Subject: Electronic CIPHER, Issue 23, August 15, 1997 _/_/_/_/ _/_/_/ _/_/_/_/ _/ _/ _/_/_/_/ _/_/_/_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/_/_/_/ _/_/_/_/ _/_/ _/_/_/_/ _/ _/ _/ _/ _/ _/ _/ _/ _/_/_/_/ _/_/_/ _/ _/ _/ _/_/_/_/ _/ _/ ==================================================================== Newsletter of the IEEE Computer Society's TC on Security and Privacy Electronic Issue 23 August 15, 1997 Carl Landwehr, Editor Bob Bruen, Book Review Editor Hilarie Orman, Assoc. Editor ==================================================================== Contents: [1150 lines total] o Letter from the Past TC Chair o Letter from the TC Chair o Letter from the Editor Security and Privacy News Briefs: o LISTWATCH: Items from security-related lists, by Mary Ellen Zurko o Recent Windows NT and Windows 95 o PGP 5.0 Source Code Exported -- Legally? Commentary and Opinion: [none this issue] Conference Reports: [none this issue] New reports available via FTP and WWW: lots of new items here Interesting Links: Who's Where: recent address changes: Eggers, Cudney Calls for Papers: ICDCS, ICTSMA, SIGMOD/PODS, SICON, ACM CCS Reader's guide to recent security and privacy literature o Conference Papers: ICICS, DIMACS Workshop on Crypto Protocols o Journal and Newsletter articles: CACM, JCS, Crosstalk, Annals, etc. o Books: Two books on web security Calendar Data Security Letter subscription offer Publications for sale -- CSFW proceedings available TC officers Information for Subscribers and Contributors ____________________________________________________________________ Letter from the Immediate Past TC Chair ____________________________________________________________________ Dear TC Members: Please join me in welcoming our new TCSP senior officers. Chuck Pfleeger, previous TCSP Vice-Chair, is our new TCSP Chair. Working with Chuck these past two years, I have witnessed his commitment to the best interests of our TCSP. Our newly elected TCSP Vice-Chair and incumbent Chair is Tom Berson. Tom has been a wellspring of innovative and adroit solutions for the challenges faced by the TCSP and Oakland conference organizers for over two decades. The TCSP will certainly benefit from the leadership of Chuck Pfleeger and Tom Berson. I would like to thank the members of the TCSP Executive Committee: Senior Advisor, Terry Benzel; Academic Affairs Chair, Karl Levitt; Standards Chair, Greg Bergren; Conference Chair, Steve Kent; and Cipher Editor, Carl Landwehr. Carl and his Cipher volunteers continue to produce a technical newsletter of unparalleled quality. Steve Kent, Mike Reiter, George Dinolt, Paul Karger and Charles Payne are to be commended for a highly successful 1997 Symposium on Security and Privacy. Greg Bergren was our lifeline to a multitude of security standards activities, and kept us always informed. Our first Academic Affairs chair, Karl Levitt, had the formidable task of organizing an agenda and establishing liaisons with academia, and we appreciate his efforts. As immediate past TCSP chair, I succeed Terry Benzel as senior advisor. Terry has made my job easier,and we have all benefited from her shared insights and contributions. As a volunteer member, I will continue to focus on ways for the Computer Society to improve its member services and working relationships with the TCSP and other technical committees. Surprisingly enough, I am a nominee for the Computer Society Board of Governors. I view this as an opportunity to take our TCSP experiences strategies up one level in the Computer Society. The TCSP continues to be one of the most successful and dynamic Technical Committees of the IEEE Computer Society, due to the contributions of its members. I extend my sincere gratitude to all our TCSP members and dedicated volunteers for the achievements of the past two years. I look forward to a great future for our TCSP under the leadership of Chuck and Tom and our new Executive Committee officers. Thanks again to all of you for your support! Deborah M. Cooper Immediate Past Chair, Technical Committee on Security and Privacy ____________________________________________________________________ Letter from the TC Chair ____________________________________________________________________ Dear TC Members: I am very pleased to be addressing you in this first message as chair of the IEEE Computer Society Technical Committee on Security and Privacy. The importance of our profession is evident from the fact that we get front page coverage in the popular press, something few if any other technical committees do. I want to introduce the other officers and board members who will also support this technical committee. Tom Berson has agreed to be the vice chair for the next two years, which means he will then succeed me as chair for 1999-2001 (I leave him the year 2000 problem). Tom is quite well known in our profession, most recently as a cryptanalyst, but also as someone who has the breadth of knowledge to appreciate a formal proof or to understand a TCB design. More than once we have called on him to help determine the outstanding paper at the annual Symposium on Security and Privacy (the Oakland conference), again demonstrating our respect for his technical skills. What fewer people know, however, is that Tom has also played a crucial role on negotiations that have kept the Oakland conference at the Claremont hotel in Oakland. In fact, he is involved in shuttle diplomacy again this year. I think Tom will be an excellent chair after my term of office. Carl Landwehr is continuing as Cipher editor, thank goodness. The time and energy that Carl puts into producing this newsletter is something that few of you realize. Over the last two years I have found out how well Carl keeps Cipher going because it looks effortless even from the inside: somehow all the pieces come together. Carl, of course, has a regular corps of people who help out on different parts of Cipher, and Carl regularly announces who they are and thanks them publicly. And anybody else who would like to adopt an area to cover or write an article on a recent event in our field would be most welcome. Carl, like Tom, has filled most of the organizing roles of our technical committee, and Carl can always be counted on for his wise advice. As chair of the education committee, I asked Cynthia Irvine, and she has accepted. Cynthia is at the US Naval Postgraduate School and, like the Tom and Carl, she has experience in several parts of security, including operating systems and evaluation issues. Cynthia recently organized a workshop on curricula for university information security tracks (for more details, see her piece to appear in the September issue of IEEE Software). The