Subject: Electronic CIPHER, Issue 21, March 25, 1997

====================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 21                                   March 25, 1997
Carl Landwehr, Editor   Bob Bruen, Book Review Editor   Hilarie Orman, Assoc. Editor
====================================================================
____________________________________________________________________
*** REMINDER: Early Registration Rates for 1997 IEEE Symposium   ***
*** on Security and Privacy end Friday, March 28. Register Now!  ***
*** Registration form available at Cipher Web site or call       ***
*** www.itd.nrl.navy.mil/ITD/5540/ieee/cipher    +1 908 582-5424 ***
____________________________________________________________________

Contents: [2345 lines total]

o Letter from the Editor

Security and Privacy News Briefs:
o LISTWATCH: Items from security-related lists, by Mary Ellen Zurko
o UK Policy on Licensing TTPs Proposed, Criticised
o Two New Sources of Random Numbers
o Attack Reports and Responses
o U.S. Computer Security Breach During Desert Shield?
o New IETF Working Group Formed to Standardize SSH

Commentary and Opinion
o Practical Experimentation in Information Security Education (A brief report from a survey) by Erland Jonsson and Lech Janczewski
o Summary of Comments on "A Serious Problem for Key Escrow Systems?"
  by Yongfei Han

Conference Reports:
o Report on 1st Annual Workshop on Education in Computer Security (WECS '97) by Heather Hinton
o Report on ISOC Symposium on Network and Distributed Systems by Richard Graveman

New reports available via FTP and WWW: several
Interesting Links:
Who's Where: recent address changes
Calls for Papers: CLEI'97, ACSAC'97, DIMACS WFVSP, IFIP-IICIS, ICDE '98
Reader's guide to recent security and privacy literature
o Conference Papers: COMPASS '97, FSE '97, SNDSS '97
o Journal and Newsletter articles: TKDE, SIGSAC
o Books: CRISIS report, Java security, and Digital Signature Schemes
Calendar
Data Security Letter subscription offer
Publications NOT for sale
TC officers
Information for Subscribers and Contributors

____________________________________________________________________
Letter from the Editor
____________________________________________________________________

Dear Readers,

For the past 16 months, it was my privilege and pleasure to serve on the National Research Council's Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure. The NRC staff organized site visits to hospitals and other healthcare institutions that keep medical records and have a reputation for doing a good job. We also heard from representatives of companies in related business areas, privacy advocates, and others. Paul Clayton of Columbia University's Dept. of Medical Informatics chaired the panel, and Jerry Sheehan of the NRC staff was the study director. A prepublication copy of the committee's report, For the Record: Protecting Electronic Health Information, was released on March 5 and is available at http://www2.nas.edu/cstbweb/52f2.html.
The recommendations call for improvements in technical and organizational policies, practices, and procedures that should not surprise Cipher readers with a good background in computer security (though you might be surprised at the number of institutions that don't have these policies, practices, and procedures in place). Press coverage of many of the report's findings and recommendations has been gratifying, but there is one particular recommendation that, somewhat to my surprise, has received almost no attention. As it happens, this recommendation presents a technical challenge that some Cipher readers might like to pursue:

Recommendation 4: Any effort to develop a universal patient identifier should weigh the presumed advantages of such an identifier against potential privacy concerns. Any method used to identify patients and to link patient records in a health care environment should be evaluated against the privacy criteria listed below.

1. The method should be accompanied by an explicit policy framework that defines the nature and character of linkages that violate patient privacy and specifies legal or other sanctions for creating such linkages. That framework should derive from the national debate advocated in recommendation 3.

2. It should facilitate the identification of parties that link records so that those who make improper linkages can be held responsible for their creation.

3. It should be unidirectional to the degree that is technically feasible: it should facilitate the appropriate linking of health records given information about the patient or provided by the patient (such as the patient's identifier), but prevent a patient's identity from being easily deduced from a set of linked health records or from the identifier itself.

The first of the three parts of this recommendation calls for the development of a privacy policy, which is not a technical issue. The other two parts, however, do call for new technology.
I think it is fair to say that the committee would have pointed to practical technologies that could make the linker of records visible and that were unidirectional, if it had been able to identify them. Perhaps Cipher readers can help, either by letting us know what we missed or by developing something new. As I mentioned in my last letter, the issue of universal patient identifiers is of particular moment in the U.S., because legislation passed last August requires the Health and Human Services Department to develop recommendations on this topic very soon.

On a lighter note, I would like to thank the many contributors to this issue and also to welcome Dr. James Davis of the Department of Electrical Engineering and Computer Science at Iowa State University to our slate of regular volunteers. Jim will be helping Hilarie Orman keep our Call for Papers file up-to-date. Please let me know if you would be interested in helping to keep Cipher going. I am particularly interested in finding people to help keep the Reader's Guide current.

Carl Landwehr
Editor, Cipher
Landwehr@itd.nrl.navy.mil

____________________________________________________________________
SECURITY AND PRIVACY NEWS BRIEFS
____________________________________________________________________

____________________________________________________________________
LISTWATCH
Security-Related News Items from Security-Related Mailing Lists
by Mary Ellen Zurko, The Open Group Research Institute (m.zurko@opengroup.org)
____________________________________________________________________

This issue's highlights are from risks, http-wg, e$pam, cypherpunks, www-security, and tbtf.

Counterpane Systems and UC Berkeley announced that researchers have discovered a flaw in the privacy protection of the Cellular Message Encryption Algorithm (CMEA), used in today's most advanced digital cellular phones. This flaw affects the privacy of numbers dialed.
Other flaws have been pointed out in the voice privacy feature of this standard as far back as 1992. Although CMEA is a 64-bit symmetric cipher, flaws reduce the effective key length to 24 or 32 bits. See http://www.counterpane.com/cmea.html for the press announcement.

Debate over the Cookie RFC in the HTTP working group has erupted, most recently due to a recent participant taking umbrage over the standard's privacy-motivated requirements. The standard requires browsers to give the user the ability to turn off acceptance of cookies, and to make that the default. The issue is whether a "wire" protocol should include user interface features in its standard, particularly since user interface is so important to browser success. Other participants recently took issue with the restrictions on cookies from domains outside of the main page's URL's domain (http://www.wired.com/news/technology/story/2615.html).

An ex-Sandia cryptographer is suing the NSA (http://www.jya.com/whp1.htm). His complaint says he was fired in 1992 for attacking the quality of NSA's cryptography. The complaint alleges that classification of information was used to hide its deficiencies in crypto skills.

RSA's RC5 48-bit challenge was broken in just over 13 days using more than 5000 machines across the internet (http://www.cstp.umkc.edu/personal/bhugh/dicinfo.html). This same level of effort would have broken the 40-bit challenge in 40 minutes. By contrast, problems with process seem to be slowing participation in the distributed DES crack. Organizers are asking participants to agree before participating about how the prize money should be allocated. Some people say that they don't want to be bothered with dealing with that kind of "contract". Resources went to the RC5 crack that might have gone to the DES attempt.

Some cypherpunks-types are concerned about certain provisions in the latest incarnation of the Pro-CODE bill (http://jya.com/s377.htm).
One concern is that anonymous remailers and fully anonymous digital cash might be export-restricted under the exception for hardware and software intentionally used to evade US law or taxes. Another is that the review board that meets with vendors of commercial encryption offerings is specifically exempted from open meeting requirements.

Since maintaining security with a composed system is harder than with a monolithic one, it will come as no surprise that there was a rash of bugs of this sort this month. Internet Explorer (IE) had three highly publicized bugs involving the 'out of band' downloader, the code in IE that handles downloading of objects that are not handled internally by the browser (http://www.cybersnot.com/iebug.html, http://dec.dorm.umd.edu/iebug.html, http://web.mit.edu/crioux/www/ie/index.html). These bugs completely bypass any of the distributed code security measures like Authenticode. Patches are available. Microsoft took a lot of heat in techie circles for its spin control. By way of comparison, Sun found its most recent Java security bug during a "regular security review" and announced the problem. In addition, a privacy hole was found with the Shockwave plug-in and Navigator 3.x (http://www.webcomics.com/shockwave/). Shockwave features can be used to send out data such as a user's private email.

The architect and primary implementor of Authenticode published a piece in risks explaining the motivation and goals of Authenticode.
Highlights include: users demand a rich computing experience, digital signing emulates traditional software distribution channels, automating the software installation process makes users' lives dramatically better, Microsoft's private keys are managed inside BBN SafeKeyper boxes housed in a guarded steel and concrete bunker, users' bypassing the security infrastructure is highly discouraged, signatures allow for law enforcement to help redress any problems, Authenticode is an important innovation in terms of users' understanding and administering trust, and everyone plans on signing code in the future. There were many responses to all these points, providing a pretty good layout of all the issues.

Open Market's OM-Transact product, which uses SSL with RC4 using 128-bit keys, was granted export approval, because it is narrowly tailored for financial applications. They had no requirement for key escrow.

Errata: Although there does not seem to be any official information on the web, I've been informed that the Nordic Post Security Service is planning on using X.509 certificates, and not PGP.

____________________________________________________________________
UK Policy on Licensing TTPs Proposed, Criticised
____________________________________________________________________

The UK's Minister of Science and Technology released a proposed policy on licensing of Trusted Third Parties (TTPs) on March 21. The document is posted at http://dtiinfo1.dti.gov.uk/pubs/. Ross Anderson of Cambridge University quickly made a copy available at http://www.cl.cam.ac.uk/users/rja14/dti.html and issued a brief but sharp critique, asserting that the new policy would outlaw PGP servers and leave countries that refused to escrow keys out of international electronic commerce. Brian Gladman of Trusted Information Systems (TIS) registered similar concerns, though he feels some portions of the document have merit.
He has posted a copy of the document as a web form that embeds both comments and a questionnaire that permits readers to register their own reactions; see http://www.seven77.demon.co.uk/. Alternatively, comments may be e-mailed to ttp.comments@ciid.dti.gov.uk.

Earlier, on March 18, TIS announced that a consortium of TIS, Microsoft, and IABG would provide "integrated technology that will both encrypt/decrypt data, and provide a way to recover the data should the original encryption key be lost." The pilot project is part of a study of confidentiality services led by IABG of Germany and sponsored by the European Commission. It intends to demonstrate a framework for strong encryption and key recovery that could be a basis for a secure electronic business infrastructure in Europe. TIS Key Recovery Centers located in France (Bull Engineering), Switzerland (R3 Security Engineering), Netherlands (Philips Crypto), Germany (IABG) and the UK (DRA-Malvern) will act as TTPs.

____________________________________________________________________
New sources of random numbers
____________________________________________________________________

Need some hot random numbers? You can get some purportedly genuine (not pseudo) numbers from Hotbits at http://www.fourmilab.ch/hotbits/. There are some diverting pages there describing how the author (who appears to be John Walker of Neuchatel, Switzerland) built a small apparatus that uses a Geiger-Muller counter and a Krypton-85 radiation source to do the trick, and there appears to be enough detail for the home hobbyist to replicate his work -- or you can just download the bits from their site. If you want to use the random numbers for encryption, there has been some discussion in the RISKS forum of the risks of having a good random number source but an untrustworthy connection to it. See Risks issues 18.89 - 18.93 available at http://catless.ncl.ac.uk/Risks/.
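The two schemes in this section (Hotbits bits fetched over the network, and the camera-image-to-hash-to-Blum-Blum-Shub pipeline described next) share one structure: physical measurements are hashed into a seed for a pseudorandom generator. The following is an added example, not code from Hotbits, the Lava Lite project or this newsletter; it hashes a constructed "downloaded" byte string together with a locally held secret into an 800-bit seed (the seed size quoted for the Lava Lite scheme) and runs Blum Blum Shub on it, so that an attacker who tampers with the network connection, the RISKS concern above, still cannot predict the output. The modulus built from the Mersenne primes 2^61-1 and 2^89-1 and the sample inputs are assumptions chosen only so the example runs offline.

```python
import hashlib
import math
from typing import List

# Blum primes (both congruent to 3 mod 4) form the BBS modulus n = p*q.
# These are the Mersenne primes 2^61-1 and 2^89-1, used here only so the
# example runs with a fixed modulus of known primality. A real deployment
# generates its own secret primes, far larger than this, and keeps them
# private: predicting the generator is as hard as factoring n.
BLUM_P = (1 << 61) - 1
BLUM_Q = (1 << 89) - 1
BLUM_N = BLUM_P * BLUM_Q

# Constructed sample inputs (not real Hotbits output and not a camera frame).
REMOTE_BITS = bytes.fromhex("9f3a5c7e1b2d4f60" * 8)   # "downloaded" over the network
LOCAL_SECRET = b"constructed-local-entropy-never-sent-anywhere"


def is_blum_candidate(p: int) -> bool:
    """Cheap sanity check on a BBS factor: it must be 3 mod 4 (no primality test here)."""
    return p % 4 == 3


def derive_seed(*sources: bytes, seed_bits: int = 800) -> int:
    """Hash one or more entropy sources into a seed_bits-long integer.

    SHAKE-256 is used as the one-way function because its output length is
    selectable; 800 bits (100 bytes) matches the seed size quoted for the
    Lava Lite scheme.  Each source is length-prefixed so that the boundary
    between sources is unambiguous.
    """
    h = hashlib.shake_256()
    for src in sources:
        h.update(len(src).to_bytes(4, "big"))
        h.update(src)
    return int.from_bytes(h.digest(seed_bits // 8), "big")


def bbs_bits(n: int, seed: int, count: int) -> List[int]:
    """Blum Blum Shub: x0 = seed^2 mod n, x_{i+1} = x_i^2 mod n, emit LSB of x_i for i >= 1."""
    s = seed % n
    if s in (0, 1) or math.gcd(s, n) != 1:
        # A seed sharing a factor with n (or 0/1) collapses the sequence.
        raise ValueError("seed must be coprime to n and not 0 or 1")
    x = pow(s, 2, n)
    out = []
    for _ in range(count):
        x = pow(x, 2, n)
        out.append(x & 1)
    return out


def random_bits_from_sources(remote: bytes, local: bytes, count: int,
                             n: int = BLUM_N) -> List[int]:
    """Mix network-delivered bits with a local secret before seeding BBS.

    If the connection to the remote source is tampered with, the attacker
    learns or even chooses `remote`, but does not know `local`, so the seed
    and therefore the output remain unpredictable to them.
    """
    return bbs_bits(n, derive_seed(remote, local), count)


if __name__ == "__main__":
    # Textbook check (n = 11*19 = 209, seed 3) followed by the mixed-source run.
    print(bbs_bits(209, 3, 6))
    print("".join(map(str, random_bits_from_sources(REMOTE_BITS, LOCAL_SECRET, 64))))
```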
A description of a more colorful (and bizarre) scheme for generating random numbers from Lava Lites also surfaced recently on the Internet. An article attributed to Mark Frauenfelder and entitled "Lava Lites: Easy to Break, Hard to Crack" describes a scheme said to have been developed by Landon Curt Noll, a cryptologist and number theorist with Silicon Graphics, along with his colleagues Robert G. Mende Jr. and Sanjeev Sisodiya. Six Lava Lites in different colors are set up in front of a digital camera, which takes a snapshot of them periodically. The digital image is run through a one-way hash function to produce an 800-bit seed, which is used as the starting value for the "Blum Blum Shub" pseudorandom generator. According to the article, which was dated well in advance of 1 April, the authors are attempting to patent the ideas behind the technology.

____________________________________________________________________
Attack reports and responses
____________________________________________________________________

A joint study of U.S. government computer security by the FBI and the Computer Security Institute released on March 7 reported viruses and system penetration as the most frequent types of attacks or misuse detected, each reported by more than 50% of 104 respondents. An article on the report by Heather Harrald in Government Computer News also reported that most attacks on government systems resulted from Internet access, reversing the trend of insider attacks by employees being the most likely source of attack.

An(other) attack on a NASA web page prompted that agency to adopt a policy of placing all public access servers outside of an agencywide firewall. Users behind the firewall will have their WWW access limited to sites identified as "necessary for business."

The U.S. Army officially announced the creation of its own Computer Emergency Response Team, ACERT (though it was reported that the team was "activated" last September).
The Army was the last of the services to create such a team.

NIST created a Federal Computer Incident Response Capability (FedCIRC) web site at http://fedcirc.llnl.gov, where you can find that in October through December 1996 FedCIRC responded to 13 hotline calls, among other things. The organization was launched last November 7; NIST subcontracts the operational incident handling capability to DARPA's CERT at CMU/SEI and Dept. of Energy's CIAC. NIST's responsibilities include managing the operation and utilizing the vulnerability data collected by FedCIRC.

____________________________________________________________________
U.S. Computer Security Breach During Desert Shield?
____________________________________________________________________

From EDUCOM, 25 March: During the Gulf War, computer vandals working from Eindhoven in the Netherlands cracked into U.S. government computers at 34 military sites to steal information about troop movements, missile capabilities, and other secret information; they then offered it to the Iraqis, but the Iraqis rejected it because they considered the information a hoax. Dr. Eugene Schultz, former head of computer security at the U.S. Department of Energy, has told the British Broadcasting Company: "We realized that these files should not have been stored on Internet-capable machines. They related to our military systems, they related to Operation Desert Shield at the time, and later Operation Desert Storm. This was a huge mistake." (London Telegraph 23 Mar 97)

____________________________________________________________________
New IETF Working Group Formed to Standardize SSH
____________________________________________________________________

From the Internet Society Newsletter distributed 25 March: A new working group, Secure Shell, has been formed in the Security area of the IETF. The goal of the group is to update and standardize the popular SSH protocol.
SSH provides support for secure remote login, secure file transfer, and secure TCP/IP and X11 forwarding. It can automatically encrypt, authenticate, and compress transmitted data. The WG will attempt to assure that the SSH protocol:

-- provides strong security against cryptanalysis and protocol attacks,
-- can work reasonably well without a global key management or certificate infrastructure,
-- can utilize existing certificate infrastructures (e.g., DNSSEC, SPKI, X.509) when available,
-- can be made easy to deploy and take into use,
-- requires minimum or no manual interaction from users,
-- is reasonably clean and simple to implement.

The resulting protocol will operate over TCP/IP or other reliable but insecure transport. It is intended to be implemented at the application level. Chair of the WG is Perry Metzger.

____________________________________________________________________
COMMENTARY AND OPINION
____________________________________________________________________

____________________________________________________________________
Practical Experimentation in Information Security Education
(A brief report from a survey)
by Erland Jonsson and Lech Janczewski
____________________________________________________________________

In 1995 the Erasmus Bureau published a review of university programmes on Information Security [1] followed by a proposal for an Information Security curriculum [2]. This set of publications is the first systematic attempt to review the discipline and develop a universally accepted university program in the Information Security arena. However, these publications do not define the delivery methods. Therefore, during the IFIP/SEC'96 conference in Samos, Greece, the IFIP WG 11.8 discussed to what extent the information security education at university level should be supported by practical activities, demonstrations, experiments and projects. As a result of this discussion we undertook to make a world-wide survey of existing experiments and we produced a questionnaire that was distributed widely. (E.g.
see Cipher, issues 16 and 17, 1996.) Around 20 answers were received, which resulted in a paper that will be presented at IFIP SEC'97 in Copenhagen, May 14-16, 1997 (http://www.datasik.dk/SEC97/index.html).

The paper covers the rationale behind conducting such experimentation and puts it into the context of the "action learning" approach. Some of the difficulties with practical experiments are briefly discussed. Furthermore, the paper introduces a taxonomy along three axes: degree of applicability, degree of innovation and level of generalization. All the experiments are classified according to the taxonomy so that the distribution of the experiments in the three-dimensional taxonomy could be investigated. Not surprisingly, the experiments are clustered into a few areas, and it could be discussed whether this is optimal from an educational point of view. Selected experiments are presented and discussed in more detail.

A full report of the results from the survey will be given at the IFIP WG 11.8 working group meeting that is held the day before the main conference. We are convinced that the survey is far from exhaustive and would like to encourage everyone to submit data on their experiments at any time. The intention is to put these experiments into a data bank that would be available to the security education community.

Erland Jonsson, email: erland.jonsson@ce.chalmers.se
Department of Computer Engineering, Chalmers University of Technology

Lech J. Janczewski, email: l.janczewski@auckland.ac.nz
School of Business and Economics, The University of Auckland

References

[1] Gritzalis, D. (Ed), University Programmes on Information Security, Dependability and Safety, European Commission, Erasmus ICP, Projekt ICP-94(&95)-G-4016/11, Report IS-CD-3c, Athens, July 1995.

[2] Katsikas, S., Gritzalis, D.
(Eds), A Proposal for a Postgraduate Programme on Information Security, Dependability and Safety (Syllabus), Version 2.2, European Commission, Erasmus ICP-94(&95)-G-4016/11, Report IS-CD-4a, Athens, Sept. 1995.

____________________________________________________________________
Summary of comments on "A Serious Problem for Key Escrow Schemes?"
by Yongfei Han, Institute of Systems Science, National University of Singapore
____________________________________________________________________

A number of comments from well-known researchers on information security and key escrow systems, i.e. D. Denning, C. Mitchell, Bruce Schneier, Dieter Gollmann and Tatsuaki Okamoto, have come to me since my article "A serious problem for key escrow systems?" was published in IEEE Cipher Electronic Issue #20. In this short paper, a summary of these comments together with my own points is given, and I propose some possible solutions.

All of the commenters think that the work in my article subverts key escrow systems. Prof. C. Mitchell said "whilst such a situation is not desirable, it is very difficult to avoid." In fact, unless their SK1 to SKn-1 are intercepted, the legal interceptors can do nothing to decrypt the message encrypted by SKn. Moreover, it is very hard for legal interceptors to keep watching the communications of every possible criminal or active attacker at all times. What I pursue is solutions to the problem.

"Some schemes have been designed which try and avoid this problem; however many have turned out to be flawed, and my belief is that, in the end, there is little one can do" writes Prof. Mitchell. My point is that one is unlikely to find a mathematical approach or protocol to completely avoid the attack. It seems that we cannot see a simple and easy solution to avoid the attack. However, the attack does not make key escrow useless. The key recovery function of key escrow systems is not degraded by the attack, and any lost key may still be recovered by key escrow schemes.
If a key escrow system is meant to prevent the casual use of public secure networks in a way which defeats legitimate interception, the attack does not really relate to this "casual use" scenario. However, if a key escrow system is applied to business/personal telephones or regular users on the Internet and Intranet, it will be subverted by the attack.

One possible solution is to increase the difficulty of changing and replacing key management systems in key escrow systems, and to provide more protection mechanisms for key management systems. A second possible solution is that key escrow agencies and key distribution centers randomly change users' keys, and intercept and check messages between users, so that the attack can be found effectively in time and further protection can be applied immediately. A third possible solution is to place a visible mark on any message encrypted using a legitimate key. The attack can then be found when an illegitimate key has been used to encrypt a message.

To avoid the attack at the user level, Dr. D. Gollmann said "Users must not be allowed to do their own encryption, you have to rely on a trusted service provider to encrypt data and escrow keys. Taken to its full length, you have to police all traffic ( and all data held somewhere in memory) and check whether they are encrypted (or simply compressed, written in a language you don't understand, etc)".

The author would like to thank D. Denning, C. Mitchell, B. Schneier, D. Gollmann, T. Okamoto and other researchers for their comments.
______________________________________________________________________
CONFERENCE REPORTS
______________________________________________________________________

______________________________________________________________________
Review of 1st Annual Workshop on Education in Computer Security
by Heather Hinton, Ryerson Polytechnic University, Toronto, Canada
______________________________________________________________________

The first WECS conference, sponsored by the ACM and the Naval Postgraduate School, Monterey, CA, was held in January, coincident with the AT&T Pro-Am Golf Tournament at Pebble Beach. We had broad international attendance, with security practitioners and educators from North America, Europe, Great Britain and the Nordic countries. Each day had a theme, covering the basics of designing and implementing an INFOSEC curriculum, covered in panel and break-out sessions.

Day 1 focused on the "Scope and Content of INFOSEC Curricula". The goal of this day was to attempt to narrow down the core materials for INFOSEC education. Ron Ross (IDA) chaired the first panel, "Generating Demand for INFOSEC Education." The panelists are all "consumers" of INFOSEC-educated students.

Derek Simmel (CERT) noted that attackers are becoming more and more sophisticated, leading to a corresponding increase in security incidents. To combat this, we need to incorporate basic information security practices and skills into the educational curriculum, at all levels (junior school through advanced university-level degrees).

Dan Faigan (The Aerospace Corporation) felt that the professional societies (ACM and IEEE) should be pro-active in this area. Specific curricula should be established, picking one or two universities to provide a complete INFOSEC specialty (Master's level and beyond).
(CS/CE/EE) students should graduate with an overview of the INFOSEC/COMPSEC areas, a rudimentary understanding of cryptography, and an exposure to security standards and networking skills (i.e., using a network, as opposed to schmoozing at the company Christmas party).

Vic Machonacy (DOD/NSA) stated that we are currently at the stages of "Awareness" (typified by assimilation of information) and "Training" (actively seeking more knowledge, using long term memory). We have not begun to move through the learning continuum into the realm of education, to "accommodation and internalization". What we need is for all employees to have an awareness of security issues, coupled with a basic security literacy. Specialists who are involved with sensitive systems need security training, in how to manage, design, implement, operate, etc. sensitive systems. The security specialists and professionals need to move to the level of security education, focusing on "things you need to know." These include laws and regulations, fundamentals of security, and technology- and organization-specific security elements. Vic felt that at this level, security professionals should have some sort of professional certification. Accomplishing these goals is going to require the cooperation of industry, government and academia.

Bruce George (DOD/NSA) talked about the need for ISSE, Information Systems Security Engineering. The corresponding educational objectives include the "big picture", understanding of features versus assurance, and an understanding of cryptography and computer security. To this end, Bruce espouses and applauds the increase in tutorial tracks at INFOSEC/COMPSEC conferences.

John McCumber (Trident) focused on the risk aspect of computer security and its inclusion in the curriculum. We need to know how (and teach people) to manage risks, including the cost of countermeasures and the effect of risk management on system performance.
The abundance and proliferation of tools for attacking systems means that if we are teaching current tools for defense, we are too late.

The second panel, chaired by Cynthia Irvine, explored the content of INFOSEC education. Jim Alves-Foss, of the University of Idaho, proposed a (set of) core curricula for students following one of three different security career paths: system administrator, system developer, and security researcher. A core INFOSEC/COMPSEC curriculum, common to all three paths, will supplement career-specific courses, at both the undergraduate and graduate level. The undergraduate core includes a course each in "computer security concepts" and computer network security. At the graduate level, core courses include cryptography and the design of secure systems. These courses are intended to supplement the traditional CS courses (such as operating systems, data management, etc.), in which security issues are briefly discussed.

Cynthia Irvine (Naval Postgraduate School) discussed the need for INFOSEC education of officers from many different backgrounds within the Navy. The curriculum at NPS focuses on the foundations of security, as well as security planning and management; many officers, when returning to their ships, become the resident security expert. Thus the courses at NPS make extensive use of laboratory exercises, with demonstrations and projects. At this graduate level, the computer-security track includes courses in secure system management, building secure systems, policies, models and formal methods, network security, database security, and advanced topics in computer security, all supplemented by thesis research.

Jens Lussem and Adrian Spalka (University of Bonn) discussed the need for computer security education at the high-school level. This is motivated by the extensive use of the Internet in Germany (with USD 40mil being put into the "Schulen ans Netz", Students on the Net, project).
This is complicated as most high-school teachers have no education or training in computer security, yet are required to take responsibility for the secure operation of the high-school systems. Thus there is a need to educate the teachers and the students about computer security issues. At present, due to a lack of technical solutions, administrative measures are in place to regulate and control use of the Internet by students. Students are informed of prohibitions against misuse, usage is monitored for violations, and violators are sanctioned. In the meantime, there is a need for "security ergonomics", targeted at ordinary users.

Heather Hinton (Ryerson Polytechnic University/University of Toronto) talked about the general computer security (overview) course offered at the University of Toronto; this is one of the most popular graduate courses offered, illustrating the student-driven demand. This course meets one need of computer security education: general graduate-level courses. The topics introduced in this course include viruses and other juicy bits (to keep them entertained until after the drop-date for the course), operating systems security, databases and network security, encryption, protocol analysis, risk analysis and legal and ethical issues. In addition, we need to have advanced undergraduate-level courses in computer security and we also require dedicated graduate-level programmes, such as those offered by the Royal Holloway (University of London) and James Madison University.

In Belgium, there is no standardization of the CS education. Jean Ramaekers (Institute d'Informatique, Belgium) described a final semester course (in a 5-year degree programme) that has been offered since 1983, accounting for 30 hours in the entire curriculum. The main goal of this course is to think "globally" about computer security. Students learn techniques for managing security within large industrial organisations.
Included in this curriculum is a discussion of the human aspects of security.

On the first afternoon, the workshop split into "break-out" groups to discuss curriculum content and prerequisites for topics and educational levels. While the majority and minority views for each break-out group are too lengthy to report, what is of interest is how most groups separated out the educational audiences. All groups identified the need for computer security education within computer science / computer engineering, at the undergraduate and graduate levels. Several groups also went beyond this to address the education needs of different target audiences, including, by degree: Master's in Information Sciences, MBAs, Master's in Software Engineering, and other professional degrees, such as Medicine and Law, together with pre-university education. Cynthia Irvine used the analogy that "we don't teach everyone to be a brain surgeon, but we do teach children to wash their hands". In general, it was felt that some equivalent to "washing your hands" is required at the high-school and public-school levels (perhaps we should be instructing students not to take candy or diskettes from strangers).

On Day 2, the overall theme was "INFOSEC Curricula: Novel Approaches to Delivering the Product". The first panel addressed "Spicing up INFOSEC Education" and was chaired by Matt Bishop (UC Davis). Erland Jonsson (Chalmers U. of Tech, Sweden) discussed his experiences with an undergraduate-level course, "Applied Security" (Erland snuck this course into the curriculum by assuring the administration that it would be "free", i.e., additional to his regular teaching load). The major laboratory project in this course is a project in intrusion and intrusion detection. Students are let loose in a target system and told to break in using any means fair or foul.
The more advanced students in this course often develop their own tools to aid in the attack, getting a real "hands-on" feel for computer security issues. Because of the adversarial nature of this course, the project must be carefully supervised by at least one "experiment leader" or supervisor.

Hilarie Orman (U. Arizona/DARPA) talked about "Furem Fur Cognoscit". Hilarie recommends engaging the students using a "Spy vs. Spy" approach. A two-part project, involving defense and offense, works well to engage students and illustrate security concepts. In the first part of the project, students develop and document a secure application. Projects are then swapped, and students are encouraged to attack and break the swapped applications. To help with this sort of interactive education, Hilarie's wish list includes a pedagogical security game that can be used to implement a real-time competition. Any takers and/or developers?

David Oppenheimer (Princeton University) talked about his experiences implementing a fourth-year applied cryptography seminar course at Princeton. This course is of interest as it was proposed, prepared, and given by undergraduate students to undergraduate students. Student projects made up a large part of this course. Some sample projects include a hardware encryption device, a secure online election system, and an implementation of Chaum-style digital cash. These projects were chosen by the students, reflecting their personal interests and talents. Peer review was used, so that the students could learn from each other. David offered suggestions to improve the course next time around. The biggest single improvement would be to include protocol analysis, in particular failure analysis. This was felt to be an ideal way to engage the class in discussion (and would produce good assignment topics).

Paul Olson (National Cryptologic School) discussed the use of on-line micro-courses to implement the course "Trusted System Criteria and Concepts".
This course was modularized, with one topic per lesson. These lessons were made as distinct as possible, although there is a flow imposed by the prerequisites of individual modules. The tool that allowed this to work is "Information Mapping", a means of presenting information in a way "psychologically tested to be more easily processed by the human brain". An information map is produced for each "chunk" of information (for example, one information map may define "What is a Target of Evaluation"). Information is presented under the headings of Introduction, Definition, Importance, Examples, Non-Examples, and Practice. Information maps are made available on-line, so that students can access them from home/work for self-study. The instructor is available as needed (via e-mail). Pedagogically, this is a great tool for introducing concepts, allowing lectures to focus immediately on the more detailed (and usually more interesting) issues.

Panel 4 addressed "Should Computer Security Education be Multi-Disciplinary", chaired by Heather Hinton. It seems that everybody agrees that it should in fact be multi-disciplinary, but no-one seemed to agree on what multi-disciplinarity actually implied. Larry Liebrock (U. Texas at Austin/Hewlett-Packard) described the graduate seminar "System Security and Systems Auditing Building", offered in the Graduate School of Business. The focus of this course included risk analysis and identification of "knowledge assets". Current security tools are used to familiarize students with the resources that are available.

Art Duncan (Rensselaer Polytechnic Institute, New York) went one step further, stating that "all technical education should be multi-disciplinary." Such courses should include sociological topics, as well as managerial, legal and ethical issues. In particular, a computer security course should include a section on "what are the legal and ethical implications of what I have learned in this course."
Matt Bishop (UC Davis) took the multi-disciplinarity of computer security in the other direction, stating that computer security must be a part of any (and all) introductory courses in programming. Focusing on the design, implementation, testing, and deployment of programmes is the basis for future education in computer security.

Dieter Gollmann (Royal Holloway, University of London) described the multi-disciplinary nature of the MSc in Information Security offered at Royal Holloway. This programme is a joint venture of the departments of Computer Science and Mathematics. In addition to the common courses in network security, cryptography, et cetera, there is an additional course in Security Management. This course is a series of lectures given by industry personnel, and includes topics such as "relating business requirements to security needs" and "regulatory controls".

Marcel Spruit (Delft U. of Tech, the Netherlands) mentioned the human and organizational aspects of the implementation of security. For example, to address the management of security and the delegation of responsibility, topics normally discussed in psychology must be introduced into the computer security curricula.

The second break-out session of the workshop addressed "potential teaching approaches and delivery methods for INFOSEC curricula." The overwhelming conclusion is that laboratories and projects are the best way to demonstrate security concepts.

Day 3 of the workshop focused on "Organizing and Building the INFOSEC Education Infrastructure." The day began with a panel on "Preparing INFOSEC for Education in the 21st Century". Marie Wright (Western Conn State U) pointed out that intruders are very good at organising, sharing information and collaborating. INFOSEC and COMPSEC educators should learn from this. We need to establish resources and lines of communication so that we too can collaborate and share information.
Book publishers can play a role in this by publishing (useful) security textbooks and educational materials.

Deb Frincke (U. Idaho) described the distance education programme at U. Idaho. Lectures are all videotaped and mailed to distance education students. Students view the videotapes, do the related assignments, and return the tapes and completed assignments. One issue that Deb brought up surrounded the on-line (Internet) availability of educational materials for use by distance education students: what is the liability of the instructor and university if these materials are used (by a non-student) to successfully attack a system? Another issue surrounding distance education is the need for on-line simulations and intrusion detection systems to allow distant students to benefit from practical laboratories and projects.

John Cordani (James Madison U) described the MIS programme at James Madison University. This programme targets students who have full-time jobs and are not able to attend classes within the traditional 9-5 structure. John pointed out that this is the likely path of post-graduate education in the future. The issues that must be addressed with INFOSEC/COMPSEC education include the timeliness of the education, when spread out over a longer time period than a traditional 8-month/1-year Master's degree.

After all this, most participants were feeling somewhat overwhelmed. The workshop concluded with a wrap-up discussion of what we were going to do in the future. WECS'98 is already being planned. Ed Felten has set up a mailing list for COMPSEC/INFOSEC educators (to subscribe, send mail to majordomo@cs.princeton.edu). Heather Hinton is preparing a web-site to act as a repository for who is doing what in INFOSEC/COMPSEC education (for specific security courses.
A preliminary URL for this page is www.ee.ryerson.ca:8080/~hhinton/compsec/security.html). This web page will contain pointers to the University, Department, and Course Home Pages (if any) of identified INFOSEC/COMPSEC courses being offered world-wide. Refer to the web page for details on how to have your courses included.

______________________________________________________________________
Report on the Internet Society 1997 Symposium on Network and Distributed
System Security, San Diego, CA, February 10-11, 1997
by Richard Graveman, Bellcore
______________________________________________________________________

This fifth annual symposium (the first, in 1993, was sponsored by the PSRG) again brought together researchers, implementors, and users of network and distributed system security technologies on February 10 and 11, 1997, in San Diego. All who participated owe a debt of gratitude to Dave Balenson, whose efforts as General Chair ensured the continuing success of this event. NDSS can be characterized by a combination of application and infrastructure topics, a focus on current Internet security issues, emphasis on practical and implemented solutions, a mix of technical papers and panel presentations, ample time for discussion of each paper presented, and an entertaining and thought-provoking after-dinner speech at the banquet. NDSS '97 carried on all of these traditions in wonderful style. Major topic areas included Internet infrastructure and routing security, security for the World Wide Web, Java and ActiveX security, cryptographic protocols, public key management, and protection of privacy.

Dave Balenson welcomed everyone and thanked all who contributed: Donald Heath and Martin Burack from ISOC; Cliff Neuman and Matt Bishop, the Program Chairs; Steve Welke, Publications; Tom Hutton, local arrangements; and Torryn Brazell and others, registration. Cliff Neuman said 13 of 47 papers were accepted. Four panels were added.
He thanked the Program Committee for many hours' work, as well as all who submitted papers or suggestions. In addition to the paper Proceedings, Steve Welke put together a CD-ROM with the 1997 and 1996 papers and other useful information. For copies of the Proceedings, contact IEEE Computer Society Press, 10662 Los Vaqueros Circle, P.O. Box 3014, Los Alamitos, CA 90720-1314 USA, telephone +1 714 821 8380, fax +1 714 821 4641, or cs.books@computer.org. Also, speakers' slides will be available at http://www.isoc.org/conferences/ndss97/. This report devotes most of its space to what's not on the CD or in the Proceedings, that is, what was said at the conference.

By tradition, Steve Kent chaired the first session under the motto "Keeping America's bits safe for democracy." Nick Ogurtsov presented the first paper, titled "Experimental Results of Covert Channel Elimination in One-Way Communication Systems," based on research at the University of Arizona over the last year and a half. The Bell-LaPadula security policy only allows data flow from Low to High. Solutions like physical isolation do not even allow desirable Low to High flow, and a one-way fiber link offers no reliability. But even if only ACKs flow from High to Low, covert channels are possible. Solutions running over TCP/IP have included the Store and Forward Protocol (SAFP), the Pump, and Upwards Channel. SAFP uses a large, trusted buffer, but the buffer can fill up, recreating the covert channel. The Pump also uses a buffer, but hides acknowledgment rates from the High side with a historical moving average. It is being implemented in real systems, but is hard to analyze information-theoretically. Upwards Channel uses blind write-up with a buffer, but this is bounded in either data rate precision or reliability. They implemented all of these plus their new system, called the Quantized Pump. The basic idea is to limit the downward channel information-theoretically.
The gateway has a buffer manipulated by Low and High trusted processes. The High trusted process can signal the Low one with at most L bits per second. The bits sent down tell the Low side to raise or lower the data rate by some factor. The throughput is equal to SAFP, and the buffer size can be shown to grow as a quadratic in L. If raising means the same, but consecutive lowering is by twice the previous amount, the buffer now grows as L log L. By lowering to zero, growth is linear, but throughput is only 45% of SAFP. In summary, the Quantized Pump is easy to configure and analyze, has a provable bound on the covert channel, and offers performance comparable with previous methods.

Steve Kent asked about "mass storage" transfer from Low to High: high latency, but good in other respects. This is the "SAFP infinite buffer size" case. Dan Nessett asked about non-military applications involving leakage of extremely sensitive data.

In the second paper, David Martin talked about work he did at Bellcore under the title "Blocking Java Applets at the Firewall." With applets, an outsider can assume the identity of an insider, but applets are supposed to be restricted: they cannot read or write the disk or use the network indiscriminately. They may, however, break the security and be able to run unrestricted Java code or native code. The applet may also be able to get the firewall to help it. The main attack in the paper tricks the firewall by choosing low ftp data channel port numbers. Another example uses html. The rule is that an applet can only open outgoing connections to the server that delivered it. The inside system GETs an applet through its proxy machine with an extra loopback connection at the proxy server. This tricks the inside system about where the applet came from. Blocking applets can be done by stripping out "applet" tags or detecting the Java class file signature 0xCAFEBABE, but this requires parsing the stream.
Applets may, however, be in zipped archives, for instance, so all plug-ins must be simulated at the firewall. Long term, this is a losing battle. General solutions require changes at the workstation: better sandboxes and digital signatures. Questions came up about products. Applets have appeared in Usenet News and also in e-mail read by Netscape. Scanners that are being implemented have to "unpack the world," and even then cannot cope with end-to-end encryption. In addition, JavaScript and ActiveX deliver the executable in html, so the html needs to be parsed, and looking for "CA FE BA BE" does not work.

Abdelaziz Mounji gave the third talk of the session, titled "Continuous Assessment of a Unix Configuration: Integrating Intrusion Detection & Configuration Analysis." Configuration analysis uses predicate logic to check for known vulnerabilities in the file system. Changes can be tracked continuously. Intrusion detection uses analysis of the audit trail with a rule-based language, RUSSEL. The main work here is to integrate the two approaches, so that, for example, an intruder cannot successfully open and close a hole quickly. Detection rules can vary with the results of the configuration analysis and trigger audit trail analyses automatically. An example showed how the two communicate with each other. Performance measurements showed that real-time configuration analysis is practical and that the two systems are useful in combination. A dynamically adaptive system was built, and several extensions are planned. See http://www.info.fundp.ac.be/~cri/DOCS/asax.html. One question asked, why not just fix the problem? This is difficult and possibly dangerous. Peter Neumann pointed out the need to address not just outside intrusion but also insider misuse.

Session 2 was a panel chaired by Aviel Rubin: Security of Downloadable Executable Content, Past, Present, and Future.
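To make the firewall-side scanning David Martin describes concrete, here is an added example (my own code, not the paper's or any product's): it looks for the class-file magic number at the start of a stream, for applet tags in html, and recurses into zip archives, which is exactly where "unpack the world" begins. The sample inputs are constructed; the "class file" is only a header, not real bytecode.

```python
import io
import re
import zipfile

# Java class files start with the magic number 0xCAFEBABE (the talk's "CA FE BA BE").
CLASS_MAGIC = b"\xca\xfe\xba\xbe"
# An opening <applet ...> tag, any case, any whitespace after '<'.
APPLET_TAG = re.compile(rb"<\s*applet\b", re.IGNORECASE)
# Recursion bound: archives nested deeper than this are reported, not opened, so a
# nested-archive bomb cannot exhaust the scanner.
MAX_DEPTH = 3


def is_class_file(data: bytes) -> bool:
    """A class file begins with the magic number; the bytes count only at offset 0."""
    return data.startswith(CLASS_MAGIC)


def scan(data: bytes, depth: int = 0, where: str = "stream") -> list:
    """Return (location, finding) pairs for executable content found in `data`.

    Findings: "java-class", "applet-tag", "encrypted-entry" (cannot be inspected),
    "nested-too-deep" (archive not opened) and "corrupt-archive".
    """
    findings = []
    if is_class_file(data):
        findings.append((where, "java-class"))
    if APPLET_TAG.search(data):
        findings.append((where, "applet-tag"))
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_DEPTH:
            findings.append((where, "nested-too-deep"))
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    inner = f"{where}/{info.filename}"
                    if info.flag_bits & 0x1:  # general-purpose flag bit 0: entry is encrypted
                        findings.append((inner, "encrypted-entry"))
                        continue
                    findings.extend(scan(zf.read(info), depth + 1, inner))
        except zipfile.BadZipFile:
            findings.append((where, "corrupt-archive"))
    return findings


def should_block(data: bytes) -> bool:
    """Fail closed: anything found, including content that could not be inspected, blocks."""
    return bool(scan(data))


def strip_applet_tags(html: bytes) -> bytes:
    """The other mitigation mentioned in the talk: remove <applet> and </applet> tags."""
    return re.sub(rb"<\s*/?\s*applet\b[^>]*>", b"", html, flags=re.IGNORECASE)


def wrap_in_zip(data: bytes, name: str) -> bytes:
    """Put `data` into a one-entry zip archive (stored, so the bytes stay visible)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def build_samples() -> tuple:
    """Constructed inputs for the demo: a fake class file, an html page, and a zip of both."""
    fake_class = CLASS_MAGIC + b"\x00\x03\x00\x2d" + b"constructed sample, not real bytecode"
    html = b"<html><body><APPLET code='Hello.class'></APPLET> hi</body></html>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Hello.class", fake_class)
        zf.writestr("index.html", html)
    return fake_class, html, buf.getvalue()


if __name__ == "__main__":
    for label, sample in zip(("class", "html", "zip"), build_samples()):
        print(label, should_block(sample), scan(sample))
```

Note that a stored (uncompressed) zip also matches the applet-tag regex on its raw bytes, while a deflated one would not, which is why the archive has to be opened rather than pattern-matched.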
Avi noted that Java, JavaScript, and ActiveX are configured into the Netscape and IE browsers, and people use the same machine to keep personal finances or corporate secrets and surf the Web. He then introduced the panelists in turn.

Ed Felten at Princeton has found flaws in Java and other systems. He said that executable content meets a user need; it is dynamic and interesting. Java accepts code from anywhere and tries to run it safely, but it may let hostile code break the sandbox. ActiveX, on the other hand, puts the burden on the user and risks trusting too many programs. They have found several problems, often attributed to complexity and product development pressures. Java security depends on safe typing. Type safety flaws and implementation errors have been fixed, but even though security is improved, no protection against denial of service exists. Type safety depends on language semantics. Gray areas in the definition or API are potential vulnerabilities that strain the limits of formal methods. Dynamic linking is one such problem area. On the horizon, JDK 1.1 will have new functionality that brings along new security concerns: remote invocation and persistent objects; garbage collection and finalization; flexible security mechanisms including digital signatures; complexity of JIT compilation; and general new-release bugs.

Li Gong is Java Security Architect at JavaSoft. Java is 500 days old and has 45 million potential users. It is like X11 and C++ rolled into one. Security requires access control on critical resources (files, network connections, and windows). It also helps construct secure applications. The four cornerstones are (1) language safety (type safety, bytecode verifier, classloader); (2) system security infrastructure (protection domain, access control, authorization, delegation, policy); (3) crypto APIs (SHA-1, DES, 3-DES, MD5); and (4) network and Web security protocols (authentication, SSL, SKIP).
Next, Jim Roskind from Netscape explained that Java security is class based, which makes it private, protected, and isolated. It has no direct memory manipulation and no "evil" casting. Still, Java can "lure" one into calling it, and security problems can occur: System.out is not final, so it could be changed; the code base is large (font attack); type name confusion can occur (load it twice and get casting). There are also DNS or other infrastructure problems or implementation flaws. The traditional Java Security Manager is centralized and has a non-extensible base class. The security semantics are separated physically from coding semantics. But class-granularity privileging is both too broad and binary. Too many classes become privileged, and the TCB becomes gigantic. Netscape 3.0x has three states rather than two, a reduced TCB, and performance validation. It also has CallerDepth added to check*() calls (semantics exposed to callers), and other "last resort checks." Class signing will establish the identity of authors. Release 4.0 will have additional features.

Peter Neumann from SRI said that the past was concerned with hardware and software capability models. Today the hardware and software do not support these items well. The vulnerability list is huge: OS, telecommunications infrastructure, browsers, and people. What must we be able to trust? Everything may be on the trusted path. A digitally signed Trojan Horse is still a Trojan Horse. The hardware and the network do not offer adequate support for security. Different security policies often cannot be combined. The future will have to take much more of a systems view of networking. The tradeoff between detection and prevention must be balanced. Authentication and accountability will be helped with signatures, but there are no easy answers, even with cryptography. Digital signing is not the whole solution. Firewalls are semi-permeable; mechanisms may interact badly.

Several discussion points followed.
Peter Neumann said that formal methods help by forcing one to be precise. Hardware encapsulation is no cure-all if the hardware has potential faults. Building trustworthy systems out of untrusted components is a major challenge. Li Gong and Jim Roskind pointed out that Java security is becoming more comprehensive, and plug-ins can also have vulnerabilities. The need for downloadable executables was questioned. The big gain is distributed computation, e.g., time managers. Jeff Schiller noted that signed code can also be abused. Look at the Chaos Computer Club's Quicken attack. Whose fault is it? Steve Kent predicted that sandbox constraints will give way to the need to get to the file system. Then an access control system will be needed. But people have been unable to use fine-grained access control effectively. An indicator on the browser as to whether Java is enabled was suggested. User interfaces, however, are vulnerable to spoofing, so decorations like the key do not buy that much. Peter Neumann recalled how the TCB turned out to be much bigger than the kernel: printer drivers, etc. All of this recurs with Java. Is risk inherent? How do we use our experience?

Session 3 on Protocol Implementation and Analysis was chaired by Christoph Schuba, who remarked that the emphasis is more on analysis than implementation. The first two papers aim at prevention, the third at something that did go wrong.

Stephen H. Brackin of Arca Systems (brackin@arca.com) described "An Interface Specification Language for Automatically Analyzing Cryptographic Protocols." Using an example of a cryptographic protocol failure, he described an analytic tool implemented in a commercial product. Even in a hostile environment, authentication and confidentiality can be achieved with protocols using cryptographic primitives and shared or confirmable secrets. Protocol failure, however, is a weak link in network security.
Tatebayashi, Matsuzaki, and Newman published a protocol at Crypto '89, in which 13 errors have since been found. Belief logics formalize reasoning about authentication. His analytic tool, called ISL, is derived from the Gong-Needham-Yahalom logic. It can express sending, receiving, belief, freshness, conveyance, shared secrets, possession, recognizability, trustworthiness, not-from-here checks, message extensions, and feasibility constraints. Subgoals are proved step by step, and the unproved subgoals point to potential problems that, in fact, show where messages are not authenticated. Running this tool on commercial protocols also led to improved documentation. He concluded that analysis is worthwhile, even though it will not find all problems. Dan Nessett asked what expertise is needed to use these tools. Steve Kent asked about denial of service attacks. Steve Bellovin asked what could not be detected, e.g., non-disclosure violations.

Steve Bellovin then presented "Probable Plaintext Cryptanalysis of the IP Security Protocols." Since secret initialization vectors thwart known-plaintext attacks against the first block, he speculated about a rumor that systems with secret IVs cannot be exported. Probable message attacks were common, for example against Enigma. Rotor settings were attacked with a two-block probable plaintext approach. DES is a strong cipher, but the key size is too small. DES cracking, however, assumes known plaintext, so he examined sources of known plaintext in the protocol headers. IP-ESP-TCP, IP-ESP-UDP, or IP-ESP-IP-TCP are all possible IPSec structures. The header also has a replay detection counter. A single-packet attack can guess many bits and feed them to the search engine. Starting the replay counter at zero or one gives away 30-31 bits of probable plaintext (this has since been changed). Version/header and TOS/precedence yield 15-16 bits. Packet length (16 bits) may be given away with TCP ACKs, and 556 is also a common value.
Source and destination addresses may yield another 64 bits. By cracking two packets from the same stream, the cost doubles, but the attack is much stronger. Within the same connection, port numbers will match, sequence numbers change slowly, and flags/window/urgent yield 48 more likely bits. Even the replay counter will not change much. So single IP packet cracking has 54-58 bits to go by, double has 127; if it's TCP, the numbers are 88 and 124; for UDP, 28 and 48. Traffic analysis can identify TCP open; packet lengths can reveal port numbers. Timings also give protocol clues (e.g., telnet or multiple flurries of downloaded Web images). The possible defenses are (1) avoiding host-to-host tunnel mode; (2) using secret internal addresses; (3) using host-pair or firewall-pair, rather than per-connection, keying. As in VJ compression, drop port numbers; or just DON'T USE DES. Jeff Schiller asked whether one can get the IP stack brand with this approach. Steve Kent asked about attacks on the message text even if the headers are done carefully, the advice not to start replay counters at zero, and whether bad implementations will proliferate. He speculated that header compression may not be worth it. Matt Blaze reiterated that using longer keys is the better answer.

Bryn Dole's paper titled "Misplaced Trust: Kerberos Version 4 Session Keys" reported on work done at COAST. The problem was in the random number generator; keys had only 20 bits of entropy. A SPARC 5 broke them in 25 seconds, but a library of cribs could break them in microseconds. Three things went wrong. The challenge of RNGs was underestimated; the repaired RNG was in the code but never got called; a code review failed to detect that the old RNG was still in use. This was obscured in a #define in a header file. An operational breakdown in process had occurred. The owner of the code could not get reviews done; multiple code trees existed; no regression testing was done.
Software trust is complicated: old, mature, open systems; public source code; secure protocols and standards; design by smart people. Kerberos had all of these! Reverse engineering has shown the futility of security by obscurity, while openness allows public scrutiny. But there is no guarantee. Experts may not look. Old software may have bugs. New features, fixes, and maintenance may introduce bugs, and some are never found. Even provably secure protocols must be implemented correctly and used for the designed purpose. Algorithms and protocols are both important. In summary, the importance of random numbers should not be underestimated, and OS or hardware support is desirable. Open design is good but not a guarantee. Jeff Schiller pointed out that Kerberos was easy to fix because all random numbers are generated on the security servers. One client-based system always picked an all-zero key. Commercial software cannot be examined, which has implications for black-box testing. Steve Kent responded that closed designs can also be done competently, and that publishing does not guarantee expert review. Others asked how to evaluate commercial software, where the internal quality control processes are not visible. Finally, Matt Blaze pointed out a typo in Section 2.2 of the paper.

Session 4 was a panel chaired by Russ Mundy and titled Security of the Internet Infrastructure. The Internet infrastructure is an interaction of pieces; software from many places; standards built from multiple implementations; IP, routing, name service, and network management. Protocols must support security, software must implement the protocols, and policies and correct usage are also required. What belongs to infrastructure? OSPF, BGP, DNS, ARP, SNMP, IP, and DHCP, yes, but probably not SMTP or telnet. Emerging infrastructure includes IPSec/ISAKMP/Oakley, DNSSEC, and SNMP-NG. But standardization and implementation do not imply use (e.g., MOSS). SNMP-NG is a long story.
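The Kerberos v4 story above ends with "no regression testing was done"; the check below is an added example of the regression test that would have caught a key generator with 20 bits of entropy (my own code, not COAST's or MIT's). The weak generator is a constructed stand-in that behaves as the talk describes, 8-byte keys determined by a 20-bit seed, not the actual Kerberos code.

```python
import math
import os
import random

KEY_BYTES = 8          # a DES key: 8 bytes, 56 effective bits
WEAK_SEED_BITS = 20    # constructed stand-in: the seed carries only 20 bits of entropy

# Fixed source of seeds so the demonstration is repeatable.
_seed_source = random.Random(0x4B524235)


def weak_session_key() -> bytes:
    """Looks like 8 random bytes, but is a deterministic function of a 20-bit seed,
    so at most 2**20 distinct keys can ever come out (the entropy reported for Kerberos v4)."""
    seed = _seed_source.getrandbits(WEAK_SEED_BITS)
    return random.Random(seed).getrandbits(8 * KEY_BYTES).to_bytes(KEY_BYTES, "big")


def strong_session_key() -> bytes:
    """OS-supplied randomness: the 'OS or hardware support' the talk asks for."""
    return os.urandom(KEY_BYTES)


def count_collisions(keys) -> int:
    """Number of keys in the sample that repeat an earlier key."""
    seen, dups = set(), 0
    for k in keys:
        if k in seen:
            dups += 1
        seen.add(k)
    return dups


def estimate_keyspace_bits(n: int, collisions: int) -> float:
    """Birthday-bound estimate: n draws from a space of size S give about n**2/(2S)
    collisions, so S is about n*(n-1)/(2*collisions). Infinite when none were seen."""
    if collisions == 0:
        return math.inf
    return math.log2(n * (n - 1) / (2 * collisions))


def audit(generate, n: int = 8192) -> tuple:
    """Draw n keys and return (collisions, estimated key-space bits)."""
    keys = [generate() for _ in range(n)]
    c = count_collisions(keys)
    return c, estimate_keyspace_bits(n, c)


def key_generator_passes(generate, n: int = 8192) -> bool:
    """Regression check: 8192 keys from a healthy 56-bit DES key space collide with
    probability about 2**-39, so any repeat (or a wrong key length) is a defect."""
    keys = [generate() for _ in range(n)]
    if any(len(k) != KEY_BYTES for k in keys):
        return False
    return count_collisions(keys) == 0


if __name__ == "__main__":
    print("weak   :", audit(weak_session_key), key_generator_passes(weak_session_key))
    print("strong :", audit(strong_session_key), key_generator_passes(strong_session_key))
```

With 8192 draws from a 2**20 space the test expects about 32 repeats, so the weak generator fails every run while the estimate lands near 20 bits; a collision test like this costs milliseconds and does not depend on reading the #define that hid the old RNG.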
SNMP is approaching 10 years old with no security. An advisory team was built from two competing camps (v2* and USEC). The approach is now more modular. Documents will describe the modularity; implementations may or may not follow it. Authentication and privacy, along with timeliness, are the most important issues. The standard working group will be re-chartered, and the documents will be revised prior to the April IETF.

Paul Lambert of Oracle stated that security must address messages, names, routing, time, and system management; it must provide confidentiality, integrity, authentication, non-repudiation, and access control. Key management, PKI, and trust management are needed. IPSec, which leaves outer packet headers unencrypted and allows encryption at hosts, routers, or firewalls, uses key management to create security associations and protect IP datagrams. Before this, only link encryption was available. This is a major advance that has a long history; PLI, IPLI, Blacker, Caneware, and NES were precursors. SDNS was published by NIST as SP3, SP4, and KMP. ISO specified NLSP in the 1990s. Today, ISAKMP, Oakley, ISAKMP-Oakley Resolution, In-line Keying, and the Internet DOI make up the mainstream standards work. He also mentioned SKIP and Photuris, as well as S/Wan and John Gilmore's S/Wan-Linux. W3C is looking at the semantics of signatures. ActiveX has no policy: signatures are binary. W3C has a metalanguage, PICS, to describe labels or assertions. Trust management and assertions can help support manageable security. IPSec is a good base; there are too many protocol-specific mechanisms.

Olafur Gudmundsson discussed DNSSEC. DNS is strictly hierarchical and loosely synchronized. It relies on caching. Threats are incorrect configuration, data insertion, fake nameservers, stale data, and incorrect TTL behavior in servers. DNSSEC provides cryptographic bindings with SIG and KEY resource records (RRs), which add signatures and provide public keys in the process.
Today, it secures nameserver-to-nameserver, but not nameserver-to-resolver, interfaces. A chain of keys is verified. The NXT RR allows one to deny existence authoritatively; zone security depends on the parents' being secure. The NS and A records are called "glue," because they are hints, not authoritative. The .com domain signs its own A and NS and is authoritative. The root signs .com's KEY, however. A total of 754,789 names in .com were signed in 38 hours, a major undertaking. An exportable implementation exists, and the root will be signed. For the time being, unsecured parents may exist, and last-hop (resolvers) may trail behind. Dynamic update has been incorporated using an on-line key.

Routing usually comes up with no pre-configured information. OSPF link state routing can be secured with signatures. Distance vector protocols can be [partially] secured with mechanisms that secure the messages. DHCP currently has no security and is implemented on low-end machines. The standard security mechanisms have been proposed, but it is difficult to secure something that does not know its own name. Some of these methods are "all or nothing." Legacy systems are becoming less of an issue. Solutions are proposed as needed; they need to be standardized and deployed.

Steve Bellovin said he dialed in on a cell phone and used PPP encryption controls, IPSec to the firewall, and SSH to his host. He read some PGP mail, and browsed with SSL. We have a lot of security mechanisms. Transmission protection. Origin protection. Architecture is needed. MobileIP, IPSec, and firewalls interact. DHCP makes naming the endpoints problematical. SSL does not know much about the Web. Higher layer protocols? SET, MOSS, PGP, MSP, S/MIME, PEM, etc. Where do keys come from and why do none of them work together? Can Oakley/ISAKMP be used for anything else but IPSec? The Internet is basically bottom up. PGP is simple and installable. SSH and PGP can be done oneself, without a system administrator.
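A runnable model of the two DNSSEC mechanisms Olafur Gudmundsson described, the chain of keys (root signs .com's KEY, .com signs the child's KEY) and NXT denial of existence; this is an added example of my own, not the implementation he discussed. It assumes a toy RSA signature with a 40-bit modulus in place of the real KEY/SIG algorithms, and the three-zone hierarchy and its records are constructed.

```python
import hashlib

E = 65537  # public exponent shared by every toy key


def digest(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def verify(n: int, msg: bytes, sig: int) -> bool:
    return pow(sig, E, n) == digest(msg, n)


class ToyKey:
    """Textbook RSA with a ~40-bit modulus: a forgeable stand-in so the chain logic
    can run offline; it models nothing about real DNSSEC key strength."""

    def __init__(self, p: int, q: int):
        self.n = p * q
        self.d = pow(E, -1, (p - 1) * (q - 1))

    def sign(self, msg: bytes) -> int:
        return pow(digest(msg, self.n), self.d, self.n)


def canonical(name: str) -> tuple:
    """DNS canonical order: compare labels from the root downward, case-insensitively."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))


def rdata(owner: str, rtype: str, value) -> bytes:
    """What gets signed: owner name, type and record data (a simplified wire form)."""
    return f"{owner.lower()}|{rtype}|{value!r}".encode()


class Zone:
    def __init__(self, name: str, parent, p: int, q: int):
        self.name, self.parent, self.key = name, parent, ToyKey(p, q)
        self.rrs = {}   # owner -> {type: value}
        self.sigs = {}  # (owner, type) -> SIG made with this zone's key

    def add(self, owner: str, rtype: str, value):
        self.rrs.setdefault(owner, {})[rtype] = value

    def sign_zone(self):
        """Add an NXT (next owner in canonical order, type bitmap) to every name, then sign all RRsets."""
        names = sorted(self.rrs, key=canonical)
        for i, owner in enumerate(names):
            nxt = names[(i + 1) % len(names)]  # the last name wraps around to the apex
            self.rrs[owner]["NXT"] = (nxt, sorted(self.rrs[owner]) + ["NXT"])
        for owner, rrset in self.rrs.items():
            for rtype, value in rrset.items():
                self.sigs[(owner, rtype)] = self.key.sign(rdata(owner, rtype, value))


def zone_key(zones: dict, anchor: int, zone_name: str):
    """Chain of keys: a zone's public key is trusted only if the parent's signed copy of
    its KEY verifies under the parent's own (recursively verified) key."""
    if zone_name == ".":
        return anchor  # the root key is configured out of band, not verified
    parent = zones[zones[zone_name].parent]
    parent_n = zone_key(zones, anchor, parent.name)
    if parent_n is None or (zone_name, "KEY") not in parent.sigs:
        return None    # unsecured parent: nothing below it can be verified
    n = parent.rrs[zone_name]["KEY"]
    return n if verify(parent_n, rdata(zone_name, "KEY", n), parent.sigs[(zone_name, "KEY")]) else None


def verify_rrset(zones: dict, anchor: int, zone_name: str, owner: str, rtype: str) -> bool:
    zone, n = zones[zone_name], zone_key(zones, anchor, zone_name)
    if n is None or rtype not in zone.rrs.get(owner, {}):
        return False
    return verify(n, rdata(owner, rtype, zone.rrs[owner][rtype]), zone.sigs[(owner, rtype)])


def prove_nonexistence(zones: dict, anchor: int, zone_name: str, qname: str) -> bool:
    """Authenticated denial: a signed NXT whose interval covers qname proves it does not exist."""
    zone, q = zones[zone_name], canonical(qname)
    if qname in zone.rrs:
        return False
    for owner in zone.rrs:
        lo, hi = canonical(owner), canonical(zone.rrs[owner]["NXT"][0])
        covers = (lo < q < hi) if lo < hi else (q > lo or q < hi)  # last interval wraps
        if covers:
            return verify_rrset(zones, anchor, zone_name, owner, "NXT")
    return False


def build_zones() -> tuple:
    """Constructed hierarchy: root signs com's KEY, com signs example.com's KEY. Returns (zones, anchor)."""
    root = Zone(".", None, 1000003, 1000033)
    com = Zone("com.", ".", 1000037, 1000039)
    ex = Zone("example.com.", "com.", 1000081, 1000099)
    ex.add("example.com.", "KEY", ex.key.n)
    ex.add("www.example.com.", "A", "192.0.2.10")
    ex.add("mail.example.com.", "A", "192.0.2.25")
    com.add("com.", "KEY", com.key.n)
    com.add("example.com.", "KEY", ex.key.n)           # parent's signed copy of the child's key
    com.add("example.com.", "NS", "ns.example.com.")  # delegation "glue": a hint, not authoritative
    root.add(".", "KEY", root.key.n)
    root.add("com.", "KEY", com.key.n)
    for z in (root, com, ex):
        z.sign_zone()
    return {z.name: z for z in (root, com, ex)}, root.key.n
```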
Then there is the international issue. SSH comes from Finland. And crypto does not solve all of the problems; maybe half of them. Bugs in code are most of the rest. Half have been in sendmail. Dan Farmer says he can get into 75% of the machines he looks at by exploiting simple problems like sendmail and a wuftpd race condition.

Dan Nessett asked about address resolution. It's primarily a LAN issue. Steve Bellovin says that the routing infrastructure is totally fragile and attacks on it allow the Internet to be broken badly today. The general quality of ISPs is down with their increase in numbers. One can buy an "ISP in a box." More filtering is needed by the larger ones. Steve Kent asked about interdomain routing as well. Jeff Schiller said the PKI challenge was counter to the Internet culture, according to which some root servers are run by volunteers. PKI showed up with the lawyers. VeriSign says the end user is supposed to use a trusted system (like Windows 95?). PKI breeds monopoly behavior, and the Internet snubs this behavior.

The banquet speaker was Jeff Schiller of MIT, also IETF Security Area Director; he titled his talk "Encryption Key Recovery Considered Harmful." After a few introductory remarks about life at MIT and as an IETF Area Director, he got into the main topic. In 1991, a paragraph was put in several bills that it was the "sense of Congress" that keys should be turned over to the government when appropriate. This proposal showed up about five times without making any progress. Then Clipper arrived in April 1993. It set the tone for where the government was going. (Earlier, in 1987, the NSA-proposed CCEP had been rejected by industry.) Now it's 1997, and several window dressings of Clipper have also come and gone. The latest is key recovery, whereby the appeal to business is, "What if employees lose your keys?" It is an appeal to synergy, but it does not hold up under closer scrutiny. Why do we want to encrypt data?
Most data are not too sensitive. Laptops, agreed, have low vapor pressure, so encrypting their hard disks is a good idea. But usually the tradeoff is "would I rather lose this, or would I rather have it compromised?" Consider, for instance, the spy manual that says, "The following methods are probably illegal, so check first." Communications security never needs to be recovered. The government wants these keys, at our expense and at our increased risk.

What does this mean for individuals, as opposed to business? Key recovery centers may make a best effort, but what is their real liability? How long are keys escrowed? Forever? Key recovery centers are targets, like the CIA Web site. In the real world, we deal with bits; details. In the real world, it is different. TIS proposes a data recovery center. But the first court order may allow law enforcement to seize the entire box, not just one key. Perfect forward secrecy is different again: the keys are immediately destroyed after use. In 1982, Al Bates of the FBI was asked, doesn't the Mafia know you are listening in? Sort of. Occasionally they would overhear a conversation about a drug deal, and all the agents who showed up would be killed. Bank vaults have a timer that will not open until 9 AM because of kidnapping. What about root keys? What is their protection against kidnapping? Could the person in charge subvert key recovery? Yes. Should new certificates only be signed between 9 AM and 5 PM? No one has said. Note that the key recovery center is an extremely weak link.

In the new rules on the export of key recovery systems, the U.S. government wants to have control over the individuals who will run the recovery center. Foreign governments cannot accept this easily. So this leads to bilateral agreements and dual access. Our own government may not be out to get us, but what is the least common denominator across all of these bilateral agreements? It seems as if one may as well not encrypt.
The word "balance" is another funny term. "We must balance the needs of ... ." Balance is not part of venetian blind design. We take it for granted today that our thoughts are private. What about 100 years from now? If someone invents a mind reading device, we would likely have laws against using it. Only the police can use it, and only with a court order. Then someone else may invent a helmet that shuts out the device, and law enforcement screams for "balance." We do not need "balance." The same argument can be made for torture. Key recovery is not about business. It is about government access. The word "escrow" used to be a good word. This is a ruse to confuse the public; it is a crock; it is wrong. And for the companies that have signed up to make some money from this, shame on you!

Session 5 on Routing Security was chaired by Hilarie Orman, who asked: The experts who stood on the shoulders of giants and designed the protocols that guide packets through the Internet surely would not have forgotten to put security in the protocol, would they have?

Karen Sirois presented work done at BBN titled "Securing the Nimrod Routing Architecture." The focus is on protecting against degradation or denial of service. Security requirements, especially availability, were derived from the architecture and potential attacks. The attacks involved modification, rearrangement, replay, delay, or introduction of new messages, as well as taking control of a point in the network. Nimrod is DARPA funded and in the IETF standards process. It uses service-specific information and is highly scalable. Nodes and endpoints have attributes; they form a distributed database and are clustered hierarchically; the active elements in a node are agents (e.g., endpoint representatives, forwarding, routing). Nodes produce link state maps locally and use these to generate routes. Data origin authentication and connectionless integrity are the primary requirements.
Access control and a weak form of non-repudiation are also needed. Confidentiality is secondary. IPSec ESP with anti-replay in tunnel mode and optional encryption was selected, since it is more efficient and inclusive than AH. Another protocol is used for the shared secrets. Digital signatures were used end to end to provide non-repudiation and access control for multi-point broadcast. RSA, SHA-1, and X.509v3 certificates were used, with DNS for SubjectAlternateNames. Timestamps are used as an anti-replay mechanism for updates and query responses, and hash values within a window are saved. Access control is identity based; caching of specific messages supports weak non-repudiation. Byzantine attacks still pose hard problems, and implementation flaws are a potential vulnerability. Questions covered clock reliability, formal analysis, certificate management, and management traffic.

Next, Brad Smith presented work on "Securing Distance-Vector Routing Protocols," done at UC Santa Cruz. Messages contain one or more updates with a destination and distance. Routers maintain a shortest path tree. Changes cause the tree to be recomputed, and then new routes are passed to neighbors. Updates can be fabricated; unauthorized nodes can participate; nodes can masquerade or hijack sessions; links can be subverted by an intruder; software in routers can be modified. These attacks can result in "black hole routes" (denial of service, when a zero cost route gets advertised and the network implodes), reconfiguring the logical topology (inaccurate accounting and disclosure of traffic), and routing traffic snooping that discloses path information. The model assumes a PKI exists for routers, information from routers can only be trusted when it comes from direct neighbors, and communication depends only on IP. The countermeasures are message protection and update protection. Message protection works as in RIP v2: a message sequence number plus AH-like security.
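Both of these talks rely on an anti-replay check at the message level, and the two take different routes: Nimrod keeps timestamps within a window plus the hashes of messages seen inside it, while the distance-vector work follows RIP v2 with a sequence number and a keyed hash. The example below is added for these notes and is not code from either paper; it shows both receivers side by side on constructed messages, with HMAC-SHA-256 truncated to 128 bits standing in for the keyed hash, and the window size and the assumption that the timestamp is covered by the message's authentication are mine.

```python
"""Anti-replay checks for routing messages, as an added illustration; this
is not code from the Nimrod or distance-vector papers summarised above.
Two mechanisms from the two talks are shown side by side:

  TimestampWindow: the Nimrod approach. A message is accepted only if its
      timestamp lies within a tolerance window of local time, and the hashes
      of messages already seen inside the window are kept so that a replay
      within the window is rejected too. (The timestamp is assumed to be
      covered by the message's own authentication.)
  SequenceChecker: the RIP v2 style message protection. A 32-bit
      per-neighbour sequence number that must increase, plus a 128-bit keyed
      hash over the message; HMAC-SHA-256 truncated to 128 bits stands in for
      the keyed hash.

Keys and route text are constructed sample data.
"""

import hashlib
import hmac
import struct
from typing import Dict

TAG_LEN = 16  # 128-bit keyed hash


class TimestampWindow:
    def __init__(self, window_seconds: int = 30):
        self.window = window_seconds
        self.seen: Dict[bytes, int] = {}  # digest of (timestamp, message) -> timestamp

    def accept(self, msg: bytes, ts: int, now: int) -> bool:
        if abs(now - ts) > self.window:
            return False  # stale, or timestamped in the future
        # drop remembered digests that have aged out of the window
        self.seen = {d: t for d, t in self.seen.items() if abs(now - t) <= self.window}
        digest = hashlib.sha256(struct.pack("!I", ts) + msg).digest()
        if digest in self.seen:
            return False  # replay inside the window
        self.seen[digest] = ts
        return True


def protect(key: bytes, seq: int, body: bytes) -> bytes:
    """Sender side: 32-bit sequence number || body || 128-bit keyed hash."""
    header = struct.pack("!I", seq) + body
    tag = hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag


class SequenceChecker:
    """Receiver state for one neighbour: the shared key and the last sequence
    number accepted from it. The keyed hash is checked first, so a forged
    packet cannot advance the sequence number."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, packet: bytes) -> bool:
        if len(packet) < 4 + TAG_LEN:
            return False
        header, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted
        seq = struct.unpack("!I", header[:4])[0]
        if seq <= self.last_seq:
            return False  # replayed (or reordered, older) message
        self.last_seq = seq
        return True


def demo() -> Dict[str, bool]:
    """Run both checks over a constructed exchange and return each outcome."""
    key = b"constructed-shared-secret"
    rx = SequenceChecker(key)
    p1 = protect(key, 1, b"route 10.0.0.0/8 metric 2")
    p2 = protect(key, 2, b"route 10.0.0.0/8 metric 3")
    tampered = p2[:-1] + bytes([p2[-1] ^ 0x01])  # flip one bit of the tag
    out = {
        "seq_first": rx.accept(p1),
        "seq_second": rx.accept(p2),
        "seq_replay": rx.accept(p1),
        "seq_tampered": rx.accept(tampered),
    }
    tw = TimestampWindow(window_seconds=30)
    update = b"nimrod update: link 7 up"
    out["ts_fresh"] = tw.accept(update, ts=1000, now=1005)
    out["ts_replay"] = tw.accept(update, ts=1000, now=1010)
    out["ts_stale"] = tw.accept(update, ts=1000, now=1040)
    return out
```

The tradeoff the talk mentions shows up directly in the two classes: the sequence checker needs no clock but must keep per-neighbour state that survives restarts, while the timestamp window needs loosely synchronized clocks and a cache that grows with the traffic inside the window.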
Update protection uses digital signatures by the originating router, update sequence information, and predecessor network analysis to protect the distance field. Timestamps versus sequence number tradeoffs were considered. Each message has a 128 bit keyed hash and 32 bit sequence number. Each update has these plus a 64 bit predecessor plus 32 bit originating address. Computing time is an additional cost. Subverted routers can still fabricate incident links and delete updates, and any node can snoop routing information. (BGP uses TCP links that can be encrypted, but others use broadcast.) In conclusion, protection from outsiders is relatively straightforward; protection from subverted routers requires sequence and predecessor information as well. The solutions can be applied to many protocols: IDRG, BGP, RIP, RIP-2. Questions addressed key management and the use of the term "digital signature" for keyed hash message authenticators.

Gene Tsudik presented work done at IBM Zurich titled "Reducing the Cost of Security in Link-State Routing." This is a more abstract approach to Dijkstra's shortest path link state algorithms; it does not look at Ford-Fulkerson distance vector algorithms. Confidentiality is not a requirement, but origin authentication, non-repudiation, integrity, timeliness, and ordering are. The solutions employ PK based digital signatures, one-way hash functions, and hash chain constructs (Lamport). Hash chains work as follows: Alice generates a secret, repeatedly hashes it n times, and gives this to Bob. Then she releases the pre-images in reverse order. In many cases, link state updates do not change much. So, they propose an anchored link state update when the hash chain is depleted or the information changes. Otherwise, just the next hash sequence value is released. The next step is to observe that, in general, links are either up or down. So, each node generates N x K x S hashes, where N is the length of the chain, K is the number of links, and S is the number of states, typically two.
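The hash chain construction just described is short enough to show end to end. The following is an added example written for these notes, not code from the paper: a sender keeps one chain per (link, state) pair, publishes only the anchors in the (signed) anchored update, and releases pre-images in reverse order; the receiver authenticates each later update with a hash instead of a signature check, and rejects replays because a chain only ever moves toward the secret. Allowing a few lost updates (the `max_skip` tolerance) is my assumption, not something the report attributes to the paper.

```python
"""Hash-chain authentication of link state, as an added example of the
Lamport-style one-way chains the report says Tsudik's scheme builds on;
this is not code from that paper. A node draws a random secret, hashes it
N times and puts only the anchor h^N(s) into a signed "anchored" update.
Each later update releases the next pre-image in reverse order; a receiver
hashes the released value and checks that it reaches the last value it
accepted, so authenticating an update costs one hash instead of one
signature check. With K links and S states per link the node keeps one
chain per (link, state) pair, N x K x S hashes in all, and "link i is now
in state j" is just the next unreleased value of chain (i, j). The
tolerance for lost updates (max_skip) is an assumption of this example.
"""

import hashlib
import os
from typing import Dict, List, Optional, Tuple

Key = Tuple[int, str]  # (link index, state name)


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


class LinkStateSender:
    def __init__(self, chain_len: int, num_links: int, states=("up", "down")):
        self.chains: Dict[Key, List[bytes]] = {}
        self.next_index: Dict[Key, int] = {}
        for link in range(num_links):
            for state in states:
                secret = os.urandom(32)
                chain = [secret]                      # chain[i] == h^i(secret)
                for _ in range(chain_len):
                    chain.append(h(chain[-1]))
                self.chains[(link, state)] = chain    # chain[-1] is the anchor h^N(s)
                self.next_index[(link, state)] = chain_len - 1

    def anchors(self) -> Dict[Key, bytes]:
        """Values carried in the signed anchored link state update."""
        return {k: c[-1] for k, c in self.chains.items()}

    def report(self, link: int, state: str) -> Optional[bytes]:
        """Release the next pre-image for (link, state); None when the chain
        is depleted and a fresh anchored update is required."""
        i = self.next_index[(link, state)]
        if i < 0:
            return None
        self.next_index[(link, state)] = i - 1
        return self.chains[(link, state)][i]


class LinkStateReceiver:
    def __init__(self, anchors: Dict[Key, bytes], max_skip: int = 4):
        self.last: Dict[Key, bytes] = dict(anchors)  # last accepted value per chain
        self.max_skip = max_skip
        self.link_state: Dict[int, str] = {}

    def accept(self, link: int, state: str, value: bytes) -> bool:
        """Accept if hashing value 1..max_skip+1 times reaches the last
        accepted value of that chain. A replayed or older value never does,
        because the chain only moves toward the secret."""
        key = (link, state)
        if key not in self.last:
            return False
        v = value
        for _ in range(self.max_skip + 1):
            v = h(v)
            if v == self.last[key]:
                self.last[key] = value
                self.link_state[link] = state
                return True
        return False


def demo() -> dict:
    """Constructed exchange: two links, chains of length 5."""
    tx = LinkStateSender(chain_len=5, num_links=2)
    rx = LinkStateReceiver(tx.anchors())
    out = {}
    v = tx.report(0, "up")
    out["first"] = rx.accept(0, "up", v)
    out["replay"] = rx.accept(0, "up", v)          # same value again
    tx.report(0, "up")                              # this update is lost in transit
    v = tx.report(0, "up")
    out["after_loss"] = rx.accept(0, "up", v)       # still verifies, two hashes away
    out["wrong_chain"] = rx.accept(1, "up", v)      # value from another link's chain
    out["down"] = rx.accept(1, "down", tx.report(1, "down"))
    out["state"] = dict(rx.link_state)
    tx.report(0, "up"); tx.report(0, "up")          # the remaining two values
    out["depleted"] = tx.report(0, "up") is None    # time for a new anchored update
    return out
```

The "one hash per link reported on" cost from the talk is visible in `accept`: the receiver does a handful of hashes per update and no public key operation until the next anchored update, and the N x K x S figure is exactly the number of entries `LinkStateSender` precomputes.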
This handles more frequent state changes. Each node can report on all incident links at once at the cost of one hash per link reported on. Hash functions are all that is required, along with good randomness and loose clock synchronization. "Continuous" link state functions and frequent variations may make this approach impractical. Murphy and Badger at NDSS '96 and Perlman's thesis were used as sources. Steve Kent asked about hash chains not being exhausted at the same rate. Another question had to do with changing the set of designated routers. A third asked about running multiple routing protocols.

Session 6, Security for the World Wide Web, was chaired by Win Treese. First, Brian C. Schimpf of Gradient Technologies presented "Securing Web Access with DCE." Gradient has worked with the Open Group Research Institute to speed the development of secure client/server applications using Web technology. The idea was to use the DCE infrastructure (location independence of servers and security). DCE provides strong (Kerberos based) authentication, data integrity, confidentiality, and a flexible and convenient authorization model. SLP, the secure local proxy, runs under the browser on the desktop. It just passes normal URLs through, but looks up servers when it sees DCE names. Then it gets authorization information (a service ticket) for the user. The HTTP request is then tunneled through authenticated RPC. The DCE-aware server unwraps this and uses the authorization information. A Web toolkit library is available to help build application servers. Identity and group based authorizations are performed at the server by an ACL manager. The ACL model was extended to support sparse ACLs. Attributes are inherited downward dynamically. The target audience for this technology is within an organization and between cooperating organizations, rather than external electronic commerce on the Web. Steve Kent asked about load sharing: DCE does support this, although somewhat differently.
A comparison with SSL 3 was also discussed. The session key granularity is different.

Session 6 continued with a panel discussion. Barbara Fox (bfox@microsoft.com) of Microsoft described Shared Key Authentication for the TLS Protocol. Some essential changes to SSL are being introduced, in particular, shared key or password based authentication with backwards compatibility. Even if weak passwords (PINs) and weak encryption (40 bits) are used, passwords can be protected better. An optional SharedKey message is appended to ClientHello. The proposal is still being modified. This is in the tls-passauth draft by Daniel Simon. SCHANNEL.DLL will be the MS product that uses this.

Fred Avolio talked about Web commerce, from both the client and server sides. Clients have to protect themselves better, e.g., "click here to self-destruct." Web servers on "sacrificial" machines are also a questionable idea.

Asked about the most important issues, Brian Schimpf said management of security and scaling; Barbara Fox listed authentication, digital signatures, and public understanding; Fred Avolio stressed integrity as well: people tend to believe what computers tell them. What approach is recommended for addressing the mix of authentication methods? The needs for password pass-through, for authentication gateways, and for ways of handling legacy applications were cited. Steve Kent asked about the ability to issue certificates in the name of an account number and use SSL 3.0. Barbara Fox responded that they want to encourage this. Large installed card bases are still expensive in terms of customer support. It may still cost $10 / certificate. Dan Nessett asked what is being done about authorization and access control. Brian Schimpf answered that DCE has one model, which also supports a straight SSL interface to it. Netscape 4.0 contains a "capability space." Except for client and server hello, why have other messages also been added?
Barbara Fox said the motivation was to use the Master Shared Secret to maintain exportability. What about Kerberos support? It seems likely to be subsumed by SharedSecret authentication. A question came up about what the user sees versus what the smart card signs. A lot of user interface work and consumer understanding has not been done yet. People do not really put much emphasis on credit card vulnerabilities, and transparency to the user will be important. User configurability will be demanded. Web purchases are a major convenience internationally. A lot of emphasis is being put on the "wallet" model. The big fear is a loss large enough to undermine confidence. The biggest fraud in credit cards is merchant fraud, and the biggest loss is people who do not pay their bills, so Web commerce amounts more to shifting the risks around. How will all this security technology impact firewalls? Perimeter defense and end to end encryption are different problems. Firewalls will change somewhat.

Jonathan Trostle of CyberSafe chaired Session 7 on Public Key Management. The first two papers dealt with the X.500 model and enhancements to it. The third paper considered extensions to Kerberos.

Lourdes Lopez of Universidad Politecnica de Madrid presented "Hierarchical Organization of Certification Authorities for Secure Environments." The objectives are generality, openness, and ease of deployment. Version 3 of X.509 has been an important step. They have generalized the model and formally specified the policy. A tool named SecKit implements X.509: generation of keys, sending and receiving secure files (signed and encrypted), and access to the Directory. It runs on X-11 or MS Windows. SecServer generates keys, certificates, and CRLs. It implements an RA and CA. In the experiment, SecServer interfaces both with the X.500 Directory and SecKit users. In the first model, the Communal Security Rules Group implements multiple layers of CAs within different policies defined at the root.
This was generalized in the second model, which introduces Group CAs and Subgroup CAs. Certification under different policies or by different CAs is possible. The third model also has policy CAs. Multiple CAs lead to certificate path validation options. Either the lowest common node or the foreign root is chosen.

Andrew Young from the University of Salford, U.K., reported on "Trust Models in ICE-TEL." ICE-TEL is a European-wide follow-up to the PASSWORD Project. They have 17 partners from 13 countries, software from COST, GMD, ISODE, and SSE, and they want to build and pilot secure WWW, S/MIME, and X.500 applications. Use of a PKI requires trust in third parties who have attested to public keys. Guarantees and liability are important. Who asserts what about whom? What is the policy? Syntactic and semantic checks? The PGP approach is the "trusted introducer." It has low start-up cost and complexity but poor scalability. The PEM trust model consists of a single hierarchy with multiple policies, in which the CAs are arranged hierarchically, the PCAs publish a policy, and the IPRA ties the PCAs together. It scales well, but getting started is hard. You cannot just install two copies and go ahead. PGP is user centric; PEM is organization centric.

ICE-TEL aims to support diverse domains from individuals to large organizations and to allow for growth and flexibility. Trust between domains is by choice and need not be mutual or transitive. Each domain contains trust points that cross certify each other; trust points advertise a policy; users advertise a path to a trust point. Each user stores the public key of a trusted user and the public key plus policy of a trusted CA. The model accommodates individuals, small companies, large companies, and their interactions. The advantages are scalable deployment, flexible reorganization, explicit use of policy, and support for embedded high security domains. Questions addressed revocation and path discovery.
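The path discovery question that closed the session ties the two talks together: within one hierarchy a verifier builds the path from the lowest common CA, and across hierarchies it needs a cross-certificate from one of its own trust points. The following is an added example written for these notes, not code from the Madrid or ICE-TEL projects, and the CA names, the policy labels, and the rule that cross-certificates are honoured only when issued by a CA on the verifier's own chain (so trust is directed and never followed transitively) are assumptions made to model the text.

```python
"""Certification path discovery across CA hierarchies, as an added example
for the X.509 hierarchy models and the ICE-TEL trust points described
above; not code from either project. Assumptions made here: every CA has
at most one parent; a user trusts the CA that issued its own certificate
and that CA's ancestors; a path to a peer in the same hierarchy is built
from the lowest common CA downward, while a peer in a foreign hierarchy
is reached only through a cross-certificate that one of the verifier's
own CAs (its trust points) issued to the foreign root, and only if the
policy asserted in that cross-certificate is one the verifier accepts.
Cross-certificates are directed and are not followed transitively, which
models the "by choice, not mutual, not transitive" trust of ICE-TEL.
CA and user names are constructed.
"""

from typing import Dict, List, Optional, Set, Tuple


class Hierarchy:
    def __init__(self) -> None:
        self.parent: Dict[str, Optional[str]] = {}   # CA -> parent CA (None for a root)
        self.issuer: Dict[str, str] = {}              # user -> issuing CA
        self.cross: Dict[Tuple[str, str], str] = {}   # (trust point, foreign root) -> policy

    def add_ca(self, ca: str, parent: Optional[str] = None) -> None:
        self.parent[ca] = parent

    def add_user(self, user: str, ca: str) -> None:
        self.issuer[user] = ca

    def cross_certify(self, trust_point: str, foreign_root: str, policy: str) -> None:
        self.cross[(trust_point, foreign_root)] = policy

    def chain_to_root(self, ca: str) -> List[str]:
        chain: List[str] = []
        cur: Optional[str] = ca
        while cur is not None:
            chain.append(cur)
            cur = self.parent[cur]
        return chain

    def find_path(self, verifier: str, subject: str,
                  accepted_policies: Set[str] = frozenset()) -> Optional[Tuple[str, List[str]]]:
        """Return (anchor, path): the CA the verifier starts from and the CAs,
        anchor first, whose certificates must be checked down to the
        subject's issuer. None if no acceptable path exists."""
        v_chain = self.chain_to_root(self.issuer[verifier])
        s_chain = self.chain_to_root(self.issuer[subject])
        common = [ca for ca in s_chain if ca in v_chain]
        if common:
            anchor = common[0]                      # lowest common node
            return anchor, s_chain[: s_chain.index(anchor) + 1][::-1]
        foreign_root = s_chain[-1]
        for trust_point in v_chain:                 # verifier's own CAs, nearest first
            policy = self.cross.get((trust_point, foreign_root))
            if policy is not None and policy in accepted_policies:
                return trust_point, [trust_point] + s_chain[::-1]
        return None


def sample() -> Hierarchy:
    """Two constructed hierarchies joined by a single one-way cross-certificate."""
    h = Hierarchy()
    h.add_ca("Root1"); h.add_ca("CA_A", "Root1"); h.add_ca("CA_B", "Root1")
    h.add_ca("Root2"); h.add_ca("CA_X", "Root2")
    h.add_user("alice", "CA_A"); h.add_user("alan", "CA_A")
    h.add_user("bob", "CA_B"); h.add_user("xavier", "CA_X")
    h.cross_certify("Root1", "Root2", "medium")     # Root1 vouches for Root2 under policy "medium"
    return h
```

With the sample hierarchy, alice reaches alan through CA_A alone, reaches bob through the lowest common node Root1, and reaches xavier only because Root1 holds a cross-certificate for Root2 under a policy she accepts; xavier cannot build a path back to alice, because the cross-certificate runs one way, which is the non-mutual trust the ICE-TEL talk describes.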
John Chung-I Chuang of CMU gave the last talk, titled "Distributed Authentication in Kerberos Using Public Key Cryptography." PKDA is a proposed extension to Kerberos Version 5. Public key cryptography can reduce or eliminate the sensitive data in the KDC and distribute the functionality of the ticket granting service. (Consider, for example, the scalability of an on-line banking application with millions of customers.) PKDA is an RFC 1510 extension and builds on X.509 and PKCS. SSL 3.0, pk-init from ISI, and PKDA are all described in Internet Drafts. SSL supports TCP but not UDP; clients and servers exchange certificates; both cache state information and resend this when needed; revocation is not specified. Pk-init supports TCP and UDP and has no client keys in the KDC. PKDA runs at a higher layer than SSL 3.0 and supports UDP. It has end-to-end encryption across proxies and gateways and ticket reusability, which means the client stores the session key and resends the ticket with a fresh authenticator. No three way handshake as in SSL is needed for re-establishment. Compared with pk-init, PKDA is fully distributed (no central KDC) and has enhanced privacy, but it requires modification of both client and server code, whereas pk-init only requires modification of client code.

Clients in PKDA communicate directly with the application server to obtain a certificate. Clients make up the session keys. Delegation in PKDA is a direct extension of Kerberos. The client has to set the "proxiable" flag. If a PKDA client communicates with a server that does not understand PKDA, a local, replicated TGS can be contacted to retrieve a conventional TGT. The benefits of pk-init are then achieved without having to modify server code. They have a working implementation for CMU's NetBill (using DCE RPCs and an enhanced IDL compiler). They have verified the protocols formally. The I-D will be revised and reissued.

Session 8 was a panel on Web Privacy and Anonymity chaired by Cliff Neuman.
The broad issues are that Web browsers, servers, and proxies can learn a lot about users' interests. This information can be hidden by technical means, but servers may also need this information. Social and legal pressure may prevent inappropriate use; acceptable use may be negotiated; and auditing and endorsement may provide assurance.

Jean Camp of Sandia said that privacy means the subject controls information, rather than the owner (security). What are you doing on the Web? Communicating, purchasing, retrieving information. Free information can be read anonymously. Lamont vs. Postmaster General was about having to register to get information about communism. The ECPA protects us from observers but not from other participants. In Olmstead, the Court said there was no search: the wires are outside the home. Katz reversed this: there is a reasonable expectation of privacy. In NAACP vs. Alabama, the state wanted the membership list. The Web is about associating and assembling. The Right to Financial Privacy Act limits government. In U.S. vs. Miller, 1976, the Court ruled that a financial transaction is inherently public. Aggregate information poses new problems: cookies, anonymous proxies, and pseudonyms can be used. Anonymous transactions can still be billed effectively. Privacy depends on service provider policy, system configuration, and services. Browsers give away machine and OS information, as well as previous pages, helpers, and our e-mail address. Current debate centers around HR 98, the Consumer Internet Privacy Act; more information about it can be obtained from EPIC (www.epic.org).

Peter Neumann of SRI mentioned the many stories of privacy violations in the Risks Archives, including government and medical records. The Web makes aggregation and inference much easier. Anonymity is important: whistle blowers, violence and hate crime victims. For payments, anonymity is double edged. The risks are also technical. Billing messages can contain covert information.
Voting has many interesting aspects. Anonymous systems without accountability will not work. Even with accountability, the infrastructure must be secured.

Gene Tsudik from ISI asked whether anonymity is a blessing or a curse. It is good for commerce, counseling, whistle blowing, voting, free speech, polling, and surveying. What is there to hide? Names, identifiers, account numbers, location, linkability, timing (when do you read e-mail?), and volume. From whom is there to hide? Intended recipients, casual eavesdroppers, professional eavesdroppers, global observers, or an impostor of oneself. Anonymity can apply to the transport (remailers, www.anonymizer, MIXs) or mechanism (e-money). MIXs for synchronous communications are needed. See also the MobileIP work being done at Aachen.

The panel posed several questions: Relationship of speech to privacy? What is it possible to achieve simultaneously? Purloined identities? The Joe Klein case: identification through writing style? Next logical step?

Dan Nessett asked for better problem definition. Personal interactions involve an implicit contract. This contract may be misunderstood or explicitly violated. But part of the problem is unequal bargaining power. Banking or getting a driver's license demands your social security number. People may have the desire to browse but be left alone. Unsolicited e-mail and accidental name matches occur. Do we have a model of the problem? Privacy is deep and multi-faceted. Expectations vary from setting to setting. Today, the Internet is a "country you enter voluntarily."

Hilarie Orman distinguished one-time anonymity from repeated identity anonymity (unabomber or deep throat). How much of this is new, and how much is just a new setting for what existed before? People are made responsible for errors others make about them. The electronic world makes collection easier and lower cost. "Deleted" data is not deleted but just marked "deleted."
Do we have the implicit right to report on our dealings with other people? For instance, people who do not pay their bills? Tax avoidance is an issue with financial transactions. Keyword search is easy with AltaVista, and allows, for example, job applicant screening. There are legitimate needs to have a private conversation; also there is a conflict with government interests. Jeff Schiller compared this with the three laws of thermodynamics: You can't win; you can't break even; you can't get out of the game.

I would like again to thank Dave Balenson for the opportunity to provide these notes, and I sincerely hope to see you next February in San Diego.

________________________________________________________________________
New Reports available via FTP and WWW
________________________________________________________________________

http://www.gits.fed.gov/htm/access.htm
Report on how the Clinton administration plans to employ information technology in its effort to "reinvent government"; includes some explicit effort to address security and privacy issues.

http://www.sjmercury.com/acm97/
Coverage by the San Jose Mercury of the ACM '97 conference, including articles on each of the keynote speeches.

http://www.aclu.org/issues/cyber/trial/sctran.html
The verbatim transcript of the oral argument at the U.S. Supreme Court Wednesday, March 19, in the Communications Decency Act case. There have been many press reports, but it is interesting to see the original. One of the briefs filed (the ACLU's amicus brief) is available as well, at http://www.shsl.com/internet/supcourt/brief.html

http://www.revisor.leg.state.mn.us/cgi-bin/bldbill.pl?bill=H0056.0&session=ls80
Proposed Minnesota legislation regarding digital signatures, defining certification authorities and providing for licensing.
http://www.ndu.edu/ndu/inss/actpubs/dcom/dcomcont.html
Defending Cyberspace and Other Metaphors, by Martin Libicki of the National Defense University

http://www.isoc.org/internet-history/
A Brief History of the Internet, by Barry M. Leiner, Vinton G. Cerf, David D. Clark, Robert E. Kahn, Leonard Kleinrock, Daniel C. Lynch, Jon Postel, Larry G. Roberts, and Stephen Wolff.

________________________________________________________________________
Interesting Links [new entries only]
________________________________________________________________________

http://www.dsd.gov.au
Australian Defence Signals Directorate (Australian evaluated products list available here)

________________________________________________________________________
Who's Where: recent address changes
________________________________________________________________________

Entered 19 February 1997

Randall Atkinson
Senior Staff Engineer
@Home Network
385 Ravendale Drive
Mountain View, CA 94043
Tel: (415) 937-8127
e-mail: rja@inet.org

________________________________________________________________________
Calls for Papers (new listings since last issue only -- full list on Web)
________________________________________________________________________

CONFERENCES
Listed earliest deadline first. See also Cipher Calendar.

* IFIP-IICIS International Federation for Information Processing, First Working Conference on Integrity and Internal Control in Information Systems, Zurich, Switzerland, December 4-5, 1997 (submissions due May 15, 1997). Conference web page: http://www.ifip.tu-graz.ac.at/TC11/CONF/CFPINS.html

Although it is well-known that confidentiality, integrity and availability are high-level objectives of IT security, much of the attention in the security arena has been devoted to the confidentiality aspect of security.
IFIP TC-11 Working Group 11.5 has been charged with exploring the area of the integrity objective within IT security and the relationship between integrity in information systems and the overall internal control systems that are established in organisations to support the corporate governance codes. We solicit papers describing original ideas and results on foundations and applications related to the subject of integrity and internal control in information systems. Suggested topics include but are not limited to:

 o integrity maintenance in databases and distributed databases
 o integrity maintenance in legacy systems and in non-traditional systems
 o active mechanisms for integrity maintenance
 o static and dynamic integrity constraints
 o methods for dealing with incomplete or inconsistent information
 o autonomy versus global integrity in multi-database systems
 o efficient methods for checking integrity
 o users and organizational requirements with respect to integrity
 o integrity requirements necessary to implement an internal control structure within an organization
 o system and data integrity maintenance during recovery processes
 o integrity of archival data
 o methods for implementing data retention policies
 o methods to repair integrity of data warehouses
 o methods to integrate managerial judgement on the action to take in relation to identified data errors
 o integrity of data dictionaries

* CLEI'97 Chilean Computer Science Society, Valparaiso, Chile, November 12-14, 1997 (submissions are due May 16, 1997). Conference web page: http://www.inf.utfsm.cl/clei97/

The conference will take place as part of a bigger event, together with the XXIII Latin-American Conference in Informatics and the Fourth South American Workshop on String Processing, locally organized by the Technical University Federico Santa Maria. Papers presenting original research in Computer Science are being sought.
Typical, but not exclusive, topics include: Algorithms and Data Structures, Complexity Theory, Artificial Intelligence, Distributed Systems, Computer Algebra, Human-Computer Interaction, Computer Architecture, Office Automation, Computer Graphics, Operating Systems, Databases, Performance Evaluation, Data Communications, Programming Languages, Software Engineering, and Data Security and Cryptography. Extended abstracts are due by May 16, 1997.

* 13th Annual Computer Security Applications Conference, Dec. 8-12, 1997, San Diego, CA. The conference solicits original papers (up to 7500 words), panel proposals (min. 1 page), vendor presentations, and tutorials that address practical approaches to solving these problems in federal, state and local governments, departments of defense, and commercial environments. Selected papers will be those that present examples of in-place or attempted solutions to real problems; lessons learned; original research analyses; and approaches to securing our information infrastructure. All papers, panel/forum proposals, and vendor and tutorial proposals are due by May 30, 1997. Full details are available from Vince Reed (vreed@mitre.org) or Art Friedman (arf@mitre.org), or from the conference web page: http://www.isse.gmu.edu/~acsac/1997/cfp.html

* ICDE'98 The 14th International Conference on Data Engineering, Orlando, Florida, February 23-27, 1998 (full papers are due June 2, 1996; an abstract of the paper is due May 26, 1997). Data Engineering deals with the use of engineering techniques and methodologies in the design, development and assessment of information systems for different computing platforms and application environments. The 14th International Conference on Data Engineering will continue in its tradition of being a premier forum for presentation of research results and advanced data-intensive applications and discussion of issues on data and knowledge engineering.
The mission of the conference is to share research solutions to problems of today's information society and to identify new issues and directions for future research and development work. The complete list of topics and instructions for submitting papers or panel proposals can be found in the call for papers or on the conference web page.

* DIMACS'97 Workshop on Formal Verification of Security Protocols, DIMACS Center, CoRE Building, Rutgers University, September 3-5, 1997 (abstracts are due June 16, 1997; full papers are due August 1, 1997). Details at: http://dimacs.rutgers.edu/Workshops/Cryptographic

As we come to rely more and more upon computer networks to perform vital functions, the need for cryptographic protocols that can enforce a variety of security properties has become more and more important. Since it is notoriously difficult to design cryptographic protocols correctly, this increased reliance on them to provide security has become cause for some concern. This is especially the case since many of the new protocols are extremely complex. In answer to these needs, research has been intensifying in the application of formal methods to cryptographic protocol verification. The goal of this workshop is to facilitate this process by bringing together those who are involved in the design and standardization of cryptographic protocols, and those who are developing and using formal methods techniques for the verification of such protocols. To this end, we plan to alternate papers with panels soliciting new paths for research. We are particularly interested in paper and panel proposals addressing new protocols with respect to their formal and informal analysis.
Other topics of interest include, but are not limited to:
- Progress in belief logics
- Use of theorem provers and model checkers in verifying crypto protocols
- Interaction between protocols and cryptographic modes of operation
- Methods for unifying documentation and formal, verifiable specification
- Methods for incorporating formal methods into crypto protocol design
- Verification of cryptographic API systems
- Formal definition of correctness of a cryptographic protocol
- Arithmetic capability required for proofs of security for number theoretic systems
- Formal definitions of cryptographic protocol requirements
- Design methodologies
- Emerging needs and new uses for cryptographic protocols
- Multiparty protocols, in particular design and verification methods

On-line conference information: registration form, accommodations, travel arrangements, and general conference information.

JOURNALS

Special Issues of Journals and Handbooks: listed earliest deadline first.

* Journal of Telecommunication Systems, call for papers for a special issue on multimedia systems (submissions due April 15, 1997). Multimedia systems and applications have attracted significant attention during the last few years. The ability to deliver audio and video to end-users, in addition to data, has created possibilities which will revolutionize industries ranging from education and advertising, with applications such as digital libraries, distant learning, expert advice and real-time video clip playback, to tele-collaboration, electronic commerce and entertainment, with such applications as video-conferencing, telecommuting, video-on-demand, etc. The Journal of Telecommunication Systems is planning a special issue on multimedia to address this emerging technology. The issue will address all issues of multimedia systems with special focus on issues related to networking and telecommunication systems.
Papers are solicited for this issue in the following areas (but not limited to): Multimedia information processing (compression/decompression); Multimedia storage and retrieval; Network issues (QoS, protocols, performance/modeling, etc.); Telecommunication systems requirements for multimedia; Telecommunication systems architecture and implementation; Security issues; End-to-end multimedia system architecture; and Multimedia applications and application design. More information is available in the call for papers (see Cipher Web page) and on the journal's web page: http://www.ics.forth.gr/events/telej/telej.html

* Special Issue of IEEE Personal Communications Magazine on Mobile Systems and the Web (submissions are due November 1, 1997). The information revolution that the pundits have been predicting seems finally to be upon us. Instantaneous access to information, which has always been dreamed of, is being realized today with the advent of the World Wide Web. Browsing (surfing) the web is becoming an increasingly common activity for computer users from all domains of life. A web browser probably represents the most ubiquitous interface mechanism to computers today, in terms of the number of people who are comfortable in using it. Web access from mobile platforms would truly represent an example of ubiquitous computing, realising the vision of computing anytime, anywhere and by everyone. However, the reality is that HTTP is not a mobile friendly protocol, and is extremely wasteful of bandwidth. The current model of browsing the web is also open to criticism along the same lines. In general, the problem is one of resource constrained browsing platforms connecting to the network via thin pipes that are prone to disconnection. To facilitate web browsing from mobile platforms, it is important to understand these limitations and devise techniques and methodologies which will help alleviate these problems.
The special issue will be devoted to articles which describe such techniques. A representative list (not all inclusive) of topics would include the following as they impact web browsing from wireless platforms:
* granularity reduction of multimedia data for wireless links
* information location and filtering
* prefetching and caching
* delayed fetching
* location dependent data
* improvements in HTTP protocol
* anticipatory caching
More information about submitting a paper can be found in the call-for-papers (check the Cipher Web page).

________________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 1: Conference Papers
________________________________________________________________________

Security-related papers to be presented at COMPASS '97, Gaithersburg, MD, June 18-19, 1997:

o "Using the B-Toolkit to Ensure Safety in SCR Specifications" Indrakshi Ray and Paul Ammann (George Mason University)
o "Assured VLSI Design with Formal Verification" Jang Dae Kim and Shiu-Kai Chin (Syracuse University)
o "On the Formal Verification of Delegation in SESAME" Mehdi Ayadi (LAMSADE-Universite Paris IX Dauphine), Dominique Bolignano (Dyade)
o "Tools for Formal Specification, Formal Verification, and Validation of Requirements" Constance Heitmeyer, James Kirby, and Bruce Labaw (Naval Research Laboratory)
o "Automatic Generation of Test Vectors for SCR-Style Specifications" Mark R. Blackburn (Software Productivity Consortium), Robert D. Busser (T-VEC Technologies), Joseph S. Fontaine (AlliedSignal)
o "On the Uniformity of Error Propagation in Software" C. C. Michael and R. Jones (Reliable Software Technologies Corporation)
o "Perturbation Analysis of Computer Programs" Larry J. Morell (Hampton University), Branson W.
  Murrill (Virginia Commonwealth University)
o "On the Analysis of Software Rejuvenation Policies" Sachin Garg (Duke), Antonio Puliafito (Universita di Catania, Italy), Miklos Telek (Technical University of Budapest), Kishor S. Trivedi (Duke)
o "Reusing Tests of Reusable Software Components" C. C. Michael (Reliable Software Technologies Corporation)
o "Effect of Repair Policies on Software Reliability" Swapna S. Gokhale, Peter N. Marinos and Kishor S. Trivedi (Duke), Michael R. Lyu (Lucent Technologies)
o "Simulation-based Test of Fault-tolerant Group Membership Services" Guillermo A. Alvarez and Flaviu Cristian (University of California at San Diego)

Papers presented at the Internet Society Symposium on Network and Distributed Systems Security, San Diego, CA, February 10-11, 1997, as listed in the preliminary program. Full papers should eventually be available via Internet Society Web pages.

o Experimental Results of Covert Channel Elimination in One-Way Communication Systems, Nick Ogurtsov, Hilarie Orman, Richard Schroeppel, Sean O'Malley, and Oliver Spatscheck (University of Arizona, USA)
o Blocking Java Applets at the Firewall, David M. Martin Jr., Sivaramakrishnan Rajagopalan and Aviel D. Rubin (Bellcore, USA)
o Continuous Assessment of a Unix Configuration: Integrating Intrusion Detection & Configuration Analysis, Abdelaziz Mounji and Baudouin Le Charlier (Institut D'Informatique, Namur, BELGIUM)
o An Interface Specification Language for Automatically Analyzing Cryptographic Protocols, Stephen H. Brackin (Arca Systems, USA)
o Probable Plaintext Cryptanalysis of the IP Security Protocols, Steven M. Bellovin (AT&T Research, USA)
o Misplaced Trust: Kerberos Version 4 Session Keys, Bryn Dole (Sun Microsystems), Steve Lodin (Delco Electronics), and Eugene Spafford (Purdue University, USA)
o Securing the Nimrod Routing Architecture, Karen E. Sirois and Stephen T. Kent (BBN Corporation, USA)
o Securing Distance-Vector Routing Protocols, Bradley R.
  Smith, Shree Murthy and J.J. Garcia-Luna-Aceves (University of California Santa Cruz, USA)
o Reducing the Cost of Security in Link-State Routing, R. Hauser, A. Przygienda and G. Tsudik (IBM and USC/ISI, USA)
o Securing Web Access with DCE, Brian C. Schimpf (Gradient Technologies, USA)
o Hierarchical Organization of Certification Authorities for Secure Environments, Lourdes Lopez (Universidad Politecnica de Madrid, SPAIN)
o Trust Models in ICE-TEL, Andrew Young and Nada Kapidzic Cicovic (University of Salford, UNITED KINGDOM)
o Distributed Authentication in Kerberos Using Public Key Cryptography, Marvin Sirbu and John Chung-I Chuang (Carnegie Mellon University, USA)

Papers presented at the Fast Software Encryption Workshop 1997 (FSE4), January 20-22, 1997, Haifa, Israel.

o χ² Cryptanalysis of the SEAL Encryption Algorithm, Helena Handschuh, Henri Gilbert
o Partitioning Cryptanalysis, C. Harpes, J.L. Massey
o The Interpolation Attack on Block Ciphers, Thomas Jakobsen, Lars R. Knudsen
o Best Differential Characteristic Search of FEAL, Kazumaro Aoki, Kunio Kobayashi, Shiho Moriai
o New Block Encryption Algorithm MISTY, Mitsuru Matsui
o The Design of the ICE Encryption Algorithm, Matthew Kwan
o TWOPRIME: A Fast Stream Ciphering Algorithm, Cunsheng Ding, Valtteri Niemi, Ari Renvall, Arto Salomaa
o On Nonlinear Filter Generators, Markus Dichtl
o Chameleon --- A New Kind of Stream Cipher, Ross Anderson, Charalampos Manifavas
o Improving Linear Cryptanalysis of LOKI91 by Probabilistic Counting Method, Kouichi Sakurai, Souichi Furuya
o Cryptanalysis of Ladder-DES, Eli Biham
o A Family of Trapdoor Ciphers, Vincent Rijmen, Bart Preneel
o The Block Cipher Square, Joan Daemen, Lars Knudsen, Vincent Rijmen
o xmx, a Firmware-Oriented Block Cipher Based on Modular Multiplications, David M'Raihi, David Naccache, Jacques Stern, Serge Vaudenay
o MMH: Software Message Authentication in the Gbit/second Rates, Shai Halevi, Hugo Krawczyk
o Fast Message Authentication using Efficient
  Polynomial Evaluation, Valentine Afanassiev, Christian Gehrmann, Ben Smeets
o Reinventing the ~Wheel~ Travois: Encryption/MAC in 30 ROM Bytes, Gideon Yuval
o All-Or-Nothing Encryption and The Package Transform, Ronald L. Rivest
o On the Security of Remotely Keyed Encryption, Stefan Lucks
o Sliding Encryption: A Cryptographic Tool for Mobile Agents, Adam Young, Moti Yung
o Fast Software Encryption: Designing Encryption Algorithms for Optimal Software Speed on the Intel Pentium Processor, Bruce Schneier, Doug Whiting
o A Fast New DES Implementation in Software, Eli Biham
o Optimizing a Fast Stream Cipher for VLIW, SIMD, and Superscalar Processors, Craig S.K. Clapp

Presentations at the "Recent Results" Session:

o On the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited, Moni Naor, Omer Reingold
o Optimal Galois Field Bases which are not Normal, Preda Mihailescu
o Speeding Up with Chinese Remaindering can be Dangerous, Marc Joye, Jean-Jacques Quisquater
o An Algorithm to Calculate a Precise Differential Probability of DES F-Function, Kazumaro Aoki, Kazuo Ohta, Takashi Hyodo
o On the Security of BEAR and LION, and Ladder-DES, Lars Knudsen
o The RSA Data Security Secret Key Challenge, Matt Robshaw
o Differential Fault Analysis Revisited, Eli Biham, Adi Shamir
o The Guy Fawkes Protocol, Ross Anderson, Bruno Crispo, Jong-Hyeon Lee, Charalampos Manifavas, Roger Needham

_______________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 2: Journal and Newsletter Articles, Book Chapters
_______________________________________________________________________

o Dr. Dobb's Journal, Vol. 22, No. 4 (April 1997). Aleksandr Jurisic and Alfred J. Menezes. Elliptic curves and cryptography. pp. 26-37.
o IEEE Trans. on Knowledge and Data Engineering, Vol. 9, No. 1 (Jan-Feb 1997). E. Bertino, P. Samarati, and S. Jajodia. An extended authorization model for relational databases. pp.
  85-101.
o ACM SIGSAC Security Audit & Control Review, Vol. 15, No. 1 (January 1997):
  - Schimpf, Gerhard. Security management for administration and control of corporate-wide diverse systems. pp. 4-10.
  - Russell, Selwyn. Multisignature algorithms for ISO 9796. pp. 11-14.

_______________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 3: Books
________________________________________________________________________

o Dam, Kenneth W., and Herbert S. Lin, eds. Cryptography's Role in Securing the Information Society. National Academy Press, 688 pp., $44.95. (This is the final version of the NRC report on cryptography reported in Cipher EI#15, June 1, 1996.)
o Pfitzmann, Birgit. Digital Signature Schemes: General Framework and Fail-Stop Signatures. Springer-Verlag, 396 pp., $59.50.
o McGraw, Gary and Ed Felten. Java Security: Hostile Applets, Holes, and Antidotes. John Wiley & Sons, 192 pp., $19.95. Also available: Java Security: Managing the Risks. Multimedia CD-ROM companion to the book, MindQ Publishing, $59.95.

________________________________________________________________________
Calendar
________________________________________________________________________

====================================================================
See Calls for Papers section for details on many of these listings.
====================================================================

"Conf Web Page" indicates there is a hyperlink on the Cipher Web pages to conference information. (In many cases there is such a link even though mention is not made of it here, to save space.)

Dates              Event, Location                   Point of Contact/ more information
-----              ---------------                   ----------------------------------
3/25/97: ENTRSEC.
  Cambridge, Massachusetts; Conf Web page; submissions to bcdavis@appliedknowledge.com
4/ 1/97- 4/ 4/97: DASFAA '97, Melbourne, Australia; Conf Web page
4/ 1/97- 4/ 3/97: CORBA SW, Baltimore, MD
4/ 1/97: ICCC97, Cannes, France; submissions to ICCC97@prism.uvsq.fr
4/ 2/97- 4/ 4/97: 4th CCS, Zurich, Switzerland; Conf Web page
4/ 3/97- 4/ 5/97: ICAST '97, Schaumburg, Illinois; Conf Web page
4/ 4/97: NSPW '97, Great Langdale, Cumbria, UK; submissions due
4/ 5/97: GBN '97, Kobe, Japan; Conf Web page
4/ 7/97- 4/11/97: ICDE '97, Birmingham, UK; Conf Web page
4/ 7/97- 4/ 8/97: RIDE '97, Birmingham, England; Conf Web page
4/ 8/97- 4/10/97: PTP '97, Saarland, Germany; Conf Web page
4/ 9/97- 4/11/97: ISADS97, Berlin, Germany; Conf Web page
4/10/97: INTRA-FORA, Linz, Austria; submissions due to intra@faw.uni-linz.ac.at
4/14/97- 4/17/97: SICON97, Kent Ridge, Singapore
4/15/97: JTS, special multimedia issue; Conf Web page
4/21/97: MOBICOM '97, Budapest; submissions to mobicom97@monarch.cs.cmu.edu
4/28/97- 4/30/97: PKS '97, Toronto, Ontario; Conf Web page
4/28/97- 4/29/97: Electronic Commerce for Content II, Washington, DC
5/ 4/97- 5/ 7/97: IEEE S&P, Oakland, California; Conf Web page
5/ 7/97: INETCOMP, Intranets issue; submissions to regli@cme.nist.gov
5/11/97- 5/15/97: Eurocrypt '97, Konstanz, Germany
5/12/97- 5/16/97: CITSS, Ontario, Canada; info from citss@cse-cst.gc.ca
5/13/97- 5/15/97: R&D Opportunities in Federal Information Systems
5/15/97: IFIP-IICIS, Zurich, Switzerland; questions: jajodia@isse.gmu.edu
5/16/97: Chilean CompSci Soc, Valparaiso, Chile; papers due by e-mail to sccc97@dcc.uchile.cl; Conf Web page
5/30/97: ICICS '97, Beijing, P.R. China; submissions due
5/30/97: ACSAC '97, San Diego; submissions due to ACSAC_program_chair@smiley.mitre.org
5/31/97: TAPOS97; Conf Web page; submissions to mendel@db.toronto.edu
6/ 1/97- 6/ 6/97: IESS '97, Walnut Creek, CA
6/ 1/97: RBAC97.
  McLean, Virginia; submissions to ecoyne@seta.com
6/ 1/97: ENCXCS, Hawaii, HI; submissions to broggi@computer.org
6/ 2/97: ICDE '98, Orlando, Florida; submissions to s.urban@asu.edu
6/11/97- 6/12/97: ENM '97, Montreal, Quebec
6/10/97- 6/12/97: CSFW10, Rockport, MA; Workshop Web page
6/16/97: DIMACS Security Ver, Piscataway, NJ; e-mail abstracts to orman@darpa.mil and meadows@itd.nrl.navy.mil
6/16/97- 6/19/97: COMPASS'97, Gaithersburg, MD; http://hissa.ncsl.nist.gov/compass/
6/18/97- 6/20/97: ENTRSEC, Cambridge, Massachusetts; Conf Web page
6/30/97- 7/ 3/97: NGITS '97, Neve Ilan, Israel; Conf Web page
7/ 3/97- 7/ 4/97: IRISH '97, Dublin, Ireland; Conf Web page
7/ 7/97- 7/ 9/97: ACISP '97, Sydney, Australia; vijay@st.nepean.uws.edu.au
7/ 9/97- 7/11/97: FMP '97, Wellington, New Zealand; Conf Web page
7/ 9/97: INETCOMP, Economics issue; submissions to petrie@cdr.stanford.edu
8/11/97- 8/13/97: IFIP WG 11.3, Lake Tahoe, California; Conf Web page
8/11/97- 8/12/97: HASE97, Washington, DC; Conf Web page
8/17/97- 8/21/97: CRYPTO '97, Santa Barbara, California
8/25/97- 8/27/97: IDEAS '97, Montreal, Canada; Conf Web page
9/ 3/97- 9/ 5/97: DIMACS Security Ver, Piscataway, NJ; DIMACS Web page
9/ 8/97- 9/10/97: SAFECOMP97, University of York, UK; Conf Web page
9/ 9/97: USENIX Sec Symp, San Antonio; submissions: securitypapers@usenix.org
9/22/97- 9/24/97: INTRA-FORA, Linz, Austria; Conf Web page
9/23/97- 9/26/97: NSPW '97, Great Langdale, Cumbria, UK
9/26/97- 9/30/97: MOBICOM '97, Budapest, Hungary; Conf Web page
10/ 5/97-10/ 8/97: SOSP '97, Malo, France; Conf Web page
10/ 6/97-10/10/97: NISS '97, Baltimore, MD
10/31/97-11/ 5/97: WebNet97, Toronto, Canada; Conf Web page
11/ 1/97: IEEE Personal Communications Special Issue on Mobile Computing Systems and the Web; submissions due
11/ 6/97-11/ 7/97: RBAC97, McLean, Virginia; Conf Web page
11/11/97-11/13/97: ICICS '97, Beijing, P.R. China
11/12/97-11/14/97: Chilean CompSci Soc, Valparaiso, Chile
11/19/97-11/21/97: ICCC '97.
  Cannes, France; Conf Web page
12/ 4/97-12/ 5/97: IFIP-IICIS, Zurich, Switzerland; Conf Web page
12/ 8/97-12/12/97: ACSAC '97, San Diego, CA
1/ 6/98- 1/ 9/98: ENCXCS, Hawaii, HI; Conf Web page
1/26/98- 1/29/98: USENIX Sec Symp, San Antonio, Texas; Conf Web page
2/23/98- 2/27/98: ICDE '98, Orlando, Florida; Conf Web page
5/ 3/98- 5/ 6/98: IEEE S&P 98, Oakland; no e-mail address available
5/12/98- 5/15/98: 10th CITSS, Ottawa; no e-mail address available
5/ 2/99- 5/ 5/99: IEEE S&P 99, Oakland; no e-mail address available
5/11/99- 5/14/99: 11th CITSS, Ottawa; no e-mail address available
4/30/00- 5/ 3/00: IEEE S&P 00, Oakland; no e-mail address available
5/16/00- 5/19/00: 12th CITSS, Ottawa; no e-mail address available

Key:
* ACISP = Australasian Conference on Information Security and Privacy
* ACSAC = Annual Computer Security Applications Conference, 13th Annual
* CCS = ACM Conference on Computer and Communications Security
* CITSS = Canadian Information Technology Security Symposium
* COMPASS = Conference on Computer Assurance, COMPASS '97
* CORBA SW = Workshop on Building and Using CORBASEC ORBS, CORBA SW
* CRYPTO = IACR Annual CRYPTO Conference, CRYPTO97
* CSFW = Computer Security Foundations Workshop, CSFW10, Wrkshp Page
* DASFAA = Database Systems For Advanced Applications, DASFAA '97
* DIMACS Security Ver = DIMACS Workshop on Formal Verification of Security Protocols, '97 workshop
* Electronic Commerce for Content II = Forum on Technology-Based Intellectual Property Management, URL
* ENCXCS = Engineering Complex Computer Systems Minitrack of HICSS, ENCXCS
* ENM = Enterprise Networking, ENM '97
* ENTRSEC = International Workshop on Enterprise Security, ENTRSEC '97
* FMP = Formal Methods Pacific, FMP '97
* GBN = Gigabit Networking Workshop, GBN'97
* HASE = High-Assurance Systems Engineering Workshop, HASE '97
* HICSS = Hawaii International Conference on Systems Sciences
* HPTS = Workshop on High Performance Transaction Systems
* ICAST = Conference on Advanced Science and Technology,
  13th ICAST
* ICCC = International Conference for Computer Communications, ICCC '97
* ICDE = Int. Conf. on Data Engineering, ICDE '98
* ICI = International Cryptography Institute
* ICICS = International Conference on Information and Communications Security, ICICS '97
* IDEAS = Int'l Database Engineering and Applications Symposium, IDEAS '97
* IEEE S&P = IEEE Symposium on Security and Privacy, IEEE S&P '97
* IESS = Int'al Symposium on Software Engineering Standards, IESS '97
* IFIP/SEC = International Conference on Information Security (IFIP TC11)
* IFIP WG11.3 = IFIP WG11.3 11th Working Conference on Database Security
* IFIP-IICIS = First Working Conference on Integrity and Internal Control in Information Systems
* INET = Internet Society Annual Conference
* INETCOMP = IEEE Internet Computing (magazine)
* INTRA-FORA = International Conference on INTRANET: Foundation, Research, and Applications, INTRA-FORA
* IRISH = Irish Workshop on Formal Methods, IRISH97
* ISADS = Symposium on Autonomous Decentralized Systems, ISADS '97
* JCS = Journal of Computer Security, WWW issue
* JTS = Journal of Telecommunications Systems, special multimedia issue
* MOBICOM = Mobile Computing and Networking, MOBICOM '97
* NGITS = World Conference of the WWW, Internet, and Intranet, NGITS '97
* NISS = National Information Systems Security Conference, NISS
* NSPW = New Security Paradigms Workshop, NSPW '96
* OSDI = Operating Systems Design and Implementation, OSDI '96
* PKS = Public Key Solutions, PKS '97
* PTP = Workshop on Proof Transformation and Presentation, PTP '97
* RBAC = ACM Workshop on Role-Based Access Control, RBAC '97
* RIDE = High Performance Database Management for Large Scale Applications, RIDE97
* SAFECOMP = Computer Safety, Reliability and Security, SAFECOMP '97
* SICON = IEEE Singapore International Conference on Networks, SICON '97
* SOSP = 16th ACM Symposium on Operating Systems Principles, SOSP '97
* TAPOS = Theory and Applications of Object Systems, special issue Objects, Databases, and
  the WWW, TAPOS
* USENIX Sec Symp = USENIX UNIX Security Symposium, 8th Annual
* WebNet = World Conference of the Web Society, WebNet 97

________________________________________________________________________
Data Security Letter Subscription Offer
________________________________________________________________________

A special subscription rate of $25/year for the Data Security Letter is now available to IEEE TC members. The DSL is an external, nonpartisan newsletter published by Trusted Information Systems, Inc. Eleven issues (usually 16 pages each) per year are published. The DSL welcomes reader suggestions and contributions and accepts short research abstracts (about 130 words) for publication on an ongoing basis. On occasion, the DSL will be republishing Cipher articles (with authors' approval), but such articles will constitute a small portion of DSL content (thus there will be very little duplication of Cipher material).

IEEE TC members wishing to take advantage of the special subscription rate should send the following to sharon@tis.com. The information can also be faxed to 301-854-5363 (attention: DSL), phoned to 301-854-5338, or mailed to Trusted Information Systems, Inc., 3060 Washington Rd., Glenwood, MD 21738 USA.

NAME:
POSTAL ADDRESS: (Please indicate company name, if a business address)
PHONE: (Please indicate if home or business)
FAX:
E-MAIL:
IEEE Membership No. (if applicable):

NOTE: If you are already a paying subscriber to the DSL, for the $25 you will receive a 2-year renewal; refunds, rebates, etc., on your current subscription are not available.

If you have any questions about the offer or anything else pertaining to the DSL, you may contact the editor, Sharon Osuna, via E-Mail to sharon@tis.com or call her at 301-854-5338.
________________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
________________________________________________________________________

You do NOT have to join either IEEE or the IEEE Computer Society to join the TC, and there is no cost to join the TC. All you need to do is fill out an application form and mail or fax it to the IEEE Computer Society. A copy of the form is included below (to simplify things, only the TC on Security and Privacy is included, and is marked for you). The full and complete form is available on the IEEE Computer Society's Web Server at URL:

http://www.computer.org:80/tab/tcapplic.htm (print & mail form)
or
http://www.computer.org:80/tab/Tcappli1.htm (HTML form for form-enabled browsers)

IF YOU USE THE FORM BELOW, PLEASE NOTE THAT IT IS TO BE RETURNED (BY MAIL OR FAX) TO THE IEEE COMPUTER SOCIETY, >>NOT<< TO CIPHER.

--------- IEEE Computer Society Technical Committee Membership Application
-----------------------------------------------------------
Please print clearly or type.
-----------------------------------------------------------
Last Name                First Name              Middle Initial
___________________________________________________________
Company/Organization
___________________________________________________________
Office Street Address (Please use street addresses over P.O.)
___________________________________________________________
City                                    State
___________________________________________________________
Country                                 Postal Code
___________________________________________________________
Office Phone                            Fax
___________________________________________________________
Email Address (Internet accessible)
___________________________________________________________
Home Address (optional)
___________________________________________________________
Home Phone
___________________________________________________________

[ ] I am a member of the Computer Society
    IMPORTANT: IEEE Member/Affiliate/Computer Society Number: ____________________
[ ] I am not a member of the Computer Society*

Please Note: In some TCs only current Computer Society members are eligible to receive Technical Committee newsletters.

Please select up to four Technical Committees/Technical Councils of interest.

TECHNICAL COMMITTEES
[ X ] T27 Security and Privacy

Please Return Form To:
IEEE Computer Society
1730 Massachusetts Ave, NW
Washington, DC 20036-1992
Phone: (202) 371-0101
FAX: (202) 728-9614

________________________________________________________________________
TC Publications for Sale (YES!)
________________________________________________________________________

The daffodils and magnolias are blooming in Washington, and we are back in business! Proceedings of the 1996 IEEE Symposium on Security and Privacy are now available, and we have reduced prices on some of the older issues. Please help us liquidate the backlog by ordering several copies for your friends!

       Price by mail per volume   IEEE CS Press              IEEE CS Press
Year   from TC*                   IEEE member price          List Price
----   ----------                 -----------------          -------------
1992   $10                        Only available from TC!
1993   $10                        Only available from TC!
1994   $15                        $30+$4 S&H                 $60+$5 S&H
1995   $25                        $30+$4 S&H                 $60+$4 S&H
1996   $30

*price includes shipping and handling

For overseas delivery:
-- by surface mail, please add $5 per order (3 volumes or fewer)
-- by air mail, please add $10 per volume to the prices listed above.

If you would like to place an order, please send a letter specifying
* which issues you would like,
* where to send them, and
* a check in US dollars, payable to the 1997 IEEE Symposium on Security and Privacy
to:

Charles N. Payne
Treasurer, IEEE TC on Security and Privacy
Secure Computing Corp.
2675 Long Lake Rd.
Roseville, MN 55113 U S A
e-mail: cpayne@securecomputing.com

Sorry, we are not yet ready for electronic commerce!

________________________________________________________________________
TC Officer Roster
________________________________________________________________________

Chair:
Deborah Cooper
P.O. Box 17753
Arlington, VA 22216
(703)908-9312 voice and fax
dmcooper@ix.netcom.com

Vice Chair:
Charles P. Pfleeger
Trusted Information Systems, Inc.
3060 Washington Rd.
Glenwood, MD 21738
(301)854-6889 (voice)
(301)854-5363 (fax)
pfleeger@tis.com

Newsletter Editor:
Carl Landwehr
Code 5542
Naval Research Laboratory
Washington, DC 20375-5337
(202)767-3381
landwehr@itd.nrl.navy.mil

Chair, Subcommittee on Academic Affairs:
Prof. Karl Levitt
University of California, Davis
Division of Computer Science
Davis CA 95611
(916)752-0832
levitt@iris.ucdavis.edu

Standards Subcommittee Chair:
Greg Bergren
10528 Hunters Way
Laurel, MD 20723-5724
(410)684-7302
(410)684-7502 (fax)
glbergr@missi.ncsc.mil

Chair, Subcommittee on Security Conferences:
Dr. Stephen Kent
BBN Corporation
70 Fawcett Street
Cambridge, MA 02138
(617) 873-3988
kent@bbn.com

________________________________________________________________________
Information for Subscribers and Contributors
________________________________________________________________________

SUBSCRIPTIONS: Two options:
1.
   To receive the full ascii CIPHER issues as e-mail, send e-mail to (which is NOT automated) with subject line "subscribe".
2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing or downloading from our ftp server, send e-mail to (which is NOT automated) with subject line "subscribe postcard".

To remove yourself from the subscription list, send e-mail to cipher-request@itd.nrl.navy.mil with subject line "unsubscribe".

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL
http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher

CONTRIBUTIONS: to are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. For Calendar entries, please include an e-mail address for the point-of-contact.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

BACK ISSUES: There is an archive that includes each copy distributed so far, in ascii, in files you can download at URL
http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher/cipher-archive.html
There is also an anonymous FTP server that contains the same files. To access the archive via anonymous FTP:
1. ftp www.itd.nrl.navy.mil
2. At prompt for ID, enter "anonymous"
3. At prompt for password, enter your actual, full e-mail address
4. Once you are logged in, change to the Cipher Directory: cd pub/cipher
5. Now you can request any of the files containing Cipher issues in ascii. Issues are named in the form: EI#N.9703 where N is the number of the issue desired and 9703 captures the year and month it appeared.
========end of Electronic Cipher Issue #21, 25 March 1997=============