST Technical Advisory Committee to Develop FIPS for Federal Key Management Infrastructure to Hold Second Meeting
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Last fall, a Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure was formed. Dr. Stephen Kent of BBN was appointed to chair the committee.
The Committee's assignment, as discussed in the charter, is to make technical recommendations regarding the development of a draft FIPS for Cryptographic Escrow Systems which could be incorporated into a Federal Key Management Infrastructure. The Committee will focus on the data recovery services of the Federal Key Management Infrastructure for both stored and communicated information. Its initial work assignments are as follows:

* Developing recommended recovery system requirements (for confidentiality keys/plaintext, not keys used only for digital signature);

* Drafting specifications or protocols for:
   o registration and re-registration of encryption keys (could be for user keys, organization keys, master keys, session keys, time period keys, etc.);
   o recovery of encryption-related keys and/or other information necessary for decryption for law enforcement access; and
   o use of more than one TTP for split-key storage.

* Recommending validation/certification requirements for recovery systems, escrow entities, and products.

The committee's meetings are open to the public. Following its first meeting in Dallas December 5-6, 1996, it will meet in San Francisco on February 19-20. The agenda and minutes of the first meeting, as well as further details on the second meeting, are available at http://csrc.nist.gov/tacdfipsfkmi/.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NIST Advisory Board to Review New Information Technology Effects on Privacy
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The Computer System Security and Privacy Advisory Board, at its December 10, 1996 meeting, passed the following resolution:

As part of its work plan for 1997, the Board has decided to examine the effects of new information technology and government information practices on privacy. The fundamental legal protections for information privacy were established in the Privacy Act of 1974.
In the 22 intervening years since passage of the Act, computer and communications technology have gone through enormous change. Congress has legislated more demands on agencies to establish data bases of personal information. Budgetary restrictions are changing federal record-keeping practices. Consistent with its statutory obligation to identify latent issues, the Board wishes to hear from the public in order to become more fully informed and to make better recommendations.

Hearings and reports will presumably follow in due course. The CSSPAB is next scheduled to meet March 24-25 at NIST.

- - - - - - - - - - - - - -
FIPS 140-1 Deadline Passes
- - - - - - - - - - - - - -

FIPS 140-1 specifies security requirements for cryptographic modules used by U.S. government agencies to secure unclassified but sensitive information. The standard (available at http://csrc.nist.gov/fips/fips1401.htm) was adopted three years ago and its implementation requires that, after 31 January 1997, "only FIPS 140-1 validated cryptographic modules will be considered as meeting the provisions of this standard." Prior to this deadline, it was acceptable to purchase modules that had been submitted for evaluation, but had not yet been validated, or modules that had simply been claimed by their makers to conform to the standard. A list of such modules and more details on the requirements can be found at http://csrc.nist.gov/cryptval/140-1/1401val.htm

____________________________________________________________________
COMMENTARY AND OPINION
____________________________________________________________________
A Serious Problem for Key Escrow Schemes?
by Yongfei Han, Institute of Systems Science, National University of Singapore
____________________________________________________________________

Correspondence is invited on the following problem, posed by Yongfei Han.

Suppose users A and B observe regulations and submit their private keys to the key escrow agents for escrow (No matter how they generate the keys). Then A and B distribute their session key (SK1) encrypted under that private, escrowed key. If law enforcement agencies want to read the messages between A and B, the agencies retrieve the private key from the key escrow agents to obtain SK1, then decrypt the message.

Suppose A uses SK1 to encrypt a session key (SK2) in terms of a public agreement and then sends the encrypted SK2 to B, who decrypts it again. A and B start to communicate using SK2 to encrypt messages. The method can be continued until A and B use SKn-1 to encrypt SKn and from now on use SKn to encrypt messages to each other.

If law enforcement agencies intercept messages between A and B when A and B have used SKn to encrypt them (n>2), how can those agencies decrypt that traffic? To obtain SKn, they need SK1, SK2, ..., SKn-1. But they cannot get the set of keys SKi (1 Key escrow schemes must sort out this problem; otherwise they will not be able to prevent criminals from using "legal means" to achieve secret communication.

[The author would like to thank the editor for polishing the English.]

____________________________________________________________________
Peter Wayner: Regarding Bruen's Review of "Disappearing Cryptography"
____________________________________________________________________

To the Editor:

I would like to thank Bob Bruen and CIPHER for reviewing my book Disappearing Cryptography. Hiding information is an important technique that can have many practical applications and I hope my book will help people understand the topic.

One point needs to be clarified. The primary reason my publisher and I chose the title "Disappearing Cryptography" is most people with a background in computer science don't know what "steganography" means. But I also incorporate the word "cryptography" to make a larger point.
Some of the algorithms I present are not just "security through obscurity." There are plenty of theoretical and practical reasons why some of the algorithms can present hard-to-break security as well as obscurity. The algorithms aren't just mathematical equivalents to microdots and hidden compartments, they can be mathematical safes as well.

While it is hard to ever offer any guarantees of cryptographic strength, I think that many of the algorithms could prove to be quite secure over time. There are some preliminary theoretical indications that suggest they could be very strong. Of course, theory is not the same as practice and I could easily be proven wrong. Widespread study is the only practical measure of cryptographic strength and I hope my book will make these subjects interesting to a number of researchers.

Thank you again.

-Peter Wayner (pcw@access.digex.net)

____________________________________________________________________
Two Books on Primes and Factorization
Reviewed by Bob Bruen, Cipher Book Review Editor
____________________________________________________________________

--------------------------------------------------------------------
Riesel, Hans. Prime Numbers and Computer Methods for Factorization. 2nd ed. Birkhauser. Boston. 1994. ISBN 0-8176-3743-5 and 3-7643-3743-5. Index, short chapter bibliographies, list of textbooks, 9 appendices, and 24 tables. 464p. $69.50
http://www.birkhauser.com/cgi-win/ISBN/0-8176-3743-5

Ribenboim, Paulo. The New Book of Prime Number Records. 3rd ed. Springer Verlag. New York 1996. Index, chapter bibliographies, and 53 tables. 541p. $59.95
http://www.springer-ny.com/catalog/np/sep95np/DATA/0-387-94457-5.html
--------------------------------------------------------------------

Prime numbers are at the root of current computer security techniques involving cryptography such that the level of security is approximately equivalent to the difficulty of factoring.
Some understanding of this problem is necessary for anyone interested in security and privacy, so I offer two good books that will provide enough background for most of us. Naturally each has pointers for further reading. Both books are written for mathematicians not computer security professionals, although both have sections on public keys and Riesel has Pascal code for various factorization methods. Appropriately this year is the first of the twin primes (1997,1999).

Having been available for a couple of years Riesel's book has already been deemed worthwhile. There are only seven chapters, but there are nine appendices. The chapters deal with fundamental problems; primes below a given limit, the distribution of primes, the recognition of primes and factoring. Factoring is broken into two chapters, one on classical methods and one on modern methods. The seventh chapter is a short presentation on RSA. The second half of the book is split between the appendices (almost one hundred forty pages on the algebra necessary for the first half of the book) and the tables. The tables are composed of primes, factors in many formats, quadratic residues and formulas for cyclotomic polynomials. There is even an appendix devoted to elliptic curves.