reason I am most pleased to have Cynthia chair our education committee is that she holds a similar post with ACM. It would be easy to say that IEEE Computer Society and ACM are competitors, but I think that is exactly why Cynthia is the best person for this role. There is no point in fragmenting our field; quite the opposite, we can do better by the synergy from working cooperatively, with each society providing the kind of backup it can do best. The chair of the committee on conferences is the general chair of the Syposium on Security and Privacy, who next year will be Mike Reiter. Mike is another well-known researcher in the community, working primarily in design and analysis of protocols for accomplishing tasks ranging from authentication to auctions. As is the pattern with our officers, Mike served as registration chair (and general chair-in-waiting) for the conference, so that he is fully prepared to bring us another smoothly lfowing conference next year. My standards committee chair is currently unfilled; after many years of good service, Greg Bergren will be unavailable because he is entering a career training program where he works. The one final appointment, of sorts, is my "senior advisor," who will be Deborah Cooper, my immediate predecessor as technical committee chair. Deb and I have worked together these past two years on the issues that come up in this committee, and I have grown to respect her good sense, judgement, and leadership. She is a very tough act to follow, but I am pleased that as senior advisor she will be available for me to call on for advice and moral support. Those then are the names of people who will work with me on the leadership of this technical committee. But we require the assistance of many others who help with conference organizing, writing and reviewing papers and reports, and doing all the other things that help advance our technical committee and profession. Thanks to you all, and if you haven't yet helped with some of the unseen infrastructure work, we would be pleased to have volunteers. I want to continue a tradition Deborah started last year of holding a brief status meeting in conjunction with the National Information Systems Security Conference held in Baltimore in the autumn. I plan to hold another such meeting this year to pass along new information about our technical committee. The time and place will be posted with the rest of the announcements of that meeting. I am always open to suggestions of what we should be doing more of or differently to enhance the usefulness of our committee to you, our members. If you have thoughts you would like to share, please feel free to drop me a note at pfleeger@arca.com or by phone at +1 (703) 734-5611. Charles P. Pfleeger TCSP Chair ____________________________________________________________________ Letter from the Editor ____________________________________________________________________ Dear Readers, Since we have letters from both the past and current TC chairs this issue, mine will be short. Thanks once again to Mary Ellen Zurko for an enjoyable LISTWATCH column in this issue. I've culled the best items from my queues of interesting URLs and news items, and I hope you will find some of them of interest. Many of you will have attended a security-related conference or workshop over the summer; if there was something interesting in it, please consider writing a short report for Cipher (and if there wasn't something worth reporting, why did you go?). Enjoy the rest of the summer; Cipher will return in late September, contributors willing! Carl Landwehr Editor, Cipher Landwehr@itd.nrl.navy.mil ____________________________________________________________________ SECURITY AND PRIVACY NEWS BRIEFS ___________________________________________________________________ LISTWATCH Security-Related News Items from Security-Related Mailing Lists by Mary Ellen Zurko, The Open Group Research Institute (8/8/97) (m.zurko@opengroup.org) ____________________________________________________________________ This edition's listwatch items come from the email lists e$pam, cryptography, cypherpunks, fight-censorship, oxdeadbeef, tbtf, and dcsb. There was some speculation and rumors on the cryptography list that DoD interest in Fortezza is waning. This included stories of a contract that was killed and the evolution of Fortezza being stalled in the context of the Defense Messaging System, as well as lack of requests for Fortezza from federal contractors. Intel's BIOS Update technology enables bug fixes to its microprocessors to be downloaded to the chips. A story discussing the security of this feature include claims that the microcode patch is encrypted, and after its header is examined "there are two levels of encryption in the processor that must occur before it will successfully load the update" (integrity and authentication? or just doubly-encrypted for confidentiality?). My favorite security measure for this protocol is that "There is no documentation. ... It's actually in the heads of less than 10 people in the whole of Intel." Mitsubishi has developed a software program which evaluates symmetric-key encryption algorithms, displaying the amount of computing power required to deduce the key, based on Shamir's differential decryption method and Mitsubishi's proprietary linear decryption method. The program uses "simple approximations of the encryption algorithm" to determine "the minimal volume of computations needed to crack the code." AOL has announced a telemarketing plan that would include selling memebers' telephone numbers. They have decided not to do that, based on the reaction from customers and other intersted parties. See http://www.yahoo.com/headlines/970724/news/stories/aol_1.html for the story. There was a lot of discussion of government access to keys on cypherpunks. A policy brief from the Brookings Institution takes the line that "there are reasonable compromises" in the debate about government access to keys. The contents of most of the brief are familiar to those following the debate. The author believes that recent government trends towards listening to critics and evolving a more flexible policy based on that feedback may lead to a workable compromise. The author acknowledges that one of the problems with the approach is its potential for abuse, and recommends a permanent, verifiable audit trail of any government interception of electronic communications. Other key escrow discussion on cypherpunks suggested that keys should be split and held by the following parties, so that all of them had to agree for a valid key to be returned: 1. ACLU 2. NRA 3. Republican Nat'l Committee 4. Democratic Nat'l Committee 5. N Y Times 