He begins with a good introduction to the concept of a prime number and the prime number theorem. Alongside this he describes the basic sieve of Eratosthenes in words, mathematical terms and Pascal code. The code for the book is available via ftp (ftp.nada.kth.se Num/riesel-comp.tar). This helpful approach is maintained throughout the book. It always increases my chance of understanding something when there are multiple methods of explanation.

Probably the two most important chapters are the one on the recognition of prime numbers and the modern factorization methods. In recognizing primes, he covers composite tests and primality tests, making the point that not all primality tests require factorization.
The chapter on modern techniques naturally emphasizes computer applications. The many techniques presented, while not the complete set of techniques, are representative and instructive, and show the activity of the field today. Riesel's book is certainly worth having for learning about prime numbers and how they are factored.

Paulo Ribenboim's book is in its third edition, attesting to its success. It is not just about prime number records, but it is a great history of prime numbers with the personalities involved in the development of the field. There are many number groups, series and methods named after the personalities, such as Fermat numbers, Mersenne numbers, Lucas pseudoprimes, Wilson primes and so on. All have their place in history and in working with prime numbers. While Ribenboim does not claim to be complete, he has collected an extensive amount of material on prime numbers which is quite readable. As an example of its scope, this is one of the few sources that include an explanation of Waring's problem.

There are many prime number records in this book, for example, the largest (258,716 digits) in a table of the 28 largest, the largest palindromic prime (11,811 digits), the largest known prime in which all the digits are prime (3120 digits), the smallest primes with either 1000 or 2000 or 3000 digits, and the largest known prime with all digits either 1 or 0 (5856 digits). Many more curiosities are in the book, but there is much more than just the records and the history. The six chapters also cover recognizing primes, functions defining primes, and the distribution of primes. The last chapter is about heuristic and probabilistic results about prime numbers. Ribenboim has a sense of humor expressed throughout the book that makes it entertaining while still being true to the mathematics. He even has haiku written by Basho included.

This is a large compilation of research at the periphery of most people's interest, but it also illuminates the foundation of our electronic security and privacy. The explanations of prime numbers of all kinds are supported by an extensive bibliography for each chapter and lots of proofs in the chapters. It is a great reference book for prime numbers with numerous tables, including the list of prime numbers up to 10,093. If you want to know about anything to do with prime numbers, this is the place to start.

____________________________________________________________________
CONFERENCE REPORTS
____________________________________________________________________

None this issue.

____________________________________________________________________
New Reports available via FTP and WWW
____________________________________________________________________

* This page is from the U.S. Commerce department's Bureau of Export Administration, and includes pointers to the actual regulations transferring crypto items from U.S. Munitions List to Commerce List, published 30 Dec., 1996. There are also pointers to related items, including an address by Ambassador David Aaron, Special Envoy for Cryptography, delivered at the RSA Data Security Conference in the last week of January.
  http://www.bxa.doc.gov/encstart.htm

* Dan Farmer's survey on Internet insecurity. Interesting reading.
  http://www.trouble.org/

* Web Spoofing: An Internet Con Game, by E.W. Felten, D. Balfanz, D. Dean, and D. S. Wallach, Princeton T.R. 540-96. The report explains how an attacker might create a "shadow copy" of the entire WWW (including this page ...) and cause false or misleading data to be sent to victims.
  http://www.cs.princeton.edu/sip/pub/spoofing.html

* A Framework for Global Electronic Commerce -- draft document released by Clinton administration for comment.
  E-mail comments to gii@a1.eop.gov; the initial comment period will last until January 23, 1997.
  http://www.iitf.nist.gov/electronic_commerce.htm

* Defense Science Board's report on Information Warfare - Defense
  http://www.jya.com/iwd.htm

* Several versions of the internet-draft of a Certificate Policy and Certification Practice Statement Framework and a paper describing a security flaw in the X.509 specification.
  http://www.cygnacom.com/documents.html

* Federal Trade Commission staff report on a public workshop on consumer privacy on the Global Information Infrastructure. The workshop was held in June 1996, but the report was not available until December.
  http://www.ftc.gov/bcp/conline/pubs/privacy/privacy1.htm

____________________________________________________________________
Interesting Links [new entries only]
____________________________________________________________________

ARPA/NSA/DISA Memorandum of Agreement for coordinating Infosec research programs:
  http://www.ito.darpa.mil/ResearchAreas/Information_Survivability/MOA.html

IBM Patent Server
Online access to over two million patent descriptions, dating back to January, 1971. Also the last ten years of images.
  http://patent.womplex.ibm.com/

____________________________________________________________________
Who's Where: recent address changes
____________________________________________________________________

Entered 6 February 1997

Cristina Serban
AT&T Research Labs
307 Middletown-Lincroft Rd.
Lincroft, NJ 07738
Tel: 908-576-3279
e-mail: csb@cmprime.cis.att.com

Entered 29 January 1997

Eric Maiwald
Director Security Services
Sons Business Solutions, Inc.
12612 Gravenhurst Lane
North Potomac, MD 20878
Tel: 301-977-6966
fax: 301-947-3539
e-mail: emaiwald@fred.net

Entered 7 January 1997:

John C. Kennedy
Novell, Inc.
122 East 1700 South
Provo, UT 84606
email: jkennedy@novell.com
Tel: (801)861-5282

Entered 3 January 1997:

Avi Rubin
AT&T Research Labs
Room 2A-406A
PO Box 636
600 Mountain Avenue
Murray Hill, NJ 07974-0636
Tel: 908-582-7468
fax: 908-582-5192
e-mail: rubin@research.att.com
WEB: http://www.cs.nyu.edu/~rubin/

S Johann Bezuidenhoudt
IBM South Africa (Pty) Ltd
Private Bag X9907
Sandton 2146
South Africa
e-mail: johann@za.ibm.com
Tel: +27 11 302 6098

____________________________________________________________________
Calls for Papers
(new listings since last issue only -- full list on Web)
____________________________________________________________________

CONFERENCES

Listed earliest deadline first. See also Cipher Calendar

[Cipher readers: so many calls for papers that involve security or privacy have appeared since the last issue, that it has not been possible for your editors to summarize them here. If you consult the calendar entries on the Cipher web pages, you will find hyperlinks to full CFPs for all of the following conferences. Here, for each new conference since the last issue, we list only the conference name, the date submissions are due, the URL for the call, and the date and location of the conference. The URLs given below are the ones provided by the conferences themselves, since these should have the latest information. Sometimes these may be inaccessible, however, in which case readers should try the Cipher calendar links to copies stored at the University of Arizona.
--CEL]

PKS 97 Public Key Solutions 1997 (PKS '97)
  Submissions due 21 February
  http://www.certicom.com/html/pks/papers.htm
  Conference location: Toronto, Canada, April 28-30

IRISH 97: First Irish Workshop on Formal Methods
  Submissions due 13 February
  http://www.cs.tcd.ie/butrfeld/IWFM97/IWFM97.html
  Conference location: Dublin, Ireland, 3-4 July

PTP 97: First International Workshop on Proof Transformation and Presentation
  Submissions due 28 February
  http://jswww.cs.uni-sb.de/~ptp-97
  Conference location: Castle Dagstuhl, Saarland, Germany, April 8-10

HASE 97: IEEE High-Assurance Systems Engineering Workshop
  Submissions due 28 February
  http://er4www.eng.ohio-state.edu/hase97
  Conference location: Washington, D.C., August 11-12

MOBICOM: Third ACM/IEEE International Conference on Mobile Computing and Networking
  Submissions due 1 March
  http://www.monarch.cs.cmu.edu/~mobicom97/
  Conference location: Budapest, Hungary, Sept. 26-30

WebNet97: World Conference of the WWW, Internet, and Intranet
  Submissions due 7 March
  http://www.aace.org/conf/webnet/call97.html
  Conference location: Toronto, Canada, Oct. 31-Nov. 5

SOSP 97: 16th ACM Symposium on Operating Systems Principles
  Submissions due 7 March
  http://www.cs.washington.edu/sosp16/cfp-01.html
  Conference location: St. Malo, France, October 5-8

R&D Opportunities in Federal Information Systems
  Submissions due 15 March
  http://www.isi.edu/nsf/
  Conference location: To be determined, May 13-15

Electronic Commerce for Content II
  Submissions due 15 March
  http://www.ima.org/store/ip-ga/forum.html
  Conference location: Washington, D.C., April 28-29

ENTRSEC: Second International Workshop on Enterprise Security
  Submissions due 25 March
  http://www.cerc.wvu.edu/SECWK/
  Conference location: Cambridge, MA, June 18-20

ICCC: International Conference for Computer Communications
  Submissions due 1 April
  http://www.prism.uvsq.fr
  Conference location: Cannes, France, November 19-21

INTRA FORA: First Int. Conf.
on INTRANET Foundation, Research, and Applications
  Submissions due 10 April
  http://www.ifs.tuwien.ac.at/intrafora
  Conference location: Univ. of Linz, Austria, Sept. 22-24

ICICS: International Conference on Information and Communications Security
  Submissions due 30 May
  http://www.cs.arizona.edu/xkernel/www/cipher/cfps/cfp-ICIC.html
  Conference location: Beijing, China, November 11-13

RBAC: Second ACM Workshop on Role-Based Access Control
  Submissions due 1 June
  http://www.list.gmu.edu/rbac.html
  Conference location: George Mason Univ., Virginia, November 6-7, 1997

JOURNALS

Special Issues of Journals and Handbooks: listed earliest deadline first.

IEEE Internet Computing (IC) is a new bimonthly magazine from the IEEE Computer Society designed to help the engineer productively use the ever expanding technologies and resources of the Internet. Internet Computing and IC on-line will provide developers and users with the latest advances in Internet-based computer applications and supporting technologies such as the World Wide Web, Java programming, and Internet-based agents. Through the use of peer-reviewed articles as well as essays, interviews, and roundtable discussions, IC will address the Internet's widening impact on engineering practice and society.

IC is soliciting regular papers and papers for theme issues, listed below. To submit, send e-mail to any member of the editorial board. Include a plain text abstract, and a URL from which the paper can be viewed. Members of the editorial board are listed on the IC web page.
Author guidelines are available at http://www.computer.org/pubs/internet/auguide.htm Topics include system engineering issues such as agents, agent message protocols, engineering ontologies, web scaling, intelligent search, on-line catalogs, distributed document authoring, electronic design notebooks, electronic libraries, security, remote instruction, distributed project management, reusable service access and validation, electronic commerce, and Intranets. ------------------- Coming Theme Issues ------------------- Agents: Editorial Board Contacts: What kinds of agents are performing useful Munindar Singh work on the Internet? Papers should singh@ncsu.edu clearly define both the applications and or technologies being used as well as the Michael Huhns sense of "agent." Applications should be huhns@sc.edu demonstrable. Issues include security, Due date: March 15, 1997 mobility, and agent communication languages. Claims about the efficacy of one approach or language should be supported by examples from applications. Intranets: Editorial Board Contact: What special technologies are being William C. Regli developed inside companies to integrate regli@cme.nist.gov applications into an Intranet? How heavily Due date: May 7, 1997 do Intranets use Internet facilities? Articles on integration, interfaces, security, and special purpose integration systems are solicited, as well as development histories and tools. Internet Economics: Editorial Board Contact: What is the state of the art in Electronic Charles Petrie Commerce? Who pays for the Internet? How petrie@cdr.stanford.edu do the economic policies of different Due date: July 9, 1997 countries affect the use of the Internet? Are economically motivated routing policies affecting Internet access for some groups? Papers on all these subjects and related ones should have a strong technical background. Both actual case studies as well as simulations are encouraged. 
Technologies for both studying and implementing economic policies as well as electronic commerce are relevant. ________________________________________________________________________ Reader's Guide to Current Technical Literature in Security and Privacy Part 1: Conference Papers ________________________________________________________________________ The notation [conference information] indicates there is a link to information about the conference on the Cipher web pages. 1997 IEEE Symp. on Security and Privacy, May 5-7, Oakland, CA Preliminary List of Papers: - Toward Acceptable Metrics of Authentication Michael K. Reiter and Stuart G. Stubblebine (AT&T Laboratories- Research) - An Authorization Scheme for Distributed Object Systems V. Nicomette and Y. Deswarte (LAAS-CNRS & INRIA, France) - A Logical Language for Expressing Authorizations Sushil Jajodia (George Mason University), Pierangela Samarati (Universita' di Milano) and V. S. Subrahmanian (University of Maryland ) - Anonymous Connections and Onion Routing Paul F. Syverson (NRL), David M. Goldschlag and Michael G. Reed(NRL) - The Design and Implementation of a Multilevel Secure Log Manager Vikram R. Pesati, Thomas F. Keefe and Shankar Pal (Penn State University) - A Secure and Reliable Bootstrap Architecture A. Arbaugh and David J. Farber and Jonathan M. Smith (U. of Pennsylvania) - An MBone Proxy for a Firewall Toolkit Kelly Djahandari and Dan Sterne (Trusted Information Systems) - Secure Software Architectures Mark Moriconi, Xiaolei Qian, R. A. Riemenschneider (SRI) and Li Gong (SunSoft) - A General Theory of Security Properties and Secure Composition A. Zakinthinos and E.S. Lee (Cambridge University, U.K.) - Analyzing Consistency of Security Policies Laurence Cholvy and Frederic Cuppens (ONERA CERT, France). - Packet Filtering: Local Enforcement for Global Policies Joshua D. Guttman (MITRE Corp.) 
- Providing Flexibility in Information Flow Control for Object-Oriented Systems
  Elena Ferrari, Pierangela Samarati and Elisa Bertino (Universita' di Milano) and Sushil Jajodia (George Mason University)
- Automated Analysis of Cryptographic Protocols
  J. Mitchell, M. Mitchell, and U. Stern (Stanford University)
- How to Systematically Classify Computer Security Intrusions
  Ulf Lindqvist and Erland Jonsson (Chalmers U. of Technology, Sweden)
- Surviving Information Warfare Attacks on Databases
  Paul Ammann and Sushil Jajodia (George Mason University), Catherine D. McCollum and Barbara T. Blaustein (MITRE Corp.)
- Execution Monitoring of Security-Critical Programs in a Distributed System: A Specification-based Approach
  Calvin Ko (TIS) and Manfred Ruschitzka and Karl Levitt (U. Cal. - Davis)
- Catalytic Inference Analysis: Detecting Inference Threats due to Knowledge Discovery
  John Hale and Sujeet Shenoi (University of Tulsa)
- Analysis of a Denial of Service Attack on TCP
  Christoph L. Schuba, Ivan V. Krsul, Markus G. Kuhn, Eugene H. Spafford, Aurobindo Sundaram and Diego Zambon (Purdue University)
- Deniable Password Snatching: On the Possibility of Evasive Electronic Espionage
  A. Young and M. Yung (Columbia University)
- Number Theoretic Attacks On Secure Password Schemes
  Sarvar Patel (Bellcore)