6. Washington Post 7. Christian Coalition 8. Libertarian Party 9. FBI 10. NSA 11. Speaker of the House of Representatives 12. U S Supreme Court Another suggestion was that the government go through a judge and/or the key holders to get the content as well as the key. Another subscriber suggested that the FBI and most other secret security agencies should also be forced to use key escrow. It was pointed out that the McCain-Kerrey bill does not require a court order to get keys, even though reports on the bill have implied that it does. A variety of mailing lists and individuals associated with an imprisoned member of cypherpunks got an email message that looks like it came from the IRS reporting on how that member pled guilty. There was speculation on just how the IRS got that list of email addresses to send to, including a question on whether it would violate the Electronic Communications Privacy Act if the email records had been obtained from a seized computer. An entertaining, unattributed story appeared on 0xdeadbeef: At a recent Sacramento PC User's Group meeting, a company was demonstrating its latest speech-recognition software. A representative from the company was just about ready to start the demonstration and asked everyone in the room to quiet down. Just then someone in the back of the room yelled, "Format C: Return." Unfortunately, the software worked. Dorothy Denning and William Baugh have completed a study called "Encryption and Evolving Technologies as Tools of Organized Crime and Terrorism," which is to be published by the National Strategy Information Center. See http://guru.cosc.georgetown.edu/~denning/crypto/oc-abs.html for an excerpt. The study was unable to find any incident where cryptography significantly harmed an investigation. At DefCon 5, the hacker's convention in Las Vegas, Bruce Schneier is quoted as saying of cryptosystems, "The math is perfect. The computers are bad. The networks hideous. The people worse." The last piece of the puzzle of how general purpose web browsers and servers would be allowed to export 128-bit cryptography that could only be used by approved institutions (financial or US corporation) fell into place with the announcement that Verisign had gotten government approval to be the sole exportor of the "magic certificates". Discussion on cypherpunks included what would happen if the government decided those certificates should be revoked, or not renewed after their one year expiration date. The good news (as it were) is that most browsers can't deal with Certificate Revocation Lists yet. A Canadian-based firm, Entrust, is offering an encryption tool for personal use for free, over the Web (see http://www.entrust.com/solo.htm). It seems to include 128-bit symmetric key encryption, which is not generally available for export from the US. On a related note, an AP story states that a senior official of the NSA was overheard at a White House press conference saying "It would not take any twelve times the age of the universe to decrypt a 128-bit message. Thirty-three minutes is more like it." A quote from the July '97 "Computer Design" describing a Pentium-compatible microprocessor redefines the phrase "proof of correctness" by stating "IDT claims to have tested the C6 with most modern PC operating systems, including WIndows 95, Windows 3.1, NetWare, and Solaris for Intel. The complexity and pervasiveness of the Windows operating system generally are considered to make up an exacting proof of correctness...". ________________________________________________________________________ Recently reported Windows NT / Windows 95 problems and bug fixes ________________________________________________________________________ [Following reprinted with permission from SANS Network Security Digest, Vol. 1, No. 6., August 10, 1997. For subscription information, send e-mail to: sans@clark.net ] NT/WIN95 SECURITY PROBLEMS AND BUG FIXES The Microsoft Security page is located at: Additional NT Security Related web pages may be found at: A) Denial of Service Attack in Microsoft IIS for NT 4.0 - (6/30) By sending a request with a URL of a certain length (typically between 4 and 8K) you can cause an access server violation which requires a reboot to fix. Unsaved data may be lost. Microsoft has provided a patch for this problem. Exploits for this problem have been published on the Internet. This problem effects Versions 2.0 and 3.0 on NT systems running 4.0. For more information see the CIAC bulletin at: ---------------------- B) Denial of Service Attack on Windows/NT using ICMP - (7/2) This problem is similar to the Ping of Death attacks discussed earlier this year. By sending a corrupt ICMP packet you can cause a Windows/NT system to freeze and require a reboot. Patches are available at For more information see the CIAC bulletin at: ------------------------ C) Bug fixes released for NT3.51 (7/26) Patches fix two known security problems [Q143474 - Anonymous login user (Red Button) and Q161372 - SMB signing to prevent "Man in the middle" attacks.] Fixes are available at: ------------------------- D) Kernel Routine Error in NT 4.0 Service Pack 3.0 - (7/4) A program called getadmin.exe, which has been distributed on the Internet, grants administrative privileges to normal users. The program takes advantage of a bug in a low-level kernel routine. Microsoft has published a fix for this problem: Later discussions on bugtraq revealed this patch did not fix the problem entirely. Additional information on the vulnerability can be found at: ------------------------- E) Yet Another Netscape Communicator Bug (7/25) The latest version of Communicator (4.0.1a) was supposed to correct a security bug discovered in June. However, there is a flaw in the way LiveConnect has been implemented in 4.0.1a. The end result is similar to the situation with the previous bug: a malicious user can monitor all of your web activity. For more information, see the article at: ------------------------- F) A New Fragmentation Attack (Win NT) When reassembling a fragmented IP packet, the Microsoft implementation does not require the first fragment to have an offset value of zero. It merely checks whether the sum of the lengths of the collected fragments equals the total length of the original unfragmented IP packet. If enough fragments have been received so that this condition holds, the NT stack will happily reassemble what it has accumulated so far. This problem has been fixed with Service Pack 3. For more information see: ________________________________________________________________________ PGP Version 5.0 Source Code Exported -- Legally? ________________________________________________________________________ According to an August 13, 1997 story by Robert Lemos in PC Week, currently readable at: http://www8.zdnet.com/pcweek/news/0811/13acryp.html source code was for PGP 5.0 was "legally" posted at a University of Oslo web site. The source code was published in a book, the book was scanned into a machine by hackers, who proofread the code and posted it. According to the article, the source code had previously been posted on a Dutch site, but there had been no assertion that the export was legal. It is not clear from the article whether the U.S. courts have actually decided that the form of export reportedly used to generate the Oslo version is exempt from the ITAR regulations; see Cipher EI#14, "Federal District Court Rules Source Code is Protected Speech." ________________________________________________________________________ New Reports available via FTP and WWW ________________________________________________________________________ o www.radium.ncsc.mil/tpep/process/review.html NSA TPEP site includes a variety of documents available for download and review, including a protection profile for firewalls o http://www.redbooks.ibm.com/sg244949/4949fm.htm IBM Redbook (draft) Security on the Web Using DCE Technology o http://www.cert.org/research/JHThesis/index.html An Analysis of Security Incidents on the Internet 1989-1995 by Dr. John D. Howard, Ph.D. dissertaion based on CERT incident data. o http://www.cert.org/research/isw97_hypertext/isw97.html Proceedings of Information Survivability Workshop Feb., 1997, San Diego, organized by CMU-SEI. Medical security/privacy items: o http://aspe.os.dhhs.gov/admnsimp/pvcy0731.htm Protecting the privacy of health information HHS Secretary Donna Shalala's 7/31/97 speech to the National Press Club. o http://www.acm.org/usacm/privacy/simons_medical.html Congressional testimony by Barbara Simons, representing U.S. Public Policy Committee of ACM on privacy and security of medical databases. Anonymity-related items: o http://www.itd.nrl.navy.mil/ITD/5540/projects/onion-routing/ "Onion-routing" approach to anonymous Internet connections, by Goldschlag, Syverson, & Reed, NRL. Now seeking beta testers. o http://www.research.att.com/projects/crowds "Crowds" approach to private web transactions by Reiter & Rubin, AT&T, seeking testers. o http://www.dcs.ex.ac.uk/~aba/eternity/ An approach to anonymous publication, by Adam Beck, seeking beta testers Cryptography policy items o http://site108240.primehost.com/hir-hear.htm Declassified transcript of U.S. House of Representatives Committee on International Relations closed hearings on encryption policy, held June 26, 1997 o http://jya.com/fbi-encrypt2.htm FBI Director Louis Freeh's testimony on encryption policy before Senate Judiciary Committee, July 6, 1997. o http://www.crypto.com/key_study The Risks of Key Recovery, Key Escrow and Trusted Third-Party Encryption by Hal Abelson, Ross Anderson, Steve Bellovin, Josh Benaloh, Matt Blaze, Whit Diffie, John Gilmore, Peter Neumann, Ron Rivest, Jeff Schiller, and Bruce Schneier US Govt. Internet policy items o http://www.iitf.nist.gov/eleccomm/ecomm.htm A Framework For Global Electronic Commerce, by President William J. Clinton and Vice President Albert Gore, Jr. o http://www.ccic.gov Next Generation Internet implementation plan. Send comments to: ngi@ccic.gov ________________________________________________________________________ Interesting Links [new entries only] ________________________________________________________________________ o http://www.jya.com/crypto.htm John Young's "cryptome": extensive and current archive of a broad range of news items, legislation, reports, etc., on cryptography policy, technology, and related items (also free of appalling and wasteful graphics). o http://www.opengroup.org/RI/www/jkrb Java - Kerberos web site ________________________________________________________________________ Who's Where: recent address changes ________________________________________________________________________ Entered 9 August 1997 Kenneth W. Eggers CygnaCom Solutions, Inc. Suite 100 West 7927 Jones Branch Drive McLean, VA 22102-3305 phone: (703) 848-0883 email: eggers@cygnacom.com Paul F. Cudney Lockheed Martin Technical Operations 2401 E. El Segundo Boulevard El Segundo, CA 90245-4636 Tel: (310) 727-1001 Fax: (310) 725-5902 e-mail: cudneypf@nic.techops.lmco.com _______________________________________________________________________ Calls for Papers (new listings since last issue only -- full list on Web) ________________________________________________________________________ CONFERENCES Listed earliest deadline first. See also Cipher Calendar. Abbreviated listings this issue; web will be updated as soon as possible. 18th International Conf. on Distributed Computing Systems, CWI, Amsterdam. Submissions due 1 October 1997. Conference held May 26-29, 1998. Conference and paper submission information available at: http://icdcs.fernuni-hagen.de/ or e-mail to bernd.kraemer@fernuni-hagen.de 5th International Conf. on Telecommunications Systems Modelling and Analysis, Nashville. Submissions due 1 October 1997, Conference held March 20-23, 1998. No web page listed, information from: gavishb@ctrvax.vanderbilt.edu ACM SIGMOD/PODS '98 Joint conference, Seattle, Washington. SIGMOD submissions due 3 November, 1997 (abstracts due Oct. 27 by e-mail). PODS submissions due 17 November, 1997. Conference held June 1-4, 1998. Submissions and conference information said to be available at: http://www.boeing.com/sigmod98/ 6th IEEE Singapore Int'l Conf. on Networks, Singapore. Submissions due 12/19/97, conference held July 1-4, 1998. Submissions and conference information available at http://www.iscs.nus.edu.sg/~sicon or by e-mail from sicon@iscs.nus.edu.sg 5th ACM Conf. on Computer and Communications Security, San Francisco. Submissions due April 3, 1998, conference held November 2-5, 1998. Submission and conference information available at: http://www.research.att.com/~reiter/ccs5/ or by e-mail from reiter@research.att.com JOURNALS Special Issues of Journals and Handbooks: listed earliest deadline first. [No new entries this issue] ________________________________________________________________________ Reader's Guide to Current Technical Literature in Security and Privacy Part 1: Conference Papers ________________________________________________________________________ o International Conference on Information and Communications Security, November 11-13, Beijing, P.R. China. Regular Papers: - Electronic Commerce with Secure Intelligent Trade Agents; Jaco van der Merwe, S.H.von Solms (South Africa) - Construction of Correlation Immune Boolean Fuctions; Ed Dawson, Cuan-Kun