_______________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 2: Journal and Newsletter Articles, Book Chapters
_______________________________________________________________________

o IEEE Spectrum, Vol. 34, No. 2 (February 1997). Special issue on electronic money:
  - Tekla S. Perry. Electronic money: toward a virtual wallet. pp. 18-19.
  - Edward W. Kelley, Jr. Future of electronic money: a regulator's perspective.
  - Marvin A. Sirbu. Credits and debits on the Internet. pp. 23-29.
  - David Chaum and Stefan Brands. 'Minting' electronic cash. pp. 30-34.
  - Peter S. Gemmell. Traceable e-cash.
    pp. 35-37.
  - Stanley E. Morris. Crime and prevention: a Treasury viewpoint. pp. 38-39.
  - Robert W. Baldwin and C. Victor Chang. Locking the e-safe. pp. 40-46.
  - Carol Hovenga Fancher. In your pocket: smartcards. pp. 47-53.
  - Michael C. McChesney. Banking in cyberspace: an investment in itself. pp. 54-59.
  - Steven M. H. Wallman. Technology takes to securities trading. pp. 60-65.
  - Alfred R. Berkeley III. Nasdaq's technology floor: its president takes stock.
  - Mike Ter Maat. The economics of e-cash. pp. 68-73.
  - Howard Anderson. Money and the Internet: a strange new relationship. pp. 74-76.

o IEEE COMPUTER, Vol. 30, No. 2 (February 1997).
  Andreas Pfitzmann, Birgit Pfitzmann, Matthias Schunter, and Michael Waidner. Trusting mobile user devices and security modules. pp. 61-68.
  Internet Kiosk: Public key cryptography. pp. 101-104.

o IEEE/ACM Transactions on Networking, Vol. 4, No. 6 (Dec 1996):
  S. H. Low, N.F. Maxemchuk, and S. Paul. Anonymous Credit Cards and Their Collusion Analysis. pp. 809-816.

o Journal of Cryptology, Vol. 10, No. 1 (Winter, 1997):
  - P. de Rooij. On Schnorr's Preprocessing for Digital Signature Schemes. pp. 1-16.
  - D. Beaver, J. Feigenbaum, J. Kilian, and P. Rogaway. Locally Random Reductions: Improvements and Applications. pp. 17-36.
  - Toshiya Itoh, Yuji Ohta, and Hiroki Shizuya. A Language-Dependent Cryptographic Primitive. pp. 37-49.
  - H. Dobbertin. RIPEMD with Two-Round Compress Function Is Not Collision-Free. pp. 1-16.
  - B. S. Kaliski, Jr. A Chosen Message Attack on Demytko's Elliptic Curve Cryptosystem. pp. 17-36.

o ACM SIGOPS Operating System Review, Vol. 31, No. 1 (Jan, 1997).
  - Vijay Varadharajan. Extending the schematic protection model II: revocation. pp. 64-77.
  - Marie Rose Low and James A. Malcolm. A joint authorisation scheme. pp. 88-96.

o IEEE Trans. on Computers Vol. 46, Number 1 (Jan. 1997).
  S. Papadimitrious, A. Bezerianos, T. Bountis. Secure communication with chaotic systems of difference equations. pp. 27-38.

o IEEE COMPUTER Vol.
30, No. 1, January, 1997. - Sara Reese Hedberg. HP's international cryptography framework: compromise or threat? pp. 28-30. - Randall J. Atkinson. Toward a more secure internet. pp. 57-61. o IEEE Software Vol.14, No. 1 (Jan/Feb 1977). - Charles P. Pfleeger. The fundamentals of information security. pp.15 ff. - Karl Dakin. What if there were no software piracy? pp. 20-21. o Communications of the ACM, Vol. 40, No. 1 (January 1997): - A. S. Grimshaw, Wm. A. Wulf, et. al. The Legion vision of a worldwide virtual computer. pp. 39-45. - Carey Nachenberg. Computer virus -- antivirus coevolution. pp. 46-51. - Bruce Schneier. Inside Risks: cryptography, security and the future. p. 138. o Computers & Security Volume 15, Number 8 (1996). (Elsevier) Refereed Papers: - Lam For Kwok and Dennis Longley. A security officer's workbench. pp. 695-706. - Frederick B. Cohen. A secure World-Wide-Web daemon. pp. 707-724. - Markus Michels, David Naccache, and Holger Petersen. GOST 34.10 -- a brief overview of Russia's DSA. pp. 725-732. o Computers & Security Volume 15, Number 7 (1996). (Elsevier) Refereed Papers: - Vesselin Bontchev. Possible macro virus attacks and how to prevent them. pp. 595-626. - Cees Jansen and Piet van der Vlist. Message encipherment with minimal expansion and redundancy -- doing better than ISO-10126. pp. 627-632. - John Yesberg and Mark Anderson. Quantitative authentication and vouching. pp. 633-646. o Computers & Security Volume 15, Number 6 (1996). (Elsevier) Special features: - Bob Frank. Security issues in the virtual corporation. pp. 471-476. - Ken Lindup. The role of information security in corporate governance. pp. 477-485. - Gerald Kovacich. Establishing a network security programme. pp. 486-498. - Edwin Heinlein. Year 2000 -- a real IS security issue. pp. 499-500. - Jim Press. Object oriented cryptographic facility design: export considerations. pp. 507-514. Refereed papers: - Vijay Varadharajan and Claudio Calvelli. 
    Extending the schematic protection model -- II. Revocation. pp. 525-536.
  - Sung-Ming Yen. Cryptanalysis and repair of the multi-verifier signature with verifier specification. pp. 537-544.

o ACM SIGSAC Security Audit & Control Review, Vol. 14, No. 4 (October 1966).
  - H. Rubinovitz. Issues '95 -- Electronic commerce. pp. 2-6.
  - S. Bhakhtiari, R. Gonzalez, R. Safavi-Naini, H. W. Peter Beadle. Payment systems for hypermedia information systems. pp. 7-11.
  - Joseph Arceneaux. Experiences in the art of security. pp. 12-16.
  - Benjamin Wright. Signing tax returns with a digital pen. pp. 17-22.