Wu. (Australia) - Related-Key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA; John Kelsey, Bruce Schneier, and David Wagner (USA) - Efficient Scalable Fair Cash with Off-line Extortion Prevention; Holger Petersen, Guillaume Poupard (France) - Enforcing Traceability in Software; Colin Boyd (Australia) - Digital Signature and Public Key Cryptosystem in a Prime Order Subgroup of Zn*; Colin Boyd (Australia) - Making Unfair a "Fair" Blind Signature Scheme; Jacques Traore (France) - On the Decomposition Constructions for Perfect Secret Sharing Schemes; Hung-Min Sun and Bor-Liang Chen (Taiwan) - Proxy Signatures, Revisite; Seungjoo Kim, Sangjoon Park and Dongho Won (Korea) - A^{2}-code = Affine resolvable + BIBD; Satoshi Obana, Kaoru Kurosawa (Japan) - Hiding the Hidden: A Software System for Concealing Ciphertext as Innocuous Text; Mark Chapman, George Davida (USA) - A Multiplication-Addition Structure Against Differential Attack; Feng Zhu, Bao-An Guo (China) - Stateless Connections; Tuomas Aura, Pekka Nikander (Finland) - A New and optimal chosen-message attack on RSA-type cryptosystems; Daniel Bleichenbacher, Marc Joye and Jean-Jacques Quisquater (USA and Belgium) - Traceable Visual Cryptography; Ingrid Biehl, Susanne Wetzel (Germany) - On Weak RSA-Keys Produced from Pretty Good Privacy; Yasuyuki Sakai, Kouichi Sakurai and Hirokazu Ishizuka (Japan) - Efficient Construction of Secure Hyperelliptic Discrete Logarithm Problems; Jinhui Chao, Nori Matsuda and Shigeo Tsujii (Japan) - On Strict Estimation Method of Provable Security Against Differential and Linear Cryptanalysis; Yasuyoshi Kaneko, Shiho Moriai and Kazuo Ohta (Japan) - A Trust Policy Framework; Audun Josang (Norway) - Trapdoor one-way permutations and multivariate polynomials; Louis Goubin and Jacques Patarin (France) - Asymmetric Cryptography with S-Boxes; Louis Goubin and Jacques Patarin (France) - Computational Learning Theoretic Cryptanalysis of Language Theoretic Cryptosystems; Takeshi Koshiba (Japan) - Multisender Authentication Systems with Unconditional Security; R. Safavi-Naini and K. M. Martin (Australia and Belgium) - Protocols for Issuing Public-Key Certificates over the Internet; James W. Gray, III and Kin Fai Epsilon IP (Hong Kong) - Minimizing the Use of Random Oracles in Authenticated Encryption; Schemes Phillip Rogaway and Mihir Bellare (USA) - An Effective Genetic Algorithm for Finding Highly Nonlinear Boolean Functions; William Millan Andrew Clark Ed Dawson (Australia) - Security Comments on the Hwang-Chen Algebraic-code Cryptosystem; Mohssen Alabbadi (Saudi Arabia) - Design of a Security Platform for CORBA based Application; Rakman Choi, Jungchan Na, Kwonli Lee, Eunmi Kim and Wooyong Han (Korea) - Self-synchronized message randomization methods for subliminal channels; Kazukuni Kobara and Hideki Imai (Japan) - An Improved Key Stream Generator Based on the Programmable Cellular Automata; Miodrag J. Mihaljevic (Yugoslavia) - A Language for Specifying Sequences of Authorization Transformations and its Application; Vijay Varadharajan and Yun Bai (Australia) - A Secure Code for Recipient Watermarking agaist Conspiracy Attacks by All Users; Hajime Watanabe and Tadao Kasami (Japan) - Proving decision power in round-optimal perfect zero-knowledge; Giovanni Di Crescenzo, Kouichi Sakurai and Moti Yung (USA and Japan) - Duality of Boolean Functions and Its Cryptographic Significance; Yuliang Zheng, Xiao-Mo Zhang Hideki Imai (Australia and Japan) - Critical Analysis of Security in Voice Hiding Techniques; Li-Wu Chang and Ira S. Moskowitz (USA) - Remarks on the Multiple Assignment Secret Sharing Scheme; Josef Pieprzyk, Hossein Ghodosi and Rei Safavi-Naini, (Australia) - Secure document management and distribution in an open network environment; Antonio Lioy, Fabio Maino and Marco Mezzalama (Italy) Short Papers: - On the Powerline System; Paul Camion and Herve Chabanne (France) - An Implementable Scheme for Secure Delegation of Computing and Data; Josep Domingo-Ferrer And Ricardo X. Sanchez (Spain) - Sharing Secret Information in Hierarchical Groups; Josef Pieprzyk, Chris Charnes Keith Martin Rei Safavi-Naini (Australia) - An Anonymous and Undeniable Payment Scheme; Liqun Chen and Chris Mitchell (U.K.) - Fast software elliptic curve cryptosystems; Atsuko Miyaji and Takatoshi Ono (Japan), Henri Cohen (France) - Improved Fast Software Implementation of Block Ciphers; Takeshi Shimoyama and Seiichi Amada and Shiho Moriai (Japan) - Distributed Cryptographic Function Application Protocols; Audre Postma, Thijs Krol and Egbert Molenkamp (the Netherlands) - Two Efficient RSA Multisignature Schemes; Sangjoon Park (Korea) - Publicly Verifiable Partial Key Escrow; Wenbo Mao (U.K.) - Proposal for User Identification Scheme Using Mouse; Eiji Okamoto, Kenichi Hayashi and Masahiro Mambo (Japan) - Fault Tolerant Anonymous Channel; Wakaha Ogata, Kaoru Kurosawa, Kazue Sako and Kazunori Takatani (Japan) o DIMACS Workshop on Design and Formal Verification of Crypto Protocols New Rutgers Univ., New Jersey, Sept. 3-5, 1997. - CSP, PVS, and a Recursive Authentication Protocol; Jeremy Bryans and Steve Schneider, Royal Holloway and Bedford New College - Modeling and Automated Verification of Authentication Protocols; Parosh Abdulla, Bengt Jonsson, and Aletta Nylen Department of Computer Systems - Cryptolog: A Theorem Prover for Cryptographic Protocols; Bart De Decker and Frank Piessens, K. U. Leuven - A Weakest Precondition Calculus for Analysis of Cryptographic Protocols; J. Alves-foss and T. Soule, U. of Idaho - Model Checking for Security Protocols; Will Marrero, Edmund Clarke, and Somesh Jha, Carnegie Mellon - Using the ASTRAL Model Checker for Cryptographic Protocol Analysis; Zhe Dang and Richard A. Kemmerer, UC Santa Barbara - Digital Signatures With Encryption: Fact and Fiction; Tomasz Kozlowski and Scott A. Smolka SUNY at Stonybrook - A New Algorithm for the Automatic Verification of Authentication; Protocols: From Specifications to Flaws and Attack Scenarios M. Debbabi & M. Mejri & N. Tawbi & I. Yahmadi, Laval University - The Perfect ``Spy'' for Model-Checking Cryptoprotocols; A.W. Roscoe and M.H. Goldsmith Oxford University Computing Laboratory and Formal Systems (Europe) Ltd - Extensional Goals in Authentication Protocols; Colin Boyd, Queensland University of Technology - Using Non Interference for the Analysis of Security Protocols; Riccardo Focardi and Roberto Gorrieri Universita' Ca' Foscari di Venezia and Universita' di Bologna - An Application of the WDL Theory of System Composition to the Analysis of Cryptographic Protocols; Alfred Maneki, NSA - Design of an Application-Level Security Infrastructure; Carl A. Gunter and Trevor Jim, U Penn - A Semantics for BAN Logic; Annette Bleeker and Lambert Meerkens, CWI - Using a Multimodal Logic to Express Conflicting Interests in Security Protocols; Antti Huima and Tuomas Aura - SPEAR: Security Protocol Engineering and Analysis Resources; J.P. Beckmann, P. de Goede, and A. Hutchison U. of Cape Town - Closing the Idealization Gap with Theory Generation; Darrell Kindred and Jeannette Wing, Carnegie Mellon - Automatic Formal Analysis of Two Large Commercial Protocols; Stephen Brackin, Arca Systems - Formal Analysis of IP Layer Security; Sarah Mocas and Tom Schubert, Portland State U. - Finite-State Analysis of SSL 3.0 and related Protocols; John Mitchell, Vitaly Shmatikov, and Ulrich Stern, Stanford U. - Model-based Design and Verification of Security Protocols using LOTOS; Francois Germeau and Guy Leduc, Universite de Liege - Using Isabelle to Prove Properties of the Kerberos Authentication System; G. Bella and L. C. Paulson, Cambridge U. - Cautionary Note for Protocol Designers: Security Proof is not Enough; A. Gillet, M. Joye and J.-J. Quisquater, U. C. Louvain - On Known and Chosen Cipher Pairs; Stuart Stubblebine and Catherine Meadows AT&T and NRL - Cryptographic Module Flaws and Analysis Techniques; Tom Markham, Secure Computing - Two Weak Leaks in the Formal Methods Chain; Carl Gunter, Insup Lee, and Andre Scedrov, U. Penn _______________________________________________________________________ Reader's Guide to Current Technical Literature in Security and Privacy Part 2: Journal and Newsletter Articles, Book Chapters _______________________________________________________________________ o IEEE Annals of the History of Computing, Vol. 19, No. 3 (July-Sept 1997). Donald Mackenzie and Garrel Pottinger. Mathematics, technology, and trust: formal verification, computer security, and the U. S. military. pp. 41-59. o Communications of the ACM, Vol. 40, No. 8 (August 1997): - Thomas C. Rindfleisch. Privacy, information technology, and health care. pp. 92-101. - Brock N. Meeks. Privacy lost, anytime, anywhere. pp. 11-13. o Journal of Computer Security, Vol. 4, No. 4 [received about 7/97]: - M. K. Reiter, M.K. Franklin, J. B. Lacy, and R. N. Wright. The Omega key management service. pp.267-288. - S.-C. Chuang. Security ATM networks. pp. 289-330. - M. Bishop. Conspiracy and information flow in the Take-Grant protection model. pp. 331-360. o Crosstalk, The Journal of Defense Software Engineering, Vol. 10, No. 8 (August, 1997). Karen Ferraiolo and Victoria Thompson. Let's just be mature about security: using a CMM for security engineering. pp. 15-20. o Computers & Security Volume 16, Number 2 (1997). (Elsevier) Features: - Fred Cohen. Information system defences: a priliminary classification scheme. pp. 94-114. - Stephane Bouniol. The puzzle theorem -- the less I know, the less I can disclose. pp. 115-126. Refereed Papers: - Dennis Volpano and Cynthia Irvine. Secure flow typing. pp. 137-144. - O. Tettero, D.J. Out, H.M. Franken, and J. Schot. Information security embedded in the design of telematics systems. pp. 145-164. o ACM Software Engeneering Notes, Vol. 22, No. 4 (July 1997). Don Reifer. Report on 4th ACM Conf. on Computer and Communications Security. pp.32-33. _______________________________________________________________________ Reader's Guide to Current Technical Literature in Security and Privacy Part 3: Books ________________________________________________________________________ o Rubin, Aviel D., Daniel Geer, and Marcus J. Ranum, Web Security Sourcebook: A Complete Guide to Web Security Threats and Solutions John Wiley & Sons, ISBN: 0-471-18148-X, paperback. Book info and review available from http://www.clark.net/pub/mjr/websec/ o Garfinkel, S. and G. Spafford. Web Security & Commerce. O'Reilly, June, 1997, ISBN 1-56592-269-7, 506 pages, $32.95. Review available at http://www.web-vantage.com/wv/970808v4.cfm. (but you may have to register at http://www.web-vantage.com/ first in order to read it). Publisher info at http://www.ora.com/catalog/websec/index.html. ________________________________________________________________________ Calendar ________________________________________________________________________ ==================================================================== See Calls for Papers section for details on many of these listings. ==================================================================== "Conf Web Page" indicates there is a hyperlink on the Cipher Web pages to conference information. (In many cases there is such a link even though mention is not made of it here, to save space.) Dates Event, Location Point of Contact/ more information ----- --------------- ---------------------------------- 8/17/97- 8/21/97: Crypto '97, Santa Barbara, California 8/25/97- 8/27/97: IDEAS '97. Montreal, Canada Conf Web page 9/ 3/97- 9/ 5/97: DIMACS Security Ver, Piscataway, NJ DIMACS Web page 9/ 8/97- 9/10/97: SAFECOMP97. University of York, UK Conf Web page 9/ 9/97: USENIX Sec Symp. San Antonio, Texas Conf Web page. Submissions to securitypapers@usenix.org; 9/22/97- 9/24/97: INTRA-FORA. Linz, Austria Conf Web page 9/22/97- 9/25/97: IC3N '97, Las Vegas, NV Conf Web page 9/23/97- 9/26/97: NSPW '97, Great Langdale, Cumbria, UK 9/26/97- 9/30/97: MOBICOM '97, Budapest, Hungary Conf Web page 10/ 1/97: ICDCS '98, Amsterdam, submissions due 10/ 1/97: ICTSMA '98, Nashville, Tennessee, Submissions due 10/ 1/97: WOBIS '97, Budapest, Hungary; Conf Web page 10/ 5/97-10/ 8/97: SOSP '97, Malo, France; Conf Web page 10/ 6/97-10/10/97: NISS '97, Baltimore, MD, Conf web page 10/ 6/97: ETAPS '98, Lisbon, Portugal, Conf Web page; Submissions to Nivat@litp.ibp.fr; 10/24/97-10/26/97: EDOC '97; Gold Coast, Australia. Conf Web page 10/25/97: IEEE Net Mag Special Issue; submissions to liny@csie.nctu.edu.tw 10/27/97: SIGMOD/PODS '98, Seattle, Washington, SIGMOD abstracts due 10/28/97-10/31/97: ICNP '97, Atlanta, Georgia; Conf Web page 10/31/97-11/ 5/97: WebNet97. Toronto, Canada; Conf Web page 11/ 1/97: IEEE Personal Communications Special Issue on Mobile Computing Systems and the Web, submissions due 11/03/97: SIGMOD/PODS '98, Seattle, Washington, SIGMOD submissions due 11/ 6/97-11/ 7/97: RBAC97. McLean, Virginia Conf Web page 11/10/97: IEEE Network Magazine Special Issue on Active and Programmable Networks; Conf Web page; submissions due to tchen@gte.com 11/11/97-11/13/97: ICICS '97, Beijing, P.R. China 11/12/97-11/14/97: Chilean CompSci Soc, Valparaiso, Chile; 11/17/97: SIGMOD/PODS '98, Seattle, Washington, PODS submissions due 11/19/97-11/21/97: ICCC '97. Cannes, France Conf Web page 12/ 4/97-12/ 5/97: IFIP-IICIS. Zurich, Switzerland Conf Web page 12/ 8/97-12/12/97: ACSAC '97, San Diego, CA 12/19/97: SICON '98, Singapore, submissions due 