_______________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 3: Books
________________________________________________________________________

o Riesel, Hans. Prime Numbers and Computer Methods for Factorization. 2nd ed. Birkhauser. Boston. 1994. ISBN 0-8176-3743-5 and 3-7643-3743-5. Index, short chapter bibliographies, list of textbooks, 9 appendices, and 24 tables. 464p. $69.50
  http://www.birkhauser.com/cgi-win/ISBN/0-8176-3743-5
  Review by Bob Bruen in this issue.

o Ribenboim, Paulo. The New Book of Prime Number Records. 3rd ed. Springer Verlag. New York 1996. Index, chapter bibliographies, and 53 tables. 541p. $59.95
  http://www.springer-ny.com/catalog/np/sep95np/DATA/0-387-94457-5.html
  Review by Bob Bruen in this issue.

o Steve Sutton. Windows NT Security. Trusted Systems Training, Inc. Urbana, IL, 1996, 330 pp., $39.95. Reviewed in Infosecurity News, January, 1997.

o Andre Bacard. The Computer Privacy Handbook. Peachpit Press, 1996, 274 pp., ISBN 1-56609-171-3, $24.95. Reviewed in Infosecurity News, January, 1997.

o Peter T. Davis and Barry D. Lewis. Computer Security for Dummies. IDG Books, 1996, 342 pp., ISBN 1-56884-635-5, $19.99. Reviewed in Infosecurity News, January, 1997.

o Fred Simonds. Network Security: Data and Voice Communications. McGraw Hill, Inc.
Hightstown, NJ, 1996, 395 pp., ISBN 0-07-057639-4, $60. Reviewed in ACM Computing Reviews, Jan. 1997. o Frederick B. Cohen. Protection and Security on the Information Superhighway. John Wiley & Sons, Inc., New York, NY, 1995, 301 pp., ISBN 0-471-11389-1, $24.95. Reviewed in ACM Computer Reviews, Jan. 1997. ________________________________________________________________________ ________________________________________________________________________ Calendar ________________________________________________________________________ ==================================================================== See Calls for Papers section for details on many of these listings. ==================================================================== "Conf Web Page" indicates there is a hyperlink on the Cipher Web pages to conference information. (In many cases there is such a link even though mention is not made of it here, to save space.) Dates Event, Location Point of Contact/ more information ----- --------------- ---------------------------------- 2/12/97- 2/13/97: ISW '97 SEI InfoSurv Workshop, San Diego, California 2/13/97: CRYPTO '97, Santa Barbara, CA, submissions due, burt@rsa.com 2/13/97: IRISH '97. Dublin, Ireland; submissions due: oregang@cork.cig.mot.com 2/14/97: FMP '97, Wellington, New Zealand, submissions due; Conf web page 2/15/97: ACISP '97, Sydney, Australia,submissions due 2/16/97: NISSC '97, Baltimore, papers due (NISSConference@dockmaster.ncsc.mil) 2/17/97- 2/20/97: DATANET '97, Miami, Florida, conf web page 2/21/97: PKS '97. Toronto, Ontario, Submissions to kmorningstar@certicom.com; 2/23/97- 2/24/97: PAKDD '97, Singapore.Info hweeleng@iti.gov.sg; Conf Web page 2/28/97: PTP '97. Saarland, Germany, Submissions to ptp-97@cs.uni-sb.de; 2/28/97: HASE97. Washington, DC, Submissions due to yen@cps.msu.edu; 3/ 1/97: MOBICOM '97. 
Budapest, Hungary, Submissions due to mobicom97@monarch.cs.cmu.edu; 3/ 1/97: JSS, Special issue on formal methods; submissions due to hossein@cs.unomaha.edu. Journal web page 3/ 5/97- 3/ 7/97: DCCA6. Garmisch-Partenkirchen, Germany. 3/ 7/97: WebNet97, Toronto, Canada, Conf Web page. Submissions due; 3/ 7/97: SOSP '97, Malo, France; Conf Web page; 3/10/97: IFIP WG 11.3, submissions due to T. Y. Lin (tylin@cs.sjsu.edu) or Xiaolei Qian (qian@csl.sri.com), Conf web page; 3/15/97: INETCOMP, Agents issue, Submissions to singh@ncsu.edu 3/15/97: R&D Opportunities in Federal Information Systems, papers due to lbrandt@nsf.gov 3/15/97: Electronic Commerce for Content II. Washington, DC Submissions to forum@ima.org; 3/20/97- 3/23/97: TSMA '97; Nashville, TN 3/25/97: ENTRSEC. Cambridge, Massachusetts, Submissions to bcdavis@appliedknowledge.com; 4/ 1/97- 4/ 4/97: DASFAA '97; Melbourne, Australia Conf Web page 4/ 1/97- 4/ 3/97: CORBA SW, Baltimore, MD 4/ 1/97: ICCC97. Cannes, France,Submissions due to ICCC97@prism.uvsq.fr 4/ 2/97- 4/ 4/97: 4th CCS, Zurich, Switzerland; Conf Web page 4/ 3/97- 4/ 5/97: ICAST '97, Schaumburg, Illinois, Conf web page 4/ 4/97: NSPW '97,Cumbria,UK, papers due http://www.cs.uwm.edu/~new-paradigms 4/ 5/97: GBN '97. Kobe, Japan; Conf Web page 4/ 7/97- 4/11/97: ICDE '97, Birmingham, UK; Conf Web page 4/ 7/97- 4/ 8/97: RIDE '97. Birmingham, England Conf Web page 4/ 8/97- 4/10/97: PTP '97. Saarland, Germany Conf Web page 4/ 9/97- 4/11/97: ISADS97, Berlin, Germany; Conf Web page 4/10/97: INTRA-FORA. 
Linz, Austria, Submissions due to intra@faw.uni-linz.ac.at 4/14/97- 4/17/97: SICON97, Kent Ridge, Singapore 4/15/97: JTS, special multimedia issue; Conf Web page 4/28/97- 4/30/97: PKS '97, Toronto, Ontario Conf Web page 4/28/97- 4/29/97: Electronic Commerce for Content II Washington, DC 5/ 4/97- 5/ 7/97: IEEE S&P, Oakland, California; Conf Web page 5/ 7/97: INETCOMP, Intranets issue, Submissions due to regli@cme.nist.gov 5/11/97- 5/15/97: Eurocrypt '97, Konstanz, Germany 5/12/97- 5/16/97: CITSS, Ontario, Canada; info from citss@cse-cst.gc.ca 5/13/97-5/15/97: R&D Opportunities in Federal Information Systems 5/14/97- 5/16/97: SSSC, Copenhagen, Denmark http://genie.rau.ac.za/ifip 5/14/97: Chilean CompSci Soc, Valparaiso, Chile; papers due. Conf Web page; 5/30/97: ICICS '97, submissions due, Beijing, P.R. China 5/31/97: TAPOS97. Conf Web page Submissions to mendel@db.toronto.edu; [*] 6/ 1/97- 6/ 6/97: IESS '97, Walnut Creek, CA 6/ 1/97: RBAC97. McLean, Virginia, Submissions due to ecoyne@seta.com. 6/11/97- 6/12/97: ENM '97, Montreal, Quebec 6/10/97- 6/12/97: CSFW10, Rockport, MA; Workshop Web page 6/18/97- 6/20/97: ENTRSEC. Cambridge, Massachusetts Conf Web page 6/30/97- 7/ 3/97: NGITS '97. Neve Ilan, Israel Conf Web page 7/ 3/97- 7/ 4/97: IRISH '97. Dublin, Ireland Conf Web page 7/ 7/97- 7/ 9/97: ACISP '97, Sydney, Australia, vijay@st.nepean.uws.edu.au 7/ 9/97- 7/11/97: FMP '97, Wellington, New Zealand, Conf web page 7/ 9/97: INETCOMP, Economics issue, Magazine web page Submissions to petrie@cdr.stanford.edu; 8/11/97- 8/12/97: HASE97. Washington, DC Conf Web page 8/11/97- 8/13/97: IFIP WG 11.3, Lake Tahoe, California, Conf web page 8/17/97- 8/21/97: CRYPTO '97, Santa Barbara, California 8/25/97- 8/27/97: IDEAS '97. Montreal, Canada Conf Web page 9/ 8/97- 9/10/97: SAFECOMP97. University of York, UK Conf Web page 9/ 9/97: USENIX Sec Symp. San Antonio, TexasConf Web page. Submissions to securitypapers@usenix.org; 9/22/97- 9/24/97: INTRA-FORA. 