12/17/97-12/19/97: ISCOM '97. Hsinchu, Taiwan Conf Web page 1/ 6/98- 1/ 9/98: ENCXCS. Hawaii, HI Conf Web page 1/16/98: IFIP/SEC '98, Vienna and Budapest, Austria and Hungary; Conf Web page Submissions due to rposch@iaik.tu; 1/26/98- 1/29/98: USENIX Sec Symp. San Antonio, Texas Conf Web page 2/ 2/98- 2/ 3/98: ADC '98. The Levels, South Australia 2/23/98- 2/27/98: ICDE '98. Orlando, Florida Conf Web page 3/10/98: IFIP WG11.3 Chalkidiki, Greece; Conf Web page Submissions due to jajodia@gmu.edu; 3/11/98- 3/13/98: SNDSS '98, San Diego, California Conf Web page 3/20/98- 3/23/98: ICTSMA '98, Nashville, Tennessee 3/30/98- 4/ 3/98: ETAPS '98. Lisbon, Portugal, Conf Web page 4/ 3/98: CCS '98, San Francisco, CA, submissions due 5/ 3/98- 5/ 6/98: IEEE S&P 98; Oakland no e-mail address available 5/12/98- 5/15/98: 10th CITSS, Ottawa; no e-mail address available 5/26/98- 5/29/98: ICDCS '98, Amsterdam 6/ 1/98- 6/ 4/98: SIGMODS/PODS '98, Seattle, Washington 7/ 1/98- 7/ 4/98: SICON '98, Singapore 7/15/98- 7/17/98: IFIP WG11.3, Chalkidiki, Greece Conf Web page 8/31/98- 9/ 4/98: IFIP/SEC '98, Vienna and Budapest, Austria and Hungary; Conf Web page 11/ 2/98-11/ 5/98: CCS '98, San Francisco, CA 5/ 2/99- 5/ 5/99: IEEE S&P 99; Oakland no e-mail address available 5/11/99- 5/14/99: 11th CITSS, Ottawa; no e-mail address available 4/30/00- 5/ 3/00: IEEE S&P 00; Oakland no e-mail address available 5/16/00- 5/19/00: 12th CITSS, Ottawa; no e-mail address available Key: * ACISP = Australasian Conference on Information Security and Privacy, * ACSAC = Annual Computer Security Applications Conference 13th Annual * ADC = Australasian Database Conference, ADC '98 * CCS = ACM Conference on Computer and Communications Security * CITSS = Canadian Information Technology Security Symposium * COMPASS = Conference on Computer Assurance COMPASS '97 * CORBA SW = Workshop on Building and Using CORBASEC ORBS CORBA SW * CRYPTO = IACR Annual CRYPTO Conference CRYPTO97 * CSFW = Computer Security Foundations Workshop CSFW10 , Wrkshp Page * DASFAA = Database Systems For Advanced Applications DASFAA '97 * DIMACS Security Ver = DIMACS Workshop on Formal Verification of Security Protocols '97 workshop * EDOC = Enterprise Distributed Object Computing Workshop EDOC '97 * Electronic Commerce for Content II = Forum on Technology-Based Intellectual Property Management URL * ENCXCS = Engineering Complex Computer Systems Minitrack of HICSS ENCXCS * ENM = Enterprise Networking ENM '97 * ENTRSEC = International Workshop on Enterprise Security ENTRSEC '97 * ETAPS = European Joint Conferences on Theory and Practice of Software * FMP = Formal Methods Pacific FMP '97 * GBN = Gigabit Networking Workshop GBN'97 * HASE = High-Assurance Systems Engineering Workshop HASE '97 * HICSS = Hawaii International Conference on Systems Sciences * HPTS = Workshop on High Performance Transaction Systems * ICAST = Conference on Advanced Science and Technology, 13th ICAST * ICCC = International Conference for Computer Communications ICCC '97 * IC3N = Int'l Conf. on Computer Communications aand Networks * ICDCS = Int'l Conf. in Distributed Computing Systems * ICDE = Int. Conf. on Data Engineering ICDE '98 * ICI = International Cryptography Institute * ICICS = International Conference on Information and Communications Security ICICS '97 * ICNP = IEEE International Conf. on Network Protocols * ICTSMA = Int'l Conf on Telecomm. Sys. Modelling and Analysis * IDEAS = Int'l Database Engineering and Applications Symposium IDEAS '97 * IEEE S&P = IEEE Symposium on Security and Privacy - IEEE S&P '97 * IESS = Int'al Symposium on Software Engineering Standards IESS '97 * IFIP/SEC = International Conference on Information Security (IFIP TC11) * IFIP WG11.3 = IFIP WG11.3 11th Working Conference on Database Security * IFIP-IICIS = First Working Conference on Integrity and Internal Control in Information Systems * INET = Internet Society Annual Conference * INETCOMP = IEEE Internet Computing (magazine) * INTRA-FORA = International Conference on INTRANET: Foundation, Research, and Applications INTRA-FORA * IRISH = Irish Workshop on Formal Methods IRISH97 * ISADS = Symposium on Autonomous Decentralized Systems ISADS '97 * ISCOM - International Symp. on Communications * JCS = Journal of Computer Security WWW issue * JTS = Journal of Telecommunications Systems, special multimedia issue * MOBICOM = Mobile Computing and Networking MOBICOM '97 * NGITS = World Conference of the WWW, Internet, and Intranet NGITS '97 * NISS = National Information Systems Security Conference NISS * NSPW = New Security Paradigms Workshop NSPW '96 * OSDI = Operating Systems Design and Implementation OSDI '96 * PKS = Public Key Solutions PKS '97 * PTP = Workshop on Proof Transformation and Presentation PTP '97 * RBAC = ACM Workshop on Role-Based Access Control RBAC '97 * RIDE = High Performance Database Management for Large Scale Applications RIDE97 * SAFECOMP = Computer Safety, Reliability and Security SAFECOMP '97 * SICON = IEEE Singapore International Conference on Networks * SIGMOD/PODS = ACM SIGMOD Confs on Mgmt of Data / Prin. of DB Systems * SNDSS = Symposium on Network and Distributed System Security (ISOC) * SOSP = 16th ACM Symposium on Operating Systems Principles SOSP '97 * TAPOS = Theory and Applications of Object Systems, special issue Objects, Databases, and the WWW TAPOS * USENIX Sec Symp = USENIX UNIX Security Symposium, 8th Annual * WebNet = World Conference of the Web Society, WebNet 97 * WOBIS = Workshop on Satellite-based Information Services ________________________________________________________________________ Data Security Letter Subscription Offer ________________________________________________________________________ A special subscription rate of $25/year for the Data Security Letter is now available to IEEE TC members. The DSL is an external, nonpartisan newsletter published by Trusted Information Systems, Inc. Eleven issues (usually 16 pages each) per year are published. The DSL welcomes reader suggestions and contributions and accepts short research abstracts (about 130 words) for publication on an ongoing basis. On occasion, the DSL will be republishing Cipher articles (with authors' approval), but such articles will constitute a small portion of DSL content (thus there will be very little duplication of Cipher material). IEEE TC members wishing to take advantage of the special subscription rate should send the following to sharon@tis.com. The information can also be faxed to 301-854-5363 (attention: DSL) phoned to 301-854-5338, or mailed to Trusted Information Systems, Inc., 3060 Washington Rd., Glenwood, MD 21738 USA. NAME: POSTAL ADDRESS: (Please indicate company name, if a business address) PHONE: (Please indicate if home or business) FAX: E-MAIL: IEEE Membership No. (if applicable): NOTE: If you are already a paying subscriber to the DSL, for the $25 you will receive a 2-year renewal; refunds, rebates, etc., on your current subscription are not available. If you have any questions about the offer or anything else pertaining to the DSL, you may contact the editor, Sharon Osuna, via E-Mail to sharon@tis.com or call her at 301-854-5338. ________________________________________________________________________ How to become <> a member of the IEEE Computer Society's TC on Security and Privacy ________________________________________________________________________ You do NOT have to join either IEEE or the IEEE Computer Society to join the TC, and there is no cost to join the TC. All you need to do is fill out an application form and mail or fax it to the IEEE Computer Society. A copy of the form is included below (to simplify things, only the TC on Security and Privacy is included, and is marked for you) The full and complete form is available on the IEEE Computer Society's Web Server at URL: http://www.computer.org:80/tab/tcapplic.htm (print & mail form) or http://www.computer.org:80/tab/Tcappli1.htm (HTML form for form-enabled browsers) IF YOU USE THE FORM BELOW, PLEASE NOTE THAT THE IT IS TO BE RETURNED (BY MAIL OR FAX) TO THE IEEE COMPUTER SOCIETY, >>NOT<< TO CIPHER. --------- IEEE Computer Society Technical Committee Membership Application ----------------------------------------------------------- Please print clearly or type. ----------------------------------------------------------- Last Name First Name Middle Initial ___________________________________________________________ Company/Organization ___________________________________________________________ Office Street Address (Please use street addresses over P.O.) ___________________________________________________________ City State ___________________________________________________________ Country Postal Code ___________________________________________________________ Office Phone Fax ___________________________________________________________ Email Address (Internet accessible) ___________________________________________________________ Home Address (optional) ___________________________________________________________ Home Phone ___________________________________________________________ [ ] I am a member of the Computer Society IMPORTANT: IEEE Member/Affiliate/Computer Society Number: ____________________ [ ] I am not a member of the Computer Society* Please Note: In some TCs only current Computer Society members are eligible to receive Technical Committee newsletters. Please select up to four Technical Committees/Technical Councils of interest. TECHNICAL COMMITTEES [ X ] T27 Security and Privacy Please Return Form To: IEEE Computer Society 1730 Massachusetts Ave, NW Washington, DC 20036-1992 Phone: (202) 371-0101 FAX: (202) 728-9614 ________________________________________________________________________ TC Publications for Sale (NOT!) ________________________________________________________________________ Proceedings of the IEEE CS Symposium on Security and Privacy Sorry! Strong response has reduced our stocks of old proceedings, and we have closed this year's conference books, so we will not be accepting any more orders until spring 1998. You may still order current (1997) and some back issues from IEEE CS Press at http://www.computer.org/cspress/catalog/proc9.htm. But, if you are interested in a copy of the current or past proceedings of the Computer Security Foundations Workshop, send a note to Josh Guttman at guttman@mitre.org. Pricing is $25 for this year's proceedings, $10 for those from prior years. Charles N. Payne Treasurer, IEEE TC on Security and Privacy Secure Computing Corp. 2675 Long Lake Rd. Roseville, MN 55113 U S A e-mail: cpayne@securecomputing.com ________________________________________________________________________ TC Officer Roster ________________________________________________________________________ Chair: Past Chair: Charles P. Pfleeger Deborah Cooper Arca Systems, Inc. P.O. Box 17753 6889 Boone Blvd Suite 750 Arlington, VA 22216 Vienna VA 22182-2623 (703) 908-9312 (voice and fax) (703) 734-5611 (voice) d.cooper@computer.org (703) 790-0385 (fax) c.pfleeger@computer.org Vice-Chair: Newsletter Editor: Thomas A. Berson Carl Landwehr Anagram Laboratories Code 5542 P.O. Box 791 Naval Research Laboratory Palo Alto, CA 94301 Washington, DC 20375-5337 berson@anagram.com (202) 767-3381 (650)324-0100 landwehr@itd.nrl.navy.mil Chair, Academic Affairs Subcommittee: Chair, Security Conferences Subcommittee: Prof. Cynthia Irvine Michael Reiter U.S. Naval Postgraduate School AT&T Labs Computer Science Department Room A269 Code CS/IC 180 Park Ave Monterey CA 93943-5118 Florham Park NJ 07932-0971 (408) 656-2461 (voice) (973) 360-8349 (voice) irvine@cs.nps.navy.mil (973) 360-8809 (fax) reiter@research.att.com Chair, Standards Subcommittee: * watch this space * ________________________________________________________________________ Information for Subscribers and Contributors ________________________________________________________________________ SUBSCRIPTIONS: Two options: 1. To receive the full ascii CIPHER issues as e-mail, send e-mail to (which is NOT automated) with subject line "subscribe". 2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing or downloading from our ftp server send e-mail to (which is NOT automated) with subject line "subscribe postcard". To remove yourself from the subscription list, send e-mail to cipher-request@itd.nrl.navy.mil with subject line "unsubscribe". Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher CONTRIBUTIONS: to are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. For Calendar entries, please include an e-mail address for the point-of-contact. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors. BACK ISSUES: There is an archive that includes each copy distributed so far, in ascii, in files you can download at URL http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher/cipher-archive.html There is also an anonymous FTP server that contains the same files. To access the archive via anonymous FTP: 1. ftp www.itd.nrl.navy.mil 2. At prompt for ID, enter "anonymous" 3. At prompt for password, enter your actual, full e-mail address 4. Once you are logged in, change to the Cipher Directory: cd pub/cipher 5. Now you can request any of the files containing Cipher issues in ascii. Issues are named in the form: EI#N.9708 where N is the number of the issue desired and 9703 captures the year and month it appeared. ========end of Electronic Cipher Issue #23, 15 August 1997=============