Linz, Austria Conf Web page 9/23/97- 9/26/97: NSPW '97, Great Langdale, Cumbria, UK 9/26/97- 9/30/97: MOBICOM '97, Budapest, Hungary Conf Web page 10/ 5/97-10/ 8/97: SOSP '97, Malo, France; Conf Web page 10/ 6/97-10/10/97: NISSC '96, Baltimore 10/31/97-11/ 5/97: WebNet97. Toronto, Canada; Conf Web page 11/ 6/97-11/ 7/97: RBAC97. McLean, Virginia Conf Web page 11/11/97-11/13/97: ICICS '97, Beijing, P.R. China 11/12/97-11/14/97: Chilean CompSci Soc, Valparaiso, Chile; Conf web page 11/19/97-11/21/97: ICCC '97. Cannes, France Conf Web page 1/26/98- 1/29/98: USENIX Sec Symp. San Antonio, Texas Conf Web page 5/ 3/98- 5/ 6/98: IEEE S&P 98; Oakland no e-mail address available 5/12/98- 5/15/98: 10th CITSS, Ottawa; no e-mail address available 5/ 2/99- 5/ 5/99: IEEE S&P 99; Oakland no e-mail address available 5/11/99- 5/14/99: 11th CITSS, Ottawa; no e-mail address available 4/30/00- 5/ 3/00: IEEE S&P 00; Oakland no e-mail address available 5/16/00- 5/19/00: 12th CITSS, Ottawa; no e-mail address available Key: * ACISP = Australasian Conference on Information Security and Privacy, * ACSAC = Annual Computer Security Applications Conference 12th Annual * ASIAN = Asian Computing Science Conference ASIAN '96 * CCS = ACM Conference on Computer and Communications Security * CCSS = Annual Canadian Computer Security Symposium * CORBA SW = Workshop on Building and Using CORBASEC ORBS CORBA SW * CRYPTO = IACR Annual CRYPTO Conference CRYPTO97 * CSFW = Computer Security Foundations Workshop CSFW10 , Wrkshp Page * DCCA = Dependable Computing for Critical Applications DCCA6 * DASFAA = Database Systems For Advanced Applications DASFAA '97. 
* DATANET = Datanet Security, Annual International Conference and Exhibition on Wide Area Network Security DATANET '97 * ENM = Enterprise Networking ENM '97 * ENTRSEC = International Workshop on Enterprise Security ENTRSEC '97 * FSE = Fast Software Encryption Workshop FSE4 * FMP = Formal Methods Pacific FMP '97 * HASE = High-Assurance Systems Engineering Workshop HASE '97 * ICAST = Conference on Advanced Science and Technology, 13th ICAST * ICDE = Int. Conf. on Data Engineering ICDE '97 * ICDT = International Conference on Database Theory ICDT97. * ICCC = International Conference for Computer Communications ICCC '97 * ICICS = International Conference on Information and Communications * IDEAS = Int'l Database Engineering and Applications Symp. IDEAS '97 * IFIP WG11.3 = IFIP WG11.3 11th Working Conference on Database Security * IEEE S&P = IEEE Symposium on Security and Privacy - IEEE S&P '97 * IESS = International Symposium on Software Engineering Standards IESS '97 * INETCOMP = IEEE Internet Computing Online ("Webzine") * INTRA-FORA = International Conference on INTRANET: Foundation, Research, and Applications INTRA-FORA * IRISH = Irish Workshop on Formal Methods IRISH97 * ISADS = Symposium on Autonomous Decentralized Systems ISADS '97 * ISW '97 = CERT/SEI Information Survivability Workshop '97 * JSS = Journal of Systems and Software (North-Holland) Special Issue on Formal Methods Technology Transfer * MMD = Multimedia Data Security MMD '97 * MOBICOM = Mobile Computing and Networking MOBICOM '97 * NISS = National Information Systems Security Conference NISS97 * NGITS = World Conference of the WWW, Internet, and Intranet NGITS '97 * NSPW = New Security Paradigms Workshop NSPW '97 * PAKDD = First Asia-Pacific Conference on Knowledge Discovery and Data * PKS = Public Key Solutions PKS '97 * PTP = Workshop on Proof Transformation and Presentation PTP '97 * RBAC = ACM Workshop on Role-Based Access Control RBAC '97 * RIDE = High Performance Database Management for Large 
Scale Applications * SAFECOMP = Computer Safety, Reliability and Security SAFECOMP '97 * SICON = IEEE Singapore International Conference on Networks SICON '97 * SNDSS = Symposium on Network and Distributed System Security (Internet Society) NDSS '97 * SOSP = 16th ACM Symposium on Operating Systems Principles SOSP '97 * SSSC = IFIP WG 11.2 Small Systems Security Conference * TSMA = 5th International Conference on Telecommunication Systems - Modeling and Analysis TSMA '97 * USENIX Sec Symp = USENIX UNIX Security Symposium, 8th Annual * WebNet = World Conference of the Web Society, WebNet 97. * WECS = ACM Workshop on Computer Security Education, WECS '97 ________________________________________________________________________ Data Security Letter Subscription Offer ________________________________________________________________________ A special subscription rate of $25/year for the Data Security Letter is now available to IEEE TC members. The DSL is an external, nonpartisan newsletter published by Trusted Information Systems, Inc. Eleven issues (usually 16 pages each) per year are published. The DSL welcomes reader suggestions and contributions and accepts short research abstracts (about 130 words) for publication on an ongoing basis. On occasion, the DSL will be republishing Cipher articles (with authors' approval), but such articles will constitute a small portion of DSL content (thus there will be very little duplication of Cipher material). IEEE TC members wishing to take advantage of the special subscription rate should send the following to sharon@tis.com. The information can also be faxed to 301-854-5363 (attention: DSL) phoned to 301-854-5338, or mailed to Trusted Information Systems, Inc., 3060 Washington Rd., Glenwood, MD 21738 USA. NAME: POSTAL ADDRESS: (Please indicate company name, if a business address) PHONE: (Please indicate if home or business) FAX: E-MAIL: IEEE Membership No. 
(if applicable):

NOTE: If you are already a paying subscriber to the DSL, for the $25 you will receive a 2-year renewal; refunds, rebates, etc., on your current subscription are not available.

If you have any questions about the offer or anything else pertaining to the DSL, you may contact the editor, Sharon Osuna, via E-Mail to sharon@tis.com or call her at 301-854-5338.

________________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
________________________________________________________________________

You do NOT have to join either IEEE or the IEEE Computer Society to join the TC, and there is no cost to join the TC. All you need to do is fill out an application form and mail or fax it to the IEEE Computer Society. A copy of the form is included below (to simplify things, only the TC on Security and Privacy is included, and is marked for you). The full and complete form is available on the IEEE Computer Society's Web Server at URL:
  http://www.computer.org:80/tab/tcapplic.htm (print & mail form)
or
  http://www.computer.org:80/tab/Tcappli1.htm (HTML form for form-enabled browsers)

IF YOU USE THE FORM BELOW, PLEASE NOTE THAT IT IS TO BE RETURNED (BY MAIL OR FAX) TO THE IEEE COMPUTER SOCIETY, >>NOT<< TO CIPHER.

---------
IEEE Computer Society Technical Committee Membership Application
-----------------------------------------------------------
Please print clearly or type.
-----------------------------------------------------------
Last Name First Name Middle Initial
___________________________________________________________
Company/Organization
___________________________________________________________
Office Street Address (Please use street addresses over P.O.)
___________________________________________________________ City State ___________________________________________________________ Country Postal Code ___________________________________________________________ Office Phone Fax ___________________________________________________________ Email Address (Internet accessible) ___________________________________________________________ Home Address (optional) ___________________________________________________________ Home Phone ___________________________________________________________ [ ] I am a member of the Computer Society IMPORTANT: IEEE Member/Affiliate/Computer Society Number: ____________________ [ ] I am not a member of the Computer Society* Please Note: In some TCs only current Computer Society members are eligible to receive Technical Committee newsletters. Please select up to four Technical Committees/Technical Councils of interest. TECHNICAL COMMITTEES [ X ] T27 Security and Privacy Please Return Form To: IEEE Computer Society 1730 Massachusetts Ave, NW Washington, DC 20036-1992 Phone: (202) 371-0101 FAX: (202) 728-9614 ________________________________________________________________________ TC Publications for Sale (NOT) ________________________________________________________________________ Proceedings of past Symposium proceedings will be available again soon. The store is temporarily closed until our new checking account is opened. ________________________________________________________________________ TC Officer Roster ________________________________________________________________________ Chair: Vice Chair: Deborah Cooper Charles P. Pfleeger P.O. Box 17753 Trusted Information Systems, Inc. Arlington, VA 22216 3060 Washington Rd., (703)908-9312 voice and fax Glenwood, MD 21738 dmcooper@ix.netcom.com (301)854-6889 (voice) (301)854-5363 (fax) pfleeger@tis.com Newsletter Editor: Chair, Subcommittee on Academic Affairs: Carl Landwehr Prof. 
Karl Levitt Code 5542 University of California, Davis Naval Research Laboratory Division of Computer Science Washington, DC 20375-5337 Davis CA 95611 (202)767-3381 (916)752-0832 landwehr@itd.nrl.navy.mil levitt@iris.ucdavis.edu Standards Subcommittee Chair: Chair, Subcommittee on Security Conferences: Greg Bergren Dr. Stephen Kent 10528 Hunters Way BBN Corporation Laurel, MD 20723-5724 70 Fawcett Street (410)684-7302 Cambridge, MA 02138 (410)684-7502 (fax) (617) 873-3988 glbergr@missi.ncsc.mil kent@bbn.com ________________________________________________________________________ Information for Subscribers and Contributors ________________________________________________________________________ SUBSCRIPTIONS: Two options: 1. To receive the full ascii CIPHER issues as e-mail, send e-mail to (which is NOT automated) with subject line "subscribe". 2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing or downloading from our ftp server send e-mail to (which is NOT automated) with subject line "subscribe postcard". To remove yourself from the subscription list, send e-mail to cipher-request@itd.nrl.navy.mil with subject line "unsubscribe". Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher CONTRIBUTIONS: to are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. For Calendar entries, please include an e-mail address for the point-of-contact. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors. 
BACK ISSUES: There is an archive that includes each copy distributed so
far, in ascii, in files you can download at URL
http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher/cipher-archive.html

There is also an anonymous FTP server that contains the same files.
To access the archive via anonymous FTP:

  1. ftp www.itd.nrl.navy.mil
  2. At prompt for ID, enter "anonymous"
  3. At prompt for password, enter your actual, full e-mail address
  4. Once you are logged in, change to the Cipher Directory:
     cd pub/cipher
  5. Now you can request any of the files containing Cipher issues in
     ascii. Issues are named in the form: EI#N.9612 where N is the
     number of the issue desired and 9612 captures the year and month
     it appeared.

========end of Electronic Cipher Issue #20, 10 February 1997=============

1997 IEEE SYMPOSIUM ON SECURITY AND PRIVACY

May 5-7, 1997
The Claremont Resort
Oakland, California

Sponsored by the
IEEE Technical Committee on Security and Privacy
In cooperation with the
International Association of Cryptologic Research

Symposium Committee
  Stephen Kent, General Chair
  Michael Reiter, Vice Chair
  George Dinolt, Program Co-Chair
  Paul Karger, Program Co-Chair

PRELIMINARY PROGRAM
Subject to Change

Sunday May 4, 1997

  4:00-7:00    Registration and Reception

Monday May 5, 1997

  8:00         Registration
  8:30         Introductory Remarks
  9:00         Panel/Debate
               Resolved: The concept of Trusted Computing Base as a
               basis for constructing systems to meet security
               requirements is fundamentally flawed and should no
               longer be used to justify system security architectures.
               Arguing in favor:
                 Lead: Bob Blakley (IBM)
                 Second: Darrell Kienzle (U. of Virginia)
               Opposed:
                 Lead: William R. Shockley
                 Second: LT (USN) James P. Downey
                         (Naval Postgraduate School)
               Moderator: John D. McLean (Naval Research Labs)
  10:30-11:00  Break
  11:00-12:00  Authorization and Authentication

               Toward Acceptable Metrics of Authentication
                 Michael K. Reiter and Stuart G. Stubblebine
                 (AT&T Labs--Research)
               An Authorization Scheme for Distributed Object Systems
                 V. Nicomette and Y. Deswarte
                 (LAAS-CNRS & INRIA, France)
               A Logical Language for Expressing Authorizations
                 Sushil Jajodia (George Mason University),
                 Pierangela Samarati (Universita' di Milano) and
                 V. S. Subrahmanian (University of Maryland)
  12:00-1:30   Lunch
  1:30-3:00    Applications

               Anonymous Connections and Onion Routing
                 Paul F. Syverson, David M. Goldschlag and
                 Michael G. Reed (Naval Research Labs)
               The Design and Implementation of a Multilevel Secure
               Log Manager
                 Vikram R. Pesati, Thomas F. Keefe and Shankar Pal
                 (Penn State University)
               A Secure and Reliable Bootstrap Architecture
                 A. Arbaugh, David J. Farber and Jonathan M. Smith
                 (University of Pennsylvania)
               An MBone Proxy for a Firewall Toolkit
                 Kelly Djahandari and Dan Sterne
                 (Trusted Information Systems)
  3:00-3:30    Break
  3:30-5:00    Security Theory

               Secure Software Architectures
                 Mark Moriconi, Xiaolei Qian, R. A. Riemenschneider
                 (SRI) and Li Gong (JavaSoft)
               A General Theory of Security Properties and Secure
               Composition
                 A. Zakinthinos and E.S. Lee
                 (Cambridge University, U.K.)
               Analyzing Consistency of Security Policies
                 Laurence Cholvy and Frederic Cuppens
                 (ONERA CERT, France)
  6:00-7:30    Reception

Tuesday May 6, 1997

  9:00-10:30   Panel: Ensuring Assurance in Mobile Computing
               Moderator: Marv Schaefer (Arca)
               Panel Members:
                 Sylvan Pinsky (NSA)
                 Drew Dean (Princeton University)
                 Jim Roskind (Netscape)
                 Li Gong (JavaSoft)
                 TBD (Microsoft)
  10:30-11:00  Break
  11:00-12:00  Architectures

               Packet Filtering: Local Enforcement for Global Policies
                 Joshua D. Guttman (MITRE)
               Providing Flexibility in Information Flow Control for
               Object-Oriented Systems
                 Elena Ferrari, Pierangela Samarati and Elisa Bertino
                 (Universita' di Milano) and
                 Sushil Jajodia (George Mason University)
               Automated Analysis of Cryptographic Protocols
                 J. Mitchell, M. Mitchell, and U. Stern
                 (Stanford University)
  12:00-1:30   Lunch
  1:30-3:00    Intrusion Detection and Beyond

               How to Systematically Classify Computer Security
               Intrusions
                 Ulf Lindqvist and Erland Jonsson
                 (Chalmers University of Technology, Sweden)
               Surviving Information Warfare Attacks on Databases
                 Paul Ammann and Sushil Jajodia
                 (George Mason University),
                 Catherine D. McCollum and Barbara T. Blaustein (MITRE)
               Execution Monitoring of Security-Critical Programs in a
               Distributed System: A Specification-based Approach
                 Calvin Ko (Trusted Information Systems),
                 Manfred Ruschitzka and Karl Levitt
                 (University of California Davis)
               Catalytic Inference Analysis: Detecting Inference
               Threats due to Knowledge Discovery
                 John Hale and Sujeet Shenoi (University of Tulsa)
  3:00-3:30    Break
  3:30-5:00    5-Minute talks on breaking research results
  5:00-6:00    Meeting, Technical Committee on Security and Privacy

Wednesday May 7, 1997

  9:00-10:30   Panel: Security in Innovative New Operating Systems
               Moderator: Cynthia E. Irvine (Naval Postgraduate School)
               Panel Members:
                 Brian Bershad, Spin Project
                   (University of Washington)
                 Frans Kaashoek, Exokernel Project
                   (Massachusetts Institute of Technology)
                 Jay Lepreau, Flux Project (University of Utah)
                 George Necula, Fox Project
                   (Carnegie Mellon University)
                 Larry Peterson, Scout Project (University of Arizona)
  10:30-11:00  Break
  11:00-12:00  System Vulnerabilities

               Analysis of a Denial of Service Attack on TCP
                 Christoph L. Schuba, Ivan V. Krsul, Markus G. Kuhn,
                 Eugene H. Spafford, Aurobindo Sundaram and
                 Diego Zamboni (Purdue University)
               Deniable Password Snatching: On the Possibility of
               Evasive Electronic Espionage
                 A. Young and M. Yung (Columbia University)
               Number Theoretic Attacks On Secure Password Schemes
                 Sarvar Patel (Bellcore)
  12:00-12:15  Final Remarks

1997 IEEE SYMPOSIUM ON SECURITY AND PRIVACY

REGISTRATION FORM

          Name:_____________________________________________
   Affiliation:_____________________________________________
Postal Address:_____________________________________________
               _____________________________________________
               _____________________________________________
         Phone:_____________________________________________
           Fax:_____________________________________________
         Email:_____________________________________________

Note: Address information will be distributed to attendees.

Please enter the appropriate registration category. Payment must be
included and must be either by check in U.S. dollars, drawn on a U.S.
bank and made payable to "IEEE Symposium on Security and Privacy", or
by credit card. Dates are strictly enforced by postmark.

Advance registration (up to 28 March 1997)
___ Member, IEEE or Computer Society (Member #__________, required).$310.00
___ Non-Member......................................................$385.00
___ Full-time Student...............................................$100.00

Late registration (from 29 March 1997)
___ Member, IEEE or Computer Society (Member #__________, required).$370.00
___ Non-Member......................................................$460.00
___ Full-time Student...............................................$100.00

Do you wish to present at a poster session or lead an evening
discussion?  [ ] Yes  [ ] No

Do you have any special requirements?_________________________________________

Please indicate your method of payment by checking the appropriate box:

[ ] Check in U.S. funds drawn on a U.S. bank (PLEASE ENCLOSE WITH THIS
    FORM)

Credit card authorization: (Charges will appear on your statement as
made by IEEE COMPUTER SOCIETY. Note: your credit card number will be
transmitted to the IEEE over the Internet, using an SSL-protected
link.)

[ ] Visa   [ ] MasterCard   [ ] American Express   [ ] Diners Club

Credit Card Number:_________________________________________________________
Card Holder Name:______________________________Expiration Date:_____________
Signature (required for credit card payments):______________________________

Mail registration to:
  Michael Reiter
  AT&T Labs Research
  Room 2A-343A
  600 Mountain Avenue
  Murray Hill, NJ 07974

Or FAX this form (CREDIT CARD REGISTRATIONS ONLY) to:
  FAX:   +1 908 582-5192
  VOICE: +1 908 582-5424

>>>>SORRY, NO REGISTRATIONS BY EMAIL. NO REFUNDS.<<<<

Five-Minute Research Talks Session
==================================

This year we will continue our tradition of having one session of
five-minute research talks. If you are interested in presenting a
five-minute talk, please submit a one-page abstract including the
title and all authors' names and affiliations to George W. Dinolt at

  George W. Dinolt, Program Co-Chair
  Lockheed Martin Western Development Laboratories
  Mail Stop X20
  3200 Zanker Road
  San Jose, CA 95134

Abstracts must be received by Friday, April 18, 1997 at 6:00 PM PST.
Abstracts will be distributed at the conference. Please note that the
five-minute time limit will be strictly enforced.

Evening Sessions
================

The 1997 IEEE Symposium on Security and Privacy will accommodate
poster sessions and evening discussions. There will be rooms with
blackboards and bulletin boards for interested parties to post
presentations on work in progress, recent research results, and
innovative proposals, or to lead discussions on topics of current
interest. These rooms will be available Monday and Tuesday, May 5 and
6, from 8 p.m. to midnight. If you are interested in posting a
presentation or organizing a discussion on a particular topic, please
indicate so on the registration form.

Hotel Reservations - The Claremont Resort
=========================================

The Claremont Resort in Oakland, California is situated in the
Oakland-Berkeley hills overlooking the San Francisco Bay on 22 acres
of beautifully landscaped lawns and gardens. Facilities include the
Claremont Pool and Tennis Club and The Spa at the Claremont. To reach
the hotel, allow 35 minutes from the Oakland Airport and 45 minutes
from the San Francisco Airport. Bayporter Express (+1 415 467-1800)
provides shuttle service from either airport to the Claremont Resort.
The charge is $12 from the Oakland Airport and $13 from the San
Francisco Airport, per person one way. Parking is available at the
hotel at a cost of $8 per day for guests and a maximum of $9 per day
for non-guests.

Hotel reservations must be made under the group name IEEE Symposium on
Security and Privacy. The group rate is $108 single, $120 double
occupancy, plus 11% tax. These rates are available for the period May
2-9, 1997. The cut-off date for reservations is Friday, April 4, 1997.
Reservations made after this date will be accepted on a space
available basis. Reservations must be accompanied by an advance
deposit or credit card guarantee. You may cancel your individual
reservations up to 48 hours prior to arrival, after which your deposit
becomes non-refundable. Please be advised the check-in time is after
3:00 p.m.; check-out is 12 noon.

For reservations and information, contact:

  The Claremont Resort
  Ashby and Domingo Avenues
  Oakland, CA 94623-0363
  Phone: +1 800 551-7266 (7 a.m. to 8:30 p.m., PST)
         or +1 510 843-3000
  Fax:   +1 510 549-8582

================================================================================